Snort mailing list archives
netflow input
From: Olivier Bilodeau <obilodeau () inverse ca>
Date: Tue, 24 Nov 2009 18:54:58 -0500
Hi,

We want to generate alarms on a network based on src ip:port and dst ip:port criteria. We would like to use snort but the problem is that we cannot have a snort probe in all the required places (and forget about span) _but_ we can have netflow sources. Instead of parsing the netflow ourselves and creating our own alarm syntax, we would like to leverage the infrastructure provided by snort.

Is there a way to give netflow traffic to snort? I did research and here are my findings:

Patch sitting in queue[1]
I saw that there was a patch at some point in the past and a post to -devel[2], but has there been any work towards this lately?

Transform netflow to pcap
I saw some attempts[3] to use tools that support netflow input and transform it to pcap, then use snort to process this pcap. I am aware that a lot of payload information won't be available and I'm ok with that. Has anyone done netflow -> pcap -> snort lately?

Any help or pointers will be appreciated.

p.s.: work in that regard will be incorporated in our open source packetfence project (www.packetfence.org)

[1] http://sourceforge.net/tracker/?func=detail&atid=303357&aid=932197&group_id=3357
[2] http://sourceforge.net/mailarchive/message.php?msg_id=40756546.2050003%40ntop.org
[3] http://sourceforge.net/mailarchive/message.php?msg_id=20021027224032.GA4032%40columbia.edu

--
Olivier Bilodeau
obilodeau () inverse ca :: +1.514.447.4918 x115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org)
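The netflow -> pcap -> snort path asked about above, as an added example that is not part of the original post and not PacketFence or Snort code: it parses NetFlow v5 export datagrams and writes each flow record as a synthetic, payload-free Ethernet/IPv4/TCP-or-UDP packet into a pcap file, so Snort's header-only rules (src/dst ip:port) can be applied to it. The MAC addresses are zeroed, timestamps default to 0 and the IPv4/TCP checksums are computed so the decoder does not discard the packets.

```python
import struct

NF5_HDR = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
NF5_REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def checksum(data: bytes) -> int:
    # RFC 1071 one's-complement checksum over 16-bit words
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_netflow_v5(datagram: bytes) -> list:
    """Return the flow records of one NetFlow v5 datagram as dicts."""
    version, count = NF5_HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    flows = []
    for i in range(count):
        f = NF5_REC.unpack_from(datagram, NF5_HDR.size + i * NF5_REC.size)
        flows.append({"src": f[0], "dst": f[1], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13]})
    return flows

def flow_to_packet(flow: dict) -> bytes:
    """Build a minimal Ethernet/IPv4/L4 packet for one flow (no payload)."""
    if flow["proto"] == 6:     # TCP: 20-byte header, flags copied from the flow
        l4 = struct.pack("!HHIIBBHHH", flow["sport"], flow["dport"], 0, 0,
                         0x50, flow["tcp_flags"], 8192, 0, 0)
    elif flow["proto"] == 17:  # UDP: 8-byte header, checksum 0 = not computed
        l4 = struct.pack("!HHHH", flow["sport"], flow["dport"], 8, 0)
    else:
        l4 = b""               # other protocols: IP header only
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     flow["proto"], 0, flow["src"], flow["dst"])
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    if flow["proto"] == 6:     # TCP checksum covers the IPv4 pseudo-header
        pseudo = flow["src"] + flow["dst"] + struct.pack("!BBH", 0, 6, len(l4))
        l4 = l4[:16] + struct.pack("!H", checksum(pseudo + l4)) + l4[18:]
    return b"\x00" * 12 + b"\x08\x00" + ip + l4   # zeroed MACs, EtherType IPv4

def netflow_to_pcap(datagram: bytes, ts: int = 0) -> bytes:
    """Wrap every flow of a NetFlow v5 datagram in a pcap file (linktype 1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for flow in parse_netflow_v5(datagram):
        pkt = flow_to_packet(flow)
        out += struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt
    return out
```

Feed the collector's UDP datagrams to netflow_to_pcap, write the result to a file and run snort -r on it; only rules that match on addresses, ports, protocol and TCP flags can fire, since the packets carry no payload.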