[Snort-users] netflow input

Olivier Bilodeau obilodeau at ...13341...
Wed Nov 25 10:39:14 EST 2009


Hi Rob,

I CC'ed the list.

 >> On Tue, Nov 24, 2009 at 6:54 PM, Olivier Bilodeau wrote:
 >>
 >>     Is there a way to give netflow traffic to snort?

Rob Dixon wrote:
> 
> have you checked out nTop possibilities?

Yes, I checked it; there is no alarm mechanism / rule engine. It's more a 
monitoring tool than an IDS.

> 
> also, (maybe outdated) nProbe for netflow distributed collection.

nProbe collects netflow but doesn't come with an alarm mechanism / rule 
engine so we would need to write our own and it defeats the purpose of 
trying to leverage snort's infrastructure.

nProbe -> pcap -> snort maybe?

> 
> another option, I can't remember the name, but there is a Perl module 
> that will parse netflow.

Yes, I'm aware of the module[1] but it is what I'm trying to avoid. If 
we parse ourselves, we will need to write our own rules engine. It can 
be simple for simple needs (ip/port blacklists or whitelists) but to 
detect port scans like snort currently does, it's another story.

Also, we (packetfence) already integrate with snort (we isolate hosts 
based on snort alarms) so to have netflow go right into snort would be a 
really simple solution.

Thanks for your thoughts!
[1] http://search.cpan.org/~akoba/Net-Flow-0.04/lib/Net/Flow.pm
-- 
Olivier Bilodeau
obilodeau at ...13341...  ::  +1.514.447.4918 x115  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and 
PacketFence (www.packetfence.org)
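To illustrate the gap the message above describes (a home-grown NetFlow parser plus a "simple" blacklist rule versus a port-scan rule), here is an added example that is not part of the original post, of PacketFence, or of nProbe. It parses a NetFlow v5 datagram with the standard library and applies both rule types; the blacklist address, the scan threshold and the sample flows are constructed for the demonstration.

```python
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format: a 24-byte header followed by `count` 48-byte
# records, all fields big-endian (RFC 3954 describes v9; v5 is the older
# fixed layout that nProbe and most routers can still export).
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Return a list of (src_ip, dst_ip, src_port, dst_port, proto) per record."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # rec = srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
        #       first, last, srcport, dstport, pad1, tcp_flags, prot, ...
        src, dst, sport, dport, proto = rec[0], rec[1], rec[9], rec[10], rec[13]
        flows.append((str(ipaddress.IPv4Address(src)),
                      str(ipaddress.IPv4Address(dst)), sport, dport, proto))
    return flows


def build_v5_datagram(flows):
    """Constructed mini-exporter: pack flows into one v5 datagram (test data only)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                       b"\0\0\0\0", 0, 0, 1, 60, 0, 0, sp, dp, 0, 0x02, proto,
                       0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, proto in flows)
    return header + body


BLACKLIST = {"203.0.113.9"}   # constructed: the "simple" ip blacklist rule
SCAN_THRESHOLD = 10           # constructed: distinct TCP dst ports per src/dst pair


def evaluate(flows):
    """The two rule types contrasted in the thread: blacklist and port-scan heuristic."""
    alerts = []
    ports_by_pair = defaultdict(set)
    for src, dst, _sport, dport, proto in flows:
        if src in BLACKLIST or dst in BLACKLIST:
            alerts.append(("blacklist", src, dst))
        if proto == 6:  # TCP: track distinct destination ports per (src, dst) pair
            ports_by_pair[(src, dst)].add(dport)
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= SCAN_THRESHOLD:
            alerts.append(("portscan", src, dst))
    return alerts
```

Even this minimal scan heuristic needs per-source state across records and a tuned threshold, which is the "another story" part that Snort's preprocessors already handle.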