Re: A useful oversimplification for network surveillance?
Howard,
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
- ferg
-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
NetFlow is the key to analyzing traffic patterns outside the router, looking for DDoS signatures when known, and for traffic anomalies that may become DDoS.
-- "Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg@netzero.net or fergdawg@sbcglobal.net
ferg's tech blog: http://fergdawg.blogspot.com/
At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:
Howard,
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
My concern is scalability, remembering I'm talking about the surveillance level. My preliminary sense is that SNORT is great in a sinkhole, but isn't as scalable as a reasonable NetFlow export.
- ferg
-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
NetFlow is the key to analyzing traffic patterns outside the router, looking for DDoS signatures when known, and for traffic anomalies that may become DDoS.
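Howard's point about using NetFlow to spot traffic anomalies that may become DDoS, as an added example that is not code from any poster in this thread: it aggregates constructed NetFlow-style records per destination and flags destinations whose flow count jumps against a baseline window, with many distinct sources and tiny flows (the thresholds and sample addresses are assumptions).

```python
"""Added example: flag DDoS-like anomalies in NetFlow-style records against a baseline."""
from collections import defaultdict

# Constructed NetFlow v5-style records (hypothetical values):
# (src_ip, dst_ip, dst_port, proto, packets, bytes)
BASELINE = [
    ("10.0.0.1", "192.0.2.10", 80, 6, 40, 52000),   # ordinary web traffic
    ("10.0.0.2", "192.0.2.10", 80, 6, 35, 48000),
    ("10.0.0.3", "192.0.2.20", 443, 6, 60, 90000),
    ("10.0.0.4", "192.0.2.30", 80, 6, 30, 41000),
]
# Current export window: same traffic plus 200 one-packet flows from distinct
# sources to a single host/port, the shape a SYN flood leaves in flow data.
CURRENT = BASELINE + [
    ("198.51.100.%d" % i, "192.0.2.30", 80, 6, 1, 40) for i in range(1, 201)
]


def summarize(flows):
    """Aggregate per (dst_ip, dst_port): flow count, distinct sources, packets, bytes."""
    stats = defaultdict(lambda: {"flows": 0, "srcs": set(), "pkts": 0, "bytes": 0})
    for src, dst, dport, _proto, pkts, byts in flows:
        s = stats[(dst, dport)]
        s["flows"] += 1
        s["srcs"].add(src)
        s["pkts"] += pkts
        s["bytes"] += byts
    return dict(stats)


def find_anomalies(current, baseline, ratio=10.0, min_sources=50, max_avg_pkts=2.0):
    """Return (dst_ip, dst_port) keys whose current window looks like a flood:
    flow count at least `ratio` times the baseline, spread over many sources,
    with very few packets per flow (assumed thresholds)."""
    cur, base = summarize(current), summarize(baseline)
    anomalies = []
    for key, s in cur.items():
        base_flows = base[key]["flows"] if key in base else 0
        growth = s["flows"] / max(base_flows, 1)
        avg_pkts = s["pkts"] / s["flows"]
        if growth >= ratio and len(s["srcs"]) >= min_sources and avg_pkts <= max_avg_pkts:
            anomalies.append(key)
    return sorted(anomalies)


if __name__ == "__main__":
    for dst, port in find_anomalies(CURRENT, BASELINE):
        print("possible flood toward %s:%d" % (dst, port))
```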
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
Could you provide a use case at the ISP level where an IDS is indeed superior to NetFlow data collection? (Take into account that ISPs typically see the effects of new malware well before the AV companies. 8-)
We use both -- NetFlow gives us trending data which helps us identify issues and patterns, Snort allows us to perform a deeper analysis -- I don't think you could use one and not the other and have effective traffic inspection.
On Thu, 25 Aug 2005, Florian Weimer wrote:
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
Could you provide a use case at the ISP level where an IDS is indeed superior to NetFlow data collection?
(Take into account that ISPs typically see the effects of new malware well before the AV companies. 8-)
_____________________________________
sjk@cupacoffee.net http://www.cupacoffee.net
No one can understand the truth until he drinks of coffee's frothy goodness. ~Sheik Abd-al-Kadir
We use both -- NetFlow gives us trending data which helps us identify issues and patterns, Snort allows us to perform a deeper analysis -- I don't think you could use one and not the other and have effective traffic inspection.
Of course, but you do this to support certain processes in your organization. I just wonder what a process that actually needs data gathered by an IDS, at the ISP level, might look like. (Drawing pretty charts showing the number of attacks you've blocked doesn't count, IMHO.)
At 11:15 AM -0500 8/25/05, sjk wrote:
We use both -- NetFlow gives us trending data which helps us identify issues and patterns, Snort allows us to perform a deeper analysis -- I don't think you could use one and not the other and have effective traffic inspection.
I think we are in agreement. Remember, I was dealing specifically with surveillance. Surveillance and deeper analysis are complementary.
On Thu, 25 Aug 2005, Florian Weimer wrote:
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
Could you provide a use case at the ISP level where an IDS is indeed superior to NetFlow data collection?
(Take into account that ISPs typically see the effects of new malware well before the AV companies. 8-)
_____________________________________ sjk@cupacoffee.net http://www.cupacoffee.net
No one can understand the truth until he drinks of coffee's frothy goodness. ~Sheik Abd-al-Kadir
This .sig must be preserved. I go to refill my cup. Has anyone ever quantified the relationship between available network clue and available caffeine?
participants (4)
- Fergie (Paul Ferguson)
- Florian Weimer
- Howard C. Berkowitz
- sjk