[Snort-devel] Inter-Sensor Communication? (long)

agetchel at ...358... agetchel at ...358...
Mon May 21 02:18:57 EDT 2001


> Or use UDP as underlying protocol? Less reliable but no need
> to keep track of 19^2 connections. Some 3DES crypto,
> timestamps and DSA signatures would solve the problems with
> sniffing/spoofing and replaying attacks.

	I like this idea.  It would be less reliable at the protocol level,
but reliability could be built into the code.  For instance, the sensor
sends out a message to the other sensors using UDP as a transport.  It
expects an acknowledgement from the other sensors that it received this
message. If it doesn't get it within X number of seconds, it tries again.
If it doesn't get an acknowledgement back the second time, it logs something
to a file so the analyst can see what happened.  Sure, you're just
generating more packets, and I'm not sure how one would do this without
keeping the sensor from doing real work while waiting for acknowledgements,
unless you spawn a thread to handle the inter-sensor communication and... oh
my god... here we go with the threading Snort discussion again. =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/
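
The acknowledge-and-retry exchange described in the message above, as an added example that is not part of the original post and is not Snort code. The wire format (a one-byte type plus a 32-bit message id), the logger name and the function names are assumptions made for illustration, and the 3DES/DSA/timestamp protection mentioned in the quoted text is not implemented here.

```python
import logging
import socket
import struct
import threading
import time

log = logging.getLogger("sensor-link")  # hypothetical logger name

def send_with_ack(sock, peer, msg_id, payload, timeout=2.0, attempts=2):
    """Send one datagram; return True once the peer ACKs msg_id.

    peer must be a numeric (ip, port) tuple. After `attempts` unanswered
    sends the failure is logged for the analyst and False is returned.
    """
    frame = struct.pack("!cI", b"M", msg_id) + payload  # constructed wire format
    want = struct.pack("!cI", b"A", msg_id)             # ACK echoes the same id
    for attempt in range(1, attempts + 1):
        sock.sendto(frame, peer)
        deadline = time.monotonic() + timeout
        # Fixed deadline per attempt: stray datagrams cannot extend the wait.
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                data, addr = sock.recvfrom(2048)
            except OSError:  # timeout, or an unreachable error surfaced by the OS
                break
            # Ignore anything that is not this peer's ACK for this message.
            if addr == peer and data == want:
                return True
        log.warning("no ACK from %s for msg %d (attempt %d/%d)",
                    peer, msg_id, attempt, attempts)
    log.error("msg %d to %s unacknowledged, giving up", msg_id, peer)
    return False

def notify_async(peer, msg_id, payload, results, **kw):
    """Run the exchange on a worker thread so packet processing never blocks."""
    def worker():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            results[peer] = send_with_ack(s, peer, msg_id, payload, **kw)
    t = threading.Thread(target=worker, daemon=True)
    t.start()
    return t
```

The source-address and message-id check only filters stale or unrelated datagrams; it does not authenticate the peer.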




