[Bro] Bro vs Netflow

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Sat Jun 20 04:05:50 PDT 2015


James,
I think you’re right, but sometimes you can get Netflow from locations where you might not easily be able to put a Bro sensor.

Kind regards,
Andy
Andrew.Ratcliffe at NSWCSystems.co.uk
CISSP, GCIA, GCIH, GPEN, GWAPT, CSTA, CSTP, CWSA, GCFE
Blog.InfoSecMatters.net <http://blog.infosecmatters.net/>






> On 20 Jun 2015, at 11:33, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> So in my internet travels I ran across this:
> 
> https://www.rsreese.com/parsing-netflow-using-kibana-via-logstash-to-elasticsearch/ <https://www.rsreese.com/parsing-netflow-using-kibana-via-logstash-to-elasticsearch/>
> 
> A tad outdated but I thought why not....I have syslogs and Bro's conn.log going into the ELK stack, so let's add netflow to the mix.  After dinking around with it and getting the data in, I realized that Bro's conn.log pretty much does everything netflow can...unless I'm missing something?  For example, if I want to see what a single IP address is doing I use this as a filter in Kibana:
> 
> type:connlog AND conn_state:S* AND src_ip:192.168.1.100 AND proto:TCP
> type:connlog AND conn_state:S* AND src_ip:192.168.1.100 AND proto:UDP
> 
> What say you all....any reason not to rip out softflowd and just drive on with Bro's conn.log?  Thank you.
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150620/f7220f22/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150620/f7220f22/attachment.bin 


More information about the Bro mailing list