Hey,

Yes, the communication is using UDP port 1514 (by default). This is how it works:

- Network level:
  1. Agent connects to the manager port 1514.
  2. Manager acknowledges the connection by replying back to the agent.
  3.1. Agent sends the events to the manager as they are read locally.
  3.2. Agent sends a keep alive every 5 minutes and waits for the manager to reply.
  3.2.1. Manager acknowledges the keep alive.
  3.2.2. If the manager is offline (and doesn't answer the keep alive), the agent will retry it a few times. If no reply is received, it will enter the offline mode, stop processing events and keep trying to re-connect to the manager.
  4. If the manager doesn't receive the keep alive from the agent, it will alert that the agent is offline (after a wait period to give the agent a chance to reconnect).

- Low level:
  1. Agent reads the key from client.keys and the message count from the rids directory.
  2. When sending the event, the agent increases the rids count, adds a random pad and prepends the event to the final string. It encrypts it all using blowfish and sends to the manager.
  3. The manager checks if the source IP address matches the configured IP address for that agent and decrypts the message using the symmetric key.
  4. If the rids count is repeated, it drops the message (injection attack or network problem).

I hope that helps to summarize how it works...

Thanks,

-- 
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Feb 26, 2010 at 2:01 PM, Wim Remes <[email protected]> wrote:
> Hi,
>
> I might be off but if I remember correctly OSSEC uses blowfish crypto. The
> key is based (amongst others) on the ip address of the client.
>
> Cheers,
>
> Wim
>
> On 26 Feb 2010, at 16:07, HotteFred wrote:
>
>> Greetings everyone,
>>
>> Could someone tell me what kind of crypto and authentication ossec
>> uses for the secure connection from clients to the server? We're
>> considering making some adjustments to our network for reliability
>> purposes and we need to know how exactly ossec handles the
>> communication channel. I haven't seen any documentation on this,
>> although maybe I missed it.
>>
>> Full disclosure: No, I admit I haven't read the source - C and I are
>> not on good terms.
>>
>> --cryogen
>>
>> ------------------------------------------------------------------------
>>
>> I'm interested too. Is there anyone who can tell me more about the
>> secure connection between client and server? How does it work?
>>
>> Thanks
>> Christian
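The low-level steps Daniel lists (per-agent key, rids counter, random pad, source-IP check, drop on a repeated count) can be modelled as a small simulation. The code below is an added example written for this thread; it is not OSSEC's code and does not reproduce its wire format. The `Agent`/`Manager` classes, the `"<count>:<pad>:<event>"` layout, the IP and key values, and the hash-based keystream standing in for Blowfish are all constructed for illustration. It shows why the counter matters: the same sealed datagram delivered twice is rejected, and a datagram from an address other than the one configured for that agent is rejected before decryption.

```python
import os
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the message layout described in the thread:
# "<rids_count>:<random_pad>:<event>", sealed with a per-agent symmetric key.
# The cipher here is a hash-based keystream used only as a labelled placeholder
# for Blowfish; it is not OSSEC's construction.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from key, nonce and a block counter."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.blake2b(key + nonce + block.to_bytes(4, "big"), digest_size=64).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Placeholder for the agent-side encryption step (nonce || plaintext XOR keystream)."""
    nonce = os.urandom(8)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); with the wrong key the result is garbage, not an error."""
    nonce, body = blob[:8], blob[8:]
    stream = _keystream(key, nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


@dataclass
class Agent:
    agent_id: str
    ip: str
    key: bytes            # read from client.keys in OSSEC; constructed here
    rids_count: int = 0   # persisted under the rids directory in OSSEC; in memory here

    def build(self, event: str) -> bytes:
        self.rids_count += 1                    # step 2: increase the rids count
        pad = os.urandom(4).hex()               # random pad so identical events differ
        plaintext = f"{self.rids_count}:{pad}:{event}".encode()
        return seal(self.key, plaintext)        # encrypt with the shared symmetric key


@dataclass
class Manager:
    agents: dict                                # agent_id -> (configured source IP, key)
    last_count: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def receive(self, agent_id: str, source_ip: str, blob: bytes) -> str:
        configured_ip, key = self.agents[agent_id]
        if source_ip != configured_ip:          # step 3: source IP must match config
            return "dropped:ip-mismatch"
        try:
            count_s, _pad, event = unseal(key, blob).decode().split(":", 2)
            count = int(count_s)
        except (UnicodeDecodeError, ValueError):
            return "dropped:malformed"          # wrong key or tampered datagram
        # Step 4: a repeated count means a replayed or duplicated datagram.
        # Rejecting anything <= the last accepted count is a simplification
        # (assumed here) that also covers stale counts without storing every one seen.
        if count <= self.last_count.get(agent_id, 0):
            return "dropped:replay"
        self.last_count[agent_id] = count
        self.events.append((agent_id, event))
        return "accepted"


def run_demo() -> list:
    """Constructed exchange: fresh event, replay, spoofed source, next fresh event."""
    key = os.urandom(16)                        # constructed shared key
    agent = Agent("001", "10.0.0.5", key)
    manager = Manager({"001": ("10.0.0.5", key)})
    first = agent.build("sshd: Failed password for root")
    return [
        manager.receive("001", "10.0.0.5", first),                 # accepted
        manager.receive("001", "10.0.0.5", first),                 # same datagram again
        manager.receive("001", "10.0.0.9", agent.build("x")),      # wrong source IP
        manager.receive("001", "10.0.0.5", agent.build("sudo: session opened")),
    ]


if __name__ == "__main__":
    print(run_demo())
```

The replay check only works because the counter is inside the encrypted payload: an observer on the network cannot forge a datagram with a higher count without the agent's key, and a captured datagram re-sent later carries a count the manager has already accepted. Note that the placeholder cipher provides no integrity check, so a corrupted datagram surfaces as a parse failure rather than an explicit authentication error; that is a property of the stand-in, not a statement about OSSEC.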
