Intrusion Detection Message Exchange Requirements
RFC 4766

 
Document Type RFC - Informational (March 2007; No errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html
Stream WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG IESG state RFC 4766 (Informational)
Telechat date
Responsible AD Sam Hartman
Send notices to <mike@cs.hmc.edu>, <stuart@silicondefense.com>
Network Working Group                                            M. Wood
Request for Comments: 4766               Internet Security Systems, Inc.
Category: Informational                                      M. Erlinger
                                                     Harvey Mudd College
                                                              March 2007

           Intrusion Detection Message Exchange Requirements

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   The purpose of the Intrusion Detection Exchange Format Working Group
   (IDWG) is to define data formats and exchange procedures for sharing
   information of interest to intrusion detection and response systems
   and to the management systems that may need to interact with them.
   This document describes the high-level requirements for such a
   communication mechanism, including the rationale for those
   requirements where clarification is needed.  Scenarios are used to
   illustrate some requirements.

Table of Contents

   1. Introduction ....................................................3
      1.1. Conventions Used in This Document ..........................3
   2. Overview ........................................................4
      2.1. Rationale for IDMEF ........................................4
      2.2. Intrusion Detection Terms ..................................4
      2.3. Architectural Assumptions ..................................8
      2.4. Organization of This Document ..............................9
      2.5. Document Impact on IDMEF Designs ..........................10
   3. General Requirements ...........................................10
      3.1. Use of Existing RFCs ......................................10
      3.2. IPv4 and IPv6 .............................................10
   4. Message Format Requirements ....................................11
      4.1. Internationalization and Localization .....................11
      4.2. Message Filtering and Aggregation .........................11

Wood & Erlinger              Informational                      [Page 1]
RFC 4766                   IDME Requirements                  March 2007

   5. IDMEF Communication Protocol (IDP) Requirements ................12
      5.1. Reliable Message Transmission .............................12
      5.2. Interaction with Firewalls ................................12
      5.3. Mutual Authentication .....................................13
      5.4. Message Confidentiality ...................................13
      5.5. Message Integrity .........................................13
      5.6. Per-source Authentication .................................14
      5.7. Denial of Service .........................................14
      5.8. Message Duplication .......................................14
   6. Message Content Requirements ...................................15
      6.1. Detected Data .............................................15
      6.2. Event Identity ............................................15
      6.3. Event Background Information ..............................16
      6.4. Additional Data ...........................................16
      6.5. Event Source and Target Identity ..........................17
      6.6. Device Address Types ......................................17
      6.7. Event Impact ..............................................17
      6.8. Automatic Response ........................................18
      6.9. Analyzer Location .........................................18
      6.10. Analyzer Identity ........................................19
      6.11. Degree of Confidence .....................................19
      6.12. Alert Identification .....................................19
      6.13. Alert Creation Date and Time .............................20
      6.14. Time Synchronization .....................................21
      6.15. Time Format ..............................................21
      6.16. Time Granularity and Accuracy ............................21
      6.17. Message Extensions .......................................22
      6.18. Message Semantics ........................................22
      6.19. Message Extensibility ....................................22
   7. Security Considerations ........................................23
   8. References .....................................................23
      8.1. Normative References ......................................23
      8.2. Informative References ....................................23
   9. Acknowledgements ...............................................23
Show full document text