nanog mailing list archives

Re: A useful oversimplification for network surveillance?


From: Yann Berthier <yb () bashibuzuk net>
Date: Thu, 25 Aug 2005 18:30:23 +0200


On Thu, 25 Aug 2005, Fergie (Paul Ferguson) wrote:


Actually, re-reading your original message, netflow would certainly
be helpful in analysis, trending, etc. (along with something
along the lines of MRTG) -- and IDS is only helpful after the
fact, per se.

   If I may add - NetFlow gives you the possibility to do network
   forensics on 'past' network events (for whatever meaning of past),
   even if your IDS has detected nothing. This is an important
   consideration.

   I set up a mailing list, flowop, some time ago, to discuss NetFlow
   related issues: analysis, deployment considerations, ... The goal is
   obviously not to divert traffic from the existing mailing lists
   focused on a particular collector / tool, but I felt that besides
   those specific lists, a 'generic' one was badly needed.

   I never took the time to advertise it, so the traffic is low (that
   is, null), but perhaps this is a good time to do so. I look forward
   to seeing many interesting discussions happening here.

   Subscription information:
   http://www.csrrt.org.lu/mailman/listinfo/flowop

   Thanks,

      - yann

