The new version resulted in the following output filename format:
snort.log-1352918185.pcap

When it rolled to a new pcap based on --interval, the filename format became:
snort.log1352918248.pcap

Sguil is expecting the filenames to be like this:
snort.log.1352854983
(snort.log.TIMESTAMP and no .pcap extension)

So I patched as follows:

--- securityonion-netsniff-ng-20121114.orig/src/netsniff-ng.c
+++ securityonion-netsniff-ng-20121114/src/netsniff-ng.c
@@ -598,7 +598,7 @@ static int next_multi_pcap_file(struct m
                pcap_ops[mode->pcap]->prepare_close_pcap(fd, PCAP_MODE_WRITE);
        close(fd);

-       slprintf(tmp, sizeof(tmp), "%s/%s%lu.pcap",
+       slprintf(tmp, sizeof(tmp), "%s/%s.%lu",
                 mode->device_out, mode->prefix ? : "dump-", time(0));

        fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
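Review bot: the fallback prefix in this hunk is still "dump-", so with the new "%s/%s.%lu" format a run without -P rotates to a file named like dump-.1352918248, while the fallback in begin_multi_pcap_file (next hunk) is "dump" and yields dump.1352918248. The trailing "-" only made sense with the old "%s%lu.pcap" format; change the fallback here to match the other site, e.g. `mode->device_out, mode->prefix ? : "dump", time(0));`, so the first file and every rotated file follow one naming scheme.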
@@ -625,7 +625,7 @@ static int begin_multi_pcap_file(struct
        if (mode->device_out[strlen(mode->device_out) - 1] == '/')
                mode->device_out[strlen(mode->device_out) - 1] = 0;

-       slprintf(tmp, sizeof(tmp), "%s/%s-%lu.pcap",
+       slprintf(tmp, sizeof(tmp), "%s/%s.%lu",
                 mode->device_out, mode->prefix ? : "dump", time(0));

        fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
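Review bot: together with the previous hunk this removes the .pcap extension for every user of multi-file mode, not only for Sguil deployments, and the quoted reply below says upstream has already pushed a fix for the same report, so this local patch may conflict with the next packaged upstream version. Since the original request asked for a configurable format, consider keeping the extension behind an option or at least documenting the new prefix.TIMESTAMP scheme; and since both hunks now build the identical "%s/%s.%lu" string, factoring the filename construction into one helper would keep the two code paths from drifting apart again.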

Now, netsniff-ng creates the proper output filename:
snort.log.1352919232

and when it rolls to a new pcap based on --interval, it retains the
proper output filename:
snort.log.1352919276

Did I miss anything?

Thanks,
Doug

On Wed, Nov 14, 2012 at 9:44 AM, Daniel Borkmann <[email protected]> wrote:
> On Wed, Nov 14, 2012 at 3:25 AM, Doug Burks <[email protected]> wrote:
>> Thanks for all the fixes lately!  I've got the latest git version packaged
>> and it looks like we're making great progress!
>>
>> I'm running as follows:
>> sudo netsniff-ng -i eth0 -o test/ --interval 1MiB -Psnort.log -s
>>
>> In my test directory, I have filenames like:
>> snort.log-1352859267.pcap
>>
>> However, Sguil is expecting the filenames to be like this:
>> snort.log.1352854983
>>
>> Would you mind fixing this format or making the format more configurable?
>> Or should I just do a quick-and-dirty hack?
>
> Done and pushed upstream. Thanks for reporting.
>



-- 
Doug Burks
http://securityonion.blogspot.com
