
Netcat to the Rescue!

Along with my recent OSSEC presentation at the Rochester Security Summit, I helped out the SPARSA guys with the Capture the Flag contest. To demonstrate the capabilities of OSSEC, I created a virtual machine running OSSEC and Snort. It had two virtual interfaces: one ran in promiscuous mode and the other was for management and OSSEC. The virtual switch was configured to mirror the traffic to the interface I was monitoring with Snort, and OSSEC monitored not only the agents but also the Snort logs. Everything was virtual. It worked very well.

One snafu we ran into was with the OSSEC keys. The SPARSA guys had already downloaded the Windows OSSEC agent to the Windows machines, but we saved the key stuff until just before it was to begin.

To keep everyone safe, the virtual network had no Internet access. The Windows machines had no way to communicate with the OSSEC server other than through SSH, and we didn’t have PuTTY available.

After trying in vain to manually enter a couple of keys, one of the SPARSA guys had a great idea: how about netcat?

We set up a netcat listener on the OSSEC box to serve the client.keys file over port 80, then connected with IE from the Windows boxes. I believe the command was: nc -l -k 80 < etc/client.keys. After serving up the keys with IE, we created the client.keys file on the Windows boxes in the ossec-agent directory and were on our way!

Although not a secure way of doing things, it presented no problem on a closed network which was designed to be exploited, and solved a real problem.
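
An added example, not part of the original post: the server-side client.keys holds an entry for every agent, so on a network that is not disposable it is better to hand each agent only its own line and to fingerprint that line so the copy on the agent can be compared. The sketch assumes each line has the form "id name ip key" with a hexadecimal key; the function names and sample data are constructed for illustration.

```shell
# Added example. Assumed client.keys line format: <id> <name> <ip> <hex key>

# Constructed sample of a server-side client.keys; the keys are made up.
sample_keys() {
  cat <<'EOF'
001 win-ctf-1 10.10.0.11 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 win-ctf-2 10.10.0.12 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
003 win-ctf-3 any
EOF
}

# agent_entry ID: read client.keys on stdin and print only the line for ID.
# Returns non-zero if the ID is missing, duplicated, or the line is malformed
# (wrong field count or a non-hex key, e.g. a typo from manual entry).
agent_entry() {
  awk -v id="$1" '
    { sub(/\r$/, "") }                  # tolerate CRLF from a Windows copy
    ($1 "") == (id "") {                # compare IDs as strings, not numbers
      n++
      if (NF != 4 || $4 !~ /^[0-9a-fA-F]+$/) bad = 1
      line = $1 " " $2 " " $3 " " $4
    }
    END {
      if (n != 1 || bad) exit 1
      print line
    }'
}

# entry_digest ID: SHA-256 of the normalized entry, for comparing the server's
# line with the copy created on the agent.
entry_digest() {
  entry=$(agent_entry "$1") || return 1
  printf '%s\n' "$entry" | sha256sum | cut -d' ' -f1
}

# Demo on the constructed data: one agent's line and its fingerprint.
sample_keys | agent_entry 002
sample_keys | entry_digest 002
```

Because the entry is normalized before hashing, a copy saved with Windows line endings produces the same digest as the server's original.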
