flow-level analysis code

I am very interested, but it seems that it is somewhat outside the scope
of Bro as a classic NIDS. Reading netflow will make no sense (for Bro)
since there are no packet contents.

Actually, I think it does make sense. Bro can do a fair amount of analysis
based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
packet contents. For example, its scan detection is driven off of this
level of information.

    Vern
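To make Vern's point concrete, here is flow-level scan detection done the way he describes: a connection attempt is judged failed from the TCP flag union (SYN seen, ACK never seen) or from a UDP request that has no reply flow, and a source that fails against many distinct hosts is flagged. This is an added Python illustration, not Bro code and not written by anyone on the thread; the Flow record, the flag constants and the sample flows are constructed for it, modelled on NetFlow-style records.

```python
"""Flow-level scan detection over NetFlow-style records (added example).

No payload is ever inspected: each record is a five-tuple plus the union
of TCP flags the exporter saw in that direction.  A TCP flow carrying SYN
but never ACK is a handshake that did not complete; a UDP flow with no
matching reverse flow is a request that was never answered.  Sources that
fail against many distinct destinations are reported as scanners.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in the exporter's flag union.
SYN, ACK, RST = 0x02, 0x10, 0x04


@dataclass(frozen=True)
class Flow:
    ts: float          # flow start time (seconds)
    src: str
    dst: str
    sport: int
    dport: int
    proto: str         # "tcp" or "udp"
    flags: int = 0     # union of TCP flags seen in this direction (0 for UDP)
    pkts: int = 1


def failed_attempts(flows):
    """Yield (src, dst, dport) for every attempt that got no response."""
    # Index UDP flows so a request can be matched against its reverse flow.
    udp = {(f.src, f.dst, f.sport, f.dport) for f in flows if f.proto == "udp"}
    for f in flows:
        if f.proto == "tcp":
            # SYN without ACK: this side never completed the three-way
            # handshake.  A server answering SYN+ACK, or a client whose
            # connection established, carries ACK and is not counted.
            if f.flags & SYN and not f.flags & ACK:
                yield f.src, f.dst, f.dport
        elif f.proto == "udp":
            if (f.dst, f.src, f.dport, f.sport) not in udp:
                yield f.src, f.dst, f.dport


def detect_scanners(flows, threshold=5):
    """Return {src: sorted distinct destinations} for each source whose
    failed attempts touched at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for src, dst, _dport in failed_attempts(flows):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


# Constructed sample: one TCP sweep, one UDP sweep, and benign traffic.
SAMPLE_FLOWS = [
    # 10.0.0.5 sweeps port 22 across 192.168.1.0/24: SYN only, never an ACK.
    *[Flow(1.0 + i, "10.0.0.5", f"192.168.1.{i}", 40000 + i, 22, "tcp", SYN)
      for i in range(1, 9)],
    # One target answers with RST+ACK; that reverse flow carries no SYN.
    Flow(1.1, "192.168.1.3", "10.0.0.5", 22, 40003, "tcp", RST | ACK),
    # Normal web client: both directions show SYN and ACK in their union.
    Flow(2.0, "10.0.0.9", "192.168.1.10", 51000, 80, "tcp", SYN | ACK, 12),
    Flow(2.0, "192.168.1.10", "10.0.0.9", 80, 51000, "tcp", SYN | ACK, 10),
    # DNS query with a reply flow: benign.
    Flow(3.0, "10.0.0.9", "192.168.1.53", 53111, 53, "udp"),
    Flow(3.0, "192.168.1.53", "10.0.0.9", 53, 53111, "udp"),
    # 10.0.0.7 probes SNMP on six hosts and nothing ever answers.
    *[Flow(4.0 + i, "10.0.0.7", f"192.168.2.{i}", 6000, 161, "udp")
      for i in range(1, 7)],
]

if __name__ == "__main__":
    for src, dsts in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src} failed against {len(dsts)} hosts: {dsts[0]} .. {dsts[-1]}")
```

A production detector would additionally age each source's set per time window and separate horizontal sweeps (many hosts, one port) from vertical ones (one host, many ports); the point here is only that none of this needs a single payload byte.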

But where will you take it beyond scans?

Maybe automatic 'stepping stone' detection based on flows? Or flow profiling (for backdoors and trojans with new protocols)? It looks like it will be a very different product as a result.

Also, in this case we will see neither contents nor the header, just the fact that a session took place.

Best,
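One way to prototype the flow-based stepping-stone idea raised above, given exactly the limitation the message notes (only the fact that a session took place, with its endpoints and start/end times): look for an inbound interactive session into a host followed shortly by an outbound interactive session from that same host that stays open for about as long. This is an added Python example, not Bro code and not from anyone on the list; the Session record, the interactive-port set, the thresholds and the sample sessions are all assumptions made for the illustration.

```python
"""Coarse stepping-stone candidates from flow records alone (added example).

With only session endpoints and times there is no packet timing to
correlate, so the check is purely temporal: an outbound interactive
session from host H that begins within `max_lag` seconds of an inbound
interactive session into H, and whose lifetime covers at least
`min_overlap` of the longer of the two sessions, is reported as a pair.
Requiring coverage of the *longer* session rejects short outbound
probes that merely happen to fall inside a long inbound login.
"""
from dataclasses import dataclass

# Assumed set of interactive services worth chaining through.
INTERACTIVE_PORTS = {22, 23}


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    start: float   # seconds
    end: float     # seconds


def stepping_stone_candidates(sessions, max_lag=30.0, min_overlap=0.8):
    """Return (inbound, outbound) pairs that look like a hop through inbound.dst."""
    interactive = [s for s in sessions if s.dport in INTERACTIVE_PORTS]
    pairs = []
    for a in interactive:
        for b in interactive:
            # b must leave the host a entered, and not simply go back to a's source.
            if b.src != a.dst or b.dst == a.src:
                continue
            lag = b.start - a.start
            if not 0.0 <= lag <= max_lag:
                continue
            overlap = min(a.end, b.end) - max(a.start, b.start)
            longer = max(a.end - a.start, b.end - b.start)
            if longer > 0 and overlap / longer >= min_overlap:
                pairs.append((a, b))
    return pairs


# Constructed sample sessions on host 10.0.0.20.
SAMPLE_SESSIONS = [
    Session("203.0.113.8", "10.0.0.20", 22, 100.0, 700.0),   # inbound ssh into H
    Session("10.0.0.20", "10.0.0.40", 22, 112.0, 690.0),     # H hops onward: candidate
    Session("10.0.0.20", "10.0.0.41", 22, 104.0, 110.0),     # short probe inside the login: rejected
    Session("10.0.0.20", "10.0.0.50", 22, 2000.0, 2100.0),   # unrelated later ssh from H
    Session("10.0.0.30", "10.0.0.20", 22, 3000.0, 3050.0),   # admin login with no onward hop
    Session("10.0.0.20", "10.0.0.60", 443, 150.0, 160.0),    # not an interactive service
]

if __name__ == "__main__":
    for a, b in stepping_stone_candidates(SAMPLE_SESSIONS):
        print(f"{a.src} -> {a.dst}:{a.dport} then {b.src} -> {b.dst}:{b.dport} "
              f"(lag {b.start - a.start:.0f}s)")
```

Treat the output as a list of hosts to pull full packet traces for rather than as an alert: with flows alone the check cannot tell a relayed session from an administrator who logs into a jump host and then opens an unrelated session of similar length.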