This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
en:index [25.04.2016 15:34] ph@cesnet.cz Fix typo |
en:index [06.12.2017 14:27] ph@cesnet.cz |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Intrusion Detection Extensible Alert ====== | ====== Intrusion Detection Extensible Alert ====== | ||
| - | |||
| - | **The specification is nearly definitive. We expect only minor changes.** | ||
| //IDEA// stands for //Intrusion Detection Extensible Alert//. Even though there exists a variety of models for communication between honeypots, agents, detection probes, none of them is really used because of various limitations for general usage. The IDEA is an attempt to define nowadays requirements and propose foundations for viable solution for security event model, taking into consideration existing formats, their benefits and drawbacks. | //IDEA// stands for //Intrusion Detection Extensible Alert//. Even though there exists a variety of models for communication between honeypots, agents, detection probes, none of them is really used because of various limitations for general usage. The IDEA is an attempt to define nowadays requirements and propose foundations for viable solution for security event model, taking into consideration existing formats, their benefits and drawbacks. | ||
| Line 8: | Line 6: | ||
| These amounts of data should not go in vain – unusable here might be useful there, moreover when combined and correlated from various sources. | These amounts of data should not go in vain – unusable here might be useful there, moreover when combined and correlated from various sources. | ||
| - | Also, in the last couple of years, a number of projects for automated incident report exchange appeared, namely [[https://warden.cesnet.cz/|Warden]], [[http://abusehelper.be/|AbuseHelper]], [[http://n6.cert.pl/|n6]], [[https://gitorious.org/megatron|Megatron]], [[https://code.google.com/p/collective-intelligence-framework/|CIF]] and [[https://www.prelude-ids.org/|Prelude]]). | + | Also, in the last couple of years, a number of projects for automated incident report exchange appeared, namely [[https://warden.cesnet.cz/|Warden]], [[http://abusehelper.be/|AbuseHelper]], [[https://github.com/certtools/intelmq|IntelMQ]], [[http://n6.cert.pl/|n6]], [[https://gitorious.org/megatron|Megatron]], [[https://code.google.com/p/collective-intelligence-framework/|CIF]] and [[https://www.prelude-ids.org/|Prelude]]). |
| The format for security event exchange is not something new – the attempts do exist to define languages or formats that would allow for such an exchange, however none of them have been very successful. We realize we cannot create the perfect one, there is never “one size fits all” solution. We would like to hit some middle ground between complexity of IDMEF and free spirit and structure (or lack thereof) of !AbuseHelper, learn from pitfalls of existing projects and based on experience as members of CSIRT team, propose solutions to some of them on the way, taking into consideration recent evolution and requirements in the field. | The format for security event exchange is not something new – the attempts do exist to define languages or formats that would allow for such an exchange, however none of them have been very successful. We realize we cannot create the perfect one, there is never “one size fits all” solution. We would like to hit some middle ground between complexity of IDMEF and free spirit and structure (or lack thereof) of !AbuseHelper, learn from pitfalls of existing projects and based on experience as members of CSIRT team, propose solutions to some of them on the way, taking into consideration recent evolution and requirements in the field. | ||
CESNET, z. s. p. o.
Generála Píky 26
16000 Prague 6
Tel: +420 234 680 222
Fax: +420 224 320 269
info@cesnet.cz
Tel: +420 234 680 222
GSM: +420 602 252 531
Fax: +420 224 313 211
support@cesnet.cz