Typy udalosti

dc91c072 · Pavel Kácha · b481fccf · dc91c072
Commit dc91c072 authored 13 years ago by Pavel Kácha
--- a/src/warden-client/doc/README.cesnet
+++ b/src/warden-client/doc/README.cesnet
@@ -42,8 +42,7 @@ B. Registration
    * For receiver client:
      - hostname of the machine, where client runs,
      - client type = receiver,
-      - type of requested events (for example 'portscan', more at
-        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti),
+      - type of requested events (for example 'portscan', see below)
      - receiving of sent events from my organization = yes/no (organizations
        are separated based on the top-level and second-level domain),
      - CIDR from which client will communicate with Warden server.
@@ -113,19 +112,43 @@ examples.
    * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude

 --------------------------------------------------------------------------------
-D. Configuration
+D. Types of events
+
+   Event types purpose is to allow event receivers to filter and/or
+categorise particular events according to attack characteristics. Types are
+loosely chosen as list of common security incidents nowadays observed. List
+is by no means complete, however it was created based on expected use cases
+at receiving places. Possibility of a new type is also open to discussion.
+
+   * portscan - TCP/UDP port scanning/sweeping
+   * bruteforce - dictionary/bruteforce attack to services authentication
+   * spam - unsolicited commercial email (except phishing)
+   * phishing - email, trying to scam user to revealing personal information
+     (possibly by some other channel)
+   * botnet_c_c - botnet command & control master machine
+   * dos - (possibly distributed) denial of service attack
+   * malware - virus/malware sample
+   * copyright - copyright infringement
+   * webattack - web application attack
+   * other - the rest, uncategorizable yet
+
+   In case of complex scenarios with structured info more events with
+particular parts of information can be created.
+
+--------------------------------------------------------------------------------
+E. Configuration

    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  

 --------------------------------------------------------------------------------       
-E. Testing
+F. Testing

    For testing purposes of sender clients, event type 'test' can be used.
    These events will end up in server database, but will not be taken
    further into consideration.

 --------------------------------------------------------------------------------
-F. Authors of this document
+G. Authors of this document

    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>