Thread: [sleuthkit-developers] Application Categories - second try
From: Matthias H. <mat...@mh...> - 2004-02-01 11:46:53
Hi all,

here is a short writeup from our last discussion about application categories.
(kg) means, default for this category is known-good and (kb) is known-bad.

Application entry:

- remote management (kg)
  Examples: vnc, PC Anywhere, BO/BO2K, SubSeven (???) ...

- office tools (kg)
  Examples: the different office suites - MS Office, OpenOffice, StarOffice, Adobe Acrobat ...

- database (kg)
  Examples: the database server and clients, database content files

- desktop (kg)
  Examples: desktop programs like kde tools, acrobat reader, winzip, games, screensavers, web browser, email clients

- security (kg)
  Examples: nmap, hping2, virus scanners and signatures, content filter software, tripwire/aide/samhain, IDS tools

- sysutils (kg)
  Examples: every day sysadmin utilities (*nix: /sbin/*, /usr/bin ...)

- server daemons (kg)
  Examples: sendmail, postfix, pop3d, imapd, apache, ...

- web/network (?) (kg)
  Examples: cgi scripts, php files, ...

- multimedia (kg)
  Examples: sound-, picture-, video-files

- drivers (kg)
  Examples: driver software (sic!)

- (child-)porn (kb)
  Examples: the name says it all

- malware (kb)
  Examples: rootkits, malicious code, worms, viruses, trojans, backdoors ...

- other (kg)
  Examples: everything which doesn't fit in the other categories

Is "malware" an appropriate name? Shall we further divide this category?

How about the separate "child-porn" section? There are other kinds of illegal porn which do not fit in this category.

Is "web" or "network" a better name? What more content would include network which doesn't fit in the other categories?

It seems that our "remote management" category includes potentially more known-bad (subseven/BO(2K) ...) than known-good tools. Should we disband this category and absorb it in the other categories?

Does anyone have good ideas for other groups or better group names?

Regards,

Matthias

--
Matthias Hofherr
mail: mat...@mh...
web: http://www.forinsect.de
gpg: http://www.forinsect.de/pubkey.asc
From: Brian C. <ca...@sl...> - 2004-02-03 17:11:35
Thanks Matthias. Some of these still have a lot of overlap. For example, acroread is very similar to any of the office tools since you can read and now apply edits to the document. In general, the desktop category seems to be a different form of "other". Similarly, the web category has a lot of overlap with server daemons.

Here is a quick guess at how I would organize some of this. It is not done and may be completely off. I realized as I was doing it that it could be useful to distinguish between tools in the category and files in the category:

System Tools and Files
- Files that are required for the kernel and operating system to run
  - the kernel executable and other required executables
- Files that are used to administer the kernel and operating system
  - config files, registry ...
- General files that are used by applications
  - system libraries, dll
- Files that are needed to develop tools for the system
  - system header files
- Drivers?

Communication Tools
- User-level tools that send or receive files from other network hosts
  - email client, web browser, ftp client, peer-to-peer client
  - email server, HTTP server, FTP server ...
- User-level tools that allow interactive communication between two people
  - im, irc

Communication Files
- Files used to communicate data or other files:
  - email with headers, HTML pages WITH HTTP data, any 'encoded' file
  - im logs

Document Tools
- Tools that create or view human-readable documents that are used to store and organize data
  - office, openoffice, excel, acrobat reader
  - text editor
  - HTML development tools
  - cgi, php ...

Document Files
- Files that can be interpreted to show human-readable data
  - Word Documents, HTML files, pdf files, xls files
  - text files

Multimedia Tools
- Tools that play or record audio
  - iTunes, ...
- Tools that play or record video
  - Real, quicktime, Windows Media ...
- Tools that play or record still photographs and graphics
  - Photoshop, Illustrator

Multimedia Files
- Audio Files
  - mp3, wav
- Video Files
  - avi
- Graphic Files
  - jpg, gif ...

----------------------------------------------------

I'm less confident about these:

Personal Organization Tools and Files
- Files used to organize a user's time and tasks
  - calendar, address book, todo list?
  - PDA sync tools

Database
- Tools and files that are used to store and retrieve data from a database
  - oracle, access, SQL
  - files for the above databases

Security - Prevention
- Tools and files that are used to secure a system from attack
  - anti-virus
  - personal firewalls
  - IDS

Security - Attack
- Tools and files that are used to cause a security incident
  - exploits
  - attack tools
  - DDoS tools
  - viruses
- Tools and files that are used to remove evidence of incident
  - log cleaner
  - evidence eliminator
- Tools and files that are used to allow access to a compromised system
  - rootkits

Games
- Tools and files that are games
  - solitaire ....

----------------------

I haven't thought enough about these tools yet:

network port scanners
network IP scanners (ping)
network sniffers
remote management
hex editor
calculator
winzip, tar.gz
encryption tools
development tools

On Feb 1, 2004, at 6:27 AM, Matthias Hofherr wrote:

> Hi all,
>
> here is a short writeup from our last discussion about application
> categories.
> (kg) means, default for this category is known-good and (kb) is
> known-bad.
>
>
> Application entry:
>
> - remote management (kg)
>   Examples: vnc, PC Anywhere, BO/BO2K, SubSeven (???) ...
>
> - office tools (kg)
>   Examples: the different office suites - MS Office, OpenOffice,
>   StarOffice, Adobe Acrobat ...
>
> - database (kg)
>   Examples: the database server and clients, database content files
>
> - desktop (kg)
>   Examples: desktop programs like kde tools, acrobat reader, winzip,
>   games, screensavers, web browser, email clients
>
> - security (kg)
>   Examples: nmap, hping2, virus scanners and signatures, content filter
>   software, tripwire/aide/samhain, IDS tools
>
> - sysutils (kg)
>   Examples: every day sysadmin utilities (*nix: /sbin/*, /usr/bin ...)
>
> - server daemons (kg)
>   Examples: sendmail, postfix, pop3d, imapd, apache, ...
>
> - web/network (?) (kg)
>   Examples: cgi scripts, php files, ...
>
> - multimedia (kg)
>   Examples: sound-, picture-, video-files
>
> - drivers (kg)
>   Examples: driver software (sic!)
>
> - (child-)porn (kb)
>   Examples: the name says it all
>
> - malware (kb)
>   Examples: rootkits, malicious code, worms, viruses, trojans,
>   backdoors ...
>
> - other (kg)
>   Examples: everything which doesn't fit in the other categories
>
> Is "malware" an appropriate name? Shall we further divide this
> category?
>
> How about the separate "child-porn" section? There are other kinds of
> illegal porn which do not fit in this category.
>
> Is "web" or "network" a better name? What more content would include
> network which doesn't fit in the other categories?
>
> It seems that our "remote management" category includes potentially
> more known-bad (subseven/BO(2K) ...) than known-good tools. Should we
> disband this category and absorb it in the other categories?
>
> Does anyone have good ideas for other groups or better group names?
>
> Regards,
>
> Matthias
>
>
> --
> Matthias Hofherr
> mail: mat...@mh...
> web: http://www.forinsect.de
> gpg: http://www.forinsect.de/pubkey.asc
>
>
> _______________________________________________
> sleuthkit-developers mailing list
> sle...@li...
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers
From: Matthias H. <mat...@mh...> - 2004-02-08 15:40:11
Hi Brian,

Brian Carrier said:

[...]
> Security - Prevention
> - Tools and files that are used to secure a system from attack
>   - anti-virus
>   - personal firewalls
>   - IDS
>
> Security - Attack
> - Tools and files that are used to cause a security incident
>   - exploits
>   - attack tools
>   - DDoS tools
>   - viruses
> - Tools and files that are used to remove evidence of incident
>   - log cleaner
>   - evidence eliminator
> - Tools and files that are used to allow access to a compromised system
>   - rootkits
[...]

What about tools which are used by both blackhats and whitehats? Where would you place, e.g., nmap, packit ...?

In which category would you place child-porn?

Regards,

Matthias
From: Brian C. <ca...@sl...> - 2004-02-09 06:04:45
On Feb 8, 2004, at 10:40 AM, Matthias Hofherr wrote:

> What about tools which are used by both blackhats and whitehats? Where
> would you place, e.g., nmap, packit ...?

I have no clue. I think we need to group them based on core functionality, not on historical associations. Therefore, nmap would go in the same category as all port scanners, even the nice Windows GUI ones. I didn't add them to a category because I wasn't sure if there should be a network utilities category and, if there was such a category, what its requirements would be. I am unsure if port scanners are an attack security tool or a general network tool. I'm not sure where sniffers fit either. I would say that packit is an attack tool, so it goes into the security-attack category.

The categories can't reflect the intent of an installation or execution. Port scanners that have been customized to search for specific services and launch attacks or create config files that can be used for attacks have been designed to attack and would therefore go into the attack category and are considered different from nmap.

After thinking about this, when these searches are conducted on the hard disk, we are looking for tools and files that serve a certain function. If we are looking at a server intrusion case, we want to know about all tools that could have played a role, regardless of whether it is nmap or netcat or the network utilities program that comes with OS X.

Maybe subcategories are a good idea. For example, there may be a general network utilities category. You can select it as either all good or all bad, or you can select the state of each subcategory (host scanners, port scanners, sniffers). Any of these utilities that has been customized for attacking will be placed in the security attack category.

> In which category would you place child-porn?

It falls in the 'Multimedia Files' category because it is a graphical image file. Child porn is such a unique and common case though, that I think it warrants a subcategory or a related multimedia category.

This is tough!

As a test for any taxonomy that we come up with, it would be useful if we could map the existing application types in the NSRL to them.

thanks,
brian
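The category tree with selectable subcategory states that Brian sketches in his last message (a general "network utilities" category that the examiner can mark all good or all bad, or set per subcategory), together with his proposed test of mapping a hash set's application types onto the taxonomy, as an added example. This is not Sleuth Kit code from the thread: the top-level category names follow Brian's draft, while the `Network Utilities` subtree, the NSRL-style product records and the type-to-path mapping are constructed for the example.

```python
"""Hierarchical application categories with known-good (kg) / known-bad (kb)
defaults, per-case examiner overrides, and a hash-set coverage check.

Added example, not Sleuth Kit code. Category names follow the draft in this
thread; the NSRL-style records below are constructed sample data, not real rows.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KNOWN_GOOD = "kg"
KNOWN_BAD = "kb"


@dataclass
class Category:
    name: str
    default: Optional[str] = None          # kg / kb, or None to inherit the parent's
    children: Dict[str, "Category"] = field(default_factory=dict)

    def add(self, name: str, default: Optional[str] = None) -> "Category":
        child = Category(name, default)
        self.children[name] = child
        return child


class Taxonomy:
    """Category tree plus per-case examiner overrides. The deepest override on a
    path wins; without one, the deepest category default on the path wins."""

    def __init__(self) -> None:
        self.root = Category("root", KNOWN_GOOD)   # unlisted categories default to kg
        self.overrides: Dict[str, str] = {}        # "parent/child" -> kg / kb

    def resolve(self, path: str) -> Tuple[Category, str]:
        """Return (category, effective kg/kb status) for a '/'-separated path."""
        node, default, override, prefix = self.root, self.root.default, None, ""
        for part in path.split("/"):
            if part not in node.children:
                raise KeyError(f"unknown category: {path!r}")
            node = node.children[part]
            prefix = f"{prefix}/{part}" if prefix else part
            if node.default is not None:
                default = node.default
            if prefix in self.overrides:
                override = self.overrides[prefix]
        return node, override if override is not None else default

    def set_state(self, path: str, status: str) -> None:
        """Select a category, and everything below it, as all good or all bad."""
        if status not in (KNOWN_GOOD, KNOWN_BAD):
            raise ValueError(status)
        self.resolve(path)                         # raises on an unknown path
        self.overrides[path] = status


def build_taxonomy() -> Taxonomy:
    """Brian's draft top-level categories plus the network-utilities subtree
    (constructed here) that he floats at the end of the thread."""
    t = Taxonomy()
    for name in ("System Tools and Files", "Communication Tools", "Document Tools",
                 "Multimedia Tools", "Multimedia Files", "Database",
                 "Security - Prevention", "Games"):
        t.root.add(name)                            # inherit kg from the root
    t.root.add("Security - Attack", KNOWN_BAD)
    net = t.root.add("Network Utilities")           # kg by default, selectable per subcategory
    for sub in ("host scanners", "port scanners", "sniffers"):
        net.add(sub)
    return t


# Constructed NSRL-style records (product name, application type); not real NSRL data.
SAMPLE_PRODUCTS: List[Tuple[str, str]] = [
    ("OpenOffice.org", "Office Suite"),
    ("Nmap", "Port Scanner"),
    ("tcpdump", "Network Sniffer"),
    ("Snort", "Intrusion Detection"),
    ("iTunes", "Audio Player"),
    ("Oracle Database", "Database"),
    ("Solitaire", "Game"),
    ("PuTTY", "Terminal Emulator"),                 # deliberately left unmapped
]

# Hypothetical mapping from hash-set application types to taxonomy paths.
TYPE_TO_PATH: Dict[str, str] = {
    "Office Suite": "Document Tools",
    "Port Scanner": "Network Utilities/port scanners",
    "Network Sniffer": "Network Utilities/sniffers",
    "Intrusion Detection": "Security - Prevention",
    "Audio Player": "Multimedia Tools",
    "Database": "Database",
    "Game": "Games",
}


def classify(tax: Taxonomy, products) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Map each (product, type) record to (product, category path, effective status)."""
    rows = []
    for product, app_type in products:
        path = TYPE_TO_PATH.get(app_type)
        status = tax.resolve(path)[1] if path else None
        rows.append((product, path, status))
    return rows


def unmapped_types(products) -> List[str]:
    """Brian's test for the taxonomy: application types with no category yet."""
    return sorted({t for _, t in products if t not in TYPE_TO_PATH})


if __name__ == "__main__":
    tax = build_taxonomy()
    # Intrusion case: the examiner flags sniffers as known-bad, leaves scanners kg.
    tax.set_state("Network Utilities/sniffers", KNOWN_BAD)
    for product, path, status in classify(tax, SAMPLE_PRODUCTS):
        print(f"{product:16} {path or '<unmapped>':34} {status or '-'}")
    print("still unmapped:", unmapped_types(SAMPLE_PRODUCTS))
```

The override precedence is the part that matters for the "all good or all bad, or per subcategory" requirement: marking `Network Utilities` known-bad flips every subcategory, and a later per-subcategory selection on `port scanners` wins only for that branch. `unmapped_types` is the coverage check Brian asks for; any type it returns is a gap in the taxonomy, not in the hash set.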