{"id":327,"date":"2015-02-22T18:44:26","date_gmt":"2015-02-22T18:44:26","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=327"},"modified":"2017-11-25T17:13:47","modified_gmt":"2017-11-25T17:13:47","slug":"the-idmef-module","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=327","title":{"rendered":"The idmef module"},"content":{"rendered":"<p><a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> is the Intrusion Detection Message Exchange Format.<\/p>\n<p>The <code>idmef<\/code>\u00a0module is a module that is at the same time:<\/p>\n<ul>\n<li>a <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=131\">dissection module<\/a>, allowing Orchids to parse <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> alerts and pick selected nodes as <strong>input<\/strong> through XPath expressions<\/li>\n<li>an <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=656\">extension module<\/a>, allowing Orchids to produce <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> <strong>reports<\/strong>.<\/li>\n<\/ul>\n<p>The\u00a0<code>idmef<\/code> module manipulates <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> alerts internally as XML objects, which one may explore and modify through the primitives provided by the <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=362\"><code>xml<\/code><\/a> module.<\/p>\n<h3>Configuration options &#8211; input<\/h3>\n<p>First, the options relevant to IDMEF input. 
\u00a0Typically, input will be obtained from the <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=87\"><code>textfile<\/code><\/a> module, or from the <code>.syslog.msg<\/code> field from the <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=157\"><code>syslog<\/code><\/a> module, written in XML.<\/p>\n<ul>\n<li><code>str_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>str<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.<br \/>\nExample:<\/p>\n<pre>str_field c_text \"\/*\/idmef:Alert\/idmef:Classification\/@text\"\r\nstr_field c_ident \"\/*\/idmef:Alert\/idmef:Classification\/@ident\"<\/pre>\n<\/li>\n<li><code>bstr_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>bstr<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.<\/li>\n<li><code>int_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>int<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>. \u00a0Conversion to type <code>int<\/code> is automatic.<br \/>\nExample:<\/p>\n<pre>int_field message_id  \u00a0 \"\/*\/idmef:Alert\/@messageid\"<\/pre>\n<\/li>\n<li><code>uint_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>uint<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>. 
\u00a0Conversion to type <code>uint<\/code> is automatic.<\/li>\n<li><code>float_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>float<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>. \u00a0Conversion to type <code>float<\/code> is automatic.<\/li>\n<li><code>ctime_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>ctime<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.\u00a0\u00a0Conversion to type <code>ctime<\/code> is automatic.<br \/>\nExample:<\/p>\n<pre>ctime_field create_time \"\/*\/idmef:Alert\/idmef:CreateTime\"\r\nctime_field detect_time \"\/*\/idmef:Alert\/idmef:DetectTime\"<\/pre>\n<\/li>\n<li><code>timeval_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>timeval<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.\u00a0\u00a0Conversion to type <code>timeval<\/code> is automatic.<\/li>\n<li><code>ipv4_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>ipv4<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.\u00a0\u00a0Conversion to type <code>ipv4<\/code> is automatic.<br \/>\nExample:<\/p>\n<pre>ipv4_field analyzer_ip \"\/*\/idmef:Alert\/idmef:Analyzer\/idmef:Node\/idmef:Address\/idmef:address\"<\/pre>\n<\/li>\n<li><code>ipv6_field<\/code> <em>field-name<\/em> 
<em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>ipv6<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.\u00a0\u00a0Conversion to type <code>ipv6<\/code> is automatic.<\/li>\n<li><code>snmpoid_field<\/code> <em>field-name<\/em> <em>xpath-expression<\/em>: declares a new field <code>.idmef.<\/code><em>field-name<\/em>, of type <code>snmpoid<\/code>, which will be read from the node selected by the <a href=\"https:\/\/fr.wikipedia.org\/wiki\/XPath\">XPath<\/a> expression <em>xpath-expression<\/em>.\u00a0\u00a0Conversion to type <code>snmpoid<\/code> is automatic.<\/li>\n<\/ul>\n<h3>Configuration options &#8211; reports<\/h3>\n<p>IDMEF reports can be built and written using the <strong><code>idmef_new_alert<\/code><\/strong> and <strong><code>idmef_write_alert<\/code><\/strong> primitives (see below). \u00a0The following options allow you to set some of the nodes automatically.<\/p>\n<ul>\n<li><code>IDMEFOutputDir<\/code>\u00a0<em>report-directory<\/em>: sets the directory where <strong><code>idmef_write_alert<\/code><\/strong>\u00a0will store the generated IDMEF alerts to\u00a0<em>report-directory<\/em>.<br \/>\nDefault value is\u00a0<code><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=48\">$OCONF<\/a>\/reports<\/code>, which will typically point to <code>\/usr\/local\/var\/orchids\/reports\/<\/code>.<\/li>\n<li><code>AnalyzerId<\/code>\u00a0<em>id<\/em>: sets the <code>analyzerid<\/code> property of the <code>Analyzer<\/code> node in the generated IDMEF alert to\u00a0<em>id<\/em>.<br \/>\nDefault value is <code>42<\/code>.<\/li>\n<li><code>AnalyzerName<\/code> <em>analyzer-name<\/em>: sets the <code>name<\/code> property of the <code>Analyzer<\/code> node in the generated IDMEF alert to\u00a0<em>analyzer-name<\/em>.<br \/>\nDefault value is 
<code>orchids<\/code>.<\/li>\n<li><code>AnalyzerNodeName<\/code> <em>string<\/em>: sets the value of the <code>Analyzer\/Node\/name<\/code> node\u00a0in the generated IDMEF alert to\u00a0<em>string<\/em>.<br \/>\nDefault value is <code>\"orchids.lsv.ens-paris-saclay.fr\"<\/code>.<\/li>\n<li><code>AnalyzerNodeLocation<\/code> <em>string<\/em>: sets the value of the <code>Analyzer\/Node\/location<\/code> node\u00a0in the generated IDMEF alert to\u00a0<em>string<\/em>.<br \/>\nDefault value is <code>\"LSV ENS Paris-Saclay\"<\/code>, which you are encouraged to modify.<\/li>\n<li><code>AnalyzerNodeAddress<\/code> <em>string<\/em>: sets the value of the <code>Analyzer\/Node\/Address\/address<\/code>\u00a0\u00a0node\u00a0in the generated IDMEF alert to\u00a0<em>string<\/em>. \u00a0It also sets the property <code>category<\/code>\u00a0of that same node to <code>ipv4-addr<\/code>.<br \/>\nDefault value is <code>\"42.42.42.42\"<\/code>, but that should of course be modified.<\/li>\n<\/ul>\n<h3>Primitives<\/h3>\n<ul>\n<li><strong><code>idmef_new_alert<\/code><\/strong> : \u2192 <code>xmldoc<\/code><br \/>\ncreates a new <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> document<\/li>\n<li><strong><code>idmef_write_alert<\/code><\/strong> : <code>xmldoc<\/code> \u2192 <code>int<\/code><br \/>\nwrites the given <a href=\"https:\/\/www.ietf.org\/rfc\/rfc4765.txt\">IDMEF<\/a> document into the Orchids report directory (typically <code>\/usr\/local\/var\/orchids\/reports\/<\/code>)\n<ul>\n<li>the file name is <em>report-directory<\/em><code>\/report-<\/code><em>secs<\/em><code>-<\/code><em>msecs<\/em><code>.xml<\/code>, where <em>secs<\/em> and <em>msecs<\/em> are the seconds and microseconds parts of the current time, each written as 8 hexadecimal digits<\/li>\n<li>returns: 1 (true) if all went well, 0 (false) otherwise<br \/>\npossible causes of error: the reports directory is not set, or there was not enough space left on the device<\/li>\n<\/ul>\n<\/li>\n<li>Setting values 
and attributes is done by using the primitives provided by the <a title=\"The xml module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=362\"><code>xml<\/code><\/a> module (<code>xml_set_str<\/code>, <code>xml_set_prop<\/code>)<\/li>\n<\/ul>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-327","page","type-page","status-publish","hentry"]}