RE: VNC logging

From: Joseph Brown (emailjoebrown@yahoo.com)
Date: 11/21/01


Message-ID: <20011121202239.84557.qmail@web9604.mail.yahoo.com>
Date: Wed, 21 Nov 2001 12:22:39 -0800 (PST)
From: Joseph Brown <emailjoebrown@yahoo.com>
Subject: RE: VNC logging
To: "FOCUS-MS (E-mail)" <FOCUS-MS@SECURITYFOCUS.COM>


How about using windump? Create a batch file so you
can schedule it and have it listen to port 590x and/or
580x and log it to a file?

Example from cmd line

windump host "ip of vnc server" and port "port#" > logfile.log

Not sure how to do multiple ports. Anyone know?

--- Jim Forster <jforster@rapidnet.com> wrote:
>
> This will catch VNC connections on any port.
> alert tcp any any -> $HOME_NET any (msg:"INFO VNC Active on Network"; flags: A+; content:"RFB 003.003"; logto:"VNC";)
>
> I also have this rule tucked away in my 'archives', but don't remember if
> it was reliable or not. :)
> alert tcp any any <> any any (msg:"VNC Data"; content:"KeyEvent";)
>
>
> At 12:13 PM 11/20/2001, Bryan Allerdice wrote:
> >To see if someone is connected to a VNC host, you could run netstat from a
> >command prompt (on the host). Look for a connection to the port VNC uses,
> >TCP:5801 or something.
> >
> >As for logging, you could run snort on the box, set up a rule that looks for
> >connections to TCP:5801, and have snort log instances of that. If I'm not
> >mistaken, snort will log all the packets that match the rule (as opposed to
> >just logging the initial request), so your log file will be much fatter
> >than you probably want. Maybe someone else on this list can suggest how you
> >can make snort just log the initial request, I haven't used it for a few
> >months, so I am a bit rusty.
> >
> >BRYAN
> >
> > > -----Original Message-----
> > > From: O'Driscoll, Mike [mailto:MODriscoll@ims-group-plc.com]
> > > Sent: Tuesday, November 20, 2001 6:42 AM
> > > To: FOCUS-MS (E-mail)
> > > Subject: VNC logging
> > >
> > >
> > > Is there a way to log incoming connections to a VNC host, or to know if a
> > > connection is open?
> > >
> > > The standard way of checking the colour of the system tray icon only works
> > > if you are sitting at the machine in question at the time of a connection
> > > and if the icon does actually change colour which it doesn't always do
> > > anyway.
> > >
> > > Mike O'Driscoll
> > > Interactive Media Services
> >
> >
>
>
> - -----------------------------------------------------
> Jim Forster
> Network Administrator
> RapidNet, A Golden West Company
> - -----------------------------------------------------
>
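
The two ideas in this thread (match the RFB banner on any port, and log only the start of a connection rather than every packet) can be combined as below. This is an added example, not part of the original messages; it generalizes the quoted rule's `RFB 003.003` match to any `RFB xxx.yyy` version banner, and the function name, record layout and sample traffic are assumptions constructed for illustration.

```python
import re

# RFB ProtocolVersion message: 12 bytes of the form "RFB xxx.yyy\n".
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def new_vnc_sessions(segments):
    """Return one log entry per TCP connection that opens with an RFB banner.

    segments: iterable of (time, src_ip, src_port, dst_ip, dst_port, payload).
    In RFB the server sends its banner first, so the sender of the first
    banner seen on a connection is recorded as the server.
    """
    seen = set()
    entries = []
    for ts, src, sport, dst, dport, payload in segments:
        m = RFB_BANNER.match(payload)
        if not m:
            continue  # later traffic on the connection is never logged
        # Direction-independent key: the client's reply banner and any
        # retransmission map to the same connection and are skipped.
        flow = frozenset([(src, sport), (dst, dport)])
        if flow in seen:
            continue
        seen.add(flow)
        entries.append({
            "time": ts,
            "server": f"{src}:{sport}",
            "client": f"{dst}:{dport}",
            "version": f"{int(m.group(1))}.{int(m.group(2))}",
        })
    return entries


# Constructed sample traffic (documentation addresses), not a real capture.
SAMPLE = [
    ("12:13:01", "192.0.2.10", 5900, "198.51.100.7", 1042, b"RFB 003.003\n"),
    ("12:13:01", "198.51.100.7", 1042, "192.0.2.10", 5900, b"RFB 003.003\n"),
    ("12:13:02", "198.51.100.7", 1042, "192.0.2.10", 5900, b"\x01"),
    ("12:20:44", "192.0.2.10", 8080, "203.0.113.5", 3311, b"RFB 003.003\n"),
    ("12:21:00", "192.0.2.10", 80, "203.0.113.5", 3312, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    for e in new_vnc_sessions(SAMPLE):
        print(e["time"], "VNC", e["version"], e["server"], "<-", e["client"])
```

Because the match is on the banner and not the port number, a server moved off the 590x range (port 8080 in the constructed sample) is still logged once.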
