Re: [sacm] Review and contribution requested: draft-boesch-idxp-idpef-01 (Bjoern-C. Boesch)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Tony,

thanks for your question. You are not the first one who ask in context to STIX or CybOX. So this seems to be an important point, which I have to take care about.

The STIX project is very interesting and covers a wide field of cyber security. Currently I make me still familiarise with STIX and CybOX with special focus on interoperability with and provisions by IDPEF. My work is close to the IDMEF and IDXP of the IETF and is focused on IDS federation and interoperability only. So I decide at the start of IDPEF to be close to IDMEF and IDXP.

By my point of view the STIX project is more focussed on communication of standardized cyber threat information (reporting). The focus of IDPEF is to improve the management of IDS under one independent central management system for all operated IDS Anlayzers. So IDPEF customizes the Analyzer to the individual environment and implementation of the IDS entity.

So STIX is more the output of an IDS and IDPEF more the interoperability and combination between IDS Analyzers under one independent central Manager. For me this are two separate working focus. I am open to align IDPEF closer to other frameworks like STIX, CybOX, etc. but by now the structure and notation of IDPEF is close to IODEF and IDMEF.

Currently all standardization is focussed on reporting and alerting to exchange threat and incident information structured and in a secure manner (STIX, IODEF, IDMEF, etc.). IDPEF intended usage is to operate all IDS Analyzers under a independent management system. So IDPEF focus is more the interoperability and combination between IDS Analyzers under one independent central Manager. For me this are two separate working focus.

Did you have an other point of view, please let us discus so that I have the chance to adjust IDPEF closer to STIX. A small STIX notation based on an example of Appendix A will be great and very helpful for me.

Thanks.

Kind regards

Bjoern-C.

Am 30.04.2015 um 22:57 schrieb Tony Rutkowski:
How is this not like STIX?

-t

On 2015-04-29 10:41 AM, B.-C. Boesch wrote:
Abstract

The Intrusion Detection Parametrization Exchange Format (IDPEF) defines data formats and exchange procedures to standardize parametrization information exchange into intrusion detection and response systems from an independent central Manager to any Analyzer. The IDPEF enables a combination of different (vendor and analyzing technique) IDS Analyzers under one independent central Manager. A separate operations of IDS is not longer needed. Base is a new parametrization methodology where IDS operating parameters (configurations) are separated in an environmental parametrization part and a vendor-specific analyzing part.

This Internet-Draft describes a data model to represent parametrization information of intrusion detection system entities, and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, a XML Document Type Definition is developed, and parametrization examples are provided.







[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]