The AirCERT normalization capability is responsible for extracting data from a proprietary (vendor-specific) representation and converting it to the standardized format used within AirCERT. This transformation requires both reformatting the data and translating its semantics, i.e. mapping vendor-specific field names and values onto the common vocabulary.

Given that almost every security technology exports data in its own format, writing a separate script or program for each technology would not scale. Instead, the AirCERT approach segments technologies according to the data store or transmission protocol used to log events, with one normalizer per category. AirCERT currently provides the following normalizers:

  • rex: a normalizer for text files (e.g. log files), driven by regular expressions
  • tabula: a normalizer for events stored in a database
  • spo_xml: an XML output plugin for Snort
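
The following is an added example, not AirCERT's rex and not its configuration format, written to show the two halves of normalization described above: regular expressions extract fields from two constructed, product-specific log line formats (a hypothetical firewall syslog line and a hypothetical IDS CSV line), and semantic translation maps the vendor values (severity names, action words, local timestamps without a year) onto one standardized record. The sample lines, the year and the sensor timezone are assumptions made for the example.

```python
"""Toy regex-driven normalizer in the spirit of AirCERT's rex (added example,
not the project's code). Every log line, the year and the timezone below are
constructed assumptions for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input from two imaginary products with different formats.
SAMPLE_LINES = [
    "Jan 12 03:14:07 fw1 fwd: DENY TCP 203.0.113.9:4431 -> 192.0.2.10:22 sev=HIGH",
    "2004-01-12T03:14:09,ids2,alert,ICMP,198.51.100.7,192.0.2.10,MEDIUM,ICMP echo sweep",
    "this line matches nothing",
]

# Semantic translation tables: vendor vocabulary -> standardized vocabulary.
SEVERITY_MAP = {"HIGH": "high", "MEDIUM": "medium", "LOW": "low", "INFO": "low"}
ACTION_MAP = {"DENY": "blocked", "ALLOW": "allowed", "alert": "alerted"}
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Assumptions: syslog lines carry no year, and the sensors log in local time.
ASSUMED_YEAR = 2004
ASSUMED_SENSOR_TZ = timezone(timedelta(hours=-5))

# Reformatting: one regex with named groups per product-specific format.
FIREWALL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) (?P<sensor>\S+) fwd: "
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) sev=(?P<sev>\w+)$")
IDS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d),(?P<sensor>[^,]+),(?P<action>[^,]+),"
    r"(?P<proto>[^,]+),(?P<src>[\d.]+),(?P<dst>[\d.]+),(?P<sev>[^,]+),(?P<msg>.*)$")


def _to_utc(local_dt):
    """Attach the assumed sensor timezone and render the time in UTC."""
    return (local_dt.replace(tzinfo=ASSUMED_SENSOR_TZ)
            .astimezone(timezone.utc)
            .strftime("%Y-%m-%dT%H:%M:%SZ"))


def normalize(line):
    """Return one standardized record for a line, or None if no rule matches."""
    m = FIREWALL_RE.match(line)
    if m:
        hour, minute, second = (int(x) for x in m["hms"].split(":"))
        local = datetime(ASSUMED_YEAR, MONTHS[m["mon"]], int(m["day"]),
                         hour, minute, second)
        return {
            "sensor": m["sensor"],
            "time_utc": _to_utc(local),
            "action": ACTION_MAP[m["action"]],
            "severity": SEVERITY_MAP.get(m["sev"].upper(), "unknown"),
            "protocol": m["proto"].lower(),
            "src": m["src"], "src_port": int(m["sport"]),
            "dst": m["dst"], "dst_port": int(m["dport"]),
            "message": None,
        }
    m = IDS_RE.match(line)
    if m:
        local = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        return {
            "sensor": m["sensor"],
            "time_utc": _to_utc(local),
            "action": ACTION_MAP.get(m["action"], "unknown"),
            "severity": SEVERITY_MAP.get(m["sev"].upper(), "unknown"),
            "protocol": m["proto"].lower(),
            "src": m["src"], "src_port": None,   # this format carries no ports
            "dst": m["dst"], "dst_port": None,
            "message": m["msg"],
        }
    return None


def normalize_all(lines):
    """Normalize a batch; unmatched lines are returned, not silently dropped."""
    normalized, rejected = [], []
    for line in lines:
        record = normalize(line)
        if record is None:
            rejected.append(line)
        else:
            normalized.append(record)
    return normalized, rejected


if __name__ == "__main__":
    records, leftovers = normalize_all(SAMPLE_LINES)
    for r in records:
        print(r)
    print("unmatched:", leftovers)
```

Two points carry over to a real deployment: the timestamp translation is where the assumptions live (missing year, sensor timezone), so they are kept as explicit named constants rather than buried in a regex; and lines that match no rule are returned to the caller, because a normalizer that silently discards unparseable input hides exactly the events a new or misconfigured sensor produces.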

Running in tandem with the normalization process is dredge, the retransmission engine, which sends the normalized data to the collector.