What is the difference between IDMEF and IODEF?

IODEF (Incident Object Description Exchange Format) is a format for describing an incident and sharing it between security teams. It is a “human” format: its unit of exchange is an incident as reported by a team, not a raw alert.

IDMEF (Intrusion Detection Message Exchange Format, RFC 4765) is a format for exchanging alerts between security tools (sensors, probes) and a security manager (SIEM). It is a “technical” format, even if in the end it is read by a human operator.

IDMEF and IODEF are complementary: an incident can be documented by embedding the IDMEF alert objects that triggered it in the IODEF message.

Why is it important to use a standard?

The SIEM market is comparable to the messaging market of the late 90s: vendors try to impose their own format on users, which makes it impossible for SIEMs to interoperate. This is becoming a real problem, as it prevents interoperability between tools and therefore collaboration. Even more serious, the same SIEM tool deployed by different teams will produce different security results, even when they use the same taxonomy.

A standard matters for collaboration and interoperability, but also for consistency of results.

Give me a (simple) example of IDMEF's power?

All alerts have a “source IP”. In IDMEF the source is a list: an alert can carry several Source objects, each with its own address(es). This is very useful in the case of a DoS attack, for example, or a “many to one” scan. Most of the alternative formats have a single attribute for the source IP, so they cannot hold a list. The same problem applies to the target IP.
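As an added example (not code from the SECEF or Prelude projects), the following Python script shows both points above: an IDMEF alert with two Source objects for one DoS target, parsed with the standard library and then projected onto a generic single-slot “src=/dst=” line to show what is lost, and finally embedded in a minimal IODEF incident and recovered from it with the lists intact. The sample alert is constructed, the namespaces are the ones registered by RFC 4765 and RFC 5070, the placement of the alert under EventData/Record/RecordData/AdditionalData with dtype="xml" is one valid way to embed it, and the flat key=value line is a stand-in for the syslog-style alternatives, not any particular vendor's format.

```python
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"              # IDMEF 1.0 namespace (RFC 4765)
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF 1.0 namespace (RFC 5070)

# Constructed sample (not a real capture): the alert a sensor could emit for a
# SYN flood coming from two hosts against one server. Addresses are from the
# RFC 5737 documentation ranges; the ntpstamp is the NTP form of CreateTime.
SAMPLE_IDMEF = f"""<IDMEF-Message version="1.0" xmlns="{IDMEF_NS}">
  <Alert messageid="dos-0001">
    <Analyzer analyzerid="sensor-dmz-01"/>
    <CreateTime ntpstamp="0xe1b6ec75.0x00000000">2020-01-01T10:01:25Z</CreateTime>
    <Source>
      <Node><Address category="ipv4-addr"><address>192.0.2.50</address></Address></Node>
    </Source>
    <Source>
      <Node><Address category="ipv4-addr"><address>198.51.100.7</address></Address></Node>
    </Source>
    <Target>
      <Node><Address category="ipv4-addr"><address>203.0.113.10</address></Address></Node>
    </Target>
    <Classification text="SYN flood"/>
  </Alert>
</IDMEF-Message>"""


def q(tag, ns):
    """Clark-notation qualified name as ElementTree expects it."""
    return f"{{{ns}}}{tag}"


def idmef_addresses(alert, role):
    """All <address> values under every <Source> or <Target> of an IDMEF <Alert>.
    Both the role elements and the Address children repeat, hence a flat list."""
    return [a.text for r in alert.findall(q(role, IDMEF_NS))
            for a in r.iter(q("address", IDMEF_NS))]


def parse_idmef(message):
    """Reduce an IDMEF-Message (XML text or Element) to the fields a SIEM keys on."""
    root = ET.fromstring(message) if isinstance(message, str) else message
    alert = root.find(q("Alert", IDMEF_NS))
    return {
        "messageid": alert.get("messageid"),
        "classification": alert.find(q("Classification", IDMEF_NS)).get("text"),
        "sources": idmef_addresses(alert, "Source"),
        "targets": idmef_addresses(alert, "Target"),
    }


def to_flat_event(parsed):
    """Project the alert onto a generic syslog-style key=value line with a single
    src/dst slot (the shape of most alternative formats). Returns the line and
    the number of addresses that had to be discarded to fit it."""
    src = parsed["sources"][0] if parsed["sources"] else "-"
    dst = parsed["targets"][0] if parsed["targets"] else "-"
    dropped = max(len(parsed["sources"]) - 1, 0) + max(len(parsed["targets"]) - 1, 0)
    line = f'id={parsed["messageid"]} src={src} dst={dst} msg="{parsed["classification"]}"'
    return line, dropped


def wrap_in_iodef(idmef_xml, incident_id, csirt):
    """Build a minimal IODEF Incident and embed the IDMEF alert that triggered it
    under EventData/Record/RecordData/AdditionalData with dtype="xml"."""
    ET.register_namespace("", IODEF_NS)       # IODEF as the default namespace
    ET.register_namespace("idmef", IDMEF_NS)  # embedded alert keeps its own
    doc = ET.Element(q("IODEF-Document", IODEF_NS), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident", IODEF_NS), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID", IODEF_NS), {"name": csirt}).text = incident_id
    ET.SubElement(inc, q("ReportTime", IODEF_NS)).text = "2020-01-01T12:00:00Z"
    ET.SubElement(ET.SubElement(inc, q("Assessment", IODEF_NS)),
                  q("Impact", IODEF_NS), {"type": "dos"})
    contact = ET.SubElement(inc, q("Contact", IODEF_NS),
                            {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName", IODEF_NS)).text = csirt
    record_data = ET.SubElement(
        ET.SubElement(ET.SubElement(inc, q("EventData", IODEF_NS)), q("Record", IODEF_NS)),
        q("RecordData", IODEF_NS))
    extra = ET.SubElement(record_data, q("AdditionalData", IODEF_NS), {"dtype": "xml"})
    extra.append(ET.fromstring(idmef_xml))
    return ET.tostring(doc, encoding="unicode")


def idmef_from_iodef(iodef_xml):
    """Recover every embedded IDMEF alert from an IODEF document, lists intact."""
    doc = ET.fromstring(iodef_xml)
    return [parse_idmef(m) for m in doc.iter(q("IDMEF-Message", IDMEF_NS))]


if __name__ == "__main__":
    alert = parse_idmef(SAMPLE_IDMEF)
    print("IDMEF sources:", alert["sources"], "targets:", alert["targets"])
    line, lost = to_flat_event(alert)
    print("flat:", line, f"({lost} address(es) lost)")
    report = wrap_in_iodef(SAMPLE_IDMEF, "2020-0001", "csirt.example.com")
    print("from IODEF:", idmef_from_iodef(report)[0]["sources"])
```

The flat line keeps only 192.0.2.50 as the source; the second attacker is gone, and a correlation rule counting distinct sources per target would see a single host rather than a flood. Going through IODEF instead preserves the full Source list because the alert travels as structured XML rather than as text.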

How do the alternatives compare to IDMEF?

During the first stage of the SECEF project we compared the major alternatives to IDMEF.

You can find the detailed comparison here: Format Comparison.

The alternatives are less exhaustive and offer no structure. The result is less context, less correlation, less automation, and so on.

Why isn't IDMEF more widely implemented?

Today, SIEM tools use internal proprietary formats to describe alerts. Most of those formats are inspired by log-management tools and based on syslog. The standardization effort has not yet been made, and it is one of the purposes of the SECEF project.

Who is using IDMEF?

On the manager side, IDMEF is used in Prelude SIEM, both the commercial and the open-source editions; it is also partially implemented in LogLogic SIEM.

On the agent side, IDMEF is implemented in many open-source tools (Snort, Suricata, OSSEC, Samhain, Kismet, Armadito, etc.) and also in some commercial tools (Stamus Networks, 6Cure, etc.).

Who defined IDMEF v1?

IDMEF v1 was defined by the IDWG (Intrusion Detection Working Group) of the IETF between 2000 and 2007. The working group brought together contributors from various fields. RFC 4765 lists (page TBD) the major contributors: IBM, Cisco, Boeing, MIT, Nokia, MITRE, the Prelude project, etc.

What is an RFC?

RFC stands for Request For Comments. RFCs define the major standards of the Internet: SMTP, HTTP, NTP, DNS, LDAP, IMAP, etc.

The RFC approval process is managed by the IETF (Internet Engineering Task Force).