Data Representation
The data processed and generated by AirCERT is represented in one of three formats: in-core, XML, and RDBMS.
When a component is processing or manipulating AirCERT data in a running process, the data is most likely represented by the libair::xml::air_xml_tree_t data structure.
When exchanging data across administrative domains, XML is the preferred representation format. Three different DTDs are used, each targeting a different level of abstraction in the data.
The purpose of the Incident Handling (inch) working group is to define data formats for communication between a CSIRT and its constituency which reports system misuse; a CSIRT and parties involved in an incident investigation; and collaborating CSIRTs sharing information.
This format will support the now largely human-intensive dimension of the incident handling process. It will represent the product of the various incremental data gathering and analysis operations performed by a CSIRT from the time the system misuse was initially reported (perhaps by an automated system) until its ultimate resolution.
The purpose of the Intrusion Detection Working Group is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems which may need to interact with them.
The third DTD is a custom derived DTD that represents TCP, UDP, and ICMP network traffic.
The permanent store for all data is a relational database.
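The following is an added example, not AirCERT code, that walks one network-traffic record through the three representations named above: an in-core object, an XML document for exchange, and a row in a relational store. The element names, attribute names and table schema are hypothetical and are not AirCERT's DTD or database schema; the sample events are constructed. The point it adds is that the protocol-specific constraint (ports for TCP/UDP, type/code for ICMP) is enforced at every layer, so a malformed record is rejected whether it arrives in-core, as XML from another domain, or as a direct database write.

```python
"""Toy round trip: in-core -> XML -> RDBMS for TCP/UDP/ICMP events.

Hypothetical names throughout: NetEvent, the <Traffic> XML vocabulary and the
net_event table are this example's own, not AirCERT's DTD or schema.
"""
import sqlite3
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NetEvent:
    """In-core representation of one observed packet or flow."""
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None      # TCP/UDP only
    dport: Optional[int] = None      # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only
    icmp_code: Optional[int] = None  # ICMP only

    def __post_init__(self):
        # The same invariant is repeated in the XML loader and the SQL CHECK.
        if self.proto in ("tcp", "udp"):
            if self.sport is None or self.dport is None or self.icmp_type is not None:
                raise ValueError("tcp/udp events need ports and no ICMP fields")
        elif self.proto == "icmp":
            if self.icmp_type is None or self.icmp_code is None or self.sport is not None:
                raise ValueError("icmp events need type/code and no ports")
        else:
            raise ValueError("unsupported protocol: %r" % self.proto)


def to_xml(events: List[NetEvent]) -> str:
    """Serialise events as <Traffic><TCPEvent .../><ICMPEvent .../></Traffic>."""
    root = ET.Element("Traffic")
    for e in events:
        el = ET.SubElement(root, e.proto.upper() + "Event", src=e.src, dst=e.dst)
        if e.proto == "icmp":
            el.set("type", str(e.icmp_type))
            el.set("code", str(e.icmp_code))
        else:
            el.set("sport", str(e.sport))
            el.set("dport", str(e.dport))
    return ET.tostring(root, encoding="unicode")


def from_xml(text: str) -> List[NetEvent]:
    """Parse the exchange format back into in-core objects, rejecting unknown shapes.
    For XML received from another administrative domain, prefer a hardened parser
    (e.g. defusedxml) over plain ElementTree."""
    root = ET.fromstring(text)
    if root.tag != "Traffic":
        raise ValueError("unexpected root element %r" % root.tag)
    out = []
    for el in root:
        if not el.tag.endswith("Event"):
            raise ValueError("unexpected element %r" % el.tag)
        proto = el.tag[: -len("Event")].lower()
        a = el.attrib
        if proto == "icmp":
            out.append(NetEvent(proto, a["src"], a["dst"],
                                icmp_type=int(a["type"]), icmp_code=int(a["code"])))
        else:
            out.append(NetEvent(proto, a["src"], a["dst"],
                                sport=int(a["sport"]), dport=int(a["dport"])))
    return out


SCHEMA = """
CREATE TABLE IF NOT EXISTS net_event (
    id INTEGER PRIMARY KEY,
    proto TEXT NOT NULL CHECK (proto IN ('tcp', 'udp', 'icmp')),
    src TEXT NOT NULL,
    dst TEXT NOT NULL,
    sport INTEGER, dport INTEGER, icmp_type INTEGER, icmp_code INTEGER,
    CHECK ((proto = 'icmp' AND icmp_type IS NOT NULL AND icmp_code IS NOT NULL
            AND sport IS NULL AND dport IS NULL)
        OR (proto <> 'icmp' AND sport IS NOT NULL AND dport IS NOT NULL
            AND icmp_type IS NULL AND icmp_code IS NULL))
)"""


def store(conn: sqlite3.Connection, events: List[NetEvent]) -> int:
    """Persist events with parameterised inserts; returns the number of rows written."""
    conn.execute(SCHEMA)
    rows = [(e.proto, e.src, e.dst, e.sport, e.dport, e.icmp_type, e.icmp_code)
            for e in events]
    conn.executemany(
        "INSERT INTO net_event (proto, src, dst, sport, dport, icmp_type, icmp_code) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def count_by_proto(conn: sqlite3.Connection) -> Dict[str, int]:
    return dict(conn.execute(
        "SELECT proto, COUNT(*) FROM net_event GROUP BY proto ORDER BY proto"))


def rejects(**fields) -> bool:
    """True if the in-core layer refuses to build an event from these fields."""
    try:
        NetEvent(**fields)
        return False
    except ValueError:
        return True


# Constructed sample events (documentation address ranges, not real hosts).
SAMPLE = [
    NetEvent("tcp", "192.0.2.10", "198.51.100.5", sport=40123, dport=22),
    NetEvent("udp", "192.0.2.11", "198.51.100.53", sport=5353, dport=53),
    NetEvent("icmp", "192.0.2.12", "198.51.100.5", icmp_type=8, icmp_code=0),
    NetEvent("tcp", "192.0.2.13", "198.51.100.5", sport=40124, dport=22),
]


def round_trip(events=SAMPLE):
    """In-core -> XML -> in-core -> RDBMS; returns (re-parsed events, per-protocol counts)."""
    conn = sqlite3.connect(":memory:")
    parsed = from_xml(to_xml(events))
    store(conn, parsed)
    return parsed, count_by_proto(conn)


if __name__ == "__main__":
    parsed, counts = round_trip()
    print(to_xml(parsed))
    print(counts)
```

The XML produced by `to_xml` is the exchange artefact; `from_xml` and the table's CHECK constraint are the two places where data from outside the process is re-validated before it reaches the permanent store.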