Below are my notes from the CEE meeting at Defcon
a couple of weeks ago.
All in all, things turned out fairly well. Though
I apologize to anyone who wanted to participate
but could not locate us.
Defcon - 08 Aug 2008
Riviera, Las Vegas, NV
- Eric Fitzgerald
- Tina Bird
- Raffy Marty
- Sanford Whitehouse
- Steve Christey
- William Heinbockel
Group met at the Defcon Registration desk at the Riviera at Noon PST.
Discussion lasted for approximately 2 hours.
Definitions discussion is good, though we are now debating semantic
nuances. MITRE needs to issue a final version and we can extend that
with additional notes and descriptions.
- event definition discussion
- Machine-generated data
- State change may not be good enough: due to problems with
abstraction levels, the end state might be the same as the start
state. Use "activity occurred" instead.
- We should include a definition for event stream. Generically, the
log flow process seems to be:
event -> event record -> event stream -> event log
- A log is a general sequential or timestamped repository of
- Logs also hold reports or "informational messages"
- Fidelity: Logged events may not have actually occurred, such as
with an IDS signature match.
- Look at Orin Kerr's paper on Machine Logs vs. Hearsay
- Applications, Operations, and Admins partake in various log
- The syntax fields should be self-describing
- Support: Binary vs. XML vs. string formats
- Need to support proper ordering of records
- The log order does not always match the event order
- Needs to support granular timestamps
- Synchronizing timestamps
- Needs to support sequence numbers to properly order events
- Pair-wise vs. Universal IDs
Questions / Issues
- Can a record consist of 1 or more records?
- How does CEE handle multi-line data?
- Should logs be machine-readable or human-readable?
- This choice depends on the environment and admins
- machine-readable is more condensed and better for wire formats
- machine-readable can be translated for humans
- Who timestamps the records? The application? The event recorder?
- CEE and LogAnalysis.org will partner up
- MITRE will host the CEE drafts and specifications
- LogAnalysis can host a wiki, log repositories, and everything else
- More to come on this later...
- MITRE will finish the CEE WG Charter
- High level usecases for CFO, CIO/Operations, Developers
- MITRE will produce a CEE Project outline
- We need to get more large players involved: Cisco, Oracle, Apple,
- We need more diversity in the WG: admins and enterprise users
- Create a Vendor Questionnaire
- Technical issues with logs?
- Customer issues with current logging?
- How do you view SIM vendors continually asking for logs?
- If logs were standardized, what potential damage or loss would you
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
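The ordering points in the notes above (log order not matching event order, granular timestamps, per-producer sequence numbers, self-describing fields) can be seen in a small worked example. The following is an added example, not code from the meeting notes or from the CEE project: it assumes a key=value record format with `time`, `host` and `seq` fields (these names and the sample log lines are constructed for the example), reorders a collector's log into event order, and flags missing sequence numbers.

```python
"""
Reordering a CEE-style event stream into event order.

Added example, not from the meeting notes or the CEE project: each record
is a self-describing key=value line carrying the producer's timestamp and a
per-producer sequence number, so a collector can recover event order even
when the log order differs. The field names, the record format and the
sample lines below are assumptions constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample of a collector's log: records from two producers arrived
# out of event order, producer "db" stamps with one-second resolution so three
# of its records tie on time, and its seq=3 never arrived.
SAMPLE_LOG = """\
time=2008-08-08T19:00:02.500Z host=web seq=2 action=login user=alice
time=2008-08-08T19:00:01.000Z host=db seq=2 action=query user=alice
time=2008-08-08T19:00:02.100Z host=web seq=1 action=session_start user=alice
time=2008-08-08T19:00:01.000Z host=db seq=1 action=query user=alice
time=2008-08-08T19:00:01.000Z host=db seq=4 action=query user=alice
"""

# key=value pairs separated by whitespace; values contain no spaces here.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Record:
    time: datetime      # producer's timestamp, UTC
    host: str           # producer identity: seq numbers are per host
    seq: int            # per-producer sequence number
    fields: dict = field(compare=False)   # all parsed key=value fields


def parse_record(line: str) -> Record:
    """Parse one self-describing key=value record line."""
    fields = dict(FIELD_RE.findall(line))
    # ISO 8601 with a trailing Z; fromisoformat() wants an explicit offset.
    when = datetime.fromisoformat(fields["time"].replace("Z", "+00:00"))
    return Record(time=when, host=fields["host"], seq=int(fields["seq"]), fields=fields)


def parse_stream(text: str) -> list[Record]:
    """Records in log order, i.e. the order the collector wrote them."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def order_by_time_only(records):
    """Naive reordering by timestamp alone. Ties keep log order (stable sort),
    so records from a coarse clock can stay out of event order."""
    return sorted(records, key=lambda r: r.time)


def event_order(records):
    """Timestamp first, then the per-producer sequence number to break ties."""
    return sorted(records, key=lambda r: (r.time, r.host, r.seq))


def sequence_gaps(records) -> dict[str, list[int]]:
    """Per producer, sequence numbers missing between the lowest and highest
    seen: a gap means a dropped (or not yet delivered) record."""
    seen: dict[str, set[int]] = {}
    for r in records:
        seen.setdefault(r.host, set()).add(r.seq)
    gaps = {}
    for host, seqs in seen.items():
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            gaps[host] = missing
    return gaps


if __name__ == "__main__":
    recs = parse_stream(SAMPLE_LOG)
    print("log order:  ", [(r.host, r.seq) for r in recs])
    print("time only:  ", [(r.host, r.seq) for r in order_by_time_only(recs)])
    print("event order:", [(r.host, r.seq) for r in event_order(recs)])
    print("gaps:       ", sequence_gaps(recs))
```

Sequence numbers here are pair-wise (meaningful only within one producer), so the sort key uses the host before the sequence number; comparing timestamps across producers still assumes their clocks are synchronized, which is the separate synchronization issue the notes raise.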
Boy oh boy am I cleaning out my Inbox.
Quoting "Heinbockel, Bill" <[hidden email]>:
> - Look at Oer Kerr's paper on Machine Logs vs. Hearsay
For interested parties, here's a list of relevant URLs on the use of
computer generated data in legal proceedings (U.S. based), starting
with Professor Orin Kerr's original paper for the Department of
Computer Records and the Federal Rules of Evidence (March 2001)
A summary of case law and related issues written by Erin Kenneally,
lawyer and forensic analyst at the San Diego Supercomputer Center
MySpace on the Record: the Admissibility of Social Website Content
under the Federal Rules of Evidence (December 2006):
These are the result of an extremely quick swing through Google; there
are probably more recent results as well, but at least this is a
reasonable set of places to start.
cheers -- tbird