
List:       focus-ms
Subject:    RE: VNC logging
From:       Joseph Brown <emailjoebrown () yahoo ! com>
Date:       2001-11-21 20:22:39


How about using windump? Create a batch file so you
can schedule it and have it listen to port 590x and/or
580x and log it to a file?

Example from cmd line:

windump host "ip of vnc server" and port "port#" > logfile.log

Not sure how to do multiple ports. Anyone know?


--- Jim Forster <jforster@rapidnet.com> wrote:
> 
> This will catch VNC connections on any port.
> alert tcp any any -> $HOME_NET any (msg:"INFO VNC Active on Network"; flags: A+; content:"RFB 003.003"; logto:"VNC";)
> 
> I also have this rule tucked away in my 'archives', but don't remember if
> it was reliable or not.  :)
> alert tcp any any <> any any (msg:"VNC Data"; content:"KeyEvent";)
> 
> 
> At 12:13 PM 11/20/2001, Bryan Allerdice wrote:
> >To see if someone is connected to a VNC host, you could run netstat from a
> >command prompt (on the host). Look for a connection to the port VNC uses,
> >TCP:5801 or something.
> >
> >As for logging, you could run snort on the box, set up a rule that looks for
> >connections to TCP:5801, and have snort log instances of that. If I'm not
> >mistaken, snort will log all the packets that match the rule (as opposed to
> >just logging the initial request), so your log file will be much fatter
> >than you probably want. Maybe someone else on this list can suggest how you
> >can make snort just log the initial request, I haven't used it for a few
> >months, so I am a bit rusty.
> >
> >BRYAN
> >
> > > -----Original Message-----
> > > From: O'Driscoll, Mike [mailto:MODriscoll@ims-group-plc.com]
> > > Sent: Tuesday, November 20, 2001 6:42 AM
> > > To: FOCUS-MS (E-mail)
> > > Subject: VNC logging
> > >
> > >
> > > Is there a way to log incoming connections to a VNC host, or to know if a
> > > connection is open?
> > >
> > > The standard way of checking the colour of the system tray icon only works
> > > if you are sitting at the machine in question at the time of a connection
> > > and if the icon does actually change colour which it doesn't always do
> > > anyway.
> > >
> > > Mike O'Driscoll
> > > Interactive Media Services
> 
> -----------------------------------------------------
> Jim Forster
> Network Administrator
> RapidNet, A Golden West Company
> -----------------------------------------------------
> 
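
The two ideas in this thread, as an added example that is not from any of the posters: a capture filter covering several ports, and logging only the first RFB handshake banner per connection instead of every matching packet. The function names, the packet tuple layout and the sample addresses are assumptions made for the illustration.

```python
import re

# RFB ProtocolVersion banner: 12 bytes, "RFB xxx.yyy\n" (e.g. "RFB 003.003\n").
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

def capture_filter(host, ports):
    """Build a libpcap/WinDump filter matching one host on several TCP ports."""
    alternatives = " or ".join(f"port {int(p)}" for p in ports)
    return f"tcp and host {host} and ({alternatives})"

def log_vnc_sessions(packets):
    """Return one log entry per TCP connection whose server sends an RFB banner.

    packets: iterable of (timestamp, src_ip, src_port, dst_ip, dst_port, payload).
    The server speaks first in RFB, so the first banner's source is the VNC host.
    """
    seen = set()      # connections already logged
    entries = []
    for ts, src, sport, dst, dport, payload in packets:
        m = RFB_BANNER.match(payload)
        if not m:
            continue
        # Normalise direction so the client's echoed banner is not logged again.
        conn = frozenset([(src, sport), (dst, dport)])
        if conn in seen:
            continue
        seen.add(conn)
        version = f"{int(m.group(1))}.{int(m.group(2))}"
        entries.append(f"{ts} VNC session server={src}:{sport} "
                       f"client={dst}:{dport} rfb={version}")
    return entries

# Constructed sample traffic (documentation addresses, not a real capture).
SAMPLE = [
    ("12:13:01", "192.0.2.10", 5900, "198.51.100.7", 1045, b"RFB 003.003\n"),  # server banner
    ("12:13:01", "198.51.100.7", 1045, "192.0.2.10", 5900, b"RFB 003.003\n"),  # client reply
    ("12:13:02", "192.0.2.10", 5900, "198.51.100.7", 1045, b"\x00\x00\x00\x02"),  # later data
    ("12:20:40", "192.0.2.10", 8080, "198.51.100.9", 1101, b"RFB 003.003\n"),  # non-default port
    ("12:21:00", "192.0.2.10", 80, "198.51.100.9", 1102, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    print(capture_filter("192.0.2.10", [5900, 5800]))
    for line in log_vnc_sessions(SAMPLE):
        print(line)
```

A banner split across TCP segments would be missed by this per-packet match; stream reassembly is outside what the example covers.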

