Infrequently Noted

Alex Russell on browsers, standards, and the process of progress.

IDMEF

I was out talking with Patrick the other night and we started talking shop (security). He's working on an interesting project which we talked about at length, trying to find mental holes in the encryption implementation, that kind of thing. It's always good to exercise those neurons.

One thing we started talking about that I can't seem to get out of my head though was some kind of replacement for IDMEF. Patrick noted that Snort's XML output might make a very good starting place to work from in designing an intrusion detection data standard that doesn't require you to read tea leaves to implement. IDMEF is/was well intentioned, but as we all know, the road to COBOL is paved with good intentions. What we need is something more lightweight that is more domain-specific (say, network IDS only). My thought was that if we did it right, we could write a definition for a network IDS data exchange format and then write a definition or XSLT conversion for it that would turn it into valid IDMEF markup. Not that anyone uses IDMEF, but at least we wouldn't be throwing away years of work in getting a spec built, and it leaves our domain-specific thinger with a migration path to a more all-inclusive language for those organizations that need it.
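To make the "migration path" idea concrete, here is an added example (not code from the post, from Snort, or from any IDMEF implementation) that takes a deliberately tiny, network-IDS-only alert record and maps it onto an IDMEF `Alert`. The flat record layout (`id`, `sensor`, `time`, `sig_id`, `src_ip`, ...) is a hypothetical lightweight format invented for the example; the output side uses the element and attribute names from IDMEF (RFC 4765: `IDMEF-Message`, `Alert`, `Analyzer`, `CreateTime`, `Source`/`Target`, `Node`, `Address`, `Service`, `Classification`). The mapping is done in Python's standard `xml.etree` rather than XSLT, but it is the same one-way projection the paragraph describes: every field the lightweight format carries has a home in IDMEF, and nothing IDMEF adds has to be understood by the lightweight side.

```python
"""Map a hypothetical lightweight network-IDS alert record onto IDMEF XML.

Added example; the input record format is constructed for illustration.
Element names on the output side follow IDMEF (RFC 4765).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_OFFSET = 2208988800

# Constructed sample alert in the hypothetical lightweight NIDS format.
SAMPLE_ALERT = {
    "id": "42",
    "sensor": "nids-edge-1",
    "time": "2003-08-01T12:34:56Z",
    "sig_id": "1:2003:1",
    "sig_name": "Constructed example signature",
    "proto": "tcp",
    "src_ip": "192.0.2.10", "src_port": 41234,
    "dst_ip": "198.51.100.5", "dst_port": 80,
}


def q(tag):
    """Return the namespace-qualified form of an IDMEF tag name."""
    return f"{{{IDMEF_NS}}}{tag}"


def ntp_stamp(iso_utc):
    """IDMEF CreateTime requires an 'ntpstamp' attribute (0xSECONDS.0xFRACTION).

    Accepts an ISO-8601 UTC time with a trailing 'Z'; fraction is always zero here.
    """
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    seconds = int(dt.timestamp()) + NTP_UNIX_OFFSET
    return f"0x{seconds:08x}.0x00000000"


def _endpoint(parent, tag, ip, port, proto):
    """Emit a Source or Target element with Node/Address and Service children."""
    ep = ET.SubElement(parent, q(tag))
    node = ET.SubElement(ep, q("Node"))
    addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ip
    svc = ET.SubElement(ep, q("Service"))
    ET.SubElement(svc, q("port")).text = str(port)
    ET.SubElement(svc, q("protocol")).text = proto
    return ep


def to_idmef(alert):
    """Return an IDMEF-Message Element for one lightweight alert record.

    Raises ValueError when a field IDMEF cannot do without is absent, so a
    malformed record fails loudly instead of producing half an Alert.
    """
    required = ("id", "sensor", "time", "sig_name", "src_ip", "dst_ip")
    missing = [k for k in required if k not in alert]
    if missing:
        raise ValueError(f"alert record missing fields: {missing}")

    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    al = ET.SubElement(msg, q("Alert"), messageid=str(alert["id"]))
    ET.SubElement(al, q("Analyzer"), analyzerid=alert["sensor"])
    ct = ET.SubElement(al, q("CreateTime"), ntpstamp=ntp_stamp(alert["time"]))
    ct.text = alert["time"]

    proto = alert.get("proto", "unknown")
    _endpoint(al, "Source", alert["src_ip"], alert.get("src_port", 0), proto)
    _endpoint(al, "Target", alert["dst_ip"], alert.get("dst_port", 0), proto)

    # The signature name becomes the human-readable Classification text; the
    # sensor's own signature id rides along in the 'ident' attribute.
    ET.SubElement(al, q("Classification"),
                  ident=str(alert.get("sig_id", "0")), text=alert["sig_name"])
    return msg


def idmef_xml(alert):
    """Serialise the IDMEF-Message for one record as a unicode string."""
    return ET.tostring(to_idmef(alert), encoding="unicode")


if __name__ == "__main__":
    print(idmef_xml(SAMPLE_ALERT))
```

The direction matters: the lightweight format can be converted up into IDMEF without loss, but the reverse is not attempted, which is exactly what makes the small format easy to implement. Anything a consumer wants beyond what IDMEF's schema checks (for example, that `CreateTime` actually parses) still has to be validated on the receiving side.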

Not that I have spare time to do it in.