You are correct as it is a sampled flow analysis. For 100% traffic you would either need to be able to use Netflow (not supported on Foundry equipment) or a network tap as I am not a big fan of span (mirror) ports. We prefer the Datacom singlestream taps for our Snort IDS servers.
Thanks,
Scott

-----Original Message-----
From: Martin Roesch [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 25, 2008 2:09 PM
To: Monk, Scott
Cc: Security Group; [email protected]
Subject: Re: IDS/IPS system with Foundry sFlow

Hi Scott,

1-in-32 sampling is going to limit what you can do as far as layer 7 analysis to straight attack signatures; you won't be able to take advantage of Snort's ability to define state machines using the rules language's flowbits feature and do protocol-based analysis and detection. It'll work, but you'll be pretty limited if I understand what you're saying.

-Marty

On Apr 23, 2008, at 9:44 AM, Monk, Scott wrote:

> Yes, the sFlow is sampled 1 of 32 packets and higher. Yes, IronView can
> export all data in real time to a pcap format that Snort (locally or
> remotely) can read and then send alerts back to the IronView console.
> Also Lancope has a StealthWatch XE for sFlow.
>
> Thanks,
> Scott
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> On Behalf Of Martin Roesch
> Sent: Tuesday, April 22, 2008 1:19 PM
> To: Security Group
> Cc: [email protected]
> Subject: Re: IDS/IPS system with Foundry sFlow
>
> When you say "with sFlow" do you mean analyze the sFlow records or
> analyze the packets on the wire and correlate it with the sFlow data?
>
> --
> Sent from my iPhone
>
> On Apr 21, 2008, at 3:42 PM, "Security Group" <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>>
>> We have got a network with embedded support for sFlow technology.
>> We also want to have a good IDS/IPS system. Does anyone know a good
>> setup with our Foundry?
>>
>> We noticed that Foundry has their own application called "IronView
>> Network Manager"; it is able to operate with Snort. Does anyone know
>> if this is a good solution? Or should we use an sFlow converter (e.g.
>> InMon sFlow toolkit) that can work with Snort?
>>
>> What are the other possibilities for IDS/IPS besides Snort? It has to
>> operate with the sFlow technology.
>>
>> Kind regards,
>>
>> Babel Timo
>>
>> ---------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>> to learn more.
>> ---------------------------------------------------------------------

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
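Marty's point above, that 1-in-32 sampling still lets a single-packet content signature fire but makes a flowbits state machine useless, can be made concrete with a small simulation. The code below is an added example written for this page; it is not Snort, IronView or InMon code and it parses no real sFlow datagrams. The traffic, the flow keys and the two toy rules (a stateless "EXPLOIT" match, and a STAGE1-then-STAGE2 pair standing in for flowbits:set / flowbits:isset) are all constructed in-line. It goes one step beyond the thread in stating the expected hit rates: assuming sFlow-style independent random sampling at 1/N per packet, a one-packet rule sees 1/N of the attack flows while a two-packet sequence sees only 1/N², which at N=32 is about one flow in a thousand.

```python
"""Added example for this thread (not Snort or Foundry/IronView code):
why 1-in-N packet sampling leaves a stateless content signature usable
but defeats a flowbits-style two-packet state machine.

All packets and flows below are constructed in-line. The two "rules"
are toy stand-ins for a Snort content: rule and a flowbits set/isset
pair; no sFlow datagrams are parsed.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Packet:
    flow: str       # stand-in for the 5-tuple
    payload: bytes


def build_traffic(n_attack_flows: int, noise_per_flow: int = 30) -> List[Packet]:
    """Constructed traffic. Every flow is an attack flow carrying:
      - one packet with 'EXPLOIT' (matched by the single-packet rule), and
      - a 'STAGE1' packet followed later by a 'STAGE2' packet (the
        two-step sequence the flowbits rule needs to see in order),
    padded with benign packets in between."""
    pkts: List[Packet] = []
    for i in range(n_attack_flows):
        flow = "10.0.0.%d:%d->10.0.0.9:80" % (i % 250 + 1, 40000 + i)
        body = [Packet(flow, b"GET /index.html HTTP/1.1") for _ in range(noise_per_flow)]
        body.insert(2, Packet(flow, b"STAGE1"))
        body.insert(len(body) // 2, Packet(flow, b"EXPLOIT"))
        body.append(Packet(flow, b"STAGE2"))
        pkts.extend(body)
    return pkts


def sample(pkts: List[Packet], rate: int, seed: int = 7) -> List[Packet]:
    """sFlow-style random packet sampling: each packet is exported
    independently with probability 1/rate. rate=1 models a tap or SPAN
    feed that delivers every packet."""
    rng = random.Random(seed)
    return [p for p in pkts if rng.randrange(rate) == 0]


def single_packet_rule(pkts: List[Packet]) -> Set[str]:
    """Stateless match, like a plain Snort content:"EXPLOIT"; rule.
    Returns the flows that alerted."""
    return {p.flow for p in pkts if b"EXPLOIT" in p.payload}


def flowbits_rule(pkts: List[Packet]) -> Set[str]:
    """Toy flowbits state machine: rule A matches STAGE1 and sets a bit
    on the flow without alerting (flowbits:set,stage1; flowbits:noalert;);
    rule B alerts on STAGE2 only if the bit is set (flowbits:isset,stage1;).
    Returns the flows that alerted."""
    stage1_seen: Set[str] = set()
    alerts: Set[str] = set()
    for p in pkts:
        if b"STAGE1" in p.payload:
            stage1_seen.add(p.flow)
        elif b"STAGE2" in p.payload and p.flow in stage1_seen:
            alerts.add(p.flow)
    return alerts


def detection_rates(n_flows: int = 10000, rate: int = 32) -> Dict[str, float]:
    """Fraction of attack flows each rule catches at a given sampling
    rate, alongside the expected values under independent sampling:
    1/rate for a single-packet rule, 1/rate**2 for a two-packet sequence
    (both packets must be exported for the state machine to complete)."""
    seen = sample(build_traffic(n_flows), rate)
    return {
        "single_packet": len(single_packet_rule(seen)) / n_flows,
        "flowbits": len(flowbits_rule(seen)) / n_flows,
        "expected_single_packet": 1.0 / rate,
        "expected_flowbits": 1.0 / rate ** 2,
    }


if __name__ == "__main__":
    for r in (1, 32):
        print("sampling 1-in-%d: %s" % (r, detection_rates(rate=r)))
```

With rate=1 (a tap feeding every packet, as Scott prefers) both rules catch every attack flow; at 1-in-32 the stateless rule still catches roughly 3% of them while the two-packet state machine drops to around 0.1%, which is why sampled sFlow is fine for flow accounting but is not a substitute for full packet capture in front of Snort.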
