[Snort-devel] Inter-Sensor Communication? (long)

Frank Knobbe FKnobbe at ...339...
Fri May 18 22:34:49 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: agetchel at ...358... [mailto:agetchel at ...358...]
> Sent: Friday, May 18, 2001 9:15 PM
> 
> [...] Anywho, wouldn't it be cool if a 
> Snort network
> sensor could talk to another Snort network sensor over some form of
> encrypted/authenticated control channel?

If anyone is interested, I just completed a library of Twofish
encryption routines that will be used by a snort plug-in I'm working
on. The library was purposely written in such a way that other
plug-ins can make use of them. The library is currently being tested
for compatibility across different endian systems.

> [...] This kind of smells like an IDS automatically changing your
> firewall policy, but unless you're doing some kind of active policy
> enforcement, it would remain completely passive and not 
> interfere with any
> traffic, it would just log it.  Thoughts?

My plug-in will do just that, reconfigure Checkpoint firewalls (by
use of SAM) to block offenders. The plug-in is actually a hybrid of
normal plug-in and output plug-in. That means it's configured just
like an output plug-in, but you can specify options on a per rule
basis.

I think what you envision is a plug-in that can reconfigure snort
rules to add something like 'alert $SUSPECT -> $HOMENET ...'. It
shouldn't be difficult to add lines in a suspectlog.conf file and
restart the snort sensor. This is basically extending the dynamic
rules across sensors. Nice idea actually...

Regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOwXbwJytSsEygtEFEQKwDACgsdM/NYg9oqAvm1VbYdJgNuOQNr8An0nH
hseKtCWbjZEx0mcHCPCszgd9
=xU5x
-----END PGP SIGNATURE-----
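Added example, not code from the post, from Frank Knobbe's plug-in, or from Snort itself: one way to build the `suspectlog.conf` file the message sketches, turning alerts received from a peer sensor into `alert ... -> $HOME_NET` rules. The alert lines are constructed for the example and assume Snort's "fast" log format; the never-block networks, the sid range and the rule wording are assumptions. The never-block check is there because source addresses in alerts can be spoofed, so a peer that blindly forwards them can be used to make you blacklist your own hosts.

```python
"""Merge suspect hosts reported by a peer sensor into a Snort rule file.

Example code written for this page; it is not part of Snort or of the
plug-in described in the post.
"""
import ipaddress
import re

# Assumption: alerts arrive in Snort's "fast" log format, whose tail is
# "<src>:<sport> -> <dst>:<dport>". Only the two addresses are needed here.
ALERT_ADDRS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):\d+")

# Matches the rule lines this script itself emits, so reruns stay idempotent.
SUSPECT_RULE = re.compile(r"^alert ip (\S+) any -> \$HOME_NET any \(.*?sid:(\d+);", re.M)

# Assumption: hosts a peer sensor must never be allowed to add as suspects
# (our own nets, the gateway). Alert source addresses can be spoofed, so a
# never-block list is the minimum guard against someone poisoning the list.
NEVER_BLOCK = [ipaddress.ip_network("192.168.1.0/24"),
               ipaddress.ip_network("10.0.0.1/32")]

SID_BASE = 1000000  # assumption: local sid range reserved for generated rules

# Constructed sample input (not real logs): two external sources, one of them
# repeated, one internal source that must be ignored, and one noise line.
SAMPLE_ALERTS = [
    "05/18-21:15:03.100 [**] [1:2001:1] SCAN probe [**] {TCP} 203.0.113.9:4444 -> 192.168.1.5:80",
    "05/18-21:15:04.200 [**] [1:2001:1] SCAN probe [**] {TCP} 203.0.113.9:4445 -> 192.168.1.5:443",
    "05/18-21:16:10.300 [**] [1:2002:1] WEB-MISC probe [**] {TCP} 203.0.113.44:51000 -> 192.168.1.6:80",
    "05/18-21:17:00.400 [**] [1:2003:1] LAN noise [**] {UDP} 192.168.1.7:137 -> 192.168.1.5:137",
    "05/18-21:17:30.500 [**] [1:2004:1] no addresses on this line [**]",
]

# Constructed: a suspectlog.conf that already holds one rule from an earlier run.
EXISTING_CONF = (
    "# suspectlog.conf: rules learned from peer sensors\n"
    'alert ip 198.51.100.23 any -> $HOME_NET any (msg:"suspect host 198.51.100.23"; sid:1000001; rev:1;)\n'
)


def suspects_from_alerts(lines):
    """Unique external source addresses, in first-seen order."""
    seen, out = set(), []
    for line in lines:
        m = ALERT_ADDRS.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        if any(src in net for net in NEVER_BLOCK):
            continue  # never let a peer make us blacklist our own hosts
        if str(src) not in seen:
            seen.add(str(src))
            out.append(str(src))
    return out


def existing_rules(conf_text):
    """Map of suspect address -> sid already present in the conf."""
    return {ip: int(sid) for ip, sid in SUSPECT_RULE.findall(conf_text)}


def render_rule(ip, sid):
    return (f'alert ip {ip} any -> $HOME_NET any '
            f'(msg:"suspect host {ip} reported by peer sensor"; sid:{sid}; rev:1;)')


def merge_suspectlog(conf_text, alert_lines):
    """Return (updated conf text, list of newly added addresses).

    Existing rules are kept, duplicates are skipped and new rules get
    sids above the highest one already in the file.
    """
    present = existing_rules(conf_text)
    next_sid = max(present.values(), default=SID_BASE) + 1
    added, new_lines = [], []
    for ip in suspects_from_alerts(alert_lines):
        if ip in present:
            continue
        new_lines.append(render_rule(ip, next_sid))
        present[ip] = next_sid
        next_sid += 1
        added.append(ip)
    merged = conf_text.rstrip("\n") + "\n" + "\n".join(new_lines) + ("\n" if new_lines else "")
    return merged, added


if __name__ == "__main__":
    text, added = merge_suspectlog(EXISTING_CONF, SAMPLE_ALERTS)
    print(text)
    print("added:", added)
```

The generated file is meant to be pulled into the sensor's configuration with an `include suspectlog.conf` line in `snort.conf`; as the post notes, the sensor still has to be restarted (or told to re-read its rules) before the new lines take effect, and because the rules only alert, a spoofed address poisoning the list costs you noise rather than blocked traffic.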