Hosting Provided By

RE: Views and Correlation in Intrusion Detection

From: Jeff Nathan <jeff(at)snort.org>
Date: Fri Jun 27 2003 - 20:04:45 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--On Thursday, June 26, 2003 15:19 -0400 Richard Ginski <rginski@co.pinellas.fl.us> wrote:

>
> Warning...possible stupid questions below:

IDMEF is a very well intentioned idea. To provide a framework for uniform message passing and a protocol to support such messages between IDS and data collection systems. As it is only a framework, it sets forth certain requirements as to what must be and should be supported but stops short of saying just how they should be supported.

The IDMEF implementation that has become the most prevalent is the XML implementation which in and of itself is contrary to facilitating high-speed message passing between IDS and data collection systems. What really is missing from the IDMEF proposed standard is a requirement stating how data should be passed. Literally, what format it is in. Converting a 4 byte IPv4 address to a 16 byte null-terminated ASCII string is just one small but relevant example of the exponential performance penalty incurred by an XML based IDMEF implementation.

If high-speed distributed data collection and analysis is the goal, it must take high-speed message generation into account. Imagine if TCP/IP data was passed using ASCII strings in an XML format...

-Jeff
-- http://cerberus.sourcefire.com/~jeff (gpg key available) Great spirits have always encountered violent opposition from mediocre minds.
- Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+/NudEqr8+Gkj0/0RAghdAJ4jzQII5AQiouqfeiqk+pjhnkU7GwCdGwv+ /7S61bxCcdW7z1p4hrjTlOs=
=Dg2t
-----END PGP SIGNATURE-----

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

Received on Wed Jul 2 10:15:19 2003

This message: [ Message body ]
Next message: Lim Meng Koon: "RE: Foundry ServerIronXL Question"
Previous message: Jeff Nathan: "RE: Views and Correlation in Intrusion Detection"
In reply to: Richard Ginski: "RE: Views and Correlation in Intrusion Detection"
Next in thread: Anton A. Chuvakin: "RE: Views and Correlation in Intrusion Detection"
Reply: Lim Meng Koon: "RE: Foundry ServerIronXL Question"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT

Do you need help?