snort-users November 2009 archive

[Snort-users] netflow input

From: Olivier Bilodeau <obilodeau_at_nospam>
Date: Tue Nov 24 2009 - 23:54:58 GMT


We want to generate alarms on a network based on src ip:port and dst ip:port criteria. We would like to use snort but the problem is that we cannot have a snort probe in all the required places (and forget about span) _but_ we can have netflow sources.

Instead of parsing the netflow ourselves and create our own alarm syntax we would like to leverage the infrastructure provided by snort.

Is there a way to give netflow traffic to snort?

I did research and here are my findings:

Patch sitting in queue[1]
I saw that there was a patch at some point in the past and a post to -devel[2] but has there been any work towards this lately?

Transform netflow to pcap
I saw some attempts[3] to use tools that support netflow input and that transform it to pcap, then to use snort to process this pcap. I am aware that a lot of payload information won't be available and I'm ok with that.

Has anyone done netflow -> pcap -> snort lately?

Any help or pointers will be appreciated.

p.s.: work in that regard will be incorporated in our open source packetfence project (
--
Olivier Bilodeau :: +1.514.447.4918 x115 :: Inverse inc. :: Leaders behind SOGo ( and PacketFence (
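The netflow -> pcap -> snort path sketched above, as an added example that is not part of the original post or of any tool it cites: constructed flow records (the 5-tuple only) are turned into header-only Ethernet/IPv4/TCP or UDP frames and wrapped in a libpcap byte stream that Snort can read back with `-r`. The flow-record shape, the sample addresses and the SYN-only TCP header are assumptions.

```python
import socket
import struct

# Constructed sample flow records (not a real NetFlow export): only the 5-tuple fields.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 22, "proto": 6},
    {"src": "10.0.0.7", "sport": 40001, "dst": "192.0.2.53", "dport": 53, "proto": 17},
]

def checksum(data):
    """RFC 1071 one's-complement sum, as used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def l4_checksum(src, dst, proto, segment):
    """Transport checksum over the IPv4 pseudo-header plus the segment (0 when already valid)."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, len(segment))
    return checksum(pseudo + segment)

def flow_to_frame(flow):
    """Build one header-only Ethernet/IPv4/TCP-or-UDP frame from a flow record."""
    if flow["proto"] == 6:
        # TCP: 20-byte header with SYN set, no options, no payload; checksum field at offset 16.
        l4, off = struct.pack("!HHIIBBHHH", flow["sport"], flow["dport"], 0, 0, 5 << 4, 0x02, 8192, 0, 0), 16
    elif flow["proto"] == 17:
        # UDP: 8-byte header, length covers the header only; checksum field at offset 6.
        l4, off = struct.pack("!HHHH", flow["sport"], flow["dport"], 8, 0), 6
    else:
        raise ValueError("only TCP and UDP flows are synthesised")
    c = l4_checksum(flow["src"], flow["dst"], flow["proto"], l4) or 0xFFFF  # UDP sends 0 as 0xFFFF
    l4 = l4[:off] + struct.pack("!H", c) + l4[off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, flow["proto"], 0,
                     socket.inet_aton(flow["src"]), socket.inet_aton(flow["dst"]))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]  # IPv4 checksum at offset 10
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MAC addresses, EtherType IPv4
    return eth + ip + l4

def flows_to_pcap(flows):
    """Serialise flows as a libpcap byte stream (LINKTYPE_ETHERNET), one frame per flow."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for i, flow in enumerate(flows):
        frame = flow_to_frame(flow)
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)))  # ts_sec, ts_usec, incl_len, orig_len
        out.append(frame)
    return b"".join(out)
```

Write the returned bytes to a file and replay it with `snort -r flows.pcap -c snort.conf`; since only headers are synthesised, only rules that match on addresses, ports, protocol and flags can fire, and any content/payload rule will stay silent.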