Hello. I'm trying to find a way to remotely deploy OSSEC to some of our remote 
sites and have it report back to us on server health/security. There is no 
direct connection to the remote network, so any reporting would need to happen 
over the Internet since VPN is out of the question.

Naturally I'm not going to send ossec alerts unencrypted via the Internet. I've 
thought about writing some scripts that would keep an stunnel up and running in 
order to report back to us, but I'm wondering if there is a better way.

I did see this on the list archives, dated 9/21/06:

Ossec uses blowfish (192 bits) for the agent/server communication channel
and md5+sha1 combined for the integrity verification.

I reviewed a presentation put on by Daniel, and while it mentions the use of 
pre-shared keys, I'm interested in understanding a little bit more about how 
the authentication/security mechanism works. My guess is that the UDP traffic 
could be sniffed, but I'm just not sure, and with my limited understanding of 
how it works, I am not anxious to send alerts via the Internet.

Any thoughts?

Thanks,
Jarred
