Re: Draft Sensor Output Specification for Technical Discussion

Re: Draft Sensor Output Specification for Technical Discussion

Anton Chuvakin
Heidi:

> I wanted to share the spec that was developed so that the CEE working group
> could start a more technical discussion on CEE.  You must understand that it
> is a very draft spec but I thought it was something to start with.  I know
> that some people will criticize it which is fine but I would encourage for
> every criticism that you also provide feedback that can improve the
> specification.  I consider yourselves the experts in this field.

I am curious about a few things in this doc, related to EventTaxonomy:

- was this taxonomy based on CEE discussion or created before?
- you chose the following taxonomy fields:
   + Subject
   + Verb
   + Object
   + Result
- if not based on CEE chat on that very subject, could you share your
motivations for choosing these fields (which I like a lot!)
- are there any provisions for non-XML formats in your spec?
- Timestamp. You RECOMMEND the timezone, but this is horrible - you
have to MANDATE; otherwise, madness will ensue :-)
- I hope you are being humorous when you refer to "OSI Application
layer protocol" - surely you mean TCP/IP app layer, not OSI?
- I think DeviceInformation is missing a type of some sort ... E.g.
firewall, OS, app, etc.

Hope this is useful! Sorry for a delayed feedback ...

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
      http://www.chuvakin.org
  http://chuvakin.blogspot.com
    http://www.info-secure.org

Re: Draft Sensor Output Specification for Technical Discussion

Raffael Marty-3
Good morning!

I couldn't resist. You guys know that I am very opinionated when it
comes to taxonomies:

> - you chose the following taxonomy fields:
>   + Subject
>   + Verb
>   + Object
>   + Result
> - if not based on CEE chat on that very subject, could you share your
> motivations for choosing these fields (which I like a lot!)


I don't like it. Sorry, but subject is a fairly bad idea. If we make
that an optional field. Maybe. But Anton, we had quite some discussion
around this a while ago and I thought I had you convinced that it is
hardly ever possible to define an object in a taxonomy concept.

I need to read your document, Heidi. I just haven't had any bandwidth
so far. It's on my todo list.

Thanks and have a good weekend everyone

   -raffy

--
   Raffael Marty
   Chief Security Strategist                           @ Splunk>
   Security Visualization: http://secviz.org       raffy.ch/blog

Re: Draft Sensor Output Specification for Technical Discussion

heinbockel
In reply to this post by Anton Chuvakin
>
>I am curious about a few things in this doc, related to EventTaxonomy:
>
>- was this taxonomy based on CEE discussion or created before?
>- you chose the following taxonomy fields:
>   + Subject
>   + Verb
>   + Object
>   + Result
>- if not based on CEE chat on that very subject, could you share your
>motivations for choosing these fields (which I like a lot!)
>- are there any provisions for non-XML formats in your spec?
>- Timestamp. You RECOMMEND the timezone, but this is horrible - you
>have to MANDATE; otherwise, madness will ensue :-)
>- I hope you are being humorous when you refer to "OSI Application
>layer protocol" - surely you mean TCP/IP app layer, not OSI?
>- I think DeviceInformation is missing a type of some sort ... E.g.
>firewall, OS, app, etc.


Most of this was a collaboration between MITRE and NC3A in support
of a trial at NATO CWID last year. The XML was a preliminary thing
thrown together by me (though looking back, there are many changes
that should be made) based upon some very early discussions surrounding
CEE and event standardization (around Jan 2007 or so).

The XML was just a brief cut at a common format to be used to
translate a couple of Snort and PIX messages into, to be fed through
an XML guard and into ArcSight ESM. The categories and fields are
not complete and may not be ideal for inclusion in a standard such
as CEE.
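Added example, not part of the draft spec or of the MITRE/NC3A CWID implementation: a small Python normaliser that does what Bill describes above (take a Snort fast alert and a PIX message and emit one common record) while applying two of Anton's points, a type on DeviceInformation and a timezone that is mandated rather than recommended. The sample lines are constructed in the shape of Snort fast alerts and PIX 302013 messages, not captured sensor output; the verbs and results ("detect"/"alert", "connect"/"allowed"), the zone abbreviation table and the field names are illustrative choices, not anything the spec defines.

```python
"""Added example: Snort and PIX lines -> Subject/Verb/Object/Result records
with a device type and a UTC timestamp whose zone is mandatory."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape of Snort "fast" alerts and PIX
# 302013 messages; they are not real sensor output.
SNORT_LINE = ("12/07-20:09:01.123456  [**] [1:2000:1] EXAMPLE SSH probe [**] "
              "[Priority: 2] {TCP} 10.0.0.5:41234 -> 192.0.2.10:22")
PIX_LINE_UTC = ("Dec 07 2007 20:09:02 UTC: %PIX-6-302013: Built inbound TCP connection "
                "12345 for outside:10.0.0.5/41234 (10.0.0.5/41234) to inside:192.0.2.10/22 (192.0.2.10/22)")
# Same firewall logging in CET: wall clock reads *later* than the Snort alert
# although the event happened *earlier* in absolute time.
PIX_LINE_CET = ("Dec 07 2007 21:09:00 CET: %PIX-6-302013: Built inbound TCP connection "
                "12346 for outside:10.0.0.5/41235 (10.0.0.5/41235) to inside:192.0.2.10/22 (192.0.2.10/22)")

# Assumed zone table. Abbreviations are ambiguous (EST, IST, ...), which is
# itself an argument for mandating numeric offsets in the spec.
ZONES = {"UTC": timezone.utc, "GMT": timezone.utc,
         "CET": timezone(timedelta(hours=1)), "EST": timezone(timedelta(hours=-5))}


class TimestampError(ValueError):
    """Raised instead of guessing when a timestamp's zone is unknown."""


@dataclass(frozen=True)
class Event:
    time: str         # ISO 8601, always UTC with an explicit offset
    device_type: str  # "ids", "firewall", ...: the type DeviceInformation lacks
    device: str
    subject: str
    verb: str
    object: str
    result: str
    message: str


def to_utc(naive: datetime, zone_name):
    """Attach a mandatory zone to a naive datetime and return it as UTC ISO text."""
    if zone_name is None:
        raise TimestampError("timestamp carries no timezone; refusing to guess")
    if zone_name not in ZONES:
        raise TimestampError(f"unknown timezone abbreviation {zone_name!r}")
    return naive.replace(tzinfo=ZONES[zone_name]).astimezone(timezone.utc).isoformat()


SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

PIX_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d)(?: (?P<tz>[A-Z]{3,4}))?: %PIX-\d-(?P<msgid>\d+): "
    r"Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"\([\d./]+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")


def normalise_snort(line, year, zone_name):
    """Snort fast alerts carry neither year nor zone, so the collector must
    supply both; a missing zone is an error, not a default."""
    m = SNORT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert")
    naive = datetime.strptime(f"{year} {m['ts']}", "%Y %m/%d-%H:%M:%S.%f")
    return Event(time=to_utc(naive, zone_name), device_type="ids", device="snort",
                 subject=f"{m['src']}:{m['sport']}", verb="detect",
                 object=f"{m['dst']}:{m['dport']}/{m['proto'].lower()}",
                 result="alert", message=f"[{m['sid']}] {m['msg']}")


def normalise_pix(line):
    """Assumes the PIX may or may not append a zone name; without one the
    line is rejected rather than silently treated as local time."""
    m = PIX_RE.match(line)
    if not m:
        raise ValueError("not a recognised PIX 302013 line")
    naive = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return Event(time=to_utc(naive, m["tz"]), device_type="firewall", device="pix",
                 subject=f"{m['src']}:{m['sport']}", verb="connect",
                 object=f"{m['dst']}:{m['dport']}/{m['proto'].lower()}",
                 result="allowed", message=f"PIX-{m['msgid']}")


def timeline(events):
    """Order events from different sensors; only sound because every time is UTC."""
    return sorted(events, key=lambda e: datetime.fromisoformat(e.time))


if __name__ == "__main__":
    events = [normalise_snort(SNORT_LINE, year=2007, zone_name="UTC"),
              normalise_pix(PIX_LINE_UTC), normalise_pix(PIX_LINE_CET)]
    for e in timeline(events):
        print(e.time, e.device_type, e.subject, e.verb, e.object, e.result)
    try:
        normalise_snort(SNORT_LINE, year=2007, zone_name=None)
    except TimestampError as err:
        print("rejected:", err)
```

Run it and the CET firewall event sorts first even though its wall-clock text reads 21:09; with a merely recommended zone a collector that defaulted to local time would have put it a full hour out, which is the correlation "madness" the thread is arguing about.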

Re: Draft Sensor Output Specification for Technical Discussion

Lagadec Philippe
In reply to this post by Anton Chuvakin
Hello,

I would also add that we (MITRE and NC3A) developed an implementation to try this draft spec at NATO CWID, and we found several issues that should be fixed in the future. We know this is only a very draft spec, but we wanted to release it to the WG so that a more practical discussion can start.
This draft spec is not CEE, it is a preliminary work to help us understand and show what CEE might be (or not).
The issues we found are mainly about the taxonomy, timestamps and the XML schema. More on that later.

Philippe.


-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: 07 December 2007 20:09
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Draft Sensor Output Specification for Technical Discussion