Hogzilla IDS proposes to identify malicious traffic based on collected network data. At a first moment, we used Snort/libnDPI to identify flows (with attributes) and to tag them using the Snort’s signature database. This data is useful to train methods.
However, collect a large number of details of flows increases the computational costs and the complexity when dealing with big networks.
In this way, we implemented sFlow support in Hogzilla to simplify the data collection, which occurs in network devices (e.g. routers). sFlow is supported by the main vendors and it is quite easy to enable. By other hand, the number of variables collected via sFlow are small when compared with the first approach. Nevertheless, it was possible to implement several methods which are presenting excellent results.
Below, we show some objective answers about our sFlow implementation.
Summary
- What is sFlow?
- Why use sFlow in Hogzilla?
- How is sFlow implemented in Hogzilla?
- What are the disadvantages on using sFlow in Hogzilla?
- In practice, what are the advantages on using Hogilla+sFlow in my network?
- How to install and run it?
1. What is sFlow?
We quote: “sFlow® is an industry standard technology for monitoring high speed switched networks. It gives complete visibility into the use of networks enabling performance optimization, accounting/billing for usage, and defense against security threats. sFlow.org drives the widespread adoption of sFlow by end users, network equipment and software vendors.”
More information at: http://www.sflow.org/about/index.php
2. Why use sFlow in Hogzilla?
To simplify network data collection and reduce computational costs.
3. How is sFlow implemented in Hogzilla?
We chose to make use of available tools. In this case, we used the sFlow collector “sflowtool” with a small binary to insert its output into HBase. Just run the following command:
flowtool -p 6343 -l | ./sflow2hz -h 127.0.0.1 -p 9090
4. What are the disadvantages on using sFlow in Hogzilla?
- SFlow doesn’t provides much information about the network traffic. By its very conception, it collects a “sample”.
- With sFlow we can’t do Deep Packet Inspection (DPI).
5. In practice, what are the advantages on using Hogilla+sFlow in my network?
- You will be able to detect malicious activities in your network, which are impossible to be done with a pattern matching IDS (or IPS).
- Hogzilla IDS has a very low ROI
- Hogzilla IDS has a low rate of false positive alerts
6. How to install and run it?
- Download the pre-installed Virtual Machines or follow the installation guide, clicking here