Custom rules to send email alerts about Chrome Remote Desktop events

74 views
Skip to first unread message

Kevin Branch

unread,
Jun 6, 2016, 5:49:29 PM6/6/16
to ossec...@googlegroups.com
The news about folks getting exploited via TeamViewer made me want to get proactive notification whenever any of my systems get logged into via Chrome Remote Desktop.  These rules will send email alerts about failed and successful logins via Chrome Remote Desktop, plus generate an OSSEC event when chromoting sessions close.  Feel free to improve on them.

  <rule id="100050" level="5">
    <if_sid>18103</if_sid>
    <regex>: chromoting: \.* Access denied for client: </regex>
    <description>Chrome Remote Desktop attempt - access denied</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100060" level="5">
    <if_sid>18101</if_sid>
    <regex>: chromoting: \.* Client connected:</regex>
    <description>Chrome Remote Desktop attempt - connected</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="100070" level="5">
    <if_sid>18101</if_sid>
    <regex>: chromoting: \.* Client disconnected:</regex>
    <description>Chrome Remote Desktop attempt - disconnected</description>
  </rule>

Thanks to Doug for assisting me in getting these working.

Kevin Branch

Jesus Linares

unread,
Jul 19, 2016, 6:04:38 AM7/19/16
to ossec-list
Hi Kevin,


Thanks for your contribution!.
Regards.

dan (ddp)

unread,
Jul 20, 2016, 7:29:15 AM7/20/16
to ossec...@googlegroups.com
Can you provide log samples for these?

> Kevin Branch
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages