[Snort-devel] Inter-Sensor Communication? (long)

agetchel at ...358... agetchel at ...358...
Sun May 20 03:08:56 EDT 2001


> Well, in case of my plug-in, the receiver sitting on the FW-1
> management station has a list of authorized IP addresses and will
> discard packets from sensors not in that list. Spoofing is an issue,
> but since the packets are symmetrically encrypted, the shared key is
> one part of authentication. The packets also have an internal
> sequence number system.

	What mechanism are you using for key exchange?  Preshared?  IKE?

> However, should a snort sensor get compromised and the key be known,
> the attacker would be able to send spoofed packets. But if your IDS
> gets compromised in the first place, the game is over anyway.

	True, true...

> a) Not all rules fire, only the ones you configure.

	This I assumed.  I imagine it to be much like the configuration
option for flex response, but it tells your sensor to direct your firewall
to block a certain source IP address.  Is the ability there to tell it to
block, say, the class C which the IP address is located in?

> b) The receiver on the FW-1 mgmt station has a white-list of IP's
> that never get blocked.

	That pretty much takes care of any concerns I had. =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/
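
The receiver-side checks discussed in this message (authorized-sensor list, shared-key authentication, sequence numbers, never-block list, and the class C question), as an added example that is not part of the original post or the plug-in's code. It assumes a hypothetical packet layout and uses an HMAC-SHA256 tag from the Python standard library in place of the symmetric encryption the thread describes; all names, addresses and the key are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

SHARED_KEY = b"constructed-demo-key"   # constructed; assumed preshared out of band
SENSORS = {"10.0.0.5"}                 # constructed list of authorized sensor IPs
NEVER_BLOCK = [ipaddress.ip_network(n)  # constructed never-block list
               for n in ("198.51.100.1/32", "203.0.113.0/24")]


def build_request(key, seq, target):
    """Sensor side (hypothetical layout): 8-byte sequence number,
    target network as text, then a 32-byte HMAC-SHA256 tag."""
    body = struct.pack("!Q", seq) + target.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key, sensors, never_block):
        self.key, self.sensors, self.never_block = key, sensors, never_block
        self.last_seq = {}  # highest sequence number accepted per sensor

    def handle(self, src_ip, packet):
        """Return (accepted, network_or_reason) for one block request."""
        if src_ip not in self.sensors:
            return False, "unauthorized sensor"
        if len(packet) < 8 + 32:
            return False, "malformed"
        body, tag = packet[:-32], packet[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return False, "bad tag"
        (seq,) = struct.unpack("!Q", body[:8])
        if seq <= self.last_seq.get(src_ip, -1):
            return False, "replayed or stale sequence number"
        self.last_seq[src_ip] = seq  # advance only after authentication
        try:
            # strict=False turns "a.b.c.d/24" into the enclosing network
            net = ipaddress.ip_network(body[8:].decode(), strict=False)
        except (ValueError, UnicodeDecodeError):
            return False, "bad target"
        # A wider block (e.g. a whole /24) must not swallow a protected host.
        if any(net.overlaps(safe) for safe in self.never_block):
            return False, "overlaps never-block list"
        return True, str(net)
```

The overlap test is what makes a class C block safe to offer: a request for the /24 around an offending address is refused when that /24 contains a never-block entry.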



