Well, I will have to create the rules for it to alert; I have tested them in ossec-logtest. The only thing now is that it is not sending alerts via e-mail, but I think this is not an OSSEC problem. Thanks a lot.

2012/12/13 dan (ddp) <[email protected]>

> On Thu, Dec 13, 2012 at 11:30 AM, Leonardo Pezente <[email protected]> wrote:
> > I'm using the syslog output of snort, so /var/log/syslog. And yes, OSSEC is
> > watching there.
> > They are snort alerts, so something like this:
> > snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected
> > I have tried the ossec-testlog, but it is not showing anything.
>
> This statement is too vague. Please provide an example.
>
> > I have read something saying that maybe I will have to create some OSSEC rules to
> > match this, but I'm not sure how to do that.
> >
>
> It's possible, but the ossec-logtest information will help with that.
>
> IIRC, there are some snort rules, but I doubt they do very much. There
> are a lot of snort rules, so creating an OSSEC rule for each one would
> be a daunting (and probably futile) task.
>
> > 2012/12/13 dan (ddp) <[email protected]>
> >
> >> On Wed, Dec 12, 2012 at 1:56 PM, Leonardo Pezente <[email protected]> wrote:
> >> > I'm a noob in OSSEC, but I think it was a good idea to have it on my NIDS
> >> > machine.
> >> > It is already running, and now I want it to send an e-mail about possible
> >> > problems that it and my NIDS (snort) detect, but I don't have any idea how to do
> >> > that.
> >> > I have snort sending alerts to my syslog, and I set the syscheck to 1 hour.
> >> > I have created an e-mail just for that, and I have changed the global to
> >> > send e-mail.
> >> > So, will it send an e-mail every one hour, or do I have to do something
> >> > more?
> >>
> >> Where is the snort syslog logging to? Is OSSEC watching that location?
> >> What do the logs look like? Have you tried feeding them through
> >> ossec-logtest?
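
A local OSSEC rule of the kind discussed in this thread, as an added example that is not part of any message above: it matches the Snort syslog line quoted in the thread. The rule ID (100100), the level, the group names and the description are assumptions chosen for illustration, and the rule is assumed to live in local_rules.xml.

```xml
<!-- Added example, not from the thread. Place in rules/local_rules.xml. -->
<!-- The ID is an assumption, picked from the range reserved for user-defined rules. -->
<group name="local,ids,snort,">

  <!-- Matches syslog lines whose program name starts with "snort" and whose
       message contains the alert text quoted in the thread:
       snort[1705]: (snort_decoder) WARNING: Nmap XMAS Attack Detected -->
  <rule id="100100" level="8">
    <program_name>^snort</program_name>
    <match>Nmap XMAS Attack Detected</match>
    <description>Snort: Nmap XMAS scan detected (example rule)</description>
    <!-- Level 8 is an assumption: it sits above the default
         email_alert_level of 7, so the alert qualifies for e-mail
         when e-mail notification is enabled in ossec.conf. -->
  </rule>

</group>
```

Pasting the full line from /var/log/syslog, including its timestamp and hostname, into ossec-logtest shows whether the rule fires and at what level.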
