On Nov 13, 2007, at 11:28 AM, Jeremy Bennett wrote:
What I meant was systems that are attempting to extract flow data
by watching the traffic itself.
These must be placed at appropriate points in the topology, yes, if
the infrastructure itself doesn't support NetFlow export. nfdump
would be an example of the type of system you're describing; for
example, Adam's Lancope collectors can also generate flows from RSPAN
or copy/capture VACL destination ports, if necessary.
The disadvantage of this mode of operation is that a) it doesn't
scale well, as you indicate, and b) one loses the input and output
ifindex information, and thus the traceback functionality is impeded.
-----------------------------------------------------------------------
Roland Dobbins <[EMAIL PROTECTED]> // 408.527.6376 voice
-- Elvis Presley
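The ifIndex point above is easy to see in code. The following is an added example, not something from Roland's or Jeremy's messages: it decodes a NetFlow v5 export record (which carries the router's input/output ifIndex) and, beside it, builds the same 5-tuple flow from packets as a SPAN/RSPAN-fed collector would see them. The datagram bytes, addresses, ifIndex values and packet list are all constructed for the example; the only assumption about the format is the standard Cisco v5 layout (24-byte header, 48-byte records).

```python
"""Exporter-sourced NetFlow v5 record vs. a flow rebuilt from mirrored packets.

All sample data below is constructed for this example.
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire layout: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode a NetFlow v5 export datagram into a list of flow dicts."""
    version, count, *_rest = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    records = []
    for i in range(count):
        offset = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, _nexthop, input_if, output_if, pkts, octets,
         _first, _last, sport, dport, _pad1, _tcp_flags, proto, _tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, offset)
        records.append({
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "sport": sport, "dport": dport,
            "packets": pkts, "bytes": octets,
            # These two fields come straight from the router's forwarding path
            # and are what hop-by-hop traceback relies on.
            "input_if": input_if, "output_if": output_if,
        })
    return records


def flows_from_mirrored_packets(packets) -> dict:
    """Aggregate 5-tuple flows from packets copied to a SPAN/RSPAN/VACL port.

    packets: iterable of (src, dst, proto, sport, dport, length).
    A mirror port carries no ingress/egress interface information, so the
    ifIndex fields can only be left empty.
    """
    table = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                 "input_if": None, "output_if": None})
    for src, dst, proto, sport, dport, length in packets:
        key = (src, dst, proto, sport, dport)
        table[key]["packets"] += 1
        table[key]["bytes"] += length
    return dict(table)


def traceback_ingress(flow: dict):
    """Return the ifIndex an analyst would follow upstream, or None if the
    record cannot say where the traffic entered (ifIndex 0 = not available)."""
    idx = flow.get("input_if")
    return idx if idx else None


def build_sample_datagram() -> bytes:
    """Constructed v5 datagram: one TCP flow that entered on ifIndex 7 and
    left on ifIndex 12. Addresses are from the RFC 5737 documentation ranges."""
    header = V5_HEADER.pack(5, 1, 123456, 1194956880, 0, 1, 0, 0, 0)
    record = V5_RECORD.pack(
        int(ipaddress.IPv4Address("198.51.100.23")),  # src
        int(ipaddress.IPv4Address("203.0.113.80")),   # dst
        int(ipaddress.IPv4Address("192.0.2.1")),      # next hop
        7, 12,            # input / output ifIndex
        40, 2400,         # packets, octets
        100000, 130000,   # first / last (sysUptime ms)
        51234, 80,        # sport, dport
        0, 0x02, 6, 0,    # pad1, tcp_flags (SYN), proto (TCP), tos
        64500, 64501,     # src_as, dst_as
        24, 24, 0)        # src_mask, dst_mask, pad2
    return header + record


# Constructed packets for the same conversation as seen on a mirror port.
SAMPLE_MIRRORED_PACKETS = [
    ("198.51.100.23", "203.0.113.80", 6, 51234, 80, 60),
    ("198.51.100.23", "203.0.113.80", 6, 51234, 80, 60),
    ("203.0.113.80", "198.51.100.23", 6, 80, 51234, 52),
]

if __name__ == "__main__":
    exported = parse_netflow_v5(build_sample_datagram())[0]
    passive = flows_from_mirrored_packets(SAMPLE_MIRRORED_PACKETS)
    print("exported record ingress ifIndex:", traceback_ingress(exported))
    for key, flow in passive.items():
        print("mirror-derived flow", key, "ingress ifIndex:", traceback_ingress(flow))
```

Both paths yield the same 5-tuple and byte/packet counts, which is all an IDS-style analysis needs; only the exported record tells you which interface the traffic arrived on, so only it lets you walk a spoofed-source flow back one hop at a time.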