Netflow as input for Suricata

Hello, all! I’m trying to provide Netflow v9 flows as input for Suricata. Can anyone tell if Suricata is capable of reading Netflow flows to detect events with simpler rules?

I only found one post that mentions Netflow (Suricata 2.1beta1 Available! - Suricata), but I couldn’t understand if Suricata can process it.

Sorry, Suricata cannot work with Netflow as input. It can generate netflow-like records for output, but thats not going to help you. Most of Suricata is geared around packet contents, so Netflow as an input wouldn’t provide enough.

Hey Jason, thanks for the fast response! Just to be clear, Suricata really isn’t able to read Netflow as input at all, or it can read it, but the detection rules have to be simpler to allow the detection? I apologize for stressing this, I just want to be sure because it is a very decisive information for me to finish my master degree thesis.

And, if it is the first case (Suricata really is not able to read Netflow as input), do you happen to know any tool that can detect malicious events in the network using Netflow (or flows in general) as input?

Hi Amanda. Suricata can’t read Netflow, so its not an option if Netflow is all you have. Unfortunately I don’t know of any tools that operate on Netflow input. Ntopng and Qosient Argus I thought used to, but not sure if they do anymore. At most they just report network stats from the flows and maybe show anomalies, but might be worth a look.

Hey Jason! Got it, that’s unfortunate, but understandable. I’ll take a look at Ntopng and Qosient Argus, let’s see if they can help me. Thank you very much for your time!