Hi Kevin, I added your rules to the OSSEC Wazuh ruleset <https://github.com/wazuh/ossec-rules>. Check it out here: https://github.com/wazuh/ossec-rules/blob/master/rules-decoders/ossec/rules/msauth_rules.xml#L961
Thanks for your contribution! Regards.

On Monday, June 6, 2016 at 11:49:29 PM UTC+2, Kevin Branch wrote:
>
> The news about folks getting exploited via TeamViewer made me want to get
> proactive notification whenever any of my systems get logged into via
> Chrome Remote Desktop. These rules will send email alerts about failed and
> successful logins via Chrome Remote Desktop, plus generate an OSSEC event
> when chromoting sessions close. Feel free to improve on them.
>
> <rule id="100050" level="5">
>   <if_sid>18103</if_sid>
>   <regex>: chromoting: \.* Access denied for client: </regex>
>   <description>Chrome Remote Desktop attempt - access denied</description>
>   <options>alert_by_email</options>
> </rule>
>
> <rule id="100060" level="5">
>   <if_sid>18101</if_sid>
>   <regex>: chromoting: \.* Client connected:</regex>
>   <description>Chrome Remote Desktop attempt - connected</description>
>   <options>alert_by_email</options>
> </rule>
>
> <rule id="100070" level="5">
>   <if_sid>18101</if_sid>
>   <regex>: chromoting: \.* Client disconnected:</regex>
>   <description>Chrome Remote Desktop attempt - disconnected</description>
> </rule>
>
> Thanks to Doug for assisting me in getting these working.
>
> Kevin Branch
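An added example, not part of the thread or of the OSSEC/Wazuh ruleset: a Python approximation of the three quoted rules, run over constructed log lines to show which ones fire and which send email. The `WinEvtLog` line layout, the mapping of parent rules 18103 and 18101 to Windows ERROR and INFORMATION events, and all sample values are assumptions.

```python
import re

# OSSEC regex "\.*" (any character, repeated) is written ".*" in Python.
# "parent" approximates <if_sid>: assumed 18103 = Windows ERROR event,
# 18101 = Windows INFORMATION event (assumption, not stated in the thread).
RULES = [
    (100050, "ERROR", True,
     re.compile(r": chromoting: .* Access denied for client: ")),
    (100060, "INFORMATION", True,
     re.compile(r": chromoting: .* Client connected:")),
    (100070, "INFORMATION", False,
     re.compile(r": chromoting: .* Client disconnected:")),
]

# Assumed OSSEC layout: "WinEvtLog: <log>: <TYPE>(<event id>): <source>: ..."
WINEVT = re.compile(r"^WinEvtLog: [^:]+: (?P<type>[A-Z_]+)\(\d+\): ")

def match_rule(line):
    """Return (rule_id, alert_by_email) for the first matching rule, or None."""
    header = WINEVT.match(line)
    if header is None:
        return None
    for rule_id, parent, email, pattern in RULES:
        if header.group("type") == parent and pattern.search(line):
            return rule_id, email
    return None

def email_alerts(lines):
    """Rule ids that would trigger an email, in log order."""
    hits = (match_rule(line) for line in lines)
    return [hit[0] for hit in hits if hit and hit[1]]

# Constructed sample lines (host, account and event ids are made up).
PREFIX = "chromoting: (no user): no domain: WS01: "
SAMPLE = [
    "WinEvtLog: Application: ERROR(1): " + PREFIX + "Access denied for client: user@example.com/chromotingAB12",
    "WinEvtLog: Application: INFORMATION(2): " + PREFIX + "Client connected: user@example.com/chromotingAB12",
    "WinEvtLog: Application: INFORMATION(3): " + PREFIX + "Client disconnected: user@example.com/chromotingAB12",
    # Right text, wrong event type: the parent rule would not match.
    "WinEvtLog: Application: INFORMATION(1): " + PREFIX + "Access denied for client: user@example.com/chromotingAB12",
    # Right text, different event source: no ": chromoting: " field.
    "WinEvtLog: Application: INFORMATION(9): OtherApp: (no user): no domain: WS01: Client connected: 10.0.0.5",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(match_rule(line), "<-", line[:70])
```
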