Surveying current log "standards"


Surveying current log "standards"

heinbockel
There are many prior and current log standardization efforts
that range from Syslog and SNMP to IDMEF and CEF. Instead of
reinventing the wheel, we would like to try to identify possible
alignments between CEE and related efforts. For example, IDMEF
has already performed a host of work in dealing with intrusion
events -- is it worth leveraging their work and/or encouraging
CEE-IDMEF compatibility?


The first step is to gather all of the log standards and
related efforts, along with their current status (alive?
dead? unknown?).  With this list, we can begin to identify
the successes and failures of each effort as well as compare
the event characteristics that each has identified as being
important.

So, I ask for comments regarding the listed "log standards",
as well as any additions (or deletions) to this list.



Here is my initial listing of "log standards"
(with references when available):


==========================================================
Name:   Syslog
Refs:   RFC3164 http://www.faqs.org/rfcs/rfc3164.html


Name:   Simple Network Messaging Protocol (SNMP)
Refs:   RFC1157 http://www.ietf.org/rfc/rfc1157.txt


Name:   Common Intrusion Detection Framework (CIDF)
Status: Dead; Work merged into IDMEF.
Refs:   http://gost.isi.edu/cidf/


Name:   Intrusion Detection Message Exchange Format (IDMEF)
Status: IETF RFC
Refs:   (Spec) RFC4765 http://tools.ietf.org/html/rfc4765
        (Reqs) RFC4766 http://tools.ietf.org/html/rfc4766


Name:   Security Device Event Exchange (SDEE) - ICSALabs
Status: Unknown
Refs:
http://www.icsalabs.com/icsa/topic.php?tid=b2b4$52d6a7ef-1ea5803f$4c69-ff36f9b5


Name:   Common Event Format (CEF) - ArcSight
Status: Supported by ArcSight
Refs:   http://www.arcsight.com/solutions_cef.htm


Name:   Events Logging Markup Language (ELML) - ISM3
Status: Draft (1.00)
Refs:
http://www.ism3.com/index.php?option=com_docman&task=doc_details&gid=6&Itemid=9


Name:   Common Base Event (CBE) - IBM
Status: Current on the IBM website, though no apparent use
        beyond IBM
Refs:
ftp://www6.software.ibm.com/software/developer/library/autonomic/books/cbepractice/index.htm


Name:   COTS Logging Information Exchange (CLIX) - NIST
Status: Abandoned
Refs:   http://www.itl.nist.gov/lab/pub/newsmay06.htm


Name:   Distributed Audit Service (OpenXDAS) - Novell
Status: Unknown
Refs:   http://www.opengroup.org/security/das/xdas_int.htm


Name:   COAST Audit Trails - Purdue CERIAS
Status: Unknown
Refs:
http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-format.html
http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.html


Name:   WSDM Event Format (WEF) - OASIS
Status: OASIS Standard
Refs:



(And, while not a log standard, IODEF seems to be
incorrectly, but commonly grouped here.)

Name:   Incident Object Description Exchange Format (IODEF)
Status: IETF Draft
Refs:   http://www.cert.org/ietf/inch/inch.html




William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615


Re: Surveying current log "standards"

Anton Chuvakin
Would it make sense to separate the dead long-gone past efforts from
the alive (and barely alive ones)?

On 7/3/07, Heinbockel, Bill <[hidden email]> wrote:

> [...]


--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
      http://www.chuvakin.org
  http://chuvakin.blogspot.com
    http://www.info-secure.org


Re: Surveying current log "standards"

heinbockel
In reply to this post by heinbockel
The only 2 that I'm certain of being dead are
CIDF and CLIX (which was never really "alive" to
start with). Many of these standards I have been
pointed to by various sources, but cannot find
any information as to their current status.

Below, I grouped the list into 4 rough categories:
- Alive (being used)
- Alive (updated docs but no known use)
- Dead
- Unknown (Anton: these may meet your criteria for "barely alive")

That said, I'm not as concerned with an effort's
status as I am with its content and goals. For example,
there are some interesting things that CIDF did with their
event taxonomy (language) that should not be
discounted just because the effort was merged into
IDMEF.



William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615

>-----Original Message-----
>From: Anton Chuvakin [mailto:[hidden email]]
>Sent: Tuesday, 03 July, 2007 13:24
>To: cee-discussion-list CEE-Related Discussion
>Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"
>
>Would it make sense to separate the dead long-gone past efforts from
>the alive (and barely alive ones)?
>


==========================================================
Alive - In Use
==========================================================
Name:   Syslog
Refs:   RFC3164 http://www.faqs.org/rfcs/rfc3164.html


Name:   Simple Network Messaging Protocol (SNMP)
Refs:   RFC1157 http://www.ietf.org/rfc/rfc1157.txt


Name:   Intrusion Detection Message Exchange Format (IDMEF)
Status: IETF RFC
Refs:   (Spec) RFC4765 http://tools.ietf.org/html/rfc4765
        (Reqs) RFC4766 http://tools.ietf.org/html/rfc4766


Name:   Common Event Format (CEF) - ArcSight
Status: Supported by ArcSight
Refs:   http://www.arcsight.com/solutions_cef.htm


Name:   Common Base Event (CBE) - IBM
Status: Current on the IBM website, though no apparent use
        beyond IBM
Refs:
ftp://www6.software.ibm.com/software/developer/library/autonomic/books/cbepractice/index.htm


==========================================================
Alive -- unknown use
==========================================================
Name:   Events Logging Markup Language (ELML) - ISM3
Status: Draft (1.00)
Refs:
http://www.ism3.com/index.php?option=com_docman&task=doc_details&gid=6&Itemid=9


==========================================================
Unknown
==========================================================
Name:   Distributed Audit Service (OpenXDAS) - Novell
Status: Unknown
Refs:   http://www.opengroup.org/security/das/xdas_int.htm


Name:   COAST Audit Trails - Purdue CERIAS
Status: Unknown
Refs:
http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-format.html
http://www.cerias.purdue.edu/about/history/coast/projects/audit-trails-reduce.html


Name:   Security Device Event Exchange (SDEE) - ICSALabs
Status: Unknown
Refs:
http://www.icsalabs.com/icsa/topic.php?tid=b2b4$52d6a7ef-1ea5803f$4c69-ff36f9b5


Name:   WSDM Event Format (WEF) - OASIS
Status: OASIS Standard
Refs:


==========================================================
Dead
==========================================================
Name:   Common Intrusion Detection Framework (CIDF)
Status: Dead; Work merged into IDMEF.
Refs:   http://gost.isi.edu/cidf/


Name:   COTS Logging Information Exchange (CLIX) - NIST
Status: Abandoned
Refs:   http://www.itl.nist.gov/lab/pub/newsmay06.htm


Re: Surveying current log "standards"

Raffael Marty
In reply to this post by heinbockel

You should keep a column which identifies the scope of the standard:

- Syntax
- Taxonomy
- Recommendation
- Transport

With regards to that, the SANS effort could be mentioned for recommendation

  -raffy

-----Original Message-----
From: Heinbockel, Bill [[hidden email]]
Sent: Tue 7/3/2007 11:00 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"

[...]


Re: Surveying current log "standards"

Daniel Cid-3
In reply to this post by heinbockel
Hi Bill (and everyone else),

I am glad to see that the list is active and CEE is moving forward. I
think we should take every standardization effort into consideration
and learn from their mistakes to make CEE better. Trying to make it
compatible with any other format or protocol is just going to tie us
to whatever they did that failed (it's funny that even syslog is not
as standard as we like to think, since the number of applications
that don't follow the RFC is huge).

Anyway, there is also the WELF log format that is used by some firewalls:

http://www.marshal.com/kb/article.aspx?id=10899&cNode=5R6Q0N


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 7/3/07, Heinbockel, Bill <[hidden email]> wrote:

> [...]
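Daniel's point that a large number of applications do not follow the syslog RFC is easy to demonstrate with a strict parser. The following is an added example and is not code from the original thread, from the CEE project or from any of the standards listed: it checks a line against the RFC 3164 header (PRI, TIMESTAMP, HOSTNAME), decodes facility and severity from PRI, and applies the relay rules of RFC 3164 section 4.3 to lines that lack a valid PRI or timestamp. The log lines, the relay clock `RELAY_NOW` and the relay hostname `relay01` are constructed for the example, and the `tag[pid]:` split is the common BSD convention rather than something the RFC mandates.

```python
"""Checker for the BSD syslog header defined in RFC 3164, plus the relay
repair rules from section 4.3 of that RFC.  Added example for the CEE
thread; the log lines, timestamp and relay host name are constructed."""
import re
from datetime import datetime
from typing import Dict, List, Optional

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Keywords for the RFC 3164 facility (Table 1) and severity (Table 2) codes.
# The RFC gives descriptions; these are the syslog.conf-style keywords.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, where TIMESTAMP is "Mmm dd hh:mm:ss" with a
# space-padded day and no year or time zone (RFC 3164 section 4.1).
_PRI = re.compile(r"^<(\d{1,3})>")
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    + r"(?P<ts>(?:" + "|".join(MONTHS) + r") [ 0-3]\d \d{2}:\d{2}:\d{2}) "
    + r"(?P<host>[^\s:]+) "
    + r"(?P<msg>.*)$"
)
# "tag[pid]: content" is the common BSD convention; RFC 3164 only says TAG
# is alphanumeric and at most 32 characters, so this split is heuristic.
_TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_.\-/]{1,32})(?:\[(?P<pid>\d+)\])?:\s?(?P<content>.*)$")

# Constructed sample lines: one conforming, three that are not.
SAMPLE_LINES = [
    "<34>Jul  3 13:24:00 relay01 su[2137]: 'su root' failed for alice on /dev/pts/8",
    "<13>2007-07-03T13:24:00Z fw01 kernel: Dropped packet from 203.0.113.7",  # ISO timestamp
    "Jul  3 13:24:01 app01 myapp: user login ok",                               # no PRI at all
    "<999>Jul  3 13:24:02 app01 myapp: bogus priority",                         # PRI above 191
]
RELAY_NOW = datetime(2007, 7, 3, 13, 24, 5)   # constructed clock for the relay


def decode_pri(pri: int):
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_rfc3164(line: str) -> Optional[Dict[str, object]]:
    """Return the parsed fields, or None if the header is not RFC 3164."""
    m = _HEADER.match(line)
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    facility, severity = decode_pri(pri)
    rec: Dict[str, object] = {
        "pri": pri, "facility": facility, "severity": severity,
        "timestamp": m.group("ts"), "host": m.group("host"),
        "tag": None, "pid": None, "content": m.group("msg"),
    }
    t = _TAG.match(m.group("msg"))
    if t:
        rec.update(tag=t.group("tag"), pid=t.group("pid"), content=t.group("content"))
    return rec


def _relay_stamp(now: datetime, relay_host: str) -> str:
    """TIMESTAMP and HOSTNAME a relay inserts, in RFC 3164 layout."""
    return f"{MONTHS[now.month - 1]} {now.day:2d} {now:%H:%M:%S} {relay_host} "


def relay_normalize(line: str, now: datetime, relay_host: str) -> str:
    """Apply the RFC 3164 section 4.3 relay rules: pass a valid message
    through, insert TIMESTAMP/HOSTNAME after a valid PRI that lacks them,
    and prepend <13> (user.notice) plus TIMESTAMP/HOSTNAME when PRI is
    missing or invalid.  The original bytes are kept, so nothing is lost."""
    if parse_rfc3164(line) is not None:
        return line
    m = _PRI.match(line)
    if m and int(m.group(1)) <= 191:
        return line[:m.end()] + _relay_stamp(now, relay_host) + line[m.end():]
    return "<13>" + _relay_stamp(now, relay_host) + line


def conformance_report(lines: List[str]) -> Dict[str, int]:
    """Count how many lines a strict RFC 3164 parser would accept."""
    report = {"rfc3164": 0, "nonconforming": 0}
    for line in lines:
        report["rfc3164" if parse_rfc3164(line) else "nonconforming"] += 1
    return report


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_rfc3164(line)
        status = f"{rec['facility']}.{rec['severity']}" if rec else "NOT RFC 3164"
        print(f"{status:14} {relay_normalize(line, RELAY_NOW, 'relay01')}")
    print(conformance_report(SAMPLE_LINES))
```

Run as a script it prints one accepted line and three rejected ones (ISO 8601 timestamp with a year, no PRI at all, PRI above 191), each shown as what a relay is required to forward instead. Two caveats for anyone building a CEE collector on top of this: RFC 3164 is an informational RFC that describes observed BSD behaviour rather than mandating a wire format, which is why so many emitters deviate from it, and it has since been obsoleted by RFC 5424, whose header (version number, RFC 3339 timestamp, structured data) is different again, so a collector has to accept all of these shapes.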


Re: Surveying current log "standards"

E Mintz
In reply to this post by heinbockel
Besides live and dead, I expect to also require a category for
non-starters, or unacceptable.

An effort may be alive, but in some certain cases, we will not wish to
align our efforts.

-Erik


On 7/3/07, Heinbockel, Bill <[hidden email]> wrote:

> [...]


Re: Surveying current log "standards"

Vicente Aceituno
In reply to this post by heinbockel
I don't think status is important to discuss, what is important is:

What are the good ideas that should go in CEE?

On 7/3/07, E Mintz <[hidden email]> wrote:

> [...]


Re: Surveying current log "standards"

Lagadec Philippe
In reply to this post by heinbockel
Hi,

I'm not sure about the current status of this one (it seems to have been dead since 1999), but perhaps it can be added to the list to see if there are useful ideas?:

Name:   ULM (Universal Format for Logger Messages)
Refs:   http://www.hsc.fr/ressources/normalisation/ulm/index.html.en


And is it worth mentioning the "syslog-sec" RFC 3195 along with RFC 3164 ?
http://www.ietf.org/rfc/rfc3195.txt

Also, I believe that the Prelude IDS has a binary implementation of IDMEF; it may be useful to have a look when we discuss a potential "binary CEE format".
http://www.prelude-ids.org/

Hope this helps,

Philippe Lagadec.


-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: 03 July 2007 19:11
To: [hidden email]
Subject: [CEE-DISCUSSION-LIST] Surveying current log "standards"

[...]


Re: Surveying current log "standards"

Jeff Dell-2
In reply to this post by heinbockel
One thing that interests me is how popular some of these standards are.
they might be very alive, but not popular. Something like Syslog and IDMEF
are both alive, but they are really at two different ends of the spectrum of
popularity. Syslog being supported by just about everything except for
Windows (natively) and IDMEF only being supported by a few products like
Prelude, Snort, etc...

Another one that is not on the list is WS-Eventing which is part of
WS-Management. Microsoft uses this in Vista and Windows Server 2008 for
event forwarding. However it is not a Microsoft standard.

http://www.dmtf.org/standards/wsman
http://schemas.xmlsoap.org/ws/2004/08/eventing

Also if you want a complete list, you might want to look at OPSEC/LEA. I
know it is a Checkpoint log standard, but a lot of products support it and
we could possibly learn from their implementation.

http://www.opsec.com/


and... You have the status for SDEE as Unknown... SDEE is alive and
supported by Cisco IPS.

Cheers,
Jeff

-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: Tuesday, July 03, 2007 1:11 PM
To: [hidden email]
Subject: [CEE-DISCUSSION-LIST] Surveying current log "standards"

[...]


Re: Surveying current log "standards"

heinbockel
In reply to this post by heinbockel
As you probably know, there are too many standards and trying
to capture the failures behind each is enough to write
a dissertation. For now, I have limited the scope down
to only log and related standards -- though I am more
than open to any comments regarding the reasons for
success or failure behind any other standard.

For example, the major reasons behind the success
of CVE (and, to lesser extents, OVAL and CWE) are that
it is technologically valid, can be applied consistently,
and its development relies heavily on the participation
and feedback of vendors and consumers. We also try to
leverage other, related communities so that we can produce
one successful standard.

As for "compatibility", what I meant was for an effort like
CEE to encompass the ideals of the other standards (e.g., IDMEF).
My thoughts are that (at least some of) these standards were
well thought out and developed to support specific goals by
people knowledgeable in said field. In order for CEE to be accepted
as a replacement for Syslog or IDMEF, it should be at least as
good as the standard it replaces.



William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615

>-----Original Message-----
>From: Daniel Cid [mailto:[hidden email]]
>Sent: Tuesday, 03 July, 2007 14:26
>To: cee-discussion-list CEE-Related Discussion
>Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"
>
>Hi Bill (and everyone else),
>
>I am glad to see that the list is active and CEE is moving forward. I
>think we should take every standardization effort into consideration
>and learn from their mistakes to make CEE better. Trying to make it
>compatible with any other format or protocol is just going to tie us
>to whatever they did that failed (it's funny that even syslog is not
>as standard as we like to think, since the number of applications
>that don't follow the RFC is huge).
>
>Anyway, there is also the WELF log format that is used by some
>firewalls:
>
>http://www.marshal.com/kb/article.aspx?id899&cNode=5R6Q0N
>
>
>Thanks,
>
>--
>Daniel B. Cid
>dcid ( at ) ossec.net
>
>
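To make Daniel's observation concrete (senders often diverge from RFC 3164 even though it is the Syslog reference on the list), here is an added checker, not code from this thread or from any of the projects named in it, that parses a line by the RFC 3164 layout and records each point of deviation; the sample lines are constructed, not captured from any real device.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 3164 section 4.1 layout: "<PRI>TIMESTAMP HOSTNAME TAG[pid]: CONTENT".
# PRI is facility*8 + severity, so it must lie in 0..191 (facility 0..23, severity 0..7).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP is exactly 15 characters, "Mmm dd hh:mm:ss", with the day space-padded.
TIMESTAMP_RE = re.compile(
    r"^(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"( \d|\d\d) \d\d:\d\d:\d\d$"
)
# TAG is alphanumeric, at most 32 characters, optionally followed by "[pid]", then ":".
TAG_RE = re.compile(r"^([A-Za-z0-9]{1,32})(?:\[\d+\])?:")

SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]


@dataclass
class SyslogCheck:
    facility: Optional[int] = None
    severity: Optional[int] = None
    timestamp: Optional[str] = None
    hostname: Optional[str] = None
    tag: Optional[str] = None
    content: str = ""
    deviations: List[str] = field(default_factory=list)

    @property
    def conformant(self) -> bool:
        return not self.deviations


def check_rfc3164(line: str) -> SyslogCheck:
    """Parse one syslog line and record every point where it departs from RFC 3164."""
    r = SyslogCheck()
    rest = line.rstrip("\r\n")

    m = PRI_RE.match(rest)
    if m is None:
        r.deviations.append("missing <PRI> header")
    else:
        pri = int(m.group(1))
        if pri > 191:
            r.deviations.append(f"PRI {pri} outside 0..191")
        else:
            r.facility, r.severity = divmod(pri, 8)
        rest = rest[m.end():]

    if TIMESTAMP_RE.match(rest[:15]) and rest[15:16] == " ":
        r.timestamp = rest[:15]
        if r.timestamp[4] == "0":
            r.deviations.append("day of month zero-padded; RFC 3164 space-pads it")
        rest = rest[16:]
    else:
        # Recovery: take the first token as whatever timestamp the sender emitted
        # (commonly ISO 8601), so HOSTNAME and TAG can still be examined.
        r.deviations.append("TIMESTAMP is not 'Mmm dd hh:mm:ss'")
        r.timestamp, _, rest = rest.partition(" ")

    r.hostname, _, msg = rest.partition(" ")
    if not r.hostname:
        r.deviations.append("missing HOSTNAME")

    m = TAG_RE.match(msg)
    if m is None:
        r.deviations.append("MSG does not begin with 'TAG[pid]:'")
        r.content = msg
    else:
        r.tag = m.group(1)
        r.content = msg[m.end():].lstrip()
    return r


def audit(lines: List[str]) -> List[SyslogCheck]:
    return [check_rfc3164(line) for line in lines]


# Constructed sample lines: one conformant, three with typical real-world deviations.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "Oct  7 08:01:02 gw01 kernel: eth0 link is up",
    "<13>Oct 07 08:01:02 gw01 cron[4711]: (root) CMD (run-parts /etc/cron.hourly)",
    "<999>2007-07-03T13:11:00Z fw.example.net vendor_app - policy 7 dropped tcp/445",
]

if __name__ == "__main__":
    for res in audit(SAMPLE_LINES):
        sev = SEVERITY_NAMES[res.severity] if res.severity is not None else "?"
        verdict = "RFC 3164" if res.conformant else "; ".join(res.deviations)
        print(f"{sev:13} {res.hostname or '-':15} {res.tag or '-':10} {verdict}")
```

Run over a day of collector output, the deviation list shows which senders a receiver has to special-case, which is exactly the comparison of event characteristics across sources that the survey is after.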


Re: Surveying current log "standards"

Vicente Aceituno
In reply to this post by heinbockel
Hi,

> people knowledgeable in said field. In order for CEE to be accepted
> as a replacement for Syslog or IDMEF, it should be at least as
> good as the standard it replaces.
I agree. I think we should milk the good ideas from the standards
published so far and produce a specification that makes it easy for
developers to migrate gradually, instead of being compliant / not
compliant.

Logs contain events that happen in an information system or network.
For this reason, we need to agree (IMHO) on what the general
parts of information systems are, what these parts can do, and what
states they go through.

When we have that, the design of syntax and vocabulary will be almost simple.

Vicente

P.S. Sorry if I jumped ahead of the current state of the thread...


Re: Surveying current log "standards"

Eric Fitzgerald
In reply to this post by heinbockel
Logs contain _records_ of events that happen in an information system or
network :-)

Eric

-----Original Message-----
From: Vicente Aceituno [mailto:[hidden email]]
Sent: Thursday, July 05, 2007 7:40 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"



Re: Surveying current log "standards"

Eric Fitzgerald
In reply to this post by heinbockel
I would also suggest that we don't spend much time (subjective) on why
specific efforts failed; if there is not unanimous agreement then we
should just move on.  We have enough failed standards that patterns
should emerge anyway; I'm concerned about debate falling into... what
could be a passionate space.


-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: Thursday, July 05, 2007 7:18 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"



Re: Surveying current log "standards"

Eric Fitzgerald
In reply to this post by heinbockel
I concur wrt WS-Eventing & WS-Management; but there is a problem.
WS-Eventing only describes a way to subscribe to log streams (and does
not contemplate out-of-band configuration for log subscriptions [e.g.
the syslog model]) so it's incomplete in my mind.

I concur with OPSEC as it's one of the more widely adopted proprietary
standards, but it opens Pandora's box.  First, it's really an API, and
second, does inclusion mean that we'd need to discuss all the less
widely adopted solutions of the same nature (Novell Nsure, etc.)?

-----Original Message-----
From: Jeff Dell [mailto:[hidden email]]
Sent: Wednesday, July 04, 2007 7:02 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"



Re: Surveying current log "standards"

heinbockel
In reply to this post by heinbockel
I agree with Eric, we do not want to go digging through
the weeds of (failed) log standardization efforts.

Let us limit the discussion to only log standards
that list members feel are worth noting. Ideally,
they are either (1) widely known or (2) have something
of value to contribute to CEE. Also, I would suggest
that we only count APIs if they meet the same criteria
and have specifications detailing their output.
(And it would be beneficial if I didn't have to register
to get any of these standards documents...)

As for WS-Eventing and WS-Management, while they don't
appear to offer much for the recording of events, they
may come in handy later once we are focused on the log
transportation. I'll include them for now and will note
that they are of limited use to CEE.


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615

>-----Original Message-----
>From: Eric Fitzgerald [mailto:[hidden email]]
>Sent: Thursday, 05 July, 2007 12:30
>To: cee-discussion-list CEE-Related Discussion
>Subject: Re: [CEE-DISCUSSION-LIST] Surveying current log "standards"
>