I think I found the problem. The problem is the alert format of Snort. Now it is in snort-full.
On Sep 21, 3:26 pm, "Adriano Bernardi" <[EMAIL PROTECTED]> wrote:
> Yo
> I've followed this paper to make OSSEC block according to Snort logs:
> http://www.snort.org.br/arquivos/ossec-snort-activeresponse_pt-BR.pdf
> But OSSEC is not reading the CSV output. No errors, it just doesn't show
> anything (the log is ok). Before, OSSEC showed the normal Snort logs, but not the
> IP. Is this behavior normal?
> "2008 Sep 21 11:29:50 Rule Id: 20101 (http://www.ossec.net/wiki/index.php/Rule:20101) level: 6
> Location: xxx->/var/log/snort/alert
> IDS event. [**] [122:17:0] (portscan) UDP Portscan [**]"
>
> I want active response to be triggered after Snort logs some alerts with
> level 6 -> (firewall block). Active response can be triggered after other
> events, like a brute force SSH, but how do I make it trigger on Snort alerts?
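An ossec.conf fragment for the setup discussed in this thread, added here as an example (it is not from the thread or from the linked PDF): Snort's alert file read in snort-full format, and the stock firewall-drop response bound to level 6. The 600-second timeout is an assumed choice; the command block is the default one OSSEC ships.

```xml
<ossec_config>
  <!-- Read Snort's alert file in full-alert format (not CSV), so the OSSEC
       snort-full decoder can extract the source IP the response needs.
       Path taken from the log line quoted in the thread. -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

  <!-- Default firewall-drop command. 'expect srcip' means the script only
       runs when the decoder actually extracted a source IP, which is why
       an alert format OSSEC cannot decode never produced a block. -->
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <!-- Block the source IP on this host for any alert of level 6 or higher,
       and lift the block after 600 seconds (assumed value). To restrict this
       to IDS events only, replace <level> with <rules_id>20101</rules_id>,
       the rule id shown in the quoted OSSEC alert. -->
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing ossec.conf, restart OSSEC and check that the Snort alert shows a decoded srcip field before expecting the firewall rule to appear.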
