2 Oct 2005 16:18
Re: Proposal for additional asset infos in IDMEF
Sandro Poppi <spoppi <at> gmx.net>
2005-10-02 14:18:21 GMT
Hervé et al,

Find attached a new version of my asset proposal. The changes are:

- Incorporated Anton Chuvakin's considerations about the OS class
- Switched from DTD to schema representation

I'm looking forward to further discussions and input on that topic.

Regards,

Sandro

Herve Debar wrote:
> Sandro Poppi wrote:
>
>> Hello all,
>>
>> I'd like to propose inclusion of additional information within IDMEF:
>>
>> When dealing with IDS/IPS data it's very helpful if there was also
>> information available about the target attacked, e.g. for event
>> correlation, like os, open ports, software running on the target,
>> known vulnerabilities etc.
>>
>> As this helps in understanding attacks reported by analyzers and
>> mitigating risks this for me is also part of Intrusion
>> Detection/Prevention and thus should be reflected within IDMEF.
>>
>> To generate that kind of information lots of open source and
>> commercial tools are available (nmap, nessus, ISS Internet Scanner,
>> Microsoft Baseline Security Analyzer, ...).
>>
>> In terms of IDMEF I'd see such kind of tool also as an "analyzer", but
>> this analyzer does not generate any alarm but asset information which
>> doesn't fit any of the current classes (it's not an alert nor a
>> heartbeat).
>>
> I'd probably see it as another type of info than alert or heartbeat as
> well.
>
> Without commenting on the content, you may want to move the formalism
> from DTD to schema, as IDMEF has made the move a while back, and schemas
> represent much better what we want to do.
>
> I'd be looking at the content and commenting in more detail soon.
>
> BTW, I'd like to take this opportunity to attach version 15 of the draft
> for comments. The main changes are summarized at the end of the
> document, repeated here for help:
>
> - [HD] Corrected choice imbrication in service class in schema
> - [HD] Reworded definition of spoofed in source class
> - [HD] Homogeneous representation of additionaldata between dtd and schema
> - [HD] Corrected missing analyzer name in schema
> - [HD] Corrected missing analyzer recursion in schema
> - [HD] Removed UML/XML primer, look at W3C site for documentation !
> - [HD] Fixed cardinality of Alert/Heartbeat in schema
> - [HD] Cleaned extension, works properly and validates schemas and examples
>
> Hervé

-- 
"Linux is like a wigwam: no windows, no gates ... apache inside!"
http://www.lug-burghausen.org/
              +---------------+
              | IDMEF-Message |
              +---------------+
                     /_\
                      |
      +---------------+---------------+
      |               |               |
  +-------+     +-----------+     +-------+
  | Alert |     | Heartbeat |     | Asset |
  +-------+     +-----------+     +-------+
The Asset Class
The Asset class carries information about a target that was generated
"offline", by scanning tools or by hand, so that a manager can correlate it
with the alerts it receives and suppress false positives.
[The Asset class reuses existing IDMEF classes and adds some new ones.]
              +--------------+
              |    Asset     |
              +--------------+       0..1  +----------------+
              | STRING ident |<>----------|    Analyzer    |
              |              |             +----------------+
              |              |             +----------------+
              |              |<>----------|     Target     |
              |              |             +----------------+
              |              |       1..*  +----------------+
              |              |<>----------|      Tool      |
              |              |             +----------------+
              +--------------+
The aggregate classes that make up Asset are:
Analyzer
Zero or one. Information about the system the tool runs on.
Target
Exactly one. The target this asset information is about.
Tool
One or more. The tool(s) that produced the information for this asset.
This is represented in the IDMEF schema as follows:
<xsd:complexType name="Asset">
  <xsd:sequence>
    <xsd:element name="Analyzer"
                 type="idmef:Analyzer"
                 minOccurs="0"
                 maxOccurs="1" />
    <xsd:element name="Target"
                 type="idmef:Target" />
    <xsd:element name="Tool"
                 type="idmef:Tool"
                 minOccurs="1"
                 maxOccurs="unbounded" />
  </xsd:sequence>
  <xsd:attribute name="ident"
                 type="xsd:string"
                 default="0" />
</xsd:complexType>
<xsd:element name="Asset" type="idmef:Asset" />
The Asset class has one attribute:
ident
Optional. A unique identifier for this asset, see Section 4.2.9.
[Addition to 4.2.9] An Asset MUST be uniquely identified by the pair
(asset.ident, tool.name).
The Tool Class
The Tool class identifies the tool that produced the information and
carries its results for further processing.
          +---------------------+
          |        Tool         |
          +---------------------+       0..1  +----------------+
          | STRING name         |<>----------|      url       |
          | STRING manufacturer |             +----------------+
          | STRING model        |       0..*  +----------------+
          | STRING version      |<>----------|      arg       |
          | STRING class        |             +----------------+
          | STRING ostype       |       1..*  +----------------+
          | STRING osversion    |<>----------|     Result     |
          |                     |             +----------------+
          |                     |       0..*  +----------------+
          |                     |<>----------| AdditionalData |
          +---------------------+             +----------------+
The aggregate classes that make up Tool are:
url
Zero or one. STRING. A URL at which the tool (or the human
operator of the manager) can find additional information about it.
The document pointed to by the URL may include an in-depth
description of the tool, most likely its homepage.
arg
Zero or more. STRING. A command-line argument to the tool.
Multiple arguments may be specified (they are assumed to have
occurred in the same order they are provided) with multiple uses
of arg. This could be e.g. a nessus commandline of a certain nasl
script or an nmap commandline.
Result
One or more. The result set the tool found for the target. This is a
list of what the tool identified on the target, e.g. a list of open
ports, the operating system, the vulnerabilities found etc.
AdditionalData
Zero or more. Information included by the analyzer that does not
fit into the data model. This may be an atomic piece of data, or
a large amount of data provided through an extension to the IDMEF
(see Section 6).
This is represented in the IDMEF schema as follows:
<xsd:complexType name="Tool">
  <xsd:sequence>
    <xsd:element name="url"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="1" />
    <xsd:element name="arg"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="unbounded" />
    <xsd:element name="Result"
                 type="idmef:Result"
                 minOccurs="1"
                 maxOccurs="unbounded" />
    <xsd:element name="AdditionalData"
                 type="idmef:AdditionalData"
                 minOccurs="0"
                 maxOccurs="unbounded" />
  </xsd:sequence>
  <xsd:attribute name="name"
                 type="xsd:string"
                 use="required" />
  <xsd:attribute name="manufacturer"
                 type="xsd:string" />
  <xsd:attribute name="model"
                 type="xsd:string" />
  <xsd:attribute name="version"
                 type="xsd:string" />
  <xsd:attribute name="class"
                 type="xsd:string" />
  <xsd:attribute name="ostype"
                 type="xsd:string" />
  <xsd:attribute name="osversion"
                 type="xsd:string" />
</xsd:complexType>
The Tool class has seven attributes:
name
Required. An explicit name for the tool used. This could also be
"manual" if the data was generated "by hand".
manufacturer
Optional. The manufacturer of the tool software.
model
Optional. The model name/number of the tool software.
version
Optional. The version number of the tool software.
class
Optional. The class of tool software.
ostype
Optional. Operating system name the tool runs on. On POSIX 1003.1
compliant systems, this is the value returned in utsname.sysname by the
uname() system call, or the output of the "uname -s" command.
osversion
Optional. Operating system version the tool runs on. On POSIX 1003.1
compliant systems, this is the value returned in utsname.release by the
uname() system call, or the output of the "uname -r" command.
The Result Class
The Result class provides information about the tool's findings. It is
intended to exactly define what the tool thinks it has found on the target.
          +-----------------+
          |     Result      |
          +-----------------+       0..1  +---------------+
          | STRING ident    |<>----------|  Confidence   |
          | ENUM severity   |             +---------------+
          | STRING version  |             +---------------+
          | STRING category |<>----------|    Service    |
          | ENUM type       |             +---------------+
          |                 |             +---------------+
          |                 |<>----------| Vulnerability |
          |                 |             +---------------+
          |                 |             +---------------+
          |                 |<>----------|      OS       |
          |                 |             +---------------+
          |                 |       1..*  +---------------+
          |                 |<>----------|     Rule      |
          |                 |             +---------------+
          |                 |       0..*  +---------------+
          |                 |<>----------|   Reference   |
          |                 |             +---------------+
          |                 |             +---------------+
          |                 |<>----------|  CreateTime   |
          |                 |             +---------------+
          |                 |       0..1  +---------------+
          |                 |<>----------|    banner     |
          |                 |             +---------------+
          |                 |       0..1  +---------------+
          |                 |<>----------|    summary    |
          |                 |             +---------------+
          |                 |       0..1  +---------------+
          |                 |<>----------|  description  |
          |                 |             +---------------+
          +-----------------+
Exactly one of the classes Service, Vulnerability, OS and Rule MUST be
present in a Result (they are mutually exclusive); Rule is the only one of
them that may occur more than once. Each vulnerability found is reported in
its own Result.
The aggregate classes that make up Result are:
Confidence
Zero or one. A measurement of the confidence the tool has in its
evaluation of the result.
Service
Exactly one, if the Result reports a network service (e.g. an open port)
found on the target; otherwise absent.
Vulnerability
Exactly one, if the Result reports a vulnerability the tool found on the
target; otherwise absent.
OS
Exactly one, if the Result reports the operating system the tool identified
on the target; otherwise absent.
Rule
One or more, if the Result reports firewall policy: what is allowed to reach
the target and from whom, when the target is protected by a firewall. This
can be used to import firewall rule sets such as iptables; otherwise absent.
Reference
Zero or more. Information about the result, pointing to external
documentation sites, that will provide background information.
CreateTime
Exactly one. The time at which the tool produced this result.
banner
Zero or one. STRING. The service's banner as obtained by connecting to
the given Service. If banner is set, Service MUST be set too.
summary
Zero or one. STRING. A brief summary of the result.
description
Zero or one. STRING. A detailed description of the result.
This is represented in the IDMEF schema as follows:
<xsd:simpleType name="result-severity">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="info" />
    <xsd:enumeration value="low" />
    <xsd:enumeration value="medium" />
    <xsd:enumeration value="high" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="result-type">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="automatic" />
    <xsd:enumeration value="manual" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="Result">
  <xsd:sequence>
    <xsd:choice>
      <xsd:sequence>
        <xsd:element name="Service"
                     type="idmef:Service" />
        <xsd:element name="banner"
                     type="xsd:string"
                     minOccurs="0"
                     maxOccurs="1" />
      </xsd:sequence>
      <xsd:element name="Vulnerability"
                   type="idmef:Vulnerability" />
      <xsd:element name="OS"
                   type="idmef:OS" />
      <xsd:element name="Rule"
                   type="idmef:Rule"
                   minOccurs="1"
                   maxOccurs="unbounded" />
    </xsd:choice>
    <xsd:element name="Confidence"
                 type="idmef:Confidence"
                 minOccurs="0"
                 maxOccurs="1" />
    <xsd:element name="Reference"
                 type="idmef:Reference"
                 minOccurs="0"
                 maxOccurs="unbounded" />
    <xsd:element name="CreateTime"
                 type="idmef:CreateTime" />
    <xsd:element name="summary"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="1" />
    <xsd:element name="description"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="1" />
  </xsd:sequence>
  <xsd:attribute name="ident"
                 type="xsd:string" />
  <xsd:attribute name="severity"
                 type="idmef:result-severity"
                 use="required" />
  <xsd:attribute name="version"
                 type="xsd:string" />
  <xsd:attribute name="category"
                 type="xsd:string" />
  <xsd:attribute name="type"
                 type="idmef:result-type"
                 default="automatic" />
</xsd:complexType>
The Result class has five attributes:
ident
Optional. A unique identifier for this Result, e.g. the tool's own id for
the finding.
severity
Required. An estimate of the relative severity of the result. The permitted
values are shown below. There is no default value.
+------+---------+------------------------------------------+
| Rank | Keyword | Description                              |
+------+---------+------------------------------------------+
| 0    | info    | Result represents informational activity |
|      |         |                                          |
| 1    | low     | Low severity                             |
|      |         |                                          |
| 2    | medium  | Medium severity                          |
|      |         |                                          |
| 3    | high    | High severity                            |
+------+---------+------------------------------------------+
version
Optional. The version/revision of the script/rule that produced the
result, if applicable.
category
Optional. The category the result belongs to.
type
Required. The type of the result. The permitted values for this attribute
are shown below. The default value is "automatic".
+------+-----------+--------------------------+
| Rank | Keyword   | Description              |
+------+-----------+--------------------------+
| 0    | automatic | The result was generated |
|      |           | automatically.           |
|      |           |                          |
| 1    | manual    | The result was generated |
|      |           | manually.                |
+------+-----------+--------------------------+
The Vulnerability Class
The Vulnerability class provides detailed information about the
vulnerability found.
[The attributes are mainly inspired by OSVDB, http://www.osvdb.org]
          +-------------------+
          |   Vulnerability   |
          +-------------------+       0..*  +---------------+
          | STRING ident      |<>----------|    exploit    |
          | ENUM exploitable  |             +---------------+
          | ENUM location     |
          | ENUM attacktype   |
          | ENUM attackimpact |
          | ENUM grade        |
          | ENUM web          |
          +-------------------+
The aggregate classes that make up Vulnerability are:
exploit
Zero or more. STRING. If 'exploitable' is set to "available" this class
holds information about the published exploit(s), else exploit has to be
omitted.
This is represented in the IDMEF schema as follows:
<xsd:simpleType name="vulnerability-exploitable">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="unknown" />
    <xsd:enumeration value="available" />
    <xsd:enumeration value="unavailable" />
    <xsd:enumeration value="rumored" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="vulnerability-location">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="unknown" />
    <xsd:enumeration value="local" />
    <xsd:enumeration value="remote" />
    <xsd:enumeration value="physical" />
    <xsd:enumeration value="dialup" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="vulnerability-attacktype">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="unknown" />
    <xsd:enumeration value="auth_manage" />
    <xsd:enumeration value="crypt" />
    <xsd:enumeration value="dos" />
    <xsd:enumeration value="hijack" />
    <xsd:enumeration value="info_disclosure" />
    <xsd:enumeration value="infrastruct" />
    <xsd:enumeration value="input_manip" />
    <xsd:enumeration value="miss_config" />
    <xsd:enumeration value="race" />
    <xsd:enumeration value="other" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="vulnerability-attackimpact">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="unknown" />
    <xsd:enumeration value="confidential" />
    <xsd:enumeration value="integrity" />
    <xsd:enumeration value="available" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="vulnerability-grade">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="verified" />
    <xsd:enumeration value="myth" />
    <xsd:enumeration value="best_practice" />
    <xsd:enumeration value="concern" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="Vulnerability">
  <xsd:sequence>
    <xsd:element name="exploit"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="unbounded" />
  </xsd:sequence>
  <xsd:attribute name="ident"
                 type="xsd:string" />
  <xsd:attribute name="exploitable"
                 type="idmef:vulnerability-exploitable"
                 default="unknown" />
  <xsd:attribute name="location"
                 type="idmef:vulnerability-location"
                 default="unknown" />
  <xsd:attribute name="attacktype"
                 type="idmef:vulnerability-attacktype"
                 default="unknown" />
  <xsd:attribute name="attackimpact"
                 type="idmef:vulnerability-attackimpact"
                 default="unknown" />
  <xsd:attribute name="grade"
                 type="idmef:vulnerability-grade"
                 use="required" />
  <xsd:attribute name="web"
                 type="idmef:yes-no-type"
                 default="unknown" />
</xsd:complexType>
The Vulnerability class has seven attributes:
ident
Optional. A unique identifier for this Vulnerability, e.g. the tool's own
id for the finding.
exploitable
Required. Whether an exploit for the vulnerability found is available. The
permitted values are shown below. The default value is "unknown".
+------+-------------+------------------------------------------+
| Rank | Keyword     | Description                              |
+------+-------------+------------------------------------------+
| 0    | unknown     | It is not known whether an exploit exists|
|      |             |                                          |
| 1    | available   | An exploit is publicly available         |
|      |             |                                          |
| 2    | unavailable | No exploit is available                  |
|      |             |                                          |
| 3    | rumored     | Rumor has it that an exploit is          |
|      |             | circulating                              |
+------+-------------+------------------------------------------+
location
Optional. The kind of access needed to exploit this vulnerability. The
permitted values are shown below. The default value is "unknown".
+------+----------+------------------------------------------+
| Rank | Keyword  | Description                              |
+------+----------+------------------------------------------+
| 0    | unknown  | It is not known which kind of access is  |
|      |          | required to exploit this vulnerability   |
|      |          |                                          |
| 1    | local    | Local shell access is required           |
|      |          |                                          |
| 2    | remote   | The vulnerability can be exploited       |
|      |          | remotely over the network                |
|      |          |                                          |
| 3    | physical | Physical console access is required      |
|      |          |                                          |
| 4    | dialup   | Dialup access is required                |
+------+----------+------------------------------------------+
attacktype
Optional. The type of attack the vulnerability enables. The permitted
values are shown below. The default value is "unknown".
+------+-----------------+------------------------------------------+
| Rank | Keyword         | Description                              |
+------+-----------------+------------------------------------------+
| 0    | unknown         | The attack type is unknown               |
|      |                 |                                          |
| 1    | auth_manage     | An authentication attack                 |
|      |                 |                                          |
| 2    | crypt           | A cryptographic attack                   |
|      |                 |                                          |
| 3    | dos             | The attack leads to a denial of service  |
|      |                 |                                          |
| 4    | hijack          | The attack leads to session hijacking    |
|      |                 |                                          |
| 5    | info_disclosure | The attack leads to information          |
|      |                 | disclosure                               |
|      |                 |                                          |
| 6    | infrastruct     | An infrastructure attack                 |
|      |                 |                                          |
| 7    | input_manip     | An input manipulation attack             |
|      |                 |                                          |
| 8    | miss_config     | The attack is possible because of a      |
|      |                 | misconfiguration                         |
|      |                 |                                          |
| 9    | race            | The attack uses a race condition         |
|      |                 |                                          |
| 10   | other           | The type fits none of the above but is   |
|      |                 | not unknown                              |
+------+-----------------+------------------------------------------+
attackimpact
Optional. The impact of a successful attack. The permitted values are
shown below. The default value is "unknown".
+------+--------------+------------------------------------------+
| Rank | Keyword      | Description                              |
+------+--------------+------------------------------------------+
| 0    | unknown      | The impact is unknown                    |
|      |              |                                          |
| 1    | confidential | The attack leads to loss of              |
|      |              | confidentiality                          |
|      |              |                                          |
| 2    | integrity    | The attack leads to loss of integrity    |
|      |              |                                          |
| 3    | available    | The attack leads to loss of availability |
+------+--------------+------------------------------------------+
grade
Required. The grade of this vulnerability. The permitted values are shown
below. There is no default value.
+------+---------------+------------------------------------------+
| Rank | Keyword       | Description                              |
+------+---------------+------------------------------------------+
| 0    | verified      | The vulnerability has been verified      |
|      |               |                                          |
| 1    | myth          | The vulnerability is a myth, i.e. not    |
|      |               | real                                     |
|      |               |                                          |
| 2    | best_practice | The finding is a best-practice           |
|      |               | recommendation rather than a flaw        |
|      |               |                                          |
| 3    | concern       | The finding is a concern that has not    |
|      |               | been verified                            |
+------+---------------+------------------------------------------+
web
Optional. Describes whether this vulnerability is web related. The
permitted values are shown below. The default value is "unknown".
+------+---------+------------------------------------------+
| Rank | Keyword | Description                              |
+------+---------+------------------------------------------+
| 0    | unknown | It is unknown whether this vulnerability |
|      |         | is web related                           |
|      |         |                                          |
| 1    | yes     | The vulnerability is web related         |
|      |         |                                          |
| 2    | no      | The vulnerability is not web related     |
+------+---------+------------------------------------------+
The OS Class
The OS class provides information about the operating system the tool thinks
is running on the target.
          +---------------------+
          |         OS          |
          +---------------------+       0..1  +---------------+
          | ENUM arch           |<>----------|  patchlevel   |
          | STRING vendor       |             +---------------+
          | ENUM family         |       0..*  +---------------+
          | STRING version      |<>----------|    hotfix     |
          | STRING name         |             +---------------+
          +---------------------+
The aggregate classes that make up OS are:
patchlevel
Zero or one. The OS's patchlevel as provided by the tool (aka Service Pack).
hotfix
Zero or more. The installed hotfixes of the OS. These SHOULD be ordered
by release date.
This is represented in the IDMEF schema as follows:
<xsd:simpleType name="os-arch">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="unknown" />
    <xsd:enumeration value="x86" />
    <xsd:enumeration value="x86-64" />
    <xsd:enumeration value="amd" />
    <xsd:enumeration value="amd64" />
    <xsd:enumeration value="ppc" />
    <xsd:enumeration value="mips" />
    <xsd:enumeration value="sparc" />
    <xsd:enumeration value="arm" />
    <xsd:enumeration value="pa-risc" />
    <xsd:enumeration value="other" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="os-family">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="Windows" />
    <xsd:enumeration value="Linux" />
    <xsd:enumeration value="OpenBSD" />
    <xsd:enumeration value="FreeBSD" />
    <xsd:enumeration value="NetBSD" />
    <xsd:enumeration value="Solaris" />
    <xsd:enumeration value="AIX" />
    <xsd:enumeration value="HP-UX" />
    <xsd:enumeration value="OS2" />
    <xsd:enumeration value="DOS" />
    <xsd:enumeration value="Unix-other" />
    <xsd:enumeration value="other" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="OS">
  <xsd:sequence>
    <xsd:element name="patchlevel"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="1" />
    <xsd:element name="hotfix"
                 type="xsd:string"
                 minOccurs="0"
                 maxOccurs="unbounded" />
  </xsd:sequence>
  <xsd:attribute name="arch"
                 type="idmef:os-arch"
                 default="unknown" />
  <xsd:attribute name="vendor"
                 type="xsd:string"
                 use="required" />
  <xsd:attribute name="family"
                 type="idmef:os-family"
                 use="required" />
  <xsd:attribute name="version"
                 type="xsd:string"
                 use="required" />
  <xsd:attribute name="name"
                 type="xsd:string"
                 use="required" />
</xsd:complexType>
The OS class has five attributes:
arch
Required. The architecture of the processor the OS runs on. The permitted
values are shown below. The default value is "unknown".
+------+---------+-----------------------------------------+
| Rank | Keyword | Description                             |
+------+---------+-----------------------------------------+
| 0    | unknown | The processor type is unknown           |
|      |         |                                         |
| 1    | x86     | Intel based PC 32 bit processor         |
|      |         |                                         |
| 2    | x86-64  | Intel based PC 64 bit processor         |
|      |         |                                         |
| 3    | amd     | AMD based PC 32 bit processor           |
|      |         |                                         |
| 4    | amd64   | AMD based PC 64 bit processor           |
|      |         |                                         |
| 5    | ppc     | PowerPC                                 |
|      |         |                                         |
| 6    | mips    | MIPS processor                          |
|      |         |                                         |
| 7    | sparc   | Sun SPARC/UltraSPARC processor          |
|      |         |                                         |
| 8    | arm     | ARM based processor                     |
|      |         |                                         |
| 9    | pa-risc | PA-RISC based processor                 |
|      |         |                                         |
| 10   | other   | Any processor not mentioned above       |
+------+---------+-----------------------------------------+
vendor
Required. The vendor of the operating system, e.g. Microsoft, Red Hat, Sun.
family
Required. The OS family. The permitted values are shown below. There is no
default value.
+------+------------+---------------------------------------------+
| Rank | Keyword    | Description                                 |
+------+------------+---------------------------------------------+
| 0    | Windows    | Microsoft Windows                           |
|      |            |                                             |
| 1    | Linux      | Linux based distributions                   |
|      |            |                                             |
| 2    | OpenBSD    | OpenBSD                                     |
|      |            |                                             |
| 3    | FreeBSD    | FreeBSD                                     |
|      |            |                                             |
| 4    | NetBSD     | NetBSD                                      |
|      |            |                                             |
| 5    | Solaris    | Sun Solaris                                 |
|      |            |                                             |
| 6    | AIX        | IBM AIX                                     |
|      |            |                                             |
| 7    | HP-UX      | Hewlett-Packard HP-UX                       |
|      |            |                                             |
| 8    | OS2        | IBM OS/2                                    |
|      |            |                                             |
| 9    | DOS        | MS-DOS based system                         |
|      |            |                                             |
| 10   | Unix-other | Any other Unix-based OS not mentioned above |
|      |            |                                             |
| 11   | other      | Any other OS not mentioned above            |
+------+------------+---------------------------------------------+
version
Required. The version of the OS.
name
Required. The OS name, e.g. "2003" for family Windows.
The Rule Class
The Rule class describes the firewall policy rules that apply to a specific
target. This supports finding holes in a firewall's policy (by correlating
with other analyzers' findings) as well as filtering out probes that the
firewall blocks anyway, even though an analyzer reports them.
          +------------------+
          |       Rule       |
          +------------------+
          | STRING ident     |
          | ENUM log         |       0..*  +-----------+
          | ENUM action      |<>----------|   Node    |
          | STRING interface |             +-----------+
          |                  |       0..*  +-----------+
          |                  |<>----------|   User    |
          |                  |             +-----------+
          |                  |       0..*  +-----------+
          |                  |<>----------|  Service  |
          |                  |             +-----------+
          |                  |       0..*  +-----------+
          |                  |<>----------|    Nat    |
          |                  |             +-----------+
          |                  |             +-----------+
          |                  |<>----------|  fwtype   |
          |                  |             +-----------+
          |                  |             +-----------+
          |                  |<>----------| fwversion |
          |                  |             +-----------+
          +------------------+
The aggregate classes that make up Rule are:
fwtype
Exactly one. STRING. The type of firewall the rule comes from (e.g. iptables).
fwversion
Exactly one. STRING. The version of that firewall.
Node
Zero or more. The source(s) defined in the policy.
User
Zero or more. The user(s) defined in the policy, if it is a user based
rule.
Service
Zero or more. Information about the network service(s) involved in
the rule.
Nat
Zero or more. Detailed information about Network Address Translation
(NAT) rules.
Exactly one of the classes Node, User or Nat MUST be set, never a
combination. If Nat is provided, none of Node, User and Service may be set.
In all other cases a Service class MUST be provided.
This is represented in the IDMEF schema as follows:
<xsd:simpleType name="rule-log">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="unknown" />
    <xsd:enumeration value="none" />
    <xsd:enumeration value="log" />
    <xsd:enumeration value="user" />
    <xsd:enumeration value="other" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:simpleType name="rule-action">
  <xsd:restriction base="xsd:token">
    <xsd:enumeration value="accept" />
    <xsd:enumeration value="drop" />
    <xsd:enumeration value="reject" />
    <xsd:enumeration value="accounting" />
  </xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="Rule">
  <xsd:sequence>
    <xsd:choice>
      <xsd:sequence>
        <xsd:element name="Node"
                     type="idmef:Node"
                     minOccurs="1"
                     maxOccurs="unbounded" />
        <xsd:element name="Service"
                     type="idmef:Service"
                     minOccurs="1"
                     maxOccurs="unbounded" />
      </xsd:sequence>
      <xsd:sequence>
        <xsd:element name="User"
                     type="idmef:User"
                     minOccurs="1"
                     maxOccurs="unbounded" />
        <xsd:element name="Service"
                     type="idmef:Service"
                     minOccurs="1"
                     maxOccurs="unbounded" />
      </xsd:sequence>
      <xsd:element name="Nat"
                   type="idmef:Nat"
                   minOccurs="1"
                   maxOccurs="unbounded" />
    </xsd:choice>
    <xsd:element name="fwtype"
                 type="xsd:string" />
    <xsd:element name="fwversion"
                 type="xsd:string" />
  </xsd:sequence>
  <xsd:attribute name="ident"
                 type="xsd:string" />
  <xsd:attribute name="log"
                 type="idmef:rule-log"
                 default="unknown" />
  <xsd:attribute name="action"
                 type="idmef:rule-action"
                 use="required" />
  <xsd:attribute name="interface"
                 type="xsd:string" />
</xsd:complexType>
The Rule class has four attributes:
ident
Optional. A unique identifier for this Rule, see Section 4.2.9.
log
Required. Defines whether logging is enabled for this rule and, if so, of
what kind. The permitted values are shown below. The default value is
"unknown".
+------+---------+------------------------------------------+
| Rank | Keyword | Description                              |
+------+---------+------------------------------------------+
| 0    | unknown | The logging setting is unknown           |
|      |         |                                          |
| 1    | none    | Logging is disabled for this rule        |
|      |         |                                          |
| 2    | log     | Normal logging, e.g. syslog or the       |
|      |         | firewall's default logging               |
|      |         |                                          |
| 3    | user    | The logging is user-defined              |
|      |         |                                          |
| 4    | other   | The logging is something else (email,    |
|      |         | SNMP, ...)                               |
+------+---------+------------------------------------------+
action
Required. The action this rule takes on matching traffic. The permitted
values are shown below. There is no default value.
+------+------------+------------------------------------------+
| Rank | Keyword    | Description                              |
+------+------------+------------------------------------------+
| 0    | accept     | The rule allows the traffic              |
|      |            |                                          |
| 1    | drop       | The rule drops matching packets without  |
|      |            | sending anything back                    |
|      |            |                                          |
| 2    | reject     | The rule drops matching packets and      |
|      |            | sends back an ICMP unreachable or a TCP  |
|      |            | reset                                    |
|      |            |                                          |
| 3    | accounting | The rule only counts matches             |
+------+------------+------------------------------------------+
interface
Optional. The interface this rule is bound to, such as "eth0" on Linux,
or "any".
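Several of the constraints above are stated in prose only and cannot be expressed in XML Schema 1.0, which has no co-occurrence constraints: the exclusive choice inside Result and "if banner is set, Service MUST be set too" (Result class), "exploit has to be omitted unless exploitable is available" (Vulnerability class), the Node/User/Nat branch rules of this Rule class, and the uniqueness of (asset.ident, tool.name) added to Section 4.2.9. A manager that consumes Asset messages has to check them itself. The following checker is an added example (editor's code, not part of the proposal); it assumes the IDMEF namespace the page's own examples use, treats ordinary XSD validation as a separate step, and runs over two constructed messages, one conforming and one breaking four of the rules.

```python
"""Checks the co-occurrence rules the Asset proposal states in prose but
XML Schema 1.0 cannot express: the exclusive choice inside Result, banner
needing Service, exploit needing exploitable="available", the Node/User/Nat
branch rules of Rule, and uniqueness of (asset.ident, tool.name).
Added example (editor's code, not from the proposal); plain XSD validation
of the message is assumed to happen separately."""
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}   # namespace used by the page's examples


def check_rule(rule, where):
    """Rule: exactly one of Node/User/Nat; Nat stands alone; the others need Service."""
    has = {k: rule.find("idmef:" + k, NS) is not None
           for k in ("Node", "User", "Service", "Nat")}
    errs = []
    branches = [k for k in ("Node", "User", "Nat") if has[k]]
    if len(branches) != 1:
        errs.append("%s: Rule needs exactly one of Node/User/Nat, got %s"
                    % (where, branches or "none"))
    if has["Nat"] and (has["Node"] or has["User"] or has["Service"]):
        errs.append("%s: Nat rule must not carry Node, User or Service" % where)
    if not has["Nat"] and not has["Service"]:
        errs.append("%s: non-NAT rule needs a Service" % where)
    return errs


def check_result(result, where):
    """Result: one finding kind only; banner needs Service; exploit needs exploitable=available."""
    kinds = [k for k in ("Service", "Vulnerability", "OS", "Rule")
             if result.find("idmef:" + k, NS) is not None]
    errs = []
    if len(kinds) != 1:
        errs.append("%s: Result needs exactly one of Service/Vulnerability/OS/Rule, got %s"
                    % (where, kinds or "none"))
    if result.find("idmef:banner", NS) is not None and "Service" not in kinds:
        errs.append("%s: banner present without Service" % where)
    for vuln in result.findall("idmef:Vulnerability", NS):
        flag = vuln.get("exploitable", "unknown")
        if vuln.findall("idmef:exploit", NS) and flag != "available":
            errs.append("%s: exploit listed but exploitable=%s" % (where, flag))
    for rule in result.findall("idmef:Rule", NS):
        errs.extend(check_rule(rule, where))
    return errs


def check_messages(docs):
    """Return every violation found in a list of IDMEF-Message XML strings;
    (asset.ident, tool.name) must be unique across the whole list."""
    errs, seen = [], set()
    for doc in docs:
        for asset in ET.fromstring(doc).findall("idmef:Asset", NS):
            for tool in asset.findall("idmef:Tool", NS):
                key = (asset.get("ident", "0"), tool.get("name"))
                if key in seen:
                    errs.append("duplicate (asset.ident, tool.name) %r" % (key,))
                seen.add(key)
                for n, res in enumerate(tool.findall("idmef:Result", NS)):
                    errs.extend(check_result(res, "%s/%s/Result[%d]" % (key + (n,))))
    return errs


# Constructed test messages (not from the page); Target and CreateTime are
# kept minimal because only the co-occurrence rules are checked here.
GOOD = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
<idmef:Asset ident="a1"><idmef:Tool name="nmap">
 <idmef:Result severity="info">
  <idmef:Service><idmef:port>3306</idmef:port></idmef:Service><idmef:banner>5.0.12</idmef:banner>
  <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
 <idmef:Result severity="info">
  <idmef:Rule action="drop"><idmef:Node><idmef:name>any</idmef:name></idmef:Node>
   <idmef:Service><idmef:port>445</idmef:port></idmef:Service>
   <idmef:fwtype>iptables</idmef:fwtype><idmef:fwversion>1.3</idmef:fwversion></idmef:Rule>
  <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
</idmef:Tool></idmef:Asset></idmef:IDMEF-Message>"""

BAD = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
<idmef:Asset ident="a1"><idmef:Tool name="nmap">
 <idmef:Result severity="high">
  <idmef:Vulnerability ident="v1" exploitable="rumored"><idmef:exploit>poc</idmef:exploit></idmef:Vulnerability>
  <idmef:banner>no Service here</idmef:banner>
  <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
 <idmef:Result severity="info">
  <idmef:Rule action="accept"><idmef:Node><idmef:name>any</idmef:name></idmef:Node><idmef:Nat ident="n1"/>
   <idmef:fwtype>iptables</idmef:fwtype><idmef:fwversion>1.3</idmef:fwversion></idmef:Rule>
  <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
</idmef:Tool></idmef:Asset></idmef:IDMEF-Message>"""
```

check_messages([GOOD]) returns an empty list; check_messages([BAD]) reports the banner without a Service, the exploit listed under exploitable="rumored", and two violations for the Rule that mixes Node and Nat; feeding both documents in one call adds the duplicate (asset.ident, tool.name) pair, since the uniqueness rule only has meaning across the set of messages a manager has received.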
The Nat Class
The Nat class provides detailed information about Network Address
Translation (NAT) rules. It is intended to make known which IP addresses
and/or ports behind the NAT device are actually affected by an attack.
          +--------------+
          |     Nat      |
          +--------------+             +-----------+
          | STRING ident |<>----------|  OrgSrc   |
          |              |             +-----------+
          |              |             +-----------+
          |              |<>----------|  OrgTgt   |
          |              |             +-----------+
          |              |             +-----------+
          |              |<>----------| TransSrc  |
          |              |             +-----------+
          |              |             +-----------+
          |              |<>----------| TransTgt  |
          |              |             +-----------+
          +--------------+
The aggregate classes that make up Nat are:
OrgSrc
Exactly one. The original source address(es).
OrgTgt
Exactly one. The original target address(es)
TransSrc
Exactly one. The translated source address.
TransTgt
Exactly one. The translated target address.
This is represented in the IDMEF schema as follows:
<xsd:complexType name="Nat">
  <xsd:sequence>
    <xsd:element name="OrgSrc"
                 type="idmef:OrgSrc" />
    <xsd:element name="OrgTgt"
                 type="idmef:OrgTgt" />
    <xsd:element name="TransSrc"
                 type="idmef:TransSrc" />
    <xsd:element name="TransTgt"
                 type="idmef:TransTgt" />
  </xsd:sequence>
  <xsd:attribute name="ident"
                 type="xsd:string"
                 default="0" />
</xsd:complexType>
The Nat class has one attribute:
ident
Optional. A unique identifier for this Nat rule, see Section 4.2.9.
The OrgSrc Class
The OrgSrc class defines the source node(s) which have to be NAT'ed.
          +--------------+
          |    OrgSrc    |
          +--------------+       1..*  +-----------+
          |              |<>----------|   Node    |
          |              |             +-----------+
          +--------------+
The aggregate classes that make up OrgSrc are:
Node
One or more. The source node(s) to be NAT'ed
This is represented in the IDMEF schema as follows:
<xsd:complexType name="OrgSrc">
  <xsd:sequence>
    <xsd:element name="Node"
                 type="idmef:Node"
                 minOccurs="1"
                 maxOccurs="unbounded" />
  </xsd:sequence>
</xsd:complexType>
The OrgSrc class has no attributes.
The OrgTgt Class
The OrgTgt class defines the target node(s) and port which have to be NAT'ed.
          +--------------+
          |    OrgTgt    |
          +--------------+       1..*  +-----------+
          |              |<>----------|   Node    |
          |              |             +-----------+
          |              |             +-----------+
          |              |<>----------|  Service  |
          |              |             +-----------+
          +--------------+
The aggregate classes that make up OrgTgt are:
Node
One or more. The target node(s) to be NAT'ed
Service
Exactly one. The target service definition to be NAT'ed
This is represented in the IDMEF schema as follows:
<xsd:complexType name="OrgTgt">
  <xsd:sequence>
    <xsd:element name="Node"
                 type="idmef:Node"
                 minOccurs="1"
                 maxOccurs="unbounded" />
    <xsd:element name="Service"
                 type="idmef:Service" />
  </xsd:sequence>
</xsd:complexType>
The OrgTgt class has no attributes.
The TransSrc Class
This class defines the translated source node for NAT'ing.
          +--------------+
          |   TransSrc   |
          +--------------+             +-----------+
          |              |<>----------|   Node    |
          |              |             +-----------+
          +--------------+
The aggregate classes that make up TransSrc are:
Node
Exactly one. The translated source node for NAT'ing
This is represented in the IDMEF schema as follows:
<xsd:complexType name="TransSrc">
  <xsd:sequence>
    <xsd:element name="Node"
                 type="idmef:Node" />
  </xsd:sequence>
</xsd:complexType>
The TransSrc class has no attributes.
The TransTgt Class
The TransTgt class defines the target node and port for NAT'ing.
          +--------------+
          |   TransTgt   |
          +--------------+             +-----------+
          |              |<>----------|   Node    |
          |              |             +-----------+
          |              |             +-----------+
          |              |<>----------|  Service  |
          |              |             +-----------+
          +--------------+
The aggregate classes that make up TransTgt are:
Node
Exactly one. The target node for NAT'ing
Service
Exactly one. The target service definition to be NAT'ed to
This is represented in the IDMEF schema as follows:
<xsd:complexType name="TransTgt">
  <xsd:sequence>
    <xsd:element name="Node"
                 type="idmef:Node" />
    <xsd:element name="Service"
                 type="idmef:Service" />
  </xsd:sequence>
</xsd:complexType>
The TransTgt class has no attributes.
Examples
Nessus scan result for MySQL Server version
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef"
                     version="1.0">
  <idmef:Asset ident="neptun-nessus-check1">
    <idmef:Analyzer analyzerid="hq-nessus01">
      <idmef:Node category="dns">
        <idmef:location>Headquarters Scan Network</idmef:location>
        <idmef:name>nessus01.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:Target ident="d1c2b3a4">
      <idmef:Node ident="d1c2b3a4-001" category="dns">
        <idmef:Address category="ipv4-addr-hex">
          <idmef:address>0xde796f70</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Tool name="nessus" version="2.2.5" class="vulnerability-scanner"
                ostype="Linux" osversion="2.6.12-1.1398_FC4smp">
      <idmef:url>http://www.nessus.org</idmef:url>
      <idmef:Result severity="info" version="1.14" type="automatic">
        <idmef:Vulnerability ident="10719" exploitable="unavailable"
                             grade="verified" web="no" />
        <idmef:Reference origin="vendor-specific">
          <idmef:name>10719</idmef:name>
          <idmef:url>
            http://www.nessus.org/plugins/index.php?view=single&amp;id=10719
          </idmef:url>
        </idmef:Reference>
        <idmef:CreateTime ntpstamp="0xc694c70c.0xfc87980f">
          2005-07-29T15:17:32Z
        </idmef:CreateTime>
        <idmef:summary>
          MySQL Server version
        </idmef:summary>
        <idmef:description>
          This detects the MySQL Server's version by connecting to the server
          and processing the buffer received. This information gives potential
          attackers additional information about the system they are attacking.
          Versions should be omitted where possible.
        </idmef:description>
      </idmef:Result>
    </idmef:Tool>
  </idmef:Asset>
</idmef:IDMEF-Message>
Nmap Operating System Guess
<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef"
                     version="1.0">
  <idmef:Asset ident="neptun-nmap01">
    <idmef:Analyzer analyzerid="hq-nmap01">
      <idmef:Node category="dns">
        <idmef:location>Headquarters Scan Network</idmef:location>
        <idmef:name>nmap01.example.com</idmef:name>
      </idmef:Node>
    </idmef:Analyzer>
    <idmef:Target ident="d1c2b3a4">
      <idmef:Node ident="d1c2b3a4-001" category="dns">
        <idmef:Address category="ipv4-addr">
          <idmef:address>192.168.0.123</idmef:address>
        </idmef:Address>
      </idmef:Node>
    </idmef:Target>
    <idmef:Tool name="nmap" version="3.81" class="portscanner"
                ostype="Linux" osversion="2.6.12-1.1398_FC4smp">
      <idmef:url>http://www.nmap.org</idmef:url>
      <idmef:arg>-O</idmef:arg>
      <idmef:arg>192.168.0.123</idmef:arg>
      <idmef:Result severity="info" type="automatic">
        <idmef:OS arch="x86" vendor="Fedora" family="Linux"
                  version="2.4.22 - 2.6.3" name="Core 3" />
        <idmef:CreateTime ntpstamp="0xc694c70c.0xfc87980f">
          2005-07-29T15:17:32Z
        </idmef:CreateTime>
        <idmef:summary>
          Operating System guess
        </idmef:summary>
      </idmef:Result>
    </idmef:Tool>
  </idmef:Asset>
</idmef:IDMEF-Message>
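The point of the Asset class, as the original proposal puts it, is event correlation: knowing the target's OS, open ports, known vulnerabilities and firewall rules lets a manager suppress probes that cannot succeed and escalate the ones that hit a known hole. The following is an added example of that correlation step (editor's code, not part of the proposal or of any IDMEF implementation). ASSET_XML is constructed from the page's nmap and Nessus examples plus an iptables rule expressed with the Rule class; the "iptables-export" tool name, the ALERTS records and the triage policy itself are assumptions made for the demonstration.

```python
"""Asset-aware alert triage over an IDMEF Asset message: the target's OS
family, open services, known vulnerabilities and firewall rules decide
whether an alert is suppressed, downgraded, escalated or kept.
Added example (editor's code, not part of the proposal).  ASSET_XML is
constructed from the page's nmap and Nessus examples plus an iptables rule;
the "iptables-export" tool name and the ALERTS records are made up."""
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}

ASSET_XML = """<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
<idmef:Asset ident="neptun-scan">
 <idmef:Target><idmef:Node category="dns"><idmef:Address category="ipv4-addr">
  <idmef:address>192.168.0.123</idmef:address></idmef:Address></idmef:Node></idmef:Target>
 <idmef:Tool name="nmap" version="3.81" class="portscanner">
  <idmef:Result severity="info" type="automatic">
   <idmef:OS arch="x86" vendor="Fedora" family="Linux" version="2.4.22 - 2.6.3" name="Core 3"/>
   <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
  <idmef:Result severity="info" type="automatic">
   <idmef:Service><idmef:port>3306</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
   <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
 </idmef:Tool>
 <idmef:Tool name="nessus" version="2.2.5" class="vulnerability-scanner">
  <idmef:Result severity="info" type="automatic">
   <idmef:Vulnerability ident="10719" exploitable="unavailable" grade="verified" web="no"/>
   <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
 </idmef:Tool>
 <idmef:Tool name="iptables-export" class="firewall">
  <idmef:Result severity="info" type="manual">
   <idmef:Rule action="drop" log="log" interface="eth0">
    <idmef:Node><idmef:Address category="ipv4-net"><idmef:address>0.0.0.0/0</idmef:address></idmef:Address></idmef:Node>
    <idmef:Service><idmef:port>445</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
    <idmef:fwtype>iptables</idmef:fwtype><idmef:fwversion>1.3.1</idmef:fwversion></idmef:Rule>
   <idmef:CreateTime>2005-07-29T15:17:32Z</idmef:CreateTime></idmef:Result>
 </idmef:Tool>
</idmef:Asset></idmef:IDMEF-Message>"""


def port_key(service):
    """(port, protocol) of an IDMEF Service element; protocol defaults to tcp."""
    port = int(service.findtext("idmef:port", namespaces=NS))
    return (port, (service.findtext("idmef:protocol", namespaces=NS) or "tcp").lower())


def load_assets(xml_text):
    """Index Assets by target address: OS family, open ports, vulnerability
    idents, and the (port, proto) pairs a drop/reject rule blocks."""
    assets = {}
    for asset in ET.fromstring(xml_text).findall("idmef:Asset", NS):
        rec = {"os": None, "open": set(), "vulns": set(), "dropped": set()}
        for res in asset.findall("idmef:Tool/idmef:Result", NS):
            os_el = res.find("idmef:OS", NS)
            if os_el is not None:
                rec["os"] = os_el.get("family")
            svc = res.find("idmef:Service", NS)
            if svc is not None:
                rec["open"].add(port_key(svc))
            rec["vulns"].update(v.get("ident") for v in res.findall("idmef:Vulnerability", NS))
            for rule in res.findall("idmef:Rule", NS):
                if rule.get("action") in ("drop", "reject"):
                    rec["dropped"].update(port_key(s) for s in rule.findall("idmef:Service", NS))
        for addr in asset.findall("idmef:Target/idmef:Node/idmef:Address/idmef:address", NS):
            assets[addr.text.strip()] = rec
    return assets


def triage(alert, assets):
    """Return (action, reason) for one alert.  Order matters: a port the
    firewall drops wins, then OS mismatch, then closed port, then known vuln."""
    rec = assets.get(alert["target"])
    key = (alert["port"], alert["proto"])
    if rec is None:
        return ("keep", "no asset data for %s" % alert["target"])
    if key in rec["dropped"]:
        return ("suppress", "firewall drops %d/%s before it reaches the host" % key)
    if alert.get("os") and rec["os"] and alert["os"] != rec["os"]:
        return ("downgrade", "signature targets %s, host runs %s" % (alert["os"], rec["os"]))
    if key not in rec["open"]:
        return ("downgrade", "%d/%s is not open on the host" % key)
    if alert.get("vuln") in rec["vulns"]:
        return ("escalate", "host is known vulnerable (%s)" % alert["vuln"])
    return ("keep", "no asset evidence either way")


# Constructed alert records: target, port/proto, the OS family the signature
# applies to (None = any), and the scanner vulnerability ident it maps to.
ALERTS = [
    {"id": "A1", "target": "192.168.0.123", "port": 445, "proto": "tcp", "os": "Windows", "vuln": None},
    {"id": "A2", "target": "192.168.0.123", "port": 80, "proto": "tcp", "os": "Windows", "vuln": None},
    {"id": "A3", "target": "192.168.0.123", "port": 22, "proto": "tcp", "os": "Linux", "vuln": None},
    {"id": "A4", "target": "192.168.0.123", "port": 3306, "proto": "tcp", "os": None, "vuln": "10719"},
    {"id": "A5", "target": "10.0.0.9", "port": 3306, "proto": "tcp", "os": None, "vuln": None},
]


def triage_all(alerts=ALERTS, xml_text=ASSET_XML):
    """Map alert id -> action for every alert record."""
    assets = load_assets(xml_text)
    return {a["id"]: triage(a, assets)[0] for a in alerts}
```

With the constructed data, A1 (SMB probe at 445/tcp) is suppressed because the Rule result says iptables drops it, A2 is downgraded because a Windows signature fired against a Linux host, A3 is downgraded because 22/tcp is not among the services nmap found open, A4 is escalated because Nessus plugin 10719 already confirmed the MySQL exposure, and A5 is kept unchanged because no Asset message covers that address. The ordering in triage() is a policy choice: a dropped port is checked first because the packet never reached the host, whatever else is known about it.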