Minutes Salsa-CSI2 Conference Call
August 16, 2007
**Attending**
Chris Misra, University of Massachusetts (Chair)
Joel Rosenblatt, Columbia University
Paul Asadoorian, OSHEAN
Wyman Miles, Cornell
Dan Adinolfi, Cornell
Doug Pearson, REN-ISAC/Indiana
Dean Woodbeck, Internet2 (scribe)
**Action Items**
[AI] Dan will send the current link for Spider to the list.
[AI] Chris will work with SteveO on creating a tools page for the CSI2 web page and/or wiki.
[AI] GROUP -- develop ideas for the CSI2 agenda for the next couple of months, particularly in defining needed/useful tool development.
**Spider**
The working group discussed the move of Spider (the open source forensics tools for network and system administrators) from Cornell to Internet2. Nothing will change in Spider, and the association with I2 will provide a community home for the software. I2 will provide a mailing list, web site, wiki space and other support for the Spider community. Cornell is hoping to make this a community-based project and involve others in the continuing development of these tools.
The transfer has not been completed – SteveO will send a note to the CSI2 list when it is. In the meantime, Dan provided the current link: http://www.cit.cornell.edu/security/tools/
This led to a discussion about creating a central location for all security tools. [AI] Chris will work with SteveO on creating a tools page for the CSI2 web page and/or wiki.
**Google Hack**
There was a short discussion about Google Hacks, in relation to security tools. Paul mentioned that he is helping OSHEAN members in this regard and is looking for a tool that uses the Google API that runs a constant query or a daily query to pick up on misconfigured web sites that allow people to write HTML pages to them. He would also like to extend it to look for web application vulnerabilities.
**Metrics**
Joel is in the process of organizing the Educause metrics group and will be the chair. He is also a member of a metrics working group through the Institute for Applied Network Security.
**RENOIR**
Phil is continuing to work on it.
**New Members**
Chris continues to work on new members and would appreciate any thoughts/input from the working group.
A question came up about the ultimate goal or vision of the working group’s purpose/destination. Chris gave a brief history of the working group – over Internet2 and Educause, there wasn’t anything specific to security and tool-building. The focus is on developing tools and functional capabilities, facilitating and encouraging projects, working on projects related to forward-looking concepts like federations and shared security services, and building a community around these ideas.
**Shared Darknet**
There was a question about whether the community would prefer a home-grown ANML path for shared darknet analysis or an Atlas-like path. Each would do the same thing in the end, but would get the data differently. Atlas would require GREs tunneled into a central collector, as opposed to collecting data at the sites and shipping to a central location.
The analysis would be similar. On the Atlas side, the developers are doing a lot of work in terms of data analysis, but REN-ISAC would have less access to the raw data. Another difference – Atlas may be interested in creating an EDU view to see what’s happening in all of the EDU space. That data would roll up into a global view, as well. With Atlas, there wouldn’t be the community involvement in setting direction, but there would be a lot of resources available.
Those on the call didn’t express a preference either way. Columbia, for example, collects and processes the data in real-time and saves a month’s worth of netflow data. Whether it is home-grown or Atlas, the key is whether the process works and produces a useful final product, although the use of a GRE has the potential to impede the process.
There may be the potential to have both a GRE approach and the shared darknet approach, depending on the needs of the institutions.
**Future Agendas**
[AI] Chris asked the working group to develop ideas for the CSI2 agenda for the next couple of months, particularly in defining needed/useful tool development. Are there gaps in the tool development space that CSI2 can fill, or other gaps that CSI2 should look at?
The report from the Cambridge CSI2 face-to-face has been vetted and is posted on the CSI2 web site.
**Next call 13 September 2007**