[Bro] Netflow ingest with Bro?
rotsted at reservoir.com
Wed Dec 10 13:29:01 PST 2014
Good to know. Thanks for the quick reply, Robin!
On Wed, Dec 10, 2014 at 11:45 AM, Robin Sommer <robin at icir.org> wrote:
> On Wed, Dec 10, 2014 at 10:37 -0800, Robert Rotsted wrote:
>> Is anyone using Bro's Netflow ingest capabilities? If so, what is the
>> output? Does Bro generate TCP and UDP events? Does it create a "conn"
> Two netflow events:
> event netflow_v5_header(h: nf_v5_header);
> event netflow_v5_record(r: nf_v5_record);
> I don't think we ever had a standard script doing something further
> with these.
> Note, the Netflow support has been removed in current git master along
> with some of the restructuring, as it was neither much used nor tested
> at all. But it's not inconceivable to bring it back before the next
> release if there's demand for it.
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
Reservoir Labs, Inc.