Hi all,
Is anyone using Bro's Netflow ingest capabilities? If so, what is the
output? Does Bro generate TCP and UDP events? Does it create a "conn"
log?
Some context from the Bro 1.4 release notes
(https://www.bro.org/sphinx/install/changes.html?highlight=netflow):
Bro now supports analyzing NetFlow v5 data, i.e., from Cisco routers
(Bernhard Ager). NetFlow can be useful for intrusion detection as it
allows analysis of traffic from many different points in the network.
Bro can now read NetFlow data from a UDP socket, as well as (mostly
for debugging purposes) from a file in a specialized format. You can
create these files with the programs given in aux/nftools.
Best,
Bob
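Whatever Bro emits for NetFlow input, it can only be derived from what a v5 export datagram carries, so it helps to see that layout concretely. The following Python is an added example, not Bro code and not part of the release notes or of Bob's message: it decodes a NetFlow v5 datagram (24-byte header followed by up to thirty 48-byte records, all big-endian) into flow records and renders each as a conn-log-like tab-separated line. The field layout follows the published v5 export format; the function names, the Flow dataclass, the line layout of conn_style_line and the two-record sample datagram are my own constructions for illustration.

```python
"""Minimal NetFlow v5 decoder: added example, not Bro code."""
import socket
import struct
from dataclasses import dataclass
from typing import List

# Wire layout per the NetFlow v5 export format (all fields big-endian).
# Header: version, count, sys_uptime(ms), unix_secs, unix_nsecs,
#         flow_sequence, engine_type, engine_id, sampling_interval -> 24 bytes
HEADER_FMT = ">HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
#         srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#         src_mask, dst_mask, pad2 -> 48 bytes
RECORD_FMT = ">IIIHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30  # a v5 exporter never puts more than 30 records in one datagram
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass
class Flow:
    ts: float        # absolute start time of the flow (unix seconds)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    duration: float  # seconds
    pkts: int
    octets: int
    tcp_flags: int   # cumulative OR of TCP flags seen over the flow; 0 for non-TCP


def parse_netflow_v5(datagram: bytes) -> List[Flow]:
    """Decode one exported datagram into Flow records, refusing malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     _seq, _engine_type, _engine_id, _sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"truncated datagram: header promises {count} records")
    # Exporter wall clock at export time; per-record times are router uptime in ms,
    # so a flow's absolute start is export time minus (uptime now - uptime at first packet).
    export_ts = unix_secs + unix_nsecs / 1e9
    flows = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, _in_if, _out_if, dpkts, doctets, first, last,
         sport, dport, _pad1, tcp_flags, prot, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append(Flow(
            ts=export_ts - (sys_uptime - first) / 1000.0,
            src=socket.inet_ntoa(struct.pack(">I", srcaddr)),
            sport=sport,
            dst=socket.inet_ntoa(struct.pack(">I", dstaddr)),
            dport=dport,
            proto=PROTO_NAMES.get(prot, str(prot)),
            duration=(last - first) / 1000.0,
            pkts=dpkts,
            octets=doctets,
            tcp_flags=tcp_flags,
        ))
    return flows


def conn_style_line(f: Flow) -> str:
    """Render a flow as a tab-separated, conn-log-like line (column layout is my own, not Bro's)."""
    return "\t".join([f"{f.ts:.3f}", f.src, str(f.sport), f.dst, str(f.dport),
                      f.proto, f"{f.duration:.3f}", str(f.octets), str(f.pkts)])


def build_datagram(sys_uptime: int, unix_secs: int, records: list) -> bytes:
    """Assemble a v5 datagram from (src, dst, proto, sport, dport, pkts, octets, first, last, flags) tuples."""
    hdr = struct.pack(HEADER_FMT, 5, len(records), sys_uptime, unix_secs, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, proto, sport, dport, pkts, octets, first, last, flags in records:
        s = struct.unpack(">I", socket.inet_aton(src))[0]
        d = struct.unpack(">I", socket.inet_aton(dst))[0]
        body += struct.pack(RECORD_FMT, s, d, 0, 1, 2, pkts, octets, first, last,
                            sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    return hdr + body


# Constructed sample: a two-record export from a router 100 s into its uptime,
# exported at unix time 1700000000 (not captured traffic).
SAMPLE = build_datagram(100000, 1700000000, [
    ("10.0.0.1", "192.0.2.10", 6, 51234, 443, 12, 3400, 90000, 95000, 0x1b),
    ("10.0.0.2", "192.0.2.53", 17, 40000, 53, 1, 76, 99000, 99000, 0),
])

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE):
        print(conn_style_line(flow))
```

To feed it live data, bind a SOCK_DGRAM socket on the exporter's destination port and pass each recvfrom() payload to parse_netflow_v5; the length and version checks matter there because anything can send to that port. Two caveats a practitioner should keep in mind when comparing this with a conn log built from packets: the record's tcp_flags is the OR of every flag seen, so connection state cannot be reconstructed the way a packet-level analyzer does it, and the header's sampling_interval field (two bits of mode plus a 14-bit interval, ignored above) means packet and byte counts from a sampling exporter are estimates, not exact totals.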