Network Working Group                                          H. Debar
Request for Comments: 4765                               France Telecom
Category: Experimental                                         D. Curry
                                                               Guardian
                                                           B. Feinstein
                                                      SecureWorks, Inc.
                                                             March 2007
The Intrusion Detection Message Exchange Format (IDMEF)
Status of This Memo
This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
IESG Note
The content of this RFC was at one time considered by the IETF, but the working group concluded before this work was approved as a standards-track protocol. This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose and in particular notes that the decision to publish is not based on complete IETF review for such things as security, congestion control, or inappropriate interaction with deployed protocols. The IESG has chosen to publish this document in order to document the work as it was when the working group concluded and to encourage experimentation and development of the technology. Readers of this RFC should exercise caution in evaluating its value for implementation and deployment.
Abstract
The purpose of the Intrusion Detection Message Exchange Format (IDMEF) is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems and to the management systems that may need to interact with them.
This document describes a data model to represent information exported by intrusion detection systems and explains the rationale for using this model. An implementation of the data model in the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided.
Table of Contents
1. Introduction
   1.1. About the IDMEF Data Model
        1.1.1. Problems Addressed by the Data Model
        1.1.2. Data Model Design Goals
   1.2. About the IDMEF XML Implementation
        1.2.1. The Extensible Markup Language
        1.2.2. Rationale for Implementing IDMEF in XML
2. Notices and Conventions Used in This Document
3. Notational Conventions and Formatting Issues
   3.1. IDMEF XML Documents
        3.1.1. The Document Prolog
        3.1.2. Character Data Processing in IDMEF
        3.1.3. Languages in IDMEF
   3.2. IDMEF Data Types
        3.2.1. Integers
        3.2.2. Real Numbers
        3.2.3. Characters and Strings
        3.2.4. Bytes
        3.2.5. Enumerated Types
        3.2.6. Date-Time Strings
        3.2.7. NTP Timestamps
        3.2.8. Port Lists
        3.2.9. Unique Identifiers
4. The IDMEF Data Model and DTD
   4.1. Data Model Overview
   4.2. The Message Classes
        4.2.1. The IDMEF-Message Class
        4.2.2. The Alert Class
        4.2.3. The Heartbeat Class
        4.2.4. The Core Classes
        4.2.5. The Time Classes
        4.2.6. The Assessment Classes
        4.2.7. The Support Classes
5. Extending the IDMEF
   5.1. Extending the Data Model
   5.2. Extending the IDMEF DTD
6. Special Considerations
   6.1. XML Validity and Well-Formedness
   6.2. Unrecognized XML Tags
   6.3. Analyzer-Manager Time Synchronization
   6.4. NTP Timestamp Wrap-Around
   6.5. Digital Signatures
7. Examples
   7.1. Denial-of-Service Attacks
        7.1.1. The "teardrop" Attack
        7.1.2. The "ping of death" Attack
   7.2. Port Scanning Attacks
        7.2.1. Connection to a Disallowed Service
        7.2.2. Simple Port Scanning
   7.3. Local Attacks
        7.3.1. The "loadmodule" Attack
        7.3.2. The "phf" Attack
        7.3.3. File Modification
   7.4. System Policy Violation
   7.5. Correlated Alerts
   7.6. Analyzer Assessments
   7.7. Heartbeat
   7.8. XML Extension
8. The IDMEF Document Type Definition (Normative)
9. Security Considerations
10. IANA Considerations
   10.1. Adding Values to Existing Attributes
        10.1.1. Attribute Registrations
        10.1.2. Registration Template
   10.2. Adding New Attributes and Classes
11. References
   11.1. Normative References
   11.2. Informative References
Appendix A. Acknowledgements
Appendix B. The IDMEF Schema Definition (Non-normative)
1. Introduction

The Intrusion Detection Message Exchange Format (IDMEF) [2] is intended to be a standard data format that automated intrusion detection systems can use to report alerts about events that they deem suspicious. The development of this standard format will enable interoperability among commercial, open source, and research systems, allowing users to mix-and-match the deployment of these systems according to their strong and weak points to obtain an optimal implementation.
The most obvious place to implement the IDMEF is in the data channel between an intrusion detection analyzer (or "sensor") and the manager (or "console") to which it sends alarms. But there are other places where the IDMEF can be useful:
o a single database system that could store the results from a variety of intrusion detection products would make it possible for data analysis and reporting activities to be performed on "the whole picture" instead of just a part of it;
o an event correlation system that could accept alerts from a variety of intrusion detection products would be capable of performing more sophisticated cross-correlation and cross-confirmation calculations than one that is limited to a single product;
o a graphical user interface that could display alerts from a variety of intrusion detection products would enable the user to monitor all of the products from a single screen, and require him or her to learn only one interface, instead of several; and
o a common data exchange format would make it easier for different organizations (users, vendors, response teams, law enforcement) to not only exchange data, but also communicate about it.
The diversity of uses for the IDMEF needs to be considered when selecting its method of implementation.
1.1. About the IDMEF Data Model

The IDMEF data model is an object-oriented representation of the alert data sent to intrusion detection managers by intrusion detection analyzers.
1.1.1. Problems Addressed by the Data Model

The data model addresses several problems associated with representing intrusion detection alert data:
o Alert information is inherently heterogeneous. Some alerts are defined with very little information, such as origin, destination, name, and time of the event. Other alerts provide much more information, such as ports or services, processes, user information, and so on. The data model that represents this information must be flexible to accommodate different needs.
An object-oriented model is naturally extensible via aggregation and subclassing. If an implementation of the data model extends it with new classes, either by aggregation or subclassing, an implementation that does not understand these extensions will still be able to understand the subset of information that is defined by the data model. Subclassing and aggregation provide extensibility while preserving the consistency of the model.
o Intrusion detection environments are different. Some analyzers detect attacks by analyzing network traffic; others use operating system logs or application audit trail information. Alerts for the same attack, sent by analyzers with different information sources, will not contain the same information.
The data model defines support classes that accommodate the differences in data sources among analyzers. In particular, the notions of source and target for the alert are represented by the combination of Node, Process, Service, and User classes.
o Analyzer capabilities are different. Depending on the environment, one may install a lightweight analyzer that provides little information in its alerts, or a more complex analyzer that will have a greater impact on the running system but provide more detailed alert information. The data model must allow for conversion to formats used by tools other than intrusion detection analyzers, for the purpose of further processing the alert information.
The data model defines extensions to the basic Document Type Definition (DTD) that allow carrying both simple and complex alerts. Extensions are accomplished through subclassing or association of new classes.
o Operating environments are different. Depending on the kind of network or operating system used, attacks will be observed and reported with different characteristics. The data model should accommodate these differences.
Significant flexibility in reporting is provided by the Node and Service support classes. If additional information must be reported, subclasses may be defined that extend the data model with additional attributes.
o Commercial vendor objectives are different. For various reasons, vendors may wish to deliver more or less information about certain types of attacks.
The object-oriented approach allows this flexibility while the subclassing rules preserve the integrity of the model.
1.1.2. Data Model Design Goals

The data model was designed to provide a standard representation of alerts in an unambiguous fashion, and to permit the relationship between simple and complex alerts to be described.
The goal of the data model is to provide a standard representation of the information that an intrusion detection analyzer reports when it detects an occurrence of some unusual event(s). These alerts may be simple or complex, depending on the capabilities of the analyzer that creates them.
The design of the data model is content-driven. This means that new objects are introduced to accommodate additional content, not semantic differences between alerts. This is an important goal, as the task of classifying and naming computer vulnerabilities is both extremely difficult and very subjective.
The data model must be unambiguous. This means that while we allow analyzers to be more or less precise than one another (i.e., one analyzer may report more information about an event than another), we do not allow them to produce contradictory information in two alerts describing the same event (i.e., the common subset of information reported by both analyzers must be identical and inserted in the same placeholders within the alert data structure). Of course, it is always possible to insert all "interesting" information about an event in extension fields of the alert instead of in the fields where it belongs; however, such practice reduces interoperability and should be avoided whenever possible.
Intrusion detection alerts can be transmitted at several levels. This document applies to the entire range, from very simple alerts (e.g., those alerts that are the result of a single action or operation in the system, such as a failed login report) to very complex ones (e.g., the aggregation of several events causing an alert to be generated).
As such, the data model must provide a way for complex alerts that aggregate several simple alerts to identify those simple alerts in the complex alert's content.
1.2. About the IDMEF XML Implementation

Two implementations of the IDMEF were originally proposed to the Intrusion Detection Working Group (IDWG): one using the Structure of Management Information (SMI) to describe a Simple Network Management Protocol (SNMP) MIB, and the other using a DTD to describe XML documents.
These proposed implementations were reviewed by the IDWG at its September 1999 and February 2000 meetings; it was decided at the February meeting that the XML solution was best at fulfilling the IDWG requirements.
1.2.1. The Extensible Markup Language

The Extensible Markup Language (XML) [3] is a simplified version of the Standard Generalized Markup Language (SGML), a syntax for specifying text markup defined by the ISO 8879 standard. XML is gaining widespread attention as a language for representing and exchanging documents and data on the Internet, and as the solution to most of the problems inherent in HyperText Markup Language (HTML). XML was published as a recommendation by the World Wide Web Consortium (W3C) on February 10, 1998.
XML is a metalanguage -- a language for describing other languages -- that enables an application to define its own markup. XML allows the definition of customized markup languages for different types of documents and different applications. This differs from HTML, in which there is a fixed set of identifiers with preset meanings that must be "adapted" for specialized uses. Both XML and HTML use elements (tags) (identifiers delimited by '<' and '>') and attributes (of the form "name='value'"). But where "<p>" always means "paragraph" in HTML, it may mean "paragraph", "person", "price", or "platypus" in XML, or it might have no meaning at all, depending on the particular application.
NOTE: XML provides both a syntax for declaring document markup and structure (i.e., defining elements and attributes, specifying the order in which they appear, and so on) and a syntax for using that markup in documents. Because markup declarations look radically different from markup, many people are confused as to which syntax is called XML. The answer is that they both are, because they are actually both part of the same language.
For clarity in this document, we will use the terms "XML" and "XML documents" when speaking in the general case, and the term "IDMEF markup" when speaking specifically of the elements (tags) and attributes that describe IDMEF messages.
The publication of XML was followed by the publication of a second recommendation [4] by the World Wide Web Consortium, defining the use of namespaces in XML documents. An XML namespace is a collection of names, identified by a Uniform Resource Identifier (URI) [5]. When using namespaces, each tag is identified with the namespace it comes from, allowing tags from different namespaces with the same names to occur in the same document. For example, a single document could contain both "usa:football" and "europe:football" tags, each with different meanings.
In anticipation of the widespread use of XML namespaces, this memo includes the definition of the URI to be used to identify the IDMEF namespace.
1.2.2. Rationale for Implementing IDMEF in XML

XML-based applications are being used or developed for a wide variety of purposes, including electronic data interchange in a variety of fields, financial data interchange, electronic business cards, calendar and scheduling, enterprise software distribution, web "push" technology, and markup languages for chemistry, mathematics, music, molecular dynamics, astronomy, book and periodical publishing, web publishing, weather observations, real estate transactions, and many others.
XML's flexibility makes it a good choice for these applications; that same flexibility makes it a good choice for implementing the IDMEF as well. Other, more specific reasons for choosing XML to implement the IDMEF are:
o XML allows a custom language to be developed specifically for the purpose of describing intrusion detection alerts. It also defines a standard way to extend this language, either for later revisions of this document ("standard" extensions) or for vendor-specific use ("non-standard" extensions).
o Software tools for processing XML documents are widely available, in both commercial and open source forms. Numerous tools and APIs for parsing and/or validating XML are available in a variety of languages, including Java, C, C++, Tcl, Perl, Python, and GNU Emacs Lisp. Widespread access to tools will make adoption of the IDMEF by product developers easier, and hopefully, faster.
o XML meets IDMEF Requirement 5.1 [2], that message formats support full internationalization and localization. The XML standard requires support for both the UTF-8 and UTF-16 encodings of ISO/ IEC 10646 (Universal Multiple-Octet Coded Character Set, "UCS") and Unicode, making all XML applications (and therefore all IDMEF-compliant applications) compatible with these common character encodings.
XML also provides support for specifying, on a per-element basis, the language in which the element's content is written, making IDMEF easy to adapt to "Natural Language Support" versions of a product.
o XML meets IDMEF Requirement 5.2 [2], that message formats must support filtering and aggregation. XML's integration with XSL, a style language, allows messages to be combined, discarded, and rearranged.
o Ongoing XML development projects, in the W3C and elsewhere, will provide object-oriented extensions, database support, and other useful features. If implemented in XML, the IDMEF immediately gains these features as well.
o XML is free, with no license, no license fees, and no royalties.
2. Notices and Conventions Used in This Document

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].
An "IDMEF-compliant application" is a program or program component, such as an analyzer or manager, that reads and/or writes messages in the format specified by this memo.
An "IDMEF document" is a message that adheres to the requirements specified by this memo and that is exchanged by two or more IDMEF applications. "IDMEF message" is another term for an "IDMEF document".
3. Notational Conventions and Formatting Issues

This document uses three notations: Unified Modeling Language to describe the data model [14], XML to describe the markup used in IDMEF documents, and IDMEF markup to represent the documents themselves.
3.1. IDMEF XML Documents

This section describes IDMEF XML document formatting rules. Most of these rules are "inherited" from the rules for formatting XML documents.
3.1.1. The Document Prolog

The format of an IDMEF XML document prolog is described in the following sections.
IDMEF documents being exchanged between IDMEF-compliant applications MUST begin with an XML declaration, and MUST specify the XML version in use. Specification of the encoding in use is RECOMMENDED.
An IDMEF message SHOULD therefore start with:
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef"/>
IDMEF-compliant applications MAY choose to omit the XML declaration internally to conserve space, adding it only when the message is sent to another destination (e.g., a web browser). This practice is NOT RECOMMENDED unless it can be accomplished without loss of each message's version and encoding information.
In order to be valid (see Section 6.1), an XML document must contain a document type definition. However, this represents significant overhead to an IDMEF-compliant application, both in the bandwidth it consumes as well as the requirements it places on the XML processor (not only to parse the declaration itself, but also to parse the DTD it references).
Implementors MAY decide, therefore, to have analyzers and managers agree out-of-band on the particular document type definition they will be using to exchange messages (the standard one as defined here, or one with extensions), and then omit the document type definition from IDMEF messages. The method for negotiating this agreement is outside the scope of this document. Note that great care must be taken in negotiating any such agreements, as the manager may have to accept messages from many different analyzers, each using a DTD with a different set of extensions.
3.1.2. Character Data Processing in IDMEF

For portability reasons, IDMEF-compliant applications SHOULD NOT use, and IDMEF messages SHOULD NOT be encoded in, character encodings other than UTF-8 and UTF-16. Consistent with the XML standard, if no encoding is specified for an IDMEF message, UTF-8 is assumed.
NOTE: The ASCII character set is a subset of the UTF-8 encoding, and therefore may be used to encode IDMEF messages.
Per the XML standard, IDMEF documents encoded in UTF-16 MUST begin with the Byte Order Mark described by ISO/IEC 10646 Annex E and Unicode Appendix B (the "ZERO WIDTH NO-BREAK SPACE" character, #xFEFF).
It is RECOMMENDED that IDMEF-compliant applications use the entity reference form (see Section 3.2.3.1) of the characters '&', '<', '>', '"', and ''' (single-quote) whenever writing these characters in data, to avoid any possibility of misinterpretation.
All IDMEF elements MUST support the "xml:space" attribute.
所有IDMEF元素都必须支持“xml:space”属性。
IDMEF-compliant applications MUST specify the language in which their contents are encoded; in general this can be done by specifying the "xml:lang" attribute for the top-level element and letting all other elements "inherit" that definition [10].
符合IDMEF的应用程序必须指定其内容的编码语言;通常,这可以通过为顶级元素指定“xml:lang”属性并让所有其他元素“继承”该定义来实现[10]。
Within an XML IDMEF message, all data will be expressed as "text" (as opposed to "binary"), since XML is a text formatting language. We provide typing information for the attributes of the classes in the data model, however, to convey to the reader the type of data that the model expects for each attribute.
在XMLIDMEF消息中,所有数据都将表示为“文本”(而不是“二进制”),因为XML是一种文本格式语言。但是,我们为数据模型中的类的属性提供类型信息,以便向读者传达模型对每个属性所期望的数据类型。
Each data type in the model has specific formatting requirements in an XML IDMEF message; these requirements are set forth in this section.
模型中的每个数据类型在XML IDMEF消息中都有特定的格式要求;本节规定了这些要求。
Integer attributes are represented by the INTEGER data type. Integer data MUST be encoded in Base 10 or Base 16.
整数属性由整数数据类型表示。整数数据必须以10或16为基数进行编码。
Base 10 integer encoding uses the digits '0' through '9' and an optional sign ('+' or '-'). For example, "123", "-456".
基10整数编码使用数字“0”到“9”以及可选符号(“+”或“-”)。例如,“123”、“-456”。
Base 16 integer encoding uses the digits '0' through '9' and 'a' through 'f' (or their uppercase equivalents), and is preceded by the characters "0x". For example, "0x1a2b".
基16整数编码使用数字“0”到“9”和“a”到“f”(或其大写等效形式),前面是字符“0x”。例如,“0x1a2b”。
Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10.
实数(浮点)属性由实数数据类型表示。实际数据必须以10为基数进行编码。
Real encoding is that of the POSIX 1003.1 "strtod" library function: an optional sign ('+' or '-') followed by a non-empty string of decimal digits, optionally containing a radix character, then an optional exponent part. An exponent part consists of an 'e' or 'E', followed by an optional sign, followed by one or more decimal digits. For example, "123.45e02", "-567,89e-03".
实编码是POSIX 1003.1“strtod”库函数的编码:可选符号(“+”或“-”)后跟十进制数字的非空字符串,可选包含基数字符,然后是可选的指数部分。指数部分由“e”或“e”组成,后跟可选符号,后跟一个或多个十进制数字。例如,“123.45e02”、“-567,89e-03”。
IDMEF-compliant applications MUST support both the '.' and ',' radix characters.
符合IDMEF的应用程序必须同时支持“.”和“,”基数字符。
Single-character attributes are represented by the CHARACTER data type. Multi-character attributes of known length are represented by the STRING data type.
Character and string data have no special formatting requirements, other than the need to occasionally use character references (see Section 3.2.3.1 and Section 3.2.3.2) to represent special characters.
Within XML documents, certain characters have special meanings in some contexts. To include the actual character itself in one of these contexts, a special escape sequence, called an entity reference, must be used.
The characters that sometimes need to be escaped, and their entity references, are:
   +-----------+------------------+
   | Character | Entity Reference |
   +-----------+------------------+
   |     &     |      &amp;       |
   |           |                  |
   |     <     |      &lt;        |
   |           |                  |
   |     >     |      &gt;        |
   |           |                  |
   |     "     |      &quot;      |
   |           |                  |
   |     '     |      &apos;      |
   +-----------+------------------+
Any character defined by the ISO/IEC 10646 and Unicode standards may be included in an XML document by the use of a character reference. A character reference is started with the characters '&' and '#', and ended with the character ';'. Between these characters, the character code for the character is inserted.
If the character code is preceded by an 'x' it is interpreted in hexadecimal (base 16); otherwise, it is interpreted in decimal (base 10). For instance, the ampersand (&) is encoded as &#38; or &#x26; and the less-than sign (<) is encoded as &#60; or &#x3C;.
Any one-, two-, or four-byte character specified in the ISO/IEC 10646 and Unicode standards can be included in a document using this technique.
Binary data is represented by the BYTE (and BYTE[]) data type.
Binary data MUST be encoded in its entirety using base64.
Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values.
Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported.
Date-time strings are formatted according to a subset of ISO 8601:2000 [6], as shown below. Section references in parentheses refer to sections of the ISO 8601:2000 standard [6].
1. Dates MUST be formatted as follows:
   YYYY-MM-DD
where YYYY is the four-digit year, MM is the two-digit month (01-12), and DD is the two-digit day (01-31). (Section 5.2.1.1, "Complete representation -- Extended format".)
2. Times MUST be formatted as follows:
   hh:mm:ss
where hh is the two-digit hour (00-24), mm is the two-digit minute (00-59), and ss is the two-digit second (00-60). (Section 5.3.1.1, "Complete representation -- Extended format".)
Note that midnight has two representations, 00:00:00 and 24:00:00. Both representations MUST be supported by IDMEF-compliant applications; however, the 00:00:00 representation SHOULD be used whenever possible.
Note also that this format accounts for leap seconds. Positive leap seconds are inserted between 23:59:59Z and 24:00:00Z and are represented as 23:59:60Z. Negative leap seconds are achieved by the omission of 23:59:59Z. IDMEF-compliant applications MUST support leap seconds.
3. Times MAY be formatted to include a decimal fraction of seconds, as follows:
   hh:mm:ss.ss or hh:mm:ss,ss
As many digits as necessary may follow the decimal sign (at least one digit must follow the decimal sign). Decimal fractions of hours and minutes are not supported. (Section 5.3.1.3, "Representation of decimal fractions".)
IDMEF-compliant applications MUST support the use of both decimal signs ('.' and ',').
Note that the number of digits in the fraction part does not imply anything about accuracy -- i.e., "00.100000", "00,1000", and "00.1" are all equivalent.
4. Times MUST be formatted to include (a) an indication that the time is in Coordinated Universal Time (UTC) or (b) an indication of the difference between the specified time and Coordinated Universal Time.
* Times in UTC MUST be formatted by appending the letter 'Z' to the time string as follows:
   hh:mm:ssZ
   hh:mm:ss.ssZ
   hh:mm:ss,ssZ
(Section 5.3.3, "Coordinated Universal Time (UTC) -- Extended format".)
* If the time is ahead of or equal to UTC, a '+' sign is appended to the time string; if the time is behind UTC, a '-' sign is appended. Following the sign, the number of hours and minutes representing the difference from UTC is appended, as follows:
   hh:mm:ss+hh:mm
   hh:mm:ss-hh:mm
   hh:mm:ss.ss+hh:mm
   hh:mm:ss.ss-hh:mm
   hh:mm:ss,ss+hh:mm
   hh:mm:ss,ss-hh:mm
The difference from UTC MUST be specified in both hours and minutes, even if the minutes component is 0. A "difference" of "+00:00" is equivalent to UTC. (Section 5.3.4.2, "Local time and the difference with Coordinated Universal Time -- Extended Format".)
5. Date-time strings are created by joining the date and time strings with the letter 'T', as shown below:
   YYYY-MM-DDThh:mm:ssZ
   YYYY-MM-DDThh:mm:ss.ssZ
   YYYY-MM-DDThh:mm:ss,ssZ
   YYYY-MM-DDThh:mm:ss+hh:mm
   YYYY-MM-DDThh:mm:ss-hh:mm
   YYYY-MM-DDThh:mm:ss.ss+hh:mm
   YYYY-MM-DDThh:mm:ss.ss-hh:mm
   YYYY-MM-DDThh:mm:ss,ss+hh:mm
   YYYY-MM-DDThh:mm:ss,ss-hh:mm
(Section 5.4.1, "Complete representation -- Extended format".)
In summary, IDMEF date-time strings MUST adhere to one of the nine templates identified in Paragraph 5, above.
NTP timestamps are represented by the NTPSTAMP data type and are described in detail in [7] and [8]. An NTP timestamp is a 64-bit unsigned fixed-point number. The integer part is in the first 32 bits, and the fraction part is in the last 32 bits.
Within IDMEF messages, NTP timestamps MUST be encoded as two 32-bit hexadecimal values, separated by a period ('.'). For example, "0x12345678.0x87654321".
See also Section 6.4 for more information on NTP timestamps.
Port lists are represented by the PORTLIST data type and consist of a comma-separated list of numbers (individual integers) and ranges (N-M means ports N through M, inclusive). Any combination of numbers and ranges may be used in a single list. For example, "5-25,37,42,43,53,69-119,123-514".
There are two types of unique identifiers used in this specification. Both types are represented by STRING data types.
These identifiers are implemented as attributes on the relevant XML elements, and they must have unique values as follows:
1. The Analyzer class' (Section 4.2.4.1) "analyzerid" attribute, if specified, MUST have a value that is unique across all analyzers in the intrusion detection environment.
The "analyzerid" attribute is not required to be globally unique, only unique within the intrusion detection environment of which the analyzer is a member. It is permissible for two analyzers, in different intrusion detection environments, to have the same value for "analyzerid".
The default value is "0", which indicates that the analyzer cannot generate unique identifiers.
2. The Alert and Heartbeat messages (Sections 4.2.2, 4.2.3) must be uniquely identified by the couple (analyzerid,messageid), if the analyzer supports the generation of message identifiers.
3. The Classification, Source, Target, Node, User, Process, Service, File, Address, and UserId classes' (Sections 4.2.4.2, 4.2.4.3, 4.2.4.4, 4.2.7.2, 4.2.7.3, 4.2.7.4, 4.2.7.5, 4.2.7.6, 4.2.7.2.1, and 4.2.7.3.1) "ident" attribute, if specified, MUST have a value that is unique across all messages sent by the individual analyzer.
The "ident" attribute value MUST be unique for each particular combination of data identifying an object, not for each object. Objects may have more than one "ident" value associated with them. For example, an identification of a host by name would have one value, while an identification of that host by address would have another value, and an identification of that host by both name and address would have still another value. Furthermore, different analyzers may produce different values for the same information.
The "ident" attribute by itself provides a unique identifier only among all the "ident" values sent by a particular analyzer. But when combined with the "analyzerid" value for the analyzer, a value that is unique across the intrusion detection environment is created. Again, there is no requirement for global uniqueness.
The default value is "0", which indicates that the analyzer cannot generate unique identifiers.
The specification of methods for creating the unique values contained in these attributes is outside the scope of this document.
In this section, the individual components of the IDMEF data model are explained in detail. Unified Modeling Language (UML) diagrams of the model are provided to show how the components are related to each other, and relevant sections of the IDMEF DTD are presented to show how the model is translated into XML.
The relationship between the principal components of the data model is shown in Figure 1 (occurrence indicators and attributes are omitted).
The top-level class for all IDMEF messages is IDMEF-Message; each type of message is a subclass of this top-level class. There are presently two types of messages defined: Alerts and Heartbeats. Within each message, subclasses of the message class are used to provide the detailed information carried in the message.
It is important to note that the data model does not specify how an alert should be classified or identified. For example, a port scan may be identified by one analyzer as a single attack against multiple targets, while another analyzer might identify it as multiple attacks from a single source. However, once an analyzer has determined the type of alert it plans to send, the data model dictates how that alert should be formatted.
                 +---------------+
                 | IDMEF-Message |
                 +---------------+
                        /_\
                         |
          +--------------+-------------+
          |                            |
   +-------+   +--------------+   +-----------+   +----------------+
   | Alert |<>-|   Analyzer   |   | Heartbeat |<>-|    Analyzer    |
   +-------+   +--------------+   +-----------+   +----------------+
   |       |   +--------------+   |           |   +----------------+
   |       |<>-|  CreateTime  |   |           |<>-|   CreateTime   |
   |       |   +--------------+   |           |   +----------------+
   |       |   +--------------+   |           |   +----------------+
   |       |<>-|  DetectTime  |   |           |<>-| AdditionalData |
   |       |   +--------------+   +-----------+   +----------------+
   |       |   +--------------+
   |       |<>-| AnalyzerTime |
   |       |   +--------------+
   |       |   +--------+   +----------+
   |       |<>-| Source |<>-|   Node   |
   |       |   +--------+   +----------+
   |       |   |        |   +----------+
   |       |   |        |<>-|   User   |
   |       |   |        |   +----------+
   |       |   |        |   +----------+
   |       |   |        |<>-| Process  |
   |       |   |        |   +----------+
   |       |   |        |   +----------+
   |       |   |        |<>-| Service  |
   |       |   +--------+   +----------+
   |       |   +--------+   +----------+
   |       |<>-| Target |<>-|   Node   |
   |       |   +--------+   +----------+
   |       |   |        |   +----------+
   |       |   |        |<>-|   User   |
   |       |   |        |   +----------+
   |       |   |        |   +----------+
   |       |   |        |<>-| Process  |
   |       |   |        |   +----------+
   |       |   |        |   +----------+
   |       |   |        |<>-| Service  |    +----------------+
   |       |   |        |   +----------+ +--| Classification |
   |       |   |        |   +----------+ |  +----------------+
   |       |   |        |<>-|   File   | |  +----------------+
   |       |   +--------+   +----------+ | +|   Assessment   |
   |       |<>---------------------------+ |  +----------------+
   |       |<>-----------------------------+  +----------------+
   |       |<>--------------------------------| AdditionalData |
   +-------+                                  +----------------+
Figure 1: Data Model Overview
The individual classes are described in the following sections.
All IDMEF messages are instances of the IDMEF-Message class; it is the top-level class of the IDMEF data model, as well as the IDMEF DTD. There are currently two types (subclasses) of IDMEF-Message: Alert and Heartbeat.
The IDMEF-Message class has a single attribute:
version
The version of the IDMEF-Message specification (this document) this message conforms to. Applications specifying a value for this attribute MUST specify the value "1.0".
Generally, every time an analyzer detects an event that it has been configured to look for, it sends an Alert message to its manager(s). Depending on the analyzer, an Alert message may correspond to a single detected event or multiple detected events. Alerts occur asynchronously in response to outside events.
An Alert message is composed of several aggregate classes, as shown in Figure 2. The aggregate classes themselves are described in Section 4.2.4, Section 4.2.5, and Section 4.2.6.
   +-------------------+
   |       Alert       |
   +-------------------+            +------------------+
   | STRING messageid  |<>----------|     Analyzer     |
   |                   |            +------------------+
   |                   |            +------------------+
   |                   |<>----------|    CreateTime    |
   |                   |            +------------------+
   |                   |            +------------------+
   |                   |<>----------|  Classification  |
   |                   |            +------------------+
   |                   |       0..1 +------------------+
   |                   |<>----------|    DetectTime    |
   |                   |            +------------------+
   |                   |       0..1 +------------------+
   |                   |<>----------|   AnalyzerTime   |
   |                   |            +------------------+
   |                   |       0..* +------------------+
   |                   |<>----------|      Source      |
   |                   |            +------------------+
   |                   |       0..* +------------------+
   |                   |<>----------|      Target      |
   |                   |            +------------------+
   |                   |       0..1 +------------------+
   |                   |<>----------|    Assessment    |
   |                   |            +------------------+
   |                   |       0..* +------------------+
   |                   |<>----------|  AdditionalData  |
   |                   |            +------------------+
   +-------------------+
            /_\
             |
      +------+-----------+-------------+
      |                  |             |
   +-------------------+ |  +-------------------+
   |     ToolAlert     | |  | CorrelationAlert  |
   +-------------------+ |  +-------------------+
                         |
               +-------------------+
               |   OverflowAlert   |
               +-------------------+
Figure 2: The Alert Class
The aggregate classes that make up Alert are:
Analyzer
Exactly one. Identification information for the analyzer that originated the alert.
CreateTime
Exactly one. The time the alert was created. Of the three times that may be provided with an Alert, this is the only one that is required.
Classification
Exactly one. The "name" of the alert, or other information allowing the manager to determine what it is.
DetectTime
Zero or one. The time the event(s) leading up to the alert was detected. In the case of more than one event, the time the first event was detected. In some circumstances, this may not be the same value as CreateTime.
AnalyzerTime
Zero or one. The current time on the analyzer (see Section 6.3).
Source
Zero or more. The source(s) of the event(s) leading up to the alert.
Target
Zero or more. The target(s) of the event(s) leading up to the alert.
Assessment
Zero or one. Information about the impact of the event, actions taken by the analyzer in response to it, and the analyzer's confidence in its evaluation.
AdditionalData
Zero or more. Information included by the analyzer that does not fit into the data model. This may be an atomic piece of data, or a large amount of data provided through an extension to the IDMEF (see Section 5).
Alert is represented in the IDMEF DTD as follows:
   <!ELEMENT Alert                         (
       Analyzer, CreateTime, DetectTime?, AnalyzerTime?, Source*, Target*,
       Classification, Assessment?,
       (ToolAlert | OverflowAlert | CorrelationAlert)?, AdditionalData*
     )>
   <!ATTLIST Alert
       messageid           CDATA                   '0'
       %attlist.global;
     >
The Alert class has one attribute:
messageid
Optional. A unique identifier for the alert; see Section 3.2.9.
The ToolAlert class carries additional information related to the use of attack tools or malevolent programs such as Trojan horses and can be used by the analyzer when it is able to identify these tools. It is intended to group one or more previously-sent alerts together, to say "these alerts were all the result of someone using this tool".
The ToolAlert class is composed of three aggregate classes, as shown in Figure 3.
   +------------------+
   |      Alert       |
   +------------------+
           /_\
            |
   +------------------+
   |    ToolAlert     |
   +------------------+            +-------------------+
   |                  |<>----------|       name        |
   |                  |            +-------------------+
   |                  |       0..1 +-------------------+
   |                  |<>----------|      command      |
   |                  |            +-------------------+
   |                  |       1..* +-------------------+
   |                  |<>----------|    alertident     |
   |                  |            +-------------------+
   |                  |            | STRING analyzerid |
   |                  |            +-------------------+
   +------------------+
Figure 3: The ToolAlert Class
The aggregate classes that make up ToolAlert are:
name
Exactly one. STRING. The reason for grouping the alerts together, for example, the name of a particular tool.
command
Zero or one. STRING. The command or operation that the tool was asked to perform, for example, a BackOrifice ping.
alertident
One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the ToolAlert.
This is represented in the IDMEF DTD as follows:
   <!ELEMENT ToolAlert                     (
       name, command?, alertident+
     )>
   <!ATTLIST ToolAlert
       %attlist.global;
     >
The CorrelationAlert class carries additional information related to the correlation of alert information. It is intended to group one or more previously-sent alerts together, to say "these alerts are all related".
The CorrelationAlert class is composed of two aggregate classes, as shown in Figure 4.
   +------------------+
   |      Alert       |
   +------------------+
           /_\
            |
   +------------------+
   | CorrelationAlert |
   +------------------+            +-------------------+
   |                  |<>----------|       name        |
   |                  |            +-------------------+
   |                  |       1..* +-------------------+
   |                  |<>----------|    alertident     |
   |                  |            +-------------------+
   |                  |            | STRING analyzerid |
   |                  |            +-------------------+
   +------------------+
Figure 4: The CorrelationAlert Class
The aggregate classes that make up CorrelationAlert are:
name
Exactly one. STRING. The reason for grouping the alerts together, for example, a particular correlation method.
alertident
One or more. STRING. The list of alert identifiers that are related to this alert. Because alert identifiers are only unique across the alerts sent by a single analyzer, the optional "analyzerid" attribute of "alertident" should be used to identify the analyzer that a particular alert came from. If the "analyzerid" is not provided, the alert is assumed to have come from the same analyzer that is sending the CorrelationAlert.
This is represented in the IDMEF DTD as follows.
   <!ELEMENT CorrelationAlert              (
       name, alertident+
     )>
   <!ATTLIST CorrelationAlert
       %attlist.global;
     >
The OverflowAlert carries additional information related to buffer overflow attacks. It is intended to enable an analyzer to provide the details of the overflow attack itself.
The OverflowAlert class is composed of three aggregate classes, as shown in Figure 5.
   +------------------+
   |      Alert       |
   +------------------+
           /_\
            |
   +------------------+
   |  OverflowAlert   |
   +------------------+            +---------+
   |                  |<>----------| program |
   |                  |            +---------+
   |                  |       0..1 +---------+
   |                  |<>----------|  size   |
   |                  |            +---------+
   |                  |       0..1 +---------+
   |                  |<>----------| buffer  |
   |                  |            +---------+
   +------------------+
Figure 5: The OverflowAlert Class
The aggregate classes that make up OverflowAlert are:
program
Exactly one. STRING. The program that the overflow attack attempted to run (NOTE: this is not the program that was attacked).
size
Zero or one. INTEGER. The size, in bytes, of the overflow (i.e., the number of bytes the attacker sent).
buffer
Zero or one. BYTE[]. Some or all of the overflow data itself (dependent on how much the analyzer can capture).
This is represented in the IDMEF DTD as follows:
   <!ELEMENT OverflowAlert                 (
       program, size?, buffer?
     )>
   <!ATTLIST OverflowAlert
       %attlist.global;
     >
Analyzers use Heartbeat messages to indicate their current status to managers. Heartbeats are intended to be sent in a regular period, say, every ten minutes or every hour. The receipt of a Heartbeat message from an analyzer indicates to the manager that the analyzer is up and running; lack of a Heartbeat message (or more likely, lack of some number of consecutive Heartbeat messages) indicates that the analyzer or its network connection has failed.
分析器使用心跳消息向管理员指示其当前状态。心跳是按一定的周期发送的,比如说,每十分钟或每小时发送一次。从分析仪接收到心跳消息,向管理器表明分析仪已启动并正在运行;缺少心跳消息(或者更可能的是,缺少一些连续的心跳消息)表示分析仪或其网络连接失败。
All managers MUST support the receipt of Heartbeat messages; however, the use of these messages by analyzers is OPTIONAL. Developers of manager software SHOULD permit the software to be configured on a per-analyzer basis to use/not use Heartbeat messages.
所有经理必须支持接收心跳消息;但是,分析器使用这些消息是可选的。manager软件的开发人员应允许在每个分析器的基础上配置软件,以使用/不使用心跳消息。
A Heartbeat message is composed of several aggregate classes, as shown in Figure 6. The aggregate classes themselves are described in Sections 4.2.4 and 4.2.5.
              +------------------+
              |    Heartbeat     |
              +------------------+            +------------------+
              | STRING messageid |<>----------|     Analyzer     |
              |                  |            +------------------+
              |                  |            +------------------+
              |                  |<>----------|    CreateTime    |
              |                  |            +------------------+
              |                  |       0..1 +------------------+
              |                  |<>----------| HeartbeatInterval|
              |                  |            +------------------+
              |                  |       0..1 +------------------+
              |                  |<>----------|   AnalyzerTime   |
              |                  |            +------------------+
              |                  |       0..* +------------------+
              |                  |<>----------|  AdditionalData  |
              |                  |            +------------------+
              +------------------+

Figure 6: The Heartbeat Class

The aggregate classes that make up Heartbeat are:

Analyzer
   Exactly one. Identification information for the analyzer that originated the heartbeat.

CreateTime
   Exactly one. The time the heartbeat was created.

HeartbeatInterval
   Zero or one. The interval in seconds at which heartbeats are generated.

AnalyzerTime
   Zero or one. The current time on the analyzer (see Section 6.3).

AdditionalData
   Zero or more. Information included by the analyzer that does not fit into the data model. This may be an atomic piece of data or a large amount of data provided through an extension to the IDMEF (see Section 5).

This is represented in the IDMEF DTD as follows:

   <!ELEMENT Heartbeat                     (
       Analyzer, CreateTime, HeartbeatInterval?, AnalyzerTime?,
       AdditionalData*
     )>
   <!ATTLIST Heartbeat
       messageid           CDATA                   '0'
       %attlist.global;
     >

The Heartbeat class has one attribute:

messageid
   Optional. A unique identifier for the heartbeat; see Section 3.2.9.
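As an added example (not code from the RFC), the following Python sketch turns the Heartbeat semantics above into a manager-side liveness check: it parses the Analyzer, CreateTime and optional HeartbeatInterval of each message, ignores replayed older heartbeats, and reports an analyzer as "late" after one missed interval and "down" after three. The analyzer ids, timestamps, default interval and miss threshold are assumptions.

```python
"""Manager-side liveness check built on IDMEF Heartbeat messages.

Added example, not code from RFC 4765. The analyzer ids, timestamps,
interval values and the "three consecutive misses" threshold are
constructed assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"idmef": "http://iana.org/idmef"}   # IDMEF XML namespace
DEFAULT_INTERVAL = 600                     # assumed when HeartbeatInterval is absent
MISSED_LIMIT = 3                           # consecutive misses before "down"

HEARTBEAT_TEMPLATE = """<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0">
  <Heartbeat messageid="{messageid}">
    <Analyzer analyzerid="{analyzerid}"/>
    <CreateTime ntpstamp="{ntpstamp}">{created}</CreateTime>{interval}
  </Heartbeat>
</IDMEF-Message>"""


def heartbeat_xml(messageid, analyzerid, created, ntpstamp, interval=None):
    """Build a constructed Heartbeat message; HeartbeatInterval is optional."""
    iv = "\n    <HeartbeatInterval>%d</HeartbeatInterval>" % interval if interval else ""
    return HEARTBEAT_TEMPLATE.format(messageid=messageid, analyzerid=analyzerid,
                                     created=created, ntpstamp=ntpstamp, interval=iv)


def parse_datetime(text):
    """DATETIME element content without fractional seconds, e.g. 2000-03-09T14:07:58Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_heartbeat(xml_text):
    """Return (analyzerid, create_time, interval_seconds) for one Heartbeat."""
    root = ET.fromstring(xml_text)
    hb = root if root.tag.endswith("}Heartbeat") else root.find("idmef:Heartbeat", NS)
    if hb is None:
        raise ValueError("not a Heartbeat message")
    analyzer = hb.find("idmef:Analyzer", NS)
    create = hb.find("idmef:CreateTime", NS)
    # Analyzer and CreateTime are "exactly one": a message without them is malformed.
    if analyzer is None or create is None or not create.text:
        raise ValueError("Heartbeat lacks Analyzer or CreateTime")
    iv = hb.find("idmef:HeartbeatInterval", NS)
    interval = int(iv.text) if iv is not None else DEFAULT_INTERVAL
    if interval <= 0:
        raise ValueError("HeartbeatInterval must be positive")
    # analyzerid defaults to '0' in the DTD when the analyzer does not provide one.
    return analyzer.get("analyzerid", "0"), parse_datetime(create.text), interval


class HeartbeatMonitor:
    """Remember the newest heartbeat per analyzer and classify silence."""

    def __init__(self, missed_limit=MISSED_LIMIT):
        self.missed_limit = missed_limit
        self.last_seen = {}   # analyzerid -> (create_time, interval)

    def observe(self, xml_text):
        analyzerid, created, interval = parse_heartbeat(xml_text)
        prev = self.last_seen.get(analyzerid)
        # A replayed or delayed older heartbeat must not move the clock backwards.
        if prev is None or created > prev[0]:
            self.last_seen[analyzerid] = (created, interval)
        return analyzerid

    def status(self, now):
        """{analyzerid: "up" | "late" | "down"} as judged at time `now`."""
        report = {}
        for analyzerid, (created, interval) in self.last_seen.items():
            missed = int((now - created).total_seconds() // interval)
            if missed >= self.missed_limit:
                report[analyzerid] = "down"
            elif missed >= 1:
                report[analyzerid] = "late"
            else:
                report[analyzerid] = "up"
        return report


# Constructed traffic: analyzer 01 beats every 10 min, 07 every 5 min,
# 12 never states its interval and then goes silent; the last entry is a replay.
HEARTBEATS = [
    heartbeat_xml("hb-1", "dmz-analyzer-01", "2000-03-09T14:07:58Z", "0xbc722ebe.0x00000000", 600),
    heartbeat_xml("hb-2", "dmz-analyzer-12", "2000-03-09T14:00:00Z", "0xbc722ce0.0x00000000"),
    heartbeat_xml("hb-3", "dmz-analyzer-01", "2000-03-09T14:17:58Z", "0xbc723116.0x00000000", 600),
    heartbeat_xml("hb-4", "dmz-analyzer-07", "2000-03-09T14:20:00Z", "0xbc723190.0x00000000", 300),
    heartbeat_xml("hb-5", "dmz-analyzer-01", "2000-03-09T14:27:58Z", "0xbc72336e.0x00000000", 600),
    heartbeat_xml("hb-1", "dmz-analyzer-01", "2000-03-09T14:07:58Z", "0xbc722ebe.0x00000000", 600),
]
CHECK_AT = "2000-03-09T14:30:00Z"


def run_demo():
    """Feed the constructed heartbeats through the monitor and report at CHECK_AT."""
    monitor = HeartbeatMonitor()
    for message in HEARTBEATS:
        monitor.observe(message)
    return monitor.status(parse_datetime(CHECK_AT))


if __name__ == "__main__":
    for analyzerid, state in sorted(run_demo().items()):
        print(analyzerid, state)
```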
The core classes -- Analyzer, Source, Target, Classification, and AdditionalData -- are the main parts of Alerts and Heartbeats, as shown in Figure 7.

              +-----------+                 +----------------+
              | Heartbeat |          +-------|    Analyzer    |
              +-----------+          |       +----------------+
              |           |<>---+--+
              +-----------+     |  |  0..* +----------------+
                                |  +-------| AdditionalData |
                                |          +----------------+
              +-----------+     |
              |   Alert   |     |     0..* +----------------+
              +-----------+     |  +-------|     Source     |
              |           |<>---+  |       +----------------+
              |           |        |  0..* +----------------+
              |           |        +-------|     Target     |
              |           |        |       +----------------+
              |           |<>------+
              +-----------+        |       +----------------+
                                   +-------| Classification |
                                           +----------------+

Figure 7: The Core Classes
The Analyzer class identifies the analyzer from which the Alert or Heartbeat message originates. Only one analyzer may be encoded for each alert or heartbeat, and that MUST be the analyzer at which the alert or heartbeat originated. Although the IDMEF data model does not prevent the use of hierarchical intrusion detection systems (where alerts get relayed up the tree), it does not provide any way to record the identity of the "relay" analyzers along the path from the originating analyzer to the manager that ultimately receives the alert.
The Analyzer class is composed of three aggregate classes, as shown in Figure 8.
              +---------------------+
              |      Analyzer       |
              +---------------------+       0..1 +----------+
              | STRING analyzerid   |<>----------|   Node   |
              | STRING name         |            +----------+
              | STRING manufacturer |
              | STRING model        |       0..1 +----------+
              | STRING version      |<>----------| Process  |
              | STRING class        |            +----------+
              | STRING ostype       |       0..1 +----------+
              | STRING osversion    |<>----------| Analyzer |
              +---------------------+            +----------+

Figure 8: The Analyzer Class

The aggregate classes that make up Analyzer are:

Node
   Zero or one. Information about the host or device on which the analyzer resides (network address, network name, etc.).

Process
   Zero or one. Information about the process in which the analyzer is executing.
Analyzer
   Zero or one. Information about the analyzer through which the message may have passed. The idea behind this mechanism is that when a manager receives an alert and wants to forward it to another analyzer, it needs to substitute the original analyzer information with its own. To preserve the original analyzer information, it may be included in the new analyzer definition. This allows analyzer path tracking.
This is represented in the IDMEF DTD as follows:

   <!ELEMENT Analyzer                      (
       Node?, Process?, Analyzer?
     )>
   <!ATTLIST Analyzer
       analyzerid          CDATA                   '0'
       name                CDATA                   #IMPLIED
       manufacturer        CDATA                   #IMPLIED
       model               CDATA                   #IMPLIED
       version             CDATA                   #IMPLIED
       class               CDATA                   #IMPLIED
       ostype              CDATA                   #IMPLIED
       osversion           CDATA                   #IMPLIED
       %attlist.global;
     >

The Analyzer class has eight attributes:

analyzerid
   Optional (but see below). A unique identifier for the analyzer; see Section 3.2.9.

   This attribute is only "partially" optional. If the analyzer makes use of the "ident" attributes on other classes to provide unique identifiers for those objects, then it MUST also provide a valid "analyzerid" attribute. This requirement is dictated by the uniqueness requirements of the "ident" attribute (they are unique only within the context of a particular "analyzerid"). If the analyzer does not make use of the "ident" attributes, however, it may also omit the "analyzerid" attribute.

name
   Optional. An explicit name for the analyzer that may be easier to understand than the analyzerid.

manufacturer
   Optional. The manufacturer of the analyzer software and/or hardware.

model
   Optional. The model name/number of the analyzer software and/or hardware.

version
   Optional. The version number of the analyzer software and/or hardware.

class
   Optional. The class of analyzer software and/or hardware.

ostype
   Optional. Operating system name. On POSIX 1003.1 compliant systems, this is the value returned in utsname.sysname by the uname() system call, or the output of the "uname -s" command.

osversion
   Optional. Operating system version. On POSIX 1003.1 compliant systems, this is the value returned in utsname.release by the uname() system call, or the output of the "uname -r" command.

The "manufacturer", "model", "version", and "class" attributes' contents are vendor-specific, but may be used together to identify different types of analyzers (and perhaps make determinations about the contents to expect in other vendor-specific fields of IDMEF messages).
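An added example, not code from the RFC, for the two Analyzer rules above: a relay manager substituting its own Analyzer while nesting the received one, the nested chain read back as an analyzer path, and a check of the requirement that an alert using "ident" attributes carries the originator's "analyzerid". The sample alert, the relay identities and the reading of analyzerid '0' (the DTD default) as "not provided" are assumptions.

```python
"""Relay handling of the nested Analyzer class for analyzer path tracking.

Added example, not code from RFC 4765. The sample alert, the relay
identities, and the reading of analyzerid '0' (the DTD default) as
"not provided" are constructed assumptions.
"""
import copy
import xml.etree.ElementTree as ET

IDMEF = "http://iana.org/idmef"
NS = {"idmef": IDMEF}
ET.register_namespace("idmef", IDMEF)   # stable prefix when re-serializing


def q(name):
    """Tag name qualified with the IDMEF namespace."""
    return "{%s}%s" % (IDMEF, name)


def _alert(root):
    alert = root if root.tag == q("Alert") else root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("not an Alert message")
    return alert


def forward_alert(xml_text, relay_attrs):
    """Re-emit an alert from a relay: the relay's own Analyzer takes the place
    of the one received, and the received Analyzer is nested inside it."""
    root = ET.fromstring(xml_text)
    alert = _alert(root)
    received = alert.find("idmef:Analyzer", NS)
    if received is None:
        raise ValueError("Alert has no Analyzer")
    relay = ET.Element(q("Analyzer"), relay_attrs)
    # DTD content model is ( Node?, Process?, Analyzer? ): nested Analyzer comes last.
    relay.append(copy.deepcopy(received))
    position = list(alert).index(received)
    alert.remove(received)
    alert.insert(position, relay)
    return ET.tostring(root, encoding="unicode")


def analyzer_path(xml_text):
    """analyzerids from the last relay (outermost) to the originator (innermost)."""
    node = _alert(ET.fromstring(xml_text)).find("idmef:Analyzer", NS)
    path = []
    while node is not None:
        path.append(node.get("analyzerid", "0"))
        node = node.find("idmef:Analyzer", NS)
    return path


def ident_rule_problems(xml_text):
    """ident values are unique only within an analyzerid, so an alert that uses
    them must carry the originating analyzer's analyzerid. Returns a list of findings."""
    alert = _alert(ET.fromstring(xml_text))
    origin = alert.find("idmef:Analyzer", NS)
    while origin is not None and origin.find("idmef:Analyzer", NS) is not None:
        origin = origin.find("idmef:Analyzer", NS)       # walk down to the originator
    idents = [el.tag.split("}")[-1] for el in alert.iter() if el.get("ident", "0") != "0"]
    problems = []
    if idents and (origin is None or origin.get("analyzerid", "0") == "0"):
        problems.append("ident used on %s but originating analyzerid not provided"
                        % ", ".join(sorted(set(idents))))
    return problems


# Constructed alert as emitted by the originating analyzer.
SAMPLE_ALERT = """<IDMEF-Message xmlns="http://iana.org/idmef" version="1.0">
  <Alert messageid="abc123456789">
    <Analyzer analyzerid="dmz-analyzer-01" name="dmz sensor" ostype="Linux"/>
    <CreateTime ntpstamp="0xbc71f4f5.0xef449129">2000-03-09T10:01:25.93464Z</CreateTime>
    <Source ident="a1b2c3d4" spoofed="unknown">
      <Node ident="a1b2c3d4-001">
        <Address ident="a1b2c3d4-002" category="ipv4-addr"><address>192.0.2.200</address></Address>
      </Node>
    </Source>
    <Target ident="d1c2b3a4">
      <Node ident="d1c2b3a4-001"><name>www.example.com</name></Node>
    </Target>
    <Classification ident="c1" text="Teardrop"/>
  </Alert>
</IDMEF-Message>"""
# Same alert with the analyzerid stripped: violates the rule because idents are used.
ALERT_WITHOUT_ANALYZERID = SAMPLE_ALERT.replace(' analyzerid="dmz-analyzer-01"', "")
# Two constructed relays between the sensor and the final manager.
RELAYS = [{"analyzerid": "site-relay-01", "name": "site manager"},
          {"analyzerid": "hq-relay-01", "name": "hq manager"}]


def relay_chain(xml_text, relays=RELAYS):
    """Pass the alert through each relay in turn, as it travels up a hierarchy."""
    for attrs in relays:
        xml_text = forward_alert(xml_text, attrs)
    return xml_text


if __name__ == "__main__":
    print(analyzer_path(relay_chain(SAMPLE_ALERT)))   # ['hq-relay-01', 'site-relay-01', 'dmz-analyzer-01']
    print(ident_rule_problems(ALERT_WITHOUT_ANALYZERID))
```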
The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is. This name is chosen by the alert provider.
The Classification class is composed of one aggregate class, as shown in Figure 9.
              +----------------+
              | Classification |
              +----------------+       0..* +-----------+
              | STRING ident   |<>----------| Reference |
              | STRING text    |            +-----------+
              +----------------+

Figure 9: The Classification Class

The aggregate class that makes up Classification is:

Reference
   Zero or more. Information about the message, pointing to external documentation sites, that will provide background information about the alert.

This is represented in the IDMEF DTD as follows:

   <!ELEMENT Classification                (
       Reference*
     )>
   <!ATTLIST Classification
       ident               CDATA                   '0'
       text                CDATA                   #REQUIRED
     >

The Classification class has two attributes:

ident
   Optional. A unique identifier for this classification; see Section 3.2.9.

text
   Required. A vendor-provided string identifying the Alert message.
The Source class contains information about the possible source(s) of the event(s) that generated an alert. An event may have more than one source (e.g., in a distributed denial-of-service attack).
The Source class is composed of four aggregate classes, as shown in Figure 10.
              +------------------+
              |      Source      |
              +------------------+       0..1 +---------+
              | STRING ident     |<>----------|  Node   |
              | ENUM spoofed     |            +---------+
              | STRING interface |       0..1 +---------+
              |                  |<>----------|  User   |
              |                  |            +---------+
              |                  |       0..1 +---------+
              |                  |<>----------| Process |
              |                  |            +---------+
              |                  |       0..1 +---------+
              |                  |<>----------| Service |
              |                  |            +---------+
              +------------------+

Figure 10: The Source Class

The aggregate classes that make up Source are:

Node
   Zero or one. Information about the host or device that appears to be causing the events (network address, network name, etc.).

User
   Zero or one. Information about the user that appears to be causing the event(s).

Process
   Zero or one. Information about the process that appears to be causing the event(s).

Service
   Zero or one. Information about the network service involved in the event(s).

This is represented in the IDMEF DTD as follows:

   <!ELEMENT Source                        (
       Node?, User?, Process?, Service?
     )>
   <!ATTLIST Source
       ident               CDATA                   '0'
       spoofed             %attvals.yesno;         'unknown'
       interface           CDATA                   #IMPLIED
       %attlist.global;
     >

The Source class has three attributes:

ident
   Optional. A unique identifier for this source; see Section 3.2.9.

spoofed
   Optional. An indication of whether the source is, as far as the analyzer can determine, a spoofed address used for hiding the real origin of the attack. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)

   +------+---------+----------------------------------------+
   | Rank | Keyword | Description                            |
   +------+---------+----------------------------------------+
   |    0 | unknown | Accuracy of source information unknown |
   |    1 | yes     | Source is believed to be a decoy       |
   |    2 | no      | Source is believed to be "real"        |
   +------+---------+----------------------------------------+

interface
   Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this source was seen on.
The Target class contains information about the possible target(s) of the event(s) that generated an alert. An event may have more than one target (e.g., in the case of a port sweep).
The Target class is composed of four aggregate classes, as shown in Figure 11.
              +------------------+
              |      Target      |
              +------------------+       0..1 +----------+
              | STRING ident     |<>----------|   Node   |
              | ENUM decoy       |            +----------+
              | STRING interface |       0..1 +----------+
              |                  |<>----------|   User   |
              |                  |            +----------+
              |                  |       0..1 +----------+
              |                  |<>----------| Process  |
              |                  |            +----------+
              |                  |       0..1 +----------+
              |                  |<>----------| Service  |
              |                  |            +----------+
              |                  |       0..n +----------+
              |                  |<>----------|   File   |
              |                  |            +----------+
              +------------------+

Figure 11: The Target Class

The aggregate classes that make up Target are:

Node
   Zero or one. Information about the host or device (network address, network name, etc.) at which the event(s) is being directed.

User
   Zero or one. Information about the user at which the event(s) is being directed.

Process
   Zero or one. Information about the process at which the event(s) is being directed.

Service
   Zero or one. Information about the network service involved in the event(s).

File
   Optional. Information about file(s) involved in the event(s).

This is represented in the IDMEF DTD as follows:

   <!ELEMENT Target                        (
       Node?, User?, Process?, Service?, File*
     )>
   <!ATTLIST Target
       ident               CDATA                   '0'
       decoy               %attvals.yesno;         'unknown'
       interface           CDATA                   #IMPLIED
       %attlist.global;
     >

The Target class has three attributes:

ident
   Optional. A unique identifier for this target; see Section 3.2.9.

decoy
   Optional. An indication of whether the target is, as far as the analyzer can determine, a decoy. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)

   +------+---------+----------------------------------------+
   | Rank | Keyword | Description                            |
   +------+---------+----------------------------------------+
   |    0 | unknown | Accuracy of target information unknown |
   |    1 | yes     | Target is believed to be a decoy       |
   |    2 | no      | Target is believed to be "real"        |
   +------+---------+----------------------------------------+

interface
   Optional. May be used by a network-based analyzer with multiple interfaces to indicate which interface this target was seen on.
The Assessment class is used to provide the analyzer's assessment of an event -- its impact, actions taken in response, and confidence.
The Assessment class is composed of three aggregate classes, as shown in Figure 12.
              +------------------+
              |    Assessment    |
              +------------------+       0..1 +------------+
              |                  |<>----------|   Impact   |
              |                  |            +------------+
              |                  |       0..* +------------+
              |                  |<>----------|   Action   |
              |                  |            +------------+
              |                  |       0..1 +------------+
              |                  |<>----------| Confidence |
              |                  |            +------------+
              +------------------+

Figure 12: The Assessment Class

The aggregate classes that make up Assessment are:

Impact
   Zero or one. The analyzer's assessment of the impact of the event on the target(s).

Action
   Zero or more. The action(s) taken by the analyzer in response to the event.

Confidence
   Zero or one. A measurement of the confidence the analyzer has in its evaluation of the event.

This is represented in the IDMEF DTD as follows:

   <!ELEMENT Assessment                    (
       Impact?, Action*, Confidence?
     )>
   <!ATTLIST Assessment
       %attlist.global;
     >
The AdditionalData class is used to provide information that cannot be represented by the data model. AdditionalData can be used to provide atomic data (integers, strings, etc.) in cases where only small amounts of additional information need to be sent; it can also be used to extend the data model and the DTD to support the transmission of complex data (such as packet headers). Detailed instructions for extending the data model and the DTD are provided in Section 5.

   +------+-------------+----------------------------------------------+
   | Rank | Keyword     | Description                                  |
   +------+-------------+----------------------------------------------+
   |    0 | boolean     | The element contains a boolean value, i.e.,  |
   |      |             | the strings "true" or "false"                |
   |    1 | byte        | The element content is a single 8-bit byte   |
   |      |             | (see Section 3.2.4)                          |
   |    2 | character   | The element content is a single character    |
   |      |             | (see Section 3.2.3)                          |
   |    3 | date-time   | The element content is a date-time string    |
   |      |             | (see Section 3.2.6)                          |
   |    4 | integer     | The element content is an integer (see       |
   |      |             | Section 3.2.1)                               |
   |    5 | ntpstamp    | The element content is an NTP timestamp (see |
   |      |             | Section 3.2.7)                               |
   |    6 | portlist    | The element content is a list of ports (see  |
   |      |             | Section 3.2.8)                               |
   |    7 | real        | The element content is a real number (see    |
   |      |             | Section 3.2.2)                               |
   |    8 | string      | The element content is a string (see         |
   |      |             | Section 3.2.3)                               |
   |    9 | byte-string | The element is a byte[] (see Section 3.2.4)  |
   |   10 | xmltext     | The element content is XML-tagged data (see  |
   |      |             | Section 5.2)                                 |
   +------+-------------+----------------------------------------------+

The AdditionalData element is declared in the IDMEF DTD as follows:

   <!ENTITY % attvals.adtype               "
       ( boolean | byte | character | date-time | integer | ntpstamp |
         portlist | real | string | byte-string | xmltext )
     ">

   <!ELEMENT AdditionalData                (
       (boolean | byte | character | date-time | integer | ntpstamp |
        portlist | real | string | byte-string | xmltext )
     )>
   <!ATTLIST AdditionalData
       type                %attvals.adtype;        'string'
       meaning             CDATA                   #IMPLIED
       %attlist.global;
     >

The AdditionalData class has one attribute:

meaning
   Optional. A string describing the meaning of the element content. These values will be vendor/implementation dependent; the method for ensuring that managers understand the strings sent by analyzers is outside the scope of this specification. A list of acceptable meaning keywords is not within the scope of the document, although later versions may undertake to establish such a list.
The data model provides three classes for representing time. These classes are elements of the Alert and Heartbeat classes.

The time classes are represented in the IDMEF DTD as follows:

   <!ELEMENT ntpstamp        (#PCDATA) >
   <!ATTLIST ntpstamp
       %attlist.global;
     >

   <!ELEMENT CreateTime      (#PCDATA) >
   <!ATTLIST CreateTime
       ntpstamp            CDATA                   #REQUIRED
       %attlist.global;
     >

   <!ELEMENT DetectTime      (#PCDATA) >
   <!ATTLIST DetectTime
       ntpstamp            CDATA                   #REQUIRED
       %attlist.global;
     >

   <!ELEMENT AnalyzerTime    (#PCDATA) >
   <!ATTLIST AnalyzerTime
       ntpstamp            CDATA                   #REQUIRED
       %attlist.global;
     >
The DATETIME format of the <CreateTime> element content is described in Section 3.2.6.
If the date and time represented by the element content and the NTP timestamp differ (should "never" happen), the value in the NTP timestamp MUST be used.
The CreateTime class is used to indicate the date and time the alert or heartbeat was created by the analyzer.
The DetectTime class is used to indicate the date and time that the event(s) producing an alert was detected by the analyzer. In the case of more than one event, it is the time that the first event was detected. (This may or may not be the same time as CreateTime; analyzers are not required to send alerts immediately upon detection).
The AnalyzerTime class is used to indicate the current date and time on the analyzer. Its values should be filled in as late as possible in the message transmission process, ideally immediately before placing the message "on the wire".
The use of <AnalyzerTime> to perform rudimentary time synchronization between analyzers and managers is discussed in Section 6.3.
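Added example, not the RFC's code: parsing the ntpstamp attribute and the DATETIME content of the time classes, applying the rule that the NTP timestamp wins when the two disagree, and using AnalyzerTime for the kind of rudimentary offset estimate Section 6.3 refers to. The ntpstamp syntax ("0x<seconds>.0x<fraction>" as in Section 3.2.7), the 1-second agreement tolerance, the offset calculation and all sample values are assumptions.

```python
"""Reconciling IDMEF time values: DATETIME element content versus the
ntpstamp attribute, and a clock-offset estimate from AnalyzerTime.

Added example, not code from RFC 4765. It assumes the ntpstamp syntax of
Section 3.2.7 ("0x<seconds>.0x<fraction>", seconds since 1900-01-01 UTC
with a 32-bit binary fraction) and the DATETIME syntax of Section 3.2.6;
the sample values, the 1-second tolerance and the offset calculation are
constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
NTPSTAMP_RE = re.compile(r"^0x([0-9a-fA-F]{1,8})\.0x([0-9a-fA-F]{1,8})$")
DATETIME_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_ntpstamp(text):
    """Convert "0xbc71f4f5.0xef449129" to an aware UTC datetime.
    NTP era 0 only: the 2036 wrap-around is not handled here."""
    m = NTPSTAMP_RE.match(text.strip())
    if not m:
        raise ValueError("bad ntpstamp: %r" % text)
    seconds, fraction = int(m.group(1), 16), int(m.group(2), 16)
    micros = round(fraction * 1_000_000 / 2 ** 32)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def parse_datetime(text):
    """Convert DATETIME content such as 2000-03-09T10:01:25.93464Z or
    2000-03-09T05:01:25.93464-05:00 to an aware datetime."""
    m = DATETIME_RE.match(text.strip())
    if not m:
        raise ValueError("bad DATETIME: %r" % text)
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))   # at most microsecond precision
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros, tzinfo)


def reconcile(element_text, ntpstamp_attr, tolerance=timedelta(seconds=1)):
    """For CreateTime, DetectTime or AnalyzerTime: return (time, agreed).
    The ntpstamp value is always the one returned; `agreed` is False when the
    element content disagrees with it by more than the tolerance (content may
    legitimately omit fractional seconds, hence the 1 s default)."""
    from_ntp = parse_ntpstamp(ntpstamp_attr)
    from_text = parse_datetime(element_text)
    return from_ntp, abs(from_ntp - from_text) <= tolerance


def clock_offset(analyzer_time_ntpstamp, received_at):
    """Analyzer clock minus manager clock, estimated from an AnalyzerTime the
    sender filled in just before transmission (transit delay neglected)."""
    return parse_ntpstamp(analyzer_time_ntpstamp) - received_at


def to_manager_clock(ntpstamp_attr, offset):
    """Re-express an analyzer-stamped time (e.g. DetectTime) on the manager's clock."""
    return parse_ntpstamp(ntpstamp_attr) - offset


def demo():
    """Constructed cases; every value returned is a plain string or number."""
    good_time, good = reconcile("2000-03-09T10:01:25.93464Z", "0xbc71f4f5.0xef449129")
    # Content says 10:01:25 but the attribute encodes 14:07:58: the attribute wins.
    bad_time, bad = reconcile("2000-03-09T10:01:25.93464Z", "0xbc722ebe.0x00000000")
    received = datetime(2000, 3, 9, 14, 7, 53, tzinfo=timezone.utc)
    offset = clock_offset("0xbc722ebe.0x00000000", received)   # analyzer runs 5 s fast
    detect = to_manager_clock("0xbc71f4f5.0xef449129", offset)
    return {
        "good": good_time.isoformat(), "good_agreed": good,
        "bad": bad_time.isoformat(), "bad_agreed": bad,
        "offset_seconds": offset.total_seconds(),
        "detect_on_manager_clock": detect.isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```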
The data model provides three types of "assessments" that an analyzer can make about an event. These classes are aggregates of the Assessment class.
The Impact class is used to provide the analyzer's assessment of the impact of the event on the target(s). It is represented in the IDMEF DTD as follows:
   <!ENTITY % attvals.severity             "
       ( info | low | medium | high )
     ">
   <!ENTITY % attvals.completion           "
       ( failed | succeeded )
     ">
   <!ENTITY % attvals.impacttype           "
       ( admin | dos | file | recon | user | other )
     ">

   <!ELEMENT Impact          (#PCDATA) >
   <!ATTLIST Impact
       severity            %attvals.severity;      #IMPLIED
       completion          %attvals.completion;    #IMPLIED
       type                %attvals.impacttype;    'other'
       %attlist.global;
     >

The Impact class has three attributes:

severity
   An estimate of the relative severity of the event. The permitted values are shown below. There is no default value. (See also Section 10.)

   +------+---------+-----------------------------------------+
   | Rank | Keyword | Description                             |
   +------+---------+-----------------------------------------+
   |    0 | info    | Alert represents informational activity |
   |    1 | low     | Low severity                            |
   |    2 | medium  | Medium severity                         |
   |    3 | high    | High severity                           |
   +------+---------+-----------------------------------------+

completion
   An indication of whether the analyzer believes the attempt that the event describes was successful or not. The permitted values are shown below. There is no default value. (See also Section 10.)

   +------+-----------+--------------------------------+
   | Rank | Keyword   | Description                    |
   +------+-----------+--------------------------------+
   |    0 | failed    | The attempt was not successful |
   |    1 | succeeded | The attempt succeeded          |
   +------+-----------+--------------------------------+

type
   The type of attempt represented by this event, in relatively broad categories. The permitted values are shown below. The default value is "other". (See also Section 10.)

   +------+---------+--------------------------------------------------+
   | Rank | Keyword | Description                                      |
   +------+---------+--------------------------------------------------+
   |    0 | admin   | Administrative privileges were attempted or      |
   |      |         | obtained                                         |
   |    1 | dos     | A denial of service was attempted or completed   |
   |    2 | file    | An action on a file was attempted or completed   |
   |    3 | recon   | A reconnaissance probe was attempted or          |
   |      |         | completed                                        |
   |    4 | user    | User privileges were attempted or obtained       |
   |    5 | other   | Anything not in one of the above categories      |
   +------+---------+--------------------------------------------------+

All three attributes are optional. The element itself may be empty, or may contain a textual description of the impact, if the analyzer is able to provide additional details.
The Action class is used to describe any actions taken by the analyzer in response to the event. Is is represented in the IDMEF DTD as follows:
Action类用于描述分析器响应事件所采取的任何操作。在IDMEF DTD中表示为:
<!ENTITY % attvals.actioncat " ( block-installed | notification-sent | taken-offline | other ) ">
<!实体%attvals.actioncat“(已安装块|已发送通知|脱机|其他)”>
<!ELEMENT Action (#PCDATA) > <!ATTLIST Action category %attvals.actioncat; 'other' %attlist.global; >
<!ELEMENT Action (#PCDATA) > <!ATTLIST Action category %attvals.actioncat; 'other' %attlist.global; >
Action has one attribute:
操作有一个属性:
category
类别
The type of action taken. The permitted values are shown below. The default value is "other". (See also Section 10.)
采取的行动类型。允许值如下所示。默认值为“其他”。(另见第10节。)
+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
| 0    | block-installed   | A block of some sort was installed to  |
|      |                   | prevent an attack from reaching its    |
|      |                   | destination.  The block could be a     |
|      |                   | port block, address block, etc., or    |
|      |                   | disabling a user account.              |
|      |                   |                                        |
| 1    | notification-sent | A notification message of some sort    |
|      |                   | was sent out-of-band (via pager,       |
|      |                   | e-mail, etc.).  Does not include the   |
|      |                   | transmission of this alert.            |
|      |                   |                                        |
| 2    | taken-offline     | A system, computer, or user was taken  |
|      |                   | offline, as when the computer is shut  |
|      |                   | down or a user is logged off.          |
|      |                   |                                        |
| 3    | other             | Anything not in one of the above       |
|      |                   | categories.                            |
+------+-------------------+----------------------------------------+
The element itself may be empty, or may contain a textual description of the action, if the analyzer is able to provide additional details.
The Confidence class is used to represent the analyzer's best estimate of the validity of its analysis. It is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.rating  " ( low | medium | high | numeric ) ">

<!ELEMENT Confidence     (#PCDATA) >
<!ATTLIST Confidence
    rating              %attvals.rating;        'numeric'
    %attlist.global;
>
The Confidence class has one attribute:
rating
The analyzer's rating of its analytical validity. The permitted values are shown below. The default value is "numeric". (See also Section 10.)
+------+---------+--------------------------------------------------+
| Rank | Keyword | Description                                      |
+------+---------+--------------------------------------------------+
| 0    | low     | The analyzer has little confidence in its        |
|      |         | validity                                         |
|      |         |                                                  |
| 1    | medium  | The analyzer has average confidence in its       |
|      |         | validity                                         |
|      |         |                                                  |
| 2    | high    | The analyzer has high confidence in its validity |
|      |         |                                                  |
| 3    | numeric | The analyzer has provided a posterior            |
|      |         | probability value indicating its confidence in   |
|      |         | its validity                                     |
+------+---------+--------------------------------------------------+
This element should be used only when the analyzer can produce meaningful information. Systems that can output only a rough heuristic should use "low", "medium", or "high" as the rating value. In this case, the element content should be omitted.
Systems capable of producing reasonable probability estimates should use "numeric" as the rating value and include a numeric confidence value in the element content. This numeric value should reflect a posterior probability (the probability that an attack has occurred given the data seen by the detection system and the model used by the system). It is a floating point number between 0.0 and 1.0, inclusive. The number of digits should be limited to those representable by a single precision floating point value, and may be represented as described in Section 3.2.2.
NOTE: Different types of analyzers may compute confidence values in different ways, and in many cases confidence values from different analyzers should not be compared (for example, if the analyzers use different methods of computing or representing confidence, or are of different types or configurations). Care should be taken when implementing systems that process confidence values (such as event correlators) not to make comparisons or assumptions that cannot be supported by the system's knowledge of the environment in which it is working.
The support classes make up the major parts of the core classes, and are shared between them.
The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is.
The Reference class is composed of two aggregate classes, as shown in Figure 13.
+----------------+
|   Reference    |
+----------------+            +------+
| STRING origin  |<>----------| name |
| STRING meaning |            +------+
|                |            +------+
|                |<>----------| url  |
|                |            +------+
+----------------+

              Figure 13: The Reference Class
The aggregate classes that make up Reference are:
name
Exactly one. STRING. The name of the alert, from one of the origins listed below.
url
Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.origin  " ( unknown | vendor-specific | user-specific | bugtraqid | cve | osvdb ) ">

<!ELEMENT Reference     ( name, url )>
<!ATTLIST Reference
    origin              %attvals.origin;        'unknown'
    meaning             CDATA                   #IMPLIED
>
The Reference class has two attributes:
origin
Required. The source from which the name of the alert originates. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)
+------+-----------------+------------------------------------------+
| Rank | Keyword         | Description                              |
+------+-----------------+------------------------------------------+
| 0    | unknown         | Origin of the name is not known          |
|      |                 |                                          |
| 1    | vendor-specific | A vendor-specific name (and hence, URL); |
|      |                 | this can be used to provide              |
|      |                 | product-specific information             |
|      |                 |                                          |
| 2    | user-specific   | A user-specific name (and hence, URL);   |
|      |                 | this can be used to provide              |
|      |                 | installation-specific information        |
|      |                 |                                          |
| 3    | bugtraqid       | The SecurityFocus ("Bugtraq")            |
|      |                 | vulnerability database identifier        |
|      |                 | (http://www.securityfocus.com/bid)       |
|      |                 |                                          |
| 4    | cve             | The Common Vulnerabilities and Exposures |
|      |                 | (CVE) name (http://www.cve.mitre.org/)   |
|      |                 |                                          |
| 5    | osvdb           | The Open Source Vulnerability Database   |
|      |                 | (http://www.osvdb.org)                   |
+------+-----------------+------------------------------------------+
meaning
Optional. The meaning of the reference, as understood by the alert provider. This field is only valid if the value of the <origin> attribute is set to "vendor-specific" or "user-specific".
The Node class is used to identify hosts and other network devices (routers, switches, etc.).
The Node class is composed of three aggregate classes, as shown in Figure 14.
+---------------+
|     Node      |
+---------------+       0..1 +----------+
| STRING ident  |<>----------| location |
| ENUM category |            +----------+
|               |       0..1 +----------+
|               |<>----------| name     |
|               |            +----------+
|               |       0..* +----------+
|               |<>----------| Address  |
|               |            +----------+
+---------------+

              Figure 14: The Node Class
The aggregate classes that make up Node are:
location
Zero or one. STRING. The location of the equipment.
name
Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given.
Address
Zero or more. The network or hardware address of the equipment. Unless a name (above) is provided, at least one address must be specified.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.nodecat  " ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos | nds | nis | nisplus | nt | wfw ) ">

<!ELEMENT Node     ( location?, (name | Address), Address* )>
<!ATTLIST Node
    ident               CDATA                   '0'
    category            %attvals.nodecat;       'unknown'
    %attlist.global;
>
The Node class has two attributes:
ident
Optional. A unique identifier for the node; see Section 3.2.9.
category
Optional. The "domain" from which the name information was obtained, if relevant. The permitted values for this attribute are shown in the table below. The default value is "unknown". (See also Section 10 for extensions to the table.)
+------+----------+------------------------------------------+
| Rank | Keyword  | Description                              |
+------+----------+------------------------------------------+
| 0    | unknown  | Domain unknown or not relevant           |
|      |          |                                          |
| 1    | ads      | Windows 2000 Advanced Directory Services |
|      |          |                                          |
| 2    | afs      | Andrew File System (Transarc)            |
|      |          |                                          |
| 3    | coda     | Coda Distributed File System             |
|      |          |                                          |
| 4    | dfs      | Distributed File System (IBM)            |
|      |          |                                          |
| 5    | dns      | Domain Name System                       |
|      |          |                                          |
| 6    | hosts    | Local hosts file                         |
|      |          |                                          |
| 7    | kerberos | Kerberos realm                           |
|      |          |                                          |
| 8    | nds      | Novell Directory Services                |
|      |          |                                          |
| 9    | nis      | Network Information Services (Sun)       |
|      |          |                                          |
| 10   | nisplus  | Network Information Services Plus (Sun)  |
|      |          |                                          |
| 11   | nt       | Windows NT domain                        |
|      |          |                                          |
| 12   | wfw      | Windows for Workgroups                   |
+------+----------+------------------------------------------+
The Address class is used to represent network, hardware, and application addresses.
The Address class is composed of two aggregate classes, as shown in Figure 15.
+------------------+
|     Address      |
+------------------+            +---------+
| STRING ident     |<>----------| address |
| ENUM category    |            +---------+
| STRING vlan-name |       0..1 +---------+
| INTEGER vlan-num |<>----------| netmask |
|                  |            +---------+
+------------------+

              Figure 15: The Address Class
The aggregate classes that make up Address are:
address
Exactly one. STRING. The address information. The format of this data is governed by the category attribute.
netmask
Zero or one. STRING. The network mask for the address, if appropriate.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.addrcat  " ( unknown | atm | e-mail | lotus-notes | mac | sna | vm | ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask | ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask ) ">

<!ELEMENT Address     ( address, netmask? )>
<!ATTLIST Address
    ident               CDATA                   '0'
    category            %attvals.addrcat;       'unknown'
    vlan-name           CDATA                   #IMPLIED
    vlan-num            CDATA                   #IMPLIED
    %attlist.global;
>
The Address class has four attributes:
ident
Optional. A unique identifier for the address; see Section 3.2.9.
category
Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)
+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
| 0    | unknown       | Address type unknown                       |
|      |               |                                            |
| 1    | atm           | Asynchronous Transfer Mode network address |
|      |               |                                            |
| 2    | e-mail        | Electronic mail address (RFC 2822 [12])    |
|      |               |                                            |
| 3    | lotus-notes   | Lotus Notes e-mail address                 |
|      |               |                                            |
| 4    | mac           | Media Access Control (MAC) address         |
|      |               |                                            |
| 5    | sna           | IBM Shared Network Architecture (SNA)      |
|      |               | address                                    |
|      |               |                                            |
| 6    | vm            | IBM VM ("PROFS") e-mail address            |
|      |               |                                            |
| 7    | ipv4-addr     | IPv4 host address in dotted-decimal        |
|      |               | notation (a.b.c.d)                         |
|      |               |                                            |
| 8    | ipv4-addr-hex | IPv4 host address in hexadecimal notation  |
|      |               |                                            |
| 9    | ipv4-net      | IPv4 network address in dotted-decimal     |
|      |               | notation, slash, significant bits          |
|      |               | (a.b.c.d/nn)                               |
|      |               |                                            |
| 10   | ipv4-net-mask | IPv4 network address in dotted-decimal     |
|      |               | notation, slash, network mask in           |
|      |               | dotted-decimal notation (a.b.c.d/w.x.y.z)  |
|      |               |                                            |
| 11   | ipv6-addr     | IPv6 host address                          |
|      |               |                                            |
| 12   | ipv6-addr-hex | IPv6 host address in hexadecimal notation  |
|      |               |                                            |
| 13   | ipv6-net      | IPv6 network address, slash, significant   |
|      |               | bits                                       |
|      |               |                                            |
| 14   | ipv6-net-mask | IPv6 network address, slash, network mask  |
+------+---------------+--------------------------------------------+
vlan-name
Optional. The name of the Virtual LAN to which the address belongs.
vlan-num
Optional. The number of the Virtual LAN to which the address belongs.
The User class is used to describe users. It is primarily used as a "container" class for the UserId aggregate class, as shown in Figure 16.
+---------------+
|     User      |
+---------------+       1..* +--------+
| STRING ident  |<>----------| UserId |
| ENUM category |            +--------+
+---------------+

              Figure 16: The User Class
The aggregate class contained in User is:
UserId
One or more. Identification of a user, as indicated by its type attribute (see Section 4.2.7.3.1).
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.usercat  " ( unknown | application | os-device ) ">

<!ELEMENT User     ( UserId+ )>
<!ATTLIST User
    ident               CDATA                   '0'
    category            %attvals.usercat;       'unknown'
    %attlist.global;
>
The User class has two attributes:
ident
Optional. A unique identifier for the user; see Section 3.2.9.
category
Optional. The type of user represented. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)
+------+-------------+------------------------------------+
| Rank | Keyword     | Description                        |
+------+-------------+------------------------------------+
| 0    | unknown     | User type unknown                  |
|      |             |                                    |
| 1    | application | An application user                |
|      |             |                                    |
| 2    | os-device   | An operating system or device user |
+------+-------------+------------------------------------+
The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges.
The UserId class is composed of two aggregate classes, as shown in Figure 17.
+--------------+
|    UserId    |
+--------------+       0..1 +--------+
| STRING ident |<>----------| name   |
| ENUM type    |            +--------+
| STRING tty   |       0..1 +--------+
|              |<>----------| number |
|              |            +--------+
+--------------+

              Figure 17: The UserId Class
The aggregate classes that make up UserId are:
name
Zero or one. STRING. A user or group name.
number
Zero or one. INTEGER. A user or group number.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.idtype  " ( current-user | original-user | target-user | user-privs | current-group | group-privs | other-privs ) ">

<!ELEMENT UserId     ( (name, number?) | (number, name?) )>
<!ATTLIST UserId
    ident               CDATA                   '0'
    type                %attvals.idtype;        'original-user'
    tty                 CDATA                   #IMPLIED
    %attlist.global;
>
The UserId class has three attributes:
ident
Optional. A unique identifier for the user id; see Section 3.2.9.
type
Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". (See also Section 10.)
+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
| 0    | current-user  | The current user id being used by the user |
|      |               | or process.  On Unix systems, this would   |
|      |               | be the "real" user id, in general.         |
|      |               |                                            |
| 1    | original-user | The actual identity of the user or process |
|      |               | being reported on.  On those systems that  |
|      |               | (a) do some type of auditing and (b)       |
|      |               | support extracting a user id from the      |
|      |               | "audit id" token, that value should be     |
|      |               | used.  On those systems that do not        |
|      |               | support this, and where the user has       |
|      |               | logged into the system, the "login id"     |
|      |               | should be used.                            |
|      |               |                                            |
| 2    | target-user   | The user id the user or process is         |
|      |               | attempting to become.  This would apply,   |
|      |               | on Unix systems for example, when the user |
|      |               | attempts to use "su", "rlogin", "telnet",  |
|      |               | etc.                                       |
|      |               |                                            |
| 3    | user-privs    | Another user id the user or process has    |
|      |               | the ability to use, or a user id           |
|      |               | associated with a file permission.  On     |
|      |               | Unix systems, this would be the            |
|      |               | "effective" user id in a user or process   |
|      |               | context, and the owner permissions in a    |
|      |               | file context.  Multiple UserId elements of |
|      |               | this type may be used to specify a list of |
|      |               | privileges.                                |
|      |               |                                            |
| 4    | current-group | The current group id (if applicable) being |
|      |               | used by the user or process.  On Unix      |
|      |               | systems, this would be the "real" group    |
|      |               | id, in general.                            |
|      |               |                                            |
| 5    | group-privs   | Another group id the group or process has  |
|      |               | the ability to use, or a group id          |
|      |               | associated with a file permission.  On     |
|      |               | Unix systems, this would be the            |
|      |               | "effective" group id in a group or process |
|      |               | context, and the group permissions in a    |
|      |               | file context.  On BSD-derived Unix         |
|      |               | systems, multiple UserId elements of this  |
|      |               | type would be used to include all the      |
|      |               | group ids on the "group list".             |
|      |               |                                            |
| 6    | other-privs   | Not used in a user, group, or process      |
|      |               | context, only used in the file context.    |
|      |               | The file permissions assigned to users who |
|      |               | do not match either the user or group      |
|      |               | permissions on the file.  On Unix systems, |
|      |               | this would be the "world" permissions.     |
+------+---------------+--------------------------------------------+
tty
Optional. STRING. The tty the user is using.
The Process class is used to describe processes being executed on sources, targets, and analyzers.
The Process class is composed of five aggregate classes, as shown in Figure 18.
+--------------+
|   Process    |
+--------------+            +------+
| STRING ident |<>----------| name |
|              |            +------+
|              |       0..1 +------+
|              |<>----------| pid  |
|              |            +------+
|              |       0..1 +------+
|              |<>----------| path |
|              |            +------+
|              |       0..* +------+
|              |<>----------| arg  |
|              |            +------+
|              |       0..* +------+
|              |<>----------| env  |
|              |            +------+
+--------------+

              Figure 18: The Process Class
The aggregate classes that make up Process are:
name
Exactly one. STRING. The name of the program being executed. This is a short name; path and argument information are provided elsewhere.
pid
Zero or one. INTEGER. The process identifier of the process.
path
Zero or one. STRING. The full path of the program being executed.
arg
Zero or more. STRING. A command-line argument to the program. Multiple arguments may be specified (they are assumed to have occurred in the same order they are provided) with multiple uses of arg.
env
Zero or more. STRING. An environment string associated with the process; generally of the format "VARIABLE=value". Multiple environment strings may be specified with multiple uses of env.
This is represented in the IDMEF DTD as follows:
<!ELEMENT Process     ( name, pid?, path?, arg*, env* )>
<!ATTLIST Process
    ident               CDATA                   '0'
    %attlist.global;
>
The Process class has one attribute:
ident
Optional. A unique identifier for the process; see Section 3.2.9.
The Service class describes network services on sources and targets. It can identify services by name, port, and protocol. When Service occurs as an aggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" to the Node, Process, and User information also contained in Source. Likewise, when Service occurs as an aggregate class of Target, it is understood that the service is one to which activity of interest is being directed; and that the service is "attached" to the Node, Process, and User information also contained in Target. If Service occurs in both Source and Target, then information in both locations should be the same. If information is the same in both locations and implementers wish to carry it in only one location, they should specify it as an aggregate of the Target class.
The Service class is composed of four aggregate classes, as shown in Figure 19.
+-----------------------------+
|           Service           |
+-----------------------------+       0..1 +----------+
| STRING ident                |<>----------| name     |
| INTEGER ip_version          |            +----------+
| INTEGER iana_protocol_number|       0..1 +----------+
| STRING iana_protocol_name   |<>----------| port     |
|                             |            +----------+
|                             |       0..1 +----------+
|                             |<>----------| portlist |
|                             |            +----------+
|                             |       0..1 +----------+
|                             |<>----------| protocol |
|                             |            +----------+
+-----------------------------+
              /_\
               |
      +--------+--------+
      |                 |
+-------------+   +-------------+
| SNMPService |   | WebService  |
+-------------+   +-------------+

              Figure 19: The Service Class
The aggregate classes that make up Service are:
name
Zero or one. STRING. The name of the service. Whenever possible, the name from the IANA list of well-known ports SHOULD be used.
port
Zero or one. INTEGER. The port number being used.
portlist
Zero or one. PORTLIST. A list of port numbers being used; see Section 3.2.8 for formatting rules. If a portlist is given, the iana_protocol_number and iana_protocol_name MUST apply to all the elements of the list.
protocol
Zero or one. STRING. Additional information about the protocol being used. The intent of the protocol field is to carry additional information related to the protocol being used when the <Service> attributes iana_protocol_number and/or iana_protocol_name are filled in.
A Service MUST be specified as either (a) a name or a port or (b) a portlist. The protocol is optional in all cases, but no other combinations are permitted.
Service is represented in the IDMEF DTD as follows:
<!ELEMENT Service ( (((name, port?) | (port, name?)) | portlist), protocol?, SNMPService?, WebService? )> <!ATTLIST Service ident CDATA '0' ip_version CDATA #IMPLIED iana_protocol_number CDATA #IMPLIED iana_protocol_name CDATA #IMPLIED %attlist.global; >
<!元素服务(((名称,端口?)|(端口,名称?)|端口列表),协议?,SNMPService?,WebService?><!ATTLIST服务标识CDATA“0”ip#版本CDATA#隐含iana#U协议(U编号CDATA#隐含iana#U协议(U名称CDATA#隐含%ATTLIST.global;>
The Service class has four attributes:
ident
Optional. A unique identifier for the service; see Section 3.2.9.
ip_version
Optional. INTEGER. The IP version number.
iana_protocol_number
Optional. INTEGER. The IANA protocol number.
iana_protocol_name
Optional. STRING. The IANA protocol name.
The WebService class carries additional information related to web traffic.
The WebService class is composed of four aggregate classes, as shown in Figure 20.

            +-------------+
            |   Service   |
            +-------------+
                  /_\
                   |
            +-------------+
            | WebService  |
            +-------------+            +-------------+
            |             |<>----------|     url     |
            |             |            +-------------+
            |             |       0..1 +-------------+
            |             |<>----------|     cgi     |
            |             |            +-------------+
            |             |       0..1 +-------------+
            |             |<>----------| http-method |
            |             |            +-------------+
            |             |       0..* +-------------+
            |             |<>----------|     arg     |
            |             |            +-------------+
            +-------------+

Figure 20: The WebService Class
The aggregate classes that make up WebService are:
url
Exactly one. STRING. The URL in the request.
cgi
Zero or one. STRING. The CGI script in the request, without arguments.
http-method
Zero or one. STRING. The HTTP method (PUT, GET) used in the request.
arg
Zero or more. STRING. The arguments to the CGI script.
This is represented in the IDMEF DTD as follows:

   <!ELEMENT WebService                    (
       url, cgi?, http-method?, arg*
     )>
   <!ATTLIST WebService
       %attlist.global;
     >
The SNMPService class carries additional information related to SNMP traffic. The aggregate classes composing SNMPService must be interpreted as described in RFC 3411 [15] and RFC 3584 [16].
The SNMPService class is composed of eight aggregate classes, as shown in Figure 21.

            +-------------+
            |   Service   |
            +-------------+
                  /_\
                   |
            +-------------+
            | SNMPService |
            +-------------+       0..1 +----------------------+
            |             |<>----------| oid                  |
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------|messageProcessingModel|
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------| securityModel        |
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------| securityName         |
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------| securityLevel        |
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------| contextName          |
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------| contextEngineID      |
            |             |            +----------------------+
            |             |       0..1 +----------------------+
            |             |<>----------| command              |
            |             |            +----------------------+
            +-------------+

Figure 21: The SNMPService Class
The aggregate classes that make up SNMPService are:
oid
Zero or one. STRING. The object identifier in the request.
messageProcessingModel
Zero or one. INTEGER. The SNMP version, typically 0 for SNMPv1, 1 for SNMPv2c, 2 for SNMPv2u and SNMPv2*, and 3 for SNMPv3; see RFC 3411 [15] Section 5 for appropriate values.
securityModel
Zero or one. INTEGER. The identification of the security model in use, typically 0 for any, 1 for SNMPv1, 2 for SNMPv2c, and 3 for USM; see RFC 3411 [15] Section 5 for appropriate values.
securityName
Zero or one. STRING. The object's security name; see RFC 3411 [15] Section 3.2.2.
securityLevel
Zero or one. INTEGER. The security level of the SNMP request; see RFC 3411 [15] Section 3.4.3.
contextName
Zero or one. STRING. The object's context name; see RFC 3411 [15] Section 3.3.3.
contextEngineID
Zero or one. STRING. The object's context engine identifier; see RFC 3411 [15] Section 3.3.2.
command
Zero or one. STRING. The command sent to the SNMP server (GET, SET, etc.).
If other fields of an SNMP message are available and should be incorporated in the IDMEF alert, they must be located in the additionaldata structure with the meaning being an object definition defined in RFC 3411 [15] Section 5 and the value located within the additionaldata payload.
This is represented in the IDMEF DTD as follows:

   <!ELEMENT SNMPService                   (
       oid?, messageProcessingModel?, securityModel?, securityName?,
       securityLevel?, contextName?, contextEngineID?, command?
     )>
   <!ATTLIST SNMPService
       %attlist.global;
     >
The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute.
The File class is composed of eleven aggregate classes, as shown in Figure 22.

            +--------------+
            |     File     |
            +--------------+            +-------------+
            |              |<>----------| name        |
            |              |            +-------------+
            |              |            +-------------+
            |              |<>----------| path        |
            |              |            +-------------+
            |              |       0..1 +-------------+
            |              |<>----------| create-time |
            |              |            +-------------+
            |              |       0..1 +-------------+
            |              |<>----------| modify-time |
            |              |            +-------------+
            |              |       0..1 +-------------+
            |              |<>----------| access-time |
            |              |            +-------------+
            |              |       0..1 +-------------+
            |              |<>----------| data-size   |
            |              |            +-------------+
            |              |       0..1 +-------------+
            |              |<>----------| disk-size   |
            |              |            +-------------+
            |              |       0..* +-------------+
            |              |<>----------| FileAccess  |
            |              |            +-------------+
            |              |       0..* +-------------+
            |              |<>----------| Linkage     |
            |              |            +-------------+
            |              |       0..1 +-------------+
            |              |<>----------| Inode       |
            |              |            +-------------+
            |              |       0..* +-------------+
            |              |<>----------| Checksum    |
            |              |            +-------------+
            +--------------+

Figure 22: The File Class
The aggregate classes that make up File are:
name
Exactly one. STRING. The name of the file to which the alert applies, not including the path to the file.
path
Exactly one. STRING. The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
For Windows systems, the path should be specified using the Universal Naming Convention (UNC) for remote files, and using a drive letter for local files (e.g., "C:\boot.ini"). For Unix systems, paths on network file systems should use the name of the mounted resource instead of the local mount point (e.g., "fileserver:/usr/local/bin/foo"). The mount point can be provided using the <Linkage> element.
create-time
Zero or one. DATETIME. Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.
modify-time
Zero or one. DATETIME. Time the file was last modified.
access-time
Zero or one. DATETIME. Time the file was last accessed.
data-size
Zero or one. INTEGER. The size of the data, in bytes. This is typically what is meant by "file size". On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).
disk-size
Zero or one. INTEGER. The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).
FileAccess
Zero or more. Access permissions on the file.
Linkage
Zero or more. File system objects to which this file is linked (other references for the file).
Inode
Zero or one. Inode information for this file (relevant to Unix).
Checksum
Zero or more. Checksum information for this file.
This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.filecat              " ( current | original ) ">

   <!ELEMENT File                          (
       name, path, create-time?, modify-time?, access-time?,
       data-size?, disk-size?, FileAccess*, Linkage*, Inode?,
       Checksum*
     )>
   <!ATTLIST File
       ident               CDATA                   '0'
       category            %attvals.filecat;       #REQUIRED
       fstype              CDATA                   #IMPLIED
       file-type           CDATA                   #IMPLIED
       %attlist.global;
     >
The File class has four attributes (one required and three optional):
ident
Optional. A unique identifier for this file; see Section 3.2.9.
category
Required. The context for the information being provided. The permitted values are shown below. There is no default value. (See also Section 10.)

   +------+----------+-------------------------------------------------+
   | Rank | Keyword  | Description                                     |
   +------+----------+-------------------------------------------------+
   |    0 | current  | The file information is from after the reported |
   |      |          | change                                          |
   |      |          |                                                 |
   |    1 | original | The file information is from before the         |
   |      |          | reported change                                 |
   +------+----------+-------------------------------------------------+

fstype
Optional. The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.

   +------+---------+-------------------------------------+
   | Rank | Keyword | Description                         |
   +------+---------+-------------------------------------+
   |    0 | ufs     | Berkeley Unix Fast File System      |
   |    1 | efs     | Linux "efs" file system             |
   |    2 | nfs     | Network File System                 |
   |    3 | afs     | Andrew File System                  |
   |    4 | ntfs    | Windows NT File System              |
   |    5 | fat16   | 16-bit Windows FAT File System      |
   |    6 | fat32   | 32-bit Windows FAT File System      |
   |    7 | pcfs    | "PC" (MS-DOS) file system on CD-ROM |
   |    8 | joliet  | Joliet CD-ROM file system           |
   |    9 | iso9660 | ISO 9660 CD-ROM file system         |
   +------+---------+-------------------------------------+

file-type
Optional. The type of file, as a mime-type.
The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems.
The FileAccess class is composed of two aggregate classes, as shown in Figure 23.

            +--------------+
            |  FileAccess  |
            +--------------+            +------------+
            |              |<>----------|   UserId   |
            |              |            +------------+
            |              |       1..* +------------+
            |              |<>----------| Permission |
            |              |            +------------+
            +--------------+

Figure 23: The FileAccess Class
The aggregate classes that make up FileAccess are:
UserId
Exactly one. The user (or group) to which these permissions apply. The value of the "type" attribute must be "user-privs", "group-privs", or "other-privs" as appropriate. Other values for "type" MUST NOT be used in this context.
Permission
One or more. ENUM. Level of access allowed. The permitted values are shown below. There is no default value. (See also Section 10.)

   +------+-------------------+----------------------------------------+
   | Rank | Keyword           | Description                            |
   +------+-------------------+----------------------------------------+
   |    0 | noAccess          | No access at all is allowed for this   |
   |      |                   | user                                   |
   |      |                   |                                        |
   |    1 | read              | This user has read access to the file  |
   |      |                   |                                        |
   |    2 | write             | This user has write access to the file |
   |      |                   |                                        |
   |    3 | execute           | This user has the ability to execute   |
   |      |                   | the file                               |
   |      |                   |                                        |
   |    4 | search            | This user has the ability to search    |
   |      |                   | this file (applies to "execute"        |
   |      |                   | permission on directories in Unix)     |
   |      |                   |                                        |
   |    5 | delete            | This user has the ability to delete    |
   |      |                   | this file                              |
   |      |                   |                                        |
   |    6 | executeAs         | This user has the ability to execute   |
   |      |                   | this file as another user              |
   |      |                   |                                        |
   |    7 | changePermissions | This user has the ability to change    |
   |      |                   | the access permissions on this file    |
   |      |                   |                                        |
   |    8 | takeOwnership     | This user has the ability to take      |
   |      |                   | ownership of this file                 |
   +------+-------------------+----------------------------------------+

The "changePermissions" and "takeOwnership" strings represent those concepts in Windows. On Unix, the owner of the file always has "changePermissions" access, even if no other access is allowed for that user. "Full Control" in Windows is represented by enumerating the permissions it contains. The "executeAs" string represents the set-user-id and set-group-id features in Unix.
This is represented in the IDMEF DTD as follows:

   <!ELEMENT Permission                    EMPTY >
   <!ATTLIST Permission
       perms               %attvals.fileperm;      #REQUIRED
       %attlist.global;
     >

   <!ENTITY % attvals.fileperm             "( noAccess | read | write |
       execute | search | delete | executeAs | changePermissions |
       takeOwnership)" >
The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate.
The Linkage class is composed of three aggregate classes, as shown in Figure 24.

            +--------------+
            |   Linkage    |
            +--------------+            +------+
            |              |<>----------| name |
            |              |            +------+
            |              |            +------+
            |              |<>----------| path |
            |              |            +------+
            |              |            +------+
            |              |<>----------| File |
            |              |            +------+
            +--------------+

Figure 24: The Linkage Class
The aggregate classes that make up Linkage are:
name
Exactly one. STRING. The name of the file system object, not including the path.
path
Exactly one. STRING. The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
File
Exactly one. A <File> element may be used in place of the <name> and <path> elements if additional information about the file is to be included.
This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.linkcat              " ( hard-link | mount-point |
       reparse-point | shortcut | stream | symbolic-link ) ">

   <!ELEMENT Linkage                       (
       (name, path) | File
     )>
   <!ATTLIST Linkage
       category            %attvals.linkcat;       #REQUIRED
       %attlist.global;
     >

The Linkage class has one attribute:
category
The type of object that the link describes. The permitted values are shown below. There is no default value. (See also Section 10.)

   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | hard-link     | The <name> element represents another name |
   |      |               | for this file. This information may be     |
   |      |               | more easily obtainable on NTFS file        |
   |      |               | systems than others.                       |
   |      |               |                                            |
   |    1 | mount-point   | An alias for the directory specified by    |
   |      |               | the parent's <name> and <path> elements.   |
   |      |               |                                            |
   |    2 | reparse-point | Applies only to Windows; excludes symbolic |
   |      |               | links and mount points, which are specific |
   |      |               | types of reparse points.                   |
   |      |               |                                            |
   |    3 | shortcut      | The file represented by a Windows          |
   |      |               | "shortcut". A shortcut is distinguished    |
   |      |               | from a symbolic link because of the        |
   |      |               | difference in their contents, which may be |
   |      |               | of importance to the manager.              |
   |      |               |                                            |
   |    4 | stream        | An Alternate Data Stream (ADS) in Windows; |
   |      |               | a fork on MacOS. Separate file system      |
   |      |               | entity that is considered an extension of  |
   |      |               | the main <File>.                           |
   |      |               |                                            |
   |    5 | symbolic-link | The <name> element represents the file to  |
   |      |               | which the link points.                     |
   +------+---------------+--------------------------------------------+
The Inode class is used to represent the additional information contained in a Unix file system i-node.
The Inode class is composed of six aggregate classes, as shown in Figure 25.

            +--------------+
            |    Inode     |
            +--------------+            +----------------+
            |              |<>----------| change-time    |
            |              |            +----------------+
            |              |            +----------------+
            |              |<>----------| number         |
            |              |            +----------------+
            |              |            +----------------+
            |              |<>----------| major-device   |
            |              |            +----------------+
            |              |            +----------------+
            |              |<>----------| minor-device   |
            |              |            +----------------+
            |              |            +----------------+
            |              |<>----------| c-major-device |
            |              |            +----------------+
            |              |            +----------------+
            |              |<>----------| c-minor-device |
            |              |            +----------------+
            +--------------+

Figure 25: The Inode Class
The aggregate classes that make up Inode are:
change-time
Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat".
number
Zero or one. INTEGER. The inode number.
major-device
Zero or one. INTEGER. The major device number of the device the file resides on.
minor-device
Zero or one. INTEGER. The minor device number of the device the file resides on.
c-major-device
Zero or one. INTEGER. The major device of the file itself, if it is a character special device.
c-minor-device
Zero or one. INTEGER. The minor device of the file itself, if it is a character special device.
Note that <number>, <major-device>, and <minor-device> must be given together, and the <c-major-device> and <c-minor-device> must be given together.
This is represented in the IDMEF DTD as follows:

   <!ELEMENT Inode                         (
       change-time?, (number, major-device, minor-device)?,
       (c-major-device, c-minor-device)?
     )>
   <!ATTLIST Inode
       %attlist.global;
     >
The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others.
The Checksum class is composed of two aggregate classes, as shown in Figure 26.

            +--------------+
            |   Checksum   |
            +--------------+            +-------+
            | algorithm    |<>----------| value |
            |              |            +-------+
            |              |       0..1 +-------+
            |              |<>----------| key   |
            |              |            +-------+
            +--------------+

Figure 26: The Checksum Class
The aggregate classes that make up Checksum are:
value
Exactly one. STRING. The value of the checksum.
key
Zero or one. STRING. The key to the checksum, if appropriate.
This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.checksumalgos        " ( MD4 | MD5 | SHA1 |
       SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 | Haval | Tiger |
       Gost ) ">

   <!ELEMENT Checksum                      (
       value, key?
     )>
   <!ATTLIST Checksum
       algorithm           %attvals.checksumalgos; #REQUIRED
       %attlist.global;
     >

The Checksum class has one attribute:
algorithm
The cryptographic algorithm used for the computation of the checksum. The permitted values are shown below. There is no default value. (See also Section 10.)

   +------+----------+------------------------------------------+
   | Rank | Keyword  | Description                              |
   +------+----------+------------------------------------------+
   |    0 | MD4      | The MD4 algorithm.                       |
   |      |          |                                          |
   |    1 | MD5      | The MD5 algorithm.                       |
   |      |          |                                          |
   |    2 | SHA1     | The SHA1 algorithm.                      |
   |      |          |                                          |
   |    3 | SHA2-256 | The SHA2 algorithm with 256 bits length. |
   |      |          |                                          |
   |    4 | SHA2-384 | The SHA2 algorithm with 384 bits length. |
   |      |          |                                          |
   |    5 | SHA2-512 | The SHA2 algorithm with 512 bits length. |
   |      |          |                                          |
   |    6 | CRC-32   | The CRC algorithm with 32 bits length.   |
   |      |          |                                          |
   |    7 | Haval    | The Haval algorithm.                     |
   |      |          |                                          |
   |    8 | Tiger    | The Tiger algorithm.                     |
   |      |          |                                          |
   |    9 | Gost     | The Gost algorithm.                      |
   +------+----------+------------------------------------------+
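The File, FileAccess, Inode and Checksum classes above can be populated from stat() data; as an added example that is not the RFC's own code, the following Python builds one <File> element that way, keeping the children in DTD order, mapping st_size to data-size and 512 * st_blocks to disk-size, putting st_ctime under Inode rather than create-time, and deriving user-privs/group-privs/other-privs FileAccess entries from the mode bits. The DATETIME layout, the UserId <number> child and the fstype value are assumptions, and the file it describes is a temporary file it creates itself.

```python
"""Build an IDMEF <File> element from a local file's stat() data.

Added example, not RFC 4765 code. Mapping used: data-size = st_size,
disk-size = 512 * st_blocks (the UFS rule), Inode/change-time = st_ctime
(create-time is left out, since st_ctime is not creation time), and one
FileAccess per user/group/other set of mode bits using the Permission
keywords. DATETIME layout and the UserId <number> child are assumptions.
"""
import hashlib
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def _datetime(ts):
    """Render a POSIX timestamp as ISO 8601 UTC (assumed DATETIME layout)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def unix_permissions(mode, who):
    """Map one rwx triplet of a Unix mode to IDMEF Permission keywords.

    who is "user", "group" or "other". Directories get "search" instead of
    "execute"; setuid/setgid on an executable adds "executeAs"; the owner
    always gets "changePermissions", as the FileAccess text says for Unix.
    """
    shift = {"user": 6, "group": 3, "other": 0}[who]
    bits = (mode >> shift) & 0o7
    perms = []
    if bits & 0o4:
        perms.append("read")
    if bits & 0o2:
        perms.append("write")
    if bits & 0o1:
        perms.append("search" if stat.S_ISDIR(mode) else "execute")
        setid = {"user": stat.S_ISUID, "group": stat.S_ISGID, "other": 0}[who]
        if mode & setid:
            perms.append("executeAs")
    if who == "user":
        perms.append("changePermissions")
    return perms or ["noAccess"]


def build_file_element(path, category="current", fstype=None):
    """Return an ElementTree <File> describing path, children in DTD order."""
    st = os.stat(path)
    file_el = ET.Element("File", {"ident": "0", "category": category})
    if fstype:
        file_el.set("fstype", fstype)
    ET.SubElement(file_el, "name").text = os.path.basename(path)
    ET.SubElement(file_el, "path").text = os.path.abspath(path)
    ET.SubElement(file_el, "modify-time").text = _datetime(st.st_mtime)
    ET.SubElement(file_el, "access-time").text = _datetime(st.st_atime)
    ET.SubElement(file_el, "data-size").text = str(st.st_size)
    blocks = getattr(st, "st_blocks", None)  # absent on some platforms
    if blocks is not None:
        ET.SubElement(file_el, "disk-size").text = str(512 * blocks)
    for who, number in (("user", st.st_uid), ("group", st.st_gid), ("other", None)):
        access = ET.SubElement(file_el, "FileAccess")
        user_id = ET.SubElement(access, "UserId", {"type": f"{who}-privs"})
        if number is not None:
            ET.SubElement(user_id, "number").text = str(number)
        for keyword in unix_permissions(st.st_mode, who):
            ET.SubElement(access, "Permission", {"perms": keyword})
    inode = ET.SubElement(file_el, "Inode")
    ET.SubElement(inode, "change-time").text = _datetime(st.st_ctime)
    if hasattr(os, "major"):  # number, major-device, minor-device go together
        ET.SubElement(inode, "number").text = str(st.st_ino)
        ET.SubElement(inode, "major-device").text = str(os.major(st.st_dev))
        ET.SubElement(inode, "minor-device").text = str(os.minor(st.st_dev))
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    checksum = ET.SubElement(file_el, "Checksum", {"algorithm": "SHA2-256"})
    ET.SubElement(checksum, "value").text = digest.hexdigest()
    return file_el


def describe_constructed_file(content=b"constructed sample", mode=0o640):
    """Write a throwaway file with the given content and mode and describe it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        path = tmp.name
    try:
        os.chmod(path, mode)
        # fstype is a sample value here, not detected from the mount
        return build_file_element(path, category="current", fstype="ufs")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(ET.tostring(describe_constructed_file(), encoding="unicode"))
```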
As intrusion detection systems evolve, the IDMEF data model and DTD will have to evolve along with them. To allow new features to be added as they are developed, both the data model and the DTD can be extended as described in this section. As these extensions mature, they can then be incorporated into future versions of the specification.
There are two mechanisms for extending the IDMEF data model, inheritance and aggregation:
o Inheritance denotes a superclass/subclass type of relationship where the subclass inherits all the attributes, operations, and relationships of the superclass. This type of relationship is also called an "is-a" or "kind-of" relationship. Subclasses may have additional attributes or operations that apply only to the subclass and not to the superclass.
o Aggregation is a form of association in which the whole is related to its parts. This type of relationship is also referred to as a "part-of" relationship. In this case, the aggregate class contains all of its own attributes and as many of the attributes associated with its parts as required and specified by occurrence indicators.
Of the two mechanisms, inheritance is preferred, because it preserves the existing data model structure and also preserves the operations (methods) executed on the classes of the structure.
Note that the rules for extending the IDMEF DTD (see below) set limits on the places where extensions to the data model may be made.
There are two ways to extend the IDMEF DTD:
1. The AdditionalData class (see Section 4.2.4.6) allows implementors to include arbitrary "atomic" data items (integers, strings, etc.) in an Alert or Heartbeat message. This approach SHOULD be used whenever possible. See Section 7.4 and Section 7.5.
2. The AdditionalData class allows implementors to extend the IDMEF DTD with additional DTD "modules" that describe arbitrarily complex data types and relationships. The remainder of this section describes this extension method.
To extend the IDMEF DTD with a new DTD "module", the following steps MUST be followed:
1. The document declaration MUST define a DTD location that defines the namespace and contains the location of the extension DTD, and then reference that namespace.
2. Multiple extensions may be included by defining multiple namespaces and DTD locations, and referencing them.
3. Extension DTDs MUST declare all of their elements and attributes in a separate XML namespace. Extension DTDs MUST NOT declare any elements or attributes in the "idmef" or default namespaces.
4. Extensions MUST only be included in IDMEF Alert and Heartbeat messages under an <AdditionalData> element whose "type" attribute contains the value "xml". For example:
<idmef:IDMEF-Message version="1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:idmef="http://iana.org/idmef"
    xmlns:vendorco="http://vendor.com/idmef"
    xsi:schemaLocation="http://vendor.com/idmef http://v.com/vidmef.xsd">
  <idmef:Alert messageid="...">
    ...
    <idmef:AdditionalData type="xml" meaning="VendorExtension">
      <idmef:xml>
        <vendorco:TestVendor a="attribute of example"
            xmlns:vendorco="http://vendor.com/idmef"
            xsi:schemaLocation="http://vendor.com/idmef http://v.com/vidmef.xsd">
          <vendorco:content>content element of example</vendorco:content>
        </vendorco:TestVendor>
      </idmef:xml>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>

In this example, the "vendorco" namespace is defined and then referenced, causing the schema for the extension (pointed to here by xsi:schemaLocation) to be located and read by the XML parser.
See Section 7.8 for another example of extending the IDMEF DTD.
This section discusses some of the special considerations that must be taken into account by implementors of the IDMEF.
It is expected that IDMEF-compliant applications will not normally include the IDMEF DTD itself in their communications. Instead, the DTD will be referenced in the document type definition in the IDMEF message. Such IDMEF documents will be well-formed and valid as defined in [3].
Other IDMEF documents will be specified that do not include the document prolog (e.g., entries in an IDMEF-format database). Such IDMEF documents will be well-formed but not valid.
Generally, well-formedness implies that a document has a single element that contains everything else (e.g., "<Book>") and that all the other elements nest nicely within each other without any overlapping (e.g., a "chapter" does not start in the middle of another "chapter").
Validity further implies that not only is the document well-formed, but it also follows specific rules (contained in the Document Type Definition) about which elements are "legal" in the document, how those elements nest within other elements, and so on (e.g., a "chapter" does not begin in the middle of a "title"). A document cannot be valid unless it references a DTD.
XML processors are required to be able to parse any well-formed document, valid or not. The purpose of validation is to make the processing of that document (what's done with the data after it's parsed) easier. Without validation, a document may contain elements in nonsense order, elements "invented" by the author that the processing application doesn't understand, and so forth.
IDMEF documents MUST be well-formed. IDMEF documents SHOULD be valid whenever both possible and practical.
On occasion, an IDMEF-compliant application may receive a well-formed, or even well-formed and valid, IDMEF message containing tags that it does not understand. The tags may be either:
o Recognized as "legitimate" (a valid document), but the application does not know the semantic meaning of the element's content; or
o Not recognized at all.
IDMEF-compliant applications MUST continue to process IDMEF messages that contain unknown tags, provided that such messages meet the well-formedness requirement of Section 6.1. It is up to the individual application to decide how to process (or ignore) any content from the unknown element(s).
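The extension rules of Section 5 and the unknown-tag rule just stated can be checked mechanically. The following Python script is an added example, not code from RFC 4765 or from any IDMEF implementation: it walks a message with the standard-library parser, reports extension elements that sit anywhere other than under <AdditionalData type="xml"> or that put idmef-namespace or un-namespaced elements inside an extension, and records idmef elements it does not understand without rejecting the message. The KNOWN set, the two sample messages and their use of the "vendorco" namespace are constructed for the example. The standard-library parser used here does not fetch the DTD named in a document type declaration and does not resolve external entities; keep it that way (or configure a validating parser just as strictly) when messages come from analyzers you do not fully trust.

```python
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"

# Element names this (assumed) consumer understands. Any other idmef-namespace
# element is recorded as unknown and skipped, never treated as an error.
KNOWN = {
    "IDMEF-Message", "Alert", "Heartbeat", "Analyzer", "CreateTime", "DetectTime",
    "AnalyzerTime", "Source", "Target", "Classification", "Assessment",
    "AdditionalData", "xml", "Node", "Address", "Service", "User", "UserId",
    "Process", "Reference", "name", "address", "netmask", "location", "url",
    "port", "portlist", "pid", "path", "arg", "number",
}


def split_tag(tag):
    """ElementTree spells a namespaced tag '{uri}local'; an unprefixed tag has no brace."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def audit_message(xml_text, known=KNOWN):
    """Classify every element of one IDMEF-Message.

    Returns (violations, unknown, extensions):
      violations - one string per breach of rule 3 (extension element in the idmef or
                   the default namespace) or rule 4 (foreign element anywhere but under
                   AdditionalData type="xml");
      unknown    - idmef-namespace element names not in `known`; processing continues;
      extensions - (namespace, local name) of each correctly placed extension root.
    """
    root = ET.fromstring(xml_text)   # stdlib parser: no DTD fetch, no external entities
    violations, unknown, extensions = [], [], []

    def walk(el, parent_ns, in_xml_ext):
        ns, local = split_tag(el.tag)
        if ns == IDMEF_NS:
            if parent_ns not in (None, IDMEF_NS):
                violations.append("rule 3: idmef element <%s> inside an extension" % local)
            elif local not in known:
                unknown.append(local)
            child_ext = in_xml_ext or (local == "AdditionalData" and el.get("type") == "xml")
        elif ns == "":                       # no namespace at all
            violations.append("rule 3: <%s> is in the default namespace" % local)
            child_ext = in_xml_ext
        elif not in_xml_ext:
            violations.append('rule 4: <%s> (%s) outside AdditionalData type="xml"' % (local, ns))
            child_ext = False
        else:
            if parent_ns == IDMEF_NS:        # first foreign element below <idmef:xml>
                extensions.append((ns, local))
            child_ext = True
        for child in el:
            walk(child, ns, child_ext)

    walk(root, None, False)
    return violations, unknown, extensions


# Constructed samples. GOOD follows the Section 5 layout and carries one idmef
# element this consumer has never seen; BAD breaks rule 4 twice and rule 3 once.
GOOD = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef"
    xmlns:vendorco="http://vendor.com/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01"/>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464-05:00</idmef:CreateTime>
    <idmef:Classification text="Teardrop detected"/>
    <idmef:FutureElement>tolerated, not understood</idmef:FutureElement>
    <idmef:AdditionalData type="xml" meaning="VendorExtension">
      <idmef:xml>
        <vendorco:TestVendor a="attribute of example">
          <vendorco:content>content element of example</vendorco:content>
        </vendorco:TestVendor>
      </idmef:xml>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

BAD = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef"
    xmlns:vendorco="http://vendor.com/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01"/>
    <idmef:CreateTime>2000-03-09T10:01:25.93464-05:00</idmef:CreateTime>
    <vendorco:Score>9</vendorco:Score>
    <idmef:Classification text="Teardrop detected"/>
    <idmef:AdditionalData type="string">
      <vendorco:Note>wrong type attribute</vendorco:Note>
    </idmef:AdditionalData>
    <idmef:AdditionalData type="xml">
      <idmef:xml><vendorco:Ext><idmef:Node/></vendorco:Ext></idmef:xml>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_message(doc))
```

A consumer built on this keeps processing GOOD (one unknown element, one well-placed extension) and can quarantine or strip the offending parts of BAD instead of dropping the whole alert.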
Synchronization of time-of-day clocks between analyzers and managers is outside the scope of this document. However, the following comments and suggestions are offered:
1. Whenever possible, all analyzers and managers should have their time-of-day clocks synchronized to an external source such as NTP [7] or SNTP [8], the Global Positioning System (GPS), the Geosynchronous Operational Environmental Satellite (GOES) system, NIST radio station WWV clocks, or some other reliable time standard.
2. When external time synchronization is not possible, the IDMEF provides the <AnalyzerTime> element, which may be used to perform rudimentary time synchronization (see below).
3. IDMEF-compliant applications SHOULD permit the user to enable/ disable the <AnalyzerTime> method of time synchronization as a configuration option.
A number of caveats apply to the use of <AnalyzerTime> for time synchronization:
1. <AnalyzerTime> works best in a "flat" environment where analyzers report up to a single level of managers. When a tree topology of high-level managers, intermediate relays, and analyzers is used, the problem becomes more complex.
2. When intermediate message relays (managers or otherwise) are involved, two scenarios are possible:
* The intermediaries may forward entire IDMEF messages, or may perform aggregation or correlation, but MUST NOT inject delay. In this case, time synchronization is end-to-end between the analyzer and the highest-level manager.
* The intermediaries may inject delay, due to storage or additional processing. In this case, time synchronization MUST be performed at each hop. This means each intermediary must decompose the IDMEF message, adjust all time values, and then reconstruct the message before sending it on.
3. When the environment is mixed, with some analyzers and managers using external time synchronization and some not, all managers and intermediaries must perform <AnalyzerTime> synchronization. This is because determining whether or not compensation is actually needed between two parties rapidly becomes very complex, and requires knowledge of other parts of the topology.
4. If an alert can take alternate paths, or be stored in multiple locations, the recorded times may be different depending on the path taken.
The above being said, <AnalyzerTime> synchronization is probably still better than nothing in many environments. To implement this type of synchronization, the following procedure is suggested:
1. When an analyzer or manager sends an IDMEF message, it should place the current value of its time-of-day clock in an <AnalyzerTime> element. This should occur as late as possible in the message transmission process, ideally right before the message is "put on the wire".
2. When a manager receives an IDMEF message, it should compute the difference between its own time-of-day clock and the time in the <AnalyzerTime> element of the message. This difference should then be used to adjust the times in the <CreateTime> and <DetectTime> elements (NTP timestamps should also be adjusted).
3. If the manager is an intermediary and sends the IDMEF message on to a higher-level manager, and hop-by-hop synchronization is in effect, it should regenerate the <AnalyzerTime> value to contain the value of its own time-of-day clock.
From [8]:
Note that, since some time in 1968 (second 2,147,483,648) the most significant bit (bit 0 of the integer part) has been set and that the 64-bit field will overflow some time in 2036 (second 4,294,967,296). Should NTP or SNTP be in use in 2036, some external means will be necessary to qualify time relative to 1900 and time relative to 2036 (and other multiples of 136 years). There will exist a 200-picosecond interval, henceforth ignored, every 136 years when the 64-bit field will be 0, which by convention is interpreted as an invalid or unavailable timestamp.
IDMEF-compliant applications MUST NOT send a zero-valued NTP timestamp unless they mean to indicate that it is invalid or unavailable. If an IDMEF-compliant application must send an IDMEF message at the time of rollover, the application should wait for 200 picoseconds until the timestamp will have a non-zero value.
Also from [8]:
As the NTP timestamp format has been in use for the last 17 years, it remains a possibility that it will be in use 40 years from now when the seconds field overflows. As it is probably inappropriate to archive NTP timestamps before bit 0 was set in 1968, a convenient way to extend the useful life of NTP timestamps is the following convention:
If bit 0 is set, the UTC time is in the range 1968-2036 and UTC time is reckoned from 0h 0m 0s UTC on 1 January 1900.
If bit 0 is not set, the time is in the range 2036-2104 and UTC time is reckoned from 6h 28m 16s UTC on 7 February 2036.
Note that when calculating the correspondence, 2000 is not a leap year. Note also that leap seconds are not counted in the reckoning.
IDMEF-compliant applications in use after 2036-02-07T06:28:16Z MUST adhere to the above convention.
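The <AnalyzerTime> procedure of Section 6.3 and the NTP timestamp conventions quoted above share the same plumbing, so one script can show both. The following Python code is an added example, not part of RFC 4765 or of any IDMEF implementation: it parses the IDMEF dateTime and ntpstamp text forms, decodes an ntpstamp using the bit-0 era rule (all-zero meaning "unavailable"), encodes one so that post-2036 values come out with bit 0 clear, and performs the manager's steps of the procedure (offset from <AnalyzerTime>, applied to <CreateTime> and <DetectTime> text and ntpstamp, then <AnalyzerTime> regenerated for the next hop). The sample message is constructed after the Section 7.1.1 alert, and the manager's clock value (60 seconds ahead of the analyzer) is an assumption made for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
ET.register_namespace("idmef", IDMEF_NS)

TWO32 = 1 << 32
NTP_EPOCH_1900 = datetime(1900, 1, 1, tzinfo=timezone.utc)
# Second 2^32 of the 1900 era: the instant at which the seconds word wraps to zero.
NTP_EPOCH_2036 = datetime(2036, 2, 7, 6, 28, 16, tzinfo=timezone.utc)

# IDMEF dateTime text: YYYY-MM-DDThh:mm:ss with optional fraction, then Z or +hh:mm/-hh:mm
TIME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
                     r"(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_idmef_time(text):
    """Parse the IDMEF dateTime text form into a timezone-aware datetime."""
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError("not an IDMEF dateTime: %r" % text)
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micros = int((frac or "").ljust(6, "0")[:6])       # keep at most microseconds
    if tz == "Z":
        off = timedelta(0)
    else:
        off = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
        if tz[0] == "-":
            off = -off
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micros,
                    tzinfo=timezone(off))


def ntpstamp_to_datetime(stamp):
    """Decode '0xSECONDS.0xFRACTION'. All-zero means invalid/unavailable (None).
    Bit 0 of the seconds word picks the era: set -> from 1900, clear -> from 2036."""
    hi, lo = stamp.strip().split(".")
    secs, frac = int(hi, 16), int(lo, 16)
    if not (0 <= secs < TWO32 and 0 <= frac < TWO32):
        raise ValueError("ntpstamp words must be 32-bit: %r" % stamp)
    if secs == 0 and frac == 0:
        return None
    epoch = NTP_EPOCH_1900 if secs & 0x80000000 else NTP_EPOCH_2036
    micros = (frac * 1_000_000 + (1 << 31)) >> 32      # round to nearest microsecond
    return epoch + timedelta(seconds=secs, microseconds=micros)


def datetime_to_ntpstamp(dt):
    """Encode an aware datetime. Seconds are taken modulo 2^32, so times after the
    2036 rollover come out with bit 0 clear, as the convention requires."""
    delta = dt.astimezone(timezone.utc) - NTP_EPOCH_1900
    secs = (delta.days * 86400 + delta.seconds) % TWO32
    frac = (delta.microseconds * TWO32 + 500_000) // 1_000_000
    if secs == 0 and frac == 0:
        frac = 1        # a real instant must never be sent as the all-zero 'invalid' stamp
    return "0x%08x.0x%08x" % (secs, frac)


def adjust_message_times(xml_text, manager_now):
    """Manager side of the Section 6.3 procedure (steps 2 and 3).
    Returns the rewritten message and a list of (element name, adjusted datetime)."""
    root = ET.fromstring(xml_text)
    adjusted = []
    for msg in root.findall("idmef:Alert", NS) + root.findall("idmef:Heartbeat", NS):
        analyzer_time = msg.find("idmef:AnalyzerTime", NS)
        if analyzer_time is None:
            continue                      # no clock sample from the sender: leave times alone
        offset = manager_now - parse_idmef_time(analyzer_time.text)
        for tag in ("CreateTime", "DetectTime"):
            el = msg.find("idmef:" + tag, NS)
            if el is None:
                continue
            new = parse_idmef_time(el.text) + offset      # keeps the sender's UTC offset
            el.text = new.isoformat(timespec="microseconds")
            el.set("ntpstamp", datetime_to_ntpstamp(new))
            adjusted.append((tag, new))
        analyzer_time.text = manager_now.isoformat(timespec="microseconds")   # next hop
        analyzer_time.set("ntpstamp", datetime_to_ntpstamp(manager_now))
    return ET.tostring(root, encoding="unicode"), adjusted


# Constructed sample: the analyzer stamped AnalyzerTime 5 s after CreateTime, and its
# clock is assumed to run 60 s behind the manager's.
SAMPLE = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01"/>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">
      2000-03-09T10:01:25.93464-05:00
    </idmef:CreateTime>
    <idmef:AnalyzerTime ntpstamp="0xbc723b4a.0x00000000">
      2000-03-09T10:01:30-05:00
    </idmef:AnalyzerTime>
    <idmef:Classification text="Teardrop detected"/>
  </idmef:Alert>
</idmef:IDMEF-Message>"""
MANAGER_NOW = datetime(2000, 3, 9, 15, 2, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    out, changed = adjust_message_times(SAMPLE, MANAGER_NOW)
    print(out)
    for tag, when in changed:
        print(tag, "->", when.isoformat(), datetime_to_ntpstamp(when))
```

The ntpstamp written back is recomputed from the adjusted datetime rather than shifted arithmetically, so the two representations cannot drift apart; the price is microsecond truncation of the 32-bit fraction, which is why the re-encoded fraction can differ from the original in its last bit.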
Standard XML digital signature processing rules and syntax are specified in [13]. XML Signatures provide integrity, message authentication, and/or signer authentication services for data of any type, whether located within the XML that includes the signature or elsewhere.
The IDMEF requirements document [2] assigns responsibility for message integrity and authentication to the communications protocol, not the message format. However, in situations where IDMEF messages are exchanged over other, less secure protocols, or in cases where the digital signatures must be archived for later use, the inclusion of digital signatures within an IDMEF message itself may be desirable.
Specifications for the use of digital signatures within IDMEF messages are outside the scope of this document. However, if such functionality is needed, use of the XML Signature standard is RECOMMENDED.
The examples shown in this section demonstrate how the IDMEF is used to encode alert data. These examples are for illustrative purposes only, and do not necessarily represent the only (or even the "best") way to encode these particular alerts. These examples should not be taken as guidelines on how alerts should be classified.
The following examples show how some common denial-of-service attacks could be represented in the IDMEF.
Network-based detection of the "teardrop" attack. This shows the basic format of an alert.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01">
      <idmef:Node category="dns">
        <idmef:location>Headquarters DMZ Network</idmef:location>
        <idmef:name>analyzer01.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">
      2000-03-09T10:01:25.93464-05:00
    </idmef:CreateTime>
    <idmef:Source ident="a1b2c3d4">
      <idmef:Node ident="a1b2c3d4-001" category="dns">
        <idmef:name>badguy.example.net</idmef:name>
        <idmef:Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <idmef:address>192.0.2.50</idmef:address>
          <idmef:netmask>255.255.255.255</idmef:netmask>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="d1c2b3a4">
      <idmef:Node ident="d1c2b3a4-001" category="dns">
        <idmef:Address category="ipv4-addr-hex">
          <idmef:address>0xde796f70</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Teardrop detected">
      <idmef:Reference origin="bugtraqid">
        <idmef:name>124</idmef:name>
        <idmef:url>http://www.securityfocus.com/bid/124</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
Network-based detection of the "ping of death" attack. Note the identification of multiple targets, and the identification of the source as a spoofed address.
NOTE: The URL has been cut to fit the IETF formatting requirements.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns">
        <idmef:name>sensor.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71f4f5.0xef449129">
      2000-03-09T10:01:25.93464Z
    </idmef:CreateTime>
    <idmef:Source ident="a1a2" spoofed="yes">
      <idmef:Node ident="a1a2-1">
        <idmef:Address ident="a1a2-2" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="b3b4">
      <idmef:Node>
        <idmef:Address ident="b3b4-1" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="c5c6">
      <idmef:Node ident="c5c6-1" category="nisplus">
        <idmef:name>lollipop</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Target ident="d7d8">
      <idmef:Node ident="d7d8-1">
        <idmef:location>Cabinet B10</idmef:location>
        <idmef:name>Cisco.router.b10</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Ping-of-death detected">
      <idmef:Reference origin="cve">
        <idmef:name>CVE-1999-128</idmef:name>
        <idmef:url>http://www.cve.mitre.org/cgi-bin/
          cvename.cgi?name=CVE-1999-128</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
The following examples show how some common port scanning attacks could be represented in the IDMEF.
Host-based detection of a policy violation (attempt to obtain information via "finger"). Note the identification of the target service, as well as the originating user (obtained, e.g., through RFC 1413 [11]).
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns">
        <idmef:name>sensor.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc72541d.0x00000000">
      2000-03-09T18:47:25+02:00
    </idmef:CreateTime>
    <idmef:Source ident="a123">
      <idmef:Node ident="a123-01">
        <idmef:Address ident="a123-02" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:User ident="q987-03" category="os-device">
        <idmef:UserId ident="q987-04" type="target-user">
          <idmef:name>badguy</idmef:name>
        </idmef:UserId>
      </idmef:User>
      <idmef:Service ident="a123-03">
        <idmef:port>31532</idmef:port>
      </idmef:Service>
    </idmef:Source>
    <idmef:Target ident="z456">
      <idmef:Node ident="z456-01" category="nis">
        <idmef:name>myhost</idmef:name>
        <idmef:Address ident="z456-02" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ident="z456-03">
        <idmef:name>finger</idmef:name>
        <idmef:port>79</idmef:port>
      </idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Portscan">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>finger</idmef:name>
        <idmef:url>http://www.vendor.com/finger</idmef:url>
      </idmef:Reference>
      <idmef:Reference origin="vendor-specific" meaning="general documentation">
        <idmef:name>Distributed attack</idmef:name>
        <idmef:url>http://www.vendor.com/distributed</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
Network-based detection of a port scan. This shows detection by a single analyzer; see Section 7.5 for the same attack as detected by a correlation engine. Note the use of <portlist> to show the ports that were scanned.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer62">
      <idmef:Node category="dns">
        <idmef:location>Headquarters Web Server</idmef:location>
        <idmef:name>analyzer62.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc72b2b4.0x00000000">
      2000-03-09T15:31:00-08:00
    </idmef:CreateTime>
    <idmef:Source ident="abc01">
      <idmef:Node ident="abc01-01">
        <idmef:Address ident="abc01-02" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="def01">
      <idmef:Node ident="def01-01" category="dns">
        <idmef:name>www.example.com</idmef:name>
        <idmef:Address ident="def01-02" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ident="def01-03">
        <idmef:portlist>5-25,37,42,43,53,69-119,123-514
        </idmef:portlist>
      </idmef:Service>
    </idmef:Target>
    <idmef:Classification text="simple portscan">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>portscan</idmef:name>
        <idmef:url>http://www.vendor.com/portscan</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
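As an added illustration that is not part of the RFC, the following Python script consumes an alert of the shape shown above: it pulls the source and target endpoints, the classification and its references out of the message and expands the <portlist> into individual ports. The embedded input is constructed from the port scan example (with the list wrapped across a line, as it is in the text). The port-list grammar assumed here is the one from the IDMEF data types of Section 3 (comma-separated ports and low-high ranges with optional whitespace); malformed items, reversed ranges and ports above 65535 are rejected rather than silently dropped, since a consumer that quietly shrinks a scanned-port list misreports the scope of the scan.

```python
import re
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}


def expand_portlist(text):
    """Expand an IDMEF portlist such as '5-25,37,42,43,53,69-119,123-514' into the
    set of ports it denotes. Whitespace anywhere is ignored; an empty item, a
    non-numeric token, a reversed range or a port above 65535 raises ValueError."""
    ports = set()
    for token in re.sub(r"\s+", "", text).split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
        if not m:
            raise ValueError("bad portlist item %r" % token)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % token)
        ports.update(range(lo, hi + 1))
    return ports


def endpoint(el):
    """Summarize a Source or Target as (node name, [addresses], sorted ports).
    Ports come from every Service child, whether given as <port> or <portlist>."""
    node = el.find("idmef:Node", NS)
    name, addrs = None, []
    if node is not None:
        name = node.findtext("idmef:name", namespaces=NS)
        addrs = [a.findtext("idmef:address", namespaces=NS)
                 for a in node.findall("idmef:Address", NS)]
    ports = set()
    for svc in el.findall("idmef:Service", NS):
        port = svc.findtext("idmef:port", namespaces=NS)
        if port:
            ports.add(int(port))
        portlist = svc.findtext("idmef:portlist", namespaces=NS)
        if portlist:
            ports |= expand_portlist(portlist)
    return name, addrs, sorted(ports)


def summarize_alert(xml_text):
    """Pull the fields an analyst triages on out of the first Alert in a message."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    cls = alert.find("idmef:Classification", NS)
    return {
        "messageid": alert.get("messageid"),
        "classification": cls.get("text"),
        "references": [(r.get("origin"), r.findtext("idmef:name", namespaces=NS))
                       for r in cls.findall("idmef:Reference", NS)],
        "sources": [endpoint(s) for s in alert.findall("idmef:Source", NS)],
        "targets": [endpoint(t) for t in alert.findall("idmef:Target", NS)],
    }


# Constructed input, following the port scan example above.
PORTSCAN = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer62">
      <idmef:Node category="dns"><idmef:name>analyzer62.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc72b2b4.0x00000000">2000-03-09T15:31:00-08:00</idmef:CreateTime>
    <idmef:Source ident="abc01">
      <idmef:Node ident="abc01-01">
        <idmef:Address ident="abc01-02" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="def01">
      <idmef:Node ident="def01-01" category="dns">
        <idmef:name>www.example.com</idmef:name>
        <idmef:Address ident="def01-02" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ident="def01-03">
        <idmef:portlist>5-25,37,42,43,53,69-119,123-514
        </idmef:portlist>
      </idmef:Service>
    </idmef:Target>
    <idmef:Classification text="simple portscan">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>portscan</idmef:name>
        <idmef:url>http://www.vendor.com/portscan</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

if __name__ == "__main__":
    summary = summarize_alert(PORTSCAN)
    name, addrs, ports = summary["targets"][0]
    print(summary["classification"], name, addrs, len(ports), "ports")
```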
The following examples show how some common local host attacks could be represented in the IDMEF.
Host-based detection of the "loadmodule" exploit. This attack involves tricking the "loadmodule" program into running another program; since "loadmodule" is set-user-id "root", the executed program runs with super-user privileges. Note the use of <User> and <Process> to identify the user attempting the exploit and how he's doing it.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-fs-sensor13">
      <idmef:Node category="dns">
        <idmef:name>fileserver.example.com</idmef:name>
      </idmef:Node>
      <idmef:Process>
        <idmef:name>monitor</idmef:name>
        <idmef:pid>8956</idmef:pid>
        <idmef:arg>monitor</idmef:arg>
        <idmef:arg>-d</idmef:arg>
        <idmef:arg>-m</idmef:arg>
        <idmef:arg>idmanager.example.com</idmef:arg>
        <idmef:arg>-l</idmef:arg>
        <idmef:arg>/var/logs/idlog</idmef:arg>
      </idmef:Process>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc7221c0.0x4ccccccc">
      2000-03-09T08:12:32.3-05:00
    </idmef:CreateTime>
    <idmef:Source ident="a1a2">
      <idmef:User ident="a1a2-01" category="os-device">
        <idmef:UserId ident="a1a2-02" type="original-user">
          <idmef:name>joe</idmef:name>
          <idmef:number>13243</idmef:number>
        </idmef:UserId>
      </idmef:User>
      <idmef:Process ident="a1a2-03">
        <idmef:name>loadmodule</idmef:name>
        <idmef:path>/usr/openwin/bin</idmef:path>
      </idmef:Process>
    </idmef:Source>
    <idmef:Target ident="z3z4">
      <idmef:Node ident="z3z4-01" category="dns">
        <idmef:name>fileserver.example.com</idmef:name>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Loadmodule attack" ident="loadmodule">
      <idmef:Reference origin="bugtraqid">
        <idmef:name>33</idmef:name>
        <idmef:url>http://www.securityfocus.com</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
The Intrusion Detection System (IDS) could also indicate that the target user is the "root" user, and show the attempted command; the alert might then look like:
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-fs-sensor13">
      <idmef:Node category="dns">
        <idmef:name>fileserver.example.com</idmef:name>
      </idmef:Node>
      <idmef:Process>
        <idmef:name>monitor</idmef:name>
        <idmef:pid>8956</idmef:pid>
        <idmef:arg>monitor</idmef:arg>
        <idmef:arg>-d</idmef:arg>
        <idmef:arg>-m</idmef:arg>
        <idmef:arg>idmanager.example.com</idmef:arg>
        <idmef:arg>-l</idmef:arg>
        <idmef:arg>/var/logs/idlog</idmef:arg>
      </idmef:Process>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc7221c0.0x4ccccccc">
      2000-03-09T08:12:32.3-05:00
    </idmef:CreateTime>
    <idmef:Source ident="a1a2">
      <idmef:User ident="a1a2-01" category="os-device">
        <idmef:UserId ident="a1a2-02" type="original-user">
          <idmef:name>joe</idmef:name>
          <idmef:number>13243</idmef:number>
        </idmef:UserId>
      </idmef:User>
      <idmef:Process ident="a1a2-03">
        <idmef:name>loadmodule</idmef:name>
        <idmef:path>/usr/openwin/bin</idmef:path>
      </idmef:Process>
    </idmef:Source>
    <idmef:Target ident="z3z4">
      <idmef:Node ident="z3z4-01" category="dns">
        <idmef:name>fileserver.example.com</idmef:name>
      </idmef:Node>
      <idmef:User ident="z3z4-02" category="os-device">
        <idmef:UserId ident="z3z4-03" type="target-user">
          <idmef:name>root</idmef:name>
          <idmef:number>0</idmef:number>
        </idmef:UserId>
      </idmef:User>
      <idmef:Process ident="z3z4-04">
        <idmef:name>sh</idmef:name>
        <idmef:pid>25134</idmef:pid>
        <idmef:path>/bin/sh</idmef:path>
      </idmef:Process>
    </idmef:Target>
    <idmef:Classification text="Loadmodule attack" ident="loadmodule">
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
Note that the "ident" attribute of the Classification element is used here to identify the classification.
Network-based detection of the "phf" attack. Note the use of the <WebService> element to provide more details about this particular attack.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-sensor01">
      <idmef:Node category="dns">
        <idmef:name>sensor.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71e980.0x00000000">
      2000-03-09T08:12:32-01:00
    </idmef:CreateTime>
    <idmef:Source ident="abc123">
      <idmef:Node ident="abc123-001">
        <idmef:Address ident="abc123-002" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ident="abc123-003">
        <idmef:port>21534</idmef:port>
      </idmef:Service>
    </idmef:Source>
    <idmef:Target ident="xyz789">
      <idmef:Node ident="xyz789-001" category="dns">
        <idmef:name>www.example.com</idmef:name>
        <idmef:Address ident="xyz789-002" category="ipv4-addr">
          <idmef:address>192.0.2.100</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service>
        <idmef:port>8080</idmef:port>
        <idmef:WebService>
          <idmef:url>
            http://www.example.com/cgi-bin/phf?/etc/group
          </idmef:url>
          <idmef:cgi>/cgi-bin/phf</idmef:cgi>
          <idmef:http-method>GET</idmef:http-method>
        </idmef:WebService>
      </idmef:Service>
    </idmef:Target>
    <idmef:Classification text="phf attack">
      <idmef:Reference origin="bugtraqid">
        <idmef:name>629</idmef:name>
        <idmef:url>
          http://www.securityfocus.com/bid/629
        </idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
Host-based detection of a race condition attack. Note the use of the <File> element to provide information about the files that are used to perform the attack.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert>
    <idmef:Analyzer analyzerid="bids-192.0.2.1" ostype="Linux"
                    osversion="2.2.16-3">
      <idmef:Node category="hosts">
        <idmef:name>etude</idmef:name>
        <idmef:Address category="ipv4-addr">
          <idmef:address>192.0.2.1</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71e980.0x00000000">
      2000-03-09T08:12:32-01:00
    </idmef:CreateTime>
    <idmef:Source spoofed="no">
      <idmef:Node>
        <idmef:location>console</idmef:location>
        <idmef:Address category="ipv4-addr">
          <idmef:address>192.0.2.1</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target decoy="no">
      <idmef:Node>
        <idmef:location>local</idmef:location>
        <idmef:Address category="ipv4-addr">
          <idmef:address>192.0.2.1</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:User category="os-device">
        <idmef:UserId type="original-user">
          <idmef:number>456</idmef:number>
        </idmef:UserId>
        <idmef:UserId type="current-user">
          <idmef:name>fred</idmef:name>
          <idmef:number>456</idmef:number>
        </idmef:UserId>
        <idmef:UserId type="user-privs">
          <idmef:number>456</idmef:number>
        </idmef:UserId>
      </idmef:User>
      <idmef:File category="current" fstype="tmpfs">
        <idmef:name>xxx000238483</idmef:name>
        <idmef:path>/tmp/xxx000238483</idmef:path>
        <idmef:FileAccess>
          <idmef:UserId type="user-privs">
            <idmef:name>alice</idmef:name>
            <idmef:number>777</idmef:number>
          </idmef:UserId>
          <idmef:permission perms="read" />
          <idmef:permission perms="write" />
          <idmef:permission perms="delete" />
          <idmef:permission perms="changePermissions" />
        </idmef:FileAccess>
        <idmef:FileAccess>
          <idmef:UserId type="group-privs">
            <idmef:name>user</idmef:name>
            <idmef:number>42</idmef:number>
          </idmef:UserId>
          <idmef:permission perms="read" />
          <idmef:permission perms="write" />
          <idmef:permission perms="delete" />
        </idmef:FileAccess>
        <idmef:FileAccess>
          <idmef:UserId type="other-privs">
            <idmef:name>world</idmef:name>
          </idmef:UserId>
          <idmef:permission perms="noAccess" />
        </idmef:FileAccess>
        <idmef:Linkage category="symbolic-link">
          <idmef:name>passwd</idmef:name>
          <idmef:path>/etc/passwd</idmef:path>
        </idmef:Linkage>
      </idmef:File>
    </idmef:Target>
    <idmef:Classification text="DOM race condition">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>DOM race condition</idmef:name>
        <idmef:url>file://attack-info/race.html</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
  </idmef:Alert>
</idmef:IDMEF-Message>
In this example, logins are restricted to daytime hours. The alert reports a violation of this policy that occurs when a user logs in a little after 10:00 pm. Note the use of <AdditionalData> to provide information about the policy being violated.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-ds-01">
      <idmef:Node category="dns">
        <idmef:name>dialserver.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc72e7ef.0x00000000">
      2000-03-09T22:18:07-05:00
    </idmef:CreateTime>
    <idmef:Source ident="s01">
      <idmef:Node ident="s01-1">
        <idmef:Address category="ipv4-addr">
          <idmef:address>127.0.0.1</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ident="s01-2">
        <idmef:port>4325</idmef:port>
      </idmef:Service>
    </idmef:Source>
    <idmef:Target ident="t01">
      <idmef:Node ident="t01-1" category="dns">
        <idmef:name>mainframe.example.com</idmef:name>
      </idmef:Node>
      <idmef:User ident="t01-2" category="os-device">
        <idmef:UserId ident="t01-3" type="current-user">
          <idmef:name>louis</idmef:name>
          <idmef:number>501</idmef:number>
        </idmef:UserId>
      </idmef:User>
      <idmef:Service ident="t01-4">
        <idmef:name>login</idmef:name>
        <idmef:port>23</idmef:port>
      </idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Login policy violation">
      <idmef:Reference origin="user-specific">
        <idmef:name>out-of-hours activity</idmef:name>
        <idmef:url>http://my.company.com/policies</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:AdditionalData type="date-time" meaning="start-time">
      <idmef:date-time>2000-03-09T07:00:00-05:00</idmef:date-time>
    </idmef:AdditionalData>
    <idmef:AdditionalData type="date-time" meaning="stop-time">
      <idmef:date-time>2000-03-09T19:30:00-05:00</idmef:date-time>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>
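A manager receiving the alert above can re-derive the policy verdict from the message itself, because the window is carried as two "date-time" AdditionalData elements and the event time as CreateTime. The following Python is an added example, not code from the RFC or from any IDMEF implementation; it parses a constructed copy of the alert (trimmed to the elements the check reads) and decides whether the login falls outside the reported window. The function names and the trimmed sample are assumptions made for this example; the comparison is done on offset-aware datetimes, so an event reported in a different time zone than the policy window is still judged in absolute time.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"idmef": "http://iana.org/idmef"}

# Constructed sample: the out-of-hours login alert from the text, trimmed to
# the elements the check reads (Source and the Analyzer's Node are omitted).
LOGIN_ALERT = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-ds-01"/>
    <idmef:CreateTime ntpstamp="0xbc72e7ef.0x00000000">
      2000-03-09T22:18:07-05:00
    </idmef:CreateTime>
    <idmef:Target ident="t01">
      <idmef:User ident="t01-2" category="os-device">
        <idmef:UserId ident="t01-3" type="current-user">
          <idmef:name>louis</idmef:name>
        </idmef:UserId>
      </idmef:User>
    </idmef:Target>
    <idmef:Classification text="Login policy violation"/>
    <idmef:AdditionalData type="date-time" meaning="start-time">
      <idmef:date-time>2000-03-09T07:00:00-05:00</idmef:date-time>
    </idmef:AdditionalData>
    <idmef:AdditionalData type="date-time" meaning="stop-time">
      <idmef:date-time>2000-03-09T19:30:00-05:00</idmef:date-time>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def additional_data(alert, meaning, typ):
    """Return the text of the typed child of the AdditionalData element whose
    'meaning' and 'type' both match, or None if the alert has no such element.
    Matching on 'type' too guards against a string where a date-time is expected."""
    for ad in alert.findall("idmef:AdditionalData", NS):
        if ad.get("meaning") == meaning and ad.get("type") == typ:
            child = ad.find(f"idmef:{typ}", NS)
            return child.text.strip() if child is not None and child.text else None
    return None


def check_login_window(xml_text):
    """Re-derive the verdict of a login-policy alert: is the event time
    (CreateTime) outside the [start-time, stop-time] window the alert carries?
    All three values are offset-aware ISO 8601 strings, so the comparison is
    made in absolute time regardless of the zone each was reported in."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    event = datetime.fromisoformat(
        alert.findtext("idmef:CreateTime", namespaces=NS).strip())
    start_text = additional_data(alert, "start-time", "date-time")
    stop_text = additional_data(alert, "stop-time", "date-time")
    if start_text is None or stop_text is None:
        raise ValueError("alert does not carry both start-time and stop-time")
    start = datetime.fromisoformat(start_text)
    stop = datetime.fromisoformat(stop_text)
    user = alert.findtext("idmef:Target/idmef:User/idmef:UserId/idmef:name",
                          namespaces=NS)
    return {
        "user": user,
        "event": event,
        "window": (start, stop),
        "violation": not (start <= event <= stop),   # window bounds inclusive
    }


if __name__ == "__main__":
    verdict = check_login_window(LOGIN_ALERT)
    print(verdict["user"], verdict["event"].isoformat(),
          "VIOLATION" if verdict["violation"] else "within hours")
```

Because the window and the event are compared as aware datetimes, an event reported as 2000-03-09T12:00:00+00:00 is treated as 07:00 in the -05:00 zone of the policy, i.e. exactly the start of the window, and is not flagged.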
The following example shows how the port scan alert from Section 7.2.2 could be represented if it had been detected and sent from a correlation engine, instead of a single analyzer.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-corr-01">
      <idmef:Node category="dns">
        <idmef:name>correlator01.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc72423b.0x00000000">
      2000-03-09T15:31:07Z
    </idmef:CreateTime>
    <idmef:Source ident="a1">
      <idmef:Node ident="a1-1">
        <idmef:Address ident="a1-2" category="ipv4-addr">
          <idmef:address>192.0.2.200</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="a2">
      <idmef:Node ident="a2-1" category="dns">
        <idmef:name>www.example.com</idmef:name>
        <idmef:Address ident="a2-2" category="ipv4-addr">
          <idmef:address>192.0.2.50</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ident="a2-3">
        <idmef:portlist>5-25,37,42,43,53,69-119,123-514</idmef:portlist>
      </idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Portscan">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>portscan</idmef:name>
        <idmef:url>http://www.vendor.com/portscan</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:CorrelationAlert>
      <idmef:name>multiple ports in short time</idmef:name>
      <idmef:alertident>123456781</idmef:alertident>
      <idmef:alertident>123456782</idmef:alertident>
      <idmef:alertident>123456783</idmef:alertident>
      <idmef:alertident>123456784</idmef:alertident>
      <idmef:alertident>123456785</idmef:alertident>
      <idmef:alertident>123456786</idmef:alertident>
      <idmef:alertident analyzerid="a1b2c3d4">987654321</idmef:alertident>
      <idmef:alertident analyzerid="a1b2c3d4">987654322</idmef:alertident>
    </idmef:CorrelationAlert>
  </idmef:Alert>
</idmef:IDMEF-Message>
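Three details of the correlated alert above deserve a concrete check on the consuming side: the CreateTime carries both an ntpstamp and an ISO 8601 text form that must agree, the portlist is a compact range syntax that has to be expanded before counting or matching ports, and each alertident is only unique within one analyzer, so a bare one refers to the correlator's own analyzerid while an explicit analyzerid attribute points elsewhere. The Python below is an added example, not code from the RFC or from any IDMEF implementation; it parses a constructed copy of the alert (the Reference element dropped, whitespace tightened) and reports all three. The helper names are assumptions made for this example. The ntpstamp conversion is the general one for any 64-bit NTP timestamp in the current NTP era, not just the values on this page.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"idmef": "http://iana.org/idmef"}
NTP_UNIX_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01

# Constructed sample: the correlated port-scan alert from the text.
CORRELATED_PORTSCAN = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="bc-corr-01">
      <idmef:Node category="dns"><idmef:name>correlator01.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc72423b.0x00000000">2000-03-09T15:31:07Z</idmef:CreateTime>
    <idmef:Source ident="a1">
      <idmef:Node ident="a1-1">
        <idmef:Address ident="a1-2" category="ipv4-addr"><idmef:address>192.0.2.200</idmef:address></idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="a2">
      <idmef:Node ident="a2-1" category="dns"><idmef:name>www.example.com</idmef:name></idmef:Node>
      <idmef:Service ident="a2-3"><idmef:portlist>5-25,37,42,43,53,69-119,123-514 </idmef:portlist></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Portscan"/>
    <idmef:CorrelationAlert>
      <idmef:name>multiple ports in short time</idmef:name>
      <idmef:alertident>123456781</idmef:alertident>
      <idmef:alertident>123456782</idmef:alertident>
      <idmef:alertident>123456783</idmef:alertident>
      <idmef:alertident>123456784</idmef:alertident>
      <idmef:alertident>123456785</idmef:alertident>
      <idmef:alertident>123456786</idmef:alertident>
      <idmef:alertident analyzerid="a1b2c3d4">987654321</idmef:alertident>
      <idmef:alertident analyzerid="a1b2c3d4">987654322</idmef:alertident>
    </idmef:CorrelationAlert>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def ntpstamp_to_datetime(ntpstamp):
    """Convert an IDMEF ntpstamp ('0xSECONDS.0xFRACTION', seconds since the
    1900 NTP epoch, fraction a 32-bit binary fraction) to an aware UTC datetime.
    Only NTP era 0 (dates before 2036) is handled; the IDMEF examples are in it."""
    m = re.fullmatch(r"0x([0-9a-fA-F]{1,8})\.0x([0-9a-fA-F]{1,8})", ntpstamp.strip())
    if not m:
        raise ValueError(f"malformed ntpstamp: {ntpstamp!r}")
    seconds = int(m.group(1), 16) - NTP_UNIX_OFFSET
    micros = round(int(m.group(2), 16) * 1_000_000 / 2 ** 32)
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds, microseconds=micros)


def parse_idmef_datetime(text):
    """Parse the ISO 8601 text form used in CreateTime.  fromisoformat() on
    Python < 3.11 rejects a trailing 'Z', so normalise it to '+00:00' first."""
    t = text.strip()
    if t.endswith("Z"):
        t = t[:-1] + "+00:00"
    return datetime.fromisoformat(t)


def expand_portlist(portlist):
    """Expand an IDMEF portlist such as '5-25,37,42,43,53,69-119,123-514'
    into a sorted list of individual port numbers, rejecting bad ranges."""
    ports = set()
    for item in portlist.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def summarise_correlation(xml_text):
    """Extract what an operator needs from a CorrelationAlert: timestamp
    agreement, source addresses, how many ports were touched, and the
    (analyzerid, alertident) pairs that identify the constituent alerts."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    own_id = alert.find("idmef:Analyzer", NS).get("analyzerid")
    ct = alert.find("idmef:CreateTime", NS)
    text_time = parse_idmef_datetime(ct.text)
    ntp_time = ntpstamp_to_datetime(ct.get("ntpstamp"))
    portlist = alert.findtext("idmef:Target/idmef:Service/idmef:portlist", default="", namespaces=NS)
    corr = alert.find("idmef:CorrelationAlert", NS)
    # A bare alertident belongs to the sending analyzer; an explicit
    # analyzerid attribute names the analyzer that originally raised it.
    refs = [(ai.get("analyzerid", own_id), ai.text.strip())
            for ai in corr.findall("idmef:alertident", NS)] if corr is not None else []
    return {
        "analyzerid": own_id,
        "create_time": text_time,
        "timestamps_agree": abs((text_time - ntp_time).total_seconds()) < 1e-3,
        "source_addresses": [a.text.strip() for a in
                             alert.findall("idmef:Source/idmef:Node/idmef:Address/idmef:address", NS)],
        "ports_touched": len(expand_portlist(portlist)),
        "correlation_name": corr.findtext("idmef:name", namespaces=NS) if corr is not None else None,
        "referenced_alerts": refs,
    }
```

A disagreement between the ntpstamp and the text time is worth flagging rather than silently preferring one: it usually means a clock or serialisation bug on the analyzer, and either value may be the one other correlators keyed on.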
Host-based detection of a successful unauthorized acquisition of root access through the eject buffer overflow. Note the use of <Assessment> to provide information about the analyzer's evaluation of and reaction to the attack.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert>
    <idmef:Analyzer analyzerid="bids-192.0.2.1">
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc71e980.0x00000000">
      2000-03-09T08:12:32-01:00
    </idmef:CreateTime>
    <idmef:Source spoofed="no">
      <idmef:Node>
        <idmef:location>console</idmef:location>
        <idmef:Address category="ipv4-addr">
          <idmef:address>192.0.2.1</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target decoy="no">
      <idmef:Node>
        <idmef:location>local</idmef:location>
        <idmef:Address category="ipv4-addr">
          <idmef:address>192.0.2.1</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:User category="os-device">
        <idmef:UserId type="original-user">
          <idmef:number>456</idmef:number>
        </idmef:UserId>
        <idmef:UserId type="current-user">
          <idmef:name>root</idmef:name>
          <idmef:number>0</idmef:number>
        </idmef:UserId>
        <idmef:UserId type="user-privs">
          <idmef:number>0</idmef:number>
        </idmef:UserId>
      </idmef:User>
      <idmef:Process>
        <idmef:name>eject</idmef:name>
        <idmef:pid>32451</idmef:pid>
        <idmef:path>/usr/bin/eject</idmef:path>
        <idmef:arg>\x90\x80\x3f\xff...\x08/bin/sh</idmef:arg>
      </idmef:Process>
    </idmef:Target>
    <idmef:Classification text="Unauthorized administrative access">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>Unauthorized user to superuser</idmef:name>
        <idmef:url>file://attack-info/u2s.html</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:Assessment>
      <idmef:Impact severity="high" completion="succeeded"
                    type="admin"/>
      <idmef:Action category="notification-sent">
        page
      </idmef:Action>
      <idmef:Action category="block-installed">
        disabled user (fred)
      </idmef:Action>
      <idmef:Action category="taken-offline">
        logout user (fred)
      </idmef:Action>
      <idmef:Confidence rating="high"/>
    </idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>
This example shows a Heartbeat message that provides "I'm alive and working" information to the manager. Note the use of <AdditionalData> elements, with "meaning" attributes, to provide some additional information.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Heartbeat messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01">
      <idmef:Node category="dns">
        <idmef:location>Headquarters DMZ Network</idmef:location>
        <idmef:name>analyzer01.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc722ebe.0x00000000">
      2000-03-09T14:07:58Z
    </idmef:CreateTime>
    <idmef:AdditionalData type="real" meaning="%memused">
      <idmef:real>62.5</idmef:real>
    </idmef:AdditionalData>
    <idmef:AdditionalData type="real" meaning="%diskused">
      <idmef:real>87.1</idmef:real>
    </idmef:AdditionalData>
  </idmef:Heartbeat>
</idmef:IDMEF-Message>
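The value of a Heartbeat to the manager is mostly in its absence: a sensor that stops sending them has gone dark, which is exactly when its coverage is needed, and the "meaning"-tagged AdditionalData lets the manager catch a sensor that is about to fail (for instance a nearly full disk that will soon stop logging). The Python below is an added example, not code from the RFC or from any IDMEF implementation; it keeps the latest Heartbeat per analyzerid from a constructed batch of messages (the page's heartbeat plus two hypothetical ones, one of them from a second analyzer that has gone quiet) and reports which analyzers are silent past a threshold and which report disk usage at or above a warning level. The analyzer names other than hq-dmz-analyzer01, the thresholds and the function names are assumptions for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"idmef": "http://iana.org/idmef"}


def _heartbeat(analyzerid, create_time, memused, diskused):
    """Build a constructed Heartbeat message in the shape shown in the text."""
    return f"""<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Heartbeat messageid="hb-{analyzerid}-{create_time}">
    <idmef:Analyzer analyzerid="{analyzerid}">
      <idmef:Node category="dns"><idmef:name>{analyzerid}.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime>{create_time}</idmef:CreateTime>
    <idmef:AdditionalData type="real" meaning="%memused"><idmef:real>{memused}</idmef:real></idmef:AdditionalData>
    <idmef:AdditionalData type="real" meaning="%diskused"><idmef:real>{diskused}</idmef:real></idmef:AdditionalData>
  </idmef:Heartbeat>
</idmef:IDMEF-Message>"""


# Constructed batch: the page's heartbeat (62.5 / 87.1 at 14:07:58Z), an
# earlier one from the same analyzer, and one from a hypothetical second
# analyzer that has since stopped reporting.  Order is deliberately not
# chronological; the manager must not trust arrival order.
SAMPLE_HEARTBEATS = [
    _heartbeat("hq-dmz-analyzer01", "2000-03-09T14:07:58Z", 62.5, 87.1),
    _heartbeat("hq-lan-analyzer02", "2000-03-09T13:40:00Z", 40.2, 51.3),
    _heartbeat("hq-dmz-analyzer01", "2000-03-09T13:57:58Z", 61.0, 86.0),
]


def parse_time(text):
    """CreateTime text form; fromisoformat() before Python 3.11 rejects 'Z'."""
    t = text.strip()
    if t.endswith("Z"):
        t = t[:-1] + "+00:00"
    return datetime.fromisoformat(t)


def parse_heartbeat(xml_text):
    """Return (analyzerid, create_time, {meaning: value}) for a Heartbeat;
    raise ValueError for an Alert or any other message kind."""
    root = ET.fromstring(xml_text)
    hb = root.find("idmef:Heartbeat", NS)
    if hb is None:
        raise ValueError("not a Heartbeat message")
    analyzerid = hb.find("idmef:Analyzer", NS).get("analyzerid")
    when = parse_time(hb.findtext("idmef:CreateTime", namespaces=NS))
    metrics = {}
    for ad in hb.findall("idmef:AdditionalData", NS):
        if ad.get("type") == "real":   # only numeric AdditionalData is a metric
            metrics[ad.get("meaning")] = float(ad.findtext("idmef:real", namespaces=NS))
    return analyzerid, when, metrics


def evaluate_heartbeats(messages, now, max_silence=timedelta(minutes=10), disk_warn=85.0):
    """Manager-side view: latest heartbeat per analyzer, which analyzers have
    been silent longer than max_silence as of 'now', and which report
    %diskused at or above disk_warn in their latest heartbeat."""
    latest = {}
    for msg in messages:
        analyzerid, when, metrics = parse_heartbeat(msg)
        if analyzerid not in latest or when > latest[analyzerid][0]:
            latest[analyzerid] = (when, metrics)
    silent = sorted(a for a, (when, _) in latest.items() if now - when > max_silence)
    disk = sorted(a for a, (_, m) in latest.items() if m.get("%diskused", 0.0) >= disk_warn)
    return {
        "last_seen": {a: when for a, (when, _) in latest.items()},
        "silent": silent,
        "disk_warnings": disk,
    }


if __name__ == "__main__":
    report = evaluate_heartbeats(SAMPLE_HEARTBEATS, parse_time("2000-03-09T14:10:00Z"))
    print("silent:", report["silent"], "disk warnings:", report["disk_warnings"])
```

Because only the latest heartbeat per analyzer is kept, the out-of-order older message from hq-dmz-analyzer01 is ignored, and the silence check compares against the manager's own clock ("now") rather than trusting anything in the message.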
The following example shows how to extend the IDMEF DTD. In the example, the VendorCo company has decided it wants to add geographic information to the Node class. To do this, VendorCo creates a Document Type Definition or DTD that defines how their class will be formatted:
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:vendorco="http://vendor.com/idmef"
            targetNamespace="http://vendor.com/idmef"
            elementFormDefault="qualified" >

  <xsd:annotation>
    <xsd:documentation>
      Intrusion Detection Message Exchange Format (IDMEF)
      Extension for geographic information
    </xsd:documentation>
  </xsd:annotation>

  <xsd:complexType name="NodeGeoType">
    <xsd:sequence>
      <xsd:element name="latitude" type="xsd:string" />
      <xsd:element name="longitude" type="xsd:string" />
      <xsd:element name="elevation" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
    <xsd:attribute name="node-ident" type="xsd:integer"
                   use="required"/>
  </xsd:complexType>

  <xsd:element name="NodeGeography" type="vendorco:NodeGeoType" />

</xsd:schema>
The VendorCo:NodeGeography class will contain the geographic data in three aggregate classes, VendorCo:latitude, VendorCo:longitude, and VendorCo:elevation. To associate the information in this class with a particular node, the "VendorCo:node-ident" attribute is provided; it must contain the same value as the "ident" attribute on the relevant Node element.
To make use of this DTD now, VendorCo follows the rules in Section 5.2 and defines a parameter entity called "x-vendorco" within the Document Type Definition, and then references this entity. In the alert, the VendorCo elements are included under the AdditionalData element, with a "type" attribute of "xml", as shown below.
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:idmef="http://iana.org/idmef"
     xmlns:vendorco="http://v.com/idmef"
     xsi:schemaLocation="http://v.com/idmef http://v.com/geo.xsd">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01">
      <idmef:Node category="dns">
        <idmef:location>Headquarters DMZ Network</idmef:location>
        <idmef:name>analyzer01.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">
      2000-03-09T10:01:25.93464-05:00
    </idmef:CreateTime>
    <idmef:Source ident="a1b2c3d4">
      <idmef:Node ident="a1b2c3d4-001" category="dns">
        <idmef:name>badguy.example.net</idmef:name>
        <idmef:Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <idmef:address>192.0.2.50</idmef:address>
          <idmef:netmask>255.255.255.255</idmef:netmask>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="d1c2b3a4">
      <idmef:Node ident="d1c2b3a4-001" category="dns">
        <idmef:Address category="ipv4-addr-hex">
          <idmef:address>0xde796f70</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Teardrop">
      <idmef:Reference origin="bugtraqid">
        <idmef:name>124</idmef:name>
        <idmef:url>http://www.securityfocus.com/bid/124</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:AdditionalData type="xml" meaning="node geo info">
      <idmef:xml>
        <vendorco:NodeGeography
             xmlns:vendorco="http://vendor.com/idmef"
             xsi:schemaLocation="http://v.com/idmef http://v.com/geo.xsd"
             vendorco:node-ident="a1b2c3d4-001">
          <vendorco:latitude>38.89</vendorco:latitude>
          <vendorco:longitude>-77.02</vendorco:longitude>
        </vendorco:NodeGeography>
      </idmef:xml>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>
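The extension above only makes sense to a consumer if the "node-ident" value actually resolves to a Node in the same message, and the consumer also has to cope with two things the schema leaves open: latitude and longitude are typed xsd:string, so their range is not checked by schema validation, and "node-ident" is declared xsd:integer while the instance uses the string ident "a1b2c3d4-001", so in practice it has to be matched as an opaque string against Node "ident" values. The Python below is an added example, not code from the RFC or from VendorCo; it parses a constructed copy of the extended alert (one vendorco namespace throughout, http://vendor.com/idmef as in the schema's targetNamespace, and no schemaLocation), collects every Node ident, and reports for each NodeGeography element whether its reference resolves and whether its coordinates are in range. The function names are assumptions for this example.

```python
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"
VENDOR_NS = "http://vendor.com/idmef"   # targetNamespace of the VendorCo schema
NS = {"idmef": IDMEF_NS, "vendorco": VENDOR_NS}

# Constructed sample: the extended Teardrop alert from the text, trimmed and
# using a single vendorco namespace URI.
GEO_ALERT = """<idmef:IDMEF-Message version="1.0"
     xmlns:idmef="http://iana.org/idmef"
     xmlns:vendorco="http://vendor.com/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01">
      <idmef:Node category="dns"><idmef:name>analyzer01.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464-05:00</idmef:CreateTime>
    <idmef:Source ident="a1b2c3d4">
      <idmef:Node ident="a1b2c3d4-001" category="dns">
        <idmef:name>badguy.example.net</idmef:name>
      </idmef:Node>
    </idmef:Source>
    <idmef:Target ident="d1c2b3a4">
      <idmef:Node ident="d1c2b3a4-001" category="dns">
        <idmef:Address category="ipv4-addr-hex"><idmef:address>0xde796f70</idmef:address></idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Teardrop"/>
    <idmef:AdditionalData type="xml" meaning="node geo info">
      <idmef:xml>
        <vendorco:NodeGeography vendorco:node-ident="a1b2c3d4-001">
          <vendorco:latitude>38.89</vendorco:latitude>
          <vendorco:longitude>-77.02</vendorco:longitude>
        </vendorco:NodeGeography>
      </idmef:xml>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>
"""


def node_idents(alert):
    """The 'ident' of every Node anywhere in the alert (Analyzer, Source,
    Target); these are the only legal referents for vendorco:node-ident."""
    return {n.get("ident") for n in alert.iter(f"{{{IDMEF_NS}}}Node") if n.get("ident")}


def _coordinate(geo, name, limit):
    """The schema types latitude/longitude as xsd:string, so convert and
    range-check here; raises ValueError on a missing or out-of-range value."""
    text = geo.findtext(f"vendorco:{name}", namespaces=NS)
    if text is None:
        raise ValueError(f"NodeGeography without {name}")
    value = float(text.strip())
    if not -limit <= value <= limit:
        raise ValueError(f"{name} out of range: {value}")
    return value


def validate_geo_extension(xml_text):
    """One finding per NodeGeography carried in an AdditionalData type="xml"
    container: the referenced node ident, whether it resolves to a Node in
    this alert, and the parsed coordinates."""
    root = ET.fromstring(xml_text)
    alert = root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("not an IDMEF Alert message")
    known = node_idents(alert)
    findings = []
    for ad in alert.findall("idmef:AdditionalData", NS):
        if ad.get("type") != "xml":
            continue
        container = ad.find("idmef:xml", NS)
        if container is None:
            raise ValueError('AdditionalData type="xml" without an <xml> child')
        for geo in container.findall("vendorco:NodeGeography", NS):
            # Namespaced attribute: ElementTree exposes it as {uri}local-name.
            ref = geo.get(f"{{{VENDOR_NS}}}node-ident")
            findings.append({
                "node_ident": ref,
                "resolves": ref in known,
                "latitude": _coordinate(geo, "latitude", 90.0),
                "longitude": _coordinate(geo, "longitude", 180.0),
            })
    return findings


if __name__ == "__main__":
    for f in validate_geo_extension(GEO_ALERT):
        print(f)
```

A dangling node-ident is not necessarily malicious, but vendor extensions are the part of a message that a generic IDMEF consumer validates least, so cross-checking them against the core classes is the cheapest way to catch a mis-serialised or tampered extension before the geographic data is acted on.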
<?xml version="1.0" encoding="UTF-8"?>

<!-- ***************************************************************
     *******************************************************************
     *** Intrusion Detection Message Exchange Format (IDMEF) XML DTD ***
     *** Version 1.0, 07 March 2006                                  ***
     ***                                                             ***
     *** The use and extension of the IDMEF XML DTD are described in ***
     *** RFC 4765, "The Intrusion Detection Message Exchange         ***
     *** Format", H. Debar, D. Curry, B. Feinstein.                  ***
     *******************************************************************
     *************************************************************** -->

<!-- ===============================================================
     ===================================================================
     === SECTION 1.  Attribute list declarations.
     ===================================================================
     =============================================================== -->

<!--
  | Attributes of the IDMEF element.  In general, the fixed values of
  | these attributes will change each time a new version of the DTD
  | is released.
  -->
<!ENTITY % attlist.idmef "
    version             CDATA                   #FIXED    '1.0'
  ">

<!--
  | Attributes of all elements.  These are the "XML" attributes that
  | every element should have.  Space handling, language, and name
  | space.
  -->
<!ENTITY % attlist.global "
    xmlns:idmef         CDATA                   #FIXED    'http://iana.org/idmef'
    xmlns               CDATA                   #FIXED    'http://iana.org/idmef'
    xml:space           (default | preserve)    'default'
    xml:lang            NMTOKEN                 #IMPLIED
  ">
<!-- ===============================================================
     ===================================================================
     === SECTION 2.  Attribute value declarations.  Enumerated values for
     === many of the element-specific attribute lists.
     ===================================================================
     =============================================================== -->

<!-- | Values for the Action.category attribute. -->
<!ENTITY % attvals.actioncat "
    ( block-installed | notification-sent | taken-offline | other )
  ">

<!-- | Values for the Address.category attribute. -->
<!ENTITY % attvals.addrcat "
    ( unknown | atm | e-mail | lotus-notes | mac | sna | vm |
      ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask |
      ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask )
  ">

<!-- | Values for the AdditionalData.type attribute. -->
<!ENTITY % attvals.adtype "
    ( boolean | byte | character | date-time | integer | ntpstamp |
      portlist | real | string | byte-string | xmltext )
  ">

<!-- | Values for the Impact.completion attribute. -->
<!ENTITY % attvals.completion "
    ( failed | succeeded )
  ">

<!-- | Values for the File.category attribute. -->
<!ENTITY % attvals.filecat "
    ( current | original )
  ">

<!-- | Values for the Permission.perms attribute. -->
<!ENTITY % attvals.fileperm "
    ( noAccess | read | write | execute | search | delete | executeAs |
      changePermissions | takeOwnership )
  ">

<!-- | Values for the UserId.type attribute. -->
<!ENTITY % attvals.idtype "
    ( current-user | original-user | target-user | user-privs |
      current-group | group-privs | other-privs )
  ">

<!-- | Values for the Impact.type attribute. -->
<!ENTITY % attvals.impacttype "
    ( admin | dos | file | recon | user | other )
  ">

<!-- | Values for the Linkage.category attribute. -->
<!ENTITY % attvals.linkcat "
    ( hard-link | mount-point | reparse-point | shortcut | stream |
      symbolic-link )
  ">

<!-- | Values for the Checksum.algorithm attribute. -->
<!ENTITY % attvals.checksumalgos "
    ( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 |
      Haval | Tiger | Gost )
  ">

<!-- | Values for the Node.category attribute. -->
<!ENTITY % attvals.nodecat "
    ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos | nds |
      nis | nisplus | nt | wfw )
  ">

<!-- | Values for the Reference.origin attribute. -->
<!ENTITY % attvals.origin "
    ( unknown | vendor-specific | user-specific | bugtraqid | cve | osvdb )
  ">

<!-- | Values for the Confidence.rating attribute. -->
<!ENTITY % attvals.rating "
    ( low | medium | high | numeric )
  ">

<!-- | Values for the Impact.severity attribute. -->
<!ENTITY % attvals.severity "
    ( info | low | medium | high )
  ">

<!-- | Values for the User.category attribute. -->
<!ENTITY % attvals.usercat "
    ( unknown | application | os-device )
  ">

<!-- | Values for yes/no attributes such as Source.spoofed and
     | Target.decoy. -->
<!ENTITY % attvals.yesno "
    ( unknown | yes | no )
  ">
<!-- ===============================================================
     ===================================================================
     === SECTION 3.  Top-level element declarations.  The IDMEF-Message
     === element and the types of messages it can include.
     ===================================================================
     =============================================================== -->

<!ELEMENT IDMEF-Message ( (Alert | Heartbeat)* )>
<!ATTLIST IDMEF-Message
    %attlist.global;
    %attlist.idmef;
  >

<!ELEMENT Alert (
    Analyzer, CreateTime, DetectTime?, AnalyzerTime?, Source*, Target*,
    Classification, Assessment?,
    (ToolAlert | OverflowAlert | CorrelationAlert)?, AdditionalData*
  )>
<!ATTLIST Alert
    messageid           CDATA                   '0'
    %attlist.global;
  >

<!ELEMENT Heartbeat (
    Analyzer, CreateTime, HeartbeatInterval?, AnalyzerTime?, AdditionalData*
  )>
<!ATTLIST Heartbeat
    messageid           CDATA                   '0'
    %attlist.global;
  >
<!-- ===============================================================
     ===================================================================
     === SECTION 4.  Subclasses of the Alert element that provide more
     === data for specific types of alerts.
     ===================================================================
     =============================================================== -->

<!ELEMENT CorrelationAlert ( name, alertident+ )>
<!ATTLIST CorrelationAlert
    %attlist.global;
  >

<!ELEMENT OverflowAlert ( program, size?, buffer? )>
<!ATTLIST OverflowAlert
    %attlist.global;
  >

<!ELEMENT ToolAlert ( name, command?, alertident+ )>
<!ATTLIST ToolAlert
    %attlist.global;
  >
<!-- ===============================================================
     ===================================================================
     === SECTION 5.  The AdditionalData element.  This element allows an
     === alert to include additional information that cannot
     === be encoded elsewhere in the data model.
     ===================================================================
     =============================================================== -->

<!ELEMENT AdditionalData (
    ( boolean | byte | character | date-time | integer | ntpstamp |
      portlist | real | string | byte-string | xmltext )
  )>
<!ATTLIST AdditionalData
    type                %attvals.adtype;        'string'
    meaning             CDATA                   #IMPLIED
    %attlist.global;
  >
<!-- ===============================================================
     ===================================================================
     === SECTION 6.  Elements related to identifying entities - analyzers
     === (the senders of these messages), sources (of
     === attacks), and targets (of attacks).
     ===================================================================
     =============================================================== -->

<!ELEMENT Analyzer ( Node?, Process?, Analyzer? )>
<!ATTLIST Analyzer
    analyzerid          CDATA                   '0'
    name                CDATA                   #IMPLIED
    manufacturer        CDATA                   #IMPLIED
    model               CDATA                   #IMPLIED
    version             CDATA                   #IMPLIED
    class               CDATA                   #IMPLIED
    ostype              CDATA                   #IMPLIED
    osversion           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Classification ( Reference* )>
<!ATTLIST Classification
    ident               CDATA                   '0'
    text                CDATA                   #REQUIRED
  >

<!ELEMENT Source ( Node?, User?, Process?, Service? )>
<!ATTLIST Source
    ident               CDATA                   '0'
    spoofed             %attvals.yesno;         'unknown'
    interface           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Target ( Node?, User?, Process?, Service?, File* )>
<!ATTLIST Target
    ident               CDATA                   '0'
    decoy               %attvals.yesno;         'unknown'
    interface           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Assessment ( Impact?, Action*, Confidence? )>
<!ATTLIST Assessment
    %attlist.global;
  >
<!-- ===============================================================
     ===================================================================
     === SECTION 7.  Support elements used for providing detailed info
     === about entities - addresses, names, etc.
     ===================================================================
     =============================================================== -->

<!ELEMENT Reference ( name, url )>
<!ATTLIST Reference
    origin              %attvals.origin;        'unknown'
    meaning             CDATA                   #IMPLIED
  >

<!ELEMENT Node ( location?, (name | Address), Address* )>
<!ATTLIST Node
    ident               CDATA                   '0'
    category            %attvals.nodecat;       'unknown'
    %attlist.global;
  >

<!ELEMENT Address ( address, netmask? )>
<!ATTLIST Address
    ident               CDATA                   '0'
    category            %attvals.addrcat;       'unknown'
    vlan-name           CDATA                   #IMPLIED
    vlan-num            CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT File (
    name, path, create-time?, modify-time?, access-time?, data-size?,
    disk-size?, FileAccess*, Linkage*, Inode?, Checksum*
  )>
<!ATTLIST File
    ident               CDATA                   '0'
    category            %attvals.filecat;       #REQUIRED
    fstype              CDATA                   #IMPLIED
    file-type           CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT Permission EMPTY >
<!ATTLIST Permission
    perms               %attvals.fileperm;      #REQUIRED
    %attlist.global;
  >

<!ELEMENT FileAccess ( UserId, Permission+ )>
<!ATTLIST FileAccess
    %attlist.global;
  >

<!ELEMENT Inode (
    change-time?, (number, major-device, minor-device)?,
    (c-major-device, c-minor-device)?
  )>
<!ATTLIST Inode
    %attlist.global;
  >

<!ELEMENT Linkage ( (name, path) | File )>
<!ATTLIST Linkage
    category            %attvals.linkcat;       #REQUIRED
    %attlist.global;
  >

<!ELEMENT Checksum ( value, key? )>
<!ATTLIST Checksum
    algorithm           %attvals.checksumalgos; #REQUIRED
    %attlist.global;
  >

<!ELEMENT Process ( name, pid?, path?, arg*, env* )>
<!ATTLIST Process
    ident               CDATA                   '0'
    %attlist.global;
  >

<!ELEMENT Service (
    ( ((name, port?) | (port, name?)) | portlist ),
    protocol?, SNMPService?, WebService?
  )>
<!ATTLIST Service
    ident               CDATA                   '0'
    ip_version          CDATA                   #IMPLIED
    iana_protocol_number CDATA                  #IMPLIED
    iana_protocol_name  CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT SNMPService (
    oid?, messageProcessingModel?, securityModel?, securityName?,
    securityLevel?, contextName?, contextEngineID?, command?
  )>
<!ATTLIST SNMPService
    %attlist.global;
  >

<!ELEMENT User ( UserId+ )>
<!ATTLIST User
    ident               CDATA                   '0'
    category            %attvals.usercat;       'unknown'
    %attlist.global;
  >

<!ELEMENT UserId ( (name, number?) | (number, name?) )>
<!ATTLIST UserId
    ident               CDATA                   '0'
    type                %attvals.idtype;        'original-user'
    tty                 CDATA                   #IMPLIED
    %attlist.global;
  >

<!ELEMENT WebService ( url, cgi?, http-method?, arg* )>
<!ATTLIST WebService
    %attlist.global;
  >
<!-- ===============================================================
     ===================================================================
     === SECTION 8.  Simple elements with sub-elements or attributes of a
     === special nature.
     ===================================================================
     =============================================================== -->

<!ELEMENT Action (#PCDATA) >
<!ATTLIST Action
    category            %attvals.actioncat;     'other'
    %attlist.global;
  >

<!ELEMENT CreateTime (#PCDATA) >
<!ATTLIST CreateTime
    ntpstamp            CDATA                   #REQUIRED
    %attlist.global;
  >

<!ELEMENT DetectTime (#PCDATA) >
<!ATTLIST DetectTime
    ntpstamp            CDATA                   #REQUIRED
    %attlist.global;
  >

<!ELEMENT AnalyzerTime (#PCDATA) >
<!ATTLIST AnalyzerTime
    ntpstamp            CDATA                   #REQUIRED
    %attlist.global;
  >

<!ELEMENT Confidence (#PCDATA) >
<!ATTLIST Confidence
    rating              %attvals.rating;        'numeric'
    %attlist.global;
  >

<!ELEMENT Impact (#PCDATA) >
<!ATTLIST Impact
    severity            %attvals.severity;      #IMPLIED
    completion          %attvals.completion;    #IMPLIED
    type                %attvals.impacttype;    'other'
    %attlist.global;
  >

<!ELEMENT alertident (#PCDATA) >
<!ATTLIST alertident
    analyzerid          CDATA                   #IMPLIED
    %attlist.global;
  >
<!-- ===============================================================
     ===================================================================
     === SECTION 9.  Simple elements with no sub-elements and no special
     === attributes.
     ===================================================================
     =============================================================== -->

<!ELEMENT boolean (#PCDATA) > <!ATTLIST boolean %attlist.global; >
<!ELEMENT byte (#PCDATA) > <!ATTLIST byte %attlist.global; >
<!ELEMENT character (#PCDATA) > <!ATTLIST character %attlist.global; >
<!ELEMENT date-time (#PCDATA) > <!ATTLIST date-time %attlist.global; >
<!ELEMENT integer (#PCDATA) > <!ATTLIST integer %attlist.global; >
<!ELEMENT ntpstamp (#PCDATA) > <!ATTLIST ntpstamp %attlist.global; >
<!ELEMENT real (#PCDATA) > <!ATTLIST real %attlist.global; >
<!ELEMENT string (#PCDATA) > <!ATTLIST string %attlist.global; >
<!ELEMENT byte-string (#PCDATA) > <!ATTLIST byte-string %attlist.global; >
<!ELEMENT xmltext ANY > <!ATTLIST xmltext %attlist.global; >

<!ELEMENT access-time (#PCDATA) > <!ATTLIST access-time %attlist.global; >
<!ELEMENT address (#PCDATA) > <!ATTLIST address %attlist.global; >
<!ELEMENT arg (#PCDATA) > <!ATTLIST arg %attlist.global; >
<!ELEMENT buffer (#PCDATA) > <!ATTLIST buffer %attlist.global; >
<!ELEMENT c-major-device (#PCDATA) > <!ATTLIST c-major-device %attlist.global; >
<!ELEMENT c-minor-device (#PCDATA) > <!ATTLIST c-minor-device %attlist.global; >
<!ELEMENT cgi (#PCDATA) > <!ATTLIST cgi %attlist.global; >
<!ELEMENT change-time (#PCDATA) > <!ATTLIST change-time %attlist.global; >
<!ELEMENT command (#PCDATA) > <!ATTLIST command %attlist.global; >
<!ELEMENT create-time (#PCDATA) > <!ATTLIST create-time %attlist.global; >
<!ELEMENT data-size (#PCDATA) > <!ATTLIST data-size %attlist.global; >
<!ELEMENT disk-size (#PCDATA) > <!ATTLIST disk-size %attlist.global; >
<!ELEMENT env (#PCDATA) > <!ATTLIST env %attlist.global; >
<!ELEMENT http-method (#PCDATA) > <!ATTLIST http-method %attlist.global; >
<!ELEMENT location (#PCDATA) > <!ATTLIST location %attlist.global; >
<!ELEMENT major-device (#PCDATA) > <!ATTLIST major-device %attlist.global; >
<!ELEMENT minor-device (#PCDATA) > <!ATTLIST minor-device %attlist.global; >
<!ELEMENT modify-time (#PCDATA) > <!ATTLIST modify-time %attlist.global; >
<!ELEMENT name (#PCDATA) > <!ATTLIST name %attlist.global; >
<!ELEMENT netmask (#PCDATA) > <!ATTLIST netmask %attlist.global; >
<!ELEMENT number (#PCDATA) > <!ATTLIST number %attlist.global; >
<!ELEMENT oid (#PCDATA) > <!ATTLIST oid %attlist.global; >
<!ELEMENT path (#PCDATA) > <!ATTLIST path %attlist.global; >
<!ELEMENT permission (#PCDATA) > <!ATTLIST permission %attlist.global; >
<!ELEMENT pid (#PCDATA) > <!ATTLIST pid %attlist.global; >
<!ELEMENT port (#PCDATA) > <!ATTLIST port %attlist.global; >
<!ELEMENT portlist (#PCDATA) > <!ATTLIST portlist %attlist.global; >
<!ELEMENT program (#PCDATA) > <!ATTLIST program %attlist.global; >
<!ELEMENT protocol (#PCDATA) > <!ATTLIST protocol %attlist.global; >
<!ELEMENT size (#PCDATA) > <!ATTLIST size %attlist.global; >
<!ELEMENT url (#PCDATA) > <!ATTLIST url %attlist.global; >
<!ELEMENT HeartbeatInterval (#PCDATA) > <!ATTLIST HeartbeatInterval %attlist.global; >

<!ELEMENT messageProcessingModel (#PCDATA) > <!ATTLIST messageProcessingModel %attlist.global; >
<!ELEMENT securityModel (#PCDATA) > <!ATTLIST securityModel %attlist.global; >
<!ELEMENT securityName (#PCDATA) > <!ATTLIST securityName %attlist.global; >
<!ELEMENT securityLevel (#PCDATA) > <!ATTLIST securityLevel %attlist.global; >
<!ELEMENT contextName (#PCDATA) > <!ATTLIST contextName %attlist.global; >
<!ELEMENT contextEngineID (#PCDATA) > <!ATTLIST contextEngineID %attlist.global; >

<!ELEMENT value (#PCDATA) > <!ATTLIST value %attlist.global; >
<!ELEMENT key (#PCDATA) > <!ATTLIST key %attlist.global; >

<!-- End of IDMEF DTD -->
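The DTD above is what a receiving manager actually enforces, and it is worth checking real messages against it rather than trusting the sender: the Teardrop example earlier on this page does not pass, because its AdditionalData carries type="xml" and an <idmef:xml> wrapper, while attvals.adtype and the AdditionalData content model only declare xmltext. The checker below is an added example, not code from RFC 4765 or from any IDMEF implementation. It transcribes the SECTION 2 enumerations, the #REQUIRED attributes and the mandatory children of the content models into tables and runs them over a constructed alert modelled on the Teardrop example (the analyzer identifiers, the sample message and the vendorco extension element are constructed for the example). It is a structural check, not a full DTD validator: element order and the finer cardinalities of the content models are not verified.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"


def _v(words):
    return frozenset(words.split())


# Enumerated attribute values, transcribed from the attvals.* entities in DTD SECTION 2.
ENUMS = {
    ("Action", "category"): _v("block-installed notification-sent taken-offline other"),
    ("Address", "category"): _v("unknown atm e-mail lotus-notes mac sna vm ipv4-addr ipv4-addr-hex "
                                "ipv4-net ipv4-net-mask ipv6-addr ipv6-addr-hex ipv6-net ipv6-net-mask"),
    ("AdditionalData", "type"): _v("boolean byte character date-time integer ntpstamp portlist real "
                                   "string byte-string xmltext"),
    ("Impact", "completion"): _v("failed succeeded"),
    ("File", "category"): _v("current original"),
    ("Permission", "perms"): _v("noAccess read write execute search delete executeAs "
                                "changePermissions takeOwnership"),
    ("UserId", "type"): _v("current-user original-user target-user user-privs current-group "
                           "group-privs other-privs"),
    ("Impact", "type"): _v("admin dos file recon user other"),
    ("Linkage", "category"): _v("hard-link mount-point reparse-point shortcut stream symbolic-link"),
    ("Checksum", "algorithm"): _v("MD4 MD5 SHA1 SHA2-256 SHA2-384 SHA2-512 CRC-32 Haval Tiger Gost"),
    ("Node", "category"): _v("unknown ads afs coda dfs dns hosts kerberos nds nis nisplus nt wfw"),
    ("Reference", "origin"): _v("unknown vendor-specific user-specific bugtraqid cve osvdb"),
    ("Confidence", "rating"): _v("low medium high numeric"),
    ("Impact", "severity"): _v("info low medium high"),
    ("User", "category"): _v("unknown application os-device"),
    ("Source", "spoofed"): _v("unknown yes no"),
    ("Target", "decoy"): _v("unknown yes no"),
}
# Children the content models (SECTIONS 3 to 7) make mandatory, choices that need one member,
# and attributes declared #REQUIRED.
REQUIRED_CHILDREN = {
    "Alert": ("Analyzer", "CreateTime", "Classification"), "Heartbeat": ("Analyzer", "CreateTime"),
    "Reference": ("name", "url"), "Address": ("address",), "Checksum": ("value",),
    "File": ("name", "path"), "FileAccess": ("UserId", "Permission"), "Process": ("name",),
    "User": ("UserId",), "CorrelationAlert": ("name", "alertident"), "ToolAlert": ("name", "alertident"),
    "OverflowAlert": ("program",), "WebService": ("url",),
}
ONE_OF = {"Node": ("name", "Address"), "Service": ("name", "port", "portlist"), "UserId": ("name", "number")}
REQUIRED_ATTRS = {
    "Classification": ("text",), "CreateTime": ("ntpstamp",), "DetectTime": ("ntpstamp",),
    "AnalyzerTime": ("ntpstamp",), "Permission": ("perms",), "Linkage": ("category",),
    "Checksum": ("algorithm",), "File": ("category",),
}
# ntpstamp as written throughout the RFC: two 32-bit hex words, seconds and fraction.
NTPSTAMP = re.compile(r"^0x[0-9a-fA-F]{8}\.0x[0-9a-fA-F]{8}$")


def check(xml_text):
    """Return the violations found; an empty list means the message passed every check."""
    root = ET.fromstring(xml_text)
    problems = [] if root.tag == f"{{{NS}}}IDMEF-Message" else [f"unexpected root element {root.tag}"]
    for el in root.iter():
        if not el.tag.startswith("{" + NS + "}"):
            continue  # vendor content under xmltext is ANY as far as the DTD is concerned
        name = el.tag.rsplit("}", 1)[-1]
        children = [c.tag.rsplit("}", 1)[-1] for c in el if c.tag.startswith("{" + NS + "}")]
        for req in REQUIRED_CHILDREN.get(name, ()):
            if req not in children:
                problems.append(f"{name}: missing required child <{req}>")
        if name in ONE_OF and not any(c in children for c in ONE_OF[name]):
            problems.append(f"{name}: needs one of {ONE_OF[name]}")
        for req in REQUIRED_ATTRS.get(name, ()):
            if req not in el.attrib:
                problems.append(f"{name}: missing required attribute {req}")
        for attr, value in el.attrib.items():
            allowed = ENUMS.get((name, attr))
            if allowed is not None and value not in allowed:
                problems.append(f"{name}.{attr}={value!r} is not one of the DTD's enumerated values")
        if "ntpstamp" in el.attrib and not NTPSTAMP.match(el.attrib["ntpstamp"]):
            problems.append(f"{name}: malformed ntpstamp {el.attrib['ntpstamp']!r}")
        if name == "AdditionalData":  # exactly one typed child, described by the type attribute
            if len(children) != 1 or children[0] not in ENUMS[("AdditionalData", "type")]:
                problems.append(f"AdditionalData: content must be exactly one typed element, got {children}")
            elif children[0] != el.get("type", "string"):  # 'string' is the DTD default
                problems.append(f"AdditionalData: type={el.get('type')!r} does not match <{children[0]}>")
    return problems


# Constructed sample modelled on the RFC's Teardrop example; identifiers and the vendor extension are made up.
GOOD = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01">
      <idmef:Node category="dns"><idmef:name>analyzer01.example.com</idmef:name></idmef:Node>
    </idmef:Analyzer>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source ident="a1b2c3d4">
      <idmef:Node ident="a1b2c3d4-001" category="dns">
        <idmef:name>badguy.example.net</idmef:name>
        <idmef:Address ident="a1b2c3d4-002" category="ipv4-net-mask">
          <idmef:address>192.0.2.50</idmef:address><idmef:netmask>255.255.255.255</idmef:netmask>
        </idmef:Address>
      </idmef:Node>
    </idmef:Source>
    <idmef:Classification text="Teardrop">
      <idmef:Reference origin="bugtraqid">
        <idmef:name>124</idmef:name><idmef:url>http://www.securityfocus.com/bid/124</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:AdditionalData type="xmltext" meaning="node geo info">
      <idmef:xmltext><vendorco:NodeGeography xmlns:vendorco="http://vendor.com/idmef"
        vendorco:node-ident="a1b2c3d4-001"><vendorco:latitude>38.89</vendorco:latitude>
        <vendorco:longitude>-77.02</vendorco:longitude></vendorco:NodeGeography></idmef:xmltext>
    </idmef:AdditionalData>
  </idmef:Alert>
</idmef:IDMEF-Message>"""
# The same alert written the way the page's own example does it: type="xml" and an <idmef:xml>
# wrapper, neither of which attvals.adtype or the AdditionalData content model declares.
PAGE_STYLE = GOOD.replace('type="xmltext"', 'type="xml"').replace("idmef:xmltext", "idmef:xml")
```

check(GOOD) returns an empty list; check(PAGE_STYLE) returns two findings, one for the undeclared type value and one for the undeclared content element. Vendor elements under xmltext are skipped on purpose: the DTD declares that element as ANY, so the only thing the IDMEF side can enforce is the wrapper around the extension, which is exactly where the page's example goes wrong.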
Security Considerations

This document describes a data representation for exchanging security-related information between intrusion detection system implementations. Although there are no security concerns directly applicable to the format of this data, the data itself may contain security-sensitive information whose confidentiality, integrity, and/or availability may need to be protected.
This suggests that the systems used to collect, transmit, process, and store this data should be protected against unauthorized use and that the data itself should be protected against unauthorized access. The means for achieving this protection are outside the scope of this document.
Section 5 of [2] describes the required and recommended security characteristics of the transmission protocol that will be used to deliver IDMEF data from analyzers to managers. These requirements include message confidentiality, message integrity, non-repudiation, and avoidance of duplicate messages. Both standard and proposed protocols exist that provide these features.
Where a protocol that does not meet the requirements of Section 5 of [2] is used to exchange IDMEF messages, it may be desirable to use digital signatures to certify the integrity of these messages; this is discussed in Section 6.5 of this document.
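What the transport requirements above mean on the receiving side, as an added example that is not part of the RFC (the RFC's own answer is a transport meeting Section 5 of [2], or the digital signatures of its Section 6.5, which this page does not reproduce): the manager canonicalizes the message so that whitespace changes in transit do not break the check, verifies an integrity tag before anything is parsed, and suppresses replays on the (analyzerid, messageid) pair. The tag is a keyed HMAC-SHA256, chosen because the Python standard library has no signature primitive; it gives integrity and origin authentication between the two key holders but, unlike a signature, no non-repudiation. The shared key, the analyzer identifier and the sample alert are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET  # ET.canonicalize needs Python 3.8 or later

NS = "http://iana.org/idmef"


def canonical_bytes(xml_text):
    """C14N 2.0 with insignificant whitespace stripped, so that re-indenting or
    pretty-printing between analyzer and manager does not change the tagged bytes."""
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")


def tag_message(xml_text, key):
    """Keyed HMAC-SHA256 over the canonical form. This stands in for the digital
    signature the RFC refers to: it proves integrity and that a key holder sent the
    message, but both ends share the key, so it cannot provide non-repudiation."""
    return hmac.new(key, canonical_bytes(xml_text), hashlib.sha256).hexdigest()


def verify_tag(xml_text, key, tag):
    return hmac.compare_digest(tag_message(xml_text, key), tag)


class Manager:
    """Receiving side: verify before parsing, then drop replays."""

    def __init__(self, key):
        self.key = key
        self.seen = set()

    def accept(self, xml_text, tag):
        if not verify_tag(xml_text, self.key, tag):
            return ["rejected: integrity tag does not verify"]  # unverified bytes never reach the parser
        outcomes = []
        for i, msg in enumerate(ET.fromstring(xml_text)):  # each Alert or Heartbeat in the document
            analyzer = msg.find(f"{{{NS}}}Analyzer")
            analyzerid = analyzer.get("analyzerid", "0") if analyzer is not None else "0"
            messageid = msg.get("messageid", "0")
            if messageid == "0":
                # The DTD default '0' means the analyzer assigned no identifier, so the
                # only replay signal left is the content itself.
                ident = (analyzerid, hashlib.sha256(canonical_bytes(xml_text)).hexdigest(), i)
            else:
                ident = (analyzerid, messageid)
            if ident in self.seen:
                outcomes.append("duplicate")
            else:
                self.seen.add(ident)
                outcomes.append("accepted")
        return outcomes


# Constructed sample modelled on the RFC's Teardrop example; identifiers are made up.
ALERT = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert messageid="abc123456789">
    <idmef:Analyzer analyzerid="hq-dmz-analyzer01"/>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">
      2000-03-09T10:01:25.93464Z
    </idmef:CreateTime>
    <idmef:Target>
      <idmef:Node category="dns">
        <idmef:Address category="ipv4-addr"><idmef:address>192.0.2.50</idmef:address></idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Classification text="Teardrop"/>
  </idmef:Alert>
</idmef:IDMEF-Message>"""
# Same alert with every line's indentation removed: the tag must still verify.
ALERT_REINDENTED = "\n".join(line.strip() for line in ALERT.splitlines())
# The target address altered in transit: the tag must fail.
ALERT_TAMPERED = ALERT.replace("192.0.2.50", "192.0.2.51")
```

Two design points carry over to any real deployment: the tag is checked before the XML is parsed, so a forged or corrupted message never exercises the parser, and duplicate suppression keys on the analyzer's own identifiers rather than on the raw bytes, so a legitimate resend that was reformatted by an intermediary is still recognised as the same message.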
IANA Considerations

Section 5 describes how to use the AdditionalData class to include arbitrary "atomic" data items in an IDMEF message, as well as how AdditionalData may be used to extend the DTD itself by adding new classes and attributes.
From time to time, it may be desirable to move an extension from its private or local use status (as all extensions made via the above mechanism are) to "standard" status that should be supported by all implementations. This may be accomplished as described in this section.
Several of the attributes specified in this document have lists of permissible values that they may contain. To allow the addition of new values to these lists, the IANA created a repository for attribute values called "Intrusion Detection Message Exchange Format (IDMEF) Attribute Values".
Following the policies outlined in [9], additions to this repository are "Specification Required", the specification being an RFC. Section 10.1.1 describes the initial values for this repository.
To create a new attribute, you MUST publish an RFC to document the type. In the RFC, include a copy of the registration template found in Section 10.1.2 of this document. Put the template in your IANA Considerations section, filling in the appropriate fields. You MUST describe any interoperability and security issues in your document.
When adding a new attribute value to the repository, the IANA shall assign the next rank number in numerical sequence for the value.
IDMEF Class Name: Reference
IDMEF Attribute Name: origin
Registered Values:
   +------+-----------------+------------------------------------------+
   | Rank | Keyword         | Description                              |
   +------+-----------------+------------------------------------------+
   |    0 | unknown         | Origin of the name is not known          |
   |    1 | vendor-specific | A vendor-specific name (and hence, URL); |
   |      |                 | this can be used to provide              |
   |      |                 | product-specific information             |
   |    2 | user-specific   | A user-specific name (and hence, URL);   |
   |      |                 | this can be used to provide              |
   |      |                 | installation-specific information        |
   |    3 | bugtraqid       | The SecurityFocus ("Bugtraq")            |
   |      |                 | vulnerability database identifier        |
   |      |                 | (http://www.securityfocus.com/bid)       |
   |    4 | cve             | The Common Vulnerabilities and Exposures |
   |      |                 | (CVE) name (http://cve.mitre.org/)       |
   |    5 | osvdb           | The Open Source Vulnerability Database   |
   |      |                 | (http://www.osvdb.org)                   |
   +------+-----------------+------------------------------------------+
IDMEF Class Name: Source
IDMEF Attribute Name: spoofed
Registered Values:

+------+---------+----------------------------------------+
| Rank | Keyword | Description                            |
+------+---------+----------------------------------------+
| 0    | unknown | Accuracy of source information unknown |
| 1    | yes     | Source is believed to be a decoy       |
| 2    | no      | Source is believed to be "real"        |
+------+---------+----------------------------------------+

IDMEF Class Name: Target
IDMEF Attribute Name: decoy
Registered Values:

+------+---------+----------------------------------------+
| Rank | Keyword | Description                            |
+------+---------+----------------------------------------+
| 0    | unknown | Accuracy of target information unknown |
| 1    | yes     | Target is believed to be a decoy       |
| 2    | no      | Target is believed to be "real"        |
+------+---------+----------------------------------------+

IDMEF Class Name: AdditionalData
IDMEF Attribute Name: type
Registered Values:

+------+-------------+----------------------------------------------+
| Rank | Keyword     | Description                                  |
+------+-------------+----------------------------------------------+
| 0    | boolean     | The element contains a boolean value, i.e.,  |
|      |             | the strings "true" or "false"                |
| 1    | byte        | The element content is a single 8-bit byte   |
|      |             | (see Section 3.2.4)                          |
| 2    | character   | The element content is a single character    |
|      |             | (see Section 3.2.3)                          |
| 3    | date-time   | The element content is a date-time string    |
|      |             | (see Section 3.2.6)                          |
| 4    | integer     | The element content is an integer (see       |
|      |             | Section 3.2.1)                               |
| 5    | ntpstamp    | The element content is an NTP timestamp (see |
|      |             | Section 3.2.7)                               |
| 6    | portlist    | The element content is a list of ports (see  |
|      |             | Section 3.2.8)                               |
| 7    | real        | The element content is a real number (see    |
|      |             | Section 3.2.2)                               |
| 8    | string      | The element content is a string (see         |
|      |             | Section 3.2.3)                               |
| 9    | byte-string | The element content is a byte[] (see         |
|      |             | Section 3.2.4)                               |
| 10   | xmltext     | The element content is XML-tagged data (see  |
|      |             | Section 5.2)                                 |
+------+-------------+----------------------------------------------+

IDMEF Class Name: Impact
IDMEF Attribute Name: severity
Registered Values:

+------+---------+-----------------------------------------+
| Rank | Keyword | Description                             |
+------+---------+-----------------------------------------+
| 0    | info    | Alert represents informational activity |
| 1    | low     | Low severity                            |
| 2    | medium  | Medium severity                         |
| 3    | high    | High severity                           |
+------+---------+-----------------------------------------+

IDMEF Class Name: Impact
IDMEF Attribute Name: completion
Registered Values:

+------+-----------+--------------------------------+
| Rank | Keyword   | Description                    |
+------+-----------+--------------------------------+
| 0    | failed    | The attempt was not successful |
| 1    | succeeded | The attempt succeeded          |
+------+-----------+--------------------------------+

IDMEF Class Name: Impact
IDMEF Attribute Name: type
Registered Values:

+------+---------+--------------------------------------------------+
| Rank | Keyword | Description                                      |
+------+---------+--------------------------------------------------+
| 0    | admin   | Administrative privileges were attempted or      |
|      |         | obtained                                         |
| 1    | dos     | A denial of service was attempted or completed   |
| 2    | file    | An action on a file was attempted or completed   |
| 3    | recon   | A reconnaissance probe was attempted or          |
|      |         | completed                                        |
| 4    | user    | User privileges were attempted or obtained       |
| 5    | other   | Anything not in one of the above categories      |
+------+---------+--------------------------------------------------+

IDMEF Class Name: Action
IDMEF Attribute Name: category
Registered Values:

+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
| 0    | block-installed   | A block of some sort was installed to  |
|      |                   | prevent an attack from reaching its    |
|      |                   | destination.  The block could be a     |
|      |                   | port block, address block, etc., or    |
|      |                   | disabling a user account.              |
| 1    | notification-sent | A notification message of some sort    |
|      |                   | was sent out-of-band (via pager,       |
|      |                   | e-mail, etc.).  Does not include the   |
|      |                   | transmission of this alert.            |
| 2    | taken-offline     | A system, computer, or user was taken  |
|      |                   | offline, as when the computer is shut  |
|      |                   | down or a user is logged off.          |
| 3    | other             | Anything not in one of the above       |
|      |                   | categories.                            |
+------+-------------------+----------------------------------------+

IDMEF Class Name: Confidence
IDMEF Attribute Name: rating
Registered Values:

+------+---------+--------------------------------------------------+
| Rank | Keyword | Description                                      |
+------+---------+--------------------------------------------------+
| 0    | low     | The analyzer has little confidence in its        |
|      |         | validity                                         |
| 1    | medium  | The analyzer has average confidence in its       |
|      |         | validity                                         |
| 2    | high    | The analyzer has high confidence in its validity |
| 3    | numeric | The analyzer has provided a posterior            |
|      |         | probability value indicating its confidence in   |
|      |         | its validity                                     |
+------+---------+--------------------------------------------------+

IDMEF Class Name: Node
IDMEF Attribute Name: category
Registered Values:

+------+----------+------------------------------------------+
| Rank | Keyword  | Description                              |
+------+----------+------------------------------------------+
| 0    | unknown  | Domain unknown or not relevant           |
| 1    | ads      | Windows 2000 Advanced Directory Services |
| 2    | afs      | Andrew File System (Transarc)            |
| 3    | coda     | Coda Distributed File System             |
| 4    | dfs      | Distributed File System (IBM)            |
| 5    | dns      | Domain Name System                       |
| 6    | hosts    | Local hosts file                         |
| 7    | kerberos | Kerberos realm                           |
| 8    | nds      | Novell Directory Services                |
| 9    | nis      | Network Information Services (Sun)       |
| 10   | nisplus  | Network Information Services Plus (Sun)  |
| 11   | nt       | Windows NT domain                        |
| 12   | wfw      | Windows for Workgroups                   |
+------+----------+------------------------------------------+

IDMEF Class Name: Address
IDMEF Attribute Name: category
Registered Values:

+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
| 0    | unknown       | Address type unknown                       |
| 1    | atm           | Asynchronous Transfer Mode network address |
| 2    | e-mail        | Electronic mail address (RFC 822)          |
| 3    | lotus-notes   | Lotus Notes e-mail address                 |
| 4    | mac           | Media Access Control (MAC) address         |
| 5    | sna           | IBM Shared Network Architecture (SNA)      |
|      |               | address                                    |
| 6    | vm            | IBM VM ("PROFS") e-mail address            |
| 7    | ipv4-addr     | IPv4 host address in dotted-decimal        |
|      |               | notation (a.b.c.d)                         |
| 8    | ipv4-addr-hex | IPv4 host address in hexadecimal notation  |
| 9    | ipv4-net      | IPv4 network address in dotted-decimal     |
|      |               | notation, slash, significant bits          |
|      |               | (a.b.c.d/nn)                               |
| 10   | ipv4-net-mask | IPv4 network address in dotted-decimal     |
|      |               | notation, slash, network mask in           |
|      |               | dotted-decimal notation (a.b.c.d/w.x.y.z)  |
| 11   | ipv6-addr     | IPv6 host address                          |
| 12   | ipv6-addr-hex | IPv6 host address in hexadecimal notation  |
| 13   | ipv6-net      | IPv6 network address, slash, significant   |
|      |               | bits                                       |
| 14   | ipv6-net-mask | IPv6 network address, slash, network mask  |
+------+---------------+--------------------------------------------+

IDMEF Class Name: User
IDMEF Attribute Name: category
Registered Values:

+------+-------------+------------------------------------+
| Rank | Keyword     | Description                        |
+------+-------------+------------------------------------+
| 0    | unknown     | User type unknown                  |
| 1    | application | An application user                |
| 2    | os-device   | An operating system or device user |
+------+-------------+------------------------------------+

IDMEF Class Name: UserId
IDMEF Attribute Name: category
Registered Values:

+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
| 0    | current-user  | The current user id being used by the user |
|      |               | or process.  On Unix systems, this would   |
|      |               | be the "real" user id, in general.         |
| 1    | original-user | The actual identity of the user or process |
|      |               | being reported on.  On those systems that  |
|      |               | (a) do some type of auditing and (b)       |
|      |               | support extracting a user id from the      |
|      |               | "audit id" token, that value should be     |
|      |               | used.  On those systems that do not        |
|      |               | support this, and where the user has       |
|      |               | logged into the system, the "login id"     |
|      |               | should be used.                            |
| 2    | target-user   | The user id the user or process is         |
|      |               | attempting to become.  This would apply,   |
|      |               | on Unix systems for example, when the user |
|      |               | attempts to use "su", "rlogin", "telnet",  |
|      |               | etc.                                       |
| 3    | user-privs    | Another user id the user or process has    |
|      |               | the ability to use, or a user id           |
|      |               | associated with a file permission.  On     |
|      |               | Unix systems, this would be the            |
|      |               | "effective" user id in a user or process   |
|      |               | context, and the owner permissions in a    |
|      |               | file context.  Multiple UserId elements of |
|      |               | this type may be used to specify a list of |
|      |               | privileges.                                |
| 4    | current-group | The current group id (if applicable) being |
|      |               | used by the user or process.  On Unix      |
|      |               | systems, this would be the "real" group    |
|      |               | id, in general.                            |
| 5    | group-privs   | Another group id the group or process has  |
|      |               | the ability to use, or a group id          |
|      |               | associated with a file permission.  On     |
|      |               | Unix systems, this would be the            |
|      |               | "effective" group id in a group or process |
|      |               | context, and the group permissions in a    |
|      |               | file context.  On BSD-derived Unix         |
|      |               | systems, multiple UserId elements of this  |
|      |               | type would be used to include all the      |
|      |               | group ids on the "group list".             |
| 6    | other-privs   | Not used in a user, group, or process      |
|      |               | context, only used in the file context.    |
|      |               | The file permissions assigned to users who |
|      |               | do not match either the user or group      |
|      |               | permissions on the file.  On Unix systems, |
|      |               | this would be the "world" permissions.     |
+------+---------------+--------------------------------------------+

IDMEF Class Name: File
IDMEF Attribute Name: category
Registered Values:

+------+----------+-------------------------------------------------+
| Rank | Keyword  | Description                                     |
+------+----------+-------------------------------------------------+
| 0    | current  | The file information is from after the reported |
|      |          | change                                          |
| 1    | original | The file information is from before the         |
|      |          | reported change                                 |
+------+----------+-------------------------------------------------+

IDMEF Class Name: File
IDMEF Attribute Name: fstype
Registered Values:

+------+---------+-------------------------------------+
| Rank | Keyword | Description                         |
+------+---------+-------------------------------------+
| 0    | ufs     | Berkeley Unix Fast File System      |
| 1    | efs     | Linux "efs" file system             |
| 2    | nfs     | Network File System                 |
| 3    | afs     | Andrew File System                  |
| 4    | ntfs    | Windows NT File System              |
| 5    | fat16   | 16-bit Windows FAT File System      |
| 6    | fat32   | 32-bit Windows FAT File System      |
| 7    | pcfs    | "PC" (MS-DOS) file system on CD-ROM |
| 8    | joliet  | Joliet CD-ROM file system           |
| 9    | iso9660 | ISO 9660 CD-ROM file system         |
+------+---------+-------------------------------------+

IDMEF Class Name: FileAccess
IDMEF Attribute Name: permission
Registered Values:

+------+-------------------+----------------------------------------+
| Rank | Keyword           | Description                            |
+------+-------------------+----------------------------------------+
| 0    | noAccess          | No access at all is allowed for this   |
|      |                   | user                                   |
| 1    | read              | This user has read access to the file  |
| 2    | write             | This user has write access to the file |
| 3    | execute           | This user has the ability to execute   |
|      |                   | the file                               |
| 4    | search            | This user has the ability to search    |
|      |                   | this file (applies to "execute"        |
|      |                   | permission on directories in Unix)     |
| 5    | delete            | This user has the ability to delete    |
|      |                   | this file                              |
| 6    | executeAs         | This user has the ability to execute   |
|      |                   | this file as another user              |
| 7    | changePermissions | This user has the ability to change    |
|      |                   | the access permissions on this file    |
| 8    | takeOwnership     | This user has the ability to take      |
|      |                   | ownership of this file                 |
+------+-------------------+----------------------------------------+

IDMEF Class Name: Linkage
IDMEF Attribute Name: category
Registered Values:

+------+---------------+--------------------------------------------+
| Rank | Keyword       | Description                                |
+------+---------------+--------------------------------------------+
| 0    | hard-link     | The <name> element represents another name |
|      |               | for this file.  This information may be    |
|      |               | more easily obtainable on NTFS file        |
|      |               | systems than others.                       |
| 1    | mount-point   | An alias for the directory specified by    |
|      |               | the parent's <name> and <path> elements.   |
| 2    | reparse-point | Applies only to Windows; excludes symbolic |
|      |               | links and mount points, which are specific |
|      |               | types of reparse points.                   |
| 3    | shortcut      | The file represented by a Windows          |
|      |               | "shortcut".  A shortcut is distinguished   |
|      |               | from a symbolic link because of the        |
|      |               | difference in their contents, which may be |
|      |               | of importance to the manager.              |
| 4    | stream        | An Alternate Data Stream (ADS) in Windows; |
|      |               | a fork on MacOS.  Separate file system     |
|      |               | entity that is considered an extension of  |
|      |               | the main <File>.                           |
| 5    | symbolic-link | The <name> element represents the file to  |
|      |               | which the link points.                     |
+------+---------------+--------------------------------------------+

IDMEF Class Name: Checksum
IDMEF Attribute Name: algorithm
Registered Values:

+------+----------+------------------------------------------+
| Rank | Keyword  | Description                              |
+------+----------+------------------------------------------+
| 0    | MD4      | The MD4 algorithm.                       |
| 1    | MD5      | The MD5 algorithm.                       |
| 2    | SHA1     | The SHA1 algorithm.                      |
| 3    | SHA2-256 | The SHA2 algorithm with 256 bits length. |
| 4    | SHA2-384 | The SHA2 algorithm with 384 bits length. |
| 5    | SHA2-512 | The SHA2 algorithm with 512 bits length. |
| 6    | CRC-32   | The CRC algorithm with 32 bits length.   |
| 7    | Haval    | The Haval algorithm.                     |
| 8    | Tiger    | The Tiger algorithm.                     |
| 9    | Gost     | The Gost algorithm.                      |
+------+----------+------------------------------------------+

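The checks a receiving manager would run against these registries, as an added Python example (not code from RFC 4765 or from any IDMEF implementation): it validates each enumerated attribute of a constructed alert against a subset of the tables above, checks that AdditionalData content matches its declared type, that a "numeric" Confidence is a probability, and flags Checksum algorithms for which collisions are practical. The IDMEF namespace, the content shapes assumed for date-time, ntpstamp and portlist, and the sample alert are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"  # namespace of RFC 4765 IDMEF messages

# Registered keywords from the tables above, in rank order (list index == IANA rank).
REGISTRY = {
    ("Source", "spoofed"): ["unknown", "yes", "no"],
    ("Target", "decoy"): ["unknown", "yes", "no"],
    ("Impact", "severity"): ["info", "low", "medium", "high"],
    ("Impact", "completion"): ["failed", "succeeded"],
    ("Impact", "type"): ["admin", "dos", "file", "recon", "user", "other"],
    ("Confidence", "rating"): ["low", "medium", "high", "numeric"],
    ("Address", "category"): ["unknown", "atm", "e-mail", "lotus-notes", "mac", "sna",
                              "vm", "ipv4-addr", "ipv4-addr-hex", "ipv4-net", "ipv4-net-mask",
                              "ipv6-addr", "ipv6-addr-hex", "ipv6-net", "ipv6-net-mask"],
    ("Checksum", "algorithm"): ["MD4", "MD5", "SHA1", "SHA2-256", "SHA2-384", "SHA2-512",
                                "CRC-32", "Haval", "Tiger", "Gost"],
    ("AdditionalData", "type"): ["boolean", "byte", "character", "date-time", "integer",
                                 "ntpstamp", "portlist", "real", "string", "byte-string",
                                 "xmltext"],
}

# Lexical checks for AdditionalData content.  The date-time, ntpstamp and
# portlist shapes follow RFC 4765 Sections 3.2.6-3.2.8 as this example's
# author reads them; byte, byte-string, string and xmltext are not checked.
_PORT = r"[0-9]{1,5}"
CONTENT_RE = {
    "boolean": re.compile(r"^(?:true|false)$"),
    "integer": re.compile(r"^[+-]?[0-9]+$"),
    "real": re.compile(r"^[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?$"),
    "character": re.compile(r"^.$", re.S),
    "date-time": re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}"
                            r"(?:\.[0-9]+)?(?:Z|[+-][0-9]{2}:[0-9]{2})$"),
    "ntpstamp": re.compile(r"^0x[0-9a-fA-F]{8}\.0x[0-9a-fA-F]{8}$"),
    "portlist": re.compile(rf"^{_PORT}(?:-{_PORT})?(?:,{_PORT}(?:-{_PORT})?)*$"),
}

# Registered algorithms for which collisions are practical; a manager should
# not treat a File Checksum computed with one of them as an integrity guarantee.
WEAK_CHECKSUMS = {"MD4", "MD5", "SHA1"}


def _content(elem, kind):
    # RFC 4765 wraps AdditionalData content in a child named after the type
    # (<integer>3</integer>); earlier drafts used the element text.  Accept both.
    child = elem.find(f"{{{IDMEF_NS}}}{kind}")
    text = child.text if child is not None else elem.text
    return (text or "").strip()


def validate(xml_text):
    """Return (errors, warnings) for one IDMEF message given as XML text."""
    errors, warnings = [], []
    for elem in ET.fromstring(xml_text).iter():
        cls = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        for (rcls, attr), keywords in REGISTRY.items():
            if rcls != cls or attr not in elem.attrib:
                continue
            value = elem.attrib[attr]
            if value not in keywords:
                errors.append(f"{cls}/@{attr}: unregistered value {value!r}")
            elif cls == "AdditionalData":
                body, pattern = _content(elem, value), CONTENT_RE.get(value)
                if pattern and not pattern.match(body):
                    errors.append(f"AdditionalData type={value}: bad content {body!r}")
                elif value == "portlist" and max(map(int, re.findall(r"[0-9]+", body))) > 65535:
                    errors.append(f"AdditionalData portlist: port above 65535 in {body!r}")
            elif cls == "Confidence" and value == "numeric":
                # "numeric" is defined above as a posterior probability: a real in [0, 1].
                body = (elem.text or "").strip()
                if not re.match(r"^[0-9]*\.?[0-9]+$", body) or not 0 <= float(body) <= 1:
                    errors.append(f"Confidence numeric: {body!r} is not a probability")
            elif cls == "Checksum" and value in WEAK_CHECKSUMS:
                warnings.append(f"Checksum uses collision-prone algorithm {value}")
    return errors, warnings


# Constructed alert (not from the RFC): one unregistered severity, one
# AdditionalData whose content does not match its declared type, an MD5 checksum.
SAMPLE_ALERT = f"""<idmef:IDMEF-Message version="1.0" xmlns:idmef="{IDMEF_NS}">
 <idmef:Alert messageid="example-0001">
  <idmef:Analyzer analyzerid="example-analyzer"/>
  <idmef:Source spoofed="yes"><idmef:Node><idmef:Address category="ipv4-addr">
   <idmef:address>192.0.2.10</idmef:address></idmef:Address></idmef:Node></idmef:Source>
  <idmef:Target decoy="no"><idmef:FileList><idmef:File category="current">
   <idmef:name>hosts</idmef:name><idmef:path>/etc/hosts</idmef:path>
   <idmef:Checksum algorithm="MD5"><idmef:value>d41d8cd98f00b204e9800998ecf8427e</idmef:value>
   </idmef:Checksum></idmef:File></idmef:FileList></idmef:Target>
  <idmef:Assessment><idmef:Impact severity="critical" completion="succeeded" type="file"/>
   <idmef:Confidence rating="numeric">0.85</idmef:Confidence></idmef:Assessment>
  <idmef:AdditionalData type="portlist" meaning="ports"><idmef:portlist>5-25,80,443</idmef:portlist></idmef:AdditionalData>
  <idmef:AdditionalData type="integer" meaning="count"><idmef:integer>three</idmef:integer></idmef:AdditionalData>
  <idmef:AdditionalData type="date-time" meaning="seen">2000-03-09T10:01:25.93464Z</idmef:AdditionalData>
 </idmef:Alert>
</idmef:IDMEF-Message>"""

if __name__ == "__main__":
    errors, warnings = validate(SAMPLE_ALERT)
    print("\n".join(["ERROR: " + e for e in errors] + ["WARN: " + w for w in warnings]))
```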
IDMEF Class Name:
<provide the name of the class that contains the attribute to which you want to add a new value, e.g., "Address">

IDMEF Attribute Name:
<provide the name of the attribute to which you want to add a new value, e.g., "category">

New Attribute Value to Be Defined:
<provide the name of the new attribute value that you want to add, e.g., "sneaker-net">

Meaning of New Attribute Value:
<describe in detail what the attribute value means -- i.e., if an analyzer sends this value, what is it telling the receiver of the information?>

Contact Person and E-Mail Address:
<your name and e-mail address>
To the extent possible, the IDMEF classes and attributes specified in this document have been designed to accommodate all current and near-future needs. Although it is recognized that the addition of new classes, as well as the addition of new attributes to existing classes, will be necessary in the future, these actions should not be taken lightly.
在可能的范围内,本文档中指定的IDMEF类和属性已设计为满足所有当前和近期的需求。虽然人们认识到,将来需要添加新类以及向现有类添加新属性,但不应轻率地采取这些措施。
Any addition of new attributes or classes should only be undertaken when the current classes and attributes simply cannot be used to represent the information in a "clean" way -- and such additions should only be made to represent generally-useful types of data. Vendor-specific information, obscure information provided by only a particular type of analyzer or used only by a particular type of manager, "pet" attributes, and the like are not good reasons to make class and attribute additions.
只有当当前的类和属性不能用于以“干净”的方式表示信息时,才应该添加新的属性或类,并且这种添加只应该用于表示通常有用的数据类型。特定于供应商的信息、仅由特定类型的分析器提供或仅由特定类型的管理器使用的模糊信息、“pet”属性等都不是添加类和属性的好理由。
At the time this RFC was written, the first anticipated case for which new classes and attributes will need to be added is to handle host-based intrusion detection systems. However, such additions should not be made until some level of consensus has been reached about the set of data that will be provided by these systems.
在编写此RFC时,第一个需要添加新类和属性的预期情况是处理基于主机的入侵检测系统。然而,在就这些系统将提供的数据集达成某种程度的共识之前,不应进行此类补充。
Following the policies outlined in [9], the addition of new classes and attributes to the IDMEF requires "IETF Consensus".
按照[9]中概述的策略,向IDMEF添加新类和属性需要“IETF共识”。
To add new attributes or classes, you MUST publish an RFC to document them, and get that RFC approved by the IESG. Typically, the IESG will seek input on prospective additions from appropriate persons (e.g., a relevant working group if one exists). You MUST describe any interoperability and security issues in your document.
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Wood, M. and M. Erlinger, "Intrusion Detection Message Exchange Requirements", RFC 4766, March 2007.
[3] Sperberg-McQueen, C., Paoli, J., Maler, E., and T. Bray, "Extensible Markup Language (XML) 1.0 (Second Edition)", World Wide Web Consortium FirstEdition REC-xml-20001006, October 2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.
[4] Bray, T., Hollander, D., and A. Layman, "Namespaces in XML", World Wide Web Consortium Recommendation REC-xml-names-19990114, January 1999, <http://www.w3.org/TR/1999/REC-xml-names-19990114>.
[5] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005.
[6] International Organization for Standardization, "Data elements and interchange formats - Information interchange - Representation of dates and times", ISO Standard 8601, Second Edition, December 2000.
[7] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation", RFC 1305, March 1992.
[8] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI", RFC 4330, January 2006.
[9] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[10] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 4646, September 2006.
[11] St. Johns, M., "Identification Protocol", RFC 1413, February 1993.
[12] Resnick, P., "Internet Message Format", RFC 2822, April 2001.
[13] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002.
[14] Rumbaugh, J., Jacobson, I., and G. Booch, "The Unified Modeling Language Reference Model", ISBN 020130998X, 1998.
[15] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, December 2002.
[16] Frye, R., Levi, D., Routhier, S., and B. Wijnen, "Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework", BCP 74, RFC 3584, August 2003.
The following individuals contributed substantially to this document and should be recognized for their efforts. This document would not exist without their help:

Dominique Alessandri, IBM Corporation
Spencer Allain, Teknowledge Corporation
James L. Burden, California Independent Systems Operator
Marc Dacier, IBM Corporation
Oliver Dain, MIT Lincoln Laboratory
Nicolas Delon, Prelude Hybrid IDS project
David J. Donahoo, AFIWC
Michael Erlinger, Harvey Mudd College
Reinhard Handwerker, Internet Security Systems, Inc.
Ming-Yuh Huang, The Boeing Company
Glenn Mansfield, Cyber Solutions, Inc.
Joe McAlerney, Silicon Defense
Cynthia McLain, MIT Lincoln Laboratory
Paul Osterwald, Intrusion.com
Jean-Philippe Pouzol
James Riordan, IBM Corporation
Paul Sangree, Cisco Systems
Stephane Schitter, IBM Corporation
Michael J. Slifcak, Trusted Network Technologies, Inc.
Steven R. Snapp, CyberSafe Corporation
Stuart Staniford-Chen, Silicon Defense
Michael Steiner, University of Saarland
Maureen Stillman, Nokia IP Telephony
Vimal Vaidya, AXENT
Yoann Vandoorselaere, Prelude Hybrid IDS project
Andy Walther, Harvey Mudd College
Andreas Wespi, IBM Corporation
John C. C. White, MITRE
Eric D. Williams, Information Brokers, Inc.
S. Felix Wu, University of California Davis
Appendix B. The IDMEF Schema Definition (Non-normative)
<?xml version="1.0"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:idmef="http://iana.org/idmef"
            targetNamespace="http://iana.org/idmef"
            elementFormDefault="qualified" >
  <xsd:annotation>
    <xsd:documentation>
      Intrusion Detection Message Exchange Format (IDMEF) Version 1.0
    </xsd:documentation>
  </xsd:annotation>
  <!-- Section 1 -->
  <!-- Omitted.  This section did namespace magic and is not needed
       with XSD validation. -->
  <!-- Section 2 -->
  <!-- Values for the Action.category attribute. -->
  <xsd:simpleType name="action-category">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="block-installed" />
      <xsd:enumeration value="notification-sent" />
      <xsd:enumeration value="taken-offline" />
      <xsd:enumeration value="other" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Address.category attribute. -->
  <xsd:simpleType name="address-category">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="unknown" />
      <xsd:enumeration value="atm" />
      <xsd:enumeration value="e-mail" />
      <xsd:enumeration value="lotus-notes" />
      <xsd:enumeration value="mac" />
      <xsd:enumeration value="sna" />
      <xsd:enumeration value="vm" />
      <xsd:enumeration value="ipv4-addr" />
      <xsd:enumeration value="ipv4-addr-hex" />
      <xsd:enumeration value="ipv4-net" />
      <xsd:enumeration value="ipv4-net-mask" />
      <xsd:enumeration value="ipv6-addr" />
      <xsd:enumeration value="ipv6-addr-hex" />
      <xsd:enumeration value="ipv6-net" />
      <xsd:enumeration value="ipv6-net-mask" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Impact.severity attribute. -->
  <xsd:simpleType name="impact-severity">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="info" />
      <xsd:enumeration value="low" />
      <xsd:enumeration value="medium" />
      <xsd:enumeration value="high" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Impact.completion attribute. -->
  <xsd:simpleType name="impact-completion">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="failed" />
      <xsd:enumeration value="succeeded" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Impact.type attribute. -->
  <xsd:simpleType name="impact-type">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="admin" />
      <xsd:enumeration value="dos" />
      <xsd:enumeration value="file" />
      <xsd:enumeration value="recon" />
      <xsd:enumeration value="user" />
      <xsd:enumeration value="other" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the File.category attribute. -->
  <xsd:simpleType name="file-category">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="current" />
      <xsd:enumeration value="original" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the FileAccess.Permissions attribute -->
  <xsd:simpleType name="file-permission">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="noAccess"/>
      <xsd:enumeration value="read"/>
      <xsd:enumeration value="write"/>
      <xsd:enumeration value="execute"/>
      <xsd:enumeration value="search" />
      <xsd:enumeration value="delete" />
      <xsd:enumeration value="executeAs" />
      <xsd:enumeration value="changePermissions" />
      <xsd:enumeration value="takeOwnership" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Id.type attribute. -->
  <xsd:simpleType name="id-type">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="current-user" />
      <xsd:enumeration value="original-user" />
      <xsd:enumeration value="target-user" />
      <xsd:enumeration value="user-privs" />
      <xsd:enumeration value="current-group" />
      <xsd:enumeration value="group-privs" />
      <xsd:enumeration value="other-privs" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Linkage.category attribute. -->
  <xsd:simpleType name="linkage-category">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="hard-link" />
      <xsd:enumeration value="mount-point" />
      <xsd:enumeration value="reparse-point" />
      <xsd:enumeration value="shortcut" />
      <xsd:enumeration value="stream" />
      <xsd:enumeration value="symbolic-link" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Checksum.algorithm attribute -->
  <xsd:simpleType name="checksum-algorithm">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="MD4" />
      <xsd:enumeration value="MD5" />
      <xsd:enumeration value="SHA1" />
      <xsd:enumeration value="SHA2-256" />
      <xsd:enumeration value="SHA2-384" />
      <xsd:enumeration value="SHA2-512" />
      <xsd:enumeration value="CRC-32" />
      <xsd:enumeration value="Haval" />
      <xsd:enumeration value="Tiger" />
      <xsd:enumeration value="Gost" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Node.category attribute. -->
  <xsd:simpleType name="node-category">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="unknown" />
      <xsd:enumeration value="ads" />
      <xsd:enumeration value="afs" />
      <xsd:enumeration value="coda" />
      <xsd:enumeration value="dfs" />
      <xsd:enumeration value="dns" />
      <xsd:enumeration value="hosts" />
      <xsd:enumeration value="kerberos" />
      <xsd:enumeration value="nds" />
      <xsd:enumeration value="nis" />
      <xsd:enumeration value="nisplus" />
      <xsd:enumeration value="nt" />
      <xsd:enumeration value="wfw" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Reference.origin attribute. -->
  <xsd:simpleType name="reference-origin">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="unknown" />
      <xsd:enumeration value="vendor-specific" />
      <xsd:enumeration value="user-specific" />
      <xsd:enumeration value="bugtraqid" />
      <xsd:enumeration value="cve" />
      <xsd:enumeration value="osvdb" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the Confidence.rating attribute. -->
  <xsd:simpleType name="confidence-rating">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="low" />
      <xsd:enumeration value="medium" />
      <xsd:enumeration value="high" />
      <xsd:enumeration value="numeric" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the User.category attribute. -->
  <xsd:simpleType name="user-category">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="unknown" />
      <xsd:enumeration value="application" />
      <xsd:enumeration value="os-device" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for the AdditionalData.type attribute. -->
  <xsd:simpleType name="additionaldata-type">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="boolean" />
      <xsd:enumeration value="byte" />
      <xsd:enumeration value="character" />
      <xsd:enumeration value="date-time" />
      <xsd:enumeration value="integer" />
      <xsd:enumeration value="ntpstamp" />
      <xsd:enumeration value="portlist" />
      <xsd:enumeration value="real" />
      <xsd:enumeration value="string" />
      <xsd:enumeration value="byte-string" />
      <xsd:enumeration value="xml" />
    </xsd:restriction>
  </xsd:simpleType>
  <!-- Values for yes/no attributes such as Source.spoofed and
       Target.decoy. -->
  <xsd:simpleType name="yes-no-type">
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="unknown" />
      <xsd:enumeration value="yes" />
      <xsd:enumeration value="no" />
    </xsd:restriction>
  </xsd:simpleType>
<xsd:simpleType name="port-range"> <xsd:restriction base="xsd:string"> <xsd:pattern value="[0-9]{1,5}(\-[0-9]{1,5})?"/> </xsd:restriction> </xsd:simpleType>
<xsd:simpleType name="port-range"> <xsd:restriction base="xsd:string"> <xsd:pattern value="[0-9]{1,5}(\-[0-9]{1,5})?"/> </xsd:restriction> </xsd:simpleType>
<xsd:simpleType name="port-list"> <xsd:list itemType="idmef:port-range" /> </xsd:simpleType>
<xsd:simpleType name="port-list"> <xsd:list itemType="idmef:port-range" /> </xsd:simpleType>
<xsd:simpleType name="ntpstamp"> <xsd:restriction base="xsd:string"> <xsd:pattern value="0x[A-Fa-f0-9]{8}.0x[A-Fa-f0-9]{8}"/> </xsd:restriction> </xsd:simpleType>
<xsd:simpleType name="ntpstamp"> <xsd:restriction base="xsd:string"> <xsd:pattern value="0x[A-Fa-f0-9]{8}.0x[A-Fa-f0-9]{8}"/> </xsd:restriction> </xsd:simpleType>
<xsd:simpleType name="mime-type"> <xsd:restriction base="xsd:string"> </xsd:restriction> </xsd:simpleType>
<xsd:simpleType name="mime-type"> <xsd:restriction base="xsd:string"> </xsd:restriction> </xsd:simpleType>
  <!-- Section 3: Top-level element declarations.  The IDMEF-Message
       element and the types of messages it can include. -->
<xsd:complexType name="IDMEF-Message" > <xsd:choice minOccurs="1" maxOccurs="unbounded"> <xsd:element ref="idmef:Alert" /> <xsd:element ref="idmef:Heartbeat" /> </xsd:choice> <xsd:attribute name="version" type="xsd:decimal" fixed="1.0" /> </xsd:complexType>
<xsd:complexType name="IDMEF-Message" > <xsd:choice minOccurs="1" maxOccurs="unbounded"> <xsd:element ref="idmef:Alert" /> <xsd:element ref="idmef:Heartbeat" /> </xsd:choice> <xsd:attribute name="version" type="xsd:decimal" fixed="1.0" /> </xsd:complexType>
<xsd:element name="IDMEF-Message" type="idmef:IDMEF-Message" />
<xsd:element name="IDMEF-Message" type="idmef:IDMEF-Message" />
<xsd:complexType name="Alert"> <xsd:sequence> <xsd:element name="Analyzer" type="idmef:Analyzer" /> <xsd:element name="CreateTime" type="idmef:TimeWithNtpstamp" /> <xsd:element name="DetectTime" type="idmef:TimeWithNtpstamp" minOccurs="0" maxOccurs="1" /> <xsd:element name="AnalyzerTime" type="idmef:TimeWithNtpstamp" minOccurs="0" maxOccurs="1" /> <xsd:element name="Source" type="idmef:Source" minOccurs="0" maxOccurs="unbounded" /> <xsd:element name="Target" type="idmef:Target" minOccurs="0" maxOccurs="unbounded" /> <xsd:element name="Classification" type="idmef:Classification" /> <xsd:element name="Assessment" type="idmef:Assessment" minOccurs="0" maxOccurs="1" /> <xsd:choice minOccurs="0" maxOccurs="1"> <xsd:element name="ToolAlert" type="idmef:ToolAlert" /> <xsd:element name="OverflowAlert" type="idmef:OverflowAlert" /> <xsd:element name="CorrelationAlert" type="idmef:CorrelationAlert" /> </xsd:choice> <xsd:element name="AdditionalData" type="idmef:AdditionalData" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> <xsd:attribute name="messageid" type="xsd:string" default="0" /> </xsd:complexType>
<xsd:complexType name="Alert"> <xsd:sequence> <xsd:element name="Analyzer" type="idmef:Analyzer" /> <xsd:element name="CreateTime" type="idmef:TimeWithNtpstamp" /> <xsd:element name="DetectTime" type="idmef:TimeWithNtpstamp" minOccurs="0" maxOccurs="1" /> <xsd:element name="AnalyzerTime" type="idmef:TimeWithNtpstamp" minOccurs="0" maxOccurs="1" /> <xsd:element name="Source" type="idmef:Source" minOccurs="0" maxOccurs="unbounded" /> <xsd:element name="Target" type="idmef:Target" minOccurs="0" maxOccurs="unbounded" /> <xsd:element name="Classification" type="idmef:Classification" /> <xsd:element name="Assessment" type="idmef:Assessment" minOccurs="0" maxOccurs="1" /> <xsd:choice minOccurs="0" maxOccurs="1"> <xsd:element name="ToolAlert" type="idmef:ToolAlert" /> <xsd:element name="OverflowAlert" type="idmef:OverflowAlert" /> <xsd:element name="CorrelationAlert" type="idmef:CorrelationAlert" /> </xsd:choice> <xsd:element name="AdditionalData" type="idmef:AdditionalData" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> <xsd:attribute name="messageid" type="xsd:string" default="0" /> </xsd:complexType>
<xsd:element name="Alert" type="idmef:Alert" />
<xsd:element name="Alert" type="idmef:Alert" />
<xsd:complexType name="Heartbeat"> <xsd:sequence> <xsd:element name="Analyzer" type="idmef:Analyzer" /> <xsd:element name="CreateTime" type="idmef:TimeWithNtpstamp" /> <xsd:element name="HeartbeatInterval" type="xsd:integer" minOccurs="0" maxOccurs="1" /> <xsd:element name="AnalyzerTime" type="idmef:TimeWithNtpstamp" minOccurs="0" maxOccurs="1" /> <xsd:element name="AdditionalData" type="idmef:AdditionalData" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> <xsd:attribute name="messageid" type="xsd:string" default="0" /> </xsd:complexType>
<xsd:complexType name="Heartbeat"> <xsd:sequence> <xsd:element name="Analyzer" type="idmef:Analyzer" /> <xsd:element name="CreateTime" type="idmef:TimeWithNtpstamp" /> <xsd:element name="HeartbeatInterval" type="xsd:integer" minOccurs="0" maxOccurs="1" /> <xsd:element name="AnalyzerTime" type="idmef:TimeWithNtpstamp" minOccurs="0" maxOccurs="1" /> <xsd:element name="AdditionalData" type="idmef:AdditionalData" minOccurs="0" maxOccurs="unbounded" /> </xsd:sequence> <xsd:attribute name="messageid" type="xsd:string" default="0" /> </xsd:complexType>
<xsd:element name="Heartbeat" type="idmef:Heartbeat" />
<xsd:element name="Heartbeat" type="idmef:Heartbeat" />
  <!-- Section 4: Subclasses of the Alert class that provide more data
       for specific types of alerts. -->
<xsd:complexType name="CorrelationAlert"> <xsd:sequence> <xsd:element name="name" type="xsd:string" /> <xsd:element name="alertident" type="idmef:Alertident" minOccurs="1" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType>
<xsd:complexType name="CorrelationAlert"> <xsd:sequence> <xsd:element name="name" type="xsd:string" /> <xsd:element name="alertident" type="idmef:Alertident" minOccurs="1" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType>
<xsd:complexType name="OverflowAlert"> <xsd:sequence> <xsd:element name="program" type="xsd:string" /> <xsd:element name="size" type="xsd:string" />
<xsd:complexType name="OverflowAlert"> <xsd:sequence> <xsd:element name="program" type="xsd:string" /> <xsd:element name="size" type="xsd:string" />
<xsd:element name="buffer" type="xsd:hexBinary" /> </xsd:sequence> </xsd:complexType>
<xsd:element name="buffer" type="xsd:hexBinary" /> </xsd:sequence> </xsd:complexType>
<xsd:complexType name="ToolAlert"> <xsd:sequence> <xsd:element name="name" type="xsd:string" /> <xsd:element name="command" type="xsd:string" minOccurs="0" maxOccurs="1" /> <xsd:element name="alertident" type="idmef:Alertident" minOccurs="1" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType>
<xsd:complexType name="ToolAlert"> <xsd:sequence> <xsd:element name="name" type="xsd:string" /> <xsd:element name="command" type="xsd:string" minOccurs="0" maxOccurs="1" /> <xsd:element name="alertident" type="idmef:Alertident" minOccurs="1" maxOccurs="unbounded" /> </xsd:sequence> </xsd:complexType>
  <!-- Section 5: The AdditionalData element.  This element allows an
       alert to include additional information that cannot be encoded
       elsewhere in the data model. -->
<xsd:complexType name="AdditionalData"> <xsd:choice> <xsd:element name="boolean" type="xsd:boolean" /> <xsd:element name="byte" type="xsd:byte" /> <xsd:element name="character"> <xsd:simpleType> <xsd:restriction base="xsd:string"> <xsd:minLength value="1"/> <xsd:maxLength value="1"/> </xsd:restriction> </xsd:simpleType> </xsd:element> <xsd:element name="date-time" type="xsd:dateTime" /> <xsd:element name="integer" type="xsd:integer" /> <xsd:element name="ntpstamp" type="idmef:ntpstamp" /> <xsd:element name="portlist" type="idmef:port-list" /> <xsd:element name="real" type="xsd:decimal" />
<xsd:complexType name="AdditionalData"> <xsd:choice> <xsd:element name="boolean" type="xsd:boolean" /> <xsd:element name="byte" type="xsd:byte" /> <xsd:element name="character"> <xsd:simpleType> <xsd:restriction base="xsd:string"> <xsd:minLength value="1"/> <xsd:maxLength value="1"/> </xsd:restriction> </xsd:simpleType> </xsd:element> <xsd:element name="date-time" type="xsd:dateTime" /> <xsd:element name="integer" type="xsd:integer" /> <xsd:element name="ntpstamp" type="idmef:ntpstamp" /> <xsd:element name="portlist" type="idmef:port-list" /> <xsd:element name="real" type="xsd:decimal" />
<xsd:element name="string" type="xsd:string" /> <xsd:element name="byte-string" type="xsd:hexBinary" /> <xsd:element name="xml" type="idmef:xmltext" /> </xsd:choice> <xsd:attribute name="type" type="idmef:additionaldata-type" /> <xsd:attribute name="meaning" type="xsd:string" /> </xsd:complexType>
<xsd:element name="string" type="xsd:string" /> <xsd:element name="byte-string" type="xsd:hexBinary" /> <xsd:element name="xml" type="idmef:xmltext" /> </xsd:choice> <xsd:attribute name="type" type="idmef:additionaldata-type" /> <xsd:attribute name="meaning" type="xsd:string" /> </xsd:complexType>
  <!-- Section 6: Elements related to identifying entities - analyzers
       (the senders of these messages), sources (of attacks), and
       targets (of attacks). -->
<xsd:complexType name="Analyzer"> <xsd:sequence> <xsd:element name="Node" type="idmef:Node" minOccurs="0" maxOccurs="1" /> <xsd:element name="Process" type="idmef:Process" minOccurs="0" maxOccurs="1" /> <xsd:element name="Analyzer" type="idmef:Analyzer" minOccurs="0" maxOccurs="1" /> </xsd:sequence> <xsd:attribute name="analyzerid" type="xsd:string" default="0" /> <xsd:attribute name="name" type="xsd:string" /> <xsd:attribute name="manufacturer" type="xsd:string" /> <xsd:attribute name="model" type="xsd:string" /> <xsd:attribute name="version" type="xsd:string" /> <xsd:attribute name="class" type="xsd:string" /> <xsd:attribute name="ostype" type="xsd:string" /> <xsd:attribute name="osversion"
  <xsd:complexType name="Analyzer">
    <xsd:sequence>
      <xsd:element name="Node" type="idmef:Node"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Process" type="idmef:Process"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Analyzer" type="idmef:Analyzer"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
    <xsd:attribute name="analyzerid" type="xsd:string" default="0" />
    <xsd:attribute name="name" type="xsd:string" />
    <xsd:attribute name="manufacturer" type="xsd:string" />
    <xsd:attribute name="model" type="xsd:string" />
    <xsd:attribute name="version" type="xsd:string" />
    <xsd:attribute name="class" type="xsd:string" />
    <xsd:attribute name="ostype" type="xsd:string" />
    <xsd:attribute name="osversion" type="xsd:string" />
  </xsd:complexType>

  <xsd:complexType name="Source">
    <xsd:sequence>
      <xsd:element name="Node" type="idmef:Node"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="User" type="idmef:User"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Process" type="idmef:Process"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Service" type="idmef:Service"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="spoofed" type="idmef:yes-no-type"
                   default="unknown" />
    <xsd:attribute name="interface" type="xsd:string" />
  </xsd:complexType>

  <xsd:complexType name="Target">
    <xsd:sequence>
      <xsd:element name="Node" type="idmef:Node"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="User" type="idmef:User"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Process" type="idmef:Process"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Service" type="idmef:Service"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="File" type="idmef:File"
                   minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="decoy" type="idmef:yes-no-type"
                   default="unknown" />
    <xsd:attribute name="interface" type="xsd:string" />
  </xsd:complexType>

  <!-- Section 7: Support elements used for providing detailed info
       about entities - addresses, names, etc. -->

  <xsd:complexType name="Address">
    <xsd:sequence>
      <xsd:element name="address" type="xsd:string" />
      <xsd:element name="netmask" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="category" type="idmef:address-category"
                   default="unknown" />
    <xsd:attribute name="vlan-name" type="xsd:string" />
    <xsd:attribute name="vlan-num" type="xsd:string" />
  </xsd:complexType>

  <xsd:complexType name="Assessment">
    <xsd:sequence>
      <xsd:element name="Impact" type="idmef:Impact"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Action" type="idmef:Action"
                   minOccurs="0" maxOccurs="unbounded" />
      <xsd:element name="Confidence" type="idmef:Confidence"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
  </xsd:complexType>

  <xsd:complexType name="Reference">
    <xsd:sequence>
      <xsd:element name="name" type="xsd:string" />
      <xsd:element name="url" type="xsd:string" />
    </xsd:sequence>
    <xsd:attribute name="origin" type="idmef:reference-origin"
                   default="unknown" />
    <xsd:attribute name="meaning" type="xsd:string" />
  </xsd:complexType>

  <xsd:complexType name="Classification">
    <xsd:sequence>
      <xsd:element name="Reference" type="idmef:Reference"
                   minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="text" type="xsd:string" use="required" />
  </xsd:complexType>

  <xsd:complexType name="File">
    <xsd:sequence>
      <xsd:element name="name" type="xsd:string" />
      <xsd:element name="path" type="xsd:string" />
      <xsd:element name="create-time" type="xsd:dateTime"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="modify-time" type="xsd:dateTime"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="access-time" type="xsd:dateTime"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="data-size" type="xsd:integer"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="disk-size" type="xsd:integer"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="FileAccess" type="idmef:FileAccess"
                   minOccurs="0" maxOccurs="unbounded" />
      <xsd:element name="Linkage" type="idmef:Linkage"
                   minOccurs="0" maxOccurs="unbounded" />
      <xsd:element name="Inode" type="idmef:Inode"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="Checksum" type="idmef:Checksum"
                   minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="category" type="idmef:file-category"
                   use="required" />
    <xsd:attribute name="fstype" type="xsd:string" use="required" />
    <xsd:attribute name="file-type" type="idmef:mime-type" />
  </xsd:complexType>

  <xsd:complexType name="Permission">
    <xsd:attribute name="perms" type="idmef:file-permission"
                   use="required" />
  </xsd:complexType>

  <xsd:complexType name="FileAccess">
    <xsd:sequence>
      <xsd:element name="UserId" type="idmef:UserId" />
      <xsd:element name="permission" type="idmef:Permission"
                   minOccurs="1" maxOccurs="unbounded" />
    </xsd:sequence>
  </xsd:complexType>

  <xsd:complexType name="Inode">
    <xsd:sequence>
      <xsd:element name="change-time" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:sequence minOccurs="0" maxOccurs="1">
        <xsd:element name="number" type="xsd:string" />
        <xsd:element name="major-device" type="xsd:string" />
        <xsd:element name="minor-device" type="xsd:string" />
      </xsd:sequence>
      <xsd:sequence minOccurs="0" maxOccurs="1">
        <xsd:element name="c-major-device" type="xsd:string" />
        <xsd:element name="c-minor-device" type="xsd:string" />
      </xsd:sequence>
    </xsd:sequence>
  </xsd:complexType>

  <xsd:complexType name="Linkage">
    <xsd:choice>
      <xsd:sequence>
        <xsd:element name="name" type="xsd:string" />
        <xsd:element name="path" type="xsd:string" />
      </xsd:sequence>
      <xsd:element name="File" type="idmef:File" />
    </xsd:choice>
    <xsd:attribute name="category" type="idmef:linkage-category"
                   use="required" />
  </xsd:complexType>

  <xsd:complexType name="Checksum">
    <xsd:sequence>
      <xsd:element name="value" type="xsd:string" />
      <xsd:element name="key" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
    <xsd:attribute name="algorithm" type="idmef:checksum-algorithm"
                   use="required" />
  </xsd:complexType>

  <xsd:complexType name="Node">
    <xsd:sequence>
      <xsd:element name="location" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:choice>
        <xsd:element name="name" type="xsd:string" />
        <xsd:element name="Address" type="idmef:Address" />
      </xsd:choice>
      <xsd:element name="Address" type="idmef:Address"
                   minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="category" type="idmef:node-category"
                   default="unknown" />
  </xsd:complexType>

  <xsd:complexType name="Process">
    <xsd:sequence>
      <xsd:element name="name" type="xsd:string" />
      <xsd:element name="pid" type="xsd:integer"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="path" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="arg" type="xsd:string"
                   minOccurs="0" maxOccurs="unbounded" />
      <xsd:element name="env" type="xsd:string"
                   minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
  </xsd:complexType>

  <xsd:complexType name="Service">
    <xsd:sequence>
      <xsd:choice>
        <xsd:sequence>
          <xsd:element name="name" type="xsd:string" />
          <xsd:element name="port" type="xsd:integer"
                       minOccurs="0" maxOccurs="1" />
        </xsd:sequence>
        <xsd:sequence>
          <xsd:element name="port" type="xsd:integer" />
          <xsd:element name="name" type="xsd:string"
                       minOccurs="0" maxOccurs="1" />
        </xsd:sequence>
        <xsd:element name="portlist" type="idmef:port-list" />
      </xsd:choice>
      <xsd:element name="protocol" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="SNMPService" type="idmef:SNMPService"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="WebService" type="idmef:WebService"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="ip_version" type="xsd:integer" />
    <xsd:attribute name="iana_protocol_number" type="xsd:integer" />
    <xsd:attribute name="iana_protocol_name" type="xsd:string" />
  </xsd:complexType>

  <xsd:complexType name="WebService">
    <xsd:sequence>
      <xsd:element name="url" type="xsd:anyURI" />
      <xsd:element name="cgi" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="http-method" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="arg" type="xsd:string"
                   minOccurs="0" maxOccurs="unbounded" />
    </xsd:sequence>
  </xsd:complexType>

  <xsd:complexType name="SNMPService">
    <xsd:sequence>
      <xsd:element name="oid" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="messageProcessingModel" type="xsd:integer"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="securityModel" type="xsd:integer"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="securityName" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="securityLevel" type="xsd:integer"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="contextName" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="contextEngineID" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
      <xsd:element name="command" type="xsd:string"
                   minOccurs="0" maxOccurs="1" />
    </xsd:sequence>
  </xsd:complexType>

  <xsd:complexType name="User">
    <xsd:sequence>
      <xsd:element name="UserId" type="idmef:UserId"
                   minOccurs="1" maxOccurs="unbounded" />
    </xsd:sequence>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="category" type="idmef:user-category"
                   default="unknown" />
  </xsd:complexType>

  <xsd:complexType name="UserId">
    <xsd:choice>
      <xsd:sequence>
        <xsd:element name="name" type="xsd:string" />
        <xsd:element name="number" type="xsd:integer"
                     minOccurs="0" maxOccurs="1" />
      </xsd:sequence>
      <xsd:sequence>
        <xsd:element name="number" type="xsd:integer" />
        <xsd:element name="name" type="xsd:string"
                     minOccurs="0" maxOccurs="1" />
      </xsd:sequence>
    </xsd:choice>
    <xsd:attribute name="ident" type="xsd:string" default="0" />
    <xsd:attribute name="type" type="idmef:id-type"
                   default="original-user" />
    <xsd:attribute name="tty" type="xsd:string" />
  </xsd:complexType>

  <!-- Section 8: Simple elements with sub-elements or attributes of a
       special nature. -->

  <xsd:complexType name="Action">
    <xsd:simpleContent>
      <xsd:extension base="xsd:string">
        <xsd:attribute name="category" type="idmef:action-category"
                       default="other" />
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

  <xsd:complexType name="Confidence">
    <xsd:simpleContent>
      <xsd:extension base="xsd:string">
        <xsd:attribute name="rating" type="idmef:confidence-rating"
                       use="required" />
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

  <xsd:complexType name="TimeWithNtpstamp">
    <xsd:simpleContent>
      <xsd:extension base="xsd:dateTime">
        <xsd:attribute name="ntpstamp" type="idmef:ntpstamp"
                       use="required" />
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

  <xsd:complexType name="Impact">
    <xsd:simpleContent>
      <xsd:extension base="xsd:string">
        <xsd:attribute name="severity" type="idmef:impact-severity" />
        <xsd:attribute name="completion"
                       type="idmef:impact-completion" />
        <xsd:attribute name="type" type="idmef:impact-type"
                       default="other" />
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

  <xsd:complexType name="Alertident">
    <xsd:simpleContent>
      <xsd:extension base="xsd:string">
        <xsd:attribute name="analyzerid" type="xsd:string" />
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

  <xsd:complexType name="xmltext">
    <xsd:complexContent mixed="true">
      <xsd:restriction base="xsd:anyType">
        <xsd:sequence>
          <xsd:any namespace="##other" processContents="lax"
                   minOccurs="0" maxOccurs="unbounded" />
        </xsd:sequence>
      </xsd:restriction>
    </xsd:complexContent>
  </xsd:complexType>

</xsd:schema>
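The following is an added example; it is not part of RFC 4765 and not code from the IDMEF working group. It is a small Python consumer for the Alert message as the complexTypes above shape it. It uses only the standard library, so it does not run the XSD itself; instead it enforces by hand the rules the schema states: attributes marked use="required" (the text of Classification, the rating of Confidence, the ntpstamp of the TimeWithNtpstamp used by CreateTime), attribute defaults (analyzerid "0", spoofed and decoy "unknown", Node and Address category "unknown", Impact type "other"), the (name | Address) choice in Node and the name/port/portlist choice in Service. The namespace string is the one the RFC assigns to IDMEF; the function names and the dict layout are this example's own. SAMPLE_ALERT, its hostnames, addresses and vendor signature reference are constructed for the example. Because IDMEF messages arrive from remote sensors, a production consumer should parse them with a parser configured to refuse DTDs and entity expansion (the third-party defusedxml package exists for this); plain xml.etree is used here only to keep the example self-contained.

```python
import xml.etree.ElementTree as ET

NS = "http://iana.org/idmef"  # namespace RFC 4765 assigns to IDMEF elements

class IdmefError(ValueError):
    """The message violates a constraint stated in the schema."""

def q(local):  # Clark-notation tag, e.g. {http://iana.org/idmef}Alert
    return "{%s}%s" % (NS, local)

def require_attr(el, name):
    """Return an attribute the schema marks use="required", else raise."""
    if el.get(name) is None:
        raise IdmefError("%s lacks required attribute %r" % (el.tag, name))
    return el.get(name)

def parse_node(el):
    """Node content model: location?, (name | Address), Address*."""
    name, addrs = el.findtext(q("name")), []
    for a in el.findall(q("Address")):
        if not a.findtext(q("address")):  # address is a mandatory child
            raise IdmefError("Address without an address element")
        addrs.append({"address": a.findtext(q("address")),
                      "category": a.get("category", "unknown")})
    if name is None and not addrs:  # the choice demands one of the two
        raise IdmefError("Node needs a name or at least one Address")
    return {"category": el.get("category", "unknown"), "name": name,
            "addresses": addrs}

def parse_service(el):
    """Service content model: (name, port?) | (port, name?) | portlist."""
    name, port = el.findtext(q("name")), el.findtext(q("port"))
    if name is None and port is None and el.findtext(q("portlist")) is None:
        raise IdmefError("Service needs a name, a port or a portlist")
    return {"name": name, "port": None if port is None else int(port),
            "protocol": el.findtext(q("protocol"))}

def parse_endpoint(el, flag):  # Source carries 'spoofed', Target 'decoy'
    node, svc = el.find(q("Node")), el.find(q("Service"))
    return {flag: el.get(flag, "unknown"),  # schema default "unknown"
            "node": None if node is None else parse_node(node),
            "service": None if svc is None else parse_service(svc)}

def parse_alert(xml_text):
    """Return the Alert of an IDMEF-Message as a dict, or raise IdmefError."""
    alert = ET.fromstring(xml_text).find(q("Alert"))
    if alert is None:
        raise IdmefError("no Alert element")
    analyzer, ctime = alert.find(q("Analyzer")), alert.find(q("CreateTime"))
    classif = alert.find(q("Classification"))
    if analyzer is None or ctime is None or classif is None:
        raise IdmefError("Analyzer, CreateTime and Classification are mandatory")
    assess = alert.find(q("Assessment"))
    impact = None if assess is None else assess.find(q("Impact"))
    conf = None if assess is None else assess.find(q("Confidence"))
    return {
        "analyzerid": analyzer.get("analyzerid", "0"),  # schema default "0"
        # CreateTime is a TimeWithNtpstamp, whose ntpstamp is required
        "create_time": (ctime.text, require_attr(ctime, "ntpstamp")),
        "sources": [parse_endpoint(s, "spoofed") for s in alert.findall(q("Source"))],
        "targets": [parse_endpoint(t, "decoy") for t in alert.findall(q("Target"))],
        "classification": require_attr(classif, "text"),
        "references": [(r.get("origin", "unknown"), r.findtext(q("name")))
                       for r in classif.findall(q("Reference"))],
        "impact": None if impact is None else {
            "severity": impact.get("severity"),
            "completion": impact.get("completion"),
            "type": impact.get("type", "other")},  # schema default "other"
        "confidence": None if conf is None else (require_attr(conf, "rating"),
                                                 conf.text)}

def is_valid_alert(xml_text):
    """True when the message passes the checks above."""
    try:
        parse_alert(xml_text)
        return True
    except (IdmefError, ET.ParseError):
        return False

# Constructed sample (not from the RFC): hosts, addresses and the
# signature reference are made up; 192.0.2.0/24 is documentation space.
SAMPLE_ALERT = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
<idmef:Alert messageid="a1b2c3d4">
<idmef:Analyzer analyzerid="sensor01" name="nids"><idmef:Node category="dns">
<idmef:name>sensor.example.org</idmef:name></idmef:Node></idmef:Analyzer>
<idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464-05:00</idmef:CreateTime>
<idmef:Source spoofed="yes"><idmef:Node><idmef:Address category="ipv4-addr">
<idmef:address>192.0.2.200</idmef:address></idmef:Address></idmef:Node>
<idmef:Service><idmef:port>51203</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service></idmef:Source>
<idmef:Target><idmef:Node category="dns"><idmef:name>www.example.org</idmef:name>
<idmef:Address category="ipv4-addr"><idmef:address>192.0.2.50</idmef:address></idmef:Address></idmef:Node>
<idmef:Service><idmef:name>http</idmef:name><idmef:port>80</idmef:port></idmef:Service></idmef:Target>
<idmef:Classification text="Teardrop detected"><idmef:Reference origin="vendor-specific">
<idmef:name>sig-0042</idmef:name><idmef:url>http://ids.example.org/sig/0042</idmef:url>
</idmef:Reference></idmef:Classification>
<idmef:Assessment><idmef:Impact severity="high" completion="failed" type="dos"/>
<idmef:Confidence rating="numeric">0.8</idmef:Confidence></idmef:Assessment>
</idmef:Alert></idmef:IDMEF-Message>"""
```

parse_alert(SAMPLE_ALERT) yields the Source as spoofed with its Node category defaulted to "unknown" and the Target with decoy defaulted to "unknown". Removing the text attribute of Classification, the ntpstamp of CreateTime, or the port of the Source Service makes is_valid_alert return False, which is also the verdict an XSD validator would give for those three messages.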
Authors' Addresses

Herve Debar
France Telecom R & D
42 Rue des Coutures
Caen 14000
FR

Phone: +33 2 31 75 92 61
EMail: herve.debar@orange-ftgroup.com
URI:   http://www.francetelecom.fr/

David A. Curry
Guardian Life Insurance Company of America
7 Hanover Square, 24th Floor
New York, NY 10004
US

Phone: +1 212 919-3086
EMail: david_a_curry@glic.com
URI:   http://www.glic.com/

Benjamin S. Feinstein
SecureWorks, Inc.
PO Box 95007
Atlanta, GA 30347
US

Phone: +1 404 327-6339
Email: bfeinstein@acm.org
URI:   http://www.secureworks.com/
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the Internet Society.