
The Intrusion Detection Message Exchange Format (IDMEF)
RFC 4765

Document history

Date Rev. By Action
2018-12-20
16 (System)
Received changes through RFC Editor sync (changed abstract to 'The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.

This document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided. This memo defines an Experimental Protocol for the Internet community.')
2015-10-14
16 (System) Notify list changed from ,  to
2012-08-22
16 (System) post-migration administrative database adjustment to the No Objection position for Bert Wijnen
2012-08-22
16 (System) post-migration administrative database adjustment to the No Objection position for Patrik Faltstrom
2007-03-12
16 Amy Vezza State Changes to RFC Published from RFC Ed Queue by Amy Vezza
2007-03-12
16 Amy Vezza [Note]: 'RFC 4765' added by Amy Vezza
2007-03-11
16 (System) RFC published
2007-02-12
16 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2006-10-30
16 (System) IANA Action state changed to Waiting on RFC Editor from RFC-Ed-Ack
2006-10-25
16 (System) IANA Action state changed to RFC-Ed-Ack from In Progress
2006-10-25
16 (System) IANA Action state changed to In Progress from Waiting on Authors
2006-10-20
16 (System) IANA Action state changed to Waiting on Authors from In Progress
2006-10-20
16 (System) IANA Action state changed to In Progress from Waiting on Authors
2006-10-12
16 (System) IANA Action state changed to Waiting on Authors from In Progress
2006-08-28
16 (System) IANA Action state changed to In Progress
2006-03-28
16 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2006-03-23
16 Amy Vezza IESG state changed to Approved-announcement sent
2006-03-23
16 Amy Vezza IESG has approved the document
2006-03-23
16 Amy Vezza Closed "Approve" ballot
2006-03-23
16 Sam Hartman State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Sam Hartman
2006-03-23
16 (System) [Ballot Position Update] Position for Ned Freed has been changed to Yes from No Record
2006-03-23
16 (System) [Ballot Position Update] New position, Yes, has been recorded for Steven Bellovin
2006-03-23
16 (System) [Ballot Position Update] New position, No Objection, has been recorded for Jeffrey Schiller
2006-03-23
16 (System) [Ballot Position Update] New position, No Objection, has been recorded for Thomas Narten
2006-03-23
16 (System) [Ballot Position Update] Position for Randy Bush has been changed to Discuss from No Record
2006-03-23
16 (System) [Ballot Position Update] Position for Patrik Faltstrom has been changed to No Objection from No Record
2006-03-23
16 (System) [Ballot Position Update] Position for Scott Bradner has been changed to Discuss from No Record
2006-03-23
16 Bert Wijnen [Ballot Position Update] Position for Bert Wijnen has been changed to No Objection from Discuss by Bert Wijnen
2006-03-22
16 (System) New version available: draft-ietf-idwg-idmef-xml-16.txt
2006-03-03
16 Brian Carpenter [Ballot Position Update] Position for Brian Carpenter has been changed to No Objection from Undefined by Brian Carpenter
2006-03-03
16 (System) Removed from agenda for telechat - 2006-03-02
2006-03-02
16 Amy Vezza State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Amy Vezza
2006-03-02
16 Allison Mankin [Ballot comment]
It would be helpful to have boilerplate about this not being
a standard.
2006-03-02
16 Allison Mankin [Ballot Position Update] Position for Allison Mankin has been changed to No Objection from Yes by Allison Mankin
2006-03-02
16 Brian Carpenter [Ballot Position Update] Position for Brian Carpenter has been changed to Undefined from No Objection by Brian Carpenter
2006-03-02
16 Brian Carpenter
[Ballot comment]
I'm probably a No Objection on this to avoid delay, but
I note that there is nothing to tell the reader how
its success or failure as an Experimental spec will
be evaluated. Experimental does not mean de facto standard!
2006-03-02
16 Brian Carpenter [Ballot Position Update] New position, No Objection, has been recorded for Brian Carpenter by Brian Carpenter
2006-03-01
16 David Kessens [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens
2006-03-01
16 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley by Russ Housley
2006-02-27
16 Scott Hollenbeck
[Ballot comment]
If the XML Schema were normative I'd enter this as a discuss.  Since it's not, though, a comment will suffice.

XML namespaces minted in the IETF should be registered with IANA as described in RFC 3688.  This document uses an IANA URL to identify the namespace.

There's also some redundancy in the schema.  I see an empty derivation by restriction, for example:
Any place this type is referenced, xsd:string can be used instead since there's no actual restriction included in this definition.  What they've done with the above is create an alias for the Schema "string" type, which can make things confusing to understand.
2006-02-27
16 Scott Hollenbeck [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck
2006-02-23
16 Sam Hartman State Changes to IESG Evaluation from AD Evaluation by Sam Hartman
2006-02-23
16 Sam Hartman [Ballot Position Update] New position, Yes, has been recorded for Sam Hartman
2006-02-23
16 Sam Hartman Ballot has been issued by Sam Hartman
2006-02-23
16 (System) Ballot writeup text was added
2006-02-23
16 (System) Last call text was added
2006-02-23
16 (System) Ballot approval text was added
2006-02-23
16 Sam Hartman Placed on agenda for telechat - 2006-03-02 by Sam Hartman
2006-02-23
16 Sam Hartman
[Note]: 'Returning for publication as an experimental RFC rather than a
proposed standard.  When I talked to the IESG about this the plan was
to completely remove the schema.  The authors really want appendix c
to stay as non-normative; if the IESG cannot accept this then we can
use an rfc editor note.' added by Sam Hartman
2006-02-23
16 Sam Hartman Status date has been changed to 2006-02-23 from 2005-02-07
2006-02-23
16 Sam Hartman Intended Status has been changed to Experimental from Proposed Standard
2006-02-13
15 (System) New version available: draft-ietf-idwg-idmef-xml-15.txt
2005-08-18
16 Randy Bush
[Ballot comment]
Comment transferred from old ballot:

i think the point is

both water and air are allowed. one may be better for washing your
car.
2005-08-18
16 Ned Freed
[Ballot comment]
Comment transferred from old ballot:
>To: Randy Bush

> discuss

> ...

> 2) Section 3.3.4 mentions XML Schema and how they would one day use it.
> Well, it has been out for awhile, so why aren't they? If they
> switched from DTD's to XML Schema, they could probably get rid of half
> of the data type sections (3.4.1 to 3.4.6) and their entire need for UML.

This issue is discussed in section 4.7 of
draft-hollenbeck-ietf-xml-guidelines-07.txt, recently approved as a BCP.
This section makes it clear that either a DTD or a Schema based approach
is permissible; neither one is inherently better than the other:

    The choice of tool depends on the needs for extensibility or for a
    formal language and mechanism for constraining permissible values
    and validating adherence to the constraints.

I read this as saying that unless a case can be made that these needs
aren't met by the chosen mechanism we should not be insisting they make a
different choice.
2005-08-18
16 Randy Bush
[Ballot discuss]
Discuss comment transferred from old ballot:

needs to separate into at least two docs, the xml and transport model
and the particular application

xml-dir review comment

1) There is too much description and teaching about XML and UML. The
document should merely reference the XML and UML standards and explain
the restrictions and/or extensions to those specs in the definition of
IDMEF.

2) Section 3.3.4 mentions XML Schema and how they would one day use it.
Well, it has been out for awhile, so why aren't they? If they
switched from DTD's to XML Schema, they could probably get rid of half
of the data type sections (3.4.1 to 3.4.6) and their entire need for UML.
2005-08-18
16 Scott Bradner
[Ballot discuss]
Discuss transferred from old ballot:

note:
      I would have thought that there should be an IANA considerations
      section that at least points to sec 5 on how extensions
      can get made but also, I would have thought that sec 5 would
      have included what IETF processes (see RFC 2434) should
      be used to extend the protocol

      I'm sensitive to this because we are getting a pile of
      requests to extend IETF protocols (MPLS, RSVP etc) of
      late and we did not have any -must be extended within the
      ietf only- IANA message so we are being asked to OK
      some messy extensions - it would be good to cut this off at the
      pass and include such restrictions in new docs
2005-08-18
16 Patrik Fältström
[Ballot discuss]
Discuss comment transferred from old ballot:

Yes, I should have discovered this earlier, but this last week has been
too much. I just passed the document to the xml-directorate for review.
I will send in a new ballot as soon as I get a response.

This implies I hope this only has to wait until say Monday, and not until the next
telechat, before it can pass.

So, please, do the rest of the ballot!
2005-08-17
16 Bert Wijnen
[Ballot discuss]
Discuss transferred from old style text ballot:
I think I had a Defer (after initially thinking I would be noObj).

But I need to raise a Discuss.

Section: 4.2.7.4.2 The SNMPService Class

The description of this Class shows only how to deal with SNMPv1/v2c
where authentication is done by (very weak) community String.

We just made SNMPv1/v2c Historic. Of course they are still in
wide use, but SNMPv3 (which we just published as STD 62) is already
deployed at many places and will get more and more deployment.

I think this document should recognize that and also address SNMPv3
where we no longer have a community String.

I also wonder, in the many examples on Pages 76 and following, if
it is OK to use domain names and IP addresses as they do. In other
words, do they violate one of our NITS:
        Addresses used in examples should prefer use of fully
  qualified domain names to literal IP addresses, and prefer use
  of example fqdn's such as foo.example.com to real-world fqdn's
  See RFC 2606 for example domain names that can be used
        There is also a range of IP addresses set aside for this
  purpose. These are 192.0.2.0/24 (see RFC 3330). Private
  addresses that would be used in the real world should be
  avoided in examples.

Let me add that the IPR section is also missing for this doc
that is targeted for STDs track.
2005-08-17
16 Amy Vezza [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Amy Vezza
2005-08-17
16 Amy Vezza [Ballot Position Update] Position for Bert Wijnen has been changed to Discuss from No Objection by Amy Vezza
2005-08-17
16 Amy Vezza [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Amy Vezza
2005-08-17
16 Amy Vezza [Ballot Position Update] New position, Yes, has been recorded for Allison Mankin by Amy Vezza
2005-08-17
16 Amy Vezza [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Amy Vezza
2005-08-17
16 Amy Vezza Created "Approve" ballot
2005-02-07
16 Sam Hartman Status date has been changed to 2005-02-07 from 2004-02-07
2005-02-07
16 Sam Hartman State Changes to AD Evaluation from AD Evaluation::External Party by Sam Hartman
2005-02-07
16 Sam Hartman [Note]: 'WG chair says document looks good.  Need to review it myself and then talk to someone about XML.' added by Sam Hartman
2005-02-07
16 Sam Hartman Status date has been changed to 2004-02-07 from 2004-11-16
2005-02-03
14 (System) New version available: draft-ietf-idwg-idmef-xml-14.txt
2005-02-01
13 (System) New version available: draft-ietf-idwg-idmef-xml-13.txt
2004-11-16
16 Sam Hartman [Note]: 'Waiting for feedback from WG chair on whether XML and other issues are addressed.' added by Sam Hartman
2004-11-16
16 Sam Hartman Status date has been changed to 2004-11-16 from 2002-07-03
2004-11-12
16 Sam Hartman Shepherding AD has been changed to Sam Hartman from Steve Bellovin
2004-07-19
12 (System) New version available: draft-ietf-idwg-idmef-xml-12.txt
2004-02-06
11 (System) New version available: draft-ietf-idwg-idmef-xml-11.txt
2003-02-09
16 Steven Bellovin Significant XML issues remain.  The XML directorate
has been asked to help edit the document.
2003-02-09
16 Steven Bellovin State Changes to AD Evaluation  :: External Party from AD Evaluation by Bellovin, Steve
2003-02-03
16 Steven Bellovin State Changes to AD Evaluation from AD Evaluation  :: Revised ID Needed by Bellovin, Steve
2003-01-31
10 (System) New version available: draft-ietf-idwg-idmef-xml-10.txt
2003-01-27
16 Steven Bellovin
IESG has finally come to a consensus on what needs to be
done to the document.

There are three major things that need to be done.  First,
and probably the hardest, the XML tutorial needs to be moved to an
appendix.  Second, an
IANA Considerations section needs to be added.  Third, the SNMP
discussion needs to talk about SNMPv3, and not just SNMPv1.
2002-12-12
16 Steven Bellovin Notified authors about the IESG's desire to split
the document.
2002-12-12
16 Steven Bellovin State Changes to AD Evaluation  :: Revised ID Needed from IESG Evaluation by Bellovin, Steve
2002-12-02
16 Steven Bellovin State Changes to IESG Evaluation from AD Evaluation  :: AD Followup by Bellovin, Steve
2002-12-02
09 (System) New version available: draft-ietf-idwg-idmef-xml-09.txt
2002-11-27
16 Steven Bellovin State Changes to AD Evaluation  :: AD Followup from AD Evaluation  :: Revised ID Needed by Bellovin, Steve
2002-11-25
08 (System) New version available: draft-ietf-idwg-idmef-xml-08.txt
2002-11-19
16 Steven Bellovin Wait for -08
2002-11-19
16 Steven Bellovin State Changes to AD Evaluation  :: Revised ID Needed from AD Evaluation  :: AD Followup by Bellovin, Steve
2002-10-28
16 Steven Bellovin State Changes to AD Evaluation  -- AD Evaluation of result from AD Evaluation  -- New ID Needed by bellovin
2002-10-25
16 Steven Bellovin State Changes to AD Evaluation from WG/Author by bellovin
2002-10-04
16 Steven Bellovin State Changes to WG/Author  -- New ID Needed from AD Evaluation  -- External Party by bellovin
2002-09-24
16 Steven Bellovin responsible has been changed to Author from Responsible AD
2002-09-23
16 Steven Bellovin responsible has been changed to Responsible AD from
2002-09-23
16 Steven Bellovin State Changes to AD Evaluation  -- External Party from Wait for Writeup by bellovin
2002-07-05
16 Stephen Coya State changes to Wait for Writeup from Last Call Issued by IETF Secretariat
2002-06-21
07 (System) New version available: draft-ietf-idwg-idmef-xml-07.txt
2002-06-19
16 Jacqueline Hargest Due date has been changed to 07/03/2002 from 02/20/2002 by jhargest
2002-06-19
16 Jacqueline Hargest
State Changes to Last Call Issued from Requested by jhargest
2002-06-19
16 (System) Last call sent
2002-05-08
16 Jacqueline Hargest Assigned to has been changed to bellovin from members by jhargest
2002-01-08
06 (System) New version available: draft-ietf-idwg-idmef-xml-06.txt
2001-11-21
05 (System) New version available: draft-ietf-idwg-idmef-xml-05.txt
2001-09-19
04 (System) New version available: draft-ietf-idwg-idmef-xml-04.txt
2001-02-14
03 (System) New version available: draft-ietf-idwg-idmef-xml-03.txt
2001-02-07
02 (System) New version available: draft-ietf-idwg-idmef-xml-02.txt
2000-07-12
01 (System) New version available: draft-ietf-idwg-idmef-xml-01.txt
2000-04-11
00 (System) New version available: draft-ietf-idwg-idmef-xml-00.txt