[Snort-users] Naming convention of Snort

Chris Green cmg at ...1935...
Wed Mar 13 12:19:15 EST 2002

Jason Hammerschmidt <Jason.Hammerschmidt at ...5298...> writes:

> So then what's the difference between a HIDS in promiscuous mode (with 
> tap/mirroring/etc), 

A tap would be of no use to a HIDS.  Typically on a HIDS, you expect
the machine to still be doing its real job (not IDS).  A HIDS
really only monitors a single host.  Some people use Snort somewhat
like this (watching their cable modem IP) but it doesn't take
advantage of the wealth of other information a HIDS could be using.

> and a NIDS, furthermore using a tap/mirroring you're in effect
> trusting your networking gear to do a lot of things...


> trusting it to follow IEEE 802.x standards (and how often have we
> seen this violated?), trusting it not to fail in even the slightest
> way, trusting it to handle congestion (what if packets get dropped
> on your mirrored port), trusting the software of the switch.  You're
> not guaranteed 100% of your network traffic, or at least you can't be
> certain 100% is getting through.

Well, ethernet taps like the Finisar do reproduce the electrical
signals, but you are trusting that your ethernet card acts the same way
etc... There's no cure-all.

> In paranoid circles wouldn't GIDS be the only true 100% NIDS?

What if the GIDS interprets packets somewhat differently from the host
it's protecting.... There's problems with every solution.  Many
people are more paranoid of an over-active GIDS nuking vital parts of
their network.

> I've been taught never to trust port mirroring/VLAN's/all that jazz
> of switches if your intention is to be highly secure.  I believe
> there's even something in the FAQ in length about the various traps
> of setting up Ethernet taps/mirroring.  In my opinion you cannot
> trust such setups for intention of a NIDS.

(This is based on my experience at my past job and not a reflection of
Sourcefire official statement)

I have had internet connections going through hubs and taps with
pretty reliable success.  Things like VLANs and CPU limited solutions
can be a lot less trustworthy than electrical signal reproductions.

> PS. I'm only asking these questions as a semantics inquiry, I'm not 
> meaning to start any wars.  Just feeding my curiosity.

That's fine.  I think it all boils down to nothing is perfect, but we're
all trying.
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
