The news about folks getting exploited via TeamViewer made me want to get proactive notification whenever any of my systems get logged into via Chrome Remote Desktop. These rules will send email alerts about failed and successful logins via Chrome Remote Desktop, plus generate an OSSEC event when chromoting sessions close. Feel free to improve on them.
<!-- Drop these into local_rules.xml; OSSEC only loads rules that sit inside a <group>. -->
<group name="local,chromoting,">
  <!-- 18103 is the stock "Windows error event" rule; "\.*" is OSSEC's own "any characters". -->
  <rule id="100050" level="5">
    <if_sid>18103</if_sid>
    <regex>: chromoting: \.* Access denied for client: </regex>
    <description>Chrome Remote Desktop attempt - access denied</description>
    <options>alert_by_email</options>
  </rule>
  <!-- 18101 is the stock "Windows informational event" rule. -->
  <rule id="100060" level="5">
    <if_sid>18101</if_sid>
    <regex>: chromoting: \.* Client connected:</regex>
    <description>Chrome Remote Desktop attempt - connected</description>
    <options>alert_by_email</options>
  </rule>
  <!-- Session close: logged as an OSSEC event only, no email. -->
  <rule id="100070" level="5">
    <if_sid>18101</if_sid>
    <regex>: chromoting: \.* Client disconnected:</regex>
    <description>Chrome Remote Desktop attempt - disconnected</description>
  </rule>
</group>
Thanks to Doug for assisting me in getting these working.
Kevin Branch
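An offline check of the three rules above, added here and not part of the post or of OSSEC: it loads the rules, translates OSSEC's own regex dialect (where `\.` means any character) into Python regexes, and runs them over constructed sample records. The `WinEvtLog: <log>: <LEVEL>(<id>):` record shape and the mapping of the level word to the parent sids 18101/18103 are simplified assumptions standing in for OSSEC's real Windows eventlog decoding.

```python
import re
import xml.etree.ElementTree as ET

# The three rules from the post (descriptions omitted), embedded so this runs offline.
RULES_XML = r"""<group name="local,chromoting,">
<rule id="100050" level="5"><if_sid>18103</if_sid><options>alert_by_email</options>
<regex>: chromoting: \.* Access denied for client: </regex></rule>
<rule id="100060" level="5"><if_sid>18101</if_sid><options>alert_by_email</options>
<regex>: chromoting: \.* Client connected:</regex></rule>
<rule id="100070" level="5"><if_sid>18101</if_sid>
<regex>: chromoting: \.* Client disconnected:</regex></rule>
</group>"""
# Assumed stand-in for the OSSEC Windows eventlog parent rules: level word -> parent sid.
PARENT_SID = {"INFORMATION": 18101, "WARNING": 18102, "ERROR": 18103}
# Subset of OSSEC's regex dialect: "\." is any character, "\w" "\d" "\s" keep their
# meaning, "\(" "\)" are literal parentheses; unescaped text (a bare "." too) is literal.
_ESCAPES = {".": ".", "w": r"\w", "d": r"\d", "s": r"\s", "W": r"\W", "D": r"\D",
            "S": r"\S", "(": r"\(", ")": r"\)"}

def ossec_to_python(pattern):
    tokens = re.findall(r"\\.|.", pattern)  # escape pair or single character
    return re.compile("".join(
        _ESCAPES.get(t[1], re.escape(t[1])) if t.startswith("\\")
        else (t if t in "*+?^$" else re.escape(t)) for t in tokens))

def load_rules(xml_text):
    return [{"id": int(r.get("id")), "if_sid": int(r.findtext("if_sid")),
             "regex": ossec_to_python(r.findtext("regex")),
             "email": "alert_by_email" in (r.findtext("options") or "")}
            for r in ET.fromstring(xml_text).iter("rule")]

def match_line(line, rules):
    """(rule id, emails?) for the first rule whose parent sid and regex both match."""
    m = re.match(r"WinEvtLog: \w+: (\w+)\(", line)
    parent = PARENT_SID.get(m.group(1)) if m else None
    for rule in rules:
        if rule["if_sid"] == parent and rule["regex"].search(line):
            return rule["id"], rule["email"]
    return None  # no alert: wrong parent level or no chromoting text
# Constructed sample records; the last shows that "Access denied" logged at
# INFORMATION level does not fire 100050, which requires the ERROR parent (18103).
SAMPLE = [
    "WinEvtLog: Application: ERROR(1): chromoting: host: Access denied for client: alice@example.com",
    "WinEvtLog: Application: INFORMATION(1): chromoting: host: Client connected: alice@example.com",
    "WinEvtLog: Application: INFORMATION(1): chromoting: host: Client disconnected: alice@example.com",
    "WinEvtLog: Application: INFORMATION(1): chromoting: host: Access denied for client: bob@example.com",
]

def evaluate(lines=SAMPLE):
    return [match_line(line, load_rules(RULES_XML)) for line in lines]
```

This only checks what the regexes intend to catch; run a real record through ossec-logtest on the manager for the authoritative decode and parent-rule selection.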