Anh, I'm referring to the communication between the OSSEC agents and server. 
Thanks.

-----Original Message-----
From: Anh K. Huynh [mailto:[email protected]] 
Sent: Monday, December 20, 2010 9:19 PM
To: [email protected]
Cc: Jarred White; [email protected]
Subject: Re: [ossec-list] Securely deploying OSSEC

On Mon, 20 Dec 2010 18:54:42 +0000
Jarred White <[email protected]> wrote:

> Hello. I'm trying to find a way to remotely deploy OSSEC to some of 
> our remote sites and have it report back to us on server 
> health/security. There is no direct connection to the remote network, 
> so any reporting would need to happen over the Internet since VPN is 
> out of the question.
> 
> Naturally I'm not going to send ossec alerts unencrypted via the 
> Internet. I've thought about writing some scripts that would keep an 
> stunnel up and running in order to report back to us, but I'm 
> wondering if there is a better way

Are you mentioning the traffic between OSSEC nodes (the server and the agents), 
or between the OSSEC master and you (the one who will receive reports)? My 2 
cents may help: I set up local mail servers (using exim/dovecot-imap) to 
receive any alerts. The messages will be stored on servers and won't be sent 
to any sources. Then I use an SSH tunnel from my local server to the OSSEC master, to 
fetch all alerts to local disks.

Regards,

> 
> I did see this on the list archives, dated 9/21/06:
> 
> Ossec uses blowfish (192 bits) for the agent/server communication 
> channel and md5+sha1 combined for the integrity verification.
> 
> I reviewed a presentation put on by Daniel and while it mentions the 
> use of pre-shared keys, I'm interested in understanding a little bit 
> more about how the authentication/security mechanism works. My guess 
> is that the UDP traffic could be sniffed, but I'm just not sure and 
> with my limited understanding about how it works, am not anxious to 
> send alerts via the Internet.
> 
> Any thoughts?
> 
> Thanks,
> Jarred


--
Anh Ky Huynh at UTC+7
