>
> Hi Dan, I went ahead and created both a local_decoder and a corresponding
> rule in local_rules.xml. I then ran the "/var/ossec/bin/ossec-logtest"
> command against my log lines, and it passed the test. The output showed
> "Decoder matched" and the "Alert to be generated" message, as shown below. I
> then restarted the ossec-server after that. Now when I again plug a USB
> into my Windows agent to test, I see the USB detection event make it to the
> archives.log file on the server, but it still didn't create an alert. When
> I check the alerts.log file it does not have any log entry for my USB
> event. The ossec-logtest passed successfully. What am I missing?

 root@securityonion:/var/ossec/logs/alerts# /var/ossec/bin/ossec-logtest
2018/03/30 19:36:01 ossec-testrule: INFO: Reading local decoder file.
2018/03/30 19:36:01 ossec-testrule: INFO: Started (pid: 18771).
ossec-testrule: Type one log per line.

018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck Windows 
Audit: USB Storage Inserted


**Phase 1: Completed pre-decoding.
       full event: '018 Mar 29 21:50:02 (ENGG-WORKSTATION) 
172.16.3.10->rootcheck Windows Audit: USB Storage Inserted'
       hostname: 'securityonion'
       program_name: '(null)'
       log: '018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck 
Windows Audit: USB Storage Inserted'

**Phase 2: Completed decoding.
       decoder: 'ICS-lab-detect'
       srcip: '172.16.3.10'

**Phase 3: Completed filtering (rules).
       Rule id: '110001'
       Level: '3'
       Description: 'USB drive detected'
**Alert to be generated.


This is a snippet of my local_rules.xml: 


<group name="syslog,ICS-lab-detect,">
  <rule id="110000" level="0">
    <decoded_as>ICS-lab-detect</decoded_as>
    <description>ICS Lab custom anomaly detection</description>
  </rule>

  <rule id="110001" level="3">
    <if_sid>110000</if_sid>
    <match>USB</match>
    <description>USB drive detected</description>
  </rule>

  <rule id="110002" level="3">
    <if_sid>110000</if_sid>
    <match>failure</match>
    <description>FactoryTalk Administration Console login failure</description>
  </rule>
</group>
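As an added example (not from the original post and not OSSEC project code), the helper below covers the two checks that are worth running before trusting a green ossec-logtest result. First, ossec-logtest reads each stdin line as the raw log message; the header that appears in archives.log (year, date, time, "(hostname) source->location ") is prepended by the server when it writes the archive, so pasting a full archives.log line into logtest exercises a different string than the decoders see on a live event. `split_archive_line` strips that header and returns the raw log to feed to logtest. Second, `check_local_rules` parses a local_rules.xml fragment and reports the usual mistakes: an unclosed `<group>`, rule ids outside the local range, and `<if_sid>` parents that the fragment does not define. The header layout is assumed from the logtest output in this thread; the sample archive line and rule fragment are constructed here from the values in the post.

```python
"""Pre-flight checks for an OSSEC local decoder/rule test (added example)."""
import re
import xml.etree.ElementTree as ET

# Assumed archives.log layout, taken from the line shown in the thread:
#   'YYYY Mon DD HH:MM:SS (hostname) source->location raw log text'
# The year is allowed to be 3 or 4 digits because the pasted line reads '018'.
ARCHIVE_HEADER = re.compile(
    r"^(?P<year>\d{3,4}) (?P<mon>[A-Z][a-z]{2}) (?P<day>\s?\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) \((?P<hostname>[^)]+)\) "
    r"(?P<src>\S+?)->(?P<location>\S+) (?P<log>.*)$"
)

# Id range OSSEC reserves for rules in local_rules.xml.
LOCAL_RULE_RANGE = (100000, 119999)


def split_archive_line(line):
    """Return (header_fields, raw_log) for one archives.log line.

    A line without the archive header is returned unchanged as the raw log,
    so lines copied straight from an agent log pass through untouched.
    """
    text = line.rstrip("\n")
    match = ARCHIVE_HEADER.match(text)
    if not match:
        return {}, text
    fields = match.groupdict()
    raw_log = fields.pop("log")
    return fields, raw_log


def check_local_rules(xml_text):
    """Report common problems in a local_rules.xml fragment.

    local_rules.xml may hold several <group> elements with no single root, so
    the text is wrapped in a dummy root before parsing. Returns a list of
    problem strings; an empty list means every check passed.
    """
    try:
        root = ET.fromstring("<root>" + xml_text + "</root>")
    except ET.ParseError as exc:
        return ["not well-formed XML (unclosed <group> or <rule>?): %s" % exc]

    problems = []
    rules = {}
    for rule in root.iter("rule"):
        try:
            rid = int(rule.get("id", ""))
        except ValueError:
            problems.append("rule without a numeric id attribute")
            continue
        rules[rid] = rule
        low, high = LOCAL_RULE_RANGE
        if not low <= rid <= high:
            problems.append("rule %d is outside the local id range %d-%d" % (rid, low, high))
        if rule.find("description") is None:
            problems.append("rule %d has no <description>" % rid)

    # Every <if_sid> parent should be defined; a parent from another loaded
    # rule file is legal, so this is flagged for the operator to confirm.
    for rid, rule in rules.items():
        for dep in rule.findall("if_sid"):
            for parent in (dep.text or "").split(","):
                parent = parent.strip()
                if parent and (not parent.isdigit() or int(parent) not in rules):
                    problems.append(
                        "rule %d: if_sid %s is not defined in this fragment" % (rid, parent)
                    )
    return problems


# Constructed sample input mirroring the thread's values.
SAMPLE_ARCHIVE_LINE = (
    "2018 Mar 29 21:50:02 (ENGG-WORKSTATION) 172.16.3.10->rootcheck "
    "Windows Audit: USB Storage Inserted"
)

SAMPLE_RULES = """
<group name="syslog,ICS-lab-detect,">
  <rule id="110000" level="0">
    <decoded_as>ICS-lab-detect</decoded_as>
    <description>ICS Lab custom anomaly detection</description>
  </rule>
  <rule id="110001" level="3">
    <if_sid>110000</if_sid>
    <match>USB</match>
    <description>USB drive detected</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    header, raw = split_archive_line(SAMPLE_ARCHIVE_LINE)
    print("feed this line to ossec-logtest:", raw)
    print("archive header fields:", header)
    print("rule problems:", check_local_rules(SAMPLE_RULES) or "none")
```

Run the script with the archive line from the server and paste the printed raw log into ossec-logtest; if the decoder no longer matches on that shorter string, the decoder's regex was written against the archive header rather than the event itself.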

