Re: IDMEF usage
From: Azim, Ozakil (azim@netForensics.com) Date: 03/28/02
Date: Thu, 28 Mar 2002 15:23:45 -0500
From: "Azim, Ozakil" <azim@netForensics.com>
To: "Jared A. Tucker" <jared.tucker@terradon.com>, focus-ids@securityfocus.com
According to the IDMEF DTD Memo, the other places where IDMEF
can be useful are at a layer above IDSs (correlation database,
event correlation system, correlation GUI) that get standardized
feeds from "intrusion detection products".
I am not knocking the effort people have put in this model;
I know IDMEF can be extended for events from other security
devices and that IDMEF doesn't need to be XML based either -
it being a data model. My concern is the slow pace of
creation/adoption of the standard.
Since I am not aware of development efforts within IDS
vendors, I may be wrong - it seems that only SNORT supports
IDMEF. When will ISS RealSecure/CiscoSecure IDS/Dragon etc
support it? What about firewalls and anti-virus vendors if
and when it does get extended?
Jared A. Tucker wrote:
> In reading the IDWG's IDMEF DTD memo, published December 28, 2001, I believe they do account for security events. I believe their goal, as is ours, is to get a bigger picture of what is happening to your infrastructure. From the memo (section 3, Introduction):
>
> "But there are other places where the IDMEF can be useful:
>
> + a single database system that could store the results from a
> variety of intrusion detection products would make it possible for
> data analysis and reporting activities to be performed on "the
> whole picture" instead of just a part of it;
>
> + an event correlation system that could accept alerts from a
> variety of intrusion detection products would be capable of
> performing more sophisticated cross-correlation and cross-
> confirmation calculations than one that is limited to a single
> product;
>
> + a graphical user interface that could display alerts from a
> variety of intrusion detection products would enable the user to
> monitor all of the products from a single screen, and require him
> or her to learn only one interface, instead of several; and
>
> + a common data exchange format would make it easier for different
> organizations (users, vendors, response teams, law enforcement) to
> not only exchange data, but also communicate about it."
>
> I think these guys are trying to build the tools for a bigger monster; something that can analyze these events/alerts and tell you (in standard terms) what is happening. I believe their DTD accounts for a standardization of most data that would be encapsulated by one of these alerts. The beauty of these DTDs is that they can grow with future specifications. So what are we trying to accomplish? Building the bigger monster, or standardizing the bigger monster's analysis and display of events?
>
>
> Jared A. Tucker
> Senior Web Developer & Designer
> Terradon Communications Group
> jared.tucker@terradon.com
>
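The thread talks about an "event correlation system" that takes standardized IDMEF feeds from several products and does "cross-confirmation calculations". The following is an added illustration of that idea, not code from either poster or from the IDWG. It parses a small IDMEF-style message (element names follow the IDMEF data model: IDMEF-Message, Alert, Analyzer, CreateTime, Source, Target, Classification; the three alerts, the analyzer ids and the addresses are constructed, and the message is simplified, with no namespace or ntpstamp) and reports targets that two different analyzers flagged within a short time window.

```python
"""Cross-confirm IDMEF-style alerts from different analyzers.

Added example; not from the focus-ids thread or the IDWG. Element names
follow the IDMEF data model, but the alerts below are constructed samples.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed feed: a network IDS and a host IDS (hypothetical analyzer ids)
# both report on 198.51.100.10 within a minute; a third alert is unrelated.
SAMPLE_ALERTS = """<?xml version="1.0"?>
<IDMEF-Message version="1.0">
  <Alert messageid="nids-0001">
    <Analyzer analyzerid="nids-1" name="example-network-ids"/>
    <CreateTime>2002-03-28T20:01:05Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.77</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.10</address></Address></Node></Target>
    <Classification text="suspicious CGI request"/>
  </Alert>
  <Alert messageid="hids-0042">
    <Analyzer analyzerid="hids-1" name="example-host-ids"/>
    <CreateTime>2002-03-28T20:01:40Z</CreateTime>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.10</address></Address></Node></Target>
    <Classification text="web server spawned a shell"/>
  </Alert>
  <Alert messageid="nids-0002">
    <Analyzer analyzerid="nids-1" name="example-network-ids"/>
    <CreateTime>2002-03-28T21:15:00Z</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.9</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.22</address></Address></Node></Target>
    <Classification text="portscan"/>
  </Alert>
</IDMEF-Message>
"""


def parse_alerts(xml_text):
    """Reduce each <Alert> to the few fields a correlator needs."""
    root = ET.fromstring(xml_text)
    alerts = []
    for alert in root.iter("Alert"):
        created = alert.findtext("CreateTime")
        alerts.append({
            "id": alert.get("messageid"),
            "analyzer": alert.find("Analyzer").get("analyzerid"),
            "time": datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "source": alert.findtext("Source/Node/Address/address"),
            "target": alert.findtext("Target/Node/Address/address"),
            "classification": alert.find("Classification").get("text"),
        })
    return alerts


def cross_confirm(alerts, window=timedelta(minutes=5)):
    """Map target address -> sorted alert ids, for targets that at least two
    distinct analyzers reported within `window` of each other."""
    by_target = defaultdict(list)
    for a in alerts:
        if a["target"]:
            by_target[a["target"]].append(a)
    confirmed = {}
    for target, group in by_target.items():
        group.sort(key=lambda a: a["time"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b["time"] - a["time"] > window:
                    break          # group is time-sorted; later ones are further away
                if a["analyzer"] != b["analyzer"]:
                    confirmed.setdefault(target, set()).update({a["id"], b["id"]})
    return {t: sorted(ids) for t, ids in confirmed.items()}


if __name__ == "__main__":
    for target, ids in cross_confirm(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{target}: confirmed by {', '.join(ids)}")
```

Only the target that both the network and the host analyzer reported is returned; the lone portscan alert is not, because cross-confirmation here requires distinct analyzer ids. A real correlator would add more keys (source address, classification, analyzer type) and a persistent store, which is the "single database system" use the memo describes.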