Netflow ingest with Bro?

Robert_Rotsted · December 10, 2014, 6:37pm

Hi all,

Is anyone using Bro's Netflow ingest capabilities? If so, what is the
output? Does Bro generate TCP and UDP events? Does it create a "conn"
log?

Some context from the Bro 1.4 release notes
(https://www.bro.org/sphinx/install/changes.html?highlight=netflow):

Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
(Bernhard Ager). NetFlow can be useful for intrusion detection as it
allows analysis of traffic from many different points in the network.
Bro can now read NetFlow data from a UDP socket, as well as (mostly
for debugging purposes) from a file in a specialized format. You can
create these files with the programs given in aux/nftools.

Best,

Bob

robin · December 10, 2014, 7:45pm

Two netflow events:

event netflow_v5_header(h: nf_v5_header);
event netflow_v5_record(r: nf_v5_record);

I don't think we ever had a standard script doing something further
with these.

Note, the Netflow support has been removed in current git master along
with some of the restructuring, as it was neither much used nor tested
at all. But it's not inconceivable to bring it back before the next
release if there's demand for it.

Robin

Robert_Rotsted · December 10, 2014, 9:29pm

Good to know. Thanks for the quick reply Robin!

Topic		Replies	Views
Bro and NetFlow Zeek	3	67	May 6, 2022
Bro vs NetFlow Zeek	8	78	May 6, 2022
Netflow and Bro Zeek	2	69	May 6, 2022
Netflow and bro Zeek	2	69	May 6, 2022
Questions About UDP Events in Bro Zeek	1	54	May 6, 2022

Netflow ingest with Bro?

Related Topics