The new Bro can now import NetFlow version 5 data; if you are using HeX 2.0, you can test it quickly. Here's how to try out its new ability to work with NetFlow.
Use fprobe to export NetFlow version 5 data from network interface le0 to address 127.0.0.1, port 5555 -
shell>sudo fprobe -n 5 -f ip -i le0 127.0.0.1:5555
Use bro to consume the NetFlow data and log it to disk -
shell>sudo bro --netflow 127.0.0.1:5555 HeX netflow
You will find netflow.log in your $BROLOGS directory; you can examine it with any text viewer.
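To see what fprobe is actually sending to 127.0.0.1:5555 and what Bro has to decode, here is an added example (not part of the original post or of Bro) that builds a constructed NetFlow v5 datagram and parses it back, bounds-checking the on-the-wire record count before reading records. The header and record layouts are the standard v5 ones; the sample addresses and counters are made up.

```python
import struct
import socket

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def build_v5_datagram(flows, seq=0):
    """Build a v5 datagram from (src, dst, sport, dport, proto, pkts, octets) tuples.
    Stands in for what an exporter such as fprobe would send; constructed data only."""
    header = V5_HEADER.pack(5, len(flows), 1000, 1700000000, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       0, 0, pkts, octets, 900, 1000, sp, dp, 0, 0x18, proto, 0,
                       0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, pkts, octets in flows)
    return header + body


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 datagram into (header dict, list of flow dicts)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field = %d)" % version)
    # The record count comes off the wire and is untrusted: check it against the
    # real datagram length so a short or malformed packet cannot cause an over-read.
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header claims %d records but datagram is too short" % count)
    flows = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, _in, _out, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _sas, _das, _sm, _dm, _pad2) = V5_RECORD.unpack_from(datagram, off)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "pkts": pkts, "octets": octets, "tcp_flags": flags,
                      "duration_ms": last - first})
    return {"seq": seq, "uptime_ms": uptime, "unix_secs": secs, "count": count}, flows


if __name__ == "__main__":
    sample = build_v5_datagram([("10.0.0.5", "192.0.2.80", 40000, 80, 6, 12, 9000),
                                ("10.0.0.5", "192.0.2.53", 53000, 53, 17, 1, 70)])
    hdr, flows = parse_netflow_v5(sample)
    for f in flows:
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d proto=%(proto)d pkts=%(pkts)d bytes=%(octets)d" % f)
```

To watch live traffic instead of the constructed sample, bind a UDP socket on the port fprobe exports to and pass each received datagram to parse_netflow_v5.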
I'm going to distribute a bro-1.4 binary that works well with HeX so that people can try it out if they are interested in the latest Bro offerings.
Enjoy (;])