If Suricata or Snort can analysis netflow data same as Elastiflow
yangcaixing opened this issue · 1 comments
yangcaixing commented
Hi Rob,
Recently I want integrate IDS with ELK to analysis network attack, So I have a question that if the suricata or snort can analysis netflow data instead of the localhost interface data, I want send netflow data to suricata or snort, then the attack or alerts data visualization via ELK, I don't know if it feasible, looking forward your reply , thanks in advance.
robcowart commented
Suricata and Snort (and Zeek/Bro) only analyze network packets. So while you may be able to have them analyze a PCAP file, there is not enough information in a flow record for most of the IDS rules to work.