[Snort-devel] TODO for Snort

Joe McAlerney joey at ...60...
Mon Apr 23 18:32:06 EDT 2001


Hello John,

John Zeng wrote:
> 
> Hi, Joe,
> 
> Here is what I understood so far:
> 
> 1. The current IDMEF XML plug in support file only.

Correct.

> 2. You are going to support BEEP in your next step.

I will most likely release an updated version without BEEP support, then
one with.

> I am building a servlet to receive IDMEF XML alert.  So, I want to receive
> XML through HTTP.  My question is:
> 
> 1. Are you going to support HTTP/HTTPS too?

No.  I plan on using the transport protocol for IDMEF messages decided
on by the IDWG working group.  HTTP is not one of those candidates.   In
short, it doesn't fit the structure required to facilitate communication
between sensors and analyzers.  More detailed information can be found
in section 2.1 of draft-ietf-idwg-iap-05.txt (The current IAP draft),
available at
http://www.silicondefense.com/idwg/draft-ietf-idwg-iap-05.txt.  However,
IDXP (a BEEP "profile") looks to be a more flexible and somewhat more
efficient protocol for IDMEF message transport than IAP.  Unless it
presents any barring issues, IDXP/BEEP will be the standard transport
protocol.

> 2. If you support BEEP, does this mean that HTTP is supported automatically?

Unless there is something else I am not aware of, no.
 
> I think supporting HTTP is easier than supporting BEEP.  So, why don't you
> support HTTP before BEEP.  This meets your goal which is to minimize the
> time between releases.

Again, you raise a very valid point, but doing so would not fit within
the framework of what the IDWG working group has decided.  I apologize
for the inconvenience.  If you feel that there are useful features that
HTTP provides and IAP or BEEP does not, I would encourage you to post
them to the IDWG mailing list at idwg-public at ...393...

Thanks,

-Joe M.

-- 
|   Joe McAlerney     joey at ...63...   |
| Silicon Defense - Technical Support for Snort |
|       http://www.silicondefense.com/          |
+--                                           --+




More information about the Snort-devel mailing list