How about saying it's "astronomically improbable." :) -Chuck (MdMonk)
On Mon, Dec 20, 2010 at 1:58 PM, Erik <[email protected]> wrote:
> Hello,
>
> Technically traffic can be sniffed, yes, but it would require
>
> 1) a lot of CPU power and memory
> 2) heaps (tons of heaps) of patience
>
> to actually "decrypt" the traffic, depending on the encryption algorithm used
> by ossec.
>
> It is "near to impossible"; of course 90% is not 100%.
>
> On 20/12/2010 21:27, loyd.darby wrote:
>
>> The traffic is encrypted but if someone can record the communication, they
>> have essentially forever to hack at it until it breaks.
>> You really don't want all your remote clients connecting to a local
>> server. That would be sending way more traffic than actually matters to
>> you.
>> What I think you want is ossec server preprocessing the events and
>> generating alerts, and possibly forwarding only some of those.
>> You could scp to the remote host and fetch the alerts on a schedule or
>> overlay encrypted attachments to email. If you want to then re-merge and
>> correlate all those events, you might look at a limited deployment of OSSIM
>> SIEM.
>>
>> On 12/20/2010 02:02 PM, dan (ddp) wrote:
>>
>>> On Mon, Dec 20, 2010 at 1:54 PM, Jarred White <[email protected]>
>>> wrote:
>>>
>>>> Hello. I'm trying to find a way to remotely deploy OSSEC to some of our
>>>> remote sites and have it report back to us on server health/security. There
>>>> is no direct connection to the remote network, so any reporting would need
>>>> to happen over the Internet since VPN is out of the question.
>>>>
>>>> Naturally I'm not going to send ossec alerts unencrypted via the Internet.
>>>> I've thought about writing some scripts that would keep an stunnel up and
>>>> running in order to report back to us, but I'm wondering if there is a
>>>> better way.
>>>>
>>>> I did see this on the list archives, dated 9/21/06:
>>>>
>>>> Ossec uses blowfish (192 bits) for the agent/server communication channel
>>>> and md5+sha1 combined for the integrity verification.
>>>>
>>>> I reviewed a presentation put on by Daniel and while it mentions the use of
>>>> pre-shared keys, I'm interested in understanding a little bit more about how
>>>> the authentication/security mechanism works. My guess is that the UDP
>>>> traffic could be sniffed, but I'm just not sure and with my limited
>>>> understanding about how it works, am not anxious to send alerts via the
>>>> Internet.
>>>>
>>>> Any thoughts?
>>>>
>>>> Thanks,
>>>>
>>>> Jarred
>>>>
>>> The traffic between agents and the manager is authenticated and
>>> encrypted. I don't have an understanding of the technologies used to
>>> do this though.
>>>
>>
>>
>
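The property the thread keeps circling (a pre-shared key that gives the agent/manager channel both confidentiality and integrity, so a sniffer on the Internet path sees only ciphertext and cannot alter it undetected) is easier to reason about with a small model. The following is an added example written for this page, not OSSEC's code and not its wire format: the thread says OSSEC uses Blowfish plus md5+sha1, whereas here a SHA-256 counter-mode keystream and HMAC-SHA256 stand in so that it runs on the Python standard library alone. The PSK, nonce size and message layout (nonce || ciphertext || tag) are assumptions of the example.

```python
"""Model of a pre-shared-key channel that is encrypted and integrity-checked.

Added illustration for the thread above; NOT OSSEC's protocol. OSSEC (per the
thread) uses Blowfish and md5+sha1. Here a hash-based keystream and an HMAC
stand in for them so the example needs only the standard library.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 16  # assumption: 128-bit per-message nonce
TAG_LEN = 32    # HMAC-SHA256 output


def derive_keys(psk: bytes) -> Tuple[bytes, bytes]:
    """Split one pre-shared key into an encryption key and a MAC key."""
    enc_key = hashlib.sha256(b"enc|" + psk).digest()
    mac_key = hashlib.sha256(b"mac|" + psk).digest()
    return enc_key, mac_key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(psk: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Agent side: encrypt-then-MAC, returning nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(psk)
    # A fresh nonce per message keeps the keystream from repeating.
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(psk: bytes, packet: bytes) -> Optional[bytes]:
    """Manager side: verify the tag first; return None on any failure."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(psk)
    nonce = packet[:NONCE_LEN]
    ciphertext = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # modified in transit, or sent under a different key
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def demo() -> dict:
    """Exercise the channel with a constructed PSK and a constructed alert."""
    psk = b"constructed-example-psk"          # constructed sample value
    alert = b"ossec: alert level 7 on host x"  # constructed sample message
    packet = seal(psk, alert)
    flipped = packet[:NONCE_LEN] + bytes([packet[NONCE_LEN] ^ 0x01]) + packet[NONCE_LEN + 1:]
    return {
        "roundtrip_ok": unseal(psk, packet) == alert,
        "plaintext_hidden": alert not in packet,
        "tamper_rejected": unseal(psk, flipped) is None,
        "wrong_key_rejected": unseal(b"some-other-psk", packet) is None,
        "truncated_rejected": unseal(psk, packet[:10]) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

What the model makes concrete: someone recording the UDP stream holds only nonce, ciphertext and tag, so the "forever to hack at it" concern reduces to the strength and secrecy of the pre-shared key, which argues for long random keys and rotating them if a site is ever suspected compromised; and because the tag is checked before decryption, a modified or forged packet is dropped rather than acted on. Nonce reuse would leak keystream in this construction, which is why `seal` draws a fresh one per message.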
