[Bro] Netflow and Bro

Robin Sommer robin at icir.org
Mon Nov 28 08:40:34 PST 2011


On Sun, Nov 27, 2011 at 00:43 -0500, you wrote:

> I am able to use bro as netflow collector now but I am unable to
> proceed after this point. Should I use the existing scripts on the
> netflow data to detect the threats? Or should I write my own
> scripts?

Currently, we don't have any Bro scripts for NetFlow processing, so
you'll need to write your own ones. Feeding NetFlow into the existing
scripts (which would be mainly the scan detection I think) would
probably be tricky as the scan.bro code (from 1.5) is already quite
complex. We're planning to migrate that over to the new Metrics
framework. That would probably also be the best starting point with
NetFlow.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
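
The reply suggests starting NetFlow detection from the Metrics-framework idea (count something per key, fire on a threshold) rather than from the connection-state logic in scan.bro. The following is an added example that is not Bro code and not from the Bro project; it sketches that approach in plain Python over constructed NetFlow v5-style records. The field names, the window and the threshold are assumptions chosen for illustration.

```python
"""Threshold-based address-scan indicator over NetFlow-style records.

Added example (not Bro code, not from the Bro project). It shows the shape
of a metrics-style detector: key = source address, measurement = number of
distinct (destination, port) targets, a time window, and a threshold that
fires once per key. Record field names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """Subset of NetFlow v5 fields needed for target counting (assumed names)."""
    start: float    # flow start time in seconds
    src: str
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int


class DistinctTargetMetric:
    """Per-source count of distinct (dst, dport) pairs within a sliding window."""

    def __init__(self, window: float, threshold: int):
        self.window = window
        self.threshold = threshold
        self._seen = defaultdict(list)  # src -> [(start, (dst, dport)), ...]
        self._fired = set()             # sources already reported

    def add(self, rec: FlowRecord):
        """Record one flow; return a notice string when the threshold is first crossed."""
        bucket = self._seen[rec.src]
        bucket.append((rec.start, (rec.dst, rec.dport)))
        # Expire entries older than the window, measured from the newest flow.
        cutoff = rec.start - self.window
        bucket = [e for e in bucket if e[0] >= cutoff]
        self._seen[rec.src] = bucket
        targets = {target for _, target in bucket}
        if len(targets) >= self.threshold and rec.src not in self._fired:
            self._fired.add(rec.src)
            return (f"AddressScan: {rec.src} contacted {len(targets)} distinct "
                    f"targets within {self.window:.0f}s")
        return None


def run_detector(records, window: float, threshold: int):
    """Feed records in start-time order and collect the notices raised."""
    metric = DistinctTargetMetric(window, threshold)
    notices = []
    for rec in sorted(records, key=lambda r: r.start):
        notice = metric.add(rec)
        if notice:
            notices.append(notice)
    return notices


# Constructed sample flows: one host sweeps TCP/22 across twelve addresses in
# twelve seconds; another host has a handful of ordinary flows.
SAMPLE_FLOWS = [
    FlowRecord(100.0 + i, "10.0.0.5", f"10.1.0.{i + 1}", 22, 6, 1, 60)
    for i in range(12)
] + [
    FlowRecord(101.0, "10.0.0.9", "10.1.0.1", 80, 6, 12, 4800),
    FlowRecord(102.0, "10.0.0.9", "10.1.0.1", 443, 6, 20, 9000),
    FlowRecord(103.0, "10.0.0.9", "10.1.0.2", 53, 17, 2, 180),
]

if __name__ == "__main__":
    for line in run_detector(SAMPLE_FLOWS, window=60.0, threshold=10):
        print(line)
```

Flows carry no payload and no connection-state detail, so the measurement here is purely count-based; the window and threshold are the knobs a real deployment would tune per site, and the once-per-key `_fired` set keeps a long sweep from producing a notice on every subsequent flow.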


