Re: [logs] Sentry/Counterpane how is it working ?

From: Tina Bird (tbird@precision-guesswork.com)
Date: Sat Mar 16 2002 - 03:23:23 PST

  • Next message: Drew: "Re: [logs] Sentry/Counterpane how is it working ?"

    To follow up on this, finally:
    
    1) Yes, agent software is required to monitor 
    Windows systems.  I am personally particularly fond
    of Event Reporter, as I think we've discussed on this
    list before, but we'll work with any EventLog to 
    syslog forwarder that a customer cares to install.
    
    2) After meeting Crispin Cowan and the d00ds at
    Immunix, we canned plans to build a secure Linux
    of our own (BTW, "CLUNIX" --> Counterpane Labs
    UNIX) and decided to use their OS instead.
    
    cheers -- tbird
    
    On Wed, 13 Mar 2002, Alexandre Dulaunoy wrote:
    
    > 
    > On Tue, 12 Mar 2002 dgillettat_private wrote:
    > 
    > > On 12 Mar 2002, at 16:00, Sweth Chandramouli wrote:
    > > 
    > > > On Tue, Mar 12, 2002 at 02:34:51PM +0100, Alexandre Dulaunoy wrote:
    > > > >
    > > > >  - How does the device handle encrypted connections (like SSL/TLS, SSH...)?
    > > > >  - Maybe you can store the private key on the sentry box? (maybe quite dangerous
    > > >
    > > > I'm not sure I understand these questions; could you clarify them?
    > > 
    > >   Understanding that Alexandre is starting from an assumption that 
    > > what the Sentry is doing is sniffing traffic -- an assumption that 
    > > Sweth responded to elsewhere, although not quite definitively -- the 
    > > questions are asking whether the Sentry can sniff *encrypted* 
    > > traffic.  (The second question asks about a specific (but dangerous) 
    > > way this might be done.)
    > >   The way I read Sweth's reply to the sniffing assumption -- and I 
    > > may have misunderstood -- is that the Sentry doesn't (or didn't) 
    > > sniff traffic passing by or through itself, but relies on logs, etc, 
    > > from other devices.  Those devices could include the local terminus 
    > > of encrypted traffic, so I don't think it ever needs to see or 
    > > decrypt the traffic itself.
    > 
    > With all the information I got (thanks, everybody), I understand that:
    > 
    > - The sentry is a passive log collector box (if I understand correctly).
    >   
    >    - remote Unix systems are configured with syslog.conf @sentrybox and so on...
    >    - I suspect some dedicated agents are needed for WIN32? (or maybe via
    >      the WIN32 RPC call and passive logging?)
    >    - This part is not so clear for me. (on how it works?)
    > 
    > - The communication is done in SSL between the sentry and the counterpane
    >   MSS (connection initiated from the counterpane MSS, I suspect).
    >   
    >     - This part seems clear. 
    > 
    > - I have seen an old message from John Callas 
    >   (http://archives.neohapsis.com/archives/crypto/2000-q2/0004.html), and 
    >   they were planning to release it under an open source license. But now ? 
    > 
    > Is there somebody with more information about CLUNIX ? 
    > 
    > Alx
    > 
    > PS: These questions are pure technical curiosity ;-) because log analysis
    > is quite complex and fun...
    > 
    > ---------------------------------------------------------------------
    > To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    > For additional commands, e-mail: loganalysis-helpat_private
    > 
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
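
    Added example, not part of the thread above and not Counterpane's Sentry
    or Immunix code: the thread describes the Sentry as a passive collector
    that receives whatever remote syslog.conf lines such as "*.* @sentrybox"
    forward to it, plus EventLog-to-syslog output from Windows agents. The
    block below is the receiving side of that arrangement, a parser for
    BSD-style (RFC 3164) syslog datagrams that splits the PRI into facility
    and severity, pulls out host, tag and pid, and keeps lines that arrive
    without a PRI or header instead of dropping them. The host names, the
    four sample datagrams (including the one labelled as coming from a
    Windows forwarder, which does not reproduce any real agent's format) and
    the function names are all constructed for the example.

```python
import re

# Facility and severity names, indexed by their RFC 3164 numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>")
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # TIMESTAMP, e.g. "Mar 16 03:23:23"
    r"(?P<host>\S+) "                                  # HOSTNAME as the sender wrote it
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?"   # TAG with optional [pid]
    r":? ?(?P<msg>.*)$"                                # CONTENT
)


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(datagram: bytes) -> dict:
    """Parse one UDP syslog datagram into a record.

    A line without a valid <PRI> is treated as <13> (user.notice), which is
    the value an RFC 3164 relay inserts when it finds none, so nothing a
    badly behaved device sends is silently discarded. A line whose header
    does not parse keeps its whole text in "msg" with host/tag left as None.
    """
    text = datagram.decode("ascii", errors="replace").rstrip("\r\n")
    pri = 13
    m = _PRI.match(text)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        text = text[m.end():]
    facility, severity = decode_pri(pri)
    record = {"pri": pri, "facility": facility, "severity": severity,
              "timestamp": None, "host": None, "tag": None, "pid": None, "msg": text}
    h = _HEADER.match(text)
    if h:
        record.update(
            timestamp=h.group("ts"), host=h.group("host"), tag=h.group("tag"),
            pid=int(h.group("pid")) if h.group("pid") else None,
            msg=h.group("msg"),
        )
    return record


def parse_many(datagrams) -> list:
    """Parse a batch of datagrams, as read off the collector's UDP/514 socket."""
    return [parse_syslog(d) for d in datagrams]


def count_by_host_severity(records) -> dict:
    """Tally (host, severity) pairs; a first-cut view of what the collector holds."""
    counts = {}
    for r in records:
        key = (r["host"], r["severity"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample datagrams (hypothetical hosts and messages, not captured traffic).
SAMPLE_DATAGRAMS = [
    b"<34>Mar 16 03:23:23 shell1 sshd[4711]: Failed password for invalid user admin from 192.0.2.7 port 52311 ssh2\n",
    b"<86>Mar 16 03:23:30 shell1 sshd[4712]: Accepted publickey for tbird from 192.0.2.9 port 40022 ssh2\n",
    # Constructed stand-in for an EventLog-to-syslog forwarder on a Windows box;
    # the content is illustrative only, not any real agent's output format.
    b"<13>Mar 16 03:24:01 winbox EventReporter: Security 529 Logon Failure: Unknown user name or bad password\n",
    # A device that sends neither PRI nor a parseable header.
    b"router: link down on eth1\n",
]

if __name__ == "__main__":
    for rec in parse_many(SAMPLE_DATAGRAMS):
        print(f"{rec['facility']}.{rec['severity']:<7} {rec['host']!s:<8} {rec['tag']!s:<14} {rec['msg']}")
```

    Two things worth keeping in mind when running this against real
    forwarders: the HOSTNAME field is whatever the sender chose to put
    there, so a collector that trusts it for attribution should also record
    the datagram's source address; and the relay default of <13> means an
    unlabelled line lands in user.notice, where an alert on auth.* would
    not see it.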
    



    This archive was generated by hypermail 2b30 : Sat Mar 16 2002 - 04:47:45 PST