Re: digitally sign event data by sensor

[Bennett Todd <bet () rahul net>]

2002-10-17-10:34:58 counter.spy () gmx de:
> Is there any plugin available that provides functionality to digitally sign
> each event-message that is generated by snort e.g. by using a machine
> certificate?

Not that I know of.

> Does anyone know of an IDS in the market that provides such functionality?

Again, not that I know of.

> I am asking because in my environment I will have to be able to prove that a
> certain event really originated from the sensor that sent it and has not
> been faked.

Interesting requirement. Presumably, you're assuming that the IDS
sensor host itself has not been compromised; if it had been the
attacker could pick up the keys to create their own forged alerts
there.

You're also apparently not interested in identifying forged alerts
created by lobbing nasty looking packets over the IDSes nose, where
it'll pick 'em up, alert, sign the alert, and so forth.

So you're only interested in alerts injected into your
alert-forwarding channel between the trusted IDS and the alert
collection point.

Since you're presuming a trusted IDS host, this should be very easy
to arrange.

Create a logwatcher on the IDS host that picks up the alerts, signs
'em, and forwards 'em. This could be done with PGP. It could also be
done with other apps, or custom code.

Create or find a replacement for syslog that secures the traffic
between the IDS and the collection point. syslog-ng with tcp
forwarding could be channeled over an ssh port forwarding or a
stunnel SSL pipe.

Use straight syslog, and secure the channel. Use a dedicated
separate physical network to forward the alerts. Or use a VPN, like
CIPE or IPSec.

There are other choices, I'm sure.

-Bennett

Attachment: _bin
Description: