IDMEFV2 » History » Version 20

Anonymous, 02/11/2016 11:33 AM

h1. IDMEFV2

One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.

Listed here are the changes that we think would be interesting to include in V2.

All of these changes were discussed during meetings or on the forum.

h4. Issues

|_.Ident|_.Name|_.Issue|_.Solutions|
|[[Enumeration|1]]|[[Enumeration|Enumeration]]|Add the possibility of extending the enumerations in IDMEF (like IODEFv2).|Add an option "other" to each enumeration and an ext- field, so that it can be extended easily.|
|[[Classification category|2]]|[[classification category|Classification category]]|Put alerts in different (optional) categories to simplify the work of the people supervising them.|Add a field "category" in the Classification class (should be an [[Enumeration|enumeration]]).|
|/2.[[Start time end time|3]]|/2.[[Start time end time|Event's duration]]|/2.Whereas many formats, including IODEF, carry a duration for events, IDMEF has no way to indicate this information.|Add StartTime and EndTime classes (like IODEF).|
|Add a field duration, and consider detectTime as the beginning of the event.|
|/2.[[Identify transport protocol|4]]|/2.[[Identify transport protocol|Transport protocol]]|/2.Identify the transport protocol (TCP, UDP, etc.) regardless of the application protocol.|Add a field transport_protocol in the Service class.|
|Specify the port in the format TCP:53 or UDP:53.|
|/2.[[Translated addresses and ports|5]]|/2.[[Translated addresses and ports|Translated addresses]]|/2.Handle translated addresses and ports.|Add the options ipv4-addr-nat/ipv6-addr-nat in address.category.|
|Add an enumeration translation in the Address class (no_translation/post_translation/pre_translation).|
|/2.[[Original log|6]]|/2.[[Original log|Original log]]|/2.Add the original log and the signature that triggered the alert, in the case of a log analysis sensor.|Add a field original_log to Alert.|
|Add a class Origin which contains the original_log in a field.|
|[[Counters|7]]|[[Counters|Counter]]|Count occurrences of a particular event repeated over a short period of time.|Add an integer field counter in the Alert class.|
|[[Thread ID|8]]|[[Thread ID|TID]]|The TID is not present in the IDMEF format.|Add a field tid in the Process class.|
|[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|9]]|[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|Impact class]]|Specify the attack severity, the target's supposed vulnerability, the target's criticity and the final priority of the alert.|Add the fields target_vulnerability and target_criticity in the Impact class.|
|/2.[[Remove OverflowAlerts|10]]|/2.[[Remove OverflowAlerts|OverflowAlerts]]|/2.OverflowAlerts are too specific to really have a meaning when they are the only type of alert with a class of their own.|Remove OverflowAlerts.|
|Add more subclasses of Alert, one for each known attack.|
|[[host category|11]]|[[host category|Host category]]|Specify which category the host belongs to (firewall, router, ...).|Add an [[Enumeration|enumeration]] category in the Host class.|
|[[Location data|12]]|[[Location data|Location data]]|Add more explicit location data (latitude, longitude, country, city, etc.).|Replace the field location in Node by a normalised class.|
|[[Expand WebService class|13]]|[[Expand WebService class|WebService]]|Expand the WebService class (e.g. add ways to attach parameters).|Add a class WebServiceParams to extend WebService.|
|[[Expand Service class|14]]|[[Expand Service class|Service class]]|Add complementary information in the Service class by offering more subclasses to choose from.|Add subclasses to the Service class.|
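As an added illustration of issues 1, 4 and 5 above (example code written for this page, not the SECEF project's own code), the following validator implements the extensible-enumeration rule of issue 1 ("other" plus an ext- field), parses the TCP:53 / UDP:53 port notation of issue 4 and checks the two issue-5 proposals against each other. The Service and Address dataclasses, the ext_transport_protocol field name, the string port field and the sample values are assumptions made for the example.

```python
"""Added example, not part of the SECEF/IDMEFv2 wiki or project: a small
validator for the extensible-enumeration pattern of issue 1 ("other" value plus
an ext- field), applied to transport_protocol and the TCP:53 port notation of
issue 4 and to the address translation proposals of issue 5. The dataclass
names and the ext_transport_protocol field name are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Enumeration values as listed in the Solutions table of this page, plus the
# "other" escape hatch proposed in issue 1.
TRANSPORT_PROTOCOLS = frozenset({
    "ATP", "CUDP", "DCCP", "FCP", "IL", "MPTCP", "RDP", "RUDP", "SCTP",
    "SPX", "SST", "TCP", "UDP", "UDP Lite", "µTP", "other",
})
TRANSLATIONS = frozenset({"no_translation", "pre_translation", "post_translation"})


def check_extensible_enum(name: str, value: str, allowed: frozenset,
                          ext_value: Optional[str]) -> List[str]:
    """Issue 1 rule: value must be one of the allowed values, and the ext-
    field must be filled exactly when value is "other"."""
    errors = []
    if value not in allowed:
        errors.append(f"{name}: {value!r} is not an allowed value")
    elif value == "other" and not ext_value:
        errors.append(f"{name}: 'other' requires ext-{name} to be set")
    elif value != "other" and ext_value:
        errors.append(f"{name}: ext-{name} is set but value is not 'other'")
    return errors


def parse_port(spec: str) -> Tuple[Optional[str], int]:
    """Issue 4, second proposal: 'TCP:53' -> ('TCP', 53). A bare port number
    (current IDMEF behaviour) is accepted and returns transport None."""
    proto, sep, port = spec.partition(":")
    if not sep:
        proto, port = None, spec
    if not port.isdigit() or not 0 <= int(port) <= 65535:
        raise ValueError(f"bad port in {spec!r}")
    return proto, int(port)


@dataclass
class Service:
    port: str                                     # "TCP:53", "UDP:53" or "53"
    transport_protocol: str = "TCP"               # proposed Service field
    ext_transport_protocol: Optional[str] = None  # assumed name of the ext- field


@dataclass
class Address:
    address: str
    category: str = "ipv4-addr"                   # or ipv4-addr-nat / ipv6-addr-nat
    translation: str = "no_translation"           # proposed Address enumeration


def validate_service(svc: Service) -> List[str]:
    """Check the enumeration and make sure the two issue-4 proposals agree
    when both are carried in the same message."""
    errors = check_extensible_enum("transport_protocol", svc.transport_protocol,
                                   TRANSPORT_PROTOCOLS, svc.ext_transport_protocol)
    try:
        proto, _ = parse_port(svc.port)
    except ValueError as exc:
        return errors + [str(exc)]
    # With "other", the ext- field carries the protocol name actually meant.
    effective = (svc.ext_transport_protocol if svc.transport_protocol == "other"
                 else svc.transport_protocol)
    if proto is not None and proto != effective:
        errors.append(f"port {svc.port!r} contradicts transport_protocol {effective!r}")
    return errors


def validate_address(addr: Address) -> List[str]:
    """Check the translation enumeration and make sure a -nat category is not
    paired with no_translation (the two issue-5 proposals must agree)."""
    errors = []
    if addr.translation not in TRANSLATIONS:
        errors.append(f"translation: {addr.translation!r} is not an allowed value")
    if addr.category.endswith("-nat") and addr.translation == "no_translation":
        errors.append(f"category {addr.category!r} marks a NAT address "
                      "but translation is no_translation")
    return errors


if __name__ == "__main__":
    # Constructed sample values: a DNS service and a post-NAT address.
    print(validate_service(Service("UDP:53", "UDP")))
    print(validate_service(Service("QUIC:443", "other", "QUIC")))
    print(validate_address(Address("192.0.2.10", "ipv4-addr-nat", "post_translation")))
```

The two consistency checks are the practical point: if both proposals for an issue are adopted, a receiver has to decide which one wins when they disagree, so it is cheaper to reject the message at the manager than to let the contradiction reach correlation rules.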
h4. Solutions

Cells highlighted in red are the fields or classes to be removed; all other entries are to be added.

|_.Evolution|_.Impacted Class|_.Proposed Field|_.Type|
|/2.[[Start time end time|Indicate a start time and an end time, or a duration, for an event such as a worm propagation or a scan]]|StartTime|Date|Date|
|EndTime|Date|Date|
|[[Identify transport protocol|Identify the transport protocol (TCP, UDP, etc.) regardless of the application protocol]]|Service|transport_protocol|ATP, CUDP, DCCP, FCP, IL, MPTCP, RDP, RUDP, SCTP, SPX, SST, TCP, UDP, UDP Lite, µTP|
|[[Translated addresses and ports|Handle translated addresses and ports]]|Address|translation|no_translation, pre_translation, post_translation|
|[[Original log|Add original log attachment]]|Alert|original_log|String|
|[[Counters|Occurrence counter of aggregated events]]|Alert|event_number|Integer|
|[[Counters|Occurrence counter of aggregated alerts in correlation alerts]]|CorrelationAlert|alert_number|Integer|
|[[Thread ID|Add Thread ID]]|Process|TID|Integer|
|/2.[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert]]|/2.Impact|target_vulnerability|Enum|
|target_criticity|Enum|
|[[Remove OverflowAlerts]]|\3{background:#e99b9b}.OverflowAlerts|
|[[host category|Specify host category]]|Node|category|Rethink the enumeration|
|/6.[[Location data|Add more explicit location data (latitude, longitude, country, city, etc.)]]|/5.Node->Location|latitude|Float|
|longitude|Float|
|city|String|
|country|String|
|state|String|
|{background:#e99b9b}.Node|\2{background:#e99b9b}.Location|
|/4.[[Expand WebService class]]|/2.WebService->WebServiceHeaderParams|parameter|host, referer, user-agent, server, cookie, http-method, other|
|value|String|
|/2.WebService->WebServiceParams|parameter|String|
|value|String|
|/16.[[Expand Service class|Add subclasses to Service class]]|/4.Service->LDAPService|url|String|
|operation|start_tls, bind, search, compare, add, delete, modify, modify_dn, abandon, extended-operation, unbind, other|
|ext-operation|String|
|dn|String|
|/2.LDAPService->LDAPServiceParams|parameter|scope, filter, deref_aliases, attribute, sizelimit, timelimit, sizeonly, ext-type|
|ext-type|String|
|/4.Service->SIPService|uri|String|
|request|INVITE, ACK, BYE, CANCEL, OPTIONS, REGISTER, PRACK, SUBSCRIBE, NOTIFY, PUBLISH, INFO, REFER, MESSAGE, UPDATE, other|
|ext-request|String|
|response|Integer|
|/2.SIPService->HeaderSIPService|parameter|Enum|
|value|String|
|/4.Service->SMTPService|messageid|String|
|user-agent|String|
|subject|String|
|references|String|
|[[classification category|Specify classification category]]|Classification|category|(authentication, ...)|
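The StartTime/EndTime and event_number proposals in the table above imply an aggregation step somewhere between the sensor and the manager: repeated identical events are folded into one alert that records when the run began, when it ended and how many events it covers. The following added example (written for this page, not part of the SECEF/IDMEFv2 project) shows such a step over constructed events; the 60-second window, the grouping key (classification, source, target), the dataclass names and the sample timestamps and addresses are all assumptions.

```python
"""Added example, not SECEF project code: fold repeated events into one alert
carrying the proposed StartTime/EndTime (issue 3) and event_number (issue 7)
fields. Window length, grouping key and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    detect_time: datetime          # existing IDMEF DetectTime
    source: str
    target: str
    classification: str


@dataclass
class AggregatedAlert:
    classification: str
    source: str
    target: str
    start_time: datetime           # proposed StartTime: first occurrence
    end_time: datetime             # proposed EndTime: last occurrence
    event_number: int              # proposed counter of aggregated events

    def duration(self) -> timedelta:
        """The 'duration' alternative from issue 3, derived from the two times."""
        return self.end_time - self.start_time


def aggregate(events: List[Event],
              window: timedelta = timedelta(seconds=60)) -> List[AggregatedAlert]:
    """Merge events sharing (classification, source, target) whose detect_time
    is within `window` of the running alert's end_time; otherwise open a new
    alert. Events are processed in time order so EndTime only moves forward."""
    alerts: List[AggregatedAlert] = []
    open_alerts: Dict[Tuple[str, str, str], int] = {}   # key -> index in alerts
    for ev in sorted(events, key=lambda e: e.detect_time):
        key = (ev.classification, ev.source, ev.target)
        idx = open_alerts.get(key)
        if idx is not None and ev.detect_time - alerts[idx].end_time <= window:
            alerts[idx].end_time = ev.detect_time
            alerts[idx].event_number += 1
        else:
            alerts.append(AggregatedAlert(ev.classification, ev.source, ev.target,
                                          ev.detect_time, ev.detect_time, 1))
            open_alerts[key] = len(alerts) - 1
    return alerts


def sample_events() -> List[Event]:
    """Constructed sample: five failed logins from one host within 40 seconds,
    a sixth one ten minutes later (outside the window), and an unrelated scan."""
    t0 = datetime(2016, 2, 11, 11, 33, 0)
    evs = [Event(t0 + timedelta(seconds=10 * i), "192.0.2.10", "198.51.100.5",
                 "Failed login") for i in range(5)]
    evs.append(Event(t0 + timedelta(minutes=10), "192.0.2.10", "198.51.100.5",
                     "Failed login"))
    evs.append(Event(t0 + timedelta(seconds=5), "192.0.2.77", "198.51.100.5",
                     "Port scan"))
    return evs


if __name__ == "__main__":
    for alert in aggregate(sample_events()):
        print(f"{alert.classification}: {alert.event_number} event(s) from "
              f"{alert.source} over {alert.duration()} starting {alert.start_time}")
```

Keeping both StartTime and EndTime rather than only a duration makes the counter auditable: a consumer can check that event_number events really fit between the two timestamps, which a single duration field attached to DetectTime does not allow.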