Snort mailing list archives

Re: questions hids & nids


From: "Jason Robertson" <jason () ifuture com>
Date: Wed, 12 Dec 2001 17:32:14 -0500



On 12 Dec 2001 at 15:33, Ronneil Camara wrote:

Hi guys,

I've got some questions here:

1. Why would I need nids if I already have hids installed on every
machine?

It is always useful. A HIDS, like Tripwire, only tells you if a machine
is compromised, and this can also be faked or corrupted; it will not
tell you, for example, if you are getting unusual packets, or
something that might not be logged. Or how about receiving packets to
a non-logged port? Also remember that if they gain root access they
could update the database for Tripwire.

2. What about performance issues of snort, how does snort cope with
network traffic?
   How does it perform on 100mbps? Does it have something to do with
NICs?

Really based on the computer it's on and the NICs you are running.
The 3Com cards, if I am correct, do have a bug in which some packets
can be dropped. (Interrupt problem; has anyone found a good fix for
this yet?)

3. Is it possible for snort to log to a remote syslog server? If so,
what entry in snort.conf would it be? Has anyone configured his snort
to log to cisco cvwms?

Yeah, just add the forwarding to syslog.conf;
@host should do it.
--
Jason Robertson                
Network/Security Analyst     
jason () ifuture com 
http://www.ifuture.com, http://www.astroadvice.com, 
http://www.astroeast.com
Also if you are looking for an employee, I may be available soon, so 
feel free to 
contact me for my resume.

