OverflowAlerts are too specific to really have a meaning when they are the only type of alert to have a class of their own. There are then two possibilities: either we make as many classes as there are attack types, which is many, or we remove OverflowAlerts.

YV: This seems like a bad idea. Why?

SM: Why distinguish OverflowAlerts from the other alerts and not SQL injections, for example?

GH: OverflowAlert is a problem of homogeneity. Either we offer several subtypes of alerts to cover all the most common types of attack, and take the risk of inflating the format, or we suppress this class, assuming that this level of detail is too precise and not actually used (is it true?)
As for the inflation of the format, we must consider maintainability as well. Typically, this kind of information necessitates frequent updates given the frequency of appearance of new types of attack.

YV: In this case it seems to me more appropriate to add new classes.

Solution 1:

Remove OverflowAlerts



Solution 2:

Add more subclasses of Alert to each known Attack
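To make the two solutions concrete, here is an added Python sketch; it is not from these notes and not the format's own code. It assumes, as the class names suggest, that the format under discussion is IDMEF (RFC 4765), whose OverflowAlert carries program, size and buffer; the AdditionalData fallback used for Solution 1 and the helper names are my own assumptions. The point it shows is what a forensic consumer has to do in each case: with the subclass (Solution 2) the fields are typed and directly addressable, without it (Solution 1) the same data survives only as untyped name/value pairs that every consumer must re-parse.

```python
"""Added illustration of Solution 1 (remove OverflowAlert) versus Solution 2
(keep/extend typed subclasses).  Field names program/size/buffer follow the
OverflowAlert class of RFC 4765 (assumed to be the format discussed); the
AdditionalData fallback and the helper names are assumptions, not the
format's own API."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AdditionalData:
    """Generic name/value extension point (modelled on IDMEF AdditionalData)."""
    meaning: str
    value: str
    type: str = "string"


@dataclass
class Alert:
    """Minimal generic alert: a classification plus free-form extensions."""
    classification: str
    additional_data: List[AdditionalData] = field(default_factory=list)


@dataclass
class OverflowAlert(Alert):
    """Solution 2: a dedicated subclass with typed overflow details."""
    program: str = ""
    size: Optional[int] = None
    buffer: Optional[bytes] = None


def flatten_overflow(alert: OverflowAlert) -> Alert:
    """Solution 1: drop the subclass and push the typed fields into
    AdditionalData.  Every value becomes a string, so the types are lost."""
    extra = [AdditionalData("program", alert.program)]
    if alert.size is not None:
        extra.append(AdditionalData("size", str(alert.size), "integer"))
    if alert.buffer is not None:
        extra.append(AdditionalData("buffer", alert.buffer.hex(), "byte-string"))
    return Alert(alert.classification, alert.additional_data + extra)


def overflow_details(alert: Alert) -> Optional[dict]:
    """Forensic consumer that must cope with both representations.
    Returns None when the alert carries no overflow information at all."""
    if isinstance(alert, OverflowAlert):
        # Typed subclass: no parsing, no ambiguity about what "size" means.
        return {"program": alert.program, "size": alert.size, "buffer": alert.buffer}
    # Generic alert: recover the same data from name/value pairs, re-parsing
    # the types by convention ("meaning" strings agreed out of band).
    found = {d.meaning: d for d in alert.additional_data}
    if "program" not in found:
        return None
    return {
        "program": found["program"].value,
        "size": int(found["size"].value) if "size" in found else None,
        "buffer": bytes.fromhex(found["buffer"].value) if "buffer" in found else None,
    }


if __name__ == "__main__":
    # Constructed sample alert (not real data).
    typed = OverflowAlert("buffer overflow", program="ftpd", size=4096, buffer=b"AAAA")
    generic = flatten_overflow(typed)
    print(overflow_details(typed))
    print(overflow_details(generic))
    print(overflow_details(Alert("sql injection")))
```

Both consumers end up with the same dictionary for the sample, which is the "nothing is lost" argument for Solution 1; the cost is the second branch of overflow_details, which every tool must reimplement and keep in sync with whatever "meaning" strings the producers agree on. That maintenance burden is the flip side of the format inflation GH raises above.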




30/10/2015 Meeting: Great idea! We could do the same thing with ToolAlert!
TODO: Ask Yoann and Hervé why they seem to find these alerts useful.

YV: Because these data are really important for forensic and collateral damages handling.

Original comments (translated from French):

YV: This seems to be a bad idea. Why?
SM: Why make the distinction for Overflow alerts and not the others? In that case we could add SQL injections, couldn't we?...
GH: OverflowAlert raises the problem of the format's homogeneity. Either we offer different subtypes to cover the most common types of attack, and we run the risk of inflating the format (which is already quite verbose). There is also the question of maintainability: typically, this type of information requires frequent updates given the frequency with which new types of attack appear. The second option is to remove this class, considering that this level of detail is too fine and unused in practice (is that true?)
YV: In that case, it would seem more relevant to me to add new subclasses.

Comment HD/YV:

- To be debated