
Mailing List Archive: NTop: Misc

NetFlow support in Snort

 

 



deri at ntop

Apr 8, 2004, 7:44 AM


Hi all,
please find enclosed my contribution that allows snort to be activated
over NetFlow. Basically snort can now act as a NetFlow v5 collector (add
-5 <port> to tell snort to wait for incoming flows on the <port> [note that
-i has no effect if -5 is specified]) and run the signatures over the
incoming flows. The main difference between running snort over NetFlow
with respect to pcap is that with NetFlow you have no payload access so
basically all the payload signatures are not activated. So you can
detect a portscan but you cannot detect an SSH exploit.

Enjoy, Luca

--
Luca Deri <deri [at] ntop> http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being
clever about it - Richard Stallman
Attachments: snort.diff (11.3 KB)
