[Snort-devel] Inter-Sensor Communication? (long)

Frank Knobbe FKnobbe at ...339...
Fri May 18 22:34:49 EDT 2001

Hash: SHA1

> -----Original Message-----
> From: agetchel at ...358... [mailto:agetchel at ...358...]
> Sent: Friday, May 18, 2001 9:15 PM
> [...] Anywho, wouldn't it be cool if a 
> Snort network
> sensor could talk to another Snort network sensor over some form of
> encrypted/authenticated control channel?

If anyone is interested, I just completed a library of TwoFish
encryption routines that will be used by a snort plug-in I'm working
on. The library was purposely written in such a way that other
plug-ins can make use of them. The library is currently being tested
for compatibility across different endian systems.

> [...] This kind of smell's like an IDS automatically changing your
> firewall policy, but unless you're doing some kind of active policy
> enforcement, it would remain completely passive and not 
> interfere with any
> traffic, it would just log it.  Thoughts?

My plug-in will do just that, reconfigure Checkpoint firewalls (by
use of SAM) to block offenders. The plug-in is actually a hybrid of
normal plug-in and output plug-in. That means it's configured just
like an output plug-in, but you can specify options on a per rule

I think what you envision is a plug-in that can reconfigure snort
rules to add something like 'alert $SUSPECT -> $HOMENET ...'. It
shouldn't be difficult to add lines in a suspectlog.conf file and
restart the snort sensor. This is basically extending the dynamic
rules across sensors. Nice idea actually...


Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.


More information about the Snort-devel mailing list