IDMEF Classification Zoom

The Classification Class

The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is. This name is chosen by the alert provider.

The Classification class is composed of one aggregate class:

  • Reference

Zero or more. Information about the message, pointing to external documentation sites, that will provide background information about the alert.

The Classification class has two attributes:

  • ident

Optional. A unique identifier for this classification.

  • text

Required. A vendor-provided string identifying the Alert message.

The Reference Class

The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is.

The Reference class is composed of two aggregate classes:

  • name

Exactly one. STRING. The name of the alert, from one of the origins listed below.

  • url

Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.

The Reference class has two attributes:

  • origin

Required. The source from which the name of the alert originates. The permitted values for this attribute are shown below. The default value is "unknown".

Rank  Keyword          Description
----  ---------------  --------------------------------------------------------------
0     unknown          Origin of the name is not known
1     vendor-specific  A vendor-specific name (and hence, URL); this can be used to provide product-specific information
2     user-specific    A user-specific name (and hence, URL); this can be used to provide installation-specific information
3     bugtraqid        The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid)
4     cve              The Common Vulnerabilities and Exposures (CVE) name (http://www.cve.mitre.org/)
5     osvdb            The Open Source Vulnerability Database (http://www.osvdb.org)

  • meaning

Optional. The meaning of the reference, as understood by the alert provider. This field is only valid if the value of the <origin> attribute is set to "vendor-specific" or "user-specific".
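The rules above (Classification.text required, each Reference carrying exactly one name and one url, origin restricted to the six listed keywords, and meaning only valid for "vendor-specific" or "user-specific" origins) are what a manager should check before trusting a sensor's Classification. The following Python is an added example, not code from the Prelude project or from this page; it parses a constructed IDMEF alert (the RFC 4765 namespace http://iana.org/idmef is real, the CVE names and URLs are placeholders) and reports every violation of those rules.

```python
"""Parse and validate the IDMEF Classification/Reference classes (RFC 4765).

Added example; not part of the Prelude wiki page. The sample alert below is
constructed for this example and uses placeholder CVE names and URLs.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

IDMEF_NS = "http://iana.org/idmef"  # namespace defined by RFC 4765
NS = {"idmef": IDMEF_NS}

# Permitted values of the Reference "origin" attribute, in rank order.
ORIGINS = ("unknown", "vendor-specific", "user-specific", "bugtraqid", "cve", "osvdb")
# The "meaning" attribute is only valid for these origins.
MEANING_ORIGINS = {"vendor-specific", "user-specific"}

# Constructed sample message: two well-formed references and one that carries
# a "meaning" attribute with a "cve" origin, which the class definition forbids.
SAMPLE_ALERT = """<?xml version="1.0"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="example-1">
    <idmef:Classification ident="cls-1" text="Example vendor rule hit">
      <idmef:Reference origin="cve">
        <idmef:name>CVE-YYYY-NNNN</idmef:name>
        <idmef:url>https://cve.example/CVE-YYYY-NNNN</idmef:url>
      </idmef:Reference>
      <idmef:Reference origin="vendor-specific" meaning="internal signature id">
        <idmef:name>SIG-0001</idmef:name>
        <idmef:url>https://vendor.example/sig/SIG-0001</idmef:url>
      </idmef:Reference>
      <idmef:Reference origin="cve" meaning="not allowed for cve origin">
        <idmef:name>CVE-YYYY-MMMM</idmef:name>
        <idmef:url>ftp://cve.example/CVE-YYYY-MMMM</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def parse_classification(xml_text):
    """Return the first Classification of an IDMEF message as a dict."""
    root = ET.fromstring(xml_text)
    cls = root.find(".//idmef:Classification", NS)
    if cls is None:
        raise ValueError("message carries no Classification element")
    text = cls.get("text")
    if text is None:
        raise ValueError("Classification.text is required")
    refs = []
    for ref in cls.findall("idmef:Reference", NS):
        refs.append({
            # The default origin is "unknown" when the attribute is absent.
            "origin": ref.get("origin", "unknown"),
            "meaning": ref.get("meaning"),
            "name": ref.findtext("idmef:name", namespaces=NS),
            "url": ref.findtext("idmef:url", namespaces=NS),
        })
    return {"ident": cls.get("ident"), "text": text, "references": refs}


def validate_references(refs):
    """Return a list of human-readable problems; empty means all rules hold."""
    problems = []
    for i, r in enumerate(refs):
        if r["origin"] not in ORIGINS:
            problems.append(f"reference {i}: origin {r['origin']!r} is not a permitted keyword")
        if r["name"] is None or r["url"] is None:
            problems.append(f"reference {i}: name and url are both required (exactly one each)")
        if r["meaning"] is not None and r["origin"] not in MEANING_ORIGINS:
            problems.append(f"reference {i}: meaning is only valid for vendor-specific or user-specific origin")
        # Extra manager-side check (assumption, not from the page): only accept
        # web URLs, so an operator link never points at an unexpected scheme.
        if r["url"] is not None and urlsplit(r["url"]).scheme not in ("http", "https"):
            problems.append(f"reference {i}: url scheme is not http(s)")
    return problems


if __name__ == "__main__":
    classification = parse_classification(SAMPLE_ALERT)
    print("alert name:", classification["text"])
    for problem in validate_references(classification["references"]):
        print("problem:", problem)
```

The manager only displays the url to the operator; it is never fetched automatically, since the sensor that produced the alert controls its content.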

Attachments:

  • Classification Zoom.svg - IDMEF UML Diagram Alert Zoom (27 KB), Vérène Houdebine, 05/07/2015 11:21 AM
  • Classification Zoom.svg - IDMEF UML Diagram Classification Zoom (26.3 KB), Sélim Menouar, 06/04/2015 12:05 PM