[Bro] Bro vs NetFlow

Seth Hall seth at icir.org
Tue Oct 8 06:40:36 PDT 2013

On Oct 8, 2013, at 9:26 AM, "Swan, Jay" <jswan at sugf.com> wrote:

> I probably screwed up by titling the thread Bro *versus* NetFlow... I was mainly curious if anyone had managed to do away with NetFlow analysis through pervasive use of Bro. I didn't think that would likely be the case.

I've been meaning to write some scripts for Bro to start doing netflow logging and analysis for a long time, but I still haven't done it.

> I don't think I could get all the performance-related data I want just from Bro, at least at my current level of expertise. Forensically, I think Bro has almost everything I want, but putting sensors at every tiny location we have is logistically infeasible

Yep, I think this is the major win with netflow. Its pervasive deployment certainly has a lot of benefits.

> Hence, we're looking for a new (probably commercial) NetFlow product.

Yeah, Bro is definitely not in a position right now to fill that need for you.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
