Snort mailing list archives
Re: Naming convention of Snort
From: Chris Green <cmg () sourcefire com>
Date: Wed, 13 Mar 2002 15:08:20 -0500
Jason Hammerschmidt <Jason.Hammerschmidt () maclaren com> writes:
> So then what's the difference between a HIDS in promiscuous mode (with tap/mirroring/etc),
A tap would be of no use to a HIDS. Typically on a HIDS, you expect the machine to still be doing its real job (not IDS). A HIDS really only monitors a single host. Some people use Snort somewhat like this (watching their cable modem IP) but it doesn't take advantage of the wealth of other information a HIDS could be using.
> and a NIDS, furthermore using a tap/mirroring you're in effect trusting your networking gear to do a lot of things...
Yeah.....
> trusting it to follow IEEE 802.x standards (and how often have we seen this violated?), trusting it not to fail in even the slightest way, trusting it to handle congestion (what if packets get dropped on your mirrored port), trusting the software of the switch. You're not guaranteed 100% of your network traffic, or at least you can't be certain 100% is getting through.
Well, Ethernet taps like the Finisar do reproduce the electrical signals, but you are trusting that your Ethernet card acts the same way, etc... There's no cure-all.
> In paranoid circles wouldn't GIDS be the only true 100% NIDS?
What if the GIDS interprets packets somewhat differently from the host it's protecting.... There are problems with every solution. Many people are more paranoid of an over-active GIDS nuking vital parts of their network.
> I've been taught never to trust port mirroring/VLANs/all that jazz of switches if your intention is to be highly secure. I believe there's even something in the FAQ at length about the various traps of setting up Ethernet taps/mirroring. In my opinion you cannot trust such setups for the purpose of a NIDS.
(This is based on my experience at my past job and not a reflection of a Sourcefire official statement.) I have had internet connections going through hubs and taps with pretty reliable success. Things like VLANs and CPU-limited solutions can be a lot less trustworthy than electrical signal reproductions.
> PS. I'm only asking these questions as a semantics inquiry, I'm not meaning to start any wars. Just feeding my curiosity.
That's fine. I think it all boils down to: nothing is perfect, but we're all trying.

-- 
Chris Green <cmg () sourcefire com>
"Not everyone holds these truths to be self-evident, so we've worked up a proof of them as Appendix A." -- Paul Prescod
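The worry raised in the thread, that a mirror port (or an over-committed VLAN or sniffing NIC) silently delivers less than 100% of the traffic, can at least be measured from the sensor side. The following is an added example written for this page, not code from the thread or from Snort; it checks two independent signals of loss: the sniffing NIC's own receive drop/error counters, and holes in TCP sequence space on flows the sensor did observe (the conversation carried on past bytes the sensor never saw). The interface name, counters and segments are constructed for the example; a real deployment would read /proc/net/dev on the sensor and feed segments from a pcap decoder.

```python
"""Sanity checks for a passive sensor feed (SPAN/mirror port or tap).

Two signals that the sensor is NOT seeing all of the traffic:
  1. rx drop/error counters on the sniffing NIC climbing while monitoring;
  2. unfilled holes in TCP sequence space on flows the sensor observed.
All input below is constructed (hypothetical interface, counters, segments).
"""
from collections import defaultdict

# Constructed sample of /proc/net/dev in the layout Linux prints (numbers invented).
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      60    0    0    0     0          0         0    12345      60    0    0    0     0       0          0
  eth1: 98765432  812345    0  417    0     0          0        12        0       0    0    0    0     0       0          0
"""

# Constructed sample of what a pcap decoder would hand us: one tuple per TCP
# segment, (flow, seq, payload_len), where flow identifies one direction of a
# connection as (src, sport, dst, dport).
FLOW_A = ("10.0.0.5", 34567, "10.0.0.9", 80)
FLOW_B = ("10.0.0.7", 40001, "10.0.0.9", 443)
FLOW_C = ("10.0.0.8", 40002, "10.0.0.9", 22)
SAMPLE_SEGMENTS = [
    (FLOW_A, 1000, 100),   # bytes 1000-1099
    (FLOW_A, 1100, 100),   # bytes 1100-1199
    (FLOW_A, 1300, 100),   # bytes 1300-1399: 1200-1299 never seen -> hole
    (FLOW_B, 1, 10),       # reordered on the wire, but nothing missing
    (FLOW_B, 21, 10),
    (FLOW_B, 11, 10),
    (FLOW_C, 500, 50),     # a retransmission is not a hole either
    (FLOW_C, 500, 50),
    (FLOW_C, 550, 50),
    (FLOW_C, 600, 0),      # pure ACK, no payload, ignored
]


def parse_proc_net_dev(text):
    """Return {iface: {rx_bytes, rx_packets, rx_errs, rx_drop}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:          # the two header lines carry no ':'
            continue
        iface, rest = line.split(":", 1)
        fields = rest.split()
        # Receive columns: bytes packets errs drop fifo frame compressed multicast
        stats[iface.strip()] = {
            "rx_bytes": int(fields[0]),
            "rx_packets": int(fields[1]),
            "rx_errs": int(fields[2]),
            "rx_drop": int(fields[3]),
        }
    return stats


def coverage_gaps(segments):
    """Map each flow to the byte ranges [start, end) the sensor never saw
    between the first and last byte it did see on that flow.

    Intervals are merged, so out-of-order delivery and retransmissions do
    not count as holes. Assumption: captures are short enough that 32-bit
    sequence-number wraparound does not occur.
    """
    per_flow = defaultdict(list)
    for flow, seq, length in segments:
        if length > 0:
            per_flow[flow].append((seq, seq + length))
    gaps = {}
    for flow, intervals in per_flow.items():
        intervals.sort()
        holes = []
        covered_to = intervals[0][1]
        for start, end in intervals[1:]:
            if start > covered_to:
                holes.append((covered_to, start))
            covered_to = max(covered_to, end)
        gaps[flow] = holes
    return gaps


def sensor_health(proc_net_dev_text, iface, segments):
    """Combine both signals into one verdict for the monitoring interface."""
    nic = parse_proc_net_dev(proc_net_dev_text)[iface]
    gaps = {f: g for f, g in coverage_gaps(segments).items() if g}
    missing = sum(end - start for holes in gaps.values() for start, end in holes)
    return {
        "iface": iface,
        "rx_errs": nic["rx_errs"],
        "rx_drop": nic["rx_drop"],
        "flows_with_holes": len(gaps),
        "missing_bytes": missing,
        "complete": nic["rx_errs"] == 0 and nic["rx_drop"] == 0 and not gaps,
    }


if __name__ == "__main__":
    print(sensor_health(SAMPLE_PROC_NET_DEV, "eth1", SAMPLE_SEGMENTS))
```

The unfilled hole is the interesting case: a segment lost on the real network is normally retransmitted and the hole closes, so a hole that never closes while the flow keeps going means the end hosts exchanged bytes the sensor did not see, which is exactly the situation the thread describes. The check only tells you that loss happened somewhere between the wire and the sniffer, not whether the switch, the tap or the NIC was at fault.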
Current thread:
- Naming convention of Snort Jason Hammerschmidt (Mar 13)
- Re: Naming convention of Snort Chris Green (Mar 13)
- Re: Naming convention of Snort Erek Adams (Mar 13)
- <Possible follow-ups>
- Re: Naming convention of Snort Jason Hammerschmidt (Mar 13)
- Re: Naming convention of Snort Erek Adams (Mar 13)
- Re: Naming convention of Snort Leigh David Heyman (Mar 13)
- Re: Naming convention of Snort Chris Green (Mar 13)
- Re: Naming convention of Snort Erek Adams (Mar 13)
- Re: Naming convention of Snort counter . spy (Mar 13)
- RE: Naming convention of Snort Bob Walder (Mar 13)