Re: threat/attack nomenclature/reporting [was Re: IDS Correlation]
From: Azim, Ozakil (azim@netForensics.com) Date: 03/28/02
- Previous message: Keith T. Morgan: "RE: IDS Correlation"
- In reply to: Matthew F. Caldwell: "RE: IDS Correlation"
- Next in thread: Marcus J. Ranum: "RE: IDS Correlation"
- Next in thread: Keith T. Morgan: "RE: IDS Correlation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Mar 2002 10:16:04 -0500 From: "Azim, Ozakil" <azim@netForensics.com> To: "Matthew F. Caldwell" <mattc@guarded.net>
Well... this thread seems to be drifting from the original
question that Keith had regarding 'standard threat/attack
nomenclature/reporting' to IDMEF, new RFCs, etc.
So here is a slight change in subject and my two
cents/lira/paisas worth... :)
Correct me if I am wrong; from what I have been reading,
I think that we are talking about two things here:
1) Threat nomenclature normalization at a level higher
than CVE/bugtraq etc.
2) Standard security event formats that use the normalized
nomenclature for reporting.
The event format first:
The IDWG doesn't seem to be interested in security events,
at least not right now
(check http://www.semper.org/idwg-public/archive/0346.html);
they are focused more on IDSs, IDS alerts and IDS comm.
I agree that the biggest technical issue that has to be
addressed when formalizing a security event format is performance,
as anyone perusing firewall logs will tell you (whether all
firewall log data should be considered security events can
be the subject of another thread).
XML has a tendency to get bloated but it still can be used
very effectively, with acceptable performance, if you use
smaller tags, flatter schemas and compression.
(The biggest non-technical issue will be: will everyone use it?)
Threat nomenclature:
Most security correlation vendors are dealing with the
same issue of reducing a huge flood of events from
various security devices (and almost-daily signature updates
from IDS vendors) into something which is concise, meaningful,
and normalized in terms of the threat faced by the enterprise.
It might make sense to create a common vocabulary that all
vendors use for threats/security events - a vocabulary
that doesn't have to change when new IDS signatures come up,
a vocabulary that is consistent across all vendors, a
vocabulary the enterprise security administrators can rely
on.
But here are a couple of questions...
The IDWG has been working on a common language for intrusion
detection for over two years now. How many of the IDS vendors
have implemented IDMEF/IDXP yet?
Given the time it takes to create standards like IDMEF, and
the fact that vendors do not always buy into these standards,
is it even worth the effort to attempt to standardize?
-azim
Keith T. Morgan wrote:
> is there a movement to standardize threat/attack nomenclature/reporting
> etc? Has anyone submitted an RFC? If this has been done, someone point
Matthew F. Caldwell wrote:
> XML is great but bloated. I think the IDWG (IDMEF, IAP etc.) DTD could be expanded
> to cover not just IDS events, however it needs compression. All those tags multiply
> the data transmitted and in high traffic environments this matters greatly.
>
> -----Original Message-----
> From: Jared A. Tucker [mailto:jared.tucker@terradon.com]
> Sent: Wed 3/27/2002 8:52 PM
> To: eddonega@WellsFargo.COM; Keith T. Morgan; Matthew F. Caldwell
> Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com
> Subject: RE: IDS Correlation
>
>
>
> For that matter:
>
> http://www.ietf.org/html.charters/idwg-charter.html
>
>
>
> -----Original Message-----
> From: eddonega@WellsFargo.COM [mailto:eddonega@WellsFargo.COM]
> Sent: Wed 3/27/2002 5:27 PM
> To: Keith T. Morgan; mattc@guarded.net
> Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com; Jared A. Tucker
> Subject: RE: IDS Correlation
>
>
>
> You might want to check this out ...
>
> http://www.infosecuritymag.com/articles/june01/columns_standards_watch.shtml
> -----------------------------------------
> Ed Donegan
> Network Intrusion Detection
> Team Lead/CIPD
> Security Product Services
> (415) 243-6459
> eddonega@wellsfargo.com <mailto:eddonega@wellsfargo.com>
>
> "I could never have invented the Internet without Ed's help." - Al Gore
>
> -----Original Message-----
> From: Keith T. Morgan [mailto:keith.morgan@terradon.com]
> Sent: Wednesday, March 27, 2002 12:40 PM
> To: Keith T. Morgan; Matthew F. Caldwell
> Cc: Xiaoyong Wu; focus-ids@securityfocus.com; Jared A. Tucker
> Subject: RE: IDS Correlation
>
>
>
>
> I've spoken with another security / software engineer here at
> TCG who is willing to help out. We're likely to stir quite
> the hornet's nest among IDS/Firewall vendors if this goes
> very far. I'm all about the stirring. Count me in.
>
> > > > Has anyone submitted an RFC? If this has been done, someone point
> > > > me to the appropriate RFC number, because I have some serious reading to
> > > > do.
> > > >
> > >
> > > None?
> > >
> > > Let's work on it.
> > >
> >
> >
>
>
>
>
-- Ozakil Azim, azim@netforensics.com, 732-393-6030
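Added example (not part of Azim's message or of anything else in the thread above): the two ideas in the message, a vendor-independent threat vocabulary and a leaner XML event format, worked through in Python. Three constructed vendor events (a Snort-style alert, a PIX-style deny, and a made-up "vendorx" alert; none are real logs) are mapped onto an illustrative common vocabulary, aggregated so that two vendors reporting the same attack under different signature names collapse to one line, and then encoded both as a verbose IDMEF-style nested document and as a flat short-tag document, measured raw and zlib-compressed. The log formats, category names and tag names are assumptions for the example, not any published schema or standard, and the IDMEF-flavoured structure is only a sketch, not the real IDMEF DTD.

```python
"""Added example (not from the focus-ids thread above): parse three constructed
vendor events into one common vocabulary, collapse duplicates, then compare a
verbose IDMEF-style XML encoding with a flat short-tag one, raw and zlib'd.
Category names, tag names and log formats are illustrative assumptions."""
import re
import zlib
import xml.etree.ElementTree as ET

# Constructed sample events (not real logs): Snort-style, Cisco PIX-style and a
# hypothetical "vendorx" key=value alert.  Addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("snort", "[**] [1:1234:5] WEB-IIS cmd.exe access [**] 10.0.0.5:41022 -> 192.0.2.10:80"),
    ("pix", "%PIX-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:192.0.2.10/445"),
    ("vendorx", 'ALERT sig="IIS cmd.exe request" src=10.0.0.5 dst=192.0.2.10 dport=80'),
]

# Per-vendor parsers for the assumed formats above.
PARSERS = {
    "snort": re.compile(r"\[\*\*\] \[[\d:]+\] (?P<name>.+?) \[\*\*\] "
                        r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"),
    "pix": re.compile(r"%PIX-\d-\d+: (?P<name>Deny \w+) src \w+:(?P<src>[\d.]+)/\d+ "
                      r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    "vendorx": re.compile(r'sig="(?P<name>[^"]+)" src=(?P<src>[\d.]+) '
                          r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"),
}

# Common vocabulary: vendor signature names map onto categories that need not
# change when a vendor ships new signatures.  Names are illustrative.
CATEGORY_RULES = [
    (re.compile(r"cmd\.exe", re.I), "web.command-execution-attempt"),
    (re.compile(r"^Deny\b", re.I), "network.blocked-connection"),
]

def categorize(signature_name):
    """Map a vendor signature name onto the common vocabulary."""
    for rx, category in CATEGORY_RULES:
        if rx.search(signature_name):
            return category
    return "unknown"

def normalize(vendor, line):
    """Parse one raw vendor line into a normalized event dict."""
    m = PARSERS[vendor].search(line)
    if m is None:
        raise ValueError(f"unparsed {vendor} event: {line!r}")
    f = m.groupdict()
    return {"vendor": vendor, "category": categorize(f["name"]), "orig": f["name"],
            "src": f["src"], "dst": f["dst"], "dport": int(f["dport"])}

def summarize(events):
    """Collapse events onto (category, target) so two vendors reporting the same
    attack under different signature names become one count."""
    summary = {}
    for ev in events:
        entry = summary.setdefault((ev["category"], ev["dst"]), {"count": 0, "vendors": set()})
        entry["count"] += 1
        entry["vendors"].add(ev["vendor"])
    return summary

def verbose_xml(ev):
    """IDMEF-flavoured encoding: deep nesting, long tags, one element per field.
    Assumed structure, not the real IDMEF DTD."""
    alert = ET.Element("Alert")
    ET.SubElement(ET.SubElement(alert, "Analyzer"), "VendorName").text = ev["vendor"]
    cls = ET.SubElement(alert, "Classification")
    ET.SubElement(cls, "CategoryName").text = ev["category"]
    ET.SubElement(cls, "OriginalSignatureName").text = ev["orig"]
    ET.SubElement(ET.SubElement(ET.SubElement(alert, "Source"), "Node"), "Address").text = ev["src"]
    tgt = ET.SubElement(alert, "Target")
    ET.SubElement(ET.SubElement(tgt, "Node"), "Address").text = ev["dst"]
    ET.SubElement(ET.SubElement(tgt, "Service"), "Port").text = str(ev["dport"])
    return ET.tostring(alert, encoding="unicode")

def compact_xml(ev):
    """Flat encoding: one short element per event, fields as attributes."""
    e = ET.Element("e", v=ev["vendor"], c=ev["category"], s=ev["src"],
                   d=ev["dst"], p=str(ev["dport"]), o=ev["orig"])
    return ET.tostring(e, encoding="unicode")

def encode_batch(events, encoder):
    """Wrap encoded events in a batch root and return UTF-8 bytes."""
    return ("<batch>" + "".join(encoder(ev) for ev in events) + "</batch>").encode("utf-8")

def size_report(events):
    """Byte counts for both encodings, raw and zlib level 9."""
    report = {}
    for label, encoder in (("verbose", verbose_xml), ("compact", compact_xml)):
        raw = encode_batch(events, encoder)
        report[label] = {"raw": len(raw), "zlib": len(zlib.compress(raw, 9))}
    return report

if __name__ == "__main__":
    normalized = [normalize(vendor, line) for vendor, line in SAMPLE_EVENTS]
    for (category, dst), entry in summarize(normalized).items():
        print(f"{category:32} {dst:12} x{entry['count']} from {sorted(entry['vendors'])}")
    for label, sizes in size_report(normalized).items():
        print(f"{label:8} raw={sizes['raw']} bytes  zlib={sizes['zlib']} bytes")
```

Running it prints the collapsed summary (the Snort and "vendorx" alerts land on one line because the category, not the vendor's signature name, is the key) and the four byte counts, so you can see separately how much the flatter schema and the compression each buy on this batch. CATEGORY_RULES is the piece that would have to be the shared, vendor-independent vocabulary the message asks for; the per-vendor PARSERS are the part that churns with every signature update.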