[Snort-users] digitally sign event data by sensor
ben at ...7123...
Thu Oct 17 09:00:02 EDT 2002
has snort plugins too.
It uses a Java iButton to digitally sign logs. And then the logs are
FIPS compliant (which is supposed to make it easier to use them as
evidence in a court case).
From: Bennett Todd [mailto:bet at ...6163...]
Sent: Thursday, October 17, 2002 8:38 AM
To: counter.spy at ...348...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] digitally sign event data by sensor
2002-10-17-10:34:58 counter.spy at ...348...:
> Is there any plugin available that provides functionality to digitally
> each event-message that is generated by snort e.g. by using a machine
Not that I know of.
> Does anyone know of an IDS in the market that provides such
Again, not that I know of.
> I am asking because in my environment I will have to be able to prove
> certain event really originated from the sensor that sent it and has
> been faked.
Interesting requirement. Presumably, you're assuming that the IDS
sensor host itself has not been compromised; if it had been, the
attacker could pick up the keys to create their own forged alerts
You're also apparently not interested in identifying forged alerts
created by lobbing nasty looking packets over the IDS's nose, where
it'll pick 'em up, alert, sign the alert, and so forth.
So you're only interested in alerts injected into your
alert-forwarding channel between the trusted IDS and the alert
Since you're presuming a trusted IDS host, this should be very easy
Create a logwatcher on the IDS host that picks up the alerts, signs
'em, and forwards 'em. This could be done with PGP. It could also be
done with other apps, or custom code.
Create or find a replacement for syslog that secures the traffic
between the IDS and the collection point. syslog-ng with TCP
forwarding could be channeled over an ssh port forwarding or a
stunnel SSL pipe.
Use straight syslog, and secure the channel. Use a dedicated
separate physical network to forward the alerts. Or use a VPN, like
CIPE or IPSec.
There are other choices, I'm sure.
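The "custom code" logwatcher option from the message above, as an added example that is not part of this thread: each alert line gets a per-sensor HMAC-SHA256 tag (a shared key stands in for the PGP signature the message mentions) plus a sequence number, and the collector rejects lines that are altered, attributed to an unknown sensor, or replayed into the forwarding channel. Sensor name, key, and alert lines are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key, one per sensor. A real deployment provisions it out
# of band and keeps it only on the sensor host and the collector.
SENSOR_KEYS = {"ids-dmz-1": b"constructed-demo-key-not-for-production"}

# Constructed Snort-style alert lines standing in for the logwatcher's input.
SAMPLE_ALERTS = [
    "[**] [1:1000001:1] CONSTRUCTED demo rule hit [**] 10.0.0.5 -> 10.0.0.9",
    "[**] [1:1000002:1] CONSTRUCTED second demo alert [**] 10.0.0.7 -> 10.0.0.9",
]

def _mac_input(sensor_id, seq, alert):
    # Sensor id and sequence number are covered by the tag, so a genuine
    # alert cannot be re-attributed to another sensor or reordered.
    return f"{sensor_id}|{seq}|{alert}".encode()

def sign_alert(sensor_id, seq, alert, key):
    """Sensor side: tag one alert line and return the wire format."""
    tag = hmac.new(key, _mac_input(sensor_id, seq, alert), hashlib.sha256).hexdigest()
    return f"{sensor_id}|{seq}|{tag}|{alert}"

class Collector:
    """Collector side: verify the tag, then enforce a strictly rising sequence."""
    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}

    def verify(self, line):
        try:
            sensor_id, seq_s, tag, alert = line.split("|", 3)  # alert may contain '|'
            seq = int(seq_s)
        except ValueError:
            return False, "malformed"
        key = self.keys.get(sensor_id)
        if key is None:
            return False, "unknown sensor"
        expected = hmac.new(key, _mac_input(sensor_id, seq, alert), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        if seq <= self.last_seq.get(sensor_id, 0):
            return False, "replayed or out-of-order"
        self.last_seq[sensor_id] = seq
        return True, "ok"

if __name__ == "__main__":
    collector = Collector(SENSOR_KEYS)
    for seq, alert in enumerate(SAMPLE_ALERTS, start=1):
        wire = sign_alert("ids-dmz-1", seq, alert, SENSOR_KEYS["ids-dmz-1"])
        print(collector.verify(wire), wire)
```

The tag does not hide the alert contents; for confidentiality on the wire, combine it with one of the channel options listed in the message (ssh, stunnel, or a VPN).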