
List:       ossec-list
Subject:    Re: [ossec-list] Custom rules to send email alerts about Chrome Remote Desktop events
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2016-07-20 11:28:59
Message-ID: CAMyQvMrzOzjLxWYbwDyKDb-UOGjk7-YQK8C3itPhSOpv_+7U0Q () mail ! gmail ! com

On Mon, Jun 6, 2016 at 5:49 PM, Kevin Branch
<kevin@branchnetconsulting.com> wrote:
> The news about folks getting exploited via TeamViewer made me want to get
> proactive notification whenever any of my systems get logged into via Chrome
> Remote Desktop.  These rules will send email alerts about failed and
> successful logins via Chrome Remote Desktop, plus generate an OSSEC event
> when chromoting sessions close.  Feel free to improve on them.
> 
> <rule id="100050" level="5">
> <if_sid>18103</if_sid>
> <regex>: chromoting: \.* Access denied for client: </regex>
> <description>Chrome Remote Desktop attempt - access denied</description>
> <options>alert_by_email</options>
> </rule>
> 
> <rule id="100060" level="5">
> <if_sid>18101</if_sid>
> <regex>: chromoting: \.* Client connected:</regex>
> <description>Chrome Remote Desktop attempt - connected</description>
> <options>alert_by_email</options>
> </rule>
> 
> <rule id="100070" level="5">
> <if_sid>18101</if_sid>
> <regex>: chromoting: \.* Client disconnected:</regex>
> <description>Chrome Remote Desktop attempt - disconnected</description>
> </rule>
> 
> Thanks to Doug for assisting me in getting these working.
> 

Can you provide log samples for these?

> Kevin Branch
> 
> --
> 
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
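
A way to exercise the three quoted rules offline, as an added example that is not code from either poster or from the OSSEC project. The sample lines are constructed in an assumed WinEvtLog layout, the mapping of `<if_sid>` 18101/18103 to informational/error events is an assumption about the stock ruleset, and only the os_regex tokens the rules use (`\.` and `*`) are translated.

```python
import re

# <if_sid> parent -> event severity it keys on (assumption: stock ruleset,
# 18101 = informational Windows event, 18103 = error Windows event).
PARENT_SEVERITY = {"18101": "INFORMATION", "18103": "ERROR"}

# rule id -> (if_sid, <regex> body), copied from the rules quoted above.
RULES = {
    "100050": ("18103", r": chromoting: \.* Access denied for client: "),
    "100060": ("18101", r": chromoting: \.* Client connected:"),
    "100070": ("18101", r": chromoting: \.* Client disconnected:"),
}

def os_regex_to_py(pattern):
    """Translate the os_regex tokens these rules use: \\. (any char) and *."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\.", i):
            out.append(".")
            i += 2
        elif pattern[i] == "*":
            out.append("*")
            i += 1
        elif pattern[i] == "\\":
            raise ValueError("unhandled os_regex token: " + pattern[i:i + 2])
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))  # unanchored, like <regex> without ^

def classify(line):
    """Return the id of the first custom rule that would fire, else None."""
    m = re.match(r"WinEvtLog: \S+: (\w+)\(\d+\): ", line)
    severity = m.group(1) if m else None
    for rule_id, (parent, pattern) in RULES.items():
        if PARENT_SEVERITY[parent] == severity and os_regex_to_py(pattern).search(line):
            return rule_id
    return None

# Constructed sample lines in an assumed WinEvtLog layout; not real captures.
PREFIX = "chromoting: (no user): no domain: HOST01: "
SAMPLES = [
    "WinEvtLog: Application: ERROR(1): " + PREFIX + "Access denied for client: a@example.com",
    "WinEvtLog: Application: INFORMATION(2): " + PREFIX + "Client connected: a@example.com",
    "WinEvtLog: Application: INFORMATION(3): " + PREFIX + "Client disconnected: a@example.com",
    "WinEvtLog: Application: INFORMATION(1): " + PREFIX + "Access denied for client: a@example.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```

The last sample matches the text of rule 100050 but not its parent severity, so nothing fires; a rule's `<if_sid>` has to agree with the level the events are actually logged at, which only real log samples can confirm.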


