[Bro] Bro vs NetFlow
jswan at sugf.com
Fri Oct 4 09:54:05 PDT 2013
I've been running Bro 2.1 as part of Security Onion on our Internet edge for quite a while now, and I've found that at least for security-related tasks I now almost always use Bro instead of NetFlow, in situations where I would have previously used NetFlow alone.
We are currently evaluating new NetFlow products, and I started wondering: do folks using Bro also use NetFlow as part of day-to-day operations, or are the NetFlow users generally on a separate network team that's not using Bro at all? Has anyone completely replaced NetFlow with Bro?
I'm aware that Bro has a NetFlow v5 analyzer, but I don't know much about it. Is anyone using that extensively? If so, how?
However, one of the reasons we're looking at a new NetFlow product is for compatibility with various proprietary IPFIX export data, such as Cisco's various exports based off their NBAR2 feature set. I remember Seth mentioning at FloCon that writing an IPFIX analyzer for Bro would be insanely complex, so I don't have hopes of that happening anytime soon.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro