You may want to take a look at related work being done in the IETF with the INCH BOF (soon to be a working group). This group is working on a common representation of a computer security incident in XML called the Incident Object Description Exchange Format (IODEF).

- Charter: http://listserv.surfnet.nl/scripts/wa.exe?A2=ind02&L=inch&F=&S=&P=5407
- Data Model draft: http://search.ietf.org/internet-drafts/draft-meijer-inch-iodef-00.txt
- Requirements draft: http://www.cysol.co.jp/contrib/draft-glenn-inch-req-00.txt
- Mailing List archive: http://listserv.surfnet.nl/archives/inch.html

Roman Danyliw
CERT/CC

--On Thursday, August 15, 2002 4:35 PM -0400 "Brooke, O'neil (EXP)" <o'neil.brookeat_private> wrote:

> Hello,
>
> Since last night's post, I've received several responses both on and
> off list. Every single one of them was positive and/or supportive of the
> concept. So I'm going to go ahead with the idea of developing a
> standardized report. Right now I have a few objectives in mind for this
> report:
>
> + A generic report that can be used to document virtually any
> computer incident investigation.
> + Document a methodical approach to the incident investigation.
> (Some of the responses I've had expressed an interest in the checklist
> because they were not entirely aware of the sequence of events that should
> go into an investigation.)
> + Document both generic and private information; however, do this in
> such a way that the private information can quickly and easily be stripped
> from the report. If we start to use this form, it does not make sense to
> document in one way for the incidents list and another way for your
> management structure.
> + Operating System specific sections. We could make the form
> operating system independent, but then we lose a great opportunity for
> providing newcomers a practical how-to for investigating an incident.
>
> If anyone else has other objectives they would like a report like
> this to satisfy, please, either send them to me or post them to the list.
>
> O'Neil.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For
> more information on this free incident handling, management and tracking
> system please see: http://aris.securityfocus.com
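The third objective above, keeping public and private details in one report but stripping the private parts before posting to the list, is easy to mechanise once the report is XML. The following is an added example, not code from the thread or from the IODEF drafts: it uses a constructed sample report whose element names and `restriction` attribute are assumptions for illustration, and prunes every element marked private (children inherit their parent's restriction unless they override it).

```python
"""Strip private data from an XML incident report before sharing it."""
import xml.etree.ElementTree as ET

# Constructed sample report. Element names and the "restriction" attribute
# are assumptions for this example, not the schema of any IODEF draft.
SAMPLE_REPORT = """\
<IncidentReport restriction="public">
  <IncidentID>EXAMPLE-2002-001</IncidentID>
  <Summary>Web server compromise via an unpatched CGI script</Summary>
  <Contact restriction="private">
    <Name>J. Doe</Name>
    <Email>jdoe@example.internal</Email>
  </Contact>
  <AffectedHost restriction="need-to-know">
    <Hostname>www1.corp.example.internal</Hostname>
    <Address>10.0.0.5</Address>
  </AffectedHost>
  <Timeline>
    <Step>Detection via IDS alert</Step>
    <Step restriction="private">Escalated to internal legal</Step>
  </Timeline>
</IncidentReport>
"""

# Any of these levels means "do not send to the public list".
PRIVATE_LEVELS = {"private", "need-to-know"}


def _prune(elem, inherited):
    """Remove children whose effective restriction is private; recurse into the rest."""
    for child in list(elem):          # copy: we mutate elem while iterating
        level = child.get("restriction", inherited)
        if level in PRIVATE_LEVELS:
            elem.remove(child)
        else:
            _prune(child, level)


def strip_private(xml_text):
    """Return the report as a string with all private elements removed."""
    root = ET.fromstring(xml_text)
    _prune(root, root.get("restriction", "public"))
    return ET.tostring(root, encoding="unicode")


def remaining_tags(xml_text):
    """Tags left in the report after stripping, in document order."""
    return [e.tag for e in ET.fromstring(strip_private(xml_text)).iter()]


if __name__ == "__main__":
    print(strip_private(SAMPLE_REPORT))
```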
This archive was generated by hypermail 2b30 : Fri Aug 16 2002 - 09:08:31 PDT