Specify the attack severity, the target's supposed vulnerability, the target criticity and the final priority of the alert » History » Version 1

Anonymous, 11/04/2015 11:20 PM

h1. Specify the attack severity, the target's supposed vulnerability, the target criticity and the final priority of the alert
*Aim* : 
Add complementary information on the severity of the attack.
*Description* : 
IDMEF only provides a field to indicate the assumed severity of the attack. It lacks a lot of information on the impact the attack can have on its target and on the system hosting that target. We suggest adding the target vulnerability, the target's criticity within the system, and the priority of the alert.
_GH : If we are going to add information, I would add alert_priority. Note: This raises the problem of the format extent. If IDMEF is only a sensor->SIEM format, these fields are not very relevant (a sensor shouldn't make assessment on the criticity of an attack. However, if IDMEF is a format designed for import/export between sensors, SIEM and other tools, then this makes sense...)_
_YV : I don't see why a sensor could not specify the criticity at its level. This criticity could be later taken into account during the correlation._
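To make the discussion above concrete, here is an added example (not part of the original wiki page or of the Prelude project) showing the two positions side by side: a constructed IDMEF alert in which the sensor fills only the existing Assessment/Impact severity, and a hypothetical correlation step on the SIEM side that looks up the target's criticity in its own asset inventory and derives the alert priority from both. The asset table, the ranking scales and the priority matrix are assumptions for the example.

```python
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}

# Constructed sample alert: the sensor only fills Impact severity,
# which is the single assessment field IDMEF provides today.
SAMPLE_ALERT = """<IDMEF-Message version="1.0" xmlns="http://iana.org/idmef">
  <Alert messageid="example-0001">
    <Analyzer analyzerid="sensor-a" name="constructed-ids"/>
    <CreateTime ntpstamp="0x0.0x0">2015-10-30T10:00:00Z</CreateTime>
    <Target><Node><name>db01.example.internal</name></Node></Target>
    <Classification text="SQL injection attempt"/>
    <Assessment><Impact severity="medium" completion="failed" type="user"/></Assessment>
  </Alert>
</IDMEF-Message>"""

# Hypothetical asset inventory held by the SIEM, not known to the sensor.
ASSET_CRITICITY = {"db01.example.internal": "high"}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}   # RFC 4765 values
CRITICITY_RANK = {"low": 0, "medium": 1, "high": 2}              # assumed scale
PRIORITY_NAMES = ["low", "medium", "high", "critical"]           # assumed scale

def parse_alert(xml_text):
    """Extract the fields the correlation step needs from an IDMEF alert."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    impact = alert.find("idmef:Assessment/idmef:Impact", NS)
    node = alert.find("idmef:Target/idmef:Node/idmef:name", NS)
    return {
        "messageid": alert.get("messageid"),
        "severity": impact.get("severity") if impact is not None else "info",
        "completion": impact.get("completion") if impact is not None else None,
        "target": node.text if node is not None else None,
    }

def alert_priority(severity, criticity, completion=None):
    """Combine sensor severity with target criticity; a succeeded attack ranks higher."""
    score = SEVERITY_RANK[severity] + CRITICITY_RANK[criticity]  # 0..5
    if completion == "succeeded":
        score += 1
    return PRIORITY_NAMES[min(score // 2, 3)]

def enrich(xml_text, inventory=ASSET_CRITICITY):
    """SIEM-side correlation: add target criticity and final priority to the alert."""
    alert = parse_alert(xml_text)
    alert["target_criticity"] = inventory.get(alert["target"], "low")  # unknown asset: assume low
    alert["priority"] = alert_priority(alert["severity"], alert["target_criticity"], alert["completion"])
    return alert

if __name__ == "__main__":
    print(enrich(SAMPLE_ALERT))
```

If the sensor were allowed to assess criticity itself (YV's position), the same fields would simply be filled before the alert leaves the sensor and the inventory lookup would become a fallback.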
*Meetings* : 
+30/10/2015 Meeting+ : Where should this information be placed in IDMEF's structure? Is it more closely linked to the alert, to the target, or to the correlated alerts?

TODO : Check which assessments the sensors linked with Prelude can actually make.
_YV : The assessment of a potential vulnerability or criticity of a target or priority of an alert can very well be linked to a sensor._
Original comments :
GH: while we are at it, I would add alert_priority. As a side note, this raises the question of the format's scope. If it is just a sensor->SIEM format, these fields are not very relevant (it is not a sensor's role to judge criticity). On the other hand, if IDMEF is an import/export format between sensors, SIEM and other tools, then it makes sense...
YV: I don't see why a sensor could not specify the criticity at its level. This criticity could then be taken into account during correlation.