25 Aug 2005, 11:47 a.m.
At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:
Howard,
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
My concern is scalability, remembering I'm talking about the surveillance level. My preliminary sense is that SNORT is great in a sinkhole, but isn't as scalable as a reasonable NetFlow export.
- ferg
-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
NetFlow is the key to analyzing traffic patterns outside the router, looking for DDoS signatures when known, and for traffic anomalies that may become DDoS.