Snort mailing list archives
RE: digitally sign event data by sensor
From: "Ben Tetu-Pappas" <ben () finaplex com>
Date: Thu, 17 Oct 2002 08:59:10 -0700
Symantec ManHunt has Snort plugins too. It uses a Java iButton to digitally sign logs. And then the logs are FIPS compliant (which is supposed to make it easier to use them as evidence in a court case).

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Thursday, October 17, 2002 8:38 AM
To: counter.spy () gmx de
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] digitally sign event data by sensor

2002-10-17-10:34:58 counter.spy () gmx de:
> Is there any plugin available that provides functionality to digitally sign each event-message that is generated by Snort, e.g. by using a machine certificate?

Not that I know of.

> Does anyone know of an IDS in the market that provides such functionality?

Again, not that I know of.

> I am asking because in my environment I will have to be able to prove that a certain event really originated from the sensor that sent it and has not been faked.
Interesting requirement. Presumably, you're assuming that the IDS sensor host itself has not been compromised; if it had been, the attacker could pick up the keys to create their own forged alerts there.

You're also apparently not interested in identifying forged alerts created by lobbing nasty-looking packets over the IDS's nose, where it'll pick 'em up, alert, sign the alert, and so forth.

So you're only interested in alerts injected into your alert-forwarding channel between the trusted IDS and the alert collection point. Since you're presuming a trusted IDS host, this should be very easy to arrange.

Create a logwatcher on the IDS host that picks up the alerts, signs 'em, and forwards 'em. This could be done with PGP. It could also be done with other apps, or custom code.

Create or find a replacement for syslog that secures the traffic between the IDS and the collection point. syslog-ng with TCP forwarding could be channeled over an ssh port forwarding or a stunnel SSL pipe.

Use straight syslog, and secure the channel. Use a dedicated separate physical network to forward the alerts. Or use a VPN, like CIPE or IPsec.

There are other choices, I'm sure.

-Bennett
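Bennett's first option, a log watcher on the sensor that tags each alert before forwarding and a collection point that checks it, as an added example (not code from the thread or from Snort). It assumes a keyed HMAC-SHA256 tag with a key shared between sensor and collector in place of the PGP signature he mentions (a MAC, not a public-key signature, so it cannot prove origin to a third party), and adds a per-sensor sequence number so a replayed, dropped or reordered alert is also noticed; the sensor id, key and alert lines are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample alerts in Snort "fast" alert style (not real sensor output).
SAMPLE_ALERTS = [
    '10/17-08:38:01.123456 [**] [1:1000001:1] TEST scan [**] {TCP} 10.0.0.5:4444 -> 10.0.0.9:80',
    '10/17-08:38:02.223456 [**] [1:1000002:1] TEST probe [**] {ICMP} 10.0.0.5 -> 10.0.0.9',
]


def sign_alert(key: bytes, sensor_id: str, seq: int, alert: str) -> str:
    """Sensor side: wrap one alert line with its sensor id and a sequence number,
    then append an HMAC-SHA256 tag computed over that whole record."""
    body = json.dumps({"sensor": sensor_id, "seq": seq, "alert": alert},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body} {tag}"  # the tag is hex, so the last space always splits body/tag


class Collector:
    """Collection point: verifies the tag and enforces a per-sensor sequence."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                      # sensor id -> shared key
        self.next_seq: Dict[str, int] = {}    # sensor id -> next expected seq

    def accept(self, wire: str) -> Tuple[str, Optional[dict]]:
        body, _, tag = wire.rpartition(" ")
        try:
            record = json.loads(body)
        except ValueError:
            return "malformed", None
        if not isinstance(record, dict) or not isinstance(record.get("seq"), int):
            return "malformed", None
        key = self.keys.get(record.get("sensor"))
        if key is None:
            return "unknown-sensor", None
        expected = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
        # Constant-time comparison on bytes so an odd tag cannot raise or leak timing.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-mac", None            # tampered with or forged in transit
        want = self.next_seq.get(record["sensor"], 0)
        if record["seq"] != want:
            return "seq-mismatch", None       # replayed, dropped or reordered
        self.next_seq[record["sensor"]] = want + 1
        return "ok", record
```

The sequence check only detects gaps and replays; it does not recover lost alerts, so a sequence mismatch should itself be logged as an event at the collection point.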