IDMEF Frequently Asked Questions

You will find on this page answers to questions we are regularly asked. If you have another question, don't hesitate to post it on the SECEF mailing list.

What is an RFC?

RFC stands for Request For Comments. RFCs define the major standards of the Internet: SMTP, HTTP, NTP, DNS, LDAP, IMAP, etc.

RFC validation is managed by the IETF (Internet Engineering Task Force).

Who defined IDMEF v1?

IDMEF v1 was defined by the IDWG (Intrusion Detection Working Group) at the IETF between 2000 and 2007. This working group was composed of contributors from various fields. RFC 4765 lists on page XX the major contributors: IBM, Cisco, Boeing, MIT, Nokia, MITRE, the Prelude project, etc.

Who is using IDMEF?

On the manager side, IDMEF is used in Prelude SIEM, in both the commercial and the open-source edition; it is also partially implemented in LogLogic SIEM.

On the agent side, IDMEF is implemented in lots of open-source tools (Snort, Suricata, OSSEC, Samhain, Kismet, Armadito, etc.) and also in some commercial tools (StamusNetwork, 6Cure, etc.).

Is Prelude the only SIEM implementing IDMEF?

Yes. But ArcSight is the only SIEM implementing CEF, QRadar is the only SIEM implementing LEEF, etc. Today, each SIEM implements its own format; IDMEF is the only open standard format.

Why isn't IDMEF more widely implemented?

Today, SIEM tools use internal proprietary formats to describe alerts. Most of those formats are inspired by log management tools and based on syslog with simple (but limited) key=value formats. The standardization effort has not been done yet, and it is one of the purposes of the SECEF project.

How do the alternatives compare to IDMEF?

During the first stage of the SECEF project we compared the major alternatives to IDMEF.

You can find the detailed comparison here: Format Comparison

The alternatives are less exhaustive and offer no structure. This results in less context, weaker correlation, less automation, and so on.

Give me a (simple) example of IDMEF's power?

All alerts have a "Source IP". In IDMEF the source is a list, where you can define multiple addresses. This is very useful in the case of a DoS attack, for example, or a "many to one" scan. Most of the alternative formats have only a single attribute to describe the source IP, so it is not possible to carry a list. The same problem applies to the target IP.
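As an added example (not code from the SECEF project or from RFC 4765), the following Python builds an IDMEF v1 alert with one Source element per scanning address, the "many to one" case above, and reads the list back. The addresses, the analyzer id and the helper names are assumed sample values.

```python
# Added example, not code from the SECEF project or RFC 4765 itself: build an
# IDMEF v1 (RFC 4765) alert with one Source element per address and read the
# list back. IP addresses and the analyzer id below are constructed sample data.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"          # namespace defined in RFC 4765
NS = {"idmef": IDMEF_NS}
NTP_EPOCH_OFFSET = 2208988800               # seconds from 1900-01-01 to 1970-01-01


def q(tag):
    """Qualify an element name with the IDMEF namespace."""
    return f"{{{IDMEF_NS}}}{tag}"


def add_address(parent, ip):
    """Append Node/Address/address under a Source or Target element."""
    node = ET.SubElement(parent, q("Node"))
    addr = ET.SubElement(node, q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = ip


def build_alert(source_ips, target_ip, classification, analyzer_id="sensor-1",
                created=None):
    """Return an IDMEF-Message string; each attacker address becomes its own Source."""
    created = created or datetime.now(timezone.utc)
    ET.register_namespace("", IDMEF_NS)
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid="1")
    ET.SubElement(alert, q("Analyzer"), analyzerid=analyzer_id)
    # CreateTime carries an ISO 8601 body plus the mandatory NTP timestamp attribute
    ntp = int(created.timestamp()) + NTP_EPOCH_OFFSET
    ct = ET.SubElement(alert, q("CreateTime"), ntpstamp=f"0x{ntp:08x}.0x00000000")
    ct.text = created.strftime("%Y-%m-%dT%H:%M:%SZ")
    for ip in source_ips:                    # Source* is a list in the RFC 4765 model
        add_address(ET.SubElement(alert, q("Source")), ip)
    add_address(ET.SubElement(alert, q("Target")), target_ip)
    ET.SubElement(alert, q("Classification"), text=classification)
    return ET.tostring(msg, encoding="unicode")


def addresses(xml_text, role):
    """Extract every address under the Source or Target elements of an alert."""
    root = ET.fromstring(xml_text)
    path = f".//idmef:{role}/idmef:Node/idmef:Address/idmef:address"
    return [a.text for a in root.findall(path, NS)]


if __name__ == "__main__":
    # Constructed "many to one" scan: three scanners, one target
    alert = build_alert(["10.0.0.1", "10.0.0.2", "10.0.0.3"], "192.0.2.10",
                        "Many-to-one port scan")
    print(alert)
    print("sources:", addresses(alert, "Source"), "targets:", addresses(alert, "Target"))
```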

Why is it important to use a standard?

The SIEM market is comparable to the messaging market in the late 90s: vendors try to impose their own format on users, so SIEMs cannot interoperate. This is becoming a real problem, as it prevents interoperability between tools and thus collaboration. Even more serious, the same SIEM tool deployed by different teams will produce different security results even when using the same taxonomy.

A standard is important for collaboration and interoperability, but also for conformity.

What is the difference between IDMEF and IODEF?

IODEF (Incident Object Definition Exchange Format) is a format to define an incident and share it between security teams. It is a "human" format.

IDMEF is a format to exchange alerts between security tools and a security manager (SIEM). It is a "technical" format, even if in the end it is read by a human operator.

IDMEF and IODEF are complementary. An incident can be described by embedding IDMEF objects in the IODEF message.

What is the difference between IETF IDMEF and the OASIS CTI (STIX/TAXII/CYBOX)?

The OASIS CTI formats are used to share threat intelligence. IDMEF information can lead to or help create CTI IOCs, but it is not systematic. These formats are also complementary.