CEE Field List: Feedback


by Joël Winteregg

Hello List,


When I saw Raffy's field list (related to Common Log Syntax - CLS), I
found it very interesting and very similar to the IDMEF fields. So I
decided to compare this field list to the IDMEF fields... The result is
attached to this email (CSV file): almost 70% of the proposed CEE fields
are directly available in the current IDMEF standard. As you
will notice, the IDMEF event interactions are similar to David Corlette's
proposal ( http://www.nabble.com/Re%3A-CEE-Field-List-p15885885.html ),
where initiator = alert.source, originator = alert.analyzer, and target
= alert.target.

So I don't really understand why IDMEF is described (in the CEE whitepaper)
as follows: "It also suffers from a narrow focus on intrusion event, thus
unsuitable for audit logging and system troubleshooting logging"

Many of the missing IDMEF fields (given as "?" in the attached file) could be
simple IDMEF extensions, such as a new Service sub-class (by inheritance)
like the current alert.source.WebService class.

Don't you think that IDMEF could be used as a basis for CLS, where CEET
(Common Event Expression Taxonomy) could be seen as a way to better
define/structure the IDMEF field values?


Regards,


Joël Winteregg



[CEE-fields_IDMEF.csv]

"*field name*","*data type*","*IDMEF*","*Explanation*"
"actedon_user","string","alert.target.user.userid.name","User name that is being acted upon. For example password for a specific user was changed."
"action","string","alert.assessment.action","The action as reported by the logging device."
"app","string","alert.source.service / alert.target.service","application layer protocol--e.g. HTTP, HTTPS, SSH, IMAP."
"bytes_in","number","?","How many bytes this device/interface took in."
"bytes_out","number","?","How many bytes this device/interface sent out."
"category","string","alert.classification.ident","A category that a device may have assigned an event to."
"channel","string","?","802.11 channel number of a wireless transmission"
"count","number","?","The number of times the event has been seen."
"cve","string","alert.classification.reference
with: alert.classification.reference.meaning = cve","CVE vulnerability reference."
"database_name","String","?","Name of a database."
"database_table","String","?","Name of a database table."
"database_query","String","?","Query issued against a database."
"delay","integer","?","Delay in seconds. For example the delay when processing an email message."
"dest_country","string","?","Country of where the destination in the log record resides. In case of a point event (e.g., an operating system event), the country is kept here."
"dest_host","string","alert.target.node.name","Fully qualified host name of the machine targeted in the record. In case of a point event (e.g., an operating system event), the machine's host name is kept here."
"dest_ipv6","ipv6 address","alert.target.node.address.address
with: alert.target.node.address.category = ipv6-addr","IPv6 address of the machine targeted in the record. In case of a point event (e.g., an operating system event), the machine's IPv6 address is kept here."
"dest_ip","ipv4 address","alert.target.node.address.address
with: alert.target.node.address.category = ipv4-addr","IPv4 address of the machine targeted in the record. In case of a point event (e.g., an operating system event), the machine's IP address is kept here."
"dest_lat","number","?","Latitude of the destination in the log record. In case of a point event (e.g., an operating system event), the latitude is kept here."
"dest_long","number","?","Longitude of the destination in the log record. In case of a point event (e.g., an operating system event), the longitude is kept here."
"dest_mac","mac address","alert.target.node.address.address
with: alert.target.node.address.category = mac","Destination MAC (layer 2) address. In case of a point event (e.g., an operating system event), the machine's MAC address is kept here."
"dest_nt_domain","string","alert.target.node.name
with: alert.target.node.category = wfw","The Windows NT domain for the machine targeted in the record. In case of a point event (e.g., an operating system event), the machine's NT domain name is kept here. In Windows, this is also called the WORKGROUP."
"dest_nt_host","string","alert.target.node.name
with: alert.target.node.category = nt","The Windows NT host name for the machine targeted in the record. In case of a point event (e.g., an operating system event), the machine's NT host name is kept here. In Windows this is also called the WORKSTATION."
"dest_port","number","alert.target.service.port","The network port expressed as the target in the log record. In case of a point event (e.g., an operating system event), the port that was used is kept here."
"dest_translated_ip","ipv4 address","alert.target.node.address.address
with: alert.target.node.address.category = ipv4-addr","The translated (e.g., NATted) network address expressed as the destination in the log record."
"dest_translated_port","number","alert.target.service.portlist","The translated (e.g., NATted) network port expressed as the destination in the log record."
"direction","enumeration","?","The direction the packet is traveling, allowed values: inbound or outbound."
"duration","number","?","The amount of time the event lasted, measured in seconds (e.g., 12.321)."
"dvc_host","string","alert.analyzer.name","Fully qualified host name of the device reporting the log record."
"dvc_ipv6","ipv6 address","alert.analyzer.node.address.address
with: alert.analyzer.node.address.category = ipv6-addr","IPv6 address of the device reporting the log record."
"dvc_ip","ipv4 address","alert.analyzer.node.address.address
with: alert.analyzer.node.address.category = ipv4-addr","IPv4 address of the device reporting the log record."
"dvc_location","string","alert.analyzer.node.location","Free-text description of the physical location of the device."
"dvc_mac","mac address","alert.analyzer.node.address.address
with: alert.analyzer.node.address.category = mac","MAC (layer 2) address of the device reporting the log record."
"dvc_nt_domain","string","alert.analyzer.node.name
with: alert.analyzer.node.category = wfw","Windows domain name of the device reporting the log record."
"dvc_nt_host","string","alert.analyzer.node.name
with: alert.analyzer.node.category = nt","Windows host name of the device reporting the log record."
"dvc_severity","string","?","Severity exactly as reported in the log record. Sometimes called priority."
"dvc_time","timestamp","alert.analyzertime","Time at which the device received the log record."
"end_time","timestamp","?","The event's specified end time."
"event_id","number","alert.alertident","Number, unique to the application domain, identifying the event. In case of email logs, this is the message ID."
"file_access_time","timestamp","alert.target.file.access-time","The time the file (the object of the event) was accessed."
"file_create_time","timestamp","alert.target.file.create-time","The time the file (the object of the event) was created."
"file_hash","string","alert.target.file.checksum.value
alert.target.file.checksum.key
alert.target.file.checksum.algorithm","The file hash identifying the file that is object of the event."
"file_modify_time","timestamp","alert.target.file.modify-time","The time the file (the object of the event) was altered."
"file_name","string","alert.target.file.name","The name of the file that is the object of the event, with no path information."
"file_path","string","alert.target.file.path","The path to the file that is the object of the event, without the file name."
"file_permission","enumeration","alert.target.file.fileaccess.permission","The permissions of the file that is the object of the event."
"file_size","number","alert.target.file.data-size","The size of the file (in bytes) that is the object of the event."
"http_client","string","?","The HTTP client identified in the event."
"http_content_type","string","?","The HTTP content type."
"http_method","string","alert.target.webservice.http-method","The HTTP method used in the event."
"http_referrer","string","?","The HTTP referrer listed in the event."
"http_response","number","?","The HTTP response code."
"http_user_agent","string","?","The HTTP user agent."
"inbound_interface","string","alert.source.interface","The interface the record referenced, such as eth0 for a Linux box's first Ethernet card."
"name","string","alert.classification.ident","Name of the event as reported by the device. The name should not contain information that's already being parsed into fields from the event, such as IP addresses."
"outbound_interface","string","alert.target.interface","The interface the record referenced, such as eth0 for a Linux box's first Ethernet card."
"packets_in","number","?","How many packets this device/interface took in."
"packets_out","number","?","How many packets this device/interface sent out."
"pid","number","alert.target.process.pid
alert.analyzer.process.pid","Process id corresponding with the process."
"priority","number","alert.assessment.impact.severity","The priority assigned to the event, in terms of 0 (lowest) to 10 (highest)."
"process","string","alert.target.process.name
alert.analyzer.process.name","Process name involved in generating the log record (e.g., process name mentioned in syslog header)."
"product_version","string","alert.analyzer.version","The version of the product that generated the event."
"product","string","alert.analyzer.model","The product that generated the event."
"proto","string","alert.target.service.protocol","network layer protocol--e.g. IP, ICMP, IPsec, ARP."
"receiver","string","alert.target.node.address.address
with: alert.target.node.address.category = email","Email recipient."
"relay","string","?","A relay server used to forward a message. For example an email relay."
"signature","string","alert.alertident + alert.analyzer.analyzerid","A unique identifier for a class of events. Snort for example uses the SID. Other IDSs use a signature ID, could be the eventID in Windows, could be the firewall rule number."
"src_country","string","alert.source.node.location","Country of where the source in the log record resides."
"src_host","string","alert.source.node.name","Fully qualified host name of the source machine in the record."
"src_ipv6","ipv6 address","alert.source.node.address.address
with: alert.source.node.address.category = ipv6-addr","IPv6 address of the source machine in the record."
"src_ip","ipv4 address","alert.source.node.address.address
with: alert.source.node.address.category = ipv4-addr","IPv4 address of the source machine in the record."
"src_lat","number","?","Latitude of the source in the log record."
"src_long","number","?","Longitude of the source in the log record."
"src_mac","mac address","alert.source.node.address.address
with: alert.source.node.address.category = mac","Source MAC (layer 2) address."
"src_nt_domain","string","alert.source.node.name
with: alert.source.node.category = wfw","The Windows NT domain for the source machine in the record."
"src_nt_host","string","alert.source.node.name
with: alert.source.node.category = nt","The Windows NT host for the source machine in the record."
"src_port","number","alert.source.service.port","The network port expressed as the source in the log record."
"src_translated_ip","ipv4 address","alert.source.node.address.address
with: alert.source.node.address.category = ipv4-addr","The translated (e.g., NATted) network address expressed as the source in the log record."
"src_translated_port","number","alert.source.service.portlist","The translated (e.g., NATted) network port expressed as the source in the log record."
"src_user_id","number","alert.source.user.userid.number","ID number of the user that is the source of an event. The one executing the action."
"src_user_privilege","enumeration","alert.source.user.userid.type","One of administrator, user, or guest/anonymous, the privilege the source/acting user has assigned."
"src_user","string","alert.source.user.userid.name","User that is the source of an event. The one executing the action."
"sender","string","alert.source.node.address.address
with: alert.source.node.address.category = e-mail","Email sender."
"ssid","string","?","The 802.11 ssid of a wireless transmission."
"size","integer","alert.target.file.data-size","The size of an application layer protocol. For example, the size of an email, a document, or an HTTP response."
"start_time","timestamp","alert.detecttime","The event's specified start time."
"subject","string","?","Email subject line."
"syslog_facility","string","?","The syslog facility assigned to this record."
"syslog_priority","string","?","The syslog priority assigned to this record."
"tax_object","enumeration","?","The Object field from the CEE taxonomy."
"tax_action","enumeration","?","The Action field from the CEE taxonomy."
"tax_status","enumeration","?","The Status field from the CEE taxonomy."
"tcp_flags","list","?","The TCP flag specified in the event. One or more of SYN, ACK, FIN, RST, URG, or PSH."
"url","string","alert.target.webservice.url","The URL that is the object of the event."
"user_group_id","number","alert.target.user.userid.number
with: alert.target.user.userid.type = current-group","ID number of the user group that is the object of an event."
"user_group","string","alert.target.user.userid.name
with: alert.target.user.userid.type = current-group","User group that is the object of an event."
"user_id","number","alert.target.user.userid.number","ID number of the user that is the object of an event."
"user_privilege","enumeration","?","One of administrator, user, or guest/anonymous, the privilege the user has assigned."
"user","string","alert.target.user.userid.name","User that is the object of an event."
"vendor","string","alert.analyzer.manufacturer","The vendor who made the product that generated the event."
"vlan_id","number","alert.target.node.address.vlan-num","The numeric ID assigned to the vlan in the event."
"vlan_name","string","alert.target.node.address.vlan-name","The name assigned to the vlan in the event."
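The attached CSV is more than a reading aid: its IDMEF column is machine-usable, since each cell is either a dotted path into the IDMEF object tree, a "?" for no counterpart, or a path plus one or more "with:" lines naming an attribute that must be set alongside it. The Python script below is an added example, not part of Joël's message nor code from the CEE or IDMEF projects. It embeds an excerpt of the attachment (rows copied from the post, explanation text shortened), parses the multi-line quoted cells with the standard `csv` module, computes the mapped/unmapped ratio behind the "almost 70%" figure, and maps a constructed CEE-style event onto an IDMEF-shaped nested dict. Two choices are the example's own assumptions: where the table lists alternative paths (as for `pid`) the first is used, and because IDMEF lets one Node carry several Address elements while a one-value-per-path dict cannot, a collision (e.g. `src_ip` and `src_mac` both writing `alert.source.node.address.address`) raises instead of silently overwriting.

```python
import csv
import io

# Excerpt of the attached CEE-fields_IDMEF.csv, rows copied from the post
# with shortened explanations (the full attachment has about a hundred
# rows). "?" means no IDMEF counterpart was found; a "with:" line names an
# IDMEF attribute to set alongside the mapped path; several plain lines in
# one cell are alternative paths.
MAPPING_CSV = '''"*field name*","*data type*","*IDMEF*","*Explanation*"
"bytes_in","number","?","How many bytes this device/interface took in."
"dest_ip","ipv4 address","alert.target.node.address.address
with: alert.target.node.address.category = ipv4-addr","IPv4 address of the machine targeted in the record."
"dest_port","number","alert.target.service.port","The network port expressed as the target in the log record."
"dvc_host","string","alert.analyzer.name","Fully qualified host name of the device reporting the log record."
"pid","number","alert.target.process.pid
alert.analyzer.process.pid","Process id corresponding with the process."
"src_ip","ipv4 address","alert.source.node.address.address
with: alert.source.node.address.category = ipv4-addr","IPv4 address of the source machine in the record."
"src_mac","mac address","alert.source.node.address.address
with: alert.source.node.address.category = mac","Source MAC (layer 2) address."
"src_user","string","alert.source.user.userid.name","User that is the source of an event. The one executing the action."
'''


def parse_idmef_cell(cell):
    """Split one IDMEF column value into candidate paths and 'with:' constraints."""
    paths, constraints = [], {}
    for line in cell.splitlines():
        line = line.strip()
        if not line or line == "?":
            continue
        if line.lower().startswith("with:"):
            key, _, value = line[len("with:"):].partition("=")
            constraints[key.strip()] = value.strip()
        else:
            # a few rows in the full table list alternatives on one line as "a / b"
            paths.extend(p.strip() for p in line.split(" / ") if p.strip())
    return paths, constraints


def parse_mapping(text):
    """Read the mapping CSV (quoted cells may span several lines) into a list of dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        paths, constraints = parse_idmef_cell(row["*IDMEF*"])
        rows.append({
            "field": row["*field name*"],
            "type": row["*data type*"],
            "paths": paths,
            "with": constraints,
            "explanation": row["*Explanation*"],
        })
    return rows


def coverage(rows):
    """Return (mapped, total, fraction): the ratio the post summarises as 'almost 70%'."""
    mapped = sum(1 for r in rows if r["paths"])
    return mapped, len(rows), mapped / len(rows)


def set_path(tree, dotted, value):
    """Write value at a dotted IDMEF path, creating intermediate nodes.

    Refuses to overwrite a different value: IDMEF lets a Node carry several
    Address elements, which this one-value-per-path dict cannot express, so a
    collision is reported rather than data being lost silently (example's choice).
    """
    parts = dotted.split(".")
    node = tree
    for part in parts[:-1]:
        node = node.setdefault(part, {})
        if not isinstance(node, dict):
            raise ValueError(f"{dotted}: '{part}' already holds a leaf value")
    leaf = parts[-1]
    if leaf in node and node[leaf] != value:
        raise ValueError(f"{dotted}: conflicting values {node[leaf]!r} and {value!r}")
    node[leaf] = value


def to_idmef(rows, event):
    """Map a flat CEE-style event (dict) onto an IDMEF-shaped nested dict.

    Returns (tree, unmapped); unmapped keeps the fields without an IDMEF path so
    nothing is dropped silently. Where the table lists alternative paths the
    first one is used (an assumption of this example, not of the table).
    """
    by_field = {r["field"]: r for r in rows}
    tree, unmapped = {}, {}
    for name, value in event.items():
        row = by_field.get(name)
        if row is None or not row["paths"]:
            unmapped[name] = value
            continue
        set_path(tree, row["paths"][0], value)
        for key, val in row["with"].items():
            set_path(tree, key, val)
    return tree, unmapped


# Constructed sample event; addresses are from the documentation ranges.
SAMPLE_EVENT = {
    "src_ip": "192.0.2.10",
    "src_user": "alice",
    "dest_ip": "198.51.100.7",
    "dest_port": 22,
    "pid": 4242,
    "bytes_in": 1234,
}

if __name__ == "__main__":
    rows = parse_mapping(MAPPING_CSV)
    mapped, total, frac = coverage(rows)
    print(f"coverage: {mapped} of {total} fields mapped ({frac:.0%})")
    tree, unmapped = to_idmef(rows, SAMPLE_EVENT)
    print(tree)
    print("unmapped:", unmapped)
```

Running the script on the full attachment instead of the excerpt gives the figure the post quotes; the interesting part for a log pipeline is the `unmapped` dict, which lists exactly the CEE fields (bytes counters, HTTP details, syslog facility and priority, taxonomy fields) that an IDMEF extension would have to add.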