[Snort-users] Naming convention of Snort

Jason Hammerschmidt Jason.Hammerschmidt at ...5298...
Wed Mar 13 11:24:03 EST 2002

So then what's the difference between a HIDS in promiscous mode (with 
tap/mirroring/etc), and a NIDS, furthermore using a tap/mirroring 
you're in effect trusting your networking gear to do a lot of things... 
trusting it to follow IEEE 802.x standards (and how often have we seen 
this violated?), trusting it not to fail in even the slightest way, 
trusting it to handle congestion (what if packets get dropped on your 
mirrored port), trusting the software of the switch.  You're not 
garanteed 100% of your network traffic, or at least you can't be 
certain 100% is getting through.  In paranoid circles wouldn't GIDS be 
the only true 100% NIDS?  I've been taught never to trust port 
mirroring/VLAN's/all that jazz of switches if your intention is to be 
highly secure.  I believe there's even something in the FAQ in length 
about the various traps of setting up Ethernet taps/mirroring.  In my 
opinion you cannot trust such setups for intention of a NIDS.

PS. I'm only asking these questions as a semantics inquiry, I'm not 
meaning to start any wars.  Just feeding my curiosity.

On March 13, 2002 01:32 pm, Chris Green wrote:
> Jason Hammerschmidt <Jason.Hammerschmidt at ...5298...> writes:
> > Why name Snort a NIDS when it's really a Host based IDS..
> It is a NIDS.
> Host Based IDS generally refers to monitoring Host based events such
> as process activity or the like.

Jason Hammerschmidt - direct: 416.643.8560
"Whatever you do will be insignificant, but it is very important that
you do it."  --Mahatma Gandhi

More information about the Snort-users mailing list