{"id":331,"date":"2015-02-22T18:51:55","date_gmt":"2015-02-22T18:51:55","guid":{"rendered":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=331"},"modified":"2017-11-25T17:08:53","modified_gmt":"2017-11-25T17:08:53","slug":"the-iodef-module","status":"publish","type":"page","link":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=331","title":{"rendered":"The iodef module"},"content":{"rendered":"<p>The <code>iodef<\/code> module is an <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=656\">extension module<\/a>, which allows Orchids to produce alerts in the <a href=\"https:\/\/www.ietf.org\/rfc\/rfc5070.txt\">IODEF<\/a>\u00a0format (Incident Object Description Exchange Format).<\/p>\n<h3>Configuration options<\/h3>\n<p><code>&lt;module iodef&gt;<\/code><\/p>\n<ul>\n<li><code>IODEFTemplatesDir<\/code> <em>templates-dir<\/em>: instructs Orchids that it should look for IODEF reporting templates in the\u00a0<em>templates-dir<\/em>\u00a0directory. 
\u00a0See below for reporting.<br \/>\nDefault value is\u00a0<code><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=48\">$OCONF<\/a>\/iodef<\/code>.<\/li>\n<li><code>IODEFOutputDir<\/code> <i>output-dir<\/i>: instructs Orchids that IODEF reports should go into the <em>output-dir<\/em> directory.<br \/>\nDefault value is <code><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=48\">$OCONF<\/a>\/reports<\/code>.<\/li>\n<li><code>CSIRTName<\/code>\u00a0<i>string<\/i>: sets the name of the\u00a0Computer Security Incident Response Team (CSIRT) to use in the <code>name<\/code> property of the <code>Incident\/IncidentID<\/code> node of the IODEF XML report.<br \/>\nDefault value is <code>\"Orchids.LSV\"<\/code>, although that is not a CSIRT.<\/li>\n<\/ul>\n<p><code>&lt;\/module&gt;<\/code><\/p>\n<h3>Reporting<\/h3>\n<p>Although the <code>iodef<\/code> module provides a few primitives to create and write IODEF reports, the recommended way to use the <code>iodef<\/code> module is\u00a0to use the <code>report()<\/code> <a title=\"Primitives\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=246\">primitive<\/a>.<\/p>\n<p>Here is how it works. Imagine you are currently running the OrchIDS code of rule <code>pid_tracker<\/code>. (This is in file <code><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=48\">$OCONF<\/a>\/rules\/pid_tracker_auditd.rule<\/code>.) On finding an attack, this rule will enter the following state, named <code>alert<\/code>:<\/p>\n<pre>state alert!\r\n  {\r\n    $str = \"Attack perpetrated by $uid=\" + str_from_int($uid);\r\n    report();\r\n  }\r\n<\/pre>\n<p>The <code>report()<\/code> primitive will generate reports according to different formats. 
If the <code>iodef<\/code> module is loaded, IODEF will be one of these formats, and a report will be generated, as file <em>report-dir<\/em><code>\/report-<\/code><em>secs<\/em><code>-<\/code><em>msecs<\/em><code>.xml<\/code>, where <em>secs<\/em> and <em>msecs<\/em> are the current time, split into seconds and microseconds, as 8 hexadecimal digits. The <em>report-dir<\/em>\u00a0directory is given as argument to the <code>IODEFOutputDir<\/code> configuration directive.<\/p>\n<p>The report itself is generated from a <em>template file<\/em>. The IODEF module takes the name <em>rule<\/em> of the current rule (here, <code>pid_tracker<\/code>), and looks for a template file in the <code><a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=48\">$OCONF<\/a>\/iodef\/<\/code> directory, of name <em>rule<\/em><code>.iodef<\/code>. In our example, it will find <code>pid_tracker.iodef<\/code>, which contains the following template:<\/p>\n<pre>&lt;?xml version=\"1.0\"?&gt;\r\n&lt;IODEF-Template&gt;\r\n  &lt;insert path=\"\/*\/iodef:Incident\"&gt;\r\n    &lt;Description&gt;PID Tracker alert&lt;\/Description&gt;\r\n    &lt;Description&gt;$str&lt;\/Description&gt;\r\n    &lt;Assessment&gt;\r\n      &lt;Impact type=\"policy\" completion=\"succeeded\"\/&gt;\r\n    &lt;\/Assessment&gt;\r\n    &lt;Contact role=\"creator\" type=\"organization\"&gt;\r\n      &lt;ContactName&gt;Orchids&lt;\/ContactName&gt;\r\n      &lt;Email&gt;orchids@lsv.ens-paris-saclay.fr&lt;\/Email&gt;\r\n    &lt;\/Contact&gt;\r\n  &lt;\/insert&gt;\r\n&lt;\/IODEF-Template&gt;\r\n<\/pre>\n<p>The report is then constructed by replacing all XML nodes that contain an OrchIDS variable name by its value. 
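<\/p>
<p>To make the template mechanism concrete, here is an added example in Python (written for this page; it is neither Orchids' code nor the <code>iodef<\/code> module's implementation) that expands the <code>pid_tracker.iodef<\/code> template above into an IODEF document and derives the report file name. Everything beyond what the page states is an assumption of the example: the <code>IODEF-Document\/Incident\/IncidentID<\/code> skeleton into which the fragments are inserted and its <code>version<\/code> and <code>purpose<\/code> attributes, the mapping of the template's <code>\/*\/iodef:Incident<\/code> path onto an ElementTree relative path, placing the inserted nodes in the IODEF namespace, the helper names (<code>build_report<\/code>, <code>report_file_name<\/code>, <code>description_texts<\/code>), and the sample values of <code>$uid<\/code> and <code>$str<\/code>.<\/p>

```python
import copy
import xml.etree.ElementTree as ET

# RFC 5070 namespace; registered so serialised reports use the iodef: prefix.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)

# Constructed input: the pid_tracker.iodef template shown on this page.
PID_TRACKER_TEMPLATE = """<?xml version="1.0"?>
<IODEF-Template>
  <insert path="/*/iodef:Incident">
    <Description>PID Tracker alert</Description>
    <Description>$str</Description>
    <Assessment>
      <Impact type="policy" completion="succeeded"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Orchids</ContactName>
      <Email>orchids@lsv.ens-paris-saclay.fr</Email>
    </Contact>
  </insert>
</IODEF-Template>
"""

def new_skeleton(csirt_name, incident_id):
    """Assumed skeleton the fragments are inserted into: IODEF-Document /
    Incident / IncidentID, with the CSIRTName value in IncidentID's name."""
    doc = ET.Element(f"{{{IODEF_NS}}}IODEF-Document", {"version": "1.00"})
    incident = ET.SubElement(doc, f"{{{IODEF_NS}}}Incident", {"purpose": "reporting"})
    iid = ET.SubElement(incident, f"{{{IODEF_NS}}}IncidentID", {"name": csirt_name})
    iid.text = incident_id
    return doc

def substitute_variables(fragment, variables):
    """Replace every node whose text is an OrchIDS variable name ($name) by the
    variable's value. The value becomes element text, so ElementTree escapes any
    <, > or & in it: an event-derived string cannot add nodes to the report."""
    for el in fragment.iter():
        text = (el.text or "").strip()
        if text.startswith("$"):
            name = text[1:]
            if name not in variables:
                raise KeyError(f"template refers to unbound variable ${name}")
            el.text = str(variables[name])

def qualify(fragment):
    """Move the namespace-less template nodes into the IODEF namespace (an
    assumption of this example so the output is IODEF; the page does not say)."""
    for el in fragment.iter():
        if not el.tag.startswith("{"):
            el.tag = f"{{{IODEF_NS}}}{el.tag}"

def expand_template(template_xml, root, variables):
    """For each <insert path=...>: substitute variables in its children and append
    a copy of them under every node the path selects. The template's absolute
    XPath /*/iodef:Incident is mapped onto an ElementTree path relative to root
    (/* being the document element); other path forms are rejected."""
    template = ET.fromstring(template_xml)
    for insert in template.findall("insert"):
        path = insert.get("path")
        if not path.startswith("/*/"):
            raise ValueError(f"unsupported insert path: {path}")
        targets = root.findall(path[3:], {"iodef": IODEF_NS})
        if not targets:
            raise ValueError(f"insert path selects nothing: {path}")
        for target in targets:
            for child in insert:
                node = copy.deepcopy(child)
                substitute_variables(node, variables)
                qualify(node)
                target.append(node)
    return root

def build_report(template_xml, variables, csirt_name="Orchids.LSV", incident_id="1"):
    """Model of what report() does for the IODEF format: expand the current
    rule's template into a fresh skeleton and serialise the result."""
    root = expand_template(template_xml, new_skeleton(csirt_name, incident_id), variables)
    return ET.tostring(root, encoding="unicode")

def report_file_name(report_dir, secs, usecs):
    """report-<secs>-<msecs>.xml: seconds and microseconds, 8 hex digits each."""
    return f"{report_dir}/report-{secs:08x}-{usecs:08x}.xml"

def description_texts(report_xml):
    """Parse a generated report back and return its Description texts, which is
    how to check that escaping survived the round trip."""
    root = ET.fromstring(report_xml)
    return [d.text for d in root.iter(f"{{{IODEF_NS}}}Description")]

if __name__ == "__main__":
    uid = 1000  # constructed; the alert state above builds $str from $uid
    variables = {"uid": uid, "str": "Attack perpetrated by $uid=" + str(uid)}
    print(report_file_name("/usr/local/var/orchids/reports", 1424631115, 500000))
    print(build_report(PID_TRACKER_TEMPLATE, variables))
```

<p>Running the block prints the file name <code>report-54ea254b-0007a120.xml<\/code> for the constructed time stamp and the expanded document. Because substituted values are assigned as element text, a hostile value such as <code>&lt;\/Description&gt;&lt;Evil\/&gt;<\/code> comes out escaped rather than as new elements; feeding such a value through a rule and inspecting the file the real module writes is the check worth making before an IODEF consumer is pointed at <code>IODEFOutputDir<\/code>.<\/p>
<p>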
In the <code>pid_tracker<\/code> template, the second <code>Description<\/code> node will be filled in by a message of the form <code>\"Attack perpetrated by $uid=<\/code><em>uid<\/em><code>\"<\/code>, where <em>uid<\/em> is the value of the OrchIDS variable <code>$uid<\/code>. Whatever a rule stores in its variables ends up in the report, so strings copied from event data (user names, file names, command lines) are forwarded to the CSIRT; check that a report built from such values is still well-formed XML before handing the output directory to an IODEF consumer.<\/p>\n<h3>Primitives<\/h3>\n<ul>\n<li><strong><code>iodef_new_report<\/code><\/strong> : <code>str<\/code> \u2192 <code>xmldoc<\/code><br \/>\ncreate a new IODEF report from the template file given as argument\n<ul>\n<li>the template file will be read in, parsed as an XML document, and all XML nodes containing the name of an OrchIDS variable will be replaced by the value of that variable<\/li>\n<li>returns: the new report (an <code>xmldoc<\/code>) if all went well, 0 (false) otherwise; test the result before passing it to <code>iodef_write_report<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li><strong><code>iodef_write_report<\/code><\/strong> : <code>xmldoc<\/code> \u2192 <code>int<\/code><br \/>\nwrite the given IODEF report into the Orchids report directory, i.e. the directory set by <code>IODEFOutputDir<\/code> (typically <code>\/usr\/local\/var\/orchids\/reports\/<\/code>)\n<ul>\n<li>file name is <em>report-directory<\/em><code>\/report-<\/code><em>secs<\/em><code>-<\/code><em>msecs<\/em><code>.xml<\/code>, where <em>secs<\/em> and <em>msecs<\/em> are the current time, split into seconds and microseconds (despite the name, <em>msecs<\/em> holds microseconds), each written as 8 hexadecimal digits<\/li>\n<li>returns: 1 (true) if all went well, 0 (false) otherwise<br \/>\nthe causes of error can be: the reports directory is not set, or there was not enough space left on the device<\/li>\n<\/ul>\n<\/li>\n<li>Setting additional values and attributes is done by using the primitives provided by the <a title=\"The xml module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=362\"><code>xml<\/code><\/a> module (<code>xml_set_str<\/code>, <code>xml_set_prop<\/code>). 
Unlike the <a title=\"The idmef module\" href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=327\"><code>idmef<\/code><\/a> module, the <code>iodef<\/code> module generates its reports from template files: what a rule reports is changed by editing its <em>rule<\/em><code>.iodef<\/code> template in <code>IODEFTemplatesDir<\/code>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The iodef module is an extension module, which allows Orchids to produce alerts in the IODEF\u00a0format (Incident Object Description Exchange Format). Configuration options &lt;module iodef&gt; IODEFTemplatesDir templates-dir: instructs Orchids that it should look for IODEF reporting templates in the\u00a0templates-dir\u00a0directory. \u00a0See below for reporting. Default value is\u00a0$OCONF\/iodef. IODEFOutputDir output-dir: instructs Orchids that IODEF reports should go &hellip; <a href=\"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/?page_id=331\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">The iodef module<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-331","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/331","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=331"}],"version-history":[{"count":9,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/331\/revisions"}],"predecessor-version":[{"id":671,"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=\/wp\/v2\/pages\/331\/revisions\/671"}],"wp:attachment":[{"href":"https:\/\/projects.lsv.ens-paris-saclay.fr\/orchidsdoc\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}