nanog mailing list archives

Re: A useful oversimplification for network surveillance?

From: "Howard C. Berkowitz" <hcb () gettcomm com>
Date: Thu, 25 Aug 2005 11:47:56 -0400


At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:

Howard,

I'd most certainly use an IDS (i.e. SNORT) for this instead of
netflow....

My concern is scalability, remembering I'm talking about thesurveillance level. My preliminary sense is that SNORT is great in asinkhole, but isn't as scalable as a reasonable NetFlow export.


- ferg

-- "Howard C. Berkowitz" <hcb () gettcomm com> wrote:

      NetFlow is the key to analyzing traffic patterns outside the router,
      looking for DDoS signatures when known, and for traffic anomalies that
      may become DDoS.

Current thread:

A useful oversimplification for network surveillance? Howard C. Berkowitz (Aug 25)
- Re: A useful oversimplification for network surveillance? Nicolas FISCHBACH (Aug 30)
- <Possible follow-ups>
- Re: A useful oversimplification for network surveillance? Fergie (Paul Ferguson) (Aug 25)
  - Re: A useful oversimplification for network surveillance? Howard C. Berkowitz (Aug 25)
  - Re: A useful oversimplification for network surveillance? Florian Weimer (Aug 25)
    - Re: A useful oversimplification for network surveillance? sjk (Aug 25)
    - Re: A useful oversimplification for network surveillance? Florian Weimer (Aug 25)
    - Message not available
    - Re: A useful oversimplification for network surveillance? Florian Weimer (Aug 25)
    - Re: A useful oversimplification for network surveillance? Howard C. Berkowitz (Aug 25)
- Re: A useful oversimplification for network surveillance? Fergie (Paul Ferguson) (Aug 25)
  - Re: A useful oversimplification for network surveillance? Yann Berthier (Aug 25)
- Re: A useful oversimplification for network surveillance? Fergie (Paul Ferguson) (Aug 25)