[Snort-devel] NetFlow support in Snort

Luca Deri deri at ...2472...
Fri Apr 9 08:53:06 EDT 2004


Hi all,
please find enclosed my contribution that allows snort to be activated 
over NetFlow. Basically snort can now act as a NetFlow v5 collector (add 
-5 <port> to tell snort to wait for incoming flows on the <port> [note that 
-i has no effect if -5 is specified]) and run the signatures over the 
incoming flows. The main difference between running snort over NetFlow 
with respect to pcap is that with NetFlow you have no payload access so 
basically all the payload signatures are not activated. So you can 
detect a portscan but you cannot detect an SSH exploit.

Enjoy, Luca

-- 
Luca Deri <deri at ...2472...>	http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being
clever about it - Richard Stallman

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20040409/2e678f3e/attachment.ksh>

