flow-level analysis code

Could it also use flow-level analysis data as
input?

At present, no. Some folks have discussed adding support for reading
NetFlow records, but as far as I know, no one is working on this.

    Vern

Hello,

I use Netflow every day and it may be a good thing to use it inside Bro.
Who's interested in this topic?
I think I (we) may start something.

Best regards.

I am very interested, but it seems that it is somewhat outside the scope of Bro as a classic NIDS. Reading netflow will make no sense (for Bro) since there are no packet contents.

Best,

Anton Chuvakin, Ph.D. wrote:

> I am very interested, but it seems that it is somewhat outside the scope of Bro as a classic NIDS. Reading netflow will make no sense (for Bro) since there are no packet contents.

Hello Anton,

If I'm not wrong, Bro just sees the 'local' network; it doesn't work like a
distributed IDS. On the other side, it's sure that using Netflow does not give us the ability to see the payload, but with Netflow
- We could see network scans
- We could see some 'not usual' traffic which may break the security rules

So maybe using this feature would give us some new 'nice' information?
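As an added illustration (not code from this thread, from Bro, or from any of the posters): a minimal NetFlow v5 record parser plus the kind of header-only scan check the message above has in mind, run over a constructed export datagram. The threshold, field names and sample addresses are assumptions chosen for the example.

```python
import struct
from collections import defaultdict

# NetFlow v5 wire layout (big-endian): 24-byte header, then 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 export datagram."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": ".".join(map(str, f[0])), "dst": ".".join(map(str, f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13],
        })
    return flows


def scan_sources(flows, min_ports=8):
    """Header-only heuristic: a source whose tiny TCP flows reach many distinct
    (dst, dport) pairs looks like a port scan. min_ports is an assumed threshold."""
    seen = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= 2:
            seen[f["src"]].add((f["dst"], f["dport"]))
    return {src for src, pairs in seen.items() if len(pairs) >= min_ports}


def build_v5(flows):
    """Constructed input only: pack (src, dst, sport, dport, proto, packets, tcp_flags)."""
    recs = b"".join(
        V5_RECORD.pack(bytes(map(int, s.split("."))), bytes(map(int, d.split("."))),
                       b"\0" * 4, 0, 0, pk, pk * 60, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, fl in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + recs


# Constructed sample: one host sends single-SYN flows to 12 ports, one host has a normal HTTPS flow.
SAMPLE = build_v5(
    [("10.0.0.5", "192.0.2.10", 40000 + p, p, 6, 1, 0x02) for p in range(20, 32)]
    + [("10.0.0.7", "192.0.2.20", 51000, 443, 6, 120, 0x1b)]
)

if __name__ == "__main__":
    print("suspected scanners:", scan_sources(parse_v5(SAMPLE)))
```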

Hi,

I think it's important that people take a very open stance when
considering what's useful to Bro. Bro is not just a signature matcher.
As Vern indicated when mentioning scan detection, it's not necessarily
about packet contents -- if you want that and only that then use snort
(after making sure that our Bro rules don't do at least as good a job :) ).
The protocol headers give you a lot of information when it comes to
inferring communication patterns, communities of interest, connection
behaviour, traffic volume, etc. It all depends on your policy.

Also, Bro's actually on the brink of becoming really quite distributed.
Bro can already exchange essentially arbitrary state with other Bro
nodes (have a look at the remote.bro and listen-ssl.bro policies) --
this includes policies, connection state, policy state, etc. We can do
Bro-Bro handovers, communicate with non-Bro agents, you name it. I'm not
aware of any other system that comes close to this. It's still being
polished and not widely known yet, but it's coming :)

Thanks,
Christian.