The news about folks getting exploited via TeamViewer made me want to get
proactive notification whenever any of my systems get logged into via
Chrome Remote Desktop.  These rules will send email alerts about failed and
successful logins via Chrome Remote Desktop, plus generate an OSSEC event
when chromoting sessions close.  Feel free to improve on them.

  <rule id="100050" level="5">
    <if_sid>18103</if_sid>
    <regex>: chromoting: \.* Access denied for client: </regex>
    <description>Chrome Remote Desktop attempt - access denied</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100060" level="5">
    <if_sid>18101</if_sid>
    <regex>: chromoting: \.* Client connected:</regex>
    <description>Chrome Remote Desktop attempt - connected</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100070" level="5">
    <if_sid>18101</if_sid>
    <regex>: chromoting: \.* Client disconnected:</regex>
    <description>Chrome Remote Desktop attempt - disconnected</description>
  </rule>

Thanks to Doug for assisting me in getting these working.

Kevin Branch

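A quick offline check of the three patterns above, added here as an example and not part of the original post: it translates the small piece of OSSEC regex syntax the rules use and runs them over sample event lines. The line layout, the sample lines, and the modelling of parents 18101/18103 as the Windows information/error event rules are assumptions; confirm against your own agent's events with ossec-logtest.

```python
import re

# The three rules from the post: (rule id, parent sid, OSSEC regex).
RULES = [
    ("100050", "18103", r": chromoting: \.* Access denied for client: "),
    ("100060", "18101", r": chromoting: \.* Client connected:"),
    ("100070", "18101", r": chromoting: \.* Client disconnected:"),
]
# Assumption: parents 18101 / 18103 are the stock Windows "information" and
# "error" event rules, modelled here as a check on the event status field.
PARENT_STATUS = {"18101": "INFORMATION", "18103": "ERROR"}
# Assumption: agent line layout "WinEvtLog: <log>: <STATUS>(<id>): <source>: ...".
STATUS_RE = re.compile(r"^WinEvtLog: [^:]+: (\w+)\(\d+\): ")

def ossec_to_python(pattern):
    """Translate the OS_Regex subset the rules use: '\\.' is any character,
    '*' and '+' repeat it, every other character is literal."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\.", i):
            out.append(".")
            i += 2
        else:
            ch = pattern[i]
            out.append(ch if ch in "*+" else re.escape(ch))
            i += 1
    return re.compile("".join(out))

COMPILED = [(rid, PARENT_STATUS[sid], ossec_to_python(rx)) for rid, sid, rx in RULES]

def match_rule(line):
    """Return the id of the first rule whose parent status and regex both match."""
    m = STATUS_RE.match(line)
    if not m:
        return None
    for rid, status, rx in COMPILED:
        if m.group(1) == status and rx.search(line):
            return rid
    return None

# Constructed sample lines (host, account and event ids are made up).
SAMPLES = [
    "WinEvtLog: Application: ERROR(1): chromoting: (no user): no domain: WS01: Access denied for client: user@example.com/chromoting-1.",
    "WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: WS01: Client connected: user@example.com/chromoting-1.",
    "WinEvtLog: Application: INFORMATION(1): chromoting: (no user): no domain: WS01: Client disconnected: user@example.com/chromoting-1.",
    "WinEvtLog: Application: WARNING(1): chromoting: (no user): no domain: WS01: Client connected: user@example.com/chromoting-1.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(match_rule(s), "<-", s[:60])
```

The last sample returns no rule because the parent rule would not fire on a WARNING event, which is the first thing to check if an expected alert never arrives.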