Normalization and taxonomy

Added by Yoann Vandoorselaere over 4 years ago

This has already been stated when talking with Hervé, but the following would, in my opinion, greatly improve the standard:

- Take out most (if not all) of the enumeration fields from the standard:

Enumerated types shall be maintained by an external authority, such as the IANA.
This authority would allow users to add more values to a given enumerated field, making sure the provided values remain consistent.

- Provide a taxonomy for the alert.classification.text object, and encourage users to use it.


Replies (4)

RE: Normalization and taxonomy - Added by Hervé Debar over 4 years ago

Yoann Vandoorselaere wrote:

This has already been stated when talking with Hervé, but the following would, in my opinion, greatly improve the standard:

- Take out most (if not all) of the enumeration fields from the standard:

Enumerated types shall be maintained by an external authority, such as the IANA.
This authority would allow users to add more values to a given enumerated field, making sure the provided values remain consistent.

I agree. In fact, that is the route that MILE (formerly IODEF) is taking. A draft is out on the topic.

- Provide a taxonomy for the alert.classification.text object, and encourage users to use it.

I disagree. There is a need for free-form text here. The taxonomy should upgrade reference.

RE: Normalization and taxonomy - Added by Yoann Vandoorselaere over 4 years ago

Hervé Debar wrote:

Yoann Vandoorselaere wrote:

This has already been stated when talking with Hervé, but the following would, in my opinion, greatly improve the standard:

- Take out most (if not all) of the enumeration fields from the standard:

Enumerated types shall be maintained by an external authority, such as the IANA.
This authority would allow users to add more values to a given enumerated field, making sure the provided values remain consistent.

I agree. In fact, that is the route that MILE (formerly IODEF) is taking. A draft is out on the topic.

- Provide a taxonomy for the alert.classification.text object, and encourage users to use it.

I disagree. There is a need for free-form text here. The taxonomy should upgrade reference.

I did not state that the classification field should not be free-form: we talked about this already, and I agree that it would pose a great number of problems.
Here I am simply stating that we should provide a taxonomy for it, and clearly encourage users to use it (or rather discourage users from not using it).

RE: Normalization and taxonomy - Added by Gilles Lehmann over 4 years ago

I agree about the necessity to propose a taxonomy for classification.text, as otherwise the same tools use different definitions for the same alert and it can be very difficult for operators (who are not always security experts) to understand the alert.

But of course we can't cover all the needs, so it should be possible to use "other".

This principle is often used in IODEF when there is an ENUM; they call it "ext-value".

If the classification is not in the list, there would be the "ext-value" choice, then the "ext-classification" attribute.

Note: as classification is essential for operators to have an idea of what is going on, I think we also need to group classifications by "categories".

There might be such existing enumerations (classifications but also categories) in ISI/ETSI or somewhere else?
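The "ext-value" pattern and the category grouping described in this post can be shown in a few lines of code. The following is an added example, not code from IDMEF, IODEF or any project in this thread: it uses a constructed toy taxonomy (the categories and values are made up for illustration, not the IDEA or IODEF lists), and the field names `value`, `ext_value` and the helper names are assumptions. It validates a classification against the registered values, requires an "ext-classification" when "ext-value" is chosen, rejects the "ext-value" escape hatch when the value is in fact registered (which defeats normalization), and groups alerts from different tools by category for an operator's summary.

```python
"""Extensible enumeration ("ext-value") pattern for alert classification.

Added example with a constructed toy taxonomy; not the IDEA, IODEF or
IDMEF taxonomy, and the field names are assumptions for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

EXT_VALUE = "ext-value"

# Constructed registry: category -> registered classification values.
# In the scheme discussed in the thread this would be maintained by an
# external authority and loaded at runtime rather than hard-coded.
TAXONOMY: Dict[str, set] = {
    "Recon": {"Scanning", "Sniffing"},
    "Intrusion": {"UserCompromise", "AdminCompromise"},
    "Availability": {"DoS", "DDoS"},
}

# Reverse index so a registered value resolves to its category in O(1).
VALUE_TO_CATEGORY: Dict[str, str] = {
    value: category for category, values in TAXONOMY.items() for value in values
}


@dataclass
class Classification:
    text: str                        # free-form text, kept as the thread agrees
    value: str                       # a registered value, or EXT_VALUE
    ext_value: Optional[str] = None  # the "ext-classification"; only with EXT_VALUE


def validate(c: Classification) -> List[str]:
    """Return a list of problems; an empty list means the classification is valid."""
    problems: List[str] = []
    if not c.text.strip():
        problems.append("classification.text must not be empty")
    if c.value == EXT_VALUE:
        if not c.ext_value or not c.ext_value.strip():
            problems.append("ext-value chosen but ext-classification is empty")
        elif c.ext_value in VALUE_TO_CATEGORY:
            # Escaping to free text for a value that is registered would let two
            # tools describe the same alert differently; point at the registry.
            problems.append(
                f"{c.ext_value!r} is a registered value; use it as value instead of ext-value"
            )
    elif c.value not in VALUE_TO_CATEGORY:
        problems.append(
            f"unknown classification value {c.value!r}; use {EXT_VALUE!r} with an ext-classification"
        )
    return problems


def category_of(c: Classification) -> str:
    """Map a classification to its category; anything unregistered lands in 'Other'."""
    return VALUE_TO_CATEGORY.get(c.value, "Other")


def summarize_by_category(alerts: Iterable[Classification]) -> Dict[str, int]:
    """Operator view: count valid alerts per category, dropping invalid ones."""
    counts: Counter = Counter()
    for alert in alerts:
        if not validate(alert):
            counts[category_of(alert)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed sample alerts as two different tools might emit them.
    sample = [
        Classification("SYN scan from one host", "Scanning"),
        Classification("port sweep", "Scanning"),
        Classification("root shell obtained", "AdminCompromise"),
        Classification("miner beaconing", EXT_VALUE, "CryptoMining"),
        Classification("flood", EXT_VALUE),            # invalid: no ext-classification
        Classification("flood", "SynFlood"),           # invalid: unregistered value
    ]
    for alert in sample:
        print(alert.value, validate(alert) or "ok")
    print(summarize_by_category(sample))
```

The `summarize_by_category` output is what the post argues operators need: a handful of categories rather than each tool's own wording. A real deployment would replace the hard-coded `TAXONOMY` with a registry fetched from the maintaining authority, so new values can be added without a change to the standard.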

RE: Normalization and taxonomy - Added by Guillaume Hiet over 4 years ago

IDEA proposes a taxonomy. They seem to have studied and compared different taxonomies: [[https://csirt.cesnet.cz/IDEA/Classifications]]
