Success = time for beer. Thanks for sharing the config.

--Phil

On Feb 17, 2012 11:24 AM, "Mike Disley" <[email protected]> wrote:
> Folks,
> Thanks for the input. I am now successfully monitoring for outbound
> internet access on servers where humans should not be doing that. Here is
> the config I ended up using;
>
> In the local Windows Agent ossec.conf file;
>
> <localfile>
> <log_format>command</log_format>
> <command>netstat -an | findstr ":80 :443 " | findstr TCP</command>
> </localfile>
>
> In the OSSEC server local_rules.xml file;
>
> </group> <!-- SYSLOG,LOCAL -->
> <group name="local">
> <rule id="140123" level="7" ignore="7200">
> <if_sid>530</if_sid>
> <match>ossec: output: 'netstat -an | findstr ":80 :443 " | findstr TCP'</match>
> <check_diff />
> <description>Outbound Internet Access Detected</description>
> </rule>
> </group>
>
> Cheers,
> Mike
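As an added illustration (not part of the thread and not OSSEC code), the script below runs the two halves of Mike's detection over a constructed `netstat -an` sample: the `findstr ":80 :443 "` substring filter as `findstr` actually applies it (two separate search strings, `:80` and `:443`, each matched anywhere in the line, so a local listener on port 80 and a peer on port 8080 also pass), a column-aware filter that keys on the *foreign* port, an emulation of `<check_diff />` that only reports when the filtered output changes between runs, and a check of why the rule's `<match>` prefix must agree with the `<command>` text. The `ossec: output: '<command>':` log prefix is taken from the rule on the page; the sample addresses, the `WEB_PORTS` set and all function names are this example's own assumptions.

```python
import re

# Constructed sample of `netstat -an` output from a Windows host (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         10.0.0.9:8080          ESTABLISHED
  TCP    10.0.0.5:49180         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:49181         198.51.100.7:80        TIME_WAIT
  UDP    0.0.0.0:443            *:*
"""

# Ports treated as "outbound web" for this example (assumption, mirrors the findstr arguments).
WEB_PORTS = {80, 443}

# Proto, local addr, local port, foreign addr, foreign port (or '*'), optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")


def findstr_filter(text):
    """Mimic `netstat -an | findstr ":80 :443 " | findstr TCP`.

    findstr treats the space-separated ":80 :443" as two independent search
    strings, each a plain substring match, so ":8080" and local listeners on
    port 80 pass as well.
    """
    return [
        line.strip()
        for line in text.splitlines()
        if (":80" in line or ":443" in line) and "TCP" in line
    ]


def precise_filter(text):
    """Keep only TCP sockets whose *foreign* port is a web port and that are not listeners."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers and blank lines
        proto, _laddr, _lport, faddr, fport, state = m.groups()
        if proto != "TCP" or fport == "*":
            continue
        if int(fport) in WEB_PORTS and state != "LISTENING":
            hits.append(f"{faddr}:{fport} {state}")
    return hits


class DiffAlerter:
    """Emulate <check_diff />: report only when the command output differs from the last run.

    This emulation treats the first run as a change (baseline established and reported);
    whether OSSEC itself alerts on the very first snapshot is not asserted here.
    """

    def __init__(self):
        self._last = None

    def feed(self, output_lines):
        snapshot = "\n".join(output_lines)
        changed = snapshot != self._last
        self._last = snapshot
        return changed


# The command exactly as configured in <command> on the agent.
COMMAND = 'netstat -an | findstr ":80 :443 " | findstr TCP'


def ossec_command_log(command):
    """Build the log header the server sees for command output (format as shown in the rule on the page)."""
    return f"ossec: output: '{command}':"


def rule_matches(log_line, match_text):
    """OSSEC <match> is a plain substring test against the log line."""
    return match_text in log_line


if __name__ == "__main__":
    print("findstr-style hits:", findstr_filter(SAMPLE_NETSTAT))
    print("foreign-port hits: ", precise_filter(SAMPLE_NETSTAT))
    alerter = DiffAlerter()
    for run in range(2):
        print("run", run, "changed:", alerter.feed(precise_filter(SAMPLE_NETSTAT)))
    log = ossec_command_log(COMMAND)
    print("match with ':80' only:", rule_matches(log, "ossec: output: 'netstat -an | findstr \":80\" | findstr TCP"))
    print("match with full text: ", rule_matches(log, f"ossec: output: '{COMMAND}'"))
```

The last two checks are the reason the `<match>` text has to carry the same `":80 :443 "` as the `<command>`: OSSEC compares substrings, so a `<match>` written for `findstr ":80"` never fires on output headed `'netstat -an | findstr ":80 :443 " | findstr TCP'`. The column-aware filter is what you would move toward if the `findstr` version starts alerting on local listeners or on high ports that merely contain `80`.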
