[Snort-devel] Inter-Sensor Communication? (long)

Frank Knobbe FKnobbe at ...339...
Sun May 20 13:27:27 EDT 2001

> -----Original Message-----
> From: agetchel at ...358... [mailto:agetchel at ...358...]
> Sent: Sunday, May 20, 2001 2:09 AM
> > Well, in case of my plug-in, the receiver sitting on the FW-1
> > management station has a list of authorized IP addresses and will
> > discard packets from sensors not in that list. Spoofing is an
> > issue, but since the packets are symmetrically encrypted, the
> > shared key is one part of authentication. The packets also have
> > an internal sequence number system.
> 	What mechanism are you using for key exchange?  Preshared?  IKE?


It's a preshared key that has to be the same on the snort sensor and
on the firewall module. However (and I forgot to mention that
earlier), during the first communication (when the snort starts up)
and after a defined time interval, the keys automatically change.
It's just a cheap key alteration mechanism (basically 'new' =
'SeqNo of snort' + 'SeqNo of firewall' + 'old key'), but since the
initial sequence numbers are random, and the new key does not get
transmitted over the wire, this should suffice. Given the (hopefully)
rare occurrence of these packets, which are also salted, the risk of
brute force should be low. (Besides, spoofed packets or packets with
invalid seqno's will trigger a re-sync, which requires a two-way
communication to the sensor. So if someone were to sniff the
fw->sensor packets and spoof sensor->fw packets, you would see an
increase in sync attempts, a sign that something is up. [Note to self:
lock out unsyncable sensors...])

> > a) Not all rules fire, only the ones you configure.
> 	This I assumed.  I imagine it to be much like the configuration
> option for flex response, but it tells your sensor to direct your
> firewall to block a certain source IP address.  Is the ability there
> to tell it to block, say, the class C which the IP address is located in?

No, but it can easily be added on the firewall service (where most of
the work is done anyway to keep the snort sensor lean and fast). I
shall add that capability later.
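The sensor-to-firewall channel and the key alteration rule described in the reply above, as an added Python model that is not the plug-in's code. Everything concrete here is an assumption made for illustration: the symmetric cipher is a SHA-256 keystream XOR with an HMAC tag (the post does not name its cipher or say whether packets carry a MAC), the '+' in 'new' = 'SeqNo of snort' + 'SeqNo of firewall' + 'old key' is modelled as a hash over the concatenation, rotation happens every ROTATE_EVERY packets rather than after a wall-clock interval, and the startup sync is reduced to each side learning the other's random initial sequence number. The IPs and the preshared key are constructed sample data.

```python
import hashlib
import hmac
import secrets
import struct

ROTATE_EVERY = 4          # stand-in for the post's "defined time interval" (assumption)
SALT_LEN, TAG_LEN = 8, 16


def keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """SHA-256 in counter mode keyed by key and a per-packet salt: a stand-in cipher,
    not the plug-in's (unnamed) one."""
    out = b""
    for block in range(0, length, 32):
        out += hashlib.sha256(key + salt + struct.pack(">I", block)).digest()
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def next_key(sensor_seq: int, fw_seq: int, old_key: bytes) -> bytes:
    """'new' = 'SeqNo of snort' + 'SeqNo of firewall' + 'old key', modelled as a hash of the
    concatenation (assumption). Both ends derive it; it is never sent on the wire."""
    return hashlib.sha256(struct.pack(">II", sensor_seq, fw_seq) + old_key).digest()


class Sensor:
    def __init__(self, key: bytes):
        self.key, self.seq, self.sent = key, secrets.randbelow(2 ** 31), 0   # random initial seqno
        self.fw_seq = None                      # learned during the startup sync

    def block_request(self, ip: str) -> bytes:
        """Encrypt (seqno, ip) under the current key and rotate the key every ROTATE_EVERY packets."""
        salt = secrets.token_bytes(SALT_LEN)
        body = struct.pack(">I", self.seq) + ip.encode()
        ct = xor(body, keystream(self.key, salt, len(body)))
        tag = hmac.new(self.key, salt + ct, hashlib.sha256).digest()[:TAG_LEN]
        self.seq += 1
        self.sent += 1
        if self.sent % ROTATE_EVERY == 0:
            self.key = next_key(self.seq, self.fw_seq, self.key)
        return salt + tag + ct


class FirewallReceiver:
    def __init__(self, key: bytes, authorized: list):
        self.key, self.seq, self.received = key, secrets.randbelow(2 ** 31), 0
        self.authorized, self.sensor_seq = set(authorized), None
        self.blocked, self.resyncs = [], 0      # resyncs is the "sync attempts" signal

    def sync(self, sensor: Sensor) -> None:
        """Two-way startup sync, simplified: each side learns the other's initial seqno."""
        self.sensor_seq, sensor.fw_seq = sensor.seq, self.seq

    def receive(self, src_ip: str, pkt: bytes) -> str:
        if src_ip not in self.authorized:       # authorized-IP list check comes first
            return "drop: source not in authorized list"
        salt, tag, ct = pkt[:SALT_LEN], pkt[SALT_LEN:SALT_LEN + TAG_LEN], pkt[SALT_LEN + TAG_LEN:]
        want = hmac.new(self.key, salt + ct, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, want):
            self.resyncs += 1                   # wrong or stale key: counts as a sync attempt
            return "drop: bad tag, resync requested"
        body = xor(ct, keystream(self.key, salt, len(ct)))
        seq, ip = struct.unpack(">I", body[:4])[0], body[4:].decode()
        if seq != self.sensor_seq:
            self.resyncs += 1                   # replayed or spoofed seqno
            return "drop: bad seqno, resync requested"
        self.sensor_seq = seq + 1
        self.received += 1
        if self.received % ROTATE_EVERY == 0:   # same rule, same inputs, same new key
            self.key = next_key(self.sensor_seq, self.seq, self.key)
        self.blocked.append(ip)
        return "block " + ip


def run_demo() -> dict:
    """Constructed scenario: legit requests, a replay, an unauthorized source, a key rotation,
    and a forger holding the original preshared key but not the rotated one."""
    psk = b"preshared-key-on-both-ends"
    sensor = Sensor(psk)
    fw = FirewallReceiver(psk, authorized=["192.0.2.10"])
    fw.sync(sensor)
    first = sensor.block_request("198.51.100.7")
    results = {
        "legit": fw.receive("192.0.2.10", first),
        "replay": fw.receive("192.0.2.10", first),           # sniffed and re-sent
        "unauthorized": fw.receive("192.0.2.99", b"garbage"),
    }
    for ip in ("198.51.100.8", "198.51.100.9", "198.51.100.10"):
        fw.receive("192.0.2.10", sensor.block_request(ip))   # 4th packet rotates both keys
    results["keys_match"] = sensor.key == fw.key
    results["key_rotated"] = sensor.key != psk
    results["after_rotation"] = fw.receive("192.0.2.10", sensor.block_request("198.51.100.11"))
    forged = Sensor(psk)                                     # knows the PSK and the seqnos only
    forged.fw_seq, forged.seq = fw.seq, fw.sensor_seq
    results["forged"] = fw.receive("192.0.2.10", forged.block_request("203.0.113.1"))
    results["blocked"], results["resyncs"] = fw.blocked, fw.resyncs
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point the model makes visible: after the fourth packet both ends hold the same derived key although nothing but salted ciphertext crossed the wire, and both the replayed packet and the forger's packet land in the resync counter, which is the "increase in sync attempts" the post proposes watching.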

