snort-sigs February 2011 archive

Re: [Snort-sigs] netflow support in snort

From: Matt Olney <molney_at_nospam>
Date: Mon Feb 14 2011 - 14:11:25 GMT
To: <lixi0513@live.cn>

Lee,

As the others have said, Snort does not support NetFlow data. NetFlow,
while incredibly useful, serves a distinctly different purpose than Snort.
NetFlow data, from an intrusion perspective, hinges on both an
understanding of "normal" and some pretty serious statistical analysis on
the back end. The main advantages to NetFlow are that it is data agnostic,
so that encryption does not impact the system, and the very small footprint
of NetFlow data.

Snort, on the other hand, focuses directly on the data, looking for
indicators of attack within the payload. They are both valuable approaches,
but they are distinct enough that there is no value in integrating the
operations together. There are several open source netflow tools. I'd
recommend you check out http://cosi-nms.sourceforge.net/related.html to
start your investigations.

Matt

p.s. Somebody wrote a money paper for their GIAC on this:
http://www.giac.com/certified_professionals/practicals/gsec/4025.php

2011/2/14 <lixi0513@live.cn>

> Hi Snort,
> Hope you are well.
>
> I'd need some help if possible. I want to use NetFlow data with Snort.
> Does Snort monitor NetFlow data with the default settings? If not, what
> should I do?
>
> thanks very much
>
> lee
> 2011/2/14
>

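The reply above describes the flow-analysis approach in a sentence: a record of who talked to whom and how much, a baseline of "normal", and statistics on the back end, with no dependence on payload. The block below is an added illustration of that idea and is not part of the thread or of Snort; the NetFlow-v5-style records, the host addresses, the window numbering and the threshold rule (mean plus three standard deviations, with a minimum relative margin so a host with a flat history is not flagged by tiny noise) are all constructed for the example. Because the records carry only header-level fields, the check behaves identically for TLS and cleartext flows, which is the property the reply credits NetFlow with.

```python
"""Flow-record baseline check: per-source byte volume against an observed baseline.

Added example (not from the snort-sigs thread). All records are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    """Subset of NetFlow v5 fields; there is no payload field to inspect."""
    window: int      # export interval the record belongs to (constructed)
    srcaddr: str
    dstaddr: str
    dstport: int
    proto: int       # IP protocol number; 6 = TCP
    dpkts: int
    doctets: int     # bytes in the flow


# Four baseline windows of ordinary outbound HTTPS traffic (constructed).
BASELINE_FLOWS = [
    Flow(1, "10.0.0.5", "203.0.113.10", 443, 6, 90, 70000),
    Flow(1, "10.0.0.5", "203.0.113.20", 443, 6, 60, 50000),
    Flow(1, "10.0.0.7", "203.0.113.10", 443, 6, 60, 50000),
    Flow(2, "10.0.0.5", "203.0.113.10", 443, 6, 95, 80000),
    Flow(2, "10.0.0.5", "203.0.113.20", 443, 6, 60, 50000),
    Flow(2, "10.0.0.7", "203.0.113.10", 443, 6, 62, 52000),
    Flow(3, "10.0.0.5", "203.0.113.10", 443, 6, 80, 60000),
    Flow(3, "10.0.0.5", "203.0.113.20", 443, 6, 60, 50000),
    Flow(3, "10.0.0.7", "203.0.113.10", 443, 6, 58, 48000),
    Flow(4, "10.0.0.5", "203.0.113.10", 443, 6, 100, 90000),
    Flow(4, "10.0.0.5", "203.0.113.20", 443, 6, 60, 50000),
    Flow(4, "10.0.0.7", "203.0.113.10", 443, 6, 60, 50000),
]

# The window under review (constructed): 10.0.0.5 is unchanged, 10.0.0.7 pushes
# fifty times its usual volume over an encrypted port, 10.0.0.9 has no history.
CURRENT_FLOWS = [
    Flow(5, "10.0.0.5", "203.0.113.10", 443, 6, 92, 78000),
    Flow(5, "10.0.0.5", "203.0.113.20", 443, 6, 60, 50000),
    Flow(5, "10.0.0.7", "198.51.100.7", 443, 6, 2400, 2500000),
    Flow(5, "10.0.0.9", "203.0.113.10", 443, 6, 40, 30000),
]


def octets_per_src(flows):
    """Sum bytes sent per window and per source address."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.window][f.srcaddr] += f.doctets
    return totals


def build_baseline(flows):
    """Per-source mean and population stdev of bytes per window.

    A source that is silent in some baseline window contributes 0 for it, so
    quiet hosts get a baseline too rather than being dropped.
    """
    per_window = octets_per_src(flows)
    windows = sorted(per_window)
    sources = {src for counts in per_window.values() for src in counts}
    baseline = {}
    for src in sources:
        series = [per_window[w].get(src, 0) for w in windows]
        baseline[src] = (mean(series), pstdev(series))
    return baseline


def find_anomalies(baseline, current_flows, k=3.0, min_margin=0.2):
    """Flag sources above mean + max(k*stdev, min_margin*mean), or with no baseline.

    Returns tuples of (window, srcaddr, octets, threshold, reason), sorted by
    window and source. threshold is None when the source has no history.
    """
    findings = []
    per_window = octets_per_src(current_flows)
    for window in sorted(per_window):
        for src, octets in sorted(per_window[window].items()):
            if src not in baseline:
                findings.append((window, src, octets, None, "no baseline"))
                continue
            mu, sigma = baseline[src]
            threshold = mu + max(k * sigma, min_margin * mu)
            if octets > threshold:
                findings.append((window, src, octets, round(threshold),
                                 "volume above baseline"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS):
        print(finding)
```

The check never reads a byte of payload, which is exactly why it survives encryption and why it also cannot say what was sent; in practice the flagged host would be handed to Snort or a packet capture for the content question, which is the division of labour the reply describes.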

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org