In my experience, with the current IDMEF description, I am not able to put information about:
  • Confidentiality, Integrity, Availability and Vulnerability impact
  • Secrecy level of the information, like from a non-protected network (internet) or from a VIP network (with secret data)

Added by Sélim Menouar almost 4 years ago

The comparison with several other formats has pointed out some new missing fields:
- Start and end time of the event. That could possibly be useful, but we have to remember that a lot of time fields are already available and that it tends to confuse users.
- The transport protocol also seems to be missing in the IDMEF schema, whereas CEF has a field for it.
- User privileges could be provided in the alert. CEF does it.
- We mentioned a few times the NAT addresses missing in the schema. It could be very easy to add a category field indicating whether the address is translated or not.
- IDMEF already has a field for PID, but there’s no field for TID (thread id).
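As an added example (not code from this thread or from the IDMEF project), the Python script below shows how the fields the two posts list as missing can be carried in an RFC 4765 alert today through the generic AdditionalData extension point, and how a consumer reads them back; the `meaning` names and all sample values are constructed for the example and belong to no schema.

```python
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"  # IDMEF XML namespace defined in RFC 4765
ET.register_namespace("idmef", NS)


def q(tag):
    """Qualify a tag name with the IDMEF namespace."""
    return f"{{{NS}}}{tag}"


def add_data(parent, meaning, value, dtype="string"):
    """Attach one AdditionalData element; the child element is named after
    the RFC 4765 type (boolean, integer, string, ...)."""
    ad = ET.SubElement(parent, q("AdditionalData"), type=dtype, meaning=meaning)
    ET.SubElement(ad, q(dtype)).text = str(value)


def build_alert(ip, pid, tid, translated, transport, impact):
    """Constructed alert: thread id, NAT flag, transport protocol and the
    C/I/A impact are carried as AdditionalData (meaning names are ours)."""
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid="constructed-1")
    ET.SubElement(alert, q("CreateTime")).text = "2020-01-01T00:00:00Z"
    src = ET.SubElement(alert, q("Source"))
    addr = ET.SubElement(ET.SubElement(src, q("Node")), q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ip
    ET.SubElement(ET.SubElement(src, q("Process")), q("pid")).text = str(pid)  # PID exists in IDMEF
    add_data(alert, "thread-id", tid, "integer")
    add_data(alert, "address-translated", "true" if translated else "false", "boolean")
    add_data(alert, "transport-protocol", transport)
    for dimension, level in impact.items():
        add_data(alert, f"impact-{dimension}", level)
    return ET.tostring(msg, encoding="unicode")


def read_extensions(xml_text):
    """Consumer side: collect AdditionalData values by meaning, converting
    integer and boolean types so callers get native Python values."""
    out = {}
    for ad in ET.fromstring(xml_text).iter(q("AdditionalData")):
        dtype = ad.get("type")
        value = ad.find(q(dtype)).text
        if dtype == "integer":
            value = int(value)
        elif dtype == "boolean":
            value = value == "true"
        out[ad.get("meaning")] = value
    return out
```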