Intrusion Detection Message Exchange Format (IDMEF) Parameters
2006-10-04
2007-03-14
Class and Attribute Names
IETF Review
| Class | Attribute |
|---|---|
| Reference | origin |
| Source | spoofed |
| Target | decoy |
| AdditionalData | type |
| Impact | severity |
| Impact | completion |
| Impact | type |
| Action | category |
| Confidence | rating |
| Node | category |
| Address | category |
| User | category |
| UserId | category |
| File | category |
| File | fstype |
| FileAccess | permission |
| Linkage | category |
| Checksum | algorithm |
Attribute Values
Specification Required
Unassigned
| Class | Attribute | Value | Name | Description |
|---|---|---|---|---|
| Reference | origin | 0 | unknown | Origin of the name is not known |
| Reference | origin | 1 | vendor-specific | A vendor-specific name (and hence, URL); this can be used to provide product-specific information |
| Reference | origin | 2 | user-specific | A user-specific name (and hence, URL); this can be used to provide installation-specific information |
| Reference | origin | 3 | bugtraqid | The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid) |
| Reference | origin | 4 | cve | The Common Vulnerabilities and Exposures (CVE) name (http://cve.mitre.org/) |
| Reference | origin | 5 | osvdb | The Open Source Vulnerability Database (http://www.osvdb.org) |
| Source | spoofed | 0 | unknown | Accuracy of source information unknown |
| Source | spoofed | 1 | yes | Source is believed to be a decoy |
| Source | spoofed | 2 | no | Source is believed to be "real" |
| Target | decoy | 0 | unknown | Accuracy of target information unknown |
| Target | decoy | 1 | yes | Target is believed to be a decoy |
| Target | decoy | 2 | no | Target is believed to be "real" |
| AdditionalData | type | 0 | boolean | The element contains a boolean value, i.e., the strings "true" or "false" |
| AdditionalData | type | 1 | byte | The element content is a single 8-bit byte (see Section 3.2.4) |
| AdditionalData | type | 2 | character | The element content is a single character (see Section 3.2.3) |
| AdditionalData | type | 3 | date-time | The element content is a date-time string (see Section 3.2.6) |
| AdditionalData | type | 4 | integer | The element content is an integer (see Section 3.2.1) |
| AdditionalData | type | 5 | ntpstamp | The element content is an NTP timestamp (see Section 3.2.7) |
| AdditionalData | type | 6 | portlist | The element content is a list of ports (see Section 3.2.8) |
| AdditionalData | type | 7 | real | The element content is a real number (see Section 3.2.2) |
| AdditionalData | type | 8 | string | The element content is a string (see Section 3.2.3) |
| AdditionalData | type | 9 | byte-string | The element content is a byte[] (see Section 3.2.4) |
| AdditionalData | type | 10 | xmltext | The element content is XML-tagged data (see Section 5.2) |
| Impact | severity | 0 | info | Information only |
| Impact | severity | 1 | low | Low severity |
| Impact | severity | 2 | medium | Medium severity |
| Impact | severity | 3 | high | High severity |
| Impact | completion | 0 | failed | The attempt was not successful |
| Impact | completion | 1 | succeeded | The attempt succeeded |
| Impact | type | 0 | admin | Administrative privileges were attempted or obtained |
| Impact | type | 1 | dos | A denial of service was attempted or completed |
| Impact | type | 2 | file | An action on a file was attempted or completed |
| Impact | type | 3 | recon | A reconnaissance probe was attempted or completed |
| Impact | type | 4 | user | User privileges were attempted or obtained |
| Impact | type | 5 | other | Anything not in one of the above categories |
| Action | category | 0 | block-installed | A block of some sort was installed to prevent an attack from reaching its destination. The block could be a port block, address block, etc., or disabling a user account. |
| Action | category | 1 | notification-sent | A notification message of some sort was sent out-of-band (via pager, e-mail, etc.). Does not include the transmission of this alert. |
| Action | category | 2 | taken-offline | A system, computer, or user was taken offline, as when the computer is shut down or a user is logged off. |
| Action | category | 3 | other | Anything not in one of the above categories. |
| Confidence | rating | 0 | low | The analyzer has little confidence in its validity |
| Confidence | rating | 1 | medium | The analyzer has average confidence in its validity |
| Confidence | rating | 2 | high | The analyzer has high confidence in its validity |
| Confidence | rating | 3 | numeric | The analyzer has provided a posterior probability value indicating its confidence in its validity |
| Node | category | 0 | unknown | Domain unknown or not relevant |
| Node | category | 1 | ads | Windows 2000 Advanced Directory Services |
| Node | category | 2 | afs | Andrew File System (Transarc) |
| Node | category | 3 | coda | Coda Distributed File System |
| Node | category | 4 | dfs | Distributed File System (IBM) |
| Node | category | 5 | dns | Domain Name System |
| Node | category | 6 | hosts | Local hosts file |
| Node | category | 7 | kerberos | Kerberos realm |
| Node | category | 8 | nds | Novell Directory Services |
| Node | category | 9 | nis | Network Information Services (Sun) |
| Node | category | 10 | nisplus | Network Information Services Plus (Sun) |
| Node | category | 11 | nt | Windows NT domain |
| Node | category | 12 | wfw | Windows for Workgroups |
| Address | category | 0 | unknown | Address type unknown |
| Address | category | 1 | atm | Asynchronous Transfer Mode network address |
| Address | category | 2 | e-mail | Electronic mail address (RFC 822) |
| Address | category | 3 | lotus-notes | Lotus Notes e-mail address |
| Address | category | 4 | mac | Media Access Control (MAC) address |
| Address | category | 5 | sna | IBM Shared Network Architecture (SNA) address |
| Address | category | 6 | vm | IBM VM ("PROFS") e-mail address |
| Address | category | 7 | ipv4-addr | IPv4 host address in dotted decimal notation (a.b.c.d) |
| Address | category | 8 | ipv4-addr-hex | IPv4 host address in hexadecimal notation |
| Address | category | 9 | ipv4-net | IPv4 network address in dotted decimal notation, slash, significant bits (a.b.c.d/nn) |
| Address | category | 10 | ipv4-net-mask | IPv4 network address in dotted decimal notation, slash, network mask in dotted decimal notation (a.b.c.d/w.x.y.z) |
| Address | category | 11 | ipv6-addr | IPv6 host address |
| Address | category | 12 | ipv6-addr-hex | IPv6 host address in hexadecimal notation |
| Address | category | 13 | ipv6-net | IPv6 network address, slash, significant bits |
| Address | category | 14 | ipv6-net-mask | IPv6 network address, slash, network mask |
| User | category | 0 | unknown | User type unknown |
| User | category | 1 | application | An application user |
| User | category | 2 | os-device | An operating system or device user |
| UserId | category | 0 | current-user | The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general. |
| UserId | category | 1 | original-user | The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used. |
| UserId | category | 2 | target-user | The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su," "rlogin," "telnet," etc. |
| UserId | category | 3 | user-privs | Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges. |
| UserId | category | 4 | current-group | The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id, in general. |
| UserId | category | 5 | group-privs | Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list." |
| UserId | category | 6 | other-privs | Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions. |
| File | category | 0 | current | The file information is from after the reported change |
| File | category | 1 | original | The file information is from before the reported change |
| File | fstype | 0 | ufs | Berkeley UNIX Fast File System |
| File | fstype | 1 | efs | Linux "efs" file system |
| File | fstype | 2 | nfs | Network File System |
| File | fstype | 3 | afs | Andrew File System |
| File | fstype | 4 | ntfs | Windows NT File System |
| File | fstype | 5 | fat16 | 16-bit Windows FAT File System |
| File | fstype | 6 | fat32 | 32-bit Windows FAT File System |
| File | fstype | 7 | pcfs | "PC" (MS-DOS) file system on CD-ROM |
| File | fstype | 8 | joliet | Joliet CD-ROM file system |
| File | fstype | 9 | iso9660 | ISO 9660 CD-ROM file system |
| FileAccess | permission | 0 | noAccess | No access at all is allowed for this user |
| FileAccess | permission | 1 | read | This user has read access to the file |
| FileAccess | permission | 2 | write | This user has write access to the file |
| FileAccess | permission | 3 | execute | This user has the ability to execute the file |
| FileAccess | permission | 4 | search | This user has the ability to search this file (applies to "execute" permission on directories in UNIX) |
| FileAccess | permission | 5 | delete | This user has the ability to delete this file |
| FileAccess | permission | 6 | executeAs | This user has the ability to execute this file as another user |
| FileAccess | permission | 7 | changePermissions | This user has the ability to change the access permissions on this file |
| FileAccess | permission | 8 | takeOwnership | This user has the ability to take ownership of this file |
| Linkage | category | 0 | hard-link | The `<name>` element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others. |
| Linkage | category | 1 | mount-point | An alias for the directory specified by the parent's `<name>` and `<path>` elements. |
| Linkage | category | 2 | reparse-point | Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points. |
| Linkage | category | 3 | shortcut | The file represented by a Windows "shortcut." A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager. |
| Linkage | category | 4 | stream | An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main `<File>`. |
| Linkage | category | 5 | symbolic-link | The `<name>` element represents the file to which the link points. |
| Checksum | algorithm | 0 | MD4 | The MD4 algorithm. |
| Checksum | algorithm | 1 | MD5 | The MD5 algorithm. |
| Checksum | algorithm | 2 | SHA1 | The SHA1 algorithm. |
| Checksum | algorithm | 3 | SHA2-256 | The SHA2 algorithm with a 256-bit length. |
| Checksum | algorithm | 4 | SHA2-384 | The SHA2 algorithm with a 384-bit length. |
| Checksum | algorithm | 5 | SHA2-512 | The SHA2 algorithm with a 512-bit length. |
| Checksum | algorithm | 6 | CRC-32 | The CRC algorithm with a 32-bit length. |
| Checksum | algorithm | 7 | Haval | The Haval algorithm. |
| Checksum | algorithm | 8 | Tiger | The Tiger algorithm. |
| Checksum | algorithm | 9 | Gost | The Gost algorithm. |