IDMEF | Overview
The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
As for today, the IDMEF RFC 4765 specifies two major classes of objects:
- Alert Class is used to send alerts from Analyser to Managers
- Hearbeat Class is used to send “hearbeats” from Analyser to Managers
An alert can be send by :
- a log analyzer finding an “authentication failed” line in an application logfile
- a firewall detecting a prohibited and/or a dangerous connexion
- an anti-virus detecting a virus in a file
- a Network IDS detecting a know attack in network flows (IDMEF permits to include Pcap data in the alert)
- a machine learning probe detecting an abnormal behaviour on the network
- a proxy detecting a connexion to a “crime server”
Heartbeats are generally sent by all analysers to inform Managers that they are correctly running.
The major information contained in those classes are:
- Analyser : Identification information for the analyzer that originated the alert.
- CreateTime : The time the alert was created. Among the three times that may be provided with an Alert, this is the only one that is required.
- DetectTime : The time the event(s) leading up to the alert was detected. In the case of more than one event, the time the first event was detected. In some circumstances, this may not be the same value as CreateTime.
- AnalyserTime : The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message “on the wire”. AnalyzerTime can be used to perform rudimentary time synchronization between analyzers and managers.
- Source : The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial-of-service attack).
- Target : The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep).
- Classification : The Classification class provides the “name” of an alert, or other information allowing the manager to determine what it is. This name is chosen by the alert provider.
- Assessment : The Assessment class is used to provide the analyzer’s assessment of an event (its impact, actions taken in response, and confidence).
- AdditionalData : Information included by the analyzer that does not fit into the data model. This may be an atomic piece of data, or a large amount of data provided through an extension to the IDMEF.