Intrusion Detection Message Exchange Format

Used as part of computer security, IDMEF (Intrusion Detection Message Exchange Format) is a data format used to exchange informations between software enabling intrusion detection, intrusion prevention, security information collection and management systems that may need to interact with them. IDMEF messages are designed to be processed automatically. The details of the format are described in the RFC 4765. This RFC presents an implementation of the XML data model and the associated DTD. The requirements for this format are described in RFC 4766, and the recommended transport protocol (IDXP) is documented in RFC 4767

IDMEF Format

The purpose of IDMEF is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. It is used in computer security for incidents reporting and exchanging. It is intended for easy automatic processing.

IDMEF is a well-structured object-oriented format, which consists of 33 classes containing 108 fields including three mandatory:

There are currently two types of IDMEF messages that can be created, Heartbeat or Alert

Heartbeat

The Heartbeats are sent by the analyzers to indicate their status. These messages are sent at regular intervals which period is defined in the Heartbeat Interval Field. If none of these messages are received for several periods of time, consider that this analyzer is not able to trigger alerts.

Alert

Alerts are used to describe an attack that took place, the main areas that create the alert are:

There are three other alert types that inherit from this scheme:

Example

IDMEF report of ping of death attack can look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns">
        <idmef:name>sensor.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source ident="a1a2" spoofed="yes">
      <idmef:Node ident="a1a2-1">
        <idmef:Address ident="a1a2-2" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="b3b4">
      <idmef:Node>
        <idmef:Address ident="b3b4-1" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="c5c6">
      <idmef:Node ident="c5c6-1" category="nisplus">
        <idmef:name>lollipop</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="d7d8">
      <idmef:Node ident="d7d8-1">
        <idmef:location>Cabinet B10</idmef:location>
        <idmef:name>Cisco.router.b10</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Ping-of-death detected">
      <idmef:Reference origin="cve">
        <idmef:name>CVE-1999-128</idmef:name>
        <idmef:url>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-128</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>

Tools implementing the IDMEF protocol

References

    External links

    Tutorials

    This article is issued from Wikipedia - version of the 8/8/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.