Target criticality and final priority of the alert

Aim:

Add complementary information on the severity of the attack.

IDMEF only provides a field to indicate the assumed severity of the attack. It lacks a lot of information on the impact the attack can have on its target and the system hosting it. We suggest adding the target's vulnerability, its criticality in the system, and the priority of the alert.

GH: If we are going to add information, I would add alert_priority. Note: This raises the problem of the format extent. If IDMEF is only a sensor->SIEM format, these fields are not very relevant (a sensor shouldn't make an assessment of the criticality of an attack). However, if IDMEF is a format designed for import/export between sensors, SIEM and other tools, then this makes sense...

YV: I don't see why a sensor could not specify the criticality at its level. This criticality could be later taken into account during the correlation.

Solution 1:

Add the fields target_vulnerability and target_criticity in the Impact Class

Impacted Class | Proposed Field       | Type
Impact         | target_vulnerability | Enum
Impact         | target_criticity     | Enum

Pros

Cons

Meetings:

30/10/2015 Meeting: Where should this information be placed in IDMEF's structure? Is it more linked to the alert, the target, the correlated alerts?
TODO: See what sensors that are linked with Prelude actually can make assessments on.

YV: The assessment of a potential vulnerability or criticality of a target or priority of an alert can very well be linked to a sensor.

HD/YV comments:

- Not relevant in IDMEF.
- Possibly within a correlation alert.
- Possibly see a change to the completion attribute.