[Snort-users] NetFlow output plugin?

Mayers, Philip J p.mayers at ...1913...
Fri May 11 08:30:44 EDT 2001


We're successfully sniffing our 100Mb connection (and getting good data too)
with Snort 1.7 - congratulations to all for a great product. In case
anyone's interested, we're sniffing 7k packets/sec (30Mbits) on a 256Mb
PIII800 (Compaq DL380) at about 15-20% CPU usage. We're going to try a
64-bit PCI gigabit card at some point, hopefully before we move to a Gigabit
connection (eek!).

Anyway, my managers like pretty graphs so I've been investigating the
possibility of writing a preprocessor that will do things like top-N hosts
and bucket-sorting based on packet size/subnet/port number/etc. The thought
occurred to me that the best way to do this would be to have Snort generate
Cisco NetFlow stats and use some of the many tools available to pull that
data out. Has anyone thought about that, or should I give it a look?


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
