
Mailing List Archive: NTop: Misc

nProbe to snort



obilodeau at inverse

Nov 25, 2009, 9:02 AM

Post #1 of 3 (1162 views)
nProbe to snort

Hi,

I'm looking to generate alarms into our open source NAC (PacketFence)
based on netflow traffic.

We were hoping to leverage snort's alarm mechanism and rule engine/syntax.

I've found a patch to add netflow support[1] to snort in this list's
archive. Unfortunately it has not been integrated into snort and I would
think that the patch might not apply as cleanly now (although it seems
relatively small).

I would like to know if there is anyone doing nProbe to snort or nProbe
to pcap to snort here?

Or any suggestion for having a realtime alarm mechanism based on netflow
traffic?

Our goal is to isolate in a quarantine VLAN non-802.1x (devices with no
supplicant) hosts based on traffic flow, i.e.: a printer shouldn't do web
traffic. We can't have snort probes because the network is too distributed.

Thanks,
[1]http://lists.ntop.org/pipermail/ntop-misc/2004-April/000024.html
--
Olivier Bilodeau
obilodeau [at] inverse :: +1.514.447.4918 x115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and
PacketFence (www.packetfence.org)
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


deri at ntop

Nov 26, 2009, 1:53 AM

Post #2 of 3 (1060 views)
Re: nProbe to snort [In reply to]

Olivier,
what are the criteria for generating an alarm? You mentioned "no traffic
on port X", what else?

Luca

> Hi,
>
> I'm looking to generate alarms into our open source NAC (PacketFence)
> based on netflow traffic.
>
> We were hoping to leverage snort's alarm mechanism and rule
> engine/syntax.
>
> I've found a patch to add netflow support[1] to snort in this list's
> archive. Unfortunately it has not been integrated into snort and I
> would think that the patch might not apply as cleanly now (although it
> seems relatively small).
>
> I would like to know if there is anyone doing nProbe to snort or
> nProbe to pcap to snort here?
>
> Or any suggestion for having a realtime alarm mechanism based on
> netflow traffic?
>
> Our goal is to isolate in a quarantine VLAN non-802.1x (devices with
> no supplicant) hosts based on traffic flow, i.e.: a printer shouldn't do
> web traffic. We can't have snort probes because the network is too
> distributed.
>
> Thanks,
> [1]http://lists.ntop.org/pipermail/ntop-misc/2004-April/000024.html



obilodeau at inverse

Nov 26, 2009, 7:49 AM

Post #3 of 3 (1056 views)
Re: nProbe to snort [In reply to]

Hi Luca,

Luca Deri wrote:
> Olivier,
> what are the criteria for generating an alarm? You mentioned "no traffic
> on port X", what else?

It has to be flexible. Here are a few examples I can think of:
- no traffic from x to y on port z (x and y can be ranges)
- traffic must not diverge from IP range x to y to/from port z
- an IP x cannot communicate with more than y other IPs in a certain
timeframe z (optionally on a specified port)

The first two are trivial, but for the next one, this is where I think we
need something more flexible than a simple regexp. That's the reason why
I would have liked to leverage snort or another IDS.

--
Olivier Bilodeau
obilodeau [at] inverse :: +1.514.447.4918 x115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.scalableogo.org) and
PacketFence (www.packetfence.org)
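The three kinds of criteria Olivier lists above, implemented as a small flow-policy checker. This is an added example, not code from the thread, from nProbe or from PacketFence: the flow record layout, the sample flows, the CIDR ranges, ports and thresholds are all constructed here, and the third rule (distinct peers per host within a time window, the one a plain regexp cannot express) is done with a sliding window over per-source flows sorted by start time.

```python
"""Flow-based policy checker (constructed example, not from the thread).

Each rule takes a list of NetFlow-style records and returns the records
(or hosts) that violate it, so the caller can raise an alarm. The record
format below is an assumption; real exporters carry more fields.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float    # flow start time, epoch seconds
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


def _in_ranges(addr, cidrs):
    """True if addr falls inside any of the CIDR ranges."""
    a = ip_address(addr)
    return any(a in ip_network(c) for c in cidrs)


# Rule 1: no traffic from x to y on port z (x and y are CIDR lists).
def rule_no_traffic(flows, src_cidrs, dst_cidrs, port):
    return [f for f in flows
            if f.dport == port
            and _in_ranges(f.src, src_cidrs)
            and _in_ranges(f.dst, dst_cidrs)]


# Rule 2: traffic from range x on port z must not diverge outside range y.
def rule_must_not_diverge(flows, src_cidrs, allowed_dst_cidrs, port):
    return [f for f in flows
            if f.dport == port
            and _in_ranges(f.src, src_cidrs)
            and not _in_ranges(f.dst, allowed_dst_cidrs)]


def _max_peers_in_window(sorted_flows, window):
    """Largest number of distinct destinations seen within any span of
    `window` seconds; two-pointer sliding window over time-sorted flows."""
    counts = Counter()
    best, j = 0, 0
    for i, f in enumerate(sorted_flows):
        counts[f.dst] += 1
        # Drop flows that started more than `window` seconds before f.
        while f.ts - sorted_flows[j].ts > window:
            old = sorted_flows[j].dst
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            j += 1
        best = max(best, len(counts))
    return best


# Rule 3: host x may not talk to more than y other IPs within z seconds,
# optionally restricted to one destination port. Returns {host: peers}.
def rule_fanout(flows, src_cidrs, max_peers, window, port=None):
    per_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if _in_ranges(f.src, src_cidrs) and (port is None or f.dport == port):
            per_src[f.src].append(f)
    violations = {}
    for src, fl in per_src.items():
        peers = _max_peers_in_window(fl, window)
        if peers > max_peers:
            violations[src] = peers
    return violations


# Constructed sample flows: printers live in 10.0.5.0/24, workstations in
# 10.0.1.0/24; 198.51.100.7 is a TEST-NET-2 address standing in for the web.
FLOWS = [
    Flow(0, "10.0.1.20", "10.0.5.10", 9100),    # workstation prints: fine
    Flow(1, "10.0.1.21", "10.0.2.7", 9100),     # port 9100 to a non-printer
    Flow(2, "10.0.5.10", "198.51.100.7", 80),   # printer doing web traffic
    Flow(3, "10.0.5.11", "10.0.1.5", 445),      # not covered by any rule
] + [Flow(10 + i, "10.0.1.30", f"10.0.3.{i + 1}", 22) for i in range(6)]


def run_policy(flows):
    """Evaluate the constructed policy and return one alarm string per hit."""
    alarms = []
    for f in rule_no_traffic(flows, ["10.0.5.0/24"], ["0.0.0.0/0"], 80):
        alarms.append(f"printer {f.src} did web traffic to {f.dst}")
    for f in rule_must_not_diverge(flows, ["10.0.1.0/24"], ["10.0.5.0/24"], 9100):
        alarms.append(f"{f.src} sent port 9100 traffic outside printer range to {f.dst}")
    for host, n in rule_fanout(flows, ["10.0.0.0/8"], max_peers=5, window=30).items():
        alarms.append(f"{host} contacted {n} distinct peers within 30s")
    return alarms


if __name__ == "__main__":
    for line in run_policy(FLOWS):
        print(line)
```

The rule functions return the offending flows or hosts rather than printing, so a NAC integration can feed them to whatever isolation action it has; the per-source sliding window keeps rule 3 linear in the number of flows per host.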
