alisle / elleLog

MultiThreaded Syslog Server with Elastic Search Support written in Go

Add Taxonomy #7

Open alisle opened 11 years ago

alisle commented 11 years ago

The taxonomy needs to be defined and be fairly complete before the correlation engine can be worked on.

alisle commented 11 years ago

Start by using the AV Taxonomy:

Exploit-Shellcode Exploit-SQL_Injection Exploit-Browser Exploit-ActiveX Exploit-Command_Execution Exploit-Cross_Site_Scripting Exploit-FTP Exploit-File_Inclusion Exploit-Windows Exploit-Directory_Traversal Exploit-Attack_Response Exploit-Denial_Of_Service Exploit-PDF Exploit-Buffer_Overflow Exploit-Spoofing Exploit-Format_String Exploit-Misc Exploit-DNS Exploit-Mail Exploit-Samba Exploit-Linux Authentication-Bruteforce Authentication-Bypass Authentication-Login Authentication-Failed Authentication-Cleartext Authentication-Logout Authentication-Disclosure Authentication-Default_Credentials Access-Web_Application_Access Access-File_Access Access-Misc Malware-Spyware Malware-Adware Malware-Fake_Antivirus Malware-KeyLogger Malware-Trojan Malware-Virus Malware-Worm Malware-Generic Malware-Backdoor Policy-Porn Policy-P2P Policy-Instant_Messaging_Chat Policy-Anonymity Policy-Games Policy-Other Denial_Of_Service-Web_Application Denial_Of_Service-Application Denial_Of_Service-Flood Denial_Of_Service-DDoS Suspicious-Blacklist_Address Suspicious-Web_Attack_or_Scan Suspicious-Bad_Traffic Suspicious-Network_Activity Suspicious-Scada_Activity Suspicious-DNS_Activity Suspicious-SSH_Activity Suspicious-NFS_Activity Suspicious-Database_Activity Suspicious-Netbios_Activity Suspicious-RPC_Activity Suspicious-Mail_Activity Network-TFTP_Activity Network-FTP_Activity Network-SNMP_Activity Network-SMTP_Activity Network-Telnet_Activity Recon-Misc Recon-Scanner Info-Misc Network-NTP_Activity Network-SIP_Activity Network-DHCP_Activity Access-Firewall_Permit Access-Firewall_Deny Access-ACL_Permit Access-ACL_Deny Authentication-Policy_Added Authentication-Policy_Changed Authentication-Policy_Deleted Authentication-FTP_Login_Succeeded Authentication-FTP_Login_Failed Authentication-Password_Change_Failed Authentication-Password_Change_Succeeded Authentication-User_Created Authentication-User_Deleted Authentication-User_Changed Authentication-Admin_Access Authentication-Group_Added 
Authentication-Group_Deleted Authentication-Group_Changed Authentication-Auth_Required Authentication-Account_Lockout Authentication-Account_Unlocked Malware-Virus_Detected Antivirus-Virus_Detected Antivirus-Virus_Quarantine Antivirus-Virus_Quarantine_Failed System-Configuration_Error Antivirus-Definitions_Updated Antivirus-Definitions_Updated_Failed Antivirus-Unknown_Event Antivirus-Started Antivirus-Disabled Antivirus-Scan_Started Antivirus-Scan_Finished Antivirus-Error Application-Web_Opened Application-Web_Closed Application-Web_Reset Application-Web_Terminated Application-Web_Denied Application-Web_Redirected Application-Web_Proxy Application-Web_Error Application-Web_Misc Application-Web_Not_Found Access-Traffic_Inbound Access-Traffic_Outbound Access-Firewall_Misc_Event Suspicious-Network_Anomaly Suspicious-DNS_Protocol_Anomaly Suspicious-SSH_Protocol_Anomaly Suspicious-Telnet_Protocol_Anomaly Suspicious-HTTP_Protocol_Anomaly Suspicious-Mail_Protocol_Anomaly Suspicious-FTP_Protocol_Anomaly Suspicious-Threshold_Exceeded Denial_Of_Service-Other Access-File_Blocked Access-Tunnel_Connection Access-Tunnel_Closed System-Warning System-Emergency System-Critical System-Error System-Notification System-Information System-Debug System-Alert Access-Connection_Opened Access-Connection_Closed Access-Timeout System-Service_Started System-Service_Stopped System-Process_Started System-Process_Stopped Application-Spam_Detected Application-Mail_Dropped System-Restart System-Started System-Stopped System-Locked System-Unlocked Network-IKE_Activity Network-H.323_Activity Network-PPP_Activity Network-OCSP_Activity Network-L2TP_Activity Network-RIP_Activity Network-PPTP_Activity Network-SSL_Activity Network-IGMP_Activity Network-IPSEC_Activity Network-PKI_Activity Voip-Call_Started Voip-Call_Ended Voip-Misc Network-BOOTP_Activity Alert-IDS_Alert Alert-IPS_Alert Alert-HostIDS_Alert Application-Mail_Sent Application-Mail_Server_Misc Application-Mail_Received Availability-State_Up 
Availability-State_Down Availability-State_Critical Availability-State_Warning Availability-State_Unknown Availability-State_Unreachable Application-VPN_Opened Application-VPN_Closed Application-VPN_Denied Application-VPN_Misc System-Configuration_Changed Network-Misc Policy-Phishing Wireless-New_Network Wireless-Client_Associated Wireless-Flood Wireless-Disassociation Wireless-Deauthentication Wireless-Anomaly Wireless-Spoofing Wireless-Scanner_Detected Wireless-Misc Wireless-Probe Inventory-Service_Detected Inventory-Service_Change Inventory-Service_Misc Inventory-Operating_System_Detected Inventory-Operating_System_Change Inventory-Operating_System_Misc Inventory-Mac_Detected Inventory-Mac_Change Inventory-Mac_Misc Policy-Check_Failed Policy-Check_Passed Network-High_Load Authentication-Error Application-Web_Modified Authentication-Misc Application-DHCP_Release Application-DHCP_Misc Application-DHCP_Request Application-DHCP_Lease Application-DHCP_Pool_Exhausted Application-DHCP_Error System-Software_Installed Honeypot-Connection_Opened Honeypot-Attack_Detected Honeypot-Connection_Closed Honeypot-Misc Application-DNS_Succesful_Zone_Tranfer Application-DNS_Zone_Transfer_Failed Application-DNS_Misc Application-FTP_Command_Executed Application-FTP_Error Application-FTP_Connection_Opened Application-FTP_Connection_Closed Application-FTP_Misc Database-Login Database-Login_Failed Database-Query Database-Logout Database-Stop Database-Start Database-Error Database-Misc

However, this doesn't seem complete.
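As an added example (not elleLog's own code), one way to load a label list of this shape in Go and validate event tags against it before a correlation engine keys rules on them; splitting each label on its first hyphen into Category and Subcategory, and the short sample subset, are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed subset of the issue's list; the server would load the full one.
const sampleList = "Exploit-Shellcode Exploit-SQL_Injection Authentication-Bruteforce " +
	"Authentication-Failed Network-H.323_Activity"

// Taxonomy is the set of "Category-Subcategory" labels an event may be tagged with
// (added example, not elleLog code; the split on the first '-' is an assumption).
type Taxonomy struct {
	labels map[string]struct{} // every full label, for O(1) validation
	cats   map[string][]string // category -> sorted subcategories
}

// ParseTaxonomy reads a whitespace-separated label list, rejecting malformed
// entries and duplicates so the list can be checked for consistency up front.
func ParseTaxonomy(list string) (*Taxonomy, error) {
	t := &Taxonomy{labels: map[string]struct{}{}, cats: map[string][]string{}}
	for _, l := range strings.Fields(list) {
		cat, sub, ok := strings.Cut(l, "-")
		if !ok || cat == "" || sub == "" {
			return nil, fmt.Errorf("malformed label %q", l)
		}
		if _, dup := t.labels[l]; dup {
			return nil, fmt.Errorf("duplicate label %q", l)
		}
		t.labels[l] = struct{}{}
		t.cats[cat] = append(t.cats[cat], sub)
	}
	for _, subs := range t.cats {
		sort.Strings(subs) // sorts in place; the slice shares its backing array
	}
	return t, nil
}

// Valid reports whether a label seen on an incoming event is in the taxonomy,
// so unknown or misspelled tags are caught before they reach correlation rules.
func (t *Taxonomy) Valid(label string) bool {
	_, ok := t.labels[label]
	return ok
}

// Subcategories returns the sorted subcategories of one top-level category.
func (t *Taxonomy) Subcategories(cat string) []string { return t.cats[cat] }

func main() {
	t, err := ParseTaxonomy(sampleList)
	if err != nil {
		panic(err)
	}
	fmt.Println(t.Valid("Exploit-SQL_Injection"), t.Subcategories("Authentication"))
}
```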