VNC Windows Server Alerts


Gary White

Oct 13, 2013, 9:05:19 AM
to ossec...@googlegroups.com
VNC is installed on my Windows machine. I have the OSSEC server installed on a Linux machine, with agents installed on my workstations. I need to be alerted when someone remotes into my Windows machine using VNC. The event (ID 1) shows up in the Application log. Is there a rule file like VNC.xml for OSSEC?
 
I cannot seem to get this event to trigger. Please see attached.
 
localrules.xml
 
<group name="local,syslog,">
  <!-- VNC Login -->
  <rule id="100036" level="11">
    <id>^1|^2</id>
    <match>Connection received from</match>
    <group>syslog,</group>
    <description>VNC Login</description>
  </rule>
</group> <!-- SYSLOG,LOCAL -->
Attachment: vnc.jpg

dan (ddp)

Oct 14, 2013, 10:57:41 AM
to ossec...@googlegroups.com
Turn on the log all option on the server and trigger the log message.
That way we'll have a copy of the log to work with.


Forums

Oct 14, 2013, 11:48:43 AM
to ossec...@googlegroups.com
The log from the Windows machines (VNC login) is attached. My point is, there
is currently no rule for VNC, so any logs are probably going to point to
nothing at this point. I need assistance creating a rule, right?

If I am to turn on the log-all feature for the OSSEC server, I will research
that, as I have never heard of it.

dan (ddp)

Oct 14, 2013, 11:58:24 AM
to ossec...@googlegroups.com


On Oct 14, 2013 11:52 AM, "Forums" <for...@cyberwatchers.com> wrote:
>
> The log from the windows macines (VNC login) is attached. My point is, there

Sorry about that, I must have missed it. All I saw was an absolutely useless screen shot of event viewer. I'll take another look after lunch.

Forums

Oct 14, 2013, 1:52:20 PM
to ossec...@googlegroups.com

I am such a fool… Please forgive me for my stupidity. I did provide the screenshot of the log files that will need to be parsed, which were Windows Application logs. Not really VNC itself, but the logs. If you don’t hear from me again, it’s because I stuck my tongue in a light socket.

dan (ddp)

Oct 14, 2013, 2:03:09 PM
to ossec...@googlegroups.com
On Mon, Oct 14, 2013 at 1:52 PM, Forums <for...@cyberwatchers.com> wrote:
> I am such a fool… Please forgive me for my stupidity. I did provide the
> screenshot of the log files that will need to be parsed, which were Windows
> Application logs. Not really VNC itself, but the logs. If you don’t hear from
> me again, it’s because I stuck my tongue in a light socket.
>

And I don't want to waste a bunch of time trying to figure out how
that log event looks to OSSEC. I could spend a lot of time doing that,
or you could provide the log from archives.log (after turning on the
log all option and triggering the log).
Maybe someone else wants to give it a shot though.

Forums

Oct 14, 2013, 2:43:40 PM
to ossec...@googlegroups.com
Okay I will do just that. I am not sure how to turn that on but I will
research it and let you know or provide the logs once done.


dan (ddp)

Oct 14, 2013, 3:00:52 PM
to ossec...@googlegroups.com
On Mon, Oct 14, 2013 at 2:43 PM, Forums <for...@cyberwatchers.com> wrote:
> Okay I will do just that. I am not sure how to turn that on but I will
> research it and let you know or provide the logs once done.
>

http://www.ossec.net/doc/syntax/head_ossec_config.global.html#element-logall

Forums

Oct 14, 2013, 8:55:18 PM
to ossec...@googlegroups.com
Here is the output from the archives log after the <logall>yes</logall>
option was set.


2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3

2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3

2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the Desktop Window Manager was made by process (VNC server for X64/win32)

2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9013): Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: (no message)

2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected

Forums

Oct 21, 2013, 9:59:29 AM
to ossec...@googlegroups.com
Any ideas?


dan (ddp)

Oct 21, 2013, 10:07:10 AM
to ossec...@googlegroups.com
On Mon, Oct 21, 2013 at 9:59 AM, Forums <for...@cyberwatchers.com> wrote:
> Any ideas?
>

Sorry about that, missed the email with the logs.

<rule id="300000" level="1">
  <if_sid>18100</if_sid>
  <match>UltraVnc: </match>
  <description>UltraVNC blah blah</description>
</rule>

<rule id="300001" level="1">
  <if_sid>300000</if_sid>
  <match>Connection received from </match>
  <description>VNC connection</description>
</rule>


**Phase 1: Completed pre-decoding.
full event: 'WinEvtLog: Application: INFORMATION(1): UltraVnc:
(no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36
Connection received from 192.168.2.3'
hostname: 'arrakis'
program_name: '(null)'
log: 'WinEvtLog: Application: INFORMATION(1): UltraVnc: (no
user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection
received from 192.168.2.3'

**Phase 2: Completed decoding.
decoder: 'windows'

**Phase 3: Completed filtering (rules).
Rule id: '300001'
Level: '1'
Description: 'VNC connection'
**Alert to be generated.

Forums

Oct 21, 2013, 10:29:50 AM
to ossec...@googlegroups.com
Here is the copy of the logs I sent out from the archive last week. Also
below:

Archive log:

dan (ddp)

Oct 21, 2013, 10:48:37 AM
to ossec...@googlegroups.com
On Mon, Oct 21, 2013 at 10:29 AM, Forums <for...@cyberwatchers.com> wrote:
> Here is the copy of the logs I sent out from the archive last week. Also
> below:
>

Were there any other log messages you wanted me to write rules for? Or
was it just the one?

Forums

Oct 21, 2013, 10:53:54 AM
to ossec...@googlegroups.com
I would need one for successful and failed attempts. I appreciate the help
as I know you guys are busy. For whatever the reason, I cannot seem to find
examples for this. I am a bit lacking in knowledge regarding the rules for
VNC. Anyway thanks again for getting back to me.

dan (ddp)

Oct 21, 2013, 11:07:07 AM
to ossec...@googlegroups.com
On Mon, Oct 21, 2013 at 10:53 AM, Forums <for...@cyberwatchers.com> wrote:
> I would need one for successful and failed attempts. I appreciate the help
> as I know you guys are busy. For whatever the reason, I cannot seem to find
> examples for this. I am a bit lacking in knowledge regarding the rules for
> VNC. Anyway thanks again for getting back to me.

I'm not sure which log message was for successful connections, but
here's one for invalid connections:

<rule id="300002" level="1">
  <if_sid>300000</if_sid>
  <match> Invalid attempt from client </match>
  <description>Invalid VNC attempt.</description>
</rule>

You may need to adjust the levels for these, depending on what you
want them to do.

As far as examples go, the rules directory is full of examples of
rules. These aren't very difficult.

You could also add this decoder:
<decoder name="ultravnc">
  <parent>windows</parent>
  <prematch>UltraVnc: </prematch>
  <regex offset="after_prematch"> from (\S+)$| from client (\S+)$</regex>
  <order>srcip</order>
</decoder>

It would require a tweak of the rules, but the srcip might be useful
if you want to use it with active response in the future.
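To see what the decoder and the three chained rules in this reply actually do to the archives.log lines posted earlier, here is the same logic traced in plain Python. This is an added example, not code from the thread or from OSSEC: it re-implements the fields the stock windows decoder extracts, the ` from (\S+)$| from client (\S+)$` srcip extraction, and the if_sid chaining of rules 300000/300001/300002 (as plain substring matches, which these three patterns reduce to). The first four sample lines are copied from the archives.log excerpt above; the last two are constructed for this example to show per-source counting of failed attempts. The field names and the `summarize` helper are this example's own.

```python
import re
from collections import Counter

# Lines in the shape of the archives.log excerpt posted in this thread. The first four are
# copied from it; the last two are constructed for this example to show per-source counting.
ARCHIVE_LINES = [
    "2013 Oct 14 20:35:43 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): "
    "UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:35 Invalid attempt from client 192.168.2.3",
    "2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(1): "
    "UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Connection received from 192.168.2.3",
    "2013 Oct 14 20:36:15 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(9010): "
    "Desktop Window Manager: (no user): no domain: BEAST.mydomain.local: A request to disable the "
    "Desktop Window Manager was made by process (VNC server for X64/win32)",
    "2013 Oct 14 20:36:19 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(3): "
    "UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:36 Client 192.168.2.3 disconnected",
    # constructed: two failed attempts from a second client
    "2013 Oct 14 20:40:01 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): "
    "UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:40 Invalid attempt from client 10.9.8.7",
    "2013 Oct 14 20:40:03 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application: INFORMATION(2): "
    "UltraVnc: (no user): no domain: BEAST.mydomain.local: 14/10/2013 20:40 Invalid attempt from client 10.9.8.7",
]

# Same fields the stock "windows" decoder pulls out (status, id, extra_data, user, system_name),
# named here for readability; "message" is whatever follows the system name.
WINEVT_RE = re.compile(
    r"^WinEvtLog: (?P<location>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): (?P<extra_data>[^:]+): "
    r"(?P<user>[^:]+): (?P<domain>[^:]+): (?P<system_name>\S+): (?P<message>.*)$"
)

# Python form of the child decoder's " from (\S+)$| from client (\S+)$": both branches are
# "from", an optional "client ", then the address at end of line.
ULTRAVNC_SRCIP_RE = re.compile(r" from (?:client )?(\S+)$")

# (rule id, parent rule id for if_sid, substring for <match>, level, description); parents first.
RULES = [
    (300000, None,   "UltraVnc: ",                    1, "UltraVNC event"),
    (300001, 300000, "Connection received from ",     1, "VNC connection"),
    (300002, 300000, " Invalid attempt from client ", 1, "Invalid VNC attempt."),
]


def decode(line):
    """Strip the agent header and decode the Windows event; returns a field dict or None."""
    log = line.split("->WinEvtLog ", 1)[-1]           # drop "<date> (<agent>) <ip>->WinEvtLog "
    m = WINEVT_RE.match(log)
    if not m:
        return None
    fields = m.groupdict()
    fields["log"] = log
    fields["srcip"] = None
    if fields["extra_data"] == "UltraVnc":            # the child decoder only applies to this source
        ip = ULTRAVNC_SRCIP_RE.search(fields["message"])
        if ip:
            fields["srcip"] = ip.group(1)
    return fields


def match_rule(fields):
    """Walk RULES the way if_sid chains do: a child is only tried once its parent has fired.
    Returns (rule id, level, description) of the most specific rule that matched, or None."""
    fired = {None}                                    # None stands for the implicit root
    result = None
    for rule_id, parent, needle, level, desc in RULES:
        if parent in fired and needle in fields["log"]:
            fired.add(rule_id)
            result = (rule_id, level, desc)
    return result


def summarize(lines):
    """Return the list of (rule id, srcip) alerts and a Counter of failed attempts per source."""
    alerts, failures = [], Counter()
    for line in lines:
        fields = decode(line)
        if fields is None:
            continue
        rule = match_rule(fields)
        if rule is None:                              # e.g. the Desktop Window Manager events
            continue
        alerts.append((rule[0], fields["srcip"]))
        if rule[0] == 300002:
            failures[fields["srcip"]] += 1
    return alerts, failures


if __name__ == "__main__":
    alerts, failures = summarize(ARCHIVE_LINES)
    for rule_id, srcip in alerts:
        print(f"rule {rule_id} fired, srcip={srcip}")
    print("failed attempts per source:", dict(failures))
```

Two things the trace makes visible: the disconnect message matches only the parent rule 300000 and yields no srcip, because neither alternative in the decoder regex covers "Client ... disconnected"; and all three rules are level 1, which is written to alerts.log but sits below OSSEC's default `<email_alert_level>` of 7, so the e-mail the original poster wanted needs the levels raised (the original localrules attempt used level 11).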

Forums

Oct 21, 2013, 11:17:56 AM
to ossec...@googlegroups.com
Ahhh yes. The decoder is what I am having problems with as in how to create
them. I will take what you gave me and work on it in the evenings. Thanks a
bunch.

Forums

Oct 21, 2013, 11:19:51 AM
to ossec...@googlegroups.com
This is the one I get when the VNC login is successful.

>> 2013 Oct 14 20:36:11 (Beast) 10.1.1.12->WinEvtLog WinEvtLog: Application:
>> INFORMATION(1): UltraVnc: (no user): no domain: BEAST.mydomain.local:
>> 14/10/2013 20:36 Connection received from 192.168.2.3

dan (ddp)

Oct 21, 2013, 11:27:09 AM
to ossec...@googlegroups.com
On Mon, Oct 21, 2013 at 11:19 AM, Forums <for...@cyberwatchers.com> wrote:
> This is the one I get when successful login vnc.
>

Ok, one of the rules covered that.

After I added the decoder, these rules seemed to work:
<rule id="300000" level="1">
  <match>UltraVnc: </match>
  <description>UltraVNC blah blah</description>
</rule>

<rule id="300001" level="1">
  <if_sid>300000</if_sid>
  <match>Connection received from </match>
  <description>VNC connection</description>
</rule>

Forums

Oct 21, 2013, 11:34:05 AM
to ossec...@googlegroups.com
Great work! Thanks again. I will add the decoder you have given me. If there
is anything specific I need to know when creating the decoder, let me know.
As far as I have seen there is only one decoder file, which is where I
will add the decoder you have given me. I will let you know my results.


Regards

Forums

Oct 21, 2013, 9:23:19 PM
to ossec...@googlegroups.com
I had little time tonight to work on this but I attempted to add your
decoder rule with the following error:

Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
2013/10/21 21:17:15 ossec-analysisd(2101): ERROR: Parent decoder name
invalid: 'windows'.
2013/10/21 21:17:15 ossec-analysisd(2106): ERROR: Error adding decoder
plugin.
2013/10/21 21:17:15 ossec-testrule(1202): ERROR: Configuration error at
'/etc/decoder.xml'. Exiting.

dan (ddp)

Oct 21, 2013, 9:34:50 PM
to ossec...@googlegroups.com


On Oct 21, 2013 9:33 PM, "Forums" <for...@cyberwatchers.com> wrote:
>
> I had little time tonight to work on this but I attempted to add your
> decoder rule with the following error:
>
> Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...
> 2013/10/21 21:17:15 ossec-analysisd(2101): ERROR: Parent decoder name
> invalid: 'windows'.
> 2013/10/21 21:17:15 ossec-analysisd(2106): ERROR: Error adding decoder
> plugin.
> 2013/10/21 21:17:15 ossec-testrule(1202): ERROR: Configuration error at
> '/etc/decoder.xml'. Exiting.
>

Try adding it to local_decoder.xml instead. The windows decoder exists, unless you removed it.

Forums

Oct 22, 2013, 11:38:13 AM
to ossec...@googlegroups.com

I didn’t have a local_decoder file, so I created one and added in the decoder you gave me. It works fine for the first rule:

> After I added the decoder, these rules seemed to work:
>   <rule id="300000" level="1">
>     <match>UltraVnc: </match>
>     <description>UltraVNC blah blah</description>
>   </rule>

 

The other rules pointing to <if_sid>300000</if_sid> etc. do not work because it says something about not finding that SID. Regardless, all I need is the first rule. Just for my own knowledge I will be looking into why the other rules don’t work and why I am getting the error messages.

>   <rule id="300001" level="1">

>     <if_sid>300000</if_sid> (it’s as if there is no 300000)

>     <match>Connection received from </match>
>     <description>VNC connection</description>
>   </rule>
>
>   <rule id="300002" level="1">
>     <if_sid>300000</if_sid>
>     <match> Invalid attempt from client </match>
>     <description>Invalid VNC attempt.</description>
>   </rule>

 

The errors show themselves when I restart the OSSEC services:


Starting OSSEC HIDS v2.4.1 (by Trend Micro Inc.)...

2013/10/22 11:36:35 rules_list: Signature ID '300000' not found. Invalid 'if_sid'.

ossec-analysisd: Configuration error. Exiting.

Started ossec-maild...

dan (ddp)

Oct 22, 2013, 11:41:13 AM
to ossec...@googlegroups.com
So rule 300000 isn't getting loaded.

Forums

Oct 23, 2013, 12:32:30 PM
to ossec...@googlegroups.com
When I add the decoder you gave me (below), the VNC rules work great; however,
my alerts that get emailed to me regarding Windows RDP quit working. I have
tested this by moving the local_decoder file up a directory and restarting the
services: then VNC stops working, of course, but Windows RDP works again...
any thoughts?

dan (ddp)

Oct 23, 2013, 1:30:43 PM
to ossec...@googlegroups.com


On Oct 23, 2013 1:26 PM, "Forums" <for...@cyberwatchers.com> wrote:
>
> The decoder rule that you gave me to add below, when adding it, the VNC
> rules work great however my alerts that get emailed to me regarding Windows
> RDP quit working. I have tested this by removing the local_decoder file up a
> directory, restarting the services and then VNC stop working of course but
> then Windows RDP works again... any thoughts?
>

Plenty. I can't test what I don't know. If you provide logs I can do your work, if you don't I can't. It really seems like you should hire someone technical.

Forums

Oct 23, 2013, 2:00:35 PM
to ossec...@googlegroups.com

 

You should know; all is documented in the email. You’re the one that had me add in the decoder rule. You’re the OSSEC pro, right? I admit I don’t know everything regarding technology; no one does. I will take a class so I don’t bother you in your forum. It is a forum, right?

 

Anyway, since you’re such a smart ass I will do “my work” for OSSEC tonight, after I am done building all the Exchange servers and RAS servers for the multi-site domain I am putting together. Don’t mistake me for being an idiot or not “technical” just because I don’t spend my day helping people with OSSEC. I can fix the issue myself. I am short on time and mistakenly thought your forum might be helpful.

 

When I am not working in an office setting up servers and resolving various networking issues, I spend my time in the gym to beat the shit out of smart ass bitches like you for entertainment purposes. So please do continue being a douchebag; you’re safe and far away from the reach of my hands.

 

Regards,

dan (ddp)

Oct 23, 2013, 2:50:24 PM
to ossec...@googlegroups.com
On Wed, Oct 23, 2013 at 2:00 PM, Forums <for...@cyberwatchers.com> wrote:
>
>
> You should know, all is documented in the email. You’re the one that had me

I will look for clearly labeled RDP log messages so I can test this
and try to get it working for you.

> add in the decoder rule. You’re the OSSEC pro right? I admit I don’t know

Nope, just an amateur spending his free time trying to help people.
Unfortunately some people treat me like an employee, without the
benefits.

> everything regarding technology no one does. I will take a class so I don’t
> bother you in your forum. It is a forum right?
>

I think it's more of a mailing list.

>
>
> Anyway since your such a smart ass I will do “my work” for ossec, tonight
> after I am done building all the exchange servers and RAS servers for the
> multi site domain I am putting together. Don’t mistake me for being an idiot
> or not “technical” just because I don’t spend my day helping people with
> OSSEC. I can fix the issue myself. I am short on time and mistakenly
> thought your forum might be helpful.
>

I feel like I have been helpful. I also think it's rude to expect me
to do all of your work for you. I have a job as well.

>
>
> When I am not working in an office setting up servers and resolving various
> networking issues I spend my time in the gym to beat the shit out of smart
> ass bitches like you for entertainment purposes. So please do continue being
> a douchebag, your safe and far away from the reach of my hands.
>

This is unnecessary, but if you wish to discuss these issues over
coffee I'm more than willing. :)

dan (ddp)

Oct 23, 2013, 2:56:08 PM
to ossec...@googlegroups.com
On Wed, Oct 23, 2013 at 2:50 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Oct 23, 2013 at 2:00 PM, Forums <for...@cyberwatchers.com> wrote:
>>
>>
>> You should know, all is documented in the email. You’re the one that had me
>
> I will look for clearly labeled RDP log messages so I can test this
> and try to get it working for you.
>

I'm sure I'm just missing them like an idiot, but which logs are for
RDP? The only ones I see reference UltraVNC.

dan (ddp)

Oct 23, 2013, 3:52:30 PM
to ossec...@googlegroups.com
On Wed, Oct 23, 2013 at 2:56 PM, dan (ddp) <ddp...@gmail.com> wrote:
> On Wed, Oct 23, 2013 at 2:50 PM, dan (ddp) <ddp...@gmail.com> wrote:
>> On Wed, Oct 23, 2013 at 2:00 PM, Forums <for...@cyberwatchers.com> wrote:
>>>
>>>
>>> You should know, all is documented in the email. You’re the one that had me
>>
>> I will look for clearly labeled RDP log messages so I can test this
>> and try to get it working for you.
>>
>
> I'm sure I'm just missing them like an idiot, but which logs are for
> RDP? The only ones I see reference UltraVNC.
>

I found someone else's RDP log message and used that for testing.
I hate the Windows decoder. I couldn't get it to work without
modifications. I had to change the windows decoder (in decoder.xml)
to:
<decoder name="windows">
  <type>windows</type>
  <prematch>^WinEvtLog: </prematch>
</decoder>

<decoder name="windows">
  <parent>windows</parent>
  <regex offset="after_parent">^\.+: (\w+)\((\d+)\): (\.+): </regex>
  <regex>(\.+): \.+: (\S+): </regex>
  <order>status, id, extra_data, user, system_name</order>
  <fts>name, location, user, system_name</fts>
</decoder>

And then added this as well:
<decoder name="windows">
  <parent>windows</parent>
  <regex offset="after_parent">^Application: \S+: UltraVnc: \.+: \.+ from (\S+)$|^Application: \S+: UltraVnc: \.+ from client (\S+)</regex>
  <!-- order and closing tag as in the ultravnc decoder posted earlier in this thread -->
  <order>srcip</order>
</decoder>

Forums

Oct 23, 2013, 4:12:07 PM
to ossec...@googlegroups.com
Sorry for my earlier comments.... I understand you are busy; sorry people
treat you like I just did. Anyway,

My fault, I thought I had RDP logs in this posting but it was the one I
resolved earlier a few weeks ago. I can research and figure it out later but
thanks for all the help earlier much appreciated.

<!-- RDP Access Alert Working Fine -->
<rule id="18160" level="8">
<if_sid>18104</if_sid>
<id>^682|^4778|^4624</id>
<description>Remote Desktop Connection Established</description>
<group>authentication_success</group>
</rule>
</group>
<!-- EOF -->

Here are the logs I get; these are only the logs that are mailed out to me. I
am not able to create the archive log, but if you want that I can get it
later.

Received From: (Beast) 10.1.1.12->WinEvtLog
Rule: 100035 fired (level 11) -> "Remote Desktop Connection Established"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: gary: MYDOMAIN: BEAST.mydomain.local:
An account was successfully logged on. Subject: Security ID: S-1-5-18
Account Name: BEAST$ Account Domain: mydomain Logon ID: 0x3e7 Logon
Type: 2 New Logon: Security ID:
S-1-5-21-3105247609-3095833174-255621157-1105 Account Name: gary Account
Domain: mydomain Logon ID: 0x1defee59a Logon GUID:
{48B6BD9F-0DD2-F23D-05C6-BF24FE442B0F} Process Information: Process ID:
0x2550 Process Name: C:\Windows\System32\winlogon.exe Network
Information: Workstation Name: BEAST Source Network Address: 127.0.0.1
Source Port: 0 Detailed Authentication Information: Logon Process:
User32 Authentication Package: Negotiate Transited Services: - Package
Name (NTLM only): - Key Length: 0 This event is generated when a logon
session is created. It is generated on the computer that was accessed.



--END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Oct 21 16:57:27

Received From: (Beast) 10.1.1.12->WinEvtLog
Rule: 100035 fired (level 11) -> "Remote Desktop Connection Established"
Portion of the log(s):

WinEvtLog: Security: AUDIT_SUCCESS(4778):
Microsoft-Windows-Security-Auditing: (no user): no domain:
BEAST.mydomain.local: A session was reconnected to a Window Station.
Subject: Account Name: gary Account Domain: MYDOMAIN Logon ID: 0x4ab36
Session: Session Name: Console Additional Information: Client Name:
Unknown Client Address: LOCAL This event is generated when a user
reconnects to an existing Terminal Services session, or when a user switches
to an existing desktop using Fast User Switching.
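The rule quoted above alerts on the event ID alone, and the two notifications that follow show the cost of that: the 4624 is a Logon Type 2 (interactive, console) logon with Source Network Address 127.0.0.1, and the 4778 is a reconnect to the Console session with Client Address LOCAL, so neither is a remote desktop session, yet both fired "Remote Desktop Connection Established". As an added example, not code from the thread or from OSSEC, the Python below parses those two events (re-joined onto one line) plus a constructed 4624 with Logon Type 10 (RemoteInteractive, the type Windows assigns to RDP logons) and a remote source address, and keeps only the events that actually indicate RDP. The field regexes, the result dictionary, and the "Client Address other than LOCAL" heuristic for 4778 are this example's own.

```python
import re

# Security-log lines in the shape OSSEC reports them. The first two are the 4624 and 4778 events
# from the notifications posted above (re-joined onto one line); the third is constructed for this
# example to show what a genuine RDP logon carries: Logon Type 10 and a remote source address.
SAMPLES = {
    "console_logon":
        "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: gary: MYDOMAIN: "
        "BEAST.mydomain.local: An account was successfully logged on. Subject: Security ID: S-1-5-18 "
        "Account Name: BEAST$ Account Domain: mydomain Logon ID: 0x3e7 Logon Type: 2 New Logon: "
        "Security ID: S-1-5-21-3105247609-3095833174-255621157-1105 Account Name: gary Account Domain: "
        "mydomain Logon ID: 0x1defee59a Logon GUID: {48B6BD9F-0DD2-F23D-05C6-BF24FE442B0F} "
        "Process Information: Process ID: 0x2550 Process Name: C:\\Windows\\System32\\winlogon.exe "
        "Network Information: Workstation Name: BEAST Source Network Address: 127.0.0.1 Source Port: 0 "
        "Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate "
        "Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a "
        "logon session is created. It is generated on the computer that was accessed.",
    "console_reconnect":
        "WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: (no user): "
        "no domain: BEAST.mydomain.local: A session was reconnected to a Window Station. Subject: "
        "Account Name: gary Account Domain: MYDOMAIN Logon ID: 0x4ab36 Session: Session Name: Console "
        "Additional Information: Client Name: Unknown Client Address: LOCAL This event is generated "
        "when a user reconnects to an existing Terminal Services session, or when a user switches to "
        "an existing desktop using Fast User Switching.",
    "rdp_logon":  # constructed for this example
        "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: gary: MYDOMAIN: "
        "BEAST.mydomain.local: An account was successfully logged on. Subject: Security ID: S-1-5-18 "
        "Account Name: BEAST$ Account Domain: mydomain Logon ID: 0x3e7 Logon Type: 10 New Logon: "
        "Security ID: S-1-5-21-3105247609-3095833174-255621157-1105 Account Name: gary Account Domain: "
        "mydomain Logon ID: 0x2a31f7 Logon GUID: {00000000-0000-0000-0000-000000000000} "
        "Process Information: Process ID: 0x2550 Process Name: C:\\Windows\\System32\\winlogon.exe "
        "Network Information: Workstation Name: LAPTOP Source Network Address: 192.168.2.3 "
        "Source Port: 51234 Detailed Authentication Information: Logon Process: User32 "
        "Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0",
}

# Header as the OSSEC agent emits it, then the individual fields we decide on. \s+ tolerates the
# multiple spaces or line wraps the agent or a mail client may introduce between label and value.
HEADER_RE = re.compile(r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>\w+)\((?P<id>\d+)\): ")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(\d+)")
SRC_ADDR_RE = re.compile(r"Source Network Address:\s+(\S+)")
NEW_LOGON_USER_RE = re.compile(r"New Logon:.*?Account Name:\s+(\S+)")   # the logged-on user, not the Subject
SESSION_NAME_RE = re.compile(r"Session Name:\s+(\S+)")
CLIENT_ADDR_RE = re.compile(r"Client Address:\s+(\S+)")

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive"}


def classify(log):
    """Decide whether a 4624/4778 line is evidence of an RDP session. Returns a dict with 'rdp'
    (bool) and 'reason' plus the fields the decision rests on, or None if the header is unparsable."""
    h = HEADER_RE.match(log)
    if not h:
        return None
    body = log[h.end():]
    info = {"event_id": int(h.group("id")), "rdp": False, "reason": ""}
    if info["event_id"] == 4624:
        lt = LOGON_TYPE_RE.search(body)
        src = SRC_ADDR_RE.search(body)
        user = NEW_LOGON_USER_RE.search(body)
        info["logon_type"] = int(lt.group(1)) if lt else None
        info["srcip"] = src.group(1) if src else None
        info["user"] = user.group(1) if user else None
        kind = LOGON_TYPES.get(info["logon_type"], "unknown")
        if info["logon_type"] == 10:
            info["rdp"] = True
            info["reason"] = f"4624 Logon Type 10 ({kind}) from {info['srcip']}"
        else:
            info["reason"] = f"4624 Logon Type {info['logon_type']} ({kind}) is not an RDP logon"
    elif info["event_id"] == 4778:
        sess = SESSION_NAME_RE.search(body)
        addr = CLIENT_ADDR_RE.search(body)
        info["session"] = sess.group(1) if sess else None
        info["client_address"] = addr.group(1) if addr else None
        # heuristic used here: a reconnect from anywhere but the local console counts as remote
        if info["client_address"] and info["client_address"] != "LOCAL":
            info["rdp"] = True
            info["reason"] = f"4778 session {info['session']} reconnected from {info['client_address']}"
        else:
            info["reason"] = "4778 reconnect from the local console (Fast User Switching), not RDP"
    else:
        info["reason"] = f"event {info['event_id']} is not a logon event this check understands"
    return info


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        result = classify(line)
        print(f"{name}: rdp={result['rdp']} ({result['reason']})")
```

The OSSEC equivalent is to chain the local rule off the same parent as the rule quoted above and add `<match>Logon Type: 10</match>` rather than alerting on `^4624` alone; check the exact spacing the agent delivers in archives.log before relying on that string, since the e-mail copy above is line-wrapped.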