The Cover PagesThe OASIS Cover Pages: The Online Resource for Markup Language Technologies
SEARCH | ABOUT | INDEX | NEWS | CORE STANDARDS | TECHNOLOGY REPORTS | EVENTS | LIBRARY
SEARCH
Advanced Search
ABOUT
Site Map
CP RSS Channel
Contact Us
Sponsoring CP
About Our Sponsors
NEWS
Cover Stories
Articles & Papers
Press Releases
CORE STANDARDS
XML
SGML
Schemas
XSL/XSLT/XPath
XLink
XML Query
CSS
SVG
TECHNOLOGY REPORTS
XML Applications
General Apps
Government Apps
Academic Apps
EVENTS
LIBRARY
Introductions
FAQs
Bibliography
Technology and Society
Semantics
Tech Topics
Software
Related Standards
Historic
Last modified: November 02, 2004
Intrusion Detection Message Exchange Format

[January 15, 2001] "The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. The goals and requirements of the IDMEF are described in 'Intrusion Detection Message Exchange Requirements' (draft-ietf-idwg-requirements-02.txt). This Internet-Draft describes a proposed implementation of the data format component of the IDMEF, using the Extensible Markup Language (XML) to represent the class hierarchy defined by Debar, Huang and Donahoo. The rationale for choosing XML is explained, a Document Type Definition (DTD) is developed, and examples are provided. An earlier version of this implementation was reviewed, along with other proposed implementations, by the IDWG at its September, 1999 and February, 2000 meetings. At the February meeting, it was decided that the XML solution was best at fulfilling the IDWG requirements. The rationale for this decision is presented in Mansfield, Glenn and David A. Curry, 'Intrusion Detection Message Exchange Format: Comparison of SMI and XML Implementations,' (draft-ietf-idwg-xmlsmi-00.txt)..." [from the IETF draft abstract]

"Rationale for Implementing IDMEF in XML: XML-based applications are being used or developed for a wide variety of uses, including electronic data interchange in a variety of fields, financial data interchange, electronic business cards, calendar and scheduling, enterprise software distribution, web 'push' technology, and markup languages for chemistry, mathematics, music, molecular dynamics, astronomy, book and periodical publishing, web publishing, weather observations, real estate transactions, and many others. XML's flexibility makes it a good choice for these applications; that same flexibility makes it a good choice for implementing the IDMEF as well. Other, more specific reasons for choosing XML to implement the IDMEF are: (1) XML allows a custom language to be developed specifically for the purpose of describing intrusion detection alerts. It also defines a standard way to extend this language, either for later revisions of this document ('standard' extensions), or for vendor-specific use ('non-standard' extensions). (2) Software tools for processing XML documents are widely available, in both commercial and open source forms. A variety of tools and APIs for parsing and/or validating XML are available in a variety of languages, including Java, C, C++, Tcl, Perl, Python, and GNU Emacs Lisp. Widespread access to tools will make adoption of the IDMEF by product developers easier, and hopefully, faster. (3) XML meets IDMEF Requirement 5.1, that message formats support full internationalization and localization. The XML standard specifies support for both the UTF-8 and UTF-16 encodings of ISO 10646 (Unicode), making IDMEF compatible with both one- and two-byte character sets. XML also provides support for specifying, on a per-element basis, the language in which the element's content is written, making IDMEF easy to adapt to 'Natural Language Support' versions of a product. (4) XML meets IDMEF Requirement 5.2, that message formats must support filtering and aggregation. XML's integration with XSL, a style language, allows messages to be combined, discarded, and rearranged. (5) Ongoing XML development projects, in the W3C and elsewhere, will provide object-oriented extensions, database support, and other useful features. If implemented in XML, the IDMEF immediately gains these features as well. (6) XML is free, with no license, no license fees, and no royalties..."

Intrusion Detection Exchange Format - WG Charter. "Security incidents are becoming more common and more serious, and intrusion detection systems are becoming of increasing commercial importance. Numerous intrusion detection systems are important in the market and different sites will select different vendors. Since incidents are often distributed over multiple sites, it is likely that different aspects of a single incident will be visible to different systems. Thus it would be advantageous for diverse intrusion detection systems to be able to share data on attacks in progress. The purpose of the Intrusion Detection Working Group is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems which may need to interact with them. The Intrusion Detection Working Group will coordinate its efforts with other IETF Working Groups. The outputs of this working group will be: 1. A requirements document, which describes the high-level functional requirements for communication between intrusion detection systems and requirements for communication between intrusion detection systems and with management systems, including the rationale for those requirements. Scenarios will be used to illustrate the requirements. 2. A common intrusion language specification, which describes data formats that satisfy the requirements. 3. A framework document, which identifies existing protocols best used for communication between intrusion detection systems, and describes how the devised data formats relate to them."

References:

  • IETF Intrusion Detection Exchange Format [idwg] Working Group

  • See also "Incident Object Description and Exchange Format (IODEF)"

  • See also: "Application Security Standards."

  • "The Intrusion Detection Message Exchange Format." IETF Intrusion Detection Exchange Format Working Group. Internet Draft. Reference: 'draft-ietf-idwg-idmef-xml-12'. July 8, 2004.

  • [February 11, 2004] "Intrusion Detection Exchange Format." By David A. Curry (Merrill Lynch & Co), Herve Debar (France Telecom R & D), and Benjamin S. Feinstein (Trusted Network Technologies, Inc). IETF Internet Draft. Reference: 'draft-ietf-idwg-idmef-xml-11'. January 8, 2004, expires July 8, 2004. 152 pages. [IETF source URL]

  • [February 11, 2004] "XML Schema Definition for IDMEF Message." By Kohei OHTA (Cyber Solutions Inc). IETF Network Working Group, Internet Draft. Reference: 'draft-kohei-idmef-schema-00.txt'. February 09, 2004; expires August 9, 2004. 33 pages. Prepared for consideration by the IETF Intrusion Detection Exchange Format Working Group. "The purpose of this document is to define a message format of IDMEF in XML Schema. The Intrusion Detection Message Exchange Format is formally defined in an XML DTD. The data model and basic definitions are specified according to the original definition in the DTD format. In the original definition in the DTD, urn:iana:xml:ns:idmef is used as the namespace and defined as attribute. In this definition in XML Schema, we use urn:ietf:params:xml:ns:idmef as the namespace according to the document The IETF XML Registry..." From the main IDMEF spec: "The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes a data model to represent information exported by intrusion detection systems, and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided." [IETF source URL]

  • [January 30, 2003] "Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition." By D. Curry (Merrill Lynch) and H. Debar (France Telecom). IETF Intrusion Detection Working Group. Reference: 'draft-ietf-idwg-idmef-xml-10.txt'. January 30, 2003, expires July 31, 2003. 120 pages. "The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes a data model to represent information exported by intrusion detection systems, and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided..."

  • [November 8, 2002] "Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition." By David A. Curry (Merrill Lynch & Co.) and Herve Debar (France Telecom R & D). IETF Intrusion Detection Working Group. Reference: draft-ietf-idwg-idmef-xml-09.txt. November 8, 2002, expires May 7, 2003. [cache]

  • [December 5, 2002] "The TUNNEL Profile." By Darren New. IETF Network Working Group Internet-Draft. Reference: 'draft-ietf-idwg-beep-tunnel-05'. December 5, 2002, expires June 5, 2003. Section 3 "Message Syntax" provides the XML DTD for the TUNNEL Profile. "This memo describes a BEEP profile that allows a BEEP peer to serve as an application-layer proxy. It allows authorized users to access services through a firewall." [cache]

  • [October 22, 2002] "The Intrusion Detection Exchange Protocol (IDXP)." By Benjamin S. Feinstein (CipherTrust, Inc), Gregory A. Matthews (CSC/NASA Ames Research Center), and John C. C. White (MITRE Corporation). IEFT Internet-Draft, Intrusion Detection Exchange Format. Reference: 'draft-ietf-idwg-beep-idxp-07'. October 22, 2002, expires April 22, 2003. Section 9 provides the XML DTDs: 9.1 The IDXP DTD, 9.2 The channelPriority Option DTD, 9.3 The streamType DTD. "This memo describes the Intrusion Detection Exchange Protocol (IDXP), an application-level protocol for exchanging data between intrusion detection entities. IDXP supports mutual-authentication, integrity, and confidentiality over a connection-oriented protocol. The protocol provides for the exchange of IDMEF messages, unstructured text, and binary data. The IDMEF message elements are described in the Intrusion Detection Message Exchange Format (IDMEF), a companion document of the Intrusion Detection Exchange Format (IDWG)." [cache]

  • [October 22, 2002] Intrusion Detection Message Exchange Requirements. Reference: 'draft-ietf-idwg-requirements-10'. October 22, 2002, expires April 22, 2003. "The purpose of the Intrusion Detection Exchange Format Working Group (IDWG) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes the high-level requirements for such a communication mechanism, including the rationale for those requirements where clarification is needed. Scenarios are used to illustrate some requirements."

  • IDMEF XML DTD [from 2000-07 draft]

  • [January 13, 2001] "Intrusion Detection Message Exchange Format. Extensible Markup Language (XML) Document Type Definition." Intrusion Detection Working Group. IETF Internet Draft 'draft-ietf-idwg-idmef-xml-01.txt'. By David A. Curry (Internet Security Systems, Inc.). 2000-07. [cache]

  • [January 13, 2001] IDMEF Data Model and XML DTD." Provisional 'draft-ietf-idwg-idmef-xml-02.txt'. By D. Curry, H. Debar, M. Huang. December 05, 2000. 86 pages. [This provisional version "is (under version -02 of the XML draft) an attempt to merge the data model and the XML representation, to avoid divergences between the two.'] "The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems that may need to interact with them. The goals and requirements of the IDMEF are described in [req document]. This Internet-Draft describes a proposed data model to represent the information exported by the intrusion-detection systems, including the rationale for this model, and a proposed implementation of this data model, using the Extensible Markup Language (XML). The rationale for choosing XML is explained, a Document Type Definition (DTD) is developed, and examples are provided. An earlier version of this implementation was reviewed, along with other proposed implementations, by the IDWG at its September 1999 and February 2000 meetings. At the February meeting, it was decided that the XML solution was best at fulfilling the IDWG requirements." Extracted from http://www.semper.org/idwg-public/0247.html.

  • [January 13, 2001] IDMEF Proposed changes 2001-01-03. "The following is a list of changes that are being made to the IDMEF Data Model and/or the IDMEF XML DTD, or to the Internet-Draft that describes them, following the San Diego IETF/IDWG meetings."

  • [January 13, 2001] "Intrusion Detection Exchange Format Data Model." Internet Engineering Task Force, Internet Draft draft-ietf-idwg-data-model-03.txt. By Herve Debar, Ming-Yuh Huang, and David J. Donahoo. "The purpose of the Intrusion Detection Exchange Format is to define data formats and exchange procedures for sharing information of interest with intrusion detection and response systems, and with the management sys- tems that may need to interact with them. This Internet-Draft describes a proposed data model to represent the information exported by the intrusion-detection systems, including the rationale for this model. This information is herein refered to as 'Alert'..." [cache]

  • [January 13, 2001] "Intrusion Detection Message Exchange Format. Comparison of SMI and XML Implementations." Intrusion Detection Working Group. IETF Draft 'draft-ietf-idwg-xmlsmi-01.txt." By Glenn Mansfield (Cyber Solutions, Inc.) and David A. Curry (Internet Security Systems). "The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. Two implementations of the IDMEF data format have been proposed: one using the Structure of Management Information (SMI) to describe a MIB, and the other using a Document Type Definition (DTD) to describe XML documents. Both representations appear to have their good and bad traits, and deciding between them is difficult. To arrive at an informed decision, the working group tasked the authors to identify and analyze the pros and cons of both approaches, and to present the results in the form of an Internet-Draft. The initial version of this draft was reviewed by the IDWG at the February, 2000 interim meeting where it was tentatively decided that the XML/DTD solution was best at fulfilling the IDWG requirements. This decision was finalized at the March, 2000 IETF IDWG meeting." [cache]

  • [January 13, 2001] "Intrusion Detection Message Exchange Requirements." Intrusion Detection Exchange Format Working Group . Internet Engineering Task Force, Internet Draft 'draft-ietf-idwg-requirements-04.txt'. By Mark Wood (Internet Security Systems, Inc.). " The purpose of the Intrusion Detection Exchange Format is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them. This Internet-Draft describes the high-level requirements for such communication, including the rationale for those requirements where clarification is needed. Scenarios are used to illustrate the requirements." [cache]

  • IAP: Intrusion Alert Protocol Internet Engineering Task Force. IDWG Internet Draft 'draft-ietf-idwg-iap-03.txt' "Intrusion Alert Protocol (IAP) is an application--level protocol for exchanging intrusion alert data between intrusion detection elements, notably sensor/analyzers and managers across IP networks. The protocol's design is compatible with the goals for the HyperText Transfer Protocol (HTTP). The specification of alerts carried using this protocol is described in a companion document of the intrusion detection working group of the IETF."

  • IDMEF Extension for Incident Object Description and Exchange Format. Alignment issues: IDMEF and IODEF. See below on Incident Object Description and Exchange Format (IODEF). [cache]

  • Incident Object Description and Exchange Format." IETF INTERNET DRAFT 'draft-terena-itdwg-iodef-requirements-00.txt'. By Jimmy Arvidsson, Andrew Cormack, Yuri Demchenko, and Jan Meijer. November 15, 2000. "The purpose of the Incident object Description and Exchange Format is to define a common data format for the description, archiving and exchange of information about incidents between CSIRTs (including alert, incident in investigation, archiving, statistics, reporting, etc.). This document describes the high-level requirements for such a description and exchange format, including the reasons for those requirements. Examples are used to illustrate the requirements where necessary... This document defines requirements for the Incident object Description and Exchange Format (IODEF), which is the intended product of the Incident Taxonomy Working Group (ITDWG) at TERENA. IODEF is planned as a standard format which allows CSIRTs to exchange operational and statistical information; it may also provide a basis for the development of compatible and inter-operable tools for Incident recording, tracking and exchange. Another aim is to extend the work of IETF IDWG (currently focused on Intrusion Detection exchange format and communication protocol) to the description of incidents as higher level elements in Network Security. This will involve CSIRTs and their constituency related issues. The IODEF set of documents of which the current document is the first will contain IODEF Data Model and XML DTD specification..." Note that one of the of the Incident Taxonomy and Description Working Group (TF-CSIRT) is an "Incident Object Elements Description and XML Data Type Description (XML DTD)." [cache]

  • TF-CSIRT - CERT and System Security Information
Hosted By
OASIS - Organization for the Advancement of Structured Information Standards

Sponsored By

IBM Corporation
ISIS Papyrus
Microsoft Corporation
Oracle Corporation

Primeton

XML Daily Newslink
Receive daily news updates from Managing Editor, Robin Cover.

 Newsletter Subscription
 Newsletter Archives
Globe Image

Document URI: http://xml.coverpages.org/idmef.html  —  Legal stuff
Robin Cover, Editor: robin@oasis-open.org