Re: [logs] Sentry/Counterpane how is it working ?

From: Alexandre Dulaunoy (adulau-conosat_private)
Date: Wed Mar 13 2002 - 13:40:22 PST


    On Tue, 12 Mar 2002 dgillettat_private wrote:
    
    > On 12 Mar 2002, at 16:00, Sweth Chandramouli wrote:
    > 
    > > On Tue, Mar 12, 2002 at 02:34:51PM +0100, Alexandre Dulaunoy wrote:
    > > >
    > > >  - How does the device handle encrypted connections (like SSL/TLS, SSH...)?
    > > >  - Maybe you can store the private key on the sentry box? (maybe quite dangerous
    > >
    > > 	I'm not sure I understand these questions; could you clarify them? 
    > 
    >   Understanding that Alexandre is starting from an assumption that 
    > what the Sentry is doing is sniffing traffic -- an assumption that 
    > Sweth responded to elsewhere, although not quite definitively -- the 
    > questions are asking whether the Sentry can sniff *encrypted* 
    > traffic.  (The second question asks about a specific (but dangerous) 
    > way this might be done.)
    >   The way I read Sweth's reply to the sniffing assumption -- and I 
    > may have misunderstood -- is that the Sentry doesn't (or didn't) 
    > sniff traffic passing by or through itself, but relies on logs, etc, 
    > from other devices.  Those devices could include the local terminus 
    > of encrypted traffic, so I don't think it ever needs to see or 
    > decrypt the traffic itself.
    
    With all the information I got (thanks everybody), I understand that:
    
    - The sentry is a passive log collector box (if I understand correctly).
      
       - remote Unix hosts are configured with syslog.conf @sentrybox and so on... 
       - I suspect some dedicated agent is needed for WIN32? (or maybe via 
         the WIN32 RPC calls and passive logging?)
       - This part is not so clear to me (how does it work?).
    
    - The communication is done in SSL between the sentry and the Counterpane 
      MSS (connection initiated from the Counterpane MSS, I suspect).
      
        - This part seems clear. 
    
    - I have seen an old message from John Callas 
      (http://archives.neohapsis.com/archives/crypto/2000-q2/0004.html), and 
      they were planning to release it under an open source license. But now?
    
    Is there anybody with more information about CLUNIX?
    
    Alx
    
    PS: These questions are pure technical curiosity ;-) because log analysis 
    is quite complex and fun...
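    [Editor's note: the message above describes the collector as a passive
    syslog sink fed by `*.* @sentrybox` entries on the Unix hosts. The
    following is an added example, not Counterpane/Sentry code and not
    anything the list described: a minimal collector that parses the BSD
    syslog (RFC 3164) datagrams such a sink receives and applies the one
    check a purely passive box can apply, a source-address allowlist. The
    sample datagrams, the addresses, the allowlist and the Linux-style
    facility names are all constructed for the example.]

```python
"""Minimal passive syslog collector (added example, not Sentry code).

Parses RFC 3164 datagrams as a central log box fed by `*.* @collector`
in syslog.conf would, and drops datagrams from hosts that are not
allowlisted (the only sender check plain syslog over UDP allows)."""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Linux-style facility names, index == facility code (assumption: the
# collector is fed by Linux/BSD syslogd; Solaris and others name 13-15 differently).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class Record:
    source_ip: str      # UDP peer address, NOT the hostname claimed in the line
    facility: str
    severity: str
    timestamp: str
    host: str           # hostname as claimed by the sender; unauthenticated
    tag: str
    pid: Optional[int]
    msg: str


def parse_line(source_ip: str, line: str) -> Optional[Record]:
    """Decode one RFC 3164 line; None if malformed or PRI out of range."""
    m = _LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23*8 + 7 is the largest legal PRI
        return None
    fac, sev = divmod(pri, 8)          # PRI = facility * 8 + severity
    pid = m.group("pid")
    return Record(source_ip, FACILITIES[fac], SEVERITIES[sev], m.group("ts"),
                  m.group("host"), m.group("tag"), int(pid) if pid else None,
                  m.group("msg"))


def collect(datagrams: Iterable[Tuple[str, bytes]],
            allowed_sources: Set[str]) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Process (source_ip, payload) pairs; return (records, dropped_with_reason).

    The allowlist is checked against the UDP source address because the
    hostname inside the message is whatever the sender chose to write."""
    records: List[Record] = []
    dropped: List[Tuple[str, str]] = []
    for src, payload in datagrams:
        if src not in allowed_sources:
            dropped.append((src, "source not allowlisted"))
            continue
        rec = parse_line(src, payload.decode("ascii", "replace"))
        if rec is None:
            dropped.append((src, "unparseable"))
            continue
        records.append(rec)
    return records, dropped


def listen(bind_addr: str = "0.0.0.0", port: int = 514):
    """Generator yielding (source_ip, payload) from a real UDP socket (needs
    root for port 514); plug its output into collect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        payload, (ip, _port) = sock.recvfrom(8192)
        yield ip, payload


# Constructed sample traffic: two legitimate lines from 10.0.0.5, one line
# from an unlisted address claiming to be "web1", and one garbage datagram.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", b"<34>Mar 12 14:34:51 web1 sshd[2114]: Failed password for root from 10.0.0.99 port 4123 ssh2"),
    ("10.0.0.5", b"<13>Mar 12 14:35:02 web1 su: 'su root' succeeded for alice on /dev/pts/1"),
    ("192.0.2.7", b"<34>Mar 12 14:35:10 web1 sshd[2115]: Accepted password for root from 192.0.2.7 port 5000 ssh2"),
    ("10.0.0.5", b"not a syslog line at all"),
]
ALLOWED_SOURCES = {"10.0.0.5", "10.0.0.6"}   # hypothetical allowlist

if __name__ == "__main__":
    recs, drops = collect(SAMPLE_DATAGRAMS, ALLOWED_SOURCES)
    for r in recs:
        print(f"{r.source_ip} {r.facility}.{r.severity} {r.host} {r.tag}[{r.pid}]: {r.msg}")
    for src, why in drops:
        print(f"dropped from {src}: {why}")
```

    Note on the design: the allowlist only filters on the UDP source
    address, which is itself forgeable, so it is a sanity check rather
    than authentication; that limitation is exactly why the SSL link
    between the collector and the MSS discussed in this thread matters,
    and why the hop from the hosts to the collector would need an
    authenticated transport (a TLS or SSH tunnel) to be trustworthy.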
    
    
    
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
    



    This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 18:11:37 PST