And I get this in Squert on my Security Onion...
<https://lh3.googleusercontent.com/-s8bBhwqjuDc/VyIsbVMoMaI/AAAAAAAACWM/ntYZ5QQQYYYJM1rxu8gFSPyP2B-LN3-nACLcB/s1600/squert.PNG>
On Thursday, April 28, 2016 at 10:21:58 AM UTC-5, Jacob Mcgrath wrote:
>
> Ok, here is my .bat script I use to check for and list the files contained
> within the USB drive. If no drive is detected the output file would not
> change, therefore not causing an alarm when the drive is removed.
>
> @echo off
> set host=%COMPUTERNAME%
>
> rem "fsutil fsinfo drives" prints one line: Drives: C:\ D:\ F:\ ...
> rem tokens=1* puts the word Drives: in a and the rest of the line in b
> for /F "tokens=1*" %%a in ('fsutil fsinfo drives') do (
>   for %%c in (%%b) do (
>     rem "fsutil fsinfo drivetype F:\" prints: F:\ - Removable Drive
>     for /F "tokens=3" %%d in ('fsutil fsinfo drivetype %%c') do (
>       if %%d equ Removable (
>         rem header line: host, IP from nslookup, account running the script.
>         rem A distinct loop variable is used here so it does not shadow the outer a.
>         rem Single redirect starts the file fresh on every run.
>         rem Note: under the agent service USERNAME is the service account, not the logged-on user.
>         for /F "skip=4 usebackq tokens=2" %%e in (`nslookup %host%`) do echo %host% %%e %USERNAME% > C:\temp\usbstor.txt
>         echo Drive %%c is Removable (USB^)
>         dir /s %%c >> C:\temp\usbstor.txt
>         type C:\temp\usbstor.txt
>       )
>     )
>   )
> )
>
>
> Now in the Windows agent config I have the entry that runs the .bat
> script every so many minutes or seconds (I have mine set for 30 seconds
> for testing, but 60 sec would be more realistic).
>
> <localfile>
> <log_format>full_command</log_format>
> <command>C:\Admin_Tools\USB_Audit\usb-audit.bat</command>
> <frequency>30</frequency>
> <alias>USBDevices</alias>
> </localfile>
>
> On the Ossec server side I have this entry on the local_rules.xml
>
> <rule id="503002" level="7">
> <if_sid>530</if_sid>
> <match>ossec: output: 'USBDevices'</match>
> <check_diff />
> <description>Mounted Device change detected</description>
> </rule>
>
>
> After this I restart the OSSEC server and agent, wait a minute, then insert
> a USB drive. I get an email alert similar to this:
>
> OSSEC HIDS Notification.
> 2016 Apr 28 15:11:29
>
> Received From: (mis41) any->USBDevices
> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
> Portion of the log(s):
>
> ossec: output: 'USBDevices':
> Drive F:\ is Removable (USB)
> MIS41 10.18.100.24
> Volume in drive F is OS
> Volume Serial Number is 642E-1FF6
>
> Directory of F:\
>
> 11/06/2015 01:38 PM 22,908,888 mbam-setup-2.2.0.1024.exe
> 12/21/2014 10:27 AM 397,798,952 sp66051_driver-pack.exe
> 2 File(s) 420,707,840 bytes
>
> Directory of F:\System Volume Information
>
> 11/05/2015 08:56 AM <DIR> .
> 11/05/2015 08:56 AM <DIR> ..
> 11/05/2015 08:56 AM 76 IndexerVolumeGuid
> 01/13/2016 02:41 PM 12 WPSettings.dat
> 2 File(s) 88 bytes
>
> Total Files Listed:
> 4 File(s) 420,707,928 bytes
> 2 Dir(s) 3,328,983,040 bytes free
>
> Previous output:
> ossec: output: 'USBDevices':
>
> --END OF NOTIFICATION
>
> In Squert I can see this:
>
>
>
>
> On Tuesday, April 19, 2016 at 2:23:39 PM UTC-5, Jacob Mcgrath wrote:
>>
>> I have a basic Windows agent setting to alert me when a storage device is
>> detected using PowerShell...
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe -command "gwmi win32_diskdrive | select Model,InterfaceType,serialnumber,Size,MediaType,CapabilityDescriptions > C:\temp\usbdetect.txt ; (gc C:\temp\usbdetect.txt | select -Skip 2)"</command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>>
>> with the following rule in local_rules.xml
>> <rule id="503002" level="7">
>> <if_sid>530</if_sid>
>> <match>ossec: output: 'USBDevices'</match>
>> <check_diff />
>> <description>Mounted Device change detected</description>
>> </rule>
>>
>>
>>
>>
>> Of course I get this alert which is nice for basic logging..
>>
>> OSSEC HIDS Notification.
>> 2016 Apr 19 18:35:31
>>
>> Received From: (mis41) any->USBDevices
>> Rule: 503002 fired (level 7) -> "Mounted Device change detected"
>> Portion of the log(s):
>>
>> ossec: output: 'USBDevices':
>> Model : TOSHIBA DT01ACA100 SCSI Disk Device
>> InterfaceType : IDE
>> serialnumber : 359ZMW6MS
>> Size : 1000202273280
>> MediaType : Fixed hard disk media
>> CapabilityDescriptions : {Random Access, Supports Writing, SMART Notification}
>>
>> Model : Verbatim STORE N GO USB Device
>> InterfaceType : USB
>> serialnumber : AA00000000000489
>> Size : 16022845440
>> MediaType : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable Media}
>>
>> Model : Verbatim STORE N GO USB Device
>> InterfaceType : USB
>> serialnumber : AA00000000000489
>> Size : 16022845440
>> MediaType : Removable Media
>> CapabilityDescriptions : {Random Access, Supports Writing, Supports Removable M
>>
>> --END OF NOTIFICATION
>>
>>
>>
>> I was playing around with PowerShell and have an optional command to print
>> out USB storage device files recursively...
>>
>>
>> powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'" | select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)
>>
>>
>> This gives me this output in a tmp.txt if run from a PowerShell window
>> and/or the Run line.
>>
>>
>> Directory: F:\
>>
>> Mode LastWriteTime Length Name
>> ---- ------------- ------ ----
>> -a--- 11/06/2015 12:38 PM 22908888 mbam-setup-2.2.0.1024.exe
>> -a--- 12/21/2014 9:27 AM 397798952 sp66051_driver-pack.exe
>>
>> Directory: E:\
>>
>> Mode LastWriteTime Length Name
>> ---- ------------- ------ ----
>> -a--- 12/06/2011 9:51 AM 388608 HijackThis.exe
>> -a--- 03/04/2016 2:44 PM 22908888 mbam-setup-2.2.0.1024.exe
>> -a--- 03/04/2016 2:46 PM 9524 hijackthis.log
>>
>> I have been attempting to get the above USB recursive file lists
>> into a USB detection report but have not had any success as of yet using
>> the above command instead of the first, like below.
>>
>>
>>
>> <localfile>
>> <log_format>full_command</log_format>
>> <command>powershell.exe $USBDrive = Get-WmiObject Win32_Volume -Filter "DriveType='2'"| select -expand driveletter ; Get-Childitem $USBDrive -recurse > C:\temp\test.txt ; (gc C:\temp\test.txt | select -Skip 2)"</command>
>> <frequency>300</frequency>
>> <alias>USBDevices</alias>
>> </localfile>
>>
>>
>> This gives me an empty C:\temp\test.txt file...
>>
>>
>> Any suggestions would be appreciated...
>>
>>
>>
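For the approach the thread is working toward (enumerate removable volumes, list their files recursively, and let the check_diff rule alert when the listing changes), here is a stand-alone PowerShell script as an added example. It is not the original poster's code. It assumes the script is saved as usb-audit.ps1 under the C:\Admin_Tools\USB_Audit\ directory the thread already uses (the file name is my choice) and that the agent launches it with -File instead of an inline -command string, which sidesteps the nested quoting the posted one-liner relies on. The "Drive X: is Removable (USB)" header line mirrors the .bat output so the existing 503002 rule and its match string work unchanged.

```powershell
# usb-audit.ps1  (added example; assumed path C:\Admin_Tools\USB_Audit\usb-audit.ps1)
#
# Assumed agent entry, same shape as the <localfile> blocks in the thread:
#   <localfile>
#     <log_format>full_command</log_format>
#     <command>powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Admin_Tools\USB_Audit\usb-audit.ps1</command>
#     <frequency>60</frequency>
#     <alias>USBDevices</alias>
#   </localfile>
#
# Everything is written to stdout, so there is no temp file, no cmd.exe redirection
# and no nested quotes for the agent's command line to mangle. check_diff compares
# the whole text between runs, so every line is emitted in a deterministic order.

$ErrorActionPreference = 'SilentlyContinue'

# Win32_Volume DriveType 2 = removable. Volumes without a drive letter are skipped.
$removable = Get-WmiObject -Class Win32_Volume -Filter "DriveType=2" |
    Where-Object { $_.DriveLetter } |
    Sort-Object DriveLetter

if (-not $removable) {
    # Constant text while nothing is plugged in: the diff then fires once on
    # insertion and once on removal, not on every run.
    Write-Output 'No removable volumes present'
    exit 0
}

$header = 'Drive {0} is Removable (USB); Label="{1}" Serial={2:X8} Capacity={3}'
$row    = '  {0,-60} {1,12} {2:yyyy-MM-dd HH:mm:ss}'

foreach ($vol in $removable) {
    Write-Output ($header -f $vol.DriveLetter, $vol.Label, $vol.SerialNumber, $vol.Capacity)

    # Recursive listing. -Force includes hidden/system entries such as
    # "System Volume Information". PSIsContainer is used instead of -File so the
    # script also runs on PowerShell 2.0. Sorting keeps the output stable between runs.
    Get-ChildItem -Path ($vol.DriveLetter + '\') -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object FullName |
        ForEach-Object { Write-Output ($row -f $_.FullName, $_.Length, $_.LastWriteTime) }
}
```

Two things to keep in mind when wiring this into check_diff: the rule fires on any textual change, so a file written to the drive between two runs produces an alert just like an insertion does, which is usually what an audit wants; and because the agent service runs the script, not the logged-on user, a full recursive listing of a large drive can be long, so on busy hosts it is worth testing how much of the output actually reaches the alert before relying on the file list rather than the header line.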
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.