[Logcheck-users] Rule question for port 80 - outgoing

Denis Dimick dgdimick at gmail.com
Thu Nov 1 21:45:13 UTC 2007


I'm trying now to write a rule that will filter out all outgoing port 80
requests from users.

How do I make a list of the variables I'd like to search for?

XXX.XXX.XXX.XXX,80 PR tcp len 20 52 -AF IN
XXX.XXX.XXX.XXX,80 PR tcp len 20 52 -AR IN
XXX.XXX.XXX.XXX,80 PR tcp len 20 52 -S K-S IN

The AR, AF and S-K are the three I'd like to search for.

Here's a bit of code I've got running for the K-S.

[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},80 PR tcp len [0-9]{2} [0-9]{2} -S K-S IN$


Thanks,

Denis
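An added example (not part of Denis's post or of the logcheck project): the three flag variants from the question collected into one extended regex with an alternation group, tried against constructed sample lines with `grep -E`, the same regex flavour logcheck feeds to egrep. The addresses, the `gw kernel:` syslog prefix and the non-matching port 443 and `-PA` lines are made up for the test; the rule itself is the one from the post, left unanchored on the left so it matches whether or not a syslog prefix precedes the firewall text.

```shell
#!/bin/sh
# Constructed sample log lines (placeholder 192.0.2.x addresses).
# Lines 1-4 should be dropped by the rule; lines 5-6 should survive it.
SAMPLE_LOG='192.0.2.10,80 PR tcp len 20 52 -AF IN
192.0.2.10,80 PR tcp len 20 52 -AR IN
192.0.2.10,80 PR tcp len 20 52 -S K-S IN
Nov  1 21:45:13 gw kernel: 192.0.2.11,80 PR tcp len 20 52 -AR IN
192.0.2.10,443 PR tcp len 20 52 -AF IN
192.0.2.10,80 PR tcp len 20 52 -PA IN'

# One logcheck-style ignore rule: the three wanted flag variants sit in an
# alternation group (AF|AR|S K-S) instead of needing three separate rules.
RULE='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3},80 PR tcp len [0-9]{2} [0-9]{2} -(AF|AR|S K-S) IN$'

# Lines the rule matches: these are what logcheck would filter out.
matched_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "$RULE"
}

# Lines the rule does not match: these are what logcheck would still report.
unmatched_lines() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -v "$RULE"
}

# Counts, so the effect of the rule can be checked rather than eyeballed.
count_matched() { matched_lines | wc -l | tr -d ' '; }
count_unmatched() { unmatched_lines | wc -l | tr -d ' '; }

echo "Dropped by rule:"
matched_lines
echo "Still reported:"
unmatched_lines
```

Put the `RULE` line into a file under `/etc/logcheck/ignore.d.server/` to use it for real; testing it with `grep -E` against a copy of the log first shows exactly which lines it would silence and, more importantly, which it would not (here the port 443 and `-PA` lines).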