Hi all, I was trying to setup an alert when a server has established SSH connections with a "foreign" remote IP (i.e. not beginning with 192.168). It seem to be working so I'm posting, it maybe it's useful for someone. Any comment or correction will be appreciated.

P.S.: change host name and the regex accordingly with your ip addressing

HOST=host01 PORT "LOCAL=%([.:]22)$" "REMOTE=%^(?!(192\.168)).+" state=ESTABLISHED MAX=0 COLOR=red TRACK=SSH_fconn "TEXT=SSH foreign connections"

P.P.S.: very useful site for composing regexp https://regex101.com/ :)