New Inspector not recognized by snort3 #6
Comments
|
It looks like your --plugin-path arg is not including the install directory for your plugin. You can specify a colon separated list with that arg and include the install path of your plugin. You can check that the plugin is loaded like this: $ snort --warn-all --plugin-path <so_path>:<cusotm_path> --list-plugins Be sure to put --list-plugins last as shown. The warnings will reveal any plugin that fails to load due to missing symbols. |
|
Hi, After that a bunch of modules/files were listed. Even my custom inspector was there. I updated my command to see if I receive any warning in the actual run. And right at the beginning when all the inspectors were loaded I got this warning: In snort.lua I just added this to the inspector section: |
|
Update: |
Hi,
I created a new Inspector by copying most of the dpx inspector file.
I updated the sub-directory in ./inspectors and I am able to build/make/make install the project.
I can also see my custom inspector in the build tree. The "custom_plugin.so" file is also placed in the right location.
Now when I try to execute snort3 with a local pcap file:
sudo /usr/local/bin/snort -c /usr/local/etc/snort/snort.lua -r ~/pcap_dir/test.pcap -l /var/log/snort --plugin-path /usr/local/etc/so_rules/ --script-path ~/snort3_extraIt is running without any errors and snort3 is doing what it should do except that my custom inspector was not loaded and did nothing...
I added some print message to check if the methods of my inspector are called.
Btw. I also added the custom inspector to snort.lua:
custom_plugin = { }I don't know if this information is important but PKG_CONFIG_PATH is pointing to /usr/local/lib/pkgconfig. (It also contains a snort.pc inside)
Would be nice if someone knows what I am missing :/
The text was updated successfully, but these errors were encountered: