Sebastien Tricaud's post to Focus-IDS informed me of the Security Device Event Exchange (SDEE), an IDS alert format and transport protocol specification. ICSA's Intrusion Detection Systems Consortium (IDSC) devised the SDEE specification. The IDSC consists of Cisco, Fortinet, Infosec Technologies, ISS, SecureWorks, Sourcefire, Symantec, and Tripwire.
TruSecure, owner of ICSA Labs, published a press release which says in part:
"IDSC members Jeff Platzer and Mike Hall of Cisco Systems, Robert Graham of ISS, Marty Roesch of Sourcefire and Marcus Ranum of TruSecure Corporation co-developed the SDEE transport protocol specification format; this team will manage future revisions to the specification...
SDEE specifies the format of the IDS alerts as well as the protocol used to communicate events generated by security devices. SDEE is flexible and extensible so vendors can utilize product specific extensions in a way that maintains messaging compatibility. In addition, SDEE will provide corporations and security vendors better management of multiple vendor environments by having all alerts communicated in the same format. SDEE builds upon the XML, HTTP and SSL/TLS industry standards to facilitate adoption by vendors and users by allowing them to use existing software that implements these standard interfaces."
This effort may conflict with the IETF's Intrusion Detection Message Exchange Format (IDMEF). The Intrusion Detection Working Group just published a new draft of that standard in January 2004.
More information on SDEE is available through these means:
Option 1: To sign up for the ICSA Labs SDEE listserv and receive the SDEE specification file, simply send an email to firstname.lastname@example.org with "SUBSCRIBE" in the subject line.
Option 2: To receive the SDEE specification file only, simply send an email to email@example.com with "FILE" in the subject line.