Re: A useful oversimplification for network surveillance?
Actually, re-reading your original message, netflow would certainly be helpful in analysis, trending, etc. (along with something along the lines of MRTG) -- and IDS is only helpful after the fact, per se.

- ferg

-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:

At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:
Howard,
I'd most certainly use an IDS (i.e. SNORT) for this instead of netflow....
My concern is scalability, remembering I'm talking about the surveillance level. My preliminary sense is that SNORT is great in a sinkhole, but isn't as scalable as a reasonable NetFlow export.
-- "Howard C. Berkowitz" <hcb@gettcomm.com> wrote:
NetFlow is the key to analyzing traffic patterns outside the router, looking for DDoS signatures when known, and for traffic anomalies that may become DDoS.
On Thu, 25 Aug 2005, Fergie (Paul Ferguson) wrote:
Actually, re-reading your original message, netflow would certainly be helpful in analysis, trending, etc. (along with something along the lines of MRTG) -- and IDS is only helpful after the fact, per se.
If I may add - NetFlow gives you the possibility to do network forensics on 'past' network events (for whatever meaning of past), even if your IDS has detected nothing. This is an important consideration.

I set up a mailing list, flowop, some time ago, to discuss NetFlow related issues: analysis, deployment considerations, ... The goal is obviously not to divert traffic from the existing mailing lists focused on a particular collector / tool, but I felt that besides those specific lists, a 'generic' one was badly needed. I never took the time to advertise it, so the traffic is low (that is, null), but perhaps this is a good time to do so. I look forward to seeing many interesting discussions happening here.

Subscription information: http://www.csrrt.org.lu/mailman/listinfo/flowop

Thanks,

- yann
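As an added illustration (not code from any poster in this thread), the following Python sketch shows the two uses of NetFlow raised above: a time-window query over stored flow records for after-the-fact forensics, and a per-destination fan-in check of the kind a collector would run on exported flows to notice traffic that may be turning into a DDoS. The record fields, thresholds, and sample flows are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields this analysis needs (hypothetical layout)."""
    start: int      # flow start time, seconds since epoch
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample export: a quiet web-traffic baseline around t=1000, then a burst around
# t=1300 in which 400 distinct sources each send one tiny UDP/53 packet to a single host.
FLOWS = (
    [Flow(1000 + i, f"10.0.{i % 4}.{i}", "192.0.2.10", 80, 20, 12000) for i in range(6)]
    + [Flow(1300 + i, f"198.51.{i // 256}.{i % 256}", "192.0.2.20", 53, 1, 64) for i in range(400)]
)


def window(flows, t0, t1):
    """Forensic query: return flows whose start falls in [t0, t1), i.e. 'past' events."""
    return [f for f in flows if t0 <= f.start < t1]


def per_destination(flows):
    """Aggregate flows per destination host: (distinct sources, packets, octets)."""
    srcs, pkts, octs = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        srcs[f.dst].add(f.src)
        pkts[f.dst] += f.packets
        octs[f.dst] += f.octets
    return {d: (len(srcs[d]), pkts[d], octs[d]) for d in srcs}


def flag_anomalies(flows, t0, t1, min_sources=100, max_avg_octets=100):
    """Within [t0, t1), flag destinations hit by many distinct sources sending small packets.

    Thresholds are constructed for the sample data; a real deployment would derive them from
    the baseline the same export provides (trending, as mentioned in the thread).
    """
    flagged = []
    for dst, (n_src, pkts, octs) in per_destination(window(flows, t0, t1)).items():
        if n_src >= min_sources and octs / pkts <= max_avg_octets:
            flagged.append((dst, n_src, pkts, octs))
    return sorted(flagged)
```

Running `flag_anomalies(FLOWS, 1200, 1800)` flags only 192.0.2.20, while the same check over the baseline window returns nothing, and `window()` can still pull the burst back out of the stored records later even if no IDS signature fired at the time.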