IODEF format


Incident Object Description Exchange Format is described in IETF RFC 5070 :
Just like IDMEF, IODEF is an open standard. It is still undergoing modifications, as MILE project tries to write a new version of the RFC, which you can find here on this wiki.
Since MILE is still writing drafts and hasn't published any official correction for the RFC, we will only focus here on the first IODEF version.

Transport and encoding

If the RFC does not restrain the transport and encoding formats to only one, it is strongly suggested to use XML as an encoding format, since XML examples are provided using a DTD.

Format structure

IODEF is a well-structured object-oriented format. It consists of 47 classes for the first version. There is no inheritance in IODEF, contrary to IDMEF. However, the field structure is pretty much similar: both IODEF and IDMEF have fields used in conjunction with a category field. This particularity help them being much more complete than regular "flat" formats.

Format extensibility

In addition to the usual AdditionalData class, which provides a way to add whatever seems relevant to the IODEF message, most enumerations are provided with an "ext" field. This field is meant to be used when none of the choices available in the enumeration fits your needs.

General remarks

IOMEF UML diagrams

Zooms with explanations


Whole Diagram

IODEF.svg View (433 KB) Anonymous, 06/24/2015 03:42 PM