Re: Can Snort Analyze Sampled Netflow Traffic

[Hanan Shteingart <chanansh () gmail com>]

Thanks,
What is the file format it expects to get? I have text files csv with
information like ip,  Port,  tcp flags etc. How do I tell snort these is
sampled packet flow header and not 1:1 sampling? These files were Not
sampled by snort.

Hanan
On Jan 13, 2016 1:53 PM, "Emiliano Fausto" <emiliano.fausto () gmail com>
wrote:

> Hello Hanan,
>
> 1. You can process network dumps using the -r option in the command line,
> or save every capture into a directory and use option --pcap-dir. Here you
> have the whole chapter that talks about that matter:
> http://manual.snort.org/node8.html
> 2. I don't understand your question. Do you want to get statistics from
> snort? I think you may check statistics generated after reading your input.
> Here you have the basic outputs: http://manual.snort.org/node9.html.
> Anyway, I've seen a work done by the Splunk team which is interesting, and
> they used the SNORT Categories:
> http://blogs.splunk.com/2016/01/11/splunk-at-the-wall-for-def-con-23-part-ii/
> 3. I'd recommend the official SNORT manual: http://manual.snort.org/ or
> in PDF format:
> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/099/original/snort_manual.pdf
>
> Hope it helps!
>
> Regards,
> Emiliano.
>
> On Wed, Jan 13, 2016 at 5:44 AM, Hanan Shteingart <chanansh () gmail com>
> wrote:
>
> > Hi,
> >
> >    1. I have tons of sampled netflow traffic (1:4096 rate, sampled
> >    packet flows).Can it be digested with Snort?
> >    2. What will be the guidelines to process these with Snort for Big
> >    Data?
> >    3. Where can I get a list of Snort capabilities?
> >
> > Thanks,
> > Hanan
> > *HS*
> >
> >
> > ------------------------------------------------------------------------------
> > Site24x7 APM Insight: Get Deep Visibility into Application Performance
> > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> > Monitor end-to-end web transactions and take corrective actions now
> > Troubleshoot faster and improve end-user experience. Signup Now!
> > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!