LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-13-2007, 03:00 PM   #1
hedpe
Member
 
Registered: Jan 2005
Location: Boston, MA
Distribution: Debian
Posts: 380

Rep: Reputation: 30
intrusion detection with flow level data and no payload?


Hi,

I have archived flow level data with no payload that I would like to run through an intrusion detection system. I have the following information about all flows:
- Length in seconds
- Protocol used (UDP/TCP/ICMP....)
- Source/Destination IP and Port
- Source/Destination Packets and Bytes

Without payload I understand that many attacks cannot be detected via some signature. However port scans are definitely detectable with the information I have... and some possible worms via popular ports and number of pakets sent.

Can snort work with only flow level data? I can reformat my data if needed. If snort cannot do it, does anyone know of any other tools?

Thanks!
George
 
Old 01-14-2007, 07:17 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'm acting on what little info you spilled so YMMV(VM) but AFAIK Snort can't work with Netflow or other *flow data since it isn't packet capture data. Here's a list of Netflow tools that may or may not help: http://www.switch.ch/tf-tant/floma/software.html.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
convert packet level pcap captures to flow level data hedpe Linux - Networking 1 07-27-2006 03:56 PM
intrusion detection fakie_flip Linux - Security 4 08-19-2005 06:24 PM
Intrusion Detection L1nuxbug Linux - Security 4 07-21-2004 06:20 AM
Intrusion Detection!!! egyptian Linux - Security 2 04-02-2004 12:37 PM
Intrusion Detection? matador Linux - Security 5 09-03-2003 05:44 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration