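<!-- OSSEC USB-detection Rule for Linux - https://www.thomas-krenn.com/de/wiki/Ubuntu_Syslog -->

<!--
  Alerts on USB attach and detach messages written by the Linux kernel.

  Structure: rule 53600 is a level-0 parent that only selects kernel lines
  containing "usb"; rules 53601 to 53604 hang off it through if_sid and
  raise the actual alerts.

  Operational notes for whoever deploys this file:
  - The rules fire only if kernel messages reach a log file that OSSEC
    monitors and are decoded with program_name "kernel". Verify this on the
    target distribution, for example by replaying a sample line through
    ossec-logtest.
  - One plug-in normally logs both a "new <speed> USB device" line and a
    "New USB device found" line, so a single device can raise two level-8
    alerts.
  - The kernel also prints "New USB device found" for root hubs and built-in
    devices while booting, so expect a burst of alerts after every reboot
    and tune or correlate accordingly.
  - No fields are extracted here. Vendor and product IDs are available only
    as far as they appear in the raw log line attached to the alert.
  - NOTE(review): IDs 53600 to 53604 lie outside the 100000-119999 range that
    OSSEC documents for locally defined rules; confirm they do not collide
    with any other rule file loaded on the manager.
-->
<group name="linux, usb,">

  <!-- Parent selector: level 0 produces no alert by itself. It narrows the
       input to kernel messages mentioning "usb" so the child rules below
       are evaluated only against those lines. -->
  <rule id="53600" level="0">
    <program_name>kernel</program_name>
    <match>usb</match>
    <description>Linux USB detection messages grouped</description>
  </rule>

  <!-- Enumeration message logged once the kernel has identified a device.
       This is the only child that is independent of the speed class. -->
  <rule id="53601" level="8">
    <if_sid>53600</if_sid>
    <match>New USB device found</match>
    <description>A new USB device was found by the system</description>
    <group>linux,</group>
  </rule>

  <!-- Attach message for low-speed devices. -->
  <rule id="53602" level="8">
    <if_sid>53600</if_sid>
    <match>new low-speed USB device</match>
    <description>New Low-Speed USB Device was connected.</description>
    <group>linux,</group>
  </rule>

  <!-- Attach message for high-speed devices.
       NOTE(review): only the low-speed and high-speed attach lines have a
       dedicated rule. Other speed classes the kernel may report (for
       example full-speed or SuperSpeed) are covered solely by 53601;
       confirm that this is the intended coverage. -->
  <rule id="53603" level="8">
    <if_sid>53600</if_sid>
    <match>new high-speed USB device</match>
    <description>New High-Speed USB Device was connected</description>
    <group>linux,</group>
  </rule>

  <!-- Detach message. Rated level 3, lower than the attach rules, so it may
       fall below the alerting thresholds configured for mail or active
       response; it is still useful for pairing with a preceding attach. -->
  <rule id="53604" level="3">
    <if_sid>53600</if_sid>
    <match>USB disconnect</match>
    <description>USB device was disconnected</description>
    <group>linux,</group>
  </rule>

</group>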