This is the one I get on a successful VNC login.

>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:36   Connection received from 192.168.2.3

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Monday, October 21, 2013 11:07 AM
To: [email protected]
Subject: Re: [ossec-list] VNC Windows Server Alerts

On Mon, Oct 21, 2013 at 10:53 AM, Forums <[email protected]> wrote:
> I would need one for successful and failed attempts. I appreciate the 
> help as I know you guys are busy. For whatever the reason, I cannot 
> seem to find examples for this. I am a bit lacking in knowledge 
> regarding the rules for VNC. Anyway thanks again for getting back to me.

I'm not sure which log message was for successful connections, but here's
one for invalid connections:

<rule id="300002" level="1">
  <if_sid>300000</if_sid>
  <match> Invalid attempt from client </match>
  <description>Invalid VNC attempt.</description>
</rule>

You may need to adjust the levels for these, depending on what you want them
to do.

As far as examples go, the rules directory is full of examples of rules.
These aren't very difficult.

You could also add this decoder:
<decoder name="ultravnc">
  <parent>windows</parent>
  <prematch>UltraVnc: </prematch>
  <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
  <order>srcip</order>
</decoder>

It would require a tweak of the rules, but the srcip might be useful if you
want to use it with active response in the future.


> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of dan (ddp)
> Sent: Monday, October 21, 2013 10:49 AM
> To: [email protected]
> Subject: Re: [ossec-list] VNC Windows Server Alerts
>
> On Mon, Oct 21, 2013 at 10:29 AM, Forums <[email protected]> wrote:
>> Here is the copy of the logs I sent out from the archive last week.
>> Also
>> below:
>>
>
> Were there any other log messages you wanted me to write rules for? Or 
> was it just the one?
>
>
>> Archive log:
>>
>> Here is the output from the archives log after the 
>> <logall>yes</logall> option was set.
>>
>>
>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:35   Invalid attempt from client 192.168.2.3
>>
>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:36   Connection received from 192.168.2.3
>>
>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>> BEAST.mydomain.local: A request to disable the Desktop Window Manager 
>> was made by process (VNC server for X64/win32)
>>
>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>> BEAST.mydomain.local: (no message)
>>
>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:36   Client 192.168.2.3 disconnected
>>
>> -----Original Message-----
>> From: [email protected] 
>> [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: Monday, October 21, 2013 10:07 AM
>> To: [email protected]
>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>
>> On Mon, Oct 21, 2013 at 9:59 AM, Forums <[email protected]> wrote:
>>> Any ideas?
>>>
>>
>> Sorry about that, missed the email with the logs.
>>
>> <rule id="300000" level="1">
>>   <if_sid>18100</if_sid>
>>   <match>UltraVnc: </match>
>>   <description>UltraVNC blah blah</description>
>> </rule>
>>
>>   <rule id="300001" level="1">
>>     <if_sid>300000</if_sid>
>>     <match>Connection received from </match>
>>     <description>VNC connection</description>
>>   </rule>
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc:
>> (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 
>> Connection received from 192.168.2.3'
>>        hostname: 'arrakis'
>>        program_name: '(null)'
>>        log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no
>> user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection
>> received from 192.168.2.3'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'windows'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '300001'
>>        Level: '1'
>>        Description: 'VNC connection'
>> **Alert to be generated.
>>
>>
>>> -----Original Message-----
>>> From: Forums [mailto:[email protected]]
>>> Sent: Monday, October 14, 2013 8:55 PM
>>> To: '[email protected]'
>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>
>>> Here is the output from the archives log after the 
>>> <logall>yes</logall> option was set.
>>>
>>>
>>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>> 14/10/2013 20:35   Invalid attempt from client 192.168.2.3
>>>
>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>> 14/10/2013 20:36   Connection received from 192.168.2.3
>>>
>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>>> BEAST.mydomain.local: A request to disable the Desktop Window 
>>> Manager was made by process (VNC server for X64/win32)
>>>
>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>>> BEAST.mydomain.local: (no message)
>>>
>>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>> 14/10/2013 20:36   Client 192.168.2.3 disconnected
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]]
>>> On Behalf Of dan (ddp)
>>> Sent: Monday, October 14, 2013 3:01 PM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>
>>> On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
>>>> Okay I will do just that. I am not sure how to turn that on but I 
>>>> will research it and let you know or provide the logs once done.
>>>>
>>>
>>> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
>>>
>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]]
>>>> On Behalf Of dan (ddp)
>>>> Sent: Monday, October 14, 2013 2:03 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>
>>>> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
>>>>> I am such a fool. Please forgive me for my stupidness. I did 
>>>>> provide the screenshot of the log files that will need to be 
>>>>> parsed which were windows application logs. Not really vnc itself 
>>>>> but the logs.
>>>>> If you don't hear from me again it's because I stuck my tongue in a 
>>>>> light socket.
>>>>>
>>>>
>>>> And I don't want to waste a bunch of time trying to figure out how 
>>>> that log event looks to OSSEC. I could spend a lot of time doing 
>>>> that, or you could provide the log from archives.log (after turning 
>>>> on the log all option and triggering the log).
>>>> Maybe someone else wants to give it a shot though.
>>>>
>>>>>
>>>>>
>>>>> From: [email protected]
>>>>> [mailto:[email protected]]
>>>>> On Behalf Of dan (ddp)
>>>>> Sent: Monday, October 14, 2013 11:58 AM
>>>>> To: [email protected]
>>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>>>>>>
>>>>>> The log from the windows machines (VNC login) is attached. My 
>>>>>> point is, there
>>>>>
>>>>> Sorry about that, I must have missed it. All I saw was an 
>>>>> absolutely useless screen shot of event viewer. I'll take another 
>>>>> look after lunch.
>>>>>
>>>>>> is currently no rule for VNC, then any logs are probably going to 
>>>>>> point to nothing at this point. I need assistance creating a rule 
>>>>>> right?
>>>>>>
>>>>>> If I am to turn on all logs feature for the OSSEC server I will 
>>>>>> research that as I have never heard of it.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [email protected] 
>>>>>> [mailto:[email protected]] On Behalf Of dan (ddp)
>>>>>> Sent: Monday, October 14, 2013 10:58 AM
>>>>>> To: [email protected]
>>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>>>
>>>>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>>>>>> > VNC is installed on my windows machine. I have ossec server 
>>>>>> > installed on a Linux machine with agents installed on my 
>>>>>> > workstations. I need to be alerted when someone remotes to my 
>>>>>> > windows machine using VNC.
>>>>>> > The alert event ID 1 shows in the application logs. Is there a 
>>>>>> > rule like VNC.xml for ossec?
>>>>>> >
>>>>>> > I cannot seem to get this event to trigger. Please see attached.
>>>>>> >
>>>>>> > localrules.xml
>>>>>> >
>>>>>> >  <!-- VNC Login -->
>>>>>> >   <rule id="100036" level="11">
>>>>>> >    <id>^1|^2</id>
>>>>>> >    <match>Connection received from</match>
>>>>>> >    <group>syslog,</group>
>>>>>> >    <description>VNC Login</description>
>>>>>> >   </rule>
>>>>>> > </group> <!--SYSLOG,LOCAL -->
>>>>>> >
>>>>>>
>>>>>> Turn on the log all option on the server and trigger the log message.
>>>>>> That way we'll have a copy of the log to work with.
>>>>>>
>>>>>> > --
>>>>>> >
>>>>>> > ---
>>>>>> > You received this message because you are subscribed to the 
>>>>>> > Google Groups "ossec-list" group.
>>>>>> > To unsubscribe from this group and stop receiving emails from 
>>>>>> > it, send an email to [email protected].
>>>>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>>>>>
>>>>>
>>>>
>>>
>>
>


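To sanity-check the decoder and rule chain from this thread before loading them into OSSEC, here is an added Python sketch (not from the thread and not OSSEC's own code) that replays the three UltraVnc events and the Desktop Window Manager event from the archive log through an approximation of the decoder regex and rules 300000/300001/300002. It assumes the OSSEC regex translates directly to Python `re` and that the single `srcip` order field takes whichever alternation branch captured a value.

```python
import re

# Windows application-log events from the thread's archive log, embedded
# inline as constructed sample input so the script runs offline.
SAMPLE_EVENTS = [
    "WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:35   Invalid attempt from client 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36   Client 192.168.2.3 disconnected",
    "WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): "
    "no domain: BEAST.mydomain.local: A request to disable the Desktop Window "
    "Manager was made by process (VNC server for X64/win32)",
]

# The decoder's <prematch> and <regex> rewritten as Python regexes. OSSEC's
# engine is not PCRE, so this is an approximation (assumption).
PREMATCH = "UltraVnc: "
SRCIP_RE = re.compile(r" from (\S+)$| from client (\S+)$")

# Child rules from the thread; each <match> is a plain substring test.
CHILD_RULES = [
    (300001, 1, "Connection received from ", "VNC connection"),
    (300002, 1, " Invalid attempt from client ", "Invalid VNC attempt."),
]

def decode(event):
    """Mimic the ultravnc decoder: require the prematch, then capture srcip
    from the text after it. Returns None when the prematch does not apply."""
    idx = event.find(PREMATCH)
    if idx < 0:
        return None
    m = SRCIP_RE.search(event[idx + len(PREMATCH):])
    # One <order> field (srcip): take whichever alternation branch captured
    # (assumption about how OSSEC numbers groups across alternatives).
    srcip = next((g for g in m.groups() if g), None) if m else None
    return {"srcip": srcip}

def evaluate(event):
    """Walk the rule chain: parent 300000 fires on the prematch, the first
    matching child overrides it, otherwise the parent itself is the alert."""
    fields = decode(event)
    if fields is None:
        return None  # not an UltraVnc event, rule 300000 never fires
    for rule_id, level, needle, desc in CHILD_RULES:
        if needle in event:
            return {"rule": rule_id, "level": level, "description": desc, **fields}
    return {"rule": 300000, "level": 1, "description": "UltraVNC blah blah", **fields}
```

Note that the disconnect event falls through to rule 300000 with no srcip, because neither regex branch matches "Client ... disconnected"; a third child rule and an extra regex branch would be needed to track disconnects by address.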