Internet Assigned Numbers Authority Intrusion Detection Message Exchange Format (IDMEF) Parameters Created 2006-10-04 Last Updated 2007-03-14 Available Formats [IMG] XML [IMG] HTML [IMG] Plain text Registries included below * Class and Attribute Names * Attribute Values Class and Attribute Names Registration Procedure(s) IETF Review Reference [RFC4765] Available Formats [IMG] CSV Class Name Attribute Name Reference Reference origin [RFC4765] Source spoofed [RFC4765] Target decoy [RFC4765] AdditionalData type [RFC4765] Impact severity [RFC4765] Impact completion [RFC4765] Impact type [RFC4765] Action category [RFC4765] Confidence rating [RFC4765] Node category [RFC4765] Address category [RFC4765] User category [RFC4765] UserId category [RFC4765] File category [RFC4765] File fstype [RFC4765] FileAccess permission [RFC4765] Linkage category [RFC4765] Checksum algorithm [RFC4765] Attribute Values Registration Procedure(s) Specification Required Expert(s) Unassigned Reference [RFC4765] Available Formats [IMG] CSV Class Name Attribute Name Rank Keyword Description Reference Reference origin 0 unknown Origin of the name is not known [RFC4765] Reference origin 1 vendor-specific A vendor-specific name (and hence, URL); this can be used to provide [RFC4765] product-specific information Reference origin 2 user-specific A user-specific name (and hence, URL); this can be used to provide [RFC4765] installation-specific information Reference origin 3 bugtraqid The SecurityFocus ("Bugtraq") vulnerability database identifier [RFC4765] (http://www.securityfocus.com/bid) Reference origin 4 cve The Common Vulnerabilities and Exposures (CVE) name (http://cve.mitre.org/) [RFC4765] Reference origin 5 osvdb The Open Source Vulnerability Database (http://www.osvdb.org) [RFC4765] Source spoofed 0 unknown Accuracy of source information unknown [RFC4765] Source spoofed 1 yes Source is believed to be a decoy [RFC4765] Source spoofed 2 no Source is believed to be "real" [RFC4765] Target decoy 0 unknown Accuracy of target information unknown [RFC4765] Target decoy 1 yes Target is believed to be a decoy [RFC4765] Target decoy 2 no Target is believed to be "real" [RFC4765] AdditionalData type 0 boolean The element contains a boolean value, i.e., the strings "true" or "false" [RFC4765] AdditionalData type 1 byte The element content is a single 8-bit byte (see Section 3.2.4) [RFC4765] AdditionalData type 2 character The element content is a single character (see Section 3.2.3) [RFC4765] AdditionalData type 3 date-time The element content is a date-time string (see Section 3.2.6) [RFC4765] AdditionalData type 4 integer The element content is an integer (see Section 3.2.1) [RFC4765] AdditionalData type 5 ntpstamp The element content is an NTP timestamp (see Section 3.2.7) [RFC4765] AdditionalData type 6 portlist The element content is a list of ports (see Section 3.2.8 [RFC4765] AdditionalData type 7 real The element content is a real number (see Section 3.2.2 [RFC4765] AdditionalData type 8 string The element content is a string (see Section 3.2.3 [RFC4765] AdditionalData type 9 byte-string The element content is a byte[] (see Section 3.2.4 [RFC4765] AdditionalData type 10 xmltext The element content is XML-tagged data (see Section 5.2 [RFC4765] Impact severity 0 info Information only [RFC4765] Impact severity 1 low Low severity [RFC4765] Impact severity 2 medium Medium severity [RFC4765] Impact severity 3 high High severity [RFC4765] Impact completion 0 failed The attempt was not successful [RFC4765] Impact completion 1 succeeded The attempt succeeded [RFC4765] Impact type 0 admin Administrative privileges were attempted or obtained [RFC4765] Impact type 1 dos A denial of service was attempted or completed [RFC4765] Impact type 2 file An action on a file was attempted or completed [RFC4765] Impact type 3 recon A reconnaissance probe was attempted or completed [RFC4765] Impact type 4 user User privileges were attempted or obtained [RFC4765] Impact type 5 other Anything not in one of the above categories [RFC4765] A block of some sort was installed to prevent an attack from reaching its Action category 0 block-installed destination. The block could be a port block, address block, etc., or disabling a [RFC4765] user account. Action category 1 notification-sent A notification message of some sort was sent out-of-band (via pager, e-mail, [RFC4765] etc.). Does not include the transmission of this alert. Action category 2 taken-offline A system, computer, or user was taken offline, as when the computer is shut down [RFC4765] or a user is logged off. Action category 3 other Anything not in one of the above categories. [RFC4765] Confidence rating 0 low The analyzer has little confidence in its validity [RFC4765] Confidence rating 1 medium The analyzer has average confidence in its validity [RFC4765] Confidence rating 2 high The analyzer has high confidence in its validity [RFC4765] Confidence rating 3 numeric The analyzer has provided a posterior probability value indicating its confidence [RFC4765] in its validity Node category 0 unknown Domain unknown or not relevant [RFC4765] Node category 1 ads Windows 2000 Advanced Directory Services [RFC4765] Node category 2 afs Andrew File System (Transarc) [RFC4765] Node category 3 coda Coda Distributed File System [RFC4765] Node category 4 dfs Distributed File System (IBM) [RFC4765] Node category 5 dns Domain Name System [RFC4765] Node category 6 hosts Local hosts file [RFC4765] Node category 7 kerberos Kerberos realm [RFC4765] Node category 8 nds Novell Directory Services [RFC4765] Node category 9 nis Network Information Services (Sun) [RFC4765] Node category 10 nisplus Network Information Services Plus (Sun) [RFC4765] Node category 11 nt Windows NT domain [RFC4765] Node category 12 wfw Windows for Workgroups [RFC4765] Address category 0 unknown Address type unknown [RFC4765] Address category 1 atm Asynchronous Transfer Mode network address [RFC4765] Address category 2 e-mail Electronic mail address (RFC 822) [RFC4765] Address category 3 lotus-notes Lotus Notes e-mail address [RFC4765] Address category 4 mac Media Access Control (MAC) address [RFC4765] Address category 5 sna IBM Shared Network Architecture (SNA) address [RFC4765] Address category 6 vm IBM VM ("PROFS") e mail address [RFC4765] Address category 7 ipv4-addr IPv4 host address in dotted decimal notation (a.b.c.d) [RFC4765] Address category 8 ipv4-addr-hex IPv4 host address in hexadecimal notation [RFC4765] Address category 9 ipv4-net IPv4 network address in dotted decimal notation, slash, significant bits [RFC4765] (a.b.c.d/nn) Address category 10 ipv4-net-mask IPv4 network address in dotted decimal notation, slash, network mask in dotted [RFC4765] decimal notation (a.b.c.d/w.x.y.z) Address category 11 ipv6-addr IPv6 host address [RFC4765] Address category 12 ipv6-addr-hex IPv6 host address in hexadecimal notation [RFC4765] Address category 13 ipv6-net IPv6 network address, slash, significant bits [RFC4765] Address category 14 ipv6-net-mask IPv6 network address, slash, network mask [RFC4765] User category 0 unknown User type unknown [RFC4765] User category 1 application An application user [RFC4765] User category 2 os-device AN operating system or device user [RFC4765] UserId category 0 current-user The current user id being used by the user or process. On Unix systems, this [RFC4765] would be the "real" user id, in general. The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the UserId category 1 original-user "audit id" token, that value should be used. On those systems that do not support [RFC4765] this, and where the user has logged into the system, the "login id" should be used. The user id the user or process is attempting to become. This would apply, on UserId category 2 target-user Unix systems for example, when the user attempts to use "su," "rlogin," "telnet," [RFC4765] etc. Another user id the user or process has the ability to use, or a user id associated with a file permission. On Unix systems, this would be the "effective" UserId category 3 user-privs user id in a user or process context, and the owner permissions in a file [RFC4765] context. Multiple UserId elements of this type may be used to specify a list of privileges. UserId category 4 current-group The current group id (if applicable) being used by the user or process. On Unix [RFC4765] systems, this would be the "real" group id, in general. Another group id the group or process has the ability to use, or a group id associated with a file permission. On Unix systems, this would be the "effective" UserId category 5 group-privs group id in a group or process context, and the group permissions in a file [RFC4765] context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list." Not used in a user, group, or process context, only used in the file context. The UserId category 6 other-privs file permissions assigned to users who do not match either the user or group [RFC4765] permissions on the file. On Unix systems, this would be the "world" permissions. File category 0 current The file information is from after the reported change [RFC4765] File category 1 original The file information is from before the reported change [RFC4765] File fstype 0 ufs Berkeley UNIX Fast File System [RFC4765] File fstype 1 efs Linux "efs" file system [RFC4765] File fstype 2 nfs Network File System [RFC4765] File fstype 3 afs Andrew File System [RFC4765] File fstype 4 ntfs Windows NT File System [RFC4765] File fstype 5 fat16 16-bit Windows FAT File System [RFC4765] File fstype 6 fat32 32-bit Windows FAT File System [RFC4765] File fstype 7 pcfs "PC" (MS-DOS) file system on CD-ROM [RFC4765] File fstype 8 joliet Joliet CD-ROM file system [RFC4765] File fstype 9 iso9660 ISO 9660 CD-ROM file system [RFC4765] FileAccess permission 0 noAccess No access at all is allowed for this user [RFC4765] FileAccess permission 1 read This user has read access to the file [RFC4765] FileAccess permission 2 write This user has write access to the file [RFC4765] FileAccess permission 3 execute This user has the ability to execute the file [RFC4765] FileAccess permission 4 search This user has the ability to search this file (applies to "execute" permission on [RFC4765] directories in UNIX) FileAccess permission 5 delete This user has the ability to delete this file [RFC4765] FileAccess permission 6 executeAs This user has the ability to execute this file as another user [RFC4765] FileAccess permission 7 changePermissions This user has the ability to change the access permissions on this file [RFC4765] FileAccess permission 8 takeOwnership This user has the ability to take ownership of this file [RFC4765] Linkage category 0 hard-link The element represents another name for this file. This information may be [RFC4765] more easily obtainable on NTFS file systems than others. Linkage category 1 mount-point An alias for the directory specified by the parent's and elements. [RFC4765] Linkage category 2 reparse-point Applies only to Windows; excludes symbolic links and mount points, which are [RFC4765] specific types of reparse points. The file represented by a Windows "shortcut." A shortcut is distinguished from a Linkage category 3 shortcut symbolic link because of the difference in their contents, which may be of [RFC4765] importance to the manager. Linkage category 4 stream An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system [RFC4765] entity that is considered an extension of the main . Linkage category 5 symbolic-link The element represents the file to which the link points. [RFC4765] Checksum algorithm 0 MD4 The MD4 algorithm. [RFC4765] Checksum algorithm 1 MD5 The MD5 algorithm. [RFC4765] Checksum algorithm 2 SHA1 The SHA1 algorithm. [RFC4765] Checksum algorithm 3 SHA2-256 The SHA2 algorithm with 256 bits length. [RFC4765] Checksum algorithm 4 SHA2-384 The SHA2 algorithm with 384 bits length. [RFC4765] Checksum algorithm 5 SHA2-512 The SHA2 algorithm with 512 bits length. [RFC4765] Checksum algorithm 6 CRC-32 The CRC algorithm with 32 bits length. [RFC4765] Checksum algorithm 7 Haval The Haval algorithm. [RFC4765] Checksum algorithm 8 Tiger The Tiger algorithm. [RFC4765] Checksum algorithm 9 Gost The Gost algorithm. [RFC4765] Licensing Terms