[Bro] Netflow ingest with Bro?

Robin Sommer robin at icir.org
Wed Dec 10 11:45:31 PST 2014



On Wed, Dec 10, 2014 at 10:37 -0800, Robert Rotsted wrote:

> Is anyone using Bro's Netflow ingest capabilities? If so, what is the
> output? Does Bro generate TCP and UDP events? Does it create a "conn"
> log?

Two netflow events:

    event netflow_v5_header(h: nf_v5_header);
    event netflow_v5_record(r: nf_v5_record);

I don't think we ever had a standard script doing something further
with these.

Note, the Netflow support has been removed in current git master along
with some of the restructuring, as it was neither much used nor tested
at all. But it's not inconceivable to bring it back before the next
release if there's demand for it.

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
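
Added example, not part of the original message or of Bro's code: a small NetFlow v5 datagram parser that returns one header and a list of flow records, the same header/record split as the two events named above. Field names follow the NetFlow v5 export format and are an assumption here, not taken from Bro's `nf_v5_header`/`nf_v5_record` types; the sample datagram is constructed.

```python
import ipaddress
import struct

# NetFlow v5 export format: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBB2x")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "pkts",
                 "octets", "first", "last", "srcport", "dstport", "tcp_flags",
                 "prot", "tos", "src_as", "dst_as", "src_mask", "dst_mask")
MAX_RECORDS = 30  # a v5 export datagram carries at most 30 flow records


def parse_netflow_v5(datagram: bytes):
    """Return (header, records) for one v5 UDP payload; ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version={header['version']})")
    count = header["count"]
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"record count {count} out of range")
    # Never trust the count field alone: it must match the bytes received.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("datagram length does not match header count")
    records = []
    for i in range(count):
        offset = HEADER.size + i * RECORD.size
        rec = dict(zip(RECORD_FIELDS, RECORD.unpack_from(datagram, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(ipaddress.IPv4Address(rec[key]))
        records.append(rec)
    return header, records


def sample_datagram() -> bytes:
    """Constructed sample: one TCP flow 192.0.2.10:51000 -> 198.51.100.5:443."""
    header = HEADER.pack(5, 1, 100000, 1418240000, 0, 7, 0, 0, 0)
    record = RECORD.pack(ipaddress.IPv4Address("192.0.2.10").packed,
                         ipaddress.IPv4Address("198.51.100.5").packed,
                         bytes(4), 1, 2, 12, 3400, 90000, 95000,
                         51000, 443, 0x1B, 6, 0, 0, 0, 24, 24)
    return header + record


if __name__ == "__main__":
    print(parse_netflow_v5(sample_datagram()))
```
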


