Incident Object Description Exchange Format

IODEF (Incident Object Description Exchange Format) is a data format used in computer security to describe incident information for the purpose of exchange between Computer Security Incident Response Teams (CSIRTs).

IODEF messages are organized in a human-readable way rather than as a machine-oriented format. The details of the format are described in RFC 5070 and updated in RFC 6685. Version 2 of the format is defined in RFC 7970, which supersedes the previous version; this RFC presents an implementation of the data model in XML together with the associated DTD. Further implementation guidance for IODEF v2 is given in RFC 8274.

One of the main characteristics of IODEF is its compatibility with IDMEF (Intrusion Detection Message Exchange Format), which was developed for intrusion detection systems. For this reason IODEF is heavily based on IDMEF and provides backward compatibility with it.

Format

[Figure: graphical schema of the format]

IODEF is an object-oriented structured format composed of 47 classes in its first version. The IODEF and IDMEF formats have a lot in common: the field structure is similar to that of IDMEF, and IODEF is likewise extensible. In addition to the usual AdditionalData class, which allows any information relevant to the IODEF message to be attached, most enumerations are provided with an "ext" value. This value is used when none of the proposed choices fits.

Here is a list of the main fields of an Incident, with the number of times each may occur:

| Field name | Number of fields | Description |
|---|---|---|
| IncidentID | 1 | An incident identification number assigned to this incident by the CSIRT that creates the IODEF document. |
| AlternativeID | 0 or 1 | The incident ID numbers used by other CSIRTs to refer to the incident described in the document. |
| RelatedActivity | 0 or 1 | The ID numbers of the incidents linked to the one described in this document. |
| DetectTime | 0 or 1 | Time at which the incident was detected for the first time. |
| StartTime | 0 or 1 | Time at which the incident started. |
| EndTime | 0 or 1 | Time at which the incident ended. |
| ReportTime | 1 | Time at which the incident was reported. |
| Description | 0 or more | (ML_STRING) A non-formatted textual description of the event. |
| Assessment | 0 or more | A characterization of the incident's impact. |
| Method | 0 or more | Techniques used by the intruder during the incident. |
| Contact | 0 or more | Contact information for the groups involved in the incident. |
| EventData | 0 or more | Description of the events making up the incident. |
| History | 0 or more | A log of the events or notable actions which took place during the handling of the incident. |
| AdditionalData | 0 or more | Mechanism which extends the data model. |
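The following is an added example, not code from the page or from any IODEF implementation: it serializes a minimal IODEF v2 Incident with the standard library and then checks a received document against the cardinalities in the table above (exactly one IncidentID and ReportTime, at most one of the optional singletons). It assumes the RFC 7970 namespace `urn:ietf:params:xml:ns:iodef-2.0`, the `version="2.00"`, `purpose` and `name` attributes, and constructed sample values; the element layout beyond that table is not checked.

```python
# Added example (not from RFC 7970 or the page): build a minimal IODEF v2
# Incident and check the cardinalities of the field table above.
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # IODEF v2 namespace (RFC 7970)

# Cardinality of each Incident child as in the table: (min, max); None = unbounded.
CARDINALITY = {
    "IncidentID": (1, 1), "AlternativeID": (0, 1), "RelatedActivity": (0, 1),
    "DetectTime": (0, 1), "StartTime": (0, 1), "EndTime": (0, 1),
    "ReportTime": (1, 1), "Description": (0, None), "Assessment": (0, None),
    "Method": (0, None), "Contact": (0, None), "EventData": (0, None),
    "History": (0, None), "AdditionalData": (0, None),
}


def build_incident(incident_id: str, csirt: str, report_time: str, description: str) -> bytes:
    """Serialize an IODEF-Document with one Incident (all values are constructed samples)."""
    ET.register_namespace("", NS)  # emit the IODEF namespace as the default namespace
    doc = ET.Element(f"{{{NS}}}IODEF-Document", {"version": "2.00"})
    inc = ET.SubElement(doc, f"{{{NS}}}Incident", {"purpose": "reporting"})
    # IncidentID carries the assigning CSIRT in its mandatory 'name' attribute
    ET.SubElement(inc, f"{{{NS}}}IncidentID", {"name": csirt}).text = incident_id
    ET.SubElement(inc, f"{{{NS}}}ReportTime").text = report_time
    ET.SubElement(inc, f"{{{NS}}}Description").text = description
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def check_incident(xml_bytes: bytes) -> list:
    """Return cardinality violations for every Incident in the document (empty = OK).

    Reports come from other CSIRTs, i.e. from untrusted input: in production parse
    them with defusedxml rather than the stdlib parser used here for brevity.
    """
    root = ET.fromstring(xml_bytes)
    problems = []
    for inc in root.iter(f"{{{NS}}}Incident"):
        for name, (lo, hi) in CARDINALITY.items():
            n = len(inc.findall(f"{{{NS}}}{name}"))
            if n < lo:
                problems.append(f"{name}: required, found {n}")
            elif hi is not None and n > hi:
                problems.append(f"{name}: at most {hi} allowed, found {n}")
    return problems


if __name__ == "__main__":
    report = build_incident("CSIRT-2024-0001", "csirt.example.org",
                            "2024-01-15T10:00:00Z", "Constructed test incident")
    print(report.decode())
    print("violations:", check_incident(report))
```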

Software using IODEF
