[Snort-users] Naming convention of Snort
erek at ...577...
Wed Mar 13 11:56:03 EST 2002
On Wed, 13 Mar 2002, Jason Hammerschmidt wrote:
> So then what's the difference between a HIDS in promiscuous mode (with
> tap/mirroring/etc), and a NIDS,
Well, Chris sums it up fairly well with this:
> > Host Based IDS generally refers to monitoring Host based events such
> > as process activity or the like.
To me, that means I can have a HIDS on a machine with no ethernet connection.
Granted, that's not going to happen very often, but it could. :)
> furthermore using a tap/mirroring
> you're in effect trusting your networking gear to do a lot of things...
> trusting it to follow IEEE 802.x standards (and how often have we seen
> this violated?), trusting it not to fail in even the slightest way,
> trusting it to handle congestion (what if packets get dropped on your
> mirrored port), trusting the software of the switch. You're not
> guaranteed 100% of your network traffic, or at least you can't be
> certain 100% is getting through. In paranoid circles wouldn't GIDS be
> the only true 100% NIDS? I've been taught never to trust port
> mirroring/VLAN's/all that jazz of switches if your intention is to be
> highly secure. I believe there's even something in the FAQ in length
> about the various traps of setting up Ethernet taps/mirroring. In my
> opinion you cannot trust such setups for intention of a NIDS.
IMHO, if you use just _one_ IDS, you're asking for trouble. Single point of
failure and all that happiness. Be safe, spread it out. Multiple IDS's of
various flavors. Sure, it's a PITA to maintain, but it gives you the best
"view". Just remember that there is no 'silver bullet'. That goes for
IDS's, switches, taps, etc. It's all the same...
> PS. I'm only asking these questions as a semantics inquiry, I'm not
> meaning to start any wars. Just feeding my curiosity.
I'm sorry, this isn't an all you can eat buffet. You'll have to order from
the menu sir. ;-)
[Note to self: Cut back a bit on the coffee or start drinking decaf.