[Snort-users] Request for help in changing packet capture filenames under Snort 1.9

Frank Knobbe fknobbe at ...652...
Mon Dec 2 11:58:29 EST 2002


On Mon, 2002-12-02 at 12:34, Matt Yackley wrote:
> For those of us running snort on linux and then archiving data to a Win32
> machine, the "proto:port-port" filename that is created for packet capture
> files will not work for Windows.  In snort 1.8.x this was fairly simple to
> change by editing a line in the log.c file then compiling, etc.  However in
> snort 1.9 this has changed and I can't find out where to change this option.
> I've tried posting to this list about a month ago and also to
> snort-developers but no one has answered yet, or has been able to find the
> answer I should say.


Open spo_log_ascii.c in src/output-plugins. In the OpenLogFile function
you'll see:

#ifdef WIN32
                snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
                        protocol_names[p->iph->ip_proto], p->sp, p->dp,
                        suffix);
#else
                snprintf(log_file, STD_BUF, "%s/%s:%d-%d%s", log_path,
                        protocol_names[p->iph->ip_proto], p->sp, p->dp,
                        suffix);
#endif
            }
            else
            {
#ifdef WIN32
                snprintf(log_file, STD_BUF, "%s/%s_%d-%d%s", log_path,
                        protocol_names[p->iph->ip_proto], p->dp, p->sp,
                        suffix);
#else
                snprintf(log_file, STD_BUF, "%s/%s:%d-%d%s", log_path,
                        protocol_names[p->iph->ip_proto], p->dp, p->sp,
                        suffix);
#endif



Change those to whatever you want to appear in the log files (i.e.
change the : to a - or _ or whatever). Then recompile.

Frank
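
An added example, not part of the original message and not Snort's own code: a standalone helper that builds the same proto/port-port file name with a caller-chosen separator, refuses any separator Windows cannot store, and checks for snprintf truncation. The function name build_log_name, its return codes and the sample path are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Characters Win32 rejects in a file name component. */
static const char WIN32_RESERVED[] = "<>:\"/\\|?*";

/*
 * Build "<log_path>/<proto><sep><port_a>-<port_b><suffix>".
 * Hypothetical helper, not a Snort function. Returns 0 on success,
 * -1 if the separator or a name part is unusable on Win32,
 * -2 if the result would not fit in buf (snprintf truncation).
 */
int build_log_name(char *buf, size_t len, const char *log_path,
                   const char *proto, char sep,
                   unsigned port_a, unsigned port_b, const char *suffix)
{
    int n;

    /* Reject a separator that would recreate the original problem. */
    if (sep == '\0' || strchr(WIN32_RESERVED, sep) != NULL)
        return -1;
    /* The protocol name and suffix also end up in the file name. */
    if (strpbrk(proto, WIN32_RESERVED) || strpbrk(suffix, WIN32_RESERVED))
        return -1;

    n = snprintf(buf, len, "%s/%s%c%u-%u%s",
                 log_path, proto, sep, port_a, port_b, suffix);
    /* snprintf reports the length it needed; >= len means it was cut off. */
    if (n < 0 || (size_t)n >= len)
        return -2;
    return 0;
}

int main(void)
{
    char name[64];

    /* Constructed sample values, not taken from a real capture. */
    if (build_log_name(name, sizeof name, "/var/log/snort/10.0.0.5",
                       "TCP", '_', 1025, 80, "") == 0)
        puts(name);
    if (build_log_name(name, sizeof name, "/var/log/snort/10.0.0.5",
                       "TCP", ':', 1025, 80, "") != 0)
        puts("':' rejected: not valid in a Win32 file name");
    return 0;
}
```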
