IDMEF TargetSource Zoom
The Source Class
The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial-of-service attack).
The Source class is composed of four aggregate classes:
- Node
Zero or one. Information about the host or device that appears to be causing the events (network address, network name, etc.).
- User
Zero or one. Information about the user that appears to be causing the event(s).
- Process
Zero or one. Information about the process that appears to be causing the event(s).
- Service
Zero or one. Information about the network service involved in the event(s).
The Source class has three attributes:
- ident
Optional. A unique identifier for this source.
- spoofed
Optional. An indication of whether the source is, as far as the analyzer can determine, a spoofed address used for hiding the real origin of the attack. The permitted values for this attribute are shown below. The default value is "unknown".
| Rank | Keyword | Description |
|------|---------|-------------|
| 0 | unknown | Accuracy of source information unknown |
| 1 | yes | Source is believed to be a decoy |
| 2 | no | Source is believed to be "real" |
- interface
Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this source was seen on.
The Target Class
The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep).
The Target class is composed of four aggregate classes:
- Node
Zero or one. Information about the host or device (network address, network name, etc.) at which the event(s) is being directed.
- User
Zero or one. Information about the user at which the event(s) is being directed.
- Process
Zero or one. Information about the process at which the event(s) is being directed.
- Service
Zero or one. Information about the network service involved in the event(s).
The Target class has three attributes:
- ident
Optional. A unique identifier for this target.
- decoy
Optional. An indication of whether the target is, as far as the analyzer can determine, a decoy. The permitted values for this attribute are shown below. The default value is "unknown".
| Rank | Keyword | Description |
|------|---------|-------------|
| 0 | unknown | Accuracy of target information unknown |
| 1 | yes | Target is believed to be a decoy |
| 2 | no | Target is believed to be "real" |
- interface
Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this target was seen on.
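The following is an added example, not part of the IDMEF specification or any IDMEF implementation: it builds a constructed Source/Target fragment in the IDMEF XML namespace and checks the two rules stated above for both classes, that `spoofed` and `decoy` carry only the permitted keywords (defaulting to "unknown") and that each aggregate class appears at most once. The sample addresses, names and identifiers are made up for illustration.

```python
# Added example (not from the IDMEF specification): build and check the
# Source/Target portion of an IDMEF alert using the standard library only.
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"   # IDMEF XML namespace
ET.register_namespace("idmef", NS)

# Permitted keywords, in rank order, from the spoofed/decoy tables above.
SPOOFED_VALUES = ("unknown", "yes", "no")   # Source.spoofed
DECOY_VALUES = ("unknown", "yes", "no")     # Target.decoy
AGGREGATES = ("Node", "User", "Process", "Service")   # each "zero or one"

# Constructed sample: one source flagged as spoofed, one real target.
SAMPLE = f"""<idmef:Alert xmlns:idmef="{NS}" messageid="alert-1">
  <idmef:Source ident="src-1" spoofed="yes" interface="eth0">
    <idmef:Node><idmef:Address category="ipv4-addr">
      <idmef:address>192.0.2.7</idmef:address></idmef:Address></idmef:Node>
  </idmef:Source>
  <idmef:Target ident="tgt-1" decoy="no">
    <idmef:Node><idmef:name>db-host.example.test</idmef:name></idmef:Node>
    <idmef:Service><idmef:port>5432</idmef:port></idmef:Service>
  </idmef:Target>
</idmef:Alert>"""

def check_endpoint(elem, attr, allowed):
    """Return a list of problems for one Source or Target element."""
    problems = []
    value = elem.get(attr, "unknown")   # attribute is optional; default "unknown"
    if value not in allowed:
        problems.append(f"{attr}={value!r} not in {allowed}")
    for agg in AGGREGATES:
        n = len(elem.findall(f"{{{NS}}}{agg}"))
        if n > 1:   # cardinality is zero or one per aggregate class
            problems.append(f"{agg} appears {n} times (max 1)")
    return problems

def check_alert(xml_text):
    """Map each Source/Target ident to its list of problems (empty = OK)."""
    root = ET.fromstring(xml_text)
    report = {}
    for src in root.findall(f"{{{NS}}}Source"):
        report[src.get("ident", "?")] = check_endpoint(src, "spoofed", SPOOFED_VALUES)
    for tgt in root.findall(f"{{{NS}}}Target"):
        report[tgt.get("ident", "?")] = check_endpoint(tgt, "decoy", DECOY_VALUES)
    return report
```

A consumer such as a correlation engine can run `check_alert` on incoming messages before trusting the `spoofed` and `decoy` flags, since an out-of-range keyword or a duplicated Node is a sign of a malformed or non-conforming analyzer.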