README.cesnet

+-------------------------------------+
| README.cesnet - Warden Client 1.0.0 |
| CESNET Specifics                    |
+-------------------------------------+

Content

 A. Overall Information
 B. Registration
 C. Configuration
 D. Testing
 E. Authors of this document

--------------------------------------------------------------------------------
A. Overall Information

 1. About CESNET Warden Server

    Warden is a client-based architecture service designed to share detected
    security issues (events) among CSIRT and CERT teams in a simple and fast way.

    CESNET offers Warden server for security events exchange within its networks.

 2. Version

    1.0.0 (2011-11-16)

--------------------------------------------------------------------------------
B. Registration

    Client attempting to communicate with CESNET Warden server must be
    registered. Registration is currently provided by Tomas Plesnik at
    address plesnik@ics.muni.cz and following information is needed:

    * For sender client:
      - hostname of the machine, where client runs,
      - name of the detection service (for example 'ScanDetector'),
      - client type = sender,
      - description tags of sent events (see below)
      - CIDR from which client will communicate with Warden server.

    * For receiver client:
      - hostname of the machine, where client runs,
      - client type = receiver,
      - type of requested events (for example 'portscan', more at
        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti),
      - receiving of sent events from my organization = yes/no (organizations
        are separated based on the top-level and second-level domain),
      - CIDR from which client will communicate with Warden server.

    Clients need to have valid certificate to prove their identity to the
    Warden server. For CESNET network, 'server' type certificate from Terena
    Certificate Service (provided by Comodo) is needed. Hostname of the
    machine must correspond with certificate subject, Alternative Name
    extension is not supported. Administrator of Warden client must be
    entitled to obtain this certificate. CESNET TCS request service 
    interface resides at

      https://tcs.cesnet.cz/

--------------------------------------------------------------------------------
C. Description tags

   Tags are case insensitive alphanumeric strings, designed to allow event
receivers to do more general filtering according to event source. Receiver
can for example decide to use only events originating at honeypots, or
filter out events, generated by human conclusions or correlation engines.

   Sender client specifies its descriptive tags during registration, it is
up to client administrator's judgment to select or omit any particular tag.
   Currently tags fall into four general categories - based on event medium,
data source, detection methodology and detector or analyzer product name.
   Product name tag is free to choose if same product name was not yet
accepted by registrar, otherwise existing form must be used (registrar will
notify about such cases).
   Categories list is certainly not complete.  Therefore if new client's
administrator feels that name or type of important feature of his (or
others) detector is not covered, providers of Warden server are glad to
discuss it at registration address or at Warden project mailing list. 
However, it may or may not be accepted, as aim is to keep the list of
categories possibly unambiguous, short and usable.

   Following is grouped list of tags together with closer description and
examples.

 1. Detection medium

    * Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo)
    * Host - host based (Swatch, Logcheck)
    * Correlation - corellation engines (Prelude, OSSIM)
    * External - credible external sources (incident reporting, ticket
                 systems, human verified events)

 2. Data source

    * Content - datagram content based detectors (Snort, Bro)
    * Flow - netflow based (FTAS, FlowMon)
    * Connection - connection data (portscan, portsweep)
    * Data - application data based (SpamAssassin, antiviruses)
    * Log - based on system logs, where more specific source is not
            applicable (Swatch, Logcheck, SSH scans)
    * IR - incident reporting, ticket systems, human verified events

 3. Detection methodology

    * Honeypot (LaBrea, Kippo, Dionaea)
    * Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
    * Antivirus (ClamAV)
    * IDS - IDS/IPS, Snort, Suricata, Bro

 4. Detector/analyzer product name examples

    * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude

--------------------------------------------------------------------------------
D. Configuration

    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  

--------------------------------------------------------------------------------       
E. Testing

    For testing purposes of sender clients, event type 'test' can be used.
    These events will end up in server database, but will not be taken
    further into consideration.

--------------------------------------------------------------------------------
F. Authors of this document

    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>

Copyright (C) 2011 Cesnet z.s.p.o