CEE Defcon Meetup Notes - 08 Aug 2008

CEE Defcon Meetup Notes - 08 Aug 2008

Below are my notes from the CEE meeting at Defcon
a couple of weeks ago.

All in all, things turned out fairly well. Though
I apologize to anyone who wanted to participate
but could not locate us.


CEE Meeting
Defcon - 08 Aug 2008
Riviera, Las Vegas, NV


- Eric Fitzgerald
- Tina Bird
- Raffy Marty
- Sanford Whitehouse
- Steve Christey
- William Heinbockel


Group met at the Defcon Registration desk at the Riviera at Noon PST.
Discussion lasted for approximately 2 hours.


Definitions discussion is good, though we are now debating semantic
nuances. MITRE needs to issue a final version and we can extend that
with additional notes and descriptions.

- event definition discussion
  - Machine-generated data
  - State change may not be good enough: due to problems with
    abstraction levels, the end state might be the same as the start
    state. Use "activity occurred" instead.
- We should include a definition for event stream. Generically, the
  log flow process seems to be:

    event -> event record -> event stream -> event log

- A log is a general sequential or timestamped repository of
- Logs also hold reports or "informational messages"
- Fidelity: Logged events may not have actually occurred, such as
  with an IDS signature match.
- Look at Oer Kerr's paper on Machine Logs vs. Hearsay
- Applications, Operations, and Admins partake in various log
- Syntax
  - The syntax fields should be self-describing
  - Support: Binary vs. XML vs. string formats
  - Need to support proper ordering of records
    - The log order does not always match the event order
  - Needs to support granular timestamps
    - Synchronizing timestamps
  - Needs to support sequence numbers to properly order events
    - Pair-wise vs. Universal IDs

                Questions / Issues

- Can a record consist of 1 or more records?
- How does CEE handle multi-line data?
- Should logs be machine-readable or human-readable?
  - This choice depends on the environment and admins
  - machine-readable is more condensed and better for wire formats
  - machine-readable can be translated for humans
- Who timestamps the records? The application? The event recorder?


- CEE and LogAnalysis.org will partner up
  - MITRE will host the CEE drafts and specifications
  - LogAnalysis can host a wiki, log repositories, and everything else
  - More to come on this later...
- MITRE will finish the CEE WG Charter
  - High level usecases for CFO, CIO/Operations, Developers
- MITRE will produce a CEE Project outline
  - Deliverables
  - Schedule
- We need to get more large players involved: Cisco, Oracle, Apple,
- We need more diversity in the WG: admins and enterprise users
- Create a Vendor Questionnaire
  - Technical issues with logs?
  - Customer issues with current logging?
  - How do you view SIM vendors continually asking for logs?
  - If logs were standardized, what potential damage or loss would you

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
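
Added example, not part of the meeting notes above and not a CEE or MITRE format: a toy self-describing key=value record syntax plus the consumer-side checks the syntax discussion calls for (granular timestamps, per-source sequence numbers, and log order not matching event order). The syntax, the field names src/seq/ts, and the sample records are assumptions constructed for this illustration.

```python
# Added example (not from the CEE meeting notes, and not a CEE or MITRE
# format): a toy self-describing key=value record syntax, plus the checks a
# log consumer needs when log order != event order. Field names (src, seq,
# ts), the syntax, and the sample records below are assumptions made for
# this illustration.
import re
from datetime import datetime

# Constructed sample stream (not real data). Records from hostA arrive out of
# order, hostA's clock steps backwards between seq=2 and seq=3 (e.g. an NTP
# correction), hostB's clock is ~30s behind, and hostB seq=2 was lost.
SAMPLE_LOG = """\
src=hostA seq=2 ts=2008-08-08T12:00:01.250Z action=login user=alice result=ok
src=hostA seq=1 ts=2008-08-08T12:00:01.000Z action=login user=alice result=fail
src=hostA seq=3 ts=2008-08-08T12:00:00.900Z action=sudo user=alice cmd="cat /etc/shadow"
src=hostB seq=1 ts=2008-08-08T11:59:35.000Z action=connect user=alice dst="10.0.0.5:22"
src=hostB seq=3 ts=2008-08-08T11:59:35.200Z action=disconnect user=alice reason="idle timeout"
"""

# key=value pairs; a value is either "double quoted" (may contain spaces) or
# a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ts(text):
    """ISO 8601 with trailing Z -> timezone-aware datetime (sub-second kept)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_record(line):
    """One self-describing record -> dict; seq and ts are typed."""
    rec = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        rec[key] = quoted if quoted is not None else bare
    if "seq" in rec:
        rec["seq"] = int(rec["seq"])
    if "ts" in rec:
        rec["ts"] = parse_ts(rec["ts"])
    return rec


def parse_stream(text):
    """Event stream (one record per line) -> list of records in log order."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def order_by_timestamp(records):
    """Global order by ts alone: what you get without sequence numbers.
    Returns (src, seq) pairs; skew and clock steps distort this order."""
    return [(r["src"], r["seq"]) for r in sorted(records, key=lambda r: r["ts"])]


def order_by_sequence(records):
    """Per-source order by seq: exact within a source, says nothing across
    sources (the pair-wise vs. universal ID question from the notes)."""
    by_src = {}
    for r in records:
        by_src.setdefault(r["src"], []).append(r)
    return {src: sorted(recs, key=lambda r: r["seq"])
            for src, recs in sorted(by_src.items())}


def sequence_gaps(records):
    """Missing seq values per source: lost (or suppressed) records."""
    gaps = {}
    for src, recs in order_by_sequence(records).items():
        seen = {r["seq"] for r in recs}
        missing = [s for s in range(min(seen), max(seen) + 1) if s not in seen]
        if missing:
            gaps[src] = missing
    return gaps


def clock_anomalies(records):
    """(src, seq) of records whose ts is earlier than the preceding record
    from the same source in seq order: the clock went backwards, or the
    timestamps were not assigned by whoever assigned the sequence numbers."""
    found = []
    for src, recs in order_by_sequence(records).items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["ts"] < prev["ts"]:
                found.append((src, cur["seq"]))
    return found


if __name__ == "__main__":
    recs = parse_stream(SAMPLE_LOG)
    print("timestamp order :", order_by_timestamp(recs))
    print("hostA by seq    :", [r["seq"] for r in order_by_sequence(recs)["hostA"]])
    print("sequence gaps   :", sequence_gaps(recs))
    print("clock anomalies :", clock_anomalies(recs))
```

On the sample, ordering by timestamp alone places hostA's sudo record before both of its login records and all of hostB before hostA, while the per-source sequence numbers recover hostA's true order (1, 2, 3), expose the lost hostB record, and flag the backwards clock step. The sequence numbers are pair-wise (per source), so the cross-source order still depends on synchronized timestamps or a universal identifier, which is the open question in the notes.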


Re: CEE Defcon Meetup Notes - 08 Aug 2008

Tina Bird
Boy oh boy am I cleaning out my Inbox.

Quoting "Heinbockel, Bill" <[hidden email]>:

> - Look at Oer Kerr's paper on Machine Logs vs. Hearsay

For interested parties, here's a list of relevant URLs on the use of
computer generated data in legal proceedings (U.S. based), starting
with Professor Orin Kerr's original paper for the Department of
Computer Records and the Federal Rules of Evidence (March 2001)

A summary of case law and related issues written by Erin Kenneally,
lawyer and forensic analyst at the San Diego Supercomputer Center
(December 2002):

MySpace on the Record: the Admissibility of Social Website Content
under the Federal Rules of Evidence (December 2006):

These are the result of an extremely quick swing through Google; there
are probably more recent results as well, but at least this is a
reasonable set of places to start.

cheers -- tbird