CEE Field List: Feedback

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CEE Field List: Feedback

joël Winteregg-3
Hello List,

When I saw Raffy field list (related to Common Log Syntax - CLS), I
found them very interesting and very similar to IDMEF fields. So I
decided to compare this field list to IDMEF fields... The result is
attached to this email (CSV file) where almost 70% of CEE fields
proposal are directly available into the current IDMEF standard. As you
will notice, IDMEF event interactions are similar too David Corlette
proposal ( http://www.nabble.com/Re%3A-CEE-Field-List-p15885885.html )
where initiator = alert.source, originator = alert.analyzer, and target
= alert.target.

So I don't really understand why IDMEF is defined (into CEE whitepaper)
as follow: "It also suffers from a narrow focus on intrusion event, thus
unsuitable for audit logging and system troubleshooting logging"

Many IDMEF missing fields (given as "?" into attached file) could be
simple IDMEF extensions like a new Service Class inheritance (sub-class)
like the actual alert.source.WebService Class.

Don't you think that IDMEF could be used as a basis for CLS where CEET
(Common Event Expression Taxonomy) could be seen as a way to better
define/structure IDMEF fields values ?


Joël Winteregg

CEE-fields_IDMEF.csv (12K) Download Attachment