RE: Views and Correlation in Intrusion Detection

["Anton A. Chuvakin" <anton () chuvakin org>]

> Doesn't a major component of such a thing already exist with Intrusion
> Detection Message Exchange?
> http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
Not really. IDMEF is likely impossible to use to define alerts from
non-IDS devices which still report on intrusions, such as host logs,
firewall messages, etc.  Such circumstantial evidence plays a major role
in detecting intrusions beyond the NIDS. Thus, at present IDMEF's
usability for correlation is at best limited.

However, the problem of normalizing of IDS, fw, app, OS, etc data is
definitely solvable. Its just there is no single agreed-upon way to do
it...

> If so, is it just a matter of vendors wanting to "play together" and
> implement it in their products? I'm curious if this is the real
Well, so far approximately 1 IDS vendor did :-)

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org



-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------