Hi, I'm trying to catch all events of any net sniffers aka tcpdump, snoop, ethereal... I think I managed to make a rule that will do that: -a entry,always -S socketcall -F euid=0 -F a0=3 I've played around and I think it does the trick. Do you see any problems with this rule? The problem I'm trying to solve now is how to get a daily report of all such events. I was trying to filter it on ausearch -m SYSCALL -sc socketcall -ue 0 but I get all possilble sshd,ftpd and the bunch as well.. I could do post processing with a whitelist and ignore all I know are ok, but it would be much nicer if I could get the search a bit narrower in the first place. Any ideas? Thanks Jure