[Snort-devel] Can't read data_log output file (empty)

Lawrence Belyeu lbelyeu71 at gmail.com
Mon Jul 17 23:49:57 EDT 2017


I asked to be removed from this list. I did what I was instructed. Please
remove me off the snort list again.

On Jul 17, 2017 6:57 PM, "Russ via Snort-devel" <snort-devel at lists.snort.org>
wrote:

> http_server (the old one) was deleted so you should stick with the
> http_inspect (the new one).  Unfortunately, data_log now needs an update.
> We will get you something soon.
>
> On 7/17/17 6:20 PM, Ronin CS via Snort-devel wrote:
>
> Hello everyone,
>
> I'm trying to better understand how to handle events inside Snort++ using
> data_log inspector as example. But at the moment, I can't really read the
> output file because it's always empty for me.
>
> Until now, I did the following changes to snort.lua:
>
> - Added a new line "data_log = { key = 'http_raw_uri' }"
> - Changed the "http_inspector = { }" to "http_server = { }"
> (As recommended here: http://marc.info/?l=snort-users&m=147422221322032&w=2)
>
> And ran the command:
>
> "sudo snort -c /opt/snort/etc/snort/snort.lua -R
> /opt/snort/etc/snort/samples.rules -r http.cap -A alert_ex --plugin-path
> /opt/snort/lib/snort_extra"
>
> The http.cap I'm using is the one located at
> https://wiki.wireshark.org/SampleCaptures
>
> What am I missing here?
>
> Thanks in advance,
> Ronin.
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!