[Snort-users] netflow input
obilodeau at ...13341...
Tue Nov 24 18:54:58 EST 2009
We want to generate alarms on a network based on src ip:port and dst
ip:port criteria. We would like to use snort but the problem is that we
cannot have a snort probe in all the required places (and forget about
span) _but_ we can have netflow sources.
Instead of parsing the netflow ourselves and creating our own alarm syntax,
we would like to leverage the infrastructure provided by snort.
Is there a way to give netflow traffic to snort?
I did research and here are my findings:
Patch sitting in queue
I saw that there was a patch at some point in the past and a post to
-devel but has there been any work towards this lately?
Transform netflow to pcap
I saw some attempts to use tools that support netflow input and
transform it to pcap, then to use snort to process this pcap. I am
aware that a lot of payload information won't be available and I'm ok.
Has anyone done netflow -> pcap -> snort lately?
Any help or pointers will be appreciated.
p.s.: work in that regard will be incorporated in our open source
packetfence project (www.packetfence.org)
obilodeau at ...13341... :: +1.514.447.4918 x115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and
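As an added example of the second option above (not code from the post, from Snort or from the packetfence project): a small Python script that turns flow 5-tuples into a headers-only pcap that Snort can read with `snort -r`. The flow records below are constructed samples; in practice they would come from a NetFlow collector.

```python
import struct

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, ip_proto)
SAMPLE_FLOWS = [
    ("10.0.0.5", 51234, "192.0.2.10", 22, 6),    # TCP flow
    ("10.0.0.7", 44000, "198.51.100.4", 53, 17),  # UDP flow
]

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def checksum(data):
    """RFC 1071 one's-complement checksum (used for the IPv4 header)."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def flow_to_packet(src_ip, sport, dst_ip, dport, proto):
    """Build a headers-only Ethernet/IPv4/L4 frame carrying the flow's 5-tuple.
    No payload is synthesised, so only header-based rules can match on it."""
    if proto == 6:    # TCP: 20-byte header, SYN flag set, zero checksum
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:  # UDP: 8-byte header, length 8, zero checksum
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) flows are synthesised")
    total_len = 20 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # fill in header checksum
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    return eth + ip + l4

def flows_to_pcap(flows):
    """Return the bytes of a libpcap file (LINKTYPE_ETHERNET) with one frame per flow."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, flow in enumerate(flows):
        pkt = flow_to_packet(*flow)
        # one frame per flow, one second apart (constructed timestamps)
        out += struct.pack("<IIII", 1259000000 + i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    with open("flows.pcap", "wb") as fh:
        fh.write(flows_to_pcap(SAMPLE_FLOWS))
```

Running `snort -r flows.pcap -c snort.conf` over the result will fire rules that match on ip:port only; any rule with a content match cannot fire because the frames carry no payload.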