Snort mailing list archives

Re: Naming convention of Snort


From: counter.spy () gmx de
Date: Wed, 13 Mar 2002 22:42:11 +0100 (MET)

Jason Hammerschmidt writes:
So then what's the difference between a HIDS in promiscuous mode
(with tap/mirroring/etc.) and a NIDS? Furthermore, using a tap/mirroring
you're in effect trusting your networking gear to do a lot of things:
trusting it to follow IEEE 802.x standards (and how often have we seen
this violated?), trusting it not to fail in even the slightest way,
trusting it to handle congestion (what if packets get dropped on your
mirrored port), trusting the software of the switch. You're not
guaranteed 100% of your network traffic, or at least you can't be
certain 100% is getting through.

Short tutorial in IDS technology:

You would NEVER run a HIDS in promiscuous mode!
A HIDS is a piece of software, sometimes called a "HIDS agent", that is
optimized to have a small system footprint, i.e. using moderate amounts
of CPU and RAM and sometimes a reduced signature set for that special host.
A HIDS watches a PRODUCTION SYSTEM, e.g. your e-commerce server, and you
wouldn't like it to answer to traffic in some of the funny ways promiscuous
mode devices sometimes do. As a matter of fact, this is one reason for
using STEALTH devices for NIDS:
- IP-less interface
- Read-only cable
- Network taps
So much for the "paranoid circles" ;)

A HIDS traditionally watches logfiles or system calls and sometimes also
performs filesystem integrity checks.

In paranoid circles, wouldn't GIDS be
the only true 100% NIDS? I've been taught never to trust port
mirroring/VLANs/all that jazz of switches if your intention is to be
highly secure. I believe there's even something in the FAQ at length
about the various traps of setting up Ethernet taps/mirroring. In my
opinion you cannot trust such setups for the purposes of a NIDS.


From what I have read about this, I agree with you in not trusting mirroring,
or switch port analyzer, as it is sometimes called, but I haven't yet much
practical experience with this kind of stuff.

I would NOT recommend you using a GIDS that actively blocks traffic,
because you have got a single point of failure here.
IMHO active blocking is the only true means of using GIDSs, but I don't trust
that either.
A NIDS can see all of the packets up to 100 Mbit/s if configured properly
and if you use strong hardware.

NNIDS are host-based IDSs that analyze the network traffic which comes and
goes to that SINGLE machine that it monitors. Therefore they are sometimes also
called "stack-based IDS".

As I am currently analyzing how NIDS can be deployed in switched environments,
I can tell you that such scenarios are sometimes beyond any economic means.
When it comes to monitoring high-end e-commerce environments in full duplex,
some vendors have developed redundant scenarios with lots of taps and
top-layer switches as IDS load balancers....
You will want to analyze very carefully at which points of your
net a NIDS is useful - sometimes NNIDS are better in order to economize on
cost without leaving unmonitored patches.
If you don't need full duplex you can take a 100 Mbit/s hub and you can see
all the traffic that goes through that hub.



PS. I'm only asking these questions as a semantics inquiry; I'm not
meaning to start any wars. Just feeding my curiosity.

Charges 15$ per issue ;-)

Greetings,
D. Liesen

-- 
GMX - The communication platform on the Internet.
http://www.gmx.net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
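The reply above says a HIDS "traditionally watches logfiles or system calls and sometimes also performs filesystem integrity checks" but names no tool. The following is an added example, not code from the thread or from Snort, of the integrity-check part: take a SHA-256 baseline of a directory tree, rescan later, and report files that were modified, added or removed. The sample tree, its file names and contents are constructed inside a temporary directory so the script runs offline; a real agent would keep the baseline off-host or on read-only media so that whoever alters a file cannot also alter the record of its hash.

```python
"""Minimal filesystem integrity check of the kind a HIDS agent performs.

Added example. The baseline layout (relative path -> hex digest) and the
sample files in demo() are assumptions, not anything from the thread.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative path) to its digest."""
    baseline: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks: following them would let a link redirect the
            # check to an unrelated file and hide a change in the real one.
            if p.is_symlink() or not p.is_file():
                continue
            baseline[str(p.relative_to(root))] = file_digest(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two scans as modified, added or removed."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, change the tree, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample binary")

        baseline = build_baseline(root)

        # Changes made after the baseline was recorded (all constructed).
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed sample binary v2")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "new.conf").write_text("setting = 1\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running the script reports `bin/ls` as modified, `etc/new.conf` as added and `etc/hosts` as removed. Note that hashing every file on each pass is the simplest approach but is I/O heavy on a busy production host, which is exactly the "small system footprint" concern the reply raises; real agents spread the scan over time or restrict it to a configured list of paths.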