Skip to content
Snippets Groups Projects
Commit 1d897ff5 authored by Tomáš Plesník's avatar Tomáš Plesník
Browse files

doplneni drobnosti; uprava formatovani; oprava kreklepu

parent 20691b9c
No related branches found
No related tags found
No related merge requests found
+-------------------------------------+
| README.cesnet - Warden Client 1.0.0 |
| README.cesnet - Warden Client 1.1.0 |
| |
| CESNET Specifics |
+-------------------------------------+
......@@ -7,9 +8,11 @@ Content
A. Overall Information
B. Registration
C. Configuration
D. Testing
E. Authors of this document
C. Description tags
D. Types of events
E. Configuration
F. Testing
G. Authors of this document
--------------------------------------------------------------------------------
A. Overall Information
......@@ -23,19 +26,19 @@ A. Overall Information
2. Version
1.0.0 (2011-11-16)
1.1.0 (2011-11-16) - DOPLNIT
--------------------------------------------------------------------------------
B. Registration
Client attempting to communicate with CESNET Warden server must be
registered. Registration is currently provided by Tomas Plesnik at
address plesnik@ics.muni.cz and following information is needed:
mail address plesnik@ics.muni.cz and following information is needed:
* For sender client:
- hostname of the machine, where client runs,
- name of the detection service (for example 'ScanDetector'),
- client type = sender,
- name of the detection service (for example 'ScanDetector'),
- description tags of sent events (see below)
- CIDR from which client will communicate with Warden server.
......@@ -61,26 +64,27 @@ B. Registration
C. Description tags
Tags are case insensitive alphanumeric strings, designed to allow event
receivers to do more general filtering according to event source. Receiver
can for example decide to use only events originating at honeypots, or
filter out events, generated by human conclusions or correlation engines.
receivers to do more general filtering according to event source. Receiver
can for example decide to use only events originating at honeypots, or
filter out events, generated by human conclusions or correlation engines.
Sender client specifies its descriptive tags during registration, it is
up to client administrator's judgment to select or omit any particular tag.
up to client administrator's judgment to select or omit any particular tag.
Currently tags fall into four general categories - based on event medium,
data source, detection methodology and detector or analyzer product name.
data source, detection methodology and detector or analyzer product name.
Product name tag is free to choose if same product name was not yet
accepted by registrar, otherwise existing form must be used (registrar will
notify about such cases).
Categories list is certainly not complete. Therefore if new client's
administrator feels that name or type of important feature of his (or
others) detector is not covered, providers of Warden server are glad to
discuss it at registration address or at Warden project mailing list.
However, it may or may not be accepted, as aim is to keep the list of
categories possibly unambiguous, short and usable.
accepted by registrar, otherwise existing form must be used (registrar will
notify about such cases).
Categories list is certainly not complete. Therefore if new client's
administrator feels that name or type of important feature of his (or
others) detector is not covered, providers of Warden server are glad to
discuss it at registration address or at Warden project mailing list
(warden@cesnet.cz).
However, it may or may not be accepted, as aim is to keep the list of
categories possibly unambiguous, short and usable.
Following is grouped list of tags together with closer description and
examples.
examples.
1. Detection medium
......@@ -114,11 +118,11 @@ examples.
--------------------------------------------------------------------------------
D. Types of events
Event types purpose is to allow event receivers to filter and/or
categorise particular events according to attack characteristics. Types are
loosely chosen as list of common security incidents nowadays observed. List
is by no means complete, however it was created based on expected use cases
at receiving places. Possibility of a new type is also open to discussion.
Event types purpose is to allow event receivers to filter and/or categorise
particular events according to attack characteristics. Types are loosely
chosen as list of common security incidents nowadays observed. List is by no
means complete, however it was created based on expected use cases at
receiving places. Possibility of a new type is also open to discussion.
* portscan - TCP/UDP port scanning/sweeping
* bruteforce - dictionary/bruteforce attack to services authentication
......@@ -133,7 +137,7 @@ at receiving places. Possibility of a new type is also open to discussion.
* other - the rest, uncategorizable yet
In case of complex scenarios with structured info more events with
particular parts of information can be created.
particular parts of information can be created.
--------------------------------------------------------------------------------
E. Configuration
......@@ -153,4 +157,4 @@ G. Authors of this document
Pavel Kacha <ph@cesnet.cz>
Jan Soukal <soukal@ics.muni.cz>
Copyright (C) 2011 Cesnet z.s.p.o
Copyright (C) 2011-2012 Cesnet z.s.p.o
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment