Q&A | Questions and Answers
You will find on this pages answers to questions we’ve been regularly asked. If you have other question don’t hesitate to post it in the forums.
- How can I participate ?
- Why is there two formats ?
- How come on RFC 4765 it says that IDMEF is not an IETF standard ?
- I’ve heard about CEE and MItre working on it, isn’t it more recent and better than IDMEF ?
- What do you do about all the existing proprietary formats ?
- Aren’t those two formats too complicated ?
How can I participate ?
Depending on your profile you can help in many ways :
- Security expert : you can read our documents, post your needs on the forum, promote SECEF around, etc.
- CISO : ask your tools editors if they use standard format and if not to get look at SECEF
- Security tools developpers : implement the formats in your tools (don’t hesitate to ask for help in the forums)
- Academic : experiment the use of those formats, train your students
Why is there two formats ?
IDMEF and IODEF are complementary formats. IDMEF is essentially used for transporting technical informations about an intrusion (or possible intrusion) between security analysers and managers. IODEF is used between security teams to share information about a global security incident.
IDMEF : At 14h01, someone tried a login with a wrong password on the apache web server
IODEF : In september, we have been attacked many times by Chinese IP adress who were using man on the middle type of attack to penetrate in our network. We found a solution which is presented here.
How come on RFC 4765 it says that IDMEF is not an IETF standard ?
Has many knows RFC means Request For Comment … the RFC 4765 is a request of comments on a first definition of a standard. After nearly 10 years of experimentation and utilisation it is time to bring comments. This is a classical way to define standards.
I’ve heard about CEE and MItre working on it, isn’t it more recent and better than IDMEF ?
CEE has been an attempt of the Mitre (who also particpated at the IDMEF working group) to define a more global format for Common Event Expression format for logs.
A lot of work (and money) has been put on CEE but after many years of work nothing has really come out of it and for nom US governement has stopped funding the project.
CEE by trying to solve ALL problems at the same time was maybe to optimistic and at the end it may confirm that’s IDMEF should stay focus on only intrusion detection and no more.
What do you do about all the existing proprietary formats ?
Like any other computer field there are a lot of proprietary format in the market. Nearly each SIEM vendor has invented his own. The aim of IDMEF is not to “replace” those formats inside the propriaty tools (not yet !) but to propose a universal format to communicate between all tools.
In some ways on can compare the IDMEF format for intrusion detection to the SMTP format for mail. At the end, propriatary companies kept there format inside their messaging servers but they all have an “SMTP gateway” somewhere.
Aren’t those two formats too complicated ?
IDMEF is sometime critisized because it’s “too complicated”.
It’s true … it IS complicated, BUT it is complicated because “intrusion detection” is complicated and beeing complicated it needs a “complicated” (complex ?) format.
Anyway, one goal of the SECEF project is to help people understand those format. Tutorial will be written to help people implement the format in their tools.