Agent Classification


When it comes to analyzer development, you usually define your class like this:

#define ANALYZER_CLASS "Host and Network IDS"

prelude_string_t *string;
int ret;

/* create the "class" child of the analyzer and fill it with the constant string */
ret = idmef_analyzer_new_class(analyzer, &string);
if ( ret < 0 )
        goto err;

prelude_string_set_constant(string, ANALYZER_CLASS);

Classifying your analyzer as "Host and Network IDS" is evil, and that is the subject of this page.

Why do we need to classify our Analyzer?

According to the IDMEF standard, the Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Within this Analyzer class, we focus on the child "class", which is the class of the analyzer software and/or hardware. A class is a classification that lets the manager know the analyzer's capabilities.

Capabilities vary: a Host IDS can include an anti-virus, a log analyzer or an integrity checker; a Network IDS can be behavior-based, signature-based, etc.

Setting the analyzer class is useful both for the human operator and for the correlator, and it is for the latter that we need to be accurate in the way we define the analyzer class.

How to classify?

The following strings should be used, as a comma-separated list:

Long name                      Short name  Description                                                   Analyzer examples
Network IDS                    NIDS        Network Intrusion Detection System                            Snort
Signature-based Network IDS    SNIDS       When the NIDS performs the analysis using signatures          Snort
Host IDS                       HIDS        Host Intrusion Detection System                               Samhain, Ossec, Prelude LML
Intrusion Prevention System    IPS         System that blocks any intrusion pattern at the firewall level Snort-inline
File Integrity Checker         FICHIDS     When the HIDS does file integrity checking                    Samhain, Ossec
Integrity Checker              ICHIDS      Usually performs integrity checking on files                  Samhain, Ossec
Log Analyzer                   LHIDS       Analyzes logs to extract alerts                               Prelude LML, Ossec
Network Anti-Virus             NAV         The anti-virus is network based                               Snort+Clamav
Host Anti-Virus                HAV         The anti-virus is host based                                  Clamav
Correlator                     COR         Alert correlator                                              Prelude Correlator
Firewall                       FW          Firewall                                                      NuFW
Honeypot                       HNP         Honeypot                                                      Nepenthes
Software Monitoring            SMNT        Software monitoring program                                   Nagios
Hardware Monitoring            HMNT        Hardware monitoring program                                   Nagios, SNMP
Active Vulnerability Scanner   AVS         Active vulnerability scanner                                  Nessus
Passive Vulnerability Scanner  PVS         Passive vulnerability scanner                                 PVS
Alarm hardware                 ALHW        Alarm system for physical intrusions
Private Branch Exchange        PBX         Private Branch Exchange                                       Asterisk
A few rules:
  • Short names are not recommended. Use them only if you have more than 3 capabilities.
  • "Host IDS" is not mandatory when the analyzer class already implies what a HIDS is supposed to do, such as "File Integrity Checker".
  • If the table has information missing, please complete it.

Example, for Ossec:

#define ANALYZER_CLASS "File Integrity Checker, Log Analyzer"
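The class string is easy to get subtly wrong (a name that is not in the table, a duplicate, short and long names mixed). The helper below is an added example, not part of this page or of libprelude: it builds the comma-separated class string from a list of long names, rejects names that are not in the table above, rejects duplicates, switches to short names only when more than three capabilities are listed, and bounds-checks the output buffer. The resulting string is what you would then hand to prelude_string_set_constant() as in the snippet at the top of this page; the table embedded in the code is copied from this page, and the function name build_analyzer_class is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Table of recognised classes, copied from the page (added example, not libprelude code). */
struct analyzer_class {
        const char *long_name;
        const char *short_name;
};

static const struct analyzer_class class_table[] = {
        { "Network IDS", "NIDS" },
        { "Signature-based Network IDS", "SNIDS" },
        { "Host IDS", "HIDS" },
        { "Intrusion Prevention System", "IPS" },
        { "File Integrity Checker", "FICHIDS" },
        { "Integrity Checker", "ICHIDS" },
        { "Log Analyzer", "LHIDS" },
        { "Network Anti-Virus", "NAV" },
        { "Host Anti-Virus", "HAV" },
        { "Correlator", "COR" },
        { "Firewall", "FW" },
        { "Honeypot", "HNP" },
        { "Software Monitoring", "SMNT" },
        { "Hardware Monitoring", "HMNT" },
        { "Active Vulnerability Scanner", "AVS" },
        { "Passive Vulnerability Scanner", "PVS" },
        { "Alarm hardware", "ALHW" },
        { "Private Branch Exchange", "PBX" },
};

#define MAX_CAPS 32

/* Look up a capability by its long name; returns NULL if it is not in the table. */
static const struct analyzer_class *lookup_class(const char *long_name)
{
        size_t i;

        for ( i = 0; i < sizeof(class_table) / sizeof(class_table[0]); i++ )
                if ( strcmp(class_table[i].long_name, long_name) == 0 )
                        return &class_table[i];

        return NULL;
}

/*
 * Build the comma-separated class string from 'ncaps' long names.
 * Returns the number of capabilities written, or -1 if a name is unknown,
 * a name is repeated, or 'out' is too small. Short names are used only
 * when more than three capabilities are given (rule from the page).
 */
int build_analyzer_class(const char **caps, size_t ncaps, char *out, size_t outlen)
{
        const struct analyzer_class *found[MAX_CAPS];
        size_t i, j, len = 0;
        int use_short;

        if ( ncaps > MAX_CAPS || outlen == 0 )
                return -1;

        for ( i = 0; i < ncaps; i++ ) {
                found[i] = lookup_class(caps[i]);
                if ( ! found[i] )
                        return -1;                    /* not a class from the table */

                for ( j = 0; j < i; j++ )
                        if ( found[j] == found[i] )
                                return -1;            /* duplicate capability */
        }

        use_short = (ncaps > 3);
        out[0] = '\0';

        for ( i = 0; i < ncaps; i++ ) {
                const char *name = use_short ? found[i]->short_name : found[i]->long_name;
                size_t sep = (i > 0) ? 2 : 0;

                /* separator + name + terminating NUL must fit in the caller's buffer */
                if ( len + sep + strlen(name) + 1 > outlen )
                        return -1;

                if ( sep )
                        memcpy(out + len, ", ", 2);
                len += sep;
                memcpy(out + len, name, strlen(name) + 1);
                len += strlen(name);
        }

        return (int) ncaps;
}

int main(void)
{
        /* constructed input: the Ossec example from the page */
        const char *ossec[] = { "File Integrity Checker", "Log Analyzer" };
        char class_str[128];

        if ( build_analyzer_class(ossec, 2, class_str, sizeof(class_str)) < 0 ) {
                fprintf(stderr, "invalid analyzer class\n");
                return 1;
        }

        /* class_str would be passed to prelude_string_set_constant() in a real agent */
        printf("%s\n", class_str);
        return 0;
}
```

Because the check runs at build time of the string rather than on the manager, a typo such as "Logs Analyzer" is caught in the agent before a malformed class ever reaches the correlator.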

List of sensors with their class

Sensor              Class
Snort               NIDS
Prelude LML         Log Analyzer
Prelude Correlator  Correlator
NuFW                Firewall
Sancp               NIDS
Samhain             Integrity Checker
Nepenthes           Honeypot
Ossec               Host IDS, File Integrity Checker, Log Analyzer