Do we need to specify a specific transport protocol within the IDMEF specification?
Added by Anonymous over 7 years ago
My feeling is that a transport protocol for alerts does not have to be specified. What is really important is the structure of the alerts. A concrete alert (maybe compressed if needed) can then be carried by any general-purpose transport protocol that offers classical services: error detection, re-emission if packets get lost, etc.
RE: Do we need to specify a specific transport protocol within the IDMEF specification? - Added by Guillaume Hiet over 7 years ago
I totally agree with Ludovic: we should focus on the schema and the semantic part (dictionaries, enumerations, etc.) of the standard. IDMEF should be compatible with any decent transport protocol.
RE: Do we need to specify a specific transport protocol within the IDMEF specification? - Added by Gilles Lehmann over 7 years ago
The definition of the transport protocol is essential for format adoption; otherwise tools can't easily communicate together. As for IDMEF "v1", it might be one reason why it has not been so much adopted (surely not the only reason).
But the good news is that today (I suppose it was not the case back in 2007) there are a few protocols already defined and "adopted" that should fit the needs.
Our part is to clarify this need and check that those alternatives could be OK.
I think about AMQP, which looks very similar to what Yoann has developed in LibPrelude for example, but maybe there are others.