On 2015-08-13 19:00, Aaron Hopkins wrote:
I try to avoid storing any raw per-flow data to disk. At the scale I'm operating, I can't store it for very long, and walking through it again is too slow. If I wanted to throw more hardware at NetFlow log processing, it's at least possible to do, though. Of the people I've heard of doing this, most are paranoid companies (not ISPs) who want to be able to trace security incidents after the fact.
I was surprised how many companies had enough traffic to retroactively determine whether HEARTBLEED had previously been exploited. Neat, but scary.