[Dshield] Standardized reporting via SOAP? (WAS: Re: [Dshield] New Client: TinyFirewall / Syslog)
Johannes B. Ullrich
jullrich at sans.org
Mon Mar 4 02:09:49 GMT 2002
> log data, XML-ize it, and store it / transmit it for analysis. Being
> somewhat of a newbie to the whole IDS space, is there any such effort
There is an IETF effort for such a standardized format. This format is for
example implemented in snort, but nobody else I know of uses it so far.
I looked at XML when I started DShield. I used it before in a few
e-commerce applications. One reason why people use and like XML is that it
is a great way to make everyone agree on a standard that isn't really one.
Just take a look at the IETF intrusion detection standard.
( http://www.ietf.org/ids.by.wg/idwg.html ). One of the issues I do not
like about it is that it allows the transmission of what I call "magic
strings". In essence, an IDS like snort could sent that it detected a
'Code Red' event. But it is up to the user to define what a 'code red' is
One of the basic ideas of DShield is to collect data with as little
interpretation by the client as possible. We basically want 'just the
facts', not the opinion of a particular firewall/IDS what the facts
We have a full packet capture system in the preliminary planning. It may
use a more advanced format to exchange data. Tab delimited is not an
option in this case....
You may realize by reading the above that I am a 'tab delimited' fan. I
think it is a great and robust data exchange format. (many people will
disagree). But XML would at this point just add a huge overhead to the
system. It would at least double the data volume we have to handle. The
parser would be much more complex.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
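As an added illustration of the 'just the facts' and data-volume arguments in the message above (this is not code from the list or from DShield; the field layout and the sample events are constructed assumptions, not DShield's actual submission format), the same records are serialized as tab-delimited and as XML to compare size, and the tab-delimited parser accepts only validated fields, rejecting any row that carries a free-text label where a protocol should be:

```python
import ipaddress
from datetime import datetime
from xml.etree import ElementTree as ET

# Constructed sample firewall events (assumed layout, not DShield's real format):
# (UTC timestamp, source IP, source port, destination IP, destination port, protocol)
EVENTS = [
    ("2002-03-03 21:15:02", "10.1.2.3", 4201, "192.0.2.10", 80, "TCP"),
    ("2002-03-03 21:15:04", "10.1.2.3", 4202, "192.0.2.10", 1434, "UDP"),
    ("2002-03-03 21:16:11", "198.51.100.7", 53, "192.0.2.20", 53, "UDP"),
]
FIELDS = ("date", "src", "sport", "dst", "dport", "proto")
PROTOCOLS = ("TCP", "UDP", "ICMP")

def to_tsv(events):
    """One tab-delimited line per event, fields in FIELDS order."""
    return "".join("\t".join(str(f) for f in e) + "\n" for e in events)

def to_xml(events):
    """Same events wrapped in a minimal <events><event>...</event></events> tree."""
    root = ET.Element("events")
    for e in events:
        ev = ET.SubElement(root, "event")
        for name, val in zip(FIELDS, e):
            ET.SubElement(ev, name).text = str(val)
    return ET.tostring(root, encoding="unicode")

def parse_tsv(text):
    """Parse tab-delimited records, keeping only rows that are verifiable facts.
    Returns (accepted records, [(line number, reason) for rejected rows])."""
    good, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split("\t")
        try:
            if len(parts) != len(FIELDS):
                raise ValueError("field count")
            date = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            src, dst = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[3])
            sport, dport = int(parts[2]), int(parts[4])
            if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
                raise ValueError("port range")
            proto = parts[5].upper()
            if proto not in PROTOCOLS:  # a label such as 'Code Red' is an opinion, not a fact
                raise ValueError("protocol")
            good.append(dict(zip(FIELDS, (date, src, sport, dst, dport, proto))))
        except ValueError as exc:
            bad.append((lineno, str(exc)))
    return good, bad

def size_ratio(events):
    """How many times larger the XML encoding is than the tab-delimited one."""
    return len(to_xml(events)) / len(to_tsv(events))
```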