IDMEF-Message

All IDMEF messages are instances of the IDMEF-Message class; it is the top-level class of the IDMEF data model, as well as the IDMEF DTD. There are currently two types (subclasses) of IDMEF-Message: Alert and Heartbeat.

Class reference (reconstructed from the class diagram)

Each class is documented on its own page at /idmef_parser/IDMEF/<ClassName>.html. Attribute entries are written [TYPE] name (multiplicity): "Optional" and "Required" mark XML attributes of the class, numeric ranges mark aggregate elements. "Aggregates" lists the classes a class contains, with multiplicity; "Subclasses" lists its specialisations. The diagram source is cut off after the Inode class description, so the attributes of Inode, Checksum, Impact, Action and Confidence are listed without descriptions.

IDMEF-Message
  All IDMEF messages are instances of the IDMEF-Message class; it is the top-level class of the IDMEF data model, as well as the IDMEF DTD. There are currently two types (subclasses) of IDMEF-Message: Alert and Heartbeat.
  Subclasses: Alert, Heartbeat

Heartbeat
  Analyzers use Heartbeat messages to indicate their current status to managers. Heartbeats are intended to be sent in a regular period, say, every ten minutes or every hour. The receipt of a Heartbeat message from an analyzer indicates to the manager that the analyzer is up and running; lack of a Heartbeat message (or more likely, lack of some number of consecutive Heartbeat messages) indicates that the analyzer or its network connection has failed.
  [INTEGER] HeartbeatInterval (0..1): the interval in seconds at which heartbeats are generated.
  [STRING] messageid (Optional): a unique identifier for the heartbeat; see Section 3.2.9.
  Aggregates: Analyzer (1), CreateTime (1), AnalyzerTime (0..1), AdditionalData (0..*)

Alert
  Generally, every time an analyzer detects an event that it has been configured to look for, it sends an Alert message to its manager(s). Depending on the analyzer, an Alert message may correspond to a single detected event or multiple detected events. Alerts occur asynchronously in response to outside events.
  [STRING] messageid (Optional): a unique identifier for the alert; see Section 3.2.9.
  Aggregates: Analyzer (1), CreateTime (1), DetectTime (0..1), AnalyzerTime (0..1), Classification (1), Source (0..*), Target (0..*), Assessment (0..1), AdditionalData (0..*)
  Subclasses: OverflowAlert, ToolAlert, CorrelationAlert

Analyzer
  The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated. Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the "relay" analyzers along the path from the originating analyzer to the manager that ultimately receives the alert.
  [STRING] analyzerid (Optional): (but see below). A unique identifier for the analyzer; see Section 3.2.9.
  [STRING] name (Optional): an explicit name for the analyzer that may be easier to understand than the analyzerid.
  [STRING] manufacturer (Optional): the manufacturer of the analyzer software and/or hardware.
  [STRING] model (Optional): the model name/number of the analyzer software and/or hardware.
  [STRING] version (Optional): the version number of the analyzer software and/or hardware.
  [STRING] class (Optional): the class of analyzer software and/or hardware.
  [STRING] ostype (Optional): operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command.
  [STRING] osversion (Optional): operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command.
  Aggregates: Node (0..1), Process (0..1), Analyzer (0..1)

Node
  The Node class is used to identify hosts and other network devices (routers, switches, etc.).
  [STRING] location (0..1): the location of the equipment.
  [STRING] name (0..1): the name of the equipment. This information MUST be provided if no Address information is given.
  [STRING] ident (Optional): a unique identifier for the node; see Section 3.2.9.
  [ENUM] category (Optional): the "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table on the Node page. The default value is "unknown". (See also Section 10 for extensions to the table.)
  Aggregates: Address (0..*)

Address
  The Address class is used to represent network, hardware, and application addresses.
  [STRING] address (1): the address information. The format of this data is governed by the category attribute.
  [STRING] netmask (0..1): the network mask for the address, if appropriate.
  [STRING] ident (Optional): a unique identifier for the address; see Section 3.2.9.
  [ENUM] category (Optional): the type of address represented. The permitted values for this attribute are shown on the Address page. The default value is "unknown". (See also Section 10.)
  [STRING] vlan-name (Optional): the name of the Virtual LAN to which the address belongs.
  [INTEGER] vlan-num (Optional): the number of the Virtual LAN to which the address belongs.

Process
  The Process class is used to describe processes being executed on sources, targets, and analyzers.
  [STRING] name (1): the name of the program being executed. This is a short name; path and argument information are provided elsewhere.
  [INTEGER] pid (0..1): the process identifier of the process.
  [STRING] path (0..1): the full path of the program being executed.
  [STRING] arg (0..*): a command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.
  [STRING] env (0..*): an environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env.
  [STRING] ident (Optional): a unique identifier for the process; see Section 3.2.9.

CreateTime
  The CreateTime class is used to indicate the date and time the alert or heartbeat was created by the analyzer.

AnalyzerTime
  The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message "on the wire".

AdditionalData
  The AdditionalData class is used to provide information that cannot be represented by the data model. AdditionalData can be used to provide atomic data (integers, strings, etc.) in cases where only small amounts of additional information need to be sent; it can also be used to extend the data model and the DTD to support the transmission of complex data (such as packet headers). Detailed instructions for extending the data model and the DTD are provided in Section 5.
  [STRING] meaning (Optional): a string describing the meaning of the element content. These values will be vendor/implementation dependent; the method for ensuring that managers understand the strings sent by analyzers is outside the scope of this specification. A list of acceptable meaning keywords is not within the scope of the document, although later versions may undertake to establish such a list.

OverflowAlert (subclass of Alert)
  The OverflowAlert carries additional information related to buffer overflow attacks. It is intended to enable an analyzer to provide the details of the overflow attack itself.
  [STRING] program (1): the program that the overflow attack attempted to run (NOTE: this is not the program that was attacked).
  [INTEGER] size (0..1): the size, in bytes, of the overflow (i.e., the number of bytes the attacker sent).
  [BYTE[]] buffer (0..1): some or all of the overflow data itself (dependent on how much the analyzer can capture).

ToolAlert (subclass of Alert)
  The ToolAlert class carries additional information related to the use of attack tools or malevolent programs such as Trojan horses and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool".
  [STRING] name (1): the reason for grouping the alerts together, for example, the name of a particular tool.
  [STRING] command (0..1): the command or operation that the tool was asked to perform, for example, a BackOrifice ping.
  [STRING] alertident (1..*): the list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.

CorrelationAlert (subclass of Alert)
  The CorrelationAlert class carries additional information related to the correlation of alert information. It is intended to group one or more previously-sent alerts together, to say "these alerts are all related".
  [STRING] name (1): the reason for grouping the alerts together, for example, a particular correlation method.
  [STRING] alertident (1..*): the list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the CorrelationAlert.

Classification
  The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is. This name is chosen by the alert provider.
  [STRING] ident (Optional): a unique identifier for this classification; see Section 3.2.9.
  [STRING] text (Required): a vendor-provided string identifying the Alert message.
  Aggregates: Reference (0..*)

Reference
  The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is.
  [STRING] name (1): the name of the alert, from one of the origins listed on the Reference page.
  [STRING] url (1): a URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.
  [ENUM] origin (Required): the source from which the name of the alert originates. The permitted values for this attribute are shown on the Reference page. The default value is "unknown". (See also Section 10.)
  [STRING] meaning (Optional): the meaning of the reference, as understood by the alert provider. This field is only valid if the value of the <origin> attribute is set to "vendor-specific" or "user-specific".

DetectTime
  The DetectTime class is used to indicate the date and time that the event(s) producing an alert was detected by the analyzer. In the case of more than one event, it is the time that the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection.)

Source
  The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial-of-service attack).
  [STRING] ident (Optional): a unique identifier for this source; see Section 3.2.9.
  [ENUM] spoofed (Optional): an indication of whether the source is, as far as the analyzer can determine, a spoofed address used for hiding the real origin of the attack. The permitted values for this attribute are shown on the Source page. The default value is "unknown". (See also Section 10.)
  [STRING] interface (Optional): may be used by a network-based analyzer with multiple interfaces to indicate which interface this source was seen on.
  Aggregates: Node (0..1), Process (0..1), User (0..1), Service (0..1)

Target
  The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep).
  [STRING] ident (Optional): a unique identifier for this target; see Section 3.2.9.
  [ENUM] decoy (Optional): an indication of whether the target is, as far as the analyzer can determine, a decoy. The permitted values for this attribute are shown on the Target page. The default value is "unknown". (See also Section 10.)
  [STRING] interface (Optional): may be used by a network-based analyzer with multiple interfaces to indicate which interface this target was seen on.
  Aggregates: Node (0..1), Process (0..1), User (0..1), Service (0..1), File (0..1)

User
  The User class is used to describe users. It is primarily used as a "container" class for the UserId aggregate class, as shown in Figure 16.
  [STRING] ident (Optional): a unique identifier for the user; see Section 3.2.9.
  [ENUM] category (Optional): the type of user represented. The permitted values for this attribute are shown on the User page. The default value is "unknown". (See also Section 10.)
  Aggregates: UserId (1..*)

UserId
  The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges.
  [STRING] name (0..1): a user or group name.
  [INTEGER] number (0..1): a user or group number.
  [STRING] ident (Optional): a unique identifier for the user id; see Section 3.2.9.
  [ENUM] type (Optional): the type of user information represented. The permitted values for this attribute are shown on the UserId page. The default value is "original-user". (See also Section 10.)
  [STRING] tty (Optional): the tty the user is using.

Service
  The Service class describes network services on sources and targets. It can identify services by name, port, and protocol. When Service occurs as an aggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" to the Node, Process, and User information also contained in Source. Likewise, when Service occurs as an aggregate class of Target, it is understood that the service is one to which activity of interest is being directed; and that the service is "attached" to the Node, Process, and User information also contained in Target. If Service occurs in both Source and Target, then information in both locations should be the same. If information is the same in both locations and implementers wish to carry it in only one location, they should specify it as an aggregate of the Target class.
  [STRING] name (0..1): the name of the service. Whenever possible, the name from the IANA list of well-known ports SHOULD be used.
  [INTEGER] port (0..1): the port number being used.
  [PORTLIST] portlist (0..1): a list of port numbers being used; see Section 3.2.8 for formatting rules. If a portlist is given, the iana_protocol_number and iana_protocol_name MUST apply to all the elements of the list.
  [STRING] protocol (0..1): additional information about the protocol being used. The intent of the protocol field is to carry additional information related to the protocol being used when the <Service> attributes iana_protocol_number and/or iana_protocol_name are filled.
  [STRING] ident (Optional): a unique identifier for the service; see Section 3.2.9.
  [INTEGER] ip_version (Optional): the IP version number.
  [INTEGER] iana_protocol_number (Optional): the IANA protocol number.
  [STRING] iana_protocol_name (Optional): the IANA protocol name.
  Subclasses: WebService, SNMPService

WebService (subclass of Service)
  The WebService class carries additional information related to web traffic.
  [STRING] url (1): the URL in the request.
  [STRING] cgi (0..1): the CGI script in the request, without arguments.
  [STRING] http-method (0..1): the HTTP method (PUT, GET) used in the request.
  [STRING] arg (0..*): the arguments to the CGI script.

SNMPService (subclass of Service)
  The SNMPService class carries additional information related to SNMP traffic. The aggregate classes composing SNMPService must be interpreted as described in RFC 3411 [15] and RFC 3584 [16].
  [STRING] oid (0..1): the object identifier in the request.
  [INTEGER] messageProcessingModel (0..1): the SNMP version, typically 0 for SNMPv1, 1 for SNMPv2c, 2 for SNMPv2u and SNMPv2*, and 3 for SNMPv3; see RFC 3411 [15] Section 5 for appropriate values.
  [INTEGER] securityModel (0..1): the identification of the security model in use, typically 0 for any, 1 for SNMPv1, 2 for SNMPv2c, and 3 for USM; see RFC 3411 [15] Section 5 for appropriate values.
  [STRING] securityName (0..1): the object's security name; see RFC 3411 [15] Section 3.2.2.
  [INTEGER] securityLevel (0..1): the security level of the SNMP request; see RFC 3411 [15] Section 3.4.3.
  [STRING] contextName (0..1): the object's context name; see RFC 3411 [15] Section 3.3.3.
  [STRING] contextEngineID (0..1): the object's context engine identifier; see RFC 3411 [15] Section 3.3.2.
  [STRING] command (0..1): the command sent to the SNMP server (GET, SET, etc.).

File
  The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute.
  [STRING] name (1): the name of the file to which the alert applies, not including the path to the file.
  [STRING] path (1): the full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
  [DATETIME] create-time (0..1): time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.
  [DATETIME] modify-time (0..1): time the file was last modified.
  [DATETIME] access-time (0..1): time the file was last accessed.
  [INTEGER] data-size (0..1): the size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).
  [INTEGER] disk-size (0..1): the physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).
  [STRING] ident (0..1): a unique identifier for this file; see Section 3.2.9.
  [ENUM] category (0..1): the type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.
  [STRING] file-type (0..1): the type of file, as a mime-type.
  Aggregates: FileAccess (0..*), Linkage (0..*), Inode (0..1), Checksum (0..*)

FileAccess
  The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems.
  [ENUM] Permission (1..*): level of access allowed. The permitted values are shown on the FileAccess page. There is no default value. (See also Section 10.)
  Aggregates: UserId (1)

Linkage
  The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate.
  [STRING] name (1): the name of the file system object, not including the path.
  [STRING] path (1): the full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
  [ENUM] category (Optional): (description cut off on the page; see also Section 10.)
  Aggregates: File (1)

Inode
  The Inode class is used to represent the additional information contained in a Unix file system i-node.
  [DATETIME] change-time (0..1)
  [INTEGER] number (0..1)
  [INTEGER] major-device (0..1)
  [INTEGER] minor-device (0..1)
  [INTEGER] c-major-device (0..1)
  [INTEGER] c-minor-device (0..1)

Checksum
  [STRING] value (1)
  [STRING] key (0..1)
  [ENUM] algorithm (Required)

Assessment
  Aggregates: Impact (0..1), Action (0..*), Confidence (0..1)

Impact
  [ENUM] severity (Optional)
  [ENUM] completion (Optional)
  [ENUM] type (Optional)

Action
  [ENUM] category (multiplicity not given on the page)

Confidence
  [ENUM] rating (multiplicity not given on the page)
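A manager that consumes IDMEF has to decide, before doing anything with a message, whether it is an Alert or a Heartbeat and whether the mandatory parts are present: the diagram gives Alert exactly one Analyzer, one CreateTime and one Classification (whose text attribute is required), and Heartbeat exactly one Analyzer and one CreateTime. The following checker is an added example written for this page, not code from RFC 4765 or from the idmef_parser project. It reads the multiplicities straight off the diagram above, ignores XML namespaces so it works on both namespaced and bare documents, and runs on three constructed sample messages embedded in the file (the addresses and identifiers in them are made up).

```python
"""Check an IDMEF-Message document against the multiplicities in the class diagram.

Added example for this page; the rule tables, the namespace handling and the
sample messages are constructed here and are not part of the IDMEF specification
text or of the idmef_parser project.
"""
import xml.etree.ElementTree as ET

# child element -> (minimum, maximum) occurrences; None means unbounded.
# Values are the aggregate multiplicities shown for Alert and Heartbeat.
ALERT_RULES = {
    "Analyzer": (1, 1),
    "CreateTime": (1, 1),
    "DetectTime": (0, 1),
    "AnalyzerTime": (0, 1),
    "Classification": (1, 1),
    "Source": (0, None),
    "Target": (0, None),
    "Assessment": (0, 1),
    "AdditionalData": (0, None),
}
HEARTBEAT_RULES = {
    "Analyzer": (1, 1),
    "CreateTime": (1, 1),
    "AnalyzerTime": (0, 1),
    "AdditionalData": (0, None),
}
# The three Alert specialisations carry their own required leaf elements.
SUBCLASS_RULES = {
    "OverflowAlert": {"program": (1, 1), "size": (0, 1), "buffer": (0, 1)},
    "ToolAlert": {"name": (1, 1), "command": (0, 1), "alertident": (1, None)},
    "CorrelationAlert": {"name": (1, 1), "alertident": (1, None)},
}


def local(tag):
    """Strip a namespace prefix: '{http://example.invalid/ns}Alert' -> 'Alert'."""
    return tag.rsplit("}", 1)[-1]


def check_children(elem, rules, where):
    """Compare the direct children of elem with a rule table; return problem strings."""
    counts = {}
    for child in elem:
        name = local(child.tag)
        counts[name] = counts.get(name, 0) + 1
    problems = []
    for name, (lo, hi) in rules.items():
        n = counts.get(name, 0)
        if n < lo:
            problems.append(f"{where}: {name} occurs {n} times, minimum {lo}")
        if hi is not None and n > hi:
            problems.append(f"{where}: {name} occurs {n} times, maximum {hi}")
    return problems


def validate(xml_text):
    """Return (kind, problems); kind is 'Alert', 'Heartbeat' or None."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "IDMEF-Message":
        return None, ["root element is not IDMEF-Message"]
    bodies = list(root)
    if len(bodies) != 1:
        return None, [f"expected exactly one Alert or Heartbeat, found {len(bodies)}"]
    body = bodies[0]
    kind = local(body.tag)
    if kind == "Heartbeat":
        return kind, check_children(body, HEARTBEAT_RULES, "Heartbeat")
    if kind != "Alert":
        return None, [f"unknown IDMEF-Message subclass {kind}"]
    problems = check_children(body, ALERT_RULES, "Alert")
    for child in body:
        name = local(child.tag)
        # text is the one attribute the diagram marks Required on Classification.
        if name == "Classification" and not child.get("text"):
            problems.append("Classification: required attribute text is missing")
        if name in SUBCLASS_RULES:
            problems += check_children(child, SUBCLASS_RULES[name], name)
    return kind, problems


# Constructed samples (documentation-range addresses, made-up identifiers).
GOOD_ALERT = """<IDMEF-Message version="1.0">
 <Alert messageid="a-0001">
  <Analyzer analyzerid="sensor-example-01"/>
  <CreateTime>2024-01-01T10:01:25Z</CreateTime>
  <Source spoofed="unknown"><Node><Address category="ipv4-addr">
   <address>192.0.2.200</address></Address></Node></Source>
  <Target><Node><Address category="ipv4-addr">
   <address>192.0.2.50</address></Address></Node></Target>
  <Classification text="Example classification"/>
 </Alert>
</IDMEF-Message>"""

BAD_ALERT = """<IDMEF-Message version="1.0">
 <Alert>
  <Analyzer analyzerid="sensor-example-01"/>
  <CreateTime>2024-01-01T10:01:25Z</CreateTime>
  <CreateTime>2024-01-01T10:01:26Z</CreateTime>
  <ToolAlert><name>example-tool</name></ToolAlert>
 </Alert>
</IDMEF-Message>"""

GOOD_HEARTBEAT = """<IDMEF-Message version="1.0">
 <Heartbeat messageid="h-0001">
  <Analyzer analyzerid="sensor-example-01"/>
  <CreateTime>2024-01-01T10:00:00Z</CreateTime>
  <AdditionalData meaning="queue-depth">0</AdditionalData>
 </Heartbeat>
</IDMEF-Message>"""

if __name__ == "__main__":
    for label, doc in (("good alert", GOOD_ALERT), ("bad alert", BAD_ALERT),
                       ("heartbeat", GOOD_HEARTBEAT)):
        kind, problems = validate(doc)
        print(label, "->", kind, problems or "ok")
```

The second sample is rejected for three independent reasons: Classification is absent, CreateTime appears twice, and the ToolAlert lacks the alertident list it needs to reference the grouped alerts. For messages received from analyzers you do not control, parse with a hardened XML parser (defusedxml or an equivalent) rather than the standard library module used here.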
">Inode</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The time of the last inode change, given by the st_ctime element of &quot;struct stat&quot;.">[DATETIME] change-time (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The inode number.">[INTEGER] number (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The major device number of the device the file resides on.">[INTEGER] major-device (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The minor device number of the device the file resides on.">[INTEGER] minor-device (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The major device of the file itself, if it is a character special device.">[INTEGER] c-major-device (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The minor device of the file itself, if it is a character special device.">[INTEGER] c-minor-device (0..1) </td></tr>%</table>>, shape=plaintext, pos="1393,367", width="3.4444", height="2.0694"]; Checksum [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. ">Checksum</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="The value of the checksum.">[STRING] value (1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="The key to the checksum, if appropriate.">[STRING] key (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="default value. 
(See also Section 10.)">[ENUM] algorithm (Required) </td></tr>%</table>>, shape=plaintext, pos="1393,231", width="3.1389", height="1.2361"]; Assessment [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IDMEF/Assessment.html" TITLE="The Assessment class is used to provide the analyzer&#39;s assessment of an event -- its impact, actions taken in response, and confidence. ">Assessment</td> </tr>" %</table>>, shape=plaintext, pos="638,550", width="1.4444", height="0.5"]; Impact [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IDMEF/Impact.html" TITLE="The Impact class is used to provide the analyzer&#39;s assessment of the impact of the event on the target(s). It is represented in the IDMEF DTD as follows: ">Impact</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IDMEF/Impact.html" TITLE="Section 10.)">[ENUM] severity (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IDMEF/Impact.html" TITLE="Section 10.)">[ENUM] completion (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IDMEF/Impact.html" TITLE="value is &quot;other&quot;. (See also Section 10.)">[ENUM] type (Optional) </td></tr>%</table>>, shape=plaintext, pos="1001,302", width="3.25", height="1.2361"]; Action [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IDMEF/Action.html" TITLE="The Action class is used to describe any actions taken by the analyzer in response to the event. Is is represented in the IDMEF DTD as follows: ">Action</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IDMEF/Action.html" TITLE="The default value is &quot;other&quot;. 
(See also Section 10.)">[ENUM] category () </td></tr>%</table>>, shape=plaintext, pos="1001,216", width="2.2222", height="0.68056"]; Confidence [label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IDMEF/Confidence.html" TITLE="The Confidence class is used to represent the analyzer&#39;s best estimate of the validity of its analysis. It is represented in the IDMEF DTD as follows: ">Confidence</td> </tr>" %<tr><td BGCOLOR="#FF5024" HREF="/idmef_parser/IDMEF/Confidence.html" TITLE="also Section 10.)">[ENUM] rating () </td></tr>%</table>>, shape=plaintext, pos="1001,150", width="1.9444", height="0.68056"]; "Node" -> Address [label="0..*", pos="e,1270.2,1122 1110.7,1122 1157,1122 1211.4,1122 1259.9,1122", lp="1200,1130.5"]; Analyzer -> "Node" [label="0..1", pos="e,891.39,1114.8 770.08,1106.7 806.33,1109.1 845.44,1111.7 880.97,1114.1", lp="802,1118.5"]; Analyzer -> Process [label="0..1", pos="e,897.75,1010.7 770.08,1053.6 808.69,1040.6 850.53,1026.6 887.86,1014", lp="802,1053.5"]; Analyzer -> Analyzer [label="0..1", pos="e,664.06,1192.4 611.94,1192.4 616.82,1203.1 625.51,1210 638,1210 646.78,1210 653.69,1206.6 658.71,1200.8", lp="638,1218.5"]; Heartbeat -> Analyzer [label=1, pos="e,505.73,1080.1 365,1026.2 392.99,1041 427.38,1057.5 460,1068 471.53,1071.7 483.64,1075 495.88,1077.9", lp="474,1083.5"]; Heartbeat -> CreateTime [label=1, pos="e,586.49,1260.6 323.84,1026.2 353.79,1080.1 419.48,1183.8 506,1236 527.02,1248.7 553,1255.5 576.33,1259.1", lp="474,1230.5"]; Heartbeat -> AnalyzerTime [label="0..1", pos="e,578.91,972.27 442.47,982.13 485.96,978.99 532.24,975.65 568.85,973", lp="474,989.5"]; Heartbeat -> AdditionalData [label="0..*", pos="e,522.53,903.77 358.17,957.83 386.95,940.93 424.05,922.22 460,913 476.65,908.73 494.46,906.08 512.14,904.55", lp="474,921.5"]; "IDMEF-Message" -> Heartbeat [dir=back, arrowtail=invempty, pos="s,108.35,908 117.81,912.02 149.3,925.4 190.16,942.77 225.76,957.9"]; Alert -> OverflowAlert 
[dir=back, arrowtail=invempty, pos="s,312.84,711.75 315.83,702.09 337.9,631.91 398.11,470.06 506,383 518.59,372.84 533.38,364.41 548.41,357.49"]; Alert -> ToolAlert [dir=back, arrowtail=invempty, pos="s,309.88,711.89 311.71,701.91 327.43,618.2 378.94,400.42 506,277 514.59,268.66 524.67,261.57 535.35,255.57"]; Alert -> CorrelationAlert [dir=back, arrowtail=invempty, pos="s,389.35,760.1 399.11,762.92 441.5,775.18 491.82,789.73 535.31,802.31"]; Alert -> Analyzer [label=1, pos="e,513.46,1003.7 324.01,760.19 352.04,797.51 408.29,870.97 460,930 471.81,943.48 477.65,944.37 488,959 498.33,973.6 494.67,981.16\ 506,995 506.3,995.37 506.6,995.73 506.9,996.1", lp="474,967.5"]; Alert -> CreateTime [label=1, pos="e,586.35,1266.2 324.16,760.11 352.38,798.46 407.14,876.43 442,949 452.77,971.42 449.36,979.51 460,1002 470.08,1023.3 480.46,1024.7\ 488,1047 501.5,1087 477.8,1204.6 506,1236 523.45,1255.4 550.78,1263 576.05,1265.5", lp="474,1055.5"]; Classification -> Reference [label="0..*", pos="e,885.65,87.778 741.19,460.43 752.27,454.52 762.29,446.88 770,437 805.62,391.34 767.51,231.17 788,177 799.89,145.57 807.02,137.03\ 834,117 846.88,107.44 861.37,99.168 876.31,92.057", lp="802,185.5"]; Alert -> Classification [label=1, pos="e,534.8,508.68 321.76,711.65 351.93,667.07 422.35,572.38 506,523 512.21,519.34 518.77,515.94 525.51,512.8", lp="474,563.5"]; Alert -> DetectTime [label="0..1", pos="e,586.19,411.44 314.64,711.95 336.66,654.28 400.76,507.69 506,437 526.56,423.19 552.69,416.19 576.27,412.72", lp="474,482.5"]; Alert -> AnalyzerTime [label="0..1", pos="e,578.68,968.46 346.34,760.19 387.42,786.74 450.28,833 488,888 502.07,908.52 487.34,924.55 506,941 523.12,956.09 546.36,963.6 568.57\ ,967.12", lp="474,896.5"]; Source -> "Node" [label="0..1", pos="e,891.38,1096.7 753.73,772.88 759.77,777.62 765.28,782.97 770,789 805.67,834.6 774.97,861.6 788,918 791.71,934.06 822.61,1047.1 \ 834,1059 847.4,1073 864.23,1084 882.01,1092.5", lp="802,1021.5"]; User -> UserId [label="1..*", 
pos="e,1599.7,631.32 1110.5,642.68 1227.3,641.05 1417.8,637.77 1582,632 1584.5,631.91 1587.1,631.82 1589.7,631.72", lp="1393,649.5"]; Source -> User [label="0..1", pos="e,891.49,671.75 753.85,706.64 794.67,696.29 840.61,684.65 881.71,674.23", lp="802,704.5"]; Source -> Process [label="0..1", pos="e,897.58,937.37 753.8,777.46 759.48,781.03 764.92,784.87 770,789 798.61,812.24 797.32,826.23 816,858 824.87,873.08 821.55,880.72\ 834,893 849.69,908.48 868.85,921.59 888.51,932.51", lp="802,866.5"]; Service -> WebService [dir=back, arrowtail=invempty, pos="s,1167.5,775.98 1177.8,775.12 1212.4,772.2 1247.9,769.22 1279.8,766.53"]; Service -> SNMPService [dir=back, arrowtail=invempty, pos="s,1167.5,846.5 1177.1,849.76 1195.5,856 1214.1,862.32 1232.3,868.49"]; Source -> Service [label="0..1", pos="e,834.5,774.54 753.65,761.97 765.22,764.18 776.82,766.24 788,768 799.88,769.88 812.16,771.63 824.55,773.26", lp="802,780.5"]; Alert -> Source [label="0..*", pos="e,522.31,736 427.27,736 454.9,736 484.32,736 512.14,736", lp="474,744.5"]; Target -> "Node" [label="0..1", pos="e,891.27,1100.1 753.76,666.41 759.84,671.26 765.35,676.77 770,683 795.63,717.34 767.49,837.37 788,875 795.58,888.9 808.31,883.17\ 816,897 851.22,960.3 789.56,1001.8 834,1059 846.5,1075.1 863.59,1087.1 882.09,1096", lp="802,905.5"]; Target -> User [label="0..1", pos="e,891.01,635.1 753.88,629.57 774.57,629.8 795.93,630.24 816,631 836.97,631.79 859.25,633.03 880.82,634.42", lp="802,639.5"]; Target -> Process [label="0..1", pos="e,897.86,944.22 753.69,670.44 759.47,674.28 764.95,678.46 770,683 782.71,694.44 778.08,703.07 788,717 798.58,731.86 808.28,730.47\ 816,747 843.66,806.24 796.22,839.64 834,893 847.83,912.54 867.61,927.71 888.73,939.42", lp="802,755.5"]; Target -> Service [label="0..1", pos="e,846.68,695.95 753.74,649.08 775.07,654.87 796.68,662.35 816,672 825.32,676.65 825.55,680.92 834,687 835.43,688.03 836.86,689.05\ 838.31,690.08", lp="802,680.5"]; FileAccess -> UserId [label=1, pos="e,1599.9,613.7 
1492.8,600.91 1523.7,604.6 1558,608.69 1589.7,612.48", lp="1577,619.5"]; File -> FileAccess [label="0..*", pos="e,1293.4,570.58 1121.2,521.73 1156.6,533.75 1195.6,546.17 1232,556 1248.5,560.45 1266,564.62 1283.3,568.4", lp="1200,559.5"]; Linkage -> File [label=1, pos="e,1121,485.65 1283.5,496.02 1236.2,493 1180.5,489.45 1131.1,486.3", lp="1200,500.5"]; File -> Linkage [label="0..*", pos="e,1283.2,479.49 1121.1,468.09 1151.5,467.07 1184,467.25 1214,470 1233.2,471.76 1253.5,474.56 1273.2,477.81", lp="1200,478.5"]; File -> Inode [label="0..1", pos="e,1268.7,402.19 1121,444.02 1164.6,431.67 1214.2,417.63 1259,404.96", lp="1200,431.5"]; File -> Checksum [label="0..*", pos="e,1279.1,260.18 1121,394.18 1137.2,381.56 1153.3,368.3 1168,355 1199.5,326.48 1196.4,307.2 1232,284 1243.6,276.44 1256.4,269.86 \ 1269.5,264.17", lp="1200,343.5"]; Target -> File [label="0..1", pos="e,880.73,530.17 748.28,585.94 755.64,582.93 762.93,579.93 770,577 802.97,563.32 838.46,548.27 871.49,534.13", lp="802,578.5"]; Alert -> Target [label="0..*", pos="e,522.24,666.96 381.34,711.95 420.1,699.57 468.39,684.15 512.58,670.04", lp="474,695.5"]; Assessment -> Impact [label="0..1", pos="e,883.97,324.16 690.76,550.74 717.25,548.48 748.25,541.48 770,523 830.89,471.26 775.92,409.88 834,355 845.72,343.93 859.74,335.17\ 874.61,328.24", lp="802,509.5"]; Assessment -> Action [label="0..*", pos="e,920.78,216.4 690.52,553.02 718.12,551.61 750.23,544.7 770,523 794.84,495.73 778.73,393.7 788,358 801.21,307.11 793.22,282.2 834\ ,249 855.54,231.47 883.76,222.36 910.86,217.85", lp="802,366.5"]; Assessment -> Confidence [label="0..1", pos="e,930.37,152.23 690.56,553.37 718.35,552.1 750.63,545.21 770,523 790.13,499.92 777.77,276.86 788,248 799.82,214.64 804.3,202.25 \ 834,183 859.4,166.54 891.21,157.97 920.23,153.61", lp="802,256.5"]; Alert -> Assessment [label="0..1", pos="e,585.45,555 328.71,711.8 363.39,676.38 433.25,610.96 506,577 527.51,566.96 552.7,560.64 575.28,556.66", lp="474,609.5"]; Alert -> 
AdditionalData [label="0..*", pos="e,523,886.65 375.97,760.12 413.27,775.95 457.6,799.91 488,833 501.74,847.96 490.54,861.83 506,875 508.69,877.29 511.51,879.43 514.45\ ,881.42", lp="474,841.5"]; "IDMEF-Message" -> Alert [dir=back, arrowtail=invempty, pos="s,94.474,871.73 103.04,866.23 147.99,837.39 223.36,789.03 268.51,760.06"]; }


Children

Heartbeat

Alert
