This version has a lot of changes, including new analyzers, documentation,
language features, VLAN support, and the beginnings of IDMEF support. I've
appended the changes since the last "CURRENT" version (0.8a70).
Just curious, what is the motivation for IDMEF support? Just to be
consistent with industry "standard" or something else? Basically, I am
asking how users are supposed to use IDMEF in a production environment.
First, it's indeed simply a standardized way to talk to other
systems. If you're using different kinds of NIDSs (either at
different locations or even at the same place), they may share their
results with IDMEF.
Second, it's interesting to see how Bro's semantics map to IDMEF and
vice versa. Most parts of Bro work on a lower level than IDMEF. So,
a large fraction of Bro's state is not (reasonably) convertible to
IDMEF. On the other hand, Bro's alert framework looks quite similar
to IDMEF's model. By adding IDMEF support we should be able to
better understand what kind of information can actually be
represented in this format (and if it's sufficient for the task it's
supposed to do).
Regarding the question of how to use it: if you want to connect
multiple Bros, IDMEF is probably not the best way; there are other
mechanisms now (which are still experimental though). But if you
want to share alerts with other systems, IDMEF could be an option.
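To make the mapping discussed above concrete, here is an added example (not Bro's own code, and not part of the original thread) that turns a Bro-style alert record into an IDMEF-Message as laid out in RFC 4765 and reads it back. The alert record, its field names ("kind", "sensor", "conn_state", ...), the severity strings and the Analyzer name are all assumptions made for the example; only the IDMEF side (element names, child order, the severity enumeration, the ntpstamp format) follows the RFC. It shows the two points of the reply: alert-level fields have a direct IDMEF home, while lower-level connection state has none and can only be carried as opaque AdditionalData.

```python
"""Mapping a Bro-style alert record to an IDMEF-Message (RFC 4765).

Added example, not Bro's own code. The input record and its field names are
constructed assumptions standing in for whatever Bro's alert framework emits;
only the IDMEF side (element names, order, enumerations) follows the RFC.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
IDMEF_SEVERITIES = {"info", "low", "medium", "high"}  # Impact/severity enum


def q(tag):
    """Qualify an element name with the IDMEF namespace."""
    return "{%s}%s" % (IDMEF_NS, tag)


# Constructed sample alert (assumed field names, not Bro's actual record layout).
SAMPLE_ALERT = {
    "kind": "SensitiveURI",        # Bro alert name -> Classification
    "sensor": "bro-dmz-1",         # -> Analyzer
    "ts": 952596085.93464,         # Unix time of detection -> CreateTime
    "src_ip": "192.0.2.10", "src_port": 40123,
    "dst_ip": "198.51.100.5", "dst_port": 80,
    "proto": "tcp",
    "severity": "medium",          # -> Assessment/Impact
    # Connection-level state with no IDMEF counterpart: kept as AdditionalData
    "conn_state": "SF",
    "orig_bytes": 412,
}
MAPPED_FIELDS = {"kind", "sensor", "ts", "src_ip", "src_port",
                 "dst_ip", "dst_port", "proto", "severity"}


def ntp_stamp(unix_ts):
    """IDMEF ntpstamp attribute: 64-bit NTP time as 0xSECONDS.0xFRACTION."""
    secs = int(unix_ts) + NTP_EPOCH_OFFSET
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return "0x%08x.0x%08x" % (secs, frac)


def iso_time(unix_ts):
    """IDMEF textual time: UTC, ISO 8601, trailing 'Z'."""
    dt = datetime.fromtimestamp(unix_ts, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def _endpoint(alert_el, tag, ip, port, proto):
    """Emit a Source or Target element with Node/Address and Service."""
    ep = ET.SubElement(alert_el, q(tag))
    node = ET.SubElement(ep, q("Node"))
    addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ip
    svc = ET.SubElement(ep, q("Service"))
    ET.SubElement(svc, q("port")).text = str(port)
    ET.SubElement(svc, q("protocol")).text = proto


def bro_alert_to_idmef(alert, messageid="1"):
    """Return the alert as an IDMEF-Message XML string.

    Child order inside Alert follows the RFC 4765 DTD: Analyzer, CreateTime,
    Source, Target, Classification, Assessment, AdditionalData.
    Unknown severities are rejected rather than silently downgraded.
    """
    if alert["severity"] not in IDMEF_SEVERITIES:
        raise ValueError("severity not in IDMEF enumeration: %r" % alert["severity"])
    ET.register_namespace("", IDMEF_NS)  # serialize as the default namespace
    root = ET.Element(q("IDMEF-Message"), version="1.0")
    a = ET.SubElement(root, q("Alert"), messageid=messageid)
    ET.SubElement(a, q("Analyzer"), analyzerid=alert["sensor"], name="Bro")
    ct = ET.SubElement(a, q("CreateTime"), ntpstamp=ntp_stamp(alert["ts"]))
    ct.text = iso_time(alert["ts"])
    _endpoint(a, "Source", alert["src_ip"], alert["src_port"], alert["proto"])
    _endpoint(a, "Target", alert["dst_ip"], alert["dst_port"], alert["proto"])
    ET.SubElement(a, q("Classification"), text=alert["kind"])
    assessment = ET.SubElement(a, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), severity=alert["severity"])
    # Everything the IDMEF model cannot express is carried as typed AdditionalData.
    for key in sorted(set(alert) - MAPPED_FIELDS):
        val = alert[key]
        typ = "integer" if isinstance(val, int) else "string"
        ad = ET.SubElement(a, q("AdditionalData"), type=typ, meaning=key)
        ET.SubElement(ad, q(typ)).text = str(val)
    return ET.tostring(root, encoding="unicode")


def parse_idmef(xml_text):
    """Read back the fields a consuming system would care about, as a dict."""
    root = ET.fromstring(xml_text)
    a = root.find(q("Alert"))

    def endpoint(tag):
        ep = a.find(q(tag))
        ip = ep.find(q("Node")).find(q("Address")).find(q("address")).text
        port = int(ep.find(q("Service")).find(q("port")).text)
        return ip, port

    extra = {ad.get("meaning"): ad[0].text for ad in a.findall(q("AdditionalData"))}
    return {
        "root": root.tag,
        "analyzer": a.find(q("Analyzer")).get("analyzerid"),
        "create_time": a.find(q("CreateTime")).text,
        "ntpstamp": a.find(q("CreateTime")).get("ntpstamp"),
        "src": endpoint("Source"),
        "dst": endpoint("Target"),
        "classification": a.find(q("Classification")).get("text"),
        "severity": a.find(q("Assessment")).find(q("Impact")).get("severity"),
        "extra": extra,
    }


if __name__ == "__main__":
    print(bro_alert_to_idmef(SAMPLE_ALERT))
```

The consumer side only sees what the IDMEF model names explicitly (source, target, classification, severity); the connection state survives the trip only as an opaque string keyed by "meaning", which is exactly the loss the reply describes for Bro's lower-level state.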