Incident Object Description Exchange Format
 | This article needs additional citations for verification. (May 2016) |
 | This article includes a list of references, related reading, or external links, but its sources remain unclear because it lacks inline citations. (July 2024) |
Used for computer security, IODEF (Incident Object Description Exchange Format) is a data format which is used to describe computer security information for the purpose of exchange between Computer Security Incident Response Teams (CSIRTs).
IODEF messages are organized in a human-readable way, and not a machine format. Details of the format are described in RFC 5070 and updated in RFC 6685. Version 2 of the format is defined in RFC 7970, which supersedes the previous version. This RFC presents an implementation of the data model in XML as well as the associated DTD. Further implementation guidance for IODEF v2 is defined in RFC 8274.
One of the main characteristics of IODEF is its compatibility with the IDMEF Intrusion Detection Message Exchange Format developed for intrusion detection systems. For this reason, IODEF is heavily based on IDMEF and provides backward compatibility with it.
Format
IODEF is an object-oriented structured format, composed of 47 classes in the first version. The IODEF and IDMEF formats having a lot in common: the field structure is similar to the IDMEF one and it is an extensible format: in addition to the usual Additional Data Class, which allow adding any information relevant to the IODEF message, most enumerations are provided with an "ext" field. This field is used when none of the proposed choices are fitting.
Here is a list of the main fields:
| Field name | Number of fields | Description |
|---|---|---|
| IncidentID | 1 | An incident identification number assigned to this incident by the CSIRT who creates the IODEF document. |
| AlternativeID | 0 or 1 | The incidents ID numbers used by other CSIRTs to refer to the incident described in the document. |
| RelatedActivity | 0 or 1 | The ID numbers of the incidents linked to the one described in this document. |
| DetectTime | 0 or 1 | Time at which the incident was detected for the first time. |
| StartTime | 0 or 1 | Time at which the incident started. |
| EndTime | 0 or 1 | Time at which the incident ended. |
| ReportTime | 1 | Time at which the incident was reported. |
| Description | 0 or more | (ML_STRING) A non-formatted textual description of the event.
|
| Assessment | 0 or more | A characterization of the incident impact. |
| Method | 0 or more | Techniques used by the intruder during the incident. |
| Contact | 0 or more | Contact information for the groups involved in the incident. |
| EventData | 0 or more | Description of the events involving the incident. |
| History | 0 or more | A log, of the events or the notable actions which took place during the incident management. |
| AdditionalData | 0 or more | Mechanism which extends the data model. |
Software using IODEF
- Prelude SIEM
- IODEFLIB : Python library to create, parse and edit cyber incident reports using the IODEF XML format (RFC 5070)
- RT-IODEF : Perl module for translating RT tickets to IODEF messages and also maps IODEF to RT’s Custom Fields based on their description tag
- Mantis IODEF Importer : An IODEF (v1.0) importer for the Mantis Cyber Threat Intelligence Mgmt. Framework
- ArcSight-IODEF-Perl : A perl module to convert arcsight xml to a standardized iodef message
- IODEF Implementations
- IODEF DBI
- IODEF Pb : This library maps IODEF (RFC 5070) to the google protocol buffer serialization library.
- XML :: IODEF – A perl module for easily creating/parsing IODEF Documents
- Stix output formatter for : Iodef::Pb::Simple
- Library for parsing IODEF in PHP
External links
- RFC 5070 – The Incident Object Description Exchange Format (IODEF)
- RFC 6685 – Expert Review for Incident Object Description Exchange Format (IODEF) Extensions in IANA XML Registry
- RFC 7203 – An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information
- RFC 7970 – The Incident Object Description Exchange Format Version 2
- RFC 8274 – Incident Object Description Exchange Format Usage Guidance
Content Disclaimer
Informasi ini disarikan dari Wikipedia dan disajikan kembali untuk tujuan edukasi. Konten tersedia di bawah lisensi CC BY-SA 3.0. Kami tidak bertanggung jawab atas ketidakakuratan data yang bersumber dari kontribusi publik tersebut.
- The information displayed on this website is sourced in part or in whole from Wikipedia and has been adapted for the purpose of restating it. We strive to provide accurate and relevant information, however:
- There is no guarantee of absolute accuracy. Wikipedia is an open, collaborative project that can be edited by anyone, so information is subject to change.
- It is not intended to constitute professional advice. The content displayed is for informational and educational purposes only. For important decisions (e.g., medical, legal, or financial), please consult a professional.
- Content copyright. Wikipedia is licensed under the Creative Commons Attribution-ShareAlike License (CC BY-SA). This means that content may be reused with appropriate attribution and shared under a similar license.
- Responsible use. Any risk arising from the use of information from this website is entirely the responsibility of the user.