On Thu, Jul 12, 2012 at 1:16 AM, sahil sharma <[email protected]> wrote:
>
>
> On Wed, Jul 11, 2012 at 6:13 PM, dan (ddp) <[email protected]> wrote:
>>
>> On Wed, Jul 11, 2012 at 7:48 AM, sahil sharma <[email protected]>
>> wrote:
>> > Hi,
>> >
>> > 1) That's the output from the web interface that I pasted.
>> >
>>
>> Don't use that, you're using a broken version (0.3). That's why the
>> output looks wrong. alerts.log has the proper output.
>>
>
> Ok.
> Output in alerts.log looks as follows:
> ** Alert 1342069429.23337: - local,win7,process_monitor,
> 2012 Jul 11 22:03:49 (win7base) 192.168.1.10->hkeyusbcheck
> Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
> ossec: output: 'hkeyusbcheck':
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v165w&Rev_0.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_hp&Prod_v210w&Rev_1100
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_6.16
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_PMAP
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.01
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.20
> HKEY_LOCAL_MACHINE
>
>
>>
>> > 2) and I have defined the command in the client's config; sorry, I forgot to
>> > mention that.
>> >
>>
>> That's where. What do you have in the agent's ossec.conf for this command?
>>
>
> <localfile>
>   <log_format>full_command</log_format>
>   <command>reg QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
>   <alias>hkeyusbcheck</alias>
> </localfile>
>
>
>>
>> You shouldn't have to modify 530. You can look at 533 as an example.
>>
>
> I tried grepping for "533"; it only has two references in ms_auth, but it is
> not defined anywhere,
> or I am unable to find it. Please help.
>

In ossec_rules.xml:
  <rule id="533" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'netstat -tan</match>
    <check_diff />
    <description>Listened ports status (netstat) changed (new port opened or closed).</description>
  </rule>
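As an added example (not from the thread and not OSSEC's own code), this Python script shows what a rule modelled on 533 with <check_diff /> does for the hkeyusbcheck command: it parses alerts.log entries in the format quoted above, remembers the last output per alias, and reports which USBSTOR keys appeared or disappeared between runs. The sample log entries are constructed, and the "first run seeds the baseline" behaviour is this example's own approximation of check_diff.

```python
import re

# Constructed sample in the alerts.log format quoted above: two runs of the
# 'hkeyusbcheck' full_command; the second run lists one more USBSTOR device.
ALERTS_LOG = r"""** Alert 1342069429.23337: - local,win7,process_monitor,
2012 Jul 11 22:03:49 (win7base) 192.168.1.10->hkeyusbcheck
Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
ossec: output: 'hkeyusbcheck':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20

** Alert 1342069489.24001: - local,win7,process_monitor,
2012 Jul 11 22:04:49 (win7base) 192.168.1.10->hkeyusbcheck
Rule: 530 (level 4) -> 'OSSEC process monitoring rules.'
ossec: output: 'hkeyusbcheck':
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_1.00
"""
OUTPUT_HEADER = re.compile(r"^ossec: output: '([^']+)':$")

def parse_alerts(text):
    """Yield (alert_id, alias, output_lines) for each full_command alert."""
    for entry in re.split(r"(?m)^(?=\*\* Alert )", text):
        lines = entry.strip().splitlines()
        if not lines or not lines[0].startswith("** Alert "):
            continue
        alert_id = lines[0].split()[2].rstrip(":")
        alias, output = None, []
        for line in lines[1:]:
            m = OUTPUT_HEADER.match(line)
            if m:
                alias = m.group(1)           # the <alias> from the localfile block
            elif alias is not None and line.strip():
                output.append(line.strip())  # one registry key per line
        if alias:
            yield alert_id, alias, output

def check_diff(alerts):
    """Emulate <check_diff />: keep the last output per alias and report a change
    (with added/removed lines) whenever a later run differs; first run = baseline."""
    last, changes = {}, []
    for alert_id, alias, output in alerts:
        prev = last.get(alias)
        if prev is not None and prev != output:
            changes.append({"alert": alert_id, "alias": alias,
                            "added": sorted(set(output) - set(prev)),
                            "removed": sorted(set(prev) - set(output))})
        last[alias] = output
    return changes
```

Run `check_diff(parse_alerts(ALERTS_LOG))` to get the single change, which names the Kingston DataTraveler key as newly added.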
