These are the log messages that are giving me the "bad formatted" message; it seems like the lack of a Classification entry on the Priority line is causing the issue. Is there something I can do to remedy this on the snort side?
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3]
09/06-12:38:49.408268 74.230.55.39:50557 -> 172.19.255.3:80
TCP TTL:113 TOS:0x0 ID:63541 IpLen:20 DgmLen:1400 DF
***A**** Seq: 0x7F99D7C5  Ack: 0x57936D25  Win: 0x4A60  TcpLen: 20

On Aug 31, 1:03 pm, "Zachary Roetemeyer" <[EMAIL PROTECTED]> wrote:
> I am launching two instances of snort with the following commands:
>
> /usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D
> /usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D
>
> I have this in my ossec.conf file with ossec running in agent mode on
> my snort sensor:
> <localfile>
> <log_format>snort-full</log_format>
> <location>/var/log/snort/alert</location>
> </localfile>
>
> This is what I get in my ossec.log:
> 2007/08/31 11:23:51 ossec-logcollector: Started (pid: 5249).
> 2007/08/31 11:30:13 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 11:44:51 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:06:55 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:15:53 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:17:31 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:17:57 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:18:39 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:19:29 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:21:09 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:21:35 ossec-logcollector: Bad formated snort full file.
> 2007/08/31 12:22:21 ossec-logcollector(1904): File not available,
> ignoring it: '/var/log/snort/alert'.
>
> After which I stop getting any alerts from ossec on the snort events.
> Does anyone have any ideas as to why this may be happening (if there
> was a previous discussion about this issue please let me know...and
> point me at it).
>
> I'm using ossec 1.3 with snort 2.7.0.1.
>
> --
> Zac Roetemeyer
> [EMAIL PROTECTED]
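Added example (editor's addition, not part of the thread and not OSSEC's logcollector code): a small Python checker that splits a Snort `-A full` alert file into records and flags the ones whose second line carries no `[Classification: ...]` field, which is what the reply above suspects is tripping the snort-full parser. It only reports what each record looks like; it makes no claim about how OSSEC itself handles the field. The sample input is constructed: the first record copies the alert quoted above, the second is a made-up record with a classification, using the documentation address 198.51.100.7 and a local-rule SID (1000001).

```python
import re
import sys
from typing import Dict, List

# Constructed sample input. Record 1 reproduces the alert quoted in the
# thread (Priority only, no Classification). Record 2 is made up for the
# example: documentation address 198.51.100.7 and local-rule SID 1000001.
SAMPLE_ALERT_FILE = """\
[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
[Priority: 3]
09/06-12:38:49.408268 74.230.55.39:50557 -> 172.19.255.3:80
TCP TTL:113 TOS:0x0 ID:63541 IpLen:20 DgmLen:1400 DF
***A**** Seq: 0x7F99D7C5  Ack: 0x57936D25  Win: 0x4A60  TcpLen: 20

[**] [1:1000001:1] LOCAL example rule with classtype [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/06-12:40:01.000000 198.51.100.7:41222 -> 172.19.255.3:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x1  Ack: 0x2  Win: 0x10  TcpLen: 20
"""

# Layout of a Snort full-format record as shown in the thread:
#   line 1: [**] [gid:sid:rev] message [**]
#   line 2: [Classification: text] (optional) followed by [Priority: n]
#   line 3: MM/DD-HH:MM:SS.usec src:port -> dst:port
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"\[Classification: ([^\]]*)\]")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")


def split_records(text: str) -> List[List[str]]:
    """Split an alert file into records; records are blank-line separated."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.strip():
            current.append(line.rstrip())
        elif current:
            records.append(current)
            current = []
    if current:
        records.append(current)
    return records


def parse_record(lines: List[str]) -> Dict[str, object]:
    """Parse one record; 'problems' lists every deviation from the layout."""
    problems: List[str] = []
    rec: Dict[str, object] = {"problems": problems}

    header = HEADER_RE.match(lines[0]) if lines else None
    if header is None:
        problems.append("missing [**] header line")
        return rec
    rec["gid"], rec["sid"], rec["rev"] = (int(x) for x in header.groups()[:3])
    rec["msg"] = header.group(4)

    # Second line: Classification is optional in practice, Priority expected.
    meta = lines[1] if len(lines) > 1 else ""
    cls = CLASS_RE.search(meta)
    prio = PRIO_RE.search(meta)
    rec["classification"] = cls.group(1) if cls else None
    rec["priority"] = int(prio.group(1)) if prio else None
    if cls is None:
        problems.append("no Classification field")
    if prio is None:
        problems.append("no Priority field")

    # Third line: timestamp and flow.
    flow = FLOW_RE.match(lines[2]) if len(lines) > 2 else None
    if flow is None:
        problems.append("no timestamp/flow line")
    else:
        rec["timestamp"], rec["src"], rec["dst"] = flow.groups()
    return rec


def parse_alert_file(text: str) -> List[Dict[str, object]]:
    return [parse_record(r) for r in split_records(text)]


def records_missing_classification(text: str) -> List[str]:
    """Return 'gid:sid:rev' tags of records that have no Classification."""
    return [
        f"{r['gid']}:{r['sid']}:{r['rev']}"
        for r in parse_alert_file(text)
        if "gid" in r and r["classification"] is None
    ]


if __name__ == "__main__":
    # Usage: python check_snort_full.py [/var/log/snort/alert]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERT_FILE
    for r in parse_alert_file(source):
        tag = f"{r.get('gid')}:{r.get('sid')}:{r.get('rev')}"
        status = "ok" if not r["problems"] else "; ".join(r["problems"])
        print(f"{tag} class={r.get('classification')!r} prio={r.get('priority')} -> {status}")
```

Run it against the live alert file (`python check_snort_full.py /var/log/snort/alert`) to see which generator/rule IDs in your feed emit records without a Classification line; that list is what you would take to the rule or preprocessor configuration on the Snort side if the missing field turns out to be the cause.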
