On Wed, Nov 14, 2012 at 7:56 PM, Doug Burks <[email protected]> wrote:
> The new version resulted in the following output filename format:
> snort.log-1352918185.pcap
>
> When it rolled to a new pcap based on --interval, the filename format became:
> snort.log1352918248.pcap
Right, sorry, I forgot to change the second format string. Fixed now. You should be able to set a prefix like "snort.log." and then it's what you want. > Sguil is expecting the filenames to be like this: > snort.log.1352854983 > (snort.log.TIMESTAMP and no .pcap extension) > > So I patched as follows: > > --- securityonion-netsniff-ng-20121114.orig/src/netsniff-ng.c > +++ securityonion-netsniff-ng-20121114/src/netsniff-ng.c > @@ -598,7 +598,7 @@ static int next_multi_pcap_file(struct m > pcap_ops[mode->pcap]->prepare_close_pcap(fd, PCAP_MODE_WRITE); > close(fd); > > - slprintf(tmp, sizeof(tmp), "%s/%s%lu.pcap", > + slprintf(tmp, sizeof(tmp), "%s/%s.%lu", > mode->device_out, mode->prefix ? : "dump-", time(0)); > > fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE, 
> @@ -625,7 +625,7 @@ static int begin_multi_pcap_file(struct > if (mode->device_out[strlen(mode->device_out) - 1] == '/') > mode->device_out[strlen(mode->device_out) - 1] = 0; > > - slprintf(tmp, sizeof(tmp), "%s/%s-%lu.pcap", > + slprintf(tmp, sizeof(tmp), "%s/%s.%lu", > mode->device_out, mode->prefix ? : "dump", time(0)); > > fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE, > > Now, netsniff-ng creates the proper output filename: > snort.log.1352919232 > > and when it rolls to a new pcap based on --interval, it retains the > proper output filename: > snort.log.1352919276 > > Did I miss anything? > > Thanks, > Doug > > On Wed, Nov 14, 2012 at 9:44 AM, Daniel Borkmann <[email protected]> > wrote: >> On Wed, Nov 14, 2012 at 3:25 AM, Doug Burks <[email protected]> wrote: >>> Thanks for all the fixes lately! I've got the latest git version packaged >>> and it looks like we're making great progress! >>> >>> I'm running as follows: >>> sudo netsniff-ng -i eth0 -o test/ --interval 1MiB -Psnort.log -s >>> >>> In my test directory, I have filenames like: >>> snort.log-1352859267.pcap >>> >>> However, Sguil is expecting the filenames to be like this: >>> snort.log.1352854983 >>> >>> Would you mind fixing this format or making the format more configurable? >>> Or should I just do a quick-and-dirty hack? >> >> Done and pushed upstream. Thanks for reporting. >> >> -- >> >> > > > > -- > Doug Burks > http://securityonion.blogspot.com > > -- > > --
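Review bot: in the first hunk (next_multi_pcap_file, @@ -598) the fallback prefix is still "dump-", so with the new "%s/%s.%lu" format an unprefixed run names its rotated files "dump-.TIMESTAMP" (dash and dot back to back), while the second hunk's fallback "dump" names the first file "dump.TIMESTAMP". Change the fallback in this hunk to match the other one, e.g. `mode->device_out, mode->prefix ? : "dump", time(0));`, so the first file and every rotated file share the same shape.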
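Review bot: the second hunk (begin_multi_pcap_file, @@ -625) removes the ".pcap" extension and hardcodes "." as the separator for every user, not only Sguil deployments. Since the prefix is already user-supplied via -P, keeping the separator out of the format string (for example "%s/%s%lu") and passing "snort.log." as the prefix, as Daniel suggests in his reply, gives the same "snort.log.TIMESTAMP" result without changing the default naming for other users; if the extension is to be dropped unconditionally, that should at least be called out in the commit message.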
