Project

General

Profile

Classification category » History » Version 3

Version 2 (Gilles Lehmann, 02/10/2016 02:16 PM) → Version 3/6 (Thomas Andrejak, 02/15/2016 09:03 AM)

h1. Classification category

*Aim* :

Put alerts in different (optionals) categories to simplify the work of people supervising.

*Description* :

Create a new attribute "Category" at the same level as Classification.

Needs to create/find a list of categories (ex : authentication, authorisation, etc.)

Pros :

* The classification from the agent are not standard so it is difficult for a "non expert" to find it's way. Categories could really help knowing that IDMEF has this "complicated" image.
* The same event can have different names depending on the agent ("authentication failed", "wrong password", "bad login or password", etc.) eventhough it's obvious it's the same event.
* Work have been done on that with LogLogic for example (based on IDMEF)

Cons :

* Needs to find a list of categories
* Is it always possible to put event in a category (and is there allways only one category per event)

Questions :

* Does it have something to do with ISI/ETSI ? Should there be another attribute for "ISI category" or "ISI correspondance" ? (GLE)
* TAN : The ISI/ETSI dictionary should be the solution : http://www.etsi.org/deliver/etsi_gs/isi/001_099/002/01.01.01_60/gs_isi002v010101p.pdf annex B, first section