Tagy

b481fccf · Pavel Kácha · Pavel Kácha · 2589acee · b481fccf
Commit b481fccf authored 13 years ago by Pavel Kácha Committed by Pavel Kácha 13 years ago
--- a/src/warden-client/doc/README.cesnet
+++ b/src/warden-client/doc/README.cesnet
@@ -36,8 +36,7 @@ B. Registration
      - hostname of the machine, where client runs,
      - name of the detection service (for example 'ScanDetector'),
      - client type = sender,
-      - description tags of sent events (more at 
+      - description tags of sent events (see below)
-        https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti), 
      - CIDR from which client will communicate with Warden server.
    * For receiver client:
@@ -60,19 +59,73 @@ B. Registration
      https://tcs.cesnet.cz/
 --------------------------------------------------------------------------------
-C. Configuration
+C. Description tags
+   Tags are case insensitive alphanumeric strings, designed to allow event
+receivers to do more general filtering according to event source. Receiver
+can for example decide to use only events originating at honeypots, or
+filter out events, generated by human conclusions or correlation engines.
+   Sender client specifies its descriptive tags during registration, it is
+up to client administrator's judgment to select or omit any particular tag.
+   Currently tags fall into four general categories - based on event medium,
+data source, detection methodology and detector or analyzer product name.
+   Product name tag is free to choose if same product name was not yet
+accepted by registrar, otherwise existing form must be used (registrar will
+notify about such cases).
+   Categories list is certainly not complete.  Therefore if new client's
+administrator feels that name or type of important feature of his (or
+others) detector is not covered, providers of Warden server are glad to
+discuss it at registration address or at Warden project mailing list. 
+However, it may or may not be accepted, as aim is to keep the list of
+categories possibly unambiguous, short and usable.
+   Following is grouped list of tags together with closer description and
+examples.
+ 1. Detection medium
+    * Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo)
+    * Host - host based (Swatch, Logcheck)
+    * Correlation - corellation engines (Prelude, OSSIM)
+    * External - credible external sources (incident reporting, ticket
+                 systems, human verified events)
+ 2. Data source
+    * Content - datagram content based detectors (Snort, Bro)
+    * Flow - netflow based (FTAS, FlowMon)
+    * Connection - connection data (portscan, portsweep)
+    * Data - application data based (SpamAssassin, antiviruses)
+    * Log - based on system logs, where more specific source is not
+            applicable (Swatch, Logcheck, SSH scans)
+    * IR - incident reporting, ticket systems, human verified events
+ 3. Detection methodology
+    * Honeypot (LaBrea, Kippo, Dionaea)
+    * Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
+    * Antivirus (ClamAV)
+    * IDS - IDS/IPS, Snort, Suricata, Bro
+ 4. Detector/analyzer product name examples
+    * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude
+--------------------------------------------------------------------------------
+D. Configuration
    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  
 --------------------------------------------------------------------------------       
-D. Testing
+E. Testing
    For testing purposes of sender clients, event type 'test' can be used.
    These events will end up in server database, but will not be taken
    further into consideration.
 --------------------------------------------------------------------------------
-E. Authors of this document
+F. Authors of this document
    Pavel Kacha     <ph@cesnet.cz>
    Jan Soukal      <soukal@ics.muni.cz>