Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
"Steven M. Christey" wrote:
> s a known and expected limitation of the CVE with respect to IDS
> systems; it only attempts to standardize on one part of the problem.
> But there's nothing stopping (someone) from attempting to create a
> Common Signature Enumeration or somesuch; as you probably know, the
> CIDF people have actually been developing such a beast, although
CIDF is an attempt to define a format for reporting intrusive things that
happen, not defining signatures. (I.e., it's supposed to help you say "foo
happened", not "when bar happens, report foo".)
It does include an "AttackID" field which includes a static laundry list of
different possible kinds of attack. I wasn't involved in producing that
list, but my impression is that it has the status of "we need a list to make
our demos work and this is what we came up with in a few days' work", rather
than "we studied this for months and here's the best solution". I could find
out more if necessary. The actual list is found in the CIDF spec available
from http://gost.isi.edu/cidf/ (then grep the doc for Name: AttackID).
> from my outsider's perspective it doesn't appear like CIDF as a whole
> is quite ready to use it yet.
I agree (as someone still fairly involved in CIDF even though I don't chair
the group any more). CIDF is a research project in progress.
Stuart Staniford-Chen --- President --- Silicon Defense
(707) 822-4588 (707) 826-7571 (FAX)