[Snort-users] netflow input
obilodeau at ...13341...
Wed Nov 25 10:39:14 EST 2009
I CC'ed the list.
>> On Tue, Nov 24, 2009 at 6:54 PM, Olivier Bilodeau wrote:
>> Is there a way to give netflow traffic to snort?
Rob Dixon wrote:
> have you checked out nTop possibilities?
yes I checked it, there is no alarm mechanism / rule engine. It's more a
monitoring tool than an IDS.
> also,(maybe outdated) nProbe for netflow distributed collection.
nProbe collects netflow but doesn't come with an alarm mechanism / rule
engine so we would need to write our own and it defeats the purpose of
trying to leverage snort's infrastructure.
nProbe -> pcap -> snort maybe?
> another option, i cant remember the name but, there is a Perl module
> that will parse netflow.
Yes, I'm aware of the module but it is what I'm trying to avoid. If
we parse ourselves, we will need to write our own rules engine. It can
be simple for simple needs (ip/port blacklists or whitelist) but to
detect port scans like snort currently does, its another story.
Also, we (packetfence) already integrate with snort (we isolate hosts
based on snort alarms) so to have netflow go right into snort would be a
really simple solution.
Thanks for your thoughts!
obilodeau at ...13341... :: +1.514.447.4918 x115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and
More information about the Snort-users