We use both; they're very complementary. Detailed info from Bro, less so with NetFlow. We collect NetFlow from our core routers and border fibers (using Argus and indexing them live into Splunk); Bro is just border and a few key places internally. We're using Snort also - why settle for less info when you can have more? :-)

--- Steve