
Message-ID: <54BB6D67.6010509@gmx.net>
Date: Sun, 18 Jan 2015 09:23:03 +0100
From: "B.-C. Boesch" <bjoernboesch@gmx.net>
To: Lime@ietf.org, OPSAWG@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/lime/YLj9IwSxzxIXX5hve4Bp9QPIAlo>
Subject: [Lime] Internet Draft: Standardized Parameterization of Intrusion Detection Entities

Dear Community,

The efficiency of Intrusion Detection Systems (IDS) depends on their configuration and coverage of services. The coverage depends on the IDS used, with currently vendor-specific configurations. In case of usage of multiple systems, operations could become complex. Individual communication between the management interface and the IDS entities results in current multi-vendor IDS architectures not interacting with each other. They are independent and coexistent.

The Internet Draft defines data formats and exchange procedures to standardize parametrization information exchange into intrusion detection and response systems from a Manager to an Analyzer.

The created Intrusion Detection Parametrization Exchange Format (IDPEF) is intended to be a standard data format to parametrize IDS. The development of this open standardized format and the Intrusion Detection Message Exchange Format (IDMEF) will, in combination, enable interoperability among commercial, open source, and research systems, allowing users to mix and match the deployment of these systems according to their strong and weak points to obtain an optimal IDS implementation.

The most obvious place to implement IDPEF is the data channel between a Manager and an Analyzer of an IDS, where the Manager sends the configuration parameters to the Analyzers. But there are other places where the IDPEF can be useful:

- Combination of specialized IDS like application-IDS with server-IDS, WLAN-IDS and network-IDS into one functionally interacting meta-IDS.

- Management of different IDS vendors with one central management interface.

- Interaction of different IDS by using IDPEF and IDMEF.

- Parametrization backup and restore of parametrized IDS entities.

- Communication between a Manager and a Manager in a multi-stage management architecture.

I am happy to invite you to give me feedback, suggestions, notations, hints, recommendations, etc. to improve the Internet Draft. The initial version of the Internet Draft can be found at:

http://www.ietf.org/id/draft-boesch-idxp-idpef-00.txt

Kind regards,

B.-C. Boesch