IDS mailing list archives
Re: self authentication for sensors in ids ?
From: Yoann Vandoorselaere <yoann () prelude-ids org>
Date: Tue, 13 Jan 2004 08:18:30 +0000
On Mon, 2004-01-12 at 17:58, Gaurav_Jindal wrote:
> Hi,

Hi,

> I would like to know, specifically for snort and prelude ids:

Here are the answers for Prelude:

> (1) Do these IDS use some authentication scheme to check the integrity of the sensor code deployed on the application, host or machine?

Each release of the Prelude components comes with its set of MD5 hashes and PGP signature, making it possible for the user to check tarball integrity. Martin Roesch's answer about runtime checks to verify that a binary was not modified still applies, though there are 2 things in Prelude that might already tell you that something bad is going on:

- If a sensor is stopped or restarted, the administrators will notice it because of the heartbeat sent by the sensors, which should normally arrive at the Manager at regular intervals.
- I'm thinking about including a self MD5 of the binary within the heartbeat, which would also be helpful for this task.

> (2) Are self-authentication schemes like the md5 algorithm used, or are these algorithms used for the integrity of the sensor code?

We don't, but that could be an interesting feature.

> (3) What are the probable chances of failure of the above conditions putting sensors or IDS in the hands of an attacker?

Without him being detected? They seem pretty small to me... Even if there is no concrete alert about the sensor binary being modified (read the #5 answer), you should be able to know that something happened through heartbeat monitoring.

> (4) If the source code for snort or prelude has these features, what part of the code should I follow specifically to get my answers?

The IDMEF message generation API within libprelude, plus the usage of this API in the different sensors, as well as the reception of IDMEF messages within prelude-manager.

> (5) Also, please suggest any future directions.

If you decide to use third-party software for checking machine/IDS integrity, you can look at making this application Prelude aware as well. Reporting from this application will then go directly to the Prelude centralized alert system.

Regards,

-- 
Yoann Vandoorselaere <yoann () prelude-ids org>
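A manager-side check for the two signals the reply describes (a sensor whose heartbeats stop arriving, and a self-reported binary digest that no longer matches the one recorded at deployment), written here as an added Python example rather than Prelude's own code; the heartbeat field names, the 60-second interval and the two sample sensors are assumptions.

```python
import hashlib

# Assumed heartbeat schedule: one beat per minute, alert after one missed beat.
EXPECTED_INTERVAL = 60
GRACE = 2 * EXPECTED_INTERVAL


def binary_digest(content: bytes) -> str:
    """Hex MD5 of the sensor binary contents (the algorithm named in the mail)."""
    return hashlib.md5(content).hexdigest()


def check_heartbeats(heartbeats, baseline, now):
    """Return sorted (sensor, reason) findings for a batch of heartbeats.

    heartbeats: list of dicts {sensor, sent, digest} as received by the manager
    baseline:   dict sensor -> digest recorded when the sensor was deployed
    now:        current epoch time on the manager
    """
    findings = set()
    last_seen = {}
    for hb in heartbeats:
        name = hb["sensor"]
        last_seen[name] = max(last_seen.get(name, 0), hb["sent"])
        if name not in baseline:
            findings.add((name, "unknown sensor"))
        elif hb["digest"] != baseline[name]:
            findings.add((name, "binary digest changed"))
    # A deployed sensor that has gone quiet is reported even without any beat.
    for name in baseline:
        seen = last_seen.get(name)
        if seen is None or now - seen > GRACE:
            findings.add((name, "heartbeat missing"))
    return sorted(findings)


# Constructed sample: "web01" keeps reporting its deployment-time digest;
# "db01" reports a different digest and then falls silent.
GOOD_BIN = b"prelude-sensor-v0.9"          # stand-in for the deployed binary
TAMPERED_BIN = b"prelude-sensor-v0.9+patch"  # stand-in for a modified binary
BASELINE = {"web01": binary_digest(GOOD_BIN), "db01": binary_digest(GOOD_BIN)}
NOW = 10_000
SAMPLE_HEARTBEATS = [
    {"sensor": "web01", "sent": NOW - 30, "digest": binary_digest(GOOD_BIN)},
    {"sensor": "db01", "sent": NOW - 500, "digest": binary_digest(TAMPERED_BIN)},
]

if __name__ == "__main__":
    for sensor, reason in check_heartbeats(SAMPLE_HEARTBEATS, BASELINE, NOW):
        print(f"ALERT {sensor}: {reason}")
```

A digest the sensor computes over itself is only as trustworthy as the process reporting it, so this check complements rather than replaces the signed-tarball verification mentioned in the reply.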