Kraken Event API

Event Model

An event is a notification to the CERT or an administrator. You can easily generate events with EventDispatcher, but event generation should be designed carefully. Verbose and false alarms are very annoying, and administrators will soon ignore any true alarm. Suppress and compress events as much as you can. For example, you can generate a single event and update its counter for multiple port scan logs from one source IP.

An event has the following members:

required?  property         type      description
           key              EventKey  generated automatically
v          organizationId   int       See Organization entity
v          firstSeen        Date
v          lastSeen         Date      If count is 1, lastSeen should in general be the same as firstSeen
v          category         String    Attack, and so on
v          severity         int       Emergency(1), Alert(2), Critical(3), Warning(4), Notice(5)
           sourceIp         String    IPv4 address
           destinationIp    String    IPv4 address
           sourcePort       int
           destinationPort  int
v          messageKey       String    group,key
           messageValues    String    '|' separated values
           rule             String    Rule ID (e.g. NCHOVY-2011-0001)
           cve              String    CVE Name (e.g. CVE-2011-0001)
           detail           String    Detail evidence (e.g. packet bytes, request url)
v          count            int       1 by default

Event Dispatcher

The event dispatcher service dispatches each event to all connected event pipes.

public interface EventDispatcher {
	// Deliver a new event, or an update to an existing event (same key), to every connected pipe
	void dispatch(Event event);

	// Mark an event as acknowledged by the administrator; pipes receive onEventAcked
	void ack(Event event);

	void addEventPipe(EventPipe pipe);

	void removeEventPipe(EventPipe pipe);
}

An EventPipe receives both new events and acknowledged events:

public interface EventPipe {
	void onEvent(Event event);

	void onEventAcked(Event event);
}

Event Provider

An EventProvider is a source of events. It can analyze logs or monitor the environment, then generate events using the EventDispatcher. It should be configurable, but that is not implemented yet:

public interface EventProvider {
	String getName();
}

You can list all event providers in the system using the EventProviderRegistry service:

import java.util.Collection;

public interface EventProviderRegistry {
	Collection<String> getNames();

	EventProvider get(String name);

	void register(EventProvider provider);

	void unregister(EventProvider provider);

	void addEventListener(EventProviderRegistryEventListener callback);

	void removeEventListener(EventProviderRegistryEventListener callback);
}

EventProviderRegistry tracks all event providers automatically (i.e. you don't need to register event providers by hand).

Event Suppression Tip

Suppress the event until the administrator acknowledges it. Consider this example:

  1. A port scan occurs.
  2. Remember the attacker's IP address and generate an event.
  3. Subsequent logs from the same attacker are merged into the same event, updating its counter, until the administrator acknowledges it.
    • Invoke EventDispatcher with the specific event key, the updated lastSeen, and the counter.
  4. The administrator sees the port scan event and acknowledges it.
  5. EventPipe.onEventAcked(Event) is called.
  6. Purge the attacker's IP from working memory and go back to step 1.
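The steps above as a provider that is also its own EventPipe, written as an added example (not Kraken's own code). It assumes Event has a no-arg constructor and bean-style getters/setters named after the members in the Event Model table, and the onPortScanLog hook is hypothetical.

```java
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Port-scan provider that keeps one open event per attacker IP until it is acknowledged.
// Assumed, not confirmed by this page: Event has a no-arg constructor and bean-style
// getters/setters for the members listed in the Event Model table.
public class PortScanEventProvider implements EventProvider, EventPipe {
	private final EventDispatcher dispatcher;
	private final int organizationId;
	// working memory: attacker ip -> open (unacknowledged) event
	private final Map<String, Event> open = new ConcurrentHashMap<String, Event>();
	public PortScanEventProvider(EventDispatcher dispatcher, int organizationId) {
		this.dispatcher = dispatcher;
		this.organizationId = organizationId;
		dispatcher.addEventPipe(this); // so onEventAcked is delivered to this provider
	}

	@Override
	public String getName() { return "portscan"; }

	// Hypothetical hook, called by the log analyzer for each port-scan log line it detects.
	public void onPortScanLog(String attackerIp, Date seen) {
		Event e = open.get(attackerIp);
		if (e == null) {
			// first sighting: remember the attacker and build a new event (key is generated on dispatch)
			e = new Event();
			e.setOrganizationId(organizationId);
			e.setFirstSeen(seen);
			e.setCategory("Attack");
			e.setSeverity(4); // Warning
			e.setSourceIp(attackerIp);
			e.setMessageKey("portscan,detected"); // group,key
			e.setCount(1);
			open.put(attackerIp, e);
		} else {
			// same attacker, still unacknowledged: update the open event instead of alarming again
			e.setCount(e.getCount() + 1);
		}
		e.setLastSeen(seen);
		dispatcher.dispatch(e); // same key as before, so pipes receive an update, not a new alarm
	}
	@Override
	public void onEvent(Event event) { /* this provider only produces events */ }
	@Override
	public void onEventAcked(Event event) {
		// administrator acknowledged: purge the attacker so the next scan opens a fresh event
		String ip = event.getSourceIp();
		if (ip != null && open.get(ip) == event)
			open.remove(ip);
	}
}
```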
