Re: [logs] Sentry/Counterpane how is it working ?

From: n gold (395cat_private)
Date: Tue Mar 12 2002 - 12:42:48 PST


    The Counterpane Sentry is a "passive" monitoring appliance in that it
    "listens" to devices that are configured to send their logs or alerts or
    traps to the Sentry...That is to say, the Sentry does not do "sniffing".
    Its interface has an IP address and does not operate in the "promiscuous"
    mode associated with sniffers.  On the contrary, according to Counterpane,
    the only information the Sentry sees from a customer's network is that
    information which the customer (or their representative) has configured to
    be sent to the Sentry using one of several protocols such as SNMP, syslog,
    or SMTP.
    
    On the Sentry itself, there are proprietary "listeners" running to receive
    input from those protocols and there are some proprietary filters that
    pre-screen the traffic somewhat along the lines of "signature" matching.
    When security relevant events are detected in the data seen by the Sentry,
    the Sentry then generates an alert which it sends to the remote monitoring
    centers where Counterpane analysts examine the information in the context of
    their knowledge of the customer's network, current attacks, etc.
    
    The Sentry uses an outbound SSL connection to set up an encrypted tunnel
    from it to the remote monitoring centers. And it is a little more than just
    a straight SSL connection (after all, the CTO is himself a
    cryptographer-extraordinaire, non?).
    
    HTH,
    n gold
    ----- Original Message -----
    From: "Sweth Chandramouli" <loganalysisat_private>
    To: <loganalysisat_private>
    Sent: Tuesday, March 12, 2002 4:00 PM
    Subject: Re: [logs] Sentry/Counterpane how is it working ?
    
    
    > On Tue, Mar 12, 2002 at 02:34:51PM +0100, Alexandre Dulaunoy wrote:
    > > Dear All,
    > >
    > > We have looked around http://www.counterpane.com/sentry.html. And we have some
    > > questions about how it is working ?
    > [snip]
    > > Is there some user of the sentry software/appliance (or maybe Tina?)
    > > in this list? Any feedback ?
    > I suspect that Tina would rather others respond so that
    > it doesn't seem like she was abusing her role as moderator to spam the
    > group with marketing.  Since I know something about the Sentry as well
    > (I worked for Counterpane very briefly about a year ago), I'll throw in
    > my two cents.  (Insert disclaimers about opinions being mine and nobody
    > else's, etc., etc.)
    >
    > > - If we clearly understand this is only network monitoring sniffing ?
    > At least when I was there, there was no sniffing going on;
    > the sentry was essentially a log aggregator that gathered information from
    > servers, network devices, IDSes, etc., parsed them and did some
    > intelligent preprocessing, and then passed the relevant logs entries on
    > to the Counterpane SOC (via an encrypted channel) for further analysis by
    > humans and other software.
    > That conflicts with what it says at:
    > >   (check out Question 7 : http://www.counterpane.com/questions.html)
    > , however, now that I look at that link:
    > "Counterpane's business model works because network monitoring is
    > fundamentally better than device monitoring" _does_ imply pretty
    > strongly that they don't gather data from routers, switches, servers,
    > etc.  Either that piece of marketing was written by someone who is
    > using "device monitoring" to mean something different (I do notice that
    > earlier in the same section they use the phrase "device monitoring/
    > management", so perhaps they are just trying to emphasize that they
    > only monitor things--they aren't like some companies whose business
    > model was to actually go in and manage devices as part of their security
    > services), or things have changed greatly.
    >
    > >  - How the device handles encrypted connection (like SSL/TLS, SSH...) ?
    > >  - Maybe you can store private key on the sentry box ? (maybe quite
    > > dangerous
    > I'm not sure I understand these questions; could you
    > clarify them?
    >
    > > - So with this type of system where can you get the system log for
    > > example ? (Event log and audit log from WIN32 ? Specific application
    > > log ?)
    > Again, as of last year, all of this info would be
    > redirected to the sentries just like syslog info would be.
    >
    > > - Another question : Is it possible to get the software of sentry ?
    > > Or having a technical overview of the software ?
    > There's a whole lot of proprietary stuff on those boxes
    > that I don't think they'd want to give away to competitors. :)  I'm
    > sure if you had specific questions, though, their sales folks could
    > get you the appropriate info.
    >
    > -- Sweth.
    >
    > --
    > Sweth Chandramouli ; <svcat_private>
    > President, Idiopathic Systems Consulting
    >
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    >
    >
    
    
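An added illustration of the passive-listener-plus-prefilter design described in the message above (this is example code, not Counterpane's or the Sentry's own software): a syslog receiver that parses BSD-style syslog lines, applies a few signature-style prefilters, and emits only the matching events as alerts for a monitoring centre. The sample log lines and the signature patterns are constructed for the example.

```python
import re
import socket

# Constructed sample syslog lines (BSD/RFC 3164 style); not real captured traffic.
SAMPLE_LINES = [
    "<38>Mar 12 12:42:48 fw01 sshd[4711]: Failed password for root from 192.0.2.10 port 51234 ssh2",
    "<38>Mar 12 12:42:49 fw01 sshd[4711]: Failed password for root from 192.0.2.10 port 51236 ssh2",
    "<30>Mar 12 12:42:50 web01 cron[202]: (root) CMD (run-parts /etc/cron.hourly)",
    "<22>Mar 12 12:42:51 web01 postfix/smtpd[990]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed",
]

# <PRI>timestamp host program[pid]: message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")

# Signature-style prefilters (name, pattern on the message body); illustrative, not a real rule set.
SIGNATURES = [
    ("ssh_auth_failure", re.compile(r"Failed password for \S+ from \S+")),
    ("smtp_auth_failure", re.compile(r"SASL LOGIN authentication failed")),
]

def parse_syslog(line):
    """Split one BSD syslog line into facility, severity, host, program and message; None if malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "program": m.group(4), "msg": m.group(5)}

def match_signatures(event):
    """Return the names of all prefilter signatures that fire on a parsed event."""
    return [name for name, rx in SIGNATURES if rx.search(event["msg"])]

def screen(lines):
    """Pre-screen raw lines; keep only events that hit a signature, as alerts to forward."""
    alerts = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            continue  # unparseable input is dropped, not forwarded
        hits = match_signatures(ev)
        if hits:
            alerts.append({"host": ev["host"], "program": ev["program"],
                           "signatures": hits, "msg": ev["msg"]})
    return alerts

def listen_udp(port=514):
    """Passive listener: bind a UDP port and wait for devices configured to send syslog here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(8192)
        for alert in screen([data.decode("utf-8", "replace")]):
            print(peer[0], alert)  # stand-in for the encrypted uplink to the monitoring centre

if __name__ == "__main__":
    for alert in screen(SAMPLE_LINES):
        print(alert)
```

Run the module directly to see the prefilter applied to the constructed lines; call listen_udp() (as a user allowed to bind port 514, or with a high port) to receive from real devices.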



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 16:43:31 PST