[Snort-users] netflow input

Olivier Bilodeau obilodeau at ...13341...
Tue Nov 24 18:54:58 EST 2009


We want to generate alarms on a network based on src ip:port and dst 
ip:port criteria. We would like to use snort but the problem is that we 
cannot have a snort probe in all the required places (and forget about 
span) _but_ we can have netflow sources.

Instead of parsing the netflow ourselves and create our own alarm syntax 
we would like to leverage the infrastructure provided by snort.

Is there a way to give netflow traffic to snort?

I did research and here are my findings:

Patch siting in queue[1]
I saw that there was a patch at some point in the past and a post to 
-devel[2] but has there been any work towards this lately?

Transform netflow to pcap
I saw some attempts[3] to use tools that support netflow input and that 
transforms it to pcap. Then to use snort to process this pcap. I am 
aware that a lot of payload information won't be available and I'm ok 
with that.

Has anyone done netflow -> pcap -> snort lately?

Any help or pointers will be appreciated.

p.s.: work in that regard will be incorporated in our open source 
packetfence project (www.packetfence.org)
Olivier Bilodeau
obilodeau at ...13341...  ::  +1.514.447.4918 x115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and 
PacketFence (www.packetfence.org)

More information about the Snort-users mailing list