[Bro] Bro vs Netflow
James Lay
jlay at slave-tothe-box.net
Sat Jun 20 03:33:52 PDT 2015
So in my internet travels I ran across this:
https://www.rsreese.com/parsing-netflow-using-kibana-via-logstash-to-elasticsearch/
A tad outdated but I thought why not....I have syslogs and Bro's
conn.log going into the ELK stack, so let's add netflow to the mix.
After dinking around with it and getting the data in, I realized that
Bro's conn.log pretty much does everything netflow can...unless I'm
missing something? For example, if I want to see what a single IP
address is doing I use this as a filter in Kibana:
type:connlog AND conn_state:S* AND src_ip:192.168.1.100 AND proto:TCP
type:connlog AND conn_state:S* AND src_ip:192.168.1.100 AND proto:UDP
What say you all....any reason not to rip out softflowd and just drive
on with Bro's conn.log? Thank you.
James
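To make the comparison in the post concrete, here is an added example (not part of the original message or of Bro itself) that reads a small conn.log in Bro 2.x TSV layout, applies the same selection as the two Kibana filters above (source IP, protocol, `conn_state` starting with `S`), and then rewrites each bidirectional conn.log entry as the unidirectional records a NetFlow collector would show. The column names (`id.orig_h`, `orig_pkts`, `resp_ip_bytes`, ...) are Bro's own; the post's `src_ip` is assumed to be a Logstash rename of `id.orig_h`. The log lines are constructed, not real traffic.

```python
"""Treat Bro's conn.log as a flow-record source and compare it with NetFlow.

Added example, not code from the original post or from the Bro project.
"""
from collections import namedtuple


def _row(*cols):
    """Join one conn.log record in Bro's tab-separated layout."""
    return "\t".join(cols)


# Constructed sample conn.log (Bro 2.x column order). Not real traffic.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
         "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
         "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"),
    _row("1434789000.1", "C1a", "192.168.1.100", "51000", "93.184.216.34", "80", "tcp", "http",
         "1.2", "300", "4500", "SF", "T", "F", "0", "ShADadFf", "6", "620", "5", "4760", "(empty)"),
    _row("1434789001.5", "C2b", "192.168.1.100", "51001", "10.0.0.5", "22", "tcp", "-",
         "3.0", "0", "0", "S0", "T", "T", "0", "S", "3", "180", "0", "0", "(empty)"),
    _row("1434789002.0", "C3c", "192.168.1.100", "40000", "8.8.8.8", "53", "udp", "dns",
         "0.05", "45", "92", "SF", "T", "F", "0", "Dd", "1", "73", "1", "120", "(empty)"),
    _row("1434789003.2", "C4d", "192.168.1.101", "51002", "93.184.216.34", "80", "tcp", "-",
         "-", "0", "0", "REJ", "T", "F", "0", "Sr", "1", "60", "1", "40", "(empty)"),
    _row("1434789004.7", "C5e", "192.168.1.100", "51003", "10.0.0.9", "443", "tcp", "ssl",
         "0.8", "700", "2100", "RSTO", "T", "T", "0", "ShADadR", "7", "980", "6", "2340", "(empty)"),
])

INT_FIELDS = {"id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes", "missed_bytes",
              "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"}
FLOAT_FIELDS = {"ts", "duration"}


def parse_conn_log(text):
    """Parse Bro conn.log text into a list of dicts keyed by the #fields names.

    Unset ("-") and empty ("(empty)") values become None; counters become int.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #path, #types, #close ...
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rec = {}
        for name, raw in zip(fields, values):
            if raw in ("-", "(empty)"):
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(raw)
            elif name in FLOAT_FIELDS:
                rec[name] = float(raw)
            else:
                rec[name] = raw
        records.append(rec)
    return records


def filter_conn(records, src_ip, proto, state_prefix="S"):
    """Same selection as `conn_state:S* AND src_ip:<ip> AND proto:<proto>`.

    Kibana matched proto case-insensitively in the post (TCP vs tcp), so do the same.
    """
    return [r for r in records
            if r["id.orig_h"] == src_ip
            and (r["proto"] or "").lower() == proto.lower()
            and (r["conn_state"] or "").startswith(state_prefix)]


# A NetFlow-style record: one direction of traffic, packet and byte counters only.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto packets bytes")


def to_netflow_like(records):
    """Split each bidirectional conn.log record into unidirectional flows.

    Directions with zero packets are dropped, as a flow exporter would never emit them.
    """
    flows = []
    for r in records:
        if r["orig_pkts"]:
            flows.append(Flow(r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"],
                              r["proto"], r["orig_pkts"], r["orig_ip_bytes"]))
        if r["resp_pkts"]:
            flows.append(Flow(r["id.resp_h"], r["id.resp_p"], r["id.orig_h"], r["id.orig_p"],
                              r["proto"], r["resp_pkts"], r["resp_ip_bytes"]))
    return flows


def total_bytes(flows):
    """Sum the IP-layer byte counters over a set of flows."""
    return sum(f.bytes for f in flows)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for proto in ("TCP", "UDP"):
        for f in to_netflow_like(filter_conn(recs, "192.168.1.100", proto)):
            print(f)
```

Running it shows the three TCP flows and one UDP flow that a collector would have exported for 192.168.1.100, reconstructed from conn.log alone. The fields that do not survive the conversion (`conn_state`, `history`, `service`, `uid`) are exactly what conn.log carries beyond a classic NetFlow v5 record, which is the practical content of "conn.log does everything netflow can".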