[Snort-sigs] netflow support in snort

Russ Combs rcombs at ...435...
Mon Feb 14 08:31:40 EST 2011

2011/2/14 Joel Esler <jesler at ...435...>:
> On Feb 14, 2011, at 1:08 AM, 李曦 wrote:
>> Hi snort,
>> Hope you are well.
>> I'd need help if possible. I want to use NetFlow data with Snort.
>> Does Snort monitor with NetFlow data by default setting? If not, what
>> should I do?

I'm not that familiar with netflow data, but from a quick look and
your question I'm guessing that it has packets buried in there.  If
that is the case and you want Snort to read the packets and process
them as if it were a pcap, then you can either:

1.  Export a pcap from netflow data (there may be a tool for that).
2.  Write a netflow DAQ.

>> Thanks very much
> Snort does not handle netflow data natively.  At Sourcefire we have other
> tools to perform this function.
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
