This is a little dated, but the point is...
http://www.marktaw.com/technology/HowlongdoesittaketocrackS.html
On 12/20/2010 04:07 PM, Chuck (MdMonk) wrote:
How about saying it's "astronomically improbable." :)
-Chuck (MdMonk)
On Mon, Dec 20, 2010 at 1:58 PM, Erik <rscalo...@gmail.com> wrote:
Hello,
Technically traffic can be sniffed, yes, but it would require
1) a lot of CPU power and memory
2) heaps (tons of heaps) of patience
to actually "decrypt" the traffic, depending on the encryption algorithm used by OSSEC.
It is "near to impossible"; of course 90% is not 100%.
On 20/12/2010 21:27, loyd.darby wrote:
The traffic is encrypted, but if someone can record the communication, they have essentially forever to hack at it until it breaks.
You really don't want all your remote clients connecting to a local server. That would be sending way more traffic than actually matters to you.
What I think you want is the OSSEC server preprocessing the events and generating alerts, and possibly forwarding only some of those.
You could scp to the remote host and fetch the alerts on a schedule, or overlay encrypted attachments to email.
If you want to then re-merge and correlate all those events, you might look at a limited deployment of OSSIM SIEM.
On 12/20/2010 02:02 PM, dan (ddp) wrote:
On Mon, Dec 20, 2010 at 1:54 PM, Jarred White <jwh...@immense.net> wrote:
Hello. I’m trying to find a way to remotely deploy OSSEC to some of our remote sites and have it report back to us on server health/security. There is no direct connection to the remote network, so any reporting would need to happen over the Internet since VPN is out of the question.
Naturally I’m not going to send OSSEC alerts unencrypted via the Internet. I’ve thought about writing some scripts that would keep a stunnel up and running in order to report back to us, but I’m wondering if there is a better way.
I did see this on the list archives, dated 9/21/06:
Ossec uses blowfish (192 bits) for the agent/server communication channel and md5+sha1 combined for the integrity verification.
I reviewed a presentation put on by Daniel and while it mentions the use of pre-shared keys, I’m interested in understanding a little bit more about how the authentication/security mechanism works. My guess is that the UDP traffic could be sniffed, but I’m just not sure and, with my limited understanding about how it works, am not anxious to send alerts via the Internet.
Any thoughts?
Thanks,
Jarred
The traffic between agents and the manager is authenticated and encrypted. I don't have an understanding of the technologies used to do this, though.
--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297
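Loyd's suggestion in this thread, that the manager preprocess events and forward only some of the resulting alerts off-site over whatever encrypted channel you choose (scp on a schedule, or a stunnel), is shown below as an added example; it is not code from anyone on this thread or from the OSSEC project. It assumes the classic OSSEC alerts.log layout (records separated by blank lines, a `** Alert <id>:` header line, an origin line, a `Rule: N (level L) -> '...'` line, then optional `Src IP:`/`User:` lines and the raw log line last); the sample records embedded in it are constructed, not taken from a real manager.

```python
"""Filter OSSEC manager alerts by rule level before forwarding them off-site.

Added example, not code from any poster on this thread or from OSSEC itself.
Assumes the classic alerts.log layout described in the lead-in.
"""
import json
import re

# Constructed sample in alerts.log style (three records, levels 5, 10 and 3).
SAMPLE_ALERTS = """\
** Alert 1292871234.12345: - syslog,sshd,authentication_failed,
2010 Dec 20 16:07:14 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Dec 20 16:07:13 agent01 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2

** Alert 1292871300.12400: - syslog,sshd,authentication_failures,
2010 Dec 20 16:08:20 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
User: root
Dec 20 16:08:19 agent01 sshd[1240]: Failed password for root from 192.0.2.10 port 4250 ssh2

** Alert 1292871400.12500: - ossec,
2010 Dec 20 16:10:00 ossec-server->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
"""

# Header: "** Alert <id>: [flags] - group,group,"  (flags such as "mail" may sit before the dash)
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+):(?P<flags>.*?)- (?P<groups>.*)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>\S+)$")


def parse_alerts(text):
    """Split alerts.log text into dicts; malformed records are skipped, not raised."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        m_head = HEADER_RE.match(lines[0])
        m_rule = RULE_RE.match(lines[2])
        if not (m_head and m_rule):
            continue
        rec = {
            "id": m_head.group("id"),
            "groups": [g for g in m_head.group("groups").split(",") if g],
            "origin": lines[1],
            "rule": int(m_rule.group("rule")),
            "level": int(m_rule.group("level")),
            "description": m_rule.group("desc"),
            "src_ip": None,
            "user": None,
            "log": lines[-1],  # raw event line is always last in a record
        }
        for line in lines[3:]:
            if (m := SRC_RE.match(line)):
                rec["src_ip"] = m.group("ip")
            elif (m := USER_RE.match(line)):
                rec["user"] = m.group("user")
        alerts.append(rec)
    return alerts


def select_for_forwarding(alerts, min_level=7):
    """Keep only alerts at or above min_level; the threshold is a site choice."""
    return [a for a in alerts if a["level"] >= min_level]


def to_jsonl(alerts):
    """One compact JSON object per line, ready to hand to scp/stunnel transport."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    picked = select_for_forwarding(parse_alerts(SAMPLE_ALERTS))
    print(to_jsonl(picked))
```

Run as a script it prints only the level-10 record from the sample as a JSON line; that filtered output is what a scheduled scp pull or a stunnel-wrapped push would carry, instead of the manager's whole event stream. Records that do not match the expected header or rule line are dropped rather than crashing the forwarder, so a partially written last record in a rotating log does not stall the schedule.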