I've worked out a different solution that uses PowerShell and WMI to detect 
currently connected Win32_DiskDrive devices. The notification output it provides 
is in the following format:

OSSEC HIDS Notification.
2012 Jul 18 14:39:04

Received From: (xxxxxxx) x.x.x.x>USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':
Model                  : Windows 7-0 SSD ATA Device
InterfaceType          : IDE
serialnumber           : 5847464843394330374d345a355a375634393741
Size                   : 68713989120
MediaType              : Fixed hard disk media
CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}

Model                  : FLASH Drive UT_USB20 USB Device
InterfaceType          : USB
serialnumber           : 
Size                   : 2015193600
MediaType              : Removable Media
CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}

using the following command in the agent's ossec.conf:
<localfile>
    <log_format>full_command</log_format>
    <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
    <frequency>300</frequency>
    <alias>USBDevices</alias>
</localfile>

with the following rule in local_rules.xml:
<rule id="503002" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'USBDevices'</match>
    <check_diff />
    <description>Mounted Device change detected</description>
</rule>

The primary advantage to this method of detection is that it shows 
currently connected devices when the command is run. The reg QUERY 
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR method detects changes to the 
list of historically connected USB devices, which will update when a 
new-to-this-machine USB device is connected, but not change when one that 
was previously connected is removed or reconnected at a later date.

In order to receive the details of the change I had to add the 
" > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)" piece to the 
command, which simply exports the result of the gwmi win32_diskdrive call to 
a text file, then reads in the file, stripping off the two blank lines at 
the top of the file that the output creates. This is definitely not as 
elegant as it could be, but it works.

Without this the Notification was limited to this:

Received From: (xxxxxxx) x.x.x.x>USBDevices
Rule: 503002 fired (level 7) -> "Mounted Device change detected"
Portion of the log(s):

ossec: output: 'USBDevices':

The notification breaks with the double blank line, so the detail was 
missing.

You can further limit the notification to just USB by adding 
"| ?{$_.interfacetype -eq 'USB'}" before the > C:\temp\test.txt output, but I 
wanted to see all storage device changes.

Hope this helps someone.

Scott
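As an added example, not part of Scott's post or the OSSEC project: the same enumeration as a standalone Windows PowerShell (5.1, Get-WmiObject) script that avoids the C:\temp\test.txt round trip, sorts devices by DeviceID so check_diff does not fire on a mere change in enumeration order, and trims the leading blank lines that left the alert body empty. The -OnlyUsb switch name is an assumption.

```powershell
# Added example (not from the original post). Lists currently attached disk
# drives in the same field layout as the full_command above, without a temp
# file, and with blank lines at the top/bottom removed so the OSSEC alert
# still carries the detail once check_diff fires.
# Assumption: -OnlyUsb is a hypothetical switch; run it under the OSSEC agent.
param([switch]$OnlyUsb)

$drives = Get-WmiObject Win32_DiskDrive
if ($OnlyUsb) {
    # Same filter as the post's "?{$_.interfacetype -eq 'USB'}" suggestion.
    $drives = $drives | Where-Object { $_.InterfaceType -eq 'USB' }
}

# Stable ordering: WMI enumeration order is not guaranteed between runs, and
# check_diff compares raw text, so an order change alone would raise an alert.
$text = $drives |
    Sort-Object DeviceID |
    Select-Object Model, InterfaceType, SerialNumber, Size, MediaType, CapabilityDescriptions |
    Format-List |
    Out-String -Width 200   # wide enough that CapabilityDescriptions is not wrapped

# Format-List emits leading and trailing blank lines; drop only those. Inner
# blank lines between devices are kept so the alert stays readable.
$lines = $text -split "`r?`n"
$start = 0
while ($start -lt $lines.Count -and $lines[$start].Trim() -eq '') { $start++ }
$end = $lines.Count - 1
while ($end -ge $start -and $lines[$end].Trim() -eq '') { $end-- }

if ($end -lt $start) {
    'no disk drives found'          # still non-empty, so the alert body is never blank
} else {
    $lines[$start..$end]
}
```

Point the OSSEC <command> at the script, e.g. powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\path\to\usbdevices.ps1 (the path is a placeholder), keeping the same full_command, alias and check_diff rule.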
