[Bro] Bro vs Netflow

Seth Hall seth at icir.org
Mon Jun 22 13:00:42 PDT 2015


> On Jun 20, 2015, at 6:33 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> What say you all....any reason not to rip out softflowd and just drive on with Bro's conn.log?  Thank you.

Andrew got the exact reason that you’d still collect netflow.  The Bro conn log is significantly different than netflow though.  It’s bidirectional (IPFIX can be too, but we’ll ignore that for now).  The log doesn’t write out until the connection is complete, whereas netflow breaks and writes out frequently which can be great, but can also be super annoying if you’re trying to pay attention to the full life cycle of a connection forensically.  There are several extra fields in the Bro logs that netflow doesn’t have too (history and service being two that immediately come to mind).

If you’re generating netflow though, there is almost never any benefit these days unless you have a netflow analysis solution in place that you’d like to feed and you can’t collect from routers anymore, usually because your routers can only do sampled netflow.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150622/d5711472/attachment.bin 


More information about the Bro mailing list