Network Working Group                                           H. Debar
Request for Comments: 4765                                France Telecom
Category: Experimental                                          D. Curry
                                                                Guardian
                                                            B. Feinstein
                                                       SecureWorks, Inc.
                                                              March 2007

        The Intrusion Detection Message Exchange Format (IDMEF)
Status of This Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
IESG Note
The content of this RFC was at one time considered by the IETF, but
the working group concluded before this work was approved as a
standards-track protocol. This RFC is not a candidate for any level
of Internet Standard. The IETF disclaims any knowledge of the
fitness of this RFC for any purpose and in particular notes that the
decision to publish is not based on complete IETF review for such
things as security, congestion control, or inappropriate interaction
with deployed protocols. The IESG has chosen to publish this
document in order to document the work as it was when the working
group concluded and to encourage experimentation and development of
the technology. Readers of this RFC should exercise caution in
evaluating its value for implementation and deployment.
Abstract
The purpose of the Intrusion Detection Message Exchange Format
(IDMEF) is to define data formats and exchange procedures for sharing
information of interest to intrusion detection and response systems
and to the management systems that may need to interact with them.
This document describes a data model to represent information
exported by intrusion detection systems and explains the rationale
for using this model. An implementation of the data model in the
Extensible Markup Language (XML) is presented, an XML Document Type
Definition is developed, and examples are provided.
Debar, et al. Experimental [Page 1]
RFC 4765 The IDMEF March 2007
Table of Contents
   1. Introduction ....................................................4
      1.1. About the IDMEF Data Model .................................4
           1.1.1. Problems Addressed by the Data Model ................5
           1.1.2. Data Model Design Goals .............................6
      1.2. About the IDMEF XML Implementation .........................7
           1.2.1. The Extensible Markup Language ......................7
           1.2.2. Rationale for Implementing IDMEF in XML .............8
   2. Notices and Conventions Used in This Document ..................10
   3. Notational Conventions and Formatting Issues ...................10
      3.1. IDMEF XML Documents .......................................10
           3.1.1. The Document Prolog ................................10
           3.1.2. Character Data Processing in IDMEF .................11
           3.1.3. Languages in IDMEF .................................12
      3.2. IDMEF Data Types ..........................................12
           3.2.1. Integers ...........................................12
           3.2.2. Real Numbers .......................................12
           3.2.3. Characters and Strings .............................13
           3.2.4. Bytes ..............................................14
           3.2.5. Enumerated Types ...................................14
           3.2.6. Date-Time Strings ..................................14
           3.2.7. NTP Timestamps .....................................16
           3.2.8. Port Lists .........................................16
           3.2.9. Unique Identifiers .................................17
   4. The IDMEF Data Model and DTD ...................................18
      4.1. Data Model Overview .......................................18
      4.2. The Message Classes .......................................20
           4.2.1. The IDMEF-Message Class ............................20
           4.2.2. The Alert Class ....................................20
           4.2.3. The Heartbeat Class ................................27
           4.2.4. The Core Classes ...................................29
           4.2.5. The Time Classes ...................................41
           4.2.6. The Assessment Classes .............................42