When it comes to analyzer development, you usually define your class like this:

```c
#define ANALYZER_CLASS "Host and Network IDS"
...
ret = idmef_analyzer_new_class(analyzer, &string);
if ( ret < 0 )
        goto err;

prelude_string_set_constant(string, ANALYZER_CLASS);
...
```

Classifying your analyzer as "Host and Network IDS" is evil, and that is the subject of this page.
Why do we need to classify our Analyzer?
According to the IDMEF standard, the Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Within the Analyzer class we focus on its child "class", which describes the class of analyzer software and/or hardware. It is a classification that lets the manager know the analyzer's capabilities.
Capabilities range from a Host IDS, which can include an anti-virus, a log analyzer or an integrity checker, to a Network IDS, which can be behaviour based, signature based, etc.
The analyzer class is useful both to the human operator and to the correlator, and it is for the latter that we need to be accurate in the way we define it.
How to classify?
The following strings should be used as a comma separated list:
| Long name | Short name | Description | Analyzer examples |
|---|---|---|---|
| Network IDS | NIDS | Network Intrusion Detection System | Snort |
| Signature-based Network IDS | SNIDS | When the NIDS performs the analysis using signatures | Snort |
| Host IDS | HIDS | Host Intrusion Detection System | Samhain, Ossec, Prelude LML |
| Intrusion Prevention System | IPS | System that blocks any intrusion pattern at the firewall level | Snort-inline |
| File Integrity Checker | FICHIDS | When the HIDS does file integrity checking | Samhain, Ossec |
| Integrity Checker | ICHIDS | Usually performs integrity checking on files | Samhain, Ossec |
| Log Analyzer | LHIDS | Analyzes logs to extract alerts | Prelude LML, Ossec |
| Network Anti-Virus | NAV | The anti-virus is network based | Snort+Clamav |
| Host Anti-Virus | HAV | The anti-virus is host based | Clamav |
| Correlator | COR | Alert correlator | Prelude correlator |
| Software Monitoring | SMNT | Software monitoring program | Nagios |
| Hardware Monitoring | HMNT | Hardware monitoring program | Nagios, SNMP |
| Active Vulnerability Scanner | AVS | Active vulnerability scanner | Nessus |
| Passive Vulnerability Scanner | PVS | Passive vulnerability scanner | PVS |
| Alarm hardware | ALHW | Alarm system for physical intrusions | |
| Private Branch Exchange | PBX | Private Branch Exchange | Asterisk |
- The short name is not recommended. Use it only if you have more than 3 capabilities.
- Host IDS is not mandatory when the analyzer class already describes something a HIDS is supposed to do, such as "File Integrity Checker".
- If the table has information missing, please complete it.
Example, for Ossec:

```c
#define ANALYZER_CLASS "File Integrity Checker, Log Analyzer"
```
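As an added example (not libprelude or Prelude project code), the following C helper encodes the table above so a sensor can build its class string from a set of capability flags and check a hand-written string against the allowed names. The `classes` table, `build_analyzer_class` and `validate_analyzer_class` are assumed names of this example; the libprelude calls shown at the top of the page are not used here.

```c
#include <string.h>
/* Added example, not libprelude code: the class names from the table on
 * this page; the bit position of an entry is its capability flag. */
static const struct { const char *lname, *sname; } classes[] = {
    { "Network IDS", "NIDS" }, { "Signature-based Network IDS", "SNIDS" },
    { "Host IDS", "HIDS" }, { "Intrusion Prevention System", "IPS" },
    { "File Integrity Checker", "FICHIDS" }, { "Integrity Checker", "ICHIDS" },
    { "Log Analyzer", "LHIDS" }, { "Network Anti-Virus", "NAV" },
    { "Host Anti-Virus", "HAV" }, { "Correlator", "COR" },
    { "Software Monitoring", "SMNT" }, { "Hardware Monitoring", "HMNT" },
    { "Active Vulnerability Scanner", "AVS" }, { "Passive Vulnerability Scanner", "PVS" },
    { "Alarm hardware", "ALHW" }, { "Private Branch Exchange", "PBX" },
};
#define NCLASSES (sizeof(classes) / sizeof(classes[0]))
/* Build the comma separated class string for a capability bitmask (bit i
 * selects classes[i]), using short names only when more than three are set.
 * Returns the number of capabilities written, or -1 if out is too small. */
int build_analyzer_class(unsigned caps, char *out, size_t outlen)
{
    size_t i, n = 0;
    for (i = 0; i < NCLASSES; i++)
        n += (caps >> i) & 1u;
    out[0] = '\0';
    for (i = 0; i < NCLASSES; i++) {
        const char *name = n > 3 ? classes[i].sname : classes[i].lname;
        if (!((caps >> i) & 1u)) continue;
        if (strlen(out) + strlen(name) + 3 > outlen) return -1;
        if (out[0]) strcat(out, ", ");
        strcat(out, name);
    }
    return (int)n;
}
/* Check that every item of a comma separated class string is a long or short
 * name from the table; returns the item count, or -1 at the first unknown item. */
int validate_analyzer_class(const char *cls)
{
    char buf[256], *tok;
    int count = 0;
    if (strlen(cls) >= sizeof(buf)) return -1;
    strcpy(buf, cls);
    for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, found = 0;
        while (*tok == ' ') tok++;
        for (i = 0; i < NCLASSES && !found; i++)
            found = !strcmp(tok, classes[i].lname) || !strcmp(tok, classes[i].sname);
        if (!found) return -1;
        count++;
    }
    return count;
}
```

With this in place, the "Host and Network IDS" string from the top of the page is rejected by `validate_analyzer_class`, while the Ossec class from the table passes.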
List of sensors with their class

| Sensor | Class |
|---|---|
| Prelude LML | Log Analyzer |
| Ossec | Host IDS, File Integrity Checker, Log Analyzer |