[Bro] flow-level analysis code

jean-philippe luiggi jp.luiggi at free.fr
Sat Dec 18 11:09:38 PST 2004


Anton Chuvakin, Ph.D. wrote:

>> I use Netflow every day and it may be a good thing to use it inside Bro.
>> Who's interested in this topic?
>> I think I (we) may start something.
>
>
> I am very interested, but it seems that it is somewhat outside the 
> scope of Bro as a classic NIDS. Reading netflow will make no sense 
> (for Bro) since there is no packet contents.
>
> Best,

Hello Anton,

If I'm not wrong, Bro just sees the 'local' network; it doesn't work like a
distributed IDS. On the other hand, it's certain that using Netflow does not
give us the ability to see the payload, but with Netflow:
- We could see network scans
- We could see some 'not usual' traffic which may break the security
rules

So maybe using this feature would give us some new 'nice' information?



