Correlation rules - existing netflow probes

John Gerth gerth at graphics.stanford.edu
Sat Jan 4 15:36:11 EST 2014


I would definitely classify argus as an existing netflow probe.
There's nothing to develop.

All netflow probes have to be deployed.  Even Cisco netflow has to both be
enabled in the device and have machines set up to collect the netflow data
which is emitted.

All one does for argus is place it somewhere along the packet stream using
a standard monitoring technology like span port, optical splitter, ...

What you get from argus in return is a much richer set of data which creates
many more opportunities for correlation and other analytics.  And the richness
comes from looking at the packets.  It's not something one could later derive
from the impoverished netflow summaries.  Sure, argus can ingest netflow data,
but it can't provide fields for data which has already been discarded by the probe.


On 1/4/14 12:53 AM, Jaime Nebrera wrote:
> Hi Carter, the main point is at this moment we don't plan to develop netflow probes, but just use existing ones like Cisco 's or Palo Alto
> 
> Our users want L7 application identification, and honestly, that's an arms race we prefer not to enter for now
> 
> Jaime Nebrera - ENEO Tecnología
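An added example (mine, not argus code and not from this thread) illustrating the point above: a NetFlow-style 5-tuple summary can only guess the application from the port, while a record built from the packets, as argus does, can identify HTTP running on a non-standard port. The packet dicts, field names and the 40-byte header size are constructed assumptions.

```python
# Added example, not argus code: a NetFlow-style 5-tuple summary vs a packet-derived
# record. Packets are hand-constructed; a real probe reads them from a SPAN port.
from collections import defaultdict

# Constructed sample: one HTTP exchange on the non-standard port 8080.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51000, "dport": 8080,
     "proto": 6, "flags": "S", "payload": b""},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "sport": 8080, "dport": 51000,
     "proto": 6, "flags": "SA", "payload": b""},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51000, "dport": 8080,
     "proto": 6, "flags": "PA", "payload": b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "sport": 8080, "dport": 51000,
     "proto": 6, "flags": "PA", "payload": b"HTTP/1.1 200 OK\r\n\r\n<html>"},
]

def flow_key(p):
    return (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])

def netflow_summary(packets):
    """Unidirectional NetFlow-style records: 5-tuple plus packet/byte counts only."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for p in packets:
        flows[flow_key(p)]["pkts"] += 1
        flows[flow_key(p)]["bytes"] += 40 + len(p["payload"])  # assumed 40-byte IP+TCP header
    return dict(flows)

def rich_record(packets):
    """Packet-derived record (an illustrative subset of what argus keeps)."""
    originator = packets[0]["src"]
    rec = {"flags": set(), "first_payload": {}}
    for p in packets:
        rec["flags"].update(p["flags"])
        side = "orig" if p["src"] == originator else "resp"
        if p["payload"] and side not in rec["first_payload"]:
            rec["first_payload"][side] = p["payload"][:16]
    return rec

def app_from_netflow(key):
    """All a 5-tuple summary supports: a guess from the server port."""
    return {80: "http", 443: "tls"}.get(key[3], "unknown")

def app_from_payload(rec):
    """Identification from payload bytes the summary has already discarded."""
    first = rec["first_payload"].get("orig", b"")
    if first.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    return "unknown"
```

Run both identifiers on the same traffic: the port-based guess yields "unknown" for port 8080, the payload-based one yields "http", which is exactly the field no later pass over NetFlow records can recover.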
