Hi Harry,
Something is wrong. It looks to me like ossec is reading your snort logs as syslog. Can you show us your /var/ossec/etc/ossec.conf file? You need to make sure that the "log_format" is set to snort-full for this log. It needs to be:

    <localfile>
      <log_format>snort-full</log_format>
      <location>/var/log/snort/alert</location>
    </localfile>

Let us know if it fixes the problem.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/4/06, Harry Wearne <[EMAIL PROTECTED]> wrote:
I keep getting alerts generated by Rule 1002 from my Snort logs:

Section from /var/ossec/logs/alerts/alerts.log (anonymised):

    ** Alert 1159947985.812: mail
    2006 Oct 04 07:46:25 localhost->/var/log/snort/alert
    Rule: 1002 (level 7) -> 'Unknown problem somewhere in the system.'
    Src IP: (none)
    User: (none)
    [Classification: Misc Attack] [Priority: 2]

Section from snort log (anonymised):

    [**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**]
    [Classification: Misc Attack] [Priority: 2]
    10/04-07:46:24.121366 127.0.0.1:1062 -> 127.0.0.2:1434
    UDP TTL:116 TOS:0x0 ID:4340 IpLen:20 DgmLen:404
    Len: 376
    [Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref => http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref => http://www.securityfocus.com/bid/5311][Xref => http://www.securityfocus.com/bid/5310]

The $BAD_WORDS variable in syslog_rules.xml includes 'attack', which is matched by 'Attack' in the snort alert when checked with syslog rule 1002. Is it possible to exclude the snort logs from rule 1002?
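To check the point Daniel makes (a snort alert file declared with the wrong log_format is decoded as generic syslog, so the syslog rule 1002 $BAD_WORDS match fires on the word "Attack"), here is an added Python example; it is not part of the thread and not OSSEC's own code. It parses a constructed ossec.conf fragment, flags any <localfile> whose location looks like a snort alert file (assumed heuristic: the path contains "/snort/") but whose log_format is not snort-full, and reproduces the case-insensitive bad-word hit on the sample alert line. Only "attack" is taken from the thread for $BAD_WORDS; the real variable in syslog_rules.xml carries more words.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf fragment (not the poster's real file).
# The first <localfile> is the misconfiguration Daniel describes (snort file
# read as syslog); the second is the corrected form from his reply.
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""

# Constructed: only 'attack' comes from the thread; the real $BAD_WORDS
# variable in syslog_rules.xml lists additional words.
BAD_WORDS = ["attack"]

# The (anonymised) snort alert header line quoted in the thread.
SNORT_ALERT_LINE = ("[**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**] "
                    "[Classification: Misc Attack] [Priority: 2]")


def parse_localfiles(conf_text):
    """Return a list of (location, log_format) tuples for every <localfile>.

    ossec.conf commonly holds several top-level <ossec_config> elements, which
    is not well-formed XML by itself, so wrap the text in a synthetic root.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    entries = []
    for lf in root.iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        loc = (lf.findtext("location") or "").strip()
        entries.append((loc, fmt))
    return entries


def find_misconfigured_snort_entries(entries):
    """Snort alert files (assumed heuristic: '/snort/' in the path) that are
    not declared as snort-full and will therefore be decoded as syslog."""
    return [(loc, fmt) for loc, fmt in entries
            if "/snort/" in loc and fmt != "snort-full"]


def bad_words_hits(line, words=BAD_WORDS):
    """Case-insensitive search, the way 'Attack' matched 'attack' in the thread."""
    return [w for w in words if re.search(re.escape(w), line, re.IGNORECASE)]


if __name__ == "__main__":
    entries = parse_localfiles(SAMPLE_OSSEC_CONF)
    for loc, fmt in find_misconfigured_snort_entries(entries):
        print(f"{loc}: log_format is '{fmt}', expected 'snort-full'")
    print("bad-word hits on sample alert:", bad_words_hits(SNORT_ALERT_LINE))
```

Run against a real /var/ossec/etc/ossec.conf by reading the file into parse_localfiles; an empty result from find_misconfigured_snort_entries means every snort alert file is declared the way Daniel's reply shows.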
