[83793] in North American Network Operators' Group
Re: A useful oversimplification for network surveillance?
daemon@ATHENA.MIT.EDU (Fergie (Paul Ferguson))
Thu Aug 25 12:04:40 2005
From: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>
Date: Thu, 25 Aug 2005 16:02:18 GMT
To: hcb@gettcomm.com
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
Actually, re-reading your original message, netflow would certainly
be helpful in analysis, trending, etc. (along with something
along the lines of MRTG) -- and IDS is only helpful after the
fact, per se.
- ferg
-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:
>Howard,
>
>I'd most certainly use an IDS (i.e. SNORT) for this instead of
>netflow....
My concern is scalability, remembering I'm talking about the
surveillance level. My preliminary sense is that SNORT is great in a
sinkhole, but isn't as scalable as a reasonable NetFlow export.
>
>-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
>
> NetFlow is the key to analyzing traffic patterns outside the router,
> looking for DDoS signatures when known, and for traffic anomalies that
> may become DDoS.
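A concrete form of the NetFlow-based anomaly spotting discussed in this thread, as an added example that is neither poster's code: it buckets constructed NetFlow-style records per destination and per minute, flags a window whose flow count jumps well above the median of that destination's earlier windows, and reports packets per flow as a hint about whether the flows are short. The record fields, thresholds and sample addresses are assumptions, not anything from the thread.

```python
from collections import defaultdict
from statistics import median

WINDOW = 60  # seconds per aggregation bucket


def build_sample():
    """Constructed flow records, not real telemetry: tuples of
    (timestamp, src_ip, dst_ip, proto, packets, octets), the core NetFlow v5 fields.
    Windows 0-5 carry steady traffic; window 6 adds a burst of one-packet flows."""
    flows = []
    for w in range(6):
        t0 = w * WINDOW
        for i in range(10):  # steady web traffic to the first host
            flows.append((t0 + i * 5, f"198.51.100.{i + 1}", "192.0.2.10", 6, 50, 40000))
        for i in range(4):   # steady DNS traffic to the second host
            flows.append((t0 + i * 10, f"203.0.113.{i + 1}", "192.0.2.20", 17, 2, 300))
    t0 = 6 * WINDOW
    for i in range(200):     # many short flows from many sources, SYN-flood-like
        flows.append((t0 + i % 60, f"203.0.113.{i % 250 + 1}", "192.0.2.10", 6, 1, 40))
    return flows


def aggregate(flows, window=WINDOW):
    """Bucket flows by (window start, destination), summing flow and packet counts."""
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0})
    for ts, _src, dst, _proto, packets, _octets in flows:
        key = ((ts // window) * window, dst)
        buckets[key]["flows"] += 1
        buckets[key]["packets"] += packets
    return buckets


def find_anomalies(flows, window=WINDOW, factor=5.0, min_flows=20):
    """Flag a (window, destination) whose flow count exceeds factor times the
    median of that destination's earlier windows. Windows with no flows to a
    destination are simply absent, so the baseline covers observed windows only."""
    per_dst = defaultdict(list)
    for (start, dst), agg in sorted(aggregate(flows, window).items()):
        per_dst[dst].append((start, agg))
    alerts = []
    for dst, series in per_dst.items():
        history = []
        for start, agg in series:
            if history and agg["flows"] >= min_flows and agg["flows"] > factor * median(history):
                alerts.append({"window": start, "dst": dst, "flows": agg["flows"],
                               "baseline": median(history),
                               "pkts_per_flow": agg["packets"] / agg["flows"]})
            history.append(agg["flows"])
    return alerts
```

Running `find_anomalies(build_sample())` returns a single alert for 192.0.2.10 in the window starting at 360 seconds, with 200 flows against a baseline of 10 and one packet per flow.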