There are a number of articles (and even a section in the official ossec 
documentation) on how to make ossec detect USB Storage connected to a 
Windows system, but I've been unable to find a way to make it detect 
connection of USB storage to a Linux system.

This page in the official documentation describes the Windows part:
http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage

In CentOS (or RedHat) the default place for the log to be written seems to 
be in /var/log/kernel. The only decoder that I can find that reads anything 
in that file is the 'iptables'-decoder.

Can I just create a rule that creates an alert if there's a matching entry 
in /var/log/kernel (given that that file is actually monitored on the 
client systems), or do I need to 'hack' the decoder as well?

I tried creating this in local_rules.xml:

<rule id="100341" level="8">
  <decoded_as>iptables</decoded_as>
  <program_name>kernel</program_name>
  <regex>^usb \S* new</regex>
  <description>Unknown USB device attached</description>
</rule>

But I haven't been able to get it to generate the alert.

The log file entry looks like this:

Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device number 10 using ehci_hcd
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, idVendor=0951, idProduct=1607
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 001D0F0CAAC55A891B1400E4
Jun 18 09:56:23 localhost kernel: usb 1-5.2: configuration #1 chosen from 1 choice
Jun 18 09:56:23 localhost kernel: scsi9 : SCSI emulation for USB Mass Storage devices
Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
Jun 18 09:56:23 localhost kernel: usb-storage: waiting for device to settle before scanning
Jun 18 09:56:24 localhost kernel: usb-storage: device scan complete
Jun 18 09:56:24 localhost kernel: scsi 9:0:0:0: Direct-Access     Kingston DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: Attached scsi generic sg6 type 0
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] 15679488 512-byte logical blocks: (8.02 GB/7.47 GiB)
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Write Protect is off
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Mode Sense: 23 00 00 00
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: write through
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: write through
Jun 18 09:56:24 localhost kernel: sdd: sdd1
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache: write through
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable disk
Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 10

I've made sure that the file /var/log/kernel is checked, both in ossec.conf 
on the server and in agent.conf on the client. I've restarted both server 
and client and tried to insert my USB drive. The log entry is created but 
no alert.

Anyone looked at this and got it to work?

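As an added example (not from the post and not OSSEC's own code), here is a standalone Python parser that applies the same kind of matching to the kernel lines quoted above. It shows that the "usb ...: new ... device" line the rule targets carries no vendor, product or serial fields, that those arrive on later lines for the same usb port, and that the storage class is only confirmed by the "usb-storage: device found at N" line, which has to be tied back to the port through the device number. The sample log is the post's excerpt, re-joined onto single lines and trimmed.

```python
import re

# Constructed sample: the kernel log excerpt quoted in the post, re-joined and trimmed.
SAMPLE_LOG = """\
Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device number 10 using ehci_hcd
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, idVendor=0951, idProduct=1607
Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 001D0F0CAAC55A891B1400E4
Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable disk
Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 10
"""

# Syslog header as written on CentOS; the kernel message body follows "kernel: ".
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
# First line of an enumeration: ties the usb port to the device number, nothing more.
NEW_DEV = re.compile(r"^usb (?P<port>\S+): new .* device number (?P<num>\d+)")
IDS = re.compile(r"^usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>\w+), idProduct=(?P<pid>\w+)")
ATTR = re.compile(r"^usb (?P<port>\S+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
# Only mass-storage class devices produce this line; it names the device number, not the port.
STORAGE = re.compile(r"^usb-storage: device found at (?P<num>\d+)")

def scan(log):
    """Return one alert dict per USB mass-storage attach found in the log text."""
    devices = {}  # usb port -> attributes collected so far
    by_num = {}   # device number -> usb port
    alerts = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m["msg"]
        if (n := NEW_DEV.match(msg)):
            devices[n["port"]] = {"ts": m["ts"], "host": m["host"], "port": n["port"]}
            by_num[n["num"]] = n["port"]
        elif (i := IDS.match(msg)) and i["port"] in devices:
            devices[i["port"]].update({"idVendor": i["vid"], "idProduct": i["pid"]})
        elif (a := ATTR.match(msg)) and a["port"] in devices:
            devices[a["port"]][a["key"]] = a["val"]
        elif (s := STORAGE.match(msg)) and s["num"] in by_num:
            # Alert only once the kernel confirms the storage class, carrying the
            # identity fields gathered from the earlier lines of the same port.
            alerts.append(dict(devices[by_num[s["num"]]]))
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print("USB mass storage attached:", alert)
```

A non-storage device (keyboard, hub) produces the "usb ...: new" and "New USB device found" lines but never the "usb-storage" line, so it collects attributes without raising an alert.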