[Bro] Bro vs NetFlow

Swan, Jay jswan at sugf.com
Fri Oct 4 09:54:05 PDT 2013

I've been running Bro 2.1 as part of Security Onion on our Internet edge for quite a while now, and I've found that at least for security-related tasks I now almost always use Bro instead of NetFlow, in situations where I would have previously used NetFlow alone.

We are currently evaluating new NetFlow products, and I started wondering: do folks using Bro also use NetFlow as part of day-to-day operations, or are the NetFlow users generally on a separate network team that's not using Bro at all? Has anyone completely replaced NetFlow with Bro?

I'm aware that Bro has a NetFlow v5 analyzer, but I don't know much about it. Is anyone using that extensively? If so, how?

However, one of the reasons we're looking at a new NetFlow product is for compatibility with various proprietary IPFIX export data, such as Cisco's various exports based off their NBAR2 feature set. I remember Seth mentioning at FloCon that writing an IPFIX analyzer for Bro would be insanely complex, so I don't have hopes of that happening anytime soon.

Jay Swan