Snort mailing list archives

Re: Can Snort Analyze Sampled Netflow Traffic


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 13 Jan 2016 16:25:45 +0000

I've seen netflow used very heavily for anomaly detection and things like that.  For instance our company (Cisco) just 
purchased Lancope, which does some work in the area as well.

--
Joel Esler
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:21 AM, Hanan Shteingart <chanansh () gmail com> wrote:


Yeah but I guess you can detect some stuff from it.

On Jan 13, 2016 6:17 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
Netflow won't show you threats.  Netflow shows you amounts of traffic from point A to point B and the ports it was on.  
There's no packet data contained in netflow logs.

--
Joel Esler
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:16 AM, Hanan Shteingart <chanansh () gmail com> wrote:


Which open source can digest SAMPLED NETFLOW and detect threats?

On Jan 13, 2016 6:15 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
Snort cannot read netflow traffic natively, no.  Snort understands pcap files.  Not netflow.  There are plenty of other 
tools out there that speak netflow.

--
Joel Esler
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 10:47 AM, Hanan Shteingart <chanansh () gmail com> wrote:


Thanks,
What is the file format it expects to get? I have CSV text files with information like IP, port, TCP flags, etc. How 
do I tell Snort these are sampled packet flow headers and not 1:1 sampling? These files were not sampled by Snort.

Hanan

On Jan 13, 2016 1:53 PM, "Emiliano Fausto" <emiliano.fausto () gmail com> wrote:
Hello Hanan,

1. You can process network dumps using the -r option in the command line, or save every capture into a directory and 
use option --pcap-dir. Here you have the whole chapter that talks about that matter: http://manual.snort.org/node8.html
2. I don't understand your question. Do you want to get statistics from snort? I think you may check statistics 
generated after reading your input. Here you have the basic outputs: http://manual.snort.org/node9.html. Anyway, I've 
seen a work done by the Splunk team which is interesting, and they used the SNORT Categories: 
http://blogs.splunk.com/2016/01/11/splunk-at-the-wall-for-def-con-23-part-ii/
3. I'd recommend the official SNORT manual: http://manual.snort.org/ or in PDF format: 
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/099/original/snort_manual.pdf

Hope it helps!

Regards,
Emiliano.

On Wed, Jan 13, 2016 at 5:44 AM, Hanan Shteingart <chanansh () gmail com> wrote:
Hi,

  1.  I have tons of sampled netflow traffic (1:4096 rate, sampled packet flows). Can it be digested with Snort?
  2.  What will be the guidelines to process these with Snort for Big Data?
  3.  Where can I get a list of Snort capabilities?

Thanks,
Hanan
HS

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

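The thread's point is that Snort consumes packet data (pcap), while sampled NetFlow carries only who-talked-to-whom counters and ports, which still support anomaly detection. The following added example (not code from the thread, from Snort, or from Cisco) shows what can be done with such records directly: it parses a CSV flow export of the kind Hanan describes, scales the counters by the 1:4096 sampling rate from the original question, and flags sources that send SYN-only packets to many distinct destination ports. The column layout, the threshold, and the sample records are constructed assumptions for illustration.

```python
"""Toy analysis of sampled NetFlow-style CSV records (added example, not part of the thread).

Assumes a constructed CSV layout src_ip,dst_ip,dst_port,tcp_flags,packets,bytes and
1:4096 packet sampling. Column names and the fan-out threshold are illustrative choices.
"""
import csv
import io
from collections import defaultdict

SAMPLING_RATE = 4096  # 1:4096 packet sampling, as stated in the original question

# Constructed sample records; not real traffic.
SAMPLE_CSV = """src_ip,dst_ip,dst_port,tcp_flags,packets,bytes
10.0.0.5,192.0.2.10,443,0x18,3,4200
10.0.0.5,192.0.2.10,443,0x10,2,120
10.0.0.9,192.0.2.20,22,0x02,1,60
10.0.0.9,192.0.2.20,23,0x02,1,60
10.0.0.9,192.0.2.20,80,0x02,1,60
10.0.0.9,192.0.2.20,445,0x02,1,60
10.0.0.9,192.0.2.21,3389,0x02,1,60
10.0.0.7,198.51.100.4,53,0x00,10,1500
"""

TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_flows(text):
    """Parse CSV flow text into dicts with numeric fields.

    tcp_flags is accepted as hex (0x18) or decimal (24); UDP rows carry 0.
    """
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "dst_port": int(row["dst_port"]),
            "tcp_flags": int(row["tcp_flags"], 0),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def estimate_volume(flows, rate=SAMPLING_RATE):
    """Scale sampled packet/byte counters up to estimated totals per (src, dst) pair.

    This is the "amounts of traffic from point A to point B" view Joel describes;
    with 1:N sampling each sampled packet stands for roughly N on the wire.
    """
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        key = (f["src_ip"], f["dst_ip"])
        totals[key]["packets"] += f["packets"] * rate
        totals[key]["bytes"] += f["bytes"] * rate
    return dict(totals)


def syn_only_fanout(flows, min_ports=4):
    """Return sources whose SYN-only sampled packets reach at least min_ports distinct ports.

    Because sampling discards most packets, even a few sampled SYN-only packets to
    distinct ports from one source indicate a large amount of unseen probing, so a
    low threshold is reasonable. The threshold itself is an illustrative choice.
    """
    ports_by_src = defaultdict(set)
    for f in flows:
        flags = f["tcp_flags"]
        if flags & TCP_SYN and not flags & TCP_ACK:
            ports_by_src[f["src_ip"]].add(f["dst_port"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    for (src, dst), v in sorted(estimate_volume(flows).items()):
        print(f"{src} -> {dst}: ~{v['packets']} packets, ~{v['bytes']} bytes (estimated)")
    for src, ports in syn_only_fanout(flows).items():
        print(f"SYN-only fan-out from {src} to ports {ports}")
```

The volume estimate is a point estimate only: at 1:4096 a single sampled packet could represent anywhere from a few to many thousand actual packets, so thresholds on scaled counts should be set against a baseline measured with the same sampling rate rather than against absolute packet counts.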