[83797] in North American Network Operators' Group


Re: A useful oversimplification for network surveillance?

daemon@ATHENA.MIT.EDU (Howard C. Berkowitz)
Thu Aug 25 12:30:40 2005

In-Reply-To: <Pine.LNX.4.63.0508251113250.1446@godot>
Date: Thu, 25 Aug 2005 12:29:44 -0400
To: nanog@merit.edu
From: "Howard C. Berkowitz" <hcb@gettcomm.com>
Errors-To: owner-nanog@merit.edu


At 11:15 AM -0500 8/25/05, sjk wrote:
>We use both -- NetFlow gives us trending data which helps us 
>identify issues and patterns, Snort allows us to perform a deeper 
>analysis -- I don't think you could use one and not the other and 
>have effective traffic inspection.

I think we are in agreement. Remember, I was dealing specifically 
with surveillance. Surveillance and deeper analysis are complementary.

>
>  On Thu, 25 Aug 2005, Florian Weimer wrote:
>
>>
>>>I'd most certainly use an IDS (i.e. SNORT) for this instead of
>>>netflow....
>>
>>Could you provide a use case at the ISP level where an IDS is indeed
>>superior to NetFlow data collection?
>>
>>(Take into account that ISPs typically see the effects of new malware
>>well before the AV companies. 8-)
>>
>
>_____________________________________
>sjk@cupacoffee.net
>http://www.cupacoffee.net
>
>No one can understand the truth until
>he drinks of coffee's frothy goodness.
>~Sheik Abd-al-Kadir


This .sig must be preserved. I go to refill my cup.

Has anyone ever quantified the relationship between available network 
clue and available caffeine?
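The exchange above turns on a division of labour: flow records show the effect of something new (a port nobody used yesterday, a host fanning out to hundreds of neighbours) before any signature exists, while an IDS tells you what the traffic actually carries. As an added example, not code from this thread or from any of its posters, the Python below runs the flow-side half of that split over constructed NetFlow-style records. The records, the addresses and the thresholds (a 5x per-port spike over a baseline interval, twenty distinct destinations with single-packet flows) are all assumptions for illustration and would need tuning against real traffic.

```python
"""Flow-level surveillance over constructed NetFlow-style records.

Illustrative only: the records below are made up, and the thresholds are
assumptions to be tuned against real traffic, not values from the thread.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """The subset of a NetFlow v5 record that this example uses."""
    src: str
    dst: str
    dport: int
    proto: int      # IP protocol number, 6 = TCP
    pkts: int
    octets: int
    start: int      # flow start time, seconds


def _normal_traffic(base_ts: int) -> list[Flow]:
    """Constructed background traffic: three clients talking to web and mail."""
    clients = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    servers = [("203.0.113.5", 80), ("203.0.113.6", 443), ("203.0.113.7", 25)]
    return [
        Flow(c, s, port, 6, 12 + i, 1400 * (j + 1), base_ts + i * 10 + j)
        for i, c in enumerate(clients)
        for j, (s, port) in enumerate(servers)
    ]


# Constructed sample data: a quiet five-minute interval, then an interval in
# which one host probes forty neighbours on TCP/445 with a single packet each.
BASELINE = _normal_traffic(0)
CURRENT = _normal_traffic(300) + [
    Flow("198.51.100.7", f"203.0.113.{n}", 445, 6, 1, 48, 300 + n)
    for n in range(1, 41)
]


def flows_per_port(flows: list[Flow]) -> Counter:
    """Trending view: how many flows were seen per destination port."""
    return Counter(f.dport for f in flows)


def port_spikes(baseline, current, ratio=5.0, min_flows=10):
    """Ports whose flow count grew at least `ratio`-fold versus the baseline.

    A port with no baseline traffic is compared against 1 so that brand-new
    ports are reported rather than divided by zero. Returns {port: (before, after)}.
    """
    before, after = flows_per_port(baseline), flows_per_port(current)
    return {
        port: (before[port], n)
        for port, n in after.items()
        if n >= min_flows and n / max(before[port], 1) >= ratio
    }


def scanners(flows, min_dsts=20, max_pkts=3):
    """Sources touching many distinct destinations with very short flows.

    This is visible from flow headers alone; what the probe carries is not,
    which is where payload inspection (the IDS) takes over.
    """
    dsts = defaultdict(set)
    pkts = defaultdict(list)
    for f in flows:
        dsts[f.src].add(f.dst)
        pkts[f.src].append(f.pkts)
    return {
        src: len(d)
        for src, d in dsts.items()
        if len(d) >= min_dsts and median(pkts[src]) <= max_pkts
    }


if __name__ == "__main__":
    print("flows per port, current interval:", dict(flows_per_port(CURRENT)))
    print("port spikes vs baseline:", port_spikes(BASELINE, CURRENT))
    print("scan-like sources:", scanners(CURRENT))
```

Against the constructed data the port view reports TCP/445 going from zero flows to forty, and the fan-out check names 198.51.100.7 as the source, all without a single payload byte. Whether those probes are a worm, a misconfigured backup job or a researcher is exactly the question flow data cannot answer, which is the deeper-analysis half that the thread leaves to Snort.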


