Original log

Aim:

Add the original log and the signature that triggered the alert in the case of a log analysis sensor.

For now, logs can only be added in Additional Data and this raises consistency problems.

Solution 1:

Add a field original_log to Alert

Impacted Class    Proposed Field    Type
Alert             original_log      String

Pros

Cons

Solution 2:

Add a Class Origin which contain the original_log in a field

Impacted Class            Proposed Field    Type
Classification->Origin    origin            log_analysis, sensor
                          signature         String
                          log               String

Pros

Cons

Meetings:

30/10/2015 Meeting: The log field has to be separated from Reference and should be an attribute of Alert, whereas the signature field should be a reference. As for the URLs, they should be put as references.

VH: This has been modified in the table. But I still keep the old table here because we didn't bring up the Origin.origin field case. Should it be removed? Is it unnecessary? I am not completely sure we can overlook this field without even mentioning it.
I am not really happy with the signature as a reference either, because it becomes less obvious that it can be put somewhere. But as we're trying to avoid adding too many fields, I understand that it is a viable solution.

Impacted Class            Proposed Field    Type
Classification->Origin    origin            log_analysis, sensor
                          signature         String
                          log               String

VH: Since there seems to be a misunderstanding, I will explain the way the first table was thought: most sensors should and will be "stand alone" sensors, which means that they will write their own alerts from scratch. But some sensors are log analysis sensors, which create their alerts from logs coming from other sensors (that's what Prelude-LML does, for example). These sensors tend to lose information in the process. Thus having the original log, the signature that triggered the alert, and specifying whether or not it is a log analysis sensor doesn't seem stupid.
I didn't take into account the fact that some sensors do have signatures while not working on logs: Snort or Suricata, for example.
Distinguishing between these two ways of using signatures seems to be important and we should maybe rethink Origin.origin.

Comments HD/YV:

- log is not a string; it can be a pcap capture, for example.
- origin is already carried by analyzer.
- signature is not relevant data within IDMEF; the classification URL is sufficient to give details.

Possibly:
- Add an Origin object, similar to AdditionalData (type, data, but without the meaning field).