[83795] in North American Network Operators' Group
Re: A useful oversimplification for network surveillance?
daemon@ATHENA.MIT.EDU (sjk)
Thu Aug 25 12:19:03 2005
Date: Thu, 25 Aug 2005 11:15:23 -0500 (CDT)
From: sjk <sjk@dredel.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "Fergie (Paul Ferguson)" <fergdawg@netzero.net>,
hcb@gettcomm.com, nanog@merit.edu
In-Reply-To: <874q9euhk3.fsf@mid.deneb.enyo.de>
Errors-To: owner-nanog@merit.edu
We use both -- NetFlow gives us trending data which helps us identify
issues and patterns, Snort allows us to perform a deeper analysis -- I
don't think you could use one and not the other and have effective traffic
inspection.
On Thu, 25 Aug 2005, Florian Weimer wrote:
>
>> I'd most certainly use an IDS (i.e. SNORT) for this instead of
>> NetFlow....
>
> Could you provide a use case at the ISP level where an IDS is indeed
> superior to NetFlow data collection?
>
> (Take into account that ISPs typically see the effects of new malware
> well before the AV companies. 8-)
>
_____________________________________
sjk@cupacoffee.net
http://www.cupacoffee.net
No one can understand the truth until
he drinks of coffee's frothy goodness.
~Sheik Abd-al-Kadir
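The split sjk describes (flow data for trending and pattern spotting, a payload IDS for the deeper look) can be illustrated with a few lines over NetFlow-style records. This is an added example, not code from the post or from any NetFlow/Snort tool; the flow records are constructed, and `flag_sweeps` and its thresholds are assumptions for illustration.

```python
"""Flow-based trending and pattern detection over NetFlow-style records.

Flow records carry headers only (addresses, ports, protocol, packet and byte
counts), so they reveal *patterns* such as one host fanning out to many
destinations on a single port; what the payload actually contains is the
IDS's job, as the post says."""
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (src, dst, proto, dport, packets, bytes)
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 6, 445, 3, 180),
    ("10.0.0.5", "192.0.2.11", 6, 445, 3, 180),
    ("10.0.0.5", "192.0.2.12", 6, 445, 3, 180),
    ("10.0.0.5", "192.0.2.13", 6, 445, 3, 180),
    ("10.0.0.5", "192.0.2.14", 6, 445, 3, 180),
    ("10.0.0.7", "198.51.100.8", 6, 80, 40, 52000),
    ("10.0.0.7", "198.51.100.9", 6, 443, 25, 31000),
    ("10.0.0.9", "192.0.2.10", 6, 445, 120, 96000),
]

def bytes_per_port(flows):
    """Trending view: total bytes per destination port."""
    totals = defaultdict(int)
    for _src, _dst, _proto, dport, _pkts, nbytes in flows:
        totals[dport] += nbytes
    return dict(totals)

def fan_out(flows, dport):
    """Number of distinct destinations each source touched on dport."""
    seen = defaultdict(set)
    for src, dst, _proto, port, _pkts, _nbytes in flows:
        if port == dport:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def flag_sweeps(flows, dport, min_hosts=4, max_avg_bytes=512):
    """Sources that reached >= min_hosts distinct hosts on dport with small,
    probe-sized flows (assumed thresholds). This is a propagation/scan
    pattern worth a closer look, not proof of anything: confirming it means
    inspecting payload with an IDS."""
    per_src = defaultdict(lambda: [set(), 0, 0])  # dsts, total bytes, flows
    for src, dst, _proto, port, _pkts, nbytes in flows:
        if port == dport:
            rec = per_src[src]
            rec[0].add(dst)
            rec[1] += nbytes
            rec[2] += 1
    return sorted(src for src, (dsts, total, n) in per_src.items()
                  if len(dsts) >= min_hosts and total / n <= max_avg_bytes)

if __name__ == "__main__":
    print(bytes_per_port(FLOWS))
    print(flag_sweeps(FLOWS, 445))
```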