[Snort-users] Can Snort Analyze Sampled Netflow Traffic

Hanan Shteingart chanansh at ...11827...
Wed Jan 13 11:16:34 EST 2016


Which open source tool can digest SAMPLED NETFLOW and detect threats?
On Jan 13, 2016 6:15 PM, "Joel Esler (jesler)" <jesler at ...589...> wrote:

> Snort cannot read netflow traffic natively, no.  Snort understands pcap
> files.  Not netflow.  There are plenty of other tools out there that speak
> netflow.
>
> --
> *Joel Esler*
> Manager, Talos Group
> Sent from my iPad
>
> On Jan 13, 2016, at 10:47 AM, Hanan Shteingart <chanansh at ...11827...> wrote:
>
> Thanks,
> What is the file format it expects? I have CSV text files with
> information like IP, port, TCP flags etc. How do I tell Snort these are
> sampled packet flow headers and not 1:1 sampling? These files were not
> sampled by Snort.
>
> Hanan
> On Jan 13, 2016 1:53 PM, "Emiliano Fausto" <emiliano.fausto at ...11827...>
> wrote:
>
>> Hello Hanan,
>>
>> 1. You can process network dumps using the -r option in the command line,
>> or save every capture into a directory and use option --pcap-dir. Here you
>> have the whole chapter that talks about that matter:
>> http://manual.snort.org/node8.html
>> 2. I don't understand your question. Do you want to get statistics from
>> snort? I think you may check statistics generated after reading your input.
>> Here you have the basic outputs: http://manual.snort.org/node9.html.
>> Anyway, I've seen a work done by the Splunk team which is interesting, and
>> they used the SNORT Categories:
>> http://blogs.splunk.com/2016/01/11/splunk-at-the-wall-for-def-con-23-part-ii/
>> 3. I'd recommend the official SNORT manual: http://manual.snort.org/ or
>> in PDF format:
>> https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/099/original/snort_manual.pdf
>>
>> Hope it helps!
>>
>> Regards,
>> Emiliano.
>>
>> On Wed, Jan 13, 2016 at 5:44 AM, Hanan Shteingart <chanansh at ...11827...>
>> wrote:
>>
>>> Hi,
>>>
>>>    1. I have tons of sampled netflow traffic (1:4096 rate, sampled
>>>    packet flows). Can it be digested with Snort?
>>>    2. What will be the guidelines to process these with Snort for Big
>>>    Data?
>>>    3. Where can I get a list of Snort capabilities?
>>>
>>> Thanks,
>>> Hanan
>>> *HS*
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
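Joel's answer is that Snort's `-r` / `--pcap-dir` input path only understands libpcap files, not NetFlow exports. The added example below (not code from the thread or from the Snort project) shows how to tell the two apart before wasting a run: it checks for a libpcap global header and otherwise treats the input as a flow CSV like the one Hanan describes. The sample pcap header and CSV rows are constructed here, and the CSV column names are assumed.

```python
import csv
import io
import struct

# libpcap global-header magic numbers: microsecond and nanosecond
# timestamp variants, in both byte orders.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\xd4\xc3\xb2\xa1": ("<", "us"),
    b"\xa1\xb2\x3c\x4d": (">", "ns"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),
}


def classify_capture(data: bytes) -> dict:
    """Classify an input file from Snort's point of view.

    Snort -r reads libpcap files, so only a valid pcap global header
    is reported as readable. A NetFlow CSV (flow summaries with no
    packet bytes, sampled or not) is reported as not usable by Snort.
    """
    magic = data[:4]
    if magic in PCAP_MAGICS:
        order, resolution = PCAP_MAGICS[magic]
        if len(data) < 24:
            return {"kind": "pcap", "snort_readable": False,
                    "error": "truncated global header"}
        vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(
            order + "HHiIII", data[4:24])
        return {"kind": "pcap", "snort_readable": True,
                "version": f"{vmaj}.{vmin}", "snaplen": snaplen,
                "linktype": linktype, "ts_resolution": resolution}
    # Not pcap: try to read it as a CSV flow export with a header row.
    rows = list(csv.reader(io.StringIO(data.decode("utf-8", "replace"))))
    if rows and len(rows[0]) > 1:
        return {"kind": "flow_csv", "snort_readable": False,
                "fields": rows[0], "records": len(rows) - 1}
    return {"kind": "unknown", "snort_readable": False}


# Constructed sample inputs (not real captures).
# Little-endian pcap header: version 2.4, snaplen 65535, linktype 1 (Ethernet).
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
# Sampled-flow CSV in the style Hanan describes; column names are assumed.
SAMPLE_FLOW_CSV = (
    b"src_ip,dst_ip,dst_port,tcp_flags,sampling_rate\n"
    b"192.0.2.10,198.51.100.5,443,0x12,4096\n"
    b"192.0.2.11,198.51.100.9,80,0x02,4096\n"
)

if __name__ == "__main__":
    print(classify_capture(SAMPLE_PCAP))
    print(classify_capture(SAMPLE_FLOW_CSV))
```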