new bro "CURRENT" release - 0.8a79

Robin Sommer sommer at in.tum.de
Fri Apr 2 00:15:47 PST 2004


On Thu, Mar 25, 2004 at 12:33 -0500, Anton Chuvakin, Ph.D. wrote:

> Just curious, what is the motivation for IDMEF support? Just to be
> consistent with industry "standard" or something else? Basically, I am
> asking how users are supposed to use IDMEF in production environment.

From my point of view, there are two main motivations: 

First, it's indeed simply a standardized way to talk to other
systems. If you're using different kinds of NIDSs (either at
different locations or even at the same place), they may share their
results with IDMEF. 

Second, it's interesting to see how Bro's semantics map to IDMEF and
vice versa. Most parts of Bro work on a lower level than IDMEF. So,
a large fraction of Bro's state is not (reasonably) convertible to
IDMEF. On the other hand, Bro's alert framework looks quite similar
to IDMEF's model. By adding IDMEF support we should be able to
better understand what kind of information can actually be
represented in this format (and if it's sufficient for the task it's
supposed to do).

Regarding the question of how to use it: if you want to connect
multiple Bros, IDMEF is probably not the best way; there are other
mechanisms now (which are still experimental though). But if you
want to share alerts with other systems, IDMEF could be an option.

Robin

-- 
Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Munich    * Phone (089) 289-18006 *  sommer at in.tum.de 
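The mapping Robin describes above (Bro's alert/notice fields carried over to IDMEF's Alert model, with the rest of Bro's state left behind) is illustrated by the following added example. It is not code from the Bro project or from this message; it builds an IDMEF-Message document in the XML layout of the IDMEF data model (RFC 4765) from a constructed, Bro-like notice record. The notice field names (`note`, `msg`, `src`, `dst`, `dst_port`, `proto`, `ts`, `sensor`) and the sensor id `bro-sensor-1` are assumptions chosen for the example, not Bro's actual record layout.

```python
"""Map a constructed Bro-style notice record to an IDMEF alert (RFC 4765 XML).

Only the fields that have a reasonable IDMEF counterpart are carried over;
connection state, analyzer internals and the like are dropped on purpose,
which is exactly the "not (reasonably) convertible" part of Bro's state.
"""
import datetime
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"

# Constructed sample notice (hypothetical field names, not Bro's own layout).
SAMPLE_NOTICE = {
    "note": "PortScan",                                  # hypothetical notice type
    "msg": "192.0.2.10 scanned 25 ports on 198.51.100.7",
    "src": "192.0.2.10",
    "dst": "198.51.100.7",
    "dst_port": 22,
    "proto": "tcp",
    "ts": 1080864947.0,                                  # epoch seconds, constructed
    "sensor": "bro-sensor-1",                            # hypothetical analyzer id
}


def _q(tag):
    """Qualify a tag name with the IDMEF namespace."""
    return "{%s}%s" % (IDMEF_NS, tag)


def _ntpstamp(epoch):
    """IDMEF CreateTime carries an NTP timestamp: hex seconds since 1900 plus hex fraction."""
    secs = int(epoch) + 2208988800          # offset between the 1900 and 1970 epochs
    frac = int((epoch - int(epoch)) * (1 << 32))
    return "0x%08x.0x%08x" % (secs, frac)


def _iso8601(epoch):
    """Element text of CreateTime: ISO 8601 in UTC."""
    dt = datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def notice_to_idmef(notice, message_id):
    """Return an IDMEF-Message (as a str) describing one notice.

    Child order follows the IDMEF Alert definition: Analyzer, CreateTime,
    Source, Target, Classification, AdditionalData.
    """
    ET.register_namespace("idmef", IDMEF_NS)
    root = ET.Element(_q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, _q("Alert"), messageid=message_id)

    ET.SubElement(alert, _q("Analyzer"), analyzerid=notice["sensor"], name="Bro")

    create = ET.SubElement(alert, _q("CreateTime"), ntpstamp=_ntpstamp(notice["ts"]))
    create.text = _iso8601(notice["ts"])

    # Source and Target both wrap a Node with an IPv4 Address.
    for tag, key in (("Source", "src"), ("Target", "dst")):
        endpoint = ET.SubElement(alert, _q(tag))
        node = ET.SubElement(endpoint, _q("Node"))
        addr = ET.SubElement(node, _q("Address"), category="ipv4-addr")
        ET.SubElement(addr, _q("address")).text = notice[key]
        if tag == "Target":
            # The scanned port only makes sense on the target side.
            service = ET.SubElement(endpoint, _q("Service"))
            ET.SubElement(service, _q("port")).text = str(notice["dst_port"])
            ET.SubElement(service, _q("protocol")).text = notice["proto"]

    # The notice type becomes the Classification; the free-form message
    # has no dedicated IDMEF slot, so it travels as AdditionalData.
    ET.SubElement(alert, _q("Classification"), text=notice["note"])
    extra = ET.SubElement(alert, _q("AdditionalData"), type="string", meaning="msg")
    ET.SubElement(extra, _q("string")).text = notice["msg"]

    return ET.tostring(root, encoding="unicode")


def idmef_to_summary(xml_text):
    """Read the essential fields back out of an IDMEF-Message, as a consumer would."""
    ns = {"idmef": IDMEF_NS}
    alert = ET.fromstring(xml_text).find("idmef:Alert", ns)
    return {
        "messageid": alert.get("messageid"),
        "classification": alert.find("idmef:Classification", ns).get("text"),
        "src": alert.find("idmef:Source/idmef:Node/idmef:Address/idmef:address", ns).text,
        "dst": alert.find("idmef:Target/idmef:Node/idmef:Address/idmef:address", ns).text,
        "dst_port": int(alert.find("idmef:Target/idmef:Service/idmef:port", ns).text),
        "created": alert.find("idmef:CreateTime", ns).text,
    }


if __name__ == "__main__":
    doc = notice_to_idmef(SAMPLE_NOTICE, "bro-notice-0001")
    print(doc)
    print(idmef_to_summary(doc))
```

Note that the round trip through `idmef_to_summary` recovers only what IDMEF can express; the lossy direction (Bro state that has no IDMEF slot) is the point Robin makes about most of Bro working below IDMEF's level.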