So does the replay protection feature of OSSEC only serve to protect from 
malicious replays of OSSEC messages or does it serve other purposes, too?

Kevin


On Tuesday, June 7, 2016 at 6:55:34 PM UTC-4, Kevin Branch wrote:
>
> I see that at times it is recommended to set remoted.verify_msg_id to 0 in 
> the internal_options.conf or local_internal_options.conf file of the OSSEC 
> server and/or agent, like when you are deploying HA or otherwise having 
> trouble with rids getting out of sync between agents and server.  Besides 
> losing protection from an attacker replaying agent messages in an attempt 
> to DoS my server, are there any other downsides to taking this action?  Are 
> there other common benign causes of OSSEC agent message re-transmissions 
> that this anti-replay feature is also intended to protect me from?  
>
> Kevin
>
