hugh_fraser at ...2804...
Wed Sep 26 09:00:02 EDT 2001
ntop does indeed have some IDS capabilities, but in keeping with ntop's
strength as a network protocol monitoring tool (rather than packet payload),
the rules address protocol errors (like SYN packets that aren't ACK'ed
within a reasonable time frame). There is some overlap with what Snort does
in this area, but it's not a replacement.
I use ntop to watch for longer term trends, i.e. to look at protocol
distributions through our firewall, since it's a very good visualization
tool. But to do the automated monitoring of traffic, I use a combination of
Snort as an IDS, MRTG to watch traffic trends (i.e. put thresholds on
throughput), and Netsaint to watch MRTG and do the alerting.
From: Florin Andrei [mailto:florin at ...3506...]
Sent: Tuesday, September 25, 2001 8:25 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ntop
On Tue, 2001-09-25 at 15:25, Robert van der Meulen wrote:
> 'ntop' is a network statistics gatherer:
Yes, that was my first impression too, but if you go to www.ntop.org,
click on Docs, and take a look at the second document from
Papers/Articles ( http://jake.unipi.it/~deri/ntop_IEEE.pdf.gz ) you will
see things like "portscan detection, spoofing detection, spy detection,
trojan horse detection, denial of service", etc., etc.
Like I said, I have a feeling that it's got only very superficial IDS
capabilities, but I cannot vouch for that since I don't have first-hand
experience with ntop.
"Our mail system is
MS Exchange-Me-For-A-Real-Mailer-Please" - an unhappy sysadmin
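As an added illustration (not ntop's or Snort's own code) of the protocol-level rule Hugh describes, SYNs that are never ACK'ed within a reasonable time frame, here is a small Python check run over constructed packet summaries; the addresses, ports and the 5-second timeout are assumptions, not values from the thread.

```python
"""Half-open TCP check: flag client SYNs not completed within a timeout."""
from collections import defaultdict

# Constructed sample packet summaries (not a real capture):
# (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", 40001, "10.0.0.9", 80, "S"),    # client SYN
    (0.1, "10.0.0.9", 80, "10.0.0.5", 40001, "SA"),   # server SYN/ACK
    (0.2, "10.0.0.5", 40001, "10.0.0.9", 80, "A"),    # client ACK: handshake done
    (1.0, "10.0.0.7", 51000, "10.0.0.9", 22, "S"),    # SYN never followed by ACK
    (1.1, "10.0.0.7", 51001, "10.0.0.9", 23, "S"),
    (1.2, "10.0.0.7", 51002, "10.0.0.9", 25, "S"),
    (9.0, "10.0.0.8", 33000, "10.0.0.9", 443, "S"),   # recent SYN, still inside window
]


def unacked_syns(packets, timeout, now):
    """Return (src, dst, dport, age) for client SYNs with no handshake-completing
    ACK from the same client within `timeout` seconds, judged at time `now`."""
    pending = {}  # flow key -> timestamp of the first SYN seen for that flow
    for ts, src, sport, dst, dport, flags in sorted(packets):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(key, ts)  # a retransmitted SYN keeps the original time
        elif "A" in flags and key in pending:
            # the client's ACK (third handshake step) completes the flow
            del pending[key]
    return [(src, dst, dport, now - ts)
            for (src, sport, dst, dport), ts in pending.items()
            if now - ts > timeout]


def syn_sources(alerts):
    """Count half-open alerts per source host: many distinct destination ports
    left half-open by one host is the shape a portscan heuristic keys on."""
    counts = defaultdict(int)
    for src, _dst, _dport, _age in alerts:
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    found = unacked_syns(SAMPLE_PACKETS, timeout=5.0, now=10.0)
    for src, dst, dport, age in found:
        print(f"half-open SYN {src} -> {dst}:{dport} unanswered for {age:.1f}s")
    print(syn_sources(found))
```

Unlike a Snort payload signature, this rule never inspects packet contents; it only tracks handshake state, which is the kind of overlap Hugh is pointing at.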