IDS mailing list archives

Re: self authentication for sensors in ids ?


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 12 Jan 2004 14:57:03 -0500

I'll answer inline for Snort.

On Jan 12, 2004, at 12:58 PM, Gaurav_Jindal wrote:

Hi,

I would like to know, specifically for Snort and Prelude IDS:

(1) Do these IDS use some authentication scheme to check the integrity
of the sensor code deployed on the application, host or machine?

We have md5 hashes and PGP signatures for the Snort tarball distro and md5 hashes for most everything else in the downloads section of snort.org. If you want to make sure a runtime binary is unmodified, I'd probably recommend AIDE or Tripwire.

(2) Are self-authentication schemes like the md5 algorithm used, or are
these algorithms used for the integrity of the sensor code?

We just give you an integrity check for the tarball.

(3) What are the probable chances of failure of the above conditions,
putting sensors or the IDS in the hands of an attacker?

Not sure I understand this one; if the sensor falls into an attacker's hands the sensor can be made to report anything (or nothing).

(4) If the source code for Snort or Prelude has these features, what
part of the code should I follow specifically to get my answers?
(5) Also, please suggest any future directions.

AIDE seems to be well constructed to perform integrity checking of the runtime binary. Snort is monolithic, so the only way to change the running process (short of patching memory) is to do a restart, which will be reported in syslog.

    -Marty


Thanking you,
With Regards,
Gaurav Jindal


"Read, every day, something no one else is reading. Think, every day,
something no one else is thinking. Do, every day, something no one else
would be silly enough to do. It is bad for the mind to continually be
part of unanimity."
                   - Christopher Morley

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
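Marty's pointer to AIDE/Tripwire for checking the runtime binary, reduced to a runnable sketch as an added example (this is not code from the thread, from Snort, AIDE or Tripwire); the sensor directory layout and file names are constructed stand-ins:

```python
"""Minimal file-integrity baseline/compare in the spirit of AIDE/Tripwire.
Hypothetical example, not Snort, AIDE or Tripwire code: hash every regular
file under a directory, keep the digests as a baseline, and on a later run
report added, removed and modified files. Keep a real baseline on read-only
or off-host storage so whoever owns the sensor cannot rewrite it as well.
"""
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a fake sensor tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        sensor = workdir / "sensor"
        sensor.mkdir()
        (sensor / "snort").write_bytes(b"\x7fELF original")   # constructed stand-in
        (sensor / "snort.conf").write_text("var HOME_NET any\n")
        (workdir / "baseline.json").write_text(json.dumps(build_baseline(sensor)))
        (sensor / "snort").write_bytes(b"\x7fELF modified")   # binary replaced
        (sensor / "snort.conf").unlink()                      # config removed
        (sensor / "local.rules").write_text("# new file\n")   # file added
        saved = json.loads((workdir / "baseline.json").read_text())
        return compare(saved, build_baseline(sensor))

if __name__ == "__main__":
    print(demo())
```

Running it reports the replaced binary as modified, the removed config and the added rules file; a scheduled comparison plus watching syslog for the restart Marty mentions covers both the on-disk and the running-process side.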
