RE: IDS Correlation
From: Keith T. Morgan (keith.morgan@terradon.com)
Date: 03/28/02
- Previous message: Hui Lee: "Re: Re: IDS Correlation"
- Maybe in reply to: 李辉: "IDS Correlation"
- Next in thread: Jared A. Tucker: "RE: IDS Correlation"
- Next in thread: 李辉: "Re: RE: IDS Correlation"
- Maybe reply: 李辉: "Re: RE: IDS Correlation"
Date: Thu, 28 Mar 2002 09:57:48 -0500
From: "Keith T. Morgan" <keith.morgan@terradon.com>
To: "Jared A. Tucker" <jared.tucker@terradon.com>, "Matthew F. Caldwell" <mattc@guarded.net>, "Kurt Seifried" <bugtraq@seifried.org>, <eddonega@WellsFargo.COM>
I think the first thing that should be analyzed is the types of data coming from various systems. Some things are more or less common across most security devices. Examples: Timestamp, Source IP, Source Port, Dest IP, Dest Port. These are items that you can pretty much bank on being present in all firewall and IDS logging mechanisms. However, almost no logging system notes the local time-zone in each log entry. That's an example of something that should be critical to log aggregation and analysis across diverse systems. Development of a list of capturable information would seem to be a critical primary step. First, you would identify what data could be captured. Standardize that. Then, what data *might* be captured. Standardize and make provisions for that. Then, we would standardize the nomenclature, required fields, and data normalization issues. I think we may be way ahead of ourselves thinking down the road of data-formatting. We haven't even defined the data! Then, this could be me working in my standard "network and security guy" mindset instead of "application developer" mindset.
Application proxying firewalls are going to grab lots more information than a packet filter. An IDS will contain attack signatures, possibly captured packet data, possible references to central repositories explaining the meaning of the attack signature, and lots of other information that a firewall doesn't gather (normally). Some systems go down to the granularity of logging user-id (app proxies/firewalls requiring authentication etc...) and other organization specific information. My focus would be less on standardizing data transmission and storage mechanisms and more towards standardizing the data itself.
> -----Original Message-----
> From: Jared A. Tucker
> Sent: Thursday, March 28, 2002 9:43 AM
> To: 'Matthew F. Caldwell'; Kurt Seifried;
> eddonega@WellsFargo.COM; Keith
> T. Morgan
> Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com
> Subject: RE: IDS Correlation
>
>
> As an application developer, it makes more sense to use a
> language that just about any programming language can parse,
> query, and dissect using inherent APIs. Why not use XML, just
> for the sake of not re-inventing the wheel?
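The field-definition exercise Keith describes (a required core of timestamp plus source/destination IP and port, optional source-specific fields such as signature or user-id, and a time zone applied explicitly before events from different systems are compared), together with Jared's suggestion of XML as the interchange format, as an added Python example. This is not code from either poster or from any product; the two log formats, the sensor names, the regular expressions and the sample log lines are all constructed for illustration.

```python
"""Normalize heterogeneous firewall / IDS log lines into one event schema,
then correlate across sensors on the normalized (UTC) timestamps.

Added example; the log formats, sensor names and sample lines are constructed.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional
import re
import xml.etree.ElementTree as ET

# Fields that practically every firewall/IDS log carries; they are mandatory.
REQUIRED = ("timestamp", "src_ip", "src_port", "dst_ip", "dst_port")


@dataclass
class Event:
    timestamp: datetime          # timezone-aware, converted to UTC
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    sensor: str
    # Optional fields: only some sources produce them.
    signature: Optional[str] = None
    user_id: Optional[str] = None
    action: Optional[str] = None


# Constructed format 1: packet filter logging local time with no zone marker.
FW_RE = re.compile(r"^(\S+ \S+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
# Constructed format 2: IDS logging an ISO-8601 UTC timestamp, a signature id
# and, when known, an authenticated user.
IDS_RE = re.compile(r"^(\S+) sid=(\S+) src=(\S+) spt=(\d+) dst=(\S+) dpt=(\d+)(?: user=(\S+))?$")

# Constructed sample input. The firewall host sits in UTC-5, which the log
# itself never says, so the zone must be supplied out of band.
LOCAL_TZ = timezone(timedelta(hours=-5))
FW_LINES = ["2002-03-28 09:57:48 ACCEPT 10.1.2.3:4321 -> 192.0.2.10:80"]
IDS_LINES = [
    "2002-03-28T14:57:50Z sid=1000001 src=10.1.2.3 spt=4321 dst=192.0.2.10 dpt=80 user=alice",
    "2002-03-28T15:10:00Z sid=1000002 src=198.51.100.7 spt=5555 dst=192.0.2.10 dpt=22",
]


def validate(ev: Event) -> Event:
    """Reject events missing a required field or carrying a naive timestamp."""
    values = asdict(ev)
    missing = [f for f in REQUIRED if values.get(f) is None]
    if missing:
        raise ValueError(f"missing required fields {missing}")
    if ev.timestamp.tzinfo is None:
        raise ValueError("timestamp has no time zone; cannot compare across systems")
    return ev


def parse_firewall(line: str, local_tz: timezone) -> Event:
    m = FW_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized firewall line: {line!r}")
    naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    ts = naive.replace(tzinfo=local_tz).astimezone(timezone.utc)
    return validate(Event(ts, m.group(3), int(m.group(4)), m.group(5), int(m.group(6)),
                          sensor="fw1", action=m.group(2)))


def parse_ids(line: str) -> Event:
    m = IDS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized IDS line: {line!r}")
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00")).astimezone(timezone.utc)
    return validate(Event(ts, m.group(3), int(m.group(4)), m.group(5), int(m.group(6)),
                          sensor="ids1", signature=m.group(2), user_id=m.group(7)))


def to_xml(ev: Event) -> str:
    """Serialize one normalized event; absent optional fields are simply omitted."""
    root = ET.Element("event")
    for key, value in asdict(ev).items():
        if value is None:
            continue
        ET.SubElement(root, key).text = (
            value.isoformat() if isinstance(value, datetime) else str(value))
    return ET.tostring(root, encoding="unicode")


def correlate(events: List[Event], window: timedelta = timedelta(seconds=5)) -> List[List[Event]]:
    """Group events sharing (src_ip, dst_ip, dst_port) within `window` of each
    other; keep only groups seen by more than one sensor."""
    groups: List[dict] = []
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = (ev.src_ip, ev.dst_ip, ev.dst_port)
        for g in groups:
            if g["key"] == key and ev.timestamp - g["events"][-1].timestamp <= window:
                g["events"].append(ev)
                break
        else:
            groups.append({"key": key, "events": [ev]})
    return [g["events"] for g in groups if len({e.sensor for e in g["events"]}) > 1]


def demo() -> List[List[Event]]:
    events = [parse_firewall(l, LOCAL_TZ) for l in FW_LINES] + [parse_ids(l) for l in IDS_LINES]
    return correlate(events)


if __name__ == "__main__":
    for group in demo():
        for ev in group:
            print(to_xml(ev))
```

Without the out-of-band zone the firewall's 09:57:48 and the IDS's 14:57:50 look five hours apart and never correlate; with it they are two seconds apart and land in the same group.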