Message-ID: <4D336507.5030906@imsec.ch>
Date: Sun, 16 Jan 2011 22:37:11 +0100
From: "Marcus Holthaus (IMSEC)"
Organization: IMSEC
To: alois-dev@incubator.apache.org
Subject: Slight rework of apache alois paper for IMF 2011

Hi all

I just made a few modifications to the excellent text prepared by Urs Lerch.

Most of them are little corrections regarding system details probably unknown to Urs (my history with the tool is longer), some are in respect to the existing fields of use and the potentials for forensic applications, and some just represent differing feelings on how to formulate an English essay.

One thing I cannot handle myself: Urs's figure 2 misses four components:

a) An array from "dobby" to "lizard", implying message data flow for message analysis and correlation
b) an array from "lizard" to "reptor" (not "reporter"), indicating message flow for reports and alarms
c) an array from "prisma" to "lizard", indicating the flow of messages for which there is no input filter (prisma) yet, but which can be analysed all the same
d) an "s" in "prisma"

Urs: Could you correct that, please?

Thanks

-- Marcus

-- 
-- Dr. Marcus Holthaus
-- IMSEC GmbH, Sonnhaldenstrasse 87, CH 6331 Hünenberg
-- +41 41 780 00 11, marcus.holthaus@imsec.ch
-- The primary second opinion on IT security
-- Please Use OpenPGP key FDBD17F2 to encrypt your mail to me.