On Wed, Oct 31, 2012 at 2:37 PM, Doug Burks <[email protected]> wrote: > On Tue, Oct 30, 2012 at 10:49 AM, Doug Burks <[email protected]> wrote: >> Hi Daniel, >> >> Thanks for the quick response! Replies inline. >> >> On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann >> <[email protected]> wrote: >> <snip> >>>> -n snort.log >>>> This makes daemonlogger name the files in the output directory >>>> snort.log.$TIMESTAMP. Is there an equivalent option in netsniff-ng? >>> >>> No, currently there is no prefix option. If you like feel free to hack >>> the code, it should actually not be too difficult. > > To follow up, I just hardcoded the filename as follows: > > --- securityonion-netsniff-ng-20121031.orig/src/netsniff-ng.c > +++ securityonion-netsniff-ng-20121031/src/netsniff-ng.c > @@ -778,7 +778,7 @@ static int next_multi_pcap_file(struct m > pcap_ops[mode->pcap]->prepare_close_pcap(fd, PCAP_MODE_WRITE); > close(fd); > > - slprintf(tmp, sizeof(tmp), "%s/%lu.pcap", mode->device_out, time(0)); > + slprintf(tmp, sizeof(tmp), "%s/snort.log.%lu", mode->device_out, > time(0)); > > fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE, > DEFFILEMODE); > @@ -804,7 +804,7 @@ static int begin_multi_pcap_file(struct > if (mode->device_out[strlen(mode->device_out) - 1] == '/') > mode->device_out[strlen(mode->device_out) - 1] = 0; > > - slprintf(tmp, sizeof(tmp), "%s/%lu.pcap", mode->device_out, time(0)); > + slprintf(tmp, sizeof(tmp), "%s/snort.log.%lu", mode->device_out, > time(0)); > > fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE, > DEFFILEMODE); > > It's a quick and dirty hack, but it seems to be working so far. Could > there be any unintended consequences I'm overlooking?
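Review bot: The added line in the `next_multi_pcap_file` hunk is wrapped by the mail client (`mode->device_out,` and `time(0));` arrive as two separate quoted lines), so the patch as posted will not apply cleanly; resend it unwrapped or as an attachment. On the change itself, `"%s/snort.log.%lu"` both hard-codes the prefix and drops the `.pcap` suffix, so anyone relying on the extension to recognise capture files loses it and the name cannot be changed without rebuilding. Since the thread agrees a prefix option is the missing feature, the cleaner fix is to carry the prefix in the same structure as `mode->device_out` and fill it from a command-line option, defaulting to the existing `%lu.pcap` form so current users see no change.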
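Review bot: The `begin_multi_pcap_file` hunk repeats the exact format string from `next_multi_pcap_file`, leaving two copies that must be kept in sync by hand; factoring the name construction into one small helper (e.g. a hypothetical `build_pcap_name(tmp, sizeof(tmp), mode)`) removes the duplication and gives a single place for a future prefix option. Two points visible in the unchanged context are worth a look while here: `time(0)` is passed to `%lu`, but `time_t` is not guaranteed to be `unsigned long`, so an explicit `(unsigned long)time(0)` cast is the portable form; and because the name has one-second resolution and the file is opened with `O_TRUNC`, a second rotation within the same second would truncate the file just written, which the new prefix does nothing to prevent. Both pre-date this patch, but they decide whether the hard-coded name is safe to ship.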
No, actually this hack should be fine for your case.

Best,
Daniel
