I had little time tonight to work on this but I attempted to add your
decoder rule with the following error:

Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
2013/10/21 21:17:15 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'windows'.
2013/10/21 21:17:15 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
2013/10/21 21:17:15 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Forums
Sent: Monday, October 21, 2013 11:34 AM
To: [email protected]
Subject: RE: [ossec-list] VNC Windows Server Alerts

Great work! Thanks again. I will add the decoder you have given me. If there
is anything specific I need to know when creating the decoder let me know.
As far as I have seen there is only 1 decoder rule file which is where I
will add in the decoder rule you have given. I will let you know my results.


Regards

-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Monday, October 21, 2013 11:27 AM
To: [email protected]
Subject: Re: [ossec-list] VNC Windows Server Alerts

On Mon, Oct 21, 2013 at 11:19 AM, Forums <[email protected]> wrote:
> This is the one I get when successful login vnc.
>

Ok, one of the rules covered that.

After I added the decoder, these rules seemed to work:
  <rule id="300000" level="1">
    <match>UltraVnc: </match>
    <description>UltraVNC blah blah</description>
  </rule>

  <rule id="300001" level="1">
    <if_sid>300000</if_sid>
    <match>Connection received from </match>
    <description>VNC connection</description>
  </rule>

  <rule id="300002" level="1">
    <if_sid>300000</if_sid>
    <match> Invalid attempt from client </match>
    <description>Invalid VNC attempt.</description>
  </rule>


>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Monday, October 21, 2013 11:07 AM
> To: [email protected]
> Subject: Re: [ossec-list] VNC Windows Server Alerts
>
> On Mon, Oct 21, 2013 at 10:53 AM, Forums <[email protected]> wrote:
>> I would need one for successful and failed attempts. I appreciate the 
>> help as I know you guys are busy. For whatever the reason, I cannot 
>> seem to find examples for this. I am a bit lacking in knowledge 
>> regarding the rules for VNC. Anyway thanks again for getting back to me.
>
> I'm not sure which log message was for successful connections, but 
> here's one for invalid connections:
>
>  <rule id="300002" level="1">
>     <if_sid>300000</if_sid>
>     <match> Invalid attempt from client </match>
>     <description>Invalid VNC attempt.</description>
>   </rule>
>
> You may need to adjust the levels for these, depending on what you 
> want them to do.
>
> As far as examples go, the rules directory is full of examples of rules.
> These aren't very difficult.
>
> You could also add this decoder:
> <decoder name="ultravnc">
>   <parent>windows</parent>
>   <prematch>UltraVnc: </prematch>
>   <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
>   <order>srcip</order>
> </decoder>
>
> It would require a tweak of the rules, but the srcip might be useful 
> if you want to use it with active response in the future.
>
>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]]
>> On Behalf Of dan (ddp)
>> Sent: Monday, October 21, 2013 10:49 AM
>> To: [email protected]
>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>
>> On Mon, Oct 21, 2013 at 10:29 AM, Forums <[email protected]> wrote:
>>> Here is the copy of the logs I sent out from the archive last week.
>>> Also
>>> below:
>>>
>>
>> Were there any other log messages you wanted me to write rules for? 
>> Or was it just the one?
>>
>>
>>> Archive log:
>>>
>>> Here is the output from the archives log after the 
>>> <logall>yes</logall> option was set.
>>>
>>>
>>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35   Invalid attempt from client 192.168.2.3
>>>
>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3
>>>
>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the Desktop Window Manager was made by process (VNC server for X64/win32)
>>>
>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: (no message)
>>>
>>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Client 192.168.2.3 disconnected
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]]
>>> On Behalf Of dan (ddp)
>>> Sent: Monday, October 21, 2013 10:07 AM
>>> To: [email protected]
>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>
>>> On Mon, Oct 21, 2013 at 9:59 AM, Forums <[email protected]> wrote:
>>>> Any ideas?
>>>>
>>>
>>> Sorry about that, missed the email with the logs.
>>>
>>>  <rule id="300000" level="1">
>>>     <if_sid>18100</if_sid>
>>>     <match>UltraVnc: </match>
>>>     <description>UltraVNC blah blah</description>
>>>   </rule>
>>>
>>>   <rule id="300001" level="1">
>>>     <if_sid>300000</if_sid>
>>>     <match>Connection received from </match>
>>>     <description>VNC connection</description>
>>>   </rule>
>>>
>>>
>>> **Phase 1: Completed pre-decoding.
>>>        full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3'
>>>        hostname: 'arrakis'
>>>        program_name: '(null)'
>>>        log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3'
>>>
>>> **Phase 2: Completed decoding.
>>>        decoder: 'windows'
>>>
>>> **Phase 3: Completed filtering (rules).
>>>        Rule id: '300001'
>>>        Level: '1'
>>>        Description: 'VNC connection'
>>> **Alert to be generated.
>>>
>>>
>>>> -----Original Message-----
>>>> From: Forums [mailto:[email protected]]
>>>> Sent: Monday, October 14, 2013 8:55 PM
>>>> To: '[email protected]'
>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>>
>>>> Here is the output from the archives log after the 
>>>> <logall>yes</logall> option was set.
>>>>
>>>>
>>>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35   Invalid attempt from client 192.168.2.3
>>>>
>>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3
>>>>
>>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the Desktop Window Manager was made by process (VNC server for X64/win32)
>>>>
>>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: (no message)
>>>>
>>>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36   Client 192.168.2.3 disconnected
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]]
>>>> On Behalf Of dan (ddp)
>>>> Sent: Monday, October 14, 2013 3:01 PM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>
>>>> On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
>>>>> Okay I will do just that. I am not sure how to turn that on but I 
>>>>> will research it and let you know or provide the logs once done.
>>>>>
>>>>
>>>> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: [email protected]
>>>>> [mailto:[email protected]]
>>>>> On Behalf Of dan (ddp)
>>>>> Sent: Monday, October 14, 2013 2:03 PM
>>>>> To: [email protected]
>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>>
>>>>> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
>>>>>> I am such a fool. Please forgive me for my stupidness. I did 
>>>>>> provide the screenshot of the log files that will need to be 
>>>>>> parsed which were windows application logs. Not really vnc itself 
>>>>>> but the logs.
>>>>>> If you don't hear from me again it's because I stuck my tongue in 
>>>>>> a light socket.
>>>>>>
>>>>>
>>>>> And I don't want to waste a bunch of time trying to figure out how 
>>>>> that log event looks to OSSEC. I could spend a lot of time doing 
>>>>> that, or you could provide the log from archives.log (after 
>>>>> turning on the log all option and triggering the log).
>>>>> Maybe someone else wants to give it a shot though.
>>>>>
>>>>>>
>>>>>>
>>>>>> From: [email protected] 
>>>>>> [mailto:[email protected]]
>>>>>> On Behalf Of dan (ddp)
>>>>>> Sent: Monday, October 14, 2013 11:58 AM
>>>>>> To: [email protected]
>>>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>>>>>>>
>>>>>>> The log from the windows machines (VNC login) is attached. My 
>>>>>>> point is, there
>>>>>>
>>>>>> Sorry about that, I must have missed it. All I saw was an 
>>>>>> absolutely useless screen shot of event viewer. I'll take another 
>>>>>> look after lunch.
>>>>>>
>>>>>>> is currently no rule for VNC, the any logs are probably going to 
>>>>>>> point to nothing at this point. I need assistance creating a 
>>>>>>> rule right?
>>>>>>>
>>>>>>> If I am to turn on all logs feature for the OSSEC server I will 
>>>>>>> research that as I have never heard of it.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: [email protected] 
>>>>>>> [mailto:[email protected]] On Behalf Of dan (ddp)
>>>>>>> Sent: Monday, October 14, 2013 10:58 AM
>>>>>>> To: [email protected]
>>>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>>>>
>>>>>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>>>>>>> > VNC is installed on my windows machine. I have ossec server 
>>>>>>> > installed on  a Linux machine with agents installed on my 
>>>>>>> > workstations. I need to be alerted when someone remotes to my 
>>>>>>> > windows machine using VNC.
>>>>>>> > The alert event ID 1 shows in the application logs. Is there a 
>>>>>>> > rule like VNC.xml for ossec?
>>>>>>> >
>>>>>>> > I cannot seem to get this event to trigger. Please see attached.
>>>>>>> >
>>>>>>> > localrules.xml
>>>>>>> >
>>>>>>> >  <!-- VNC Login -->
>>>>>>> >   <rule id="100036" level="11">
>>>>>>> >    <id>^1|^2</id>
>>>>>>> >    <match>Connection received from</match>
>>>>>>> >    <group>syslog,</group>
>>>>>>> >    <description>VNC Login</description>
>>>>>>> >   </rule>
>>>>>>> > </group> <!--SYSLOG,LOCAL -->
>>>>>>> >
>>>>>>>
>>>>>>> Turn on the log all option on the server and trigger the log message.
>>>>>>> That way we'll have a copy of the log to work with.
>>>>>>>
>>>>>>> > --
>>>>>>> >
>>>>>>> > ---
>>>>>>> > You received this message because you are subscribed to the 
>>>>>>> > Google Groups "ossec-list" group.
>>>>>>> > To unsubscribe from this group and stop receiving emails from 
>>>>>>> > it, send an email to [email protected].
>>>>>>> > For more options, visit https://groups.google.com/groups/opt_out.
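Added example, not part of the thread and not OSSEC's own code: a small Python emulation of the decoder and rule chain dan posted, run over the archives.log events quoted above, so the srcip extraction and the <if_sid> rule tree can be checked without a running OSSEC server. Assumptions: the stock `windows` decoder is reduced to its `^WinEvtLog: ` prematch (only its name matters for the child); Python's `re` stands in for OSSEC's own regex engine, which is safe for the `\S+`, `|` and `$` used in this decoder; the rule description strings and the event list are constructed from the thread. The `load_decoders` function also mirrors the check behind the "Parent decoder name invalid: 'windows'" error in the top message: as far as I know OSSEC reads decoder.xml top to bottom and resolves `<parent>` against decoders already loaded, so a child decoder placed above the `windows` decoder in the file is rejected, and moving the ultravnc decoder below it is the usual fix.

```python
"""Emulation of the UltraVNC decoder/rule chain from this thread (added
example, not OSSEC code): prematch, offset="after_prematch" regex, <order>,
the <if_sid> rule tree, and the parent-must-be-loaded-first check behind
the 'Parent decoder name invalid' error."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed from the archives.log lines quoted in the thread: the payload
# after "10.1.1.12->WinEvtLog " is what ossec-logtest prints as 'log:'.
EVENTS = [
    "WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:35   Invalid attempt from client 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36   Connection received from 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): "
    "no domain: BEAST.mydomain.local: A request to disable the Desktop Window "
    "Manager was made by process (VNC server for X64/win32)",
    "WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36   Client 192.168.2.3 disconnected",
]


@dataclass
class Decoder:
    name: str
    prematch: str                      # tested against the whole log line
    parent: Optional[str] = None
    regex: Optional[str] = None        # applied after the prematch (after_prematch)
    order: List[str] = field(default_factory=list)


# Assumption: the stock 'windows' decoder reduced to its prematch; the child
# is the decoder dan posted, unchanged.
DECODERS_OK = [
    Decoder("windows", prematch=r"^WinEvtLog: "),
    Decoder("ultravnc", prematch=r"UltraVnc: ", parent="windows",
            regex=r" from (\S+)$| from client (\S+)$", order=["srcip"]),
]


def load_decoders(decoders: List[Decoder]) -> Dict[str, Decoder]:
    """File order matters: <parent> is resolved against decoders already
    loaded, so a child listed above its parent is rejected."""
    loaded: Dict[str, Decoder] = {}
    for d in decoders:
        if d.parent is not None and d.parent not in loaded:
            raise ValueError(f"Parent decoder name invalid: '{d.parent}'")
        loaded[d.name] = d
    return loaded


def parent_order_ok(decoders: List[Decoder]) -> bool:
    try:
        load_decoders(decoders)
        return True
    except ValueError:
        return False


def decode(log: str, decoders: Dict[str, Decoder]):
    """Return (name of the deepest matching decoder, extracted fields)."""
    fields: Dict[str, str] = {}
    hit = next((d for d in decoders.values()
                if d.parent is None and re.search(d.prematch, log)), None)
    if hit is None:
        return None, fields
    for child in (d for d in decoders.values() if d.parent == hit.name):
        pm = re.search(child.prematch, log)
        if not pm:
            continue
        hit = child
        if child.regex:
            m = re.search(child.regex, log[pm.end():])
            if m:
                # With '|' only one alternative's groups capture; <order>
                # is filled from the groups that actually matched.
                vals = [g for g in m.groups() if g is not None]
                fields.update(zip(child.order, vals))
        break
    return hit.name, fields


@dataclass
class Rule:
    id: int
    level: int
    match: str                         # OSSEC <match> is a substring test
    description: str
    if_sid: Optional[int] = None


RULES = [
    Rule(300000, 1, "UltraVnc: ", "UltraVNC event"),
    Rule(300001, 1, "Connection received from ", "VNC connection", if_sid=300000),
    Rule(300002, 1, " Invalid attempt from client ", "Invalid VNC attempt.", if_sid=300000),
]


def match_rules(log: str, rules: List[Rule]) -> Optional[Rule]:
    """Children are only tried once their <if_sid> parent matched; the first
    matching child wins, otherwise the parent itself fires."""
    parent = next((r for r in rules if r.if_sid is None and r.match in log), None)
    if parent is None:
        return None
    return next((r for r in rules if r.if_sid == parent.id and r.match in log), parent)


def analyse(log: str) -> dict:
    dec, fields = decode(log, load_decoders(DECODERS_OK))
    rule = match_rules(log, RULES)
    return {"decoder": dec, "srcip": fields.get("srcip"),
            "rule": rule.id if rule else None}


if __name__ == "__main__":
    for ev in EVENTS:
        print(analyse(ev), "<-", ev[-60:])
```

Running it shows the two events dan wrote rules for decoding to srcip 192.168.2.3 and firing 300002 and 300001 respectively, while the Desktop Window Manager event stays on the `windows` decoder with no UltraVNC rule. Note that the "Client 192.168.2.3 disconnected" event only reaches rule 300000 and gets no srcip, because neither alternative in the regex matches it; if you want the address for disconnects as well (for instance to pair them with connections), a third alternative such as `Client (\S+) disconnected$` would have to be added to the decoder's regex.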