[Snort-users] digitally sign event data by sensor

Bennett Todd bet at ...6163...
Thu Oct 17 08:49:02 EDT 2002


2002-10-17-10:34:58 counter.spy at ...348...:
> Is there any plugin available that provides functionality to digitally sign
> each event-message that is generated by snort e.g. by using a machine
> certificate?

Not that I know of.

> Does anyone know of an IDS in the market that provides such functionality?

Again, not that I know of.

> I am asking because in my environment I will have to be able to prove that a
> certain event really originated from the sensor that sent it and has not
> been faked.

Interesting requirement. Presumably, you're assuming that the IDS
sensor host itself has not been compromised; if it had been the
attacker could pick up the keys to create their own forged alerts
there.

You're also apparently not interested in identifying forged alerts
created by lobbing nasty looking packets over the IDSes nose, where
it'll pick 'em up, alert, sign the alert, and so forth.

So you're only interested in alerts injected into your
alert-forwarding channel between the trusted IDS and the alert
collection point.

Since you're presuming a trusted IDS host, this should be very easy
to arrange.

Create a logwatcher on the IDS host that picks up the alerts, signs
'em, and forwards 'em. This could be done with PGP. It could also be
done with other apps, or custom code.

Create or find a replacement for syslog that secures the traffic
between the IDS and the collection point. syslog-ng with tcp
forwarding could be channeled over an ssh port forwarding or a
stunnel SSL pipe.

Use straight syslog, and secure the channel. Use a dedicated
separate physical network to forward the alerts. Or use a VPN, like
CIPE or IPSec.

There are other choices, I'm sure.

-Bennett
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20021017/49b59130/attachment.sig>


More information about the Snort-users mailing list