[Snort-users] Naming convention of Snort

Leigh David Heyman leigh at ...5300...
Wed Mar 13 12:40:37 EST 2002


> On Wed, 13 Mar 2002, Jason Hammerschmidt wrote:
> 
> > So then what's the difference between a HIDS in promiscuous mode (with
> > tap/mirroring/etc), and a NIDS,
> 
> Well, Chris sums it up fairly well with this:
> 
> > > Host Based IDS generally refers to monitoring Host based events such
> > > as process activity or the like.
> 
> To me, that means I can have a HIDS on a machine with no ethernet connection.
> Granted, that's not going to happen very often, but it could.  :)
> 
> 
In (what I believe to be) the simplest terms, a HID can only detect intrusions (or intrusion attempts) to the system on which it is running.  Whereas a NID can detect intrusions (or attempts) against all (or a subset thereof) systems on a network.  By running a HID in promisc mode (mirroring etc.) you've basically created a NID (so to answer your question above there's no real difference)... I've seen portsentry for example run this way (in fact run portsentry on a Linux router and you've turned a HID into what Erek called a GID!)

-Leigh


-----------------------------
Your business will go through a period of considerable expansion.





