intrusion detection with flow level data and no payload?
Hi,
I have archived flow level data with no payload that I would like to run through an intrusion detection system. I have the following information about all flows:
- Length in seconds
- Protocol used (UDP/TCP/ICMP....)
- Source/Destination IP and Port
- Source/Destination Packets and Bytes
Without payload I understand that many attacks cannot be detected via some signature. However port scans are definitely detectable with the information I have... and some possible worms via popular ports and number of packets sent.
Can snort work with only flow level data? I can reformat my data if needed. If snort cannot do it, does anyone know of any other tools?
Thanks!
George
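One way to turn the flow fields listed above into a port-scan detector, as an added Python example that is not from the original post and not Snort's own logic; the record layout, field names and thresholds are assumptions, and the sample flows are constructed:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One flow record with only the fields named in the question (no payload)."""
    duration: float        # length in seconds
    proto: str             # "TCP", "UDP", "ICMP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_pkts: int
    src_bytes: int
    dst_pkts: int
    dst_bytes: int


def detect_port_scans(flows, port_threshold=20, max_dst_pkts=1):
    """Flag sources that touch many distinct destination ports on one host.

    A vertical port scan shows up as many short flows from one source to many
    ports on one destination, most of them getting little or no reply
    (dst_pkts small). Returns {(src_ip, dst_ip): n_distinct_ports} for hits.
    Thresholds are assumed values; tune them to the network being monitored.
    """
    ports = defaultdict(set)
    for f in flows:
        if f.proto not in ("TCP", "UDP"):
            continue
        # Count only unanswered or barely answered flows, which cuts noise from
        # normal clients that open many connections to one well-known port.
        if f.dst_pkts <= max_dst_pkts:
            ports[(f.src_ip, f.dst_ip)].add(f.dst_port)
    return {k: len(v) for k, v in ports.items() if len(v) >= port_threshold}


# Constructed sample: one host probing 25 ports on 10.0.0.9 with no replies,
# plus a normal client making five HTTPS connections to the same host.
SAMPLE = [Flow(0.01, "TCP", "10.0.0.5", 40000 + p, "10.0.0.9", p, 1, 60, 0, 0)
          for p in range(1, 26)]
SAMPLE += [Flow(2.5, "TCP", "10.0.0.7", 51000 + i, "10.0.0.9", 443, 12, 1800, 15, 9000)
           for i in range(5)]

if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

The same per-(source, destination) set logic extends to horizontal scans by keying on (src_ip, dst_port) and counting distinct dst_ip values instead.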