RE: [logs] RE: NT Event Log and Web Server Attacks

From: Eric Fitzgerald (ericfat_private)
Date: Mon Jan 20 2003 - 16:03:38 PST


    Hey Paul,

    We'll probably have a public page for this around the end of March.
    When we do I'll post to the list.

    -----Original Message-----
    From: Paul D. Robertson [mailto:probertsat_private]
    Sent: Monday, January 20, 2003 3:35 PM
    To: Eric Fitzgerald
    Cc: H C; Rainer Gerhards; loganalysisat_private; Tina Bird; Marcus J. Ranum; Ben Laurie
    Subject: RE: [logs] RE: NT Event Log and Web Server Attacks

    On Mon, 20 Jan 2003, Eric Fitzgerald wrote:
    > Hey Paul,
    > We would never get rid of timestamp.  In fact in an enterprise event 
    > collection system there are two timestamps and two sequence numbers 
    > that are interesting:
    > * Generation timestamp (already integral to Windows event log)
    > * Receive timestamp on event collector
    > * Generation sequence number (already integral to Windows event log)
    > * Transmit sequence number.

    Yep, I wasn't suggesting that you might get rid of timestamps, I was
    suggesting that it's important to order the data on the disk in time

    > Ok, enough geeking on that.
    > The Microsoft Audit Collection Service which will debut this summer 
    > will have a choice of two transports- TCP and SSL.  In either case the
    > connection will be reliable, ordered, mutually authenticated, and 
    > encrypted.  Other than this choice of transports, there will be no 
    > other choice, configurability, or extensibility in transport 
    > mechanism, and we are not going to be compatible with any flavor of 
    > syslog in version 1. We investigated syslog thoroughly including the 
    > new RFCs for BEEPCORE, syslog-reliable and syslog-sign, but none of 
    > those protocols seemed both appropriate and sufficient for our 
    > purposes (I will not debate this issue further, as it is likely to 
    > start a religious war, I just wanted to report that we did not 
    > arbitrarily or lightly choose not to use syslog).  Our protocol will 
    > be published- third parties will be able to write code to 
    > interoperate.

    Is there any chance of getting the spec. out sooner?  I'm sure we'd all
    like to get a look at it and see if it'll work for other purposes?

    > We are also working on a project called "Secure Server Roles" which 
    > will have, among many other things, user-selectable auditing templates
    > for Forensic and Intrusion Detection scenarios.  These templates will 
    > set audit policy as well as SACLs on the file system, services, and 
    > the registry.  The templates are focused around detection of 
    > security-sensitive changes to OS binaries or configuration.  The 
    > forensic configuration focuses on changes that were actually 
    > successful while the ID configuration also includes unsuccessful 
    > attempts.

    Very interesting stuff, I can't wait to see more!

    Paul D. Robertson      "My statements in this message are personal
    probertsat_private      which may have no basis whatsoever in fact."
    probertsonat_private Director of Risk Assessment TruSecure
    LogAnalysis mailing list
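As an added illustration of the two-timestamps, two-sequence-numbers design Eric describes and Paul's point about ordering stored events by time (example code written for this archive page, not part of the thread or of any Microsoft product), the toy collector below stamps a receive time, checks transmit sequence continuity, reports generation sequence gaps over a batch, flags generation/receive clock skew, and orders storage by generation time. Field names, the 5-minute skew threshold and the sample feed are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Event:
    gen_seq: int       # generation sequence number, assigned by the source event log
    gen_ts: datetime   # generation timestamp, stamped by the source host
    xmit_seq: int      # transmit sequence number, assigned by the forwarder per send
    message: str
class Collector:
    def __init__(self, max_skew: timedelta = timedelta(minutes=5)):
        self.max_skew = max_skew
        self.stored: List[Tuple[Event, datetime]] = []   # (event, receive timestamp)
        self.anomalies: List[str] = []
        self._last_xmit: Optional[int] = None

    def receive(self, ev: Event, now: datetime) -> None:
        # Transmit gap: the transport dropped, reordered or replayed a send.
        if self._last_xmit is not None and ev.xmit_seq != self._last_xmit + 1:
            self.anomalies.append(f"xmit gap: expected {self._last_xmit + 1}, got {ev.xmit_seq}")
        self._last_xmit = ev.xmit_seq
        # Generation vs. receive time: large skew means a bad source clock or a long delay.
        skew = (now - ev.gen_ts).total_seconds()
        if abs(skew) > self.max_skew.total_seconds():
            self.anomalies.append(f"skew {skew:+.0f}s on gen_seq {ev.gen_seq}")
        self.stored.append((ev, now))   # receive timestamp is the collector's, not the source's

    def missing_gen_seqs(self) -> List[int]:
        # Judged over the whole batch, so a late but delivered event is not a gap;
        # what remains existed in the source log but was never forwarded.
        seen = {ev.gen_seq for ev, _ in self.stored}
        return sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []

    def ordered(self) -> List[Event]:
        # On-disk/query order follows generation time (gen_seq breaks ties), not arrival.
        return [ev for ev, _ in sorted(self.stored, key=lambda s: (s[0].gen_ts, s[0].gen_seq))]

def demo() -> Tuple[List[str], List[int], List[int]]:
    t0 = datetime(2003, 1, 20, 15, 0, 0)   # constructed sample feed, not real log data
    feed = [  # (gen_seq, gen offset s, xmit_seq, receive offset s, message)
        (100, 0, 1, 1, "logon"), (101, 2, 2, 3, "object access"),
        (103, 6, 3, 7, "policy change"), (102, 4, 4, 8, "service start"),  # 102 arrives late
        (104, 8, 6, 9, "logoff"),               # xmit_seq 5 lost in transport
        (106, 12, 7, 13, "audit log cleared"),  # gen_seq 105 never forwarded
        (107, 600, 8, 14, "clock jumped"),      # generation clock far ahead of receipt
    ]
    c = Collector()
    for gen_seq, g, xmit_seq, r, msg in feed:
        c.receive(Event(gen_seq, t0 + timedelta(seconds=g), xmit_seq, msg), t0 + timedelta(seconds=r))
    return c.anomalies, c.missing_gen_seqs(), [ev.gen_seq for ev in c.ordered()]
```

The transmit gap and the generation gap surface as separate findings because they have separate causes: one is transport loss, the other is an event that never left the source.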

    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 16:09:45 PST