[Snort-sigs] netflow support in snort

Matt Olney molney at ...435...
Mon Feb 14 09:11:25 EST 2011


Lee,

As the others have said, Snort does not support NetFlow data. NetFlow,
while incredibly useful, serves a distinctly different purpose than Snort.
NetFlow data, from an intrusion perspective, hinges on both an
understanding of "normal" and some pretty serious statistical analysis on
the back end. The main advantages of NetFlow are that it is data agnostic,
so encryption does not impact the system, and the very small footprint
of NetFlow data.

Snort, on the other hand, focuses directly on the data, looking for
indicators of attack within the payload.  They are both valuable approaches,
but they are distinct enough that there is no value in integrating the
operations together.  There are several open source netflow tools.  I'd
recommend you check out http://cosi-nms.sourceforge.net/related.html to
start your investigations.

Matt

p.s. Somebody wrote a money paper for their GIAC on this:
http://www.giac.com/certified_professionals/practicals/gsec/4025.php

2011/2/14 李曦 <lixi0513 at ...3568...>

> Hi snort,
> Hope you are well.
>
> I'd need some help if possible. I want to use NetFlow data with snort.
> Does snort monitor with NetFlow data in the default setting? If not, what
> should I do?
>
> Thanks very much
>
> Lee
> 2011/2/14
>
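To illustrate the "understanding of normal plus statistics on the back end" approach Matt describes, here is an added example that is not from this thread or from Snort: it scores constructed flow records (window, source, destination, port, bytes) against a per-host baseline using a z-score. The IP addresses, windows and byte counts are made up; the point is that no payload is ever inspected, so encrypted traffic is scored exactly like cleartext.

```python
"""Baseline-deviation scoring over NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window, src, dst, dport, bytes).
# Only header-derived fields exist, as in a real flow export; there is no payload.
BASELINE_WINDOWS = range(5)
FLOWS = []
for w in BASELINE_WINDOWS:
    FLOWS.append((w, "10.0.0.5", "93.184.216.34", 443, 1000 + 50 * (w % 3)))  # steady TLS client
    FLOWS.append((w, "10.0.0.7", "10.0.0.2", 53, 300 + 10 * (w % 2)))          # steady DNS client
FLOWS.append((5, "10.0.0.5", "198.51.100.9", 443, 50000))  # sudden large TLS upload
FLOWS.append((5, "10.0.0.7", "10.0.0.2", 53, 310))         # unchanged behaviour


def bytes_by_host_window(flows):
    """Sum bytes sent per source host per time window."""
    totals = defaultdict(lambda: defaultdict(int))
    for window, src, _dst, _dport, nbytes in flows:
        totals[src][window] += nbytes
    return totals


def zscore(value, history):
    """Standard deviations between value and the mean of history.
    A perfectly constant baseline (sigma == 0) makes any change infinitely anomalous."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(flows, baseline_windows, eval_window, threshold=3.0):
    """Return {host: zscore} for hosts whose eval_window byte count deviates
    from their own baseline by at least `threshold` standard deviations.
    A host absent from a window counts as 0 bytes, so going silent also deviates."""
    totals = bytes_by_host_window(flows)
    alerts = {}
    for host, per_window in totals.items():
        history = [per_window.get(w, 0) for w in baseline_windows]
        observed = per_window.get(eval_window, 0)
        z = zscore(observed, history)
        if abs(z) >= threshold:
            alerts[host] = round(z, 1)
    return alerts


if __name__ == "__main__":
    for host, z in detect(FLOWS, BASELINE_WINDOWS, 5).items():
        print(f"{host}: byte volume {z} sigma from baseline")
```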