Goals of the Release
- Add additional features to the existing TopNetE network application
- Introduce the CER factory,
a simple way to inject events into the EDDY
framework without the need to develop new normalizer agents in Java. This
feature will also include a facility for embedded systems and simple scripts
that scan log files
to simply inject events into an EDDY cluster
- Add SSL plug-ins to argument Unix domain socket and network socket
template transports. (Update 2)
- Extend the service to accept asynchronous template submission requests
(update 3)
- Increase the performance of the framework with respect to marshalling
events
- Removed references to manual copying of the jssecacerts EDDY root certificate
file into the JDK (Update 2)
- Increased robustness of transport (TLS) to accommodate non-EDDY connection
requests (Update 4)
Additions from the past 0.5.1 (Sushi) Release
- Better internal error notification of back plane problems (configuration,
transport, etc.)
- All Framework options are now configurable
- Included new types of CERs
- Performance bug fixes
Components
The following is a high level view of the major components of the release.
- A event transport and dissemination framework for,
- Developing and running back plane agents
- Creating new CER's
- Agents to begin to use the back plane and act as a template for creating
new types
- Normalzers (to import events, e.g. log files, network flows, etc.)
- Native (high performance Java API)
- CER Factory
(medium performance Perl API)
- Transformation (data anonymization and aggregation)
- Application (API to external analysis services and tools)
Documentation (start here)
Base Documentation: The EDDY Development
and Deployment Guide is a comprehensive document that provides an,
- Introduction to concepts and methods
- Explanation of the EDDY agent framework
- Guide to setting up the development environment
- Primer for developing EDDY agents
CER Factory: The EDDY CER
Factory is a service that simplifies the creation of a CER from event
data by reducing the effort and complexity in doing so. A Factory Design
and Development Guide provides both an overview and detail into the
motivation and operation of the factory. The document provides an,
- Quick start users guide
- Insights into the Design and Motivation
- Sample templates
High Level Overview: To visually explain the concepts
of the EDDY components a Visual Glossary
is provided as well as an overview of
the CER Factory.
We recommend that the developer starts with the Development
and Deployment Guide rather then just acquiring the source code directly
as it will explain concepts and methods that will insure a properly configured
development environment.
Software
This software distribution is can be obtained via anonymous CVS or a tar
file via HTTP:.
Feature Roadmap
Keeping with the 2008/2009 development timeline, during the late summer and
fall of 2008, the EDDY team will begin prioritizing and designing the features
of the next release. During the next year's efforts, the goals of the
2008/2009 development timeline will be,
The EDDY team encourages developers to create new CERs as needed. We suggest
that they check the following list to see if one has not been created yet. Since
this project is at a very early stage this is likely to be the case. When the
developer begins to create a new CER, we suggest the following process
We suggest that the developer try to find a CER that closely resembles the
one they desire and morph it into a structure that fits their requirements.
The following are official CERs that have been registered in our OID list.
| EDDY OID |
Class |
Payload Types |
Name |
Derived From OID(s) |
Description |
Status |
| - |
any |
raw,cooked |
CERv0.6.9 |
generic |
Base CER description that all others are built from |
complete |
| 1001 |
network |
raw,cooked |
eddy_network_argus_v2.0.11 |
native |
Argus network flow record - version 2.0 |
complete |
| 1002 |
network |
raw,cooked |
eddy_network_argus_v2.0.11_dragnet |
1003 |
CMU Dragnet project flow record which includes, everything from the EDDY
OID 1003 except there is no payload and the src/dst addresses are anonyimized. |
complete |
| 1003 |
network |
raw,cooked |
eddy_network_argus_v2.0.0_iso |
1001 |
CMU Information Security Office flow records flow record which includes,
src/dst address, src/dst port numbers, src/dst packet counts, src/dst byte
counts, protocol, src/dst payload |
complete |
| 1004 |
network |
analysis |
eddy_analyzed_topnete_v1.0.0
|
1001, 1002, 1003 |
Top network talkers, a summary of the top (configurable) hosts sorted
by their usage of packets, flows, or bytes within a specific time window.
Also included are the services that each host has running. |
complete |
| 1005 |
environmental |
raw,cooked |
eddy_environmental_cbpd_v1.0.0 |
native |
CMU connected building project, records from embedded devices such as,
environmental sensors, actuators, and control devices such as embedded systems. |
complete |
| 1006 |
network |
raw,cooked |
eddy_network_snmp_v1.0.0 |
native |
SNMP version 1 record |
in process |
| 1007 |
network |
raw,cooked |
eddy_network_snmp_v1.0.0_trap |
native |
SNMP version 1 trap |
in process |
| 1008 |
application |
raw,cooked |
eddy_application_boa_v1.0.0 |
native |
BOA web server log record. |
complete |
| 1009 |
network |
raw,cooked |
eddy_network_cisco_netflow_v5 |
native |
Cisco NetFlow version 5 |
complete |
| 1020 |
application |
raw,cooked |
eddy_application_genlog_v1.0.0 |
native |
Generic log file |
complete |
| 1021 |
application |
raw,cooked |
eddy_application_shibboleth_v1.0.0 |
native |
Shibboleth log files |
complete |
| 1022 |
application |
raw,cooked |
eddy_application_mon_v1.0.0 |
native |
Mon monitoring service |
complete |
| 1023 |
application |
raw,cooked |
eddy_application_dns_v.1.0.0 |
native |
Domain Name Service/Bind |
complete |
| 1024 |
network |
raw,cooked |
eddy_network_cisco_netflow_v9 |
native |
Cisco NetFlow version 9 |
planned |
| 1025 |
application |
raw,cooked |
eddy_application_censcir_v.1.0.0 |
native |
CMU Center for Sensed Critical Infrastructure Research (senscir events) |
in progress |
| 1026 |
security |
raw,cooked |
eddy_application_snort_v.1.0.0 |
native |
Snort IDS log events |
complete |
| 1027 |
network |
raw.cooked |
eddy_network_ip_tables_v.1.0.0 |
native |
Linux IP Table events |
complete |
| 1028 |
application |
raw,cooked |
eddy_application_sshd_v.1.0.0 |
native |
Secure Shell Daemon (sshd) event logs |
complete |
| 1029 |
security |
raw/cooked |
eddy_security_ses_v.1.0.0 |
native |
IDMEF events |
complete |
| not assigned |
application |
raw,cooked |
eddy_application_sendmail_v.1.0.0 |
native |
Sendmail log records |
in process |
| not assigned |
application |
raw,cooked |
eddy_application_template_v1 |
native |
Example/template for creating new application CER events |
planned |
| not assigned |
system |
raw,cooked |
eddy_system_template_v1 |
native |
Example/template for creating new system CER events |
planned |
| not assigned |
network |
raw,cooked |
eddy_network_template_v1 |
native |
Example/template for creating new network CER events |
planned |
| not assigned |
application |
cooked |
eddy_application_eddy_error_v1 |
native |
Internal errors from EDDY framework agents |
in progress |
| not assigned |
application |
cooked |
eddy_application_eddy_status_v1 |
native |
Internal status information form EDDY framework agents |
in progress |
| not assigned |
application |
raw,cooked |
eddy_application_syslog_v1 |
native |
Syslog events |
in progress |
| not assigned |
application |
raw,cooked |
eddy_application_smtp_v1 |
native |
SMTP events |
in progress |
| not assigned |
application |
raw, cooked |
eddy_application_pop_v1 |
native |
POP events |
in progress |
| not assigned |
application |
raw, cooked |
eddy_application_imap_v1 |
native |
IMAP events |
in progress |
| not assigned |
application |
raw, cooked |
eddy_application_cyrus_v1 |
native |
Cyrus mail infrastructure events |
in progress |
| not assigned |
application |
raw, cooked |
eddy_application_spam_engine_v1 |
native |
Generic spam engine events |
in progress |
| not assigned |
network |
raw, cooked |
eddy_application_argus_v3.0 |
native |
Argus network flow record - version 3.0 |
planned |
Copyright
Copyright © 2004-2009 Carnegie Mellon. All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. The name "Carnegie Mellon University" must not be used to
endorse or promote products derived from this software without prior written
permission. For permission or any legal details, please contact:
Center for Technology Transfer
Carnegie Mellon University
4615 Forbes Avenue
Pittsburgh, PA 15213-3890
(412) 268-7393, fax: (412) 268-7395
4. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed at Carnegie Mellon University
".
THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESSED
OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DECLINED.
IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTES GOOD OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF OR RELATING TO THE USE (INCLUDING
DISTRIBUTION OR PERFORMANCE) OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGES.
(c) 2003-2009 Carnegie Mellon. All Rights Reserved.
