[Snort-devel] Can't read data_log output file (empty)

Russ rucombs at cisco.com
Thu Aug 3 08:13:57 EDT 2017


data_log was updated a few days ago to work with the new http_inspect.

We will get you something for flow events.

On 7/19/17 2:26 PM, Ronin CS wrote:
> I'll be waiting for the update.
>
> I'm also trying to add end-of-flow events, is there any specific file 
> I could look up to use as a model?
> I've already set a passive Inspector to listen to a certain event, but 
> I'm not sure where I should setup the module responsible for 
> publishing this end-of-flow event.
>
> On Mon, Jul 17, 2017 at 8:51 PM, Russ <rucombs at cisco.com> wrote:
>
>     http_server (the old one) was deleted so you should stick with the
>     http_inspect (the new one).  Unfortunately, data_log now needs an
>     update.  We will get you something soon.
>
>
>     On 7/17/17 6:20 PM, Ronin CS via Snort-devel wrote:
>>     Hello everyone,
>>
>>     I'm trying to better understand how to handle events inside
>>     Snort++ using data_log inspector as example. But at the moment, I
>>     can't really read the output file because it's always empty for me.
>>
>>     Until now, I did the following changes to snort.lua:
>>
>>     - Added a new line "data_log = { key = 'http_raw_uri' }"
>>     - Changed the "http_inspector = { }" to "http_server = { }"
>>     (As recommended here:
>>     http://marc.info/?l=snort-users&m=147422221322032&w=2)
>>
>>     And ran the command:
>>
>>     "sudo snort -c /opt/snort/etc/snort/snort.lua -R
>>     /opt/snort/etc/snort/samples.rules -r http.cap -A alert_ex
>>     --plugin-path /opt/snort/lib/snort_extra"
>>
>>     The http.cap I'm using is the one located at
>>     https://wiki.wireshark.org/SampleCaptures
>>
>>     What am I missing here?
>>
>>     Thanks in advance,
>>     Ronin.
>>
>
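As an added example (not from this thread and not the Snort project's own configuration), the snippet below shows the two snort.lua edits Ronin describes once Russ's advice is applied: keep the new http_inspect instead of the removed http_server, and configure data_log beside it. The log directory in the run command, and the note that the stock snort.lua binder/wizard routes the HTTP traffic in http.cap to http_inspect, are assumptions; the name of the file data_log writes is the plugin's own and is not stated here.

```lua
-- Added example: snort.lua fragment for the data_log exercise in this thread.
-- Not the Snort project's code. Assumes data_log comes from snort_extra and is
-- loaded with --plugin-path, as in Ronin's command line.

-- Wrong: http_server was removed from Snort++, and data_log did not work with it
-- until it was updated for the new inspector.
-- http_server = { }

-- Right: keep the new HTTP inspector that data_log was updated to work with.
http_inspect = { }

-- data_log from snort_extra; 'key' names the HTTP buffer to log (value from the thread).
data_log = { key = 'http_raw_uri' }

-- Assumption: the stock snort.lua binder and wizard already send the HTTP sessions
-- in http.cap to http_inspect, so no extra binder entry is needed here.

-- Run with an explicit log directory so the plugin output lands somewhere you can
-- find it (the -l path is an assumption; the rest mirrors Ronin's command):
--   sudo snort -c /opt/snort/etc/snort/snort.lua \
--        -R /opt/snort/etc/snort/samples.rules \
--        -r http.cap -A alert_ex -l /tmp/snortlog \
--        --plugin-path /opt/snort/lib/snort_extra
```

If the output is still empty after this change, confirm that http_inspect actually saw the traffic (for example by checking its counters in the end-of-run statistics) before suspecting data_log itself.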