Folks,
Thanks for the input. I am now successfully monitoring for outbound internet
access on servers where humans should not be doing that. Here is the config I
ended up using:

In the local Windows Agent ossec.conf file:

    <localfile>
      <log_format>command</log_format>
      <command>netstat -an | findstr ":80 :443 " | findstr TCP</command>
    </localfile>

In the OSSEC server local_rules.xml file:

    </group> <!-- SYSLOG,LOCAL -->

    <group name="local">
      <rule id="140123" level="7" ignore="7200">
        <if_sid>530</if_sid>
        <!-- the match string must be the exact command configured on the agent -->
        <match>ossec: output: 'netstat -an | findstr ":80 :443 " | findstr TCP'</match>
        <check_diff />
        <description>Outbound Internet Access Detected</description>
      </rule>
    </group>
Cheers,
Mike
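Added example, not part of Mike's post or of OSSEC itself: the detection logic of the rule above rebuilt in Python so it can be exercised offline against constructed `netstat -an` output. It assumes the agent reports command output as `ossec: output: '<command>': <output>` lines and that Windows `netstat -an` prints TCP rows as `TCP <local>:<port> <foreign>:<port> <STATE>`. It mimics both the `findstr` filter (which, because `findstr` splits the quoted string on spaces into substring patterns, also hits local listeners on port 80 and ports such as 8080) and a stricter parse that keys on the foreign port, plus the `<check_diff />` behaviour of alerting only when the output changes between runs. All sample data is constructed.

```python
import re
from typing import List, Optional, Set, Tuple

Conn = Tuple[str, int, str]   # (foreign_ip, foreign_port, state)

WEB_PORTS = {80, 443}
# Assumed Windows netstat row layout: TCP <local>:<port> <foreign>:<port> <STATE>
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
# Assumed OSSEC agent command-output line: ossec: output: '<command>': <output>
COMMAND_LINE = re.compile(r"^ossec: output: '(?P<command>[^']*)': (?P<output>.*)$")

# Constructed `netstat -an` output from a server that also runs a local web listener.
SNAPSHOT_1 = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49722         10.0.0.9:445           ESTABLISHED
  TCP    10.0.0.5:49750         10.0.0.9:8080          ESTABLISHED
"""
# Same host a run later, now with a real outbound HTTPS connection (constructed).
SNAPSHOT_2 = SNAPSHOT_1 + "  TCP    10.0.0.5:49801         203.0.113.20:443       ESTABLISHED\n"

# Constructed agent log line as the server-side rule would see it.
LOG_LINE = ("ossec: output: 'netstat -an | findstr \":80 :443 \" | findstr TCP': "
            "TCP    10.0.0.5:49801         203.0.113.20:443       ESTABLISHED")


def findstr_like(output: str) -> List[str]:
    """Mimic `findstr ":80 :443 " | findstr TCP`: any line containing the substring
    ':80' or ':443' and the word TCP. Note this also matches the local listener
    0.0.0.0:80 and the connection to port 8080, which are not outbound web traffic."""
    return [ln for ln in output.splitlines()
            if (":80" in ln or ":443" in ln) and "TCP" in ln]


def outbound_web_connections(output: str) -> Set[Conn]:
    """Stricter parse: only TCP rows whose *foreign* port is exactly 80 or 443."""
    found: Set[Conn] = set()
    for ln in output.splitlines():
        m = TCP_ROW.match(ln)
        if not m:
            continue
        foreign_ip, foreign_port, state = m.group(3), int(m.group(4)), m.group(5)
        if foreign_port in WEB_PORTS:
            found.add((foreign_ip, foreign_port, state))
    return found


def parse_command_log(line: str) -> Optional[Tuple[str, str]]:
    """Split an agent command-output log line into (command, output); None otherwise."""
    m = COMMAND_LINE.match(line)
    return (m.group("command"), m.group("output")) if m else None


def rule_matches(line: str, expected_command: str) -> bool:
    """Equivalent of the rule's <match>: the logged command is the one we configured."""
    parsed = parse_command_log(line)
    return parsed is not None and parsed[0] == expected_command


def check_diff(previous: str, current: str) -> bool:
    """What <check_diff /> does: alert only when the output differs from the last run."""
    return previous != current


def new_connections(previous: str, current: str) -> Set[Conn]:
    """The connections an analyst actually wants out of a check_diff alert."""
    return outbound_web_connections(current) - outbound_web_connections(previous)


if __name__ == "__main__":
    print("findstr-style hits on snapshot 1:", findstr_like(SNAPSHOT_1))
    print("strict outbound web on snapshot 1:", outbound_web_connections(SNAPSHOT_1))
    print("output changed:", check_diff(SNAPSHOT_1, SNAPSHOT_2))
    print("new outbound web connections:", new_connections(SNAPSHOT_1, SNAPSHOT_2))
```

Running it shows the difference between the two filters: the `findstr` approximation flags two rows of the first snapshot (the local :80 listener and the :8080 connection) even though no outbound web connection exists, while the foreign-port parse reports nothing until the 203.0.113.20:443 connection appears in the second snapshot. With `<check_diff />` the rule only fires on the transition, and the `ignore="7200"` attribute then suppresses repeats for two hours.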