[Bro] Bro's evolutions

Jim Mellander jmellander at lbl.gov
Fri Sep 8 16:07:32 PDT 2006


LBL is running a netflow -> bro conversion package for internal
monitoring.  In brief, we collect netflow records, parse them into Bro
events, which are sent to a running Bro via the Broccoli library.  If
you're interested in working with this, great - it needs some help, as it's a
bit of a hack.  I'll be happy to share what I'm doing...

Jean-Philippe Luiggi wrote:
> Hello All,
> 
> Several things:
> 
> While I just sent a mail to Vern last week asking about the
> availability of the svn repository, I too agree with Christian,
> this access can bring its batch of problems so ...
> 
> Another subject we spoke about a few months ago (if not a year): "Netflow"
> Let's imagine we would like to have this used in "Bro"; how would we do this?
> 
> There are at least several solutions:
> 
> - Getting Netflow's flows directly inside Bro (turning it into
> something like a collector such as flow-tools, nfcapd, etc.)
>  
> - Use an external collector like one of those I mention above
> and let Bro get information from the data.
> 
> In security, I like the principle of unicity, so the second approach is
> better for me (an IDS is an IDS, not a Netflow collector). 
> 
> So, any advice, comments...
> 
> Thank you.
> 
> Best regards.
> 


-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

You're out of memory
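
The netflow-to-Bro conversion Jim describes, as an added illustration that is not the LBL package's code and does not touch Broccoli itself: a parser for NetFlow v5 datagrams that turns each record into a Bro-style flow event (the event field names are this example's own assumption, not a Bro definition), with a bounds check so a truncated or corrupt datagram is rejected rather than over-read. The sample datagram is constructed.

```python
import socket
import struct

# NetFlow v5 wire layout, network byte order: 24-byte header, then `count`
# fixed 48-byte flow records (field order per the public v5 format).
HEADER_FMT = "!HHIIIIBBH"
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)  # 24, 48


def parse_netflow_v5(datagram: bytes) -> list:
    """Parse one v5 datagram into Bro-style flow events (dicts).
    The event shape below is this example's own choice, not Bro's."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, uptime, secs = struct.unpack_from(HEADER_FMT, datagram)[:4]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # Never trust the advertised count: a truncated or corrupt datagram
    # would otherwise make the collector read past the received bytes.
    present = (len(datagram) - HEADER_LEN) // RECORD_LEN
    if count > present:
        raise ValueError(f"header claims {count} records, {present} present")
    base = secs - uptime / 1000.0  # exporter boot time, epoch seconds
    events = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, first, last, sport, dport,
         _p1, flags, proto, _tos, _sas, _das, _sm, _dm, _p2) = \
            struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        events.append({  # 'first'/'last' are exporter uptime in ms
            "id": {"orig_h": socket.inet_ntoa(src), "orig_p": sport,
                   "resp_h": socket.inet_ntoa(dst), "resp_p": dport},
            "proto": proto, "pkts": pkts, "bytes": octets, "tcp_flags": flags,
            "start": base + first / 1000.0, "duration": (last - first) / 1000.0,
        })
    return events


def build_sample_datagram() -> bytes:
    """Constructed two-record v5 datagram used as offline test input."""
    flows = [  # (src, dst, sport, dport, proto, pkts, bytes, tcp_flags)
        ("10.0.0.5", "192.0.2.10", 40000, 22, 6, 12, 1400, 0x18),
        ("10.0.0.7", "192.0.2.20", 51234, 53, 17, 1, 70, 0x00),
    ]
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(s), socket.inet_aton(d),
                    b"\0\0\0\0", 1, 2, pk, by, 1000, 2500, sp, dp, 0, fl, pr,
                    0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, by, fl in flows)
    header = struct.pack(HEADER_FMT, 5, len(flows), 60000, 1157760452, 0, 1, 0, 0, 0)
    return header + body
```

A real converter would read datagrams from a UDP socket and hand each event to Bro over Broccoli; the parsing and the count check are the part that is independent of that transport.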


