+-----------------------------------+
| README.cesnet - Warden Client 2.0 |
|                                   |
| CESNET Specifics                  |
+-----------------------------------+
 A. Overall Information
 B. Registration
 C. Description tags
 D. Types of events
 E. Configuration
 F. Testing
 G. Authors of this document

--------------------------------------------------------------------------------
A. Overall Information

 1. About CESNET Warden Server

    Warden is a client/server service designed to share detected security
    events (issues) among CSIRT and CERT teams in a simple and fast way.

    CESNET operates a Warden server for security event exchange within its
    networks.

 2. Version


--------------------------------------------------------------------------------
B. Registration

    A client attempting to communicate with the CESNET Warden server must be
    registered. Registration is currently handled by Tomas Plesnik at the
    mail address plesnik@ics.muni.cz, and the following information is needed:

    * For a sender client:
      - hostname of the machine where the client runs,
      - client type = sender,
      - name of the detection service (for example 'ScanDetector'),
      - description tags of the sent events (see below),
      - CIDR range from which the client will communicate with the Warden
        server.

    * For a receiver client:
      - hostname of the machine where the client runs,
      - client type = receiver,
      - type of requested events (for example 'portscan', see below),
      - whether events sent from your own organization should also be
        received = yes/no (organizations are distinguished by their top-level
        and second-level domain),
      - CIDR range from which the client will communicate with the Warden
        server.

    Clients need a valid certificate to prove their identity to the Warden
    server. For the CESNET network, a 'server' type certificate from the
    Terena Certificate Service (provided by Comodo) is needed. The hostname
    of the machine must match the certificate subject (Common Name); the
    Subject Alternative Name extension is not supported, so register exactly
    the hostname that appears in the certificate subject. The administrator
    of the Warden client must be entitled to obtain this certificate. The
    CESNET TCS request service interface resides at

      https://tcs.cesnet.cz/

--------------------------------------------------------------------------------
C. Description tags

   Tags are case-insensitive alphanumeric strings, designed to allow event
   receivers to do more general filtering according to event source. A
   receiver can for example decide to use only events originating at
   honeypots, or filter out events generated by human conclusions or
   correlation engines.

   A sender client specifies its descriptive tags during registration; it is
   up to the client administrator's judgment to select or omit any particular
   tag.

   Currently tags fall into four general categories, based on event medium,
   data source, detection methodology, and detector or analyzer product name.

   The product name tag is free to choose if the same product name has not
   yet been accepted by the registrar; otherwise the existing form must be
   used (the registrar will notify about such cases).

   The list of categories is certainly not complete. Therefore, if a new
   client's administrator feels that the name or type of an important feature
   of his (or others') detector is not covered, the providers of the Warden
   server are glad to discuss it at the registration address or on the Warden
   project mailing list (warden@cesnet.cz). However, it may or may not be
   accepted, as the aim is to keep the list of categories unambiguous, short
   and usable.

   The following is a grouped list of tags together with a closer description and

 1. Detection medium

    * Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo,
                Dionaea)
    * Host - host based (Swatch, Logcheck)
    * Correlation - correlation engines (Prelude, OSSIM)
    * External - credible external sources (incident reporting, ticket
                 systems, human verified events)

 2. Data source

    * Content - datagram content based detectors (Snort, Bro)
    * Flow - netflow based (FTAS, FlowMon, HoneyScan)
    * Connection - connection data (portscan, portsweep)
    * Data - application data based (SpamAssassin, antiviruses)
    * Log - based on system logs, where a more specific source is not
            applicable (Swatch, Logcheck, SSH scans)
    * IR - incident reporting, ticket systems, human verified events

 3. Detection methodology

    * Honeypot (LaBrea, Kippo, Dionaea)
    * Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
    * Antivirus (ClamAV)
    * IDS - IDS/IPS (Snort, Suricata, Bro)

 4. Detector/analyzer product name examples

    * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude, Kippo, Dionaea

--------------------------------------------------------------------------------
D. Types of events

   The purpose of event types is to allow event receivers to filter and/or
   categorise particular events according to attack characteristics. Types
   are loosely chosen as a list of common security incidents observed
   nowadays. The list is by no means complete; however, it was created based
   on expected use cases at receiving sites. A new type is also open to
   discussion.

   * portscan - TCP/UDP port scanning/sweeping
   * bruteforce - dictionary/bruteforce attack against service authentication
   * spam - unsolicited commercial email (except phishing)
   * phishing - email trying to scam the user into revealing personal
     information (possibly via some other channel)
   * botnet_c_c - botnet command & control master machine
   * dos - (possibly distributed) denial of service attack
   * malware - virus/malware sample
   * copyright - copyright infringement
   * webattack - web application attack
   * test - clients can use this at will when debugging/testing; these
            messages will be processed and stored, but ignored later
   * other - the rest, not yet categorizable

   In complex scenarios with structured information, several events, each
   carrying a particular part of the information, can be created.

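   As an added example (not code from the Warden client or the CESNET server),
   the following Python sketch shows how a receiver could apply the tag and
   type filtering described in sections C and D: tags compared
   case-insensitively, events from correlation engines or human sources
   excluded, and 'test' events discarded just as the server ignores them
   (section F). The event representation (dicts with 'type' and 'tags' keys)
   and the sample events are constructed for illustration; this README does
   not define the message format, and tags are registered per sender rather
   than carried in each event, so the example assumes the receiver has already
   resolved the sender's registered tags and attached them to the event.

```python
"""Receiver-side filtering of Warden events by description tags and event type.

Added example, not part of the Warden client. The event representation
(dicts with 'type' and 'tags' keys) is an assumption for illustration only;
the README does not define Warden's message format.
"""

# Event types listed in section D of the README.
EVENT_TYPES = {
    "portscan", "bruteforce", "spam", "phishing", "botnet_c_c",
    "dos", "malware", "copyright", "webattack", "test", "other",
}


def normalize_tags(tags):
    """Tags are case-insensitive alphanumeric strings (section C): lower-case
    and strip them once so comparisons are exact set operations."""
    norm = set()
    for tag in tags:
        tag = tag.strip().lower()
        if not tag.isalnum():
            raise ValueError("tag must be alphanumeric: %r" % tag)
        norm.add(tag)
    return norm


class ReceiverFilter:
    """Select events by type and by the sender's registered description tags.

    accept_types: event types the receiver wants (None = any type).
    require_any:  keep only events whose sender carries at least one of these tags.
    reject_any:   drop events whose sender carries any of these tags.
    'test' events are dropped unless keep_test is True, mirroring the server,
    which stores such events but does not consider them further.
    """

    def __init__(self, accept_types=None, require_any=(), reject_any=(), keep_test=False):
        if accept_types is not None:
            unknown = set(accept_types) - EVENT_TYPES
            if unknown:
                raise ValueError("unknown event types: %s" % sorted(unknown))
        self.accept_types = set(accept_types) if accept_types is not None else None
        self.require_any = normalize_tags(require_any)
        self.reject_any = normalize_tags(reject_any)
        self.keep_test = keep_test

    def accepts(self, event):
        etype = event["type"]
        if etype == "test" and not self.keep_test:
            return False
        if self.accept_types is not None and etype not in self.accept_types:
            return False
        tags = normalize_tags(event.get("tags", ()))
        if self.reject_any & tags:
            return False
        if self.require_any and not (self.require_any & tags):
            return False
        return True

    def select(self, events):
        return [e for e in events if self.accepts(e)]


# Constructed sample events (not real Warden traffic). 'tags' holds the
# description tags the sending client registered, in mixed case on purpose.
SAMPLE_EVENTS = [
    {"id": 1, "type": "portscan",   "tags": ["Network", "Connection", "Honeypot", "LaBrea"]},
    {"id": 2, "type": "portscan",   "tags": ["network", "content", "ids", "snort"]},
    {"id": 3, "type": "bruteforce", "tags": ["Host", "Log", "Swatch"]},
    {"id": 4, "type": "spam",       "tags": ["Data", "Antispam", "SpamAssassin"]},
    {"id": 5, "type": "portscan",   "tags": ["Correlation", "Prelude"]},
    {"id": 6, "type": "test",       "tags": ["Network", "Honeypot", "Kippo"]},
    {"id": 7, "type": "other",      "tags": ["External", "IR"]},
]


def honeypot_scans(events=SAMPLE_EVENTS):
    """Only portscans reported by honeypots; drop correlated and human-sourced events."""
    f = ReceiverFilter(accept_types={"portscan"},
                       require_any={"HONEYPOT"},
                       reject_any={"correlation", "external"})
    return [e["id"] for e in f.select(events)]


def machine_generated(events=SAMPLE_EVENTS):
    """Any event type, but nothing from correlation engines or human conclusions."""
    f = ReceiverFilter(reject_any={"Correlation", "External"})
    return [e["id"] for e in f.select(events)]


if __name__ == "__main__":
    print("honeypot portscans:", honeypot_scans())    # [1]
    print("machine generated:", machine_generated())  # [1, 2, 3, 4]
```

   Note that the filter rejects unknown event types at construction time
   rather than silently matching nothing, and that 'test' is handled before
   any tag logic so a debugging sender cannot slip test data into a
   production feed by choosing convincing tags.
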
--------------------------------------------------------------------------------
E. Configuration

    The CESNET Warden server resides at the URI
    'https://warden.cesnet.cz:443/Warden'.

--------------------------------------------------------------------------------
F. Testing

    For testing sender clients, the event type 'test' can be used. These
    events will end up in the server database, but will not be taken into
    further consideration.

--------------------------------------------------------------------------------
G. Authors of this document

    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>

Copyright (C) 2011-2012 Cesnet z.s.p.o