Snort mailing list archives

Re: Can Snort Analyze Sampled Netflow Traffic


From: Hanan Shteingart <chanansh () gmail com>
Date: Wed, 13 Jan 2016 18:39:56 +0200

Yeah but I am looking for open source NETFLOW detection projects
On Jan 13, 2016 6:25 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

I've seen netflow used very heavily for anomaly detection and things like
that.  For instance our company (Cisco) just purchased Lancope, which does
some work in the area as well.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:21 AM, Hanan Shteingart <chanansh () gmail com> wrote:

Yeah but I guess you can detect some stuff from it.
On Jan 13, 2016 6:17 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Netflow won't show you *threats*.  Netflow shows you amounts of traffic
from point A to point B and the ports it was on.  There's no packet data
contained in netflow logs.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 11:16 AM, Hanan Shteingart <chanansh () gmail com>
wrote:

Which open source can digest SAMPLED NETFLOW and detect threats?
On Jan 13, 2016 6:15 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Snort cannot read netflow traffic natively, no.  Snort understands pcap
files.  Not netflow.  There are plenty of other tools out there that speak
netflow.

--
*Joel Esler*
Manager, Talos Group
Sent from my iPad

On Jan 13, 2016, at 10:47 AM, Hanan Shteingart <chanansh () gmail com>
wrote:

Thanks,
What is the file format it expects to get? I have CSV text files with
information like IP, port, TCP flags etc. How do I tell Snort these are
sampled packet flow headers and not 1:1 sampling? These files were not
sampled by Snort.

Hanan
On Jan 13, 2016 1:53 PM, "Emiliano Fausto" <emiliano.fausto () gmail com>
wrote:

Hello Hanan,

1. You can process network dumps using the -r option in the command
line, or save every capture into a directory and use option --pcap-dir.
Here you have the whole chapter that talks about that matter:
http://manual.snort.org/node8.html
2. I don't understand your question. Do you want to get statistics from
snort? I think you may check statistics generated after reading your input.
Here you have the basic outputs: http://manual.snort.org/node9.html.
Anyway, I've seen a work done by the Splunk team which is interesting, and
they used the SNORT Categories:
http://blogs.splunk.com/2016/01/11/splunk-at-the-wall-for-def-con-23-part-ii/
3. I'd recommend the official SNORT manual: http://manual.snort.org/
or in PDF format:
https://s3.amazonaws.com/snort-org-site/production/document_files/files/000/000/099/original/snort_manual.pdf

Hope it helps!

Regards,
Emiliano.

On Wed, Jan 13, 2016 at 5:44 AM, Hanan Shteingart <chanansh () gmail com>
wrote:

Hi,

   1. I have tons of sampled netflow traffic (1:4096 rate, sampled
   packet flows). Can it be digested with Snort?
   2. What will be the guidelines to process these with Snort for Big
   Data?
   3. Where can I get a list of Snort capabilities?

Thanks,
Hanan
*HS*


------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
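The point made twice above is that flow records carry endpoints, ports, flags and volumes but no payload, so Snort (which works on pcap) cannot inspect them, while volume- and port-based checks still can. Below is an added example, not code from the thread, from Snort or from any NetFlow tool, showing that kind of check over the sort of CSV Hanan describes (IP, port, TCP flags) exported at 1:4096 packet sampling. The column names, the `SAMPLING_RATE` constant and the sample lines are all constructed for the example; a real exporter's CSV layout will differ.

```python
import csv
import io
from collections import defaultdict

# Assumed: 1:4096 packet sampling, as described in the thread.
SAMPLING_RATE = 4096

# Constructed sample records (not real exporter output).  The column layout
# is an assumption; NetFlow-to-CSV converters name fields differently.
# tcp_flags uses the usual bit values (SYN=0x02, ACK=0x10, PSH=0x08).
SAMPLE_CSV = """\
src_ip,dst_ip,src_port,dst_port,proto,tcp_flags,packets,bytes
10.0.0.5,192.0.2.10,44211,22,6,0x02,1,60
10.0.0.5,192.0.2.10,44212,23,6,0x02,1,60
10.0.0.5,192.0.2.10,44213,80,6,0x02,1,60
10.0.0.5,192.0.2.10,44214,443,6,0x02,1,60
10.0.0.5,192.0.2.10,44215,3389,6,0x02,1,60
10.0.0.5,192.0.2.10,44216,8080,6,0x02,1,60
10.0.0.7,192.0.2.20,51000,443,6,0x12,40,52000
192.0.2.20,10.0.0.7,443,51000,6,0x18,12,16000
10.0.0.9,198.51.100.3,53120,53,17,0x00,1,80
"""

SYN = 0x02
ACK = 0x10
TCP = 6


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "src_port": int(row["src_port"]),
            "dst_port": int(row["dst_port"]),
            "proto": int(row["proto"]),
            "tcp_flags": int(row["tcp_flags"], 16),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def estimate_volume(flows, rate=SAMPLING_RATE):
    """Scale sampled packet and byte counts up to an estimate of the real
    traffic per (src_ip, dst_ip) pair.  Each sampled packet stands for about
    `rate` packets on the wire, so a pair seen only once has a huge variance:
    use this for top-talker ranking, not for exact accounting."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (f["src_ip"], f["dst_ip"])
        totals[key][0] += f["packets"] * rate
        totals[key][1] += f["bytes"] * rate
    return {k: tuple(v) for k, v in totals.items()}


def syn_only_scan_candidates(flows, min_ports=5):
    """Flag sources whose SYN-only TCP flows reach at least `min_ports`
    distinct destination ports on one host.  The threshold applies to the
    *sampled* records, not to the scaled estimate: with 1:4096 sampling,
    even a few distinct ports sampled from one source imply thousands of
    probes, while a scan small enough to never be sampled is invisible."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] != TCP:
            continue
        flags = f["tcp_flags"]
        if flags & SYN and not flags & ACK:
            ports[(f["src_ip"], f["dst_ip"])].add(f["dst_port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def top_talkers(flows, n=3):
    """Rank (src_ip, dst_ip) pairs by estimated bytes, descending."""
    vol = estimate_volume(flows)
    return sorted(vol.items(), key=lambda kv: kv[1][1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CSV)
    for pair, ports in syn_only_scan_candidates(flows).items():
        print("possible scan %s -> %s, ports %s" % (pair[0], pair[1], ports))
    for pair, (pkts, byts) in top_talkers(flows):
        print("%s -> %s: ~%d packets, ~%d bytes" % (pair[0], pair[1], pkts, byts))
```

The two checks deliberately treat the sampling rate differently: volume estimates are scaled by the rate because they are about how much traffic there was, while the scan check counts distinct sampled ports as-is, because the question is whether the pattern exists at all. Neither check looks at payload; anything that needs content (an exploit string, a malware download) still requires packets, which is what Snort's -r and --pcap-dir options consume.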
