A useful oversimplification for network surveillance?

Actually, re-reading your original message, netflow would certainly
be helpful in analysis, trending, etc. (along with something
along the lines of MRTG) -- and IDS is only helpful after the
fact, per se.

- ferg

Howard,

I'd most certainly use an IDS (i.e. SNORT) for this instead of
netflow....

My concern is scalability, remembering I'm talking about the
surveillance level. My preliminary sense is that SNORT is great in a
sinkhole, but isn't as scalable as a reasonable NetFlow export.

If I may add - NetFlow gives you the possibility to do network
forensics on 'past' network events (for whatever meaning of past),
even if your IDS has detected nothing. This is an important
consideration.

I set up a mailing list, flowop, some time ago, to discuss NetFlow
related issues: analysis, deployment considerations, ... The goal is
obviously not to divert traffic from the existing mailing lists
focused on a particular collector / tool, but I felt that besides
those specific lists, a 'generic' one was badly needed.

I never took the time to advertise it, so the traffic is low (that
is, null), but perhaps this is a good time to do so. I look forward
to seeing many interesting discussions happening here.

Subscription information:
http://www.csrrt.org.lu/mailman/listinfo/flowop

Thanks,

   - yann
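As an added example (not from any poster in this thread), the retrospective query Yann describes over constructed NetFlow v5-style records: which sources contacted an indicator learned only after the flows were recorded, plus a per-host byte total of the kind MRTG would trend. All addresses and timestamps are constructed sample data.

```python
"""Retrospective analysis over constructed NetFlow-style flow records.
Shows that retained flow data answers "who talked to X, and when?"
after the fact, even when no IDS signature fired at the time."""
from collections import defaultdict
from datetime import datetime

# Constructed sample export, fields modelled on NetFlow v5:
# first-seen time, src, sport, dst, dport, proto, packets, bytes.
FLOWS_CSV = """\
2004-03-01T10:00:05,192.0.2.10,40001,198.51.100.7,80,6,12,5400
2004-03-01T10:00:09,192.0.2.11,40002,203.0.113.9,443,6,8,3100
2004-03-01T10:02:41,192.0.2.10,40010,203.0.113.9,6667,6,40,2200
2004-03-01T11:15:03,192.0.2.12,53012,203.0.113.9,6667,6,37,1900
2004-03-01T11:20:00,192.0.2.12,53020,198.51.100.7,80,6,5,900
"""

def parse_flows(text):
    """Parse one CSV record per line; counters become ints."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, proto, pkts, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": int(proto),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows

def talked_to(flows, indicator):
    """Retrospective query: sources that contacted `indicator` and the
    time each first did so. Returns {src: first_seen}."""
    first_seen = {}
    for f in flows:  # records are in time order, so first match wins
        if f["dst"] == indicator and f["src"] not in first_seen:
            first_seen[f["src"]] = f["ts"]
    return first_seen

def bytes_per_source(flows):
    """Trending input (MRTG-style): total bytes sent per source host."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)

if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    # 203.0.113.9 is a constructed stand-in for an indicator learned later.
    for host, when in sorted(talked_to(flows, "203.0.113.9").items()):
        print(f"{host} first contacted indicator at {when.isoformat()}")
    print(bytes_per_source(flows))
```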