Closed Bug 630868 Opened 13 years ago Closed 13 years ago

Define CEF signature values and content for Pake

Categories

(Cloud Services :: Server: Key Exchange, defect)

Product:
Cloud Services
Component:
Server: Key Exchange
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: tarek, Assigned: tarek)

References

Details

Attachments

(1 file)

Change log names
5.49 KB, patch
jrconlin
: review+
Details | Diff | Splinter Review 
For each CEF message we will have a signature + extra value when needed

---------------------------------------------------------------------------------------------
| Event                              | Signature        | extension field name & value       |
|--------------------------------------------------------------------------------------------
| An IP is blacklisted               | BlackListedIP    | None                               |
| Invalid Client Id                  | InvalidClientId  | msg = invalid client id provided   | 
| Invalid Channel Id	             | InvalidChannelId | msg = invalid channel id provided  | 
| Could not delete a channel         | DeleteFailure    | msg = channel id                   | 
| Unkown Client Id in valid Channel  | UnknownClientId  | msg = invalid client id provided   |
| Report made by a valid client      | Report           | msg = full report                  |
----------------------------------------------------------------------------------------------

- Do we want to use Names ? or are Signatures supposed to be Names and we use another value in Signature
- Do we want to prefix Signature values with "Pake" ?
Arg, my neat table got busted :D
I'm having trouble understanding how Event, Signature, extension fieldname & value map into the CEF fields.

The goal is to have any repeated data, such as event name or the msgs you list above, to be static fields in the CEF alerts. The variable data, such as the invalid channel id that is provided, should be submitted via a custom string.
- Event: It's just a description of what's happening
- Signature: this is the signature field in CEF
- Extension Field: An extension field as defined in ArcSight, like msg=value

For example an Invalid Client Id event might look like this :

CEF:0|mozilla|keyexchange-stage|1.3|InvalidClientId|Invalid
X-KeyExchange-Id|5|cs1Label=requestClientApplication cs1=curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 requestMethod=GET request=/new_channel src=10.250.5.175 dest=stage-setup.services.mozilla.com msg="INVALID KEY VALUE HERE"

The name field here ("Invalid X-KeyExchange-Id") is a bit redundant with the signature. Thus my question: do we want to use it instead of the signature field ?

If yes, the line becomes:

CEF:0|mozilla|keyexchange-stage|1.3|PAKE|InvalidClientId|5|cs1Label=requestClientApplication cs1=curl/7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 requestMethod=GET request=/new_channel src=10.250.5.175 dest=stage-setup.services.mozilla.com msg="INVALID KEY VALUE HERE"

Where Signature becomes a fixed "PAKE" value for all event.
Here is the naming scheme from the CEF document.

CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

For us the NAME field is the most important. We build most of our rules off of this. 
Device Vendor and Device Product are important too, though they are largely static across a particular application.
Siganture ID is not really important to us. It should be unique for each CEF detectino point, but we don't see it in our logging tool.  It's fine for the SIGNATURE ID to be the same as the NAME

Regarding your two examples, I prefer the first one. This is only because I would rather see the NAME as "Invalid X-KeyExchange-Id", which I feel is more descriptive and effectively summarizes the event.
(In reply to comment #0)
> - Do we want to use Names ? or are Signatures supposed to be Names and we use
> another value in Signature

Name and Signature should both be the same value. 

On that same line of thinking, we should only a particular CEF NAME for one type of event in the application. We want to be able to see a particular NAME and know exactly what caused that event. Reusing CEF NAME's in multiple places in an application would make this very hard.

> - Do we want to prefix Signature values with "Pake" ?

Nope, not necessary. We can derive that information from DEVICE PRODUCT which is set to "keyexchange"
So what I'll do is:

- put in the signature the same value as name, and make this the general behavior for our CEF logger, unless explicitly specified.
- put in msg= any extra info when it applies

For Pake:

- Name, Msg
- BlackListed IP, None  
- Invalid X-KeyExchange-Channel, value provided
- Invalid X-KeyExchange-Id, value provided
- Could not delete the channel, channel id
- Unknown X-KeyExchange-Id in a valid channel, channel id + client id
- Report, full report
Attached patch Change log namesSplinter Review 

        Attachment #510356 -
        Flags: review?(jrconlin)

    
    

    
  
Comment on attachment 510356 [details] [diff] [review]
Change log names

reviewed, looks good

        Attachment #510356 -
        Flags: review?(jrconlin) → review+

    
    

    
  
Done in http://hg.mozilla.org/services/server-key-exchange/rev/8bad9eedc843
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: