IODEF format
References
The Incident Object Description Exchange Format (IODEF) is described in IETF RFC 5070: http://tools.ietf.org/html/rfc5070
Just like IDMEF, IODEF is an open standard. It is still evolving: the IETF MILE working group is drafting a new version of the RFC, which is covered elsewhere on this wiki.
Since MILE is still at the draft stage and has not published any official revision of the RFC, this page covers only the first IODEF version.
Transport and encoding
The RFC does not restrict transport or encoding to a single format, but XML is the strongly suggested encoding, since the RFC's examples are given in XML and described by a DTD.
Format structure
IODEF is a well-structured, object-oriented format with 47 classes in its first version. Unlike IDMEF, it has no inheritance, but the field structure is very similar: in both formats, many fields are used in conjunction with a category field. This is what makes them far more expressive than plain "flat" formats.
Format extensibility
Besides the usual AdditionalData class, which allows anything deemed relevant to be attached to an IODEF message, most enumerations come with an "ext" field, to be used when none of the enumeration's predefined values fits your needs.
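As an added example (not from this wiki or the RFC), here is a constructed IODEF 1.0 document that exercises both mechanisms, together with the check a receiver should run before trusting them: an enumerated attribute set to `ext-value` must carry its `ext-` counterpart, and an `ext-` attribute is meaningless without it. Only Python's standard library is assumed; the incident values are made up.

```python
# Added example (not from the wiki page): a minimal IODEF 1.0 document showing
# the enumeration + "ext-" pattern and AdditionalData, plus a consistency check.
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"

# Constructed sample document: Impact uses the ext-value escape hatch,
# and an AdditionalData element carries a free-form string.
SAMPLE = f"""<IODEF-Document version="1.00" lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">2024-0042</IncidentID>
    <ReportTime>2024-05-01T10:15:00+00:00</ReportTime>
    <Assessment>
      <Impact type="ext-value" ext-type="ransomware" severity="high"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <AdditionalData dtype="string" meaning="ticket">HELP-1234</AdditionalData>
  </Incident>
</IODEF-Document>"""


def check_ext_usage(xml_text):
    """List misuses of the ext- mechanism.

    An attribute set to "ext-value" must be accompanied by a sibling
    "ext-<attr>" attribute, and "ext-<attr>" is meaningless unless
    "<attr>" is "ext-value".
    """
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # drop the namespace prefix
        for attr, value in elem.attrib.items():
            if value == "ext-value" and not elem.get("ext-" + attr):
                problems.append(f"{tag}@{attr}: ext-value without ext-{attr}")
            if attr.startswith("ext-") and elem.get(attr[4:]) != "ext-value":
                problems.append(f"{tag}@{attr}: set but {attr[4:]} is not ext-value")
    return problems


def summarize(xml_text):
    """Pull the fields a triage tool reads first, resolving ext-type."""
    ns = {"i": IODEF_NS}
    inc = ET.fromstring(xml_text).find("i:Incident", ns)
    impact = inc.find("i:Assessment/i:Impact", ns)
    itype = impact.get("ext-type") if impact.get("type") == "ext-value" else impact.get("type")
    return {"id": inc.find("i:IncidentID", ns).text, "purpose": inc.get("purpose"),
            "impact": itype,
            "extra": {ad.get("meaning"): ad.text for ad in inc.findall("i:AdditionalData", ns)}}
```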