Snort mailing list archives
Re: Can Snort Analyze Sampled Netflow Traffic
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 13 Jan 2016 16:25:45 +0000
I've seen netflow used very heavily for anomaly detection and things like that. For instance our company (Cisco) just purchased Lancope, which does some work in the area as well.

--
Joel Esler
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:21 AM, Hanan Shteingart <chanansh () gmail com> wrote:

> Yeah but I guess you can detect some stuff from it.
>
> On Jan 13, 2016 6:17 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>
>> Netflow won't show you threats. Netflow shows you amounts of traffic from point A to point B and the ports it was on. There's no packet data contained in netflow logs.
>>
>> --
>> Joel Esler
>> Manager, Talos Group
>> Sent from my iPad
>>
>> On Jan 13, 2016, at 11:16 AM, Hanan Shteingart <chanansh () gmail com> wrote:
>>
>>> Which open source can digest SAMPLED NETFLOW and detect threats?
>>>
>>> On Jan 13, 2016 6:15 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:
>>>
>>>> Snort cannot read netflow traffic natively, no. Snort understands pcap files. Not netflow. There are plenty of other tools out there that speak netflow.
>>>>
>>>> --
>>>> Joel Esler
>>>> Manager, Talos Group
>>>> Sent from my iPad
>>>>
>>>> On Jan 13, 2016, at 10:47 AM, Hanan Shteingart <chanansh () gmail com> wrote:
>>>>
>>>>> Thanks,
>>>>>
>>>>> What is the file format it expects to get? I have text files (csv) with information like ip, port, tcp flags etc. How do I tell snort these are sampled packet flow headers and not 1:1 sampling? These files were not sampled by snort.
>>>>>
>>>>> Hanan
>>>>>
>>>>> On Jan 13, 2016 1:53 PM, "Emiliano Fausto" <emiliano.fausto () gmail com> wrote:
>>>>>
>>>>>> Hello Hanan,
>>>>>>
>>>>>> 1. You can process network dumps using the -r option in the command line, or save every capture into a directory and use option --pcap-dir. Here you have the whole chapter that talks about that matter: http://manual.snort.org/node8.html
>>>>>>
>>>>>> 2. I don't understand your question. Do you want to get statistics from snort? I think you may check statistics generated after reading your input. Here you have the basic outputs: http://manual.snort.org/node9.html. Anyway, I've seen a work done by the Splunk team which is interesting, and they used the SNORT Categories: http://blogs.splunk.com/2016/01/11/splunk-at-the-wall-for-def-con-23-part-ii/
>>>>>>
>>>>>> 3. I'd recommend the official SNORT manual: http://manual.snort.org/ or in PDF format: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/099/original/snort_manual.pdf
>>>>>>
>>>>>> Hope it helps!
>>>>>>
>>>>>> Regards,
>>>>>> Emiliano.
>>>>>>
>>>>>> On Wed, Jan 13, 2016 at 5:44 AM, Hanan Shteingart <chanansh () gmail com> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> 1. I have tons of sampled netflow traffic (1:4096 rate, sampled packet flows). Can it be digested with Snort?
>>>>>>> 2. What will be the guidelines to process these with Snort for Big Data?
>>>>>>> 3. Where can I get a list of Snort capabilities?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Hanan HS

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
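Added example (not from the thread, and not Snort's or any NetFlow collector's code): the thread's point is that Snort consumes pcap (-r, --pcap-dir) with full packet data, while sampled NetFlow carries only endpoints, ports, flags and counters. The script below shows the kind of analysis that data does support: scaling 1:4096 sampled counters back to estimated volumes, and flagging sources whose SYN-only flows fan out to many distinct destinations. The CSV layout, the flag encoding, the sampling-rate scaling and the fan-out threshold are all assumptions made for this example; the rows are constructed.

```python
"""Added example: what a flow-data consumer can and cannot see.

Snort reads pcap (-r file.pcap / --pcap-dir), which carries full packet
payloads. Sampled NetFlow, as discussed in the thread, carries only the
5-tuple, flags and counters, so the analysis below is volume- and
behaviour-based anomaly detection, not signature matching. The CSV layout,
sampling-rate handling and thresholds are assumptions for this example,
not Snort's or any NetFlow collector's format.
"""
import csv
import io
from collections import defaultdict

SAMPLING_RATE = 4096  # 1:4096 packet sampling, as in the thread

# Constructed sample rows: src_ip,dst_ip,dst_port,tcp_flags,packets,bytes
SAMPLE_CSV = """src_ip,dst_ip,dst_port,tcp_flags,packets,bytes
10.0.0.5,192.0.2.10,443,0x18,40,52000
10.0.0.5,192.0.2.10,443,0x10,12,720
10.0.0.7,198.51.100.2,22,0x02,1,60
10.0.0.7,198.51.100.3,22,0x02,1,60
10.0.0.7,198.51.100.4,22,0x02,1,60
10.0.0.7,198.51.100.5,22,0x02,1,60
10.0.0.9,203.0.113.8,53,0x00,3,240
"""

SYN = 0x02  # TCP flag bits (assumed hex encoding in the CSV)
ACK = 0x10


def parse_flows(text):
    """Parse CSV rows into dicts with integer fields; flags parsed as hex."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src_ip": r["src_ip"],
            "dst_ip": r["dst_ip"],
            "dst_port": int(r["dst_port"]),
            "tcp_flags": int(r["tcp_flags"], 16),
            "packets": int(r["packets"]),
            "bytes": int(r["bytes"]),
        })
    return rows


def estimate_volume(flows, rate=SAMPLING_RATE):
    """Scale sampled counters to estimated real traffic per (src, dst, port).

    With 1:N packet sampling each exported packet stands for roughly N real
    packets, so counters are multiplied by the rate before comparing volumes.
    """
    est = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        key = (f["src_ip"], f["dst_ip"], f["dst_port"])
        est[key]["packets"] += f["packets"] * rate
        est[key]["bytes"] += f["bytes"] * rate
    return dict(est)


def fanout_anomalies(flows, min_peers=3):
    """Flag sources whose SYN-only flows (no ACK set) reach many distinct
    (dst_ip, dst_port) pairs. Only flags and peer counts are available in
    flow data; there is no payload to match a signature against."""
    peers = defaultdict(set)
    for f in flows:
        syn_only = (f["tcp_flags"] & SYN) and not (f["tcp_flags"] & ACK)
        if syn_only:
            peers[f["src_ip"]].add((f["dst_ip"], f["dst_port"]))
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    for key, v in estimate_volume(flows).items():
        print(key, v)
    print("fan-out anomalies:", fanout_anomalies(flows))
```

At 1:4096 a single sampled packet already represents thousands of real packets, so low-count flows such as the SYN-only rows above are noisy estimates; a real deployment would aggregate over longer windows and tune `min_peers` to the network's baseline rather than using the small threshold chosen here for illustration.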
Current thread:
- Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Joel Esler (jesler) (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Joel Esler (jesler) (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Joel Esler (jesler) (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)