Closed
Bug 630868
Opened 13 years ago
Closed 13 years ago
Define CEF signature values and content for Pake
Categories
(Cloud Services :: Server: Key Exchange, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: tarek, Assigned: tarek)
References
Details
Attachments
(1 file)
5.49 KB,
patch
|
jrconlin
:
review+
|
Details | Diff | Splinter Review |
For each CEF message we will have a signature + extra value when needed --------------------------------------------------------------------------------------------- | Event | Signature | extension field name & value | |-------------------------------------------------------------------------------------------- | An IP is blacklisted | BlackListedIP | None | | Invalid Client Id | InvalidClientId | msg = invalid client id provided | | Invalid Channel Id | InvalidChannelId | msg = invalid channel id provided | | Could not delete a channel | DeleteFailure | msg = channel id | | Unkown Client Id in valid Channel | UnknownClientId | msg = invalid client id provided | | Report made by a valid client | Report | msg = full report | ---------------------------------------------------------------------------------------------- - Do we want to use Names ? or are Signatures supposed to be Names and we use another value in Signature - Do we want to prefix Signature values with "Pake" ?
Assignee | ||
Comment 1•13 years ago
|
||
Arg, my neat table got busted :D
Comment 3•13 years ago
|
||
I'm having trouble understanding how Event, Signature, extension fieldname & value map into the CEF fields. The goal is to have any repeated data, such as event name or the msgs you list above, to be static fields in the CEF alerts. The variable data, such as the invalid channel id that is provided, should be submitted via a custom string.
Assignee | ||
Comment 4•13 years ago
|
||
- Event: It's just a description of what's happening - Signature: this is the signature field in CEF - Extension Field: An extension field as defined in ArcSight, like msg=value For example an Invalid Client Id event might look like this : CEF:0|mozilla|keyexchange-stage|1.3|InvalidClientId|Invalid X-KeyExchange-Id|5|cs1Label=requestClientApplication cs1=curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 requestMethod=GET request=/new_channel src=10.250.5.175 dest=stage-setup.services.mozilla.com msg="INVALID KEY VALUE HERE" The name field here ("Invalid X-KeyExchange-Id") is a bit redundant with the signature. Thus my question: do we want to use it instead of the signature field ? If yes, the line becomes: CEF:0|mozilla|keyexchange-stage|1.3|PAKE|InvalidClientId|5|cs1Label=requestClientApplication cs1=curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 requestMethod=GET request=/new_channel src=10.250.5.175 dest=stage-setup.services.mozilla.com msg="INVALID KEY VALUE HERE" Where Signature becomes a fixed "PAKE" value for all event.
Comment 5•13 years ago
|
||
Here is the naming scheme from the CEF document. CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension For us the NAME field is the most important. We build most of our rules off of this. Device Vendor and Device Product are important too, though they are largely static across a particular application. Siganture ID is not really important to us. It should be unique for each CEF detectino point, but we don't see it in our logging tool. It's fine for the SIGNATURE ID to be the same as the NAME Regarding your two examples, I prefer the first one. This is only because I would rather see the NAME as "Invalid X-KeyExchange-Id", which I feel is more descriptive and effectively summarizes the event.
Comment 6•13 years ago
|
||
(In reply to comment #0) > - Do we want to use Names ? or are Signatures supposed to be Names and we use > another value in Signature Name and Signature should both be the same value. On that same line of thinking, we should only a particular CEF NAME for one type of event in the application. We want to be able to see a particular NAME and know exactly what caused that event. Reusing CEF NAME's in multiple places in an application would make this very hard. > - Do we want to prefix Signature values with "Pake" ? Nope, not necessary. We can derive that information from DEVICE PRODUCT which is set to "keyexchange"
Assignee | ||
Comment 7•13 years ago
|
||
So what I'll do is: - put in the signature the same value as name, and make this the general behavior for our CEF logger, unless explicitly specified. - put in msg= any extra info when it applies For Pake: - Name, Msg - BlackListed IP, None - Invalid X-KeyExchange-Channel, value provided - Invalid X-KeyExchange-Id, value provided - Could not delete the channel, channel id - Unknown X-KeyExchange-Id in a valid channel, channel id + client id - Report, full report
Assignee | ||
Comment 8•13 years ago
|
||
Attachment #510356 -
Flags: review?(jrconlin)
Comment 9•13 years ago
|
||
Comment on attachment 510356 [details] [diff] [review] Change log names reviewed, looks good
Attachment #510356 -
Flags: review?(jrconlin) → review+
Assignee | ||
Comment 10•13 years ago
|
||
Done in http://hg.mozilla.org/services/server-key-exchange/rev/8bad9eedc843
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•