Snort mailing list archives

RE: snort and sflow?


From: "Kim Wall" <kwall () the4walls net>
Date: Wed, 22 Oct 2003 22:45:49 -0500


> Can anyone point me to some directions for using snort to pull in
> sflow data off of a core switch?

> You're trying to use the wrong tool for the job.  Snort is an IDS, it's
> not an sflow collector.  If you want it to parse the sflow data, you'd
> need to build a decoder for that.  It would be simpler just to set up a
> collection station for sflow.

This is actually easy to do and the only way I know of to see what's
happening on every interface on hundreds of switches - simultaneously -
using a single SNORT sensor. Obviously, this is not the approach to take
with highly sensitive areas in your network - for those, you should use
something inline in order to see every packet plus payload. 

First, you need something to sample and collect header information and
send to your SNORT sensor. The sFlow page lists such hardware vendors:
http://www.sflow.org/products/network.php

Secondly, you need a tool to listen for sFlow packets, decode them and
pipe them into SNORT. INMON makes such a tool:
http://www.inmon.com/sflowTools.htm

Finally, you will need to kick things off on your Linux box (this does
not work on the Win32 platform because of Microsoft's pipe methodology).
Something like the following would work:
sflowtool -p 6343 -t | snort -c /etc/snort/snort.conf -r - 

If you want to utilize MySQL, ACID etc, then this doc should help in
that arena:
www.snort.org/docs/snort_acid_rh9.pdf

Things to keep in mind:
* sFlow is based on sampling technology - you will not see every packet
* Depending on the hardware, up to 128 bytes of the packet are sent to
the collector - you will not see all of the payload
* SNORT rules will need to be fine tuned - especially ones pertaining to
payload, port scans, etc.

I have personally done this utilizing switches from Foundry (native
hardware-based sFlow collection) for over 10,000 switched interfaces -
sending to a single SNORT sensor with virtually no impact to network
bandwidth. 

Remember, if it is imperative that you see every packet and the entire
payload, then this is not the right solution. But, if you are looking
for a way to keep an eye on activity throughout your network as a
supplement to existing security layers, then this solution rocks.

Kim
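As an added illustration of what sits between the switch and Snort in the pipeline above (this is not Kim's setup and not sflowtool; sflowtool is what you would actually run), here is a minimal sFlow v5 decoder in Python that does the same job as sflowtool's -t option: it walks a datagram, pulls the raw packet header record out of each flow sample and writes the headers as a pcap stream that Snort could read with -r. The datagram it decodes is constructed inside the script, with an assumed 128-byte header snaplen and an assumed 1:512 sampling rate, so it runs offline. It makes the two caveats in the list above concrete: each pcap record carries the exported length (128) next to the real frame length, and each flow sample carries the sampling rate, which is all Snort ever gets to see.

```python
import struct

# sFlow v5 enumerations used below (enterprise 0 formats from the sFlow spec)
SAMPLE_FLOW = 1            # sample_data format 1: flow sample
RECORD_RAW_HEADER = 1      # flow_data format 1: raw packet header
HEADER_PROTO_ETHERNET = 1  # header_protocol 1: ETHERNET-ISO88023


def _u32(buf, off):
    """Read one big-endian 32-bit unsigned int; return (value, new offset)."""
    return struct.unpack_from("!I", buf, off)[0], off + 4


def parse_sflow_v5(datagram):
    """Walk an sFlow v5 datagram and return (agent_ip, samples).

    Each entry in samples is a dict: sampling_rate, frame_len (bytes on the
    wire) and header (the truncated bytes the agent actually exported).
    Sample and record types this decoder does not understand are skipped
    using their length fields, which is what keeps the walk in sync."""
    off = 0
    version, off = _u32(datagram, off)
    if version != 5:
        raise ValueError("unsupported sFlow version %d" % version)
    addr_type, off = _u32(datagram, off)
    if addr_type == 1:                      # IPv4 agent address
        agent = "%d.%d.%d.%d" % tuple(datagram[off:off + 4]); off += 4
    elif addr_type == 2:                    # IPv6 agent address
        agent = datagram[off:off + 16].hex(); off += 16
    else:
        raise ValueError("unknown agent address type %d" % addr_type)
    off += 3 * 4                            # sub-agent id, sequence, sysUptime
    n_samples, off = _u32(datagram, off)

    samples = []
    for _ in range(n_samples):
        sample_type, off = _u32(datagram, off)
        sample_len, off = _u32(datagram, off)
        sample_end = off + sample_len
        if sample_type == SAMPLE_FLOW:
            off += 2 * 4                    # sample sequence number, source id
            rate, off = _u32(datagram, off)
            off += 4 * 4                    # sample pool, drops, input, output
            n_records, off = _u32(datagram, off)
            for _ in range(n_records):
                rec_type, off = _u32(datagram, off)
                rec_len, off = _u32(datagram, off)
                rec_end = off + rec_len
                if rec_type == RECORD_RAW_HEADER:
                    proto, off = _u32(datagram, off)
                    frame_len, off = _u32(datagram, off)
                    _stripped, off = _u32(datagram, off)
                    hdr_len, off = _u32(datagram, off)
                    if proto == HEADER_PROTO_ETHERNET:
                        samples.append({"sampling_rate": rate,
                                        "frame_len": frame_len,
                                        "header": datagram[off:off + hdr_len]})
                off = rec_end               # skip XDR padding / unknown records
        off = sample_end                    # skip counter samples etc.
    return agent, samples


def samples_to_pcap(samples, ts_sec=0):
    """Wrap exported headers in a pcap stream (DLT_EN10MB) like sflowtool -t.
    incl_len is the truncated length, orig_len the real frame length, so the
    consumer can see exactly how much payload it is missing."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for s in samples:
        out += struct.pack("<IIII", ts_sec, 0, len(s["header"]), s["frame_len"])
        out += s["header"]
    return bytes(out)


# --- constructed test input (not captured from any real switch) -------------

def build_test_frame(payload):
    """Ethernet/IPv4/TCP frame 10.0.0.5 -> 10.0.0.9:80; checksums are left at
    zero because only the framing matters for the sFlow walk."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_test_datagram(frame, snap=128, rate=512):
    """One sFlow v5 datagram from agent 10.0.0.1 with one flow sample whose
    raw-header record keeps only the first `snap` bytes (assumed 128 bytes at
    an assumed 1:512 sampling rate)."""
    hdr = frame[:snap]
    pad = b"\0" * ((-len(hdr)) % 4)         # XDR pads opaque data to 4 bytes
    rec_body = struct.pack("!IIII", HEADER_PROTO_ETHERNET, len(frame), 0, len(hdr)) + hdr + pad
    record = struct.pack("!II", RECORD_RAW_HEADER, len(rec_body)) + rec_body
    flow_body = struct.pack("!IIIIIIII", 1, 0, rate, 100000, 0, 1, 2, 1) + record
    sample = struct.pack("!II", SAMPLE_FLOW, len(flow_body)) + flow_body
    return (struct.pack("!II", 5, 1) + bytes([10, 0, 0, 1])
            + struct.pack("!IIII", 0, 1, 0, 1) + sample)


if __name__ == "__main__":
    dgram = build_test_datagram(build_test_frame(b"GET / HTTP/1.0\r\n" + b"X" * 300))
    agent, samples = parse_sflow_v5(dgram)
    for s in samples:
        print("agent %s rate 1:%d frame %d bytes, exported %d bytes"
              % (agent, s["sampling_rate"], s["frame_len"], len(s["header"])))
    with open("sflow_samples.pcap", "wb") as fh:
        fh.write(samples_to_pcap(samples))
```

Running it writes sflow_samples.pcap containing one 128-byte record whose original length is 370 bytes; a Snort rule that matches on payload past the first 74 bytes of that TCP segment can never fire on such a capture, and any volume-based rule has to be read against the 1:512 sampling rate the flow sample carries.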