Snort mailing list archives
RE: Request for help in changing packet capture filenames under Snort 1.9
From: Matt Yackley <Matt.Yackley () perkinswill com>
Date: Mon, 2 Dec 2002 15:34:35 -0600
*Smacks forehead* hmmmm let's see, Output Plugins, damn why did I miss that clue....I checked all over the files up one level, but I must not have searched thru the Output plugins dir.

Thanks a ton Frank! Looks like it's upgrade time....

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Monday, December 02, 2002 1:57 PM
To: Matt Yackley
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Request for help in changing packet capture filenames under Snort 1.9

On Mon, 2002-12-02 at 12:34, Matt Yackley wrote:
> For those of us running snort on linux and then archiving data to a Win32 machine, the "proto:port-port" filename that is created for packet capture files will not work for Windows. In snort 1.8.x this was fairly simple to change by editing a line in the log.c file then compiling, etc. However in snort 1.9 this has changed and I can't find out where to change this option.
>
> I've tried posting to this list about a month ago and also to snort-developers but no one has answered yet, or has been able to find the answer, I should say.
Open spo_log_ascii.c in src/output-plugins. In the OpenLogFile function you'll see:

    #ifdef WIN32
            snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
                     protocol_names[p->iph->ip_proto], p->sp, p->dp, suffix);
    #else
            snprintf(log_file, STD_BUF, "%s/%s:%d-%d%s", log_path,
                     protocol_names[p->iph->ip_proto], p->sp, p->dp, suffix);
    #endif
        }
        else
        {
    #ifdef WIN32
            snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
                     protocol_names[p->iph->ip_proto], p->dp, p->sp, suffix);
    #else
            snprintf(log_file, STD_BUF, "%s/%s:%d-%d%s", log_path,
                     protocol_names[p->iph->ip_proto], p->dp, p->sp, suffix);
    #endif

Change those to whatever you want to appear in the log files (i.e. change the : to a - or _ or whatever). Then recompile.

Frank
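
Added example, not part of the original thread and not Snort's own code: a standalone C helper that builds the same "proto<sep>port-port" name as the snprintf calls quoted above, but refuses a separator or protocol string that Win32 would reject and reports truncation instead of silently writing a short name. The function names, the sample log path and the port values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Characters Win32 rejects in a file name (device names like CON are not checked). */
static const char WIN_RESERVED[] = "<>:\"/\\|?*";

/* 1 if every character of name is legal on both Linux and Win32, else 0. */
int win32_safe_component(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (c < 0x20 || c == 0x7f || strchr(WIN_RESERVED, c) != NULL)
            return 0;
    }
    return 1;
}

/*
 * Write "<log_path>/<proto><sep><port_a>-<port_b>" into out.
 * Returns 0 on success, -1 if proto or sep is not portable or if
 * the result would not fit in outlen bytes (snprintf truncation).
 */
int build_capture_name(char *out, size_t outlen, const char *log_path,
                       const char *proto, unsigned port_a, unsigned port_b,
                       char sep)
{
    char sep_str[2] = { sep, '\0' };
    int n;

    if (!win32_safe_component(sep_str) || !win32_safe_component(proto))
        return -1;
    n = snprintf(out, outlen, "%s/%s%c%u-%u", log_path, proto, sep,
                 port_a, port_b);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char name[256];
    /* Constructed sample values: log directory, protocol name and ports. */
    if (build_capture_name(name, sizeof name, "/var/log/snort/10.0.0.5",
                           "TCP", 1025, 80, '_') == 0)
        printf("%s\n", name);
    if (build_capture_name(name, sizeof name, "/var/log/snort/10.0.0.5",
                           "TCP", 1025, 80, ':') != 0)
        printf("':' rejected: not usable on Win32\n");
    return 0;
}
```

win32_safe_component() can also be run over the names of capture files already on disk before they are copied to the Win32 archive host.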