[Snort-users] Naming convention of Snort
Jason.Hammerschmidt at ...5298...
Wed Mar 13 11:24:03 EST 2002
So then what's the difference between a HIDS in promiscous mode (with
tap/mirroring/etc), and a NIDS, furthermore using a tap/mirroring
you're in effect trusting your networking gear to do a lot of things...
trusting it to follow IEEE 802.x standards (and how often have we seen
this violated?), trusting it not to fail in even the slightest way,
trusting it to handle congestion (what if packets get dropped on your
mirrored port), trusting the software of the switch. You're not
garanteed 100% of your network traffic, or at least you can't be
certain 100% is getting through. In paranoid circles wouldn't GIDS be
the only true 100% NIDS? I've been taught never to trust port
mirroring/VLAN's/all that jazz of switches if your intention is to be
highly secure. I believe there's even something in the FAQ in length
about the various traps of setting up Ethernet taps/mirroring. In my
opinion you cannot trust such setups for intention of a NIDS.
PS. I'm only asking these questions as a semantics inquiry, I'm not
meaning to start any wars. Just feeding my curiosity.
On March 13, 2002 01:32 pm, Chris Green wrote:
> Jason Hammerschmidt <Jason.Hammerschmidt at ...5298...> writes:
> > Why name Snort a NIDS when it's really a Host based IDS..
> It is a NIDS.
> Host Based IDS generally refers to monitoring Host based events such
> as process activity or the like.
Jason Hammerschmidt - direct: 416.643.8560
"Whatever you do will be insignificant, but it is very important that
you do it." --Mahatma Gandhi
More information about the Snort-users