<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body>
<p>On 03-01-2017 11:15, Alessandro Tinivelli wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">
<div class="WordSection1">
<p class="MsoNormal"><span>Hi all, I was trying to set up an alert when a server has established SSH connections with a “foreign” remote IP (i.e. not beginning with 192.168).</span></p>
<p class="MsoNormal"><span>HOST=host01</span></p>
<p class="MsoNormal"><span>        PORT "LOCAL=%([.:]22)$" "REMOTE=%^(?!(192\.168)).+" state=ESTABLISHED MAX=0 COLOR=red TRACK=SSH_fconn "TEXT=SSH foreign connections"</span></p>
</div>
</blockquote>
<div class="WordSection1">
<p class="MsoNormal"><span>Neat, I like that :-)</span></p>
<p class="MsoNormal"><span>Regards,<br />Henrik</span></p>
</div>
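<p>An added example, not part of the original thread: the rule's three conditions (LOCAL, REMOTE, state) modelled in Python over constructed netstat-style lines, to show which connections the negative lookahead counts as foreign, including other private ranges and IPv4-mapped IPv6 addresses. It assumes Python's re in place of Xymon's PCRE matching, a six-column netstat layout, an exact match on the state, and that exceeding MAX is what raises the alert; the function names are hypothetical.</p>

```python
import re

# The two patterns from the PORT rule in the quoted message. The leading "%"
# in the Xymon config only marks the value as a regex, so it is dropped here.
LOCAL_RE = re.compile(r"([.:]22)$")
REMOTE_RE = re.compile(r"^(?!(192\.168)).+")
MAX_ALLOWED = 0  # MAX=0 in the rule

# Constructed netstat-style lines (private and documentation addresses only).
SAMPLE_NETSTAT = """\
tcp   0   0 192.168.1.10:22        192.168.1.50:51234        ESTABLISHED
tcp   0   0 192.168.1.10:22        203.0.113.7:40022         ESTABLISHED
tcp   0   0 192.168.1.10:22        10.0.0.5:50100            ESTABLISHED
tcp   0   0 192.168.1.10:2222      198.51.100.9:40100        ESTABLISHED
tcp   0   0 192.168.1.10:22        198.51.100.9:40101        TIME_WAIT
tcp   0   0 0.0.0.0:22             0.0.0.0:*                 LISTEN
tcp6  0   0 ::ffff:192.168.1.10:22 ::ffff:192.168.1.60:50200 ESTABLISHED
"""

def foreign_ssh_connections(netstat_text):
    """Return (local, remote) pairs selected by all three rule conditions."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # not a proto/recvq/sendq/local/remote/state line
        local, remote, state = fields[3], fields[4], fields[5]
        if (state == "ESTABLISHED"
                and LOCAL_RE.search(local)
                and REMOTE_RE.search(remote)):
            hits.append((local, remote))
    return hits

def rule_color(netstat_text):
    """'red' (the rule's COLOR) when more than MAX_ALLOWED lines match."""
    count = len(foreign_ssh_connections(netstat_text))
    return "red" if count > MAX_ALLOWED else "ok"

if __name__ == "__main__":
    for local, remote in foreign_ssh_connections(SAMPLE_NETSTAT):
        print(f"{local:24} from {remote}")
    print("status:", rule_color(SAMPLE_NETSTAT))
```

<p>In this model the 10.0.0.5 peer and the ::ffff:192.168.1.60 peer are both counted as foreign, because neither remote address string begins with 192.168.</p>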
</body></html>