You could set up snort to look for port 25 traffic and alert on it, then feed those alerts into ossec. Or, if you're just worried about port 25 being open, you could nmap the network looking for port 25 and feed that scan into ossec.
On Tue, Jan 19, 2010 at 5:12 PM, <[email protected]> wrote:
> What do I need to do, what rule applies, to send an ossec email alert if a
> machine on my network is suddenly using port 25 when it shouldn't be?
>
> Thanks
>
> Sent from my Verizon Wireless BlackBerry
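
Added example, not part of the original thread: a sketch of the nmap option from the reply, which parses nmap's grepable (`-oG`) output and reports hosts with tcp/25 open that are not on an allowlist of known mail servers. The sample scan, the allowlist, the function names and the `smtp-watch:` line format are all constructed for illustration; OSSEC would still need its own decoder and rule to match whatever line format is used.

```python
import re

# Constructed sample of `nmap -p 25 -oG -` grepable output; addresses are made up.
SAMPLE_SCAN = """\
# constructed scan header
Host: 192.168.1.10 (mail.example.lan)\tPorts: 25/open/tcp//smtp///
Host: 192.168.1.23 ()\tPorts: 25/closed/tcp//smtp///
Host: 192.168.1.57 (ws-57.example.lan)\tStatus: Up
Host: 192.168.1.57 (ws-57.example.lan)\tPorts: 25/open/tcp//smtp///
Host: 192.168.1.80 ()\tPorts: 25/filtered/tcp//smtp///
"""

# Assumption: the only host that is supposed to listen on port 25.
ALLOWED_SMTP_HOSTS = {"192.168.1.10"}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def hosts_with_open_port(scan_text, port=25):
    """Return (ip, name) for every host whose tcp/<port> state is 'open'."""
    found = []
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in line:
            continue  # comment lines and "Status:" lines carry no port data
        # Fields are tab-separated; the Ports field is a comma-separated list
        # of port/state/protocol/owner/service/rpcinfo/version/ entries.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[:3] == [str(port), "open", "tcp"]:
                found.append((m.group(1), m.group(2)))
    return found


def unexpected_smtp(scan_text, allowed):
    """Hosts with tcp/25 open that are not on the allowlist."""
    return [h for h in hosts_with_open_port(scan_text) if h[0] not in allowed]


def alert_lines(scan_text, allowed):
    """One log line per offending host, for a file the log monitor reads."""
    return ["smtp-watch: unexpected open tcp/25 on %s (%s)" % (ip, name or "no-rdns")
            for ip, name in unexpected_smtp(scan_text, allowed)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_SCAN, ALLOWED_SMTP_HOSTS):
        print(line)
```

Closed and filtered results are ignored, so only a host that is actually accepting connections on port 25 produces a line.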
