A talk at Black Hat last week described a new form of malware that operates from inside USB devices themselves and can achieve full system compromise by way of a self-replicating USB virus. With that kind of threat attached to USB, I thought I would share a short how-to for detecting, and alerting on, any USB device (phone, flash drive, whatever) that gets connected to a machine running the OSSEC agent, using AlienVault’s USM platform.
This configuration is for AlienVault USM 4.9 and assumes you’ve already enabled the “ossec-single-line.cfg” plugin on your sensor.
ON THE ALIENVAULT USM SIDE: Add an Agent
1. Add an agent on the AlienVault USM server using the manage_agents command (menu option A, “Add an agent”):
In this example, the host to be monitored is called “test_host” and has the IP address 192.168.7.7. You can accept the default agent ID; the system increments it automatically for every new agent.
2. Extract the new agent’s key (menu option E), then copy and save it; you will need it when you install the agent.
3. Confirm that your AlienVault ossec-single-line.cfg plugin has a [translation] entry for SID 140125 mapped to Data Source ID 7097. (This entry appears to exist already, presumably to support exactly the functionality we are after.)
4. Rename SID 140125 under Data Source ID 7097 in the AlienVault USM web interface:
- Browse to “Configuration –> Threat Intelligence –> DATA SOURCE”
- Use QuickSearch (the magnifying-glass icon in the lower right of the page) to find Data Source ID 7097:
- Double-click the resulting 7097 Data Source to expand its associated SIDs
- In the resulting list, sort by “Event Type ID”; the 140125 SID we want should appear:
- Double-click that SID, rename it to “ossec: USB Device Detected”, and click “Update”:
5. Add a new rule at the very end of your /var/ossec/rules/ossec_rules.xml file, just before the closing </group> tag. The rule’s id must be 140125 so that the [translation] entry from step 3 maps it to Data Source 7097.
- Restart OSSEC so the new rule is loaded.
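The post does not reproduce the rule itself, so here is an added example of what such a rule looks like; it is not the original post’s rule. It assumes the agent reports changes under the USBSTOR registry key through OSSEC’s syscheck, and that OSSEC’s stock registry rules 594 (registry integrity checksum changed) and 595 (registry entry added) are the parents to chain from; both IDs are assumptions, so check them against the syscheck_rules.xml shipped with your server. The rule id 140125 is the one the page’s [translation] entry maps to Data Source 7097.

```xml
<!-- Added example (not the original post's rule). Paste inside the existing
     <group> in /var/ossec/rules/ossec_rules.xml on the USM server, just
     before the closing </group> tag. -->
<rule id="140125" level="7">
  <!-- Parent rules: OSSEC's stock registry syscheck rules. 594 fires when a
       monitored registry key's checksum changes, 595 when a new registry
       entry appears. Assumed IDs: confirm them in your syscheck_rules.xml. -->
  <if_sid>594, 595</if_sid>
  <!-- Restrict to registry paths under the USBSTOR enumeration key, i.e. a
       mass-storage device the agent has not recorded before. Substring
       match, so it also catches the subkey Windows creates per device. -->
  <match>USBSTOR</match>
  <!-- The id, not this text, is what the plugin translates; the display name
       is set in the web interface in step 4. -->
  <description>USB Device Detected</description>
  <group>syscheck,usb,</group>
</rule>
```

After saving, restart the server side with /var/ossec/bin/ossec-control restart; an XML error in the rules file will stop ossec-analysisd from starting, so check /var/ossec/logs/ossec.log if events stop arriving after the restart.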
ON THE HOST SIDE (Agent)
1. Download and install the latest OSSEC HIDS agent for your platform. (For this example, we use the 2.7.1 Windows agent.)
2. Once it is installed, launch the “Manage Agent” app from your Start menu.
- Enter the IP address of your AlienVault USM installation in the “OSSEC Server IP” field and paste in the key you saved earlier.
3. In the Agent Manager window, choose “View” and then “View Config” from the menu. This opens the agent configuration (ossec.conf) in your default text viewer. The top of this file contains the <localfile> locations that your agent monitors.
Add the following:
4. Choose “Manage” from the menu and then “Restart” to restart the agent.
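The configuration entry itself is missing from the post, so the following is an added example of the agent-side piece, not the original post’s configuration. OSSEC watches registry keys through the <windows_registry> element of its <syscheck> section, which lives in the same ossec.conf as the <localfile> entries mentioned in step 3. The monitored key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR) and the 300-second scan interval are my assumptions, chosen to match the “USBSTOR” payload search used later in the post.

```xml
<!-- Added example (not the original post's configuration). Append to the
     Windows agent's ossec.conf, the file that View > View Config opens;
     OSSEC accepts more than one <ossec_config> block in a file, or you can
     merge these elements into the existing <syscheck> section instead. -->
<ossec_config>
  <syscheck>
    <!-- syscheck is a periodic scan, not a real-time hook: the agent only
         notices a new device at its next pass. The Windows agent's default
         interval is many hours; 300 seconds (assumed value) keeps detection
         reasonably prompt at the cost of more frequent registry reads. -->
    <frequency>300</frequency>
    <!-- Assumed key. Windows creates one subkey here for every USB
         mass-storage device it has ever enumerated, so a new subkey means a
         device this machine has not seen before. The key is monitored
         including its subkeys. -->
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR</windows_registry>
  </syscheck>
</ossec_config>
```

One caveat worth knowing before you rely on this: USBSTOR only records mass-storage devices. A device that presents itself as a keyboard, which is the scenario from the talk mentioned at the top, is enumerated under Enum\USB and Enum\HID instead, so add those keys as further <windows_registry> entries if you want to catch it, and expect more noise from them.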
CONFIRMING EVERYTHING WORKS
At this point everything should be set up to detect a new USB device whenever one is plugged into your OSSEC HIDS-enabled machine.
Note: this only works for *new* USB devices, because the registry keeps an entry for every USB device that has ever been connected to the machine, and a device seen before produces no change. For testing, you can delete the keys under the registry location shown below and re-insert your USB device as many times as you like to generate events.
In your AlienVault USM web interface, browse to “ANALYSIS –> Security Events (SIEM)”. Select “Payload” from the search-field drop-down and type “USBSTOR” into the search field. This should bring up your USB Detected event:
With this event information in hand, follow the normal AlienVault procedure to create a directive and generate an alarm based on the event.