[Snort-devel] Can't read data_log output file (empty)

Ronin CS ronincs17 at gmail.com
Thu Aug 3 09:45:37 EDT 2017


Thanks, I'll check it!
I've been trying to do a whole patch to Flow events, adding a few fields to
use later, but ended up getting SegFault errors whenever I tried to change
those fields.

So I've been working on a temporary solution to keep developing my project,
but as soon as you guys finish the flow events, I'll try to adapt my module
again.

Thank you.

On Thu, 3 Aug 2017 at 09:13 Russ <rucombs at cisco.com> wrote:

> data_log was updated a few days ago to work with the new http_inspect.
>
> We will get you something for flow events.
>
>
> On 7/19/17 2:26 PM, Ronin CS wrote:
>
> I'll be waiting for the update.
>
> I'm also trying to add end-of-flow events. Is there any specific file I
> could look up to use as a model?
> I've already set a passive Inspector to listen to a certain event, but I'm
> not sure where I should set up the module responsible for publishing this
> end-of-flow event.
>
> On Mon, Jul 17, 2017 at 8:51 PM, Russ <rucombs at cisco.com> wrote:
>
>> http_server (the old one) was deleted so you should stick with the
>> http_inspect (the new one).  Unfortunately, data_log now needs an update.
>> We will get you something soon.
>>
>>
>> On 7/17/17 6:20 PM, Ronin CS via Snort-devel wrote:
>>
>> Hello everyone,
>>
>> I'm trying to better understand how to handle events inside Snort++ using
>> the data_log inspector as an example. But at the moment, I can't really read the
>> output file because it's always empty for me.
>>
>> Until now, I did the following changes to snort.lua:
>>
>> - Added a new line "data_log = { key = 'http_raw_uri' }"
>> - Changed "http_inspector = { }" to "http_server = { }"
>> (As recommended here:
>> http://marc.info/?l=snort-users&m=147422221322032&w=2)
>>
>> And ran the command:
>>
>> "sudo snort -c /opt/snort/etc/snort/snort.lua -R
>> /opt/snort/etc/snort/samples.rules -r http.cap -A alert_ex --plugin-path
>> /opt/snort/lib/snort_extra"
>>
>> The http.cap I'm using is the one located at
>> https://wiki.wireshark.org/SampleCaptures
>>
>> What am I missing here?
>>
>> Thanks in advance,
>> Ronin.
>>
>>