nanog mailing list archives

A useful oversimplification for network surveillance?


From: "Howard C. Berkowitz" <hcb () gettcomm com>
Date: Thu, 25 Aug 2005 11:20:54 -0400


I'm developing some guidance for ISP surveillance for infrastructure attacks, and my increasing impression is that for other than the expert level, there may be some useful simplifications of the applicability of tools. Remember that I am speaking of surveillance here, not the detailed analysis in a sinkhole. Perhaps this could be the basis of some security architecture presentations/tutorials at NANOG.

Let me put up the following strawmen and invite people with flaming torches to go for them, with the caveat that these simplifications are for an introduction to the topic.

     NetFlow is the key to analyzing traffic patterns outside the router,
     looking for DDoS signatures when known, and for traffic anomalies that
     may become DDoS.

     SNMP is the key to analyzing the effect of exploits on network elements.
     For example, NetFlow might tell you there is a flood directed at TCP
     port 179, but your router may implement rate-limiting/policing such
     that the control processor doesn't see this flood and processor
     utilization stays within reasonable ranges.

     Syslog and SNMP traps focus on physical events by people (e.g.,
     reconfiguration), physical problems ranging from temperature alarms
     to router and interface shutdown, and exploits against security
     mechanisms.  Some of this asynchronous information has to undergo
     root cause analysis: the interface you see go down may be perfectly
     fine; the problem is in the medium or distant interface.
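As an added illustration (not part of the original post), here is a small Python sketch of the NetFlow/SNMP split described above: aggregated flow records flag the flood aimed at TCP port 179, and the SNMP CPU sample from the same export interval says whether the control processor actually felt it. All records, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed NetFlow-style export records: (interval, src, dst, dport, packets).
# Intervals 0-1 are normal BGP sessions; interval 2 carries a flood at TCP/179.
FLOWS = [
    (0, "198.51.100.7", "192.0.2.1", 179, 40),
    (0, "203.0.113.9", "192.0.2.1", 179, 35),
    (1, "198.51.100.7", "192.0.2.1", 179, 42),
    (1, "203.0.113.9", "192.0.2.1", 179, 38),
    (2, "198.51.100.200", "192.0.2.1", 179, 9000),
    (2, "198.51.100.201", "192.0.2.1", 179, 8700),
    (2, "198.51.100.202", "192.0.2.1", 179, 9100),
]

# Constructed SNMP CPU samples (percent) for the same router, by interval.
CPU = {0: 12, 1: 13, 2: 15}

def packets_per_port(flows):
    """Sum packets per (interval, dst, dport): the traffic view NetFlow gives."""
    totals = defaultdict(int)
    for interval, _src, dst, dport, pkts in flows:
        totals[(interval, dst, dport)] += pkts
    return totals

def flood_intervals(flows, baseline_intervals, factor=10):
    """Flag (interval, dst, dport, packets) exceeding factor x the baseline mean."""
    totals = packets_per_port(flows)
    base = defaultdict(list)
    for (interval, dst, dport), pkts in totals.items():
        if interval in baseline_intervals:
            base[(dst, dport)].append(pkts)
    flagged = []
    for (interval, dst, dport), pkts in sorted(totals.items()):
        hist = base.get((dst, dport))
        if hist and interval not in baseline_intervals and pkts > factor * sum(hist) / len(hist):
            flagged.append((interval, dst, dport, pkts))
    return flagged

def classify(flagged, cpu, cpu_threshold=70):
    """Pair each flagged flood with the SNMP CPU reading from the same interval.
    A flood NetFlow sees but CPU does not suggests the router's policing held."""
    out = []
    for interval, dst, dport, pkts in flagged:
        util = cpu.get(interval)
        impacted = util is not None and util >= cpu_threshold
        out.append({"interval": interval, "dst": dst, "dport": dport, "packets": pkts,
                    "cpu": util, "verdict": "control plane impacted" if impacted else "policed or absorbed"})
    return out
```

The 10x-baseline factor and 70% CPU threshold are placeholders; in practice both come from the operator's own baselines for the platform.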
