RE: Views and Correlation in Intrusion Detection

[Jeff Nathan <jeff () snort org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- --On Thursday, June 26, 2003 15:19 -0400 Richard Ginski 
<rginski () co pinellas fl us> wrote:

> Warning...possible stupid questions below:
>
> Doesn't a major component of such a thing already exist with Intrusion
> Detection Message Exchange?
>
> http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
>
>
> If so, is it just a matter of vendors wanting to "play together" and
> implement it in their products? I'm curious if this is the real
> stumbling block. It seems that correlation has been discussed for a
> while (years). From what I've experienced, technology doesn't take this
> long to develop unless "people" don't want to.

IDMEF is a very well intentioned idea.  To provide a framework for uniform 
message passing and a protocol to support such messages between IDS and 
data collection systems.  As it is only a framework, it sets forth certain 
requirements as to what must be and should be supported but stops short of 
saying just how they should be supported.

The IDMEF implementation that has become the most prevalent is the XML 
implementation which in and of itself is contrary to facilitating 
high-speed message passing between IDS and data collection systems.  What 
really is missing from the IDMEF proposed standard is a requirement stating 
how data should be passed.  Literally, what format it is in.  Converting a 
4 byte IPv4 address to a 16 byte null-terminated ASCII string is just one 
small but relevant example of the exponential performance penalty incurred 
by an XML based IDMEF implementation.

If high-speed distributed data collection and analysis is the goal, it must 
take  high-speed message generation into account.  Imagine if TCP/IP data 
was passed using ASCII strings in an XML format...

- -Jeff

- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+/NudEqr8+Gkj0/0RAghdAJ4jzQII5AQiouqfeiqk+pjhnkU7GwCdGwv+
/7S61bxCcdW7z1p4hrjTlOs=
=Dg2t
-----END PGP SIGNATURE-----


-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------