Re: Snort++ data_log file empty

[Russ <rucombs () cisco com>]

You need to use the old HTTP inspector until the new one, which is now 
the default, is updated to publish inspection events.  To use the old 
one, change "http_inspect = { }" to "http_server = { }". That is in the 
extras so your --plugin-path will pick it up.

On 9/18/16 1:17 PM, secres () linuxmail org wrote:
> I've been trying to get the teh data_log module to work but I haven't 
> had any success.  Below is the command line options as well as 
> having data_log = { key = 'http_raw_uri' } in the snort.lua file. 
>  I've tried it wil different pcaps and with attaching it to an 
> interface to sniff while browsing the web.  The data.log file is 
> created but its always blank.  The rest of the snort.lua is default 
> from the installation.
> $my_path/bin/snort -c $my_path/etc/snort/snort.lua -R 
> $my_path/etc/snort/sample.rules -r http.cap --plugin-path 
> $my_path/lib/snort_extra -l /opt/snort-3.0/log/ -A alert_ex
> Thanks!
>
>
> ------------------------------------------------------------------------------
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!