• Aims
  – Define data format
  – Define exchange procedure
• Outputs
  – Requirement document
  – Common intrusion language specification
  – Framework document

IDMEF (Intrusion Detection Message Exchange Format)
• Standard data format (using XML)
• Interoperability
• Typical deployments:
  – Sensor to manager
  – Database
  – Event correlation system
  – Centralized console

IDMEF Addressed Problems
• Inherently heterogeneous information
• Different sensor types
• Different analyzer capabilities
• Different operating systems
• Different objectives of commercial vendors

Message Classes (1)
• IDMEF-Message class
• Alert class
  – ToolAlert
  – CorrelationAlert
  – OverflowAlert
• Heartbeat class

Message Classes (2)
• Core classes
  – Analyzer
  – Source
  – Target
  – Classification
  – AdditionalData

Message Classes (3)
• Time classes
  – CreateTime
  – DetectTime
  – AnalyzerTime

Message Classes (4)
• Support classes
  – Node
  – User
  – Process
  – Service

Example (IDMEF Alert message; element values that did not survive on the slide are left empty)

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFCxxxx IDMEF v1.0//EN" "idmef-message.dtd">
  <IDMEF-Message version="1.0">
    <Alert ident="abc123456789" impact="successful-dos">
      <Analyzer analyzerid="hq-dmz-analyzer01">
        <Node category="dns">
          <location>Headquarters DMZ Network</location>
          <name></name>
        </Node>
      </Analyzer>
      <CreateTime ntpstamp="">2022-03-09T10:01:00Z</CreateTime>
      <Source ident="a1b2c3d4">
        <Node ident="a1b2c3d4-001" category="dns">
          <name></name>
          <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
            <address></address>
            <netmask></netmask>
          </Address>
        </Node>
      </Source>
      <Target ident="d1c2b3a4">
        <Node ident="d1c2b3a4-001" category="dns">
          <Address category="ipv4-addr-hex">
            <address>0xde796f70</address>
          </Address>
        </Node>
      </Target>
      <Classification origin="bugtraqid">
        <name>124</name>
        <url></url>
      </Classification>
    </Alert>
  </IDMEF-Message>

Summary
• IDS classification
• IDS deployment considerations
• How to choose an IDS
• Industry standards

HKCERT/CC
• Web:
• Telephone: 2788 6060
• Fax: 2190 9760
• Email:

Discussion
• SLA: the service cannot be stopped immediately
• Switch to a standby system if possible
• Contingency planning
• Trace the source; track its activity

Technology
• Signature detection
• Anomaly detection

CVE (1)
• Standardized name
• Interoperability between tools
• Tool comparison guidelines
  – CVE-compatible
  – Number of signatures

CVE (2)
• Version
  – As of August 2022: 20220507
• Classification
  – CVE candidate (CAN-YYYY-XXXX)
  – CVE entry (CVE-YYYY-XXXX)

CVE candidate workflow (figure): Discovery → Assign candidate number → Editor proposes to the board → Modification → Votes → Accepted or rejected, then published

Data Sources
• SecurityFocus weekly newsletters
• Network Computing and the SANS Institute weekly Security Alert Consensus (s/current/)
• ISS monthly Security Alert Summary
• NIPC CyberNotes biweekly issues

Reference Source (source tags used in CVE references)
AIXAPAR ALLAIRE ASCEND ATSTAKE AUSCERT BID BINDVIEW BUGTRAQ CALDERA CERT CERTVN CHECKPOINT CIAC CISCO COMPAQ CONECTIVA CONFIRM DEBIAN EEYE EL8 ERS FREEBSD FarmerVenema FreeBSD HERT HP IBM INFOWAR ISS KSRT L0PHT MANDRAKE MISC MS MSKB NAI NETBSD NETECT NTBUGTRAQ NetBSD OPENBSD REDHAT RSI SCO SEKURE SFINCIDENTS SGI SNI SUN SUNBUG SUSE TURBO URL VULNDEV WIN2KSEC XF

Tips for using CVE
• Do not use general terms (e.g. "buffer overflow") to search
• Use the exact process name (e.g. "sendmail")
• Go to the "references" for the fix
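The IDMEF example above shows the message on the wire but not what a manager does with it. The following is an added example, not code from the HKCERT deck or from the IETF IDWG: a small consumer that parses an Alert or Heartbeat, normalises addresses so that sensors using different Address categories (ipv4-addr-hex versus dotted quad) compare equal, and cross-checks the ntpstamp attribute against the ISO text of CreateTime. The two embedded messages are constructed for this example, modelled on the slide; hostnames, addresses, the ntpstamp and the URL are placeholders.

```python
"""Parse IDMEF v1.0 Alert and Heartbeat messages into flat records.

Added example for this page; it is not code from the HKCERT slides or from
the IETF IDWG. Standard library only. The two messages below are constructed
for the example, modelled on the Example slide; the hostnames, addresses,
ntpstamp and URL are placeholders.
"""
from datetime import datetime, timedelta, timezone
import ipaddress
import xml.etree.ElementTree as ET

NTP_TO_UNIX = 2_208_988_800  # seconds between 1900-01-01 and 1970-01-01

SAMPLE_ALERT = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFC XXXX IDMEF v1.0//EN" "idmef-message.dtd">
<IDMEF-Message version="1.0">
  <Alert ident="abc123456789" impact="successful-dos">
    <Analyzer analyzerid="hq-dmz-analyzer01">
      <Node category="dns">
        <location>Headquarters DMZ Network</location>
        <name>analyzer01.example.com</name>
      </Node>
    </Analyzer>
    <CreateTime ntpstamp="0xe5d2f95c.0x00000000">2022-03-09T10:01:00Z</CreateTime>
    <Source ident="a1b2c3d4">
      <Node ident="a1b2c3d4-001" category="dns">
        <name>badguy.example.net</name>
        <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <address>192.0.2.50</address>
          <netmask>255.255.255.255</netmask>
        </Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001" category="dns">
        <Address category="ipv4-addr-hex">
          <address>0xde796f70</address>
        </Address>
      </Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>124</name>
      <url>http://vuln.example.com/bid/124</url>
    </Classification>
  </Alert>
</IDMEF-Message>
"""

SAMPLE_HEARTBEAT = """<?xml version="1.0" encoding="UTF-8"?>
<IDMEF-Message version="1.0">
  <Heartbeat ident="hb-0001">
    <Analyzer analyzerid="hq-dmz-analyzer01"/>
    <CreateTime ntpstamp="0xe5d2f95c.0x00000000">2022-03-09T10:01:00Z</CreateTime>
  </Heartbeat>
</IDMEF-Message>
"""


def parse_ntpstamp(stamp):
    """Convert an IDMEF ntpstamp ('0xSECONDS.0xFRACTION') to a UTC datetime."""
    secs_hex, frac_hex = stamp.split(".")
    seconds = int(secs_hex, 16) - NTP_TO_UNIX + int(frac_hex, 16) / 2**32
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)


def _text(elem, path):
    found = elem.find(path)
    return (found.text or "").strip() if found is not None else ""


def normalize_address(addr_elem):
    """Return a dotted-quad string; ipv4-addr-hex values such as 0xde796f70
    are converted so alerts from different sensors can be correlated."""
    raw = _text(addr_elem, "address")
    if addr_elem.get("category") == "ipv4-addr-hex":
        return str(ipaddress.IPv4Address(int(raw, 16)))
    return raw


def _endpoints(body, tag):
    return [{"name": _text(node, "name"),
             "addresses": [normalize_address(a) for a in node.findall("Address")]}
            for node in body.findall(f"{tag}/Node")]


def parse_idmef(xml_text):
    """Parse one IDMEF-Message. The stdlib parser ignores the external DTD;
    a production manager should also disable entity expansion for untrusted
    sensor input (assumption: messages here are trusted and offline)."""
    root = ET.fromstring(xml_text)
    if root.tag != "IDMEF-Message" or len(root) != 1:
        raise ValueError("expected exactly one Alert or Heartbeat inside IDMEF-Message")
    body = root[0]
    if body.tag not in ("Alert", "Heartbeat"):
        raise ValueError(f"unknown IDMEF message class: {body.tag}")
    create = body.find("CreateTime")
    iso = datetime.fromisoformat(_text(body, "CreateTime").replace("Z", "+00:00"))
    ntp = parse_ntpstamp(create.get("ntpstamp"))
    record = {
        "kind": body.tag,
        "ident": body.get("ident"),
        "analyzer": body.find("Analyzer").get("analyzerid"),
        "create_time": iso.isoformat(),
        # A sensor whose ntpstamp and text disagree has a clock or encoder bug.
        "clock_consistent": abs((iso - ntp).total_seconds()) < 1.0,
    }
    if body.tag == "Heartbeat":
        return record  # heartbeats carry no Source/Target/Classification
    cls = body.find("Classification")
    record.update({
        "impact": body.get("impact"),
        "sources": _endpoints(body, "Source"),
        "targets": _endpoints(body, "Target"),
        "classification": {"origin": cls.get("origin"),
                           "name": _text(cls, "name"), "url": _text(cls, "url")},
    })
    return record
```

The hex target address in the slide's example decodes to 222.121.111.112; keeping addresses in one form is what lets a correlation engine match a Source on one sensor against a Target on another, which is the interoperability the IDMEF slides argue for.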
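The CVE slides describe the two name forms (CAN-YYYY-XXXX candidate, CVE-YYYY-XXXX entry), the Reference Source tags, and three search tips. The following added example, not code from the HKCERT deck or from MITRE, puts those together: it validates and normalises names, splits a reference into its source tag and value using the source list from the slide, filters references down to vendor sources where a fix is normally found, and shows why a product name narrows a search while a general term does not. It goes beyond the slide in one respect: the sequence part is accepted with 4 or more digits, as the CVE syntax has allowed since 2014. The three entries are constructed placeholders with an impossible year, not real CVE records.

```python
"""CVE name, reference and search helpers for the CVE slides.

Added example for this page, not code from the HKCERT deck or from MITRE.
The entries below are constructed placeholders (year 2099, "placeholder"
text) and do not describe real vulnerabilities.
"""
import re

# CAN-YYYY-XXXX (candidate) and CVE-YYYY-XXXX (entry). Four or more sequence
# digits are accepted, which goes beyond the slide's fixed-width form.
CVE_ID = re.compile(r"^(?P<prefix>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$", re.IGNORECASE)

# Source tags from the "Reference Source" slide.
KNOWN_SOURCES = set("""
AIXAPAR ALLAIRE ASCEND ATSTAKE AUSCERT BID BINDVIEW BUGTRAQ CALDERA CERT CERTVN
CHECKPOINT CIAC CISCO COMPAQ CONECTIVA CONFIRM DEBIAN EEYE EL8 ERS FREEBSD
FarmerVenema FreeBSD HERT HP IBM INFOWAR ISS KSRT L0PHT MANDRAKE MISC MS MSKB NAI
NETBSD NETECT NTBUGTRAQ NetBSD OPENBSD REDHAT RSI SCO SEKURE SFINCIDENTS SGI SNI
SUN SUNBUG SUSE TURBO URL VULNDEV WIN2KSEC XF
""".split())

# This grouping is the example's own assumption: tags that belong to a vendor
# or distributor, whose advisories usually carry the patch.
VENDOR_SOURCES = {"AIXAPAR", "ALLAIRE", "ASCEND", "CALDERA", "CHECKPOINT", "CISCO",
                  "COMPAQ", "CONECTIVA", "DEBIAN", "FREEBSD", "FreeBSD", "HP", "IBM",
                  "MANDRAKE", "MS", "MSKB", "NETBSD", "NetBSD", "OPENBSD", "REDHAT",
                  "SCO", "SGI", "SUN", "SUNBUG", "SUSE", "TURBO"}

# Constructed placeholder entries (not real CVE records).
ENTRIES = [
    {"name": "CAN-2099-0001",
     "description": "Buffer overflow in sendmail (placeholder) allows remote code execution",
     "references": ["BUGTRAQ:20990101 sendmail placeholder post", "BID:0000",
                    "REDHAT:RHSA-placeholder"]},
    {"name": "CVE-2099-0002",
     "description": "Buffer overflow in the BIND name server (placeholder)",
     "references": ["CERT:CA-placeholder", "DEBIAN:DSA-placeholder", "XF:bind-placeholder"]},
    {"name": "CVE-2099-100003",
     "description": "Buffer overflow in an IIS component (placeholder)",
     "references": ["MS:MS-placeholder", "MSKB:Q000000", "NTBUGTRAQ:placeholder"]},
]


def parse_cve_id(text):
    """Validate a CVE/CAN name and return its canonical (upper-case) form and status."""
    m = CVE_ID.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE/CAN name: {text!r}")
    prefix = m["prefix"].upper()
    return {"name": f"{prefix}-{m['year']}-{m['seq']}",
            "status": "candidate" if prefix == "CAN" else "entry",
            "year": int(m["year"]), "sequence": int(m["seq"])}


def is_cve_id(text):
    return CVE_ID.match(text.strip()) is not None


def parse_reference(ref):
    """Split 'SOURCE:value' and reject tags not on the Reference Source list."""
    source, sep, value = ref.partition(":")
    if not sep or source not in KNOWN_SOURCES:
        raise ValueError(f"unknown reference source in {ref!r}")
    return source, value.strip()


def fix_references(entry):
    """Tip 3: the fix lives in the references; keep the vendor ones."""
    return [r for r in entry["references"] if parse_reference(r)[0] in VENDOR_SOURCES]


def search(entries, term):
    """Tips 1 and 2: case-insensitive match on the description."""
    needle = term.lower()
    return [e["name"] for e in entries if needle in e["description"].lower()]
```

Against these three entries, "buffer overflow" matches every one and "sendmail" matches exactly one, which is the point of the slide's search tips; the same filter applied to a full CVE list behaves the same way, only with thousands of hits for the general term.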