[Bro] Bro vs Netflow

James Lay jlay at slave-tothe-box.net
Mon Jun 22 13:37:29 PDT 2015


On 2015-06-22 02:00 PM, Seth Hall wrote:
>> On Jun 20, 2015, at 6:33 AM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>> 
>> What say you all....any reason not to rip out softflowd and just drive 
>> on with Bro's conn.log?  Thank you.
> 
> Andrew got the exact reason that you’d still collect netflow.  The Bro
> conn log is significantly different than netflow though.  It’s
> bidirectional (IPFIX can be too, but we’ll ignore that for now).  The
> log doesn’t write out until the connection is complete, whereas
> netflow breaks and writes out frequently which can be great, but can
> also be super annoying if you’re trying to pay attention to the full
> life cycle of a connection forensically.  There are several extra
> fields in the Bro logs that netflow doesn’t have too (history and
> service being two that immediately come to mind).
> 
> If you’re generating netflow though, there is almost never any benefit
> these days unless you have a netflow analysis solution in place that
> you’d like to feed and you can’t collect from routers anymore, usually
> because your routers can only do sampled netflow.
> 
>   .Seth

Thanks Seth,

I took out softflowd and reverted to my previous version of 
logstash.conf.  I have to say, it was pretty cool to have my Kibana 
graphs up of Bro's conn.log and softflowd side by side to compare. It was 
pretty awesome.

James
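The difference Seth describes above (one bidirectional conn.log record per connection, with fields like history and service that a unidirectional netflow record has no slot for) is easy to see by parsing a conn.log and splitting each row into the two one-way flows a netflow exporter would emit. The following is an added example, not code from the thread or from the Bro project; the log excerpt embedded in it is constructed in the Bro 2.x ASCII format, and the flow records it produces are a simplified netflow-style shape, not any real exporter's format.

```python
"""Parse a Bro conn.log (ASCII, tab-separated) and show what a unidirectional
netflow-style export of the same connections would lose."""
from typing import Dict, List, Optional

# Constructed conn.log excerpt in Bro 2.x ASCII format (not a real capture).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2015-06-22-13-37-29",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes"
    "\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount"
    "\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount"
    "\tset[string]",
    # Completed HTTP connection: both sides sent data, full TCP history.
    "1434999449.123456\tCXWv6p3arKYeMETxOg\t192.168.1.10\t52313\t93.184.216.34"
    "\t80\ttcp\thttp\t0.215\t412\t1337\tSF\tT\tF\t0\tShADadFf\t6\t732\t5\t1597"
    "\t(empty)",
    # DNS request/response pair.
    "1434999450.000000\tCjhGID4nQcgTWjvg4c\t192.168.1.10\t51234\t8.8.8.8\t53"
    "\tudp\tdns\t0.012\t40\t120\tSF\tT\tF\t0\tDd\t1\t68\t1\t148\t(empty)",
    # Unanswered SYN to port 22: no service, no duration, nothing from responder.
    "1434999451.500000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t44000\t192.168.1.10\t22"
    "\ttcp\t-\t-\t-\t-\tS0\tF\tT\t0\tS\t1\t60\t0\t0\t(empty)",
    "#close\t2015-06-22-13-40-00",
])

# conn.log fields with no counterpart in a classic unidirectional flow record.
CONN_ONLY_FIELDS = ("uid", "service", "history", "conn_state", "missed_bytes")


def parse_conn_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per data row, keyed by the names in the #fields header.
    Unset values ('-') become None; empty values ('(empty)') become ''."""
    fields: Optional[List[str]] = None
    unset, empty = "-", "(empty)"
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header/trailer lines carry the column names and sentinel values.
            key, _, value = line.partition("\t")
            if key == "#fields":
                fields = value.split("\t")
            elif key == "#unset_field":
                unset = value
            elif key == "#empty_field":
                empty = value
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rec: Dict[str, Optional[str]] = {}
        for name, raw in zip(fields, values):
            rec[name] = None if raw == unset else ("" if raw == empty else raw)
        records.append(rec)
    return records


def to_netflow_style(rec: Dict[str, Optional[str]]) -> List[Dict[str, object]]:
    """Split one bidirectional conn.log record into unidirectional flow
    records (orig->resp, then resp->orig). Only the 5-tuple plus packet and
    byte counts survive; the reverse flow is omitted when the responder never
    sent a packet, just as an exporter would never see that flow."""
    def count(name: str) -> int:
        v = rec.get(name)
        return int(v) if v not in (None, "") else 0

    common = {"proto": rec["proto"]}
    forward = dict(common, src=rec["id.orig_h"], sport=int(rec["id.orig_p"]),
                   dst=rec["id.resp_h"], dport=int(rec["id.resp_p"]),
                   pkts=count("orig_pkts"), bytes=count("orig_ip_bytes"))
    reverse = dict(common, src=rec["id.resp_h"], sport=int(rec["id.resp_p"]),
                   dst=rec["id.orig_h"], dport=int(rec["id.orig_p"]),
                   pkts=count("resp_pkts"), bytes=count("resp_ip_bytes"))
    return [forward, reverse] if reverse["pkts"] > 0 else [forward]


def lost_fields(rec: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """The conn.log-only fields (and their values) that the netflow-style
    split above discards for this record."""
    return {name: rec.get(name) for name in CONN_ONLY_FIELDS}


if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        print(rec["uid"], "->", to_netflow_style(rec))
        print("   dropped:", lost_fields(rec))
```

The history column is the field worth keeping an eye on: its letters record, in order, which side did what (uppercase for the originator, lowercase for the responder), so a single conn.log row tells you whether a connection was answered, which side closed it and whether data flowed, while the two netflow-style rows above only tell you that packets went each way.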
