RE: IDS Correlation

From: Jared A. Tucker (jared.tucker@terradon.com)
Date: 03/28/02


Date: Thu, 28 Mar 2002 09:42:45 -0500
From: "Jared A. Tucker" <jared.tucker@terradon.com>
To: "Matthew F. Caldwell" <mattc@guarded.net>, "Kurt Seifried" <bugtraq@seifried.org>, <eddonega@WellsFargo.COM>, "Keith T. Morgan" <keith.morgan@terradon.com>

As an application developer, it makes more sense to use a language that just about any programming language can parse, query, and dissect using inherent APIs. Why not use XML, just for the sake of not re-inventing the wheel?

Jared A. Tucker
Senior Web Developer & Designer
Terradon Communications Group
jared.tucker@terradon.com
304.755.1324

"/(bb|[^b]{2})/...that is the question..."


-----Original Message-----
From: Matthew F. Caldwell [mailto:mattc@guarded.net]
Sent: Thursday, March 28, 2002 9:17 AM
To: Kurt Seifried; Jared A. Tucker; eddonega@WellsFargo.COM; Keith T.
Morgan
Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com
Subject: RE: IDS Correlation


seems more logical :>


-----Original Message-----
From: Kurt Seifried [mailto:bugtraq@seifried.org]
Sent: Thursday, March 28, 2002 12:17 AM
To: Matthew F. Caldwell; Jared A. Tucker; eddonega@WellsFargo.COM; Keith
T. Morgan
Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com
Subject: Re: IDS Correlation


Silly suggestion but could you use XML, but simply set up both endpoints to
rip/replace XML tags as needed by agreeing on a standard format, i.e.
instead of:

<Attack>
<source_ip>1.2.3.4</source_ip>
<source_port>3422</source_port>
and so on and so forth......

pack it to:

[32bits, attacker ip][16bits source port][32bit dest ip][16bits dest
port]... etc. And then of course have the other end unpack it and off you
go. Seems simple enough to do (load a template at either end that defines
the XML in and the "compressed" raw data out).


Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
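A worked version of the template-driven pack/unpack sketched above, added here as an example and not code from the thread; the element names (source_ip, source_port, dest_ip, dest_port), the constructed sample record and the 12-byte network-order layout are assumptions. Both ends share one template, so the receiver can check the length before trusting the bytes and the sender refuses partial or out-of-range records:

```python
import struct
import ipaddress
import xml.etree.ElementTree as ET

# Helpers for the two field kinds in the sketched layout.
def _ip_to_int(text): return int(ipaddress.IPv4Address(text))   # raises on bad IPs
def _int_to_ip(value): return str(ipaddress.IPv4Address(value))
def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

# Constructed template (assumed element names). Entry order defines the wire
# layout: [32 bits attacker ip][16 bits source port][32 bits dest ip][16 bits dest port].
TEMPLATE = [
    ("source_ip",   "I", _ip_to_int, _int_to_ip),
    ("source_port", "H", _port,      str),
    ("dest_ip",     "I", _ip_to_int, _int_to_ip),
    ("dest_port",   "H", _port,      str),
]
# "!" = network byte order, no padding, so both endpoints agree on exactly 12 bytes.
WIRE_FORMAT = "!" + "".join(code for _, code, _, _ in TEMPLATE)
WIRE_SIZE = struct.calcsize(WIRE_FORMAT)

def pack_attack(xml_text: str) -> bytes:
    """Sender side: parse an <Attack> record and pack the template fields."""
    root = ET.fromstring(xml_text)
    if root.tag != "Attack":
        raise ValueError(f"unexpected root element: {root.tag}")
    values = []
    for name, _, encode, _ in TEMPLATE:
        node = root.find(name)
        if node is None or node.text is None:
            raise ValueError(f"missing field: {name}")  # refuse partial records
        values.append(encode(node.text.strip()))
    return struct.pack(WIRE_FORMAT, *values)

def unpack_attack(wire: bytes) -> str:
    """Receiver side: check the length first, then rebuild the XML from the template."""
    if len(wire) != WIRE_SIZE:
        raise ValueError(f"expected {WIRE_SIZE} bytes, got {len(wire)}")
    root = ET.Element("Attack")
    for (name, _, _, decode), raw in zip(TEMPLATE, struct.unpack(WIRE_FORMAT, wire)):
        ET.SubElement(root, name).text = decode(raw)
    return ET.tostring(root, encoding="unicode")

# Constructed sample record: the one sketched in the message with the remaining fields filled in.
SAMPLE_XML = ("<Attack><source_ip>1.2.3.4</source_ip><source_port>3422</source_port>"
              "<dest_ip>10.0.0.7</dest_ip><dest_port>80</dest_port></Attack>")
```

The packed sample is 12 bytes against roughly 120 for the XML, and the round trip reproduces the original record exactly because the template fixes both the field order and the element names.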
