On Oct 21, 2013 9:33 PM, "Forums" <[email protected]> wrote:
>
> I had little time tonight to work on this but I attempted to add your decoder rule with the following error:
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> 2013/10/21 21:17:15 ossec-analysisd(2101): ERROR: Parent decoder name invalid: 'windows'.
> 2013/10/21 21:17:15 ossec-analysisd(2106): ERROR: Error adding decoder plugin.
> 2013/10/21 21:17:15 ossec-testrule(1202): ERROR: Configuration error at '/etc/decoder.xml'. Exiting.
>
Try adding it to local_decoder.xml instead. The windows decoder exists, unless you removed it.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Forums
> Sent: Monday, October 21, 2013 11:34 AM
> To: [email protected]
> Subject: RE: [ossec-list] VNC Windows Server Alerts
>
> Great work! Thanks again. I will add the decoder you have given me. If there is anything specific I need to know when creating the decoder let me know. As far as I have seen there is only 1 decoder rule file which is where I will add in the decoder rule you have given. I will let you know my results.
>
>
> Regards
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Monday, October 21, 2013 11:27 AM
> To: [email protected]
> Subject: Re: [ossec-list] VNC Windows Server Alerts
>
> On Mon, Oct 21, 2013 at 11:19 AM, Forums <[email protected]> wrote:
> > This is the one I get when successful login vnc.
> >
>
> Ok, one of the rules covered that.
>
> After I added the decoder, these rules seemed to work:
> <rule id="300000" level="1">
>   <match>UltraVnc: </match>
>   <description>UltraVNC blah blah</description>
> </rule>
>
> <rule id="300001" level="1">
>   <if_sid>300000</if_sid>
>   <match>Connection received from </match>
>   <description>VNC connection</description>
> </rule>
>
> <rule id="300002" level="1">
>   <if_sid>300000</if_sid>
>   <match> Invalid attempt from client </match>
>   <description>Invalid VNC attempt.</description>
> </rule>
>
> > >>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> > Sent: Monday, October 21, 2013 11:07 AM
> > To: [email protected]
> > Subject: Re: [ossec-list] VNC Windows Server Alerts
> >
> > On Mon, Oct 21, 2013 at 10:53 AM, Forums <[email protected]> wrote:
> >> I would need one for successful and failed attempts. I appreciate the help as I know you guys are busy. For whatever the reason, I cannot seem to find examples for this. I am a bit lacking in knowledge regarding the rules for VNC. Anyway thanks again for getting back to me.
> >
> > I'm not sure which log message was for successful connections, but here's one for invalid connections:
> >
> > <rule id="300002" level="1">
> >   <if_sid>300000</if_sid>
> >   <match> Invalid attempt from client </match>
> >   <description>Invalid VNC attempt.</description>
> > </rule>
> >
> > You may need to adjust the levels for these, depending on what you want them to do.
> >
> > As far as examples go, the rules directory is full of examples of rules. These aren't very difficult.
> >
> > You could also add this decoder:
> > <decoder name="ultravnc">
> >   <parent>windows</parent>
> >   <prematch>UltraVnc: </prematch>
> >   <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
> >   <order>srcip</order>
> > </decoder>
> >
> > It would require a tweak of the rules, but the srcip might be useful if you want to use it with active response in the future.
> >
> >
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >> Sent: Monday, October 21, 2013 10:49 AM
> >> To: [email protected]
> >> Subject: Re: [ossec-list] VNC Windows Server Alerts
> >>
> >> On Mon, Oct 21, 2013 at 10:29 AM, Forums <[email protected]> wrote:
> >>> Here is the copy of the logs I sent out from the archive last week. Also below:
> >>>
> >>
> >> Were there any other log messages you wanted me to write rules for? Or was it just the one?
> >>
> >>
> >>> Archive log:
> >>>
> >>> Here is the output from the archives log after the <logall>yes</logall> option was set.
> >>>
> >>>
> >>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
> >>>
> >>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3
> >>>
> >>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the Desktop Window Manager was made by process (VNC server for X64/win32)
> >>>
> >>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: (no message)
> >>>
> >>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected
> >>>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >>> Sent: Monday, October 21, 2013 10:07 AM
> >>> To: [email protected]
> >>> Subject: Re: [ossec-list] VNC Windows Server Alerts
> >>>
> >>> On Mon, Oct 21, 2013 at 9:59 AM, Forums <[email protected]> wrote:
> >>>> Any ideas?
> >>>>
> >>>
> >>> Sorry about that, missed the email with the logs.
> >>>
> >>> <rule id="300000" level="1">
> >>>   <if_sid>18100</if_sid>
> >>>   <match>UltraVnc: </match>
> >>>   <description>UltraVNC blah blah</description>
> >>> </rule>
> >>>
> >>> <rule id="300001" level="1">
> >>>   <if_sid>300000</if_sid>
> >>>   <match>Connection received from </match>
> >>>   <description>VNC connection</description>
> >>> </rule>
> >>>
> >>>
> >>> **Phase 1: Completed pre-decoding.
> >>>        full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3'
> >>>        hostname: 'arrakis'
> >>>        program_name: '(null)'
> >>>        log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3'
> >>>
> >>> **Phase 2: Completed decoding.
> >>>        decoder: 'windows'
> >>>
> >>> **Phase 3: Completed filtering (rules).
> >>>        Rule id: '300001'
> >>>        Level: '1'
> >>>        Description: 'VNC connection'
> >>> **Alert to be generated.
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: Forums [mailto:[email protected]]
> >>>> Sent: Monday, October 14, 2013 8:55 PM
> >>>> To: '[email protected]'
> >>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
> >>>>
> >>>> Here is the output from the archives log after the <logall>yes</logall> option was set.
> >>>>
> >>>>
> >>>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
> >>>>
> >>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3
> >>>>
> >>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the Desktop Window Manager was made by process (VNC server for X64/win32)
> >>>>
> >>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: (no message)
> >>>>
> >>>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >>>> Sent: Monday, October 14, 2013 3:01 PM
> >>>> To: [email protected]
> >>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
> >>>>
> >>>> On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
> >>>>> Okay I will do just that. I am not sure how to turn that on but I will research it and let you know or provide the logs once done.
> >>>>>
> >>>>
> >>>> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
> >>>>
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >>>>> Sent: Monday, October 14, 2013 2:03 PM
> >>>>> To: [email protected]
> >>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
> >>>>>
> >>>>> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
> >>>>>> I am such a fool. Please forgive me for my stupidness. I did provide the screenshot of the log files that will need to be parsed which were windows application logs. Not really vnc itself but the logs. If you don't hear from me again it's because I stuck my tongue in a light socket.
> >>>>>>
> >>>>>
> >>>>> And I don't want to waste a bunch of time trying to figure out how that log event looks to OSSEC. I could spend a lot of time doing that, or you could provide the log from archives.log (after turning on the log all option and triggering the log).
> >>>>> Maybe someone else wants to give it a shot though.
> >>>>>
> >>>>>>
> >>>>>>
> >>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >>>>>> Sent: Monday, October 14, 2013 11:58 AM
> >>>>>> To: [email protected]
> >>>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
> >>>>>>
> >>>>>>
> >>>>>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
> >>>>>>>
> >>>>>>> The log from the windows machines (VNC login) is attached. My point is, there
> >>>>>>
> >>>>>> Sorry about that, I must have missed it. All I saw was an absolutely useless screen shot of event viewer. I'll take another look after lunch.
> >>>>>>
> >>>>>>> is currently no rule for VNC, any logs are probably going to point to nothing at this point. I need assistance creating a rule right?
> >>>>>>>
> >>>>>>> If I am to turn on all logs feature for the OSSEC server I will research that as I have never heard of it.
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> >>>>>>> Sent: Monday, October 14, 2013 10:58 AM
> >>>>>>> To: [email protected]
> >>>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
> >>>>>>>
> >>>>>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
> >>>>>>> > VNC is installed on my windows machine. I have ossec server installed on a Linux machine with agents installed on my workstations. I need to be alerted when someone remotes to my windows machine using VNC.
> >>>>>>> > The alert event ID 1 shows in the application logs. Is there a rule like VNC.xml for ossec?
> >>>>>>> >
> >>>>>>> > I cannot seem to get this event to trigger. Please see attached.
> >>>>>>> >
> >>>>>>> > localrules.xml
> >>>>>>> >
> >>>>>>> > <!-- VNC Login -->
> >>>>>>> > <rule id="100036" level="11">
> >>>>>>> >   <id>^1|^2</id>
> >>>>>>> >   <match>Connection received from</match>
> >>>>>>> >   <group>syslog,</group>
> >>>>>>> >   <description>VNC Login</description>
> >>>>>>> > </rule>
> >>>>>>> > </group> <!--SYSLOG,LOCAL -->
> >>>>>>> >
> >>>>>>>
> >>>>>>> Turn on the log all option on the server and trigger the log message. That way we'll have a copy of the log to work with.
> >>>>>>>
> >>>>>>> > --
> >>>>>>> >
> >>>>>>> > ---
> >>>>>>> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >>>>>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >>>>>>> > For more options, visit https://groups.google.com/groups/opt_out .
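Added example (not code from this thread or from the OSSEC project): a small Python model of dan's ultravnc decoder and the three rules, run over the archive lines quoted above. The event strings are constructed from the quoted logs, and the matching logic is a simplification of what ossec-analysisd does (prematch, then the after_prematch regex for srcip, then the if_sid rule chain), not OSSEC's engine.

```python
import re

# Constructed sample input: the "log" field of four Application-log events
# quoted in the thread, i.e. the part the windows decoder hands to children.
SAMPLE_EVENTS = [
    "WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected",
    "WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): "
    "no domain: BEAST.mydomain.local: A request to disable the Desktop Window "
    "Manager was made by process (VNC server for X64/win32)",
]

PREMATCH = "UltraVnc: "
# The <regex offset="after_prematch"> from the thread, as a Python regex.
SRCIP_RE = re.compile(r" from (\S+)$| from client (\S+)$")

# (id, level, if_sid, match string, description) for the three thread rules
RULES = [
    (300000, 1, None, "UltraVnc: ", "UltraVNC blah blah"),
    (300001, 1, 300000, "Connection received from ", "VNC connection"),
    (300002, 1, 300000, " Invalid attempt from client ", "Invalid VNC attempt."),
]


def decode(log):
    """Apply the ultravnc child decoder: prematch first, regex on the rest."""
    idx = log.find(PREMATCH)
    if idx < 0:
        return {"decoder": "windows"}          # parent decoder only
    fields = {"decoder": "ultravnc"}
    m = SRCIP_RE.search(log[idx + len(PREMATCH):])
    if m:
        fields["srcip"] = m.group(1) or m.group(2)   # whichever alternative hit
    return fields


def evaluate(log):
    """Walk the if_sid chain: a child is only tried once its parent matched,
    and the most specific (last) matching rule is the one reported."""
    result = decode(log)
    matched = set()
    for rid, level, parent, needle, desc in RULES:
        if (parent is None or parent in matched) and needle in log:
            matched.add(rid)
            result.update({"rule": rid, "level": level, "description": desc})
    return result


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev))
```

The disconnect event only reaches the generic rule 300000 and yields no srcip, which is the gap dan's "tweak of the rules" remark points at if active response is to key on the client address.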
