Re: self authentication for sensors in ids ?
From: Martin Roesch (roesch_at_sourcefire.com)
Date: 01/12/04
- Previous message: Gaurav_Jindal: "self authentication for sensors in ids ?"
- In reply to: Gaurav_Jindal: "self authentication for sensors in ids ?"
- Next in thread: Stefano Zanero: "Re: self authentication for sensors in ids ?"
- Reply: Stefano Zanero: "Re: self authentication for sensors in ids ?"
Date: Mon, 12 Jan 2004 14:57:03 -0500
To: "Gaurav_Jindal" <gaurav_jindal@da-iict.org>
I'll answer inline for Snort.
On Jan 12, 2004, at 12:58 PM, Gaurav_Jindal wrote:
> Hi,
>
> I would like to know, specifically for Snort and Prelude IDS:
>
> (1) Do these IDSs use some authentication scheme to check for integrity
> of sensor code deployed on the application, host or machine?
We have md5 hashes and PGP signatures for the Snort tarball distro and
md5 hashes for most everything else in the downloads section of
snort.org. If you want to make sure a runtime binary is unmodified,
I'd probably recommend AIDE or Tripwire.
> (2) Does self authentication schemes like md5 algorithm, or these
> algorithms are used for integrity of sensor code.
We just give you an integrity check for the tarball.
> (3) What are the probable chances for failure of the above conditions
> putting sensors or IDS in the hands of an attacker?
Not sure I understand this one, if the sensor falls into an attacker's
hands the sensor can be made to report anything (or nothing).
> (4) If the source code for Snort or Prelude has these features, what
> part of the code should I follow specifically to have my answers?
> (5) Also please suggest any future directions.
AIDE seems to be well constructed to perform integrity checking of the
runtime binary, Snort is monolithic so the only way to change the
running process (short of patching memory) is to do a restart which
will be reported in syslog.
-Marty
>
> Thanking you,
> With Regards,
> Gaurav Jindal
>
>
> "Read, every day, something no one else is reading. Think, every day,
> something no one else is thinking. Do, every day, something no one else
> would be silly enough to do. It is bad for the mind to continually be
> part of unanimity."
> - Christopher Morley
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org