Attacker definition in IDIOM

Unanswered Question
Jul 23rd, 2003

We are building a database to store the event alert information from the xml log files. According to IDIOM, each event alert can have multiple attacks in it. By an attack, I refer to a set of an attacker and one or more victims. However, I haven't seen any event alert that consists of more than 1 attack in my test database that has 1.8 million alerts so far.

If anyone can confirm whether an event alert can have multiple attacks, it'll be very helpful especially in determining an efficient design for the database.



dlac455 Wed, 07/23/2003 - 10:01

I've seen it in the Security Monitor Event Viewer display of the context data, but not in the IDIOMs that I email myself.

My real complaint is that the attacker/victim data is in base64 and is unreadable when extracted through the IdsAlarms.exe utility. Does anyone know how to deal with that?

rmulyadi Wed, 07/23/2003 - 10:48

Thanks for the confirmation.

As for the base64 problem, I use a simple script to read it. And, it seems that the new IDM event viewer (4.1) displays the base64 data in both ASCII and hex format.
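As an added example (not from this thread and not Cisco's own tooling), here is a small Python loader that walks an IDIOM-style XML alert, allows for more than one attack per alert as the original question anticipates, and decodes the base64 attacker/victim context into both printable ASCII and hex, the way the reply above describes the 4.1 viewer doing. The element and attribute names below are assumptions for illustration, not the published IDIOM schema, and the sample alert is constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample alert. Element/attribute names are assumptions for
# illustration, NOT the published IDIOM schema; adapt the paths to real logs.
SAMPLE_ALERT = """<evAlert eventId="1234567890" severity="medium">
  <attacks>
    <attack>
      <attacker addr="192.0.2.10" port="40123"/>
      <victim addr="198.51.100.5" port="80"/>
      <victim addr="198.51.100.6" port="80"/>
      <context>R0VUIC9pbmRleC5odG1sIEhUVFAvMS4wDQoNCg==</context>
    </attack>
  </attacks>
</evAlert>"""


def decode_context(b64text):
    """Decode a base64 context field to (printable ASCII, hex).
    Non-printable bytes become '.' so binary payloads stay readable;
    malformed base64 yields ("", "") instead of raising mid-load."""
    try:
        raw = base64.b64decode(b64text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "", ""
    ascii_view = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
    return ascii_view, raw.hex()


def parse_alert(xml_text):
    """Return one dict per <attack>, so a database loader can store
    attacker/victim rows even when an alert carries several attacks."""
    root = ET.fromstring(xml_text)
    attacks = []
    for atk in root.iter("attack"):
        attacker = atk.find("attacker")
        ascii_view, hex_view = decode_context(atk.findtext("context", default=""))
        attacks.append({
            "event_id": root.get("eventId"),
            "attacker": (attacker.get("addr"), attacker.get("port"))
                        if attacker is not None else None,
            "victims": [(v.get("addr"), v.get("port")) for v in atk.findall("victim")],
            "context_ascii": ascii_view,
            "context_hex": hex_view,
        })
    return attacks
```

Each returned dict maps naturally onto an attack row with a one-to-many victims table, which is the schema shape the question is asking about.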

