snort-sigs February 2011 archive
snort-sigs: Re: [Snort-sigs] netflow support in snort

From: Russ Combs <rcombs_at_nospam>
Date: Mon Feb 14 2011 - 13:31:40 GMT
To: Joel Esler <jesler@sourcefire.com>

2011/2/14 Joel Esler <jesler@sourcefire.com>:
> On Feb 14, 2011, at 1:08 AM, wrote:
>
> Hi snort,
> Hope you are well.
>
> I'd need help if possible. I want to use NetFlow data with Snort.
> Does Snort monitor with NetFlow data by default setting? If not, what
> should I do?

I'm not that familiar with netflow data, but from a quick look and
your question I'm guessing that it has packets buried in there. If
that is the case and you want Snort to read the packets and process
them as if it were a pcap, then you can either:

1. Export a pcap from netflow data (there may be a tool for that).
2. Write a netflow DAQ.

>
> thanks very much
>
> Snort does not handle netflow data natively. At Sourcefire we have other
> tools to perform this function.
> --
> Joel Esler
> jesler () sourcefire.com
> http://blog.snort.org && http://blog.clamav.net
>
