{"id":56,"date":"2010-03-15T18:34:01","date_gmt":"2010-03-15T18:34:01","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=56"},"modified":"2020-07-01T18:35:45","modified_gmt":"2020-07-01T18:35:45","slug":"detecting-usb-storage-usage-with-ossec","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2010\/03\/detecting-usb-storage-usage-with-ossec\/","title":{"rendered":"Detecting USB Storage Usage with OSSEC"},"content":{"rendered":"\n<p><a href=\"http:\/\/blog.rootshell.be\/\">Xavier<\/a>&nbsp;wrote a very interesting article on&nbsp;<a href=\"http:\/\/blog.rootshell.be\/2010\/03\/15\/detecting-usb-storage-usage-with-ossec\/\">Detecting USB Storage Usage with OSSEC<\/a>. He used our policy auditing module for that, but I think USB monitoring can be done in a much easier way with our new&nbsp;<a href=\"http:\/\/www.ossec.net\/dcid\/?p=198\">check_diff<\/a>&nbsp;feature. You need our latest snapshot for it to work (or wait until v2.4 is out).<\/p>\n\n\n\n<p>To get started, first configure your Windows agents to monitor the USBSTOR registry entry using the reg command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;agent_config os=\"windows\">\n  &lt;localfile>\n    &lt;log_format>full_command&lt;\/log_format>\n    &lt;command>reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR&lt;\/command>\n  &lt;\/localfile>\n\n&lt;\/agent_config><\/code><\/pre>\n\n\n\n<p>Next create a local rule for that command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;rule id=\"140125\" level=\"7\">\n    &lt;if_sid>530&lt;\/if_sid>\n    &lt;match>ossec: output: 'reg QUERY&lt;\/match>\n    &lt;check_diff \/>\n    &lt;description>New USB device connected&lt;\/description>\n  &lt;\/rule><\/code><\/pre>\n\n\n\n<p>Now after a few minutes you will see a directory at \/var\/ossec\/queue\/diff\/[agent_name]\/[rule_id] with the current snapshot of this command. 
Once someone adds a new USB device you will get this alert:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>** Alert 1268687754.35062: mail  - local,syslog,\n2010 Mar 15 18:15:54 (xx-netbook) any->reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\nRule: 140125 (level 7) -> 'New USB device connected'\nSrc IP: (none)\nUser: (none)\nossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':! REG.EXE VERSION 3.0\n\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_&amp;Prod_USB_Flash_Memory&amp;Rev_5.00\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_Generic&amp;Prod_Flash_Disk&amp;Rev_8.0\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_Hitachi&amp;Prod_HTS543225L9A300&amp;Rev_\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_LEXAR&amp;Prod_JD_FIREFLY&amp;Rev_1100\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_SAMSUNG&amp;Prod_HM160JC&amp;Rev_0000\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_Sony&amp;Prod_DSC&amp;Rev_1.00\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_TomTom&amp;Prod_ONE_XXL_IQ_Rts\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_USB_2.0&amp;Prod_USB_Flash_Drive&amp;Rev_0.00\n\nPrevious output:\n\nossec: output: 'reg QUERY HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR':\n! REG.EXE VERSION 3.0\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_&amp;Prod_USB_Flash_Memory&amp;Rev_5.00\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_Generic&amp;Prod_Flash_Disk&amp;Rev_8.07\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_Hitachi&amp;Prod_HTS543225L9A300&amp;Rev_\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_SAMSUNG&amp;Prod_HM160JC&amp;Rev_0000\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_Sony&amp;Prod_DSC&amp;Rev_1.00\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_TomTom&amp;Prod_ONE_XXL_IQ_Rts\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&amp;Ven_USB_2.0&amp;Prod_USB_Flash_Drive&amp;R<\/code><\/pre>\n\n\n\n<p>I think we can expand this to create all sorts of nice rules\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Xavier&nbsp;wrote a very interesting article on&nbsp;Detecting USB Storage Usage with OSSEC. He used our policy auditing module for that, but I think USB monitoring can be done in a much easier way with our new&nbsp;check_diff&nbsp;feature. You need our latest snapshot for it to work (or wait until v2.4 is out). 
To get started, first configure [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/56"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=56"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/56\/revisions"}],"predecessor-version":[{"id":57,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/56\/revisions\/57"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=56"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=56"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=56"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}