snort-users November 2009 archive

Re: [Snort-users] netflow input

From: Matt Olney <molney_at_nospam>
Date: Wed Nov 25 2009 - 16:36:24 GMT
To: Olivier Bilodeau <obilodeau@inverse.ca>


Well....

You're looking at two very different detection methodologies, so while Snort does provide a detection engine and an alerting platform, it really isn't geared towards statistical analysis, which is what you're going to look for from netflow data.

Snort just isn't the tool for this. Check out the other Netflow options and failing that, throw flow-tools on a box and start scripting up some perl logic.

Good luck

matt

On Wed, Nov 25, 2009 at 10:39 AM, Olivier Bilodeau <obilodeau@inverse.ca> wrote:
> Hi Rob,
>
> I CC'ed the list.
>
> >> On Tue, Nov 24, 2009 at 6:54 PM, Olivier Bilodeau wrote:
> >>
> >> Is there a way to give netflow traffic to snort?
>
> Rob Dixon wrote:
>>
>> have you checked out nTop possibilities?
>
> Yes, I checked it; there is no alarm mechanism / rule engine. It's more a
> monitoring tool than an IDS.
>
>>
>> also, (maybe outdated) nProbe for netflow distributed collection.
>
> nProbe collects netflow but doesn't come with an alarm mechanism / rule
> engine so we would need to write our own and it defeats the purpose of
> trying to leverage snort's infrastructure.
>
> nProbe -> pcap -> snort maybe?
>
>>
>> another option, I can't remember the name, but there is a Perl module
>> that will parse netflow.
>
> Yes, I'm aware of the module[1] but it is what I'm trying to avoid. If
> we parse ourselves, we will need to write our own rules engine. It can
> be simple for simple needs (IP/port blacklists or whitelists) but to
> detect port scans like snort currently does, it's another story.
>
> Also, we (packetfence) already integrate with snort (we isolate hosts
> based on snort alarms) so to have netflow go right into snort would be a
> really simple solution.
>
> Thanks for your thoughts!
> [1]http://search.cpan.org/~akoba/Net-Flow-0.04/lib/Net/Flow.pm
> --
> Olivier Bilodeau
> obilodeau@inverse.ca :: +1.514.447.4918 x115 :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and
> PacketFence (www.packetfence.org)
>
>
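To illustrate the point both posters make (flow data needs a statistical pass that a packet-level rule engine does not give you), here is an added example that is not from the original thread, Snort or PacketFence: a minimal NetFlow v5 export parser feeding a distinct-destination-port count, the simplest form of the port-scan check Olivier mentions. It is in Python rather than the Perl the thread talks about; the addresses, the sample packet and the threshold are constructed.

```python
"""Parse NetFlow v5 export packets and flag sources that touch many
distinct TCP destination ports on one host (constructed example)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header followed by `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(packet):
    """Return (src, dst, dst_port, proto) tuples; reject non-v5 or truncated input."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated record block")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[10]=dstport f[13]=protocol
        flows.append((str(IPv4Address(f[0])), str(IPv4Address(f[1])), f[10], f[13]))
    return flows


def port_scan_sources(flows, threshold=10):
    """Count distinct TCP destination ports per (src, dst); return pairs over threshold."""
    ports = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == 6:  # TCP only; UDP services would need their own baseline
            ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}


def build_v5(records):
    """Pack (src, dst, dport, proto) tuples into a v5 packet (constructed test data)."""
    hdr = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, b"\0" * 4,
                       0, 0, 1, 60, 0, 0, 40000, dp, 0, 0x02, pr, 0, 0, 0, 0, 0, 0)
        for s, d, dp, pr in records)
    return hdr + body


# Constructed sample: one host probing 12 ports on a server, plus two normal flows.
SAMPLE = build_v5([("192.0.2.10", "198.51.100.5", p, 6) for p in range(20, 32)]
                  + [("192.0.2.20", "198.51.100.5", 443, 6),
                     ("192.0.2.20", "198.51.100.5", 53, 17)])

if __name__ == "__main__":
    print(port_scan_sources(parse_v5(SAMPLE)))
```

In practice the counts would be kept per time window and the threshold tuned against the site's normal traffic, which is exactly the statistical work the replies say Snort is not designed to do.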




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users