IDS mailing list archives
Re: Views and Correlation in Intrusion Detection
From: Blake Matheny <bmatheny () mkfifo net>
Date: Wed, 2 Jul 2003 12:33:37 -0400
If you look at the ietf draft, sections 6.17 and 6.19 clearly state that it 'The IDMEF itself MUST be extensible'. I think using some of the IDMEF fields for a required (or suggested) set of data is okay. Bishops' paper, "A Standard Audit Trail Format", proposed a very general, novel format for audit data. His proposed solution allows you to describe a very large set of data. I think augmenting IDMEF, with something like Bishop's solution can be appropriate. If you check section 4.2.4.6 of http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-10.txt the AdditionalData class would allow for that type of augmentation. I'm curious what information can't be represented by this. If anyone knows the limitations, please let me know. In terms of normalizing IDS data, are we talking about converting from the original format to an intermediary? If so, we start getting into issues of message semantics, data transformations, and lots of other areas that no one seems to be wanting to tread :-) If you look at related research literature, much of it assumes a common format. Cheers, -Blake Whatchu talkin' 'bout, Willis?
Doesn't a major component of such a thing already exist with Intrusion Detection Message Exchange? http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txtNot really. IDMEF is likely impossible to use to define alerts from non-IDS devices which still report on intrusions, such as host logs, firewall messages, etc. Such circumstantial evidence plays a major role in detecting intrusions beyond the NIDS. Thus, at present IDMEF's usability for correlation is at best limited. However, the problem of normalizing of IDS, fw, app, OS, etc data is definitely solvable. Its just there is no single agreed-upon way to do it...If so, is it just a matter of vendors wanting to "play together" and implement it in their products? I'm curious if this is the realWell, so far approximately 1 IDS vendor did :-) Best, -- Anton A. Chuvakin, Ph.D., GCI* http://www.chuvakin.org http://www.info-secure.org
-- Blake Matheny "... one of the main causes of the fall of the bmatheny () mkfifo net Roman Empire was that, lacking zero, they had http://www.mkfifo.net no way to indicate successful termination of http://ovmj.org/GNUnet/ their C programs." --Robert Firth ------------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com -------------------------------------------------------------------------------
Current thread:
- RE: Views and Correlation in Intrusion Detection Jeff Nathan (Jul 02)
- <Possible follow-ups>
- RE: Views and Correlation in Intrusion Detection Jeff Nathan (Jul 02)
- RE: Views and Correlation in Intrusion Detection Anton A. Chuvakin (Jul 02)
- Re: Views and Correlation in Intrusion Detection Blake Matheny (Jul 02)
- RE: Views and Correlation in Intrusion Detection Anton A. Chuvakin (Jul 02)
- RE: Views and Correlation in Intrusion Detection Michael Murray (Jul 02)