I switched formats to snort-full and the false positives have gone away. Thanks for the help.
On 06/10/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
It does attempt... It checks the beginning of the file for the
snort-full or fast format.
Can you show me the beginning of your alert file? Did you switch alert
methods, btw?
Thanks,
Daniel
On 10/4/06, Harry Wearne <[EMAIL PROTECTED]> wrote:
> The entry in my ossec.conf file says:
>
> <localfile>
> <log_format>snort-fast</log_format>
> <location>/var/log/snort/alert</location>
> </localfile>
>
> I'll change it to snort-full and see if that fixes it.
>
> The snort log entry was added automatically on installing 0.9.1a (now
> upgraded to 0.9.2) - does the installation system attempt to auto-detect log
> types?
>
>
> On 04/10/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > Something is wrong. It looks to me like ossec is reading your
> > snort logs as syslog. Can you show us your /var/ossec/etc/ossec.conf
> > file? You need to make sure that the "log_format" is set to snort-full
> > for this log.
> > It needs to be:
> >
> > <localfile>
> > <log_format>snort-full</log_format>
> > <location>/var/log/snort/alert</location>
> > </localfile>
>
>
>
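The thread turns on whether the file at /var/log/snort/alert is in Snort's "full" or "fast" alert format, and Daniel notes that OSSEC checks the beginning of the file to tell them apart. The following is an added example, not OSSEC's own detection code and not written by either poster: it inspects the first non-blank lines of an alert file with two small regular expressions (this example's own approximation of the two formats), returns the matching log_format value, and renders the <localfile> stanza shown in the thread. The sample alert and syslog lines are constructed for the example.

```python
"""
Added example (not OSSEC project code): guess whether a Snort alert file is
in "snort-full" or "snort-fast" format from its first lines, then emit the
matching <localfile> block for ossec.conf. The regular expressions are this
example's assumption about the two formats, not OSSEC's parser.
"""
import re
from typing import Optional

# Snort "fast" alerts are one line each and start with a timestamp:
#   10/04/06-12:34:56.789012  [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_RE = re.compile(
    r"^\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+\s+\[\*\*\]\s+\[\d+:\d+:\d+\]"
)

# Snort "full" alerts span several lines; the record opens with the signature
# header and the timestamp only appears on a later line.
FULL_RE = re.compile(r"^\[\*\*\]\s+\[\d+:\d+:\d+\]")

# Constructed sample: two snort-fast lines.
SAMPLE_FAST = """\
10/04/06-12:34:56.789012  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.0.0.5:1434 -> 10.0.0.9:1434
10/04/06-12:35:01.000123  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.0.0.7:1900 -> 239.255.255.250:1900
"""

# Constructed sample: one snort-full record.
SAMPLE_FULL = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
10/04/06-12:34:56.789012 10.0.0.5:1434 -> 10.0.0.9:1434
UDP TTL:128 TOS:0x0 ID:123 IpLen:20 DgmLen:404
Len: 376

"""

# Constructed sample: a syslog-style line, i.e. not a Snort alert file at all.
SAMPLE_SYSLOG = "Oct  4 12:34:56 sensor snort[4242]: Initializing daemon mode\n"


def detect_snort_format(text: str, max_lines: int = 20) -> Optional[str]:
    """Return 'snort-full', 'snort-fast', or None if the head matches neither.

    Only the first non-blank line within max_lines is inspected, so a large
    alert file never has to be read in full.
    """
    for line in text.splitlines()[:max_lines]:
        if not line.strip():
            continue
        if FAST_RE.match(line):
            return "snort-fast"
        if FULL_RE.match(line):
            return "snort-full"
        # First real line is something else (syslog, garbage): do not guess.
        return None
    return None


def localfile_block(path: str, log_format: str) -> str:
    """Render the <localfile> stanza in the shape the thread shows."""
    return (
        "<localfile>\n"
        f"  <log_format>{log_format}</log_format>\n"
        f"  <location>{path}</location>\n"
        "</localfile>"
    )


def suggest_localfile(path: str, head: str) -> str:
    """Detect the format of an alert file's head and emit its stanza."""
    fmt = detect_snort_format(head)
    if fmt is None:
        raise ValueError(f"{path}: not recognised as snort-full or snort-fast")
    return localfile_block(path, fmt)


if __name__ == "__main__":
    # Typical use would read the head of /var/log/snort/alert; the sample
    # stands in for it here so the script runs offline.
    print(suggest_localfile("/var/log/snort/alert", SAMPLE_FULL))
```

A mismatch between the configured log_format and the file's real layout is exactly the symptom in the thread: a snort-full file read as snort-fast (or as syslog) decodes into malformed events and spurious alerts, so checking the head of the file before writing the stanza is a cheap sanity check.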
