OASIS CTI is used to share cyber threat intelligence. IDMEF information can help to create CTI IOCs, but this is not systematic. The two formats are also complementary.
IODEF (Incident Object Definition Exchange Format) is a format used to describe an incident and share it between security teams. It is a "human" format.
IDMEF is a format used to exchange alerts between security tools and a security manager (SIEM). It is a "technical" format, even if in the end it is read by a human operator.
IDMEF and IODEF are complementary: an incident can be described by embedding IDMEF objects in the IODEF message.
The SIEM market is comparable to the messaging market of the late 90s: each vendor tries to impose its own format on users, so SIEMs cannot interoperate. This is becoming a real problem, as it prevents interoperability between tools and thus collaboration. More serious still, the same SIEM tool implemented by different teams will produce different security results, even when using the same taxonomy.
A standard is important for collaboration and interoperability but also for conformity.
All alerts have a "Source IP". In IDMEF the source IP is a list in which multiple addresses can be defined. This is very useful in the case of DoS attacks, for example, or "many to one" scans. Most of the alternative formats have only a single attribute to describe the source IP, so it is not possible to carry a list. The same problem applies to the target IP.
During the first stage of the SECEF project we compared the major alternatives to IDMEF.
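As an added illustration of this point (example code, not from the SECEF project or the RFC text), the function below builds a minimal IDMEF v1 alert carrying one Source element per address and then reads the list back. Element names and the namespace follow RFC 4765; the addresses, analyzer id and message id are constructed values.

```python
# Added example: an IDMEF alert with several Source elements (many-to-one case).
# Element names and the http://iana.org/idmef namespace come from RFC 4765;
# the addresses (RFC 5737 documentation ranges), analyzer id and message id
# are constructed for this example.
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
ET.register_namespace("idmef", IDMEF_NS)

def _el(parent, tag, value=None, **attrs):
    """Create a namespaced IDMEF child element with optional text content."""
    el = ET.SubElement(parent, f"{{{IDMEF_NS}}}{tag}", attrs)
    if value is not None:
        el.text = value
    return el

def _address_node(parent, tag, addr):
    """Append a Source or Target element holding one IPv4 address."""
    node = _el(_el(parent, tag), "Node")
    _el(_el(node, "Address", category="ipv4-addr"), "address", addr)

def build_alert(sources, target, classification, created):
    """Return an IDMEF-Message string with one Source element per address."""
    root = ET.Element(f"{{{IDMEF_NS}}}IDMEF-Message", version="1.0")
    alert = _el(root, "Alert", messageid="constructed-0001")
    analyzer = _el(alert, "Analyzer", analyzerid="example-ids")  # constructed id
    _el(_el(analyzer, "Node"), "name", "sensor.example.net")
    _el(alert, "CreateTime", created)
    for addr in sources:  # a list of sources, not a single attribute
        _address_node(alert, "Source", addr)
    _address_node(alert, "Target", target)
    _el(alert, "Classification", text=classification)
    return ET.tostring(root, encoding="unicode")

def source_addresses(xml_text):
    """Extract every Source address from an IDMEF-Message."""
    root = ET.fromstring(xml_text)
    path = "/".join(f"{{{IDMEF_NS}}}{t}"
                    for t in ("Alert", "Source", "Node", "Address", "address"))
    return [a.text for a in root.findall(path)]

if __name__ == "__main__":
    msg = build_alert(["198.51.100.7", "198.51.100.8", "203.0.113.21"],
                      "192.0.2.10", "Possible DoS: many sources, one target",
                      "2024-01-01T00:00:00Z")
    print(msg)
    print(source_addresses(msg))
```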
You can find the detailed comparison here: Format Comparison.
The alternatives are less exhaustive and propose no structure. This results in less context, weaker correlation, less automation and so on.
Today, SIEM tools use internal proprietary formats to describe alerts. Most of these formats are inspired by log management tools and based on syslog. The standardization effort has not yet been made, and it is one of the purposes of the SECEF project.
Yes. But ArcSight is the only SIEM implementing CEF, QRadar is the only SIEM implementing LEEF, etc. Today each SIEM implements its own format; IDMEF is the only open standard format.
On the manager side, IDMEF is used in Prelude SIEM, both commercial and open-source edition; it is also partially implemented in LogLogic SIEM.
On the agent side, IDMEF is implemented in many open-source tools: Snort, Suricata, OSSEC, Samhain, Kismet, Armadito, etc., and also in some commercial tools: Stamus Networks, 6Cure, etc.
IDMEF v1 was defined by the IDWG (Intrusion Detection Working Group) at the IETF between 2000 and 2007. This working group was composed of contributors from various fields. RFC 4765 lists on page TBD the major contributors: IBM, Cisco, Boeing, MIT, Nokia, MITRE, the Prelude project, etc.
RFC stands for Request For Comments. RFCs define the major standards of the Internet: SMTP, HTTP, NTP, DNS, LDAP, IMAP, etc.
RFC validation is managed by the IETF (Internet Engineering Task Force).