Network Working Group H. Debar Request for Comments: 4765 France Telecom Category: Experimental D. Curry Guardian B. Feinstein SecureWorks, Inc. March 2007 The Intrusion Detection Message Exchange Format (IDMEF) Status of This Memo This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited. Copyright Notice Copyright (C) The IETF Trust (2007). IESG Note The content of this RFC was at one time considered by the IETF, but the working group concluded before this work was approved as a standards-track protocol. This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose and in particular notes that the decision to publish is not based on complete IETF review for such things as security, congestion control, or inappropriate interaction with deployed protocols. The IESG has chosen to publish this document in order to document the work as it was when the working group concluded and to encourage experimentation and development of the technology. Readers of this RFC should exercise caution in evaluating its value for implementation and deployment. Abstract The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. This document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided. Debar, et al. Experimental [Page 1] RFC 4765 The IDMEF March 2007 Table of Contents 1. Introduction ....................................................4 1.1. About the IDMEF Data Model .................................4 1.1.1. Problems Addressed by the Data Model ................5 1.1.2. Data Model Design Goals .............................6 1.2. About the IDMEF XML Implementation .........................7 1.2.1. The Extensible Markup Language ......................7 1.2.2. Rationale for Implementing IDMEF in XML .............8 2. Notices and Conventions Used in This Document ..................10 3. Notational Conventions and Formatting Issues ...................10 3.1. IDMEF XML Documents .......................................10 3.1.1. The Document Prolog ................................10 3.1.2. Character Data Processing in IDMEF .................11 3.1.3. Languages in IDMEF .................................12 3.2. IDMEF Data Types ..........................................12 3.2.1. Integers ...........................................12 3.2.2. Real Numbers .......................................12 3.2.3. Characters and Strings .............................13 3.2.4. Bytes ..............................................14 3.2.5. Enumerated Types ...................................14 3.2.6. Date-Time Strings ..................................14 3.2.7. NTP Timestamps .....................................16 3.2.8. Port Lists .........................................16 3.2.9. Unique Identifiers .................................17 4. The IDMEF Data Model and DTD ...................................18 4.1. Data Model Overview .......................................18 4.2. The Message Classes .......................................20 4.2.1. The IDMEF-Message Class ............................20 4.2.2. The Alert Class ....................................20 4.2.3. The Heartbeat Class ................................27 4.2.4. The Core Classes ...................................29 4.2.5. The Time Classes ...................................41 4.2.6. The Assessment Classes .............................42 4.2.7. The Support Classes ................................47 5. Extending the IDMEF ............................................79 5.1. Extending the Data Model ..................................79 5.2. Extending the IDMEF DTD ...................................80 6. Special Considerations .........................................81 6.1. XML Validity and Well-Formedness ..........................81 6.2. Unrecognized XML Tags .....................................82 6.3. Analyzer-Manager Time Synchronization .....................82 6.4. NTP Timestamp Wrap-Around .................................84 6.5. Digital Signatures ........................................85 7. Examples .......................................................85 7.1. Denial-of-Service Attacks .................................86 7.1.1. The "teardrop" Attack ..............................86 7.1.2. The "ping of death" Attack .........................87 Debar, et al. Experimental [Page 2] RFC 4765 The IDMEF March 2007 7.2. Port Scanning Attacks .....................................88 7.2.1. Connection to a Disallowed Service .................88 7.2.2. Simple Port Scanning ...............................89 7.3. Local Attacks .............................................90 7.3.1. The "loadmodule" Attack ............................90 7.3.2. The "phf" Attack ...................................93 7.3.3. File Modification ..................................94 7.4. System Policy Violation ...................................96 7.5. Correlated Alerts .........................................98 7.6. Analyzer Assessments ......................................99 7.7. Heartbeat ................................................100 7.8. XML Extension ............................................101 8. The IDMEF Document Type Definition (Normative) ................104 9. Security Considerations .......................................117 10. IANA Considerations ..........................................118 10.1. Adding Values to Existing Attributes ....................118 10.1.1. Attribute Registrations ..........................119 10.1.2. Registration Template ............................130 10.2. Adding New Attributes and Classes .......................131 11. References ...................................................131 11.1. Normative References ....................................131 11.2. Informative References ..................................132 Appendix A. Acknowledgements ....................................134 Appendix B. The IDMEF Schema Definition (Non-normative) .........135 Debar, et al. Experimental [Page 3] RFC 4765 The IDMEF March 2007 1. Introduction The Intrusion Detection Message Exchange Format (IDMEF) [2] is intended to be a standard data format that automated intrusion detection systems can use to report alerts about events that they deem suspicious. The development of this standard format will enable interoperability among commercial, open source, and research systems, allowing users to mix-and-match the deployment of these systems according to their strong and weak points to obtain an optimal implementation. The most obvious place to implement the IDMEF is in the data channel between an intrusion detection analyzer (or "sensor") and the manager (or "console") to which it sends alarms. But there are other places where the IDMEF can be useful: o a single database system that could store the results from a variety of intrusion detection products would make it possible for data analysis and reporting activities to be performed on "the whole picture" instead of just a part of it; o an event correlation system that could accept alerts from a variety of intrusion detection products would be capable of performing more sophisticated cross-correlation and cross- confirmation calculations than one that is limited to a single product; o a graphical user interface that could display alerts from a variety of intrusion detection products would enable the user to monitor all of the products from a single screen, and require him or her to learn only one interface, instead of several; and o a common data exchange format would make it easier for different organizations (users, vendors, response teams, law enforcement) to not only exchange data, but also communicate about it. The diversity of uses for the IDMEF needs to be considered when selecting its method of implementation. 1.1. About the IDMEF Data Model The IDMEF data model is an object-oriented representation of the alert data sent to intrusion detection managers by intrusion detection analyzers. Debar, et al. Experimental [Page 4] RFC 4765 The IDMEF March 2007 1.1.1. Problems Addressed by the Data Model The data model addresses several problems associated with representing intrusion detection alert data: o Alert information is inherently heterogeneous. Some alerts are defined with very little information, such as origin, destination, name, and time of the event. Other alerts provide much more information, such as ports or services, processes, user information, and so on. The data model that represents this information must be flexible to accommodate different needs. An object-oriented model is naturally extensible via aggregation and subclassing. If an implementation of the data model extends it with new classes, either by aggregation or subclassing, an implementation that does not understand these extensions will still be able to understand the subset of information that is defined by the data model. Subclassing and aggregation provide extensibility while preserving the consistency of the model. o Intrusion detection environments are different. Some analyzers detect attacks by analyzing network traffic; others use operating system logs or application audit trail information. Alerts for the same attack, sent by analyzers with different information sources, will not contain the same information. The data model defines support classes that accommodate the differences in data sources among analyzers. In particular, the notions of source and target for the alert are represented by the combination of Node, Process, Service, and User classes. o Analyzer capabilities are different. Depending on the environment, one may install a lightweight analyzer that provides little information in its alerts, or a more complex analyzer that will have a greater impact on the running system but provide more detailed alert information. The data model must allow for conversion to formats used by tools other than intrusion detection analyzers, for the purpose of further processing the alert information. The data model defines extensions to the basic Document Type Definition (DTD) that allow carrying both simple and complex alerts. Extensions are accomplished through subclassing or association of new classes. Debar, et al. Experimental [Page 5] RFC 4765 The IDMEF March 2007 o Operating environments are different. Depending on the kind of network or operating system used, attacks will be observed and reported with different characteristics. The data model should accommodate these differences. Significant flexibility in reporting is provided by the Node and Service support classes. If additional information must be reported, subclasses may be defined that extend the data model with additional attributes. o Commercial vendor objectives are different. For various reasons, vendors may wish to deliver more or less information about certain types of attacks. The object-oriented approach allows this flexibility while the subclassing rules preserve the integrity of the model. 1.1.2. Data Model Design Goals The data model was designed to provide a standard representation of alerts in an unambiguous fashion, and to permit the relationship between simple and complex alerts to be described. 1.1.2.1. Representing Events The goal of the data model is to provide a standard representation of the information that an intrusion detection analyzer reports when it detects an occurrence of some unusual event(s). These alerts may be simple or complex, depending on the capabilities of the analyzer that creates them. 1.1.2.2. Content-Driven The design of the data model is content-driven. This means that new objects are introduced to accommodate additional content, not semantic differences between alerts. This is an important goal, as the task of classifying and naming computer vulnerabilities is both extremely difficult and very subjective. The data model must be unambiguous. This means that while we allow analyzers to be more or less precise than one another (i.e., one analyzer may report more information about an event than another), we do not allow them to produce contradictory information in two alerts describing the same event (i.e., the common subset of information reported by both analyzers must be identical and inserted in the same placeholders within the alert data structure). Of course, it is always possible to insert all "interesting" information about an Debar, et al. Experimental [Page 6] RFC 4765 The IDMEF March 2007 event in extension fields of the alert instead of in the fields where it belongs; however, such practice reduces interoperability and should be avoided whenever possible. 1.1.2.3. Relationship between Alerts Intrusion detection alerts can be transmitted at several levels. This document applies to the entire range, from very simple alerts (e.g., those alerts that are the result of a single action or operation in the system, such as a failed login report) to very complex ones (e.g., the aggregation of several events causing an alert to be generated). As such, the data model must provide a way for complex alerts that aggregate several simple alerts to identify those simple alerts in the complex alert's content. 1.2. About the IDMEF XML Implementation Two implementations of the IDMEF were originally proposed to the Intrusion Detection Working Group (IDWG): one using the Structure of Management Information (SMI) to describe a Simple Network Management Protocol (SNMP) MIB, and the other using a DTD to describe XML documents. These proposed implementations were reviewed by the IDWG at its September 1999 and February 2000 meetings; it was decided at the February meeting that the XML solution was best at fulfilling the IDWG requirements. 1.2.1. The Extensible Markup Language The Extensible Markup Language (XML) [3] is a simplified version of the Standard Generalized Markup Language (SGML), a syntax for specifying text markup defined by the ISO 8879 standard. XML is gaining widespread attention as a language for representing and exchanging documents and data on the Internet, and as the solution to most of the problems inherent in HyperText Markup Language (HTML). XML was published as a recommendation by the World Wide Web Consortium (W3C) on February 10, 1998. XML is a metalanguage -- a language for describing other languages -- that enables an application to define its own markup. XML allows the definition of customized markup languages for different types of documents and different applications. This differs from HTML, in which there is a fixed set of identifiers with preset meanings that must be "adapted" for specialized uses. Both XML and HTML use elements (tags) (identifiers delimited by '<' and '>') and attributes Debar, et al. Experimental [Page 7] RFC 4765 The IDMEF March 2007 (of the form "name='value'"). But where "

" always means "paragraph" in HTML, it may mean "paragraph", "person", "price", or "platypus" in XML, or it might have no meaning at all, depending on the particular application. NOTE: XML provides both a syntax for declaring document markup and structure (i.e., defining elements and attributes, specifying the order in which they appear, and so on) and a syntax for using that markup in documents. Because markup declarations look radically different from markup, many people are confused as to which syntax is called XML. The answer is that they both are, because they are actually both part of the same language. For clarity in this document, we will use the terms "XML" and "XML documents" when speaking in the general case, and the term "IDMEF markup" when speaking specifically of the elements (tags) and attributes that describe IDMEF messages. The publication of XML was followed by the publication of a second recommendation [4] by the World Wide Web Consortium, defining the use of namespaces in XML documents. An XML namespace is a collection of names, identified by a Uniform Resource Identifier (URI) [5]. When using namespaces, each tag is identified with the namespace it comes from, allowing tags from different namespaces with the same names to occur in the same document. For example, a single document could contain both "usa:football" and "europe:football" tags, each with different meanings. In anticipation of the widespread use of XML namespaces, this memo includes the definition of the URI to be used to identify the IDMEF namespace. 1.2.2. Rationale for Implementing IDMEF in XML XML-based applications are being used or developed for a wide variety of purposes, including electronic data interchange in a variety of fields, financial data interchange, electronic business cards, calendar and scheduling, enterprise software distribution, web "push" technology, and markup languages for chemistry, mathematics, music, molecular dynamics, astronomy, book and periodical publishing, web publishing, weather observations, real estate transactions, and many others. XML's flexibility makes it a good choice for these applications; that same flexibility makes it a good choice for implementing the IDMEF as well. Other, more specific reasons for choosing XML to implement the IDMEF are: Debar, et al. Experimental [Page 8] RFC 4765 The IDMEF March 2007 o XML allows a custom language to be developed specifically for the purpose of describing intrusion detection alerts. It also defines a standard way to extend this language, either for later revisions of this document ("standard" extensions) or for vendor-specific use ("non-standard" extensions). o Software tools for processing XML documents are widely available, in both commercial and open source forms. Numerous tools and APIs for parsing and/or validating XML are available in a variety of languages, including Java, C, C++, Tcl, Perl, Python, and GNU Emacs Lisp. Widespread access to tools will make adoption of the IDMEF by product developers easier, and hopefully, faster. o XML meets IDMEF Requirement 5.1 [2], that message formats support full internationalization and localization. The XML standard requires support for both the UTF-8 and UTF-16 encodings of ISO/ IEC 10646 (Universal Multiple-Octet Coded Character Set, "UCS") and Unicode, making all XML applications (and therefore all IDMEF- compliant applications) compatible with these common character encodings. XML also provides support for specifying, on a per-element basis, the language in which the element's content is written, making IDMEF easy to adapt to "Natural Language Support" versions of a product. o XML meets IDMEF Requirement 5.2 [2], that message formats must support filtering and aggregation. XML's integration with XSL, a style language, allows messages to be combined, discarded, and rearranged. o Ongoing XML development projects, in the W3C and elsewhere, will provide object-oriented extensions, database support, and other useful features. If implemented in XML, the IDMEF immediately gains these features as well. o XML is free, with no license, no license fees, and no royalties. Debar, et al. Experimental [Page 9] RFC 4765 The IDMEF March 2007 2. Notices and Conventions Used in This Document The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1]. An "IDMEF-compliant application" is a program or program component, such as an analyzer or manager, that reads and/or writes messages in the format specified by this memo. An "IDMEF document" is a message that adheres to the requirements specified by this memo and that is exchanged by two or more IDMEF applications. "IDMEF message" is another term for an "IDMEF document". 3. Notational Conventions and Formatting Issues This document uses three notations: Unified Modeling Language to describe the data model [14], XML to describe the markup used in IDMEF documents, and IDMEF markup to represent the documents themselves. 3.1. IDMEF XML Documents This section describes IDMEF XML document formatting rules. Most of these rules are "inherited" from the rules for formatting XML documents. 3.1.1. The Document Prolog The format of an IDMEF XML document prolog is described in the following sections. 3.1.1.1. XML Declaration IDMEF documents being exchanged between IDMEF-compliant applications MUST begin with an XML declaration, and MUST specify the XML version in use. Specification of the encoding in use is RECOMMENDED. An IDMEF message SHOULD therefore start with: Debar, et al. Experimental [Page 10] RFC 4765 The IDMEF March 2007 IDMEF-compliant applications MAY choose to omit the XML declaration internally to conserve space, adding it only when the message is sent to another destination (e.g., a web browser). This practice is NOT RECOMMENDED unless it can be accomplished without loss of each message's version and encoding information. In order to be valid (see Section 6.1), an XML document must contain a document type definition. However, this represents significant overhead to an IDMEF-compliant application, both in the bandwidth it consumes as well as the requirements it places on the XML processor (not only to parse the declaration itself, but also to parse the DTD it references). Implementors MAY decide, therefore, to have analyzers and managers agree out-of-band on the particular document type definition they will be using to exchange messages (the standard one as defined here, or one with extensions), and then omit the document type definition from IDMEF messages. The method for negotiating this agreement is outside the scope of this document. Note that great care must be taken in negotiating any such agreements, as the manager may have to accept messages from many different analyzers, each using a DTD with a different set of extensions. 3.1.2. Character Data Processing in IDMEF For portability reasons, IDMEF-compliant applications SHOULD NOT use, and IDMEF messages SHOULD NOT be encoded in, character encodings other than UTF-8 and UTF-16. Consistent with the XML standard, if no encoding is specified for an IDMEF message, UTF-8 is assumed. NOTE: The ASCII character set is a subset of the UTF-8 encoding, and therefore may be used to encode IDMEF messages. Per the XML standard, IDMEF documents encoded in UTF-16 MUST begin with the Byte Order Mark described by ISO/IEC 10646 Annex E and Unicode Appendix B (the "ZERO WIDTH NO-BREAK SPACE" character, #xFEFF). 3.1.2.1. Character Entity References It is RECOMMENDED that IDMEF-compliant applications use the entity reference form (see Section 3.2.3.1) of the characters '&', ,'<', '>', '"', and ''' (single-quote) whenever writing these characters in data, to avoid any possibility of misinterpretation. 3.1.2.2. White Space Processing All IDMEF elements MUST support the "xml:space" attribute. Debar, et al. Experimental [Page 11] RFC 4765 The IDMEF March 2007 3.1.3. Languages in IDMEF IDMEF-compliant applications MUST specify the language in which their contents are encoded; in general this can be done by specifying the "xml:lang" attribute for the top-level element and letting all other elements "inherit" that definition [10]. 3.2. IDMEF Data Types Within an XML IDMEF message, all data will be expressed as "text" (as opposed to "binary"), since XML is a text formatting language. We provide typing information for the attributes of the classes in the data model, however, to convey to the reader the type of data that the model expects for each attribute. Each data type in the model has specific formatting requirements in an XML IDMEF message; these requirements are set forth in this section. 3.2.1. Integers Integer attributes are represented by the INTEGER data type. Integer data MUST be encoded in Base 10 or Base 16. Base 10 integer encoding uses the digits '0' through '9' and an optional sign ('+' or '-'). For example, "123", "-456". Base 16 integer encoding uses the digits '0' through '9' and 'a' through 'f' (or their uppercase equivalents), and is preceded by the characters "0x". For example, "0x1a2b". 3.2.2. Real Numbers Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10. Real encoding is that of the POSIX 1003.1 "strtod" library function: an optional sign ('+' or '-') followed by a non-empty string of decimal digits, optionally containing a radix character, then an optional exponent part. An exponent part consists of an 'e' or 'E', followed by an optional sign, followed by one or more decimal digits. For example, "123.45e02", "-567,89e-03". IDMEF-compliant applications MUST support both the '.' and ',' radix characters. Debar, et al. Experimental [Page 12] RFC 4765 The IDMEF March 2007 3.2.3. Characters and Strings Single-character attributes are represented by the CHARACTER data type. Multi-character attributes of known length are represented by the STRING data type. Character and string data have no special formatting requirements, other than the need to occasionally use character references (see Section 3.2.3.1 and Section 3.2.3.2) to represent special characters. 3.2.3.1. Character Entity References Within XML documents, certain characters have special meanings in some contexts. To include the actual character itself in one of these contexts, a special escape sequence, called an entity reference, must be used. The characters that sometimes need to be escaped, and their entity references, are: +-----------+------------------+ | Character | Entity Reference | +-----------+------------------+ | & | & | | | | | < | < | | | | | > | > | | | | | " | " | | | | | ' | ' | +-----------+------------------+ 3.2.3.2. Character Code References Any character defined by the ISO/IEC 10646 and Unicode standards may be included in an XML document by the use of a character reference. A character reference is started with the characters '&' and '#', and ended with the character ';'. Between these characters, the character code for the character is inserted. If the character code is preceded by an 'x' it is interpreted in hexadecimal (base 16); otherwise, it is interpreted in decimal (base 10). For instance, the ampersand (&) is encoded as & or & and the less-than sign (<) is encoded as < or <. Debar, et al. Experimental [Page 13] RFC 4765 The IDMEF March 2007 Any one-, two-, or four-byte character specified in the ISO/IEC 10646 and Unicode standards can be included in a document using this technique. 3.2.4. Bytes Binary data is represented by the BYTE (and BYTE[]) data type. Binary data MUST be encoded in its entirety using base64. 3.2.5. Enumerated Types Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values. 3.2.6. Date-Time Strings Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported. Date-time strings are formatted according to a subset of ISO 8601: 2000 [6], as show below. Section references in parentheses refer to sections of the ISO 8601:2000 standard [6]. 1. Dates MUST be formatted as follows: YYYY-MM-DD where YYYY is the four-digit year, MM is the two-digit month (01-12), and DD is the two-digit day (01-31). (Section 5.2.1.1, "Complete representation -- Extended format".) 2. Times MUST be formatted as follows: hh:mm:ss where hh is the two-digit hour (00-24), mm is the two-digit minute (00-59), and ss is the two-digit second (00-60). (Section 5.3.1.1, "Complete representation -- Extended format".) Note that midnight has two representations, 00:00:00 and 24:00:00. Both representations MUST be supported by IDMEF- compliant applications; however, the 00:00:00 representation SHOULD be used whenever possible. Debar, et al. Experimental [Page 14] RFC 4765 The IDMEF March 2007 Note also that this format accounts for leap seconds. Positive leap seconds are inserted between 23:59:59Z and 24:00:00Z and are represented as 23:59:60Z. Negative leap seconds are achieved by the omission of 23:59:59Z. IDMEF-compliant applications MUST support leap seconds. 3. Times MAY be formatted to include a decimal fraction of seconds, as follows: hh:mm:ss.ss or hh:mm:ss,ss As many digits as necessary may follow the decimal sign (at least one digit must follow the decimal sign). Decimal fractions of hours and minutes are not supported. (Section 5.3.1.3, "Representation of decimal fractions".) IDMEF-compliant applications MUST support the use of both decimal signs ('.' and ','). Note that the number of digits in the fraction part does not imply anything about accuracy -- i.e., "00.100000", "00,1000", and "00.1" are all equivalent. 4. Times MUST be formatted to include (a) an indication that the time is in Coordinated Universal Time (UTC) or (b) an indication of the difference between the specified time and Coordinated Universal Time. * Times in UTC MUST be formatted by appending the letter 'Z' to the time string as follows: hh:mm:ssZ hh:mm:ss.ssZ hh:mm:ss,ssZ (Section 5.3.3, "Coordinated Universal Time (UTC) -- Extended format".) * If the time is ahead of or equal to UTC, a '+' sign is appended to the time string; if the time is behind UTC, a '-' sign is appended. Following the sign, the number of hours and minutes representing the different from UTC is appended, as follows: hh:mm:ss+hh:mm hh:mm:ss-hh:mm hh:mm:ss.ss+hh:mm Debar, et al. Experimental [Page 15] RFC 4765 The IDMEF March 2007 hh:mm:ss.ss-hh:mm hh:mm:ss,ss+hh:mm hh:mm:ss,ss-hh:mm The difference from UTC MUST be specified in both hours and minutes, even if the minutes component is 0. A "difference" of "+00:00" is equivalent to UTC. (Section 5.3.4.2, "Local time and the difference with Coordinated Universal Time -- Extended Format".) 5. Date-time strings are created by joining the date and time strings with the letter 'T', as shown below: YYYY-MM-DDThh:mm:ssZ YYYY-MM-DDThh:mm:ss.ssZ YYYY-MM-DDThh:mm:ss,ssZ YYYY-MM-DDThh:mm:ss+hh:mm YYYY-MM-DDThh:mm:ss-hh:mm YYYY-MM-DDThh:mm:ss.ss+hh:mm YYYY-MM-DDThh:mm:ss.ss-hh:mm YYYY-MM-DDThh:mm:ss,ss+hh:mm YYYY-MM-DDThh:mm:ss,ss-hh:mm (Section 5.4.1, "Complete representation -- Extended format".) In summary, IDMEF date-time strings MUST adhere to one of the nine templates identified in Paragraph 5, above. 3.2.7. NTP Timestamps NTP timestamps are represented by the NTPSTAMP data type and are described in detail in [7] and [8]. An NTP timestamp is a 64-bit unsigned fixed-point number. The integer part is in the first 32 bits, and the fraction part is in the last 32 bits. Within IDMEF messages, NTP timestamps MUST be encoded as two 32-bit hexadecimal values, separated by a period ('.'). For example, "0x12345678.0x87654321". See also Section 6.4 for more information on NTP timestamps. 3.2.8. Port Lists Port lists are represented by the PORTLIST data type and consist of a comma-separated list of numbers (individual integers) and ranges (N-M means ports N through M, inclusive). Any combination of numbers and ranges may be used in a single list. For example, "5-25,37,42,43,53,69-119,123-514". Debar, et al. Experimental [Page 16] RFC 4765 The IDMEF March 2007 3.2.9. Unique Identifiers There are two types of unique identifiers used in this specification. Both types are represented by STRING data types. These identifiers are implemented as attributes on the relevant XML elements, and they must have unique values as follows: 1. The Analyzer class' (Section 4.2.4.1) "analyzerid" attribute, if specified, MUST have a value that is unique across all analyzers in the intrusion detection environment. The "analyzerid" attribute is not required to be globally unique, only unique within the intrusion detection environment of which the analyzer is a member. It is permissible for two analyzers, in different intrusion detection environments, to have the same value for "analyzerid". The default value is "0", which indicates that the analyzer cannot generate unique identifiers. 2. The Alert and Heartbeat messages (Sections 4.2.2, 4.2.3) must be uniquely identified by the couple (analyzerid,messageid), if the analyzer supports the generation of message identifiers. 3. The Classification, Source, Target, Node, User, Process, Service, File, Address, and UserId classes' (Sections 4.2.4.2, 4.2.4.3, 4.2.4.4, 4.2.7.2, 4.2.7.3, 4.2.7.4, 4.2.7.5, 4.2.7.6, 4.2.7.2.1, and 4.2.7.3.1) "ident" attribute, if specified, MUST have a value that is unique across all messages sent by the individual analyzer. The "ident" attribute value MUST be unique for each particular combination of data identifying an object, not for each object. Objects may have more than one "ident" value associated with them. For example, an identification of a host by name would have one value, while an identification of that host by address would have another value, and an identification of that host by both name and address would have still another value. Furthermore, different analyzers may produce different values for the same information. The "ident" attribute by itself provides a unique identifier only among all the "ident" values sent by a particular analyzer. But when combined with the "analyzerid" value for the analyzer, a value that is unique across the intrusion detection environment is created. Again, there is no requirement for global uniqueness. Debar, et al. Experimental [Page 17] RFC 4765 The IDMEF March 2007 The default value is "0", which indicates that the analyzer cannot generate unique identifiers. The specification of methods for creating the unique values contained in these attributes is outside the scope of this document. 4. The IDMEF Data Model and DTD In this section, the individual components of the IDMEF data model are explained in detail. Unified Modeling Language (UML) diagrams of the model are provided to show how the components are related to each other, and relevant sections of the IDMEF DTD are presented to show how the model is translated into XML. 4.1. Data Model Overview The relationship between the principal components of the data model is shown in Figure 1 (occurrence indicators and attributes are omitted). The top-level class for all IDMEF messages is IDMEF-Message; each type of message is a subclass of this top-level class. There are presently two types of messages defined: Alerts and Heartbeats. Within each message, subclasses of the message class are used to provide the detailed information carried in the message. It is important to note that the data model does not specify how an alert should be classified or identified. For example, a port scan may be identified by one analyzer as a single attack against multiple targets, while another analyzer might identify it as multiple attacks from a single source. However, once an analyzer has determined the type of alert it plans to send, the data model dictates how that alert should be formatted. Debar, et al. Experimental [Page 18] RFC 4765 The IDMEF March 2007 IDMEF-Message /_\ | +--------------------+-------------+ | | +-------+ +--------------+ +-----------+ +----------------+ | Alert |<>-| Analyzer | | Heartbeat |<>-| Analyzer | +-------+ +--------------+ +-----------+ +----------------+ | | +--------------+ | | +----------------+ | |<>-| CreateTime | | |<>-| CreateTime | | | +--------------+ | | +----------------+ | | +--------------+ | | +----------------+ | |<>-| DetectTime | | |<>-| AdditionalData | | | +--------------+ +-----------+ +----------------+ | | +--------------+ | |<>-| AnalyzerTime | | | +--------------+ | | +--------+ +----------+ | |<>-| Source |<>-| Node | | | +--------+ +----------+ | | | | +----------+ | | | |<>-| User | | | | | +----------+ | | | | +----------+ | | | |<>-| Process | | | | | +----------+ | | | | +----------+ | | | |<>-| Service | | | +--------+ +----------+ | | +--------+ +----------+ | |<>-| Target |<>-| Node | | | +--------+ +----------+ | | | | +----------+ | | | |<>-| User | | | | | +----------+ | | | | +----------+ | | | |<>-| Process | | | | | +----------+ | | | | +----------+ | | | |<>-| Service | +----------------+ | | | | +----------+ +----| Classification | | | | | +----------+ | +----------------+ | | | |<>-| File | | +----------------+ | | +--------+ +----------+ | +--| Assessment | | |<>----------------------------+ | +----------------+ | |<>------------------------------+ +----------------+ | |<>---------------------------------| AdditionalData | +-------+ +----------------+ Debar, et al. Experimental [Page 19] RFC 4765 The IDMEF March 2007 Figure 1: Data Model Overview 4.2. The Message Classes The individual classes are described in the following sections. 4.2.1. The IDMEF-Message Class All IDMEF messages are instances of the IDMEF-Message class; it is the top-level class of the IDMEF data model, as well as the IDMEF DTD. There are currently two types (subclasses) of IDMEF-Message: Alert and Heartbeat. The IDMEF-Message class has a single attribute: version The version of the IDMEF-Message specification (this document) this message conforms to. Applications specifying a value for this attribute MUST specify the value "1.0". 4.2.2. The Alert Class Generally, every time an analyzer detects an event that it has been configured to look for, it sends an Alert message to its manager(s). Depending on the analyzer, an Alert message may correspond to a single detected event or multiple detected events. Alerts occur asynchronously in response to outside events. An Alert message is composed of several aggregate classes, as shown in Figure 2. The aggregate classes themselves are described in Section 4.2.4, Section 4.2.5, and Section 4.2.6. Debar, et al. Experimental [Page 20] RFC 4765 The IDMEF March 2007 +-------------------+ | Alert | +-------------------+ +------------------+ | STRING messageid |<>----------| Analyzer | | | +------------------+ | | +------------------+ | |<>----------| CreateTime | | | +------------------+ | | +------------------+ | |<>----------| Classification | | | +------------------+ | | 0..1 +------------------+ | |<>----------| DetectTime | | | +------------------+ | | 0..1 +------------------+ | |<>----------| AnalyzerTime | | | +------------------+ | | 0..* +------------------+ | |<>----------| Source | | | +------------------+ | | 0..* +------------------+ | |<>----------| Target | | | +------------------+ | | 0..1 +------------------+ | |<>----------| Assessment | | | +------------------+ | | 0..* +------------------+ | |<>----------| AdditionalData | | | +------------------+ +-------------------+ /_\ | +----+------------+-------------+ | | | +-------------------+ | +-------------------+ | ToolAlert | | | CorrelationAlert | +-------------------+ | +-------------------+ | +-------------------+ | OverflowAlert | +-------------------+ Figure 2: The Alert Class Debar, et al. Experimental [Page 21] RFC 4765 The IDMEF March 2007 The aggregate classes that make up Alert are: Analyzer Exactly one. Identification information for the analyzer that originated the alert. CreateTime Exactly one. The time the alert was created. Of the three times that may be provided with an Alert, this is the only one that is required. Classification Exactly one. The "name" of the alert, or other information allowing the manager to determine what it is. DetectTime Zero or one. The time the event(s) leading up to the alert was detected. In the case of more than one event, the time the first event was detected. In some circumstances, this may not be the same value as CreateTime. AnalyzerTime Zero or one. The current time on the analyzer (see Section 6.3). Source Zero or more. The source(s) of the event(s) leading up to the alert. Target Zero or more. The target(s) of the event(s) leading up to the alert. Assessment Zero or one. Information about the impact of the event, actions taken by the analyzer in response to it, and the analyzer's confidence in its evaluation. Debar, et al. Experimental [Page 22] RFC 4765 The IDMEF March 2007 AdditionalData Zero or more. Information included by the analyzer that does not fit into the data model. This may be an atomic piece of data, or a large amount of data provided through an extension to the IDMEF (see Section 5). Alert is represented in the IDMEF DTD as follows: The Alert class has one attribute: messageid Optional. A unique identifier for the alert; see Section 3.2.9. 4.2.2.1. The ToolAlert Class The ToolAlert class carries additional information related to the use of attack tools or malevolent programs such as Trojan horses and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool". The ToolAlert class is composed of three aggregate classes, as shown in Figure 3. Debar, et al. Experimental [Page 23] RFC 4765 The IDMEF March 2007 +------------------+ | Alert | +------------------+ /_\ | +------------------+ | ToolAlert | +------------------+ +-------------------+ | |<>----------| name | | | +-------------------+ | | 0..1 +-------------------+ | |<>----------| command | | | +-------------------+ | | 1..* +-------------------+ | |<>----------| alertident | | | +-------------------+ | | | STRING analyzerid | | | +-------------------+ +------------------+ Figure 3: The ToolAlert Class The aggregate classes that make up ToolAlert are: name Exactly one. STRING. The reason for grouping the alerts together, for example, the name of a particular tool. command Zero or one. STRING. The command or operation that the tool was asked to perform, for example, a BackOrifice ping. alertident One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert. Debar, et al. Experimental [Page 24] RFC 4765 The IDMEF March 2007 This is represented in the IDMEF DTD as follows: 4.2.2.2. The CorrelationAlert Class The CorrelationAlert class carries additional information related to the correlation of alert information. It is intended to group one or more previously-sent alerts together, to say "these alerts are all related". The CorrelationAlert class is composed of two aggregate classes, as shown in Figure 4. +------------------+ | Alert | +------------------+ /_\ | +------------------+ | CorrelationAlert | +------------------+ +-------------------+ | |<>----------| name | | | +-------------------+ | | 1..* +-------------------+ | |<>----------| alertident | | | +-------------------+ | | | STRING analyzerid | | | +-------------------+ +------------------+ Figure 4: The CorrelationAlert Class The aggregate classes that make up CorrelationAlert are: name Exactly one. STRING. The reason for grouping the alerts together, for example, a particular correlation method. Debar, et al. Experimental [Page 25] RFC 4765 The IDMEF March 2007 alertident One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the CorrelationAlert. This is represented in the IDMEF DTD as follows. 4.2.2.3. The OverflowAlert Class The OverflowAlert carries additional information related to buffer overflow attacks. It is intended to enable an analyzer to provide the details of the overflow attack itself. The OverflowAlert class is composed of three aggregate classes, as shown in Figure 5. +------------------+ | Alert | +------------------+ /_\ | +------------------+ | OverflowAlert | +------------------+ +---------+ | |<>----------| program | | | +---------+ | | 0..1 +---------+ | |<>----------| size | | | +---------+ | | 0..1 +---------+ | |<>----------| buffer | | | +---------+ +------------------+ Figure 5: The OverflowAlert Class Debar, et al. Experimental [Page 26] RFC 4765 The IDMEF March 2007 The aggregate classes that make up OverflowAlert are: program Exactly one. STRING. The program that the overflow attack attempted to run (NOTE: this is not the program that was attacked). size Zero or one. INTEGER. The size, in bytes, of the overflow (i.e., the number of bytes the attacker sent). buffer Zero or one. BYTE[]. Some or all of the overflow data itself (dependent on how much the analyzer can capture). This is represented in the IDMEF DTD as follows: 4.2.3. The Heartbeat Class Analyzers use Heartbeat messages to indicate their current status to managers. Heartbeats are intended to be sent in a regular period, say, every ten minutes or every hour. The receipt of a Heartbeat message from an analyzer indicates to the manager that the analyzer is up and running; lack of a Heartbeat message (or more likely, lack of some number of consecutive Heartbeat messages) indicates that the analyzer or its network connection has failed. All managers MUST support the receipt of Heartbeat messages; however, the use of these messages by analyzers is OPTIONAL. Developers of manager software SHOULD permit the software to be configured on a per-analyzer basis to use/not use Heartbeat messages. A Heartbeat message is composed of several aggregate classes, as shown in Figure 6. The aggregate classes themselves are described in Sections 4.2.4 and 4.2.5. Debar, et al. Experimental [Page 27] RFC 4765 The IDMEF March 2007 +------------------+ | Heartbeat | +------------------+ +------------------+ | STRING messageid |<>----------| Analyzer | | | +------------------+ | | +------------------+ | |<>----------| CreateTime | | | +------------------+ | | 0..1 +------------------+ | |<>----------| HeartbeatInterval| | | +------------------+ | | 0..1 +------------------+ | |<>----------| AnalyzerTime | | | +------------------+ | | 0..* +------------------+ | |<>----------| AdditionalData | | | +------------------+ +------------------+ Figure 6: The Heartbeat Class The aggregate classes that make up Heartbeat are: Analyzer Exactly one. Identification information for the analyzer that originated the heartbeat. CreateTime Exactly one. The time the heartbeat was created. HeartbeatInterval Zero or one. The interval in seconds at which heartbeats are generated. AnalyzerTime Zero or one. The current time on the analyzer (see Section 6.3). AdditionalData Zero or more. Information included by the analyzer that does not fit into the data model. This may be an atomic piece of data or a large amount of data provided through an extension to the IDMEF (see Section 5). Debar, et al. Experimental [Page 28] RFC 4765 The IDMEF March 2007 This is represented in the IDMEF DTD as follows: The Heartbeat class has one attribute: messageid Optional. A unique identifier for the heartbeat; see Section 3.2.9. 4.2.4. The Core Classes The core classes -- Analyzer, Source, Target, Classification, and AdditionalData -- are the main parts of Alerts and Heartbeats, as shown in Figure 7. +-----------+ +----------------+ | Heartbeat | +-------| Analyzer | +-----------+ | +----------------+ | |<>---+--+ +-----------+ | | 0..* +----------------+ | +-------| AdditionalData | | +----------------+ +-----------+ | | Alert | | 0..* +----------------+ +-----------+ | +-------| Source | | |<>---+ | +----------------+ | | | 0..* +----------------+ | | +-------| Target | | | | +----------------+ | |<>------+ +-----------+ | +----------------+ +-------| Classification | +----------------+ Figure 7: The Core Classes Debar, et al. Experimental [Page 29] RFC 4765 The IDMEF March 2007 4.2.4.1. The Analyzer Class The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated. Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the "relay" analyzers along the path from the originating analyzer to the manager that ultimately receives the alert. The Analyzer class is composed of three aggregate classes, as shown in Figure 8. +---------------------+ | Analyzer | +---------------------+ 0..1 +----------+ | STRING analyzerid |<>----------| Node | | STRING name | +----------+ | STRING manufacturer | | STRING model | 0..1 +----------+ | STRING version |<>----------| Process | | STRING class | +----------+ | STRING ostype | 0..1 +----------+ | STRING osversion |<>----------| Analyzer | +---------------------+ +----------+ Figure 8: The Analyzer Class The aggregate classes that make up Analyzer are: Node Zero or one. Information about the host or device on which the analyzer resides (network address, network name, etc.). Process Zero or one. Information about the process in which the analyzer is executing. Analyzer Zero or one. Information about the analyzer from which the message may have gone through. The idea behind this mechanism is that when a manager receives an alert and wants to forward it to another analyzer, it needs to substitute the original analyzer Debar, et al. Experimental [Page 30] RFC 4765 The IDMEF March 2007 information with its own. To preserve the original analyzer information, it may be included in the new analyzer definition. This will allow analyzer path tracking. This is represented in the IDMEF DTD as follows: The Analyzer class has eight attributes: analyzerid Optional (but see below). A unique identifier for the analyzer; see Section 3.2.9. This attribute is only "partially" optional. If the analyzer makes use of the "ident" attributes on other classes to provide unique identifiers for those objects, then it MUST also provide a valid "analyzerid" attribute. This requirement is dictated by the uniqueness requirements of the "ident" attribute (they are unique only within the context of a particular "analyzerid"). If the analyzer does not make use of the "ident" attributes, however, it may also omit the "analyzerid" attribute. name Optional. An explicit name for the analyzer that may be easier to understand than the analyzerid. manufacturer Optional. The manufacturer of the analyzer software and/or hardware. Debar, et al. Experimental [Page 31] RFC 4765 The IDMEF March 2007 model Optional. The model name/number of the analyzer software and/or hardware. version Optional. The version number of the analyzer software and/or hardware. class Optional. The class of analyzer software and/or hardware. ostype Optional. Operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command. osversion Optional. Operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command. The "manufacturer", "model", "version", and "class" attributes' contents are vendor-specific, but may be used together to identify different types of analyzers (and perhaps make determinations about the contents to expect in other vendor-specific fields of IDMEF messages). 4.2.4.2. The Classification Class The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is. This name is chosen by the alert provider. The Classification class is composed of one aggregate class, as shown in Figure 9. Debar, et al. Experimental [Page 32] RFC 4765 The IDMEF March 2007 +----------------+ | Classification | +----------------+ 0..* +-----------+ | STRING ident |<>----------| Reference | | STRING text | +-----------+ +----------------+ Figure 9: The Classification Class The aggregate class that makes up Classification is: Reference Zero or more. Information about the message, pointing to external documentation sites, that will provide background information about the alert. This is represented in the IDMEF DTD as follows: The Classification class has two attributes: ident Optional. A unique identifier for this classification; see Section 3.2.9. text Required. A vendor-provided string identifying the Alert message. 4.2.4.3. The Source Class The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial-of-service attack). The Source class is composed of four aggregate classes, as shown in Figure 10. Debar, et al. Experimental [Page 33] RFC 4765 The IDMEF March 2007 +------------------+ | Source | +------------------+ 0..1 +---------+ | STRING ident |<>----------| Node | | ENUM spoofed | +---------+ | STRING interface | 0..1 +---------+ | |<>----------| User | | | +---------+ | | 0..1 +---------+ | |<>----------| Process | | | +---------+ | | 0..1 +---------+ | |<>----------| Service | | | +---------+ +------------------+ Figure 10: The Source Class The aggregate classes that make up Source are: Node Zero or one. Information about the host or device that appears to be causing the events (network address, network name, etc.). User Zero or one. Information about the user that appears to be causing the event(s). Process Zero or one. Information about the process that appears to be causing the event(s). Service Zero or one. Information about the network service involved in the event(s). Debar, et al. Experimental [Page 34] RFC 4765 The IDMEF March 2007 This is represented in the IDMEF DTD as follows: The Source class has three attributes: ident Optional. A unique identifier for this source; see Section 3.2.9. spoofed Optional. An indication of whether the source is, as far as the analyzer can determine, a spoofed address used for hiding the real origin of the attack. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.) +------+---------+----------------------------------------+ | Rank | Keyword | Description | +------+---------+----------------------------------------+ | 0 | unknown | Accuracy of source information unknown | | | | | | 1 | yes | Source is believed to be a decoy | | | | | | 2 | no | Source is believed to be "real" | +------+---------+----------------------------------------+ interface Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this source was seen on. 4.2.4.4. The Target Class The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep). Debar, et al. Experimental [Page 35] RFC 4765 The IDMEF March 2007 The Target class is composed of four aggregate classes, as shown in Figure 11. +------------------+ | Target | +------------------+ 0..1 +----------+ | STRING ident |<>----------| Node | | ENUM decoy | +----------+ | STRING interface | 0..1 +----------+ | |<>----------| User | | | +----------+ | | 0..1 +----------+ | |<>----------| Process | | | +----------+ | | 0..1 +----------+ | |<>----------| Service | | | +----------+ | | 0..n +----------+ | |<>----------| File | | | +----------+ +------------------+ Figure 11: The Target Class The aggregate classes that make up Target are: Node Zero or one. Information about the host or device at which the event(s) (network address, network name, etc.) is being directed. User Zero or one. Information about the user at which the event(s) is being directed. Process Zero or one. Information about the process at which the event(s) is being directed. Service Zero or one. Information about the network service involved in the event(s). Debar, et al. Experimental [Page 36] RFC 4765 The IDMEF March 2007 File Optional. Information about file(s) involved in the event(s). This is represented in the IDMEF DTD as follows: The Target class has three attributes: ident Optional. A unique identifier for this target, see Section 3.2.9. decoy Optional. An indication of whether the target is, as far as the analyzer can determine, a decoy. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.) +------+---------+----------------------------------------+ | Rank | Keyword | Description | +------+---------+----------------------------------------+ | 0 | unknown | Accuracy of target information unknown | | | | | | 1 | yes | Target is believed to be a decoy | | | | | | 2 | no | Target is believed to be "real" | +------+---------+----------------------------------------+ interface Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this target was seen on. Debar, et al. Experimental [Page 37] RFC 4765 The IDMEF March 2007 4.2.4.5. The Assessment Class The Assessment class is used to provide the analyzer's assessment of an event -- its impact, actions taken in response, and confidence. The Assessment class is composed of three aggregate classes, as shown in Figure 12. +------------------+ | Assessment | +------------------+ 0..1 +------------+ | |<>----------| Impact | | | +------------+ | | 0..* +------------+ | |<>----------| Action | | | +------------+ | | 0..1 +------------+ | |<>----------| Confidence | | | +------------+ +------------------+ Figure 12: The Assessment Class The aggregate classes that make up Assessment are: Impact Zero or one. The analyzer's assessment of the impact of the event on the target(s). Action Zero or more. The action(s) taken by the analyzer in response to the event. Confidence Zero or one. A measurement of the confidence the analyzer has in its evaluation of the event. This is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 38] RFC 4765 The IDMEF March 2007 4.2.4.6. The AdditionalData Class The AdditionalData class is used to provide information that cannot be represented by the data model. AdditionalData can be used to provide atomic data (integers, strings, etc.) in cases where only small amounts of additional information need to be sent; it can also be used to extend the data model and the DTD to support the transmission of complex data (such as packet headers). Detailed instructions for extending the data model and the DTD are provided in Section 5. +------+-------------+----------------------------------------------+ | Rank | Keyword | Description | +------+-------------+----------------------------------------------+ | 0 | boolean | The element contains a boolean value, i.e., | | | | the strings "true" or "false" | | | | | | 1 | byte | The element content is a single 8-bit byte | | | | (see Section 3.2.4) | | | | | | 2 | character | The element content is a single character | | | | (see Section 3.2.3) | | | | | | 3 | date-time | The element content is a date-time string | | | | (see Section 3.2.6) | | | | | | 4 | integer | The element content is an integer (see | | | | Section 3.2.1) | | | | | | 5 | ntpstamp | The element content is an NTP timestamp (see | | | | Section 3.2.7) | | | | | | 6 | portlist | The element content is a list of ports (see | | | | Section 3.2.8) | | | | | | 7 | real | The element content is a real number (see | | | | Section 3.2.2) | | | | | | 8 | string | The element content is a string (see | | | | Section 3.2.3) | | | | | | 9 | byte-string | The element is a byte[] (see Section 3.2.4) | | | | | | 10 | xmltext | The element content is XML-tagged data (see | | | | Section 5.2) | +------+-------------+----------------------------------------------+ Debar, et al. Experimental [Page 39] RFC 4765 The IDMEF March 2007 The AdditionalData element is declared in the IDMEF DTD as follows: The AdditionalData class has one attribute: meaning Optional. A string describing the meaning of the element content. These values will be vendor/implementation dependent; the method for ensuring that managers understand the strings sent by analyzers is outside the scope of this specification. A list of acceptable meaning keywords is not within the scope of the document, although later versions may undertake to establish such a list. Debar, et al. Experimental [Page 40] RFC 4765 The IDMEF March 2007 4.2.5. The Time Classes The data model provides three classes for representing time. These classes are elements of the Alert and Heartbeat classes. The time classes are represented in the IDMEF DTD as follows: The DATETIME format of the element content is described in Section 3.2.6. If the date and time represented by the element content and the NTP timestamp differ (should "never" happen), the value in the NTP timestamp MUST be used. 4.2.5.1. The CreateTime Class The CreateTime class is used to indicate the date and time the alert or heartbeat was created by the analyzer. 4.2.5.2. The DetectTime Class The DetectTime class is used to indicate the date and time that the event(s) producing an alert was detected by the analyzer. In the case of more than one event, it is the time that the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection). Debar, et al. Experimental [Page 41] RFC 4765 The IDMEF March 2007 4.2.5.3. The AnalyzerTime Class The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message "on the wire". The use of to perform rudimentary time synchronization between analyzers and managers is discussed in Section 6.3. 4.2.6. The Assessment Classes The data model provides three types of "assessments" that an analyzer can make about an event. These classes are aggregates of the Assessment class. 4.2.6.1. The Impact Class The Impact class is used to provide the analyzer's assessment of the impact of the event on the target(s). It is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 42] RFC 4765 The IDMEF March 2007 The Impact class has three attributes: severity An estimate of the relative severity of the event. The permitted values are shown below. There is no default value. (See also Section 10.) +------+---------+-----------------------------------------+ | Rank | Keyword | Description | +------+---------+-----------------------------------------+ | 0 | info | Alert represents informational activity | | | | | | 1 | low | Low severity | | | | | | 2 | medium | Medium severity | | | | | | 3 | high | High severity | +------+---------+-----------------------------------------+ completion An indication of whether the analyzer believes the attempt that the event describes was successful or not. The permitted values are shown below. There is no default value. (See also Section 10.) +------+-----------+--------------------------------+ | Rank | Keyword | Description | +------+-----------+--------------------------------+ | 0 | failed | The attempt was not successful | | | | | | 1 | succeeded | The attempt succeeded | +------+-----------+--------------------------------+ Debar, et al. Experimental [Page 43] RFC 4765 The IDMEF March 2007 type The type of attempt represented by this event, in relatively broad categories. The permitted values are shown below. The default value is "other". (See also Section 10.) +------+---------+--------------------------------------------------+ | Rank | Keyword | Description | +------+---------+--------------------------------------------------+ | 0 | admin | Administrative privileges were attempted or | | | | obtained | | | | | | 1 | dos | A denial of service was attempted or completed | | | | | | 2 | file | An action on a file was attempted or completed | | | | | | 3 | recon | A reconnaissance probe was attempted or | | | | completed | | | | | | 4 | user | User privileges were attempted or obtained | | | | | | 5 | other | Anything not in one of the above categories | +------+---------+--------------------------------------------------+ All three attributes are optional. The element itself may be empty, or may contain a textual description of the impact, if the analyzer is able to provide additional details. 4.2.6.2. The Action Class The Action class is used to describe any actions taken by the analyzer in response to the event. Is is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 44] RFC 4765 The IDMEF March 2007 Action has one attribute: category The type of action taken. The permitted values are shown below. The default value is "other". (See also Section 10.) +------+-------------------+----------------------------------------+ | Rank | Keyword | Description | +------+-------------------+----------------------------------------+ | 0 | block-installed | A block of some sort was installed to | | | | prevent an attack from reaching its | | | | destination. The block could be a | | | | port block, address block, etc., or | | | | disabling a user account. | | | | | | 1 | notification-sent | A notification message of some sort | | | | was sent out-of-band (via pager, | | | | e-mail, etc.). Does not include the | | | | transmission of this alert. | | | | | | 2 | taken-offline | A system, computer, or user was taken | | | | offline, as when the computer is shut | | | | down or a user is logged off. | | | | | | 3 | other | Anything not in one of the above | | | | categories. | +------+-------------------+----------------------------------------+ The element itself may be empty, or may contain a textual description of the action, if the analyzer is able to provide additional details. 4.2.6.3. The Confidence Class The Confidence class is used to represent the analyzer's best estimate of the validity of its analysis. It is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 45] RFC 4765 The IDMEF March 2007 The Confidence class has one attribute: rating The analyzer's rating of its analytical validity. The permitted values are shown below. The default value is "numeric". (See also Section 10.) +------+---------+--------------------------------------------------+ | Rank | Keyword | Description | +------+---------+--------------------------------------------------+ | 0 | low | The analyzer has little confidence in its | | | | validity | | | | | | 1 | medium | The analyzer has average confidence in its | | | | validity | | | | | | 2 | high | The analyzer has high confidence in its validity | | | | | | 3 | numeric | The analyzer has provided a posterior | | | | probability value indicating its confidence in | | | | its validity | +------+---------+--------------------------------------------------+ This element should be used only when the analyzer can produce meaningful information. Systems that can output only a rough heuristic should use "low", "medium", or "high" as the rating value. In this case, the element content should be omitted. Systems capable of producing reasonable probability estimates should use "numeric" as the rating value and include a numeric confidence value in the element content. This numeric value should reflect a posterior probability (the probability that an attack has occurred given the data seen by the detection system and the model used by the system). It is a floating point number between 0.0 and 1.0, inclusive. The number of digits should be limited to those representable by a single precision floating point value, and may be represented as described in Section 3.2.2. NOTE: It should be noted that different types of analyzers may compute confidence values in different ways and that in many cases, confidence values from different analyzers should not be compared (for example, if the analyzers use different methods of computing or representing confidence, or are of different types or configurations). Care should be taken when implementing systems that process confidence values (such as event correlators) not to make comparisons or assumptions that cannot be supported by the system's knowledge of the environment in which it is working. Debar, et al. Experimental [Page 46] RFC 4765 The IDMEF March 2007 4.2.7. The Support Classes The support classes make up the major parts of the core classes, and are shared between them. 4.2.7.1. The Reference Class The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is. The Reference class is composed of two aggregate classes, as shown in Figure 13. +----------------+ | Reference | +----------------+ +------+ | STRING origin |<>----------| name | | STRING meaning | +------+ | | +------+ | |<>----------| url | | | +------+ +----------------+ Figure 13: The Reference Class The aggregate classes that make up Reference are: name Exactly one. STRING. The name of the alert, from one of the origins listed below. url Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor. Debar, et al. Experimental [Page 47] RFC 4765 The IDMEF March 2007 This is represented in the IDMEF DTD as follows: The Reference class has two attributes: origin Required. The source from which the name of the alert originates. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.) +------+-----------------+------------------------------------------+ | Rank | Keyword | Description | +------+-----------------+------------------------------------------+ | 0 | unknown | Origin of the name is not known | | | | | | 1 | vendor-specific | A vendor-specific name (and hence, URL); | | | | this can be used to provide | | | | product-specific information | | | | | | 2 | user-specific | A user-specific name (and hence, URL); | | | | this can be used to provide | | | | installation-specific information | | | | | | 3 | bugtraqid | The SecurityFocus ("Bugtraq") | | | | vulnerability database identifier | | | | (http://www.securityfocus.com/bid) | | | | | | 4 | cve | The Common Vulnerabilities and Exposures | | | | (CVE) name (http://www.cve.mitre.org/) | | | | | | 5 | osvdb | The Open Source Vulnerability Database | | | | (http://www.osvdb.org) | +------+-----------------+------------------------------------------+ Debar, et al. Experimental [Page 48] RFC 4765 The IDMEF March 2007 meaning Optional. The meaning of the reference, as understood by the alert provider. This field is only valid if the value of the attribute is set to "vendor-specific" or "user-specific". 4.2.7.2. The Node Class The Node class is used to identify hosts and other network devices (routers, switches, etc.). The Node class is composed of three aggregate classes, as shown in Figure 14. +---------------+ | Node | +---------------+ 0..1 +----------+ | STRING ident |<>----------| location | | ENUM category | +----------+ | | 0..1 +----------+ | |<>----------| name | | | +----------+ | | 0..* +----------+ | |<>----------| Address | | | +----------+ +---------------+ Figure 14: The Node Class The aggregate classes that make up Node are: location Zero or one. STRING. The location of the equipment. name Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given. Address Zero or more. The network or hardware address of the equipment. Unless a name (above) is provided, at least one address must be specified. Debar, et al. Experimental [Page 49] RFC 4765 The IDMEF March 2007 This is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 50] RFC 4765 The IDMEF March 2007 The Node class has two attributes: ident Optional. A unique identifier for the node; see Section 3.2.9. category Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown". (See also Section 10 for extensions to the table.) +------+----------+------------------------------------------+ | Rank | Keyword | Description | +------+----------+------------------------------------------+ | 0 | unknown | Domain unknown or not relevant | | | | | | 1 | ads | Windows 2000 Advanced Directory Services | | | | | | 2 | afs | Andrew File System (Transarc) | | | | | | 3 | coda | Coda Distributed File System | | | | | | 4 | dfs | Distributed File System (IBM) | | | | | | 5 | dns | Domain Name System | | | | | | 6 | hosts | Local hosts file | | | | | | 7 | kerberos | Kerberos realm | | | | | | 8 | nds | Novell Directory Services | | | | | | 9 | nis | Network Information Services (Sun) | | | | | | 10 | nisplus | Network Information Services Plus (Sun) | | | | | | 11 | nt | Windows NT domain | | | | | | 12 | wfw | Windows for Workgroups | +------+----------+------------------------------------------+ Debar, et al. Experimental [Page 51] RFC 4765 The IDMEF March 2007 4.2.7.2.1. The Address Class The Address class is used to represent network, hardware, and application addresses. The Address class is composed of two aggregate classes, as shown in Figure 15. +------------------+ | Address | +------------------+ +---------+ | STRING ident |<>----------| address | | ENUM category | +---------+ | STRING vlan-name | 0..1 +---------+ | INTEGER vlan-num |<>----------| netmask | | | +---------+ +------------------+ Figure 15: The Address Class The aggregate classes that make up Address are: address Exactly one. STRING. The address information. The format of this data is governed by the category attribute. netmask Zero or one. STRING. The network mask for the address, if appropriate. Debar, et al. Experimental [Page 52] RFC 4765 The IDMEF March 2007 This is represented in the IDMEF DTD as follows: The Address class has four attributes: ident Optional. A unique identifier for the address; see Section 3.2.9. category Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.) Debar, et al. Experimental [Page 53] RFC 4765 The IDMEF March 2007 +------+---------------+--------------------------------------------+ | Rank | Keyword | Description | +------+---------------+--------------------------------------------+ | 0 | unknown | Address type unknown | | | | | | 1 | atm | Asynchronous Transfer Mode network address | | | | | | 2 | e-mail | Electronic mail address (RFC 2822 [12]) | | | | | | 3 | lotus-notes | Lotus Notes e-mail address | | | | | | 4 | mac | Media Access Control (MAC) address | | | | | | 5 | sna | IBM Shared Network Architecture (SNA) | | | | address | | | | | | 6 | vm | IBM VM ("PROFS") e-mail address | | | | | | 7 | ipv4-addr | IPv4 host address in dotted-decimal | | | | notation (a.b.c.d) | | | | | | 8 | ipv4-addr-hex | IPv4 host address in hexadecimal notation | | | | | | 9 | ipv4-net | IPv4 network address in dotted-decimal | | | | notation, slash, significant bits | | | | (a.b.c.d/nn) | | | | | | 10 | ipv4-net-mask | IPv4 network address in dotted-decimal | | | | notation, slash, network mask in | | | | dotted-decimal notation (a.b.c.d/w.x.y.z) | | | | | | 11 | ipv6-addr | IPv6 host address | | | | | | 12 | ipv6-addr-hex | IPv6 host address in hexadecimal notation | | | | | | 13 | ipv6-net | IPv6 network address, slash, significant | | | | bits | | | | | | 14 | ipv6-net-mask | IPv6 network address, slash, network mask | +------+---------------+--------------------------------------------+ vlan-name Optional. The name of the Virtual LAN to which the address belongs. Debar, et al. Experimental [Page 54] RFC 4765 The IDMEF March 2007 vlan-num Optional. The number of the Virtual LAN to which the address belongs. 4.2.7.3. The User Class The User class is used to describe users. It is primarily used as a "container" class for the UserId aggregate class, as shown in Figure 16. +---------------+ | User | +---------------+ 1..* +--------+ | STRING ident |<>----------| UserId | | ENUM category | +--------+ +---------------+ Figure 16: The User Class The aggregate class contained in User is: UserId One or more. Identification of a user, as indicated by its type attribute (see Section 4.2.7.3.1). This is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 55] RFC 4765 The IDMEF March 2007 The User class has two attributes: ident Optional. A unique identifier for the user; see Section 3.2.9. category Optional. The type of user represented. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.) +------+-------------+------------------------------------+ | Rank | Keyword | Description | +------+-------------+------------------------------------+ | 0 | unknown | User type unknown | | | | | | 1 | application | An application user | | | | | | 2 | os-device | An operating system or device user | +------+-------------+------------------------------------+ 4.2.7.3.1. The UserId Class The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. The UserId class is composed of two aggregate classes, as shown in Figure 17. +--------------+ | UserId | +--------------+ 0..1 +--------+ | STRING ident |<>----------| name | | ENUM type | +--------+ | STRING tty | 0..1 +--------+ | |<>----------| number | | | +--------+ +--------------+ Figure 17: The UserId Class Debar, et al. Experimental [Page 56] RFC 4765 The IDMEF March 2007 The aggregate classes that make up UserId are: name Zero or one. STRING. A user or group name. number Zero or one. INTEGER. A user or group number. This is represented in the IDMEF DTD as follows: The UserId class has three attributes: ident Optional. A unique identifier for the user id, see Section 3.2.9. type Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". (See also Section 10.) Debar, et al. Experimental [Page 57] RFC 4765 The IDMEF March 2007 +------+---------------+--------------------------------------------+ | Rank | Keyword | Description | +------+---------------+--------------------------------------------+ | 0 | current-user | The current user id being used by the user | | | | or process. On Unix systems, this would | | | | be the "real" user id, in general. | | | | | | 1 | original-user | The actual identity of the user or process | | | | being reported on. On those systems that | | | | (a) do some type of auditing and (b) | | | | support extracting a user id from the | | | | "audit id" token, that value should be | | | | used. On those systems that do not | | | | support this, and where the user has | | | | logged into the system, the "login id" | | | | should be used. | | | | | | 2 | target-user | The user id the user or process is | | | | attempting to become. This would apply, | | | | on Unix systems for example, when the user | | | | attempts to use "su", "rlogin", "telnet", | | | | etc. | | | | | | 3 | user-privs | Another user id the user or process has | | | | the ability to use, or a user id | | | | associated with a file permission. On | | | | Unix systems, this would be the | | | | "effective" user id in a user or process | | | | context, and the owner permissions in a | | | | file context. Multiple UserId elements of | | | | this type may be used to specify a list of | | | | privileges. | | | | | | 4 | current-group | The current group id (if applicable) being | | | | used by the user or process. On Unix | | | | systems, this would be the "real" group | | | | id, in general. | | | | | | 5 | group-privs | Another group id the group or process has | | | | the ability to use, or a group id | | | | associated with a file permission. On | | | | Unix systems, this would be the | | | | "effective" group id in a group or process | | | | context, and the group permissions in a | | | | file context. On BSD-derived Unix | | | | systems, multiple UserId elements of this | | | | type would be used to include all the | | | | group ids on the "group list". | Debar, et al. Experimental [Page 58] RFC 4765 The IDMEF March 2007 | 6 | other-privs | Not used in a user, group, or process | | | | context, only used in the file context. | | | | The file permissions assigned to users who | | | | do not match either the user or group | | | | permissions on the file. On Unix systems, | | | | this would be the "world" permissions. | +------+---------------+--------------------------------------------+ tty Optional. STRING. The tty the user is using. 4.2.7.4. The Process Class The Process class is used to describe processes being executed on sources, targets, and analyzers. The Process class is composed of five aggregate classes, as shown in Figure 18. +--------------+ | Process | +--------------+ +------+ | STRING ident |<>----------| name | | | +------+ | | 0..1 +------+ | |<>----------| pid | | | +------+ | | 0..1 +------+ | |<>----------| path | | | +------+ | | 0..* +------+ | |<>----------| arg | | | +------+ | | 0..* +------+ | |<>----------| env | | | +------+ +--------------+ Figure 18: The Process Class Debar, et al. Experimental [Page 59] RFC 4765 The IDMEF March 2007 The aggregate classes that make up Process are: name Exactly one. STRING. The name of the program being executed. This is a short name; path and argument information are provided elsewhere. pid Zero or one. INTEGER. The process identifier of the process. path Zero or one. STRING. The full path of the program being executed. arg Zero or more. STRING. A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg. env Zero or more. STRING. An environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env. This is represented in the IDMEF DTD as follows: The Process class has one attribute: ident Optional. A unique identifier for the process; see Section 3.2.9. Debar, et al. Experimental [Page 60] RFC 4765 The IDMEF March 2007 4.2.7.5. The Service Class The Service class describes network services on sources and targets. It can identify services by name, port, and protocol. When Service occurs as an aggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" to the Node, Process, and User information also contained in Source. Likewise, when Service occurs as an aggregate class of Target, it is understood that the service is one to which activity of interest is being directed; and that the service is "attached" to the Node, Process, and User information also contained in Target. If Service occurs in both Source and Target, then information in both locations should be the same. If information is the same in both locations and implementers wish to carry it in only one location, they should specify it as an aggregate of the Target class. The Service class is composed of four aggregate classes, as shown in Figure 19. +-----------------------------+ | Service | +-----------------------------+ 0..1 +----------+ | STRING ident |<>----------| name | | INTEGER ip_version | +----------+ | INTEGER iana_protocol_number| 0..1 +----------+ | STRING iana_protocol_name |<>----------| port | | | +----------+ | | 0..1 +----------+ | |<>----------| portlist | | | +----------+ | | 0..1 +----------+ | |<>----------| protocol | | | +----------+ +-----------------------------+ /_\ | +---------+--------+ | | +-------------+ +-------------+ | SNMPService | | WebService | +-------------+ +-------------+ Figure 19: The Service Class Debar, et al. Experimental [Page 61] RFC 4765 The IDMEF March 2007 The aggregate classes that make up Service are: name Zero or one. STRING. The name of the service. Whenever possible, the name from the IANA list of well-known ports SHOULD be used. port Zero or one. INTEGER. The port number being used. portlist Zero or one. PORTLIST. A list of port numbers being used; see Section 3.2.8 for formatting rules. If a portlist is given, the iana_protocol_number and iana_protocol_name MUST apply to all the elements of the list. protocol Zero or one. STRING. Additional information about the protocol being used. The intent of the protocol field is to carry additional information related to the protocol being used when the attributes iana_protocol_number or/and iana_protocol_name are filed. A Service MUST be specified as either (a) a name or a port or (b) a portlist. The protocol is optional in all cases, but no other combinations are permitted. Service is represented in the IDMEF DTD as follows: Debar, et al. Experimental [Page 62] RFC 4765 The IDMEF March 2007 The Service class has four attributes: ident Optional. A unique identifier for the service; see Section 3.2.9. ip_version Optional. INTEGER. The IP version number. iana_protocol_number Optional. INTEGER. The IANA protocol number. iana_protocol_name Optional. STRING. The IANA protocol name. 4.2.7.5.1. The WebService Class The WebService class carries additional information related to web traffic. The WebService class is composed of four aggregate classes, as shown in Figure 20. +-------------+ | Service | +-------------+ /_\ | +-------------+ | WebService | +-------------+ +-------------+ | |<>----------| url | | | +-------------+ | | 0..1 +-------------+ | |<>----------| cgi | | | +-------------+ | | 0..1 +-------------+ | |<>----------| http-method | | | +-------------+ | | 0..* +-------------+ | |<>----------| arg | | | +-------------+ +-------------+ Figure 20: The WebService Class Debar, et al. Experimental [Page 63] RFC 4765 The IDMEF March 2007 The aggregate classes that make up WebService are: url Exactly one. STRING. The URL in the request. cgi Zero or one. STRING. The CGI script in the request, without arguments. http-method Zero or one. STRING. The HTTP method (PUT, GET) used in the request. arg Zero or more. STRING. The arguments to the CGI script. This is represented in the IDMEF DTD as follows: 4.2.7.5.2. The SNMPService Class The SNMPService class carries additional information related to SNMP traffic. The aggregate classes composing SNMPService must be interpreted as described in RFC 3411 [15] and RFC 3584 [16]. The SNMPService class is composed of eight aggregate classes, as shown in Figure 21. Debar, et al. Experimental [Page 64] RFC 4765 The IDMEF March 2007 +-------------+ | Service | +-------------+ /_\ | +-------------+ | SNMPService | +-------------+ 0..1 +----------------------+ | |<>----------| oid | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------|messageProcessingModel| | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| securityModel | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| securityName | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| securityLevel | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| contextName | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| contextEngineID | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| command | | |