[Bro] Bro connections v. NetFlow

[Alec Waters]

We set our routers to export flows after one minute if they’re still in progress (it’ll continue to send a flow export every minute until it’s complete). More info here:

 

https://www.manageengine.com/products/netflow/help/cisco-netflow/cisco-ios-netflow.html (“ip flow-cache timeout active 1” is the command to use)

 

This means that, AFAIUI, Netflow can be made to be more timely than Bro. Bro will only output a bro_conn when the flow has been deemed to have finished.

 

Also, Netflow exports are unidirectional – you get separate flow exports for A->B and B->A. With Bro, a bro_conn logs traffic in both directions.

 

alec

 

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Hoelzer, Dave
Sent: 25 August 2016 01:48
To: Navraj Singh; bro at bro.org
Subject: Re: [Bro] Bro connections v. NetFlow

 

Netflow connections are generally logged and a new connection recorded if they exceed 30 minutes.  That’s one.

 

——————————————————— 

David Hoelzer

Fellow, SANS Institute

Dean of Faculty, SANS Technology Institute

 

On August 24, 2016 at 1:45:07 PM, Navraj Singh (navraj42 at gmail.com) wrote:

Hi, 

 

I was wondering what some major differences are between the concept of a 'connection' in Bro and a a 'flow' in NetFlow. Or are they essentially the same concept? If this requires a detailed answer, a reference would be very helpful!

 

Thank you!

_______________________________________________ 
Bro mailing list 
bro at bro-ids.org 
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160825/38b049db/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3901 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160825/38b049db/attachment.bin