[Snort-devel] netflow / input plugins?

Matt Selsky selsky at ...1657...
Sun Oct 27 14:41:02 EST 2002


I'd like to be able to run the NetFlow[1] data that I collect from my
routers through snort.  NetFlow records aggregate traffic so packet
payloads are not saved, but you can still examine where traffic went
from/to, how much, and what type.  It seems like snort could still
produce useful reports with this reduced dataset (detect DOS attacks,
attacks to specific ports, port scans).

flow-tools[2] includes flow-export[3] which will export NetFlow records
from flow-tools format to pcap format.  Since snort is able to read
tcpdump files, it seems like the problem is solved.  However, the 
utility doesn't write out complete pcap data.

$ snort -r ft-v05.2002-10-27.162452-0500.pcap
[!] WARNING: IP dgm len (0 bytes) < IP hdr len (20 bytes), packet discarded
[!] WARNING: IP dgm len (0 bytes) < IP hdr len (20 bytes), packet discarded
[!] WARNING: IP dgm len (0 bytes) < IP hdr len (20 bytes), packet discarded

Does it make sense to try to "fix" flow-export to write out more data in
the pcap files, or is there some way to directly read the NetFlow data
in snort?  Perhaps some sort of generic input plugin interface?  I
noticed there is already a generic output plugin interface.

Thank you for your feedback.


[1] http://www.cisco.com/warp/public/732/Tech/nmp/netflow/
[2] http://www.splintered.net/sw/flow-tools/
[3] http://www.splintered.net/sw/flow-tools/docs/flow-export.html
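The warning quoted above is Snort's sanity check that an IPv4 packet's total-length field is at least as long as its header; a pcap whose IP headers carry a total length of 0 trips it on every record. The script below is an added example, written for this thread and not code from the original post, from flow-tools or from Snort. It walks a pcap file, reports each record that fails the same length check, and rewrites the defective headers so the file loads cleanly. It assumes the pcap uses link type 1 (Ethernet) with the standard little-endian magic, that the frames carry IPv4, and that the only defect is the zeroed total-length field; the sample pcap it checks is constructed inline, and the function and constant names are the example's own.

```python
"""
Check and repair IPv4 total-length fields in a pcap file.

Added example (not part of the mailing-list post, flow-tools or Snort).
Assumptions: link type 1 (Ethernet), IPv4 payloads, and a defective
total-length field of 0 as the only problem. Sample input is constructed.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
ETH_HDR_LEN = 14
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.
    Call it with the checksum field zeroed to compute, or with the field
    present to verify (a correct header sums to 0)."""
    data = bytes(header)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def iter_records(pcap: bytes):
    """Yield (record_offset, incl_len, packet_bytes) for every pcap record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap (0xa1b2c3d4) is handled")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("assumption: link type 1 (Ethernet)")
    off = 24
    while off + 16 <= len(pcap):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        yield off, incl_len, pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def _ipv4_lengths(pkt):
    """Return (header_len, total_len) for an Ethernet/IPv4 frame, or None."""
    if len(pkt) < ETH_HDR_LEN + 20 or pkt[12:14] != b"\x08\x00":
        return None
    ip = pkt[ETH_HDR_LEN:]
    return (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]


def check_pcap(pcap: bytes) -> list:
    """One message per record whose IP total length is shorter than its header,
    the same condition behind Snort's 'IP dgm len < IP hdr len' warning."""
    problems = []
    for idx, (_off, _incl, pkt) in enumerate(iter_records(pcap)):
        lengths = _ipv4_lengths(pkt)
        if lengths and lengths[1] < lengths[0]:
            problems.append("record %d: IP dgm len (%d bytes) < IP hdr len (%d bytes)"
                            % (idx, lengths[1], lengths[0]))
    return problems


def repair_pcap(pcap: bytes) -> bytes:
    """Set each defective header's total length to the number of captured IP
    bytes and recompute its checksum; record sizes and offsets are unchanged."""
    out = bytearray(pcap)
    for off, incl_len, pkt in iter_records(pcap):
        lengths = _ipv4_lengths(pkt)
        if not lengths or lengths[1] >= lengths[0]:
            continue
        hdr_len = lengths[0]
        ip_off = off + 16 + ETH_HDR_LEN
        struct.pack_into("!H", out, ip_off + 2, incl_len - ETH_HDR_LEN)
        out[ip_off + 10:ip_off + 12] = b"\x00\x00"
        struct.pack_into("!H", out, ip_off + 10, ipv4_checksum(out[ip_off:ip_off + hdr_len]))
    return bytes(out)


# --- constructed sample: three flow records exported with IP total length 0 ---
def _flow_record(src: bytes, dst: bytes, sport: int, dport: int) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                      # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 6, 0, src, dst)  # total len 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pkt = eth + ip + tcp
    return struct.pack("<IIII", 1035750292, 0, len(pkt), len(pkt)) + pkt


SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + _flow_record(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02", 40000, 80)
               + _flow_record(b"\x0a\x00\x00\x02", b"\xc0\xa8\x01\x03", 40001, 22)
               + _flow_record(b"\x0a\x00\x00\x03", b"\xc0\xa8\x01\x04", 40002, 443))

if __name__ == "__main__":
    for line in check_pcap(SAMPLE_PCAP):
        print("[!] WARNING:", line)
    print("after repair:", check_pcap(repair_pcap(SAMPLE_PCAP)) or "clean")
```

Repairing the length field only makes the records parseable; the payload is still absent, so signatures that match on content will never fire on flow-derived pcaps, and only the header-based detections mentioned above (port scans, floods, hits on specific ports) can be expected to work.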



