On Tue, Oct 22, 2013 at 11:38 AM, Forums <[email protected]> wrote:
> I didn't have a local_decoder file so I created one and added in the decoder
> you gave me. It works fine for the first rule:
>
>> After I added the decoder, these rules seemed to work:
>> <rule id="300000" level="1">
>>   <match>UltraVnc: </match>
>>   <description>UltraVNC blah blah</description>
>> </rule>
>
> The other rules pointing to <if_sid>30000 etc etc do not work because it says
> something about not finding that sid or something. Regardless all I need is
> the first rule. Just for my own knowledge I will be looking into why the
> other rules don't work and why I am getting the error messages.
>
>> <rule id="300001" level="1">
>>   <if_sid>300000</if_sid> (it's like there is not 30000)
>>   <match>Connection received from </match>
>>   <description>VNC connection</description>
>> </rule>
>>
>> <rule id="300002" level="1">
>>   <if_sid>300000</if_sid>
>>   <match> Invalid attempt from client </match>
>>   <description>Invalid VNC attempt.</description>
>> </rule>
>
> The errors show themselves when I restart the ossec services
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> 2013/10/22 11:36:35 rules_list: Signature ID '300000' not found. Invalid
> 'if_sid'.
>
So rule 300000 isn't getting loaded.

> ossec-analysisd: Configuration error. Exiting.
> Started ossec-maild...
>
> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
> Sent: Monday, October 21, 2013 9:35 PM
> To: [email protected]
> Subject: RE: [ossec-list] VNC Windows Server Alerts
>
> On Oct 21, 2013 9:33 PM, "Forums" <[email protected]> wrote:
>>
>> I had little time tonight to work on this but I attempted to add your
>> decoder rule with the following error:
>>
>> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
>> 2013/10/21 21:17:15 ossec-analysisd(2101): ERROR: Parent decoder name
>> invalid: 'windows'.
>> 2013/10/21 21:17:15 ossec-analysisd(2106): ERROR: Error adding decoder
>> plugin.
>> 2013/10/21 21:17:15 ossec-testrule(1202): ERROR: Configuration error at
>> '/etc/decoder.xml'. Exiting.
>>
>
> Try adding it to local_decoder.xml instead. The windows decoder exists,
> unless you removed it.
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Forums
>> Sent: Monday, October 21, 2013 11:34 AM
>> To: [email protected]
>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>
>> Great work! Thanks again. I will add the decoder you have given me. If
>> there is anything specific I need to know when creating the decoder let me know.
>> As far as I have seen there is only 1 decoder rule file which is where I
>> will add in the decoder rule you have given. I will let you know my
>> results.
>>
>> Regards
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> Sent: Monday, October 21, 2013 11:27 AM
>> To: [email protected]
>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>
>> On Mon, Oct 21, 2013 at 11:19 AM, Forums <[email protected]> wrote:
>> > This is the one I get when successful login vnc.
>> >
>>
>> Ok, one of the rules covered that.
>>
>> After I added the decoder, these rules seemed to work:
>> <rule id="300000" level="1">
>>   <match>UltraVnc: </match>
>>   <description>UltraVNC blah blah</description>
>> </rule>
>>
>> <rule id="300001" level="1">
>>   <if_sid>300000</if_sid>
>>   <match>Connection received from </match>
>>   <description>VNC connection</description>
>> </rule>
>>
>> <rule id="300002" level="1">
>>   <if_sid>300000</if_sid>
>>   <match> Invalid attempt from client </match>
>>   <description>Invalid VNC attempt.</description>
>> </rule>
>>
>> >>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>> 14/10/2013 20:36 Connection received from 192.168.2.3
>> >
>> > -----Original Message-----
>> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> > Sent: Monday, October 21, 2013 11:07 AM
>> > To: [email protected]
>> > Subject: Re: [ossec-list] VNC Windows Server Alerts
>> >
>> > On Mon, Oct 21, 2013 at 10:53 AM, Forums <[email protected]> wrote:
>> >> I would need one for successful and failed attempts. I appreciate the
>> >> help as I know you guys are busy. For whatever the reason, I cannot
>> >> seem to find examples for this. I am a bit lacking in knowledge
>> >> regarding the rules for VNC. Anyway thanks again for getting back to
>> >> me.
>> >
>> > I'm not sure which log message was for successful connections, but
>> > here's one for invalid connections:
>> >
>> > <rule id="300002" level="1">
>> >   <if_sid>300000</if_sid>
>> >   <match> Invalid attempt from client </match>
>> >   <description>Invalid VNC attempt.</description>
>> > </rule>
>> >
>> > You may need to adjust the levels for these, depending on what you
>> > want them to do.
>> >
>> > As far as examples go, the rules directory is full of examples of rules.
>> > These aren't very difficult.
>> >
>> > You could also add this decoder:
>> > <decoder name="ultravnc">
>> >   <parent>windows</parent>
>> >   <prematch>UltraVnc: </prematch>
>> >   <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
>> >   <order>srcip</order>
>> > </decoder>
>> >
>> > It would require a tweak of the rules, but the srcip might be useful
>> > if you want to use it with active response in the future.
>> >
>> >> -----Original Message-----
>> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >> Sent: Monday, October 21, 2013 10:49 AM
>> >> To: [email protected]
>> >> Subject: Re: [ossec-list] VNC Windows Server Alerts
>> >>
>> >> On Mon, Oct 21, 2013 at 10:29 AM, Forums <[email protected]> wrote:
>> >>> Here is the copy of the logs I sent out from the archive last week.
>> >>> Also below:
>> >>>
>> >>
>> >> Were there any other log messages you wanted me to write rules for?
>> >> Or was it just the one?
>> >>
>> >>> Archive log:
>> >>>
>> >>> Here is the output from the archives log after the
>> >>> <logall>yes</logall> option was set.
>> >>>
>> >>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>> 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
>> >>>
>> >>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>> 14/10/2013 20:36 Connection received from 192.168.2.3
>> >>>
>> >>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>> >>> BEAST.mydomain.local: A request to disable the Desktop Window
>> >>> Manager was made by process (VNC server for X64/win32)
>> >>>
>> >>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>> >>> BEAST.mydomain.local: (no message)
>> >>>
>> >>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>> 14/10/2013 20:36 Client 192.168.2.3 disconnected
>> >>>
>> >>> -----Original Message-----
>> >>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >>> Sent: Monday, October 21, 2013 10:07 AM
>> >>> To: [email protected]
>> >>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>> >>>
>> >>> On Mon, Oct 21, 2013 at 9:59 AM, Forums <[email protected]> wrote:
>> >>>> Any ideas?
>> >>>>
>> >>>
>> >>> Sorry about that, missed the email with the logs.
>> >>>
>> >>> <rule id="300000" level="1">
>> >>>   <if_sid>18100</if_sid>
>> >>>   <match>UltraVnc: </match>
>> >>>   <description>UltraVNC blah blah</description>
>> >>> </rule>
>> >>>
>> >>> <rule id="300001" level="1">
>> >>>   <if_sid>300000</if_sid>
>> >>>   <match>Connection received from </match>
>> >>>   <description>VNC connection</description>
>> >>> </rule>
>> >>>
>> >>> **Phase 1: Completed pre-decoding.
>> >>>        full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc:
>> >>> (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36
>> >>> Connection received from 192.168.2.3'
>> >>>        hostname: 'arrakis'
>> >>>        program_name: '(null)'
>> >>>        log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no
>> >>> user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection
>> >>> received from 192.168.2.3'
>> >>>
>> >>> **Phase 2: Completed decoding.
>> >>>        decoder: 'windows'
>> >>>
>> >>> **Phase 3: Completed filtering (rules).
>> >>>        Rule id: '300001'
>> >>>        Level: '1'
>> >>>        Description: 'VNC connection'
>> >>> **Alert to be generated.
>> >>>
>> >>>> -----Original Message-----
>> >>>> From: Forums [mailto:[email protected]]
>> >>>> Sent: Monday, October 14, 2013 8:55 PM
>> >>>> To: '[email protected]'
>> >>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>> >>>>
>> >>>> Here is the output from the archives log after the
>> >>>> <logall>yes</logall> option was set.
>> >>>>
>> >>>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>>> 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
>> >>>>
>> >>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>>> 14/10/2013 20:36 Connection received from 192.168.2.3
>> >>>>
>> >>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>> >>>> BEAST.mydomain.local: A request to disable the Desktop Window
>> >>>> Manager was made by process (VNC server for X64/win32)
>> >>>>
>> >>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>> >>>> BEAST.mydomain.local: (no message)
>> >>>>
>> >>>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> >>>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> >>>> 14/10/2013 20:36 Client 192.168.2.3 disconnected
>> >>>>
>> >>>> -----Original Message-----
>> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >>>> Sent: Monday, October 14, 2013 3:01 PM
>> >>>> To: [email protected]
>> >>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>> >>>>
>> >>>> On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
>> >>>>> Okay I will do just that. I am not sure how to turn that on but I
>> >>>>> will research it and let you know or provide the logs once done.
>> >>>>>
>> >>>>
>> >>>> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
>> >>>>
>> >>>>> -----Original Message-----
>> >>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >>>>> Sent: Monday, October 14, 2013 2:03 PM
>> >>>>> To: [email protected]
>> >>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>> >>>>>
>> >>>>> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
>> >>>>>> I am such a fool. Please forgive me for my stupidness. I did
>> >>>>>> provide the screenshot of the log files that will need to be
>> >>>>>> parsed which were windows application logs. Not really vnc itself
>> >>>>>> but the logs.
>> >>>>>> If you don't hear from me again it's because I stuck my tongue in
>> >>>>>> a light socket.
>> >>>>>>
>> >>>>>
>> >>>>> And I don't want to waste a bunch of time trying to figure out how
>> >>>>> that log event looks to OSSEC. I could spend a lot of time doing
>> >>>>> that, or you could provide the log from archives.log (after
>> >>>>> turning on the log all option and triggering the log).
>> >>>>> Maybe someone else wants to give it a shot though.
>> >>>>>
>> >>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >>>>>> Sent: Monday, October 14, 2013 11:58 AM
>> >>>>>> To: [email protected]
>> >>>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>> >>>>>>
>> >>>>>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>> >>>>>>>
>> >>>>>>> The log from the windows machines (VNC login) is attached. My
>> >>>>>>> point is, there
>> >>>>>>
>> >>>>>> Sorry about that, I must have missed it. All I saw was an
>> >>>>>> absolutely useless screen shot of event viewer. I'll take another
>> >>>>>> look after lunch.
>> >>>>>>
>> >>>>>>> is currently no rule for VNC, then any logs are probably going to
>> >>>>>>> point to nothing at this point. I need assistance creating a
>> >>>>>>> rule right?
>> >>>>>>>
>> >>>>>>> If I am to turn on all logs feature for the OSSEC server I will
>> >>>>>>> research that as I have never heard of it.
>> >>>>>>>
>> >>>>>>> -----Original Message-----
>> >>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>> >>>>>>> Sent: Monday, October 14, 2013 10:58 AM
>> >>>>>>> To: [email protected]
>> >>>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>> >>>>>>>
>> >>>>>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>> >>>>>>> > VNC is installed on my windows machine. I have ossec server
>> >>>>>>> > installed on a Linux machine with agents installed on my
>> >>>>>>> > workstations. I need to be alerted when someone remotes to my
>> >>>>>>> > windows machine using VNC.
>> >>>>>>> > The alert event ID 1 shows in the application logs. Is there a
>> >>>>>>> > rule like VNC.xml for ossec?
>> >>>>>>> >
>> >>>>>>> > I cannot seem to get this event to trigger. Please see attached.
>> >>>>>>> >
>> >>>>>>> > localrules.xml
>> >>>>>>> >
>> >>>>>>> > <!-- VNC Login -->
>> >>>>>>> > <rule id="100036" level="11">
>> >>>>>>> >   <id>^1|^2</id>
>> >>>>>>> >   <match>Connection received from</match>
>> >>>>>>> >   <group>syslog,</group>
>> >>>>>>> >   <description>VNC Login</description>
>> >>>>>>> > </rule>
>> >>>>>>> > </group> <!--SYSLOG,LOCAL -->
>> >>>>>>> >
>> >>>>>>>
>> >>>>>>> Turn on the log all option on the server and trigger the log message.
>> >>>>>>> That way we'll have a copy of the log to work with.
>> >>>>>>>
>> >>>>>>> > --
>> >>>>>>> >
>> >>>>>>> > ---
>> >>>>>>> > You received this message because you are subscribed to the
>> >>>>>>> > Google Groups "ossec-list" group.
>> >>>>>>> > To unsubscribe from this group and stop receiving emails from
>> >>>>>>> > it, send an email to [email protected].
>> >>>>>>> > For more options, visit https://groups.google.com/groups/opt_out.
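The thread's decoder and rule chain, and the load-time check that produced the "Signature ID '300000' not found" error, can be reproduced outside OSSEC. The script below is an added example, not code from the thread or from the OSSEC project: it emulates dan's `ultravnc` decoder (OSSEC's regex approximated with Python's `re`) and the 300000/300001/300002 rules over the archive.log lines quoted above (constructed here as sample input), and it rejects a rule whose `if_sid` points at a rule that was never loaded, which is what happened on the OP's server. Rule 18100 is assumed to be OSSEC's stock Windows event rule and is modelled here as matching any `WinEvtLog:` line.

```python
import re

# Constructed sample events: the "log:" portion of the archive.log lines quoted
# in the thread (agent prefix stripped), plus one non-VNC Windows event.
SAMPLE_LOGS = [
    "WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3",
    "WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: "
    "BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected",
    "WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: "
    "(no user): no domain: BEAST.mydomain.local: (no message)",
]

# The 'ultravnc' decoder posted in the thread, with its OSSEC regex approximated
# by Python's re (\S+, $ and | behave the same way for this pattern).
PREMATCH = "UltraVnc: "
SRCIP_RE = re.compile(r" from (\S+)$| from client (\S+)$")


def decode(log):
    """Emulate <prematch> + <regex offset="after_prematch">: return the decoded
    fields, or None when the prematch fails and the decoder does not apply."""
    idx = log.find(PREMATCH)
    if idx < 0:
        return None
    m = SRCIP_RE.search(log[idx + len(PREMATCH):])
    # <order>srcip</order>: whichever alternative matched supplies srcip.
    srcip = next((g for g in m.groups() if g), None) if m else None
    return {"decoder": "ultravnc", "srcip": srcip}


# Rules as posted in the thread. 18100 is a stand-in (assumption) for OSSEC's
# stock Windows event rule that 300000 chains to; here it matches any
# WinEvtLog line.
RULES = [
    {"id": 18100, "level": 0, "if_sid": None, "match": "WinEvtLog: ",
     "description": "Windows event (stand-in for the stock rule)"},
    {"id": 300000, "level": 1, "if_sid": 18100, "match": "UltraVnc: ",
     "description": "UltraVNC blah blah"},
    {"id": 300001, "level": 1, "if_sid": 300000, "match": "Connection received from ",
     "description": "VNC connection"},
    {"id": 300002, "level": 1, "if_sid": 300000, "match": " Invalid attempt from client ",
     "description": "Invalid VNC attempt."},
]


def load_rules(rules):
    """Mirror analysisd's load-time check: every <if_sid> must name a rule that
    was loaded before it, otherwise the configuration is rejected (this is the
    'Signature ID ... not found' error from the thread)."""
    loaded = {}
    for r in rules:
        parent = r["if_sid"]
        if parent is not None and parent not in loaded:
            raise ValueError(
                f"rules_list: Signature ID '{parent}' not found. Invalid 'if_sid'.")
        loaded[r["id"]] = r
    return loaded


def evaluate(log, rules=RULES):
    """Run the rule tree the way OSSEC reports it: a child rule is only tried
    after its parent matched, and the deepest match becomes the alert."""
    loaded = load_rules(rules)
    children = {}
    for r in loaded.values():
        children.setdefault(r["if_sid"], []).append(r)

    def walk(parent_id):
        for r in children.get(parent_id, []):
            if r["match"] in log:
                return walk(r["id"]) or r
        return None

    hit = walk(None)
    if hit is None:
        return None
    dec = decode(log)
    return {"rule_id": hit["id"], "level": hit["level"],
            "description": hit["description"],
            "srcip": dec["srcip"] if dec else None}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(evaluate(line))
    # Dropping 300000, as happened on the OP's server, fails at load time:
    try:
        load_rules([r for r in RULES if r["id"] != 300000])
    except ValueError as err:
        print(err)
```

The disconnect event falls through to 300000 because neither child matches it, and the Desktop Window Manager event stops at the stand-in Windows rule; both are worth a low-level rule of their own if you want a complete session timeline rather than just connect/fail alerts.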
