Great idea. Thanks very much, I'll give that a go.

Mike

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of Phil Erlenbeck
Sent: Wednesday, February 15, 2012 10:48 AM
To: [email protected]
Subject: Re: [ossec-list] Detecting Internet Access

Hi Mike,

Have you considered monitoring the output of a command, as in the link below?

http://www.ossec.net/doc/manual/monitoring/process-monitoring.html

You could set up a scheduled task to run

    netstat -an | findstr "80 443 8080" | findstr TCP > monitorme.txt

then just monitor that file for any changes and alert on a change. You could also run additional commands to capture who was logged in at the time as well.

Another way would be to see if you can get logs from a firewall device and set up an alert on that.

--Phil

On Wed, Feb 15, 2012 at 3:17 AM, Florian Crouzat <[email protected]> wrote:

> On 14/02/2012 21:37, Mike Disley wrote:
>> Anyone have a custom rule that would detect Outbound internet access on a Windows system?
>> I'm hoping to detect if/when someone uses a browser to access the web on a server with Internet connectivity.
>>
>> Please and Thanks
>> Mike
>
> Maybe force use of a proxy and monitor its logs.
> Search for any GET/POST with src.ip being one of your Windows.
>
> 0.02$
>
> --
> Cheers,
> Florian Crouzat
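
Added example (not part of the thread): `findstr "80 443 8080"` matches any of those strings anywhere in a line, so local ports such as 49180, addresses such as 10.0.80.12 and listening sockets also end up in the monitored file. This Python sketch filters `netstat -an` output on the exact remote port instead; the function names and the sample output are constructed for illustration.

```python
import ipaddress

WEB_PORTS = {80, 443, 8080}  # ports from the netstat/findstr suggestion in the thread

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49180         10.0.0.9:445           ESTABLISHED
  TCP    10.0.0.5:3389          10.0.80.12:51515       ESTABLISHED
  TCP    10.0.0.5:443           10.0.0.77:50122        ESTABLISHED
  TCP    10.0.0.5:49201         203.0.113.7:443        ESTABLISHED
  TCP    10.0.0.5:49210         198.51.100.20:8080     TIME_WAIT
  TCP    [::1]:49300            [::1]:80               ESTABLISHED
  UDP    0.0.0.0:443            *:*
"""

def split_endpoint(endpoint):
    """Split '10.0.0.5:443' or '[::1]:443' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def outbound_web(netstat_text, ports=WEB_PORTS):
    """Return sorted unique remote endpoints of TCP connections to web ports."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows TCP rows have four columns: Proto, Local, Foreign, State.
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        _, _local, remote, state = fields
        if state == "LISTENING":
            continue  # a local service on port 80 is not outbound access
        host, port = split_endpoint(remote)
        if not port.isdigit() or int(port) not in ports:
            continue  # compare the remote port exactly, not as a substring
        try:
            if ipaddress.ip_address(host.split("%")[0]).is_loopback:
                continue  # ignore traffic that never leaves the machine
        except ValueError:
            continue  # unparsable address column, skip the row
        hits.add(remote)
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(outbound_web(SAMPLE)))
```

Writing the returned list to the monitored file means the file changes only when the set of web destinations changes.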
