snort-users November 2009 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: [Snort-users] netflow input

[Snort-users] netflow input

From: Olivier Bilodeau <obilodeau_at_nospam>
Date: Tue Nov 24 2009 - 23:54:58 GMT
To: snort-users@lists.sourceforge.net, deri@ntop.org


Hi,

We want to generate alarms on a network based on src ip:port and dst ip:port criteria. We would like to use snort but the problem is that we cannot have a snort probe in all the required places (and forget about span) _but_ we can have netflow sources.

Instead of parsing the netflow ourselves and create our own alarm syntax we would like to leverage the infrastructure provided by snort.

Is there a way to give netflow traffic to snort?

I did research and here are my findings:

Patch siting in queue[1]
I saw that there was a patch at some point in the past and a post to -devel[2] but has there been any work towards this lately?

Transform netflow to pcap
I saw some attempts[3] to use tools that support netflow input and that transforms it to pcap. Then to use snort to process this pcap. I am aware that a lot of payload information won't be available and I'm ok with that.

Has anyone done netflow -> pcap -> snort lately?

Any help or pointers will be appreciated.

p.s.: work in that regard will be incorporated in our open source packetfence project (www.packetfence.org)
[1]http://sourceforge.net/tracker/?func=detail&atid=303357&aid=932197&group_id=3357
[2]http://sourceforge.net/mailarchive/message.php?msg_id=40756546.2050003%40ntop.org
[3]http://sourceforge.net/mailarchive/message.php?msg_id=20021027224032.GA4032%40columbia.edu
-- Olivier Bilodeau obilodeau@inverse.ca :: +1.514.447.4918 x115 :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and PacketFence (www.packetfence.org) ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users