Intrusion Detection Message Exchange Format (IDMEF) Parameters 

(last updated 2007-03-14)

Intrusion Detection Message Exchange Format (IDMEF) Class 
Names and Attribute Names - per [RFC4765]
Registration Procedures: IETF Consensus

Intrusion Detection Message Exchange Format (IDMEF) Attribute 
Values - per [RFC4765]
Registration Procedures: Specification Required by RFC. 


IDMEF Class Name: Reference
IDMEF Attribute Name: origin
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  unknown          Origin of the name is not known              [RFC4765] 
   1  vendor-specific  A vendor-specific name (and hence, URL);     [RFC4765] 
                       this can be used to provide             
                       product-specific information        
   2  user-specific    A user-specific name (and hence, URL);       [RFC4765]   
                       this can be used to provide         
                       installation-specific information   
   3  bugtraqid        The SecurityFocus ("Bugtraq")                [RFC4765]    
                       vulnerability database identifier       
                       (http://www.securityfocus.com/bid)       
   4  cve              The Common Vulnerabilities and Exposures     [RFC4765]  
                       (CVE) name (http://cve.mitre.org/)       
   5  osvdb            The Open Source Vulnerability Database       [RFC4765]  
                       (http://www.osvdb.org)                   


IDMEF Class Name: Source
IDMEF Attribute Name: spoofed
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  unknown          Accuracy of source information unknown       [RFC4765]  
   1  yes              Source is believed to be a decoy             [RFC4765]  
   2  no               Source is believed to be "real"              [RFC4765]  



IDMEF Class Name: Target
IDMEF Attribute Name: decoy
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  unknown          Accuracy of target information unknown       [RFC4765]  
   1  yes              Target is believed to be a decoy             [RFC4765]      
   2  no               Target is believed to be "real"              [RFC4765]  
   
   

IDMEF Class Name: AdditionalData
IDMEF Attribute Name: type
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  boolean          The element contains a boolean value, i.e.,  [RFC4765] 
                       the strings "true" or "false"
   1  byte             The element content is a single 8-bit byte   [RFC4765] 
                       (see Section 3.2.4) 
   2  character        The element content is a single character    [RFC4765] 
                       (see Section 3.2.3)
   3  date-time        The element content is a date-time string    [RFC4765] 
                       (see Section 3.2.6) 
   4  integer          The element content is an integer (see       [RFC4765] 
                       Section 3.2.1) 
   5  ntpstamp         The element content is an NTP timestamp (see [RFC4765] 
                       Section 3.2.7) 
   6  portlist         The element content is a list of ports (see  [RFC4765]
                       Section 3.2.8)
   7  real             The element content is a real number (see    [RFC4765]
                       Section 3.2.2)
   8  string           The element content is a string (see         [RFC4765]
                       Section 3.2.3)
   9  byte-string      The element content is a byte[] (see         [RFC4765]
                       Section 3.2.4)
  10  xmltext          The element content is XML-tagged data (see  [RFC4765]
                       Section 5.2)
                       
                       

IDMEF Class Name: Impact
IDMEF Attribute Name: severity
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  info             Information only                             [RFC4765]
   1  low              Low severity                                 [RFC4765]
   2  medium           Medium severity                              [RFC4765]
   3  high             High severity                                [RFC4765]
   
   
IDMEF Class Name: Impact
IDMEF Attribute Name: completion
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  failed           The attempt was not successful               [RFC4765]
   1  succeeded        The attempt succeeded                        [RFC4765]



IDMEF Class Name: Impact
IDMEF Attribute Name: type
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  admin            Administrative privileges were attempted or  [RFC4765]
                       obtained
   1  dos              A denial of service was attempted or         [RFC4765]
                       completed
   2  file             An action on a file was attempted or         [RFC4765]
                       completed
   3  recon            A reconnaissance probe was attempted or      [RFC4765]
                       completed
   4  user             User privileges were attempted or obtained   [RFC4765]
   5  other            Anything not in one of the above categories  [RFC4765]
   
   

IDMEF Class Name: Action
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword            Description                                  Reference
----  -----------------  -------------------------------------------  ---------
   0  block-installed    A block of some sort was installed to        [RFC4765]
                         prevent an attack from reaching its 
                         destination.  The block could be a 
                         port block, address block, etc., or 
                         disabling a user account.
   1  notification-sent  A notification message of some sort          [RFC4765]
                         was sent out-of-band (via pager,   
                         e-mail, etc.).  Does not include the
                         transmission of this alert. 
   2  taken-offline      A system, computer, or user was taken        [RFC4765]
                         offline, as when the computer is shut 
                         down or a user is logged off.
   3  other              Anything not in one of the above             [RFC4765]
                         categories.
                         
                        
IDMEF Class Name: Confidence
IDMEF Attribute Name: rating
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  low              The analyzer has little confidence in its    [RFC4765]
                       validity
   1  medium           The analyzer has average confidence in its   [RFC4765]
                       validity
   2  high             The analyzer has high confidence in its      [RFC4765]
                       validity
   3  numeric          The analyzer has provided a posterior        [RFC4765]
                       probability value indicating its
                       confidence in its validity
    
    
    
IDMEF Class Name: Node
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  unknown          Domain unknown or not relevant               [RFC4765]
   1  ads              Windows 2000 Advanced Directory Services     [RFC4765]
   2  afs              Andrew File System (Transarc)                [RFC4765]
   3  coda             Coda Distributed File System                 [RFC4765]
   4  dfs              Distributed File System (IBM)                [RFC4765]
   5  dns              Domain Name System                           [RFC4765]
   6  hosts            Local hosts file                             [RFC4765]
   7  kerberos         Kerberos realm                               [RFC4765]
   8  nds              Novell Directory Services                    [RFC4765]
   9  nis              Network Information Services (Sun)           [RFC4765]
  10  nisplus          Network Information Services Plus (Sun)      [RFC4765]
  11  nt               Windows NT domain                            [RFC4765]
  12  wfw              Windows for Workgroups                       [RFC4765]
  
  
IDMEF Class Name: Address
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  unknown          Address type unknown                         [RFC4765]                 
   1  atm              Asynchronous Transfer Mode network address   [RFC4765]  
   2  e-mail           Electronic mail address (RFC 822)            [RFC4765]  
   3  lotus-notes      Lotus Notes e-mail address                   [RFC4765]  
   4  mac              Media Access Control (MAC) address           [RFC4765]  
   5  sna              IBM Shared Network Architecture (SNA)        [RFC4765]  
                       address                                     
   6  vm               IBM VM ("PROFS") e-mail address              [RFC4765]  
   7  ipv4-addr        IPv4 host address in dotted decimal          [RFC4765]  
                       notation (a.b.c.d)                          
   8  ipv4-addr-hex    IPv4 host address in hexadecimal notation    [RFC4765]  
   9  ipv4-net         IPv4 network address in dotted decimal       [RFC4765]  
                       notation, slash, significant bits           
                       (a.b.c.d/nn)                                
  10  ipv4-net-mask    IPv4 network address in dotted decimal       [RFC4765]  
                       notation, slash, network mask in            
                       dotted decimal notation (a.b.c.d/w.x.y.z)   
  11  ipv6-addr        IPv6 host address                            [RFC4765]  
  12  ipv6-addr-hex    IPv6 host address in hexadecimal notation    [RFC4765]  
  13  ipv6-net         IPv6 network address, slash, significant     [RFC4765]  
                       bits                                        
  14  ipv6-net-mask    IPv6 network address, slash, network mask    [RFC4765]  



IDMEF Class Name: User
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  unknown          User type unknown                            [RFC4765] 
   1  application      An application user                          [RFC4765] 
   2  os-device        An operating system or device user           [RFC4765] 



IDMEF Class Name: UserId
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  current-user     The current user id being used by the user   [RFC4765] 
                       or process.  On Unix systems, this would    
                       be the "real" user id, in general.          
                                                                        
   1  original-user    The actual identity of the user or process   [RFC4765] 
                       being reported on.  On those systems that   
                       (a) do some type of auditing and (b)        
                       support extracting a user id from the       
                       "audit id" token, that value should be      
                       used.  On those systems that do not         
                       support this, and where the user has        
                       logged into the system, the "login id"      
                       should be used.                             
                                                                        
   2  target-user      The user id the user or process is           [RFC4765] 
                       attempting to become.  This would apply,    
                       on Unix systems for example, when the user  
                       attempts to use "su," "rlogin," "telnet,"   
                       etc.                                        
                                                                        
   3  user-privs       Another user id the user or process has      [RFC4765] 
                       the ability to use, or a user id            
                       associated with a file permission.  On      
                       Unix systems, this would be the             
                       "effective" user id in a user or process    
                       context, and the owner permissions in a     
                       file context.  Multiple UserId elements of  
                       this type may be used to specify a list of  
                       privileges.                                 
                                                                        
   4  current-group    The current group id (if applicable) being   [RFC4765] 
                       used by the user or process.  On Unix       
                       systems, this would be the "real" group     
                       id, in general.                             
                                                                        
   5  group-privs      Another group id the group or process has    [RFC4765] 
                       the ability to use, or a group id           
                       associated with a file permission.  On      
                       Unix systems, this would be the             
                       "effective" group id in a group or process  
                       context, and the group permissions in a     
                       file context.  On BSD-derived Unix          
                       systems, multiple UserId elements of this   
                       type would be used to include all the       
                       group ids on the "group list."              
                                                                        
   6  other-privs      Not used in a user, group, or process        [RFC4765] 
                       context, only used in the file context.     
                       The file permissions assigned to users who  
                       do not match either the user or group       
                       permissions on the file.  On Unix systems,  
                       this would be the "world" permissions.      



IDMEF Class Name: File
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  current          The file information is from after the       [RFC4765] 
                       reported change
   1  original         The file information is from before the      [RFC4765] 
                       reported change


IDMEF Class Name: File
IDMEF Attribute Name: fstype
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  ufs              Berkeley UNIX Fast File System               [RFC4765]
   1  efs              Linux "efs" file system                      [RFC4765]
   2  nfs              Network File System                          [RFC4765]
   3  afs              Andrew File System                           [RFC4765]
   4  ntfs             Windows NT File System                       [RFC4765]
   5  fat16            16-bit Windows FAT File System               [RFC4765]
   6  fat32            32-bit Windows FAT File System               [RFC4765]
   7  pcfs             "PC" (MS-DOS) file system on CD-ROM          [RFC4765]
   8  joliet           Joliet CD-ROM file system                    [RFC4765]
   9  iso9660          ISO 9660 CD-ROM file system                  [RFC4765]



IDMEF Class Name: FileAccess
IDMEF Attribute Name: permission
Registered Values:
Rank  Keyword           Description                                  Reference
----  ----------------- -------------------------------------------  ---------
   0  noAccess          No access at all is allowed for this         [RFC4765]
                        user                                    
   1  read              This user has read access to the file        [RFC4765]
   2  write             This user has write access to the file       [RFC4765]
   3  execute           This user has the ability to execute         [RFC4765]
                        the file                                
   4  search            This user has the ability to search          [RFC4765]
                        this file (applies to "execute"         
                        permission on directories in UNIX)      
   5  delete            This user has the ability to delete          [RFC4765]
                        this file                               
   6  executeAs         This user has the ability to execute         [RFC4765]
                        this file as another user               
   7  changePermissions This user has the ability to change          [RFC4765]
                        the access permissions on this file     
   8  takeOwnership     This user has the ability to take            [RFC4765]
                        ownership of this file                  


IDMEF Class Name: Linkage
IDMEF Attribute Name: category
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  hard-link        The <name> element represents another name   [RFC4765]
                       for this file.  This information may be     
                       more easily obtainable on NTFS file         
                       systems than others.                        
   1  mount-point      An alias for the directory specified by      [RFC4765]
                       the parent's <name> and <path> elements.    
   2  reparse-point    Applies only to Windows; excludes symbolic   [RFC4765]
                       links and mount points, which are specific  
                       types of reparse points.                    
   3  shortcut         The file represented by a Windows            [RFC4765]
                       "shortcut."  A shortcut is distinguished    
                       from a symbolic link because of the         
                       difference in their contents, which may be  
                       of importance to the manager.               
   4  stream           An Alternate Data Stream (ADS) in Windows;   [RFC4765]
                       a fork on MacOS.  Separate file system      
                       entity that is considered an extension of   
                       the main <File>.                            
   5  symbolic-link    The <name> element represents the file to    [RFC4765]
                       which the link points.                      


IDMEF Class Name: Checksum
IDMEF Attribute Name: algorithm
Registered Values:
Rank  Keyword          Description                                  Reference
----  ---------------  -------------------------------------------  ---------
   0  MD4              The MD4 algorithm.                           [RFC4765]
   1  MD5              The MD5 algorithm.                           [RFC4765]
   2  SHA1             The SHA1 algorithm.                          [RFC4765]
   3  SHA2-256         The SHA2 algorithm with a 256-bit length.    [RFC4765]
   4  SHA2-384         The SHA2 algorithm with a 384-bit length.    [RFC4765]
   5  SHA2-512         The SHA2 algorithm with a 512-bit length.    [RFC4765]
   6  CRC-32           The CRC algorithm with a 32-bit length.      [RFC4765]
   7  Haval            The Haval algorithm.                         [RFC4765]
   8  Tiger            The Tiger algorithm.                         [RFC4765]
   9  Gost             The Gost algorithm.                          [RFC4765]


References
------------
[RFC4765]  H. Debar, D. Curry and B. Feinstein, "The Intrusion 
           Detection Message Exchange Format", RFC 4765, March 2007.


(file created 04 October 2006)
