RE: threat/attack nomenclature/reporting [was Re: IDS Correlation]
From: Jared A. Tucker (jared.tucker@terradon.com)
Date: 03/28/02
- Previous message: Azim, Ozakil: "Re: IDMEF usage"
- Next in thread: Azim, Ozakil: "Re: IDMEF usage"
- Reply: Azim, Ozakil: "Re: IDMEF usage"
Date: Thu, 28 Mar 2002 10:55:51 -0500
From: "Jared A. Tucker" <jared.tucker@terradon.com>
To: "Azim, Ozakil" <azim@netForensics.com>, "Matthew F. Caldwell" <mattc@guarded.net>
In reading the IDWG's IDMEF DTD memo, published December 28, 2001, I believe they do account for security events. I believe their goal, as is ours, is to get a bigger picture of what is happening to your infrastructure. From the memo (section 3, Introduction):
"But there are other places where the IDMEF can be useful:
+ a single database system that could store the results from a
variety of intrusion detection products would make it possible for
data analysis and reporting activities to be performed on "the
whole picture" instead of just a part of it;
+ an event correlation system that could accept alerts from a
variety of intrusion detection products would be capable of
performing more sophisticated cross-correlation and cross-
confirmation calculations than one that is limited to a single
product;
+ a graphical user interface that could display alerts from a
variety of intrusion detection products would enable the user to
monitor all of the products from a single screen, and require him
or her to learn only one interface, instead of several; and
+ a common data exchange format would make it easier for different
organizations (users, vendors, response teams, law enforcement) to
not only exchange data, but also communicate about it."
I think these guys are trying to build the tools for a bigger monster; something that can analyze these events/alerts and tell you (in standard terms) what is happening. I believe their DTD accounts for a standardization of most data that would be encapsulated by one of these alerts. The beauty of these DTDs is that they can grow with future specifications. So what are we trying to accomplish? Building the bigger monster, or standardizing the bigger monster's analysis and display of events?
Jared A. Tucker
Senior Web Developer & Designer
Terradon Communications Group
jared.tucker@terradon.com
-----Original Message-----
From: Azim, Ozakil [mailto:azim@netForensics.com]
Sent: Thursday, March 28, 2002 10:16 AM
To: Matthew F. Caldwell
Cc: Jared A. Tucker; eddonega@WellsFargo.COM; Keith T. Morgan;
xwu@anr.mcnc.org; focus-ids@securityfocus.com
Subject: Re: threat/attack nomenclature/reporting [was Re: IDS Correlation]
well.. this thread seems to be drifting from the original
question that Keith had regarding 'standard threat/attack
nomenclature/reporting' to IDMEF to new RFCs etc.
So here is a slight change in subject and my two
cents/lira/paisas worth... :)
Correct me if I am wrong; from what I have been reading,
I think that we are talking about two things here:
1) Threat nomenclature normalization at a level higher
than CVE/bugtraq etc.
2) Standard security event formats that use the normalized
nomenclature for reporting.
the event format first:
the IDWG doesn't seem to be interested in security events.
at least not right now.
(check http://www.semper.org/idwg-public/archive/0346.html)
they are focussed more on IDSs, IDS alerts and IDS comm.
I agree that the biggest technical issue that has to be
addressed when formalizing a security event format is performance
as anyone perusing firewall logs will tell you (whether all
firewall log data should be considered as security events can
be the subject for another thread).
XML has a tendency to get bloated but it still can be used
very effectively, with acceptable performance, if you use
smaller tags, flatter schemas and compression.
(the biggest non-technical issue will be - will everyone use it?)
threat nomenclature:
most security correlation vendors are dealing with the
same issue of reducing a huge flood of events from
various security devices (and almost daily signature updates
from IDS vendors) into something which is concise, meaningful,
and normalized in terms of the threat faced by the enterprise.
It might make sense to create a common vocabulary that all
vendors use for threats/security events - a vocabulary
that doesn't have to change when new IDS signatures come up,
a vocabulary that is consistent across all vendors, a
vocabulary the enterprise security administrators can rely
on.
but here are a couple of questions...
The IDWG has been working on a common language for intrusion
detection for over two years now. How many of the IDS vendors
have implemented IDMEF/IDXP yet?
given the time it takes to create standards, like IDMEF, and
the fact that vendors do not always buy into these standards,
is it even worth the effort to attempt to standardize?
-azim
Keith T. Morgan wrote:
> is there a movement to standardize threat/attack nomenclature/reporting
> etc? Has anyone submitted an RFC? If this has been done, someone point
Matthew F. Caldwell wrote:
> XML is great but bloated, I think the IDWG (IDMEF, IAP etc) DTD could be expanded
> to cover not just IDS events, however it needs compression. All those tags multiply
> the data transmitted and in high traffic environments this matters greatly.
>
> -----Original Message-----
> From: Jared A. Tucker [mailto:jared.tucker@terradon.com]
> Sent: Wed 3/27/2002 8:52 PM
> To: eddonega@WellsFargo.COM; Keith T. Morgan; Matthew F. Caldwell
> Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com
> Subject: RE: IDS Correlation
>
>
>
> For that matter:
>
> http://www.ietf.org/html.charters/idwg-charter.html
>
>
>
> -----Original Message-----
> From: eddonega@WellsFargo.COM [mailto:eddonega@WellsFargo.COM]
> Sent: Wed 3/27/2002 5:27 PM
> To: Keith T. Morgan; mattc@guarded.net
> Cc: xwu@anr.mcnc.org; focus-ids@securityfocus.com; Jared A. Tucker
> Subject: RE: IDS Correlation
>
>
>
> You might want to check this out ...
>
> http://www.infosecuritymag.com/articles/june01/columns_standards_watch.shtml
> -----------------------------------------
> Ed Donegan
> Network Intrusion Detection
> Team Lead/CIPD
> Security Product Services
> (415) 243-6459
> eddonega@wellsfargo.com <mailto:eddonega@wellsfargo.com>
>
> "I could never have invented the Internet without Ed's help." - Al Gore
>
> -----Original Message-----
> From: Keith T. Morgan [mailto:keith.morgan@terradon.com]
> Sent: Wednesday, March 27, 2002 12:40 PM
> To: Keith T. Morgan; Matthew F. Caldwell
> Cc: Xiaoyong Wu; focus-ids@securityfocus.com; Jared A. Tucker
> Subject: RE: IDS Correlation
>
>
>
>
> I've spoken with another security / software engineer here at
> TCG who is willing to help out. We're likely to stir quite
> the hornet's nest among IDS/Firewall vendors if this goes
> very far. I'm all about the stirring. Count me in.
>
> > > > Has anyone submitted an RFC? If this has been done,
> > > someone point
> > > > me to the appropriate RFC number, because I have some
> > > serious reading to
> > > > do.
> > > >
> > >
> > > None?
> > >
> > > Lets work on it.
> > >
> >
>
>
>
>
--
Ozakil Azim, azim@netforensics.com, 732-393-6030
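The two technical points raised in this thread, Azim's claim that XML alerts stay usable "if you use smaller tags, flatter schemas and compression" and the idea of a common threat vocabulary that does not change with every vendor signature update, as one added example. This is my own illustration, not code from the thread, from netForensics, or from the IDWG. The verbose form only loosely follows the IDMEF Alert element layout (Analyzer, Classification/Reference, Source, Target/Service) and is not a validated instance of the DTD; the compact element names, the three sample alerts and the `NORMALIZATION_RULES` vocabulary are all constructed for the example.

```python
"""Added example (not from the thread): an IDMEF-flavoured alert encoder,
a hypothetical vendor-neutral signature vocabulary, and a size comparison
of long tags vs short tags, with and without gzip."""
import gzip
import xml.etree.ElementTree as ET

# Constructed sample alerts from two hypothetical sensors; the two cmd.exe
# alerts describe the same attempt under different vendor signature names.
SAMPLE_ALERTS = [
    {"analyzer": "snort-dmz1", "signature": "WEB-IIS cmd.exe access",
     "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80},
    {"analyzer": "vendorB-dmz1", "signature": "HTTP: cmd.exe in URI",
     "src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80},
    {"analyzer": "snort-dmz1", "signature": "ICMP PING NMAP",
     "src": "192.0.2.77", "dst": "198.51.100.5", "dport": 0},
]

# Hypothetical common vocabulary: each entry maps substrings of vendor
# signature names to one normalized threat category. The category names
# stay fixed when a vendor ships new signatures; only the rules grow.
NORMALIZATION_RULES = [
    (("cmd.exe",), "web-server-command-execution-attempt"),
    (("PING NMAP", "ICMP PING"), "host-discovery-scan"),
]


def normalize_signature(signature):
    """Map a vendor signature name to the common vocabulary (or 'unclassified')."""
    lowered = signature.lower()
    for needles, category in NORMALIZATION_RULES:
        if any(n.lower() in lowered for n in needles):
            return category
    return "unclassified"


def to_idmef_like(alert, compact=False):
    """Serialize one alert as XML.

    compact=False: element names and nesting loosely follow the IDMEF Alert
    (Analyzer, Classification/Reference, Source, Target/Service).
    compact=True: the same information with short, invented tags and a flat layout.
    The vendor signature is kept in both forms so normalization loses nothing.
    """
    category = normalize_signature(alert["signature"])
    if compact:
        msg = ET.Element("m")
        a = ET.SubElement(msg, "a", {"an": alert["analyzer"], "cls": category,
                                     "sig": alert["signature"]})
        ET.SubElement(a, "s").text = alert["src"]
        ET.SubElement(a, "t", {"p": str(alert["dport"])}).text = alert["dst"]
        return ET.tostring(msg, encoding="unicode")

    msg = ET.Element("IDMEF-Message", {"version": "1.0"})
    a = ET.SubElement(msg, "Alert")
    analyzer = ET.SubElement(a, "Analyzer", {"analyzerid": alert["analyzer"]})
    ET.SubElement(ET.SubElement(analyzer, "Node"), "name").text = alert["analyzer"]
    cls = ET.SubElement(a, "Classification", {"text": category})
    ref = ET.SubElement(cls, "Reference", {"origin": "vendor-specific"})
    ET.SubElement(ref, "name").text = alert["signature"]
    src_addr = ET.SubElement(ET.SubElement(ET.SubElement(a, "Source"), "Node"),
                             "Address", {"category": "ipv4-addr"})
    ET.SubElement(src_addr, "address").text = alert["src"]
    target = ET.SubElement(a, "Target")
    dst_addr = ET.SubElement(ET.SubElement(target, "Node"),
                             "Address", {"category": "ipv4-addr"})
    ET.SubElement(dst_addr, "address").text = alert["dst"]
    ET.SubElement(ET.SubElement(target, "Service"), "port").text = str(alert["dport"])
    return ET.tostring(msg, encoding="unicode")


def parse_idmef_like(xml_text):
    """Read back a verbose message: (normalized category, vendor signature)."""
    root = ET.fromstring(xml_text)
    cls = root.find("./Alert/Classification")
    return cls.get("text"), cls.findtext("Reference/name")


def encoding_sizes(alerts):
    """Bytes on the wire for a batch of alerts under four encodings."""
    verbose = "".join(to_idmef_like(a) for a in alerts).encode()
    compact = "".join(to_idmef_like(a, compact=True) for a in alerts).encode()
    return {
        "verbose": len(verbose),
        "compact": len(compact),
        "verbose_gzip": len(gzip.compress(verbose)),
        "compact_gzip": len(gzip.compress(compact)),
    }


if __name__ == "__main__":
    for name, size in encoding_sizes(SAMPLE_ALERTS).items():
        print(f"{name:14s} {size:5d} bytes")
    for a in SAMPLE_ALERTS:
        print(a["signature"], "->", normalize_signature(a["signature"]))
```

Two things worth noticing when running it. First, gzip on a batch of verbose messages recovers most of the tag overhead, because the repeated element names compress well; the short-tag form helps mainly when messages are sent one at a time and cannot share a compression context. Second, the normalized category is carried beside the original vendor signature rather than replacing it, so a correlation engine can group the two cmd.exe alerts from different sensors while an analyst can still see exactly which rule fired.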