ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

/queue/diff remains empty #2061

Open MichelDBD opened 2 years ago

MichelDBD commented 2 years ago

Hi,

I'm having an issue with a local rule to detect any USB device connected. I implemented the following one on the OSSEC server:

    <rule id="100101" level="7">
        <if_sid>530</if_sid>
        <frequency>10</frequency>
        <match>ossec: output: 'reg QUERY</match>
        <check_diff />
        <description>USB device connected</description>
    </rule>

After that, I wrote these lines in the agent's ossec.conf file:

    <localfile>
        <log_format>full_command</log_format>
        <command>reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum</command>
    </localfile>

I restarted OSSEC and the host, but /var/ossec/queue/diff remains empty. The connection between my host and the server is working, because I receive logon and other notifications. There is no specific error message in ossec.log (in the agent's file, I even read the message "ossec-logcollector: INFO: Monitoring full output of command(10): reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum") or in /var/ossec/logs/ossec.log.

Does anyone have an idea about this issue?

Cheers!

libellux commented 1 year ago

Hello @MichelDBD, check this thread where @ddpbsd mentions that you have to track the actual change of value: https://groups.google.com/g/ossec-list/c/1t6dnbzMZzM
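As an added illustration, not OSSEC's own code and not something posted in this thread, here is a small Python model of the idea libellux's pointer refers to: a check_diff-style monitor keeps the last output of each command and only raises an alert when that output actually changes, reporting which lines appeared or disappeared. The per-command key, the in-memory store and the `reg QUERY` output samples are constructed for the example and are not captured from a real host.

```python
# Added example: baseline-and-diff detection of command output changes.
# Models the behaviour OSSEC's <check_diff /> is meant to give; this is
# NOT OSSEC's implementation and the store layout is an assumption.
import hashlib
from typing import Dict, List, Optional, Tuple

Alert = Tuple[List[str], List[str]]  # (added lines, removed lines)


def command_key(command: str) -> str:
    """Stable per-command key, in the spirit of a per-command diff directory."""
    return hashlib.sha1(command.encode("utf-8")).hexdigest()


def normalise(output: str) -> List[str]:
    """Drop blank lines and trailing whitespace so cosmetic differences don't alert."""
    return [line.rstrip() for line in output.splitlines() if line.strip()]


def check_diff(store: Dict[str, List[str]], command: str, output: str) -> Optional[Alert]:
    """Compare this run's output against the previous run stored under the command key.

    First run: record a baseline and return None (nothing to compare against yet).
    Unchanged output: return None, so a 'USB device connected' rule stays quiet.
    Changed output: update the baseline and return the (added, removed) lines,
    which is the detail an analyst wants in the alert body.
    """
    key = command_key(command)
    current = normalise(output)
    previous = store.get(key)
    store[key] = current
    if previous is None or previous == current:
        return None
    added = [line for line in current if line not in previous]
    removed = [line for line in previous if line not in current]
    return added, removed


# Command from the issue; the outputs below are constructed samples, not real registry data.
REG_COMMAND = r"reg QUERY HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum"

OUTPUT_RUN1 = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1
    0    REG_SZ    USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\EXAMPLE0001&0
"""
OUTPUT_RUN2 = OUTPUT_RUN1  # same output again: must not alert
OUTPUT_RUN3 = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum
    Count    REG_DWORD    0x2
    NextInstance    REG_DWORD    0x2
    0    REG_SZ    USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\EXAMPLE0001&0
    1    REG_SZ    USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_2.00\EXAMPLE0002&0
"""


def run_demo() -> List[Optional[Alert]]:
    """Feed three successive captures through the monitor and collect the results."""
    store: Dict[str, List[str]] = {}
    return [check_diff(store, REG_COMMAND, out) for out in (OUTPUT_RUN1, OUTPUT_RUN2, OUTPUT_RUN3)]


if __name__ == "__main__":
    for run, alert in enumerate(run_demo(), start=1):
        if alert is None:
            print(f"run {run}: no change, no alert")
        else:
            added, removed = alert
            print(f"run {run}: output changed; added={added} removed={removed}")
```

Running it shows the first capture only seeds the baseline, the identical second capture produces nothing, and the third capture (a second USBSTOR entry appearing) is the only one that yields an alert, with the new device line among the added lines.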