[Snort-devel] NetFlow support in Snort
deri at ...2472...
Fri Apr 9 08:53:06 EDT 2004
please find enclosed my contribution that allows snort to be activated
over NetFlow. Basically snort can now act as a NetFlow v5 collector (add
-5 <port> to tell snort to wait incoming flows on the <port> [note that
-i has no effect if -5 is specified]) and run the signatures over the
incoming flows. The main difference between runnins snort over NetFlow
with respect to pcap is that with NetFlow you have no payload access so
basically all the payload signatures are not activated. So you can
detect a portscan but you cannot detect a SSH exploit.
Luca Deri <deri at ...2472...> http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being
clever about it - Richard Stallman
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
More information about the Snort-devel