Focus on IDS

Thread: IDS/IPS system with Foundry sFlow
IDS/IPS system with Foundry sFlow, Apr 21 2008 07:42PM, Security Group (secgro gmail com) (3 replies)
Re: IDS/IPS system with Foundry sFlow, Apr 22 2008 06:18PM, Martin Roesch (roesch sourcefire com) (3 replies)
RE: IDS/IPS system with Foundry sFlow, Apr 23 2008 01:44PM, Monk, Scott (MonkScott bfusa com) (1 replies)
RE: IDS/IPS system with Foundry sFlow, Apr 22 2008 07:48PM, Adamo, Alfonso (Alfonso Adamo peelregion ca)

Hi Scott,
1-in-32 sampling is going to limit what you can do as far as layer 7
analysis to straight attack signatures; you won't be able to take
advantage of Snort's ability to define state machines using the rules
language's flowbits feature and do protocol-based analysis and
detection. It'll work, but you'll be pretty limited if I understand
what you're saying.
-Marty
On Apr 23, 2008, at 9:44 AM, Monk, Scott wrote:
> Yes, the sFlow is sampled 1 of 32 packets and higher. Yes, IronView
> can export all data in real time to a pcap format that snort (locally or
> remotely) can read and then send alerts back to the IronView console.
> Also Lancope has a StealthWatch XE for sFlow.
>
> Thanks,
> Scott
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
> On Behalf Of Martin Roesch
> Sent: Tuesday, April 22, 2008 1:19 PM
> To: Security Group
> Cc: focus-ids (at) securityfocus (dot) com
> Subject: Re: IDS/IPS system with Foundry sFlow
>
> When you say "with sFlow" do you mean analyze the sFlow records or
> analyze the packets on the wire and correlate it with the sFlow data?
>
> --
> Sent from my iPhone
>
> On Apr 21, 2008, at 3:42 PM, "Security Group" <secgro (at) gmail (dot) com>
> wrote:
>
>> Hello,
>>
>> We have got a network with an embedded support for sFlow technology.
>> We also want to have a good IDS/IPS system. Does anyone know a good
>> setup with our foundry?
>>
>> We noticed that Foundry got their own application called "IronView
>> Network Manager", it is able to operate with snort. Does anyone know
>> if this is a good solution? Or should we use an sFlow converter (e.g.
>> InMon sFlow toolkit) that can work with snort?
>>
>> What are the other possibilities for IDS/IPS besides snort. It has to
>> operate with the sFlow technology.
>>
>> Kind regards,
>>
>> Babel Timo
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>> to learn more.
>> ------------------------------------------------------------------------
>>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
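Marty's point about sampling can be quantified: with independent 1-in-N packet sampling, a rule that must see k packets of the same flow only fires with probability about 1/N^k, so a two-stage flowbits rule under 1-in-32 sampling fires roughly one time in a thousand while a single-packet content match still fires one time in 32. The simulation below is an added example, not code from the thread, from Snort or from any sFlow product; the flows, payload labels and the flowbits-style detector are constructed for illustration.

```python
import random

SAMPLE_RATE = 32      # 1-in-32 sFlow packet sampling, as described in the thread
FLOWS = 100_000       # constructed: number of simulated flows per run


def sample(packets, rate, rng):
    """Packets an sFlow agent would export at independent 1-in-rate sampling."""
    return [p for p in packets if rng.randrange(rate) == 0]


def single_packet_rule(packets):
    """Stateless content match: fires if any exported packet carries the payload."""
    return any(p["payload"] == "ATTACK" for p in packets)


def flowbits_rule(packets):
    """Two-stage flowbits-style rule: stage 1 sets a bit, stage 2 alerts only if set."""
    bit_set = False
    for p in packets:
        if p["payload"] == "STAGE1":
            bit_set = True
        elif p["payload"] == "STAGE2" and bit_set:
            return True
    return False


def expected_rate(rate, stages):
    """Analytic detection probability for a rule needing `stages` packets of one flow."""
    return rate ** -stages


def detection_rates(rate=SAMPLE_RATE, flows=FLOWS, seed=1):
    """Fraction of flows each rule detects after sampling (single-packet, flowbits)."""
    rng = random.Random(seed)
    single_hits = flowbits_hits = 0
    for _ in range(flows):
        # constructed flow: a two-packet sequence with a single-packet signature between
        flow = [{"payload": "STAGE1"}, {"payload": "ATTACK"}, {"payload": "STAGE2"}]
        seen = sample(flow, rate, rng)
        single_hits += single_packet_rule(seen)
        flowbits_hits += flowbits_rule(seen)
    return single_hits / flows, flowbits_hits / flows


if __name__ == "__main__":
    single, flowbits = detection_rates()
    print(f"1-in-{SAMPLE_RATE}: single-packet rule {single:.4f} "
          f"(expected {expected_rate(SAMPLE_RATE, 1):.4f}), "
          f"flowbits rule {flowbits:.5f} (expected {expected_rate(SAMPLE_RATE, 2):.5f})")
```

Rerun with `rate=1` to confirm both rules reach 100% on unsampled traffic; the gap between the two rates is the cost of sampling to stateful detection.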