RE: [logs] RE: NT Event Log and Web Server Attacks

From: Paul D. Robertson (probertsat_private)
Date: Mon Jan 20 2003 - 15:34:39 PST


    On Mon, 20 Jan 2003, Eric Fitzgerald wrote:
    > Hey Paul,
    > We would never get rid of timestamp.  In fact in an enterprise event
    > collection system there are two timestamps and two sequence numbers that
    > are interesting:
    > * Generation timestamp (already integral to Windows event log)
    > * Receive timestamp on event collector
    > * Generation sequence number (already integral to Windows event log)
    > * Transmit sequence number.
    Yep, I wasn't suggesting that you might get rid of timestamps, I was 
    suggesting that it's important to order the data on the disk in time 
    > Ok, enough geeking on that.
    > The Microsoft Audit Collection Service which will debut this summer will
    > have a choice of two transports- TCP and SSL.  In either case the
    > connection will be reliable, ordered, mutually authenticated, and
    > encrypted.  Other than this choice of transports, there will be no other
    > choice, configurability, or extensibility in transport mechanism, and we
    > are not going to be compatible with any flavor of syslog in version 1.
    > We investigated syslog thoroughly including the new RFCs for BEEPCORE,
    > syslog-reliable and syslog-sign, but none of those protocols seemed both
    > appropriate and sufficient for our purposes (I will not debate this
    > issue further, as it is likely to start a religious war, I just wanted
    > to report that we did not arbitrarily or lightly choose not to use
    > syslog).  Our protocol will be published- third parties will be able to
    > write code to interoperate.
    Is there any chance of getting the spec. out sooner?  I'm sure we'd all 
    like to get a look at it and see if it'll work for other purposes?
    > We are also working on a project called "Secure Server Roles" which will
    > have, among many other things, user-selectable auditing templates for
    > Forensic and Intrusion Detection scenarios.  These templates will set
    > audit policy as well as SACLs on the file system, services, and the
    > registry.  The templates are focused around detection of
    > security-sensitive changes to OS binaries or configuration.  The
    > forensic configuration focuses on changes that were actually successful
    > while the ID configuration also includes unsuccessful attempts.
    Very interesting stuff, I can't wait to see more!
    Paul D. Robertson      "My statements in this message are personal opinions
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure Corporation
    LogAnalysis mailing list
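The four fields Eric lists above (generation timestamp, receive timestamp, generation sequence number, transmit sequence number) are enough for a collector to tell wire loss from records that went missing at the source, and to notice a source whose clock cannot be trusted for ordering. The following is an added illustration, not code from this thread or from Microsoft's Audit Collection Service; the field names, the per-source bookkeeping, the skew threshold and the sample feed are all assumptions constructed for the example.

```python
"""Toy event collector built on the two timestamps and two sequence numbers.

Added example, not from the original thread. Field names, thresholds and
the sample feed in demo() are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

UTC = timezone.utc


@dataclass(frozen=True)
class ReceivedEvent:
    source: str            # originating host (assumed field name)
    gen_seq: int           # generation sequence number, from the source's event log
    gen_time: datetime     # generation timestamp, stamped when the record was written
    xmit_seq: int          # transmit sequence number, per-connection counter on the agent
    recv_time: datetime    # receive timestamp, stamped by the collector on arrival
    message: str


@dataclass
class SourceState:
    last_gen_seq: Optional[int] = None
    last_xmit_seq: Optional[int] = None
    seen_xmit: Set[int] = field(default_factory=set)
    events: List[ReceivedEvent] = field(default_factory=list)


class Collector:
    """Per-source state plus the checks the four fields make possible."""

    def __init__(self, max_skew: timedelta = timedelta(minutes=5)) -> None:
        self.max_skew = max_skew          # assumed tolerance between gen_time and recv_time
        self.sources: Dict[str, SourceState] = {}
        self.alerts: List[str] = []

    def ingest(self, source: str, gen_seq: int, gen_time: datetime,
               xmit_seq: int, message: str,
               recv_time: Optional[datetime] = None) -> List[str]:
        """Store one event and return the alerts it raised (also kept in self.alerts)."""
        recv_time = recv_time or datetime.now(UTC)
        ev = ReceivedEvent(source, gen_seq, gen_time, xmit_seq, recv_time, message)
        st = self.sources.setdefault(source, SourceState())
        raised: List[str] = []

        # Transmit sequence: loss, duplication or reordering on the wire.
        # (An agent that reconnects and restarts its counter is not modelled.)
        if xmit_seq in st.seen_xmit:
            raised.append(f"{source}: duplicate transmit seq {xmit_seq}")
        elif st.last_xmit_seq is not None and xmit_seq < st.last_xmit_seq:
            raised.append(f"{source}: out-of-order transmit seq {xmit_seq} after {st.last_xmit_seq}")
        elif st.last_xmit_seq is not None and xmit_seq > st.last_xmit_seq + 1:
            raised.append(f"{source}: transmit gap, missed {st.last_xmit_seq + 1}..{xmit_seq - 1}")

        # Generation sequence: a gap here while the transmit sequence is contiguous
        # means records vanished before transmission (log cleared, overwritten or
        # skipped by the agent), which is a different problem from wire loss.
        if st.last_gen_seq is not None and gen_seq > st.last_gen_seq + 1:
            raised.append(f"{source}: generation gap, records "
                          f"{st.last_gen_seq + 1}..{gen_seq - 1} never arrived")

        # Clock skew: a generation time far from the receive time means the source
        # clock is wrong or the event was held back; ordering by gen_time alone
        # would then place it wrongly on disk.
        skew = (recv_time - gen_time).total_seconds()
        if abs(skew) > self.max_skew.total_seconds():
            raised.append(f"{source}: clock skew of {skew:+.0f}s between generation and receipt")

        st.seen_xmit.add(xmit_seq)
        st.last_xmit_seq = xmit_seq if st.last_xmit_seq is None else max(st.last_xmit_seq, xmit_seq)
        st.last_gen_seq = gen_seq if st.last_gen_seq is None else max(st.last_gen_seq, gen_seq)
        st.events.append(ev)
        self.alerts.extend(raised)
        return raised

    def ordered(self, source: str) -> List[ReceivedEvent]:
        """Order for storage by generation time, generation seq as tie-breaker."""
        return sorted(self.sources[source].events, key=lambda e: (e.gen_time, e.gen_seq))


def demo() -> List[str]:
    """Constructed sample feed from one host; returns the alerts it triggers."""
    base = datetime(2003, 1, 20, 15, 0, tzinfo=UTC)
    c = Collector()
    feed = [
        # gen_seq, gen offset (s), xmit_seq, recv offset (s), message
        (100, 0, 1, 1, "logon success"),
        (101, 1, 2, 2, "object access"),
        (105, 2, 3, 3, "logon failure"),           # gen 102..104 lost before transmission
        (106, 3, 5, 4, "service start"),           # xmit 4 lost on the wire
        (107, 3604, 6, 5, "audit policy change"),  # source clock an hour ahead
    ]
    for gen_seq, g, xmit, r, msg in feed:
        c.ingest("web01", gen_seq, base + timedelta(seconds=g), xmit, msg,
                 recv_time=base + timedelta(seconds=r))
    return c.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the generation timestamp and sequence come from the source's own log; the receive timestamp and transmit sequence are the collector's independent record of what actually arrived and when, which is why the two checks together can distinguish a lossy link from a log that was tampered with or cleared before the agent read it.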

    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 15:41:40 PST