I built 1.4.prerelease.12 the other day to play around with several parts of Bro including the NetFlow policies. I'm having good luck with the rest of my investigations, but I can't seem to get Bro to react to the NetFlow that is coming in.
I get a netflow.log file, but nothing ever gets logged.
NetFlow Version is 5.
I read through the policies and .pac files and I don't see a problem, but I'm new to Bro and there is a lot to sort through.
Any thoughts on where I should start?
-Andrew
I assume you are trying to extract netflow data from a dumped trace or
by sniffing on a network device. However the Bro NetFlow support is an
IO source, which either listens for incoming flows on a UDP socket or
reads flows from a file. You find the details in the current CHANGES
file <http://svn.icir.org/bro/trunk/bro/CHANGES>. Especially read the
subsection about "auxiliary programs" in case you want to use files as
input.
Regards,
Bernhard
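As an added illustration of the point above (this is example code, not part of the thread and not Bro's own code): a NetFlow v5 collector receives raw export datagrams on a UDP socket, which is why sniffing eth0 does not feed the NetFlow source. The Python below builds a constructed v5 datagram with one flow record the way an exporter would, decodes it back with the checks a collector should make (version 5, record count consistent with datagram length), and shows a loopback UDP delivery. The field layout follows the published NetFlow v5 export format (24-byte header, 48-byte records); the function names, the collector port and the sample addresses are assumptions.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format, network byte order.
# Header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#         engine_type, engine_id, sampling_interval            (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2                               (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class FlowRecord:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    first: int = 0        # sys_uptime (ms) at first packet of the flow
    last: int = 0         # sys_uptime (ms) at last packet of the flow
    tcp_flags: int = 0    # cumulative OR of TCP flags seen


def encode_v5(records, sys_uptime=0, unix_secs=0, flow_sequence=0):
    """Build one NetFlow v5 export datagram (header plus 1..30 records)."""
    if not 1 <= len(records) <= 30:
        raise ValueError("a v5 datagram carries between 1 and 30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r.src), socket.inet_aton(r.dst), b"\0\0\0\0",
            0, 0, r.packets, r.octets, r.first, r.last,
            r.src_port, r.dst_port, 0, r.tcp_flags, r.proto, 0,
            0, 0, 0, 0, 0)
        for r in records)
    return header + body


def decode_v5(datagram):
    """Parse a v5 datagram, rejecting what a v5 collector must not accept."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field is {version})")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"count {count} does not match length {len(datagram)}")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(FlowRecord(
            src=socket.inet_ntoa(f[0]), dst=socket.inet_ntoa(f[1]),
            src_port=f[9], dst_port=f[10], proto=f[13],
            packets=f[5], octets=f[6], first=f[7], last=f[8],
            tcp_flags=f[12]))
    return flows


def send_to_collector(datagram, host="127.0.0.1", port=9995):
    """Deliver a datagram the way an exporter does: a plain UDP send to the
    collector's listening socket. The default port is an assumption."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def roundtrip_over_udp(records):
    """Loopback demo: a collector socket on an ephemeral port receives the
    export datagram and decodes it. Nothing here touches eth0."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(("127.0.0.1", 0))
        collector.settimeout(2)
        send_to_collector(encode_v5(records), port=collector.getsockname()[1])
        data, _ = collector.recvfrom(65535)
    return decode_v5(data)


# Constructed sample flow (addresses from documentation ranges).
SAMPLE = [FlowRecord("10.0.0.5", "192.0.2.10", 40321, 80, 6, 12, 3456,
                     tcp_flags=0x1b)]

if __name__ == "__main__":
    for flow in roundtrip_over_udp(SAMPLE):
        print(flow)
```

The two rejection branches in decode_v5 are the ones worth keeping when wiring a collector to a real exporter: a version 9 or IPFIX exporter pointed at a v5 listener produces a datagram with a different header, and a truncated or padded datagram makes the record count disagree with the length.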
Command line is
bro -i eth0 ACF.bro
ACF.bro is attached. The rest of my config is currently unmodified. I could write the NetFlow to a tcpdump file. I hadn’t thought to try the -r switch. Thanks for the idea.
-Andrew