[Snort-users] Naming convention of Snort
erek at ...577...
Wed Mar 13 10:32:09 EST 2002
On Wed, 13 Mar 2002, Jason Hammerschmidt wrote:
> Why name Snort a NIDS when it's really a Host based IDS.. often being
> used as an attempted NIDS via Ethernet taps/port mirroring.
Ummm... A HIDS is something that actually sits on one box and _only_ looks at
that one box. Snort is a NIDS, since it monitors network traffic and not host
based processes/data. Since that's the case, the best way to use it would be
with taps and/or mirrored ports.
> So I don't start a flame war, I'm assuming NIDS is an inline, or inband IDS
> at the point of an interconnection from one network to another (like a
> router/firewall/single transparent bridge). Also, this is strictly a
> curiosity question, I very much like Snort.
Oh, don't worry about flame wars here. As long as you don't mention your OS
is bigger than mine, we don't care. ;-)
What you're really thinking of is a GIDS (Gateway IDS).
> In various articles/docs, Snort is often referred to as lightweight, is
> this only because it's non commercial? I'm confused by this term,
> although it seems to be disappearing recently. Anyone?
The real reason is almost historical now... When Marty first wrote it, it was
tiny and 'light'. Almost just a simple network packet grepper. Then as
things got expanded--plugins being the main culprit--it started to get
'plumper'. It's still light and fast, but it now does things that its
original versions could only dream of.