IDMEFV2

One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.

Listed here are the changes we think would be worth including in V2.

All of these changes were discussed during meetings or on the forum.

Issues

Each entry gives the issue with the current format and the solution(s) that were discussed; where two solutions are listed they are alternatives.

1. Enumeration
   Issue: Allow the enumerations in IDMEF to be extended (as IODEF v2 does).
   Solution: Add an "other" value to each enumeration and an ext- field, so they can be extended easily.

2. Classification category
   Issue: Put alerts into (optional) categories to simplify the work of the people supervising them.
   Solution: Add a "category" field to the Classification class (should be an enumeration).

3. Event duration
   Issue: Many formats, including IODEF, carry a duration for events; IDMEF has no way to express it.
   Solutions: Add StartTime and EndTime classes (as in IODEF); or add a duration field and treat DetectTime as the beginning of the event.

4. Transport protocol
   Issue: Identify the transport protocol (TCP, UDP, etc.) independently of the application protocol.
   Solutions: Add a transport_protocol field to the Service class; or specify the port in the form TCP:53 or UDP:53.

5. Translated addresses
   Issue: Handle NAT-translated addresses and ports.
   Solutions: Add ipv4-addr-nat/ipv6-addr-nat values to address.category; or add a translation enumeration to the Address class (no_translation/post_translation/pre_translation).

6. Original log
   Issue: For a log-analysis sensor, carry the original log line and the signature that triggered the alert.
   Solutions: Add an original_log field to Alert; or add an Origin class holding original_log as a field.

7. Counter
   Issue: Count occurrences of a particular event repeated over a short period of time.
   Solution: Add an integer counter field to the Alert class.

8. TID
   Issue: The thread ID (TID) is absent from the IDMEF format.
   Solution: Add a tid field to the Process class.

9. Impact class
   Issue: Express the attack severity, the target's presumed vulnerability, the target's criticality and the resulting priority of the alert.
   Solution: Add target_vulnerability and target_criticity fields to the Impact class.

10. OverflowAlert
   Issue: OverflowAlert is too specific to be meaningful when it is the only alert type with a class of its own.
   Solutions: Remove OverflowAlert; or add a subclass of Alert for each known attack type.

11. Host category
   Issue: State which category a host belongs to (firewall, router, ...).
   Solution: Add a category enumeration to the Host class.

12. Location data
   Issue: Provide more explicit location data (latitude, longitude, country, city, etc.).
   Solution: Replace the location field of Node with a normalised class.

13. WebService
   Issue: Expand the WebService class (e.g. a way to attach parameters).
   Solution: Add a WebServiceParams class extending WebService.

14. Service class
   Issue: Allow complementary information in the Service class by offering more sub-classes to choose from.
   Solution: Add subclasses to the Service class.
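As an added example, not part of this page or of the IDMEFv2 project, the following Python script shows how a sensor could apply proposals 3, 4, 6 and 7 together: it folds repeated identical events into a single alert with a counter, StartTime/EndTime and a derived duration, parses the TCP:53 / UDP:53 port notation into a transport protocol and port, and keeps the first original log line. The field names (transport_protocol, counter, original_log, start_time, end_time, duration_seconds), the 60-second window, the grouping key and the sample log lines are all assumptions of this example, not definitions from the proposal.

```python
"""Added example (not SECEF/IDMEFv2 project code): fold repeated events into
one alert carrying the proposed counter, start/end time and transport
protocol fields.  All field names and the 60 s window are assumptions."""
from datetime import datetime, timedelta, timezone

# Hypothetical notation from proposal 4: "<TRANSPORT>:<port>".
KNOWN_TRANSPORTS = {"TCP", "UDP", "SCTP"}


def parse_port(spec):
    """Parse 'TCP:53' -> ('TCP', 53); a bare '53' -> (None, 53).

    Rejecting unknown transports keeps a typo such as 'TPC:53' from
    silently producing an alert with no transport at all.
    """
    proto, sep, port = spec.partition(":")
    if not sep:
        return None, int(proto)
    proto = proto.upper()
    if proto not in KNOWN_TRANSPORTS:
        raise ValueError(f"unknown transport protocol {proto!r} in {spec!r}")
    return proto, int(port)


def aggregate(events, window=timedelta(seconds=60)):
    """Collapse repeats of the same event into one alert per burst.

    Events with the same classification, source, target and port that
    arrive within `window` of the previous occurrence are counted into
    the open alert (proposal 7); the first and last detect times become
    StartTime/EndTime (proposal 3) and the first log line is kept as
    original_log (proposal 6).
    """
    open_alerts = {}   # grouping key -> alert still accepting repeats
    alerts = []
    for ev in sorted(events, key=lambda e: e["detect_time"]):
        key = (ev["classification"], ev["source"], ev["target"], ev["port"])
        cur = open_alerts.get(key)
        if cur is not None and ev["detect_time"] - cur["end_time"] <= window:
            cur["counter"] += 1
            cur["end_time"] = ev["detect_time"]
            continue
        proto, port = parse_port(ev["port"])
        cur = {
            "classification": ev["classification"],
            "source": ev["source"],
            "target": ev["target"],
            "transport_protocol": proto,        # assumed field, proposal 4
            "port": port,
            "start_time": ev["detect_time"],    # assumed StartTime, proposal 3
            "end_time": ev["detect_time"],      # assumed EndTime, proposal 3
            "counter": 1,                       # assumed field, proposal 7
            "original_log": ev["log"],          # assumed field, proposal 6
        }
        open_alerts[key] = cur
        alerts.append(cur)
    for a in alerts:
        # Alternative form of proposal 3: a duration measured from the start.
        a["duration_seconds"] = (a["end_time"] - a["start_time"]).total_seconds()
    return alerts


# Constructed sample events (not real sensor output): an SSH brute-force
# burst, one unrelated DNS event, and a lone SSH failure ten minutes later.
T0 = datetime(2016, 5, 26, 10, 15, 0, tzinfo=timezone.utc)


def _ev(offset_s, classification, source, target, port, log):
    return {"detect_time": T0 + timedelta(seconds=offset_s),
            "classification": classification, "source": source,
            "target": target, "port": port, "log": log}


SSH = ("SSH brute force", "198.51.100.7", "192.0.2.10", "TCP:22")
SAMPLE_EVENTS = [
    _ev(0, *SSH, "sshd[4123]: Failed password for root from 198.51.100.7 port 51022 ssh2"),
    _ev(12, *SSH, "sshd[4123]: Failed password for root from 198.51.100.7 port 51023 ssh2"),
    _ev(20, "DNS ANY query", "203.0.113.9", "192.0.2.53", "UDP:53",
        "named[882]: client 203.0.113.9#9000: query: isc.org IN ANY +E"),
    _ev(25, *SSH, "sshd[4123]: Failed password for root from 198.51.100.7 port 51024 ssh2"),
    _ev(40, *SSH, "sshd[4123]: Failed password for root from 198.51.100.7 port 51025 ssh2"),
    _ev(55, *SSH, "sshd[4123]: Failed password for root from 198.51.100.7 port 51026 ssh2"),
    _ev(700, *SSH, "sshd[4123]: Failed password for root from 198.51.100.7 port 51100 ssh2"),
]


if __name__ == "__main__":
    for a in aggregate(SAMPLE_EVENTS):
        print(f'{a["classification"]:16} {a["transport_protocol"]}:{a["port"]:<5} '
              f'x{a["counter"]} over {a["duration_seconds"]:.0f}s  '
              f'{a["start_time"]:%H:%M:%S}-{a["end_time"]:%H:%M:%S}')
```

Run as is, the script yields three alerts: the five SSH failures within the window become one alert with counter 5 and a 55-second duration, the DNS event stands alone, and the SSH failure ten minutes later opens a fresh alert because it falls outside the window. Keying the burst on the raw "TCP:22" string rather than on the parsed port keeps a TCP and a UDP event on the same port number from being merged, which is the point of proposal 4.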

Summary of changes

In the attached diagram:

- greyed out: removed fields/classes
- white: added fields/classes

Alert.png (Sélim Menouar, 05/26/2016 10:15 AM; revised 05/26/2016 12:03 PM)