Snort mailing list archives
RE: snort and sflow?
From: "Kim Wall" <kwall () the4walls net>
Date: Wed, 22 Oct 2003 22:45:49 -0500
Can anyone point me to some directions for using snort to pull in sflow data off of a core switch?
You're trying to use the wrong tool for the job. Snort is an IDS, it's not a sflow collector. If you want it to parse the sflow data, you'd need to build a decoder for that. It would be simpler just to set up a collection station for sflow.
This is actually easy to do and the only way I know of to see what's happening on every interface on hundreds of switches - simultaneously - using a single SNORT sensor. Obviously, this is not the approach to take with highly sensitive areas in your network - for those, you should use something inline in order to see every packet plus payload.

First, you need something to sample and collect header information and send to your SNORT sensor. The sFlow page lists such hardware vendors: http://www.sflow.org/products/network.php

Secondly, you need a tool to listen for sFlow packets, decode them and pipe them into SNORT. INMON makes such a tool: http://www.inmon.com/sflowTools.htm

Finally, you will need to kick things off on your Linux box (this does not work on the Win32 platform because of Microsoft's pipe methodology). Something like the following would work:

sflowtool -p 6343 -t | snort -c /etc/snort/snort.conf -r -

If you want to utilize MySQL, ACID etc., then this doc should help in that arena: www.snort.org/docs/snort_acid_rh9.pdf

Things to keep in mind:

* sFlow is based on sampling technology - you will not see every packet
* Depending on the hardware, up to 128 bytes of the packet is sent to the collector - you will not see all of the payload
* SNORT rules will need to be fine tuned - especially ones pertaining to payload, port scans, etc.

I have personally done this utilizing switches from Foundry (native hardware-based sFlow collection) for over 10,000 switched interfaces - sending to a single SNORT sensor with virtually no impact to network bandwidth. Remember, if it is imperative that you see every packet and the entire payload, then this is not the right solution. But, if you are looking for a way to keep an eye on activity throughout your network as a supplement to existing security layers, then this solution rocks.

Kim
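The sflowtool | snort pipeline described in the post works because sflowtool decodes each sFlow datagram and re-emits the sampled packet headers as a pcap stream on stdout, which snort -r - reads. The following is an added example, not sflowtool's or the poster's code: a minimal decoder for sFlow v5 flow samples that does the same thing, assuming an IPv4 agent address and a constructed datagram, and it makes the "you will not see all of the payload" caveat visible as incl_len < orig_len in every pcap record.

```python
import struct
import sys

def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4

def decode_sflow_v5(datagram):
    """Return [(sampling_rate, frame_len, header_bytes), ...] for each Ethernet header in the flow samples."""
    version, off = _u32(datagram, 0)
    if version != 5:
        raise ValueError("only sFlow v5 datagrams are handled here")
    addr_type, off = _u32(datagram, off)
    off += (4 if addr_type == 1 else 16) + 12   # agent address, sub-agent id, seq no, uptime
    nsamples, off = _u32(datagram, off)
    found = []
    for _ in range(nsamples):
        stype, off = _u32(datagram, off)
        slen, off = _u32(datagram, off)
        if stype == 1:                            # enterprise 0, format 1: flow sample
            rate = struct.unpack_from("!I", datagram, off + 8)[0]   # follows seq no, source id
            nrec, p = _u32(datagram, off + 28)    # skip pool, drops, input if, output if
            for _ in range(nrec):
                rfmt, p = _u32(datagram, p)
                rlen, p = _u32(datagram, p)
                if rfmt == 1:                     # raw packet header record
                    proto, frame_len, _stripped, hdr_len = struct.unpack_from("!4I", datagram, p)
                    if proto == 1:                # header_protocol 1 = Ethernet
                        found.append((rate, frame_len, datagram[p + 16:p + 16 + hdr_len]))
                p += rlen                         # record length already includes 4-byte padding
        off += slen                               # counter samples etc. are skipped by length
    return found

def to_pcap(samples):
    """Classic pcap stream (what sflowtool -t emits); sFlow carries no per-packet timestamps, so ts is 0."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for _, frame_len, hdr in samples:
        out += struct.pack("<IIII", 0, 0, len(hdr), frame_len) + hdr   # incl_len < orig_len
    return out

def build_datagram(rate, frame_len, hdr, agent=b"\x0a\x00\x00\x01"):
    """Constructed test input: one flow sample carrying one truncated frame header."""
    rec = struct.pack("!4I", 1, frame_len, 0, len(hdr)) + hdr + b"\0" * ((-len(hdr)) % 4)
    flow = struct.pack("!10I", 1, 5, rate, 1000, 0, 5, 7, 1, 1, len(rec)) + rec
    return struct.pack("!II", 5, 1) + agent + struct.pack("!6I", 0, 1, 0, 1, 1, len(flow)) + flow

if __name__ == "__main__":
    hdr = bytes.fromhex("ffffffffffff0000aabbccdd080045") + b"\0" * 113  # constructed: 128 of 1514 bytes
    sys.stdout.buffer.write(to_pcap(decode_sflow_v5(build_datagram(2048, 1514, hdr))))
```

Run it as `python3 sflow_to_pcap.py | snort -c /etc/snort/snort.conf -r -` to feed Snort the same way the post's sflowtool command does; a real collector would read datagrams from UDP port 6343 in a loop instead of building one.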
Current thread:
- snort and sflow? shanks (Oct 22)
- Re: snort and sflow? Erek Adams (Oct 22)
- Re: snort and sflow? shanks (Oct 22)
- <Possible follow-ups>
- RE: snort and sflow? Kim Wall (Oct 22)
- Re: snort and sflow? Erek Adams (Oct 22)