[Oisf-wg-ruleslanguage] Intrusion Detection Message Exchange Format (IDMEF)

Scott MacGregor shadowbq at gmail.com
Sun Sep 20 22:16:37 UTC 2009


Just an Idea(tm) : => Intrusion Detection Message Exchange Format (IDMEF)
http://www.ietf.org/rfc/rfc4765.txt

Please let us not forget about IETF efforts and the like. This RFC is
for the alerting output, but it could go a long way toward writing an
XML language DTD.

I understand that Snort rules are the "user standard" and ArcSight CEF is
almost the same for the output data.. but let's look at MITRE and
other "documentation" before we run out and write YAML or XML.

FYI: One reason that Snort rules are so hard to deal with is that there is
NO?! bison/yacc grammar definition file. We must clearly define and
use strict versioning for whatever grammar file is defined.

------------------
Example:
(this information should be in a rule checker and a public DTD [if using
XML] definition page. The DTD should also be bundled with the superIDS source
for offline use.)

superIDS v.01 compatible with rule_def 0.1 0.2
superIDS v.02 compatible with rule_def 0.1 0.2 0.3
superIDS v.04 compatible with rule_def 0.1 0.2 0.3
++ (warning: rule_def 0.1 use deprecated)

superIDS v.11 compatible with rule_def 0.2 0.3
++ (error: rule_def 0.1 use obsolete)

---------------

I want to validate the rules configuration (XML), not run a binary
snort -T!!! There are really good reasons for this.. pushing a rule
file to a globally distributed IDS implementation is time consuming
and never as easy as it sounds.

---------------

If I have to open up the Snort source one more time, Marty, to count the
splits, cases, and loops I will go mad...lol

Thoughts on:
YAML - easy, but requires strict tabs and spaces (no like..)
XML - Can be easy, but can be overly complicated like the IDMEF example..

We could support multiple input types.. simple XSD/XSL to transform
XML to YAML.. just an idea. (works when there is a clearly defined
language..)
Examples:
http://www.yaml.org/xml.html
http://www.unfitforprint.com/articles/2005/09/23/yaml2xml-in-33-lines-or-your-money-back

~~~~ shadowbq
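The offline rule checker sketched in the post above (a rule file that declares its rule_def version, checked against a per-engine compatibility matrix without starting the IDS), as an added example that is not part of the original message or any OISF code. The engine versions, rule_def statuses, the `rule_def` attribute and the sample rule file are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Compatibility matrix as the post sketches it: engine version -> rule_def
# versions it accepts, each with a status. Constructed values, not from any
# real IDS release.
COMPAT = {
    "v.01": {"0.1": "ok", "0.2": "ok"},
    "v.02": {"0.1": "ok", "0.2": "ok", "0.3": "ok"},
    "v.04": {"0.1": "deprecated", "0.2": "ok", "0.3": "ok"},
    "v.11": {"0.1": "obsolete", "0.2": "ok", "0.3": "ok"},
}

# Constructed sample rule file. The rule_def version is declared on the root
# element (a hypothetical attribute) so it can be checked without any engine.
SAMPLE_RULES = """<rules rule_def="0.1">
  <rule sid="1000001" action="alert" proto="tcp">
    <msg>constructed example rule</msg>
  </rule>
</rules>"""


def check_rule_file(xml_text, engine_version):
    """Return (level, message); level is 'ok', 'warning' or 'error'.

    A deprecated rule_def yields a warning, an obsolete or unsupported one an
    error, so a bad file is rejected before it is pushed to a distributed
    deployment rather than discovered by running the engine itself.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ("error", "rule file is not well-formed XML: %s" % exc)
    rule_def = root.get("rule_def")
    if rule_def is None:
        return ("error", "rule file declares no rule_def version")
    table = COMPAT.get(engine_version)
    if table is None:
        return ("error", "unknown engine version %s" % engine_version)
    status = table.get(rule_def)
    if status is None:
        return ("error", "rule_def %s not supported by %s" % (rule_def, engine_version))
    if status == "deprecated":
        return ("warning", "rule_def %s use deprecated" % rule_def)
    if status == "obsolete":
        return ("error", "rule_def %s use obsolete" % rule_def)
    return ("ok", "rule_def %s accepted by %s" % (rule_def, engine_version))


if __name__ == "__main__":
    for ver in ("v.01", "v.04", "v.11"):
        print(ver, check_rule_file(SAMPLE_RULES, ver))
```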