[Snort-devel] netflow / input plugins?

Chris Green cmg at ...835...
Wed Oct 30 06:00:01 EST 2002


Matt Selsky <selsky at ...1657...> writes:

> I'd like to be able to run the NetFlow[1] data that I collect from my
> routers through snort.  NetFlow records aggregate traffic so packet
> payloads are not saved, but you can still examine where traffic went
> from/to, how much, and what type.  It seems like snort could still
> produce useful reports with this reduced dataset (detect DOS attacks,
> attacks to specific ports, port scans).

Snort isn't really the best place for handling this type of info at
the moment.

Snort would be better to generate that type of data rather than
actually processing it back through.

NTop is designed to handle this type of data flow and statistics from
netflow devices.

> Does it make sense to try to "fix" flow-export to write out more data in
> the pcap files, or is there some way to directly read the NetFlow data
> in snort?  Perhaps some sort of generic input plugin interface?  I
> noticed there is already a generic output plugin interface.



-- 
Chris Green <cmg at ...402...>
Warning: time of day goes back, taking countermeasures.
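
Added example, not part of the original messages and not Snort code: the port-scan report described in the quoted question, computed directly from flow records without packet payloads. It assumes NetFlow v5 export datagrams (the thread does not name a version); the function names, the 20-port threshold and the sample flows are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record


def parse_v5(datagram):
    """Yield (src, dst, dport, proto, packets, octets) per flow record."""
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[5]=dPkts f[6]=dOctets f[10]=dstport f[13]=prot
        yield (socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
               f[10], f[13], f[5], f[6])


def find_port_scans(flows, min_ports=20):
    """Return {(src, dst): n} where src touched n >= min_ports ports on dst."""
    ports = defaultdict(set)
    for src, dst, dport, proto, _pkts, _octets in flows:
        if proto in (6, 17):  # TCP and UDP are the protocols that carry ports
            ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def build_v5(flows):
    """Pack constructed (src, dst, sport, dport, proto, pkts, octets) tuples."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 0, 0,
                    pk, oc, 0, 0, sp, dp, 0, 0x02, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, oc in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body


def sample_datagram():
    """Constructed sample: one host probing 25 ports, one host doing normal traffic."""
    scan = [("192.0.2.10", "198.51.100.5", 40000 + p, p, 6, 1, 40)
            for p in range(1, 26)]
    normal = [("192.0.2.20", "198.51.100.5", 51000, 443, 6, 120, 90000),
              ("192.0.2.20", "198.51.100.5", 51001, 53, 17, 2, 150)]
    return build_v5(scan + normal)


if __name__ == "__main__":
    for (src, dst), n in find_port_scans(parse_v5(sample_datagram())).items():
        print(f"{src} -> {dst}: {n} distinct destination ports")
```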