[Snort-devel] [ snort-Patches-932197 ] NetFlow support for snort

SourceForge.net noreply at ...12...
Fri Apr 9 08:53:08 EDT 2004


Patches item #932197, was opened at 2004-04-09 08:23
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=303357&aid=932197&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Luca Deri (lderi)
Assigned to: Nobody/Anonymous (nobody)
Summary: NetFlow support for snort

Initial Comment:
Hi all,
please find enclosed my contribution that allows snort
to be activated over NetFlow. Basically snort can now
act as a NetFlow v5 collector (add -5 <port> to tell
snort to wait for incoming flows on the <port> [note that
-i has no effect if -5 is specified]) and run the
signatures over the incoming flows. The main difference
between running snort over NetFlow with respect to pcap
is that with NetFlow you have no payload access so
basically all the payload signatures are not activated.
So you can detect a portscan but you cannot detect an
SSH exploit.

Enjoy, Luca 
---
Luca Deri <deri at ...2472...>

----------------------------------------------------------------------
