diff --git a/src/warden-client/doc/README.cesnet b/src/warden-client/doc/README.cesnet index 1ab9184f3a20f93c2960bb6ebe3f677c58933fc3..481e0db162d8a3121a00aedaad0ae80f502bba5f 100644 --- a/src/warden-client/doc/README.cesnet +++ b/src/warden-client/doc/README.cesnet @@ -36,8 +36,7 @@ B. Registration - hostname of the machine, where client runs, - name of the detection service (for example 'ScanDetector'), - client type = sender, - - description tags of sent events (more at - https://homeproj.cesnet.cz/projects/warden/wiki/Typy_udalosti), + - description tags of sent events (see below) - CIDR from which client will communicate with Warden server. * For receiver client: 
@@ -60,19 +59,73 @@ B. Registration https://tcs.cesnet.cz/ -------------------------------------------------------------------------------- -C. Configuration +C. Description tags + + Tags are case insensitive alphanumeric strings, designed to allow event +receivers to do more general filtering according to event source. Receiver +can for example decide to use only events originating at honeypots, or +filter out events, generated by human conclusions or correlation engines. + + Sender client specifies its descriptive tags during registration, it is +up to client administrator's judgment to select or omit any particular tag. + Currently tags fall into four general categories - based on event medium, +data source, detection methodology and detector or analyzer product name. + Product name tag is free to choose if same product name was not yet +accepted by registrar, otherwise existing form must be used (registrar will +notify about such cases). + Categories list is certainly not complete. Therefore if new client's +administrator feels that name or type of important feature of his (or +others) detector is not covered, providers of Warden server are glad to +discuss it at registration address or at Warden project mailing list. +However, it may or may not be accepted, as aim is to keep the list of +categories possibly unambiguous, short and usable. + + Following is grouped list of tags together with closer description and +examples. + + 1. Detection medium + + * Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo) + * Host - host based (Swatch, Logcheck) + * Correlation - corellation engines (Prelude, OSSIM) + * External - credible external sources (incident reporting, ticket + systems, human verified events) + + 2. 
Data source + + * Content - datagram content based detectors (Snort, Bro) + * Flow - netflow based (FTAS, FlowMon) + * Connection - connection data (portscan, portsweep) + * Data - application data based (SpamAssassin, antiviruses) + * Log - based on system logs, where more specific source is not + applicable (Swatch, Logcheck, SSH scans) + * IR - incident reporting, ticket systems, human verified events + + 3. Detection methodology + + * Honeypot (LaBrea, Kippo, Dionaea) + * Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting) + * Antivirus (ClamAV) + * IDS - IDS/IPS, Snort, Suricata, Bro + + 4. Detector/analyzer product name examples + + * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude + +-------------------------------------------------------------------------------- +D. Configuration CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'. -------------------------------------------------------------------------------- -D. Testing +E. Testing For testing purposes of sender clients, event type 'test' can be used. These events will end up in server database, but will not be taken further into consideration. -------------------------------------------------------------------------------- -E. Authors of this document +F. Authors of this document Pavel Kacha <ph@cesnet.cz> Jan Soukal <soukal@ics.muni.cz>
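Review bot: in the first hunk (README.cesnet, the sender registration list around line 39), the replacement bullet `- description tags of sent events (see below)` drops the trailing comma that every other item in that list carries (`- client type = sender,`, followed by `- CIDR from which client will communicate with Warden server.`), so the list punctuation is now inconsistent; suggest `- description tags of sent events (see below),`.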
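Review bot: in the second hunk (new section C. Description tags), the text introducing the categories calls the first one "event medium" while the list heading below is "1. Detection medium"; pick one name so readers can match the prose to the list. Same hunk: "corellation engines" should read "correlation engines". One more documentation point: the section says tags are specified by the sender client and that tag selection "is up to client administrator's judgment", with only the product name checked by the registrar; since the stated purpose is to let receivers filter by event source, it would help to say explicitly that tags are sender-declared rather than validated by the server, so a receiver filtering on e.g. `Honeypot` or `External` understands what that filter does and does not guarantee.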