Actually, re-reading your original message, netflow would certainly
be helpful in analysis, trending, etc. (along with something
along the lines of MRTG) -- and IDS is only helpful after the
fact, per se.
I'd most certainly use an IDS (i.e. SNORT) for this instead of
My concern is scalability, remembering I'm talking about the
surveillance level. My preliminary sense is that SNORT is great in a
sinkhole, but isn't as scalable as a reasonable NetFlow export.
If I may add - NetFlow give you the possibility to do network
forensics on 'past' network events (for whatever meaning of past),
even if your IDS has detected nothing. This is an important
I set up a mailing list, flowop, some time ago, to discuss NetFlow
related issues: analysis, deployment considerations, ... The goal is
obviously not to divert traffic from the existing mailing lists
focused on a particular collector / tool, but I felt that besides
those specific lists, a 'generic' one was badly needed.
I never took the time to advertise it, so the traffic is low (that
is, null), but perhaps this is a good time to do so. I look forward
to see many interesting discussions happening here.