Snort mailing list archives
Re: netflow support in snort
From: Matt Olney <molney () sourcefire com>
Date: Mon, 14 Feb 2011 09:11:25 -0500
Lee,

As the others have said, Snort does not support NetFlow data. NetFlow, while incredibly useful, serves a distinctly different purpose than Snort. NetFlow data, from an intrusion perspective, hinges on both an understanding of "normal" and some pretty serious statistical analysis on the back end. The main advantages of NetFlow are that it is data agnostic, so that encryption does not impact the system, and the very small footprint of NetFlow data. Snort, on the other hand, focuses directly on the data, looking for indicators of attack within the payload. They are both valuable approaches, but they are distinct enough that there is no value in integrating the operations together.

There are several open source NetFlow tools. I'd recommend you check out http://cosi-nms.sourceforge.net/related.html to start your investigations.

Matt

p.s. Somebody wrote a money paper for their GIAC on this: http://www.giac.com/certified_professionals/practicals/gsec/4025.php

2011/2/14 李曦 <lixi0513 () live cn>:

Hi Snort,

Hope you are well. I'd need some help if possible. I want to use NetFlow data with Snort. Does Snort monitor NetFlow data by default? If not, what should I do?

Thanks very much,
Lee
2011/2/14
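The distinction Matt draws above, shown as an added example (this is not Snort code, nor anything Matt posted): a toy NetFlow v5 parser plus a per-host byte baseline. The record layout follows the NetFlow v5 export format; the flow data, hosts and the 3-sigma threshold are constructed for illustration. Note that the detector never sees a payload, only counters, which is exactly why encryption does not affect it and why it needs a learned "normal" to say anything at all.

```python
"""Toy NetFlow v5 baseline detector (added illustration, not Snort code)."""
import statistics
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte v5 header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record

def build_export(flows):
    """Constructed test data: pack (src, dst, dport, proto, octets) tuples into one v5 datagram."""
    hdr = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(IPv4Address(s)), int(IPv4Address(d)), 0, 1, 2, 1, octets, 0, 0,
                       40000, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, dport, proto, octets in flows)
    return hdr + body

def parse_export(data):
    """Yield (src, dst, dport, proto, octets). No payload exists in a flow record, only counters."""
    version, count = V5_HEADER.unpack_from(data)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        yield str(IPv4Address(r[0])), str(IPv4Address(r[1])), r[10], r[13], r[6]

def bytes_per_src(data):
    """Total octets sent per source host in one export."""
    totals = defaultdict(int)
    for src, _dst, _dport, _proto, octets in parse_export(data):
        totals[src] += octets
    return totals

def flag_outliers(baseline_exports, current_export, k=3.0):
    """Learn mean/stdev of per-host totals from 'normal' exports; flag hosts beyond k stdevs."""
    history = defaultdict(list)
    for exp in baseline_exports:
        for src, total in bytes_per_src(exp).items():
            history[src].append(total)
    flagged = {}
    for src, total in bytes_per_src(current_export).items():
        hist = history.get(src)
        if hist is None or len(hist) < 2:
            flagged[src] = "no baseline"      # never-seen host: cannot judge, so surface it
            continue
        mu, sd = statistics.mean(hist), statistics.pstdev(hist)
        if total > mu + k * max(sd, 1.0):    # floor on sd stops tiny jitter on flat baselines firing
            flagged[src] = f"{total} B vs baseline {mu:.0f}+/-{sd:.0f}"
    return flagged
```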
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org