Hosting Provided By

Re: Views and Correlation in Intrusion Detection

From: Blake Matheny <bmatheny(at)mkfifo.net>
Date: Wed Jul 02 2003 - 12:33:37 EDT

If you look at the ietf draft, sections 6.17 and 6.19 clearly state that it 'The IDMEF itself MUST be extensible'. I think using some of the IDMEF fields for a required (or suggested) set of data is okay. Bishops' paper, "A Standard Audit Trail Format", proposed a very general, novel format for audit data. His proposed solution allows you to describe a very large set of data. I think augmenting IDMEF, with something like Bishop's solution can be appropriate. If you check section 4.2.4.6 of
http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-10.txt the AdditionalData class would allow for that type of augmentation. I'm curious what information can't be represented by this. If anyone knows the limitations, please let me know.

In terms of normalizing IDS data, are we talking about converting from the original format to an intermediary? If so, we start getting into issues of message semantics, data transformations, and lots of other areas that no one seems to be wanting to tread :-) If you look at related research literature, much of it assumes a common format.

Cheers,

-Blake

Whatchu talkin' 'bout, Willis?
> >Doesn't a major component of such a thing already exist with Intrusion

-- 
Blake Matheny           "... one of the main causes of the fall of the
bmatheny@mkfifo.net      Roman Empire was that, lacking zero, they had
http://www.mkfifo.net    no way to indicate successful termination of
http://ovmj.org/GNUnet/  their C programs." --Robert Firth

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

Received on Wed Jul 2 14:14:19 2003

This message: [ Message body ]
Next message: Skip Carter: "Re: Anyone else using Argus for monitoring?"
Previous message: aleph1(at)securityfocus.com: "(forw) NIST release of NIST Interagency Report (NISTIR) 7007 - An Overview of Issues in Testing Intrusion Detection Systems"
In reply to: Anton A. Chuvakin: "RE: Views and Correlation in Intrusion Detection"
In reply to Anton A. Chuvakin: "RE: Views and Correlation in Intrusion Detection"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT