Snort mailing list archives
Re: Naming convention of Snort
From: counter.spy () gmx de
Date: Wed, 13 Mar 2002 22:42:11 +0100 (MET)
Jason Hammerschmidt writes:
> So then what's the difference between a HIDS in promiscuous mode (with tap/mirroring/etc.) and a NIDS? Furthermore, using a tap/mirroring you're in effect trusting your networking gear to do a lot of things: trusting it to follow IEEE 802.x standards (and how often have we seen this violated?), trusting it not to fail in even the slightest way, trusting it to handle congestion (what if packets get dropped on your mirrored port), trusting the software of the switch. You're not guaranteed 100% of your network traffic, or at least you can't be certain 100% is getting through.
Short tutorial in IDS technology: You would NEVER run a HIDS in promiscuous mode! A HIDS is a piece of software, sometimes called a "HIDS agent", that is optimized to have a small system footprint, i.e. using moderate amounts of CPU and RAM and sometimes a reduced signature set for that special host. A HIDS watches a PRODUCTION SYSTEM, e.g. your e-commerce server, and you wouldn't like it to answer to traffic in some of the funny ways promiscuous mode devices sometimes do. As a matter of fact, this is one reason for using STEALTH devices for NIDS:
- IP-less Interface
- Read-only cable
- Network Taps
So much for the "paranoid circles" ;)
A HIDS traditionally watches logfiles or system calls and sometimes also performs filesystem integrity checks.
> In paranoid circles wouldn't GIDS be the only true 100% NIDS? I've been taught never to trust port mirroring/VLANs/all that jazz of switches if your intention is to be highly secure. I believe there's even something in the FAQ at length about the various traps of setting up Ethernet taps/mirroring. In my opinion you cannot trust such setups for the intention of a NIDS.
From what I have read about this, I agree with you in not trusting mirroring, or switch port analyzer as it is sometimes called, but I haven't yet much practical experience with this kind of stuff. I would NOT recommend you using a GIDS that actively blocks traffic, because you have got a single point of failure here. IMHO active blocking is the only true means of using GIDSs, but I don't trust that either. A NIDS can see all of the packets up to 100 Mbit/s if configured properly and if you use strong hardware. NNIDS are host-based IDSs that analyze the network traffic which comes and goes to that SINGLE machine that it monitors. Therefore they are sometimes also called "stack-based IDS". As I am currently analyzing how NIDS can be deployed on switched environments, I can tell you that such scenarios are sometimes beyond any economic means. When it comes to monitoring high-end e-commerce environments in full duplex, some vendors have developed redundant scenarios with lots of taps and toplayer switches as IDS load balancers... You will want to analyze very carefully at which points of your net a NIDS is useful; sometimes NNIDS are better in order to economize on cost without leaving unmonitored patches. If you don't need full duplex you can take a 100 Mbit/s hub and you can see all the traffic that goes through that hub.
> PS. I'm only asking these questions as a semantics inquiry, I'm not meaning to start any wars. Just feeding my curiosity.
Charges 15$ per issue ;-)

Greetings,
D. Liesen
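The thread raises two concerns a sensor operator should verify rather than assume: whether the mirrored port silently loses frames before the NIDS sees them, and whether the capture interface is really a stealth (IP-less, receive-only) device. The following script is an added example and is not code from the thread or from the Snort project. It assumes a Linux sensor whose capture NIC counters are read from /proc/net/dev; the sample text and the drop-ratio threshold below are constructed for illustration. Sensor-side counters only show what the sensor's own NIC and kernel dropped; oversubscription on the switch's mirror port itself has to be read from the switch's counters.

```python
"""Sensor-side health check for a NIDS capture interface (added example, not from the thread).

Parses Linux /proc/net/dev and flags a capture interface that drops frames
(so the IDS never saw them) or that transmits (so it is not a stealth interface).
"""

# Constructed sample of /proc/net/dev output (not captured from a real sensor).
# eth0 plays the management NIC, eth1 the capture NIC on the mirrored port.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   1234567   10000    0     0    0     0          0         0   1234567   10000    0    0    0     0       0          0
  eth0:  98765432  500000    0     0    0     0          0         0  12345678   80000    0    0    0     0       0          0
  eth1: 4000000000 3000000   12 45000 3000     0          0        10         0       0    0    0    0     0       0          0
"""

# Column order used by the kernel: eight receive counters, then eight transmit counters.
_RX_COLS = ("bytes", "packets", "errs", "drop", "fifo", "frame", "compressed", "multicast")
_TX_COLS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")


def parse_proc_net_dev(text: str) -> dict:
    """Return {iface: {"rx_bytes": int, ..., "tx_compressed": int}} from /proc/net/dev text."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # the two header lines carry no counters
        iface, _, rest = line.partition(":")
        values = rest.split()
        if len(values) != len(_RX_COLS) + len(_TX_COLS):
            continue  # malformed line; skip rather than misattribute counters
        numbers = [int(v) for v in values]
        entry = {f"rx_{c}": n for c, n in zip(_RX_COLS, numbers[:8])}
        entry.update({f"tx_{c}": n for c, n in zip(_TX_COLS, numbers[8:])})
        stats[iface.strip()] = entry
    return stats


def assess_capture_interface(stats: dict, iface: str, max_drop_ratio: float = 0.001) -> dict:
    """Check one interface for silent packet loss and for a non-stealth configuration.

    Returns {"iface", "drop_ratio", "findings"}; findings is empty when the interface
    looks healthy. max_drop_ratio is an assumed threshold, not a Snort setting.
    """
    if iface not in stats:
        raise KeyError(f"interface {iface!r} not present in /proc/net/dev")
    s = stats[iface]
    seen = s["rx_packets"] + s["rx_drop"]          # frames that reached the NIC at all
    drop_ratio = s["rx_drop"] / seen if seen else 0.0
    findings = []
    if drop_ratio > max_drop_ratio:
        findings.append(f"kernel dropped {s['rx_drop']} of {seen} frames "
                        f"({drop_ratio:.2%}); the IDS did not see them")
    if s["rx_fifo"] > 0:
        findings.append(f"{s['rx_fifo']} NIC ring overruns: the sensor cannot keep up "
                        f"with the mirrored load")
    if s["rx_errs"] > 0:
        findings.append(f"{s['rx_errs']} receive errors: check tap/mirror cabling "
                        f"and duplex settings")
    if s["tx_packets"] > 0:
        findings.append(f"interface transmitted {s['tx_packets']} frames: a stealth capture "
                        f"interface (no IP, receive-only) should never send")
    return {"iface": iface, "drop_ratio": drop_ratio, "findings": findings}


def main() -> None:
    # On a live sensor replace the sample with: open("/proc/net/dev").read()
    stats = parse_proc_net_dev(SAMPLE_PROC_NET_DEV)
    for iface in ("eth0", "eth1"):
        report = assess_capture_interface(stats, iface)
        status = "WARN" if report["findings"] else "OK"
        print(f"{iface}: {status} drop_ratio={report['drop_ratio']:.4f}")
        for finding in report["findings"]:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run it periodically on the sensor and compare against a baseline taken during a known-good capture: a rising drop ratio on the capture NIC means the "100% of your traffic" assumption no longer holds, and any transmit count on that NIC means it is not the IP-less, read-only device the stealth deployment intended.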