One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.
Listed here are the changes that we think could be interesting to include in V2.
All of these changes were discussed during meetings or on the forum.
| # | Topic | Rationale | Proposed change |
|---|---|---|---|
| 1 | Enumeration | Allow the enumerations in IDMEF to be extended (as IODEFv2 does). | Add an "other" value to the enumeration and an ext- field to carry the extended value. |
| 2 | Classification category | Place alerts in (optional) categories to simplify the work of the people supervising them. | Add a field category (an enumeration) in the Classification class. |
| 3 | Event duration | Many formats, including IODEF, carry a duration for events; IDMEF has no way to express this information. | Either add StartTime and EndTime classes (as in IODEF), or add a field duration and treat DetectTime as the beginning of the event. |
| 4 | Transport protocol | Identify the transport protocol (TCP, UDP, etc.) independently of the application protocol. | Either add a field transport_protocol in the Service class, or specify the port in the form TCP:53 or UDP:53. |
| 5 | Translated addresses | Handle translated (NAT) addresses and ports. | Either add the values ipv4-addr-nat/ipv6-addr-nat to address.category, or add an enumeration translation in the Address class (no_translation/post_translation/pre_translation). |
| 6 | Original log | For a log-analysis sensor, carry the original log and the signature that triggered the alert. | Either add a field original_log to Alert, or add an Origin class that contains original_log as a field. |
| 7 | Counter | Count occurrences of a particular event repeated over a short period of time. | Add an integer field counter in the Alert class. |
| 8 | TID | The thread identifier (TID) is not present in the IDMEF format. | Add a field tid in the Process class. |
| 9 | Impact class | Express the attack severity, the target's presumed vulnerability, the target's criticality and the resulting priority of the alert. | Add the fields target_vulnerability and target_criticity in the Impact class. |
| 10 | OverflowAlert | OverflowAlert is too specific to be meaningful when it is the only type of alert with a class of its own. | Either remove OverflowAlert, or add a subclass of Alert for each known attack type. |
| 11 | Host category | State which category a host belongs to (firewall, router, ...). | Add an enumeration category in the Host class. |
| 12 | Location data | Carry more explicit location data (latitude, longitude, country, city, etc.). | Replace the field location in Node with a normalised class. |
| 13 | WebService | Expand the WebService class (e.g. add a way to attach parameters). | Add a class WebServiceParams to extend WebService. |
| 14 | Service class | Add complementary information in the Service class by offering more sub-classes to choose from. | Add subclasses to the Service class. |
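As an added illustration (not SECEF's or IDMEF's own code), the Python below sketches how a consumer could validate two of the proposals above: the extensible enumeration of #1 (with the NAT categories of #5 as enumeration values) and the TCP:53 port notation of #4, including the case where both the transport_protocol field and the port notation are present and disagree. All element, attribute and field names are assumptions drawn from the table, not a published V2 schema.

```python
import xml.etree.ElementTree as ET

# Constructed enumerations: *-nat values from proposal 5, "other" from proposal 1.
ADDRESS_CATEGORIES = {"ipv4-addr", "ipv6-addr", "ipv4-addr-nat", "ipv6-addr-nat", "other"}
TRANSPORTS = {"TCP", "UDP", "SCTP"}

def resolve_enum(value, ext_value, allowed):
    """Effective value of an extensible enumeration: known values pass through,
    "other" must carry an ext- value (which becomes the result), else reject."""
    if value == "other":
        if not ext_value:
            raise ValueError('"other" requires an ext- value')
        return ext_value
    if value not in allowed:
        raise ValueError(f"unknown enumeration value {value!r}")
    return value

def parse_port(text):
    """Accept plain "53" or the proposed "TCP:53"; return (transport or None, port)."""
    transport, sep, number = text.strip().rpartition(":")
    transport = transport.upper() if sep else None
    if transport is not None and transport not in TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}")
    port = int(number)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return transport, port

def summarize(xml_text):
    """Read the target address category and service of one alert, reconciling
    the two ways proposal 4 allows the transport to be stated."""
    root = ET.fromstring(xml_text)
    addr = root.find("Target/Node/Address")
    category = resolve_enum(addr.get("category"), addr.get("ext-category"), ADDRESS_CATEGORIES)
    svc = root.find("Target/Service")
    transport, port = parse_port(svc.findtext("port"))
    explicit = svc.get("transport_protocol")  # field form of proposal 4
    if explicit and transport and explicit.upper() != transport:
        raise ValueError("transport_protocol contradicts the port notation")
    return {"address_category": category,
            "transport": explicit.upper() if explicit else transport,
            "port": port}

# Constructed IDMEF-like alert; element and attribute names are assumptions.
SAMPLE_ALERT = """<Alert><Target>
  <Node><Address category="ipv4-addr-nat"><address>10.0.0.5</address></Address></Node>
  <Service><port>UDP:53</port></Service>
</Target></Alert>"""

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERT))
```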