Intrusion Detection Message Exchange Format


IDMEF (Intrusion Detection Message Exchange Format) is a data format used in computer security to exchange information between intrusion detection and intrusion prevention software, security information collection systems, and the management systems that need to interact with them. IDMEF messages are designed to be processed automatically. The format is described in RFC 4765, which presents an XML implementation of the data model together with the associated DTD. The requirements for the format are described in RFC 4766, and the recommended transport protocol (IDXP) is documented in RFC 4767.


IDMEF

[Figure: IDMEF-Schema.png, the IDMEF class schema]

The purpose of IDMEF is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them. It is used in computer security for reporting and exchanging incidents, and it is intended for easy automatic processing.

IDMEF is a well-structured, object-oriented format consisting of 33 classes containing 108 fields, three of which are mandatory:

There are currently two types of IDMEF messages that can be created: Heartbeat and Alert.

Heartbeat

Heartbeats are sent by analyzers to indicate their status. They are sent at regular intervals whose period is defined in the heartbeat interval field. If no heartbeat is received from an analyzer for several periods, the analyzer should be considered unable to raise alerts.
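The liveness rule above is easy to get wrong in a collector (out-of-order messages, analyzers with different intervals). The following is an added example, not code from the article or from any IDMEF implementation: a small heartbeat monitor that parses Heartbeat messages with the element names of RFC 4765 (Analyzer, CreateTime, HeartbeatInterval) and reports analyzers that have missed a configurable number of periods. The analyzer ids, timestamps and the 60-second interval in the sample feed are constructed for the example.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET  # for messages from untrusted peers use defusedxml.ElementTree (same API)

IDMEF_NS = {"idmef": "http://iana.org/idmef"}


def _heartbeat(analyzer_id, created, interval, msgid):
    """Build a constructed Heartbeat message; element names follow RFC 4765, values are made up."""
    return (
        '<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">'
        f'<idmef:Heartbeat messageid="{msgid}">'
        f'<idmef:Analyzer analyzerid="{analyzer_id}"/>'
        f'<idmef:CreateTime>{created}</idmef:CreateTime>'
        f'<idmef:HeartbeatInterval>{interval}</idmef:HeartbeatInterval>'
        '</idmef:Heartbeat></idmef:IDMEF-Message>'
    )


# Constructed sample feed: sensor01 keeps beating every minute, sensor02 goes quiet after one heartbeat.
SAMPLE_FEED = [
    _heartbeat("bc-sensor01", "2000-03-09T10:00:00Z", 60, "hb-1"),
    _heartbeat("bc-sensor02", "2000-03-09T10:00:00Z", 60, "hb-2"),
    _heartbeat("bc-sensor01", "2000-03-09T10:01:00Z", 60, "hb-3"),
    _heartbeat("bc-sensor01", "2000-03-09T10:02:00Z", 60, "hb-4"),
]


def _parse_time(stamp):
    """IDMEF times are ISO 8601 in UTC; map the trailing Z to an offset fromisoformat accepts everywhere."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_heartbeat(xml_text):
    """Return (analyzerid, create_time, interval_seconds) from one Heartbeat message."""
    hb = ET.fromstring(xml_text).find("idmef:Heartbeat", IDMEF_NS)
    if hb is None:
        raise ValueError("not a Heartbeat message")
    analyzer_id = hb.find("idmef:Analyzer", IDMEF_NS).get("analyzerid")
    created = _parse_time(hb.findtext("idmef:CreateTime", namespaces=IDMEF_NS))
    # HeartbeatInterval is optional in the schema; assume 60 s when absent (example policy, not from the RFC)
    interval = int(hb.findtext("idmef:HeartbeatInterval", default="60", namespaces=IDMEF_NS))
    return analyzer_id, created, interval


class HeartbeatMonitor:
    """Tracks the newest heartbeat per analyzer and flags analyzers silent for too many periods."""

    def __init__(self, missed_periods=3):
        self.missed_periods = missed_periods
        self.last_seen = {}  # analyzerid -> (create_time, interval_seconds)

    def observe(self, xml_text):
        analyzer_id, created, interval = parse_heartbeat(xml_text)
        previous = self.last_seen.get(analyzer_id)
        # Keep the newest CreateTime so a delayed, older heartbeat cannot mask a gap
        if previous is None or created > previous[0]:
            self.last_seen[analyzer_id] = (created, interval)

    def silent_analyzers(self, now):
        """Analyzers whose newest heartbeat is older than missed_periods * their own interval."""
        return sorted(
            analyzer_id
            for analyzer_id, (created, interval) in self.last_seen.items()
            if now - created > timedelta(seconds=interval * self.missed_periods)
        )


def run_sample(now_iso="2000-03-09T10:04:30Z", missed_periods=3):
    """Feed the constructed sample through the monitor and report who is silent at `now_iso`."""
    monitor = HeartbeatMonitor(missed_periods)
    for message in SAMPLE_FEED:
        monitor.observe(message)
    return monitor.silent_analyzers(_parse_time(now_iso))


if __name__ == "__main__":
    print("silent analyzers:", run_sample())  # sensor02 missed more than three 60 s periods
```

The monitor compares each analyzer against its own advertised interval rather than a global timeout, which is what makes mixed sensor fleets work; the "missed periods" threshold is the only tuning knob.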

Alert

Alerts describe an attack that has taken place. The main classes that make up an alert are:

Three further alert types inherit from this scheme:

Example

An IDMEF report of a ping-of-death attack can look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns">
        <idmef:name>sensor.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source ident="a1a2" spoofed="yes">
      <idmef:Node ident="a1a2-1">
        <idmef:Address ident="a1a2-2" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="b3b4">
      <idmef:Node>
        <idmef:Address ident="b3b4-1" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="c5c6">
      <idmef:Node ident="c5c6-1" category="nisplus">
        <idmef:name>lollipop</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="d7d8">
      <idmef:Node ident="d7d8-1">
        <idmef:location>Cabinet B10</idmef:location>
        <idmef:name>Cisco.router.b10</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Ping-of-death detected">
      <idmef:Reference origin="cve">
        <idmef:name>CVE-1999-128</idmef:name>
        <idmef:url>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-128</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
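To show what a consumer does with such a message, here is an added example (not code from the article or from any IDMEF tool) that parses the ping-of-death alert above and flattens it into a record a SIEM could index. It assumes, following RFC 4765, that Analyzer, CreateTime and Classification are the mandatory children of Alert and rejects messages lacking them; the second, incomplete alert is constructed for the example.

```python
import xml.etree.ElementTree as ET  # for messages from untrusted peers use defusedxml.ElementTree (same API)

IDMEF_NS = {"idmef": "http://iana.org/idmef"}

# The article's ping-of-death alert, re-indented; content is unchanged.
ALERT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns"><idmef:name>sensor.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source ident="a1a2" spoofed="yes">
      <idmef:Node ident="a1a2-1">
        <idmef:Address ident="a1a2-2" category="ipv4-addr"><idmef:address>192.0.2.200</idmef:address></idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="b3b4">
      <idmef:Node>
        <idmef:Address ident="b3b4-1" category="ipv4-addr"><idmef:address>192.0.2.50</idmef:address></idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="c5c6">
      <idmef:Node ident="c5c6-1" category="nisplus"><idmef:name>lollipop</idmef:name></idmef:Node>
    </idmef:Target>
    <idmef:Target ident="d7d8">
      <idmef:Node ident="d7d8-1">
        <idmef:location>Cabinet B10</idmef:location>
        <idmef:name>Cisco.router.b10</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Ping-of-death detected">
      <idmef:Reference origin="cve">
        <idmef:name>CVE-1999-128</idmef:name>
        <idmef:url>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-128</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""

# Constructed, deliberately incomplete alert: no Classification element.
INCOMPLETE_ALERT_XML = (
    '<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">'
    '<idmef:Alert messageid="bad-1"><idmef:Analyzer analyzerid="x"/>'
    '<idmef:CreateTime>2000-03-09T10:01:25Z</idmef:CreateTime></idmef:Alert></idmef:IDMEF-Message>'
)

# Assumed mandatory children of Alert, per RFC 4765 section 4.2.2
MANDATORY = ("idmef:Analyzer", "idmef:CreateTime", "idmef:Classification")


def missing_mandatory(xml_text):
    """Names of mandatory Alert children that are absent (empty list when the alert is complete)."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", IDMEF_NS)
    if alert is None:
        return ["idmef:Alert"]
    return [tag for tag in MANDATORY if alert.find(tag, IDMEF_NS) is None]


def _node_summary(elem):
    """ident plus the addresses and names of the Node under a Source or Target element."""
    return {
        "ident": elem.get("ident"),
        "addresses": [a.text for a in elem.findall("idmef:Node/idmef:Address/idmef:address", IDMEF_NS)],
        "names": [n.text for n in elem.findall("idmef:Node/idmef:name", IDMEF_NS)],
    }


def summarize_alert(xml_text):
    """Flatten an IDMEF Alert into a dict; raises ValueError for an incomplete alert."""
    missing = missing_mandatory(xml_text)
    if missing:
        raise ValueError(f"alert is missing mandatory element(s): {missing}")
    alert = ET.fromstring(xml_text).find("idmef:Alert", IDMEF_NS)
    sources = []
    for src in alert.findall("idmef:Source", IDMEF_NS):
        summary = _node_summary(src)
        # spoofed="yes" means the analyzer believes the address is a decoy; responders should not
        # treat it as attribution or feed it into an automatic block list
        summary["spoofed"] = src.get("spoofed", "unknown")
        sources.append(summary)
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find("idmef:Analyzer", IDMEF_NS).get("analyzerid"),
        "created": alert.findtext("idmef:CreateTime", namespaces=IDMEF_NS),
        "classification": alert.find("idmef:Classification", IDMEF_NS).get("text"),
        "references": [r.text for r in alert.findall("idmef:Classification/idmef:Reference/idmef:name", IDMEF_NS)],
        "sources": sources,
        "targets": [_node_summary(t) for t in alert.findall("idmef:Target", IDMEF_NS)],
    }


if __name__ == "__main__":
    print(summarize_alert(ALERT_XML))
```

Note that the example's source carries spoofed="yes": a consumer that auto-blocks source addresses from IDMEF alerts would otherwise block 192.0.2.200 on the analyzer's own word that the address is a decoy, so the summary keeps that flag next to the address.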

Tools implementing the IDMEF protocol

Competing Frameworks

Many telecommunications network elements produce security alarms [1] that address intrusion detection in conformance with international standards. These security alarms are inserted into the normal alarm stream [2], where they can be seen and acted upon immediately by personnel in a network operations center.


References

  1. ITU-T. "Recommendation X.736: Information technology - Open Systems Interconnection - Systems Management: Security alarm reporting function". Retrieved 5 September 2019.
  2. ITU-T. "Recommendation X.733: Information technology - Open Systems Interconnection - Systems Management: Alarm reporting function".
