Intrusion Detection Message Exchange Format (IDMEF) Parameters

(last updated 2007-03-14)

Intrusion Detection Message Exchange Format (IDMEF) Class Names and Attribute Names - per [RFC4765]
Registration Procedures: IETF Consensus

Intrusion Detection Message Exchange Format (IDMEF) Attribute Values - per [RFC4765]
Registration Procedures: Specification Required by RFC.


IDMEF Class Name: Reference
IDMEF Attribute Name: origin
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  unknown            Origin of the name is not known               [RFC4765]
   1  vendor-specific    A vendor-specific name (and hence, URL);      [RFC4765]
                         this can be used to provide product-specific
                         information
   2  user-specific      A user-specific name (and hence, URL);        [RFC4765]
                         this can be used to provide
                         installation-specific information
   3  bugtraqid          The SecurityFocus ("Bugtraq") vulnerability   [RFC4765]
                         database identifier
                         (http://www.securityfocus.com/bid)
   4  cve                The Common Vulnerabilities and Exposures      [RFC4765]
                         (CVE) name (http://cve.mitre.org/)
   5  osvdb              The Open Source Vulnerability Database        [RFC4765]
                         (http://www.osvdb.org)


IDMEF Class Name: Source
IDMEF Attribute Name: spoofed
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  unknown            Accuracy of source information unknown        [RFC4765]
   1  yes                Source is believed to be a decoy              [RFC4765]
   2  no                 Source is believed to be "real"               [RFC4765]


IDMEF Class Name: Target
IDMEF Attribute Name: decoy
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  unknown            Accuracy of target information unknown        [RFC4765]
   1  yes                Target is believed to be a decoy              [RFC4765]
   2  no                 Target is believed to be "real"               [RFC4765]


IDMEF Class Name: AdditionalData
IDMEF Attribute Name: type
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  boolean            The element contains a boolean value, i.e.,   [RFC4765]
                         the strings "true" or "false"
   1  byte               The element content is a single 8-bit byte    [RFC4765]
                         (see Section 3.2.4)
   2  character          The element content is a single character     [RFC4765]
                         (see Section 3.2.3)
   3  date-time          The element content is a date-time string     [RFC4765]
                         (see Section 3.2.6)
   4  integer            The element content is an integer (see        [RFC4765]
                         Section 3.2.1)
   5  ntpstamp           The element content is an NTP timestamp (see  [RFC4765]
                         Section 3.2.7)
   6  portlist           The element content is a list of ports (see   [RFC4765]
                         Section 3.2.8)
   7  real               The element content is a real number (see     [RFC4765]
                         Section 3.2.2)
   8  string             The element content is a string (see          [RFC4765]
                         Section 3.2.3)
   9  byte-string        The element content is a byte[] (see          [RFC4765]
                         Section 3.2.4)
  10  xmltext            The element content is XML-tagged data (see   [RFC4765]
                         Section 5.2)


IDMEF Class Name: Impact
IDMEF Attribute Name: severity
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  info               Information only                              [RFC4765]
   1  low                Low severity                                  [RFC4765]
   2  medium             Medium severity                               [RFC4765]
   3  high               High severity                                 [RFC4765]


IDMEF Class Name: Impact
IDMEF Attribute Name: completion
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  failed             The attempt was not successful                [RFC4765]
   1  succeeded          The attempt succeeded                         [RFC4765]


IDMEF Class Name: Impact
IDMEF Attribute Name: type
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  admin              Administrative privileges were attempted or   [RFC4765]
                         obtained
   1  dos                A denial of service was attempted or          [RFC4765]
                         completed
   2  file               An action on a file was attempted or          [RFC4765]
                         completed
   3  recon              A reconnaissance probe was attempted or       [RFC4765]
                         completed
   4  user               User privileges were attempted or obtained    [RFC4765]
   5  other              Anything not in one of the above categories   [RFC4765]


IDMEF Class Name: Action
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  block-installed    A block of some sort was installed to         [RFC4765]
                         prevent an attack from reaching its
                         destination. The block could be a port
                         block, address block, etc., or disabling
                         a user account.
   1  notification-sent  A notification message of some sort was       [RFC4765]
                         sent out-of-band (via pager, e-mail,
                         etc.). Does not include the transmission
                         of this alert.
   2  taken-offline      A system, computer, or user was taken         [RFC4765]
                         offline, as when the computer is shut
                         down or a user is logged off.
   3  other              Anything not in one of the above              [RFC4765]
                         categories.


IDMEF Class Name: Confidence
IDMEF Attribute Name: rating
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  low                The analyzer has little confidence in its     [RFC4765]
                         validity
   1  medium             The analyzer has average confidence in its    [RFC4765]
                         validity
   2  high               The analyzer has high confidence in its       [RFC4765]
                         validity
   3  numeric            The analyzer has provided a posterior         [RFC4765]
                         probability value indicating its
                         confidence in its validity


IDMEF Class Name: Node
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  unknown            Domain unknown or not relevant                [RFC4765]
   1  ads                Windows 2000 Advanced Directory Services      [RFC4765]
   2  afs                Andrew File System (Transarc)                 [RFC4765]
   3  coda               Coda Distributed File System                  [RFC4765]
   4  dfs                Distributed File System (IBM)                 [RFC4765]
   5  dns                Domain Name System                            [RFC4765]
   6  hosts              Local hosts file                              [RFC4765]
   7  kerberos           Kerberos realm                                [RFC4765]
   8  nds                Novell Directory Services                     [RFC4765]
   9  nis                Network Information Services (Sun)            [RFC4765]
  10  nisplus            Network Information Services Plus (Sun)       [RFC4765]
  11  nt                 Windows NT domain                             [RFC4765]
  12  wfw                Windows for Workgroups                        [RFC4765]


IDMEF Class Name: Address
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  unknown            Address type unknown                          [RFC4765]
   1  atm                Asynchronous Transfer Mode network address    [RFC4765]
   2  e-mail             Electronic mail address (RFC 822)             [RFC4765]
   3  lotus-notes        Lotus Notes e-mail address                    [RFC4765]
   4  mac                Media Access Control (MAC) address            [RFC4765]
   5  sna                IBM Shared Network Architecture (SNA)         [RFC4765]
                         address
   6  vm                 IBM VM ("PROFS") e-mail address               [RFC4765]
   7  ipv4-addr          IPv4 host address in dotted decimal           [RFC4765]
                         notation (a.b.c.d)
   8  ipv4-addr-hex      IPv4 host address in hexadecimal notation     [RFC4765]
   9  ipv4-net           IPv4 network address in dotted decimal        [RFC4765]
                         notation, slash, significant bits
                         (a.b.c.d/nn)
  10  ipv4-net-mask      IPv4 network address in dotted decimal        [RFC4765]
                         notation, slash, network mask in dotted
                         decimal notation (a.b.c.d/w.x.y.z)
  11  ipv6-addr          IPv6 host address                             [RFC4765]
  12  ipv6-addr-hex      IPv6 host address in hexadecimal notation     [RFC4765]
  13  ipv6-net           IPv6 network address, slash, significant      [RFC4765]
                         bits
  14  ipv6-net-mask      IPv6 network address, slash, network mask     [RFC4765]


IDMEF Class Name: User
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  unknown            User type unknown                             [RFC4765]
   1  application        An application user                           [RFC4765]
   2  os-device          An operating system or device user            [RFC4765]


IDMEF Class Name: UserId
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  current-user       The current user id being used by the user    [RFC4765]
                         or process. On Unix systems, this would
                         be the "real" user id, in general.
   1  original-user      The actual identity of the user or process    [RFC4765]
                         being reported on. On those systems that
                         (a) do some type of auditing and (b)
                         support extracting a user id from the
                         "audit id" token, that value should be
                         used. On those systems that do not
                         support this, and where the user has
                         logged into the system, the "login id"
                         should be used.
   2  target-user        The user id the user or process is            [RFC4765]
                         attempting to become. This would apply,
                         on Unix systems for example, when the
                         user attempts to use "su," "rlogin,"
                         "telnet," etc.
   3  user-privs         Another user id the user or process has       [RFC4765]
                         the ability to use, or a user id
                         associated with a file permission. On
                         Unix systems, this would be the
                         "effective" user id in a user or process
                         context, and the owner permissions in a
                         file context. Multiple UserId elements
                         of this type may be used to specify a
                         list of privileges.
   4  current-group      The current group id (if applicable) being    [RFC4765]
                         used by the user or process. On Unix
                         systems, this would be the "real" group
                         id, in general.
   5  group-privs        Another group id the group or process has     [RFC4765]
                         the ability to use, or a group id
                         associated with a file permission. On
                         Unix systems, this would be the
                         "effective" group id in a group or
                         process context, and the group
                         permissions in a file context. On
                         BSD-derived Unix systems, multiple UserId
                         elements of this type would be used to
                         include all the group ids on the "group
                         list."
   6  other-privs        Not used in a user, group, or process         [RFC4765]
                         context, only used in the file context.
                         The file permissions assigned to users
                         who do not match either the user or group
                         permissions on the file. On Unix systems,
                         this would be the "world" permissions.


IDMEF Class Name: File
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  current            The file information is from after the        [RFC4765]
                         reported change
   1  original           The file information is from before the       [RFC4765]
                         reported change


IDMEF Class Name: File
IDMEF Attribute Name: fstype
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  ufs                Berkeley UNIX Fast File System                [RFC4765]
   1  efs                Linux "efs" file system                       [RFC4765]
   2  nfs                Network File System                           [RFC4765]
   3  afs                Andrew File System                            [RFC4765]
   4  ntfs               Windows NT File System                        [RFC4765]
   5  fat16              16-bit Windows FAT File System                [RFC4765]
   6  fat32              32-bit Windows FAT File System                [RFC4765]
   7  pcfs               "PC" (MS-DOS) file system on CD-ROM           [RFC4765]
   8  joliet             Joliet CD-ROM file system                     [RFC4765]
   9  iso9660            ISO 9660 CD-ROM file system                   [RFC4765]


IDMEF Class Name: FileAccess
IDMEF Attribute Name: permission
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  noAccess           No access at all is allowed for this user     [RFC4765]
   1  read               This user has read access to the file         [RFC4765]
   2  write              This user has write access to the file        [RFC4765]
   3  execute            This user has the ability to execute the      [RFC4765]
                         file
   4  search             This user has the ability to search this      [RFC4765]
                         file (applies to "execute" permission on
                         directories in UNIX)
   5  delete             This user has the ability to delete this      [RFC4765]
                         file
   6  executeAs          This user has the ability to execute this     [RFC4765]
                         file as another user
   7  changePermissions  This user has the ability to change the       [RFC4765]
                         access permissions on this file
   8  takeOwnership      This user has the ability to take             [RFC4765]
                         ownership of this file


IDMEF Class Name: Linkage
IDMEF Attribute Name: category
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  hard-link          The <name> element represents another name    [RFC4765]
                         for this file. This information may be
                         more easily obtainable on NTFS file
                         systems than others.
   1  mount-point        An alias for the directory specified by       [RFC4765]
                         the parent's <name> and <path> elements.
   2  reparse-point      Applies only to Windows; excludes symbolic    [RFC4765]
                         links and mount points, which are
                         specific types of reparse points.
   3  shortcut           The file represented by a Windows             [RFC4765]
                         "shortcut." A shortcut is distinguished
                         from a symbolic link because of the
                         difference in their contents, which may
                         be of importance to the manager.
   4  stream             An Alternate Data Stream (ADS) in Windows;    [RFC4765]
                         a fork on MacOS. Separate file system
                         entity that is considered an extension
                         of the main <File>.
   5  symbolic-link      The <name> element represents the file to     [RFC4765]
                         which the link points.


IDMEF Class Name: Checksum
IDMEF Attribute Name: algorithm
Registered Values:

Rank  Keyword            Description                                   Reference
----  -----------------  --------------------------------------------  ---------
   0  MD4                The MD4 algorithm.                            [RFC4765]
   1  MD5                The MD5 algorithm.                            [RFC4765]
   2  SHA1               The SHA1 algorithm.                           [RFC4765]
   3  SHA2-256           The SHA2 algorithm with 256 bits length.      [RFC4765]
   4  SHA2-384           The SHA2 algorithm with 384 bits length.      [RFC4765]
   5  SHA2-512           The SHA2 algorithm with 512 bits length.      [RFC4765]
   6  CRC-32             The CRC algorithm with 32 bits length.        [RFC4765]
   7  Haval              The Haval algorithm.                          [RFC4765]
   8  Tiger              The Tiger algorithm.                          [RFC4765]
   9  Gost               The Gost algorithm.                           [RFC4765]


References
----------
[RFC4765]  H. Debar, D. Curry and B. Feinstein, "The Intrusion Detection
           Message Exchange Format", RFC 4765, March 2007.

(file created 04 October 2006)
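The registry above is only useful to a consumer that enforces it. The Python validator below is an added example written for this page; it is not part of the IANA registry or of RFC 4765. It transcribes the registered keywords into a lookup table keyed by (class, attribute), walks an IDMEF alert, and reports any attribute value that is not registered, plus AdditionalData content that does not match its declared type and a Confidence rated "numeric" whose content is not a number. The sample alert is constructed for the example (analyzer id, message id, address and signature name are made up) and carries three deliberate violations. Two details are assumptions rather than registry content: the alert namespace is the one RFC 4765 uses (http://iana.org/idmef), and AdditionalData is accepted both with the RFC 4765 DTD form, where the value sits in a child element named after the type, and with bare text content, since older producers emit the latter.

```python
"""Validate an IDMEF (RFC 4765) alert against the IANA-registered keywords above.
Added example, not part of the IANA page or RFC 4765; the sample alert is constructed
(all identifiers and addresses made up).  xml.etree is used only to keep the example
self-contained: parse untrusted XML with a hardened parser such as defusedxml."""
import re
import xml.etree.ElementTree as ET

# (class, attribute) -> registered keywords, transcribed from the registry above.
REGISTERED = {
    ("Reference", "origin"): {"unknown", "vendor-specific", "user-specific",
                              "bugtraqid", "cve", "osvdb"},
    ("Source", "spoofed"): {"unknown", "yes", "no"},
    ("Target", "decoy"): {"unknown", "yes", "no"},
    ("AdditionalData", "type"): {"boolean", "byte", "character", "date-time", "integer",
                                 "ntpstamp", "portlist", "real", "string", "byte-string",
                                 "xmltext"},
    ("Impact", "severity"): {"info", "low", "medium", "high"},
    ("Impact", "completion"): {"failed", "succeeded"},
    ("Impact", "type"): {"admin", "dos", "file", "recon", "user", "other"},
    ("Action", "category"): {"block-installed", "notification-sent", "taken-offline", "other"},
    ("Confidence", "rating"): {"low", "medium", "high", "numeric"},
    ("Node", "category"): {"unknown", "ads", "afs", "coda", "dfs", "dns", "hosts",
                           "kerberos", "nds", "nis", "nisplus", "nt", "wfw"},
    ("Address", "category"): {"unknown", "atm", "e-mail", "lotus-notes", "mac", "sna", "vm",
                              "ipv4-addr", "ipv4-addr-hex", "ipv4-net", "ipv4-net-mask",
                              "ipv6-addr", "ipv6-addr-hex", "ipv6-net", "ipv6-net-mask"},
    ("User", "category"): {"unknown", "application", "os-device"},
    ("File", "category"): {"current", "original"},
    ("File", "fstype"): {"ufs", "efs", "nfs", "afs", "ntfs", "fat16", "fat32", "pcfs",
                         "joliet", "iso9660"},
    ("Linkage", "category"): {"hard-link", "mount-point", "reparse-point", "shortcut",
                              "stream", "symbolic-link"},
    ("Checksum", "algorithm"): {"MD4", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512",
                                "CRC-32", "Haval", "Tiger", "Gost"},
}

# Syntax checks for the AdditionalData types RFC 4765 Section 3.2 pins down;
# byte, character, string, byte-string and xmltext are accepted as-is here.
_REAL = r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?"
CONTENT_CHECKS = {
    "boolean": lambda s: s in ("true", "false"),
    "integer": lambda s: re.fullmatch(r"[+-]?(0x[0-9a-fA-F]+|\d+)", s) is not None,
    "real": lambda s: re.fullmatch(_REAL, s) is not None,
    "date-time": lambda s: re.fullmatch(
        r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})", s) is not None,
    "ntpstamp": lambda s: re.fullmatch(r"0x[0-9a-fA-F]{1,8}\.0x[0-9a-fA-F]{1,8}", s) is not None,
    "portlist": lambda s: re.fullmatch(r"\d+(-\d+)?(,\s*\d+(-\d+)?)*", s) is not None,
}


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{http://iana.org/idmef}Impact' -> 'Impact'


def _additional_data_value(elem):
    """Return (child_type_or_None, text).  The RFC 4765 DTD nests the value in a
    child named after the type (<integer>42</integer>); some producers put the
    text directly in AdditionalData, so both forms are accepted (assumption)."""
    children = list(elem)
    if children:
        return _local(children[0].tag), (children[0].text or "").strip()
    return None, (elem.text or "").strip()


def validate_idmef(xml_text):
    """Return a list of problems; empty means every checked attribute carries a
    registered keyword and typed AdditionalData/Confidence content is well formed."""
    problems = []
    for elem in ET.fromstring(xml_text).iter():
        cls = _local(elem.tag)
        for attr, value in elem.attrib.items():
            allowed = REGISTERED.get((cls, attr))
            if allowed is not None and value not in allowed:
                problems.append(f"{cls}@{attr}={value!r} is not a registered value")
        if cls == "Confidence" and elem.get("rating") == "numeric" and \
                not CONTENT_CHECKS["real"]((elem.text or "").strip()):
            problems.append("Confidence rating='numeric' without a numeric value")
        if cls == "AdditionalData":
            declared = elem.get("type")
            child, text = _additional_data_value(elem)
            if declared is None:          # DTD default when the attribute is absent
                declared = child or "string"
            elif child is not None and child != declared:
                problems.append(f"AdditionalData type={declared!r} but content is <{child}>")
            check = CONTENT_CHECKS.get(declared)
            if check is not None and not check(text):
                problems.append(f"AdditionalData type={declared!r} has malformed content {text!r}")
    return problems


# Constructed sample alert with three deliberate registry violations.
SAMPLE_ALERT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
 <idmef:Alert messageid="example-0001">
  <idmef:Analyzer analyzerid="ids.example.net"/>
  <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25Z</idmef:CreateTime>
  <idmef:Source spoofed="no"><idmef:Node category="dns">
   <idmef:Address category="ipv4-addr"><idmef:address>192.0.2.1</idmef:address></idmef:Address>
  </idmef:Node></idmef:Source>
  <idmef:Target decoy="maybe"/>
  <idmef:Classification text="Fragment overlap"><idmef:Reference origin="vendor-specific">
   <idmef:name>frag-overlap</idmef:name></idmef:Reference></idmef:Classification>
  <idmef:Assessment><idmef:Impact severity="critical" completion="failed" type="dos"/>
   <idmef:Confidence rating="numeric">0.87</idmef:Confidence></idmef:Assessment>
  <idmef:AdditionalData type="integer" meaning="fragments"><idmef:integer>0x1F</idmef:integer></idmef:AdditionalData>
  <idmef:AdditionalData type="portlist" meaning="ports"><idmef:portlist>5-25,37,42,53</idmef:portlist></idmef:AdditionalData>
  <idmef:AdditionalData type="boolean" meaning="spoofed"><idmef:boolean>yes</idmef:boolean></idmef:AdditionalData>
 </idmef:Alert></idmef:IDMEF-Message>"""
```

Running validate_idmef(SAMPLE_ALERT) reports three problems: decoy="maybe" and severity="critical" are not registered values, and the boolean whose content is "yes" rather than "true"/"false". The severity case is the one seen most often in practice: products carry a "critical" level internally, but the registry's procedure is Specification Required, so a value that has not been registered is not IDMEF and a consumer should reject or normalise it rather than pass it through into correlation rules that only know the four registered levels. The XML parsing caveat in the docstring matters for the same reason a validator exists at all: IDMEF alerts arrive from sensors the manager may not trust, so the parser itself is part of the attack surface.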