LibPrelude IDMEF path¶

Here will be listed all the fields available in LibPrelude with their respective paths.

Alert¶

• alert.messageid STRINGSTRING

  Optional. A unique identifier for the alert;

• alert.tool_alert.name STRINGSTRING

  Exactly one. STRING. The reason for grouping the alerts together, for example, the name of a particular tool.

• alert.tool_alert.command STRINGSTRING

  Zero or one. STRING. The command or operation that the tool was asked to perform, for example, a BackOrifice ping.

• alert.tool_alert.alertident.alertident STRINGSTRING

  One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.

• alert.tool_alert.alertident.analyzerid STRING

• alert.correlation_alert.name STRINGSTRING

  Exactly one. STRING. The reason for grouping the alerts together, for example, a particular correlation method.

• alert.correlation_alert.alertident.alertident STRINGSTRING

  One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.

• alert.correlation_alert.alertident.analyzerid STRING

• alert.overflow_alert.program STRINGSTRING

  Exactly one. STRING. The program that the overflow attack attempted to run (NOTE: this is not the program that was attacked).

• alert.overflow_alert.size INTINT

  Zero or one. INTEGER. The size, in bytes, of the overflow (i.e., the number of bytes the attacker sent).

• alert.overflow_alert.buffer DATADATA

  Zero or one. BYTE[]. Some or all of the overflow data itself (dependent on how much the analyzer can capture).

Time¶

• alert.analyzer_time TIMETIME

  The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message "on the wire".

• alert.create_time TIMETIME

  In LibPrelude, this attribute is set automatically.

  The CreateTime class is used to indicate the date and time the alert or heartbeat was created by the analyzer.

• alert.detect_time TIMETIME

  The DetectTime class is used to indicate the date and time that the event(s) producing an alert was detected by the analyzer. In the case of more than one event, it is the time that the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection).

Analyzer¶

• alert.analyzer().analyzerid STRINGSTRING

  In LibPrelude, this attribute is set automatically.

  Optional (but see below). A unique identifier for the analyzer

  This attribute is only "partially" optional. If the analyzer makes use of the "ident" attributes on other classes to provide unique identifiers for those objects, then it MUST also provide a valid "analyzerid" attribute. This requirement is dictated by the uniqueness requirements of the "ident" attribute (they are unique only within the context of a particular "analyzerid"). If the analyzer does not make use of the "ident" attributes, however, it may also omit the "analyzerid" attribute.

• alert.analyzer().name STRINGSTRING

  Optional. An explicit name for the analyzer that may be easier to understand than the analyzerid.

• alert.analyzer().manufacturer STRINGSTRING

  Optional. The manufacturer of the analyzer software and/or hardware.

• alert.analyzer().model STRINGSTRING

  Optional. The model name/number of the analyzer software and/or hardware.

• alert.analyzer().version STRINGSTRING

  Optional. The version number of the analyzer software and/or hardware.

• alert.analyzer().class STRINGSTRING

  Optional. The class of analyzer software and/or hardware.

• alert.analyzer().ostype STRINGSTRING

  In LibPrelude, this attribute is set automatically.

  Optional. Operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command.

• alert.analyzer().osversion STRINGSTRING

  In LibPrelude, this attribute is set automatically.

  Optional. Operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command.

Node/Address¶

• alert.analyzer().node.ident STRINGSTRING

  Optional. A unique identifier for the node;

• alert.analyzer().node.category ENUMENUM

  Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Domain unknown or not relevant
  1	ads	Windows 2000 Advanced Directory Services
  2	afs	Andrew File System (Transarc)
  3	coda	Coda Distributed File System
  4	dfs	Distributed File System (IBM)
  5	dns	Domain Name System
  6	hosts	Local hosts file
  7	kerberos	Kerberos realm
  8	nds	Novell Directory Services
  9	nis	Network Information Services (Sun)
  10	nisplus	Network Information Services Plus (Sun)
  11	nt	Windows NT domain
  12	wfw	Windows for Workgroups

• alert.analyzer().node.location STRINGSTRING

  Zero or one. STRING. The location of the equipment.

• alert.analyzer().node.name STRINGSTRING

  Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given.

• alert.analyzer().node.address().ident STRINGSTRING

  Optional. A unique identifier for the address.

• alert.analyzer().node.address().category ENUMENUM

  Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Address type unknown
  1	atm	Asynchronous Transfer Mode network address
  2	e-mail	Electronic mail address (RFC 2822 [12])
  3	lotus-notes	Lotus Notes e-mail address
  4	mac	Media Access Control (MAC) address
  5	sna	IBM Shared Network Architecture (SNA) address
  6	vm	IBM VM ("PROFS") e-mail address
  7	ipv4-addr	IPv4 host address in dotted-decimal notation (a.b.c.d)
  8	ipv4-addr-hex	IPv4 host address in hexadecimal notation
  9	ipv4-net	IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
  10	ipv4-net-mask	IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
  11	ipv6-addr	IPv6 host address
  12	ipv6-addr-hex	IPv6 host address in hexadecimal notation
  13	ipv6-net	IPv6 network address, slash, significant bits
  14	ipv6-net-mask	IPv6 network address, slash, network mask

• alert.analyzer().node.address().vlan_name STRINGSTRING

  Optional. The name of the Virtual LAN to which the address belongs.

• alert.analyzer().node.address().vlan_num INTINT

  Optional. The number of the Virtual LAN to which the address belongs.

• alert.analyzer().node.address().address STRINGSTRING

  Exactly one. STRING. The address information. The format of this data is governed by the category attribute.

• alert.analyzer().node.address().netmask STRINGSTRING

  Zero or one. STRING. The network mask for the address, if appropriate.

Process¶

• alert.analyzer().process.ident STRINGSTRING

  Optional. A unique identifier for the process.

• alert.analyzer().process.name STRINGSTRING

  Exactly one. STRING. The name of the program being executed. This is a short name; path and argument information are provided elsewhere.

• alert.analyzer().process.pid INTINT

  Zero or one. INTEGER. The process identifier of the process.

• alert.analyzer().process.path STRINGSTRING

  Zero or one. STRING. The full path of the program being executed.

• alert.analyzer().process.arg STRINGSTRING

  Zero or more. STRING. A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.

• alert.analyzer().process.env STRINGSTRING

  Zero or more. STRING. An environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env.

Source¶

• alert.source().ident STRINGSTRING

  Optional. A unique identifier for this source.

• alert.source().spoofed ENUM)ENUM)

  Optional. An indication of whether the source is, as far as the analyzer can determine, a spoofed address used for hiding the real origin of the attack. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Accuracy of source information unknown
  1	yes	Source is believed to be a decoy
  2	no	Source is believed to be "real"

• alert.source().interface STRINGSTRING

  Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this source was seen on.

Node/Address¶

• alert.source().node.ident STRINGSTRING

  Optional. A unique identifier for the node;

• alert.source().node.category ENUMENUM

  Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Domain unknown or not relevant
  1	ads	Windows 2000 Advanced Directory Services
  2	afs	Andrew File System (Transarc)
  3	coda	Coda Distributed File System
  4	dfs	Distributed File System (IBM)
  5	dns	Domain Name System
  6	hosts	Local hosts file
  7	kerberos	Kerberos realm
  8	nds	Novell Directory Services
  9	nis	Network Information Services (Sun)
  10	nisplus	Network Information Services Plus (Sun)
  11	nt	Windows NT domain
  12	wfw	Windows for Workgroups

• alert.source().node.location STRINGSTRING

  Zero or one. STRING. The location of the equipment.

• alert.source().node.name STRINGSTRING

  Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given.

• alert.source().node.address().ident STRINGSTRING

  Optional. A unique identifier for the address.

• alert.source().node.address().category ENUMENUM

  Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Address type unknown
  1	atm	Asynchronous Transfer Mode network address
  2	e-mail	Electronic mail address (RFC 2822 [12])
  3	lotus-notes	Lotus Notes e-mail address
  4	mac	Media Access Control (MAC) address
  5	sna	IBM Shared Network Architecture (SNA) address
  6	vm	IBM VM ("PROFS") e-mail address
  7	ipv4-addr	IPv4 host address in dotted-decimal notation (a.b.c.d)
  8	ipv4-addr-hex	IPv4 host address in hexadecimal notation
  9	ipv4-net	IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
  10	ipv4-net-mask	IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
  11	ipv6-addr	IPv6 host address
  12	ipv6-addr-hex	IPv6 host address in hexadecimal notation
  13	ipv6-net	IPv6 network address, slash, significant bits
  14	ipv6-net-mask	IPv6 network address, slash, network mask

• alert.source().node.address().vlan_name STRINGSTRING

  Optional. The name of the Virtual LAN to which the address belongs.

• alert.source().node.address().vlan_num INTINT

  Optional. The number of the Virtual LAN to which the address belongs.

• alert.source().node.address().address STRINGSTRING

  Exactly one. STRING. The address information. The format of this data is governed by the category attribute.

• alert.source().node.address().netmask STRINGSTRING

  Zero or one. STRING. The network mask for the address, if appropriate.

Process¶

• alert.source().process.ident STRINGSTRING

  Optional. A unique identifier for the process.

• alert.source().process.name STRINGSTRING

  Exactly one. STRING. The name of the program being executed. This is a short name; path and argument information are provided elsewhere.

• alert.source().process.pid INTINT

  Zero or one. INTEGER. The process identifier of the process.

• alert.source().process.path STRINGSTRING

  Zero or one. STRING. The full path of the program being executed.

• alert.source().process.arg STRINGSTRING

  Zero or more. STRING. A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.

• alert.source().process.env STRINGSTRING

  Zero or more. STRING. An environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env.

User/UserId¶

• alert.source().user.ident STRINGSTRING

  Optional. A unique identifier for the user.

• alert.source().user.category ENUMENUM

  Optional. The type of user represented. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	User type unknown
  1	application	An application user
  2	os-device	An operating system or device user

• alert.source().user.user_id().ident STRINGSTRING

  Optional. A unique identifier for the user id, see Section 3.2.9.

• alert.source().user.user_id().type ENUMENUM

  Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user".

  Rank	Keyword	Description
  0	current-user	The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general.
  1	original-user	The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used.
  2	target-user	The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su", "rlogin", "telnet", etc.
  3	user-privs	Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges.
  4	current-group	The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id, in general.
  5	group-privs	Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list".
  6	other-privs	Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions.

• alert.source().user.user_id().tty STRINGSTRING

  Optional. STRING. The tty the user is using.

• alert.source().user.user_id().name STRINGSTRING

  Zero or one. STRING. A user or group name.

• alert.source().user.user_id().number INTINT

  Zero or one. INTEGER. A user or group number.

Service¶

• alert.source().service.ident STRINGSTRING

  Optional. A unique identifier for the service.

• alert.source().service.ip_version INTINT

  Optional. INTEGER. The IP version number.

• alert.source().service.iana_protocol_number INTINT

  Optional. INTEGER. The IANA protocol number.

• alert.source().service.iana_protocol_name STRINGSTRING

  Optional. STRING. The IANA protocol name.

• alert.source().service.name STRINGSTRING

  Zero or one. STRING. The name of the service. Whenever possible, the name from the IANA list of well-known ports SHOULD be used.

• alert.source().service.port INTINT

  Zero or one. INTEGER. The port number being used.

• alert.source().service.portlist STRINGSTRING

  Zero or one. PORTLIST. A list of port numbers being used. If a portlist is given, the iana_protocol_number and iana_protocol_name MUST apply to all the elements of the list.

• alert.source().service.protocol STRINGSTRING

  Zero or one. STRING. Additional information about the protocol being used. The intent of the protocol field is to carry additional information related to the protocol being used when the <Service> attributes iana_protocol_number or/and iana_protocol_name are filed.

• alert.source().service.web_service.url STRINGSTRING

  Exactly one. STRING. The URL in the request.

• alert.source().service.web_service.cgi STRINGSTRING

  Zero or one. STRING. The CGI script in the request, without arguments.

• alert.source().service.web_service.http_method STRINGSTRING

  Zero or one. STRING. The HTTP method (PUT, GET) used in the request.

• alert.source().service.web_service.arg STRINGSTRING

  Zero or more. STRING. The arguments to the CGI script.

• alert.source().service.snmp_service.oid STRINGSTRING

  Zero or one. STRING. The object identifier in the request.

• alert.source().service.snmp_service.message_processing_model INTINT

  Zero or one. INTEGER. The SNMP version, typically 0 for SNMPv1, 1 for SNMPv2c, 2 for SNMPv2u and SNMPv2*, and 3 for SNMPv3; see RFC 3411 [15] Section 5 for appropriate values.

• alert.source().service.snmp_service.security_model STRINGSTRING

  Zero or one. INTEGER. The identification of the security model in use, typically 0 for any, 1 for SNMPv1, 2 for SNMPv2c, and 3 for USM; see RFC 3411 [15] Section 5 for appropriate values.

• alert.source().service.snmp_service.security_name STRINGSTRING

  Zero or one. STRING. The object's security name; see RFC 3411 [15] Section 3.2.2.

• alert.source().service.snmp_service.security_level INTINT

  Zero or one. INTEGER. The security level of the SNMP request; see RFC 3411 [15] Section 3.4.3.

• alert.source().service.snmp_service.context_name STRINGSTRING

  Zero or one. STRING. The object's context name; see RFC 3411 [15] Section 3.3.3.

• alert.source().service.snmp_service.context_engine_id STRINGSTRING

  Zero or one. STRING. The object's context engine identifier; see RFC 3411 [15] Section 3.3.2.

• alert.source().service.snmp_service.command STRINGSTRING

  Zero or one. STRING. The command sent to the SNMP server (GET, SET, etc.).

• alert.source().service.snmp_service.community STRINGSTRING

  Only in LibPrelude

Target¶

• alert.target().ident STRINGSTRING

  Optional. A unique identifier for this target.

• alert.target().decoy ENUMENUM

  Optional. An indication of whether the target is, as far as the analyzer can determine, a decoy. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  Rank	Keyword	Description
  0	unknown	Accuracy of target information unknown
  1	yes	Target is believed to be a decoy
  2	no	Target is believed to be "real"

• alert.target().interface STRINGSTRING

  Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this target was seen on.

Node/Address¶

• alert.target().node.ident STRINGSTRING

  Optional. A unique identifier for the node;

• alert.target().node.category ENUM)ENUM)

  Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Domain unknown or not relevant
  1	ads	Windows 2000 Advanced Directory Services
  2	afs	Andrew File System (Transarc)
  3	coda	Coda Distributed File System
  4	dfs	Distributed File System (IBM)
  5	dns	Domain Name System
  6	hosts	Local hosts file
  7	kerberos	Kerberos realm
  8	nds	Novell Directory Services
  9	nis	Network Information Services (Sun)
  10	nisplus	Network Information Services Plus (Sun)
  11	nt	Windows NT domain
  12	wfw	Windows for Workgroups

• alert.target().node.location STRINGSTRING

  Zero or one. STRING. The location of the equipment.

• alert.target().node.name STRINGSTRING

  Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given.

• alert.target().node.address().ident STRINGSTRING

  Optional. A unique identifier for the address.

• alert.target().node.address().category ENUMENUM

  Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Address type unknown
  1	atm	Asynchronous Transfer Mode network address
  2	e-mail	Electronic mail address (RFC 2822 [12])
  3	lotus-notes	Lotus Notes e-mail address
  4	mac	Media Access Control (MAC) address
  5	sna	IBM Shared Network Architecture (SNA) address
  6	vm	IBM VM ("PROFS") e-mail address
  7	ipv4-addr	IPv4 host address in dotted-decimal notation (a.b.c.d)
  8	ipv4-addr-hex	IPv4 host address in hexadecimal notation
  9	ipv4-net	IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
  10	ipv4-net-mask	IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
  11	ipv6-addr	IPv6 host address
  12	ipv6-addr-hex	IPv6 host address in hexadecimal notation
  13	ipv6-net	IPv6 network address, slash, significant bits
  14	ipv6-net-mask	IPv6 network address, slash, network mask

• alert.target().node.address().vlan_name STRINGSTRING

  Optional. The name of the Virtual LAN to which the address belongs.

• alert.target().node.address().vlan_num INTINT

  Optional. The number of the Virtual LAN to which the address belongs.

• alert.target().node.address().address STRINGSTRING

  Exactly one. STRING. The address information. The format of this data is governed by the category attribute.

• alert.target().node.address().netmask STRINGSTRING

  Zero or one. STRING. The network mask for the address, if appropriate.

Process¶

• alert.target().process.ident STRINGSTRING

  Optional. A unique identifier for the process.

• alert.target().process.name STRINGSTRING

  Exactly one. STRING. The name of the program being executed. This is a short name; path and argument information are provided elsewhere.

• alert.target().process.pid INTINT

  Zero or one. INTEGER. The process identifier of the process.

• alert.target().process.path STRINGSTRING

  Zero or one. STRING. The full path of the program being executed.

• alert.target().process.arg STRINGSTRING

  Zero or more. STRING. A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.

• alert.target().process.env STRINGSTRING

  Zero or more. STRING. An environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env.

User/UserId¶

• alert.target().user.ident STRINGSTRING

  Optional. A unique identifier for the user.

• alert.target().user.category ENUMENUM

  Optional. The type of user represented. The permitted values for this attribute are shown below. The default value is "unknown".

• alert.target().user.user_id().ident STRINGSTRING

  Optional. A unique identifier for the user id, see Section 3.2.9.

• alert.target().user.user_id().type ENUMENUM

  Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user".

  Rank	Keyword	Description
  0	current-user	The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general.
  1	original-user	The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used.
  2	target-user	The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su", "rlogin", "telnet", etc.
  3	user-privs	Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges.
  4	current-group	The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id, in general.
  5	group-privs	Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list".
  6	other-privs	Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions.

• alert.target().user.user_id().tty STRINGSTRING

  Optional. STRING. The tty the user is using.

• alert.target().user.user_id().name STRINGSTRING

  Zero or one. STRING. A user or group name.

• alert.target().user.user_id().number INTINT

  Zero or one. INTEGER. A user or group number.

Service¶

• alert.target().service.ident STRINGSTRING

  Optional. A unique identifier for the service.

• alert.target().service.ip_version INTINT

  Optional. INTEGER. The IP version number.

• alert.target().service.iana_protocol_number STRINGSTRING

  Optional. INTEGER. The IANA protocol number.

• alert.target().service.iana_protocol_name INTINT

  Optional. STRING. The IANA protocol name.

• alert.target().service.name STRINGSTRING

  Zero or one. STRING. The name of the service. Whenever possible, the name from the IANA list of well-known ports SHOULD be used.

• alert.target().service.port INTINT

  Zero or one. INTEGER. The port number being used.

• alert.target().service.portlist STRINGSTRING

  Zero or one. PORTLIST. A list of port numbers being used. If a portlist is given, the iana_protocol_number and iana_protocol_name MUST apply to all the elements of the list.

• alert.target().service.protocol STRINGSTRING

  Zero or one. STRING. Additional information about the protocol being used. The intent of the protocol field is to carry additional information related to the protocol being used when the <Service> attributes iana_protocol_number or/and iana_protocol_name are filed.

• alert.target().service.web_service.url STRINGSTRING

  Exactly one. STRING. The URL in the request.

• alert.target().service.web_service.cgi STRINGSTRING

  Zero or one. STRING. The CGI script in the request, without arguments.

• alert.target().service.web_service.http_method STRINGSTRING

  Zero or one. STRING. The HTTP method (PUT, GET) used in the request.

• alert.target().service.web_service.arg STRINGSTRING

  Zero or more. STRING. The arguments to the CGI script.

• alert.target().service.snmp_service.oid STRINGSTRING

  Zero or one. STRING. The object identifier in the request.

• alert.target().service.snmp_service.message_processing_model INTINT

  Zero or one. INTEGER. The SNMP version, typically 0 for SNMPv1, 1 for SNMPv2c, 2 for SNMPv2u and SNMPv2*, and 3 for SNMPv3; see RFC 3411 [15] Section 5 for appropriate values.

• alert.target().service.snmp_service.security_model STRINGSTRING

  Zero or one. INTEGER. The identification of the security model in use, typically 0 for any, 1 for SNMPv1, 2 for SNMPv2c, and 3 for USM; see RFC 3411 [15] Section 5 for appropriate values.

• alert.target().service.snmp_service.security_name STRINGSTRING

  Zero or one. STRING. The object's context name; see RFC 3411 [15] Section 3.3.3.

• alert.target().service.snmp_service.security_level INTINT

  Zero or one. INTEGER. The security level of the SNMP request; see RFC 3411 [15] Section 3.4.3.

• alert.target().service.snmp_service.context_name STRINGSTRING

  Zero or one. STRING. The object's context name; see RFC 3411 [15] Section 3.3.3.

• alert.target().service.snmp_service.context_engine_id STRINGSTRING

  Zero or one. STRING. The object's context engine identifier; see RFC 3411 [15] Section 3.3.2.

• alert.target().service.snmp_service.command STRINGSTRING

  Zero or one. STRING. The command sent to the SNMP server (GET, SET, etc.).

• alert.target().service.snmp_service.community STRINGSTRING

  Only in LibPrelude

File¶

• alert.target().file().ident STRINGSTRING

  Optional. A unique identifier for this file.

• alert.target().file().name STRINGSTRING

  Exactly one. STRING. The name of the file to which the alert applies, not including the path to the file.

• alert.target().file().path STRINGSTRING

  Exactly one. STRING. The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.

  For Windows systems, the path should be specified using the Universal Naming Convention (UNC) for remote files, and using a drive letter for local files (e.g., "C:\boot.ini"). For Unix systems, paths on network file systems should use the name of the mounted resource instead of the local mount point (e.g., "fileserver:/usr/local/bin/foo"). The mount point can be provided using the <Linkage> element.

• alert.target().file().create_time TIMETIME

  Zero or one. DATETIME. Time the file was created. Note that this is not the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.

• alert.target().file().modify_time TIMETIME

  Zero or one. DATETIME. Time the file was last modified.

• alert.target().file().access_time TIMETIME

  Zero or one. DATETIME. Time the file was last accessed.

• alert.target().file().data_size INTINT

  Zero or one. INTEGER. The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).

• alert.target().file().disk_size INTINT

  Zero or one. INTEGER. The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).

• alert.target().file().file_access().permissionENUMENUM

  One or more. ENUM. Level of access allowed. The permitted values are shown below. There is no default value.

  Rank	Keyword	Description
  0	noAccess	No access at all is allowed for this user
  1	read	This user has read access to the file
  2	write	This user has write access to the file
  3	execute	This user has the ability to execute the file
  4	search	This user has the ability to search this file (applies to "execute" permission on directories in Unix)
  5	delete	This user has the ability to delete this file
  6	executeAs	This user has the ability to execute this file as another user
  7	changePermissions	This user has the ability to change the access permissions on this file
  8	takeOwnership	This user has the ability to take ownership of this file

• alert.target().file().file_access().user_id().ident STRINGSTRING

  Optional. A unique identifier for the user.

• alert.target().file().file_access().user_id().type ENUMENUM

  Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user".

  Rank	Keyword	Description
  0	current-user	The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general.
  1	original-user	The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used.
  2	target-user	The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su", "rlogin", "telnet", etc.
  3	user-privs	Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges.
  4	current-group	The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id, in general.
  5	group-privs	Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list".
  6	other-privs	Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions.

• alert.target().file().file_access().user_id().tty STRINGSTRING

  Optional. STRING. The tty the user is using.

• alert.target().file().file_access().user_id().name STRINGSTRING

  Zero or one. STRING. A user or group name.

• alert.target().file().file_access().user_id().number INTINT

  Zero or one. INTEGER. A user or group number.

• alert.target().file().linkage().category ENUMENUM

  The type of object that the link describes. The permitted values are shown below. There is no default value.

  Rank	Keyword	Description
  0	hard-link	The <name> element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others.
  1	mount-point	An alias for the directory specified by the parent's <name> and <path> elements.
  2	reparse-point	Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points.
  3	shortcut	The file represented by a Windows "shortcut". A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager.
  4	stream	An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main <File>.
  5	symbolic-link	The <name> element represents the file to which the link points.

• alert.target().file().linkage().name STRINGSTRING

  Exactly one. STRING. The name of the file system object, not including the path.

• alert.target().file().linkage().path STRINGSTRING

  Exactly one. STRING. The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.

• alert.target().file().linkage().file... _FILE__FILE_

  Exactly one. A <File> element may be used in place of the <name> and <path> elements if additional information about the file is to be included.

  You can use a path like alert.target().file().linkage().file.linkage().file 5 times.

• alert.target().file().inode.change_time _TIME__TIME_

  Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat".

• alert.target().file().inode.number INTINT

  Zero or one. INTEGER. The inode number.

• alert.target().file().inode.major_device INTINT

  Zero or one. INTEGER. The major device number of the device the file resides on.

• alert.target().file().inode.minor_device INTINT

  Zero or one. INTEGER. The minor device number of the device the file resides on.

• alert.target().file().inode.c_major_device INTINT

  Zero or one. INTEGER. The major device of the file itself, if it is a character special device.

• alert.target().file().inode.c_minor_device INTINT

  Zero or one. INTEGER. The minor device of the file itself, if it is a character special device.

• alert.target().file().checksum.value STRINGSTRING

  Exactly one. STRING. The value of the checksum.

• alert.target().file().checksum.key STRINGSTRING

  Zero or one. STRING. The key to the checksum, if appropriate.

• alert.target().file().checksum.algorithm ENUMENUM

  The cryptographic algorithm used for the computation of the checksum. The permitted values are shown below. There is no default value.

  Rank	Keyword	Description
  0	MD4	The MD4 algorithm.
  1	MD5	The MD5 algorithm.
  2	SHA1	The SHA1 algorithm.
  3	SHA2-256	The SHA2 algorithm with 256 bits length.
  4	SHA2-384	The SHA2 algorithm with 384 bits length.
  5	SHA2-512	The SHA2 algorithm with 512 bits length.
  6	CRC-32	The CRC algorithm with 32 bits length.
  7	Haval	The Haval algorithm.
  8	Tiger	The Tiger algorithm.
  9	Gost	The Gost algorithm.

• alert.target().file().category ENUMENUM

  Required. The context for the information being provided. The permitted values are shown below. There is no default value.

  Rank	Keyword	Description
  0	current	The file information is from after the reported
  1	original	The file information is from before the reported change

• alert.target().file().fstype ENUMENUM

  Optional. The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.

  Rank	Keyword	Description
  0	ufs	Berkeley Unix Fast File System
  1	efs	Linux "efs" file system
  2	nfs	Network File System
  3	afs	Andrew File System
  4	ntfs	Windows NT File System
  5	fat16	16-bit Windows FAT File System
  6	fat32	32-bit Windows FAT File System
  7	pcfs	"PC" (MS-DOS) file system on CD-ROM
  8	joliet	Joliet CD-ROM file system
  9	iso9660	ISO 9660 CD-ROM file system

• alert.target().file().file_type STRINGSTRING

  Optional. The type of file, as a mime-type.

Assessment¶

• alert.assessment.impact.severity ENUMENUM

  An estimate of the relative severity of the event. The permitted values are shown below. There is no default value.

  Rank	Keyword	Description
  0	info	Alert represents informational activity
  1	low	Low severity
  2	medium	Medium severity
  3	high	High severity

• alert.assessment.impact.completion ENUMENUM

  An indication of whether the analyzer believes the attempt that the event describes was successful or not. The permitted values are shown below. There is no default value.

  Rank	Keyword	Description
  0	failed	The attempt was not successful
  1	succeeded	The attempt succeeded

• alert.assessment.impact.type ENUMENUM

  The type of attempt represented by this event, in relatively broad categories. The permitted values are shown below. The default value is "other".

  Rank	Keyword	Description
  0	admin	Administrative privileges were attempted or obtained
  1	dos	A denial of service was attempted or completed
  2	file	An action on a file was attempted or completed
  3	recon	A reconnaissance probe was attempted or completed
  4	user	User privileges were attempted or obtained
  5	other	Anything not in one of the above categories

• alert.assessment.impact.description STRINGSTRING

  Only in libprelude (It's the value of the class impact in the RFC)

• alert.assessment.action.category ENUMENUM

  The type of action taken. The permitted values are shown below. The default value is "other".

  Rank	Keyword	Description
  0	block-installed	A block of some sort was installed to prevent an attack from reaching its destination. The block could be a port block, address block, etc., or disabling a user account.
  1	notification-sent	A notification message of some sort was sent out-of-band (via pager, e-mail, etc.). Does not include the transmission of this alert.
  2	taken-offline	A system, computer, or user was taken offline, as when the computer is shut down or a user is logged off.
  3	other	Anything not in one of the above categories.

• alert.assessment.action.description STRINGSTRING

  Only in libprelude (It's the value of the class assessment in the RFC)

• alert.assessment.confidence.rating ENUMENUM

  The analyzer's rating of its analytical validity. The permitted values are shown below. The default value is "numeric".

  Rank	Keyword	Description
  0	low	The analyzer has little confidence in its validity
  1	medium	The analyzer has average confidence in its validity
  2	high	The analyzer has high confidence in its validity
  3	numeric	The analyzer has provided a posterior probability value indicating its confidence in its validity

  This element should be used only when the analyzer can produce meaningful information. Systems that can output only a rough heuristic should use "low", "medium", or "high" as the rating value. In this case, the element content should be omitted.

  Systems capable of producing reasonable probability estimates should use "numeric" as the rating value and include a numeric confidence value in the element content. This numeric value should reflect a posterior probability (the probability that an attack has occurred given the data seen by the detection system and the model used by the system). It is a floating point number between 0.0 and 1.0, inclusive. The number of digits should be limited to those representable by a single precision floating point value.

  NOTE: It should be noted that different types of analyzers may compute confidence values in different ways and that in many cases, confidence values from different analyzers should not be compared (for example, if the analyzers use different methods of computing or representing confidence, or are of different types or configurations). Care should be taken when implementing systems that process confidence values (such as event correlators) not to make comparisons or assumptions that cannot be supported by the system's knowledge of the environment in which it is working.

• alert.assessment.confidence.confidence _FLOAT__FLOAT_

  Only in libprelude (It's the value of the class assessment in the RFC)

Classification¶

• alert.classification.ident STRINGSTRING

  Optional. A unique identifier for this classification.

• alert.classification.text STRINGSTRING

  Required. A vendor-provided string identifying the Alert message.

• alert.classification.reference().origin ENUMENUM

  Required. The source from which the name of the alert originates. The permitted values for this attribute are shown below. The default value is "unknown".

  Rank	Keyword	Description
  0	unknown	Origin of the name is not known
  1	vendor-specific	A vendor-specific name (and hence, URL); this can be used to provide product-specific information
  2	user-specific	A user-specific name (and hence, URL); this can be used to provide installation-specific information
  3	bugtraqid	The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid)
  4	cve	The Common Vulnerabilities and Exposures (CVE) name (http://www.cve.mitre.org/)
  5	osvdb	The Open Source Vulnerability Database (http://www.osvdb.org)

• alert.classification.reference().name STRINGSTRING

  Exactly one. STRING. The name of the alert, from one of the origins listed below.

• alert.classification.reference().url STRINGSTRING

  Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.

• alert.classification.reference().meaning STRINGSTRING

  Optional. The meaning of the reference, as understood by the alert provider. This field is only valid if the value of the <origin> attribute is set to "vendor-specific" or "user-specific".

Additional Data¶

• alert.additional_data().meaning STRINGSTRING

  Optional. A string describing the meaning of the element content. These values will be vendor/implementation dependent; the method for ensuring that managers understand the strings sent by analyzers is outside the scope of this specification. A list of acceptable meaning keywords is not within the scope of the document, although later versions may undertake to establish such a list.

• alert.additional_data().type ENUMENUM

  Rank	Keyword	Description
  0	boolean	The element contains a boolean value, i.e., the strings "true" or "false"
  1	byte	The element content is a single 8-bit byte
  2	character	The element content is a single character
  3	date-time	The element content is a date-time string
  4	integer	The element content is an integer
  5	ntpstamp	The element content is an NTP timestamp
  6	portlist	The element content is a list of ports
  7	real	The element content is a real number
  8	string	The element content is a string
  9	byte-string	The element is a byte[]
  10	xmltext	The element content is XML-tagged data

• alert.additional_data().data DATADATA

  Only in libprelude (It's the value of the class AdditionalData in the RFC)