[asterisk-commits] russell: branch group/security_events r199019 - /team/group/security_events/
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Thu Jun 4 08:45:07 CDT 2009
Author: russell
Date: Thu Jun 4 08:45:03 2009
New Revision: 199019
URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=199019
Log:
Add security log formatting info
Modified:
team/group/security_events/security_events.txt
Modified: team/group/security_events/security_events.txt
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/security_events.txt?view=diff&rev=199019&r1=199018&r2=199019
==============================================================================
--- team/group/security_events/security_events.txt (original)
+++ team/group/security_events/security_events.txt Thu Jun 4 08:45:03 2009
@@ -205,38 +205,55 @@
associated content will look like:
IE: SecurityEvent
-Content: This is the security event sub-type. The potential values are:
- -> FailedACL
+Content: This is the security event sub-type.
+Values: FailedACL
IE: EventVersion
-Content:
+Content: This is a numeric value that indicates when updates are made to the
+ content of the event.
+Values: Monotonically increasing integer, starting at 1
IE: Service
-Content:
+Content: This is the Asterisk service that generated the event.
+Values: SIP
IE: Module
-Content:
+Content: This is the Asterisk module that generated the event.
+Values: chan_sip
IE: AccountID
-Content:
+Content: This is a string used to identify the account associated with the
+ event. In most cases, this would be a username.
IE: SessionID
-Content:
+Content: This is a string used to identify the session associated with the
+ event. The format of the session identifier is specific to the
+ service. In the case of SIP, this would be the call ID.
IE: SessionTV
-Content:
+Content: The time that the session associated with the SessionID started.
+Values: <seconds>.<microseconds> since epoch
IE: ACLName
-Content:
+Content: This is a string that identifies which named ACL is associated with
+ this event.
IE: LocalAddress
-Content:
+Content: This is the local address that was contacted to for the related event.
+Values: <Address Family>/<Transport>/<Address>/<Port>
+Examples:
+ -> IPV4/UDP/192.168.1.1/5060
+ -> IPV4/TCP/192.168.1.1/5038
IE: RemoteAddress
-Content:
+Content: This is the remote address associated with the event.
+Examples:
+ -> IPV4/UDP/192.168.1.2/5060
+ -> IPV4/TCP/192.168.1.2/5038
IE: EventTV
-Content:
+Content: This is the timestamp of when the event occurred.
+Values: <seconds>.<microseconds> since epoch
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
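Review bot: AccountID and SessionID carry attacker-controlled strings (the username from the rejected request and, for SIP, the Call-ID header), but the hunk defines no escaping, quoting or length rule for IE content, so a crafted username containing a newline or the IE separator could split or forge log records; specify how IE values are escaped (or restrict them to a safe character set) before anything starts parsing these lines. Two smaller points in the same hunk: RemoteAddress lacks the `Values: <Address Family>/<Transport>/<Address>/<Port>` line that LocalAddress has, and the LocalAddress text "the local address that was contacted to for the related event" should read "that was contacted for the related event". EventVersion should also state whether the integer is per sub-type (FailedACL) or for the SecurityEvent set as a whole, since consumers need to know which definition a version number selects.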
@@ -261,26 +278,5 @@
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
---------------------------------------------------------------------------------
---- Random Thoughts ------------------------------------------------------------
---------------------------------------------------------------------------------
-
- - Try to detect if an auth attack is trying different passwords by using the
- same nonce after some number of unsuccessful auth attempts
-
- - Log Subscribe to invalid exten?
- -> request not allowed with meta data
-
- - RTP
- -> invalid payload?
- -> unexpected source addr?
-
- - Differentiate between security error events and informational events
-
- - Events must all be individually interpretable
-
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
-
-================================================================================
-================================================================================
+================================================================================
+================================================================================
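Review bot: this hunk deletes the whole Random Thoughts section although the commit message only says "Add security log formatting info", and two of the removed items are requirements rather than loose notes: "Differentiate between security error events and informational events" and "Events must all be individually interpretable" are not yet reflected in the IE list above (there is no severity or event-class IE). Suggest keeping those two as a short requirements list in the main body, and moving the detection ideas (same-nonce password guessing, Subscribe to an invalid extension, RTP invalid payload / unexpected source address) into a TODO section rather than dropping them.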