Actually, re-reading your original message, netflow would certainly be helpful in analysis, trending, etc. (along with something along the lines of MRTG) -- and IDS is only helpful after the fact, per se.
- ferg

-- "Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote:

At 3:30 PM +0000 8/25/05, Fergie (Paul Ferguson) wrote:
>Howard,
>
>I'd most certainly use an IDS (i.e. SNORT) for this instead of
>netflow....

My concern is scalability, remembering I'm talking about the surveillance level. My preliminary sense is that SNORT is great in a sinkhole, but isn't as scalable as a reasonable NetFlow export.

>-- "Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote:
>
> NetFlow is the key to analyzing traffic patterns outside the router,
> looking for DDoS signatures when known, and for traffic anomalies that
> may become DDoS.