IDMEF Node Zoom

Where the Node class sits in the IDMEF Alert tree:

- Alert
  - Time
  - Analyzer
    - Node/Address
    - Process
  - Source/Target
    - Node/Address
    - Process
    - User/UserId
    - Service
    - File
  - Assessment
  - Classification
  - Additional Data
The Node Class
The Node class is used to identify hosts and other network devices (routers, switches, etc.).
The Node class is composed of three aggregate classes:
- location
Zero or one. STRING. The location of the equipment.
- name
Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given.
- Address
Zero or more. The network or hardware address of the equipment. Unless a name (above) is provided, at least one address must be specified.
The Node class has two attributes:
- ident
Optional. A unique identifier for the node.
- category
Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown".
| Rank | Keyword  | Description                                   |
|------|----------|-----------------------------------------------|
| 0    | unknown  | Domain unknown or not relevant                |
| 1    | ads      | Windows 2000 Advanced Directory Services      |
| 2    | afs      | Andrew File System (Transarc)                 |
| 3    | coda     | Coda Distributed File System                  |
| 4    | dfs      | Distributed File System (IBM)                 |
| 5    | dns      | Domain Name System                            |
| 6    | hosts    | Local hosts file                              |
| 7    | kerberos | Kerberos realm                                |
| 8    | nds      | Novell Directory Services                     |
| 9    | nis      | Network Information Services (Sun)            |
| 10   | nisplus  | Network Information Services Plus (Sun)       |
| 11   | nt       | Windows NT domain                             |
| 12   | wfw      | Windows for Workgroups                        |
The Address Class
The Address class is used to represent network, hardware, and application addresses.
The Address class is composed of two aggregate classes:
- address
Exactly one. STRING. The address information. The format of this data is governed by the category attribute.
- netmask
Zero or one. STRING. The network mask for the address, if appropriate.
The Address class has four attributes:
- ident
Optional. A unique identifier for the address.
- category
Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown".
| Rank | Keyword       | Description                                                                                            |
|------|---------------|--------------------------------------------------------------------------------------------------------|
| 0    | unknown       | Address type unknown                                                                                   |
| 1    | atm           | Asynchronous Transfer Mode network address                                                             |
| 2    | e-mail        | Electronic mail address (RFC 2822)                                                                     |
| 3    | lotus-notes   | Lotus Notes e-mail address                                                                             |
| 4    | mac           | Media Access Control (MAC) address                                                                     |
| 5    | sna           | IBM Shared Network Architecture (SNA) address                                                          |
| 6    | vm            | IBM VM ("PROFS") e-mail address                                                                        |
| 7    | ipv4-addr     | IPv4 host address in dotted-decimal notation (a.b.c.d)                                                 |
| 8    | ipv4-addr-hex | IPv4 host address in hexadecimal notation                                                              |
| 9    | ipv4-net      | IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)                  |
| 10   | ipv4-net-mask | IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z) |
| 11   | ipv6-addr     | IPv6 host address                                                                                      |
| 12   | ipv6-addr-hex | IPv6 host address in hexadecimal notation                                                              |
| 13   | ipv6-net      | IPv6 network address, slash, significant bits                                                          |
| 14   | ipv6-net-mask | IPv6 network address, slash, network mask                                                              |
- vlan-name
Optional. The name of the Virtual LAN to which the address belongs.
- vlan-num
Optional. The number of the Virtual LAN to which the address belongs.
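A worked example of the Node and Address constraints above, added here as illustration; it is not Prelude or libidmef code, and the names `IdmefNode`, `IdmefAddress`, `validate_node`, `validate_address` and `node_to_xml` are my own. It enforces the name-or-at-least-one-Address rule, checks that the `address` string actually matches its `category` keyword for the IP, MAC and e-mail categories (the exact hex and e-mail syntaxes are assumptions, since the page does not define them), rejects a `netmask` on a non-IP category, and serialises a valid Node as IDMEF XML in the `http://iana.org/idmef` namespace. The sample node and addresses at the bottom are constructed for the example.

```python
from __future__ import annotations
import re
import string
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Permitted keywords, copied from the two category tables on this page.
NODE_CATEGORIES = {"unknown", "ads", "afs", "coda", "dfs", "dns", "hosts",
                   "kerberos", "nds", "nis", "nisplus", "nt", "wfw"}
ADDRESS_CATEGORIES = {"unknown", "atm", "e-mail", "lotus-notes", "mac", "sna", "vm",
                      "ipv4-addr", "ipv4-addr-hex", "ipv4-net", "ipv4-net-mask",
                      "ipv6-addr", "ipv6-addr-hex", "ipv6-net", "ipv6-net-mask"}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")  # assumption: colon/dash separated
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")                     # assumption: loose RFC 2822 shape

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)


@dataclass
class IdmefAddress:
    address: str                      # exactly one, STRING
    category: str = "unknown"         # default per the table
    netmask: str | None = None        # zero or one
    ident: str | None = None
    vlan_name: str | None = None
    vlan_num: int | None = None


@dataclass
class IdmefNode:
    name: str | None = None           # MUST be present if no Address is given
    location: str | None = None
    addresses: list[IdmefAddress] = field(default_factory=list)
    category: str = "unknown"
    ident: str | None = None


def _contiguous_mask(mask: str, version: int) -> bool:
    """True when mask is an IP address of the given version whose bits are all ones then all zeros."""
    try:
        m = ip_address(mask)
    except ValueError:
        return False
    return m.version == version and "01" not in format(int(m), f"0{m.max_prefixlen}b")


def validate_address(a: IdmefAddress) -> list[str]:
    """Return the list of constraint violations for one Address (empty list means valid)."""
    cat = a.category
    if cat not in ADDRESS_CATEGORIES:
        return [f"unknown Address category {cat!r}"]
    ok = bool(a.address)  # the address aggregate is mandatory
    try:
        if cat in ("ipv4-addr", "ipv6-addr"):
            ok = ok and ip_address(a.address).version == (4 if cat == "ipv4-addr" else 6)
        elif cat in ("ipv4-addr-hex", "ipv6-addr-hex"):
            # Assumption: optional 0x prefix, then exactly 8 (IPv4) or 32 (IPv6) hex digits.
            digits = a.address[2:] if a.address.lower().startswith("0x") else a.address
            want = 8 if cat == "ipv4-addr-hex" else 32
            ok = ok and len(digits) == want and all(c in string.hexdigits for c in digits)
        elif cat in ("ipv4-net", "ipv6-net"):
            base, _, plen = a.address.partition("/")
            net = ip_network(f"{base}/{int(plen)}", strict=False)   # int() rejects a dotted mask here
            ok = ok and net.version == (4 if cat == "ipv4-net" else 6)
        elif cat in ("ipv4-net-mask", "ipv6-net-mask"):
            base, _, mask = a.address.partition("/")
            ver = 4 if cat == "ipv4-net-mask" else 6
            ok = ok and ip_address(base).version == ver and _contiguous_mask(mask, ver)
        elif cat == "mac":
            ok = ok and bool(_MAC_RE.match(a.address))
        elif cat == "e-mail":
            ok = ok and bool(_EMAIL_RE.match(a.address))
        # atm, lotus-notes, sna, vm, unknown: no syntax is given on the page, any non-empty STRING passes
    except ValueError:
        ok = False
    errs = [] if ok else [f"address {a.address!r} does not match category {cat!r}"]
    if a.netmask is not None and not cat.startswith(("ipv4", "ipv6")):
        errs.append(f"netmask given for non-IP category {cat!r}")   # "if appropriate" read as IP-only
    return errs


def validate_node(node: IdmefNode) -> list[str]:
    """Return all violations for a Node, including those of its Addresses."""
    errs = []
    if node.category not in NODE_CATEGORIES:
        errs.append(f"unknown Node category {node.category!r}")
    if not node.name and not node.addresses:
        errs.append("Node needs a name or at least one Address")
    for i, a in enumerate(node.addresses):
        errs.extend(f"Address[{i}]: {e}" for e in validate_address(a))
    return errs


def node_to_xml(node: IdmefNode) -> str:
    """Serialise a valid Node as an IDMEF <Node> element; raise ValueError on violations."""
    errs = validate_node(node)
    if errs:
        raise ValueError("; ".join(errs))
    tag = lambda n: f"{{{IDMEF_NS}}}{n}"
    el = ET.Element(tag("Node"), category=node.category)
    if node.ident:
        el.set("ident", node.ident)
    if node.location:
        ET.SubElement(el, tag("location")).text = node.location
    if node.name:
        ET.SubElement(el, tag("name")).text = node.name
    for a in node.addresses:
        ael = ET.SubElement(el, tag("Address"), category=a.category)
        for attr, val in (("ident", a.ident), ("vlan-name", a.vlan_name), ("vlan-num", a.vlan_num)):
            if val is not None:
                ael.set(attr, str(val))
        ET.SubElement(ael, tag("address")).text = a.address
        if a.netmask:
            ET.SubElement(ael, tag("netmask")).text = a.netmask
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: a sensor host named via DNS with one IPv4 address on VLAN 10.
    sensor = IdmefNode(name="ids.example.org", category="dns", ident="node-1",
                       addresses=[IdmefAddress("192.0.2.10", "ipv4-addr", vlan_num=10)])
    print(node_to_xml(sensor))
    print(validate_node(IdmefNode()))                                  # no name, no Address
    print(validate_address(IdmefAddress("192.0.2.0/24", "ipv4-addr")))  # network string in a host category
```

The category check is the part worth keeping in a real pipeline: an analyzer that labels a CIDR as `ipv4-addr`, or a MAC as `unknown`, produces an alert that correlation rules keyed on host addresses will silently miss.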