Re: Draft Sensor Output Specification for Technical Discussion

View: New views

4 Messages — Rating Filter: Alert me

	Re: Draft Sensor Output Specification for Technical Discussion by Anton Chuvakin :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message Heidi: > I wanted to share the spec that was developed so that the CEE working group > could start a more technical discussion on CEE. You must understand that it > is a very draft spec but I thought it was something to start with. I know > that some people will criticize it which is fine but I would encourage for > every criticism that you also provide feedback that can improve the > specification. I consider yourselves the experts in this field. I am curious about a few things in this doc, related to EventTaxonomy: - was this taxonomy based on CEE discussion or created before? - you chose the following taxonomy fields: + Subject + Verb + Object + Result - if not based on CEE chat on that very subject, could you share your motivations for choosing these field (which I like a lot!) - are there any provision for non-XML formats in your spec? - Timestamp. Your RECOMMEND the timezone, but this is horrible - you have to MANDATE; otherwise, madness will ensue :-) - I hope you are being humorous when you refer to "OSI Application layer protocol" - surely you mean TCP/IP app layer, not OSI? - I think DeviceInformation is missing a type of some sort ... E.g. firewall, OS, app, etc. Hope this is useful! Sorry for a delayed feedback ... Best, -- Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA http://www.chuvakin.org http://chuvakin.blogspot.com http://www.info-secure.org
	Re: Draft Sensor Output Specification for Technical Discussion by Raffael Marty-3 :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message Good morning! I couldn't resist. You guys know that I am very opinionated when it comes to taxonomies: > - you chose the following taxonomy fields: > + Subject > + Verb > + Object > + Result > - if not based on CEE chat on that very subject, could you share your > motivations for choosing these field (which I like a lot!) I don't like it. Sorry, but subject is a fairly bad idea. If we make that an optional field. Maybe. But Anton, we had quite some discussion around this a while ago and I thought I had you convinced that it is hardly ever possible to define an object in a taxonomy concept. I need to read your document, Heidi. I just haven't had any bandwidth so far. It's on my todo list. Thanks and have a good weekend everyone -raffy -- Raffael Marty Chief Security Strategist @ Splunk> Security Visualization: http://secviz.org raffy.ch/blog
	Re: Draft Sensor Output Specification for Technical Discussion by William Heinbockel :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message > >I am curious about a few things in this doc, related to EventTaxonomy: > >- was this taxonomy based on CEE discussion or created before? >- you chose the following taxonomy fields: > + Subject > + Verb > + Object > + Result >- if not based on CEE chat on that very subject, could you share your >motivations for choosing these field (which I like a lot!) >- are there any provision for non-XML formats in your spec? >- Timestamp. Your RECOMMEND the timezone, but this is horrible - you >have to MANDATE; otherwise, madness will ensue :-) >- I hope you are being humorous when you refer to "OSI Application >layer protocol" - surely you mean TCP/IP app layer, not OSI? >- I think DeviceInformation is missing a type of some sort ... E.g. >firewall, OS, app, etc. Most of this was a collaboration between MITRE and NC3A in support of a trial at NATO CWID last year. The XML was a preliminary thing thrown together by me (though looking back, there are many changes that should be made) based upon some very early discussions surrounding CEE and event standardization (around Jan 2007 or so). The XML was just a brief cut at a common format to be used to translate a couple of Snort and PIX messages into to be fed through an XML guard and into ArcSight ESM. The categories and fields are not complete and may not be ideal for inclusion in a standard such as CEE.
	Re: Draft Sensor Output Specification for Technical Discussion by Lagadec Philippe :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message Hello, I would also add that we (MITRE and NC3A) developed an implementation to try this draft spec at NATO CWID, and we found several issues that should be fixed in the future. We know this is only a very draft spec, but we wanted to release it to the WG so that a more practical discussion can start. This draft spec is not CEE, it is a preliminary work to help us understand and show what CEE might be (or not). The issues we found are mainly about the taxonomy, timestamps and the XML schema. More on that later. Philippe. -----Original Message----- From: Heinbockel, Bill [mailto:heinbockel@...] Sent: 07 December 2007 20:09 To: CEE-DISCUSSION-LIST@... Subject: Re: [CEE-DISCUSSION-LIST] Draft Sensor Output Specification for Technical Discussion > >I am curious about a few things in this doc, related to EventTaxonomy: > >- was this taxonomy based on CEE discussion or created before? >- you chose the following taxonomy fields: > + Subject > + Verb > + Object > + Result >- if not based on CEE chat on that very subject, could you share your >motivations for choosing these field (which I like a lot!) >- are there any provision for non-XML formats in your spec? >- Timestamp. Your RECOMMEND the timezone, but this is horrible - you >have to MANDATE; otherwise, madness will ensue :-) >- I hope you are being humorous when you refer to "OSI Application >layer protocol" - surely you mean TCP/IP app layer, not OSI? >- I think DeviceInformation is missing a type of some sort ... E.g. >firewall, OS, app, etc. Most of this was a collaboration between MITRE and NC3A in support of a trial at NATO CWID last year. The XML was a preliminary thing thrown together by me (though looking back, there are many changes that should be made) based upon some very early discussions surrounding CEE and event standardization (around Jan 2007 or so). The XML was just a brief cut at a common format to be used to translate a couple of Snort and PIX messages into to be fed through an XML guard and into ArcSight ESM. The categories and fields are not complete and may not be ideal for inclusion in a standard such as CEE.

	Re: Draft Sensor Output Specification for Technical Discussion by Anton Chuvakin :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message Heidi: > I wanted to share the spec that was developed so that the CEE working group > could start a more technical discussion on CEE. You must understand that it > is a very draft spec but I thought it was something to start with. I know > that some people will criticize it which is fine but I would encourage for > every criticism that you also provide feedback that can improve the > specification. I consider yourselves the experts in this field. I am curious about a few things in this doc, related to EventTaxonomy: - was this taxonomy based on CEE discussion or created before? - you chose the following taxonomy fields: + Subject + Verb + Object + Result - if not based on CEE chat on that very subject, could you share your motivations for choosing these field (which I like a lot!) - are there any provision for non-XML formats in your spec? - Timestamp. Your RECOMMEND the timezone, but this is horrible - you have to MANDATE; otherwise, madness will ensue :-) - I hope you are being humorous when you refer to "OSI Application layer protocol" - surely you mean TCP/IP app layer, not OSI? - I think DeviceInformation is missing a type of some sort ... E.g. firewall, OS, app, etc. Hope this is useful! Sorry for a delayed feedback ... Best, -- Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA http://www.chuvakin.org http://chuvakin.blogspot.com http://www.info-secure.org
	Re: Draft Sensor Output Specification for Technical Discussion by Raffael Marty-3 :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message Good morning! I couldn't resist. You guys know that I am very opinionated when it comes to taxonomies: > - you chose the following taxonomy fields: > + Subject > + Verb > + Object > + Result > - if not based on CEE chat on that very subject, could you share your > motivations for choosing these field (which I like a lot!) I don't like it. Sorry, but subject is a fairly bad idea. If we make that an optional field. Maybe. But Anton, we had quite some discussion around this a while ago and I thought I had you convinced that it is hardly ever possible to define an object in a taxonomy concept. I need to read your document, Heidi. I just haven't had any bandwidth so far. It's on my todo list. Thanks and have a good weekend everyone -raffy -- Raffael Marty Chief Security Strategist @ Splunk> Security Visualization: http://secviz.org raffy.ch/blog
	Re: Draft Sensor Output Specification for Technical Discussion by William Heinbockel :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message > >I am curious about a few things in this doc, related to EventTaxonomy: > >- was this taxonomy based on CEE discussion or created before? >- you chose the following taxonomy fields: > + Subject > + Verb > + Object > + Result >- if not based on CEE chat on that very subject, could you share your >motivations for choosing these field (which I like a lot!) >- are there any provision for non-XML formats in your spec? >- Timestamp. Your RECOMMEND the timezone, but this is horrible - you >have to MANDATE; otherwise, madness will ensue :-) >- I hope you are being humorous when you refer to "OSI Application >layer protocol" - surely you mean TCP/IP app layer, not OSI? >- I think DeviceInformation is missing a type of some sort ... E.g. >firewall, OS, app, etc. Most of this was a collaboration between MITRE and NC3A in support of a trial at NATO CWID last year. The XML was a preliminary thing thrown together by me (though looking back, there are many changes that should be made) based upon some very early discussions surrounding CEE and event standardization (around Jan 2007 or so). The XML was just a brief cut at a common format to be used to translate a couple of Snort and PIX messages into to be fed through an XML guard and into ArcSight ESM. The categories and fields are not complete and may not be ideal for inclusion in a standard such as CEE.
	Re: Draft Sensor Output Specification for Technical Discussion by Lagadec Philippe :: Rate this Message: Reply (Restricted by the Administrator) \| Reply to Author \| View Threaded \| Show Only this Message Hello, I would also add that we (MITRE and NC3A) developed an implementation to try this draft spec at NATO CWID, and we found several issues that should be fixed in the future. We know this is only a very draft spec, but we wanted to release it to the WG so that a more practical discussion can start. This draft spec is not CEE, it is a preliminary work to help us understand and show what CEE might be (or not). The issues we found are mainly about the taxonomy, timestamps and the XML schema. More on that later. Philippe. -----Original Message----- From: Heinbockel, Bill [mailto:heinbockel@...] Sent: 07 December 2007 20:09 To: CEE-DISCUSSION-LIST@... Subject: Re: [CEE-DISCUSSION-LIST] Draft Sensor Output Specification for Technical Discussion > >I am curious about a few things in this doc, related to EventTaxonomy: > >- was this taxonomy based on CEE discussion or created before? >- you chose the following taxonomy fields: > + Subject > + Verb > + Object > + Result >- if not based on CEE chat on that very subject, could you share your >motivations for choosing these field (which I like a lot!) >- are there any provision for non-XML formats in your spec? >- Timestamp. Your RECOMMEND the timezone, but this is horrible - you >have to MANDATE; otherwise, madness will ensue :-) >- I hope you are being humorous when you refer to "OSI Application >layer protocol" - surely you mean TCP/IP app layer, not OSI? >- I think DeviceInformation is missing a type of some sort ... E.g. >firewall, OS, app, etc. Most of this was a collaboration between MITRE and NC3A in support of a trial at NATO CWID last year. The XML was a preliminary thing thrown together by me (though looking back, there are many changes that should be made) based upon some very early discussions surrounding CEE and event standardization (around Jan 2007 or so). The XML was just a brief cut at a common format to be used to translate a couple of Snort and PIX messages into to be fed through an XML guard and into ArcSight ESM. The categories and fields are not complete and may not be ideal for inclusion in a standard such as CEE.