[Bro] Bro vs Netflow
jlay at slave-tothe-box.net
Mon Jun 22 13:37:29 PDT 2015
On 2015-06-22 02:00 PM, Seth Hall wrote:
>> On Jun 20, 2015, at 6:33 AM, James Lay <jlay at slave-tothe-box.net>
>> What say you all....any reason not to rip out softflowd and just drive
>> on with Bro's conn.log? Thank you.
> Andrew got the exact reason that you’d still collect netflow. The Bro
> conn log is significantly different than netflow though. It’s
> bidirectional (IPFIX can be too, but we’ll ignore that for now). The
> log doesn’t write out until the connection is complete, whereas
> netflow breaks and writes out frequently which can be great, but can
> also be super annoying if you’re trying to pay attention to the full
> life cycle of a connection forensically. There are several extra
> fields in the Bro logs that netflow doesn’t have too (history and
> service being two that immediately come to mind).
> If you’re generating netflow though, there is almost never any benefit
> these days unless you have a netflow analysis solution in place that
> you’d like to feed and you can’t collect from routers anymore, usually
> because your routers can only do sampled netflow.
I took out softflowd and reverted to my previous version of
logstash.conf. I have to say, it was pretty cool to have my Kibana
graphs up of Bro's conn.log and softflowd side by side to compare....was
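As an added illustration of the differences Seth lists (not code from the thread or from Bro itself): parsing a constructed conn.log excerpt in Bro's TSV layout, expanding the history field into the connection life cycle, and stitching constructed unidirectional netflow-style records into bidirectional ones, the join conn.log already does for you. All sample records and the field subset are constructed for this example.

```python
"""Added example: conn.log vs. unidirectional netflow, on constructed records."""
from collections import defaultdict

# Constructed conn.log excerpt in Bro's default TSV layout (a #fields header
# names the columns; only a subset of the real columns is used here).
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory
1434980000.123\tCabc123\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t1.25\t430\t12000\tSF\tShADadFf
1434980001.500\tCdef456\t10.0.0.5\t51235\t192.0.2.20\t443\ttcp\t-\t0.01\t0\t0\tS0\tS
"""

# History letters: uppercase = sent by originator, lowercase = sent by responder.
HISTORY_LETTERS = {"s": "SYN", "h": "SYN+ACK", "a": "ACK", "d": "data",
                   "f": "FIN", "r": "RST", "t": "retransmission", "c": "bad checksum"}

def parse_conn_log(text):
    """Parse conn.log TSV text into dicts keyed by the #fields column names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def describe_history(history):
    """Expand a history string into the per-packet life cycle it records,
    the forensic detail a periodically exported netflow record cannot give."""
    return [f"{'orig' if ch.isupper() else 'resp'}:{HISTORY_LETTERS.get(ch.lower(), ch)}"
            for ch in history]

# Constructed unidirectional records as a softflowd-style exporter would emit
# them: one per direction, no service and no history field.
NETFLOW = [
    {"src": "10.0.0.5", "sport": 51234, "dst": "192.0.2.10", "dport": 80, "proto": "tcp", "bytes": 430},
    {"src": "192.0.2.10", "sport": 80, "dst": "10.0.0.5", "dport": 51234, "proto": "tcp", "bytes": 12000},
]

def pair_flows(flows):
    """Join unidirectional records into bidirectional ones on a direction-
    independent key. Note the sides are ordered lexicographically, not by who
    initiated: without the handshake these records cannot tell orig from resp."""
    bidir = defaultdict(lambda: {"fwd_bytes": 0, "rev_bytes": 0})
    for f in flows:
        a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
        key = (min(a, b), max(a, b), f["proto"])
        bidir[key]["fwd_bytes" if a == min(a, b) else "rev_bytes"] += f["bytes"]
    return dict(bidir)
```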