Gotcha, thanks!

Doug

On Wed, Nov 14, 2012 at 2:25 PM, Daniel Borkmann <[email protected]> wrote:
> On Wed, Nov 14, 2012 at 7:56 PM, Doug Burks <[email protected]> wrote:
>> The new version resulted in the following output filename format:
>> snort.log-1352918185.pcap
>>
>> When it rolled to a new pcap based on --interval, the filename format became:
>> snort.log1352918248.pcap
>
> Right, sorry, I forgot to change the second format string. Fixed now.
>
> You should be able to set a prefix like "snort.log." and then it's
> what you want.
>
>> Sguil is expecting the filenames to be like this:
>> snort.log.1352854983
>> (snort.log.TIMESTAMP and no .pcap extension)
>>
>> So I patched as follows:
>>
>> --- securityonion-netsniff-ng-20121114.orig/src/netsniff-ng.c
>> +++ securityonion-netsniff-ng-20121114/src/netsniff-ng.c
>> @@ -598,7 +598,7 @@ static int next_multi_pcap_file(struct m
>> pcap_ops[mode->pcap]->prepare_close_pcap(fd,
>> PCAP_MODE_WRITE);
>> close(fd);
>>
>> - slprintf(tmp, sizeof(tmp), "%s/%s%lu.pcap",
>> + slprintf(tmp, sizeof(tmp), "%s/%s.%lu",
>> mode->device_out, mode->prefix ? : "dump-", time(0));
>>
>> fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
>> @@ -625,7 +625,7 @@ static int begin_multi_pcap_file(struct
>> if (mode->device_out[strlen(mode->device_out) - 1] == '/')
>> mode->device_out[strlen(mode->device_out) - 1] = 0;
>>
>> - slprintf(tmp, sizeof(tmp), "%s/%s-%lu.pcap",
>> + slprintf(tmp, sizeof(tmp), "%s/%s.%lu",
>> mode->device_out, mode->prefix ? : "dump", time(0));
>>
>> fd = open_or_die_m(tmp, O_RDWR | O_CREAT | O_TRUNC | O_LARGEFILE,
>>
>> Now, netsniff-ng creates the proper output filename:
>> snort.log.1352919232
>>
>> and when it rolls to a new pcap based on --interval, it retains the
>> proper output filename:
>> snort.log.1352919276
>>
>> Did I miss anything?
>>
>> Thanks,
>> Doug
>>
>> On Wed, Nov 14, 2012 at 9:44 AM, Daniel Borkmann <[email protected]>
>> wrote:
>>> On Wed, Nov 14, 2012 at 3:25 AM, Doug Burks <[email protected]> wrote:
>>>> Thanks for all the fixes lately! I've got the latest git version packaged
>>>> and it looks like we're making great progress!
>>>>
>>>> I'm running as follows:
>>>> sudo netsniff-ng -i eth0 -o test/ --interval 1MiB -Psnort.log -s
>>>>
>>>> In my test directory, I have filenames like:
>>>> snort.log-1352859267.pcap
>>>>
>>>> However, Sguil is expecting the filenames to be like this:
>>>> snort.log.1352854983
>>>>
>>>> Would you mind fixing this format or making the format more configurable?
>>>> Or should I just do a quick-and-dirty hack?
>>>
>>> Done and pushed upstream. Thanks for reporting.
>>
>> --
>> Doug Burks
>> http://securityonion.blogspot.com
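Review bot: in the next_multi_pcap_file hunk the new format string "%s/%s.%lu" now supplies the separator itself, but the unchanged fallback on the following line, `mode->prefix ? : "dump-"`, still carries a trailing '-', so a run without -P would produce names like dump-.TIMESTAMP. The begin_multi_pcap_file hunk uses plain "dump" for the same fallback; the two should agree (drop the '-' here) so the first file and every rolled file follow one naming scheme, which is exactly the mismatch this thread started with.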
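Review bot: the begin_multi_pcap_file hunk hard-codes the Sguil convention (dot separator, no .pcap extension) for every user of multi-file mode, which is the narrower of the two options asked for earlier in the thread ("fixing this format or making the format more configurable"); keeping the upstream format and letting the prefix carry the separator, as Daniel suggests with a prefix of "snort.log.", or adding a switch for the extension, would avoid breaking consumers that key on .pcap. From the unchanged context it is also worth noting that the name is derived from time(0) at one-second granularity and the file is opened with O_TRUNC, so two rolls within the same second would silently overwrite the earlier capture; that predates this change, but it matters more once another tool is indexing these files by name.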
--
Doug Burks
http://securityonion.blogspot.com
