Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: digitally sign event data by sensor

From: "Ben Tetu-Pappas" <ben () finaplex com>
Date: Thu, 17 Oct 2002 08:59:10 -0700
Symantec ManHunt
has snort plugins too.
It uses a java i-button to digitally sign logs. And then the logs are
FIPS compliant (which is supposed to make it easier to use them as
evidence in a court case).

-----Original Message-----
From: Bennett Todd [mailto:bet () rahul net]
Sent: Thursday, October 17, 2002 8:38 AM
To: counter.spy () gmx de
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] digitally sign event data by sensor


2002-10-17-10:34:58 counter.spy () gmx de:

Is there any plugin available that provides functionality to digitally

sign

each event-message that is generated by snort e.g. by using a machine
certificate?


Not that I know of.


Does anyone know of an IDS in the market that provides such

functionality?

Again, not that I know of.


I am asking because in my environment I will have to be able to prove

that a

certain event really originated from the sensor that sent it and has

not

been faked.


Interesting requirement. Presumably, you're assuming that the IDS
sensor host itself has not been compromised; if it had been the
attacker could pick up the keys to create their own forged alerts
there.

You're also apparently not interested in identifying forged alerts
created by lobbing nasty looking packets over the IDSes nose, where
it'll pick 'em up, alert, sign the alert, and so forth.

So you're only interested in alerts injected into your
alert-forwarding channel between the trusted IDS and the alert
collection point.

Since you're presuming a trusted IDS host, this should be very easy
to arrange.

Create a logwatcher on the IDS host that picks up the alerts, signs
'em, and forwards 'em. This could be done with PGP. It could also be
done with other apps, or custom code.

Create or find a replacement for syslog that secures the traffic
between the IDS and the collection point. syslog-ng with tcp
forwarding could be channeled over an ssh port forwarding or a
stunnel SSL pipe.

Use straight syslog, and secure the channel. Use a dedicated
separate physical network to forward the alerts. Or use a VPN, like
CIPE or IPSec.

There are other choices, I'm sure.

-Bennett


-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: