Snort mailing list archives

Re: Naming convention of Snort


From: Leigh David Heyman <leigh () ai mit edu>
Date: Wed, 13 Mar 2002 15:32:11 -0500

On Wed, 13 Mar 2002, Jason Hammerschmidt wrote:

So then what's the difference between a HIDS in promiscuous mode (with
tap/mirroring/etc), and a NIDS,

Well, Chris sums it up fairly well with this:

Host Based IDS generally refers to monitoring Host based events such
as process activity or the like.

To me, that means I can have a HIDS on a machine with no ethernet connection.
Granted, that's not going to happen very often, but it could.  :)


In (what I believe to be the simplest terms) a HID can only detect intrusions (or intrusion attempts) to the system on
which it is running.  Whereas a NID can detect intrusions (or attempts) against all (or a subset thereof) systems on a
network.  By running a HID in promisc mode (mirroring etc.) you've basically created a NID (so to answer your question
above there's no real difference)... I've seen portsentry for example run this way (in fact run portsentry on a Linux
router and you've turned a HID into what Erek called a GID!)

-Leigh


-----------------------------
Your business will go through a period of considerable expansion.


