Snort mailing list archives
Re: Can Snort Analyze Sampled Netflow Traffic
From: Hanan Shteingart <chanansh () gmail com>
Date: Wed, 13 Jan 2016 18:39:56 +0200
Yeah but I am looking for open source NETFLOW detection projects

On Jan 13, 2016 6:25 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

I've seen netflow used very heavily for anomaly detection and things like that. For instance our company (Cisco) just purchased Lancope, which does some work in the area as well.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:21 AM, Hanan Shteingart <chanansh () gmail com> wrote:

Yeah but I guess you can detect some stuff from it.

On Jan 13, 2016 6:17 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Netflow won't show you *threats*. Netflow shows you amounts of traffic from point A to point B and the ports it was on. There's no packet data contained in netflow logs.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:16 AM, Hanan Shteingart <chanansh () gmail com> wrote:

Which open source can digest SAMPLED NETFLOW and detect threats?

On Jan 13, 2016 6:15 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Snort cannot read netflow traffic natively, no. Snort understands pcap files. Not netflow. There are plenty of other tools out there that speak netflow.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 10:47 AM, Hanan Shteingart <chanansh () gmail com> wrote:

Thanks,

What is the file format it expects to get? I have csv text files with information like ip, port, tcp flags etc. How do I tell Snort these are sampled packet flow headers and not 1:1 sampling? These files were not sampled by Snort.

Hanan

On Jan 13, 2016 1:53 PM, "Emiliano Fausto" <emiliano.fausto () gmail com> wrote:

Hello Hanan,

1. You can process network dumps using the -r option in the command line, or save every capture into a directory and use option --pcap-dir. Here you have the whole chapter that talks about that matter: http://manual.snort.org/node8.html

2. I don't understand your question. Do you want to get statistics from Snort? I think you may check statistics generated after reading your input. Here you have the basic outputs: http://manual.snort.org/node9.html

Anyway, I've seen a work done by the Splunk team which is interesting, and they used the SNORT Categories: http://blogs.splunk.com/2016/01/11/splunk-at-the-wall-for-def-con-23-part-ii/

3. I'd recommend the official SNORT manual: http://manual.snort.org/ or in PDF format: https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/099/original/snort_manual.pdf

Hope it helps!

Regards,
Emiliano.

On Wed, Jan 13, 2016 at 5:44 AM, Hanan Shteingart <chanansh () gmail com> wrote:

Hi,

1. I have tons of sampled netflow traffic (1:4096 rate, sampled packet flows). Can it be digested with Snort?
2. What will be the guidelines to process these with Snort for Big Data?
3. Where can I get a list of Snort capabilities?

Thanks,
Hanan
*HS*

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
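The thread's two technical points, that flow records carry only endpoints, ports and volumes (no packet data) and that the poster's records are 1:4096 packet-sampled, are what the following added example works with; it is not code from the thread or from the Snort project. The CSV records and column names are constructed, the 4096 sampling rate comes from the original question, and the fan-out threshold is an assumed illustrative value.

```python
import csv
import io
from collections import defaultdict

# Exporter sampling rate from the original question (1:4096 packet sampling).
SAMPLE_RATE = 4096

# Constructed sample flow records (not data from the thread); columns follow the
# kinds of fields the poster describes: IPs, ports, TCP flags, plus sampled counters.
SAMPLE_CSV = """src_ip,dst_ip,src_port,dst_port,proto,tcp_flags,packets,bytes
10.0.0.5,192.0.2.10,51000,22,6,S,1,60
10.0.0.5,192.0.2.10,51001,23,6,S,1,60
10.0.0.5,192.0.2.10,51002,80,6,S,1,60
10.0.0.5,192.0.2.10,51003,443,6,S,1,60
10.0.0.5,192.0.2.10,51004,3389,6,S,1,60
10.0.0.7,192.0.2.20,40000,443,6,SA,12,9000
10.0.0.7,192.0.2.20,40001,443,6,SA,3,1500
"""

def parse_flows(text):
    """Parse CSV flow records; ports and counters become ints, the rest stays text."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("src_port", "dst_port", "packets", "bytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows

def estimated_bytes_per_source(flows, rate=SAMPLE_RATE):
    """Scale sampled byte counts up: each sampled packet stands in for about `rate` packets."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src_ip"]] += f["bytes"] * rate
    return dict(totals)

def syn_only_fanout(flows, min_ports=4):
    """Sources whose SYN-without-ACK flows reach many distinct destination ports.
    Flow data has no payload, so this is the volume/port signal the thread describes;
    at 1:4096 even a few such samples imply many underlying connection attempts."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == "6" and "S" in f["tcp_flags"] and "A" not in f["tcp_flags"]:
            ports[f["src_ip"]].add(f["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    print(estimated_bytes_per_source(flows))  # {'10.0.0.5': 1228800, '10.0.0.7': 43008000}
    print(syn_only_fanout(flows))             # {'10.0.0.5': [22, 23, 80, 443, 3389]}
```

Real exporters carry the sampling interval in the template or options records, so read it from the export rather than hard-coding it as this example does.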
Current thread:
- Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Joel Esler (jesler) (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Joel Esler (jesler) (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Joel Esler (jesler) (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Hanan Shteingart (Jan 13)
- Re: Can Snort Analyze Sampled Netflow Traffic Emiliano Fausto (Jan 13)