Here is a first list of transport needs we can exchange about (most of those criteria are the ones you find today in the Prelude implementation):
- Security: the transport needs to be secure with "standard" security like SSL / X.509
- Robust: no messages can be lost
- Speed: in a SIEM architecture the number of IDMEF objects can be very high, so it needs speed
- Bandwidth: data needs to be "compressed" or something equivalent, as IDMEF will usually transit on the same network as "business" applications
- Bus: there are many different components in a SIEM architecture, so we need the capacity to go further than a simple "client-server" protocol. We need a way of subscribing to the bus, being read or read-write, routing, etc.
- Standard: there are some existing protocols today answering all those needs; it would be better to choose one of those and not invent a new one.
- Unicity: maybe there can be more than one way to get information from an IDMEF agent. One way very optimized (and maybe a little difficult to use) for exchange in a SIEM architecture which has lots of needs, and another way simpler to configure but not as powerful. Examples would be AMQP (or similar) for SIEM architecture and Webservices (or similar) for simple access.