Snort 3 won't display "msg" / pulledpork


I'm using Snort3 + Pulledpork to monitor network traffic and I've configured it to output alerts in JSON format. However, I've noticed that the JSON logs are missing the "msg" field. Only the GID and SID are displayed.

This is my command to start Snort:

snort -q -c /usr/local/etc/snort/snort.lua --plugin-path /usr/local/etc/so_rules/ -i ens160 -A alert_json -y > /var/www/html/data.json

Example output from data.json:

{ "timestamp" : "24/03/18-12:26:54.347601", "pkt_num" : 2031213, "proto" : "TCP", "pkt_gen" : "raw", "pkt_len" : 40, "dir" : "C2S", "src_ap" : "172.21.32.143:47534", "dst_ap" : "172.21.32.115:80", "rule" : "129:15:1", "action" : "allow" }

My question is:

How can I configure Snort to ensure that the "msg" field is included in the JSON output?

Thank You!


There are 0 answers
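The field list in the output above is exactly the alert_json module's default field set, which does not include msg. The following snort.lua fragment is an added example, not part of the question or of the Snort project's own files; it assumes the snort.lua path from the command above and that the -A alert_json switch selects the module while this table supplies its parameters.

```lua
-- Added example: alert_json configuration for /usr/local/etc/snort/snort.lua
-- (path assumed from the command in the question).

-- Default field set of alert_json; this is what produced the data.json line
-- in the question, so "msg" is never written:
--   fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action'

-- Corrected configuration: add "msg" to the field list. "class" and "priority"
-- are also added because they help triage alerts without a rule lookup.
alert_json =
{
    -- false keeps output on stdout, so the "> /var/www/html/data.json"
    -- redirect in the start command continues to work unchanged
    file = false,

    -- field names are emitted in the order given here, left to right
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule msg class priority action',
}
```

After restarting Snort with the same command line, each JSON record carries a "msg" key alongside the existing "rule" triple (gid:sid:rev); the "rule" field itself is kept so existing consumers of data.json still parse.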