Re: IDS Correlation
From: Kurt Seifried (bugtraq@seifried.org)
Date: 03/28/02
- Previous message: Marcus J. Ranum: "RE: IDS Correlation"
- In reply to: Matthew F. Caldwell: "RE: IDS Correlation"
- Next in thread: Hui Lee: "Re: Re: IDS Correlation"
- Maybe reply: Hui Lee: "Re: Re: IDS Correlation"
From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Matthew F. Caldwell" <mattc@guarded.net>, "Jared A. Tucker" <jared.tucker@terradon.com>, <eddonega@WellsFargo.COM>, "Keith T. Morgan" <keith.morgan@terradon.com>
Date: Wed, 27 Mar 2002 22:16:48 -0700
Silly suggestion but could you use XML, but simply set up both endpoints to
rip/replace XML tags as needed by agreeing on a standard format, i.e.
instead of:
<Attack>
<source_ip>1.2.3.4</>
<source_port>3422
and so on and so forth......
pack it to:
[32bits, attacker ip][16bits source port][32bit dest ip][16bits dest
port]... etc. And then of course have the other end unpack it and off you
go. Seems simple enough to do (load a template at either end that defines
the XML in and the "compressed" raw data out).
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
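The template-driven pack/unpack sketched in the message above, written out as an added Python example (this is not code from the post or from anyone in the thread). It assumes a four-field template (the post's source ip/port plus `dest_ip`/`dest_port` tag names, which are assumed here) and network byte order, and uses the standard `struct` and `ipaddress` modules. The point worth seeing is that the packing step doubles as input validation: a malformed address or an out-of-range port is rejected before anything goes on the wire.

```python
import struct
import ipaddress
import xml.etree.ElementTree as ET

# Hypothetical field template agreed by both endpoints (an assumption for this
# example, not from the post). Each entry: (XML tag, struct code, encoder, decoder).
# With network byte order the wire layout is
# [32 bits source ip][16 bits source port][32 bits dest ip][16 bits dest port].
TEMPLATE = [
    ("source_ip",   "I", lambda s: int(ipaddress.IPv4Address(s)), lambda n: str(ipaddress.IPv4Address(n))),
    ("source_port", "H", int, str),
    ("dest_ip",     "I", lambda s: int(ipaddress.IPv4Address(s)), lambda n: str(ipaddress.IPv4Address(n))),
    ("dest_port",   "H", int, str),
]
WIRE_FORMAT = "!" + "".join(code for _, code, _, _ in TEMPLATE)
RECORD_SIZE = struct.calcsize(WIRE_FORMAT)   # 12 bytes for the template above

# Constructed sample alert in the verbose form the post wants to avoid sending.
SAMPLE_XML = """<Attack>
  <source_ip>1.2.3.4</source_ip>
  <source_port>3422</source_port>
  <dest_ip>10.0.0.5</dest_ip>
  <dest_port>80</dest_port>
</Attack>"""


def pack_attack(xml_text):
    """Parse an <Attack> document and emit the fixed-width binary record.
    Malformed IPs and non-numeric or out-of-range ports raise ValueError /
    struct.error, so a bad record is rejected rather than shipped."""
    root = ET.fromstring(xml_text)
    if root.tag != "Attack":
        raise ValueError("expected <Attack> root, got <%s>" % root.tag)
    values = []
    for tag, _code, encode, _decode in TEMPLATE:
        node = root.find(tag)
        if node is None or node.text is None:
            raise ValueError("missing <%s>" % tag)
        values.append(encode(node.text.strip()))
    return struct.pack(WIRE_FORMAT, *values)


def unpack_attack(data):
    """Reverse pack_attack: fixed-width record back to a dict of field strings."""
    if len(data) != RECORD_SIZE:
        raise ValueError("record must be exactly %d bytes, got %d" % (RECORD_SIZE, len(data)))
    raw = struct.unpack(WIRE_FORMAT, data)
    return {tag: decode(value)
            for (tag, _code, _encode, decode), value in zip(TEMPLATE, raw)}


def to_xml(fields):
    """Rebuild the <Attack> document on the receiving side."""
    root = ET.Element("Attack")
    for tag, _code, _encode, _decode in TEMPLATE:
        ET.SubElement(root, tag).text = fields[tag]
    return ET.tostring(root, encoding="unicode")


def validate_attack(xml_text):
    """Return None if the document packs cleanly, else a short reason.
    Usable as the ingress check before a collector accepts a record."""
    try:
        pack_attack(xml_text)
        return None
    except (ValueError, struct.error, ET.ParseError) as exc:
        return str(exc)


if __name__ == "__main__":
    wire = pack_attack(SAMPLE_XML)
    print("%d bytes of XML -> %d bytes on the wire: %s" % (len(SAMPLE_XML), RECORD_SIZE, wire.hex()))
    print(to_xml(unpack_attack(wire)))
```

Because the record carries no field names or lengths, both ends must load byte-for-byte the same template; a receiver running a different template version will decode the bytes without error into wrong fields, so in practice a version byte in front of the record (not included above) is a cheap way to detect that mismatch instead of silently correlating garbage.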