IDMEF Node Zoom¶

Whole Diagram

Alert

• Time
• Analyzer
  • Node/Address
  • Process
• Source/Target
  • Node/Address
  • Process
  • User/UserId
  • Service
  • File
• Assessment
• Classification
• Additional Data

---

---

The Node Class¶

The Node class is used to identify hosts and other network devices (routers, switches, etc.).

The Node class is composed of three aggregate classes :¶

• location

Zero or one. STRING. The location of the equipment.

• name

Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given.

• Address

Zero or more. The network or hardware address of the equipment. Unless a name (above) is provided, at least one address must be specified.

The Node class has two attributes:¶

• ident

Optional. A unique identifier for the node;

• category

Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown".

Rank	Keyword	Description
0	unknown	Domain unknown or not relevant
1	ads	Windows 2000 Advanced Directory Services
2	afs	Andrew File System (Transarc)
3	coda	Coda Distributed File System
4	dfs	Distributed File System (IBM)
5	dns	Domain Name System
6	hosts	Local hosts file
7	kerberos	Kerberos realm
8	nds	Novell Directory Services
9	nis	Network Information Services (Sun)
10	nisplus	Network Information Services Plus (Sun)
11	nt	Windows NT domain
12	wfw	Windows for Workgroups

The Address Class¶

The Address class is used to represent network, hardware, and application addresses.

The Address class is composed of two aggregate classes:¶

• address

Exactly one. STRING. The address information. The format of this data is governed by the category attribute.

• netmask

Zero or one. STRING. The network mask for the address, if appropriate.

The Address class has four attributes:¶

• ident

Optional. A unique identifier for the address.

• category

Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown".

Rank	Keyword	Description
0	unknown	Address type unknown
1	atm	Asynchronous Transfer Mode network address
2	e-mail	Electronic mail address (RFC 2822 [12])
3	lotus-notes	Lotus Notes e-mail address
4	mac	Media Access Control (MAC) address
5	sna	IBM Shared Network Architecture (SNA) address
6	vm	IBM VM ("PROFS") e-mail address
7	ipv4-addr	IPv4 host address in dotted-decimal notation (a.b.c.d)
8	ipv4-addr-hex	IPv4 host address in hexadecimal notation
9	ipv4-net	IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
10	ipv4-net-mask	IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
11	ipv6-addr	IPv6 host address
12	ipv6-addr-hex	IPv6 host address in hexadecimal notation
13	ipv6-net	IPv6 network address, slash, significant bits
14	ipv6-net-mask	IPv6 network address, slash, network mask

• vlan-name

Optional. The name of the Virtual LAN to which the address belongs.

• vlan-num

Optional. The number of the Virtual LAN to which the address belongs.