Re: [OPSAWG] Internet Draft: Standardized Parameterization of Intrusion Detection Entities
"B.-C. Boesch" <bjoernboesch@gmx.net> Mon, 02 February 2015 19:13 UTC
To: David Harrington <ietfdbh@comcast.net>
Cc: ietf@ietf.org, OPSAWG@ietf.org, Lime@ietf.org, sacm@ietf.org, saag@ietf.org
Dear David,

thanks for your hint to the SACM WG. I have also posted it within the SACM community for any comments, feedback, suggestions, notations, hints, recommendations, etc. but haven't received any response or feedback to the Internet Draft so far. I hope this will change and a lively discussion is going to come up.

Kind regards
B.-C. Boesch

On 02.02.2015 at 18:32, David Harrington wrote:
> I think similar work is being addressed in the sacm wg.
>
> David Harrington
> ietfdbh@comcast.net
>
>
>
> On Jan 18, 2015, at 3:23 AM, B.-C. Boesch <bjoernboesch@gmx.net> wrote:
>
>> Dear Community,
>>
>> Efficiency of Intrusion Detection Systems (IDS) depends on their configuration and coverage of services. The coverage depends on the IDS used, with currently vendor-specific configurations. In case of usage of multiple systems the operations could become complex. Individual communication between the management interface and the IDS entities results in current multi-vendor IDS architectures not interacting with each other. They coexist independently.
>>
>> The Internet Draft defines data formats and exchange procedures to standardize parametrization information exchange into intrusion detection and response systems from a Manager to an Analyzer.
>>
>> The created Intrusion Detection Parametrization Exchange Format (IDPEF) is intended to be a standard data format to parametrize IDS. The development of this open standardized format, in combination with the Intrusion Detection Message Exchange Format (IDMEF), will enable interoperability among commercial, open source, and research systems, allowing users to mix and match the deployment of these systems according to their strong and weak points to obtain an optimal IDS implementation.
>>
>> The most obvious place to implement IDPEF is in the data channel between a Manager and an Analyzer of an IDS, where the Manager sends the configuration parameters to the Analyzers. But there are other places where the IDPEF can be useful:
>>
>> - Combination of specialized IDS like application-IDS with server-IDS, WLAN-IDS and network-IDS into one functionally interacting meta-IDS.
>>
>> - Management of different IDS vendors with one central management interface.
>>
>> - Interaction of different IDS by using IDPEF and IDMEF.
>>
>> - Parametrization backups and restore of parametrized IDS entities.
>>
>> - Communication between a Manager and a Manager in a multi-stage management architecture.
>>
>> I am happy to invite you to give me feedback, suggestions, notations, hints, recommendations, etc. to improve the Internet Draft. The initial version of the Internet Draft can be found at:
>>
>> http://www.ietf.org/id/draft-boesch-idxp-idpef-00.txt
>>
>> Kind regards,
>>
>> B.-C. Boesch