On Tue, Jun 18, 2013 at 4:24 AM,  <[email protected]> wrote:
> There are a number of articles (and even a section in the official ossec
> documentation) on how to make ossec detect USB Storage connected to a
> Windows system, but I've been unable to find a way to make it detect
> connection of USB storage to a Linux system.
>
> This page
> http://www.ossec.net/doc/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
> in the official documentation describes the windows part.
>
> In CentOS (or RedHat) the default place for the log to be written seems to
> be in /var/log/kernel. The only decoder that I can find that reads anything
> in that file is the 'iptables'-decoder.
>
> Can I just create a rule that creates an alert if there's a matching entry
> in /var/log/kernel (given that that file is actually monitored on the client
> systems), or do I need to 'hack' the decoder as well?
>
> I tried creating this in local_rules.xml:
>
> <rule id="100341" level="8">
>   <decoded_as>iptables</decoded_as>
>   <program_name>kernel</program_name>
>   <regex>^usb \S* new</regex>
>   <description>Unknown USB device attached</description>
> </rule>
>

I got this to work with ossec-logtest:
  <rule id="500007" level="10">
    <decoded_as>iptables</decoded_as>
    <match>^usb</match>
    <regex>^usb \S+: New</regex>
    <description>XXX</description>
  </rule>


> But I haven't been able to get it to generate the alert.
>
> The log file entry looks like this:
>
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device
> number 10 using ehci_hcd
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found,
> idVendor=0951, idProduct=1607
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device strings: Mfr=1,
> Product=2, SerialNumber=3
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber:
> 001D0F0CAAC55A891B1400E4
> Jun 18 09:56:23 localhost kernel: usb 1-5.2: configuration #1 chosen from 1
> choice
> Jun 18 09:56:23 localhost kernel: scsi9 : SCSI emulation for USB Mass
> Storage devices
> Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10
> Jun 18 09:56:23 localhost kernel: usb-storage: waiting for device to settle
> before scanning
> Jun 18 09:56:24 localhost kernel: usb-storage: device scan complete
> Jun 18 09:56:24 localhost kernel: scsi 9:0:0:0: Direct-Access     Kingston
> DataTraveler 2.0 1.00 PQ: 0 ANSI: 2
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: Attached scsi generic sg6 type
> 0
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] 15679488 512-byte
> logical blocks: (8.02 GB/7.47 GiB)
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Write Protect is off
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Mode Sense: 23 00 00 00
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache:
> write through
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache:
> write through
> Jun 18 09:56:24 localhost kernel: sdd: sdd1
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Assuming drive cache:
> write through
> Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable
> disk
> Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number
> 10
>
> I've made sure that the file /var/log/kernel is checked, both in ossec.conf
> on the server and in agent.conf on the client. I've restarted both server
> and client and tried to insert my USB drive. The log entry is created but no
> alert.
>
> Anyone looked at this and got it to work?
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

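The thread's question is really two questions: how to get any alert out of the `kernel:` lines in /var/log/kernel, and how to tell a USB storage device apart from any other USB device (a keyboard also produces "New USB device found"). The following is an added example, not code from the ossec-list thread or from the OSSEC project. It re-implements in Python what the posted rule does (gate on program name `kernel`, match the `usb <port>: New USB device found` line) and goes one step further: it correlates the per-port identity lines with the `usb-storage: device found at <n>` line via the bus device number, so an alert carries idVendor/idProduct/serial and fires only for mass storage. Python's `re` stands in for OSSEC's own regex syntax, so the patterns are approximations of the rule's `<regex>`; the sample log is constructed from the lines quoted in the thread plus a made-up keyboard and a non-kernel line.

```python
"""Detect USB mass-storage attach events in Linux kernel syslog lines.

Added example for the ossec-list thread; not OSSEC code. Mirrors the
posted rule's gates (program 'kernel', "usb <port>: New USB device found")
and correlates with the usb-storage probe so only mass storage alerts.
"""
import re
from dataclasses import dataclass

# Syslog prefix as written to /var/log/kernel on the poster's CentOS box:
# "Jun 18 09:56:23 localhost kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\s:]+): (?P<msg>.*)$"
)
# Python approximation of the rule's <regex>^usb \S+: New</regex>, extended
# to pull the vendor/product ids out of the same line.
NEW_DEV_RE = re.compile(
    r"^usb (?P<port>\S+): New USB device found, idVendor=(?P<vid>[0-9a-fA-F]{4}), "
    r"idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
DEVNUM_RE = re.compile(r"^usb (?P<port>\S+): new .*USB device number (?P<devnum>\d+)")
MANUF_RE = re.compile(r"^usb (?P<port>\S+): Manufacturer: (?P<manufacturer>.+)$")
PRODUCT_RE = re.compile(r"^usb (?P<port>\S+): Product: (?P<product>.+)$")
SERIAL_RE = re.compile(r"^usb (?P<port>\S+): SerialNumber: (?P<serial>\S+)$")
STORAGE_RE = re.compile(r"^usb-storage: device found at (?P<devnum>\d+)")
DISCONNECT_RE = re.compile(r"^usb (?P<port>\S+): USB disconnect, device number (?P<devnum>\d+)")


@dataclass
class UsbDevice:
    port: str
    devnum: int = 0
    vendor_id: str = ""
    product_id: str = ""
    manufacturer: str = ""
    product: str = ""
    serial: str = ""
    mass_storage: bool = False   # set once usb-storage claims the device number
    disconnected: bool = False


def parse_kernel_log(lines):
    """Walk syslog lines in order and return every USB attach seen, in order.

    Only lines whose program is 'kernel' are considered, the same gate the
    posted rule applies with <program_name>kernel</program_name>.
    """
    active = {}      # port -> device currently plugged in there
    by_devnum = {}   # bus device number -> device (usb-storage refers to this number)
    seen = []

    def device_at(port):
        # Identity lines normally follow the "new ... device number" line; if
        # that line was missed, still record the device under its port.
        if port not in active:
            active[port] = UsbDevice(port=port)
            seen.append(active[port])
        return active[port]

    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") != "kernel":
            continue
        msg = m.group("msg")
        if d := DEVNUM_RE.match(msg):
            dev = UsbDevice(port=d["port"], devnum=int(d["devnum"]))
            active[dev.port] = dev
            by_devnum[dev.devnum] = dev
            seen.append(dev)
        elif d := NEW_DEV_RE.match(msg):
            dev = device_at(d["port"])
            dev.vendor_id, dev.product_id = d["vid"], d["pid"]
        elif d := MANUF_RE.match(msg):
            device_at(d["port"]).manufacturer = d["manufacturer"]
        elif d := PRODUCT_RE.match(msg):
            device_at(d["port"]).product = d["product"]
        elif d := SERIAL_RE.match(msg):
            device_at(d["port"]).serial = d["serial"]
        elif d := STORAGE_RE.match(msg):
            dev = by_devnum.get(int(d["devnum"]))
            if dev is not None:
                dev.mass_storage = True
        elif d := DISCONNECT_RE.match(msg):
            dev = active.pop(d["port"], None)
            if dev is not None:
                dev.disconnected = True
                by_devnum.pop(dev.devnum, None)
    return seen


def storage_alerts(lines, level=10):
    """One alert string per mass-storage attach; other USB classes stay silent."""
    return [
        f"level {level}: USB storage attached at port {d.port}: "
        f"{d.manufacturer or '?'} {d.product or '?'} "
        f"idVendor={d.vendor_id} idProduct={d.product_id} serial={d.serial or 'n/a'}"
        for d in parse_kernel_log(lines)
        if d.mass_storage
    ]


# Constructed sample: the thread's lines re-joined where the mail client
# wrapped them, plus a made-up keyboard and a non-kernel line.
SAMPLE_LOG = [
    "Jun 18 09:56:23 localhost kernel: usb 1-5.2: new high speed USB device number 10 using ehci_hcd",
    "Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device found, idVendor=0951, idProduct=1607",
    "Jun 18 09:56:23 localhost kernel: usb 1-5.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "Jun 18 09:56:23 localhost kernel: usb 1-5.2: Product: DataTraveler 2.0",
    "Jun 18 09:56:23 localhost kernel: usb 1-5.2: Manufacturer: Kingston",
    "Jun 18 09:56:23 localhost kernel: usb 1-5.2: SerialNumber: 001D0F0CAAC55A891B1400E4",
    "Jun 18 09:56:23 localhost kernel: scsi9 : SCSI emulation for USB Mass Storage devices",
    "Jun 18 09:56:23 localhost kernel: usb-storage: device found at 10",
    "Jun 18 09:56:24 localhost kernel: usb-storage: device scan complete",
    "Jun 18 09:56:24 localhost kernel: sd 9:0:0:0: [sdd] Attached SCSI removable disk",
    "Jun 18 09:56:27 localhost kernel: usb 1-5.2: USB disconnect, device number 10",
    # constructed: a keyboard, never claimed by usb-storage
    "Jun 18 09:57:01 localhost kernel: usb 1-3: new low speed USB device number 11 using ohci_hcd",
    "Jun 18 09:57:01 localhost kernel: usb 1-3: New USB device found, idVendor=dead, idProduct=beef",
    "Jun 18 09:57:01 localhost kernel: usb 1-3: Product: Constructed Keyboard",
    # constructed: same text, but not from the kernel program, so it is ignored
    "Jun 18 09:57:05 localhost sshd[123]: usb 1-9: New USB device found, idVendor=0000, idProduct=0000",
]

if __name__ == "__main__":
    for alert in storage_alerts(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only the Kingston DataTraveler produces an alert; the keyboard is parsed as a device but stays quiet, and the `sshd` line never reaches the matchers. In OSSEC terms the same discrimination would be a second rule matching `^usb-storage: device found at` (or the `Attached SCSI removable disk` line) rather than the generic "New USB device found" line the thread's rules key on.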