IDMEFV2 » History » Version 18
Anonymous, 11/05/2015 01:54 PM
IDMEFV2
One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.
Listed here are the changes that we think could be interesting to include in V2.
All of these changes were discussed during meetings or on the forum.
In red (in the wiki rendering) are the fields or classes to be suppressed, i.e. the OverflowAlerts row; the others are to be added.
Evolution | Impacted Class | Proposed Field | Type |
---|---|---|---|
Indicate start time and end time or a duration for an event such as worm propagation or scan | | StartTime | Date |
| | EndTime | Date |
Identify transport protocol (TCP, UDP, etc.) regardless of the applicative protocol | Service | transport_protocol | Enum: ATP, CUDP, DCCP, FCP, IL, MPTCP, RDP, RUDP, SCTP, SPX, SST, TCP, UDP, UDP Lite, µTP |
Handle translated addresses and ports | Address | translation | Enum: no_translation, pre_translation, post_translation |
Add original log attachment | Alert | original_log | String |
Occurrence counter of aggregated events | Alert | event_number | Integer |
Occurrence counter of aggregated alerts in correlation alerts | CorrelationAlert | alert_number | Integer |
Add Thread ID | Process | TID | Integer |
Specify the attack severity, the target's supposed vulnerability, the target criticity and the final priority of the alert | Impact | target_vulnerability | Enum |
| | target_criticity | Enum |
Remove OverflowAlerts | OverflowAlerts | | |
Specify host category | Node | category | Rethink the enumeration |
Add more explicit location data (latitude, longitude, country, city, etc.) | Node->Location | latitude | Float |
| | longitude | Float |
| | city | String |
| | country | String |
| | state | String |
| Node | Location | |
Expand WebService class | WebService->WebServiceHeaderParams | parameter | Enum: host, referer, user-agent, server, cookie, http-method, other |
| | value | String |
| WebService->WebServiceParams | parameter | String |
| | value | String |
Add subclasses to Service class | Service->LDAPService | url | String |
| | operation | Enum: start_tls, bind, search, compare, add, delete, modify, modify_dn, abandon, extended-operation, unbind, other |
| | ext-operation | String |
| | dn | String |
| LDAPService->LDAPServiceParams | parameter | Enum: scope, filter, deref_aliases, attribute, sizelimit, timelimit, sizeonly, ext-type |
| | ext-type | String |
| Service->SIPService | uri | String |
| | request | Enum: INVITE, ACK, BYE, CANCEL, OPTIONS, REGISTER, PRACK, SUBSCRIBE, NOTIFY, PUBLISH, INFO, REFER, MESSAGE, UPDATE, other |
| | ext-request | String |
| | response | Integer |
| SIPService->HeaderSIPService | parameter | Enum |
| | value | String |
| Service->SMTPService | messageid | String |
| | user-agent | String |
| | subject | String |
| | references | String |
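As an added example (not SECEF's code and not part of this wiki page), the following Python builds a constructed scan alert that uses several of the proposed fields (StartTime/EndTime, event_number, original_log, Address.translation, Service.transport_protocol, Node.Location, Process.TID) and checks it against the enumerations and types in the table above. It assumes a JSON-style dictionary as the carrier and ISO 8601 strings for the Date type, neither of which the proposal fixes; the log line, addresses, process names and coordinates are constructed sample values.

```python
"""Check a constructed alert against the IDMEF V2 field proposals above.

Assumptions (not fixed by the proposal): alerts are carried as JSON-style
dicts and the proposed Date type is an ISO 8601 string.
"""
from datetime import datetime

# Enumerations taken from the proposal table.
TRANSPORT_PROTOCOLS = {
    "ATP", "CUDP", "DCCP", "FCP", "IL", "MPTCP", "RDP", "RUDP",
    "SCTP", "SPX", "SST", "TCP", "UDP", "UDP Lite", "µTP",
}
TRANSLATIONS = {"no_translation", "pre_translation", "post_translation"}

# Constructed sample: an SSH scan seen by a firewall, aggregated into one alert
# with a StartTime/EndTime window, an event counter, the original log line,
# a NAT'ed target (pre/post translation addresses) and a target location.
SCAN_ALERT = {
    "StartTime": "2015-11-05T13:40:00",
    "EndTime": "2015-11-05T13:52:00",
    "event_number": 250,
    "original_log": "Nov  5 13:40:00 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DPT=22",  # constructed
    "Source": {"Node": {"Address": [
        {"address": "203.0.113.7", "translation": "no_translation"}]}},
    "Target": {
        "Node": {
            "category": "server",
            "Location": {"latitude": 48.8566, "longitude": 2.3522,
                         "city": "Paris", "country": "France", "state": ""},
            "Address": [
                {"address": "198.51.100.20", "translation": "pre_translation"},
                {"address": "10.0.0.5", "translation": "post_translation"},
            ],
        },
        "Service": {"port": 22, "transport_protocol": "TCP"},
        "Process": {"name": "sshd", "pid": 1234, "TID": 1240},
    },
}

# Constructed counter-example violating four of the proposed constraints.
BAD_ALERT = {
    "StartTime": "2015-11-05T13:52:00",
    "EndTime": "2015-11-05T13:40:00",      # ends before it starts
    "event_number": 0,                      # a counter of aggregated events cannot be 0
    "Target": {
        "Node": {"Address": [{"address": "10.0.0.5", "translation": "nat"}]},  # not in the enum
        "Service": {"port": 53, "transport_protocol": "ICMP"},                 # not a transport protocol
    },
}


def validate(alert):
    """Return the list of violated proposal constraints (empty when the alert is fine)."""
    problems = []
    start = datetime.fromisoformat(alert["StartTime"]) if "StartTime" in alert else None
    end = datetime.fromisoformat(alert["EndTime"]) if "EndTime" in alert else None
    if start is not None and end is not None and end < start:
        problems.append("EndTime precedes StartTime")
    count = alert.get("event_number")
    if count is not None and (not isinstance(count, int) or count < 1):
        problems.append("event_number must be a positive integer")
    for side in ("Source", "Target"):
        part = alert.get(side, {})
        node = part.get("Node", {})
        for addr in node.get("Address", []):
            state = addr.get("translation", "no_translation")
            if state not in TRANSLATIONS:
                problems.append(f"{side}: unknown Address.translation {state!r}")
        loc = node.get("Location")
        if loc is not None and not (-90.0 <= loc["latitude"] <= 90.0
                                    and -180.0 <= loc["longitude"] <= 180.0):
            problems.append(f"{side}: Location coordinates out of range")
        proto = part.get("Service", {}).get("transport_protocol")
        if proto is not None and proto not in TRANSPORT_PROTOCOLS:
            problems.append(f"{side}: unknown Service.transport_protocol {proto!r}")
        tid = part.get("Process", {}).get("TID")
        if tid is not None and (isinstance(tid, bool) or not isinstance(tid, int)):
            problems.append(f"{side}: Process.TID must be an integer")
    return problems


def duration_seconds(alert):
    """Duration derived from the StartTime/EndTime pair, as the proposal allows."""
    start = datetime.fromisoformat(alert["StartTime"])
    end = datetime.fromisoformat(alert["EndTime"])
    return (end - start).total_seconds()


def translated_addresses(node):
    """Group a Node's addresses by translation state, e.g. to report both sides of a NAT."""
    by_state = {state: [] for state in TRANSLATIONS}
    for addr in node.get("Address", []):
        by_state.setdefault(addr.get("translation", "no_translation"), []).append(addr["address"])
    return by_state


if __name__ == "__main__":
    print("scan alert problems:", validate(SCAN_ALERT))
    print("scan duration (s):", duration_seconds(SCAN_ALERT))
    print("bad alert problems:", validate(BAD_ALERT))
```

The validator deliberately reports every violation rather than stopping at the first, so a receiver can log the full list of non-conforming fields from a sender; `translated_addresses` shows why the pre/post translation marker matters: without it a NAT'ed target would appear as two unrelated hosts.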