Intrusion Detection Message Exchange Format


IDMEF (Intrusion Detection Message Exchange Format) is a data format used in computer security to exchange information between intrusion detection and intrusion prevention software, security information collection systems, and the management systems that need to interact with them. IDMEF messages are designed to be processed automatically. The format is specified in RFC 4765, which presents an XML implementation of the data model together with the associated DTD. The requirements the format was designed to meet are given in RFC 4766, and the recommended transport protocol, IDXP (Intrusion Detection Exchange Protocol), is documented in RFC 4767. All three were published by the IETF in 2007 as Experimental RFCs.


IDMEF

[Figure: IDMEF schema]

The purpose of IDMEF is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and with the management systems that may need to interact with them. It is used in computer security for reporting and exchanging incidents, and it is intended to be easy to process automatically.

IDMEF is a well-structured, object-oriented format consisting of 33 classes containing 108 fields. Three of these are mandatory in every Alert, each appearing exactly once: the Analyzer that produced it, the CreateTime at which the message was created, and the Classification naming what was detected (RFC 4765).

An IDMEF-Message carries one of two message types, a Heartbeat or an Alert.

Heartbeat

Heartbeats are sent by analyzers to indicate that they are still running. They are sent at regular intervals whose period is given in the message's HeartbeatInterval field. If no heartbeat arrives for several consecutive periods, the manager should assume that the analyzer is no longer able to raise alerts.

Alert

Alerts describe an attack or other event that the analyzer has detected. The main components of an Alert (RFC 4765) are the Analyzer that generated it, the CreateTime (with the optional DetectTime and AnalyzerTime), the Source and Target of the event, the Classification of what was detected, and an optional Assessment of impact together with any AdditionalData.

Three specialised alert classes extend this scheme: ToolAlert, OverflowAlert and CorrelationAlert.

Example

An IDMEF report of a ping-of-death attack (the example given in RFC 4765) can look as follows. Note the spoofed="yes" attribute on the Source, recording that the analyzer believes the source address was forged, and the three Target elements identifying hosts by IP address, by NIS+ name and by physical location:

<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns">
        <idmef:name>sensor.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source ident="a1a2" spoofed="yes">
      <idmef:Node ident="a1a2-1">
        <idmef:Address ident="a1a2-2" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="b3b4">
      <idmef:Node>
        <idmef:Address ident="b3b4-1" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="c5c6">
      <idmef:Node ident="c5c6-1" category="nisplus">
        <idmef:name>lollipop</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="d7d8">
      <idmef:Node ident="d7d8-1">
        <idmef:location>Cabinet B10</idmef:location>
        <idmef:name>Cisco.router.b10</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Ping-of-death detected">
      <idmef:Reference origin="cve">
        <idmef:name>CVE-1999-128</idmef:name>
        <idmef:url>http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-128</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
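As an added example (not code from the page or from any IDMEF implementation), the following Python reads the kind of Alert shown above and the Heartbeat messages described earlier. It refuses a DOCTYPE before parsing, because sensors feeding a collector are untrusted input and XML entity expansion is the classic way to knock a collector over; it checks the namespace and version; it enforces the three mandatory Alert elements from RFC 4765 (Analyzer, CreateTime, Classification); it extracts the fields a correlation engine keys on; and it applies the heartbeat staleness rule with an assumed policy of three missed HeartbeatInterval periods. The sample heartbeat, and the trimmed copy of the alert, are constructed for this example.

```python
"""Added example (not from the page or any IDMEF implementation): read an IDMEF
Alert or Heartbeat using RFC 4765 element names and apply the heartbeat rule."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
ALERT_REQUIRED = ("Analyzer", "CreateTime", "Classification")  # exactly one each (RFC 4765)

# Trimmed copy of the page's ping-of-death example (two targets dropped), re-spaced.
SAMPLE_ALERT = """<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01"><idmef:Node category="dns"><idmef:name>sensor.example.com</idmef:name></idmef:Node></idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source ident="a1a2" spoofed="yes">
      <idmef:Node ident="a1a2-1"><idmef:Address ident="a1a2-2" category="ipv4-addr"><idmef:address>192.0.2.200</idmef:address></idmef:Address></idmef:Node>
    </idmef:Source>
    <idmef:Target ident="b3b4">
      <idmef:Node><idmef:Address ident="b3b4-1" category="ipv4-addr"><idmef:address>192.0.2.50</idmef:address></idmef:Address></idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Ping-of-death detected">
      <idmef:Reference origin="cve"><idmef:name>CVE-1999-128</idmef:name></idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

# Constructed heartbeat: the analyzer promises one every 600 seconds.
SAMPLE_HEARTBEAT = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Heartbeat messageid="hb-0001">
    <idmef:Analyzer analyzerid="bc-sensor01"/>
    <idmef:CreateTime>2000-03-09T10:00:00Z</idmef:CreateTime>
    <idmef:HeartbeatInterval>600</idmef:HeartbeatInterval>
  </idmef:Heartbeat>
</idmef:IDMEF-Message>"""


def _text(elem, path):
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_idmef(xml_text):
    """Return the fields a collector keys on; raise ValueError on bad input."""
    # Sensors are untrusted input: refuse DTDs so entity expansion cannot be
    # aimed at the collector before a single field has been read.
    if re.search(r"<!DOCTYPE", xml_text, re.IGNORECASE):
        raise ValueError("DOCTYPE not allowed in IDMEF messages")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}IDMEF-Message" % IDMEF_NS or root.get("version") != "1.0":
        raise ValueError("not an IDMEF 1.0 message")
    for kind, handler in (("Alert", _parse_alert), ("Heartbeat", _parse_heartbeat)):
        body = root.find("idmef:" + kind, NS)
        if body is not None:
            return handler(body)
    raise ValueError("message carries neither Alert nor Heartbeat")


def _parse_alert(alert):
    for name in ALERT_REQUIRED:
        if len(alert.findall("idmef:" + name, NS)) != 1:
            raise ValueError("Alert must contain exactly one " + name)
    return {
        "type": "Alert",
        "messageid": alert.get("messageid"),
        "analyzerid": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "create_time": _text(alert, "idmef:CreateTime"),
        "classification": alert.find("idmef:Classification", NS).get("text"),
        "references": [_text(r, "idmef:name") for r in
                       alert.findall("idmef:Classification/idmef:Reference", NS)],
        # RFC 4765 defaults 'spoofed' to "unknown" when the attribute is absent
        "sources": [{"address": _text(s, "idmef:Node/idmef:Address/idmef:address"),
                     "spoofed": s.get("spoofed", "unknown")}
                    for s in alert.findall("idmef:Source", NS)],
        "targets": [{"name": _text(t, "idmef:Node/idmef:name"),
                     "address": _text(t, "idmef:Node/idmef:Address/idmef:address")}
                    for t in alert.findall("idmef:Target", NS)],
    }


def _parse_heartbeat(hb):
    interval = _text(hb, "idmef:HeartbeatInterval")
    return {"type": "Heartbeat", "messageid": hb.get("messageid"),
            "analyzerid": hb.find("idmef:Analyzer", NS).get("analyzerid"),
            "create_time": _text(hb, "idmef:CreateTime"),
            "interval_s": int(interval) if interval else None}


def _utc(ts):
    # IDMEF timestamps are ISO 8601 in UTC ('Z'); sub-second digits are dropped here.
    if not ts.endswith("Z"):
        raise ValueError("expected a UTC timestamp")
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")


def analyzer_is_silent(last_heartbeat, interval_s, now, missed_periods=3):
    """Heartbeat rule: after `missed_periods` consecutive HeartbeatInterval periods
    with no heartbeat, treat the analyzer as unable to raise alerts. Three periods
    is an assumed policy value; the RFC does not fix one."""
    return _utc(now) - _utc(last_heartbeat) > timedelta(seconds=interval_s * missed_periods)
```

The DOCTYPE check is deliberately done on the raw text rather than by configuring the parser, so that it holds regardless of which XML library the collector ends up using; a production collector would additionally bound message size and validate against the RFC 4765 DTD before trusting any field.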

Tools implementing the IDMEF protocol

Competing frameworks

Many telecommunications network elements produce security alarms [1] that report intrusion detection in conformance with international standards. These security alarms are inserted into the normal alarm stream, [2] where personnel in a network operations center can see and act on them immediately.


References

  1. ITU-T. "Recommendation X.736: Information technology - Open Systems Interconnection - Systems Management: Security alarm reporting function". Retrieved 5 September 2019.
  2. ITU-T. "Recommendation X.733: Information technology - Open Systems Interconnection - Systems Management: Alarm reporting function".
