Intrusion Detection Message Exchange Format (IDMEF) version 2 (revision 0.3)
Protobuf API
The Analyzer class identifies the analyzer from which the message originates
Field | Type | Label | Description |
IP | string | | IP address (either version 4 or version 6) |
Name | string | | Name of the analyzer, which must be reasonably unique but still bear some meaning. Usually denotes the hierarchy of organizational units the detector belongs to and its own name; may also distinguish several analyzers running with the same IP address |
Hostname | string | | Hostname of this analyzer. SHOULD be a fully-qualified domain name |
Type | Analyzer.AnalyzerTypeEnum | | Analyzer type |
Model | string | | Generic name, brand, version |
Category | Analyzer.AnalyzerCategoryEnum | repeated | Analyzer categories |
Data | Analyzer.AnalyzerDataEnum | repeated | Data analyzed for detection |
Method | Analyzer.AnalyzerMethodEnum | repeated | Detection method |
GeoLocation | string | | GPS coordinates for the sensor |
UnLocation | string | | Standard UN/LOCODE location |
Location | string | | Internal location of the agent/sensor |
Possible analyzer categories
Name | Number | Description |
Category_1DLiS | 0 | 1D LIDAR Sensor |
Category_2DLiS | 1 | 2D LIDAR Sensor |
Category_3DLiS | 2 | 3D LIDAR Sensor |
Category_1DLaS | 3 | 1D Laser Sensor |
Category_2DLaS | 4 | 2D Laser Sensor |
Category_3DLaS | 5 | 3D Laser Sensor |
Category_VAD | 6 | Voice Activity Detection |
Category_HAR | 7 | Human Activity Recognition |
Category_FRC | 8 | Face Recognition Camera |
Category_VNIR | 9 | Visible and Near-InfraRed |
Category_SWIR | 10 | Short Wavelength InfraRed |
Category_LWIR | 11 | Long Wavelength InfraRed |
Category_MWIR | 12 | Middle Wavelength InfraRed |
Category_ADS | 13 | Anti Drone System |
Category_ODC | 14 | Object Detection Camera |
Category_WEA | 15 | |
Category_DDOS | 16 | Anti-DDoS protection |
Category_SPAM | 17 | Detect Spam, Phishing, etc. |
Category_AV | 18 | Antivirus: detects malware (signature-based) |
Category_EDR | 19 | Endpoint Detection and Response |
Category_FW | 20 | Firewall |
Category_NIDS | 21 | Network Intrusion Detection System |
Category_HIDS | 22 | Host Intrusion Detection System |
Category_WIDS | 23 | Wi-Fi Intrusion Detection System |
Category_PROX | 24 | Proxy: detects attempts to use a wrong ACL or a wrong TLS session |
Category_WAF | 25 | Web Application Firewall |
Category_HPT | 26 | Honeypot |
Category_LOG | 27 | Log analysis |
Category_IAM | 28 | Identity & Access Management |
Category_VPN | 29 | Virtual Private Network |
Category_ETL | 30 | Log collection/transformation pipeline, e.g. Logstash, Fluentd, Vector |
Category_RASP | 31 | Runtime Application Self Protection |
Category_BAST | 32 | Clientless remote desktop gateway |
Category_NAC | 33 | Network Access Control |
Category_SIEM | 34 | Security Information and Event Management |
Category_NMS | 35 | Network Management System |
Possible types of data/sensors
Name | Number | Description |
Data_Light | 0 | |
Data_Noise | 1 | |
Data_Touch | 2 | |
Data_Images | 3 | |
Data_Vibration | 4 | |
Data_Lidar | 5 | |
Data_Thermic | 6 | |
Data_Seismic | 7 | |
Data_Temperature | 8 | |
Data_Rain | 9 | |
Data_Water | 10 | |
Data_Humidity | 11 | |
Data_Particles | 12 | |
Data_Contact | 13 | |
Data_MagneticField | 14 | |
Data_Acoustics | 15 | |
Data_Fog | 16 | |
Data_External | 17 | |
Data_Reporting | 18 | |
Data_Connection | 19 | |
Data_Datagram | 20 | |
Data_Content | 21 | |
Data_Data | 22 | |
Data_File | 23 | |
Data_Flow | 24 | |
Data_Log | 25 | |
Data_Protocol | 26 | |
Data_Host | 27 | |
Data_Network | 28 | |
Data_Alert | 29 | |
Data_Relay | 30 | |
Data_Auth | 31 | |
Data_SNMP | 32 | Simple Network Management Protocol |
Possible detection methods
Name | Number | Description |
Method_Biometric | 0 | |
Method_Signature | 1 | |
Method_Monitor | 2 | |
Method_Policy | 3 | |
Method_Statistical | 4 | |
Method_AI | 5 | |
Method_Heat | 6 | |
Method_Movement | 7 | |
Method_Blackhole | 8 | |
Method_Heuristic | 9 | |
Method_Integrity | 10 | |
Method_Honeypot | 11 | |
Method_Tarpit | 12 | |
Method_Recon | 13 | |
Method_Correlation | 14 | |
Method_Threshold | 15 | Detection threshold for values |
Possible analyzer types
Name | Number | Description |
Type_Cyber | 0 | The analyzer is a cyber analyzer |
Type_Physical | 1 | The analyzer is a physical analyzer |
Type_Availability | 2 | The analyzer is an availability analyzer |
Type_Combined | 3 | The analyzer is a combined analyzer, i.e. any other type of analyzer |
The Attachment class contains information about data linked to a source, target or vector
Field | Type | Label | Description |
Name | string | | Unique identifier among attachments that can be used to reference this attachment from other classes using the "Attachment" attribute |
FileName | string | | Attachment filename |
Hash | string | | Checksum of the attachment's content. The use of a hash function from the SHA-2 or SHA-3 family is recommended |
Size | int64 | | Length of the content (bytes) |
Ref | string | repeated | References to known sources, related to the attack and/or vulnerability, and specific to this attachment. This MAY be a URL to additional info, or a URN (according to RFC 2141) in a registered (IANA) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:clamav:Win.Trojan.Banker-14334" |
ExternalURI | string | repeated | If the attachment's content is available and/or recognizable from an external resource, this is the URI (usually a URL) to that resource. This MAY also be a URN (according to RFC 2141) in a registered (IANA) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:mhr:55eaf7effadc07f866d1eaed9c64e7ee49fe081a" or "magnet:?xt=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C" |
Note | string | | Free text human-readable additional note |
ContentType | string | | Internet Media Type of the attachment, according to RFC 2046 and related. Along with the types standardized by IANA, non-standard but widely used media types can be used (for examples see the MIME types list at freeformatter.com) |
ContentEncoding | string | | Content encoding. The following encodings are defined in this version of the specification: "json": the Content is a JSON object serialized to a string using the procedure defined in RFC 7159; "base64": the Content has been serialized using the Base64 encoding defined in RFC 4648. The "base64" encoding SHOULD be used when the content contains binary data. If omitted, the "json" encoding is assumed |
Content | string | | The attachment's content, if the content is included inside the message |
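As an added example (not part of the IDMEFv2 project or of this page), the following Python builds an Attachment with the fields above and verifies one on receipt: Size is computed on the decoded bytes, Hash carries a SHA-2/SHA-3 digest, "base64" is chosen for binary content and "json" for a serialized object, and decoding refuses any attachment whose Size or Hash does not match, so a consumer never hands a tampered or truncated blob to a parser or sandbox. The "algo:hexdigest" layout of the Hash string and the size limit are assumptions of this example; messages are plain dicts keyed by the documented field names rather than generated protobuf classes.

```python
import base64
import hashlib
import hmac
import json

# Hash functions the page recommends for Attachment.Hash (SHA-2 / SHA-3 family).
# Prefixing the digest with "algo:" is an assumption of this example; the page
# only fixes the hash family, not the string layout.
ALLOWED_HASHES = {"sha256", "sha384", "sha512", "sha3-256", "sha3-384", "sha3-512"}


def _digest(algo, payload):
    return hashlib.new(algo.replace("-", "_"), payload).hexdigest()


def make_attachment(name, filename, content, content_type,
                    json_object=False, hash_algo="sha256"):
    """Build an Attachment (dict keyed by the documented field names).

    content is raw bytes (stored with ContentEncoding "base64", as the page
    recommends for binary data) or, with json_object=True, an object that is
    serialized as RFC 7159 JSON (ContentEncoding "json").
    """
    if hash_algo not in ALLOWED_HASHES:
        raise ValueError("use a SHA-2 or SHA-3 hash, not %r" % hash_algo)
    if json_object:
        payload = json.dumps(content, separators=(",", ":")).encode("utf-8")
        body, encoding = payload.decode("utf-8"), "json"
    else:
        payload = bytes(content)
        body, encoding = base64.b64encode(payload).decode("ascii"), "base64"
    return {
        "Name": name,
        "FileName": filename,
        "Hash": "%s:%s" % (hash_algo, _digest(hash_algo, payload)),
        "Size": len(payload),  # length of the decoded content, in bytes
        "ContentType": content_type,
        "ContentEncoding": encoding,
        "Content": body,
    }


def decode_attachment(att, max_size=10 * 1024 * 1024):
    """Return the bytes carried by an Attachment after checking Size and Hash.

    Raises ValueError on any inconsistency (unknown encoding, bad base64 or
    JSON, oversized, Size or Hash mismatch, weak hash).
    """
    content = att.get("Content", "")
    if len(content) > 2 * max_size:  # cheap bound before any decoding
        raise ValueError("Content exceeds size limit")
    encoding = att.get("ContentEncoding", "json")  # page: "json" if omitted
    if encoding == "base64":
        payload = base64.b64decode(content, validate=True)
    elif encoding == "json":
        json.loads(content)  # must be a valid JSON document
        payload = content.encode("utf-8")
    else:
        raise ValueError("unknown ContentEncoding %r" % encoding)
    if len(payload) > max_size:
        raise ValueError("attachment larger than %d bytes" % max_size)
    if "Size" in att and att["Size"] != len(payload):
        raise ValueError("Size mismatch: declared %d, decoded %d"
                         % (att["Size"], len(payload)))
    if "Hash" in att:
        algo, _, expected = att["Hash"].partition(":")
        if algo not in ALLOWED_HASHES:
            raise ValueError("unsupported or weak hash %r" % algo)
        if not hmac.compare_digest(_digest(algo, payload), expected.lower()):
            raise ValueError("Hash mismatch")
    return payload


def attachment_is_intact(att):
    """True if decode_attachment accepts the attachment, False otherwise."""
    try:
        decode_attachment(att)
        return True
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Constructed sample: a 4-byte blob standing in for a captured file.
    att = make_attachment("a1", "dropper.bin", b"\x00MZ\x90",
                          "application/octet-stream")
    print(json.dumps(att, indent=2))
    print("intact:", attachment_is_intact(att))
```

The Hash comparison uses a constant-time compare; it costs nothing and avoids the habit of comparing digests with `==`.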
Root message
Field | Type | Label | Description |
Version | string | | Version of the IDMEFv2 format |
ID | string | | 128-bit Universally Unique IDentifier (UUID), either UUID version 4 (random) or version 5 (SHA-1) |
Entity | string | | Tenant ID to support multi-tenancy (e.g. decentralized infrastructure, local agency, subsidiary company, etc.). Should be used when there are multiple sites/locations or multiple tenants (e.g. MSSPs) |
Category | IDMEF.CategoryEnum | repeated | The ENISA RSIT incident category & subcategory |
Cause | IDMEF.CauseEnum | | Origin of the alert's cause, if known at the time of detection. If unknown, this key should not be set; it may be filled in later by a manager or a human operator |
Description | string | | Short free text human-readable description |
Status | IDMEF.StatusEnum | | Alert state in the overall alert lifecycle |
Severity | IDMEF.SeverityEnum | | Severity of the alert |
Confidence | float | | Confidence of the detector in the reliability of this particular detection (0: surely false, 1: no doubt) |
Note | string | | Free text human-readable additional note, possibly a longer description of the incident if not obvious |
CreateTime | google.protobuf.Timestamp | | Message creation timestamp. May reveal the delay between detection and processing of the data |
StartTime | google.protobuf.Timestamp | | Deduced start of the event, or simply the time of the event if it is solitary |
CeaseTime | google.protobuf.Timestamp | | Deduced end of the event |
DeleteTime | google.protobuf.Timestamp | | Message deletion timestamp. MUST be specified if the message has to be deleted after this date for technical, organizational or ethical reasons |
AltNames | string | repeated | Alternative identifiers: strings which help pair the event with information in internal systems (for example tickets in request tracking systems) |
AltCategory | string | repeated | Alternate category from a reference other than RSIT (e.g. MISP, MITRE ATT&CK or a proprietary internal reference) |
Ref | string | repeated | References to known sources, related to the alert and/or vulnerability, and specific to this alert. This MAY be a URL to additional info, or a URN (according to RFC 2141) in a registered (IANA) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as "urn:cve:CVE-2013-2266" |
CorrelID | string | repeated | Identifiers of the messages used as information sources to create this message, when it has been created by correlation/analysis/deduction from other messages |
AggrCondition | string | repeated | List of IDMEF fields that are shared (with the same value) by all aggregated events. Sent mostly by intermediary nodes which detect duplicates, or which aggregate events spanning multiple detection windows into a longer one. Field syntax: "<field>" for top-level fields (e.g. "CeaseTime"); "<class>.<field>" for subfields (e.g. "Source.IP"); "<field>(<N>)" to reference the Nth element (0-based) of a list, N defaulting to 0 if omitted (e.g. "Source.IP(0)" refers to the first IP of the first source). The "StartTime" and "CeaseTime" fields describe the aggregation timeframe, in conjunction with this field |
PredID | string | repeated | Identifiers of previous messages obsoleted by this message. An obsoleted alert should no longer be used. This field can be used to "update" an alert |
RelID | string | repeated | Other messages related to this message |
Analyzer | Analyzer | | The Analyzer class identifies the analyzer from which the message originates |
Sensor | Sensor | repeated | The Sensor class identifies the sensor used by the analyzer for its analysis |
Source | Source | repeated | The Source class contains information about the possible source(s) of the event(s) that generated this message |
Target | Target | repeated | The Target class contains information about the possible target(s) of the event(s) that generated this message |
Vector | Vector | repeated | The Vector class contains information about the vector(s) of the event(s) that generated this message |
Attachment | Attachment | repeated | The Attachment class contains information about data linked to a source, target or vector |
Observable | Observable | repeated | The Observable class contains information about metadata linked to a source, target or vector |
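The AggrCondition field-path syntax, as an added example that is not project code: a resolver for the "<field>", "<class>.<field>" and "<field>(<N>)" forms described in the table, and an aggregator that merges events which agree on every listed field, setting StartTime/CeaseTime to the merged timeframe and CorrelID to the merged message IDs. Messages are dicts keyed by the documented field names; the two sample events, their UUIDs and the Version string are constructed. Treating a scalar as a one-element list, so that "Source.IP(0)" resolves to the IP of the first source as the table's example says, is this example's interpretation of the syntax.

```python
import copy
import re

# One path component: a field name with an optional 0-based index,
# e.g. "Source", "Source(1)", "IP(0)".
_COMPONENT = re.compile(r"^([A-Za-z]+)(?:\((\d+)\))?$")


def resolve_field(message, path):
    """Resolve an AggrCondition field path against a message (dict keyed by
    the documented field names).

    Interpretation used here (an assumption of this example): when a
    component's value is a list, N selects its element and defaults to 0;
    a scalar is treated as a one-element list, so "Source.IP(0)" is the IP
    of the first source, matching the table's own example.
    """
    node = message
    for component in path.split("."):
        match = _COMPONENT.match(component)
        if not match:
            raise ValueError("bad AggrCondition component %r in %r" % (component, path))
        name, index = match.group(1), int(match.group(2) or 0)
        if not isinstance(node, dict) or name not in node:
            raise KeyError("%s: no field %r" % (path, name))
        value = node[name]
        items = value if isinstance(value, list) else [value]
        if index >= len(items):
            raise IndexError("%s: index %d out of range" % (path, index))
        node = items[index]
    return node


def aggregate(events, conditions, new_id):
    """Merge events that agree on every AggrCondition field into one message.

    The result keeps the first event's content, spans the earliest StartTime
    and the latest CeaseTime of the inputs, records the conditions in
    AggrCondition and lists the merged message IDs in CorrelID.
    """
    if not events:
        raise ValueError("nothing to aggregate")
    for path in conditions:
        first = resolve_field(events[0], path)
        for event in events[1:]:
            if resolve_field(event, path) != first:
                raise ValueError("events disagree on %s" % path)
    merged = copy.deepcopy(events[0])
    merged["ID"] = new_id
    merged["StartTime"] = min(e["StartTime"] for e in events)
    merged["CeaseTime"] = max(e.get("CeaseTime", e["StartTime"]) for e in events)
    merged["AggrCondition"] = list(conditions)
    merged["CorrelID"] = [e["ID"] for e in events]
    return merged


# Constructed sample: two brute-force windows from the same source against
# the same SSH port, one minute apart. Timestamps are RFC 3339 text in UTC
# with one layout, so they order correctly as strings.
EVENTS = [
    {
        "Version": "2.0.3",
        "ID": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
        "Category": ["Category_Attempt_Login"],
        "StartTime": "2024-05-01T10:00:00Z",
        "CeaseTime": "2024-05-01T10:00:30Z",
        "Source": [{"IP": "203.0.113.7", "Port": [51234, 51235]}],
        "Target": [{"IP": "198.51.100.5", "Port": [22]}],
    },
    {
        "Version": "2.0.3",
        "ID": "9c5b94b1-35ad-49bb-b118-8e8fc24abf80",
        "Category": ["Category_Attempt_Login"],
        "StartTime": "2024-05-01T10:01:00Z",
        "CeaseTime": "2024-05-01T10:02:00Z",
        "Source": [{"IP": "203.0.113.7", "Port": [51301]}],
        "Target": [{"IP": "198.51.100.5", "Port": [22]}],
    },
]

if __name__ == "__main__":
    summary = aggregate(EVENTS, ["Source.IP", "Target.IP", "Target.Port", "Category"],
                        "2b2a9f5e-7a2d-4ba4-9c1b-6a5d7e0c8b3d")
    print(summary["StartTime"], summary["CeaseTime"], summary["CorrelID"])
```

Note that "Source.Port" would not be an acceptable condition for these two events (the ephemeral client ports differ), which is exactly what the agreement check catches before a misleading aggregate is emitted.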
Possible alert categories
Name | Number | Description |
Category_Abusive_Spam | 0 | Or 'Unsolicited Bulk Email': the recipient has not granted verifiable permission for the message to be sent, and the message is sent as part of a larger collection of messages, all having functionally comparable content. This IOC refers to resources which make up a spam infrastructure, for example harvesters like address verification, URLs in spam e-mails, etc. |
Category_Abusive_Harassment | 1 | Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals. |
Category_Abusive_Illicit | 2 | Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc. |
Category_Malicious_System | 3 | System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server |
Category_Malicious_Botnet | 4 | Command-and-control server contacted by malware on infected systems |
Category_Malicious_Distribution | 5 | URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites). |
Category_Malicious_Configuration | 6 | URI hosting a malware configuration file, e.g. web-injects for a banking trojan |
Category_Recon_Scanning | 7 | Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning. |
Category_Recon_Sniffing | 8 | Observing and recording of network traffic (wiretapping). |
Category_Recon_SocialEngineering | 9 | Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats). |
Category_Attempt_Exploit | 10 | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.) |
Category_Attempt_Login | 11 | Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol. |
Category_Attempt_NewSignature | 12 | An attack using an unknown exploit. |
Category_Intrusion_AdminCompromise | 13 | Compromise of a system where the attacker gained administrative privileges. |
Category_Intrusion_UserCompromise | 14 | Compromise of a system using an unprivileged (user/service) account. |
Category_Intrusion_AppCompromise | 15 | Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection. |
Category_Intrusion_SysCompromise | 16 | Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems. |
Category_Intrusion_Burglary | 17 | Physical intrusion, e.g. into corporate building or data-centre. |
Category_Availability_DoS | 18 | Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down. |
Category_Availability_DDoS | 19 | Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks. |
Category_Availability_Misconf | 20 | Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK. |
Category_Availability_Theft | 21 | |
Category_Availability_Sabotage | 22 | Physical sabotage, e.g cutting wires or malicious arson. |
Category_Availability_Outage | 23 | Outage caused e.g. by air condition failure or natural disaster. |
Category_Availability_Failure | 24 | Failure, malfunction (e.g. : bug, wear, faults, etc.) |
Category_Information_UnauthorizedAccess | 25 | Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents. |
Category_Information_UnauthorizedModification | 26 | Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements. |
Category_Information_DataLoss | 27 | Loss of data, e.g. caused by harddisk failure or physical theft. |
Category_Information_DataLeak | 28 | Leaked confidential information like credentials or personal data. |
Category_Fraud_UnauthorizedUsage | 29 | Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes. |
Category_Fraud_Copyright | 30 | Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez). |
Category_Fraud_Masquerade | 31 | Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it. |
Category_Fraud_Phishing | 32 | Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials. |
Category_Vulnerable_Crypto | 33 | Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks. |
Category_Vulnerable_DDoS | 34 | Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled. |
Category_Vulnerable_Surface | 35 | Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC. |
Category_Vulnerable_Disclosure | 36 | Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis. |
Category_Vulnerable_System | 37 | A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc. |
Category_Geophysical_Earthquake | 38 | A hazard originating from solid earth. This term is used interchangeably with the term geological hazard. |
Category_Geophysical_MassMovement | 39 | A hazard originating from solid earth. This term is used interchangeably with the term geological hazard. |
Category_Geophysical_Volcanic | 40 | A hazard originating from solid earth. This term is used interchangeably with the term geological hazard. |
Category_Meteorological_Temperature | 41 | A hazard caused by short-lived, micro- to meso-scale extreme weather and atmospheric conditions that last from minutes to days. |
Category_Meteorological_Fog | 42 | A hazard caused by short-lived, micro- to meso-scale extreme weather and atmospheric conditions that last from minutes to days. |
Category_Meteorological_Storm | 43 | A hazard caused by short-lived, micro- to meso-scale extreme weather and atmospheric conditions that last from minutes to days. |
Category_Hydrological_Flood | 44 | A hazard caused by the occurrence, movement, and distribution of surface and subsurface freshwater and saltwater. |
Category_Hydrological_Landslide | 45 | A hazard caused by the occurrence, movement, and distribution of surface and subsurface freshwater and saltwater. |
Category_Hydrological_Wave | 46 | A hazard caused by the occurrence, movement, and distribution of surface and subsurface freshwater and saltwater. |
Category_Climatological_Drought | 47 | A hazard caused by long-lived, meso- to macro-scale atmospheric processes ranging from intra-seasonal to multi-decadal climate variability. |
Category_Climatological_LakeOutburst | 48 | A hazard caused by long-lived, meso- to macro-scale atmospheric processes ranging from intra-seasonal to multi-decadal climate variability. |
Category_Climatological_Wildfire | 49 | A hazard caused by long-lived, meso- to macro-scale atmospheric processes ranging from intra-seasonal to multi-decadal climate variability. |
Category_Biological_Epidemic | 50 | A hazard caused by the exposure to living organisms and their toxic substances (e.g. venom, mold) or vector-borne diseases that they may carry. Examples are venomous wildlife and insects, poisonous plants, and mosquitoes carrying disease-causing agents such as parasites, bacteria, or viruses (e.g. malaria). |
Category_Biological_Insect | 51 | A hazard caused by the exposure to living organisms and their toxic substances (e.g. venom, mold) or vector-borne diseases that they may carry. Examples are venomous wildlife and insects, poisonous plants, and mosquitoes carrying disease-causing agents such as parasites, bacteria, or viruses (e.g. malaria). |
Category_Biological_Animal | 52 | A hazard caused by the exposure to living organisms and their toxic substances (e.g. venom, mold) or vector-borne diseases that they may carry. Examples are venomous wildlife and insects, poisonous plants, and mosquitoes carrying disease-causing agents such as parasites, bacteria, or viruses (e.g. malaria). |
Category_Extraterrestrial_Impact | 53 | A hazard caused by asteroids, meteoroids, and comets as they pass near-earth, enter the Earth's atmosphere, and/or strike the Earth, and by changes in interplanetary conditions that affect the Earth's magnetosphere, ionosphere, and thermosphere. |
Category_Extraterrestrial_SpaceWeather | 54 | A hazard caused by asteroids, meteoroids, and comets as they pass near-earth, enter the Earth's atmosphere, and/or strike the Earth, and by changes in interplanetary conditions that affect the Earth's magnetosphere, ionosphere, and thermosphere. |
Category_Other_Uncategorized | 55 | All incidents which don't fit in one of the given categories should be put into this class or the incident is not categorised. |
Category_Other_Undetermined | 56 | The categorisation of the incident is unknown/undetermined. |
Category_Test_Test | 57 | Meant for testing. |
Possible alert causes
Name | Number | Description |
Cause_Normal | 0 | |
Cause_Error | 1 | |
Cause_Malicious | 2 | |
Cause_Malfunction | 3 | |
Cause_Natural | 4 | |
Cause_Unknown | 5 |
Possible alert severities
Name | Number | Description |
Severity_Unknown | 0 | |
Severity_Info | 1 | |
Severity_Low | 2 | |
Severity_Medium | 3 | |
Severity_High | 4 |
Possible alert statuses
Name | Number | Description |
Status_Event | 0 | |
Status_Incident | 1 |
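A receiving manager should not trust the structure of an alert it did not produce. As an added example (not the project's own validator), the following Python checks a message against the constraints stated in the root message table and the enumerations above: ID is a version 4 or 5 UUID, Confidence lies in [0, 1], Severity/Status/Cause and the first-level Category group come from the tables, timestamps parse and are ordered, and every Attachment or Observable identifier referenced from a Source, Target or Vector resolves to a unique Name. Messages are dicts keyed by the documented field names, timestamps are handled as RFC 3339 strings as in the JSON form, and the sample phishing alert is constructed.

```python
import re
import uuid
from datetime import datetime

# Enumerations copied from the tables on this page.
SEVERITIES = {"Severity_Unknown", "Severity_Info", "Severity_Low",
              "Severity_Medium", "Severity_High"}
STATUSES = {"Status_Event", "Status_Incident"}
CAUSES = {"Cause_Normal", "Cause_Error", "Cause_Malicious",
          "Cause_Malfunction", "Cause_Natural", "Cause_Unknown"}
# First-level groups of the category table: a value must read
# "Category_<group>_<subcategory>" with a known group.
CATEGORY_GROUPS = {"Abusive", "Malicious", "Recon", "Attempt", "Intrusion",
                   "Availability", "Information", "Fraud", "Vulnerable",
                   "Geophysical", "Meteorological", "Hydrological",
                   "Climatological", "Biological", "Extraterrestrial",
                   "Other", "Test"}
_CATEGORY = re.compile(r"^Category_([A-Za-z]+)_[A-Za-z]+$")
_TIME_FIELDS = ("CreateTime", "StartTime", "CeaseTime", "DeleteTime")


def _parse_time(value):
    """RFC 3339 text (JSON form of google.protobuf.Timestamp); None if invalid."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None


def validate_message(msg):
    """Return the list of problems found in an IDMEFv2 message given as a
    dict keyed by the documented field names; an empty list means it passed."""
    problems = []

    try:  # ID: UUID version 4 or 5
        version = uuid.UUID(str(msg.get("ID", ""))).version
        if version not in (4, 5):
            problems.append("ID: UUID version %s, expected 4 or 5" % version)
    except ValueError:
        problems.append("ID: not a UUID")

    conf = msg.get("Confidence")  # float in [0, 1]
    if conf is not None and not (isinstance(conf, (int, float)) and 0.0 <= conf <= 1.0):
        problems.append("Confidence: %r outside [0, 1]" % (conf,))

    for field, allowed in (("Severity", SEVERITIES), ("Status", STATUSES),
                           ("Cause", CAUSES)):
        if field in msg and msg[field] not in allowed:
            problems.append("%s: unknown value %r" % (field, msg[field]))
    for cat in msg.get("Category", []):
        match = _CATEGORY.match(str(cat))
        if not match or match.group(1) not in CATEGORY_GROUPS:
            problems.append("Category: unknown value %r" % (cat,))

    times = {k: _parse_time(msg[k]) for k in _TIME_FIELDS if k in msg}
    for k, t in times.items():
        if t is None:
            problems.append("%s: not an RFC 3339 timestamp" % k)
    if times.get("StartTime") and times.get("CeaseTime") \
            and times["CeaseTime"] < times["StartTime"]:
        problems.append("CeaseTime precedes StartTime")
    if times.get("CreateTime") and times.get("DeleteTime") \
            and times["DeleteTime"] < times["CreateTime"]:
        problems.append("DeleteTime precedes CreateTime")

    # Attachment/Observable names are unique, and every reference from a
    # Source, Target or Vector must resolve to one of them.
    for cls in ("Attachment", "Observable"):
        names = [item.get("Name") for item in msg.get(cls, [])]
        if len(names) != len(set(names)):
            problems.append("%s: Name values are not unique" % cls)
        for ref_cls in ("Source", "Target", "Vector"):
            for i, item in enumerate(msg.get(ref_cls, [])):
                for ref in item.get(cls, []):
                    if ref not in names:
                        problems.append("%s(%d).%s: dangling reference %r"
                                        % (ref_cls, i, cls, ref))
    return problems


# Constructed sample: a phishing alert carrying the captured e-mail as an attachment.
SAMPLE = {
    "Version": "2.0.3",
    "ID": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
    "Category": ["Category_Fraud_Phishing"],
    "Cause": "Cause_Malicious",
    "Status": "Status_Event",
    "Severity": "Severity_Medium",
    "Confidence": 0.8,
    "CreateTime": "2024-05-01T10:00:05Z",
    "StartTime": "2024-05-01T10:00:00Z",
    "Analyzer": {"Name": "corp/mail/gw-1", "Type": "Type_Cyber",
                 "Category": ["Category_SPAM"]},
    "Source": [{"Email": "billing@example.net", "Attachment": ["mail-1"]}],
    "Target": [{"Email": "alice@example.com"}],
    "Attachment": [{"Name": "mail-1", "FileName": "message.eml",
                    "ContentType": "message/rfc822"}],
}

if __name__ == "__main__":
    print("problems:", validate_message(SAMPLE))
```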
The Observable class contains information about metadata linked to a source, target or vector
Field | Type | Label | Description |
Name | string | | Unique identifier among observables that can be used to reference this observable from other classes using the "Observable" attribute |
Reference | string | | Name of the reference from which the observable is specified |
Content | string | | Observable content |
The Sensor class identifies the sensor used by the analyzer for its analysis
Field | Type | Label | Description |
IP | string | | The sensor's IP address (either version 4 or version 6) |
Name | string | | Name of the sensor, which must be reasonably unique but still bear some meaning. Usually denotes the hierarchy of organizational units the detector belongs to and its own name. May also help distinguish sensors running with the same IP address |
Hostname | string | | Hostname of this sensor. Should be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. An empty string can be used to explicitly state that this value was inquired but not found (missing DNS name) |
Model | string | | Generic name, brand, version |
UnLocation | string | | Standard UN/LOCODE location |
Location | string | | Internal location of the sensor |
CaptureZone | string | | Description of the sensor's capture zone, as a serialized JSON string |
The Source class contains information about the possible source(s) of the event(s) that generated this message
Field | Type | Label | Description |
UnLocation | string | | Standard UN/LOCODE location for this source |
Location | string | | Internal location description (for internal sources) |
GeoLocation | string | | GPS coordinates for the source |
Note | string | | Free text human-readable additional note |
TI | string | repeated | Threat intelligence information about the source |
IP | string | | Source IP address (either version 4 or version 6) |
Hostname | string | | Hostname of this source. Should be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. An empty string can be used to explicitly state that this value was inquired but not found (missing DNS name) |
User | string | | User ID or login responsible for the alert |
Email | string | | Email address (e.g. the value of the "Reply-To" or "From" header inside a phishing e-mail) |
Protocol | string | repeated | Protocols related to connections from/to this source/target. If several protocols are stacked, they must be ordered from the lowest (closest to the medium) to the highest (closest to the application) according to the ISO/OSI model |
Port | int32 | repeated | Source ports involved |
Attachment | string | repeated | Identifiers for attachments related to this source. Each identifier listed here MUST match the "Name" attribute of one of the attachments described using the "Attachment" class |
Observable | string | repeated | Identifiers for observables related to this source. Each identifier listed here MUST match the "Name" attribute of one of the observables described using the "Observable" class |
The Target class contains information about the possible target(s) of the event(s) that generated this message
Field | Type | Label | Description |
UnLocation | string | | Standard UN/LOCODE location for this target |
Location | string | | Internal location description (for internal targets) |
GeoLocation | string | | GPS coordinates for the target |
Note | string | | Free text human-readable additional note |
IP | string | | Target IP address (either version 4 or version 6) |
Hostname | string | | Hostname of this target. Should be a fully qualified domain name, but may not conform exactly because values extracted from logs, messages, DNS, etc. may themselves be malformed. An empty string can be used to explicitly state that this value was inquired but not found (missing DNS name) |
Service | string | | Service(s)/process(es) impacted by the event/alert |
User | string | | User ID or login responsible for the alert |
Email | string | | Email address (e.g. the value of the "To" header inside a phishing e-mail) |
Port | int32 | repeated | Target ports affected |
Attachment | string | repeated | Identifiers for attachments related to this target. Each identifier listed here MUST match the "Name" attribute of one of the attachments described using the "Attachment" class |
Observable | string | repeated | Identifiers for observables related to this target. Each identifier listed here MUST match the "Name" attribute of one of the observables described using the "Observable" class |
The Vector class contains information about the vector(s) of the event(s) that generated this message
Field | Type | Label | Description |
Category | Vector.VectorCategoryEnum | repeated | Category for the detected "vector" |
TI | string | repeated | Threat intelligence information about the vector |
Name | string | | Name of the detected vector, or "Unknown" |
Size | Vector.VectorSizeEnum | | Average size of the detected vector |
UnLocation | string | | UN/LOCODE location of the vector (e.g. a storm detected over Athens) |
GeoLocation | string | | GPS coordinates for the vector, giving the event's geolocation (i.e. where a man/car/animal was detected, where a storm/drought/fire risk was predicted, etc.) |
GeoRadius | int32 | | Estimated radius around the provided geolocation (error margin), in meters. The value can be precise or approximate (e.g. 100 m) |
Location | string | | Internal location |
Note | string | | Free text human-readable additional note |
Attachment | string | repeated | Identifiers for attachments related to this vector. Each identifier listed here MUST match the "Name" attribute of one of the attachments described using the "Attachment" class |
Observable | string | repeated | Identifiers for observables related to this vector. Each identifier listed here MUST match the "Name" attribute of one of the observables described using the "Observable" class |
Possible categories for attack vectors
Name | Number | Description |
Vector_Unknown | 0 | |
Vector_Face | 1 | |
Vector_RunningMan | 2 | |
Vector_Human | 3 | |
Vector_Man | 4 | |
Vector_Woman | 5 | |
Vector_Chilren | 6 | |
Vector_Animal | 7 | |
Vector_Object | 8 | |
Vector_Blast | 9 | |
Vector_Fire | 10 | |
Vector_Wind | 11 | |
Vector_Snow | 12 | |
Vector_Rain | 13 | |
Vector_Chemical | 14 | |
Vector_Smoke | 15 | |
Vector_Vapors | 16 | |
Vector_Drug | 17 | |
Vector_Device | 18 | |
Vector_Drone | 19 | |
Vector_Car | 20 | |
Vector_Truck | 21 | |
Vector_Vehicle | 22 | |
Vector_Bird | 23 | |
Vector_Storm | 24 | |
Vector_HighTemperature | 25 | |
Vector_Artifact | 26 | |
Vector_AutonomousSystem | 27 | |
Vector_Directory | 28 | |
Vector_DomainName | 29 | |
Vector_EmailAddress | 30 | |
Vector_EmailMessage | 31 | |
Vector_File | 32 | |
Vector_IPv4Address | 33 | |
Vector_IPv6Address | 34 | |
Vector_Mutex | 35 | |
Vector_NetworkTraffic | 36 | |
Vector_Process | 37 | |
Vector_URL | 38 | |
Vector_UserAccount | 39 | |
Vector_WindowsRegistryKey | 40 | |
Vector_X509Certificate | 41 |
Possible sizes for attack vectors
Name | Number | Description |
Vector_Small | 0 | |
Vector_Medium | 1 | |
Vector_Large | 2 | |
Vector_Huge | 3 |
.proto Type | Notes | C++ | Java | Python | Go | C# | PHP | Ruby |
double | | double | double | float | float64 | double | float | Float |
float | | float | float | float | float32 | float | float | Float |
int32 | Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint32 instead. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
int64 | Uses variable-length encoding. Inefficient for encoding negative numbers; if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long | int64 | long | integer/string | Bignum |
uint32 | Uses variable-length encoding. | uint32 | int | int/long | uint32 | uint | integer | Bignum or Fixnum (as required) |
uint64 | Uses variable-length encoding. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum or Fixnum (as required) |
sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long | int64 | long | integer/string | Bignum |
fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int | uint32 | uint | integer | Bignum or Fixnum (as required) |
fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long | uint64 | ulong | integer/string | Bignum |
sfixed32 | Always four bytes. | int32 | int | int | int32 | int | integer | Bignum or Fixnum (as required) |
sfixed64 | Always eight bytes. | int64 | long | int/long | int64 | long | integer/string | Bignum |
bool | | bool | boolean | boolean | bool | bool | boolean | TrueClass/FalseClass |
string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode | string | string | string | String (UTF-8) |
bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str | []byte | ByteString | string | String (ASCII-8BIT) |
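To make the table's note on int32 versus sint32 concrete, here is an added Python example (not part of this page or of the protobuf library) implementing base-128 varint and ZigZag encoding as the protobuf wire format defines them: a negative int32 is sign-extended to 64 bits before varint encoding and so costs 10 bytes, while the same value as sint32 costs one byte. The decoder bounds a varint at 10 bytes, the longest a 64-bit value can need, so a crafted run of continuation bytes cannot drive it past the buffer or build an unbounded integer.

```python
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def encode_varint(value):
    """Base-128 varint: 7 payload bits per byte, MSB set on all but the last."""
    if value < 0:
        raise ValueError("varints carry unsigned values; map negatives first")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(data, pos=0):
    """Decode one varint at data[pos]; returns (value, position after it).

    Raises ValueError if the buffer ends mid-varint or the varint exceeds
    10 bytes, so malformed input cannot run the decoder past the buffer.
    """
    result = 0
    for i in range(10):
        if pos + i >= len(data):
            raise ValueError("truncated varint")
        byte = data[pos + i]
        result |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return result, pos + i + 1
    raise ValueError("varint longer than 10 bytes")


def encode_int32(value):
    """int32 on the wire: sign-extended to 64 bits, then varint-encoded,
    which is why -1 costs 10 bytes."""
    return encode_varint(value & MASK64)


def decode_int32(data, pos=0):
    raw, pos = decode_varint(data, pos)
    value = raw & MASK32  # extra sign-extension bytes are dropped
    return value - (1 << 32) if value >= (1 << 31) else value, pos


def zigzag32(value):
    """ZigZag maps 0,-1,1,-2,2,... to 0,1,2,3,4,... so small magnitudes stay small."""
    return ((value << 1) ^ (value >> 31)) & MASK32  # Python >> is arithmetic


def encode_sint32(value):
    return encode_varint(zigzag32(value))


def decode_sint32(data, pos=0):
    raw, pos = decode_varint(data, pos)
    return (raw >> 1) ^ -(raw & 1), pos


def wire_sizes(value):
    """Bytes needed on the wire for the same value as int32 and as sint32."""
    return {"int32": len(encode_int32(value)), "sint32": len(encode_sint32(value))}


if __name__ == "__main__":
    for v in (-1, 1, 64, -64, 2147483647, -2147483648):
        print("%11d int32=%2d bytes  sint32=%d bytes" % (v, wire_sizes(v)["int32"],
                                                         wire_sizes(v)["sint32"]))
```

The trade-off runs both ways: ZigZag spends one extra bit on the sign, so a non-negative value such as 64 needs two bytes as sint32 but one as int32, which is why the table recommends sint32 only for fields that are likely to hold negative values.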