IDMEFV2 » History » Version 21

Anonymous, 02/12/2016 03:18 PM

h1. IDMEFV2

One of SECEF's projects was to build a new IDMEF structure, referred to as IDMEF V2.

Listed here are the changes that we think could be interesting to include in V2.

All of these changes were discussed during meetings or on the forum.

h4. Issues

|_.Ident|_.Name|_.Issue|_.Solutions|
|[[Enumeration|1]]|[[Enumeration|Enumeration]]|Add the possibility of extending the enumerations in IDMEF (as in IODEFv2).|Add an option "other" to the enumeration and a field ext-, so that it can be extended easily.|
|[[Classification category|2]]|[[classification category|Classification category]]|Put alerts in different (optional) categories to simplify the work of the people supervising them.|Add a field "category" in the Classification class (should be an [[Enumeration|enumeration]]).|
|/2.[[Start time end time|3]]|/2.[[Start time end time|Event's duration]]|/2.Whereas many formats, including IODEF, carry a duration for events, IDMEF has no way to express this information.|Add StartTime and EndTime classes (like IODEF).|
|Add a field duration, and consider DetectTime as the beginning of the event.|
|/2.[[Identify transport protocol|4]]|/2.[[Identify transport protocol|Transport Protocol]]|/2.Identify the transport protocol (TCP, UDP, etc.) independently of the application protocol.|Add a field transport_protocol in the Service class.|
|Specify the port in the format TCP:53 or UDP:53.|
|/2.[[Translated addresses and ports|5]]|/2.[[Translated addresses and ports|Translated addresses]]|/2.Handle translated (NAT) addresses and ports.|Add the options ipv4-addr-nat and ipv6-addr-nat to address.category.|
|Add an enumeration translation in the Address class (no_translation/post_translation/pre_translation).|
|/2.[[Original log|6]]|/2.[[Original log|Original log]]|/2.Add the original log and the signature that triggered the alert, for log-analysis sensors.|Add a field original_log to Alert.|
|Add a class Origin which contains the original_log in a field.|
|[[Counters|7]]|[[Counters|Counter]]|Count occurrences of a particular event repeated over a short period of time.|Add an Integer field counter in the Alert class.|
|[[Thread ID|8]]|[[Thread ID|TID]]|The TID is not present in the IDMEF format.|Add a field tid in the Process class.|
|[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|9]]|[[Specify the attack severity, the target supposed vulnerability, the target criticity and the final priority of the alert|Impact class]]|Specify the attack severity, the target's supposed vulnerability, the target's criticity and the final priority of the alert.|Add the fields target_vulnerability and target_criticity in the Impact class.|
|/2.[[Remove OverflowAlerts|10]]|/2.[[Remove OverflowAlerts|OverflowAlerts]]|/2.OverflowAlerts are too specific to have real meaning when they are the only type of alert with a class of their own.|Remove OverflowAlerts.|
|Add more subclasses of Alert, one for each known attack.|
|[[host category|11]]|[[host category|Host category]]|Explain what category the host belongs to (firewall, router, ...).|Add an [[Enumeration|enumeration]] category in the Host class.|
|[[Location data|12]]|[[Location data|Location data]]|Add more explicit location data (latitude, longitude, country, city, etc.).|Replace the field location in Node with a normalised class.|
|[[Expand WebService class|13]]|[[Expand WebService class|WebService]]|Expand the WebService class (e.g. add a way to carry parameters).|Add a class WebServiceParams to extend WebService.|
|[[Expand Service class|14]]|[[Expand Service class|Service class]]|Add complementary information to the Service class by offering more subclasses to choose from.|Add subclasses to the Service class.|
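The following is an added example, not code from the SECEF wiki or from any IDMEF implementation, showing how a consumer could validate three of the proposals above together: the extensible enumeration with an "other" value plus an ext- field (issue 1), the TCP:53 / UDP:53 port notation (issue 4), and the ipv4-addr-nat / ipv6-addr-nat address categories (issue 5). The class name Address, the field name ext_category, the set of accepted transport protocols and the sample values are assumptions made for the demonstration; the V2 schema does not fix them.

```python
"""Added example: validating IDMEF V2 proposals 1, 4 and 5 (hypothetical names)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Issue 5 proposes NAT variants in address.category; issue 1 proposes an
# "other" value plus an ext- field. This value set is an assumption for the demo.
ADDRESS_CATEGORIES = frozenset({
    "ipv4-addr", "ipv6-addr", "ipv4-addr-nat", "ipv6-addr-nat", "other",
})

# Transport protocols accepted in the "TCP:53" notation (issue 4); assumed set.
TRANSPORT_PROTOCOLS = frozenset({"tcp", "udp", "sctp"})


class IdmefValidationError(ValueError):
    """Raised when a field does not match the (assumed) V2 rules."""


@dataclass(frozen=True)
class Address:
    category: str
    address: str
    ext_category: Optional[str] = None  # hypothetical "ext-category" field


def validate_address(addr: Address) -> Address:
    """Accept a known category, or "other" together with a non-empty ext-category.

    "other" without an extension value is rejected so that an alert never
    carries an unnamed category; ext-category beside a known value is rejected
    so that a producer cannot put two categories into one field.
    """
    if addr.category not in ADDRESS_CATEGORIES:
        raise IdmefValidationError(f"unknown address.category {addr.category!r}")
    if addr.category == "other":
        if not addr.ext_category or not addr.ext_category.strip():
            raise IdmefValidationError('category "other" requires ext-category')
    elif addr.ext_category is not None:
        raise IdmefValidationError('ext-category is only allowed with category "other"')
    return addr


def parse_port(spec: str) -> Tuple[Optional[str], int]:
    """Parse "TCP:53" into ("tcp", 53); a bare "53" yields (None, 53).

    The transport prefix is normalised to lower case and must be a known
    protocol; the port must be a non-negative integer no larger than 65535.
    """
    proto: Optional[str] = None
    port_text = spec.strip()
    if ":" in port_text:
        proto_text, port_text = port_text.split(":", 1)
        proto = proto_text.strip().lower()
        if proto not in TRANSPORT_PROTOCOLS:
            raise IdmefValidationError(f"unknown transport protocol {proto_text!r}")
    port_text = port_text.strip()
    if not port_text.isdigit():
        raise IdmefValidationError(f"port is not numeric: {spec!r}")
    port = int(port_text)
    if port > 65535:
        raise IdmefValidationError(f"port out of range: {port}")
    return proto, port


if __name__ == "__main__":
    # Constructed sample values for the demonstration.
    print(validate_address(Address("ipv4-addr-nat", "203.0.113.10")))
    print(validate_address(Address("other", "vpn-peer-17", ext_category="vpn-id")))
    print(parse_port("TCP:53"), parse_port("udp:53"), parse_port("8080"))
```

The two checks are deliberately strict in both directions: a value the consumer does not know is an error rather than silently mapped to "other", and an out-of-range or non-numeric port is refused before it reaches storage or correlation logic.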