[Bro] Bro vs Netflow

James Lay jlay at slave-tothe-box.net
Mon Jun 22 13:51:22 PDT 2015


On 2015-06-22 02:44 PM, Seth Hall wrote:
>> On Jun 22, 2015, at 4:37 PM, James Lay <jlay at slave-tothe-box.net> 
>> wrote:
>> 
>> I took out softflowd and reverted to my previous version of 
>> logstash.conf.  I have to say, it was pretty cool to have my Kibana 
>> graphs up of Bro's conn.log and softflowd side by side to 
>> compare....was pretty awesome.
> 
> Nice, did you notice any major discrepancies?
> 
>   .Seth
> 

I did not, besides the minor timing thing you described.  For example, 
there's an Android device that fires off to ssl.analytics.google.com at 
exact intervals.  The netflow graph showed these at pretty close to the 
same times (squid logs logged the exact time to syslog), whereas Bro had 
them a little varied, but that was ONLY when you dug in, like to an 
every-5-minute graph.  If you zoomed out to, say, showing the last 12 
hours, you couldn't tell a difference at all.  I didn't notice a 
difference in the packet count or size either.... a good thing :)

James
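
The side-by-side comparison James describes, as an added example that is not code from the thread or from the Bro project: it pairs each bidirectional Bro conn.log record with the two unidirectional NetFlow records a collector would export for the same 5-tuple, checks packet and byte counts, and bins both sides' timestamps at 5-minute and 12-hour widths the way a Kibana date histogram would. The conn.log excerpt is constructed but follows the Bro 2.x conn.log field order; the NetFlow CSV layout (first, last, srcaddr, ..., bytes) is an assumption standing in for whatever the collector in front of logstash emits, not softflowd's own wire format; the hosts are RFC 5737 documentation addresses; and the sub-second offset between the two timestamps in the second connection is constructed to straddle a 5-minute boundary.

```python
"""Compare Bro conn.log records against unidirectional NetFlow records.

Added example (not from the mailing list). The conn.log excerpt is
constructed in Bro 2.x field order; the NetFlow CSV shape is an assumed
collector export, not softflowd's wire format.
"""
import csv
import io
from collections import Counter

# Constructed Bro 2.x conn.log excerpt. Hosts are RFC 5737 documentation addresses.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "1434987000.123456\tCXWv6p3arKYeMETxOg\t192.168.1.50\t49152\t203.0.113.10\t443\ttcp\tssl"
    "\t3.210000\t1200\t5400\tSF\tT\tF\t0\tShADadFf\t12\t1712\t10\t5944\t(empty)",
    # Constructed so Bro's ts sits just before a 5-minute boundary (see NETFLOW_CSV).
    "1434987299.800000\tCmES5u32sYpV7JYN\t192.168.1.50\t49170\t203.0.113.10\t443\ttcp\tssl"
    "\t2.980000\t1188\t5312\tSF\tT\tF\t0\tShADadFf\t12\t1700\t10\t5856\t(empty)",
    "1434987600.500000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.50\t53123\t192.168.1.1\t53\tudp\tdns"
    "\t0.042000\t38\t102\tSF\tT\tT\t0\tDd\t1\t66\t1\t130\t(empty)",
])

# Constructed collector output: one record per direction, epoch-second timestamps,
# IANA protocol numbers. Column names are an assumption for this example.
NETFLOW_CSV = """\
first,last,srcaddr,srcport,dstaddr,dstport,proto,packets,bytes
1434987000.000,1434987003.330,192.168.1.50,49152,203.0.113.10,443,6,12,1712
1434987000.010,1434987003.330,203.0.113.10,443,192.168.1.50,49152,6,10,5944
1434987300.100,1434987303.080,192.168.1.50,49170,203.0.113.10,443,6,12,1700
1434987300.110,1434987303.080,203.0.113.10,443,192.168.1.50,49170,6,10,5856
1434987600.500,1434987600.542,192.168.1.50,53123,192.168.1.1,53,17,1,66
1434987600.530,1434987600.542,192.168.1.1,53,192.168.1.50,53123,17,1,130
"""

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}


def parse_conn_log(text):
    """Parse Bro ASCII conn.log text into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("conn.log data before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def parse_netflow_csv(text):
    """Index unidirectional flow records by (src, sport, dst, dport, proto)."""
    flows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["srcaddr"], int(row["srcport"]), row["dstaddr"], int(row["dstport"]), int(row["proto"]))
        flows[key] = {"first": float(row["first"]), "packets": int(row["packets"]), "bytes": int(row["bytes"])}
    return flows


def compare(conn_records, flows):
    """Pair each Bro connection with its forward and reverse NetFlow records and compare."""
    results = []
    for c in conn_records:
        proto = PROTO_NUM[c["proto"]]
        fwd = flows.get((c["id.orig_h"], int(c["id.orig_p"]), c["id.resp_h"], int(c["id.resp_p"]), proto))
        rev = flows.get((c["id.resp_h"], int(c["id.resp_p"]), c["id.orig_h"], int(c["id.orig_p"]), proto))
        if fwd is None or rev is None:
            results.append({"uid": c["uid"], "matched": False})
            continue
        results.append({
            "uid": c["uid"], "matched": True,
            "bro_ts": float(c["ts"]), "nf_first": fwd["first"],
            "ts_delta": round(float(c["ts"]) - fwd["first"], 6),
            "pkts_match": int(c["orig_pkts"]) == fwd["packets"] and int(c["resp_pkts"]) == rev["packets"],
            # NetFlow octets are layer-3 bytes: compare *_ip_bytes, not payload-only orig_bytes/resp_bytes.
            "ip_bytes_match": int(c["orig_ip_bytes"]) == fwd["bytes"] and int(c["resp_ip_bytes"]) == rev["bytes"],
            "payload_bytes_match": int(c["orig_bytes"]) == fwd["bytes"] and int(c["resp_bytes"]) == rev["bytes"],
        })
    return results


def bin_counts(timestamps, bin_seconds):
    """Histogram timestamps into fixed-width bins, as a date histogram would."""
    return Counter(int(ts // bin_seconds) for ts in timestamps)


def bin_disagreement(results, bin_seconds):
    """Connections whose Bro ts and NetFlow first-seen fall into different bins."""
    return sum(1 for r in results if r["matched"]
               and int(r["bro_ts"] // bin_seconds) != int(r["nf_first"] // bin_seconds))


def run():
    return compare(parse_conn_log(CONN_LOG), parse_netflow_csv(NETFLOW_CSV))


if __name__ == "__main__":
    results = run()
    for r in results:
        print(r)
    for label, width in (("5 min", 300), ("12 h", 43200)):
        print(label, "bins disagreeing:", bin_disagreement(results, width),
              "Bro:", dict(bin_counts([r["bro_ts"] for r in results], width)),
              "NetFlow:", dict(bin_counts([r["nf_first"] for r in results], width)))
```

Packets and IP-layer bytes agree for every connection, payload bytes never do (a common false alarm when the wrong conn.log column is graphed), and the one sub-second timestamp offset moves a connection across a 5-minute bin boundary while the 12-hour bins agree.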

