[Snort-users] Snort Deployment Configurations

Bamm Visscher bamm.visscher at ...11827...
Mon Feb 7 12:50:04 EST 2011

MRTG is more about presenting "flows in motion" while netflow data is
more versatile. I've seen it used for analysis of "flows in motion" as
well as "flows at rest".

I previously tweeted some thoughts about "flows at rest" versus "flows
in motion" with the intention of publishing a more in depth discussion
later. Never happened, but here is a gist of what I was trying to get

Analysing "flows in motion" is usually statistical analysis of point
in time data or an aggregation of a flow attribute over a period of
time. For example, bandwidth on date A was X compared to date B when
it was Y.

"Flows at rest" are more about the attributes of a single hosts itself
or possibly comparing attributes. Examples would be show which hosts
talked to newly identified host Y in the past X days or which host
compromised asset A talked to in the past B days. Another would be
comparing the number of bytes sent in a single flow versus the number
of packets received.

BTW, I tend to prefer SANCP to collect data in a format more conducive
for analysing "flows at rest".


On Sun, Feb 6, 2011 at 10:38 PM, Jason Haar <Jason.Haar at ...294...> wrote:
> On 02/04/2011 04:11 PM, Martin Holste wrote:
>> I currently run Snort in multiple configurations on the gateway, but I
>> used to run it between servers and clients in the data center.  This
>> proved to be a total waste of time--the amount of traffic that needs
>> to be inspected combined with the massive amount of false positives
>> proved to be ineffective for useful intel for the amount of effort
>> required.  For monitoring the inside of the network, I recommend a
>> strategy of Netflow, firewall logs, and server logs before you start
>> trying IDS on that amount and kind of traffic.
> Just as an aside: have you ever found a practical use for NetFlow beyond
> detecting saturated pipes? e.g. like seeing spikes and tracking that
> back to something "bad" that *wasn't* a DoS tool? I just wonder if using
> mrtg to monitor for saturation would do 99.9% of what people actually
> use NetFlow for... On large networks, NetFlow basically makes graphs of
> traffic going up and down - you can get per-port if you're lucky. But
> the complexity of real networks just makes me think detecting "bad
> things" beyond DoS tools isn't really plausible?
> --
> Cheers
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> The modern datacenter depends on network connectivity to access resources
> and provide services. The best practices for maximizing a physical server's
> connectivity to a physical network are well understood - see how these
> rules translate into the virtual world?
> http://p.sf.net/sfu/oracle-sfdevnlfb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

sguil - The Analyst Console for NSM

More information about the Snort-users mailing list