[83792] in North American Network Operators' Group


Re: A useful oversimplification for network surveillance?

daemon@ATHENA.MIT.EDU (Howard C. Berkowitz)
Thu Aug 25 11:49:07 2005

In-Reply-To: <20050825.083104.7340.139575@webmail12.lax.untd.com>
Date: Thu, 25 Aug 2005 11:47:56 -0400
To: nanog@merit.edu
From: "Howard C. Berkowitz" <hcb@gettcomm.com>
Errors-To: owner-nanog@merit.edu


At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:
>Howard,
>
>I'd most certainly use an IDS (i.e. SNORT) for this instead of
>netflow....

My concern is scalability, remembering I'm talking about the 
surveillance level. My preliminary sense is that SNORT is great in a 
sinkhole, but isn't as scalable as a reasonable NetFlow export.

>
>- ferg
>
>-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
>
>       NetFlow is the key to analyzing traffic patterns outside the router,
>       looking for DDoS signatures when known, and for traffic anomalies that
>       may become DDoS.
