[Bro] Bro vs Netflow
jlay at slave-tothe-box.net
Sat Jun 20 03:33:52 PDT 2015
So in my internet travels I ran across this:
A tad outdated but I thought why not... I have syslogs and Bro's
conn.log going into the ELK stack, so let's add netflow to the mix.
After dinking around with it and getting the data in, I realized that
Bro's conn.log pretty much does everything netflow can...unless I'm
missing something? For example, if I want to see what a single IP
address is doing I use this as a filter in Kibana:
type:connlog AND conn_state:S* AND src_ip:192.168.1.100 AND proto:TCP
type:connlog AND conn_state:S* AND src_ip:192.168.1.100 AND proto:UDP
What say you all... any reason not to rip out softflowd and just drive
on with Bro's conn.log? Thank you.
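An added example, not code from the original post or from the Bro project: it parses constructed conn.log records, applies the same filter as the Kibana queries above (the poster's src_ip field is assumed to be a renamed id.orig_h), and rolls the matches up into NetFlow-style per-flow byte and packet counts, which is exactly the overlap the post is asking about.

```python
# Constructed sample in Bro's tab-separated conn.log layout. A real file also
# carries #separator/#types preamble lines, which the parser skips.
SAMPLE_CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1434792000.1\tCabc1\t192.168.1.100\t50123\t93.184.216.34\t80\ttcp\thttp\t0.52\t431\t1200\tSF\tT\t0\tShADadFf\t6\t751\t5\t1460\t(empty)
1434792001.7\tCabc2\t192.168.1.100\t50124\t10.0.0.5\t443\ttcp\tssl\t0.01\t0\t0\tS0\tT\t0\tS\t1\t60\t0\t0\t(empty)
1434792002.3\tCabc3\t192.168.1.100\t5353\t224.0.0.251\t5353\tudp\tdns\t-\t80\t-\tS0\tT\t0\tD\t1\t108\t0\t0\t(empty)
1434792003.9\tCabc4\t10.0.0.9\t40000\t192.168.1.100\t22\ttcp\tssh\t3.4\t2000\t3000\tSF\tF\t0\tShAdDaFf\t20\t3040\t18\t3936\t(empty)
1434792004.2\tCabc5\t192.168.1.100\t50125\t10.0.0.5\t443\ttcp\t-\t-\t-\t-\tREJ\tT\t0\tSr\t1\t60\t1\t40\t(empty)
"""


def parse_conn_log(text):
    """Yield one dict per conn.log record, naming columns from the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        yield dict(zip(fields, line.split("\t")))


def to_int(value):
    # Bro writes "-" for unset counters; treat it as zero when rolling up.
    return 0 if value == "-" else int(value)


def flow_summary(records, src_ip, proto, state_prefix="S"):
    """Mirror the Kibana filter (src_ip AND proto AND conn_state:S*) and roll
    the matches up into NetFlow-style counters keyed by the 5-tuple.
    Kibana matches analyzed fields case-insensitively, so proto is lowered."""
    flows = {}
    for r in records:
        if r["id.orig_h"] != src_ip or r["proto"].lower() != proto.lower():
            continue
        if not r["conn_state"].startswith(state_prefix):
            continue
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        agg = flows.setdefault(key, {"conns": 0, "orig_bytes": 0, "resp_bytes": 0, "pkts": 0})
        agg["conns"] += 1
        agg["orig_bytes"] += to_int(r["orig_ip_bytes"])   # IP-layer bytes, like NetFlow
        agg["resp_bytes"] += to_int(r["resp_ip_bytes"])
        agg["pkts"] += to_int(r["orig_pkts"]) + to_int(r["resp_pkts"])
    return flows


if __name__ == "__main__":
    records = list(parse_conn_log(SAMPLE_CONN_LOG))
    for proto in ("TCP", "UDP"):
        for key, agg in flow_summary(records, "192.168.1.100", proto).items():
            print(proto, key, agg)
```

The REJ connection is dropped by the conn_state:S* filter just as it would be in Kibana, and inbound traffic to the host (id.orig_h of another address) is excluded because the filter is on the originator only.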