[Snort-users] Snort for Windows - Trying to get payload info into log file, for later read in and analysis

Joel Esler (jesler) jesler at cisco.com
Fri Jan 11 11:49:21 EST 2019

> On Jan 10, 2019, at 7:09 PM, Don Hall <dhall at rmscollects.com> wrote:
> I use Snort v2.9.12 for Windows.
> Issue #1.
> I am trying to get the payload info (-d) and log (-l) to later read back in (-dr) and analyze the payload.
> The payload info goes out to console, but the log file just has the header info, but not the payload info.
> I am using the config file \etc\snort.conf to apply the rules.
> I try to modify the output plug-ins to get the step 6 plug-ins.
> I need to see and analyze the payload.

Snort can only read pcap files via -r.  It can't read log files.

Sounds like you are logging in the wrong format.  Perhaps it would help if you posted your Snort command line?  Maybe log in "-A cmg" or "-b" format?

> Issue #2.
> I am trying to get the files to close after a file size (e.g. 1MB for test purposes).
> With the epoch (timestamp extension), I would spawn off a new file,
> And save off the old file, to examine and do data analysis, on the payload.
> Trying to do it first, in a test; and later, with a 100MB or 1GB file size, for production.
> Do I have to use some other tools, such as logrotatewin? 
> Or, can I do these things in Snort, without add-ons?
> Thanks, in advance, for any good suggestions.
> Regards.

Not sure of any log rotators for Windows.  (I haven't touched Windows in probably 15 years).

Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
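
Added example, not part of the original message or of Snort itself: a log written in tcpdump format (`-b` together with `-l`) is an ordinary pcap file, so besides replaying it with `-dr` the payloads can be extracted with a short script. This Python reader assumes a classic pcap file with Ethernet framing and unfragmented IPv4; the function names and the sample packet are constructed for the illustration.

```python
import struct

def read_pcap(data):
    """Yield (ts_sec, frame) for each record of a classic pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated last record, e.g. the file is still being written
        off += 16 + incl_len
        yield ts_sec, frame

def l4_payload(frame):
    """Return (proto, src, sport, dst, dport, payload), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    seg = ip[ihl:struct.unpack("!H", ip[2:4])[0]]  # total length trims Ethernet padding
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    if ip[9] == 6 and len(seg) >= 20:
        hdr_len = (seg[12] >> 4) * 4  # TCP data offset, in 32-bit words
    elif ip[9] == 17 and len(seg) >= 8:
        hdr_len = 8
    else:
        return None
    sport, dport = struct.unpack("!HH", seg[:4])
    return ("tcp" if ip[9] == 6 else "udp", src, sport, dst, dport, seg[hdr_len:])

def payloads(data):
    """All non-empty TCP/UDP payloads in the capture, in file order."""
    found = (l4_payload(frame) for _, frame in read_pcap(data))
    return [p for p in found if p and p[5]]

def sample_pcap():
    """Constructed one-packet capture (checksums left at zero)."""
    body = b"GET /index.html HTTP/1.1\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + tcp
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 1547225361, 0, len(frame), len(frame)) + frame)
```

For a real log, pass the file's bytes, for example `payloads(open(path, "rb").read())`, where `path` is the file Snort wrote under the `-l` directory.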