
[Snort-devel] [ snort-Patches-932197 ] NetFlow support for snort

From: SourceForge.net <noreply(at)sourceforge.net>
Date: Fri Apr 09 2004 - 02:23:34 EDT


Patches item #932197, was opened at 2004-04-09 08:23
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=303357&aid=932197&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Luca Deri (lderi)
Assigned to: Nobody/Anonymous (nobody)
Summary: NetFlow support for snort

Initial Comment:
Hi all,
please find enclosed my contribution that allows snort to be activated over NetFlow. Basically snort can now act as a NetFlow v5 collector (add -5 <port> to tell snort to wait for incoming flows on the <port> [note that -i has no effect if -5 is specified]) and run the signatures over the incoming flows. The main difference between running snort over NetFlow with respect to pcap is that with NetFlow you have no payload access so basically all the payload signatures are not activated. So you can detect a portscan but you cannot detect an SSH exploit.

Enjoy, Luca
---

Luca Deri <deri@ntop.org>





Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Fri Apr 9 12:16:18 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

