On Mon, Jun 6, 2016 at 5:49 PM, Kevin Branch <[email protected]> wrote:
> The news about folks getting exploited via TeamViewer made me want to get
> proactive notification whenever any of my systems get logged into via Chrome
> Remote Desktop. These rules will send email alerts about failed and
> successful logins via Chrome Remote Desktop, plus generate an OSSEC event
> when chromoting sessions close. Feel free to improve on them.
>
> <rule id="100050" level="5">
>   <if_sid>18103</if_sid>
>   <regex>: chromoting: \.* Access denied for client: </regex>
>   <description>Chrome Remote Desktop attempt - access denied</description>
>   <options>alert_by_email</options>
> </rule>
>
> <rule id="100060" level="5">
>   <if_sid>18101</if_sid>
>   <regex>: chromoting: \.* Client connected:</regex>
>   <description>Chrome Remote Desktop attempt - connected</description>
>   <options>alert_by_email</options>
> </rule>
>
> <rule id="100070" level="5">
>   <if_sid>18101</if_sid>
>   <regex>: chromoting: \.* Client disconnected:</regex>
>   <description>Chrome Remote Desktop attempt - disconnected</description>
> </rule>
>
> Thanks to Doug for assisting me in getting these working.
>
Can you provide log samples for these?

> Kevin Branch
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
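Added example, not part of the thread and not OSSEC's own code: a small offline check of the three posted rule patterns, translating OSSEC's `\.*` ("any characters") into Python regex syntax and gating each rule on its parent's event status. Assumptions: the sample lines are constructed (the event id `0`, host and client names are placeholders, and the layout follows OSSEC's `WinEvtLog:` line format), and parent rules 18101 and 18103 are taken to match INFORMATION and ERROR events respectively.

```python
import re

# OSSEC's regex dialect is not PCRE: "\." means "any character", so the
# rules' "\.*" is ".*" in Python. Unknown escapes raise instead of guessing.
OSSEC_ESCAPES = {".": ".", "d": r"\d", "w": r"[A-Za-z0-9@_-]", "s": " "}

def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex used by the posted rules."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            i += 1
            if i == len(pattern) or pattern[i] not in OSSEC_ESCAPES:
                raise ValueError("unsupported escape in %r" % pattern)
            out.append(OSSEC_ESCAPES[pattern[i]])
        elif ch in "*+":
            out.append(ch)             # quantifier for the preceding escape
        else:
            out.append(re.escape(ch))  # everything else is literal here
        i += 1
    return re.compile("".join(out))

# (rule id, parent sid, regex) exactly as posted in the thread.
RULES = [
    (100050, 18103, r": chromoting: \.* Access denied for client: "),
    (100060, 18101, r": chromoting: \.* Client connected:"),
    (100070, 18101, r": chromoting: \.* Client disconnected:"),
]
PARENT_STATUS = {18101: "INFORMATION", 18103: "ERROR"}  # assumption, see lead-in
COMPILED = [(rid, parent, ossec_to_python(rx)) for rid, parent, rx in RULES]
STATUS_RE = re.compile(r"WinEvtLog: [^:]+: (\w+)\(")

def classify(line):
    """Return the id of the first posted rule that would fire, else None."""
    m = STATUS_RE.match(line)
    status = m.group(1) if m else None
    for rule_id, parent, rx in COMPILED:
        if PARENT_STATUS[parent] == status and rx.search(line):
            return rule_id
    return None

# Constructed sample lines; only the substrings the rules match come from the post.
PREFIX = "WinEvtLog: Application: %s(0): chromoting: (no user): no domain: HOST1: "
SAMPLES = {
    "connected": PREFIX % "INFORMATION" + "Client connected: client-placeholder",
    "disconnected": PREFIX % "INFORMATION" + "Client disconnected: client-placeholder",
    "denied_error": PREFIX % "ERROR" + "Access denied for client: client-placeholder",
    "denied_info": PREFIX % "INFORMATION" + "Access denied for client: client-placeholder",
}
```

The `denied_info` case shows why real log samples matter: if an access-denied event is not logged at ERROR level, rule 100050 never fires because its parent does not.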
