On Thu, Dec 13, 2012 at 11:30 AM, Leonardo Pezente <[email protected]> wrote:
> I'm using the syslog output of Snort, so /var/log/syslog, and yes, OSSEC is
> watching there.
> They are Snort alerts, so something like this:
> snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected
> I have tried ossec-logtest, but it isn't showing anything.

This statement is too vague. Please provide an example.

> I have read somewhere that maybe I will have to create some OSSEC rules to
> match this, but I'm not sure how to do that.
>

It's possible, but the ossec-logtest information will help with that.

IIRC, there are some snort rules, but I doubt they do very much. There
are a lot of snort rules, so creating an OSSEC rule for each one would
be a daunting (and probably futile) task.

> 2012/12/13 dan (ddp) <[email protected]>
>
>> On Wed, Dec 12, 2012 at 1:56 PM, Leonardo Pezente <[email protected]>
>> wrote:
>> > I'm a noob at OSSEC, but I think it was a good idea to have it on my NIDS
>> > machine.
>> > It is already running, and now I want it to send an e-mail about any
>> > possible
>> > problem that it and my NIDS (Snort) detect, but I have no idea how to do
>> > that.
>> > I have Snort send alerts to my syslog, and I set syscheck to 1 hour.
>> > I have created an e-mail account just for that, and I have changed the
>> > global config to
>> > send e-mail.
>> > So, will it send e-mail every one hour, or do I have to do something
>> > more?
>>
>> Where is the snort syslog logging to? Is OSSEC watching that location?
>> What do the logs look like? Have you tried feeding them through
>> ossec-logtest?
>
>

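One way to write the OSSEC rule the thread talks about, so the quoted Snort decoder warning raises an alert (and an e-mail) instead of falling through silently. This is an added example for illustration, not a rule from the OSSEC shipped rule set or from anyone in this thread. Rule id 100100 (an id in the range OSSEC reserves for local rules), level 10, and the assumption that OSSEC's syslog pre-decoder already extracts program_name "snort" from the "snort[1705]:" prefix are my own choices:

```xml
<!-- local_rules.xml: added example rule, not part of the OSSEC shipped rules.
     Rule id 100100 is an assumed id in the 100000-119999 range reserved for
     local rules; level 10 is an assumed severity chosen so it is at or above
     the default email_alert_level of 7 in ossec.conf. -->
<group name="local,snort,">
  <rule id="100100" level="10">
    <!-- syslog pre-decoding sets program_name from the "snort[1705]:" prefix -->
    <program_name>^snort$</program_name>
    <!-- literal substring match against the message after the program name;
         this catches the (snort_decoder) WARNING lines, which do not have the
         [gid:sid:rev] signature id that normal Snort alert lines carry -->
    <match>(snort_decoder) WARNING: </match>
    <description>Snort decoder warning seen in syslog.</description>
    <!-- uncomment to mail this rule regardless of email_alert_level -->
    <!-- <options>alert_by_email</options> -->
    <group>ids,</group>
  </rule>
</group>
```

To check it, paste a full syslog line into /var/ossec/bin/ossec-logtest, for example the constructed line `Dec 13 11:30:00 nids snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected`, and confirm the output reports rule 100100 with its level. Mail is only sent when the rule level is at or above `<email_alert_level>` under `<alerts>` in ossec.conf (default 7), unless the rule carries `alert_by_email`; the syscheck interval mentioned earlier in the thread has no effect on this, since syscheck only schedules file integrity scans.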