[Snort-devel] Snort and sflow
Alex Butcher, ISC/ISYS
Alex.Butcher at ...2437...
Fri Dec 2 03:40:14 EST 2005
Has anyone looked into using Snort with sflow
<http://www.sflow.org>/RFC3176, as implemented on Foundry switches?
My take is that it wouldn't work for many of Snort's signatures, due to
Snort tracking both transport- and application protocol-state and sflow
only proving 1-in-n packet sampling. If it did 1-in-n /session/ sampling,
it would be useful.
Further, although many of Snort's rules are currently stateless, I think
that in time, it will be necessary to make more of them aware of
application layer protocol state in order to reduce the rate of false
I can see, though, that sFlow is useful for traffic analysis NIDS, such as
that provided by SPADE or commercial alternatives such as Lancope's
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
More information about the Snort-devel