The Intrusion Detection Message Exchange Format (IDMEF)
RFC 4765

Document type: RFC - Experimental (March 2007; No errata)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4765 (Experimental)
Responsible AD: Sam Hartman
Send notices to: <mike@cs.hmc.edu>, <stuart@silicondefense.com>

Network Working Group                                           H. Debar
Request for Comments: 4765                                France Telecom
Category: Experimental                                          D. Curry
                                                                Guardian
                                                            B. Feinstein
                                                       SecureWorks, Inc.
                                                              March 2007

        The Intrusion Detection Message Exchange Format (IDMEF)

Status of This Memo

   This memo defines an Experimental Protocol for the Internet
   community.  It does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

IESG Note

   The content of this RFC was at one time considered by the IETF, but
   the working group concluded before this work was approved as a
   standards-track protocol.  This RFC is not a candidate for any level
   of Internet Standard.  The IETF disclaims any knowledge of the
   fitness of this RFC for any purpose and in particular notes that the
   decision to publish is not based on complete IETF review for such
   things as security, congestion control, or inappropriate interaction
   with deployed protocols.  The IESG has chosen to publish this
   document in order to document the work as it was when the working
   group concluded and to encourage experimentation and development of
   the technology.  Readers of this RFC should exercise caution in
   evaluating its value for implementation and deployment.

Abstract

   The purpose of the Intrusion Detection Message Exchange Format
   (IDMEF) is to define data formats and exchange procedures for sharing
   information of interest to intrusion detection and response systems
   and to the management systems that may need to interact with them.

   This document describes a data model to represent information
   exported by intrusion detection systems and explains the rationale
   for using this model.  An implementation of the data model in the
   Extensible Markup Language (XML) is presented, an XML Document Type
   Definition is developed, and examples are provided.

Debar, et al.                 Experimental                      [Page 1]
RFC 4765                       The IDMEF                      March 2007

Table of Contents

   1. Introduction ....................................................4
      1.1. About the IDMEF Data Model .................................4
           1.1.1. Problems Addressed by the Data Model ................5
           1.1.2. Data Model Design Goals .............................6
      1.2. About the IDMEF XML Implementation .........................7
           1.2.1. The Extensible Markup Language ......................7
           1.2.2. Rationale for Implementing IDMEF in XML .............8
   2. Notices and Conventions Used in This Document ..................10
   3. Notational Conventions and Formatting Issues ...................10
      3.1. IDMEF XML Documents .......................................10
           3.1.1. The Document Prolog ................................10
           3.1.2. Character Data Processing in IDMEF .................11
           3.1.3. Languages in IDMEF .................................12
      3.2. IDMEF Data Types ..........................................12
           3.2.1. Integers ...........................................12
           3.2.2. Real Numbers .......................................12
           3.2.3. Characters and Strings .............................13
           3.2.4. Bytes ..............................................14
           3.2.5. Enumerated Types ...................................14
           3.2.6. Date-Time Strings ..................................14
           3.2.7. NTP Timestamps .....................................16
           3.2.8. Port Lists .........................................16
           3.2.9. Unique Identifiers .................................17
   4. The IDMEF Data Model and DTD ...................................18
      4.1. Data Model Overview .......................................18
      4.2. The Message Classes .......................................20
           4.2.1. The IDMEF-Message Class ............................20
           4.2.2. The Alert Class ....................................20
           4.2.3. The Heartbeat Class ................................27
           4.2.4. The Core Classes ...................................29
           4.2.5. The Time Classes ...................................41
           4.2.6. The Assessment Classes .............................42
