Hello,
I'm trying to create an alert that will go out every time a single user visits 5 blocked websites in 1 minute, but I'm having some trouble with it. I've included a sample event.
Jul 20 11:09:04 xx.xx.xx.xx Jul 20 11:11:41 xx.xx.xx.xx vendor=Websense product=Security product_version=7.8.4 action=blocked severity=7 category=115 user=LDAP://xx.xx.xx.xx OU=xx,OU=xx,OU=xx,DC=xx,DC=xx,DC=xx/$username src_host=xx.xx.xx.xx src_port=0 dst_host=thepiratebay.se dst_ip=xx.xx.xx.xx dst_port=80 bytes_out=0 bytes_in=0 http_response=0 http_method=- http_content_type=- http_user_agent=- http_proxy_status_code=0 reason=- disposition=1025 policy=- role=0 duration=0 url=http://thepiratebay.se/
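One way to prototype the same detection outside the search head, as an added example that is not from the original post or from Websense: a small Python script that parses lines in the format shown above, keeps a 60-second sliding window per user, and flags a user once five distinct blocked `dst_host` values fall inside that window. The sample lines, host names, addresses and user DNs are constructed; the year is an assumption because syslog timestamps carry none, and the timestamp used is the one directly before `vendor=` (the device's own, not the relay's).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # distinct blocked sites that trigger the alert
WINDOW = timedelta(minutes=1)  # sliding window length
ASSUMED_YEAR = 2015            # assumption: syslog timestamps carry no year

# The device's own timestamp sits directly before "vendor="; the earlier one is the relay's.
TS_RE = re.compile(r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ vendor=")
# The user value is an LDAP DN containing spaces and '=', so a generic key=value
# split would cut it apart; it is delimited by its neighbouring fields instead.
USER_RE = re.compile(r"\buser=(.*?) src_host=")
ACTION_RE = re.compile(r"\baction=(\S+)")
DST_RE = re.compile(r"\bdst_host=(\S+)")


def parse_event(line):
    """Return (timestamp, user, dst_host, action), or None for lines in another format."""
    parts = [r.search(line) for r in (TS_RE, USER_RE, DST_RE, ACTION_RE)]
    if not all(parts):
        return None
    when = datetime.strptime(f"{ASSUMED_YEAR} {parts[0].group(1)}", "%Y %b %d %H:%M:%S")
    return when, parts[1].group(1), parts[2].group(1), parts[3].group(1)


def find_alerts(lines):
    """Return [(user, window_start, [sites])] for users who reached THRESHOLD distinct
    blocked destinations inside any WINDOW-long span; at most one alert per user."""
    per_user = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        if event and event[3] == "blocked":          # only blocked requests count
            per_user[event[1]].append((event[0], event[2]))

    alerts = []
    for user, events in per_user.items():
        events.sort()                     # log lines may arrive out of order
        in_window = Counter()             # host -> hits currently inside the window
        left = 0
        for when, host in events:
            in_window[host] += 1
            while events[left][0] <= when - WINDOW:   # evict events older than 60 s
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= THRESHOLD:
                alerts.append((user, events[left][0], sorted(in_window)))
                break
    return alerts


def sample_line(clock, user, host, action="blocked"):
    """Build a constructed Websense-style line in the layout from the question."""
    return (f"Jul 20 {clock} 10.0.0.1 Jul 20 {clock} 10.0.0.2 vendor=Websense product=Security "
            f"product_version=7.8.4 action={action} severity=7 category=115 "
            f"user=LDAP://10.0.0.3 OU=Users,DC=example,DC=com/{user} src_host=10.0.0.4 "
            f"src_port=0 dst_host={host} dst_ip=10.0.0.5 dst_port=80 url=http://{host}/")


# Constructed sample: alice hits five distinct blocked sites within 46 seconds (one repeat,
# one permitted request that must be ignored); bob hits five, but 50 seconds apart.
SAMPLE_LOGS = [
    sample_line("11:09:04", "alice", "site1.example"),
    sample_line("11:09:10", "alice", "site2.example"),
    sample_line("11:09:15", "alice", "site1.example"),              # repeat, not a new site
    sample_line("11:09:20", "alice", "site3.example", "permitted"), # not blocked, ignored
    sample_line("11:09:30", "alice", "site3.example"),
    sample_line("11:09:40", "alice", "site4.example"),
    sample_line("11:09:50", "alice", "site5.example"),
    sample_line("11:10:00", "bob", "site1.example"),
    sample_line("11:10:50", "bob", "site2.example"),
    sample_line("11:11:40", "bob", "site3.example"),
    sample_line("11:12:30", "bob", "site4.example"),
    sample_line("11:13:20", "bob", "site5.example"),
]

if __name__ == "__main__":
    for user, start, sites in find_alerts(SAMPLE_LOGS):
        print(f"ALERT {user} from {start:%H:%M:%S}: {', '.join(sites)}")
```

The sliding window is the point of the script: a search that bins events into fixed one-minute buckets (in Splunk, `... action=blocked | bin _time span=1m | stats dc(dst_host) AS sites BY user, _time | where sites>=5`) will miss a burst that straddles a minute boundary, while the window above catches any 60-second span. The user value is extracted by its neighbouring fields because its LDAP DN contains both spaces and `=` characters, which is the most likely reason automatic field extraction on this format produces a truncated `user`.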