I have worked with OSSEC in the past and in the last three months have taken 
over our OSSEC infrastructure, so have mercy...
 
I am following up after reading this thread and am trying to 
implement USB thumb drive insertion monitoring:
 

https://groups.google.com/d/topic/ossec-list/eL2DTKSXnhI/discussion

 
and trying to follow the 2.7.1 documentation by Daniel Cid, whose USB storage 
detection example uses the <check_diff /> feature:
 

http://ossec-docs.readthedocs.org/en/latest/manual/monitoring/process-monitoring.html#detecting-usb-storage-usage

 
I cannot get the server to create the directory under the "/diff/" subdirectory:
 

Next create a local rule for that command:

<rule id="140125" level="7">
    <if_sid>530</if_sid>
    <match>ossec: output: 'reg QUERY</match>
    <check_diff />
    <description>New USB device connected</description>
</rule>

Now after a few minutes you will see a directory at 
/var/ossec/queue/diff/[agent_name]/[rule_id] with the current snapshot of 
this command

 
I get the following excerpt in my client-side log (from a service 
restart) and then nothing in my alert log on the server:
 

2014/06/04 13:10:11 ossec-agent: Exiting...
2014/06/04 13:10:11 ossec-agent: Remote commands are not accepted from the manager. Ignoring it on the agent.conf
2014/06/04 13:10:11 ossec-agent(1202): ERROR: Configuration error at 'shared/agent.conf'. Exiting.
2014/06/04 13:10:11 ossec-execd(1350): INFO: Active response disabled. Exiting.
2014/06/04 13:10:11 ossec-agent(1410): INFO: Reading authentication keys file.
2014/06/04 13:10:11 ossec-agent: INFO: Assigning counter for agent AZS1901RG03: '99746:8391'.
2014/06/04 13:10:11 ossec-agent: INFO: Assigning sender counter: 7:4371
2014/06/04 13:10:11 ossec-agent: INFO: Trying to connect to server (10.1.16.26:1514).
2014/06/04 13:10:11 ossec-agent: INFO: Using IPv4 for: 10.1.16.26 .
2014/06/04 13:10:11 ossec-agent: Starting syscheckd thread.
2014/06/04 13:10:11 ossec-rootcheck: INFO: Started (pid: 4924).

Thanks for any help in advance,
Paul
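The two configuration pieces that the rule above depends on, shown here as an added example that is not the poster's own configuration and not copied from the OSSEC documentation: the manager-side agent.conf entry that makes Windows agents run the registry query and ship its output as a "full_command" event (the event the rule's <if_sid>530</if_sid> / <match> pair is written for), and the agent-side local_internal_options.conf setting that OSSEC requires before an agent will execute a command pushed to it through agent.conf. The message "Remote commands are not accepted from the manager. Ignoring it on the agent.conf" in the log excerpt is what ossec-agent prints when that setting is missing, and the "Configuration error at 'shared/agent.conf'" that follows is the agent refusing to start with the rejected entry. The registry path is the one the linked documentation example queries; the os="Windows" restriction is an assumption chosen for illustration.

```xml
<!-- /var/ossec/etc/shared/agent.conf on the manager.
     Added example, not the poster's file; the os="Windows" restriction is an
     illustrative assumption. -->
<agent_config os="Windows">
  <localfile>
    <!-- full_command sends the entire command output to the manager as one
         event, which is what <check_diff /> in the rule compares between runs -->
    <log_format>full_command</log_format>
    <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR</command>
  </localfile>
</agent_config>

<!-- local_internal_options.conf on each agent (in the agent's install
     directory, next to ossec.conf). This is a plain key=value file, not XML;
     it is shown in the same block only for reading convenience.
     Without the line below ossec-agent logs
       "Remote commands are not accepted from the manager. Ignoring it on the agent.conf"
     and then treats the pushed <localfile> as a configuration error. -->
logcollector.remote_commands=1
```

The agent has to be restarted after the option is set. Because the manager creates /var/ossec/queue/diff/[agent_name]/[rule_id] only when an event from the command has actually matched the check_diff rule, nothing appears there while the agent is still rejecting the command, which matches the empty alert log in the post. Opting an agent into remote commands means whoever can write agent.conf on the manager can run arbitrary commands on that agent, so restrict write access to the shared directory accordingly.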
