On Mon, 20 Jan 2003, Eric Fitzgerald wrote:

> Hey Paul,
>
> We would never get rid of timestamp. In fact in an enterprise event
> collection system there are two timestamps and two sequence numbers that
> are interesting:
>
> * Generation timestamp (already integral to Windows event log)
> * Receive timestamp on event collector
> * Generation sequence number (already integral to Windows event log)
> * Transmit sequence number.

Yep, I wasn't suggesting that you might get rid of timestamps, I was
suggesting that it's important to order the data on the disk in time
sequence.

> Ok, enough geeking on that.
>
> The Microsoft Audit Collection Service which will debut this summer will
> have a choice of two transports- TCP and SSL. In either case the
> connection will be reliable, ordered, mutually authenticated, and
> encrypted. Other than this choice of transports, there will be no other
> choice, configurability, or extensibility in transport mechanism, and we
> are not going to be compatible with any flavor of syslog in version 1.
> We investigated syslog thoroughly including the new RFCs for BEEPCORE,
> syslog-reliable and syslog-sign, but none of those protocols seemed both
> appropriate and sufficient for our purposes (I will not debate this
> issue further, as it is likely to start a religious war, I just wanted
> to report that we did not arbitrarily or lightly choose not to use
> syslog). Our protocol will be published- third parties will be able to
> write code to interoperate.

Is there any chance of getting the spec. out sooner? I'm sure we'd all
like to get a look at it and see if it'll work for other purposes?

> We are also working on a project called "Secure Server Roles" which will
> have, among many other things, user-selectable auditing templates for
> Forensic and Intrusion Detection scenarios. These templates will set
> audit policy as well as SACLs on the file system, services, and the
> registry. The templates are focused around detection of
> security-sensitive changes to OS binaries or configuration. The
> forensic configuration focuses on changes that were actually successful
> while the ID configuration also includes unsuccessful attempts.

Very interesting stuff, I can't wait to see more!

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private   Director of Risk Assessment
                       TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
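As an added example (not part of this thread, and not code from Microsoft's Audit Collection Service), the following Python models the collector side of the two timestamps and two sequence numbers Eric lists, together with Paul's point that the on-disk order should follow time sequence: it sorts events by generation time and generation sequence number, reports per-source gaps in both the generation and transmit sequence numbers (loss in transit versus loss or clearing at the source), and flags events whose generation timestamp is later than the collector's receive timestamp. The field names, the constructed sample events and the lag threshold are all assumptions made for the example.

```python
"""Collector-side bookkeeping for forwarded audit events (added example).

Field names, sample data and thresholds are assumptions, not the ACS protocol.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CollectedEvent:
    source: str          # originating host
    gen_seq: int         # generation sequence number from the source's event log
    gen_ts: datetime     # generation timestamp, stamped by the source
    xmit_seq: int        # transmit sequence number assigned by the forwarder
    recv_ts: datetime    # receive timestamp stamped by the collector
    message: str


def order_for_storage(events: List[CollectedEvent]) -> List[CollectedEvent]:
    """Order by (source, generation time, generation seq) so the on-disk
    layout is time-sequenced regardless of the order events arrived in."""
    return sorted(events, key=lambda e: (e.source, e.gen_ts, e.gen_seq))


def _missing(seqs: List[int]) -> List[int]:
    """Sequence numbers absent between the lowest and highest seen."""
    present = set(seqs)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in present]


def find_gaps(events: List[CollectedEvent]) -> Dict[str, Dict[str, List[int]]]:
    """Per source: missing transmit seqs suggest loss or suppression in transit;
    missing generation seqs suggest loss or clearing before forwarding."""
    by_source: Dict[str, List[CollectedEvent]] = {}
    for e in events:
        by_source.setdefault(e.source, []).append(e)
    report: Dict[str, Dict[str, List[int]]] = {}
    for src, evs in by_source.items():
        report[src] = {
            "xmit_missing": _missing(sorted(e.xmit_seq for e in evs)),
            "gen_missing": _missing(sorted(e.gen_seq for e in evs)),
        }
    return report


def flag_clock_anomalies(
    events: List[CollectedEvent], max_lag: timedelta = timedelta(minutes=5)
) -> List[Tuple[str, int, str]]:
    """Compare the two timestamps: a generation time after receipt means the
    source clock is ahead (or the stamp was altered); a lag beyond max_lag
    means the event sat somewhere before reaching the collector."""
    flags: List[Tuple[str, int, str]] = []
    for e in events:
        lag = e.recv_ts - e.gen_ts
        if lag < timedelta(0):
            flags.append((e.source, e.gen_seq, "generated after receipt"))
        elif lag > max_lag:
            flags.append((e.source, e.gen_seq, "delivery lag exceeds threshold"))
    return flags


# Constructed sample: srv1 events arrive out of generation order with one
# transmit seq (3) and one generation seq (102) never seen; srv2's clock is
# ahead of the collector's.
T0 = datetime(2003, 1, 20, 15, 0, 0, tzinfo=timezone.utc)
SAMPLE: List[CollectedEvent] = [
    CollectedEvent("srv1", 101, T0 + timedelta(seconds=2), 1, T0 + timedelta(seconds=3), "logon success"),
    CollectedEvent("srv1", 100, T0 + timedelta(seconds=1), 2, T0 + timedelta(seconds=3), "audit policy change"),
    CollectedEvent("srv1", 103, T0 + timedelta(seconds=5), 4, T0 + timedelta(seconds=6), "service started"),
    CollectedEvent("srv2", 7, T0 + timedelta(seconds=60), 1, T0 + timedelta(seconds=4), "logon failure"),
]

if __name__ == "__main__":
    for e in order_for_storage(SAMPLE):
        print(e.source, e.gen_seq, e.gen_ts.isoformat(), e.message)
    print(find_gaps(SAMPLE))
    print(flag_clock_anomalies(SAMPLE))
```

Keeping both sequence numbers lets the collector tell a transport problem (transmit gap, generation numbers intact) from a problem at the source (generation gap), which is the distinction an investigator needs before trusting a stretch of the archive.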
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 15:41:40 PST