From: Masud Hasan (mashasan) Date: Fri, 18 Feb 2022 21:20:13 +0000 (+0000) Subject: Pull request #3278: netflow: add dev_notes.txt X-Git-Tag: 3.1.24.0~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a0027c0ff8d9e43d1026592884c14d36a5e5e7d;p=thirdparty%2Fsnort3.git Pull request #3278: netflow: add dev_notes.txt Merge in SNORT/snort3 from ~MMATIRKO/snort3:netflow-devnotes to master Squashed commit of the following: commit 562995f31163726ee9a547bd3bbb3b50150052b6 Author: Michael Matirko Date: Thu Feb 17 10:33:59 2022 -0500 netflow: add dev_notes.txt --- diff --git a/src/service_inspectors/netflow/dev_notes.txt b/src/service_inspectors/netflow/dev_notes.txt new file mode 100644 index 000000000..534c51793 --- /dev/null +++ b/src/service_inspectors/netflow/dev_notes.txt @@ -0,0 +1,11 @@ +The NetFlow inspector inspects Cisco NetFlow version 5 and 9 traffic. When the device +running Snort3 is placed between a NetFlow collector and exporter, this allows Snort +to generate RNA events based on exported NetFlow flows. + +By means of a template and a record cache, Snort3 keeps track of new and existing +flows, as well as their associated services - similar to host_cache. Events generated +follow the same format as their corresponding RNA events, such as new_host, new_network_proto, +etc. + +Note that these caches are currently thread-local for performance reasons, so the occasional +duplicate event is expected.
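Review bot: the new dev_notes.txt describes a template cache and a record cache that track "new and existing flows" and are thread-local, but it says nothing about how entries are bounded or evicted; a sentence after "similar to host_cache" giving the size limit and expiry/eviction behaviour of each cache (and the resulting per-thread memory cost, since every packet thread keeps its own copy) would make the note useful to someone tuning or reviewing the inspector. The closing line "the occasional duplicate event is expected" should also say which of the listed RNA events (new_host, new_network_proto, etc.) can be emitted twice and why the thread-local split causes it, so consumers of those events know they must de-duplicate rather than treating a repeat as a new observation.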