Re: Can't read data_log output file (empty)

[Ronin CS via Snort-devel <snort-devel () lists snort org>]

I'll be waiting for the update.

I'm also trying to add end-of-flow events, is there any specific file I
could look up to use as a model?
I've already set a passive Inspector to listen to a certain event, but I'm
not sure where I should setup the module responsible for publishing this
end-of-flow event.

On Mon, Jul 17, 2017 at 8:51 PM, Russ <rucombs () cisco com> wrote:

> http_server (the old one) was deleted so you should stick with the
> http_inspect (the new one).  Unfortunately, data_log now needs an update.
> We will get you something soon.
>
>
> On 7/17/17 6:20 PM, Ronin CS via Snort-devel wrote:
>
> Hello everyone,
>
> I'm trying to better understand how to handle events inside Snort++ using
> data_log inspector as example. But at the moment, I can't really read the
> output file because it's always empty for me.
>
> Until now, I did the following changes to snort.lua:
>
> - Added a new line "data_log = { key = 'http_raw_uri' }
> - Changed the "http_inspector = { }" to "http_server = { }"
> (As recommended here: http://marc.info/?l=snort-user
> s&m=147422221322032&w=2)
>
> And ran the command:
>
> "sudo snort -c /opt/snort/etc/snort/snort.lua -R
> /opt/snort/etc/snort/samples.rules -r http.cap -A alert_ex --plugin-path
> /opt/snort/lib/snort_extra"
>
> The http.cap I'm using is the one located at
> https://wiki.wireshark.org/SampleCaptures
>
> What am I missing here?
>
> Thanks in advance,
> Ronin.
>
>
> _______________________________________________
> Snort-devel mailing listSnort-devel@lists.snort.orghttps://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!