Re: self authentication for sensors in ids ?

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 01/12/04

  • Next message: Stefano Zanero: "Re: self authentication for sensors in ids ?"
    Date: Mon, 12 Jan 2004 14:57:03 -0500
    To: "Gaurav_Jindal" <gaurav_jindal@da-iict.org>
    
    

    I'll answer inline for Snort.

    On Jan 12, 2004, at 12:58 PM, Gaurav_Jindal wrote:

    > Hi,
    >
    > I would like to know specific for snort , prelude ids is
    >
    > (1) Do these IDS use some authentication scheme to check the integrity
    > of the sensor code deployed on the application, host or machine?

    We have md5 hashes and PGP signatures for the Snort tarball distro and
    md5 hashes for most everything else in the downloads section of
    snort.org. If you want to make sure a runtime binary is unmodified,
    I'd probably recommend AIDE or Tripwire.

    > (2) Are self-authentication schemes like the md5 algorithm, or similar
    > algorithms, used for integrity of the sensor code?

    We just give you an integrity check for the tarball.

    > (3) What are the probable chances for failure of the above conditions
    > putting sensors or IDS in hands on attacker?

    Not sure I understand this one, if the sensor falls into an attacker's
    hands the sensor can be made to report anything (or nothing).

    > (4) If the source code for snort or prelude have these features what
    > part of code should i follow specifically to have my answers
    > (5) Also please suggest any future directions.

    AIDE seems to be well constructed to perform integrity checking of the
    runtime binary, Snort is monolithic so the only way to change the
    running process (short of patching memory) is to do a restart which
    will be reported in syslog.

         -Marty

    >
    > Thanking you,
    > With Regards,
    > Gaurav Jindal
    >
    >
    > "Read, every day, something no one else is reading. Think, every day,
    > something no one else is thinking. Do, every day, something no one else
    > would be silly enough to do. It is bad for the mind to continually be
    > part of unanimity."
    > - Christopher Morley

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
    Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
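The reply above describes two separate checks: verifying a downloaded tarball against a digest published out of band, and keeping an AIDE/Tripwire-style baseline of the installed sensor files so that a modified runtime binary is noticed. The script below is an added example written for this archive page; it is not code from Snort, AIDE or Tripwire. It assumes the sensor's binaries and configuration live under one directory, that the baseline manifest was recorded at install time and kept on media the sensor host cannot write to, and it uses SHA-256 for the manifest rather than the MD5 mentioned in the thread; the file names in the usage block are constructed.

```python
"""AIDE-style integrity baseline for an IDS sensor install tree (added example).

Two checks are shown:
  1. verify_download(): compare a downloaded tarball with a digest published
     out of band (the md5/PGP hashes on a download page, for instance).
  2. build_baseline() / compare(): record size, mode and SHA-256 of every
     regular file under the sensor directory, then report added, removed and
     modified files on a later run.
"""
import hashlib
import hmac
import json
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large binaries do not need RAM


def file_digest(path, algo="sha256"):
    """Hex digest of a file; SHA-256 by default (design choice, not MD5)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_digest, algo="sha256"):
    """True if the file matches a digest obtained from a trusted source.

    The published digest must come from somewhere other than the download
    itself (signed announcement, vendor page over TLS, PGP-signed file), or
    the check proves nothing. compare_digest avoids a timing side channel.
    """
    expected = published_digest.strip().lower()
    return hmac.compare_digest(file_digest(path, algo), expected)


def build_baseline(root):
    """Map relative path -> {size, mode, sha256} for regular files under root.

    Symlinks are skipped: hashing their target would let an attacker point a
    link at a known-good file while the real binary lives elsewhere.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,   # permission bits incl. setuid/setgid
            "sha256": file_digest(p),
        }
    return baseline


def save_baseline(baseline, manifest_path):
    """Write the manifest; in practice store it off-host or read-only."""
    Path(manifest_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest_path):
    return json.loads(Path(manifest_path).read_text())


def compare(baseline, current):
    """Diff two manifests. Any field change (size, mode or hash) counts."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def check_tree(root, baseline):
    """Convenience wrapper: rescan root and diff against the stored baseline."""
    return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import sys
    # Usage (constructed example paths):
    #   python integrity.py init  /opt/snort baseline.json
    #   python integrity.py check /opt/snort baseline.json
    action, root, manifest = sys.argv[1:4]
    if action == "init":
        save_baseline(build_baseline(root), manifest)
    else:
        report = check_tree(root, load_baseline(manifest))
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

A non-zero exit from the check run is the signal to alert on; as the reply notes, the sensor host itself can be made to report anything once it is compromised, so the manifest and the scheduled check belong on a separate, trusted host that mounts or pulls the sensor's files rather than on the sensor.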
