The attacker may use certain associations between the fields of a security alert to learn the security posture of the producer site.
Configurations. Sensitive information includes the site's set of network services, protocols, operating systems, and network-accessible content residing within its boundaries. While some of this information may be revealed through direct interactions with external systems, the breadth of probing can be monitored and controlled by the target site. Associations between security alert fields that could potentially lead to undesirable disclosures include [Source_IP, Source_Port, Protocol] and [Dest_IP, Dest_Port, Protocol].
Site vulnerabilities. Revealing the disposition of unsuccessful attacks may be undesirable. Associations between alert producers and the Sensor_ID, Event_ID and Outcome fields may potentially lead to such disclosures.
Defense coverage. Sites may not want to reveal their detection coverage, including information about versions and configurations of security products that are operating within their boundaries. Attacks and probes mounted against a site with the intention of observing, potentially through indirect inference, which sensors are running and their alert production patterns, would seriously impact the site's security posture. Associations between alert producers and the Sensor_ID and Event_ID fields are thus sensitive.
In current practice, these sensitivities are handled in a variety of ways. Sensitive fields are often suppressed at the alert producer's site before the alert is forwarded to a remote alert repository. For example, the DShield alert extractor provides various configuration options to suppress fields and an IP blacklist that allows a site to suppress sensitive addresses. The second approach is to apply cryptographic hashing to fields, allowing equality checks while maintaining a degree of content privacy (this approach may be vulnerable to dictionary attacks, as explained below). The third approach is simply to trust the alert repository with ensuring that neither content nor indirect associations be openly revealed.