[Dshield] Standardized reporting via SOAP? (WAS: Re: [Dshield] New Client: TinyFirewall / Syslog)

Johannes B. Ullrich jullrich at sans.org
Mon Mar 4 02:09:49 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> log data, XML-ize it, and store it / transmit it for analysis.  Being
> somewhat of a newbie to the whole IDS space, is there any such effort
> underway?

There is an IETF effort for such a standardized format. This format is for 
example implemented in snort, but nobody else I know of uses it so far.

I looked at XML when I started DShield. I used it before in a few
e-commerce applications. One reason why people use and like XML is that it 
is a great way to make everyone agree on a standard that isn't really one.

Just take a look at the IETF intrusion detection standard. 
( http://www.ietf.org/ids.by.wg/idwg.html ). One of the issues I do not 
like about it is that it allows the transmission of what I call "magic 
strings". In essence, an IDS like snort could send that it detected a 
'Code Red' event. But it is up to the user to define what a 'code red' is 
all about. 

One of the basic ideas of DShield is to collect data with as little 
interpretation by the client as possible. We basically want 'just the 
facts', not the opinion of a particular firewall/IDS what the facts 
indicated.

We have a full packet capture system in the preliminary planning. It may 
use a more advanced format to exchange data. Tab delimited is not an 
option in this case....

You may realize by reading the above that I am a 'tab delimited' fan. I 
think it is a great and robust data exchange format. (many people will
disagree). But XML would at this point just add a huge overhead to the 
system. It would at least double the data volume we have to handle. The 
parser would be much more complex. 

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8gtdwwWQP+4im9DYRArq6AKC4fs24/Ky6a+QDoHzEeXgmZQ+ObACdFGVe
eooY3+6d9KegOIfqZVQJdKA=
=SX5q
-----END PGP SIGNATURE-----
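The post argues that a tab-delimited record carries "just the facts" at a fraction of XML's size and with a far simpler parser. The following script is an added example, not code from the original post or from the DShield project: it serializes a constructed firewall log record both ways, measures the byte overhead, and shows the strict input checks (field count, valid addresses, port range, no stray delimiters) a collector would want on tab-delimited submissions. The field layout, the sample records and the function names are assumptions chosen for illustration; they are not DShield's actual submission format.

```python
"""
Added example (not part of the original DShield post): compare the size of
a tab-delimited firewall log record with an XML encoding of the same
fields, and show a strict parser for the tab-delimited form.  The field
layout below is a hypothetical one chosen for illustration, not the
actual DShield submission format.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Assumed field layout for one firewall log record (hypothetical, not DShield's).
FIELDS = ("date", "time", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "flags")

# Constructed sample records using documentation address ranges, not real log data.
SAMPLE_RECORDS = [
    {"date": "2002-03-04", "time": "02:09:49", "src_ip": "192.0.2.10", "src_port": "4421",
     "dst_ip": "198.51.100.7", "dst_port": "80", "proto": "TCP", "flags": "S"},
    {"date": "2002-03-04", "time": "02:09:50", "src_ip": "203.0.113.5", "src_port": "53",
     "dst_ip": "198.51.100.7", "dst_port": "1025", "proto": "UDP", "flags": ""},
]


def to_tsv(record):
    """Serialize a record as one tab-delimited line, fields in FIELDS order."""
    values = [str(record[f]) for f in FIELDS]
    for v in values:
        # A tab or newline inside a field would corrupt the record boundary.
        if "\t" in v or "\n" in v:
            raise ValueError("field contains a delimiter character")
    return "\t".join(values) + "\n"


def to_xml(record):
    """Serialize the same record as a small XML element, one child tag per field."""
    root = ET.Element("record")
    for f in FIELDS:
        ET.SubElement(root, f).text = str(record[f])
    return ET.tostring(root, encoding="unicode") + "\n"


def parse_tsv_line(line):
    """Strict parser: exact field count, well-formed IPs, integer ports in range.

    Rejecting anything else up front keeps malformed or hostile submissions
    from reaching the database as 'facts'.
    """
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("src_ip", "dst_ip"):
        ip_address(rec[key])  # raises ValueError on anything that is not an address
    for key in ("src_port", "dst_port"):
        port = int(rec[key])
        if not 0 <= port <= 65535:
            raise ValueError(f"{key} out of range: {port}")
        rec[key] = port
    return rec


def size_ratio(records):
    """Bytes of the XML encoding divided by bytes of the TSV encoding."""
    tsv_bytes = sum(len(to_tsv(r).encode()) for r in records)
    xml_bytes = sum(len(to_xml(r).encode()) for r in records)
    return xml_bytes / tsv_bytes


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(to_tsv(r), end="")
        print(to_xml(r), end="")
    print(f"XML/TSV size ratio: {size_ratio(SAMPLE_RECORDS):.2f}")
```

On these two constructed records the XML form is more than three times the size of the tab-delimited form, which is in line with the post's "at least double" estimate; the parser side of the comparison is the dozen lines of `parse_tsv_line` against a full XML parser plus whatever schema validation the XML would need.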
