On Tue, Jun 3, 2014 at 12:47 PM, Nguyễn Văn Hớn <[email protected]> wrote:
> Hi Dan. I have added [USB Storage Inserted] [any] []
> r:HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum -> Count -> !0; to
> file win_audit_rcl.txt: on agent XP. And I restarted agent and server. But

I think you should be adding that to the file on the manager, not the
agent. That file should get pushed to the agent.

> when I attached USB storage, no alert is ever sent to the server.

My understanding of the blog post (which I only skimmed) leads me to
believe a rootcheck scan has to be performed while that USB device is
plugged in. If the device isn't plugged in when the scan is performed,
then nothing will be alerted.

> I have to make with link
> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage
> but it is not running. I don't know my error (I think this way is to create a query
> to the registry and OSSEC listens to the query results to alert).
>

Turn the log all option on, and look for logs related to that command in
/var/ossec/logs/archives/archives.log
Make sure the command localfile is configured on the agent, not the
server. I'd add an <alias>usbcheck</alias> or something like that to the
command localfile entry. Then modify the rule as necessary.
Run the command manually, does it give you the output you expect?

> On Tuesday, 03 June 2014 at 23:28:57 UTC+7, dan (ddpbsd) wrote:
>>
>> On Tue, Jun 3, 2014 at 12:27 PM, dan (ddp) <[email protected]> wrote:
>> > On Tue, Jun 3, 2014 at 11:57 AM, Nguyễn Văn Hớn <[email protected]>
>> > wrote:
>> >> Hi everybody. I have to make with link
>> >>
>> >> http://blog.rootshell.be/2010/03/15/detecting-usb-storage-usage-with-ossec/
>> >> but it is not running.
>> >
>> > What is not running? Did you restart the OSSEC processes after making
>> > these changes on the manager? Were the changes pushed to the agents
>> > you're monitoring? Is that registry entry !0? What version of Windows?
>> > Are you sure the rootcheck stuff is running?
>> >
>> >> and link
>> >>
>> >> http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html
>> >> but it is not running.
>> >>
>> >
>> > Which part is not running? There are multiple entries on that page,
>> > which one are you trying? What happens?
>> >
>> >> I want to create an active response when OSSEC detects USB, then the active
>> >> response
>> >> runs a cmd (a script that denies that USB)
>>
>> Missed this in my initial response. What's stopping you from doing this?
>>
>> >> Please help me.
>> >>
>> >> --
>> >>
>> >> ---
>> >> You received this message because you are subscribed to the Google
>> >> Groups
>> >> "ossec-list" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send
>> >> an
>> >> email to [email protected].
>> >> For more options, visit https://groups.google.com/d/optout.
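Putting dan's suggestions together (a command localfile on the agent with an alias, and a manager-side rule keyed on that alias), as an added example that is not code from the thread or from the OSSEC project; the alias name usbcheck, the 60-second frequency and the rule id 100100 are assumptions:

```xml
<!-- ossec.conf on the Windows AGENT (not the manager): poll the USBSTOR
     enumeration key with a full_command localfile. The alias makes the
     resulting event read "ossec: output: 'usbcheck': ..." so a rule can
     key on it. Alias name and 60 s frequency are assumptions. -->
<ossec_config>
  <localfile>
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum</command>
    <alias>usbcheck</alias>
    <frequency>60</frequency>
  </localfile>
</ossec_config>

<!-- local_rules.xml on the MANAGER: rule 530 is OSSEC's generic
     "ossec: output:" command-output rule. check_diff fires only when the
     output differs from the previous run, i.e. when a device is added or
     removed, instead of on every poll. Rule id 100100 is an assumption. -->
<group name="local,usb,">
  <rule id="100100" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'usbcheck'</match>
    <check_diff />
    <description>USB storage enumeration changed (device inserted or removed)</description>
  </rule>
</group>
```

To verify the agent side as dan describes, set <logall>yes</logall> in the manager's <global> section and confirm that "ossec: output: 'usbcheck'" lines appear in /var/ossec/logs/archives/archives.log before tuning the rule.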
