IDMEF Alert Zoom¶

Whole Diagram

Alert

• Time
• Analyzer
  • Node/Address
  • Process
• Source/Target
  • Node/Address
  • Process
  • User/UserId
  • Service
  • File
• Assessment
• Classification
• Additional Data

---

---

The Alert Class¶

Generally, every time an analyzer detects an event that it has been configured to look for, it sends an Alert message to its manager(s). Depending on the analyzer, an Alert message may correspond to a single detected event or multiple detected events. Alerts occur asynchronously in response to outside events.

The Alert class has one attribute:¶

• messageid

Optional. A unique identifier for the alert;

The ToolAlert Class¶

The ToolAlert class carries additional information related to the use of attack tools or malevolent programs such as Trojan horses and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool".

The ToolAlert class is composed of three aggregate classes :¶

• name

Exactly one. STRING. The reason for grouping the alerts together, for example, the name of a particular tool.

• command

Zero or one. STRING. The command or operation that the tool was asked to perform, for example, a BackOrifice ping.

• alertident

One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.

The CorrelationAlert Class¶

The CorrelationAlert class carries additional information related to the correlation of alert information. It is intended to group one or more previously-sent alerts together, to say "these alerts are all related".

The CorrelationAlert class is composed of two aggregate classes :¶

• name

Exactly one. STRING. The reason for grouping the alerts together, for example, a particular correlation method.

• alertident

One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.

The OverflowAlert Class¶

The OverflowAlert carries additional information related to buffer overflow attacks. It is intended to enable an analyzer to provide the details of the overflow attack itself.

The OverflowAlert class is composed of three aggregate classes :¶

• program

Exactly one. STRING. The program that the overflow attack attempted to run (NOTE: this is not the program that was attacked).

• size

Zero or one. INTEGER. The size, in bytes, of the overflow (i.e., the number of bytes the attacker sent).

• buffer

Zero or one. BYTE[]. Some or all of the overflow data itself (dependent on how much the analyzer can capture).