[Snort-users] digitally sign event data by sensor

Oliver Bode oliver at ...6319...
Thu Oct 17 19:21:04 EDT 2002


> I am asking because in my environment I will have to be able to prove that a
> certain event really originated from the sensor that sent it and has not
> been faked.

Signing is an act that should be performed by people, not machines. Getting
your machine to automatically sign logs will not prove anything more than
what you have now.

If I had root access to your machine I could create whatever logs I wanted
and could sign them using your machine certificate. This is just smoke and
mirrors.

This is probably not the best way of proving the sensor has sent the alert
and has not been faked.





