Hey Paul,

We'll probably have a public page for this around the end of March. When we do I'll post to the list.

Thanks!

Eric

-----Original Message-----
From: Paul D. Robertson [mailto:probertsat_private]
Sent: Monday, January 20, 2003 3:35 PM
To: Eric Fitzgerald
Cc: H C; Rainer Gerhards; loganalysisat_private; Tina Bird; Marcus J. Ranum; Ben Laurie
Subject: RE: [logs] RE: NT Event Log and Web Server Attacks

On Mon, 20 Jan 2003, Eric Fitzgerald wrote:

> Hey Paul,
>
> We would never get rid of timestamp. In fact in an enterprise event
> collection system there are two timestamps and two sequence numbers
> that are interesting:
>
> * Generation timestamp (already integral to Windows event log)
> * Receive timestamp on event collector
> * Generation sequence number (already integral to Windows event log)
> * Transmit sequence number.

Yep, I wasn't suggesting that you might get rid of timestamps, I was suggesting that it's important to order the data on the disk in time sequence.

> Ok, enough geeking on that.
>
> The Microsoft Audit Collection Service which will debut this summer
> will have a choice of two transports- TCP and SSL. In either case the
> connection will be reliable, ordered, mutually authenticated, and
> encrypted. Other than this choice of transports, there will be no
> other choice, configurability, or extensibility in transport
> mechanism, and we are not going to be compatible with any flavor of
> syslog in version 1. We investigated syslog thoroughly including the
> new RFCs for BEEPCORE, syslog-reliable and syslog-sign, but none of
> those protocols seemed both appropriate and sufficient for our
> purposes (I will not debate this issue further, as it is likely to
> start a religious war, I just wanted to report that we did not
> arbitrarily or lightly choose not to use syslog). Our protocol will
> be published- third parties will be able to write code to
> interoperate.

Is there any chance of getting the spec. out sooner? I'm sure we'd all like to get a look at it and see if it'll work for other purposes?

> We are also working on a project called "Secure Server Roles" which
> will have, among many other things, user-selectable auditing templates
> for Forensic and Intrusion Detection scenarios. These templates will
> set audit policy as well as SACLs on the file system, services, and
> the registry. The templates are focused around detection of
> security-sensitive changes to OS binaries or configuration. The
> forensic configuration focuses on changes that were actually
> successful while the ID configuration also includes unsuccessful
> attempts.

Very interesting stuff, I can't wait to see more!

Thanks,

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
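The two timestamps and two sequence numbers Eric lists, together with the on-disk time ordering Paul asks for, as an added Python example that is not part of this thread and not Microsoft's collector code: a toy collector stamps each event with its receive time, tracks per-host generation and transmit sequence numbers so that transport loss can be told apart from records missing from the host log, flags clock skew between the two timestamps, and returns records in generation-time rather than arrival order. The host names, the 300-second skew tolerance and the sample events are constructed.

```python
from dataclasses import dataclass, field

MAX_SKEW = 300.0  # seconds; assumed tolerance between host and collector clocks

@dataclass(frozen=True)
class Event:
    source: str    # generating host (constructed names below)
    gen_seq: int   # generation sequence number: record number in the host event log
    gen_ts: float  # generation timestamp, seconds since epoch, from the host clock
    tx_seq: int    # transmit sequence number assigned by the forwarder on that host
    message: str

@dataclass
class Collector:
    records: list = field(default_factory=list)   # (event, receive timestamp)
    last_gen: dict = field(default_factory=dict)  # source -> last gen_seq seen
    last_tx: dict = field(default_factory=dict)   # source -> last tx_seq seen
    findings: list = field(default_factory=list)

    def receive(self, ev: Event, recv_ts: float) -> None:
        # A transmit gap means events were lost between forwarder and collector.
        prev_tx = self.last_tx.get(ev.source)
        if prev_tx is not None and ev.tx_seq != prev_tx + 1:
            self.findings.append(f"{ev.source}: transmit gap {prev_tx}->{ev.tx_seq}")
        self.last_tx[ev.source] = ev.tx_seq
        # A generation gap with a clean transmit sequence means the host log itself
        # skipped records (cleared or overwritten before they were forwarded).
        prev_gen = self.last_gen.get(ev.source)
        if prev_gen is not None and ev.gen_seq != prev_gen + 1:
            self.findings.append(f"{ev.source}: generation gap {prev_gen}->{ev.gen_seq}")
        self.last_gen[ev.source] = ev.gen_seq
        # Comparing generation and receive time exposes host clock skew or backdating.
        skew = recv_ts - ev.gen_ts
        if skew < 0 or skew > MAX_SKEW:
            self.findings.append(f"{ev.source}: clock skew {skew:+.1f}s on gen_seq {ev.gen_seq}")
        self.records.append((ev, recv_ts))

    def ordered(self) -> list:
        # On-disk order: by generation time, then host, then host record number.
        return sorted(self.records, key=lambda r: (r[0].gen_ts, r[0].source, r[0].gen_seq))

# Constructed sample: two hosts forwarding to one collector; not real log data.
SAMPLE = [
    (Event("hostA", 100, 1000.0, 1, "logon"), 1005.0),
    (Event("hostA", 101, 1001.0, 2, "logoff"), 1006.0),
    (Event("hostA", 102, 1002.5, 3, "service start"), 1007.0),
    (Event("hostB", 7, 999.0, 1, "logon"), 1008.0),
    (Event("hostA", 104, 1003.0, 4, "registry change"), 1009.0),
    (Event("hostB", 8, 1500.0, 3, "logon"), 1010.0),
]

def run(sample=SAMPLE) -> Collector:
    c = Collector()
    for ev, recv_ts in sample:
        c.receive(ev, recv_ts)
    return c
```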
This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 16:09:45 PST