IDS mailing list archives

Re: self authentication for sensors in ids ?


From: Yoann Vandoorselaere <yoann () prelude-ids org>
Date: Tue, 13 Jan 2004 08:18:30 +0000

On Mon, 2004-01-12 at 17:58, Gaurav_Jindal wrote:
Hi,

Hi,

I would like to know specific for snort, prelude ids is

Here are the answers for Prelude,

(1) Do these IDS use some authentication scheme to check the integrity
of sensor code deployed on the application, host or machine?

Each release of the Prelude components comes with its set of MD5 hashes
and a PGP signature, making it possible for the user to check tarball
integrity.

Martin Roesch's answer about runtime checks to verify whether a binary
was modified still applies, though there are 2 things in Prelude that
might already tell you that something bad is going on:

- If a sensor is stopped or restarted, the administrators will notice it
because of the heartbeat sent by the sensors, which should normally come
to the Manager at regular intervals.

- I'm thinking about including a self MD5 of the binary within the
heartbeat, which would also be helpful for this task.

(2) Are self authentication schemes like the MD5 algorithm, or these
algorithms, used for integrity of sensor code?

We don't, but that could be an interesting feature.

(3) What are the probable chances of failure of the above conditions
putting sensors or IDS in the hands of an attacker?

Without him being detected? They seem pretty small to me... Even if
there is no concrete alert about the sensor binary being modified (read
answer #5), you should be able to know that something happened through
heartbeat monitoring.

(4) If the source code for snort or prelude has these features, what
part of the code should I follow specifically to have my answers?

IDMEF message generation code API within libprelude; plus usage of this
API in different sensors, as well as reception of IDMEF message within
prelude-manager.

(5) Also please suggest any future directions.

If you decide to use a third party software for checking machine/IDS
integrity, you can look at making this application Prelude aware as
well. Reporting from this application will then go directly to the
Prelude centralized alert system.


Regards,

-- 
Yoann Vandoorselaere <yoann () prelude-ids org>
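The two detection ideas in the reply above, heartbeat timing and a self MD5 carried in the heartbeat, as an added example that is not Prelude's own code: a sensor-side self-hash helper and a manager-side check over constructed heartbeat records. The sensor names, interval, tolerance and digests are assumptions made up for the example.

```python
import hashlib
import sys

# Constructed values for this example; real deployments configure their own.
HEARTBEAT_INTERVAL = 600  # seconds between heartbeats a sensor is expected to send
MISSED_TOLERANCE = 2      # alert once this many intervals pass with no heartbeat


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def self_md5(path: str = sys.argv[0]) -> str:
    """Digest of the program's own file, as a sensor could embed in its heartbeat."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_heartbeats(heartbeats, baseline, now,
                     interval=HEARTBEAT_INTERVAL, tolerance=MISSED_TOLERANCE):
    """Manager-side check. heartbeats: (sensor, timestamp, md5) tuples;
    baseline: sensor -> digest recorded at deployment. Returns (sensor, reason) alerts."""
    alerts, last_seen, hash_reported = [], {}, set()
    for sensor, ts, digest in sorted(heartbeats, key=lambda hb: hb[1]):
        if digest != baseline.get(sensor) and sensor not in hash_reported:
            alerts.append((sensor, f"binary hash changed at {ts}: {digest}"))
            hash_reported.add(sensor)  # report a changed binary once, not per heartbeat
        last_seen[sensor] = ts
    for sensor in baseline:
        ts = last_seen.get(sensor)
        if ts is None:
            alerts.append((sensor, "no heartbeat received"))
        elif now - ts > interval * tolerance:
            alerts.append((sensor, f"last heartbeat {now - ts}s ago"))
    return alerts


# Constructed sample: three sensors, one silent, one whose reported digest changes.
BASELINE = {"snort-dmz": "a" * 32, "prelude-lml": "b" * 32, "nids-lan": "c" * 32}
NOW = 10000
SAMPLE_HEARTBEATS = [
    ("snort-dmz", 8800, "a" * 32), ("snort-dmz", 9400, "a" * 32), ("snort-dmz", 10000, "a" * 32),
    ("prelude-lml", 7000, "b" * 32), ("prelude-lml", 7600, "d" * 32), ("prelude-lml", 8200, "d" * 32),
]

if __name__ == "__main__":
    print("own digest:", self_md5())
    for sensor, reason in check_heartbeats(SAMPLE_HEARTBEATS, BASELINE, NOW):
        print(f"ALERT {sensor}: {reason}")
```

A self-reported digest only catches naive modification, since a tampered sensor can keep reporting the original value; the baseline kept on the manager and the heartbeat timing are the parts the sensor side does not control.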

