IDMEF for dummies, part 3: vocabulary and architecture
By Sebastien Tricaud on Thursday, August 16 2007, 09:40
Before continuing with my IDMEF series, I would like to give you some vocabulary for a better understanding of the standard. Because the vocabulary is important, it has been the subject of ... a standard! This is RFC 4766. If you already know what actions a NIDS can take, where it should sit in a network, and so on, just skip the next two sections and go straight to "IDMEF Vocabulary".
Introduction
To introduce the vocabulary, an attack example, as seen from an IDS point of view, will be walked through.
We take a simple attack architecture, where the target is a SIP proxy that REGISTERs users and allows them to communicate with each other. A regular registration produces a SIP message that looks like this:
REGISTER sip:<frog@example.com> SIP/2.0
Via: SIP/2.0/UDP 192.168.1.1:5060;rport;branch=123456789
From: Croa Croa <sip:frog@example.com>;tag=123456789
To: <sip:frog@example.com>
Call-ID: 000001@192.168.1.1
CSeq: 20 REGISTER
Accept: application/sdp
Content-Length: 0
This is the SIP way of saying "register the user frog@example.com using version 2 of the protocol".
Now, if we change the first line to:
REGISTER sip:<frog@example.com AND 1=(UPDATE voip_users SET password = 'cracked' WHERE sipfrom = 'frog@example.com');> SIP/2.0
With this very simple SQL injection, we can alter the database if the VoIP provider simply inserts the username retrieved by the parser into its database.
And even if you are not vulnerable, you would still like to know about and block potential intruders.
What does your IDS do?
Following the SIP attack example in the introduction, your network IDS will inspect packets and browse its signatures to see whether your data matches one of them. If your IDS can check for SQL syntax inside a SIP message, that will trigger an alert. The alert can in turn be the subject of a countermeasure, an SMS sent to the administrator, or the startup of your coffee machine.
Each of these steps is defined by IDMEF and, as stated previously, is part of a precise vocabulary.
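As an added example (not code from the original post), here is a small Python sensor/analyzer that does what the paragraph describes: it parses the request line of a SIP REGISTER, checks the request URI against a signature for SQL syntax, and emits an IDMEF-style alert as a dictionary. The two SIP messages are constructed here from the post's example; the analyzer id and sensor address are assumed values.

```python
import re

# Constructed inputs: the normal REGISTER from the post, and the same message
# with the SQL fragment placed in the request URI.
BENIGN_REGISTER = (
    "REGISTER sip:<frog@example.com> SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.1:5060;rport;branch=123456789\r\n"
    "From: Croa Croa <sip:frog@example.com>;tag=123456789\r\n"
    "To: <sip:frog@example.com>\r\n"
    "Call-ID: 000001@192.168.1.1\r\n"
    "CSeq: 20 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
INJECTED_REGISTER = BENIGN_REGISTER.replace(
    "sip:<frog@example.com>",
    "sip:<frog@example.com AND 1=(UPDATE voip_users SET password = 'cracked' "
    "WHERE sipfrom = 'frog@example.com');>", 1)

# Signature: an SQL statement keyword, or an "AND n=" conjunction, inside a SIP URI.
SQL_IN_URI = re.compile(
    r"\b(?:UPDATE|INSERT|DELETE|SELECT|DROP|UNION)\b|\bAND\s+\d+\s*=", re.I)
VIA_ADDR = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([\d.]+):(\d+)", re.M)

def parse_request_line(msg):
    """Split the first line of a SIP request into (method, request-URI).
    The version is the last space-separated token, so a URI that itself
    contains spaces (as the injected one does) is still recovered whole."""
    first_line = msg.split("\r\n", 1)[0]
    method, rest = first_line.split(" ", 1)
    uri, _version = rest.rsplit(" ", 1)
    return method, uri

def analyze(msg, sensor_addr):
    """Sensor + analyzer: return an IDMEF-style alert (as a dict) when the
    signature matches the request URI, or None when the activity is benign."""
    method, uri = parse_request_line(msg)
    hit = SQL_IN_URI.search(uri)
    if hit is None:
        return None
    via = VIA_ADDR.search(msg)  # the Source is taken from the top Via header
    return {
        "Analyzer": {"analyzerid": "sip-sensor-01", "address": sensor_addr},  # assumed id
        "Classification": {"text": "SQL syntax in SIP %s request URI" % method},
        "Source": {"address": via.group(1) if via else None,
                   "port": int(via.group(2)) if via else None},
        "Target": {"service": "sip", "port": 5060},
        "AdditionalData": {"matched": hit.group(0), "request_uri": uri},
    }

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_REGISTER), ("injected", INJECTED_REGISTER)):
        print(name, "->", analyze(msg, "10.0.0.2"))
```

The benign message yields no alert, while the injected one produces an alert whose Source is the address carried in the Via header.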
IDMEF Vocabulary
Activity
Information emitted by the data source to a sensor, for the attention of the operator. It can range from an unimportant event, such as the successful login of an authorized user, to the exploitation of a discovered vulnerability. It may not result in an IDMEF alert.
Administrator
Designer of the internal security policies, responsible for the good health of the machines and the network. Conceptually, the administrator is not the operator; in practice, however, the administrator usually also works as the operator.
Data Source
Where the activity is discovered. It can be packet payloads in the case of a NIDS, system logs, security policy compliance checks, etc.
Event
The activity that successfully matches a given sensor criterion and is passed to the analyzer for further analysis. In practice, the event is analyzed by the sensor and forwarded to the manager, which then sends an IDMEF alert.
IDS
Intrusion detection system. Some combination of one or more of the following components: sensor, analyzer, manager.
Manager
Manages sensors (alerts and heartbeats) and is responsible for the following: sensor registration and configuration, analyzer registration and configuration, event notification management, data consolidation, and reporting.
Notification
The way the operator is informed about a certain attack instantaneously. That can be an SMS, a popup on their desktop, etc.
Operator
The user of the IDS manager.
Response
What is done with IDMEF alerts. It can be an event notification, storage of the activity in a database for later review, or a countermeasure pushed to a network device.
Sensor
Forwards the events derived from an activity to the manager.
Signature
Pattern of intrusion that triggers the analyzer when an event is received.
Security Policy
Defines the organization's requirements for its network activity.
Vocabulary architecture
To give a clear picture of all this vocabulary:

Please note that this is an abstract view. Most IDSs do everything in a single place. However, this vocabulary architecture looks strangely like the architecture of Prelude IDS, the free-software hybrid IDS.