IDMEF Analyzer Zoom » History » Version 6

Anonymous, 06/09/2015 12:00 PM

h1. IDMEF Analyzer Zoom

[[IDMEFDiag#Whole-Diagram| Whole Diagram]]

[[IDMEF Alert Zoom|Alert]]
* [[IDMEF Time Zoom|Time]]
* *Analyzer*
** [[IDMEF Node Zoom|Node/Address]]
** [[IDMEF Process Zoom|Process]]
* [[IDMEF Target/Source Zoom|Source/Target]]
** [[IDMEF Node Zoom|Node/Address]]
** [[IDMEF Process Zoom|Process]]
** [[IDMEF User Zoom|User/UserId]]
** [[IDMEF Service Zoom|Service]]
** [[IDMEF File Zoom|File]]
* [[IDMEF Assessment Zoom|Assessment]]
* [[IDMEF Classification Zoom|Classification]]
* [[IDMEF AdditionalData Zoom|Additional Data]]

----

!/attachments/download/64/Analyzer%20Zoom.svg!

----

h2. The Analyzer Class

The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates.  Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated.  Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the "relay" analyzers along the path from the originating analyzer to the manager that ultimately receives the alert.

h4. The Analyzer class is composed of three aggregate classes:

* Node

> Zero or one.  Information about the host or device on which the analyzer resides (network address, network name, etc.).

* Process

> Zero or one.  Information about the process in which the analyzer is executing.

* Analyzer

> Zero or one.  Information about the analyzer from which the message may have gone through.  The idea behind this mechanism is that when a manager receives an alert and wants to forward it to another analyzer, it needs to substitute the original analyzer

h4. The Analyzer class has eight attributes:

* analyzerid

> Optional (but see below).  A unique identifier for the analyzer.

> This attribute is only "partially" optional.  If the analyzer makes use of the "ident" attributes on other classes to provide unique identifiers for those objects, then it MUST also provide a valid "analyzerid" attribute.  This requirement is dictated by the uniqueness requirements of the "ident" attribute (they are unique only within the context of a particular "analyzerid").  If the analyzer does not make use of the "ident" attributes, however, it may also omit the "analyzerid" attribute.

* name

> Optional.  An explicit name for the analyzer that may be easier to understand than the analyzerid.

* manufacturer

> Optional.  The manufacturer of the analyzer software and/or hardware.

* model

> Optional.  The model name/number of the analyzer software and/or hardware.

* version

> Optional.  The version number of the analyzer software and/or hardware.

* class

> Optional.  The class of analyzer software and/or hardware.

* ostype

> Optional.  Operating system name.  On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command.

* osversion

> Optional.  Operating system version.  On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command.

The "manufacturer", "model", "version", and "class" attributes' contents are vendor-specific, but may be used together to identify different types of analyzers (and perhaps make determinations about the contents to expect in other vendor-specific fields of IDMEF messages).
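As an added example (not part of this wiki page or of any IDMEF implementation), the following Python walks the nested Analyzer chain described under the aggregate classes above and checks the "partially optional" analyzerid rule from the attribute list. The two IDMEF messages are constructed samples; the only external fact assumed is the IDMEF XML namespace from RFC 4765.

```python
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"          # IDMEF XML namespace (RFC 4765)
NS = {"idmef": IDMEF_NS}
ANALYZER_ATTRS = ("analyzerid", "name", "manufacturer", "model", "version",
                  "class", "ostype", "osversion")   # the eight attributes above

# Constructed sample (not a real alert): a manager relayed the alert, so the
# outer Analyzer is the relay and the originating sensor is nested inside it.
RELAYED_ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
 <idmef:Alert messageid="m-1">
  <idmef:Analyzer analyzerid="relay-01" name="manager-relay" ostype="Linux" osversion="5.10">
   <idmef:Node ident="n1"><idmef:name>relay.example.test</idmef:name></idmef:Node>
   <idmef:Analyzer analyzerid="sensor-07" manufacturer="ExampleCorp" model="NIDS" version="2.1" class="nids">
    <idmef:Node ident="n2"><idmef:name>sensor7.example.test</idmef:name></idmef:Node>
   </idmef:Analyzer>
  </idmef:Analyzer>
 </idmef:Alert>
</idmef:IDMEF-Message>"""

# Constructed sample that breaks the rule: Node carries "ident" but the
# originating Analyzer omits "analyzerid".
BAD_ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
 <idmef:Alert messageid="m-2">
  <idmef:Analyzer name="unnamed-sensor">
   <idmef:Node ident="n3"><idmef:name>host.example.test</idmef:name></idmef:Node>
  </idmef:Analyzer>
 </idmef:Alert>
</idmef:IDMEF-Message>"""

def analyzer_chain(message_xml):
    """Walk nested Analyzer elements; index 0 is the outermost (last relay),
    the final entry is the analyzer where the message originated."""
    root = ET.fromstring(message_xml)
    node = root.find("idmef:Alert/idmef:Analyzer", NS)
    if node is None:                      # Heartbeat messages carry Analyzer too
        node = root.find("idmef:Heartbeat/idmef:Analyzer", NS)
    chain = []
    while node is not None:
        chain.append({k: v for k, v in node.attrib.items() if k in ANALYZER_ATTRS})
        node = node.find("idmef:Analyzer", NS)
    return chain

def analyzerid_rule_holds(message_xml):
    """'ident' values are unique only within an analyzerid, so a message that
    uses 'ident' anywhere MUST name the originating analyzer's analyzerid."""
    chain = analyzer_chain(message_xml)
    uses_ident = any("ident" in el.attrib for el in ET.fromstring(message_xml).iter())
    return (not uses_ident) or (bool(chain) and "analyzerid" in chain[-1])
```

A manager that consumes relayed alerts can use `chain[-1]` as the key for de-duplicating "ident" values, since the text above scopes their uniqueness to the originating analyzerid.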