h1. IDMEFV2

One of SECEF's projects was to build a new IDMEF structure, that referred to as IDMEF V2.

Here are listed the changes that we think could be insteresting to include in the V2.

All of these changes were discussed during meetings or on the forum.

h4. Issues

|_.Ident|_.Name|_.Issue|_.Solutions|

|[[Enumeration|1]]|[[Enumeration|Enumeration]]|Add the possibility of expanding the enumerations in IDMEF (like IODEFv2)|Add an option "other" in the enumeration and a field ext-, to extend it easily.|

|[[Classification category|2]]|[[classification category|Classification category]]|Put alerts in different (optionals) categories to simplify the work of people supervising.|Add a field "category" in the Classification Class (should be an [[Enumeration|enumeration]])|

|/2.[[Start time end time|3]]|/2.[[Start time end time|Event's duration]]|/2.Whereas many formats display a duration for the events, including IODEF, IDMEF doesn't have a way to indicate this information.|Add a Class StartTime and EndTime (like IODEF)|

|Add a field duration, and consider the detectTime as the beginning of the event|

|/2.[[Identify transport protocol|4]]|/2.[[Identify transport protocol|Transport Protocol]]|/2.Identify transport protocol (TCP, UDP, etc.) regardless of the applicative protocol|Add a field transport_protocol in Service Class|

|Specify the port in the format : TCP:53 or UDP:53|

|/2.[[Translated addresses and ports|5]]|/2.[[Translated addresses and ports|Translated addresses]]|/2.Handle translated addresses and ports|Add an option ipv4-addr-nat/ipv6-addr-nat in address.category|

|Add an enumeration translation in Address Class (no_translation/post_translation/pre_translation)|

|/2.[[Original log|6]]|/2.[[Original log|Original log]]|/2.Add the original log and the signature that triggered the alert in case of a log analysis sensor.|Add a field original_log to Alert|

|Add a Class Origin which contain the original_log in a field|

|[[Counters|7]]|[[Counters|Counter]]|Count occurrences of particular event repeated over a short period time.|Add a field (Integer) counter in Alert Class|

|[[Thread ID|8]] |[[Thread ID|TID]]| TID is not present in the IDMEF format|Add a field tid in the Process Class|

|[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|9]]|[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|Impact class]]|Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|Add the fields target_vulnerability and target_criticity in the Impact Class|

|/2.[[Remove OverflowAlerts|10]]|/2.[[Remove OverflowAlerts|OverflowAlerts]]|/2.OverflowAlerts are too specific to really have a meaning when they are the only type of alerts to have a class of their own.|Remove OverflowAlerts|

|Add more subclasses of Alert to each known Attack|

|[[host category|11]]|[[host category|Host category]]|Explain what category the host belongs to. (firewall, router, ...)|Add an [[Enumeration|enumeration]] category in Host Class|

|[[Location data|12]]|[[Location data|Location data]]|Add More explicit location data (latitude, longitude, country, city, etc.)|Replace the field location in Node by a normalised class.|

|[[Expand WebService class|13]]|[[Expand WebService class|WebService]]|Expand the WebService class (eg. Add ways to add parameters)|Add a class WebServiceParams to extend WebService|

|[[Expand Service class|14]]|[[Expand Service class|Service class]]|Add complementary information in the Service class by offering more sub-classes to choose from.|Add subclasses to Service class|