I have the OSSEC HIDS software version 2.8.3 running on a RHEL 6 server. We have been testing this in the lab with a DNS server to track queries that come into our RPZ and Malware zones. The DNS server has the OSSEC agent installed. In order for this to work we had to use a custom-written decoder. Has anyone else had any experience with OSSEC and custom decoders besides those that are installed "out of the box"? I am mainly looking to get creative ideas on what other system administrators are doing with OSSEC that could also be useful in our production environment.
For instance, has anyone had success in writing/using a custom decoder to detect USB storage for Linux?
UPDATE: I have been working on a custom decoder and rule for detection of when a USB device is inserted into a server. Here is what the line of the log looks like that I want to match on:
Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575
My decoder rules in OSSEC:
<!-- Parent decoder: matches kernel messages that start with "usb " (the text
     after "kernel: "). The prematch is what offset="after_parent" in the child
     decoder is measured from; without it the child has no anchor point. -->
<decoder name="usb-storage">
  <program_name>kernel</program_name>
  <prematch>^usb </prematch>
</decoder>

<!-- Child decoder: runs on the remainder after the prematch, e.g.
     "1-1.2: New USB device found, idVendor=0781, idProduct=5575".
     The capture group is required for <order> to have a field to fill;
     the bus path (1-1.2) is stored in extra_data. -->
<decoder name="usb-storage-attached">
  <parent>usb-storage</parent>
  <regex offset="after_parent">^(\S+): New USB device found</regex>
  <order>extra_data</order>
</decoder>
My rules in OSSEC:
<group name="syslog,">
  <!-- USB Storage Detection Log Types -->
  <!-- level=0 for not generating alerts by default -->
  <rule id="310201" level="0">
    <decoded_as>usb-storage</decoded_as>
    <description>Looking for unknown USB attached storage</description>
  </rule>

  <!-- USB Storage Detection Event Chains -->
  <!-- Fire an alert (level=8) if the log line contains "New USB device found".
       <match> is tested against the log after "kernel: ", which begins with
       "usb 1-1.2: ...", so the pattern must not be anchored with ^. -->
  <rule id="310202" level="8">
    <if_sid>310201</if_sid>
    <match>New USB device found</match>
    <description>Attached USB Storage</description>
  </rule>
</group>
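As an added example, not part of the original post and not OSSEC code, here is a small Python model of the decoder chain and rule pair above, run over constructed log lines. It shows what each stage (syslog pre-decode, parent prematch, child regex, rule match) extracts, and why the rule's match must not be anchored with ^: the match is evaluated against the log after the program name, which begins with "usb 1-1.2:", not "New". Python's re module stands in for OSSEC's own OS_Regex engine, so this illustrates the logic rather than reproducing OSSEC's exact matching semantics; all function names and the second and third sample lines are constructed for the example.

```python
import re

# Constructed sample lines. The first mirrors the kernel line in the question;
# the other two are made up to show a non-matching kernel line and a
# non-kernel line.
SAMPLE_LOGS = [
    "Feb 3 10:23:08 testsys kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5575",
    "Feb 3 10:23:09 testsys kernel: usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "Feb 3 10:24:00 testsys sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2",
]

# Syslog pre-decoder: splits timestamp, host, program name and the remaining
# log text, which is what OSSEC does before any custom decoder runs.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# Decoder chain mirroring the XML above: the parent matches program_name
# "kernel" with prematch "^usb ", the child regex runs after the prematch
# (offset="after_parent") and captures the bus path into extra_data.
PARENT_PROGRAM = "kernel"
PARENT_PREMATCH = re.compile(r"^usb ")
CHILD_REGEX = re.compile(r"^(\S+): New USB device found")


def predecode(line):
    """Return the syslog fields of one line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(event):
    """Apply the usb-storage decoder chain; return decoder name plus fields, or None."""
    if event is None or event["program"] != PARENT_PROGRAM:
        return None
    pm = PARENT_PREMATCH.match(event["log"])
    if not pm:
        return None
    rest = event["log"][pm.end():]          # what offset="after_parent" sees
    cm = CHILD_REGEX.match(rest)
    fields = {"extra_data": cm.group(1)} if cm else {}
    return {"decoded_as": "usb-storage", **fields}


def evaluate_rules(event, decoded):
    """Walk the rules: 310201 (level 0) and, if its match hits, child 310202 (level 8)."""
    if decoded is None or decoded["decoded_as"] != "usb-storage":
        return None
    fired = {"id": 310201, "level": 0}
    # <match> is an unanchored substring test on the log after the program name.
    # An anchored "^New USB device found" would never hit "usb 1-1.2: New ...".
    if "New USB device found" in event["log"]:
        fired = {"id": 310202, "level": 8, "extra_data": decoded.get("extra_data")}
    return fired


def process(line):
    """Run one line through pre-decode, decoder chain and rules."""
    event = predecode(line)
    return evaluate_rules(event, decode(event))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(process(line))
```

Running it prints the level 8 alert with extra_data "1-1.2" for the first line, the silent level 0 rule for the "New USB device strings" line (same decoder, no match), and None for the sshd line, which never reaches the usb-storage decoder.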