[Snort-users] Naming convention of Snort

counter.spy at ...348...
Wed Mar 13 13:43:13 EST 2002


Jason Hammerschmidt writes:
>So then what's the difference between a HIDS in promiscuous mode 
>(with tap/mirroring/etc), and a NIDS, furthermore using a tap/mirroring
>you're in effect trusting your networking gear to do a lot of things...
>trusting it to follow IEEE 802.x standards (and how often have we seen
>this violated?), trusting it not to fail in even the slightest way,
>trusting it to handle congestion (what if packets get dropped on your
>mirrored port), trusting the software of the switch.  You're not
>guaranteed 100% of your network traffic, or at least you can't be
>certain 100% is getting through.

Short tutorial in IDS technology:

You would NEVER run a HIDS in promiscuous mode!
A HIDS is a piece of software, sometimes called "HIDS agent" that is 
optimized to have a small system footprint, i.e. using moderate amounts
of CPU and RAM and sometimes a reduced signature set for that special host.
A HIDS watches a PRODUCTION SYSTEM, e.g. your e-commerce server and you
wouldn't like it to answer traffic in some of the funny ways promiscuous 
mode devices sometimes do. As a matter of fact, this is one reason for
using STEALTH devices for NIDS:
-IPless Interface
-Read only cable
-Network Taps
so much for the "paranoid circles" ;)

A HIDS traditionally watches logfiles or system calls and sometimes also
performs filesystem integrity checks.

>In paranoid circles wouldn't GIDS be
>the only true 100% NIDS?  I've been taught never to trust port
>mirroring/VLAN's/all that jazz of switches if your intention is to be
>highly secure.  I believe there's even something in the FAQ in length
>about the various traps of setting up Ethernet taps/mirroring.  In my
>opinion you cannot trust such setups for intention of a NIDS.
>