IDMEF TargetSource Zoom¶

Whole Diagram

Alert

• Time
• Analyzer
  • Node/Address
  • Process
• Source/Target
  • Node/Address
  • Process
  • User/UserId
  • Service
  • File
• Assessment
• Classification
• Additional Data

---

---

The Source Class¶

The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial-of-service attack).

The Source class is composed of four aggregate classes:¶

• Node

Zero or one. Information about the host or device that appears to be causing the events (network address, network name, etc.).

• User

Zero or one. Information about the user that appears to be causing the event(s).

• Process

Zero or one. Information about the process that appears to be causing the event(s).

• Service

Zero or one. Information about the network service involved in the event(s).

The Source class has three attributes:¶

• ident

Optional. A unique identifier for this source.

• spoofed

Optional. An indication of whether the source is, as far as the analyzer can determine, a spoofed address used for hiding the real origin of the attack. The permitted values for this attribute are shown below. The default value is "unknown".

Rank	Keyword	Description
0	unknown	Accuracy of source information unknown
1	yes	Source is believed to be a decoy
2	no	Source is believed to be "real"

• interface

Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this source was seen on.

The Target Class¶

The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep).

The Target class is composed of four aggregate classes:¶

• Node

Zero or one. Information about the host or device at which the event(s) (network address, network name, etc.) is being directed.

• User

Zero or one. Information about the user at which the event(s) is being directed.

• Process

Zero or one. Information about the process at which the event(s) is being directed.

• Service

Zero or one. Information about the network service involved in the event(s).

The Target class has three attributes:¶

• ident

Optional. A unique identifier for this target.

• decoy

Optional. An indication of whether the target is, as far as the analyzer can determine, a decoy. The permitted values for this attribute are shown below. The default value is "unknown".

Rank	Keyword	Description
Rank	Keyword	Description
0	unknown	Accuracy of target information unknown
1	yes	Target is believed to be a decoy
2	no	Target is believed to be "real"

• interface

Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this target was seen on.