From dc91c072c53fd35f00a40478edd3ce6428c7676c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Thu, 19 Jan 2012 15:50:11 +0100
Subject: [PATCH] Event types

---
 src/warden-client/doc/README.cesnet | 33 ++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

diff --git a/src/warden-client/doc/README.cesnet b/src/warden-client/doc/README.cesnet
index 481e0db..94d24fd 100644
--- a/src/warden-client/doc/README.cesnet
+++ b/src/warden-client/doc/README.cesnet
@@ -42,8 +42,7 @@ B. Registration
     * For receiver client:
       - hostname of the machine, where client runs,
       - client type = receiver,
-      - type of requested events (for example 'portscan', more at
-        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti),
+      - type of requested events (for example 'portscan', see below)
       - receiving of sent events from my organization = yes/no (organizations
         are separated based on the top-level and second-level domain),
       - CIDR from which client will communicate with Warden server.
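Review bot: the replacement line "- type of requested events (for example 'portscan', see below)" drops the trailing comma that the neighbouring list items end with, and "see below" does not tell the reader where to look. Suggest ending the item with a comma and naming the target, for example "see section D. Types of events", so the reference still works if sections are reordered again.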
@@ -113,19 +112,43 @@ examples.
     * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude
 
 --------------------------------------------------------------------------------
-D. Configuration
+D. Types of events
+
+   Event types purpose is to allow event receivers to filter and/or
+categorise particular events according to attack characteristics. Types are
+loosely chosen as list of common security incidents nowadays observed. List
+is by no means complete, however it was created based on expected use cases
+at receiving places. Possibility of a new type is also open to discussion.
+
+   * portscan - TCP/UDP port scanning/sweeping
+   * bruteforce - dictionary/bruteforce attack to services authentication
+   * spam - unsolicited commercial email (except phishing)
+   * phishing - email, trying to scam user to revealing personal information
+     (possibly by some other channel)
+   * botnet_c_c - botnet command & control master machine
+   * dos - (possibly distributed) denial of service attack
+   * malware - virus/malware sample
+   * copyright - copyright infringement
+   * webattack - web application attack
+   * other - the rest, uncategorizable yet
+
+   In case of complex scenarios with structured info more events with
+particular parts of information can be created.
+
+--------------------------------------------------------------------------------
+E. Configuration
 
     CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  
 
 --------------------------------------------------------------------------------       
-E. Testing
+F. Testing
 
     For testing purposes of sender clients, event type 'test' can be used.
     These events will end up in server database, but will not be taken
     further into consideration.
 
 --------------------------------------------------------------------------------
-F. Authors of this document
+G. Authors of this document
 
     Pavel Kacha     <ph@cesnet.cz>
     Jan Soukal      <soukal@ics.muni.cz>
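Review bot: the type list added in section D does not mention 'test', although section F (unchanged context in this hunk) tells sender clients that event type 'test' can be used. A receiver reading D as the list of values to register for cannot tell whether 'test' is a valid type, so either list it in D with the note that such events are stored but not taken further into consideration, or state in D that 'test' is covered in section F. On style, the added paragraphs indent the first line by 3 spaces with continuation lines at column 0, and the bullets by 3 spaces, while the surrounding text indents body lines and bullets by 4 spaces ("    * Snort, FTAS, ..."); matching that keeps the README consistent. "Event types purpose is" would also read better as "The purpose of event types is".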
-- 
GitLab