IDMEFV2 » History » Version 18

Anonymous, 11/05/2015 01:54 PM


IDMEFV2

One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.

Listed here are the changes that we think could be interesting to include in the V2.

All of these changes were discussed during meetings or on the forum.

In the original table, the fields or classes to be suppressed are shown in red; all the others are to be added.

| Evolution | Impacted class | Proposed field | Type |
| Indicate start time and end time or a duration for an event such as worm propagation or scan | | StartTime | Date |
| | | EndTime | Date |
| Identify transport protocol (TCP, UDP, etc.) regardless of the applicative protocol | Service | transport_protocol | Enum: ATP, CUDP, DCCP, FCP, IL, MPTCP, RDP, RUDP, SCTP, SPX, SST, TCP, UDP, UDP Lite, µTP |
| Handle translated addresses and ports | Address | translation | Enum: no_translation, pre_translation, post_translation |
| Add original log attachment | Alert | original_log | String |
| Occurrence counter of aggregated events | Alert | event_number | Integer |
| Occurrence counter of aggregated alerts in correlation alerts | CorrelationAlert | alert_number | Integer |
| Add thread ID | Process | TID | Integer |
| Specify the attack severity, the target's supposed vulnerability, the target criticity and the final priority of the alert | Impact | target_vulnerability | Enum |
| | | target_criticity | Enum |
| Remove OverflowAlerts (to be suppressed) | OverflowAlerts | | |
| Specify host category | Node | category | Rethink the enumeration |
| Add more explicit location data (latitude, longitude, country, city, etc.) | Node->Location | latitude | float |
| | | longitude | float |
| | | city | String |
| | | country | String |
| | | state | String |
| | Node | Location | |
| Expand WebService class | WebService->WebServiceHeaderParams | parameter | Enum: host, referer, user-agent, server, cookie, http-method, other |
| | | value | String |
| | WebService->WebServiceParams | parameter | String |
| | | value | String |
| Add subclasses to Service class | Service->LDAPService | url | String |
| | | operation | Enum: start_tls, bind, search, compare, add, delete, modify, modify_dn, abandon, extended-operation, unbind, other |
| | | ext-operation | String |
| | | dn | String |
| | LDAPService->LDAPServiceParams | parameter | Enum: scope, filter, deref_aliases, attribute, sizelimit, timelimit, sizeonly, ext-type |
| | | ext-type | String |
| | Service->SIPService | uri | String |
| | | request | Enum: INVITE, ACK, BYE, CANCEL, OPTIONS, REGISTER, PRACK, SUBSCRIBE, NOTIFY, PUBLISH, INFO, referer, MESSAGE, UPDATE, other |
| | | ext-request | String |
| | | response | Integer |
| | SIPService->HeaderSIPService | parameter | Enum |
| | | value | String |
| | Service->SMTPService | messageid | String |
| | | user-agent | String |
| | | subject | String |
| | | references | String |

Attachments:
Alert.png (634 KB) - Anonymous, 05/26/2016 10:15 AM
Alert.png (656 KB) - Anonymous, 05/26/2016 12:03 PM