A useful oversimplification for network surveillance?

Howard,

I'd most certainly use an IDS (i.e. SNORT) for this instead of
netflow....

- ferg

Howard,

I'd most certainly use an IDS (i.e. SNORT) for this instead of
netflow....

My concern is scalability, remembering I'm talking about the surveillance level. My preliminary sense is that SNORT is great in a sinkhole, but isn't as scalable as a reasonable NetFlow export.

I'd most certainly use an IDS (i.e. SNORT) for this instead of
netflow....

Could you provide a use case at the ISP level where an IDS is indeed
superior to NetFlow data collection?

(Take into account that ISPs typically see the effects of new malware
well before the AV companies. :sunglasses:

We use both -- NetFlow gives us trending data which helps us identify issues and patterns, Snort allows us to perform a deeper analysis -- I don't think you could use one and not the other and have effective traffic inspection.

We use both -- NetFlow gives us trending data which helps us
identify issues and patterns, Snort allows us to perform a deeper
analysis -- I don't think you could use one and not the other and
have effective traffic inspection.

Of course, but you do this to support certain processes in your
organization. I just wonder what a process might look like which
actually needs data gathered by an IDS, at the ISP level.

(Drawing pretty charts showing the number of attacks you've blocked
doesn't count, IMHO.)

We use both -- NetFlow gives us trending data which helps us identify issues and patterns, Snort allows us to perform a deeper analysis -- I don't think you could use one and not the other and have effective traffic inspection.

I think we are in agreement. Remember, I was dealing specifically with surveillance. Surveillance and deeper analysis are complementary.

I'd most certainly use an IDS (i.e. SNORT) for this instead of
netflow....

Could you provide a use case at the ISP level where an IDS is indeed
superior to NetFlow data collection?

(Take into account that ISPs typically see the effects of new malware
well before the AV companies. :sunglasses:

_____________________________________
sjk@cupacoffee.net
http://www.cupacoffee.net

No one can understand the truth until
he drinks of coffee's frothy goodness.
~Sheik Abd-al-Kadir

This .sig must be preserved. I go to refill my cup.

Has anyone ever quantified the relationship between available network clue and available caffeine?

We are an ISP - we look for specific trending data to help pinpoint new
potential viruses and malware which can adversely affect transit links or
equipment.

Plain IDS data, or netflow data? (I don't doubt the usefulness of flow
data.)
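An added illustration of the flow-level trending the ISP post above describes; this is example code, not from any poster in the thread, and the CSV-style record layout is an assumption standing in for a real NetFlow export. It surfaces two signals that flow data alone exposes at surveillance scale: one source fanning out tiny flows to many hosts on a single port, and a port whose flow count jumps minute over minute.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not a real export):
# minute,src,dst,dst_port,proto,packets,bytes
FLOWS = """\
0,10.0.0.5,198.51.100.10,80,6,12,9000
0,10.0.0.7,198.51.100.11,443,6,30,41000
0,10.0.0.9,198.51.100.12,80,6,9,7100
1,10.0.0.5,198.51.100.10,80,6,14,9800
1,10.0.0.9,203.0.113.1,445,6,1,48
1,10.0.0.9,203.0.113.2,445,6,1,48
1,10.0.0.9,203.0.113.3,445,6,1,48
1,10.0.0.9,203.0.113.4,445,6,1,48
1,10.0.0.7,198.51.100.11,443,6,25,36000
"""

def parse_flows(text):
    """Parse the assumed CSV layout into tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m, src, dst, dport, proto, pkts, byts = line.split(",")
        rows.append((int(m), src, dst, int(dport), int(proto), int(pkts), int(byts)))
    return rows

def worm_like_sources(rows, min_fanout=3, max_pkts=2):
    """Return {(minute, src, dport): n_dsts} where one source opened tiny flows
    (<= max_pkts packets) to >= min_fanout distinct hosts on one port within a
    minute: the scan/propagation shape visible in flow data before any IDS signature exists."""
    dsts = defaultdict(set)
    for m, src, dst, dport, _proto, pkts, _b in rows:
        if pkts <= max_pkts:
            dsts[(m, src, dport)].add(dst)
    return {k: len(v) for k, v in dsts.items() if len(v) >= min_fanout}

def port_trend(rows):
    """Flows per (minute, dst_port): the per-port series an ISP charts to see a
    port suddenly dominating a transit link."""
    counts = defaultdict(int)
    for m, _s, _d, dport, *_ in rows:
        counts[(m, dport)] += 1
    return dict(counts)

def port_spikes(rows, ratio=3.0):
    """Ports whose flow count is >= ratio x the previous minute's count
    (a port unseen in the previous minute is compared against 1)."""
    counts = port_trend(rows)
    return [(m, dport, n, counts.get((m - 1, dport), 0))
            for (m, dport), n in sorted(counts.items())
            if m > 0 and n >= ratio * max(counts.get((m - 1, dport), 0), 1)]

if __name__ == "__main__":
    rows = parse_flows(FLOWS)
    print(worm_like_sources(rows), port_spikes(rows))
```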