[Snort-users] Naming convention of Snort

Erek Adams erek at ...577...
Wed Mar 13 10:32:09 EST 2002

On Wed, 13 Mar 2002, Jason Hammerschmidt wrote:

> Why name Snort a NIDS when it's really a Host based IDS.. often being
> used as an attempted NIDS via Ethernet taps/port mirroring.

Ummm...  A HIDS is something that actually sits on one box and _only_ looks at
that one box.  Snort is a NIDS, since it monitors network traffic and not host
based processes/data.  Since that's the case, the best way to use it would be
with taps and/or mirrored ports.

> So I don't start a flame war, I'm assuming NIDS is an inline, or inband IDS
> at the point of an interconnection from one network to another (like a
> router/firewall/single transparent bridge).  Also, this is strictly a
> curiosity question, I very much like Snort.

Oh, don't worry about flame wars here.  As long as you don't mention your OS
is bigger than mine, we don't care.  ;-)

What you're really thinking of is a GIDS (Gateway IDS).

> In various articles/docs, Snort is often referred to as lightweight, is
> this only because it's non-commercial?  I'm confused by this term,
> although it seems to be disappearing recently.  Anyone?

The real reason is almost historical now...  When Marty first wrote it, it was
tiny and 'light'.  Almost just a simple network packet grepper.  Then as
things got expanded--plugins being the main culprit--it started to get
'plumper'.  It's still light and fast, but it now does things that its
original versions could only dream of.


Erek Adams

