Thanks for the response, all. I'm not arguing about the encryption method or strength - simply stating that I don't understand what is taking place there. It seems that the shared keys are used to authenticate whether or not an OSSEC agent is authorized to communicate with the server. That makes sense. My question is whether or not the actual payload is encrypted in transit, which you all also seem to be pointing to the answer as being: yes.

From: [email protected] [mailto:[email protected]] On Behalf Of loyd.darby
Sent: Monday, December 20, 2010 4:12 PM
To: [email protected]
Subject: Re: [ossec-list] Securely deploying OSSEC

This is a little dated, but the point is...
http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html

On 12/20/2010 04:07 PM, Chuck (MdMonk) wrote:

How about saying it's "astronomically improbable." :)

-Chuck (MdMonk)

On Mon, Dec 20, 2010 at 1:58 PM, Erik <[email protected]> wrote:

Hello,

Technically traffic can be sniffed, yes, but it would require 1) a lot of CPU power and memory, 2) heaps (tons of heaps) of patience to actually "decrypt" the traffic. Depending on the encryption algorithm used by ossec it is "near to impossible"; of course 90% is not 100%.

On 20/12/2010 21:27, loyd.darby wrote:

The traffic is encrypted but if someone can record the communication, they have essentially forever to hack at it until it breaks. You really don't want all your remote clients connecting to a local server. That would be sending way more traffic than actually matters to you. What I think you want is ossec server preprocessing the events and generating alerts, and possibly forwarding only some of those. You could scp to the remote host and fetch the alerts on a schedule or overlay encrypted attachments to email. If you want to then re-merge and correlate all those events, you might look at a limited deployment of OSSIM SIEM.

On 12/20/2010 02:02 PM, dan (ddp) wrote:

On Mon, Dec 20, 2010 at 1:54 PM, Jarred White <[email protected]> wrote:

Hello. I'm trying to find a way to remotely deploy OSSEC to some of our remote sites and have it report back to us on server health/security. There is no direct connection to the remote network, so any reporting would need to happen over the Internet since VPN is out of the question. Naturally I'm not going to send ossec alerts unencrypted via the Internet.

I've thought about writing some scripts that would keep an stunnel up and running in order to report back to us, but I'm wondering if there is a better way. I did see this on the list archives, dated 9/21/06: "Ossec uses blowfish (192 bits) for the agent/server communication channel and md5+sha1 combined for the integrity verification." I reviewed a presentation put on by Daniel and while it mentions the use of pre-shared keys, I'm interested in understanding a little bit more about how the authentication/security mechanism works. My guess is that the UDP traffic could be sniffed, but I'm just not sure and with my limited understanding about how it works, am not anxious to send alerts via the Internet.

Any thoughts?

Thanks,
Jarred

The traffic between agents and the manager is authenticated and encrypted. I don't have an understanding of the technologies used to do this though.

--
R. Loyd Darby, OSSIM-OCSE Project Manager
DOC/NOAA/NMFS Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
