As a reminder IDMEF v2 needs to be able to describe "SCADA IDS" alerts.

Don't know if this kind of alert is very different from the "regular" ones.


RE: SCADA and IDMEF - Added by Anonymous over 8 years ago

I suppose alerts for SCADA would carry very similar information (IP addresses, process numbers, probe IDs, etc.) as the ones for classical IT systems.
In addition, some fields could be needed to describe very specific information. Nevertheless, I believe this specific information (role of a service or of a machine) is rather to be found, during the post-treatment of alerts (alert correlation phase), in the knowledge database describing the environments under monitoring.

RE: SCADA and IDMEF - Added by Hervé Debar over 8 years ago

I can see two specific issues:

  1. Update to the keyword list of classification, to include specific source of vulnerability information beyond Bugtraq and CVE. Yet, CVE is very largely used for SCADA systems.
  2. Specific information. This should be handled by AdditionalData, possibly extending the XML representation of AdditionalData.

Both need to be addressed anyway to update the standard.
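The AdditionalData route from the second point, as an added example that is not from the thread or from any IDMEF implementation: an RFC 4765 (IDMEF v1) alert in which constructed SCADA-specific fields (a Modbus function code and protocol name) travel as AdditionalData, with a Classification/Reference whose origin uses one of the keyword values RFC 4765 already defines, plus a consumer that reads the fields back. Message id, analyzer id, addresses, timestamp and the advisory name are placeholders.

```python
# Added example: IDMEF v1 alert with SCADA fields in AdditionalData (RFC 4765).
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"
ET.register_namespace("idmef", NS)

def q(tag):
    """Qualified tag name in the IDMEF namespace."""
    return f"{{{NS}}}{tag}"

def add_node(parent, tag, ip):
    """Source/Target -> Node -> Address(category=ipv4-addr) -> address."""
    node = ET.SubElement(ET.SubElement(parent, q(tag)), q("Node"))
    addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ip

def build_scada_alert(src_ip, dst_ip, extra):
    """Return an IDMEF-Message as XML text. `extra` maps an AdditionalData
    'meaning' to a (type, value) pair using RFC 4765 AdditionalData types."""
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid="constructed-0001")  # placeholder
    ET.SubElement(alert, q("Analyzer"), analyzerid="scada-probe-1")       # placeholder
    ct = ET.SubElement(alert, q("CreateTime"), ntpstamp="0xbc723b45.0xef449129")
    ct.text = "2000-03-09T10:01:25.93464Z"  # constructed timestamp
    add_node(alert, "Source", src_ip)
    add_node(alert, "Target", dst_ip)
    cls = ET.SubElement(alert, q("Classification"), text="Unexpected Modbus write")
    # Reference.origin is the keyword list the thread wants extended; RFC 4765
    # defines "cve", "bugtraqid", "osvdb", "vendor-specific", "user-specific".
    ref = ET.SubElement(cls, q("Reference"), origin="vendor-specific")
    ET.SubElement(ref, q("name")).text = "VENDOR-ADVISORY-ID-PLACEHOLDER"
    ET.SubElement(ref, q("url")).text = "https://example.invalid/advisory"
    for meaning, (kind, value) in extra.items():
        ad = ET.SubElement(alert, q("AdditionalData"), type=kind, meaning=meaning)
        ET.SubElement(ad, q(kind)).text = str(value)  # child element named after type
    return ET.tostring(msg, encoding="unicode")

def read_additional_data(xml_text):
    """Consumer side: collect AdditionalData as {meaning: value}, typing integers."""
    out = {}
    for ad in ET.fromstring(xml_text).iter(q("AdditionalData")):
        kind, child = ad.get("type"), ad.find(q(ad.get("type")))
        text = child.text if child is not None else None
        out[ad.get("meaning")] = int(text) if kind == "integer" else text
    return out

def reference_origins(xml_text):
    """Which Classification/Reference origin keywords the message uses."""
    return [r.get("origin") for r in ET.fromstring(xml_text).iter(q("Reference"))]
```

Fields that a correlation engine should instead take from the environment knowledge base (the role of a machine, as the earlier reply argues) do not need to be carried this way; the example only shows the transport for per-alert protocol details.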