Security Incidents mailing list archives

RE: Standardized Reporting


From: Roman Danyliw <rdd () cert org>
Date: Fri, 16 Aug 2002 10:31:51 -0400

You may want to take a look at related work being done in the IETF with the INCH BOF (soon to be working group). This group is working on a common representation of a computer security incident in XML called the Incident Object Description Exchange Format (IODEF).

- Charter:
  http://listserv.surfnet.nl/scripts/wa.exe?A2=ind02&L=inch&F=&S=&P=5407

- Data Model draft:
  http://search.ietf.org/internet-drafts/draft-meijer-inch-iodef-00.txt

- Requirements draft:
  http://www.cysol.co.jp/contrib/draft-glenn-inch-req-00.txt

- Mailing List archive:
  http://listserv.surfnet.nl/archives/inch.html

Roman Danyliw
CERT/CC

--On Thursday, August 15, 2002 4:35 PM -0400 "Brooke, O'neil (EXP)" <o'neil.brooke () lmco com> wrote:

Hello,

        Since last night's post, I've received several responses both on and
off list. Every single one of them was positive and/or supportive of the
concept. So I'm going to go ahead with the idea of developing a
standardized report. Right now I have a few objectives in mind for this
report:

        + A generic report that can be used to document virtually any
computer incident investigation.
        + Document a methodical approach to the incident investigation.
(Some of the responses I've had expressed an interest in the checklist
because they were not entirely aware of the sequence of events that should
go into an investigation.)
        + Document both generic and private information; however, do this in
such a way that the private information can quickly and easily be stripped
from the report. If we start to use this form, it does not make sense to
document in one way for the incidents list and another way for your
management structure.
        + Operating System specific sections. We could make the form
operating system independent, but then we lose a great opportunity for
providing newcomers a practical how-to investigate an incident.

        If anyone else has other objectives they would like a report like
this to satisfy, please, either send them to me or post them to the list.

O'Neil.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com
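One way to meet the third objective above (private details strippable before a report goes to the list), written as an added example for this archive page; it is not code from the thread and does not use the IODEF schema. It assumes a hypothetical mini-schema in which each element carries a constructed `restriction` attribute, and strips anything marked private before the report is shared.

```python
import xml.etree.ElementTree as ET

# Constructed sample report. Element names, values and the "restriction"
# attribute are a hypothetical mini-schema for this example, not IODEF.
SAMPLE_REPORT = """<IncidentReport id="EXAMPLE-2002-001">
  <Summary restriction="public">Web server probed for known CGI paths</Summary>
  <Timeline restriction="public">
    <Event time="2002-08-15T02:10:00-04:00">First probe seen in web logs</Event>
    <Event time="2002-08-15T02:40:00-04:00">Host isolated and imaged</Event>
  </Timeline>
  <Contact restriction="private">handler.example@example.com</Contact>
  <Asset restriction="private">ws01.corp.example, 10.0.0.12</Asset>
  <OSSection os="Linux" restriction="public">
    <Step>Collect volatile data (ps, netstat) before powering off</Step>
    <Step restriction="private">Internal ticket INT-EXAMPLE-42 opened</Step>
  </OSSection>
</IncidentReport>"""


def _prune(elem: ET.Element) -> None:
    # Remove private children in place; a private parent takes its
    # whole subtree with it, so unmarked children inherit the marking.
    for child in list(elem):
        if child.get("restriction") == "private":
            elem.remove(child)
        else:
            _prune(child)


def strip_private(xml_text: str) -> str:
    """Return the report with every private element removed (list-safe copy)."""
    root = ET.fromstring(xml_text)
    _prune(root)
    return ET.tostring(root, encoding="unicode")


def private_elements(xml_text: str) -> list:
    """Tags marked private, in document order, for a pre-send review."""
    root = ET.fromstring(xml_text)
    return [e.tag for e in root.iter() if e.get("restriction") == "private"]


if __name__ == "__main__":
    print(private_elements(SAMPLE_REPORT))
    print(strip_private(SAMPLE_REPORT))
```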
