IDS mailing list archives
RE: Views and Correlation in Intrusion Detection
From: Jeff Nathan <jeff () snort org>
Date: Fri, 27 Jun 2003 17:04:45 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - --On Thursday, June 26, 2003 15:19 -0400 Richard Ginski <rginski () co pinellas fl us> wrote:
Warning...possible stupid questions below: Doesn't a major component of such a thing already exist with Intrusion Detection Message Exchange? http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt If so, is it just a matter of vendors wanting to "play together" and implement it in their products? I'm curious if this is the real stumbling block. It seems that correlation has been discussed for a while (years). From what I've experienced, technology doesn't take this long to develop unless "people" don't want to.
IDMEF is a very well intentioned idea. To provide a framework for uniform message passing and a protocol to support such messages between IDS and data collection systems. As it is only a framework, it sets forth certain requirements as to what must be and should be supported but stops short of saying just how they should be supported. The IDMEF implementation that has become the most prevalent is the XML implementation which in and of itself is contrary to facilitating high-speed message passing between IDS and data collection systems. What really is missing from the IDMEF proposed standard is a requirement stating how data should be passed. Literally, what format it is in. Converting a 4 byte IPv4 address to a 16 byte null-terminated ASCII string is just one small but relevant example of the exponential performance penalty incurred by an XML based IDMEF implementation. If high-speed distributed data collection and analysis is the goal, it must take high-speed message generation into account. Imagine if TCP/IP data was passed using ASCII strings in an XML format... - -Jeff - -- http://cerberus.sourcefire.com/~jeff (gpg key available) Great spirits have always encountered violent opposition from mediocre minds. - - Albert Einstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (Darwin) iD8DBQE+/NudEqr8+Gkj0/0RAghdAJ4jzQII5AQiouqfeiqk+pjhnkU7GwCdGwv+ /7S61bxCcdW7z1p4hrjTlOs= =Dg2t -----END PGP SIGNATURE----- ------------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com -------------------------------------------------------------------------------
Current thread:
- RE: Views and Correlation in Intrusion Detection Jeff Nathan (Jul 02)
- <Possible follow-ups>
- RE: Views and Correlation in Intrusion Detection Jeff Nathan (Jul 02)
- RE: Views and Correlation in Intrusion Detection Anton A. Chuvakin (Jul 02)
- Re: Views and Correlation in Intrusion Detection Blake Matheny (Jul 02)
- RE: Views and Correlation in Intrusion Detection Anton A. Chuvakin (Jul 02)
- RE: Views and Correlation in Intrusion Detection Michael Murray (Jul 02)