On Wed, Oct 31, 2012 at 2:40 PM, Daniel Borkmann <[email protected]> wrote:
> On Wed, Oct 31, 2012 at 2:37 PM, Doug Burks <[email protected]> wrote:
>> On Tue, Oct 30, 2012 at 10:49 AM, Doug Burks <[email protected]> wrote:
>>> Hi Daniel,
>>>
>>> Thanks for the quick response! Replies inline.
>>>
>>> On Tue, Oct 30, 2012 at 10:41 AM, Daniel Borkmann
>>> <[email protected]> wrote:
>>> <snip>
>>>>> -n snort.log
>>>>> This makes daemonlogger name the files in the output directory
>>>>> snort.log.$TIMESTAMP. Is there an equivalent option in netsniff-ng?
>>>>
>>>> No, currently there is no prefix option. If you like feel free to hack
>>>> the code, it should actually not be too difficult.
>>
>> To follow up, I just hardcoded the filename as follows:
>>
>> --- securityonion-netsniff-ng-20121031.orig/src/netsniff-ng.c
>> +++ securityonion-netsniff-ng-20121031/src/netsniff-ng.c
>> @@ -778,7 +778,7 @@ static int next_multi_pcap_file(struct m
>> pcap_ops[mode->pcap]->prepare_close_pcap(fd,
>> PCAP_MODE_WRITE);
>> close(fd);
>>
>> - slprintf(tmp, sizeof(tmp), "%s/%lu.pcap", mode->device_out, time(0));
>> + slprintf(tmp, sizeof(tmp), "%s/snort.log.%lu", mode->device_out,
>> time(0));
>>
>> fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
>> DEFFILEMODE);
>> @@ -804,7 +804,7 @@ static int begin_multi_pcap_file(struct
>> if (mode->device_out[strlen(mode->device_out) - 1] == '/')
>> mode->device_out[strlen(mode->device_out) - 1] = 0;
>>
>> - slprintf(tmp, sizeof(tmp), "%s/%lu.pcap", mode->device_out, time(0));
>> + slprintf(tmp, sizeof(tmp), "%s/snort.log.%lu", mode->device_out,
>> time(0));
>>
>> fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
>> DEFFILEMODE);
>>
>> It's a quick and dirty hack, but it seems to be working so far. Could
>> there be any unintended consequences I'm overlooking?
>
> No, actually this hack should be fine for your case.
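Review bot: In the next_multi_pcap_file hunk the "snort.log." prefix is hardcoded into the slprintf format string, so the build now produces only that naming scheme and the file also loses the ".pcap" suffix the old "%s/%lu.pcap" format gave it, which any tooling that selects captures by extension will no longer match. Carry the prefix in the mode struct (populated from a command-line option, as the thread asks for) and fall back to the old name when it is unset, e.g. `slprintf(tmp, sizeof(tmp), "%s/%s%lu.pcap", mode->device_out, prefix ? prefix : "", time(0));`. Note also that the pasted patch is mail-wrapped (the `+` line is split across `>> time(0));` and the context lines have lost their indentation), so it will not apply as quoted.

Review bot: The begin_multi_pcap_file hunk repeats the identical format-string edit from the previous hunk, leaving two copies of the naming logic that can drift apart on the next change. Factor the name construction into one helper called from both next_multi_pcap_file and begin_multi_pcap_file so the prefix handling lives in a single place. One caveat worth keeping in mind for an operator, unchanged by this patch but visible in both hunks: the name is only second-granular (`time(0)` as `%lu`) and the file is opened with O_TRUNC, so two rotations within the same second would silently truncate the earlier capture.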
For future reference, I've added an entry in our TODO file to do this properly.

--
