Used as part of computer security, IDMEF (Intrusion Detection Message Exchange Format) is a data format used to exchange informations between software enabling intrusion detection, intrusion prevention, security information collection and management systems that may need to interact with them. IDMEF messages are designed to be processed automatically. The details of the format are described in the RFC 4765. This RFC presents an implementation of the XML data model and the associated DTD. The requirements for this format are described in RFC 4766, and the recommended transport protocol (IDXP) is documented in RFC 4767
The purpose of IDMEF is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. It is used in computer security for incidents reporting and exchanging. It is intended for easy automatic processing.
IDMEF is a well-structured object-oriented format, which consists of 33 classes containing 108 fields including three mandatory:
The classificationThe unique loginThe date of creation of the alert.There are currently two types of IDMEF messages that can be created, Heartbeat or Alert
The Heartbeats are sent by the analyzers to indicate their status. These messages are sent at regular intervals which period is defined in the Heartbeat Interval Field. If none of these messages are received for several periods of time, consider that this analyzer is not able to trigger alerts.
Alerts are used to describe an attack that took place, the main areas that create the alert are:
CreateTime: Date of creation of the alertDetectTime: alert detection time by the analyzerAnalyzerTime: The time the alert was sent by the analyzerSource: Details about the origin of the attack can be a service, a user, a process and / or a nodeTarget: Details on the target of the attack can be a service, a user, a process and / or a node and a fileClassification: Name of the attack and references, as CVEsAssessment: Evaluation of the attack (severity, potential impact, etc.)AdditionalData: Additional information on the attackThere are three other alert types that inherit from this scheme:
CorrelationAlert: Grouping of alerts related to one anotherToolAlert: alerts from the same Grouping toolOverflowAlert: Alert resulting from attack so-called buffer overflowIDMEF report of ping of death attack can look as follows:
Prelude (Intrustion Detection System)NIDS SnortNIDS Suricata ([1])HIDS Ossec ([2])HIDS Samhain ([3])SaganBarnyard 2OrchidsLibPrelude : Part of the Prelude OSS Project, libprelude permits to communicate between agents using the IDMEF format. Libprelude is coded in C but multiple bindings are available (python, lua, perl, etc.). It can be used in any open-source IDS tools.LibIDMEF : LibIDMEF is an implementation of the IETF (Internet Engineering Task Force), IDWG ( Intrusion Detection Exchange Format Charter Working Group), draft standard IDMEF protocol.IDMEF Framework Dotnet : Dotnet library to create IDMEF objects and export them in XML.DILCA – Distributed IDMEF Logical Correlation Architecture : DILCA is a distributed logical correlation and reaction architecture featuring collection and correlation of IDMEF formatted log events (Intrusion Detection Message Exchange Format – RFC 4765) through a multi-step signature based system.XML::IDMEF – A perl module for building/parsing IDMEF messages : IDMEF.pm is an interface for simply creating and parsing IDMEF messages. IDMEF is an XML based protocol designed mainly for representing Intrusion Detection (IDS) alert messages.Other module for creating/parsing IDMEF messagesSnort IDMEF Plugin : Snort IDMEF is an IDMEF XML plugin for Snort to output alert events in the form of IDMEF messages. The plugin is compatible with Snort 2.xA Broccoli server to send IDMEF alerts via PreludeConverter for the IDMEF formatIDMEF ParserAn IDMEF alerting library for distributed IDPS
