Ok,
I've been working on an implementation of the IDWG's IDMEF
(filters/doc/draft-ietf-idwg-idmef-xml-06.txt). It's been fairly easy-going
in Java, and I imagine it should be even more simple in Perl. This is
important for messaging, although it adds a bit of overhead. I need to see
some implementations by the 30th. The major road-blocks I've encountered are
in the application-unique identifier area, and with NTP Timestamps. I'm
avoiding the latter issue, and I think we can do without proper timestamps
for now. The first issue, however, is a little more important, and more
pervasive. We need to decide on a scheme for uniquely identifying attacks.
This will also be used in other areas of the application (signature IDs,
filter IDs, and basically any entity that may need to be uniquely
identified). It's pretty important.
I think we all know enough about this app to start writing some code. Start
with the IDMEF. This will lay the messaging groundwork, and allow us to
address nomenclature, vocabulary, blah blah blah. Once this is done, we can
move on to proper filtering. Todd is working on a DTD for our filter and
signature classes. Contact him for any updates. FYI, I'll be pretty busy
in the next couple of weeks. I have some new projects in the works (one
HUGE 4D to SQL Server migration and a couple of mini Perl CGIs). These ones
are paying my bills, so they get first priority of course. I believe
everyone has access to the CVS repository, but if not contact me. For those
who may not be familiar with CVS, remember it is not a replacement for
communication. For the next 2 weeks I'll be working in
'filters/lang/java/src/org/owasp/idmef' and 'filters/docs'.
Nathan