I've read through them and I think they're definitely on the right track. One thing that might be good to consider would be a way to store hierarchical information. For example, the secevt class in the schema doc is really a network class as it only requires the network tuple. So, you could have a hierarchy like this: class Net { required_fields: [ proto, srcip, dstip, srcport, dstport ], optional_fields: [ in_iface, out_iface, details ] } class NAT { required_fields: [ nat_srcip, nat_dstip, nat_srcport, nat_dstport ] } class Security { required_fields: [ verdict ], optional_fields: [ zone ] } This implies that the class Net.NAT.Security requires proto, srcip, dstip, srcport, dstport, nat_srcip, nat_dstip, nat_srcport, nat_dstport, and verdict, but Net.Security only requires proto, srcip, dstip, srcport, dstport, and verdict. By that token, there's no difference between Security.NAT.Net and Net.NAT.Security, so these are really more like tags than a hierarchy. On Thu, Jul 1, 2010 at 3:23 PM, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Thu, 2010-07-01 at 11:03 -0500, Martin Holste wrote:
Shouldn't that go under the provider attribute? My point with the ID's vs UUID was that I prefer a numeric ID. Just as with IP space, we could provide a "number space" for local signatures. For instance, 0 through 2,000,000,000 would be public space, and 2,000,000,000 through 2^32 would be private space.
I think the "opensshd" component would be assigned to the "name" attribute, or something similar, or maybe would be the "class" attribute.
let me think this through and also discuss with the guys who originally designed the XML format and come up with a consistent recommendation on IDs.
Any other comments on the "patterndb" policy document at
http://git.balabit.hu/?p=bazsi/syslog-ng-patterndb.git;a=blob;f=README.txt;h...
Perhaps about the two schemas I've described at the same location in SCHEMAS.txt<
-- Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html