
deri at ntop
Apr 8, 2004, 7:44 AM
Hi all,

please find enclosed my contribution that allows snort to be activated over NetFlow. Basically snort can now act as a NetFlow v5 collector (add -5 <port> to tell snort to wait for incoming flows on the <port> [note that -i has no effect if -5 is specified]) and run the signatures over the incoming flows.

The main difference between running snort over NetFlow with respect to pcap is that with NetFlow you have no payload access so basically all the payload signatures are not activated. So you can detect a portscan but you cannot detect an SSH exploit.

Enjoy, Luca

--
Luca Deri <deri [at] ntop> http://luca.ntop.org/
Hacker: someone who loves to program and enjoys being clever about it - Richard Stallman