Snort mailing list archives
Re: Can't read data_log output file (empty)
From: Russ via Snort-devel <snort-devel () lists snort org>
Date: Thu, 3 Aug 2017 08:13:57 -0400
data_log was updated a few days ago to work with the new http_inspect. We will get you something for flow events. On 7/19/17 2:26 PM, Ronin CS wrote:
I'll be waiting for the update.I'm also trying to add end-of-flow events, is there any specific file I could look up to use as a model? I've already set a passive Inspector to listen to a certain event, but I'm not sure where I should setup the module responsible for publishing this end-of-flow event.On Mon, Jul 17, 2017 at 8:51 PM, Russ <rucombs () cisco com <mailto:rucombs () cisco com>> wrote:http_server (the old one) was deleted so you should stick with the http_inspect (the new one). Unfortunately, data_log now needs an update. We will get you something soon. On 7/17/17 6:20 PM, Ronin CS via Snort-devel wrote:Hello everyone, I'm trying to better understand how to handle events inside Snort++ using data_log inspector as example. But at the moment, I can't really read the output file because it's always empty for me. Until now, I did the following changes to snort.lua: - Added a new line "data_log = { key = 'http_raw_uri' } - Changed the "http_inspector = { }" to "http_server = { }" (As recommended here: http://marc.info/?l=snort-users&m=147422221322032&w=2 <http://marc.info/?l=snort-users&m=147422221322032&w=2>) And ran the command: "sudo snort -c /opt/snort/etc/snort/snort.lua -R /opt/snort/etc/snort/samples.rules -r http.cap -A alert_ex --plugin-path /opt/snort/lib/snort_extra" The http.cap I'm using is the one located at https://wiki.wireshark.org/SampleCaptures <https://wiki.wireshark.org/SampleCaptures> What am I missing here? Thanks in advance, Ronin. _______________________________________________ Snort-devel mailing list Snort-devel () lists snort org <mailto:Snort-devel () lists snort org> https://lists.snort.org/mailman/listinfo/snort-devel <https://lists.snort.org/mailman/listinfo/snort-devel> Please visithttp://blog.snort.org for the latest news about Snort!
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Can't read data_log output file (empty) Ronin CS via Snort-devel (Jul 17)
- Re: Can't read data_log output file (empty) Russ via Snort-devel (Jul 17)
- Re: Can't read data_log output file (empty) Lawrence Belyeu via Snort-devel (Jul 17)
- Re: Can't read data_log output file (empty) Ronin CS via Snort-devel (Jul 19)
- Re: Can't read data_log output file (empty) Russ via Snort-devel (Aug 03)
- Re: Can't read data_log output file (empty) Ronin CS via Snort-devel (Aug 03)
- Re: Can't read data_log output file (empty) Russ via Snort-devel (Jul 17)