Re: [sacm] Review and contribution requested: draft-boesch-idxp-idpef-01 (Bjoern-C. Boesch)
"B.-C. Boesch" <bjoernboesch@gmx.net> Fri, 01 May 2015 16:31 UTC
Message-ID: <5543AA71.5030702@gmx.net>
Date: Fri, 01 May 2015 18:31:45 +0200
From: "B.-C. Boesch" <bjoernboesch@gmx.net>
To: tony@yaanatech.com, saag@ietf.org, sacm@ietf.org, ietf@ietf.org, OPSAWG@ietf.org
Subject: Re: [sacm] Review and contribution requested: draft-boesch-idxp-idpef-01 (Bjoern-C. Boesch)
References: <5540ED82.5060905@gmx.net> <5542974B.9080208@yaanatech.com>
In-Reply-To: <5542974B.9080208@yaanatech.com>
Hi Tony,

thanks for your question. You are not the first to ask about this in the context of STIX or CybOX, so this seems to be an important point that I have to take care of.

The STIX project is very interesting and covers a wide field of cyber security. I am currently still familiarising myself with STIX and CybOX, with a special focus on interoperability with, and provisions for, IDPEF. My work is close to the IDMEF and IDXP of the IETF and is focused only on IDS federation and interoperability, so I decided at the start of IDPEF to stay close to IDMEF and IDXP.

From my point of view, the STIX project is more focused on the communication of standardized cyber threat information (reporting). The focus of IDPEF is to improve the management of IDS under one independent central management system for all operated IDS Analyzers. So IDPEF customizes the Analyzer to the individual environment and implementation of the IDS entity. STIX is more the output of an IDS, and IDPEF more the interoperability and combination between IDS Analyzers under one independent central Manager. For me these are two separate areas of focus.

I am open to aligning IDPEF more closely with other frameworks like STIX, CybOX, etc., but for now the structure and notation of IDPEF are close to IODEF and IDMEF. Currently all standardization is focused on reporting and alerting, to exchange threat and incident information in a structured and secure manner (STIX, IODEF, IDMEF, etc.). The intended usage of IDPEF is to operate all IDS Analyzers under an independent management system. So the focus of IDPEF is more the interoperability and combination between IDS Analyzers under one independent central Manager. For me these are two separate areas of focus.

If you have another point of view, please let us discuss it so that I have the chance to adjust IDPEF closer to STIX. A small STIX notation based on an example from Appendix A would be great and very helpful for me.

Thanks.

Kind regards
Bjoern-C.
On 30.04.2015 at 22:57, Tony Rutkowski wrote:
> How is this not like STIX?
>
> -t
>
> On 2015-04-29 10:41 AM, B.-C. Boesch wrote:
>> Abstract
>>
>> The Intrusion Detection Parametrization Exchange Format (IDPEF) defines data formats and exchange procedures to standardize
>> the exchange of parametrization information into intrusion detection and response systems from an independent central Manager
>> to any Analyzer. The IDPEF enables a combination of different (vendor and analyzing technique) IDS Analyzers under one
>> independent central Manager. Separate operation of each IDS is no longer needed. The basis is a new parametrization methodology
>> where IDS operating parameters (configurations) are separated into an environmental parametrization part and a vendor-specific
>> analyzing part.
>>
>> This Internet-Draft describes a data model to represent parametrization information of intrusion detection system entities,
>> and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML)
>> is presented, an XML Document Type Definition is developed, and parametrization examples are provided.