Notes from the LA CIDF BOF, 31 March 1998
Taken by Stuart Staniford-Chen, edited by Brian Tung

Brian Tung (ISI) gave an introduction and overview of the objectives of the Common Intrusion Detection Framework (CIDF). This started as a DARPA effort, but it has gathered enough interest that the DARPA group decided to bring the ideas and work to the IETF. Stuart Staniford-Chen (UC Davis) gave a brief history of CIDF.

Brian described some of the terminology used in the DARPA CIDF group (in case any of it was used later on without definition), and went through the charter and milestones. Folks demanded to see an online version of the slides. They will be put on the CIDF web site and also in the IETF proceedings.

Jeff Schiller asked for a show of interest. Many of those present were involved in implementing intrusion detection products; not all of them thought it was a great idea to standardize, though many said they would be willing to be involved.

There was some debate over whether Brian's bullets on the charter and milestones were clear enough, mostly because his slides used CIDF lingo, which the charter does not. There was also some discussion over whether general error handling is included in this framework. It is rather unclear where the separation lies between general faults and intrusions, from the standpoint of handling them.

Brian discussed the current CIDF architecture, and Dan Schnackenberg (Boeing) went through a list of requirements for the CIDF message layer. There were questions on scalability: how much should scalability be a requirement of CIDF? There was discussion but no clear conclusion.

Someone asked why DARPA CIDF didn't use TLS as a message layer. Dan explained that it didn't provide support for long-term associations and multicast. Another alternative for a message layer was SNMP; the group came to no clear consensus as to why that was not used (and it's not clear that it isn't appropriate yet). Dan described the proposed message layer formats briefly.
Jeff Schiller's reaction was that the message layer duplicates existing Internet functionality, and that isn't useful. Dan responded that DARPA CIDF hadn't found the right existing mechanism for its requirements.

Phil Porras (SRI) described the objectives of the GIDO (Generalized Intrusion Detection Object) definition. He also described the GIDO header. Brian followed by describing the GIDO payload. Much of this material can be found at the following URL: http://seclab.cs.ucdavis.edu/cidf/

Cliff Kahn (Open Group) explained briefly how a directory service could be used to help the various components locate the appropriate other components to talk to.

An overall critique of the effort was that there was too much duplication. The GIDO payload was perhaps the least redundant part.

Jeff Schiller concluded by conducting a series of polls, and issued the following recommendation: since there appears to be support for a working group in this area, one should be pursued, but there is a need to develop a charter and requirements before proceeding to message formats. The group may use the CIDF requirements specifically as a starting point. The existing mailing list, cidf[-request]@cs.ucdavis.edu, will be used to bash out these requirements before the BOF reconvenes.