Hi Dan. I have added [USB Storage Inserted] [any] [] r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0; to the file *win_audit_rcl.txt* on an XP agent, and I restarted the agent and the server. But when I attach USB storage, no alert is ever sent to the server. I followed the link http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage but it is not running. I don't know my error (I think this method creates a query to the registry and OSSEC listens to the query results to alert).
On Tuesday, June 3, 2014 at 23:28:57 UTC+7, dan (ddpbsd) wrote:

> > On Tue, Jun 3, 2014 at 12:27 PM, dan (ddp) <[email protected]> wrote:
> > > On Tue, Jun 3, 2014 at 11:57 AM, Nguyễn Văn Hớn <[email protected]> wrote:
> > > > Hi everybody. I have followed the link http://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/ but it is not running.
> > >
> > > What is not running? Did you restart the OSSEC processes after making these changes on the manager? Were the changes pushed to the agents you're monitoring? Is that registry entry !0? What version of Windows? Are you sure the rootcheck stuff is running?
> > >
> > > > and the link http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html but it is not running.
> > >
> > > Which part is not running? There are multiple entries on that page, which one are you trying? What happens?
> > >
> > > > I want to create an active response so that when OSSEC detects USB, the active response runs a cmd (a script that denies that USB).
>
> Missed this in my initial response. What's stopping you from doing this?
>
> > > > Please help me.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
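The questions Dan raises (was the shared rootcheck file pushed to the agent, is the registry value actually non-zero, is the agent running) can be checked on the Windows agent itself. The following PowerShell is an added example, not code from the original thread or from OSSEC; it assumes the default agent directory C:\Program Files (x86)\ossec-agent and the service name OssecSvc.

```powershell
# Added example: verify the preconditions for the USBSTOR rootcheck entry on a Windows agent.
# Assumptions (not from the thread): default agent install directory and service name below.
$AgentDir = 'C:\Program Files (x86)\ossec-agent'
$RclFile  = Join-Path $AgentDir 'shared\win_audit_rcl.txt'
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum'

# 1. Is the entry present on the agent, i.e. did the manager push the shared file?
if (Test-Path $RclFile) {
    $entry = Select-String -Path $RclFile -Pattern 'USBSTOR\Enum' -SimpleMatch
    if ($entry) { "rootcheck entry found: $($entry.Line.Trim())" }
    else        { "rootcheck entry NOT found in $RclFile (not pushed from the manager?)" }
} else {
    "$RclFile does not exist on this agent"
}

# 2. Does the registry value satisfy the check? The entry compares the content of
#    'Count' against '!0', so it only matches when Count exists and is not zero.
if (Test-Path $KeyPath) {
    $prop = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).PSObject.Properties['Count']
    if ($null -eq $prop) {
        "Count value missing under $KeyPath (check cannot match)"
    } elseif ([int]$prop.Value -eq 0) {
        "Count = 0: no USB storage device enumerated, check stays silent"
    } else {
        "Count = $($prop.Value): '!0' condition satisfied, rootcheck should alert on its next scan"
    }
} else {
    "$KeyPath does not exist (no USB storage device has been attached to this host?)"
}

# 3. Is the agent service running at all?
$svc = Get-Service -Name OssecSvc -ErrorAction SilentlyContinue
if ($svc) { "OSSEC agent service: $($svc.Status)" } else { "OSSEC agent service not installed" }
```

Note that rootcheck evaluates these entries on its scan schedule, not at the moment a device is inserted, so an alert is only expected once the next rootcheck run happens after Count became non-zero.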
