[Snort-devel] Inter-Sensor Communication? (long)

agetchel at ...358... agetchel at ...358...
Fri May 18 22:15:16 EDT 2001

Hi all,

Something occurred to me while I was listening to Marty's presentation here
at the SANS conference in Baltimore... which, by the way, was excellent in
case you're thinking about attending one.  This was my second, and they keep
getting better every time.  Anywho, wouldn't it be cool if a Snort network
sensor could talk to another Snort network sensor over some form of
encrypted/authenticated control channel?

For instance, the Snort network sensor you have monitoring your Internet
connection alerts you to the fact that someone has launched a statd buffer
overflow attack against an unfamiliar IP address within your internal
network.  You track down the machine that has this IP address, and you find
that one of your infrastructure guys has put up an unauthorized Linux server
on your network.  Damn infrastructure guys. =)  You find, after tossing the
box, that the attack was successful because the 'admin' didn't patch the
system.  You go back to your Snort box and find that it has successfully
tagged the session and activated the set of rules you told it too when it
detects a statd attack.  You have the start of the audit trail you need, but
the hacker had covered his tracks well.  You find, after doing some forensic
work on the compromised host, that he seemed to have created himself an
account on the box and SSH'd into it after it's compromise.  You can't rely
on your Internet Snort network sensors logs to tell you everything now,
because you can't see the payload of his packets... they're encrypted.
However, you also find that the network sensor which detected this attack
originally, has told your other Snort network sensors you have within your
internal network monitoring your remote office too log all traffic going to
and coming from the machine which the statd attack was launched against.
You find that this person has bounced all over your internal network after
the Linux servers compromise.  Now your audit trail is somewhat more

This is just a simple example of what this kind of functionality could
provide the intrusion detection analyst.  Anyone else think that this
inter-sensor communication feature would be useful?  Wouldn't it truly make
Snort an Intrusion Detection System instead of an Intrusion Detection
Sensor?  This kind of smell's like an IDS automatically changing your
firewall policy, but unless you're doing some kind of active policy
enforcement, it would remain completely passive and not interfere with any
traffic, it would just log it.  Thoughts?


Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/

More information about the Snort-devel mailing list