[Bro] flow-level analysis code
jp.luiggi at free.fr
Sat Dec 18 11:09:38 PST 2004
Anton Chuvakin, Ph.D. wrote:
>> I use Netflow every day and it may be a good thing to use it inside Bro.
>> Who's interested in this topic?
>> I think I (we) may start something.
> I am very interested, but it seems that it is somewhat outside the
> scope of Bro as a classic NIDS. Reading netflow will make no sense
> (for Bro) since there is no packet contents.
If I'm not wrong, Bro just sees the 'local' network; it doesn't work like a
distributed IDS. On the other hand, it's sure that using Netflow does not
give us the ability to see the payload, but with Netflow
- We could see network scans
- We could see some 'not usual' traffic which may break the security's
So maybe using this feature would give us some new 'nice' information?
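
Added example, not part of the original message and not Bro code: a sketch of how flow records without any payload can still reveal a network scan, the first point in the list above. The record fields mirror what NetFlow v5 exports (addresses, destination port, protocol, packet count, cumulative TCP flags); the `Flow` type, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):          # hypothetical record, fields as in NetFlow v5
    src: str
    dst: str
    dport: int
    proto: int                   # 6 = TCP
    packets: int
    tcp_flags: int               # cumulative OR of the flags seen in the flow

SYN, ACK = 0x02, 0x10

def is_probe(f: Flow) -> bool:
    """Heuristic: TCP flow with SYN but never ACK and few packets,
    i.e. the initiator never completed a handshake."""
    return (f.proto == 6 and bool(f.tcp_flags & SYN)
            and not f.tcp_flags & ACK and f.packets <= 3)

def find_scanners(flows, host_threshold=5, port_threshold=5):
    """Return sorted (src, kind, target, count) findings.
    horizontal = one port probed on many hosts,
    vertical   = many ports probed on one host."""
    hosts_by_port = defaultdict(set)    # (src, dport) -> destination hosts
    ports_by_host = defaultdict(set)    # (src, dst)   -> destination ports
    for f in flows:
        if is_probe(f):
            hosts_by_port[(f.src, f.dport)].add(f.dst)
            ports_by_host[(f.src, f.dst)].add(f.dport)
    findings = []
    for (src, dport), dsts in hosts_by_port.items():
        if len(dsts) >= host_threshold:
            findings.append((src, "horizontal", f"port {dport}", len(dsts)))
    for (src, dst), ports in ports_by_host.items():
        if len(ports) >= port_threshold:
            findings.append((src, "vertical", dst, len(ports)))
    return sorted(findings)

# Constructed sample flows (documentation address ranges only).
NORMAL = Flow("198.51.100.5", "192.0.2.10", 80, 6, 12, 0x1B)  # full session
SAMPLE_FLOWS = (
    [Flow("203.0.113.7", f"192.0.2.{i}", 445, 6, 1, SYN) for i in range(1, 7)]
    + [Flow("203.0.113.9", "192.0.2.10", p, 6, 1, SYN) for p in range(20, 27)]
    + [NORMAL]
)

if __name__ == "__main__":
    for finding in find_scanners(SAMPLE_FLOWS):
        print(finding)
```

The thresholds are illustrative; a real deployment would also window the counts by time and exclude known scanners and busy servers.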