8. The IDMEF Document Type Definition (Normative)
<?xml version="1.0" encoding="UTF-8"?>

<!-- ***************************************************************
   *******************************************************************
   *** Intrusion Detection Message Exchange Format (IDMEF) XML DTD ***
   *** Version 1.0, 07 March 2006                                  ***
   ***                                                             ***
   *** The use and extension of the IDMEF XML DTD are described in ***
   *** RFC 4765, "The Intrusion Detection Message Exchange         ***
   *** Format", H. Debar, D. Curry, B. Feinstein.                  ***
   *******************************************************************
   *************************************************************** -->

<!-- ===============================================================
   ===================================================================
   === SECTION 1. Attribute list declarations.
   ===================================================================
   =============================================================== -->

<!--
  | Attributes of the IDMEF element. In general, the fixed values of
  | these attributes will change each time a new version of the DTD
  | is released.
  -->
<!ENTITY % attlist.idmef "
    version             CDATA                   #FIXED    '1.0'
">

<!--
  | Attributes of all elements. These are the "XML" attributes that
  | every element should have. Space handling, language, and name
  | space.
  -->
<!ENTITY % attlist.global "
    xmlns:idmef         CDATA                   #FIXED
        'http://iana.org/idmef'
    xmlns               CDATA                   #FIXED
        'http://iana.org/idmef'
    xml:space           (default | preserve)    'default'
    xml:lang            NMTOKEN                 #IMPLIED
">

<!-- ===============================================================
   ===================================================================
   === SECTION 2. Attribute value declarations. Enumerated values for
   ===            many of the element-specific attribute lists.
   ===================================================================
   =============================================================== -->

<!--
  | Values for the Action.category attribute.
  -->
<!ENTITY % attvals.actioncat "
    ( block-installed | notification-sent | taken-offline | other )
">

<!--
  | Values for the Address.category attribute.
  -->
<!ENTITY % attvals.addrcat "
    ( unknown | atm | e-mail | lotus-notes | mac | sna | vm | ipv4-addr |
      ipv4-addr-hex | ipv4-net | ipv4-net-mask | ipv6-addr |
      ipv6-addr-hex | ipv6-net | ipv6-net-mask )
">

<!--
  | Values for the AdditionalData.type attribute.
  -->
<!ENTITY % attvals.adtype "
    ( boolean | byte | character | date-time | integer | ntpstamp |
      portlist | real | string | byte-string | xmltext )
">

<!--
  | Values for the Impact.completion attribute.
  -->
<!ENTITY % attvals.completion "
    ( failed | succeeded )
">

<!--
  | Values for the File.category attribute.
  -->
<!ENTITY % attvals.filecat "
    ( current | original )
">

<!ENTITY % attvals.fileperm "( noAccess | read | write | execute |
                               search | delete | executeAs |
                               changePermissions | takeOwnership)" >

<!--
  | Values for the UserId.type attribute.
  -->
<!ENTITY % attvals.idtype "
    ( current-user | original-user | target-user | user-privs |
      current-group | group-privs | other-privs )
">

<!--
  | Values for the Impact.type attribute.
  -->
<!ENTITY % attvals.impacttype "
    ( admin | dos | file | recon | user | other )
">

<!--
  | Values for the Linkage.category attribute.
  -->
<!ENTITY % attvals.linkcat "
    ( hard-link | mount-point | reparse-point | shortcut | stream |
      symbolic-link )
">

<!--
  | Values for the Checksum.algorithm attribute
  -->
<!ENTITY % attvals.checksumalgos "
    ( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 |
      Haval | Tiger | Gost )
">

<!--
  | Values for the Node.category attribute.
  -->
<!ENTITY % attvals.nodecat "
    ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos | nds |
      nis | nisplus | nt | wfw )
">

<!--
  | Values for the Reference.origin attribute.
  -->
<!ENTITY % attvals.origin "
    ( unknown | vendor-specific | user-specific | bugtraqid | cve |
      osvdb )
">

<!--
  | Values for the Confidence.rating attribute.
  -->
<!ENTITY % attvals.rating "
    ( low | medium | high | numeric )
">

<!--
  | Values for the Impact.severity attribute.
  -->
<!ENTITY % attvals.severity "
    ( info | low | medium | high )
">

<!--
  | Values for the User.category attribute.
  -->
<!ENTITY % attvals.usercat "
    ( unknown | application | os-device )
">

<!--
  | Values for yes/no attributes such as Source.spoofed and
  | Target.decoy.
  -->
<!ENTITY % attvals.yesno "
    ( unknown | yes | no )
">

<!-- ===============================================================
   ===================================================================
   === SECTION 3. Top-level element declarations. The IDMEF-Message
   ===            element and the types of messages it can include.
   ===================================================================
   =============================================================== -->

<!ELEMENT IDMEF-Message                 (
    (Alert | Heartbeat)*
  )>
<!ATTLIST IDMEF-Message
    %attlist.global;
    %attlist.idmef;
  >

<!ELEMENT Alert                         (
    Analyzer, CreateTime, DetectTime?, AnalyzerTime?, Source*,
    Target*, Classification, Assessment?,
    (ToolAlert | OverflowAlert | CorrelationAlert)?, AdditionalData*
  )>
<!ATTLIST Alert
    messageid           CDATA                   '0'
    %attlist.global;
  >

<!ELEMENT Heartbeat                     (
    Analyzer, CreateTime, HeartbeatInterval?, AnalyzerTime?,
    AdditionalData*
  )>
<!ATTLIST Heartbeat
    messageid           CDATA                   '0'
    %attlist.global;
  >

<!-- ===============================================================
   ===================================================================
   === SECTION 4. Subclasses of the Alert element that provide more
   ===            data for specific types of alerts.
   ===================================================================
   =============================================================== -->

<!ELEMENT CorrelationAlert              (
    name, alertident+
  )>
<!ATTLIST CorrelationAlert
    %attlist.global;
  >

<!ELEMENT OverflowAlert                 (
    program, size?, buffer?
  )>
<!ATTLIST OverflowAlert
    %attlist.global;
  >

<!ELEMENT ToolAlert                     (
    name, command?, alertident+
  )>
<!ATTLIST ToolAlert
    %attlist.global;
  >

<!-- ===============================================================
   ===================================================================
   === SECTION 5. The AdditionalData element. This element allows an
   ===            alert to include additional information that cannot
   ===            be encoded elsewhere in the data model.
   ===================================================================
   =============================================================== -->

<!ELEMENT AdditionalData                (
    (boolean | byte | character | date-time | integer | ntpstamp |
     portlist | real | string | byte-string | xmltext )
  )>
<!ATTLIST AdditionalData
    type                %attvals.adtype;        'string'
    meaning             CDATA                   #IMPLIED
    %attlist.global;
  >

<!-- ===============================================================
   ===================================================================
   === SECTION 6. Elements related to identifying entities - analyzers
   ===            (the senders of these messages), sources (of
   ===            attacks), and targets (of attacks).
   ===================================================================
   =============================================================== -->

<!ELEMENT Analyzer                      (
    Node?, Process?, Analyzer?
  )>
<!ATTLIST Analyzer
    analyzerid          CDATA                   '0'
    name                CDATA                   #IMPLIED
    manufacturer        CDATA                   #IMPLIED
    model               CDATA                   #IMPLIED
    version             CDATA                   #IMPLIED
    class               CDATA                   #IMPLIED
    ostype              CDATA                   #IMPLIED
    osversion           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Classification                (
    Reference*
  )>
<!ATTLIST Classification
    ident               CDATA                   '0'
    text                CDATA                   #REQUIRED
  >

<!ELEMENT Source                        (
    Node?, User?, Process?, Service?
  )>
<!ATTLIST Source
    ident               CDATA                   '0'
    spoofed             %attvals.yesno;         'unknown'
    interface           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Target                        (
    Node?, User?, Process?, Service?, File*
  )>
<!ATTLIST Target
    ident               CDATA                   '0'
    decoy               %attvals.yesno;         'unknown'
    interface           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Assessment                    (
    Impact?, Action*, Confidence?
  )>
<!ATTLIST Assessment
    %attlist.global;
  >

<!-- ===============================================================
   ===================================================================
   === SECTION 7. Support elements used for providing detailed info
   ===            about entities - addresses, names, etc.
   ===================================================================
   =============================================================== -->

<!ELEMENT Reference                     (
    name, url
  )>
<!ATTLIST Reference
    origin              %attvals.origin;        'unknown'
    meaning             CDATA                   #IMPLIED
  >

<!ELEMENT Node                          (
    location?, (name | Address), Address*
  )>
<!ATTLIST Node
    ident               CDATA                   '0'
    category            %attvals.nodecat;       'unknown'
    %attlist.global;
  >

<!ELEMENT Address                       (
    address, netmask?
  )>
<!ATTLIST Address
    ident               CDATA                   '0'
    category            %attvals.addrcat;       'unknown'
    vlan-name           CDATA                   #IMPLIED
    vlan-num            CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT File                          (
    name, path, create-time?, modify-time?, access-time?,
    data-size?, disk-size?, FileAccess*, Linkage*, Inode?, Checksum*
  )>
<!ATTLIST File
    ident               CDATA                   '0'
    category            %attvals.filecat;       #REQUIRED
    fstype              CDATA                   #IMPLIED
    file-type           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Permission                    EMPTY >
<!ATTLIST Permission
    perms               %attvals.fileperm;      #REQUIRED
    %attlist.global;
  >

<!ELEMENT FileAccess                    (
    UserId, Permission+
  )>
<!ATTLIST FileAccess
    %attlist.global;
  >

<!ELEMENT Inode                         (
    change-time?, (number, major-device, minor-device)?,
    (c-major-device, c-minor-device)?
  )>
<!ATTLIST Inode
    %attlist.global;
  >

<!ELEMENT Linkage                       (
    (name, path) | File
  )>
<!ATTLIST Linkage
    category            %attvals.linkcat;       #REQUIRED
    %attlist.global;
  >

<!ELEMENT Checksum                      (
    value, key?
  )>
<!ATTLIST Checksum
    algorithm           %attvals.checksumalgos; #REQUIRED
    %attlist.global;
  >

<!ELEMENT Process                       (
    name, pid?, path?, arg*, env*
  )>
<!ATTLIST Process
    ident               CDATA                   '0'
    %attlist.global;
  >

<!ELEMENT Service                       (
    (((name, port?) | (port, name?)) | portlist), protocol?,
    SNMPService?, WebService?
  )>
<!ATTLIST Service
    ident               CDATA                   '0'
    ip_version          CDATA                   #IMPLIED
    iana_protocol_number CDATA                  #IMPLIED
    iana_protocol_name  CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT SNMPService                   (
    oid?, messageProcessingModel?, securityModel?, securityName?,
    securityLevel?, contextName?, contextEngineID?, command?
  )>
<!ATTLIST SNMPService
    %attlist.global;
  >

<!ELEMENT User                          (
    UserId+
  )>
<!ATTLIST User
    ident               CDATA                   '0'
    category            %attvals.usercat;       'unknown'
    %attlist.global;
  >

<!ELEMENT UserId                        (
    (name, number?) | (number, name?)
  )>
<!ATTLIST UserId
    ident               CDATA                   '0'
    type                %attvals.idtype;        'original-user'
    tty                 CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT WebService                    (
    url, cgi?, http-method?, arg*
  )>
<!ATTLIST WebService
    %attlist.global;
  >

<!-- ===============================================================
   ===================================================================
   === SECTION 8. Simple elements with sub-elements or attributes of a
   ===            special nature.
   ===================================================================
   =============================================================== -->

<!ELEMENT Action                        (#PCDATA) >
<!ATTLIST Action
    category            %attvals.actioncat;     'other'
    %attlist.global;
  >

<!ELEMENT CreateTime                    (#PCDATA) >
<!ATTLIST CreateTime
    ntpstamp            CDATA                   #REQUIRED
    %attlist.global;
  >

<!ELEMENT DetectTime                    (#PCDATA) >
<!ATTLIST DetectTime
    ntpstamp            CDATA                   #REQUIRED
    %attlist.global;
  >

<!ELEMENT AnalyzerTime                  (#PCDATA) >
<!ATTLIST AnalyzerTime
    ntpstamp            CDATA                   #REQUIRED
    %attlist.global;
  >

<!ELEMENT Confidence                    (#PCDATA) >
<!ATTLIST Confidence
    rating              %attvals.rating;        'numeric'
    %attlist.global;
  >

<!ELEMENT Impact                        (#PCDATA) >
<!ATTLIST Impact
    severity            %attvals.severity;      #IMPLIED
    completion          %attvals.completion;    #IMPLIED
    type                %attvals.impacttype;    'other'
    %attlist.global;
  >

<!ELEMENT alertident                    (#PCDATA) >
<!ATTLIST alertident
    analyzerid          CDATA                   #IMPLIED
    %attlist.global;
  >

<!-- ===============================================================
   ===================================================================
   === SECTION 9. Simple elements with no sub-elements and no special
   ===            attributes.
   ===================================================================
   =============================================================== -->

<!ELEMENT boolean                (#PCDATA) >
<!ATTLIST boolean                %attlist.global; >

<!ELEMENT byte                   (#PCDATA) >
<!ATTLIST byte                   %attlist.global; >

<!ELEMENT character              (#PCDATA) >
<!ATTLIST character              %attlist.global; >

<!ELEMENT date-time              (#PCDATA) >
<!ATTLIST date-time              %attlist.global; >

<!ELEMENT integer                (#PCDATA) >
<!ATTLIST integer                %attlist.global; >

<!ELEMENT ntpstamp               (#PCDATA) >
<!ATTLIST ntpstamp               %attlist.global; >

<!ELEMENT real                   (#PCDATA) >
<!ATTLIST real                   %attlist.global; >

<!ELEMENT string                 (#PCDATA) >
<!ATTLIST string                 %attlist.global; >

<!ELEMENT byte-string            (#PCDATA) >
<!ATTLIST byte-string            %attlist.global; >

<!ELEMENT xmltext                ANY >
<!ATTLIST xmltext                %attlist.global; >

<!ELEMENT access-time            (#PCDATA) >
<!ATTLIST access-time            %attlist.global; >

<!ELEMENT address                (#PCDATA) >
<!ATTLIST address                %attlist.global; >

<!ELEMENT arg                    (#PCDATA) >
<!ATTLIST arg                    %attlist.global; >

<!ELEMENT buffer                 (#PCDATA) >
<!ATTLIST buffer                 %attlist.global; >

<!ELEMENT c-major-device         (#PCDATA) >
<!ATTLIST c-major-device         %attlist.global; >

<!ELEMENT c-minor-device         (#PCDATA) >
<!ATTLIST c-minor-device         %attlist.global; >

<!ELEMENT cgi                    (#PCDATA) >
<!ATTLIST cgi                    %attlist.global; >

<!ELEMENT change-time            (#PCDATA) >
<!ATTLIST change-time            %attlist.global; >

<!ELEMENT command                (#PCDATA) >
<!ATTLIST command                %attlist.global; >

<!ELEMENT create-time            (#PCDATA) >
<!ATTLIST create-time            %attlist.global; >

<!ELEMENT data-size              (#PCDATA) >
<!ATTLIST data-size              %attlist.global; >

<!ELEMENT disk-size              (#PCDATA) >
<!ATTLIST disk-size              %attlist.global; >

<!ELEMENT env                    (#PCDATA) >
<!ATTLIST env                    %attlist.global; >

<!ELEMENT http-method            (#PCDATA) >
<!ATTLIST http-method            %attlist.global; >

<!ELEMENT location               (#PCDATA) >
<!ATTLIST location               %attlist.global; >

<!ELEMENT major-device           (#PCDATA) >
<!ATTLIST major-device           %attlist.global; >

<!ELEMENT minor-device           (#PCDATA) >
<!ATTLIST minor-device           %attlist.global; >

<!ELEMENT modify-time            (#PCDATA) >
<!ATTLIST modify-time            %attlist.global; >

<!ELEMENT name                   (#PCDATA) >
<!ATTLIST name                   %attlist.global; >

<!ELEMENT netmask                (#PCDATA) >
<!ATTLIST netmask                %attlist.global; >

<!ELEMENT number                 (#PCDATA) >
<!ATTLIST number                 %attlist.global; >

<!ELEMENT oid                    (#PCDATA) >
<!ATTLIST oid                    %attlist.global; >

<!ELEMENT path                   (#PCDATA) >
<!ATTLIST path                   %attlist.global; >

<!ELEMENT permission             (#PCDATA) >
<!ATTLIST permission             %attlist.global; >

<!ELEMENT pid                    (#PCDATA) >
<!ATTLIST pid                    %attlist.global; >

<!ELEMENT port                   (#PCDATA) >
<!ATTLIST port                   %attlist.global; >

<!ELEMENT portlist               (#PCDATA) >
<!ATTLIST portlist               %attlist.global; >

<!ELEMENT program                (#PCDATA) >
<!ATTLIST program                %attlist.global; >

<!ELEMENT protocol               (#PCDATA) >
<!ATTLIST protocol               %attlist.global; >

<!ELEMENT size                   (#PCDATA) >
<!ATTLIST size                   %attlist.global; >

<!ELEMENT url                    (#PCDATA) >
<!ATTLIST url                    %attlist.global; >

<!ELEMENT HeartbeatInterval      (#PCDATA) >
<!ATTLIST HeartbeatInterval      %attlist.global; >

<!ELEMENT messageProcessingModel (#PCDATA) >
<!ATTLIST messageProcessingModel %attlist.global;>

<!ELEMENT securityModel          (#PCDATA) >
<!ATTLIST securityModel          %attlist.global; >

<!ELEMENT securityName           (#PCDATA) >
<!ATTLIST securityName           %attlist.global; >

<!ELEMENT securityLevel          (#PCDATA) >
<!ATTLIST securityLevel          %attlist.global; >

<!ELEMENT contextName            (#PCDATA) >
<!ATTLIST contextName            %attlist.global; >

<!ELEMENT contextEngineID        (#PCDATA) >
<!ATTLIST contextEngineID        %attlist.global; >

<!ELEMENT value                  (#PCDATA) >
<!ATTLIST value                  %attlist.global; >

<!ELEMENT key                    (#PCDATA) >
<!ATTLIST key                    %attlist.global; >

<!-- End of IDMEF DTD -->

9. Security Considerations
This document describes a data representation for exchanging security-related information between intrusion detection system implementations. Although there are no security concerns directly applicable to the format of this data, the data itself may contain security-sensitive information whose confidentiality, integrity, and/or availability may need to be protected.
This suggests that the systems used to collect, transmit, process, and store this data should be protected against unauthorized use and that the data itself should be protected against unauthorized access. The means for achieving this protection are outside the scope of this document. Section 5 of [2] describes the required and recommended security characteristics of the transmission protocol that will be used to deliver IDMEF data from analyzers to managers. These requirements include message confidentiality, message integrity, non-repudiation, and avoidance of duplicate messages. Both standard and proposed protocols exist that provide these features. Where a protocol that does not meet the requirements of Section 5 of [2] is used to exchange IDMEF messages, it may be desirable to use digital signatures to certify the integrity of these messages; this is discussed in Section 6.5 of this document.

10. IANA Considerations
Section 5 describes how to use the AdditionalData class to include arbitrary "atomic" data items in an IDMEF message, as well as how AdditionalData may be used to extend the DTD itself by adding new classes and attributes. From time to time, it may be desirable to move an extension from its private or local use status (as all extensions made via the above mechanism are) to "standard" status that should be supported by all implementations. This may be accomplished as described in this section.

10.1. Adding Values to Existing Attributes
Several of the attributes specified in this document have lists of permissible values that they may contain. To allow the addition of new values to these lists, the IANA created a repository for attribute values called "Intrusion Detection Message Exchange Format (IDMEF) Attribute Values". Following the policies outlined in [9], this repository is "Specification Required" by RFC. Section 10.1.1 describes the initial values for this repository.
To create a new attribute, you MUST publish an RFC to document the type. In the RFC, include a copy of the registration template found in Section 10.1.2 of this document. Put the template in your IANA Considerations section, filling in the appropriate fields. You MUST describe any interoperability and security issues in your document. When adding a new attribute value to the repository, the IANA shall assign the next rank number in numerical sequence for the value.

10.1.1. Attribute Registrations
IDMEF Class Name: Reference
IDMEF Attribute Name: origin
Registered Values:

+------+-----------------+------------------------------------------+
| Rank | Keyword         | Description                              |
+------+-----------------+------------------------------------------+
|  0   | unknown         | Origin of the name is not known          |
|  1   | vendor-specific | A vendor-specific name (and hence, URL); |
|      |                 | this can be used to provide              |
|      |                 | product-specific information             |
|  2   | user-specific   | A user-specific name (and hence, URL);   |
|      |                 | this can be used to provide              |
|      |                 | installation-specific information        |
|  3   | bugtraqid       | The SecurityFocus ("Bugtraq")            |
|      |                 | vulnerability database identifier        |
|      |                 | (http://www.securityfocus.com/bid)       |
|  4   | cve             | The Common Vulnerabilities and Exposures |
|      |                 | (CVE) name (http://cve.mitre.org/)       |
|  5   | osvdb           | The Open Source Vulnerability Database   |
|      |                 | (http://www.osvdb.org)                   |
+------+-----------------+------------------------------------------+
IDMEF Class Name: Source
IDMEF Attribute Name: spoofed
Registered Values:

+------+---------+----------------------------------------+
| Rank | Keyword | Description                            |
+------+---------+----------------------------------------+
|  0   | unknown | Accuracy of source information unknown |
|  1   | yes     | Source is believed to be a decoy       |
|  2   | no      | Source is believed to be "real"        |
+------+---------+----------------------------------------+

IDMEF Class Name: Target
IDMEF Attribute Name: decoy
Registered Values:

+------+---------+----------------------------------------+
| Rank | Keyword | Description                            |
+------+---------+----------------------------------------+
|  0   | unknown | Accuracy of target information unknown |
|  1   | yes     | Target is believed to be a decoy       |
|  2   | no      | Target is believed to be "real"        |
+------+---------+----------------------------------------+
IDMEF Class Name: AdditionalData
IDMEF Attribute Name: type
Registered Values:

+------+-------------+----------------------------------------------+
| Rank | Keyword     | Description                                  |
+------+-------------+----------------------------------------------+
|  0   | boolean     | The element contains a boolean value, i.e.,  |
|      |             | the strings "true" or "false"                |
|  1   | byte        | The element content is a single 8-bit byte   |
|      |             | (see Section 3.2.4)                          |
|  2   | character   | The element content is a single character    |
|      |             | (see Section 3.2.3)                          |
|  3   | date-time   | The element content is a date-time string    |
|      |             | (see Section 3.2.6)                          |
|  4   | integer     | The element content is an integer (see       |
|      |             | Section 3.2.1)                               |
|  5   | ntpstamp    | The element content is an NTP timestamp (see |
|      |             | Section 3.2.7)                               |
|  6   | portlist    | The element content is a list of ports (see  |
|      |             | Section 3.2.8)                               |
|  7   | real        | The element content is a real number (see    |
|      |             | Section 3.2.2)                               |
|  8   | string      | The element content is a string (see         |
|      |             | Section 3.2.3)                               |
|  9   | byte-string | The element content is a byte[] (see         |
|      |             | Section 3.2.4)                               |
|  10  | xmltext     | The element content is XML-tagged data (see  |
|      |             | Section 5.2)                                 |
+------+-------------+----------------------------------------------+
IDMEF Class Name: Impact
IDMEF Attribute Name: severity
Registered Values:

+------+---------+-----------------------------------------+
| Rank | Keyword | Description                             |
+------+---------+-----------------------------------------+
|  0   | info    | Alert represents informational activity |
|      |         |                                         |
|  1   | low     | Low severity                            |
|      |         |                                         |
|  2   | medium  | Medium severity                         |
|      |         |                                         |
|  3   | high    | High severity                           |
+------+---------+-----------------------------------------+

IDMEF Class Name: Impact
IDMEF Attribute Name: completion
Registered Values:

+------+-----------+--------------------------------+
| Rank | Keyword   | Description                    |
+------+-----------+--------------------------------+
|  0   | failed    | The attempt was not successful |
|  1   | succeeded | The attempt succeeded          |
+------+-----------+--------------------------------+
IDMEF Class Name: Impact
IDMEF Attribute Name: type
Registered Values:

+------+---------+--------------------------------------------------+
| Rank | Keyword | Description                                      |
+------+---------+--------------------------------------------------+
|  0   | admin   | Administrative privileges were attempted or      |
|      |         | obtained                                         |
|  1   | dos     | A denial of service was attempted or completed   |
|  2   | file    | An action on a file was attempted or completed   |
|  3   | recon   | A reconnaissance probe was attempted or          |
|      |         | completed                                        |
|  4   | user    | User privileges were attempted or obtained       |
|  5   | other   | Anything not in one of the above categories      |
+------+---------+--------------------------------------------------+

IDMEF Class Name: Action
IDMEF Attribute Name: category
Registered Values:

+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
|  0   | block-installed   | A block of some sort was installed to  |
|      |                   | prevent an attack from reaching its    |
|      |                   | destination. The block could be a      |
|      |                   | port block, address block, etc., or    |
|      |                   | disabling a user account.              |
|  1   | notification-sent | A notification message of some sort    |
|      |                   | was sent out-of-band (via pager,       |
|      |                   | e-mail, etc.). Does not include the    |
|      |                   | transmission of this alert.            |
|  2   | taken-offline     | A system, computer, or user was taken  |
|      |                   | offline, as when the computer is shut  |
|      |                   | down or a user is logged off.          |
|  3   | other             | Anything not in one of the above       |
|      |                   | categories.                            |
+------+-------------------+----------------------------------------+
IDMEF Class Name: Confidence
IDMEF Attribute Name: rating
Registered Values:

+------+---------+--------------------------------------------------+
| Rank | Keyword | Description                                      |
+------+---------+--------------------------------------------------+
|  0   | low     | The analyzer has little confidence in its        |
|      |         | validity                                         |
|  1   | medium  | The analyzer has average confidence in its       |
|      |         | validity                                         |
|  2   | high    | The analyzer has high confidence in its validity |
|  3   | numeric | The analyzer has provided a posterior            |
|      |         | probability value indicating its confidence in   |
|      |         | its validity                                     |
+------+---------+--------------------------------------------------+

IDMEF Class Name: Node
IDMEF Attribute Name: category
Registered Values:

+------+----------+------------------------------------------+
| Rank | Keyword  | Description                              |
+------+----------+------------------------------------------+
|  0   | unknown  | Domain unknown or not relevant           |
|  1   | ads      | Windows 2000 Advanced Directory Services |
|  2   | afs      | Andrew File System (Transarc)            |
|  3   | coda     | Coda Distributed File System             |
|  4   | dfs      | Distributed File System (IBM)            |
|  5   | dns      | Domain Name System                       |
|  6   | hosts    | Local hosts file                         |
|  7   | kerberos | Kerberos realm                           |
|  8   | nds      | Novell Directory Services                |
|  9   | nis      | Network Information Services (Sun)       |
|  10  | nisplus  | Network Information Services Plus (Sun)  |
|  11  | nt       | Windows NT domain                        |
|  12  | wfw      | Windows for Workgroups                   |
+------+----------+------------------------------------------+
IDMEF Class Name: Address
IDMEF Attribute Name: category
Registered Values:

+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
|  0   | unknown       | Address type unknown                       |
|  1   | atm           | Asynchronous Transfer Mode network address |
|  2   | e-mail        | Electronic mail address (RFC 822)          |
|  3   | lotus-notes   | Lotus Notes e-mail address                 |
|  4   | mac           | Media Access Control (MAC) address         |
|  5   | sna           | IBM Shared Network Architecture (SNA)      |
|      |               | address                                    |
|  6   | vm            | IBM VM ("PROFS") e-mail address            |
|  7   | ipv4-addr     | IPv4 host address in dotted-decimal        |
|      |               | notation (a.b.c.d)                         |
|  8   | ipv4-addr-hex | IPv4 host address in hexadecimal notation  |
|  9   | ipv4-net      | IPv4 network address in dotted-decimal     |
|      |               | notation, slash, significant bits          |
|      |               | (a.b.c.d/nn)                               |
|  10  | ipv4-net-mask | IPv4 network address in dotted-decimal     |
|      |               | notation, slash, network mask in           |
|      |               | dotted-decimal notation (a.b.c.d/w.x.y.z)  |
|  11  | ipv6-addr     | IPv6 host address                          |
|  12  | ipv6-addr-hex | IPv6 host address in hexadecimal notation  |
|  13  | ipv6-net      | IPv6 network address, slash, significant   |
|      |               | bits                                       |
|  14  | ipv6-net-mask | IPv6 network address, slash, network mask  |
+------+---------------+--------------------------------------------+
IDMEF Class Name: User
IDMEF Attribute Name: category
Registered Values:

+------+-------------+------------------------------------+
| Rank | Keyword     | Description                        |
+------+-------------+------------------------------------+
|  0   | unknown     | User type unknown                  |
|  1   | application | An application user                |
|  2   | os-device   | An operating system or device user |
+------+-------------+------------------------------------+

IDMEF Class Name: UserId
IDMEF Attribute Name: category
Registered Values:

+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
|  0   | current-user  | The current user id being used by the user |
|      |               | or process. On Unix systems, this would    |
|      |               | be the "real" user id, in general.         |
|  1   | original-user | The actual identity of the user or process |
|      |               | being reported on. On those systems that   |
|      |               | (a) do some type of auditing and (b)       |
|      |               | support extracting a user id from the      |
|      |               | "audit id" token, that value should be     |
|      |               | used. On those systems that do not         |
|      |               | support this, and where the user has       |
|      |               | logged into the system, the "login id"     |
|      |               | should be used.                            |
|  2   | target-user   | The user id the user or process is         |
|      |               | attempting to become. This would apply,    |
|      |               | on Unix systems for example, when the user |
|      |               | attempts to use "su", "rlogin", "telnet",  |
|      |               | etc.                                       |
|  3   | user-privs    | Another user id the user or process has    |
|      |               | the ability to use, or a user id           |
|      |               | associated with a file permission. On      |
|      |               | Unix systems, this would be the            |
|      |               | "effective" user id in a user or process   |
|      |               | context, and the owner permissions in a    |
|      |               | file context. Multiple UserId elements of  |
|      |               | this type may be used to specify a list of |
|      |               | privileges.                                |
|  4   | current-group | The current group id (if applicable) being |
|      |               | used by the user or process. On Unix       |
|      |               | systems, this would be the "real" group    |
|      |               | id, in general.                            |
|  5   | group-privs   | Another group id the group or process has  |
|      |               | the ability to use, or a group id          |
|      |               | associated with a file permission. On      |
|      |               | Unix systems, this would be the            |
|      |               | "effective" group id in a group or process |
|      |               | context, and the group permissions in a    |
|      |               | file context. On BSD-derived Unix          |
|      |               | systems, multiple UserId elements of this  |
|      |               | type would be used to include all the      |
|      |               | group ids on the "group list".             |
|  6   | other-privs   | Not used in a user, group, or process      |
|      |               | context, only used in the file context.    |
|      |               | The file permissions assigned to users who |
|      |               | do not match either the user or group      |
|      |               | permissions on the file. On Unix systems,  |
|      |               | this would be the "world" permissions.     |
+------+---------------+--------------------------------------------+

IDMEF Class Name: File
IDMEF Attribute Name: category
Registered Values:

+------+----------+-------------------------------------------------+
| Rank | Keyword  | Description                                     |
+------+----------+-------------------------------------------------+
|  0   | current  | The file information is from after the reported |
|      |          | change                                          |
|  1   | original | The file information is from before the         |
|      |          | reported change                                 |
+------+----------+-------------------------------------------------+
IDMEF Class Name: File
IDMEF Attribute Name: fstype
Registered Values:

+------+---------+-------------------------------------+
| Rank | Keyword | Description                         |
+------+---------+-------------------------------------+
|  0   | ufs     | Berkeley Unix Fast File System      |
|  1   | efs     | Linux "efs" file system             |
|  2   | nfs     | Network File System                 |
|  3   | afs     | Andrew File System                  |
|  4   | ntfs    | Windows NT File System              |
|  5   | fat16   | 16-bit Windows FAT File System      |
|  6   | fat32   | 32-bit Windows FAT File System      |
|  7   | pcfs    | "PC" (MS-DOS) file system on CD-ROM |
|  8   | joliet  | Joliet CD-ROM file system           |
|  9   | iso9660 | ISO 9660 CD-ROM file system         |
+------+---------+-------------------------------------+

IDMEF Class Name: FileAccess
IDMEF Attribute Name: permission
Registered Values:

+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
|  0   | noAccess          | No access at all is allowed for this   |
|      |                   | user                                   |
|  1   | read              | This user has read access to the file  |
|  2   | write             | This user has write access to the file |
|  3   | execute           | This user has the ability to execute   |
|      |                   | the file                               |
|  4   | search            | This user has the ability to search    |
|      |                   | this file (applies to "execute"        |
|      |                   | permission on directories in Unix)     |
|  5   | delete            | This user has the ability to delete    |
|      |                   | this file                              |
|  6   | executeAs         | This user has the ability to execute   |
|      |                   | this file as another user              |
|  7   | changePermissions | This user has the ability to change    |
|      |                   | the access permissions on this file    |
|  8   | takeOwnership     | This user has the ability to take      |
|      |                   | ownership of this file                 |
+------+-------------------+----------------------------------------+
IDMEF Class Name: Linkage
IDMEF Attribute Name: category
Registered Values:

+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
|  0   | hard-link     | The <name> element represents another name |
|      |               | for this file. This information may be     |
|      |               | more easily obtainable on NTFS file        |
|      |               | systems than others.                       |
|  1   | mount-point   | An alias for the directory specified by    |
|      |               | the parent's <name> and <path> elements.   |
|  2   | reparse-point | Applies only to Windows; excludes symbolic |
|      |               | links and mount points, which are specific |
|      |               | types of reparse points.                   |
|  3   | shortcut      | The file represented by a Windows          |
|      |               | "shortcut". A shortcut is distinguished    |
|      |               | from a symbolic link because of the        |
|      |               | difference in their contents, which may be |
|      |               | of importance to the manager.              |
|  4   | stream        | An Alternate Data Stream (ADS) in Windows; |
|      |               | a fork on MacOS. Separate file system      |
|      |               | entity that is considered an extension of  |
|      |               | the main <File>.                           |
|  5   | symbolic-link | The <name> element represents the file to  |
|      |               | which the link points.                     |
+------+---------------+--------------------------------------------+
IDMEF Class Name:      Checksum
IDMEF Attribute Name:  algorithm
Registered Values:

+------+----------+------------------------------------------+
| Rank | Keyword  | Description                              |
+------+----------+------------------------------------------+
| 0    | MD4      | The MD4 algorithm.                       |
| 1    | MD5      | The MD5 algorithm.                       |
| 2    | SHA1     | The SHA1 algorithm.                      |
| 3    | SHA2-256 | The SHA2 algorithm with 256 bits length. |
| 4    | SHA2-384 | The SHA2 algorithm with 384 bits length. |
| 5    | SHA2-512 | The SHA2 algorithm with 512 bits length. |
| 6    | CRC-32   | The CRC algorithm with 32 bits length.   |
| 7    | Haval    | The Haval algorithm.                     |
| 8    | Tiger    | The Tiger algorithm.                     |
| 9    | Gost     | The Gost algorithm.                      |
+------+----------+------------------------------------------+

10.1.2. Registration Template
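The registered keywords above are what an analyzer is allowed to put in Checksum.algorithm, and they are spelled exactly as shown (SHA2-256, not sha256), so a producer or a manager that maps them onto a local hash library needs an explicit table. The following is an added example, not RFC 4765 text or any IDMEF implementation's code: it builds an IDMEF <Checksum> element (attribute "algorithm", children <value> and <key>) for a constructed file body, rejects keywords that are not in the registry, recomputes and compares the digest on the receiving side, and flags the algorithms a manager should not treat as tamper evidence (MD4, MD5 and SHA1 have known collision attacks; CRC-32 is not a cryptographic hash at all). The mapping to hashlib names and the hex encoding of <key> are this example's own assumptions; Haval, Tiger and Gost are registered but have no standard-library implementation here.

```python
"""Produce and verify IDMEF <Checksum> elements using only the registered
Checksum.algorithm keywords.  Added example, not part of RFC 4765."""
import hashlib
import hmac
import zlib
import xml.etree.ElementTree as ET
from typing import Optional

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)

# Registered keyword -> hashlib digest name (assumed mapping).  None means the
# keyword is registered but cannot be computed by this example: CRC-32 is
# special-cased via zlib; Haval, Tiger and Gost are not in the stdlib.
IDMEF_CHECKSUM_ALGORITHMS = {
    "MD4": "md4", "MD5": "md5", "SHA1": "sha1",
    "SHA2-256": "sha256", "SHA2-384": "sha384", "SHA2-512": "sha512",
    "CRC-32": None, "Haval": None, "Tiger": None, "Gost": None,
}

# Usable to match a reported file against a known sample, but not as proof
# that the file has not been tampered with (collision attacks / no crypto).
WEAK_ALGORITHMS = {"MD4", "MD5", "SHA1", "CRC-32"}


def is_weak(algorithm: str) -> bool:
    """True for registered keywords a manager must not treat as tamper evidence."""
    return algorithm in WEAK_ALGORITHMS


def compute_checksum(data: bytes, algorithm: str, key: Optional[bytes] = None) -> str:
    """Hex digest for a registered keyword; a key turns the digest into an HMAC."""
    if algorithm not in IDMEF_CHECKSUM_ALGORITHMS:
        # Registry lookup is case-sensitive: "sha256" is not a registered value.
        raise ValueError(f"{algorithm!r} is not a registered Checksum.algorithm keyword")
    if algorithm == "CRC-32":
        if key is not None:
            raise ValueError("CRC-32 has no keyed form")
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    name = IDMEF_CHECKSUM_ALGORITHMS[algorithm]
    if name is None or name not in hashlib.algorithms_available:
        raise NotImplementedError(f"{algorithm} is registered but not available here")
    if key is not None:
        return hmac.new(key, data, name).hexdigest()
    return hashlib.new(name, data).hexdigest()


def checksum_element(data: bytes, algorithm: str, key: Optional[bytes] = None) -> ET.Element:
    """Analyzer side: <idmef:Checksum algorithm="..."><value/>[<key/>]</idmef:Checksum>."""
    el = ET.Element(f"{{{IDMEF_NS}}}Checksum", {"algorithm": algorithm})
    ET.SubElement(el, f"{{{IDMEF_NS}}}value").text = compute_checksum(data, algorithm, key)
    if key is not None:
        # <key> is a STRING in the data model; hex is this example's encoding choice.
        ET.SubElement(el, f"{{{IDMEF_NS}}}key").text = key.hex()
    return el


def verify_checksum(el: ET.Element, data: bytes) -> bool:
    """Manager side: recompute from the element's own algorithm/key and compare
    in constant time.  Raises ValueError if the keyword is not registered."""
    algorithm = el.get("algorithm", "")
    value = el.findtext(f"{{{IDMEF_NS}}}value") or ""
    key_hex = el.findtext(f"{{{IDMEF_NS}}}key")
    key = bytes.fromhex(key_hex) if key_hex else None
    return hmac.compare_digest(compute_checksum(data, algorithm, key), value)


# Constructed sample file body for the demonstration; not from the RFC.
SAMPLE_FILE = b"#!/bin/sh\necho compromised > /tmp/marker\n"

if __name__ == "__main__":
    el = checksum_element(SAMPLE_FILE, "SHA2-256")
    print(ET.tostring(el, encoding="unicode"))
    print("verifies:", verify_checksum(el, SAMPLE_FILE))
    print("MD5 is weak:", is_weak("MD5"))
```

A manager that accepts messages from third-party analyzers should apply the same registry check to every enumerated attribute, not just this one: an unregistered keyword is either a vendor extension that has not gone through the registration procedure below or a malformed message, and either way it should be logged rather than silently mapped to "other".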
IDMEF Class Name:
   <provide the name of the class that contains the attribute to
   which you want to add a new value, e.g., "Address">

IDMEF Attribute Name:
   <provide the name of the attribute to which you want to add a new
   value, e.g., "category">

New Attribute Value to Be Defined:
   <provide the name of the new attribute value that you want to add,
   e.g., "sneaker-net">

Meaning of New Attribute Value:
   <describe in detail what the attribute value means -- i.e., if an
   analyzer sends this value, what is it telling the receiver of the
   information?>

Contact Person and E-Mail Address:
   <your name and e-mail address>
10.2. Adding New Attributes and Classes
To the extent possible, the IDMEF classes and attributes specified in this document have been designed to accommodate all current and near-future needs. Although it is recognized that the addition of new classes, as well as the addition of new attributes to existing classes, will be necessary in the future, these actions should not be taken lightly. Any addition of new attributes or classes should only be undertaken when the current classes and attributes simply cannot be used to represent the information in a "clean" way -- and such additions should only be made to represent generally-useful types of data. Vendor-specific information, obscure information provided by only a particular type of analyzer or used only by a particular type of manager, "pet" attributes, and the like are not good reasons to make class and attribute additions.

At the time this RFC was written, the first anticipated case for which new classes and attributes will need to be added is to handle host-based intrusion detection systems. However, such additions should not be made until some level of consensus has been reached about the set of data that will be provided by these systems.

Following the policies outlined in [9], the addition of new classes and attributes to the IDMEF requires "IETF Consensus". To add new attributes or classes, you MUST publish an RFC to document them, and get that RFC approved by the IESG. Typically, the IESG will seek input on prospective additions from appropriate persons (e.g., a relevant working group if one exists). You MUST describe any interoperability and security issues in your document.

11. References
11.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[2] Wood, M. and M. Erlinger, "Intrusion Detection Message Exchange Requirements", RFC 4766, March 2007.
[3] Sperberg-McQueen, C., Paoli, J., Maler, E., and T. Bray, "Extensible Markup Language (XML) 1.0 (Second Edition)", World Wide Web Consortium Recommendation http://www.w3.org/TR/2000/REC-xml-20001006, October 2000.

[4] Bray, T., Hollander, D., and A. Layman, "Namespaces in XML", World Wide Web Consortium Recommendation http://www.w3.org/TR/1999/REC-xml-names-19990114, January 1999.

[5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.

[6] International Organization for Standardization, "Data elements and interchange formats - Information interchange - Representation of dates and times", ISO Standard 8601, Second Edition, December 2000.

[7] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation", RFC 1305, March 1992.

[8] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI", RFC 4330, January 2006.

[9] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.

[10] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 4646, September 2006.

11.2. Informative References
[11] St. Johns, M., "Identification Protocol", RFC 1413, February 1993.

[12] Resnick, P., "Internet Message Format", RFC 2822, April 2001.

[13] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002.

[14] Rumbaugh, J., Jacobson, I., and G. Booch, "The Unified Modeling Language Reference Manual", ISBN 020130998X, 1998.
[15] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.

[16] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework", BCP 74, RFC 3584, August 2003.