2.5.3 Intrusion Detection Exchange Format (idwg)

NOTE: This charter is a snapshot of the 52nd IETF Meeting in Salt Lake City, Utah USA. It may now be out-of-date. Last Modified: 16-Oct-01
Chair(s):
Michael Erlinger
Stuart Staniford-Chen
Security Area Director(s):
Jeffrey Schiller
Marcus Leech
Security Area Advisor:
Jeffrey Schiller
Mailing Lists:
To Subscribe:
Description of Working Group:
Security incidents are becoming more common and more serious, and intrusion detection systems are becoming of increasing commercial importance. Numerous intrusion detection systems are important in the market and different sites will select different vendors. Since incidents are often distributed over multiple sites, it is likely that different aspects of a single incident will be visible to different systems. Thus it would be advantageous for diverse intrusion detection systems to be able to share data on attacks in progress.

The purpose of the Intrusion Detection Working Group is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems which may need to interact with them. The Intrusion Detection Working Group will coordinate its efforts with other IETF Working Groups.

The outputs of this working group will be:

1. A requirements document, which describes the high-level functional requirements for communication between intrusion detection systems and for communication between intrusion detection systems and management systems, including the rationale for those requirements. Scenarios will be used to illustrate the requirements.

2. A common intrusion language specification, which describes data formats that satisfy the requirements.

3. A framework document, which identifies existing protocols best used for communication between intrusion detection systems, and describes how the devised data formats relate to them.

Goals and Milestones:
Done   Submit Requirements document as an Internet-Draft
Aug 99   Submit Framework and Language documents as Internet-Drafts
Aug 99   Submit Requirements document to IESG for consideration as an RFC.
Dec 99   Submit Framework and Language documents to IESG for consideration as RFCs.
No Request For Comments

Current Meeting Report

52nd IETF
Intrusion Detection Working Group Minutes
Stuart Staniford and Mike Erlinger Co-Chairs

Meeting Date/Time: 13 December, 13:30


Agenda Bashing
No changes to the Agenda

Opening Remarks

The working group has nearly completed its Charter in that all of the documents have undergone Working Group Last Call. Minor editorial changes are in process.

Status of Documents

IDXP - Completed WG Last Call with minimal comments. A new ID will appear with editorial changes related to references (ID references converted to RFC references). This is the ID that will be forwarded to the IESG for consideration as a Proposed RFC.

IDMEF - Completed WG Last Call with major comments generated on the mail list. All those comments reached consensus on the mail list and a new ID will be released. This is the ID that will be forwarded to the IESG for consideration as a Proposed RFC.

Tunnel - Completed WG Last Call, and has been forwarded to the IESG for consideration as a Proposed RFC.

Requirements - Completed WG Last Call, undergoing final edits. Will be released as an ID and then forwarded to the IESG for consideration as an Informational RFC.

Thus, Last Call is closed on all documents and they are in final edit for forwarding to the IESG.

WG Status Closing Down after Last Call

If the IESG has no comments, questions, or modification requests, the working group will close down and the documents will proceed to RFC status. If someone wants to do later extensions (virus extensions were suggested), they should hold a BOF and start an extensions working group. The Working Group mail list will continue to be available for discussion of implementation and other issues.

Open - Future

Several vendors are looking at implementations. We are looking for letters of vendor support for the protocol and message format. Mike will set up an interim meeting at a future IETF to go over questions of interpretation and clarification. No new features will be added to the documents; however, clarifications may be requested for revisions.

Watch the mailing lists.

Meeting minutes: Cyndi Mills


None received.