Classification category » History » Version 3

Thomas Andrejak, 02/15/2016 09:03 AM

h1. Classification category
*Aim* : 
Put alerts into different (optional) categories to simplify the work of the people supervising them.
*Description* : 
Create a new attribute "Category" in the alert, at the same level as Classification.
A list of categories needs to be created or found (e.g. authentication, authorisation, etc.).
Pros :
* The classifications coming from the agents are not standardised, so it is difficult for a "non-expert" to find their way around. Categories could really help, given that IDMEF already has this "complicated" image.
* The same event can have different names depending on the agent ("authentication failed", "wrong password", "bad login or password", etc.) even though it is obviously the same event.
* Work has already been done on this, for example by LogLogic (based on IDMEF).
Cons :
* A list of categories has to be found or defined.
* Is it always possible to put an event in a category (and is there always only one category per event)?
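As an added illustration (this is not code from this wiki page or from the Prelude project), the sketch below derives a Category list from the agent-supplied Classification text with a small set of rules. The category names, the regular expressions and the sample alerts are all constructed here for the example; the real category list is still to be chosen. The mapper deliberately returns a list rather than a single value, so an alert can end up in zero categories or in several, which is exactly the open question raised in the cons above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample alerts in an IDMEF-like shape (analyzer model +
# Classification.text). These are illustrative, not real sensor output.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"analyzer": "Prelude-LML", "classification": "Authentication failed"},
    {"analyzer": "OSSEC", "classification": "SSHD authentication failed: wrong password"},
    {"analyzer": "Snort", "classification": "bad login or password"},
    {"analyzer": "Prelude-LML", "classification": "sudo: user NOT in sudoers"},
    {"analyzer": "Snort", "classification": "ET SCAN Nmap SYN scan"},
    {"analyzer": "Prelude-Correlator",
     "classification": "Brute-force login failure followed by port scan"},
    {"analyzer": "Custom", "classification": "Disk usage at 95%"},
]

# Hypothetical category list (assumption for this example). Each category
# is paired with a case-insensitive pattern over the Classification text.
# Several agents name the same event differently, so one category collects
# several spellings of it.
CATEGORY_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("authentication",
     re.compile(r"auth(entication)?\s+fail|wrong password|bad (login|password)|login fail", re.I)),
    ("authorisation",
     re.compile(r"not in sudoers|permission denied|access denied", re.I)),
    ("reconnaissance",
     re.compile(r"\bscan\b|\bnmap\b", re.I)),
]


def categorize(classification_text: str) -> List[str]:
    """Return every category whose rule matches the Classification text.

    The result may be empty (no rule fits) or hold more than one entry
    (a correlated alert can describe several things at once).
    """
    return [name for name, pattern in CATEGORY_RULES
            if pattern.search(classification_text)]


def add_category(alert: Dict[str, str]) -> Dict[str, object]:
    """Copy the alert and attach the derived Category list next to Classification."""
    return {**alert, "category": categorize(alert["classification"])}


def summarize(alerts: List[Dict[str, str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Group Classification texts by category; also report the ones no rule covers.

    The uncategorized list is what a supervisor would review to extend the
    rule set, since a category attribute only helps if most alerts get one.
    """
    by_category: Dict[str, List[str]] = {}
    uncategorized: List[str] = []
    for alert in alerts:
        cats = categorize(alert["classification"])
        if not cats:
            uncategorized.append(alert["classification"])
        for cat in cats:
            by_category.setdefault(cat, []).append(alert["classification"])
    return by_category, uncategorized


if __name__ == "__main__":
    for enriched in (add_category(a) for a in SAMPLE_ALERTS):
        print(f"{enriched['analyzer']:<20} {enriched['classification']:<50} -> {enriched['category']}")
    grouped, missing = summarize(SAMPLE_ALERTS)
    print("\nPer category:", {k: len(v) for k, v in grouped.items()})
    print("Uncategorized:", missing)
```

Run stand-alone, the script prints each constructed alert with its derived categories, then a per-category count and the list of alerts no rule matched. The three authentication spellings from the pros above all land in one category, the correlated brute-force/scan alert lands in two, and the disk-usage alert lands in none.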
Questions :
* Does it have something to do with ISI/ETSI? Should there be another attribute for "ISI category" or "ISI correspondence"? (GLE)
* TAN: The ISI/ETSI dictionary should be the solution: http://www.etsi.org/deliver/etsi_gs/isi/001_099/002/01.01.01_60/gs_isi002v010101p.pdf, annex B, first section.