+-----------------------------------+
| README.cesnet - Warden Client 2.0 |
| |
| CESNET Specifics |
+-----------------------------------+
Content
A. Overall Information
B. Registration
C. Description tags
D. Types of events
E. Configuration
F. Testing
G. Authors of this document
--------------------------------------------------------------------------------
A. Overall Information
1. About CESNET Warden Server
Warden is a client-based architecture service designed to share detected
security events (issues) among CSIRT and CERT teams in a simple and fast way.
CESNET offers Warden server for security events exchange within its networks.
2. Version
2.0 (2012-07-27)
--------------------------------------------------------------------------------
B. Registration
Client attempting to communicate with CESNET Warden server must be
registered. Registration is currently provided by Tomas Plesnik at
mail address plesnik@ics.muni.cz and following information is needed:
* For sender client:
- hostname of the machine, where client runs,
- client type = sender,
- name of the detection service (for example 'ScanDetector'),
- description tags of sent events (see below)
- CIDR from which client will communicate with Warden server.
* For receiver client:
- hostname of the machine, where client runs,
- client type = receiver,
- type of requested events (for example 'portscan', see below)
- receiving of sent events from my organization = yes/no (organizations
are separated based on the top-level and second-level domain),
- CIDR from which client will communicate with Warden server.
Clients need to have valid certificate to prove their identity to the
Warden server. For CESNET network, 'server' type certificate from Terena
Certificate Service (provided by Comodo) is needed. Hostname of the
machine must correspond with certificate subject, Alternative Name
extension is not supported. Administrator of Warden client must be
entitled to obtain this certificate. CESNET TCS request service
interface resides at
https://tcs.cesnet.cz/
--------------------------------------------------------------------------------
C. Description tags
Tags are case insensitive alphanumeric strings, designed to allow event
receivers to do more general filtering according to event source. Receiver
can for example decide to use only events originating at honeypots, or
filter out events, generated by human conclusions or correlation engines.
Sender client specifies its descriptive tags during registration, it is
up to client administrator's judgment to select or omit any particular tag.
Currently tags fall into four general categories - based on event medium,
data source, detection methodology and detector or analyzer product name.
Product name tag is free to choose if same product name was not yet
accepted by registrar, otherwise existing form must be used (registrar will
notify about such cases).
Categories list is certainly not complete. Therefore if new client's
administrator feels that name or type of important feature of his (or
others) detector is not covered, providers of Warden server are glad to
discuss it at registration address or at Warden project mailing list
(warden@cesnet.cz).
However, it may or may not be accepted, as aim is to keep the list of
categories possibly unambiguous, short and usable.
Following is grouped list of tags together with closer description and
examples.
1. Detection medium
* Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo,
Dionaea)
* Host - host based (Swatch, Logcheck)
* Correlation - corellation engines (Prelude, OSSIM)
* External - credible external sources (incident reporting, ticket
systems, human verified events)
2. Data source
* Content - datagram content based detectors (Snort, Bro)
* Flow - netflow based (FTAS, FlowMon, HoneyScan)
* Connection - connection data (portscan, portsweep)
* Data - application data based (SpamAssassin, antiviruses)
* Log - based on system logs, where more specific source is not
applicable (Swatch, Logcheck, SSH scans)
* IR - incident reporting, ticket systems, human verified events
3. Detection methodology
* Honeypot (LaBrea, Kippo, Dionaea)
* Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
* Antivirus (ClamAV)
* IDS - IDS/IPS, Snort, Suricata, Bro
4. Detector/analyzer product name examples
* Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude, Kippo, Dionaea
--------------------------------------------------------------------------------
D. Types of events
Event types purpose is to allow event receivers to filter and/or categorise
particular events according to attack characteristics. Types are loosely
chosen as list of common security incidents nowadays observed. List is by no
means complete, however it was created based on expected use cases at
receiving places. Possibility of a new type is also open to discussion.
* portscan - TCP/UDP port scanning/sweeping
* bruteforce - dictionary/bruteforce attack to services authentication
* spam - unsolicited commercial email (except phishing)
* phishing - email, trying to scam user to revealing personal information
(possibly by some other channel)
* botnet_c_c - botnet command & control master machine
* dos - (possibly distributed) denial of service attack
* malware - virus/malware sample
* copyright - copyright infringement
* webattack - web application attack
* test - clients can use these at will when debugging/testing, these
messages will be processed and stored, but ignored later
* other - the rest, uncategorizable yet
In case of complex scenarios with structured info more events with
particular parts of information can be created.
--------------------------------------------------------------------------------
E. Configuration
CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.
--------------------------------------------------------------------------------
F. Testing
For testing purposes of sender clients, event type 'test' can be used.
These events will end up in server database, but will not be taken
further into consideration.
--------------------------------------------------------------------------------
G. Authors of this document
Pavel Kacha <ph@cesnet.cz>
Jan Soukal <soukal@ics.muni.cz>
Copyright (C) 2011-2012 Cesnet z.s.p.o