|Main Archive Page > Month Archives > snort-users archives|
You're looking at two very different detection methodolgies, so while Snort does provide a detection engine and an alerting platform, it really isn't geared towards statistical analysis, which is what you're going to look for from netflow data.
Snort just isn't the tool for this. Check out the other Netflow options and failing that, throw flow-tools on a box and start scripting up some perl logic.
On Wed, Nov 25, 2009 at 10:39 AM, Olivier Bilodeau <firstname.lastname@example.org> wrote:
> Hi Rob,
> I CC'ed the list.
> >> On Tue, Nov 24, 2009 at 6:54 PM, Olivier Bilodeau wrote:
> >> Is there a way to give netflow traffic to snort?
> Rob Dixon wrote:
>> have you checked out nTop possibilities?
> yes I checked it, there is no alarm mechanism / rule engine. It's more a
> monitoring tool than an IDS.
>> also,(maybe outdated) nProbe for netflow distributed collection.
> nProbe collects netflow but doesn't come with an alarm mechanism / rule
> engine so we would need to write our own and it defeats the purpose of
> trying to leverage snort's infrastructure.
> nProbe -> pcap -> snort maybe?
>> another option, i cant remember the name but, there is a Perl module
>> that will parse netflow.
> Yes, I'm aware of the module but it is what I'm trying to avoid. If
> we parse ourselves, we will need to write our own rules engine. It can
> be simple for simple needs (ip/port blacklists or whitelist) but to
> detect port scans like snort currently does, its another story.
> Also, we (packetfence) already integrate with snort (we isolate hosts
> based on snort alarms) so to have netflow go right into snort would be a
> really simple solution.
> Thanks for your thoughts!
> Olivier Bilodeau
> email@example.com :: +1.514.447.4918 x115 :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and
> PacketFence (www.packetfence.org)
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> Snort-users mailing list
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive: