[Snort-devel] Snort and sflow

Alex Butcher, ISC/ISYS Alex.Butcher at ...2437...
Fri Dec 2 03:40:14 EST 2005


Hi -

Has anyone looked into using Snort with sflow 
<http://www.sflow.org>/RFC3176, as implemented on Foundry switches?

My take is that it wouldn't work for many of Snort's signatures, due to 
Snort tracking both transport- and application protocol-state and sflow 
only providing 1-in-n packet sampling. If it did 1-in-n /session/ sampling, 
it would be useful.

Further, although many of Snort's rules are currently stateless, I think 
that in time, it will be necessary to make more of them aware of 
application layer protocol state in order to reduce the rate of false 
positives.

I can see, though, that sFlow is useful for traffic analysis NIDS, such as 
that provided by SPADE or commercial alternatives such as Lancope's 
Stealthwatch product.

Discuss. :-)

Best Regards,
Alex.
-- 
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
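An added example, not part of the mailing-list post or of Snort's own code, that simulates the point made above: three constructed TCP sessions (one carrying a hypothetical directory-traversal string split across segments) are run through a toy stream reassembler under full capture, 1-in-n packet sampling and 1-in-n session sampling. The flow keys, payloads, the signature and the deterministic sampling stride are all assumptions made here for reproducibility; real sFlow samples packets at random with a mean rate of 1/n, and the `offset` argument stands in for that randomness.

```python
"""Why 1-in-n packet sampling breaks stream-aware signatures but
1-in-n session sampling does not. All traffic here is constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str]                 # (src, dst), constructed
Packet = Tuple[FlowKey, int, bytes]       # (flow, tcp seq offset, payload)

# Hypothetical signature an attacker can split across TCP segments, so a
# per-packet (stateless) rule never sees it whole.
SIGNATURE = b"/cgi-bin/../../etc/passwd"


def build_sessions() -> List[Packet]:
    """Constructed capture: three sessions, segments interleaved round-robin."""
    sessions: Dict[FlowKey, List[bytes]] = {
        ("10.0.0.1", "10.0.0.9"): [b"GET /index.html HTTP/1.1\r\n", b"Host: www\r\n", b"\r\n"],
        ("10.0.0.2", "10.0.0.9"): [b"GET /cgi-bin/", b"../../etc/", b"passwd HTTP/1.1\r\n", b"\r\n"],
        ("10.0.0.3", "10.0.0.9"): [b"GET /about HTTP/1.1\r\n", b"Host: www\r\n", b"\r\n"],
    }
    packets: List[Packet] = []
    seqs = {key: 0 for key in sessions}
    for i in range(max(len(s) for s in sessions.values())):
        for key, segments in sessions.items():
            if i < len(segments):
                packets.append((key, seqs[key], segments[i]))
                seqs[key] += len(segments[i])
    return packets


def sample_packets(packets: List[Packet], n: int, offset: int = 0) -> List[Packet]:
    """sFlow-style 1-in-n packet sampling (fixed stride instead of random)."""
    return [p for i, p in enumerate(packets) if i % n == offset]


def sample_sessions(packets: List[Packet], n: int, offset: int = 0) -> List[Packet]:
    """Hypothetical 1-in-n session sampling: every packet of every n-th flow."""
    flows = sorted({p[0] for p in packets})
    keep = set(flows[offset::n])
    return [p for p in packets if p[0] in keep]


def reassemble(packets: List[Packet]) -> Dict[FlowKey, Tuple[bytes, bool]]:
    """Per-flow reassembly: only bytes contiguous from seq 0 are trusted.
    Returns {flow: (contiguous_bytes, gap_seen)}; a missing segment ends
    the usable stream, as a real stream preprocessor must assume."""
    by_flow: Dict[FlowKey, List[Tuple[int, bytes]]] = defaultdict(list)
    for flow, seq, payload in packets:
        by_flow[flow].append((seq, payload))
    streams = {}
    for flow, segs in by_flow.items():
        data, expected, gap = b"", 0, False
        for seq, payload in sorted(segs):
            if seq != expected:
                gap = True
                break
            data += payload
            expected += len(payload)
        streams[flow] = (data, gap)
    return streams


def stateful_detect(packets: List[Packet]) -> List[FlowKey]:
    """Signature match on reassembled streams (a state-aware rule)."""
    return sorted(f for f, (data, _) in reassemble(packets).items() if SIGNATURE in data)


def stateless_detect(packets: List[Packet]) -> List[FlowKey]:
    """Signature match per packet, no reassembly (a stateless rule)."""
    return sorted({f for f, _, payload in packets if SIGNATURE in payload})


def flows_with_gaps(packets: List[Packet]) -> List[FlowKey]:
    return sorted(f for f, (_, gap) in reassemble(packets).items() if gap)


def estimate_bytes(sampled: List[Packet], n: int) -> int:
    """Traffic-analysis use of sFlow: scale sampled payload bytes by n."""
    return n * sum(len(payload) for _, _, payload in sampled)


if __name__ == "__main__":
    pkts = build_sessions()
    print("full capture, stateless  :", stateless_detect(pkts))
    print("full capture, stateful   :", stateful_detect(pkts))
    ps = sample_packets(pkts, 2)
    print("1-in-2 packets, stateful :", stateful_detect(ps), "gaps:", flows_with_gaps(ps))
    ss = sample_sessions(pkts, 2, offset=1)
    print("1-in-2 sessions, stateful:", stateful_detect(ss), "gaps:", flows_with_gaps(ss))
    print("payload bytes actual/est :", estimate_bytes(pkts, 1), estimate_bytes(ps, 2))
```

Under full capture only the reassembling rule fires, which is the argument for making rules protocol-state aware. Under packet sampling every flow reassembles with a gap and the rule is silent whichever packets the stride happens to pick; under session sampling the sampled flows are intact, so detection is simply limited to the flows that were sampled. The byte estimate, by contrast, survives packet sampling well enough for traffic-analysis purposes.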