IDMEF is the Intrusion Detection Message Exchange Format.

The idmef module is a module that is at the same time:

• a dissection module, allowing Orchids to parse IDMEF alerts and pick selected nodes as input through XPath expressions
• an extension module, allowing Orchids to produce IDMEF reports.

The idmef module manipulates IDMEF alerts internally as XML objects, which one may explore and modify through the primitives provided by the xml module.

Configuration options – input

First, the options relevant to IDMEF input.  Typically, input will be obtained from the textfile module, or from the .syslog.msg field from the syslog module, written in XML.

• str_field field-name xpath-expression: declares a new field .idmef.field-name, of type str, which will be read from the node selected by the XPath expression xpath-expression.
  Example:

  str_field c_text "/*/idmef:Alert/idmef:Classification/@text"
  str_field c_ident "/*/idmef:Alert/idmef:Classification/@ident"

• bstr_field field-name xpath-expression: declares a new field .idmef.field-name, of type bstr, which will be read from the node selected by the XPath expression xpath-expression.
• int_field field-name xpath-expression: declares a new field .idmef.field-name, of type int, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type int is automatic.
  Example:

  int_field message_id    "/*/idmef:Alert/@messageid"

• uint_field field-name xpath-expression: declares a new field .idmef.field-name, of type uint, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type uint is automatic.
• float_field field-name xpath-expression: declares a new field .idmef.field-name, of type float, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type float is automatic.
• ctime_field field-name xpath-expression: declares a new field .idmef.field-name, of type ctime, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type ctime is automatic.
  Example:

  ctime_field create_time "/*/idmef:Alert/idmef:CreateTime"
  ctime_field detect_time "/*/idmef:Alert/idmef:DetectTime"

• timeval_field field-name xpath-expression: declares a new field .idmef.field-name, of type timeval, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type timeval is automatic.
• ipv4_field field-name xpath-expression: declares a new field .idmef.field-name, of type ipv4, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type ipv4 is automatic.
  Example:

  ipv4_field analyzer_ip "/*/idmef:Alert/idmef:Analyzer/idmef:Node/idmef:Address/idmef:address"

• ipv6_field field-name xpath-expression: declares a new field .idmef.field-name, of type ipv6, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type ipv6 is automatic.
• snmpoid_field field-name xpath-expression: declares a new field .idmef.field-name, of type snmpoid, which will be read from the node selected by the XPath expression xpath-expression.  Conversion to type snmpoid is automatic.

Configuration options – reports

IDMEF reports can be built and written using the idmef_new_alert and idmef_write_alert primitives, see below.  The following options allow you to set some of the nodes automatically.

• IDMEFOutputDir report-directory: defines the output directory where idmef_write_alert will store the generated IDMEF alerts to report-directory.
  Default value is $OCONF/reports, which will typically point to /usr/local/var/orchids/reports/.
• AnalyzerId id: sets the analyzerid property of the Analyzer node in the generated IDMEF alert to id.
  Default value is 42.
• AnalyzerName analyzer-name: sets the name property of the Analyzer node in the generated IDMEF alert to analyzer-name.
  Default value is orchids.
• AnalyzerNodeName string: sets the value of the Analyzer/Node/name node in the generated IDMEF alert to string.
  Default value is "orchids.lsv.fr".
• AnalyzerNodeLocation string: sets the value of the Analyzer/Node/location node in the generated IDMEF alert to string.
  Default value is "LSV ENS Paris-Saclay", which you are encouraged to modify.
• AnalyzerNodeAddress string: sets the value of the Analyzer/Node/Address/address  node in the generated IDMEF alert to string.  It also sets the property category of that same node to ipv4-addr.
  Default value is "42.42.42.42", but that should of course be modified.

Primitives

• idmef_new_alert : → xmldoc
  create a new IDMEF document
• idmef_write_alert : xmldoc → int
  write the given IDMEF document into the Orchids report directory (typically /usr/local/var/orchids/reports/)
  • file name is report-directory/report-secs-msecs.xml, where secs and msecs are the current time, split into seconds and microseconds, as 8 hexadecimal digits
  • returns: 1 (true) if all went well, 0 (false) otherwise
    the causes of error can be: the reports directory is not set, or there was not enough space left on the device
• Setting values and attributes is done by using the primitives provided by the xml module (xml_set_str, xml_set_prop)