What is Hflow2
Hflow2 is a data coalescing tool for honeynet/network analysis. It coalesces data from snort, p0f and sebekd into a unified, cross-related data structure stored in a relational database.
A paper with a more detailed description can be found here.
The rationale for building hflow2 was the need for a tool with several features that were not available in other systems. In particular, no existing tool provided sebek-aware and network-aware offline processing. A comparison of hflow2 with other similar systems follows:
| Feature | Hflow2 | Hflow + sebekd | sebekd | argus | netflow |
| --- | --- | --- | --- | --- | --- |
| Flow Type | Bidi | Bidi | none | Bidi | uni |
| Sebek Aware | Yes | Yes | Yes | No | No |
| P0f Aware | Yes | Yes | No | No | No |
| Content Based marking | Yes | No | No | No | No |
| Off line | Yes | No | Yes | Yes | Yes |
| No runtime dependencies | Yes | No | Yes | Yes | Yes |
| Fail Stop | Yes | No | Yes | Yes | Yes |
hflow2, however, can appear to be MUCH slower than systems that only analyze flow data, such as argus or netflow. The main reason this happens with high-interaction honeynet data is that hflow2 also processes sebek data, which can be extremely voluminous. Internal tests of idle systems show that sebek data is 40 times larger than non-sebek data. This results in much heavier use of the DB and thus noticeably worse performance; packet captures with no sebek data should be processed faster than argus v2.
More information can also be found on the original hflow2 website.