Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: NTop: Misc

NetFlow support in Snort



NTop misc RSS feed   Index | Next | Previous | View Threaded

deri at ntop

Apr 8, 2004, 7:44 AM

Post #1 of 1 (808 views)
NetFlow support in Snort

Hi all,
please find enclosed my contribution that allows snort to be activated
over NetFlow. Basically snort can now act as a NetFlow v5 collector (add
-5 <port> to tell snort to wait incoming flows on the <port> [note that
-i has no effect if -5 is specified]) and run the signatures over the
incoming flows. The main difference between runnins snort over NetFlow
with respect to pcap is that with NetFlow you have no payload access so
basically all the payload signatures are not activated. So you can
detect a portscan but you cannot detect a SSH exploit.

Enjoy, Luca

Luca Deri <deri [at] ntop> http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being
clever about it - Richard Stallman
Attachments: snort.diff (11.3 KB)

NTop misc RSS feed   Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.