[Bro] Netflow ingest with Bro?
rotsted at reservoir.com
Wed Dec 10 10:37:30 PST 2014
Is anyone using Bro's Netflow ingest capabilities? If so, what is the
output? Does Bro generate TCP and UDP events? Does it create a "conn"
Some context from the Bro 1.4 release notes:
Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
(Bernhard Ager). NetFlow can be useful for intrusion detection as it
allows analysis of traffic from many different points in the network.
Bro can now read NetFlow data from a UDP socket, as well as (mostly
for debugging purposes) from a file in a specialized format. You can
create these files with the programs given in aux/nftools.
Reservoir Labs, Inc.