[Snort-devel] Inter-Sensor Communication? (long)

Frank Knobbe FKnobbe at ...339...
Sat May 19 13:26:08 EDT 2001


> -----Original Message-----
> From: agetchel at ...358... [mailto:agetchel at ...358...]
> Sent: Saturday, May 19, 2001 12:46 AM
> 	Looks like the encryption portion is taken care of. =D  What
> authentication schemes do you think would be appropriate for 
> an inter-sensor
> communication system?  I shy away from the idea of simple 
> source IP address
> authentication.  This can easily be defeated by spoofing.  

Well, in case of my plug-in, the receiver sitting on the FW-1
management station has a list of authorized IP addresses and will
discard packets from sensors not in that list. Spoofing is an issue,
but since the packets are symmetrically encrypted, the shared key is
one part of authentication. The packets also have an internal
sequence number system.

However, should a snort sensor get compromised and the key be known,
the attacker would be able to send spoofed packets. But if your IDS
gets compromised in the first place, the game is over anyway.

> 	While this idea scares the hell out of me for everyday 
> general use,
> it's a feature that's _very_ nice to have during times of 
> heavy targeted
> attacks.  All it takes is one hacker launching a multi-pronged
> attack against your network with his source address spoofed as 
> various root DNS
> servers to make your day turn sour. 

Arghhh... that's always the same argument that comes up. Here the
a) Not all rules fire, only the ones you configure.
b) The receiver on the FW-1 mgmt station has a white-list of IP's
that never get blocked.
c) The receiver also has a time-period-override that will assign
certain hosts a default time for blocking (i.e. the rule specifies that
the intruder be blocked for an hour, but if the IP is in an override
list, it will use that time, for example 5 minutes). Very useful for
listing proxy servers. You might want to block a modem dial-up for
an hour, but AOL proxy servers [and with that all AOL users] only for
5 minutes.
d) The receiver has an attack threshold. If more than x blocking
requests are received in z seconds, it will roll back the last y
blocked IP's.
e) You can specify how traffic is blocked (only incoming packets from
that IP, outgoing packets to that IP, both directions, or only that
one particular connection that fired the rule (src/dest:port)).

> 	Exactly!  The ability to use dynamic sigs and session 
> tagging across
> multiple network sensors.  Well, I guess I'm really going to 
> have to brush
> up on my C coding now, that's the second feature I've wanted 
> to see added to
> Snort that I've received positive feedback about. =)

Go for it. That's what makes snort so great. You have 10000 minds
coming up with cool (and useful) stuff. I'm not aware of any other
IDS that has this breadth of programming talent and features.


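The receiver-side safeguards listed in points a) through e) above, written out as a small policy model. This is an added example, not the plug-in's code or anything from the Snort project; the class and method names, the scope labels, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
from collections import deque

# (e): block inbound from the IP, outbound to it, both directions, or one connection
SCOPES = ("src", "dst", "both", "conn")

class BlockReceiver:
    """Model of a blocking-request receiver with whitelist, overrides and threshold (assumed design)."""

    def __init__(self, sensors, whitelist, overrides, threshold, window, rollback):
        self.sensors = set(sensors)        # sensors allowed to submit requests; others are discarded
        self.whitelist = set(whitelist)    # (b): addresses that are never blocked
        self.overrides = dict(overrides)   # (c): ip -> block time that replaces the rule's time
        self.threshold = threshold         # (d): more than x requests ...
        self.window = window               #      ... within z seconds ...
        self.rollback = rollback           #      ... rolls back the last y blocks
        self.recent = deque()              # arrival times of accepted requests inside the window
        self.active = []                   # (ip, scope, seconds, t) in arrival order

    def handle(self, sensor, ip, seconds, scope, t):
        """Apply one blocking request arriving at time t; return a verdict string."""
        if sensor not in self.sensors:
            return "discarded"             # unknown or spoofed sender address
        if ip in self.whitelist:
            return "whitelisted"
        if scope not in SCOPES:
            return "bad scope"
        seconds = self.overrides.get(ip, seconds)
        while self.recent and t - self.recent[0] > self.window:
            self.recent.popleft()          # forget requests older than the window
        self.recent.append(t)
        if len(self.recent) > self.threshold:
            cut = max(len(self.active) - self.rollback, 0)
            undone = [b[0] for b in self.active[cut:]]
            del self.active[cut:]
            self.recent.clear()            # start a fresh window after the rollback
            return "rolled back " + ",".join(undone)
        self.active.append((ip, scope, seconds, t))
        return f"blocked {ip} {scope} {seconds}s"

    def blocked(self):
        """Addresses currently blocked, oldest first."""
        return [b[0] for b in self.active]

if __name__ == "__main__":
    # constructed sample: one authorized sensor, one whitelisted host, one proxy with a 5-minute override
    r = BlockReceiver(["10.0.0.5"], ["203.0.113.1"], {"203.0.113.9": 300}, 3, 10, 2)
    for req in [("192.0.2.99", "198.51.100.1", "src", 0), ("10.0.0.5", "203.0.113.9", "src", 1),
                ("10.0.0.5", "198.51.100.2", "both", 2), ("10.0.0.5", "198.51.100.3", "conn", 3),
                ("10.0.0.5", "198.51.100.4", "src", 4)]:
        print(r.handle(req[0], req[1], 3600, req[2], req[3]))
```

The last request in the demo trips the threshold (four requests in a ten-second window with x=3), so the two most recent blocks are undone while the earlier one stays in place.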

