Incident Object Description Exchange Format

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Used for computer security, IODEF (Incident Object Description Exchange Format) is a data format which is used to describe computer security information for the purpose of exchange between Computer Security Incident Response Teams (CSIRTs).

IODEF messages are organized in a human-readable way, and not a machine format. Details of the format are described in RFC 5070 and updated in RFC 6685. Version 2 of the format is defined in RFC 7970, which supersedes the previous version. This RFC presents an implementation of the data model in XML as well as the associated DTD. Further implementation guidance for IODEF v2 is defined in RFC 8274.

One of the main characteristics of IODEF is its compatibility with the IDMEF Intrusion Detection Message Exchange Format developed for intrusion detection systems. For this reason, IODEF is heavily based on IDMEF and provides backward compatibility with it.

Format[edit]

IODEF-Schema.png

IODEF is an object-oriented structured format, composed of 47 classes in the first version. The IODEF and IDMEF formats having a lot in common: the field structure is similar to the IDMEF one and it is an extensible format: in addition to the usual Additional Data Class, which allow adding any information relevant to the IODEF message, most enumerations are provided with an "ext" field. This field is used when none of the proposed choices are fitting.

Here is a list of the main fields:

  • IncidentID : One. An incident identification number assigned to this incident by the CSIRT who creates the IODEF document.
  • AlternativeID : Zero or one. The incidents ID numbers used by other CSIRTs to refer to the incident described in the document.
  • RelatedActivity : Zero or one. The ID numbers of the incidents linked to the one described in this document.
  • DetectTime : Zero or one. Time at which the incident was detected for the first time.
  • StartTime : Zero or one. Time at which the incident started.
  • EndTime : Zero or one. Time at which the incident ended.
  • ReportTime : One. Time at which the incident was reported.
  • Description : Zero or more. ML_STRING. A non-formatted textual description of the event.
  • Assessment : One or more. A characterization of the incident impact.
  • Method : Zero or more. Techniques used by the intruder during the incident.
  • Contact : One or more. Contact information for the groups involved in the incident.
  • EventData : Zero or more. Description of the events involving the incident.
  • History : Zero or more. A log, of the events or the notable actions which took place during the incident management.
  • AdditionalData : Zero or more. Mechanism which extends the data model.

Example[edit]

Below, you can find an example of an IODEF document:[citation needed]

<!--
   ====================================================================
   == IODEF-Document class                                           ==
   ====================================================================
  -->
    <xs:element name="IODEF-Document">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Incident" 
                      maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="version" 
                      type="xs:string" fixed="1.00"/>
        <xs:attribute name="lang" 
                      type="xs:language" use="required"/>
        <xs:attribute name="formatid" 
                      type="xs:string"/>
      </xs:complexType>
    </xs:element>
  <!--
   ====================================================================
   ===  Incident class                                              ===
   ====================================================================
  -->
    <xs:element name="Incident">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:IncidentID"/>
          <xs:element ref="iodef:AlternativeID" 
                      minOccurs="0"/>
          <xs:element ref="iodef:RelatedActivity" 
                      minOccurs="0"/>
          <xs:element ref="iodef:DetectTime" 
                      minOccurs="0"/>
          <xs:element ref="iodef:StartTime" 
                      minOccurs="0"/>
          <xs:element ref="iodef:EndTime" 
                      minOccurs="0"/>
          <xs:element ref="iodef:ReportTime"/>
          <xs:element ref="iodef:Description" 
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Assessment" 
                      maxOccurs="unbounded"/>
          <xs:element ref="iodef:Method" 
                      minOccurs="0" maxOccurs="unbounded"/>  <xs:element ref="iodef:Contact" 
                      maxOccurs="unbounded"/>
          <xs:element ref="iodef:EventData" 
                      minOccurs="0" maxOccurs="unbounded"/>
          <xs:element ref="iodef:History" 
                      minOccurs="0"/>
          <xs:element ref="iodef:AdditionalData" 
                      minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:attribute name="purpose" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="traceback"/>
              <xs:enumeration value="mitigation"/>
              <xs:enumeration value="reporting"/>
              <xs:enumeration value="other"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-purpose" 
                      type="xs:string" use="optional"/>
        <xs:attribute name="lang" 
                      type="xs:language"/>
        <xs:attribute name="restriction" 
                      type="iodef:restriction-type" default="private"/>
      </xs:complexType>
    </xs:element>

Software using IODEF[edit]

External links[edit]

  • RFC 5070 – The Incident Object Description Exchange Format (IODEF)
  • RFC 6685 – Expert Review for Incident Object Description Exchange Format (IODEF) Extensions in IANA XML Registry
  • RFC 7203 – An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information
  • RFC 7970 – The Incident Object Description Exchange Format Version 2
  • RFC 8274 – Incident Object Description Exchange Format Usage Guidance
  • SECEF, Project to promote the IDMEF and IODEF formats