Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 4765

The Intrusion Detection Message Exchange Format (IDMEF)

Pages: 157
Experimental
Part 5 of 6 – Pages 104 to 133
First   Prev   Next

Top   ToC   RFC4765 - Page 104   prevText

8. The IDMEF Document Type Definition (Normative)

<?xml version="1.0" encoding="UTF-8"?> <!-- *************************************************************** ******************************************************************* *** Intrusion Detection Message Exchange Format (IDMEF) XML DTD *** *** Version 1.0, 07 March 2006 *** *** *** *** The use and extension of the IDMEF XML DTD are described in *** *** RFC 4765, "The Intrusion Detection Message Exchange *** *** Format", H. Debar, D. Curry, B. Feinstein. *** ******************************************************************* *************************************************************** --> <!-- =============================================================== =================================================================== === SECTION 1. Attribute list declarations. =================================================================== =============================================================== --> <!-- | Attributes of the IDMEF element. In general, the fixed values of | these attributes will change each time a new version of the DTD | is released. --> <!ENTITY % attlist.idmef " version CDATA #FIXED '1.0' "> <!-- | Attributes of all elements. These are the "XML" attributes that | every element should have. Space handling, language, and name | space. --> <!ENTITY % attlist.global " xmlns:idmef CDATA #FIXED 'http://iana.org/idmef' xmlns CDATA #FIXED 'http://iana.org/idmef' xml:space (default | preserve) 'default' xml:lang NMTOKEN #IMPLIED ">
Top   ToC   RFC4765 - Page 105
   <!-- ===============================================================
    ===================================================================
    === SECTION 2.  Attribute value declarations.  Enumerated values for
    ===            many of the element-specific attribute lists.
    ===================================================================
    =============================================================== -->

   <!--
    | Values for the Action.category attribute.
    -->
   <!ENTITY % attvals.actioncat            "
       ( block-installed | notification-sent | taken-offline | other )
     ">

   <!--
    | Values for the Address.category attribute.
    -->
   <!ENTITY % attvals.addrcat              "
       ( unknown | atm | e-mail | lotus-notes | mac | sna | vm |
         ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask |
         ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask )
     ">

   <!--
    | Values for the AdditionalData.type attribute.
    -->
   <!ENTITY % attvals.adtype               "
       ( boolean | byte | character | date-time | integer | ntpstamp |
         portlist | real | string | byte-string | xmltext )
     ">

   <!--
    | Values for the Impact.completion attribute.
    -->
   <!ENTITY % attvals.completion           "
       ( failed | succeeded )
     ">
   <!--
    | Values for the File.category attribute.
    -->
   <!ENTITY % attvals.filecat              "
       ( current | original )
     ">

   <!ENTITY % attvals.fileperm "( noAccess | read | write | execute |
     search | delete | executeAs | changePermissions |
     takeOwnership)" >
Top   ToC   RFC4765 - Page 106
   <!--
    | Values for the UserId.type attribute.
    -->
   <!ENTITY % attvals.idtype               "
       ( current-user | original-user | target-user | user-privs |
         current-group | group-privs | other-privs )
     ">

   <!--
    | Values for the Impact.type attribute.
    -->
   <!ENTITY % attvals.impacttype           "
       ( admin | dos | file | recon | user | other )
     ">

   <!--
    | Values for the Linkage.category attribute.
    -->
   <!ENTITY % attvals.linkcat              "
       ( hard-link | mount-point | reparse-point | shortcut | stream |
         symbolic-link )
     ">

   <!--
    | Values for the Checksum.algorithm attribute
    -->
   <!ENTITY % attvals.checksumalgos        "
         ( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 |
           Haval | Tiger | Gost )
     ">

   <!--
    | Values for the Node.category attribute.
    -->
   <!ENTITY % attvals.nodecat              "
       ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos |
         nds | nis | nisplus | nt | wfw )
     ">

   <!--
    | Values for the Reference.origin attribute.
    -->
   <!ENTITY % attvals.origin               "
       ( unknown | vendor-specific | user-specific | bugtraqid | cve |
         osvdb )
     ">

   <!--
Top   ToC   RFC4765 - Page 107
    | Values for the Confidence.rating attribute.
    -->
   <!ENTITY % attvals.rating               "
       ( low | medium | high | numeric )
     ">

   <!--
    | Values for the Impact.severity attribute.
    -->
   <!ENTITY % attvals.severity             "
       ( info | low | medium | high )
     ">

   <!--
    | Values for the User.category attribute.
    -->
   <!ENTITY % attvals.usercat              "
       ( unknown | application | os-device )
     ">

   <!--
    | Values for yes/no attributes such as Source.spoofed and
    | Target.decoy.
    -->
   <!ENTITY % attvals.yesno                "
       ( unknown | yes | no )
     ">

   <!-- ===============================================================
    ===================================================================
    === SECTION 3.  Top-level element declarations.  The IDMEF-Message
    ===            element and the types of messages it can include.
    ===================================================================
    =============================================================== -->

   <!ELEMENT IDMEF-Message                 (
       (Alert | Heartbeat)*
     )>
   <!ATTLIST IDMEF-Message
       %attlist.global;
       %attlist.idmef;
     >

   <!ELEMENT Alert                         (
       Analyzer, CreateTime, DetectTime?, AnalyzerTime?,
       Source*, Target*, Classification, Assessment?, (ToolAlert |
       OverflowAlert | CorrelationAlert)?, AdditionalData*
     )>
Top   ToC   RFC4765 - Page 108
   <!ATTLIST Alert
       messageid           CDATA                   '0'
       %attlist.global;
     >

   <!ELEMENT Heartbeat                     (
       Analyzer, CreateTime, HeartbeatInterval?, AnalyzerTime?,
       AdditionalData*
     )>
   <!ATTLIST Heartbeat
       messageid           CDATA                   '0'
       %attlist.global;
     >

   <!-- ===============================================================
    ===================================================================
    === SECTION 4.  Subclasses of the Alert element that provide more
    ===            data for specific types of alerts.
    ===================================================================
    =============================================================== -->

   <!ELEMENT CorrelationAlert              (
       name, alertident+
     )>
   <!ATTLIST CorrelationAlert
       %attlist.global;
     >

   <!ELEMENT OverflowAlert                 (
       program, size?, buffer?
     )>
   <!ATTLIST OverflowAlert
       %attlist.global;
     >

   <!ELEMENT ToolAlert                     (
       name, command?, alertident+
     )>
   <!ATTLIST ToolAlert
       %attlist.global;
     >

   <!-- ===============================================================
    ===================================================================
    === SECTION 5.  The AdditionalData element.  This element allows an
    ===             alert to include additional information that cannot
    ===             be encoded elsewhere in the data model.
    ===================================================================
Top   ToC   RFC4765 - Page 109
    =============================================================== -->


   <!ELEMENT AdditionalData           (
     (boolean | byte        | character | date-time |
      integer | ntpstamp    | portlist  | real      |
      string  | byte-string | xmltext   )
    )>

   <!ATTLIST AdditionalData
       type                %attvals.adtype;        'string'
       meaning             CDATA                   #IMPLIED
       %attlist.global;
     >

   <!-- ===============================================================
    ===================================================================
    === SECTION 6.  Elements related to identifying entities - analyzers
    ===            (the senders of these messages), sources (of
    ===            attacks), and targets (of attacks).
    ===================================================================
    =============================================================== -->

   <!ELEMENT Analyzer                      (
       Node?, Process?, Analyzer?
     )>
   <!ATTLIST Analyzer
       analyzerid          CDATA                   '0'
       name                CDATA                   #IMPLIED
       manufacturer        CDATA                   #IMPLIED
       model               CDATA                   #IMPLIED
       version             CDATA                   #IMPLIED
       class               CDATA                   #IMPLIED
       ostype              CDATA                   #IMPLIED
       osversion           CDATA                   #IMPLIED
       %attlist.global;
     >

   <!ELEMENT Classification                (
       Reference*
     )>
   <!ATTLIST Classification
       ident               CDATA                   '0'
       text                CDATA                   #REQUIRED
     >

   <!ELEMENT Source                        (
       Node?, User?, Process?, Service?
Top   ToC   RFC4765 - Page 110
     )>
   <!ATTLIST Source
       ident               CDATA                   '0'
       spoofed             %attvals.yesno;         'unknown'
       interface           CDATA                   #IMPLIED
       %attlist.global;
     >

   <!ELEMENT Target                        (
       Node?, User?, Process?, Service?, File*
     )>
   <!ATTLIST Target
       ident               CDATA                   '0'
       decoy               %attvals.yesno;         'unknown'
       interface           CDATA                   #IMPLIED
       %attlist.global;
     >

   <!ELEMENT Assessment                    (
       Impact?, Action*, Confidence?
     )>
   <!ATTLIST Assessment
       %attlist.global;
     >

   <!-- ===============================================================
    ===================================================================
    === SECTION 7.  Support elements used for providing detailed info
    ===            about entities - addresses, names, etc.
    ===================================================================
    =============================================================== -->

   <!ELEMENT Reference                (
       name, url
     )>
   <!ATTLIST Reference
       origin              %attvals.origin;        'unknown'
       meaning             CDATA                   #IMPLIED
     >

   <!ELEMENT Node                          (
       location?, (name | Address), Address*
     )>
   <!ATTLIST Node
       ident               CDATA                   '0'
       category            %attvals.nodecat;       'unknown'
       %attlist.global;
     >
Top   ToC   RFC4765 - Page 111
   <!ELEMENT Address                       (
       address, netmask?
     )>
   <!ATTLIST Address
       ident               CDATA                   '0'
       category            %attvals.addrcat;       'unknown'
       vlan-name           CDATA                   #IMPLIED
       vlan-num            CDATA                   #IMPLIED
       %attlist.global;
     >

   <!ELEMENT File                          (
       name, path, create-time?, modify-time?, access-time?,
       data-size?, disk-size?, FileAccess*, Linkage*, Inode?,
       Checksum*
     )>
   <!ATTLIST File
       ident               CDATA                   '0'
       category            %attvals.filecat;       #REQUIRED
       fstype              CDATA                   #IMPLIED
       file-type           CDATA                   #IMPLIED
       %attlist.global;
     >

   <!ELEMENT Permission EMPTY >
   <!ATTLIST Permission
       perms               %attvals.fileperm;      #REQUIRED
       %attlist.global;
   >

   <!ELEMENT FileAccess                    (
       UserId, Permission+
     )>
   <!ATTLIST FileAccess
       %attlist.global;
     >

   <!ELEMENT Inode                         (
       change-time?, (number, major-device, minor-device)?,
       (c-major-device, c-minor-device)?
     )>
   <!ATTLIST Inode
       %attlist.global;
     >

   <!ELEMENT Linkage                       (
       (name, path) | File
     )>
Top   ToC   RFC4765 - Page 112
   <!ATTLIST Linkage
       category            %attvals.linkcat;       #REQUIRED
       %attlist.global;
     >

   <!ELEMENT Checksum                      (
       value, key?
     )>
   <!ATTLIST Checksum
       algorithm           %attvals.checksumalgos; #REQUIRED
       %attlist.global;
     >

   <!ELEMENT Process                       (
       name, pid?, path?, arg*, env*
     )>
   <!ATTLIST Process
       ident               CDATA                   '0'
       %attlist.global;
     >

   <!ELEMENT Service                       (
       (((name, port?) | (port, name?)) | portlist), protocol?,
       SNMPService?, WebService?
     )>
   <!ATTLIST Service
       ident                CDATA                   '0'
   ip_version           CDATA                   #IMPLIED
   iana_protocol_number CDATA                  #IMPLIED
   iana_protocol_name   CDATA                  #IMPLIED
       %attlist.global;
     >

   <!ELEMENT SNMPService                   (
       oid?, messageProcessingModel?, securityModel?, securityName?,
       securityLevel?, contextName?, contextEngineID?, command?
     )>
   <!ATTLIST SNMPService
       %attlist.global;
     >

   <!ELEMENT User                          (
       UserId+
     )>
   <!ATTLIST User
       ident               CDATA                   '0'
       category            %attvals.usercat;       'unknown'
       %attlist.global;
Top   ToC   RFC4765 - Page 113
     >

   <!ELEMENT UserId                        (
       (name, number?) | (number, name?)
     )>
   <!ATTLIST UserId
       ident               CDATA                   '0'
       type                %attvals.idtype;        'original-user'
       tty                 CDATA                   #IMPLIED
       %attlist.global;
     >

   <!ELEMENT WebService                    (
       url, cgi?, http-method?, arg*
     )>
   <!ATTLIST WebService
       %attlist.global;
     >

   <!-- ===============================================================
    ===================================================================
    === SECTION 8.  Simple elements with sub-elements or attributes of a
    ===            special nature.
    ===================================================================
    =============================================================== -->

   <!ELEMENT Action              (#PCDATA) >
   <!ATTLIST Action
       category            %attvals.actioncat;     'other'
       %attlist.global;
     >

   <!ELEMENT CreateTime          (#PCDATA) >
   <!ATTLIST CreateTime
       ntpstamp            CDATA                   #REQUIRED
       %attlist.global;
     >

   <!ELEMENT DetectTime          (#PCDATA) >
   <!ATTLIST DetectTime
       ntpstamp            CDATA                   #REQUIRED
       %attlist.global;

     >

   <!ELEMENT AnalyzerTime        (#PCDATA) >
   <!ATTLIST AnalyzerTime
       ntpstamp            CDATA                   #REQUIRED
Top   ToC   RFC4765 - Page 114
       %attlist.global;
     >

   <!ELEMENT Confidence          (#PCDATA) >
   <!ATTLIST Confidence
       rating              %attvals.rating;        'numeric'
       %attlist.global;
     >

   <!ELEMENT Impact              (#PCDATA) >
   <!ATTLIST Impact
       severity            %attvals.severity;      #IMPLIED
       completion          %attvals.completion;    #IMPLIED
       type                %attvals.impacttype;    'other'
       %attlist.global;
     >

   <!ELEMENT alertident          (#PCDATA) >
   <!ATTLIST alertident
       analyzerid          CDATA                   #IMPLIED
       %attlist.global;
     >

   <!-- ===============================================================
    ===================================================================
    === SECTION 9.  Simple elements with no sub-elements and no special
    === attributes.
    ===================================================================
    =============================================================== -->

   <!ELEMENT boolean           (#PCDATA)         >
   <!ATTLIST boolean           %attlist.global;  >

   <!ELEMENT byte              (#PCDATA)         >
   <!ATTLIST byte              %attlist.global;  >

   <!ELEMENT character         (#PCDATA)         >
   <!ATTLIST character         %attlist.global;  >

   <!ELEMENT date-time         (#PCDATA)         >
   <!ATTLIST date-time         %attlist.global;  >

   <!ELEMENT integer           (#PCDATA)         >
   <!ATTLIST integer           %attlist.global;  >

   <!ELEMENT ntpstamp          (#PCDATA)         >
   <!ATTLIST ntpstamp          %attlist.global;  >
Top   ToC   RFC4765 - Page 115
   <!ELEMENT real              (#PCDATA)         >
   <!ATTLIST real              %attlist.global;  >

   <!ELEMENT string            (#PCDATA)         >
   <!ATTLIST string            %attlist.global;  >

   <!ELEMENT byte-string       (#PCDATA)         >
   <!ATTLIST byte-string       %attlist.global;  >

   <!ELEMENT xmltext           ANY               >
   <!ATTLIST xmltext           %attlist.global;  >

   <!ELEMENT access-time       (#PCDATA)         >
   <!ATTLIST access-time       %attlist.global;  >

   <!ELEMENT address           (#PCDATA)         >
   <!ATTLIST address           %attlist.global;  >

   <!ELEMENT arg               (#PCDATA)         >
   <!ATTLIST arg               %attlist.global;  >

   <!ELEMENT buffer            (#PCDATA)         >
   <!ATTLIST buffer            %attlist.global;  >

   <!ELEMENT c-major-device    (#PCDATA)         >
   <!ATTLIST c-major-device    %attlist.global;  >

   <!ELEMENT c-minor-device    (#PCDATA)         >
   <!ATTLIST c-minor-device    %attlist.global;  >

   <!ELEMENT cgi               (#PCDATA)         >
   <!ATTLIST cgi               %attlist.global;  >

   <!ELEMENT change-time       (#PCDATA)         >
   <!ATTLIST change-time       %attlist.global;  >

   <!ELEMENT command           (#PCDATA)         >
   <!ATTLIST command           %attlist.global;  >

   <!ELEMENT create-time       (#PCDATA)         >
   <!ATTLIST create-time       %attlist.global;  >

   <!ELEMENT data-size         (#PCDATA)         >
   <!ATTLIST data-size         %attlist.global;  >

   <!ELEMENT disk-size         (#PCDATA)         >
   <!ATTLIST disk-size         %attlist.global;  >
Top   ToC   RFC4765 - Page 116
   <!ELEMENT env               (#PCDATA)         >
   <!ATTLIST env               %attlist.global;  >

   <!ELEMENT http-method       (#PCDATA)         >
   <!ATTLIST http-method       %attlist.global;  >

   <!ELEMENT location          (#PCDATA)         >
   <!ATTLIST location          %attlist.global;  >

   <!ELEMENT major-device      (#PCDATA)         >
   <!ATTLIST major-device      %attlist.global;  >

   <!ELEMENT minor-device      (#PCDATA)         >
   <!ATTLIST minor-device      %attlist.global;  >

   <!ELEMENT modify-time       (#PCDATA)         >
   <!ATTLIST modify-time       %attlist.global;  >

   <!ELEMENT name              (#PCDATA)         >
   <!ATTLIST name              %attlist.global;  >

   <!ELEMENT netmask           (#PCDATA)         >
   <!ATTLIST netmask           %attlist.global;  >

   <!ELEMENT number            (#PCDATA)         >
   <!ATTLIST number            %attlist.global;  >

   <!ELEMENT oid               (#PCDATA)         >
   <!ATTLIST oid               %attlist.global;  >

   <!ELEMENT path              (#PCDATA)         >
   <!ATTLIST path              %attlist.global;  >

   <!ELEMENT permission        (#PCDATA)         >
   <!ATTLIST permission        %attlist.global;  >

   <!ELEMENT pid               (#PCDATA)         >
   <!ATTLIST pid               %attlist.global;  >

   <!ELEMENT port              (#PCDATA)         >
   <!ATTLIST port              %attlist.global;  >

   <!ELEMENT portlist          (#PCDATA)         >
   <!ATTLIST portlist          %attlist.global;  >

   <!ELEMENT program           (#PCDATA)         >
   <!ATTLIST program           %attlist.global;  >
Top   ToC   RFC4765 - Page 117
   <!ELEMENT protocol          (#PCDATA)         >
   <!ATTLIST protocol          %attlist.global;  >

   <!ELEMENT size              (#PCDATA)         >
   <!ATTLIST size              %attlist.global;  >

   <!ELEMENT url               (#PCDATA)         >
   <!ATTLIST url               %attlist.global;  >

   <!ELEMENT HeartbeatInterval (#PCDATA)         >
   <!ATTLIST HeartbeatInterval %attlist.global;  >

   <!ELEMENT messageProcessingModel (#PCDATA)    >
   <!ATTLIST messageProcessingModel %attlist.global;>

   <!ELEMENT securityModel     (#PCDATA)         >
   <!ATTLIST securityModel     %attlist.global;  >

   <!ELEMENT securityName      (#PCDATA)         >
   <!ATTLIST securityName      %attlist.global;  >

   <!ELEMENT securityLevel     (#PCDATA)         >
   <!ATTLIST securityLevel     %attlist.global;  >

   <!ELEMENT contextName       (#PCDATA)         >
   <!ATTLIST contextName       %attlist.global;  >

   <!ELEMENT contextEngineID   (#PCDATA)         >
   <!ATTLIST contextEngineID   %attlist.global;  >

   <!ELEMENT value             (#PCDATA)         >
   <!ATTLIST value             %attlist.global;  >

   <!ELEMENT key               (#PCDATA)         >
   <!ATTLIST key               %attlist.global;  >

   <!-- End of IDMEF DTD -->

9. Security Considerations

This document describes a data representation for exchanging security-related information between intrusion detection system implementations. Although there are no security concerns directly applicable to the format of this data, the data itself may contain security-sensitive information whose confidentiality, integrity, and/or availability may need to be protected.
Top   ToC   RFC4765 - Page 118
   This suggests that the systems used to collect, transmit, process,
   and store this data should be protected against unauthorized use and
   that the data itself should be protected against unauthorized access.
   The means for achieving this protection are outside the scope of this
   document.

   Section 5 of [2] describes the required and recommended security
   characteristics of the transmission protocol that will be used to
   deliver IDMEF data from analyzers to managers.  These requirements
   include message confidentiality, message integrity, non-repudiation,
   and avoidance of duplicate messages.  Both standard and proposed
   protocols exist that provide these features.

   Where a protocol that does not meet the requirements of Section 5 of
   [2] is used to exchange IDMEF messages, it may be desirable to use
   digital signatures to certify the integrity of these messages; this
   is discussed in Section 6.5 of this document.

10. IANA Considerations

Section 5 describes how to use the AdditionalData class to include arbitrary "atomic" data items in an IDMEF message, as well as how AdditionalData may be used to extend the DTD itself by adding new classes and attributes. From time to time, it may be desirable to move an extension from its private or local use status (as all extensions made via the above mechanism are) to "standard" status that should be supported by all implementations. This may be accomplished as described in this section.

10.1. Adding Values to Existing Attributes

Several of the attributes specified in this document have lists of permissible values that they may contain. To allow the addition of new values to these lists, the IANA created a repository for attribute values called "Intrusion Detection Message Exchange Format (IDMEF) Attribute Values". Following the policies outlined in [9], this repository is "Specification Required" by RFC. Section 10.1.1 describes the initial values for this repository.
Top   ToC   RFC4765 - Page 119
   To create a new attribute, you MUST publish an RFC to document the
   type.  In the RFC, include a copy of the registration template found
   in Section 10.1.2 of this document.  Put the template in your IANA
   Considerations section, filling in the appropriate fields.  You MUST
   describe any interoperability and security issues in your document.

   When adding a new attribute value to the repository, the IANA shall
   assign the next rank number in numerical sequence for the value.

10.1.1. Attribute Registrations

IDMEF Class Name: Reference IDMEF Attribute Name: origin Registered Values: +------+-----------------+------------------------------------------+ | Rank | Keyword | Description | +------+-----------------+------------------------------------------+ | 0 | unknown | Origin of the name is not known | | 1 | vendor-specific | A vendor-specific name (and hence, URL); | | | | this can be used to provide | | | | product-specific information | | 2 | user-specific | A user-specific name (and hence, URL); | | | | this can be used to provide | | | | installation-specific information | | 3 | bugtraqid | The SecurityFocus ("Bugtraq") | | | | vulnerability database identifier | | | | (http://www.securityfocus.com/bid) | | 4 | cve | The Common Vulnerabilities and Exposures | | | | (CVE) name (http://cve.mitre.org/) | | 5 | osvdb | The Open Source Vulnerability Database | | | | (http://www.osvdb.org) | +------+-----------------+------------------------------------------+
Top   ToC   RFC4765 - Page 120
   IDMEF Class Name:  Source

   IDMEF Attribute Name:  spoofed

   Registered Values:

        +------+---------+----------------------------------------+
        | Rank | Keyword | Description                            |
        +------+---------+----------------------------------------+
        |    0 | unknown | Accuracy of source information unknown |
        |    1 | yes     | Source is believed to be a decoy       |
        |    2 | no      | Source is believed to be "real"        |
        +------+---------+----------------------------------------+

   IDMEF Class Name:  Target

   IDMEF Attribute Name:  decoy

   Registered Values:

        +------+---------+----------------------------------------+
        | Rank | Keyword | Description                            |
        +------+---------+----------------------------------------+
        |    0 | unknown | Accuracy of target information unknown |
        |    1 | yes     | Target is believed to be a decoy       |
        |    2 | no      | Target is believed to be "real"        |
        +------+---------+----------------------------------------+
Top   ToC   RFC4765 - Page 121
   IDMEF Class Name:  AdditionalData

   IDMEF Attribute Name:  type

   Registered Values:

   +------+-------------+----------------------------------------------+
   | Rank | Keyword     | Description                                  |
   +------+-------------+----------------------------------------------+
   |    0 | boolean     | The element contains a boolean value, i.e.,  |
   |      |             | the strings "true" or "false"                |
   |    1 | byte        | The element content is a single 8-bit byte   |
   |      |             | (see Section 3.2.4)                          |
   |    2 | character   | The element content is a single character    |
   |      |             | (see Section 3.2.3)                          |
   |    3 | date-time   | The element content is a date-time string    |
   |      |             | (see Section 3.2.6)                          |
   |    4 | integer     | The element content is an integer (see       |
   |      |             | Section 3.2.1)                               |
   |    5 | ntpstamp    | The element content is an NTP timestamp (see |
   |      |             | Section 3.2.7)                               |
   |    6 | portlist    | The element content is a list of ports (see  |
   |      |             | Section 3.2.8)                               |
   |    7 | real        | The element content is a real number (see    |
   |      |             | Section 3.2.2)                               |
   |    8 | string      | The element content is a string (see         |
   |      |             | Section 3.2.3)                               |
   |    9 | byte-string | The element content is a byte[] (see         |
   |      |             | Section 3.2.4)                               |
   |   10 | xmltext     | The element content is XML-tagged data (see  |
   |      |             | Section 5.2)                                 |
   +------+-------------+----------------------------------------------+
Top   ToC   RFC4765 - Page 122
   IDMEF Class Name:  Impact

   IDMEF Attribute Name:  severity

   Registered Values:

       +------+---------+-----------------------------------------+
       | Rank | Keyword | Description                             |
       +------+---------+-----------------------------------------+
       |    0 | info    | Alert represents informational activity |
       |      |         |                                         |
       |    1 | low     | Low severity                            |
       |      |         |                                         |
       |    2 | medium  | Medium severity                         |
       |      |         |                                         |
       |    3 | high    | High severity                           |
       +------+---------+-----------------------------------------+

   IDMEF Class Name:  Impact

   IDMEF Attribute Name:  completion

   Registered Values:

           +------+-----------+--------------------------------+
           | Rank | Keyword   | Description                    |
           +------+-----------+--------------------------------+
           |    0 | failed    | The attempt was not successful |
           |    1 | succeeded | The attempt succeeded          |
           +------+-----------+--------------------------------+
Top   ToC   RFC4765 - Page 123
   IDMEF Class Name:  Impact

   IDMEF Attribute Name:  type

   Registered Values:

   +------+---------+--------------------------------------------------+
   | Rank | Keyword | Description                                      |
   +------+---------+--------------------------------------------------+
   |    0 | admin   | Administrative privileges were attempted or      |
   |      |         | obtained                                         |
   |    1 | dos     | A denial of service was attempted or completed   |
   |    2 | file    | An action on a file was attempted or completed   |
   |    3 | recon   | A reconnaissance probe was attempted or          |
   |      |         | completed                                        |
   |    4 | user    | User privileges were attempted or obtained       |
   |    5 | other   | Anything not in one of the above categories      |
   +------+---------+--------------------------------------------------+

   IDMEF Class Name:  Action

   IDMEF Attribute Name:  category

   Registered Values:

   +------+-------------------+----------------------------------------+
   | Rank | Keyword           | Description                            |
   +------+-------------------+----------------------------------------+
   |    0 | block-installed   | A block of some sort was installed to  |
   |      |                   | prevent an attack from reaching its    |
   |      |                   | destination.  The block could be a     |
   |      |                   | port block, address block, etc., or    |
   |      |                   | disabling a user account.              |
   |    1 | notification-sent | A notification message of some sort    |
   |      |                   | was sent out-of-band (via pager,       |
   |      |                   | e-mail, etc.).  Does not include the   |
   |      |                   | transmission of this alert.            |
   |    2 | taken-offline     | A system, computer, or user was taken  |
   |      |                   | offline, as when the computer is shut  |
   |      |                   | down or a user is logged off.          |
   |    3 | other             | Anything not in one of the above       |
   |      |                   | categories.                            |
   +------+-------------------+----------------------------------------+
Top   ToC   RFC4765 - Page 124
   IDMEF Class Name:  Confidence

   IDMEF Attribute Name:  rating

   Registered Values:

   +------+---------+--------------------------------------------------+
   | Rank | Keyword | Description                                      |
   +------+---------+--------------------------------------------------+
   |    0 | low     | The analyzer has little confidence in its        |
   |      |         | validity                                         |
   |    1 | medium  | The analyzer has average confidence in its       |
   |      |         | validity                                         |
   |    2 | high    | The analyzer has high confidence in its validity |
   |    3 | numeric | The analyzer has provided a posterior            |
   |      |         | probability value indicating its confidence in   |
   |      |         | its validity                                     |
   +------+---------+--------------------------------------------------+

   IDMEF Class Name:  Node

   IDMEF Attribute Name:  category

   Registered Values:

      +------+----------+------------------------------------------+
      | Rank | Keyword  | Description                              |
      +------+----------+------------------------------------------+
      |    0 | unknown  | Domain unknown or not relevant           |
      |    1 | ads      | Windows 2000 Advanced Directory Services |
      |    2 | afs      | Andrew File System (Transarc)            |
      |    3 | coda     | Coda Distributed File System             |
      |    4 | dfs      | Distributed File System (IBM)            |
      |    5 | dns      | Domain Name System                       |
      |    6 | hosts    | Local hosts file                         |
      |    7 | kerberos | Kerberos realm                           |
      |    8 | nds      | Novell Directory Services                |
      |    9 | nis      | Network Information Services (Sun)       |
      |   10 | nisplus  | Network Information Services Plus (Sun)  |
      |   11 | nt       | Windows NT domain                        |
      |   12 | wfw      | Windows for Workgroups                   |
      +------+----------+------------------------------------------+
Top   ToC   RFC4765 - Page 125
   IDMEF Class Name:  Address

   IDMEF Attribute Name:  category

   Registered Values:

   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | unknown       | Address type unknown                       |
   |    1 | atm           | Asynchronous Transfer Mode network address |
   |    2 | e-mail        | Electronic mail address (RFC 822)          |
   |    3 | lotus-notes   | Lotus Notes e-mail address                 |
   |    4 | mac           | Media Access Control (MAC) address         |
   |    5 | sna           | IBM Shared Network Architecture (SNA)      |
   |      |               | address                                    |
   |    6 | vm            | IBM VM ("PROFS") e-mail address            |
   |    7 | ipv4-addr     | IPv4 host address in dotted-decimal        |
   |      |               | notation (a.b.c.d)                         |
   |    8 | ipv4-addr-hex | IPv4 host address in hexadecimal notation  |
   |    9 | ipv4-net      | IPv4 network address in dotted-decimal     |
   |      |               | notation, slash, significant bits          |
   |      |               | (a.b.c.d/nn)                               |
   |   10 | ipv4-net-mask | IPv4 network address in dotted-decimal     |
   |      |               | notation, slash, network mask in           |
   |      |               | dotted-decimal notation (a.b.c.d/w.x.y.z)  |
   |   11 | ipv6-addr     | IPv6 host address                          |
   |   12 | ipv6-addr-hex | IPv6 host address in hexadecimal notation  |
   |   13 | ipv6-net      | IPv6 network address, slash, significant   |
   |      |               | bits                                       |
   |   14 | ipv6-net-mask | IPv6 network address, slash, network mask  |
   +------+---------------+--------------------------------------------+
Top   ToC   RFC4765 - Page 126
   IDMEF Class Name:  User

   IDMEF Attribute Name:  category

   Registered Values:

        +------+-------------+------------------------------------+
        | Rank | Keyword     | Description                        |
        +------+-------------+------------------------------------+
        |    0 | unknown     | User type unknown                  |
        |    1 | application | An application user                |
        |    2 | os-device   | An operating system or device user |
        +------+-------------+------------------------------------+

   IDMEF Class Name:  UserId

   IDMEF Attribute Name:  category

   Registered Values:

   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | current-user  | The current user id being used by the user |
   |      |               | or process.  On Unix systems, this would   |
   |      |               | be the "real" user id, in general.         |
   |    1 | original-user | The actual identity of the user or process |
   |      |               | being reported on.  On those systems that  |
   |      |               | (a) do some type of auditing and (b)       |
   |      |               | support extracting a user id from the      |
   |      |               | "audit id" token, that value should be     |
   |      |               | used.  On those systems that do not        |
   |      |               | support this, and where the user has       |
   |      |               | logged into the system, the "login id"     |
   |      |               | should be used.                            |
   |    2 | target-user   | The user id the user or process is         |
   |      |               | attempting to become.  This would apply,   |
   |      |               | on Unix systems for example, when the user |
   |      |               | attempts to use "su", "rlogin", "telnet",  |
   |      |               | etc.                                       |
Top   ToC   RFC4765 - Page 127
   |    3 | user-privs    | Another user id the user or process has    |
   |      |               | the ability to use, or a user id           |
   |      |               | associated with a file permission.  On     |
   |      |               | Unix systems, this would be the            |
   |      |               | "effective" user id in a user or process   |
   |      |               | context, and the owner permissions in a    |
   |      |               | file context.  Multiple UserId elements of |
   |      |               | this type may be used to specify a list of |
   |      |               | privileges.                                |
   |    4 | current-group | The current group id (if applicable) being |
   |      |               | used by the user or process.  On Unix      |
   |      |               | systems, this would be the "real" group    |
   |      |               | id, in general.                            |
   |    5 | group-privs   | Another group id the group or process has  |
   |      |               | the ability to use, or a group id          |
   |      |               | associated with a file permission.  On     |
   |      |               | Unix systems, this would be the            |
   |      |               | "effective" group id in a group or process |
   |      |               | context, and the group permissions in a    |
   |      |               | file context.  On BSD-derived Unix         |
   |      |               | systems, multiple UserId elements of this  |
   |      |               | type would be used to include all the      |
   |      |               | group ids on the "group list".             |
   |    6 | other-privs   | Not used in a user, group, or process      |
   |      |               | context, only used in the file context.    |
   |      |               | The file permissions assigned to users who |
   |      |               | do not match either the user or group      |
   |      |               | permissions on the file.  On Unix systems, |
   |      |               | this would be the "world" permissions.     |
   +------+---------------+--------------------------------------------+

   IDMEF Class Name:  File

   IDMEF Attribute Name:  category

   Registered Values:

   +------+----------+-------------------------------------------------+
   | Rank | Keyword  | Description                                     |
   +------+----------+-------------------------------------------------+
   |    0 | current  | The file information is from after the reported |
   |      |          | change                                          |
   |    1 | original | The file information is from before the         |
   |      |          | reported change                                 |
   +------+----------+-------------------------------------------------+
Top   ToC   RFC4765 - Page 128
   IDMEF Class Name:  File

   IDMEF Attribute Name:  fstype

   Registered Values:

         +------+---------+-------------------------------------+
         | Rank | Keyword | Description                         |
         +------+---------+-------------------------------------+
         |    0 | ufs     | Berkeley Unix Fast File System      |
         |    1 | efs     | Linux "efs" file system             |
         |    2 | nfs     | Network File System                 |
         |    3 | afs     | Andrew File System                  |
         |    4 | ntfs    | Windows NT File System              |
         |    5 | fat16   | 16-bit Windows FAT File System      |
         |    6 | fat32   | 32-bit Windows FAT File System      |
         |    7 | pcfs    | "PC" (MS-DOS) file system on CD-ROM |
         |    8 | joliet  | Joliet CD-ROM file system           |
         |    9 | iso9660 | ISO 9660 CD-ROM file system         |
         +------+---------+-------------------------------------+

   IDMEF Class Name:  FileAccess

   IDMEF Attribute Name:  permission

   Registered Values:

   +------+-------------------+----------------------------------------+
   | Rank | Keyword           | Description                            |
   +------+-------------------+----------------------------------------+
   |    0 | noAccess          | No access at all is allowed for this   |
   |      |                   | user                                   |
   |    1 | read              | This user has read access to the file  |
   |    2 | write             | This user has write access to the file |
   |    3 | execute           | This user has the ability to execute   |
   |      |                   | the file                               |
   |    4 | search            | This user has the ability to search    |
   |      |                   | this file (applies to "execute"        |
   |      |                   | permission on directories in Unix)     |
   |    5 | delete            | This user has the ability to delete    |
   |      |                   | this file                              |
   |    6 | executeAs         | This user has the ability to execute   |
   |      |                   | this file as another user              |
   |    7 | changePermissions | This user has the ability to change    |
   |      |                   | the access permissions on this file    |
   |    8 | takeOwnership     | This user has the ability to take      |
   |      |                   | ownership of this file                 |
   +------+-------------------+----------------------------------------+
Top   ToC   RFC4765 - Page 129
   IDMEF Class Name:  Linkage

   IDMEF Attribute Name:  category

   Registered Values:

   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | hard-link     | The <name> element represents another name |
   |      |               | for this file.  This information may be    |
   |      |               | more easily obtainable on NTFS file        |
   |      |               | systems than others.                       |
   |    1 | mount-point   | An alias for the directory specified by    |
   |      |               | the parent's <name> and <path> elements.   |
   |    2 | reparse-point | Applies only to Windows; excludes symbolic |
   |      |               | links and mount points, which are specific |
   |      |               | types of reparse points.                   |
   |    3 | shortcut      | The file represented by a Windows          |
   |      |               | "shortcut".  A shortcut is distinguished   |
   |      |               | from a symbolic link because of the        |
   |      |               | difference in their contents, which may be |
   |      |               | of importance to the manager.              |
   |    4 | stream        | An Alternate Data Stream (ADS) in Windows; |
   |      |               | a fork on MacOS.  Separate file system     |
   |      |               | entity that is considered an extension of  |
   |      |               | the main <File>.                           |
   |    5 | symbolic-link | The <name> element represents the file to  |
   |      |               | which the link points.                     |
   +------+---------------+--------------------------------------------+
Top   ToC   RFC4765 - Page 130
   IDMEF Class Name:  Checksum

   IDMEF Attribute Name:  algorithm

   Registered Values:

      +------+----------+------------------------------------------+
      | Rank | Keyword  | Description                              |
      +------+----------+------------------------------------------+
      |    0 | MD4      | The MD4 algorithm.                       |
      |    1 | MD5      | The MD5 algorithm.                       |
      |    2 | SHA1     | The SHA1 algorithm.                      |
      |    3 | SHA2-256 | The SHA2 algorithm with 256 bits length. |
      |    4 | SHA2-384 | The SHA2 algorithm with 384 bits length. |
      |    5 | SHA2-512 | The SHA2 algorithm with 512 bits length. |
      |    6 | CRC-32   | The CRC algorithm with 32 bits length.   |
      |    7 | Haval    | The Haval algorithm.                     |
      |    8 | Tiger    | The Tiger algorithm.                     |
      |    9 | Gost     | The Gost algorithm.                      |
      +------+----------+------------------------------------------+

10.1.2. Registration Template

IDMEF Class Name: <provide the name of the class that contains the attribute to which you want to add a new value, e.g., "Address"> IDMEF Attribute Name: <provide the name of the attribute to which you want to add a new value, e.g., "category"> New Attribute Value to Be Defined: <provide the name of the new attribute value that you want to add, e.g., "sneaker-net"> Meaning of New Attribute Value: <describe in detail what the attribute value means -- i.e., if an analyzer sends this value, what is it telling the receiver of the information?> Contact Person and E-Mail Address: <your name and e-mail address>
Top   ToC   RFC4765 - Page 131

10.2. Adding New Attributes and Classes

To the extent possible, the IDMEF classes and attributes specified in this document have been designed to accommodate all current and near- future needs. Although it is recognized that the addition of new classes, as well as the addition of new attributes to existing classes, will be necessary in the future, these actions should not be taken lightly. Any addition of new attributes or classes should only be undertaken when the current classes and attributes simply cannot be used to represent the information in a "clean" way -- and such additions should only be made to represent generally-useful types of data. Vendor-specific information, obscure information provided by only a particular type of analyzer or used only by a particular type of manager, "pet" attributes, and the like are not good reasons to make class and attribute additions. At the time this RFC was written, the first anticipated case for which new classes and attributes will need to be added is to handle host-based intrusion detection systems. However, such additions should not be made until some level of consensus has been reached about the set of data that will be provided by these systems. Following the policies outlined in [9], the addition of new classes and attributes to the IDMEF requires "IETF Consensus". To add new attributes or classes, you MUST publish an RFC to document them, and get that RFC approved by the IESG. Typically, the IESG will seek input on prospective additions from appropriate persons (e.g., a relevant working group if one exists). You MUST describe any interoperability and security issues in your document.

11. References

11.1. Normative References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Wood, M. and M. Erlinger, "Intrusion Detection Mesage Exchange Requirements", RFC 4766, March 2007.
Top   ToC   RFC4765 - Page 132
   [3]   Sperberg-McQueen, C., Paoli, J., Maler, E., and T. Bray,
         "Extensible Markup Language (XML) 1.0 (Second Edition)", World
         Wide Web Consortium
         FirstEdition http://www.w3.org/TR/2000/REC-xml-20001006,
         October 2000.

   [4]   Bray, T., Hollander, D., and A. Layman, "Namespaces in XML",
         World Wide Web Consortium
         Recommendation http://www.w3.org/TR/1999/
         REC-xml-names-19990114, January 1999.

   [5]   Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
         Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
         January 2005.

   [6]   International Organization for Standardization, "Data elements
         and interchange formats - Information interchange -
         Representation of dates and times", ISO Standard 8601, Second
         Edition, December 2000.

   [7]   Mills, D., "Network Time Protocol (Version 3) Specification,
         Implementation", RFC 1305, March 1992.

   [8]   Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for
         IPv4, IPv6 and OSI", RFC 4330, January 2006.

   [9]   Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
         Considerations Section in RFCs", BCP 26, RFC 2434,
         October 1998.

   [10]  Phillips, A. and M. Davis, "Tags for Identifying Languages",
         BCP 47, RFC 4646, September 2006.

11.2. Informative References

[11] St. Johns, M., "Identification Protocol", RFC 1413, February 1993. [12] Resnick, P., "Internet Message Format", RFC 2822, April 2001. [13] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002. [14] Rumbaugh, J., Jacobson, I., and G. Booch, "The Unified Modeling Language Reference Model", ISBN 020130998X, 1998.
Top   ToC   RFC4765 - Page 133
   [15]  Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
         for Describing Simple Network Management Protocol (SNMP)
         Management Frameworks", STD 62, RFC 3411, December 2002.

   [16]  Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence
         between Version 1, Version 2, and Version 3 of the
         Internet-standard Network Management Framework", BCP 74,
         RFC 3584, August 2003.


(next page on part 6)

Next Section