Snort mailing list archives

Re: Naming convention of Snort


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 13 Mar 2002 11:50:12 -0800 (PST)

On Wed, 13 Mar 2002, Jason Hammerschmidt wrote:

> So then what's the difference between a HIDS in promiscuous mode (with
> tap/mirroring/etc), and a NIDS,

Well, Chris sums it up fairly well with this:

> Host Based IDS generally refers to monitoring Host based events such
> as process activity or the like.

To me, that means I can have a HIDS on a machine with no ethernet connection.
Granted, that's not going to happen very often, but it could.  :)


> furthermore using a tap/mirroring
> you're in effect trusting your networking gear to do a lot of things...
> trusting it to follow IEEE 802.x standards (and how often have we seen
> this violated?), trusting it not to fail in even the slightest way,
> trusting it to handle congestion (what if packets get dropped on your
> mirrored port), trusting the software of the switch.  You're not
> guaranteed 100% of your network traffic, or at least you can't be
> certain 100% is getting through.  In paranoid circles wouldn't GIDS be
> the only true 100% NIDS?  I've been taught never to trust port
> mirroring/VLANs/all that jazz of switches if your intention is to be
> highly secure.  I believe there's even something in the FAQ at length
> about the various traps of setting up Ethernet taps/mirroring.  In my
> opinion you cannot trust such setups for the intention of a NIDS.

IMHO, if you use just _one_ IDS, you're asking for trouble.  Single point of
failure and all that happiness.  Be safe, spread it out.  Multiple IDS's of
various flavors.  Sure, it's a PITA to maintain, but it gives you the best
"view".  Just remember that there is no 'silver bullet'.  That goes for
IDS's, switches, taps, etc.  It's all the same...

> PS. I'm only asking these questions as a semantics inquiry, I'm not
> meaning to start any wars.  Just feeding my curiosity.

I'm sorry, this isn't an all you can eat buffet.  You'll have to order from
the menu sir.  ;-)

[Note to self:  Cut back a bit on the coffee or start drinking decaf.
*shudder*]

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users