Yo, I've followed this paper to make OSSEC block according to Snort logs: http://www.snort.org.br/arquivos/ossec-snort-activeresponse_pt-BR.pdf. But OSSEC is not reading the CSV output. No errors, it just doesn't show anything (the log is OK). Before, OSSEC showed Snort's normal logs, but not the IP. Is this behavior normal? "2008 Sep 21 11:29:50 Rule Id: 20101 <http://www.ossec.net/wiki/index.php/Rule:20101> level: 6 Location: xxx->/var/log/snort/alert IDS event. [**] [122:17:0] (portscan) UDP Portscan [**]"
I want active response to be triggered after Snort logs some alerts with level 6 (firewall block). Active response can be triggered after other events, like an SSH brute force, but how do I make it trigger on Snort alerts?
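Added example (not from the post or the linked paper): an ossec.conf fragment that reads the Snort alert file and binds the stock firewall-drop active response to the Snort rule ID and level quoted above. The log path, the 600-second timeout and the choice of rules_id over level are assumptions; note that firewall-drop only fires when the decoder extracted a srcip from the alert, which is why an alert that shows no IP never results in a block.

```xml
<ossec_config>
  <!-- Read the Snort alert file; snort-full is the OSSEC decoder for the
       full alert format (the file path is an assumption). -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

  <!-- Stock command shipped with OSSEC: firewall-drop.sh needs a decoded
       source IP (expect srcip), so alerts without an IP are not blocked. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Trigger on the Snort rule quoted in the post (rules_id 20101).
       Using level 6 instead would fire on every level-6 alert, Snort or
       not, so matching the rule ID is the narrower choice. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>20101</rules_id>
    <timeout>600</timeout>  <!-- unblock after 10 minutes (assumed) -->
  </active-response>
</ossec_config>
```

After restarting OSSEC, a matching alert records the block in /var/ossec/logs/active-responses.log, which is the first place to check when a response does not fire.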
