IETF50: IODEF and IDMEF (2001, Yu. Demchenko, TERENA)

Relations between IODEF and IDMEF
Based on IDMEF XML DTD and Data Model Analysis
TERENA ITDWG IODEF Editorial Group
Yuri Demchenko <demch@terena.nl>

Outline
- TERENA Incident Taxonomy and Description WG: history and next steps
- IODEF Documents
- Relation between IDMEF and IODEF

Incident Taxonomy and Description WG at TERENA TF-CSIRT - History
- Incident Taxonomy and Description WG
  - Webpage and charter - http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/
  - Mailing list i-taxonomy@terena.nl and archive - http://hypermail.terena.nl/incident-taxonomy-list/mail-archive/
  - Mailing list iodef@terena.nl and archive - http://hypermail.terena.nl/iodef-list/mail-archive/
- Next meeting: May 31-June 1, 2001, Ljubljana, Slovenia
- Next steps
  - Pilot implementation among a few CSIRTs in Europe
    - TERENA funded Pilot Project
    - IHS platforms: Remedy ARS, Magic TSD, Nortel Clarify
  - Next BoF at 13th FIRST Conference in Toulouse, France
  - BoF at IETF51

IODEF Documents
- Incident Object Description and Exchange Format Requirements
  - Published as RFC 3067, http://www.ietf.org/rfc/rfc3067.txt
- Incident Object Elements Description and XML Data Type Description (XML DTD)
  - Pre-project draft is available: http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/iodef-xmldtd-00.dtd
  - Document (I-draft) to be drafted before May 31, 2001
  - Problem with name space sharing with IDMEF
- Incident Object Data Model
  - To be drafted before May 31, 2001

Other and external IODEF Documents
- Best Current Practice on Incident classification and reporting schemes, Version 1: http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/BCPreport1.rtf
- Taxonomy of the Computer Security Incident related terminology - http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/i-taxonomy_terms.html
- Other documents/areas of interest
  - Evidence Collection and Archiving (current I-draft expired); cached copy - http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/archive/draft-ietf-grip-prot-evidence-01.txt

IODEF purposes
- A uniform incident classification enables applications such as:
  - uniform internal incident storage
  - incident handling between teams made easier (only one team needs to classify and analyze the complete incident; the other team can re-use this data)
  - uniform incident reporting by victims to CSIRTs
  - uniform statistic generation and exchange, for both domestic use and exchange of data between teams; over time a distributed incident statistics infrastructure can evolve
  - trend analyses for reoccurrence of incidents, victims, attackers, etc.
  - trend analyses for relations between scans and attacks, and thus a start on pro-active incident response
- Main IODEF actors are CSIRTs, not IDS

Extended Incident Handling - Information flow
(figure)

Interaction between IDS, IHS and Vulnerability Reports (Security Alerts)
(figure)

Relation between IDMEF and IODEF
Initial requirements/suggestions:
1. IODEF should be compatible with IDMEF and be capable of using/including an IDMEF message in an IO, e.g. as, or inside of, the IncidentAlert IO class. However, backward compatibility is not required, i.e. it is not necessary that an IODEF message is understood by an IDS (or other automatic system?).
2. If some elements or attributes intersect, options should be considered: change the name in IODEF, or ask IDWG to consider changing the name in IDMEF.
Request for comments to ITDWG and IODEF: http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/iodef-idmef-xmldtd-00-rfc.html

IDMEF vs IODEF: (1)
1. Reuse (confirmed) IDMEF to generate IncidentAlert (message) in the simplest way?
- Possible format for IODEF IncidentAlert: the Data Authority that created the IO, plus AdditionalData containing the IDMEF message
- To Be Considered. Ask IDWG about the lifetime of IDMEF: what happens with a confirmed Intrusion?

IDMEF vs IODEF: (2)
4. Compare (target, source)/IDMEF and (target, source)/IODEF. Does source/IDMEF cover/equal Attacker/IODEF?
- The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep). The Target class is composed of four aggregate classes: Node, User, Process, Service.
- The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial of service attack). The Source class is composed of four aggregate classes: Node, User, Process, Service.
- O.K. to reuse

IDMEF vs IODEF: (3)
5. Definition of impact/IDMEF
- Impact (Optional). The evaluated impact of the event(s) leading up to the alert on the target. The permitted values for this attribute are shown below. The default value is "unknown".
- O.K. to reuse.

IDMEF vs IODEF: (4)
6. IDMEF uses detectTime/IDMEF.
- The DetectTime class is used to indicate the date and time the event(s) producing an alert was detected by the analyzer. In the case of more than one event, the time the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection.) The DetectTime class has one attribute: ntpstamp, representing the same date and time as the element content.
- Can be adopted. TBC. Consider including element registrationTime/IODEF.

IDMEF vs IODEF: (5)
7. It seems that the name "datetime" is commonly used in the XML world, but IDMEF uses "date-time" with a dash.
- Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported. Date-time strings are formatted according to a subset of ISO 8601:2000, as shown below. Section references in parentheses refer to sections of the ISO 8601:2000 standard.
- O.K. to adopt. Comment to IDWG to change to datetime.

IDMEF vs IODEF: (6)
8. IDMEF intends to define the tool of the attack by the element ToolAlert. ToolAlert is a subclass of Alert.
- The ToolAlert class carries additional information related to the use of attack tools or malevolent programs such as Trojan horses, and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool." The ToolAlert class is composed of three aggregate classes: name, command, alertident.
- No suggestions (not applicable for IODEF?)

IDMEF vs IODEF: (7)
9. Reuse the definition of "alertident" for extended identification of Incidents.
- AlertIdent - the list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.
- Not applicable for IODEF

IDMEF vs IODEF: (8)
10. Check the definitions of "user" and "userId" in IDMEF.
- The User class is used to describe the user that is receiving the event(s). It is primarily used as a "container" class for the UserId aggregate class.
- The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. The UserId class is composed of two aggregate classes: name, number.
- The User class in IDMEF is not clearly defined. Comment to IDWG. Do we have/need a "user*" element in IODEF?

IDMEF vs IODEF: (9)
11. IDMEF doesn't contain the elements Attack and Vulnerability because
- Attack is a confirmed Intrusion that is being handled by CSIRT/humans
- Vulnerability is covered by the Classification element. However, it looks a bit indefinite as a sub-element of
  <!ELEMENT Alert ( Analyzer, CreateTime, DetectTime?, AnalyzerTime?, Source*, Target*, Classification+, ToolAlert?, OverflowAlert?, CorrelationAlert?, AdditionalData*)>
- The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is (for example, to decide whether or not to display the alert on-screen, what color to display it in, etc.). The Classification class is composed of two aggregate classes: name (of vulnerability), url.
- TBC: What's the relation between Alert and Attack?

IDMEF vs IODEF: (10)
13. Check the definition of "classification" in IDMEF. Does it mean a known/registered vulnerability?
  <Classification origin="bugtraqid">
    <name>629</name>
    <url>http://www.securityfocus.com</url>
  </Classification>
- The Classification class is not clearly defined. Is it related to Vulnerabilities, Exposure or Attacks? If the latter, what's the definition of attack?

IDMEF vs IODEF: (11)
14. Check the definition of method/IDMEF
- IDMEF: Service > webservice > method: "The HTTP method (PUT, GET) used in the request"
- Contact IDWG to change method to httpmethod. Using the generic term method is not good in general.
- Otherwise: consider changing/redefining Method/IODEF and/or moving Vulnerability to Attack, and Evidence to top-level elements/classes or to AdditionalData.

IDMEF vs IODEF: (12)
15. Consider reusing the following terms from IDMEF:
- size - sub-element of OverflowAlert - N/A
- number - sub-element of userId
- url - (exactly one string) used in Classification, WebService - O.K.
- location - sub-element of Node (location, name, address) - Not clearly defined.
- name - has a diverse number of definitions: name of a particular tool in ToolAlert, name of equipment in Node, name of the alert in Classification from one of the known origins, etc. Meaning depends on the place in the IDMEF hierarchy. - Not clearly defined.
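The IncidentAlert format proposed on slide "IDMEF vs IODEF: (1)" (an IDMEF message carried verbatim in AdditionalData) together with the Source-to-Attacker mapping questioned on slide (2) and the shared-name problem raised under "Relation between IDMEF and IODEF", worked as an added Python example; this is not code from the TERENA ITDWG drafts. The IncidentAlert layout (IncidentID, Authority, registrationTime, Attacker, Vulnerability), the IODEF_NAMES set and the sample IDMEF message are assumptions constructed from the slide text, not the iodef-xmldtd-00 DTD.

```python
"""Embed an IDMEF Alert in an IODEF-style IncidentAlert and report shared names.

Added example, not code from the IODEF or IDMEF drafts.  The IncidentAlert
layout below (IncidentID attribute, Authority, registrationTime, Attacker,
Vulnerability, AdditionalData) is an assumption sketched from the slides.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed IDMEF message using the draft-era element names quoted on the
# slides (Analyzer, CreateTime, DetectTime/ntpstamp, Source, Target,
# Classification, AdditionalData).  Addresses and ntpstamp values are made up.
SAMPLE_IDMEF = """<IDMEF-Message version="0.5">
  <Alert alertid="A-1001" impact="unknown">
    <Analyzer analyzerid="ids-01"/>
    <CreateTime ntpstamp="0xbc723b45.0xef449129">2001-03-20T14:01:02Z</CreateTime>
    <DetectTime ntpstamp="0xbc723b45.0xef449129">2001-03-20T14:01:02Z</DetectTime>
    <Source>
      <Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
    </Source>
    <Target>
      <Node><name>www.example.org</name></Node>
    </Target>
    <Classification origin="bugtraqid">
      <name>629</name>
      <url>http://www.securityfocus.com</url>
    </Classification>
    <AdditionalData type="string" meaning="note">constructed sample</AdditionalData>
  </Alert>
</IDMEF-Message>"""

# IODEF element names the slides mention (assumed vocabulary); used only to
# spot names shared with IDMEF, the "intersect" case of suggestion 2.
IODEF_NAMES = {"IncidentAlert", "Attacker", "Attack", "Method", "Vulnerability",
               "Evidence", "AdditionalData", "registrationTime"}


def parse_idmef_datetime(text):
    """IDMEF 'date-time' is an ISO 8601 subset (slide (5)); a trailing Z means UTC."""
    t = text.strip()
    if t.endswith("Z"):
        t = t[:-1] + "+00:00"
    return datetime.fromisoformat(t)


def summarize_alert(alert):
    """Collect the IDMEF fields slides (2), (3), (4) and (10) propose to reuse."""
    cls = alert.find("Classification")
    return {
        "alertid": alert.get("alertid"),
        "analyzerid": alert.find("Analyzer").get("analyzerid"),
        "impact": alert.get("impact", "unknown"),  # default per slide (3)
        "detect_time": parse_idmef_datetime(alert.findtext("DetectTime")),
        "sources": [a.text for a in alert.findall("Source/Node/Address/address")],
        "targets": [n.text for n in alert.findall("Target/Node/name")],
        "classification": (cls.get("origin"), cls.findtext("name"), cls.findtext("url")),
    }


def name_collisions(idmef_xml):
    """Element names used both in the embedded IDMEF message and in IODEF."""
    tags = {e.tag for e in ET.fromstring(idmef_xml).iter()}
    return sorted(tags & IODEF_NAMES)


def build_incident_alert(idmef_xml, incident_id, authority, registered_at):
    """Wrap an IDMEF message verbatim in IncidentAlert/AdditionalData.

    Source/IDMEF is copied into Attacker/IODEF (the open question on slide (2));
    the whole IDMEF message is kept intact so the originating IDS data survives.
    """
    message = ET.fromstring(idmef_xml)
    alert = message.find("Alert")
    if alert is None:
        raise ValueError("no Alert element in IDMEF message")
    summary = summarize_alert(alert)

    io = ET.Element("IncidentAlert", {"IncidentID": incident_id})
    ET.SubElement(io, "Authority").text = authority
    ET.SubElement(io, "registrationTime").text = registered_at
    attacker = ET.SubElement(io, "Attacker")
    for addr in summary["sources"]:
        ET.SubElement(attacker, "address").text = addr
    origin, name, _url = summary["classification"]
    vuln = ET.SubElement(io, "Vulnerability", {"origin": origin})
    vuln.text = name
    extra = ET.SubElement(io, "AdditionalData",
                          {"type": "idmef", "meaning": "originating IDS alert"})
    extra.append(message)
    return io


def to_xml(element):
    """Serialise an element tree to a unicode string."""
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    io = build_incident_alert(SAMPLE_IDMEF, "INC-2001-0042", "CSIRT-Example",
                              "2001-03-20T15:30:00Z")
    print(to_xml(io))
    print("element names shared with IDMEF:", name_collisions(SAMPLE_IDMEF))
```

Running it shows that even this minimal wrapper already shares AdditionalData with the embedded message, which is the name-space sharing problem the IODEF Documents slide flags.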
[Figure residue recovered from the slide drawing objects: one figure slide carries an image (slide0003_image004.gif) captioned "Courtesy of William Rice (former Litton-TASC)"; another carries the text box "Yet To Be Described (including Attack/Incident History)".]