I've recently started restructuring the wip-ossec-rules repository. I can't seem to settle on an organizational structure.
I haven't messed with those rules in a while; I haven't even had a chance to test them with bro-ids 1.5.3. The rules as written required bro-ids to alert via syslog; watching the individual bro-ids logs would be quite intensive, and not all of the formats were really easily parsed.

You should be able to copy the local_bro-ids_rules.xml file to /var/ossec/rules/ and add it to /var/ossec/etc/ossec.conf on the server. The bro-ids decoders are already in the default decoder.xml, so that's one less piece you need to put in place.

There aren't many bro-ids rules at the moment, so there's plenty of room to contribute... ;)

dan

On Fri, Apr 29, 2011 at 2:57 PM, Chuck Little <[email protected]> wrote:
> Has anyone implemented ossec to monitor Bro-IDS logs?
>
> I have the code from wip-ossec-rules
> (http://code.google.com/p/wip-ossec-rules/), but am unsure how to best
> implement.
>
> Any recommendations?
>
> Thanks!
>
> -Chuck (MdMonk)
>
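The install step described in the reply above (copy the rules file into /var/ossec/rules/ and register it in ossec.conf), as an added example that is not code from the thread, the wip-ossec-rules project, or OSSEC itself. It is a POSIX shell function that also checks that the bro-ids decoder is actually present in decoder.xml before copying, and that only adds the `<include>` once, so re-running it is safe. It assumes the OSSEC 2.x layout in which ossec.conf lists rule files as `<include>` elements inside the `<rules>` section; the function name `install_local_rules` and the optional base-directory argument are my own additions so the same function can be exercised against a scratch copy of the tree instead of a live /var/ossec.

```shell
#!/bin/sh
# Added example, not from wip-ossec-rules or OSSEC: install a local rules
# file into an OSSEC 2.x server tree and register it in ossec.conf.
#
# install_local_rules RULES_SRC [OSSEC_DIR]
#   Copies RULES_SRC into OSSEC_DIR/rules/ and adds
#   <include>basename</include> to the <rules> section of
#   OSSEC_DIR/etc/ossec.conf exactly once. OSSEC_DIR defaults to
#   /var/ossec; passing another directory is an assumption made here so
#   the function can be run against a throw-away copy of the tree.
install_local_rules() {
    src="$1"
    ossec_dir="${2:-/var/ossec}"
    name=$(basename "$src")
    conf="$ossec_dir/etc/ossec.conf"
    decoders="$ossec_dir/etc/decoder.xml"

    [ -r "$src" ]  || { echo "rules file not readable: $src" >&2; return 1; }
    [ -w "$conf" ] || { echo "cannot write $conf" >&2; return 1; }

    # A rules file is useless without its decoder. The bro-ids decoder ships
    # in the default decoder.xml of OSSEC 2.x, so its absence means a trimmed
    # or very old decoder set; warn rather than install rules that never fire.
    if ! grep -q 'name="bro-ids"' "$decoders" 2>/dev/null; then
        echo "warning: no bro-ids decoder found in $decoders" >&2
    fi

    cp "$src" "$ossec_dir/rules/$name" || return 1
    chmod 0660 "$ossec_dir/rules/$name"

    # Idempotent: if ossec.conf already includes this file, do nothing more.
    # A duplicate <include> would make ossec-analysisd load the rule IDs twice.
    if grep -q "<include>$name</include>" "$conf"; then
        return 0
    fi

    # Insert the include just before the first closing </rules> tag, i.e.
    # after every include already listed, so the local file loads last and
    # its rules can build on (if_sid / if_group) the ones defined before it.
    awk -v inc="    <include>$name</include>" '
        /<\/rules>/ && !done { print inc; done = 1 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Command-line use: install_local_rules.sh /path/to/local_bro-ids_rules.xml
if [ "$#" -gt 0 ]; then
    install_local_rules "$@"
fi
```

After the include is in place the server has to be restarted (`/var/ossec/bin/ossec-control restart`) before the new rules load, and, as the reply notes, bro-ids must be logging to syslog so that the events reach OSSEC through its existing syslog `<localfile>` entry.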
