Re: [sacm] Review and contribution requested: draft-boesch-idxp-idpef-01 (Bjoern-C. Boesch)

"B.-C. Boesch" <bjoernboesch@gmx.net> Fri, 01 May 2015 16:31 UTC

Message-ID: <5543AA71.5030702@gmx.net>
Date: Fri, 01 May 2015 18:31:45 +0200
From: "B.-C. Boesch" <bjoernboesch@gmx.net>
To: tony@yaanatech.com, saag@ietf.org, sacm@ietf.org, ietf@ietf.org, OPSAWG@ietf.org
Subject: Re: [sacm] Review and contribution requested: draft-boesch-idxp-idpef-01 (Bjoern-C. Boesch)
References: <5540ED82.5060905@gmx.net> <5542974B.9080208@yaanatech.com>
In-Reply-To: <5542974B.9080208@yaanatech.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/-MMzzrr6YCh3BEZJ_ektC6ZzsWY>

Hi Tony,

thanks for your question. You are not the first one who asks in the context 
of STIX or CybOX. So this seems to be an important point, which I have 
to take care of.

The STIX project is very interesting and covers a wide field of cyber 
security. Currently I am still familiarising myself with STIX and CybOX, with 
special focus on interoperability with and provisions by IDPEF. My work 
is close to the IDMEF and IDXP of the IETF and is focused on IDS 
federation and interoperability only. So I decided at the start of IDPEF 
to stay close to IDMEF and IDXP.

From my point of view the STIX project is more focussed on the communication 
of standardized cyber threat information (reporting). The focus of IDPEF 
is to improve the management of IDS under one independent central 
management system for all operated IDS Analyzers. So IDPEF customizes 
the Analyzer to the individual environment and implementation of the IDS 
entity.

So STIX is more the output of an IDS, and IDPEF more the interoperability 
and combination between IDS Analyzers under one independent central 
Manager. For me these are two separate working focuses. I am open to aligning 
IDPEF closer to other frameworks like STIX, CybOX, etc., but for now the 
structure and notation of IDPEF is close to IODEF and IDMEF.

Currently all standardization is focussed on reporting and alerting to 
exchange threat and incident information in a structured and secure 
manner (STIX, IODEF, IDMEF, etc.). The intended usage of IDPEF is to operate 
all IDS Analyzers under an independent management system. So the focus of IDPEF 
is more the interoperability and combination between IDS Analyzers under 
one independent central Manager. For me these are two separate working 
focuses.

If you have another point of view, please let us discuss it so that I have 
the chance to adjust IDPEF closer to STIX. A small STIX notation based 
on an example of Appendix A would be great and very helpful for me.

Thanks.

Kind regards

Bjoern-C.

On 30.04.2015 at 22:57, Tony Rutkowski wrote:
> How is this not like STIX?
>
> -t
>
> On 2015-04-29 10:41 AM, B.-C. Boesch wrote:
>> Abstract
>>
>> The Intrusion Detection Parametrization Exchange Format (IDPEF) 
>> defines data formats and exchange procedures to standardize 
>> parametrization information exchange into intrusion detection and 
>> response systems from an independent central Manager to any Analyzer. 
>> The IDPEF enables a combination of different (vendor and analyzing 
>> technique) IDS Analyzers under one independent central Manager. 
>> Separate operation of IDS is no longer needed. The basis is a new 
>> parametrization methodology where IDS operating parameters 
>> (configurations) are separated into an environmental parametrization 
>> part and a vendor-specific analyzing part.
>>
>> This Internet-Draft describes a data model to represent 
>> parametrization information of intrusion detection system entities, 
>> and explains the rationale for using this model. An implementation of 
>> the data model in the Extensible Markup Language (XML) is presented, 
>> an XML Document Type Definition is developed, and parametrization 
>> examples are provided.