> I'd most certainly use an IDS (i.e. SNORT) for this instead of > netfow....
Could you provide a use case at the ISP level where an IDS is indeed superior to NetFlow data collection? (Take into account that ISPs typically see the effects of new malware well before the AV companies. 8-)
