Re: IDS/IPS system with Foundry sFlow

[Martin Roesch <roesch () sourcefire com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Scott,

1-in-32 sampling is going to limit what you can do as far as layer 7  
analysis to straight attack signatures, you won't be able to take  
advantage of Snort's ability to define state machines using the rules  
language's flowbits feature and do protocol-based analysis and  
detection.  It'll work but you'll be pretty limited if I understand  
what you're saying.

        -Marty


On Apr 23, 2008, at 9:44 AM, Monk, Scott wrote:

> Yes, the sFlow is sampled 1 of 32 packets and higher. Yes, IronView  
> can
> export all data in real time to a pcap format that snort (locally or
> remotely) can read and then send alerts back to the IronView console.
> Also Lancope has a StealWatch XE for sFlow.
>
> Thanks,
> Scott
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ]
> On Behalf Of Martin Roesch
> Sent: Tuesday, April 22, 2008 1:19 PM
> To: Security Group
> Cc: focus-ids () securityfocus com
> Subject: Re: IDS/IPS system with Foundry sFlow
>
> When you say "with sFlow" do you mean analyze the sFlow records or
> analyze the packets on the wire and correlate it with the sFlow data?
>
> --
> Sent from my iPhone
>
> On Apr 21, 2008, at 3:42 PM, "Security Group" <secgro () gmail com>  
> wrote:
>
> > Hello,
> >
> > We have got a network with an embedded support for sFlow technology.
> > We also want to have a good IDS/IPS system. Does anyone know a good
> > setup with our foundry?
> >
> > We noticed that Foundry got their own application called "IronView
> > Network Manager", it is able to operate with snort. Does anyone know
> > of this is a good solution? Or should we use an sFlow converter (e.g.
> > InMon sFlow toolkit) that can work with snort?
> >
> > What are the other possibilities for IDS/IPS besides snort. It has to
> > operate with the sFlow technology.
> >
> > Kind regards,
> >
> > Babel Timo
> >
> > ---
> > ---------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
> n=intro_sfw
> > to learn more.
> > ---
> > ---------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
> n=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFIEixdqj0FAQQ3KOARApLRAJ0X/rYNI4WTcelBKG1li4m031ghgwCfSW4j
k6ktTYGjd/wuhxWv2r7WkkU=
=LQ7+
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------