IDMEF Classification Zoom
The Classification Class
The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is. This name is chosen by the alert provider.
The Classification class is composed of one aggregate class:
Zero or more. Information about the message, pointing to external documentation sites, that will provide background information about the alert.
The Classification class has two attributes:
Optional. A unique identifier for this classification.
Required. A vendor-provided string identifying the Alert message.
The Reference Class
The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is.
The Reference class is composed of two aggregate classes:
Exactly one. STRING. The name of the alert, from one of the origins listed below.
Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.
The Reference class has two attributes:
Required. The source from which the name of the alert originates. The permitted values for this attribute are shown below. The default value is "unknown".
| Rank | Keyword | Description |
|------|---------|-------------|
| 0 | unknown | Origin of the name is not known |
| 1 | vendor-specific | A vendor-specific name (and hence, URL); this can be used to provide product-specific information |
| 2 | user-specific | A user-specific name (and hence, URL); this can be used to provide installation-specific information |
| 3 | bugtraqid | The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid) |
| 4 | cve | The Common Vulnerabilities and Exposures (CVE) name (http://www.cve.mitre.org/) |
| 5 | osvdb | The Open Source Vulnerability Database (http://www.osvdb.org) |
Optional. The meaning of the reference, as understood by the alert provider. This field is only valid if the value of the <origin> attribute is set to "vendor-specific" or "user-specific".
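The constraints described above can be checked mechanically before a manager trusts an alert's classification. The following is an added example, not part of the original documentation: it assumes the IDMEF XML serialization of RFC 4765 (namespace `http://iana.org/idmef`, elements `Classification`, `Reference`, `name`, `url`, attributes `text`, `origin`, `meaning`), and the sample alert fragment and the function name `check_classification` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: element/attribute names and namespace follow RFC 4765.
NS = {"idmef": "http://iana.org/idmef"}
ORIGINS = {"unknown", "vendor-specific", "user-specific",
           "bugtraqid", "cve", "osvdb"}
MEANING_OK = {"vendor-specific", "user-specific"}

# Constructed sample; identifiers and URLs are placeholders.
# The second Reference breaks two rules: 'meaning' with a
# non-vendor/user origin, and a missing <url>.
SAMPLE = """<idmef:Classification xmlns:idmef="http://iana.org/idmef"
    ident="c-001" text="Example overflow attempt">
  <idmef:Reference origin="cve">
    <idmef:name>CVE-0000-0000</idmef:name>
    <idmef:url>https://example.org/advisories/placeholder</idmef:url>
  </idmef:Reference>
  <idmef:Reference origin="bugtraqid" meaning="exploit">
    <idmef:name>0000</idmef:name>
  </idmef:Reference>
</idmef:Classification>"""


def check_classification(xml_text):
    """Return a list of constraint violations (empty list means valid)."""
    # For alerts received from untrusted analyzers, a hardened parser
    # such as defusedxml is preferable to the stdlib one used here.
    root = ET.fromstring(xml_text)
    errors = []
    if not root.get("text"):
        errors.append("Classification: required attribute 'text' is missing")
    for i, ref in enumerate(root.findall("idmef:Reference", NS)):
        origin = ref.get("origin", "unknown")  # default value is "unknown"
        if origin not in ORIGINS:
            errors.append(f"Reference[{i}]: origin '{origin}' is not permitted")
        if ref.get("meaning") is not None and origin not in MEANING_OK:
            errors.append(
                f"Reference[{i}]: 'meaning' is not valid with origin '{origin}'")
        for child in ("name", "url"):
            count = len(ref.findall(f"idmef:{child}", NS))
            if count != 1:
                errors.append(
                    f"Reference[{i}]: expected exactly one <{child}>, found {count}")
    return errors


if __name__ == "__main__":
    for problem in check_classification(SAMPLE):
        print(problem)
```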