[Snort-devel] Inter-Sensor Communication? (long)

agetchel at ...358...
Sat May 19 01:45:46 EDT 2001


> If anyone is interested, I just completed a library of TwoFish
> encryption routines that will be used by a snort plug-in I'm working
> on. The library was purposely written in such a way that other
> plug-ins can make use of them. The library is currently being tested
> for compatibility across different endian systems.

	Looks like the encryption portion is taken care of. =D  What
authentication schemes do you think would be appropriate for an inter-sensor
communication system?  I shy away from the idea of simple source IP address
authentication.  This can easily be defeated by spoofing.  Especially if
the intruder has already penetrated the perimeter and has access to internal
systems where he can bypass any ingress filters on the border
router/security device(s).  Hrm, I'll have to give this one some thought.

> My plug-in will do just that, reconfigure Checkpoint firewalls (by
> use of SAM) to block offenders. The plug-in is actually a hybrid of
> normal plug-in and output plug-in. That means it's configured just
> like an output plug-in, but you can specify options on a per rule
> basis.

	While this idea scares the hell out of me for everyday general use,
it's a feature that's _very_ nice to have during times of heavy targeted
attacks.  All it takes is one hacker launching a multi-pronged attack
against your network with his source address spoofed as various root DNS
servers to make your day turn sour.  Watching your network become invisible
to the outside world as its communication is cut off (indirectly through
the form of name resolution denial) is not a fun thing to watch.
Personally, I prefer the idea of denying access on a per-session basis (ala
flex response) instead of a source address block (ala firewall policy
change).  However, like I said above, this is going to be a nice feature to
have during times of heavy targeted attacks.  Very cool.

> I think what you envision is a plug-in that can reconfigure snort
> rules to add something like 'alert $SUSPECT -> $HOMENET ...'. It
> shouldn't be difficult to add lines in a suspectlog.conf file and
> restart the snort sensor. This is basically extending the dynamic
> rules across sensors. Nice idea actually...

	Exactly!  The ability to use dynamic sigs and session tagging across
multiple network sensors.  Well, I guess I'm really going to have to brush
up on my C coding now, that's the second feature I've wanted to see added to
Snort that I've received positive feedback about. =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/
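Added example, not code from this thread or from Snort: one way to authenticate an inter-sensor rule update (the 'alert $SUSPECT -> $HOMENET ...' idea above) with a shared key and a sequence number instead of trusting the sender's source address. The shared key, the message layout and the sample rule text are constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed shared key for this example; real sensors would be provisioned out of band.
SHARED_KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32  # HMAC-SHA256 digest length


def pack_update(seq: int, rule: str, key: bytes = SHARED_KEY) -> bytes:
    """Build one update: 8-byte big-endian seq || rule text || HMAC-SHA256(key, seq||rule)."""
    body = struct.pack(">Q", seq) + rule.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Sensor side: accepts an update only if the MAC verifies and seq is fresh."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1      # highest sequence number accepted so far
        self.rules = []         # rules this sensor has loaded from peers

    def accept(self, msg: bytes, source_ip: str) -> bool:
        # source_ip is recorded for logging only; it is never part of the trust decision,
        # because a host inside the perimeter can spoof it.
        if len(msg) < 8 + TAG_LEN:
            return False
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False    # forged or tampered update, whatever address it came from
        seq = struct.unpack(">Q", body[:8])[0]
        if seq <= self.last_seq:
            return False    # replay of an update already applied
        self.last_seq = seq
        self.rules.append(body[8:].decode())
        return True


if __name__ == "__main__":
    r = Receiver()
    msg = pack_update(1, 'alert tcp $SUSPECT any -> $HOMENET any (msg:"suspect host";)')
    print(r.accept(msg, "192.0.2.10"))   # True: valid MAC, fresh seq
    print(r.accept(msg, "192.0.2.10"))   # False: replay
```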
