This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Next revision Both sides next revision | ||
|
en:architecture [28.11.2014 14:27] trestikv@cesnet.cz |
en:architecture [24.09.2015 11:38] ph@cesnet.cz |
||
|---|---|---|---|
| Line 7: | Line 7: | ||
| ===== Sending events ===== | ===== Sending events ===== | ||
| - | Entities/networks involved feed the centre events solely from data sources within the entity/network, i.e. data from detection system operated within the entity/network and monitoring network and service traffic in the network concerned (IDS, honeypots ...). | + | Entities/networks involved feed the centre events from various data sources. These may be within the entity/network, i.e. data from detection system operated within the entity/network and monitoring network and service traffic in the network concerned (IDS, honeypots ...), or the third party sources (like Shadowserver, Honeynet, various blacklists), or even the aggregated or correlated data. There are of course the ways to distinct these cases. |
| - | //An event// fed in by a participating entity into the centre is stateless information about the origin of the attack/ threat containing the following elements: | + | //An event// fed in by a participating entity into the centre is the information about various facets of attack in form of [[https://idea.cesnet.cz|IDEA]] structured event. |
| - | + | ||
| - | * Name (identifier) of the service which had detected the event | + | |
| - | * Time tag of event occurrence (= detection), in GMT/UTC | + | |
| - | * Time tag of event reception by the server, in GMT/UTC | + | |
| - | * Type of event (attack/threat) reported | + | |
| - | * Address of attack/threat source and its type (ip, domain, email) | + | |
| - | + | ||
| - | ==== Optional elements ==== | + | |
| - | + | ||
| - | * Protocol of the attack/threat target | + | |
| - | * Port number of attack/threat target | + | |
| - | * Attack robustness | + | |
| - | * Note (unstructured text) | + | |
| ===== Receiving events ===== | ===== Receiving events ===== | ||
| - | Each entity participating in the system may receive data from the Warden system (through a receiving client). The server (centre) provides participating entities with received events together with event identifier, source and domain name of the station from which the event was received. The server sends the client only events so far unsent (one or more), or a notification that there is no new (unsent) event on the server. | + | Each entity participating in the system may receive data from the Warden system (through a receiving client). The server (centre) provides participating entities with unmodified received events. The server sends the client only events so far unsent, or a notification that there is no new (unsent) event on the server. |
| Participating entities may use data obtained from Warden as necessary to ensure security of their own network and services provided. | Participating entities may use data obtained from Warden as necessary to ensure security of their own network and services provided. | ||
CESNET, z. s. p. o.
Generála Píky 26
16000 Prague 6
Tel: +420 234 680 222
Fax: +420 224 320 269
info@cesnet.cz
Tel: +420 234 680 222
GSM: +420 602 252 531
Fax: +420 224 313 211
support@cesnet.cz