Notes from the LA CIDF BOF, 31 March 1998
taken by Stuart Staniford-Chen, edited by Brian Tung
Brian Tung (ISI) gave an introduction and overview of the objectives
of the Common Intrusion Detection Framework (CIDF). This started as
a DARPA effort, but has gathered enough interest that the DARPA group
decided to introduce the ideas and work to the IETF.
Stuart Staniford-Chen (UC Davis) gave a brief history of CIDF.
Brian described some of the terminology used in the DARPA CIDF group
(just in case they were accidentally used without definition later on),
and went through the charter and milestones.
Folks demanded to see an online version of the slides. They will be put on
the CIDF web site and also in the IETF proceedings.
Jeff Schiller asked for a show of interest. Many of those present were
involved in implementing intrusion detection products; not all of them
thought it was a great idea to standardize, though many said they would be
willing to be involved.
There was some debate over whether Brian's bullets on charter/milestones
were clear enough--mostly because Brian's slides used CIDF lingo (which
the charter doesn't).
There was some discussion over whether general error handling is also
included in this framework. From the standpoint of handling them, it is
rather unclear where the separation lies between general faults and
intrusions.
Brian discussed the current CIDF architecture, and Dan Schnackenberg
(Boeing) went through a list of requirements for the CIDF message layer.
There were questions on scalability: how much of a requirement should
scalability be for CIDF? There was discussion but no clear conclusion.
Someone asked why DARPA CIDF didn't use TLS as a message layer. Dan
explained that it didn't provide support for long-term associations or
multicast. Another alternative for a message layer was SNMP; the group
came to no clear consensus as to why that was not used (and it's not yet
clear that it isn't appropriate).
Dan briefly described the proposed message layer formats. Jeff Schiller's
reaction was that the message layer duplicates existing Internet
functionality, and that isn't useful. Dan responded that DARPA CIDF hadn't
found anything existing that met its requirements.
Phil Porras (SRI) described the objectives of the GIDO (Generalized
Intrusion Detection Object) definition. He also described the GIDO
header. Brian followed by describing the GIDO payload. Much of this
material can be found at the following URL:
http://seclab.cs.ucdavis.edu/cidf/
Cliff Kahn (Open Group) explained briefly how a directory service could
be used to help various components locate the appropriate other components
to talk to.
An overall critique of the effort was that there was too much duplication.
The GIDO payload was perhaps the least redundant.
Jeff Schiller concluded by conducting a series of polls, and issued the
following recommendation: since there appears to be support for a working
group in this area, one should be pursued, but there is a need to develop
a charter and requirements before proceeding to message formats. The
group may use the CIDF requirements specifically as a starting point. The
existing mailing list
cidf[-request]@cs.ucdavis.edu
will be used to hash out these requirements before the BOF reconvenes.