[Snort-devel] Snort 2.9.12 for Windows, issues trying to get payload info to analyze, and to make multiple file instances with the payload info.

Don Hall dhall at rmscollects.com
Thu Jan 10 19:19:33 EST 2019


I use Snort v2.9.12 for Windows.

Issue #1.
I am trying to get the payload info (-d) and log it (-l) so that I can later read it back in (-dr) and analyze the payload.
The payload info goes out to the console, but the log file has only the header info, not the payload info.

I am using the config file \etc\snort.conf to apply the rules.
I try to modify the output plug-ins to get the step 6 plug-ins.

I need to see and analyze the payload.

Issue #2.
I am trying to get the files to close after a given file size (e.g. 1MB for test purposes).
With the epoch (timestamp extension), I would spawn off a new file
and save off the old file, to examine and do data analysis on the payload.
I am trying to do it first in a test, and later with a 100MB or 1GB file size for production.

Do I have to use some other tools, such as logrotatewin?
Or, can I do these things in Snort, without add-ons?
Do I have to make certain config file changes,
or do I set some command line arguments,
or do I have to make some patches to resolve the issues?

Thanks, in advance, for any good suggestions.

Regards.
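Added example, not part of the original post or of the Snort project's documentation: the two output lines below are the snort.conf output plug-in settings that correspond to the two issues raised above. The log_tcpdump plug-in writes full packets (headers and payload) in pcap format, which is the format `snort -r` reads back; the unified2 plug-in takes a `limit` in megabytes and rolls over to a new timestamped file when that size is reached. The file names are assumed for the example, and the `limit 1` value matches the 1MB test case described in the post (it would be raised to 100 or 1024 for production).

```conf
# snort.conf, output section (added example; file names are assumptions)

# Issue #1: pcap output keeps the packet payload, not just the header,
# so the file can be read back later with: snort -d -r snort.log.<epoch>
output log_tcpdump: snort.log

# Issue #2: unified2 output closes the current file and opens a new
# timestamped one once it reaches the limit (in MB); 1 for the test run
output unified2: filename snort.u2, limit 1
```

Unified2 files are binary event/packet records rather than pcap, so they are read with unified2 tools (for example the u2spewfoo utility shipped with Snort) rather than with `snort -r`; the size-based rollover therefore covers the rotation question, while the pcap output covers the payload read-back question.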

