On Tue, Oct 30, 2012 at 10:49 AM, Doug Burks <[email protected]> wrote:
> Hi Daniel,
>
> Thanks for the quick response! Replies inline.
>
> On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann
> <[email protected]> wrote:
> <snip>
>>> -n snort.log
>>> This makes daemonlogger name the files in the output directory
>>> snort.log.$TIMESTAMP. Is there an equivalent option in netsniff-ng?
>>
>> No, currently there is no prefix option. If you like feel free to hack
>> the code, it should actually not be too difficult.
To follow up, I just hardcoded the filename as follows:
--- securityonion-netsniff-ng-20121031.orig/src/netsniff-ng.c
+++ securityonion-netsniff-ng-20121031/src/netsniff-ng.c
@@ -778,7 +778,7 @@ static int next_multi_pcap_file(struct m
pcap_ops[mode->pcap]->prepare_close_pcap(fd, PCAP_MODE_WRITE);
close(fd);
- slprintf(tmp, sizeof(tmp), "%s/%lu.pcap", mode->device_out, time(0));
+ slprintf(tmp, sizeof(tmp), "%s/snort.log.%lu", mode->device_out,
time(0));
fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
DEFFILEMODE);
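Review bot: the new format string in next_multi_pcap_file drops the `.pcap` suffix while adding the prefix, so rotated files become `snort.log.<epoch>` with no extension and anything keyed on `.pcap` (file-type rules, glob-based pickup scripts) stops matching them. If mirroring daemonlogger's `-n snort.log` naming is the intent that is acceptable, but the literal `"snort.log."` should come from a run-time option (for example a hypothetical prefix field on the `mode` struct that defaults to the existing `"%s/%lu.pcap"` form) rather than being compiled in, otherwise every user of the patched binary is locked to this one name.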
@@ -804,7 +804,7 @@ static int begin_multi_pcap_file(struct
if (mode->device_out[strlen(mode->device_out) - 1] == '/')
mode->device_out[strlen(mode->device_out) - 1] = 0;
- slprintf(tmp, sizeof(tmp), "%s/%lu.pcap", mode->device_out, time(0));
+ slprintf(tmp, sizeof(tmp), "%s/snort.log.%lu", mode->device_out,
time(0));
fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
DEFFILEMODE);
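Review bot: this is the second copy of the identical hard-coded pattern (the first is in next_multi_pcap_file), so the prefix must now be kept in sync by hand in two places; pull the filename construction into one small helper that takes `mode->device_out` and the timestamp and call it from both begin_multi_pcap_file and next_multi_pcap_file, so a later change to the prefix or extension happens once. The trailing-slash trim on `mode->device_out` at the top of this hunk only runs in begin_multi_pcap_file, and a shared helper would also make it obvious that next_multi_pcap_file relies on that buffer having already been trimmed.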
It's a quick and dirty hack, but it seems to be working so far. Could
there be any unintended consequences I'm overlooking?
Thanks,
--
Doug Burks
http://securityonion.blogspot.com