Analyzer

The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated. Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the "relay" analyzers along the path from the originating analyzer to the manager that ultimately receives the alert.

digraph Analyzer { graph [rankdir=LR]; node [label="\N"]; graph [bb="0,0,856,294"]; Analyzer [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#99993d" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated. Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the &quot;relay&quot; analyzers along the path from the originating analyzer to the manager that ultimately receives the alert. ">Analyzer</td> </tr>" %<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="(but see below). A unique identifier for the analyzer; see Section 3.2.9.">[STRING] analyzerid (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="An explicit name for the analyzer that may be easier to understand than the analyzerid.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The manufacturer of the analyzer software and/or hardware.">[STRING] manufacturer (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The model name/number of the analyzer software and/or hardware.">[STRING] model (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The version number of the analyzer software and/or hardware.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="The class of analyzer software and/or hardware.">[STRING] class (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="Operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the &quot;uname -s&quot; command.">[STRING] ostype (Optional) </td></tr>%<tr><td BGCOLOR="#FFFF66" HREF="/idmef_parser/IDMEF/Analyzer.html" TITLE="Operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the &quot;uname -r&quot; command.">[STRING] osversion (Optional) </td></tr>%</table>>, shape=plaintext, pos="132,120", width="3.6667", height="2.625"]; "Node" [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#007a00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The Node class is used to identify hosts and other network devices (routers, switches, etc.). ">Node</td> </tr>" %<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The location of the equipment.">[STRING] location (0..1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The name of the equipment. This information MUST be provided if no Address information is given.">[STRING] name (0..1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="A unique identifier for the node; see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Node.html" TITLE="The &quot;domain&quot; from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is &quot;unknown&quot;. (See also Section 10 for extensions to the table.)">[ENUM] category (Optional) </td></tr>%</table>>, shape=plaintext, pos="438,220", width="3.0278", height="1.5139"]; Address [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#007a00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The Address class is used to represent network, hardware, and application addresses. ">Address</td> </tr>" %<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The address information. The format of this data is governed by the category attribute.">[STRING] address (1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The network mask for the address, if appropriate.">[STRING] netmask (0..1) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="A unique identifier for the address; see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The type of address represented. The permitted values for this attribute are shown below. The default value is &quot;unknown&quot;. (See also Section 10.)">[ENUM] category (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The name of the Virtual LAN to which the address belongs.">[STRING] vlan-name (Optional) </td></tr>%<tr><td BGCOLOR="#00CC00" HREF="/idmef_parser/IDMEF/Address.html" TITLE="The number of the Virtual LAN to which the address belongs.">[INTEGER] vlan-num (Optional) </td></tr>%</table>>, shape=plaintext, pos="733,220", width="3.3889", height="2.0694"]; Process [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a3d" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The Process class is used to describe processes being executed on sources, targets, and analyzers. ">Process</td> </tr>" %<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The name of the program being executed. This is a short name; path and argument information are provided elsewhere.">[STRING] name (1) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The process identifier of the process.">[INTEGER] pid (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="The full path of the program being executed.">[STRING] path (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.">[STRING] arg (0..*) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="An environment string associated with the process; generally of the format &quot;VARIABLE=value&quot;. Multiple environment strings may be specified with multiple uses of env.">[STRING] env (0..*) </td></tr>%<tr><td BGCOLOR="#FFCC66" HREF="/idmef_parser/IDMEF/Process.html" TITLE="A unique identifier for the process; see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%</table>>, shape=plaintext, pos="438,74", width="2.8611", height="2.0694"]; "Node" -> Address [label="0..*", pos="e,610.16,220 547.85,220 564.83,220 582.52,220 599.94,220", lp="579,228.5"]; Analyzer -> "Node" [label="0..1", pos="e,328.33,184.16 264.44,163.28 282.43,169.16 300.8,175.16 318.54,180.96", lp="296,184.5"]; Analyzer -> Process [label="0..1", pos="e,334.88,89.502 264.44,100.09 284.61,97.059 305.27,93.953 324.98,90.99", lp="296,105.5"]; Analyzer -> Analyzer [label="0..1", pos="e,158.06,214.37 105.94,214.37 110.82,225.07 119.51,232 132,232 140.78,232 147.69,228.57 152.71,222.82", lp="132,240.5"]; }


Aggregates

Node (0..1)

Information about the host or device on which the analyzer resides (network address, network name, etc.).

Process (0..1)

Information about the process in which the analyzer is executing.

Analyzer (0..1)

Information about the analyzer from which the message may have gone through. The idea behind this mechanism is that when a manager receives an alert and wants to forward it to another analyzer, it needs to substitute the original analyzer

Attributes

analyzerid (Optional)

(but see below). A unique identifier for the analyzer; see Section 3.2.9.

name (Optional)

An explicit name for the analyzer that may be easier to understand than the analyzerid.

manufacturer (Optional)

The manufacturer of the analyzer software and/or hardware.

model (Optional)

The model name/number of the analyzer software and/or hardware.

version (Optional)

The version number of the analyzer software and/or hardware.

class (Optional)

The class of analyzer software and/or hardware.

ostype (Optional)

Operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command.

osversion (Optional)

Operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command.


IDMEF


IODEF