The Intrusion Detection Message Exchange Format (IDMEF)
Voir toute la rfc dans une seule page
Page : 23 / 157
Télécharger le PDF
Auteur(s) :
H. Debar,
D. Curry,
B. Feinstein
Classé sous :
Security,
Exchange,
Secure,
Xml,
Ids,
Intrusion detection,
Intrusion
RFC 4765 The IDMEF March 2007
AdditionalData
Zero or more. Information included by the analyzer that does not
fit into the data model. This may be an atomic piece of data, or
a large amount of data provided through an extension to the IDMEF
(see Section 5).
Alert is represented in the IDMEF DTD as follows:
<!ELEMENT Alert (
Analyzer, CreateTime, DetectTime?, AnalyzerTime?,
Source*, Target*, Classification, Assessment?, (ToolAlert |
OverflowAlert | CorrelationAlert)?, AdditionalData*
)>
<!ATTLIST Alert
messageid CDATA '0'
%attlist.global;
>
The Alert class has one attribute:
messageid
Optional. A unique identifier for the alert; see Section 3.2.9.
4.2.2.1. The ToolAlert Class
The ToolAlert class carries additional information related to the use
of attack tools or malevolent programs such as Trojan horses and can
be used by the analyzer when it is able to identify these tools. It
is intended to group one or more previously-sent alerts together, to
say "these alerts were all the result of someone using this tool".
The ToolAlert class is composed of three aggregate classes, as shown
in Figure 3.
Debar, et al. Experimental [Page 23]