IDMEFV2 » History » Version 20

Anonymous, 02/11/2016 11:33 AM


IDMEFV2

One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.

Listed here are the changes that we think could be interesting to include in V2.

All of these changes were discussed during meetings or on the forum.

Issues

Each entry gives the identifier and name of the issue, the problem with the current IDMEF format, and the solution(s) proposed for V2 (several lines under Solutions are alternatives).

1. Enumeration
   Issue: Add the possibility of expanding the enumerations in IDMEF (like IODEFv2).
   Solutions: Add an option "other" in the enumeration and a field ext-, to extend it easily.

2. Classification category
   Issue: Put alerts in different (optional) categories to simplify the work of the people supervising.
   Solutions: Add a field "category" in the Classification class (should be an enumeration).

3. Event's duration
   Issue: Whereas many formats, including IODEF, carry a duration for events, IDMEF has no way to express this information.
   Solutions: Add classes StartTime and EndTime (like IODEF).
              Add a field duration, and consider the DetectTime as the beginning of the event.

4. Transport protocol
   Issue: Identify the transport protocol (TCP, UDP, etc.) regardless of the application protocol.
   Solutions: Add a field transport_protocol in the Service class.
              Specify the port in the format TCP:53 or UDP:53.

5. Translated addresses
   Issue: Handle translated (NAT) addresses and ports.
   Solutions: Add the options ipv4-addr-nat/ipv6-addr-nat in Address.category.
              Add an enumeration translation in the Address class (no_translation/post_translation/pre_translation).

6. Original log
   Issue: Carry the original log line and the signature that triggered the alert, in the case of a log-analysis sensor.
   Solutions: Add a field original_log to Alert.
              Add a class Origin which contains the original_log in a field.

7. Counter
   Issue: Count occurrences of a particular event repeated over a short period of time.
   Solutions: Add an Integer field counter in the Alert class.

8. TID
   Issue: The thread ID (TID) is not present in the IDMEF format.
   Solutions: Add a field tid in the Process class.

9. Impact class
   Issue: Specify the attack severity, the target's supposed vulnerability, the target's criticality and the final priority of the alert.
   Solutions: Add the fields target_vulnerability and target_criticity in the Impact class.

10. OverflowAlerts
   Issue: OverflowAlerts are too specific to have any real meaning when they are the only type of alert with a class of their own.
   Solutions: Remove OverflowAlerts.
              Add more subclasses of Alert, one per known attack type.

11. Host category
   Issue: State what category the host belongs to (firewall, router, ...).
   Solutions: Add an enumeration category in the Host class.

12. Location data
   Issue: Add more explicit location data (latitude, longitude, country, city, etc.).
   Solutions: Replace the field location in Node by a normalised class.

13. WebService
   Issue: Expand the WebService class (e.g. add a way to carry parameters).
   Solutions: Add a class WebServiceParams to extend WebService.

14. Service class
   Issue: Add complementary information in the Service class by offering more subclasses to choose from.
   Solutions: Add subclasses to the Service class.
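The following is an added example, not code from SECEF or the IDMEF project, showing what several of the proposals above would look like on the wire and, more importantly, how a consumer would validate them: the "other" + ext- extension rule of issue 1, the transport_protocol enumeration and the TCP:53 port form of issue 4, the translation enumeration of issue 5, and the original_log field of issue 6. The page proposes the fields, not their XML encoding, so the element and attribute names used for the new fields, the ext-<attribute> naming, the classification category values other than "authentication", and the sample log line are all assumptions made here. The RFC 4765 namespace and the existing IDMEF element names (IDMEF-Message, Alert, Classification, Source, Node, Address, Service, port) are real.

```python
# Added example (not SECEF/IDMEF project code): emit and parse an IDMEF-style
# alert carrying the V2 proposals, and reject enumeration values that the
# "other" + ext- rule does not cover. Element/attribute names for the NEW
# fields are assumptions; RFC 4765 names and namespace are real.
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"                       # RFC 4765 IDMEF namespace
ET.register_namespace("idmef", NS)


def q(tag):
    """Qualified tag name in the IDMEF namespace."""
    return f"{{{NS}}}{tag}"


# Enumerations proposed on the page (values as listed there).
TRANSPORT_PROTOCOLS = {"ATP", "CUDP", "DCCP", "FCP", "IL", "MPTCP", "RDP", "RUDP",
                       "SCTP", "SPX", "SST", "TCP", "UDP", "UDP Lite", "µTP"}
TRANSLATION = {"no_translation", "pre_translation", "post_translation"}
# Issue 2 only names "authentication"; the other two values are assumptions.
CATEGORIES = {"authentication", "scan", "malware"}


def enum_value(elem, attr, allowed):
    """Issue 1: read an enumerated attribute, accepting 'other' + 'ext-<attr>'.

    Returns the enumeration value, or the ext- value when the enumeration is
    'other'. Raises ValueError on an unknown value or a missing ext- field so
    that a consumer never silently accepts an alert it cannot interpret.
    """
    value = elem.get(attr)
    if value in allowed:
        return value
    if value == "other":
        ext = (elem.get(f"ext-{attr}") or "").strip()
        if not ext:
            raise ValueError(f"{attr}='other' requires a non-empty ext-{attr}")
        return ext
    raise ValueError(f"unknown {attr} value {value!r}")


def parse_port(spec):
    """Issue 4 alternative: accept 'TCP:53' / 'UDP:53' or a bare port number."""
    proto, sep, port = spec.rpartition(":")
    if sep and proto not in TRANSPORT_PROTOCOLS:
        raise ValueError(f"unknown transport protocol {proto!r}")
    return (proto or None, int(port))


def build_alert(category, ext_category=None, transport="UDP", port=53,
                translation="post_translation", original_log=""):
    """Emit an IDMEF-style Alert carrying the proposed V2 fields."""
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid="a-1")
    cls = ET.SubElement(alert, q("Classification"), text="DNS amplification")
    cls.set("category", category)                      # Issue 2
    if ext_category:
        cls.set("ext-category", ext_category)          # Issue 1 extension
    src = ET.SubElement(alert, q("Source"))
    node = ET.SubElement(src, q("Node"))
    addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
    addr.set("translation", translation)               # Issue 5
    ET.SubElement(addr, q("address")).text = "203.0.113.7"   # constructed
    svc = ET.SubElement(src, q("Service"))
    svc.set("transport_protocol", transport)           # Issue 4
    ET.SubElement(svc, q("port")).text = str(port)
    ET.SubElement(alert, q("original_log")).text = original_log  # Issue 6
    return ET.tostring(msg, encoding="unicode")


def parse_alert(xml_text):
    """Consume an alert, validating every proposed enumeration on the way."""
    root = ET.fromstring(xml_text)
    alert = root.find(q("Alert"))
    cls = alert.find(q("Classification"))
    addr = alert.find(f"./{q('Source')}/{q('Node')}/{q('Address')}")
    svc = alert.find(f"./{q('Source')}/{q('Service')}")
    return {
        "category": enum_value(cls, "category", CATEGORIES),
        "translation": enum_value(addr, "translation", TRANSLATION),
        "transport_protocol": enum_value(svc, "transport_protocol",
                                         TRANSPORT_PROTOCOLS),
        "port": int(svc.findtext(q("port"))),
        "original_log": alert.findtext(q("original_log")),
    }


if __name__ == "__main__":
    # Constructed log line standing in for the sensor's original_log.
    log = "2016-02-11T11:33:00Z named[1234]: client 203.0.113.7#5353: query: . IN ANY"
    ok = build_alert("other", ext_category="dns-abuse", original_log=log)
    print(parse_alert(ok))
    bad = build_alert("other")          # 'other' without an ext-category
    try:
        parse_alert(bad)
    except ValueError as exc:
        print("rejected:", exc)
    print(parse_port("TCP:53"), parse_port("53"))
```

The design point worth keeping from this is that "other" is only meaningful together with a populated ext- field; a consumer that treats a bare "other" as valid has lost the information the extension was meant to carry, which is why enum_value refuses it.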

Solutions

Each entry gives the evolution, the impacted class, the proposed field(s) and their type. Entries marked "(to remove)" are fields or classes to be suppressed (shown in red on the original page); all the others are to be added.

Indicate start time and end time or a duration for an event such as worm propagation or a scan
  Impacted classes: StartTime, EndTime (new classes, like IODEF)
  Proposed field: Date (Date) in each

Identify the transport protocol (TCP, UDP, etc.) regardless of the application protocol
  Impacted class: Service
  Proposed field: transport_protocol (enumeration: ATP, CUDP, DCCP, FCP, IL, MPTCP, RDP, RUDP, SCTP, SPX, SST, TCP, UDP, UDP Lite, µTP)

Handle translated addresses and ports
  Impacted class: Address
  Proposed field: translation (enumeration: no_translation, pre_translation, post_translation)

Add original log attachment
  Impacted class: Alert
  Proposed field: original_log (String)

Occurrence counter of aggregated events
  Impacted class: Alert
  Proposed field: event_number (Integer)

Occurrence counter of aggregated alerts in correlation alerts
  Impacted class: CorrelationAlert
  Proposed field: alert_number (Integer)

Add thread ID
  Impacted class: Process
  Proposed field: TID (Integer)

Specify the attack severity, the target's supposed vulnerability, the target's criticality and the final priority of the alert
  Impacted class: Impact
  Proposed fields: target_vulnerability (Enum), target_criticity (Enum)

Remove OverflowAlerts
  Impacted class: OverflowAlerts (to remove)

Specify host category
  Impacted class: Node
  Proposed field: category (rethink the enumeration)

Add more explicit location data (latitude, longitude, country, city, etc.)
  Impacted class: Node -> Location (new subclass)
  Proposed fields: latitude (float), longitude (float), city (String), country (String), state (String)
  Node.location (to remove, replaced by the Location subclass)

Expand WebService class
  Impacted class: WebService -> WebServiceHeaderParams
  Proposed fields: parameter (enumeration: host, referer, user-agent, server, cookie, http-method, other), value (String)
  Impacted class: WebService -> WebServiceParams
  Proposed fields: parameter (String), value (String)

Add subclasses to Service class
  Impacted class: Service -> LDAPService
  Proposed fields: url (String); operation (enumeration: start_tls, bind, search, compare, add, delete, modify, modify_dn, abandon, extended-operation, unbind, other); ext-operation (String); dn (String)
  Impacted class: LDAPService -> LDAPServiceParams
  Proposed fields: parameter (enumeration: scope, filter, deref_aliases, attribute, sizelimit, timelimit, sizeonly, ext-type); ext-type (String)
  Impacted class: Service -> SIPService
  Proposed fields: uri (String); request (enumeration: INVITE, ACK, BYE, CANCEL, OPTIONS, REGISTER, PRACK, SUBSCRIBE, NOTIFY, PUBLISH, INFO, REFER, MESSAGE, UPDATE, other); ext-request (String); response (Integer, the SIP status code)
  Impacted class: SIPService -> HeaderSIPService
  Proposed fields: parameter (Enum), value (String)
  Impacted class: Service -> SMTPService
  Proposed fields: messageid (String), user-agent (String), subject (String), references (String)

Specify classification category
  Impacted class: Classification
  Proposed field: category (enumeration: authentication, ...)
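The StartTime/EndTime pair and the event_number counter (the Issues table called it counter) only carry meaning if the sensor actually folds repeated raw events into one alert instead of emitting one alert per log line. The block below is an added example of that aggregation step, written here and not taken from the project; it keeps an alert open per (classification, source, target) key, extends EndTime and increments event_number while events keep arriving within a window, and keeps every folded log line for the original_log proposal. The log line format, the 60-second window and the aggregation key are assumptions; the log lines are constructed for the example.

```python
# Added example (not SECEF/IDMEF project code): fold repeated raw events
# into one alert carrying the proposed StartTime, EndTime and event_number
# fields. The input format, window and key are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)      # assumed "short period of time" (Issue 7)

# Constructed log lines: "<iso-timestamp> <classification> <src> -> <dst>".
LOG_LINES = [
    "2016-02-11T11:33:00 portscan 198.51.100.9 -> 192.0.2.10",
    "2016-02-11T11:33:05 portscan 198.51.100.9 -> 192.0.2.10",
    "2016-02-11T11:33:12 portscan 198.51.100.9 -> 192.0.2.10",
    "2016-02-11T11:33:30 auth_failure 198.51.100.9 -> 192.0.2.11",
    "2016-02-11T11:33:40 portscan 198.51.100.9 -> 192.0.2.10",
    "2016-02-11T11:40:00 portscan 198.51.100.9 -> 192.0.2.10",  # > window
]


@dataclass
class Alert:
    classification: str
    source: str
    target: str
    start_time: datetime             # proposed StartTime
    end_time: datetime               # proposed EndTime
    event_number: int = 1            # proposed Alert.event_number
    original_logs: list = field(default_factory=list)   # proposed original_log

    @property
    def duration(self):
        """Issue 3's alternative: the duration derived from the two times."""
        return self.end_time - self.start_time


def parse_line(line):
    """Split one constructed log line into (timestamp, class, src, dst)."""
    ts, cls, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), cls, src, dst


def aggregate(lines, window=WINDOW):
    """Fold events sharing (classification, source, target) that arrive
    within `window` of the open alert's EndTime into a single Alert.

    An event outside the window closes the open alert and starts a new one,
    so a scan resumed minutes later is reported as a separate alert rather
    than stretching the first one's duration.
    """
    open_alerts = {}
    closed = []
    for line in lines:
        ts, cls, src, dst = parse_line(line)
        key = (cls, src, dst)
        cur = open_alerts.get(key)
        if cur is not None and ts - cur.end_time <= window:
            cur.end_time = max(cur.end_time, ts)
            cur.event_number += 1
            cur.original_logs.append(line)
            continue
        if cur is not None:
            closed.append(cur)
        open_alerts[key] = Alert(cls, src, dst, ts, ts, 1, [line])
    closed.extend(open_alerts.values())
    return closed


if __name__ == "__main__":
    for a in aggregate(LOG_LINES):
        print(f"{a.classification} {a.source} -> {a.target}: "
              f"{a.event_number} events, {a.duration.total_seconds():.0f}s")
```

With the constructed input the four portscan lines between 11:33:00 and 11:33:40 become one alert with event_number 4 and a 40-second duration, the line at 11:40:00 starts a second portscan alert, and the auth_failure line stays on its own; a consumer reading event_number and StartTime/EndTime gets the rate of the scan without the sensor having to ship four alerts.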

Attachments: Alert.png (634 KB, Anonymous, 05/26/2016 10:15 AM); Alert.png (656 KB, Anonymous, 05/26/2016 12:03 PM)