On Wed, Oct 23, 2013 at 2:56 PM, dan (ddp) <[email protected]> wrote:
> On Wed, Oct 23, 2013 at 2:50 PM, dan (ddp) <[email protected]> wrote:
>> On Wed, Oct 23, 2013 at 2:00 PM, Forums <[email protected]> wrote:
>>>
>>> You should know, all is documented in the email. You’re the one that had me
>>
>> I will look for clearly labeled RDP log messages so I can test this
>> and try to get it working for you.
>>
>
> I'm sure I'm just missing them like an idiot, but which logs are for
> RDP? The only ones I see reference UltraVNC.
>
I found someone else's RDP log message and used that for testing. I hate
the Windows decoder. I couldn't get it to work without modifications.

I had to change the windows decoder (in decoder.xml) to:

<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
</decoder>

<decoder name="windows">
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

And then added this as well:

<decoder name="windows">
  <parent>windows</parent>
  <!--<regex offset="after_parent">^Application: \S+: UltraVnc: \.+: \.+ from (\S+)$|>^Application: \S+: UltraVnc: \.+ from client (\S+)</regex>-->
  <regex offset="after_parent">^Application: \S+: UltraVnc: \.+: \.+ from (\S+)$|^Application: \S+: UltraVnc: \.+ from client (\S+)</regex>
  <order>srcip</order>
</decoder>

>>> add in the decoder rule. You’re the OSSEC pro right? I admit I don’t know
>>
>> Nope, just an amateur spending his free time trying to help people.
>> Unfortunately some people treat me like an employee, without the
>> benefits.
>>
>>> everything regarding technology no one does. I will take a class so I don’t
>>> bother you in your forum. It is a forum right?
>>>
>>
>> I think it's more of a mailing list.
>>
>>>
>>> Anyway since you’re such a smart ass I will do “my work” for ossec, tonight
>>> after I am done building all the exchange servers and RAS servers for the
>>> multi site domain I am putting together. Don’t mistake me for being an idiot
>>> or not “technical” just because I don’t spend my day helping people with
>>> OSSEC. I can fix the issue myself. I am short on time and mistakenly
>>> thought your forum might be helpful.
>>>
>>
>> I feel like I have been helpful. I also think it's rude to expect me
>> to do all of your work for you. I have a job as well.
>>
>>>
>>> When I am not working in an office setting up servers and resolving various
>>> networking issues I spend my time in the gym to beat the shit out of smart
>>> ass bitches like you for entertainment purposes. So please do continue being
>>> a douchebag, you’re safe and far away from the reach of my hands.
>>>
>>
>> This is unnecessary, but if you wish to discuss these issues over
>> coffee I'm more than willing. :)
>>
>>>
>>> Regards,
>>>
>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>> Sent: Wednesday, October 23, 2013 1:31 PM
>>> To: [email protected]
>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>
>>> On Oct 23, 2013 1:26 PM, "Forums" <[email protected]> wrote:
>>>>
>>>> The decoder rule that you gave me to add below, when adding it, the VNC
>>>> rules work great however my alerts that get emailed to me regarding Windows
>>>> RDP quit working. I have tested this by removing the local_decoder file up a
>>>> directory, restarting the services and then VNC stops working of course but
>>>> then Windows RDP works again... any thoughts?
>>>>
>>>
>>> Plenty. I can't test what I don't know. If you provide logs I can do your
>>> work, if you don't I can't. It really seems like you should hire someone
>>> technical.
>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> Sent: Tuesday, October 22, 2013 11:41 AM
>>>> To: [email protected]
>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>>
>>>> On Tue, Oct 22, 2013 at 11:38 AM, Forums <[email protected]> wrote:
>>>> > I didn't have a local_decoder file so I created one and added in the
>>>> > decoder you gave me.
>>>> > It works fine for the first rule:
>>>> >
>>>> >> After I added the decoder, these rules seemed to work:
>>>> >> <rule id="300000" level="1">
>>>> >>   <match>UltraVnc: </match>
>>>> >>   <description>UltraVNC blah blah</description>
>>>> >> </rule>
>>>> >
>>>> > The other rules pointing to <if_sid>30000 etc etc do not work because
>>>> > it says something about not finding that sid or something. Regardless
>>>> > all I need is the first rule. Just for my own knowledge I will be
>>>> > looking into why the other rules don't work and why I am getting the
>>>> > error messages.
>>>> >
>>>> >> <rule id="300001" level="1">
>>>> >>   <if_sid>300000</if_sid> (it's like there is no 30000)
>>>> >>   <match>Connection received from </match>
>>>> >>   <description>VNC connection</description>
>>>> >> </rule>
>>>> >>
>>>> >> <rule id="300002" level="1">
>>>> >>   <if_sid>300000</if_sid>
>>>> >>   <match> Invalid attempt from client </match>
>>>> >>   <description>Invalid VNC attempt.</description>
>>>> >> </rule>
>>>> >
>>>> > The errors show themselves when I restart the ossec services
>>>> >
>>>> > Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
>>>> >
>>>> > 2013/10/22 11:36:35 rules_list: Signature ID '300000' not found.
>>>> > Invalid 'if_sid'.
>>>> >
>>>>
>>>> So rule 300000 isn't getting loaded.
>>>>
>>>> > ossec-analysisd: Configuration error. Exiting.
>>>> >
>>>> > Started ossec-maild...
>>>> >
>>>> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> > Sent: Monday, October 21, 2013 9:35 PM
>>>> > To: [email protected]
>>>> > Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>> >
>>>> > On Oct 21, 2013 9:33 PM, "Forums" <[email protected]> wrote:
>>>> >>
>>>> >> I had little time tonight to work on this but I attempted to add your
>>>> >> decoder rule with the following error:
>>>> >>
>>>> >> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
>>>> >> 2013/10/21 21:17:15 ossec-analysisd(2101): ERROR: Parent decoder name
>>>> >> invalid: 'windows'.
>>>> >> 2013/10/21 21:17:15 ossec-analysisd(2106): ERROR: Error adding
>>>> >> decoder plugin.
>>>> >> 2013/10/21 21:17:15 ossec-testrule(1202): ERROR: Configuration error
>>>> >> at '/etc/decoder.xml'. Exiting.
>>>> >>
>>>> >
>>>> > Try adding it to local_decoder.xml instead. The windows decoder
>>>> > exists, unless you removed it.
>>>> >
>>>> >> -----Original Message-----
>>>> >> From: [email protected] [mailto:[email protected]] On Behalf Of Forums
>>>> >> Sent: Monday, October 21, 2013 11:34 AM
>>>> >> To: [email protected]
>>>> >> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>> >>
>>>> >> Great work! Thanks again. I will add the decoder you have given me.
>>>> >> If there is anything specific I need to know when creating the
>>>> >> decoder let me know.
>>>> >> As far as I have seen there is only 1 decoder rule file which is
>>>> >> where I will add in the decoder rule you have given. I will let you
>>>> >> know my results.
>>>> >>
>>>> >> Regards
>>>> >>
>>>> >> -----Original Message-----
>>>> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> Sent: Monday, October 21, 2013 11:27 AM
>>>> >> To: [email protected]
>>>> >> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >>
>>>> >> On Mon, Oct 21, 2013 at 11:19 AM, Forums <[email protected]> wrote:
>>>> >> > This is the one I get when successful login vnc.
>>>> >> >
>>>> >>
>>>> >> Ok, one of the rules covered that.
>>>> >>
>>>> >> After I added the decoder, these rules seemed to work:
>>>> >> <rule id="300000" level="1">
>>>> >>   <match>UltraVnc: </match>
>>>> >>   <description>UltraVNC blah blah</description>
>>>> >> </rule>
>>>> >>
>>>> >> <rule id="300001" level="1">
>>>> >>   <if_sid>300000</if_sid>
>>>> >>   <match>Connection received from </match>
>>>> >>   <description>VNC connection</description>
>>>> >> </rule>
>>>> >>
>>>> >> <rule id="300002" level="1">
>>>> >>   <if_sid>300000</if_sid>
>>>> >>   <match> Invalid attempt from client </match>
>>>> >>   <description>Invalid VNC attempt.</description>
>>>> >> </rule>
>>>> >>
>>>> >> >>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>> 14/10/2013 20:36 Connection received from 192.168.2.3
>>>> >> >
>>>> >> > -----Original Message-----
>>>> >> > From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> > Sent: Monday, October 21, 2013 11:07 AM
>>>> >> > To: [email protected]
>>>> >> > Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >> >
>>>> >> > On Mon, Oct 21, 2013 at 10:53 AM, Forums <[email protected]> wrote:
>>>> >> >> I would need one for successful and failed attempts. I appreciate
>>>> >> >> the help as I know you guys are busy. For whatever the reason, I
>>>> >> >> cannot seem to find examples for this. I am a bit lacking in
>>>> >> >> knowledge regarding the rules for VNC. Anyway thanks again for
>>>> >> >> getting back to me.
>>>> >> >
>>>> >> > I'm not sure which log message was for successful connections, but
>>>> >> > here's one for invalid connections:
>>>> >> >
>>>> >> > <rule id="300002" level="1">
>>>> >> >   <if_sid>300000</if_sid>
>>>> >> >   <match> Invalid attempt from client </match>
>>>> >> >   <description>Invalid VNC attempt.</description>
>>>> >> > </rule>
>>>> >> >
>>>> >> > You may need to adjust the levels for these, depending on what you
>>>> >> > want them to do.
>>>> >> >
>>>> >> > As far as examples go, the rules directory is full of examples of rules.
>>>> >> > These aren't very difficult.
>>>> >> >
>>>> >> > You could also add this decoder:
>>>> >> > <decoder name="ultravnc">
>>>> >> >   <parent>windows</parent>
>>>> >> >   <prematch>UltraVnc: </prematch>
>>>> >> >   <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
>>>> >> >   <order>srcip</order>
>>>> >> > </decoder>
>>>> >> >
>>>> >> > It would require a tweak of the rules, but the srcip might be
>>>> >> > useful if you want to use it with active response in the future.
>>>> >> >
>>>> >> >> -----Original Message-----
>>>> >> >> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> >> Sent: Monday, October 21, 2013 10:49 AM
>>>> >> >> To: [email protected]
>>>> >> >> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >> >>
>>>> >> >> On Mon, Oct 21, 2013 at 10:29 AM, Forums <[email protected]> wrote:
>>>> >> >>> Here is the copy of the logs I sent out from the archive last week.
>>>> >> >>> Also below:
>>>> >> >>>
>>>> >> >>
>>>> >> >> Were there any other log messages you wanted me to write rules for?
>>>> >> >> Or was it just the one?
>>>> >> >>
>>>> >> >>> Archive log:
>>>> >> >>>
>>>> >> >>> Here is the output from the archives log after the
>>>> >> >>> <logall>yes</logall> option was set.
>>>> >> >>>
>>>> >> >>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>> 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
>>>> >> >>>
>>>> >> >>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>> 14/10/2013 20:36 Connection received from 192.168.2.3
>>>> >> >>>
>>>> >> >>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>>>> >> >>> BEAST.mydomain.local: A request to disable the Desktop Window
>>>> >> >>> Manager was made by process (VNC server for X64/win32)
>>>> >> >>>
>>>> >> >>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>>>> >> >>> BEAST.mydomain.local: (no message)
>>>> >> >>>
>>>> >> >>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>> 14/10/2013 20:36 Client 192.168.2.3 disconnected
>>>> >> >>>
>>>> >> >>> -----Original Message-----
>>>> >> >>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> >>> Sent: Monday, October 21, 2013 10:07 AM
>>>> >> >>> To: [email protected]
>>>> >> >>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >> >>>
>>>> >> >>> On Mon, Oct 21, 2013 at 9:59 AM, Forums <[email protected]> wrote:
>>>> >> >>>> Any ideas?
>>>> >> >>>>
>>>> >> >>>
>>>> >> >>> Sorry about that, missed the email with the logs.
>>>> >> >>>
>>>> >> >>> <rule id="300000" level="1">
>>>> >> >>>   <if_sid>18100</if_sid>
>>>> >> >>>   <match>UltraVnc: </match>
>>>> >> >>>   <description>UltraVNC blah blah</description>
>>>> >> >>> </rule>
>>>> >> >>>
>>>> >> >>> <rule id="300001" level="1">
>>>> >> >>>   <if_sid>300000</if_sid>
>>>> >> >>>   <match>Connection received from </match>
>>>> >> >>>   <description>VNC connection</description>
>>>> >> >>> </rule>
>>>> >> >>>
>>>> >> >>> **Phase 1: Completed pre-decoding.
>>>> >> >>>        full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc:
>>>> >> >>> (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36
>>>> >> >>> Connection received from 192.168.2.3'
>>>> >> >>>        hostname: 'arrakis'
>>>> >> >>>        program_name: '(null)'
>>>> >> >>>        log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no
>>>> >> >>> user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection
>>>> >> >>> received from 192.168.2.3'
>>>> >> >>>
>>>> >> >>> **Phase 2: Completed decoding.
>>>> >> >>>        decoder: 'windows'
>>>> >> >>>
>>>> >> >>> **Phase 3: Completed filtering (rules).
>>>> >> >>>        Rule id: '300001'
>>>> >> >>>        Level: '1'
>>>> >> >>>        Description: 'VNC connection'
>>>> >> >>> **Alert to be generated.
>>>> >> >>>
>>>> >> >>>> -----Original Message-----
>>>> >> >>>> From: Forums [mailto:[email protected]]
>>>> >> >>>> Sent: Monday, October 14, 2013 8:55 PM
>>>> >> >>>> To: '[email protected]'
>>>> >> >>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>> >> >>>>
>>>> >> >>>> Here is the output from the archives log after the
>>>> >> >>>> <logall>yes</logall> option was set.
>>>> >> >>>>
>>>> >> >>>> 2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>>> INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>>> 14/10/2013 20:35 Invalid attempt from client 192.168.2.3
>>>> >> >>>>
>>>> >> >>>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>>> 14/10/2013 20:36 Connection received from 192.168.2.3
>>>> >> >>>>
>>>> >> >>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>>> INFORMATION(9010): Desktop Window Manager: (no user): no domain:
>>>> >> >>>> BEAST.mydomain.local: A request to disable the Desktop Window
>>>> >> >>>> Manager was made by process (VNC server for X64/win32)
>>>> >> >>>>
>>>> >> >>>> 2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>>> INFORMATION(9013): Desktop Window Manager: (no user): no domain:
>>>> >> >>>> BEAST.mydomain.local: (no message)
>>>> >> >>>>
>>>> >> >>>> 2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>>>> >> >>>> INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>>>> >> >>>> 14/10/2013 20:36 Client 192.168.2.3 disconnected
>>>> >> >>>>
>>>> >> >>>> -----Original Message-----
>>>> >> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> >>>> Sent: Monday, October 14, 2013 3:01 PM
>>>> >> >>>> To: [email protected]
>>>> >> >>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >> >>>>
>>>> >> >>>> On Mon, Oct 14, 2013 at 2:43 PM, Forums <[email protected]> wrote:
>>>> >> >>>>> Okay I will do just that. I am not sure how to turn that on but
>>>> >> >>>>> I will research it and let you know or provide the logs once
>>>> >> >>>>> done.
>>>> >> >>>>>
>>>> >> >>>>
>>>> >> >>>> http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall
>>>> >> >>>>
>>>> >> >>>>> -----Original Message-----
>>>> >> >>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> >>>>> Sent: Monday, October 14, 2013 2:03 PM
>>>> >> >>>>> To: [email protected]
>>>> >> >>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >> >>>>>
>>>> >> >>>>> On Mon, Oct 14, 2013 at 1:52 PM, Forums <[email protected]> wrote:
>>>> >> >>>>>> I am such a fool. Please forgive me for my stupidity. I did
>>>> >> >>>>>> provide the screenshot of the log files that will need to be
>>>> >> >>>>>> parsed which were windows application logs. Not really vnc
>>>> >> >>>>>> itself but the logs.
>>>> >> >>>>>> If you don't hear from me again it's because I stuck my tongue
>>>> >> >>>>>> in a light socket.
>>>> >> >>>>>>
>>>> >> >>>>>
>>>> >> >>>>> And I don't want to waste a bunch of time trying to figure out
>>>> >> >>>>> how that log event looks to OSSEC. I could spend a lot of time
>>>> >> >>>>> doing that, or you could provide the log from archives.log
>>>> >> >>>>> (after turning on the log all option and triggering the log).
>>>> >> >>>>> Maybe someone else wants to give it a shot though.
>>>> >> >>>>>
>>>> >> >>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> >>>>>> Sent: Monday, October 14, 2013 11:58 AM
>>>> >> >>>>>> To: [email protected]
>>>> >> >>>>>> Subject: RE: [ossec-list] VNC Windows Server Alerts
>>>> >> >>>>>>
>>>> >> >>>>>> On Oct 14, 2013 11:52 AM, "Forums" <[email protected]> wrote:
>>>> >> >>>>>>>
>>>> >> >>>>>>> The log from the windows machines (VNC login) is attached. My
>>>> >> >>>>>>> point is, there
>>>> >> >>>>>>
>>>> >> >>>>>> Sorry about that, I must have missed it. All I saw was an
>>>> >> >>>>>> absolutely useless screen shot of event viewer. I'll take
>>>> >> >>>>>> another look after lunch.
>>>> >> >>>>>>
>>>> >> >>>>>>> is currently no rule for VNC, then any logs are probably going
>>>> >> >>>>>>> to point to nothing at this point. I need assistance creating
>>>> >> >>>>>>> a rule right?
>>>> >> >>>>>>>
>>>> >> >>>>>>> If I am to turn on the all logs feature for the OSSEC server I
>>>> >> >>>>>>> will research that as I have never heard of it.
>>>> >> >>>>>>>
>>>> >> >>>>>>> -----Original Message-----
>>>> >> >>>>>>> From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
>>>> >> >>>>>>> Sent: Monday, October 14, 2013 10:58 AM
>>>> >> >>>>>>> To: [email protected]
>>>> >> >>>>>>> Subject: Re: [ossec-list] VNC Windows Server Alerts
>>>> >> >>>>>>>
>>>> >> >>>>>>> On Sun, Oct 13, 2013 at 9:05 AM, Gary White <[email protected]> wrote:
>>>> >> >>>>>>> > VNC is installed on my windows machine. I have ossec server
>>>> >> >>>>>>> > installed on a Linux machine with agents installed on my
>>>> >> >>>>>>> > workstations. I need to be alerted when someone remotes to
>>>> >> >>>>>>> > my windows machine using VNC.
>>>> >> >>>>>>> > The alert event ID 1 shows in the application logs. Is
>>>> >> >>>>>>> > there a rule like VNC.xml for ossec?
>>>> >> >>>>>>> >
>>>> >> >>>>>>> > I cannot seem to get this event to trigger. Please see
>>>> >> >>>>>>> > attached.
>>>> >> >>>>>>> >
>>>> >> >>>>>>> > localrules.xml
>>>> >> >>>>>>> >
>>>> >> >>>>>>> > <!-- VNC Login -->
>>>> >> >>>>>>> > <rule id="100036" level="11">
>>>> >> >>>>>>> >   <id>^1|^2</id>
>>>> >> >>>>>>> >   <match>Connection received from</match>
>>>> >> >>>>>>> >   <group>syslog,</group>
>>>> >> >>>>>>> >   <description>VNC Login</description>
>>>> >> >>>>>>> > </rule>
>>>> >> >>>>>>> > </group> <!--SYSLOG,LOCAL -->
>>>> >> >>>>>>> >
>>>> >> >>>>>>>
>>>> >> >>>>>>> Turn on the log all option on the server and trigger the log message.
>>>> >> >>>>>>> That way we'll have a copy of the log to work with.
>>>> >> >>>>>>>
--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
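The decoder and rule chain worked out in the thread above, replayed over the archives.log lines the thread quotes. This is an added example, not OSSEC's code and not something either poster ran: it translates the thread's OSSEC patterns into Python regexes (assumption: OSSEC's `\.+` is rendered as the non-greedy `.+?`, and `<match>` is treated as a plain substring test), models rule 18100 on the stock windows group rule (level 0, `<category>windows</category>`), and walks the `if_sid` tree by taking the deepest matching child, which is a simplification of what ossec-analysisd does. The sample lines are the ones from the thread, rejoined onto single lines.

```python
"""Replay the thread's OSSEC decoder and rule chain over the quoted archive
lines.  Added example, not OSSEC's code: OSSEC regexes are translated to
Python (assumption: OSSEC \.+ -> non-greedy .+?) and the rule walk is a
simplified model of how ossec-analysisd picks the deepest matching child."""
import re

# archives.log lines from the thread, rejoined onto single lines.
ARCHIVE_LINES = [
    "2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: "
    "14/10/2013 20:35 Invalid attempt from client 192.168.2.3",
    "2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: "
    "14/10/2013 20:36 Connection received from 192.168.2.3",
    "2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(9010): Desktop Window Manager: (no user): no domain: "
    "BEAST.mydomain.local: A request to disable the Desktop Window Manager "
    "was made by process (VNC server for X64/win32)",
    "2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: "
    "INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: "
    "14/10/2013 20:36 Client 192.168.2.3 disconnected",
]

# archives.log prefix: "<timestamp> (<agent>) <agent ip>-><location> <log>";
# only <log> is what the decoders see (compare the ossec-logtest output above).
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \((?P<agent>[^)]+)\) "
    r"(?P<agent_ip>\S+)->(?P<location>\S+) (?P<log>.*)$")

# Stock windows decoder: <prematch>^WinEvtLog: </prematch>, then, after the
# parent match, the two <regex> lines (OSSEC concatenates them):
#   ^\.+: (\w+)\((\d+)\): (\.+): (\.+): \.+: (\S+):
# <order>status, id, extra_data, user, system_name</order>
WINDOWS_PREMATCH = re.compile(r"^WinEvtLog: ")
WINDOWS_FIELDS = re.compile(
    r"^.+?: (?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>.+?): "
    r"(?P<user>.+?): .+?: (?P<system_name>\S+): ")

# The "ultravnc" child decoder proposed in the thread:
#   <prematch>UltraVnc: </prematch>
#   <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
#   <order>srcip</order>
ULTRAVNC_PREMATCH = re.compile(r"UltraVnc: ")
ULTRAVNC_SRCIP = re.compile(r" from (\S+)$| from client (\S+)$")


def decode(log):
    """Fields the rules see after decoding, or None if the windows decoder
    does not claim the event."""
    pm = WINDOWS_PREMATCH.match(log)
    if not pm:
        return None
    fields = {"decoder": "windows", "srcip": None}
    m = WINDOWS_FIELDS.match(log[pm.end():])        # offset="after_parent"
    if m:
        fields.update(m.groupdict())
    vm = ULTRAVNC_PREMATCH.search(log)
    if vm:
        sm = ULTRAVNC_SRCIP.search(log[vm.end():])   # offset="after_prematch"
        if sm:
            # whichever alternative matched carries the address
            fields["srcip"] = sm.group(1) or sm.group(2)
    return fields


# Rule tree from the thread.  18100 is modelled on the stock windows group
# rule (level 0, category windows); the 3000xx rules are the thread's.
RULES = {
    18100:  {"level": 0, "if_sid": None, "category": "windows", "match": None,
             "description": "Group of windows rules."},
    300000: {"level": 1, "if_sid": 18100, "category": None,
             "match": "UltraVnc: ", "description": "UltraVNC event"},
    300001: {"level": 1, "if_sid": 300000, "category": None,
             "match": "Connection received from ",
             "description": "VNC connection"},
    300002: {"level": 1, "if_sid": 300000, "category": None,
             "match": " Invalid attempt from client ",
             "description": "Invalid VNC attempt."},
}


def rule_matches(rule_id, fields, log):
    rule = RULES[rule_id]
    if rule["category"] and rule["category"] != fields["decoder"]:
        return False
    # <match> is a substring test on the log
    return rule["match"] is None or rule["match"] in log


def evaluate(log):
    """Walk the if_sid tree from 18100; the deepest matching rule alerts."""
    fields = decode(log)
    if fields is None or not rule_matches(18100, fields, log):
        return None
    current = 18100
    while True:
        children = [rid for rid, r in RULES.items() if r["if_sid"] == current]
        nxt = next((rid for rid in children
                    if rule_matches(rid, fields, log)), None)
        if nxt is None:
            break
        current = nxt
    rule = RULES[current]
    return {"rule_id": current, "level": rule["level"],
            "description": rule["description"], "srcip": fields["srcip"],
            "system_name": fields.get("system_name")}


def evaluate_archive(lines):
    """Strip the archives.log prefix and run every line through the rules."""
    results = []
    for line in lines:
        m = ARCHIVE_RE.match(line)
        if m:
            results.append(evaluate(m.group("log")))
    return results


if __name__ == "__main__":
    for r in evaluate_archive(ARCHIVE_LINES):
        print(f"{r['rule_id']:>6} level={r['level']} "
              f"srcip={r['srcip']!s:<12} {r['description']}")
```

The walk shows why the thread's chain behaves the way it does: the "Client ... disconnected" event only reaches 300000 (no child matches it), the Desktop Window Manager events stop at 18100 because "UltraVnc: " is not in them, and srcip is only populated on the two events whose text ends in " from <host>" or " from client <host>". The authoritative check is still `ossec-logtest` on the server, fed the text after "->WinEvtLog " exactly as the Phase 1 output above shows.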
