One document matched: draft-glenn-id-notification-mib-02.txt
Differences from draft-glenn-id-notification-mib-01.txt
ID Message Exchange Format Working Group Glenn Mansfield
INTERNET-DRAFT Cyber Solutions Inc.
draft-glenn-id-notification-mib-02.txt Dipankar Gupta
Hewlett Packard Company
January 29, 2000
Intrusion Detection Message MIB
<draft-glenn-id-notification-mib-02.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet Drafts are working documents of the Internet Engineering
Task Force (IETF), its Areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet- Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it defines the contents of messages that will be
exchanged among intrusion detection systems when an intrusion is
detetcted.
Expires: July 28, 2000 [Page 1]
Internet Draft January 29, 2000
Table of Contents
1. The SNMP Network Management Framework ......................... 3
2. The Intrusion Detection Message Exchange Model ................ 4
3. MIB Model for ID Message Exchanges ............................ 5
4. MIB design .................................................... 6
5. The Intrusion Detection Message MIB ........................... 7
6. Intellectual Property .........................................31
7. Acknowledgements ..............................................31
8. References ....................................................32
Security Considerations ...........................................34
Authors' Addresses ................................................35
Full Copyright Statement ..........................................36
Expires: July 28, 2000 [Page 2]
Internet Draft January 29, 2000
1. The SNMP Management Framework
The SNMP Management Framework presently consists of five major
components:
o An overall architecture, described in RFC 2571 [RFC2571].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in
STD 16, RFC 1155 [RFC1155], STD 16, RFC 1212 [RFC1212] and RFC
1215 [RFC1215]. The second version, called SMIv2, is described
in STD 58, RFC 2578 [RFC2578], RFC 2579 [RFC2579] and RFC 2580
[RFC2580].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in STD 15, RFC 1157 [RFC1157]. A second version of the
SNMP message protocol, which is not an Internet standards track
protocol, is called SNMPv2c and described in RFC 1901 [RFC1901]
and RFC 1906 [RFC1906]. The third version of the message
protocol is called SNMPv3 and described in RFC 1906 [RFC1906],
RFC 2572 [RFC2572] and RFC 2574 [RFC2574].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in STD 15, RFC 1157 [RFC1157]. A second set of
protocol operations and associated PDU formats is described in
RFC 1905 [RFC1905].
o A set of fundamental applications described in RFC 2573
[RFC2573] and the view-based access control mechanism described
in RFC 2575 [RFC2575].
A more detailed introduction to the current SNMP Management Framework
can be found in RFC 2570 [RFC2570].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
Expires: July 28, 2000 [Page 3]
Internet Draft January 29, 2000
readable information is not considered to change the semantics of the
MIB.
2. The Intrusion detection model.
An Intrusion Detection system (ID1) generally comprises an
Analyzer which scans Data Sources for signs of intrusions. When
it detects a sign or a signature an event occurs and the analyzer
then sends a Message or Alert to the Manager(s). Managers in turn
may exchange Messages or Alerts for cooperative or collaborative
purposes.
ID Message Exchange Model
=========================
.............................................................
ID1 :
:
+------------+------------+ +----------------+ :
| | | | | :
| | |Message | | :
| DataSource | Analyzer |---------->| Manager | :
| | ..........|Alert | | :
| | : Event | | | :
+------------+------------+ +--------X-------+ :
ID1 | :
Message/| ID2 :
Alert | :
| :
| :
+--------X-------+ :
| | :
| | :
| Manager | :
| | :
| | :
+----------------+ :
Expires: July 28, 2000 [Page 4]
Internet Draft January 29, 2000
3. MIB Model for ID Message Exchanges.
In Intrusion detection and management, the communication between the
different components of the system will essentially be event based.
Presumably, some components (analysers or agents) will be assigned
the tasks for watching some data-sources and looking out for signs of
(attepmpted) intrusions or attacks. In case any such sign is detected
it is brought to the notice of the Manager. The Manager will then
take the appropriate action which may involve relaying the
notification and/or carrying out further investigation by talking to
peers, higher level managers and/or the entity that originated the
notification.
The investigation carried out by the manager will possibly involve
getting
o more information on some of the fields that are
present in the messages from the agents. [Maybe using Http,
ftp ]
o more host-related information on the circumstances under which
the intrusion/attack was detected - this may involve fetching
further information from the various MIBs of the entity that
originated the notification.
o more network-related information on the circumstances under
which the intrusion/attack was detected - this may involve
fetching further information from the various MIBs of the
relevant network entities in the network
The notification to the manager will take the form of an inform-
request. There may be several types of notifications. The constraint
on a notification is its size. It is desirable that the packet
carrying the notification is not fragmented at the IP level.
The MIB defined in this document covers the portion which is
specific to the Intrusion Detection Message itself. The other
components of information that may be of relevance to the
investigation will probably be found in the various MIBs defined. If
they are absent then newer MIBs will have to be defined.
Expires: July 28, 2000 [Page 5]
Internet Draft January 29, 2000
4. MIB design.
The basic principle has been to keep the MIB as simple as possible.
The generic requirements on the message are
o ID messages should contain the minimum information required
by the manager to assess the situation correctly and to take
appropriate defensive or investigative steps.
o ID messages, if carried in UDP datagrams, should not be
too large as to require IP fragmentation. Moreover if the SNMP
protocol is being used, some managers may not accept SNMP-PDUs
that are larger than 484 bytes. Over other transports this
problem may not be encountered.
The MIB comprises of two parts, the idMesageObjects and idMessages
described below.
o The idMessageObjects subtree defines the objects that are used
in the notifications. This contains objects of three categories
(i) Objects pertaining to the message originator
(ii) A table in which each row represents details pertaining
to a message
(iii)Supplementary tables
- idMessageSrcDetailsTable which contains details
of the source(s) of the attack
- idMessageDstDetailsTable which contains details
of the destinations of the attack
- idMessageSrcPortTable containing details of the
ports of the source from which the attack
originated
- idMessageDstPortTable containing details of the
ports at the destination that have been targeted
in the attack.
o The idMessages subtree defines the actual messages.
Expires: July 28, 2000 [Page 6]
Internet Draft January 29, 2000
5. The Intrusion Detection Message MIB.
INTRUSION-DETECTION-MESSAGE-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, Counter32, Gauge32, OBJECT-TYPE
mib-2 FROM SNMPv2-SMI
DateAndTime, TimeStamp
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
SnmpEngineID, SnmpAdminString
FROM SNMP-FRAMEWORK-MIB
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
URLString
FROM NETWORK-SERVICES-MIB;
idMIB MODULE-IDENTITY
LAST-UPDATED "200001250000Z" -- 25th January 2000
ORGANIZATION "IETF Intrusion Detection Message Exchange Format
Working Group"
CONTACT-INFO
" Glenn Mansfield
Postal: Cyber Solutions Inc.
6-6-3, Minami Yoshinari
Aoba-ku, Sendai, Japan 989-3204.
Tel: +81-22-303-4012
Fax: +81-22-303-4015
E-mail: glenn@cysols.com
Dipankar Gupta
Postal: Hewlett Packard Company
690 East Middlefield Road, MS 31R
Mountain View California 94043.
Tel: +1-650-919-8066
Fax: +1-650-919-8540
E-mail: dipankar_gupta@hp.com
Working Group E-mail: idwg-public@zurich.ibm.com
To subscribe: idwg-public-request@zurich.ibm.com"
DESCRIPTION
" The MIB for Intrusion Detection Messages."
Expires: July 28, 2000 [Page 7]
Internet Draft January 29, 2000
-- revision information
REVISION "9911070000Z" -- 25th January 2000
DESCRIPTION "1. Added the tables for details at the source
end and destination end of the attack
2. Added tables for containing the source and
destination information in case of multiple
attacks"
REVISION "9910230000Z" -- 23rd October 1999
DESCRIPTION "1. fixed a few nits in the MODULE-INDENTITY
2. put the mib under the mib-2 tree
3. editorial changes"
REVISION "9908250000Z" -- 25th August 1999
DESCRIPTION "First draft of the idMIB"
::= { mib-2 xxx } -- to be assigned by IANA
idMessageObjects OBJECT-IDENTITY
STATUS current
DESCRIPTION
" This is the base object for the objects used in the
notifications."
::= {idMIB 1}
idMessages OBJECT-IDENTITY
STATUS current
DESCRIPTION
" This is the base object for the objects defining the
notifications."
::= {idMIB 2}
idMessageSysAddress OBJECT-TYPE
SYNTAX SnmpEngineID
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An address associated with the message. This will be the
engineID of the generator of the message. The first bit
will be 1 and the syntax will be in accordance with the
syntax specified in RFC 2571."
::= {idMessageObjects 1}
idMessageSysProductID OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
ACCESS read-only
STATUS mandatory
DESCRIPTION
Expires: July 28, 2000 [Page 8]
Internet Draft January 29, 2000
"A reference to MIB definitions specific to the
analyzer generating the message. If this information
is not present, its value should be set to the OBJECT
IDENTIFIER { 0 0 }, which is a syntatically valid
object identifier."
::= { idMessageObjects 2 }
-- SnmpAdminString length is 255 characters max. It contains
-- information represented using the ISO/IEC IS 10646-1
-- character set, encoded using the UTF-8 transformation format
-- to facilitate internationalization.
idMessageSysManufacturer OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" the Manufacturer of the tool that detected the event."
::= {idMessageObjects 3}
idMessageSysProductName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" the name of the product that detected the event."
::= {idMessageObjects 4}
idMessageSysVersion OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" the version number of the tool that detected the event."
::= {idMessageObjects 5}
idMessageSysLocation OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" the location of the analyzer that detected the event."
::= {idMessageObjects 6}
idMessageTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdMessageEntry
MAX-ACCESS not-accessible
STATUS current
Expires: July 28, 2000 [Page 9]
Internet Draft January 29, 2000
DESCRIPTION
" Each row of this table contains information
pertaining to each message. "
::= { idMessageObjects 7 }
idMessageEntry OBJECT-TYPE
SYNTAX IdMessageEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Entry containing information pertaining to each
message type."
INDEX { idMessageIndex}
::= { idMessageTable 1 }
IdMessageEntry ::= SEQUENCE {
idMessageIndex
INTEGER,
idMessageTimeStamp
DateAndTime,
idMessageAttackName
SnmpAdminString
idMessageDetectionMethod
SnmpAdminString
idMessageActionsTaken
SnmpAdminString,
idMessagePotentialImpact
INTEGER,
idMessageSignature
SnmpAdminString
idMessageMoreInfo
OBJECT IDENTIFIER
idMessageAdvisory
URLString
idMessageDegreeOfConfidence
INTEGER
idMessageAttackToolName
SNMPAdminString
idMessageAttackProtocol
OBJECT IDENTIFIER
idMessageVulnerabilityName OBJECT-TYPE
SNMPAdminString
idMessageSrcs
INTEGER
idMessageDsts
INTEGER
}
Expires: July 28, 2000 [Page 10]
Internet Draft January 29, 2000
idMessageIndex OBJECT-TYPE
SYNTAX INTEGER (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The index to uniquely identify the message in the
message table maintained by the message generator."
::= {idMessageEntry 1}
idMessageTimeStamp OBJECT-TYPE
SYNTAX DateAndTime
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The local date and time when this message was generated."
::= {idMessageEntry 2}
idMessageAttackName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" the name of the atack, if known. If not known this field
will be inaccessile."
::= {idMessageEntry 3}
idMessageDetectionMethod OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" the name of the method used to detect the ID, if known.
If not known this field will be inaccessile."
::= {idMessageEntry 4}
-- the actions will probably be a comma separated list of action
-- codes or a pointer to another MIB table from which the actions
-- may be fetched.
--
-- May be better to put this object as a secondary Object
idMessageActionsTaken OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The list of automatic actions taken by the originator"
::= {idMessageEntry 5}
Expires: July 28, 2000 [Page 11]
Internet Draft January 29, 2000
-- the potential impact taxonomy will need be carried out and
-- then the MO will need to be enumerated.
idMessagePotentialImpact OBJECT-TYPE
SYNTAX INTEGER {
VeryVerySerious(1),
VerySerious(2),
Serious(3),
Others(4),
etc(5)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" An indication of the potentiall impact of the detected
attack/intrusion"
::= {idMessageEntry 6}
--
-- relation between Signature and Method needs to be clarified
--
idMessageSignature OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The description of the signature based on which the
attack is detected"
::= {idMessageEntry 7}
-- Do the following need to be in the primary set ?
-- Probably secondary will be better
--
idMessageMoreInfo OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
ACCESS read-only
STATUS mandatory
DESCRIPTION
"A reference to MIB definitions specific to this
message. If this information is not
present, its value should be set to the OBJECT
IDENTIFIER { 0 0 }, which is a syntatically valid
object identifier."
::= { idMessageEntry 8}
-- Only one advisory is provisioned for
idMessageAdvisory OBJECT-TYPE
Expires: July 28, 2000 [Page 12]
Internet Draft January 29, 2000
SYNTAX URLString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" URL of the related advisory, if any"
::= {idMessageEntry 9}
-- semantics of "degree of confidence needs to be well defined
-- what happens when the message is not generated - just relayed?
idMessageDegreeOfConfidence OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" A measure of the degree of confidence the originator
has on the report it is generating"
::= {idMessageEntry 10}
-- there may be many names or potential names of the tool used
-- in the attack
idMessageAttackToolName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The name of the tool that was used in the attack"
::= {idMessageEntry 11}
idMessageAttackProtocol OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The protocol that is the base or the target of the attack.
It will be one of the IANA assigned protocol IDs"
::= {idMessageEntry 12}
idMessageVulnerabilityName OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The well known name of the vulnerability."
REFERENCE "Refer to the CVE recommendations "
::= {idMessageEntry 13}
idMessageSrcs OBJECT-TYPE
SYNTAX INTEGER
Expires: July 28, 2000 [Page 13]
Internet Draft January 29, 2000
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of source(s) from which the attack is being
launched."
::= {idMessageDstEntry 14}
idMessageDsts OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The number of destinations being targeted for the attack "
::= {idMessageDstEntry 15}
-- This table contains the information related to source end(s) of
-- the attack. In case of a network-based attack there will be
-- atleast one entry for the attack in this table.
--
idMessageSrcDetailsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdMessageSrcEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Each row of this table contains information
pertaining to the source related details of each
attack. "
::= { idMessageObjects 8}
idMessageSrcEntry OBJECT-TYPE
SYNTAX IdMessageSrcEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Entry containing information pertaining to the
source related details of an attack."
INDEX { idMessageIndex, idMessageSrcIndex}
::= { idMessageSrcDetailsTable 1 }
IdMessageSrcEntry{
idMessageSrcIndex
INTEGER
idMessageSrcInetAddrType
InetAddressType
idMessageSrcInetAddr
Expires: July 28, 2000 [Page 14]
Internet Draft January 29, 2000
InetAddress
idMessageSrcToInetAddr
InetAddress
idMessageSrcAddrSpoofed
INTEGER
idMessageSrcPorts
INTEGER
idMessageSrcPortTableIndex
INTEGER
idMessageUserIDOnSrc
SNMPAdminString
}
idMessageSrcIndex OBJECT-TYPE
SYNTAX INTEGER (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An index to uniquely identify the source information
row in the source information table."
::= {idMessageSrcEntry 1}
idMessageSrcInetAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the Internet address that is being described
in the following Object."
::= {idMessageSrcEntry 2}
idMessageSrcInetAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" One of the Internet addresses of the entity from which
the attack originated, if known. If not known this field
will be inaccessible."
::= {idMessageSrcEntry 3}
idMessageSrcToInetAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" One of the Internet addresses of the entity from which
Expires: July 28, 2000 [Page 15]
Internet Draft January 29, 2000
the attack originated, if known. If not known this field
will be inaccessible."
::= {idMessageSrcEntry 4}
idMessageSrcAddrSpoofed OBJECT-TYPE
SYNTAX INTEGER {
true(1),
false(2),
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" An indication that the source address is spoofed."
::= {idMessageSrcEntry 5}
idMessageSrcPorts OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The number of ports on the host from where the attack
is launched "
::= {idMessageSrcEntry 6}
-- In the most general case the there will be a port list for
-- every source and the idMessageSrcIndex should suffice as an
-- index for the port list
-- But to allow more flexibility the following
-- idMessageSrcPortTableIndex is provided. It allows several hosts
-- to have the same the port list. In this case all the hosts that
-- are attacked on the same ports will have the same
-- idMessageSrcPortTableIndex value.
idMessageSrcPortTableIndex OBJECT-TYPE
SYNTAX INTEGER (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An index that along with idMessageIndex uniquely
identifies the rows describing the ports of the
source from which attacks have originated.
This index allows several hosts to point to the same
range of port addresses."
::= {idMessageSrcEntry 7}
idMessageUserIDOnSrc OBJECT-TYPE
SYNTAX SNMPAdminString
Expires: July 28, 2000 [Page 16]
Internet Draft January 29, 2000
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The identifier of the user on the machine originating the
attack"
::= {idMessageSrcEntry 8}
-- This table contains the information related to target end(s) of
-- the attack. In case of a network-based attack there will be atleast
-- one entry for the attack in this table
-- A Range of addresses - a set of contiguous addresses-
-- is represented by a TO Address in the row.
-- The absence of the TOaddress indicates the existence of a single
-- address in the range.
-- Note: Though a host may be represented by its v4, v6, address or DNS
-- name, for a range both the addresses MUST be the IP(v4/v6) addresses.
idMessageDstDetailsTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdMessageDstEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Each row of this table contains information
pertaining to the destination related details of each
attack. "
::= { idMessageObjects 9 }
idMessageDstEntry OBJECT-TYPE
SYNTAX IdMessageDstEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Entry containing information pertaining to the
destination related details of an attack."
INDEX { idMessageIndex, idMessageDstIndex}
::= { idMessageDstDetailsTable 1 }
IdMessageDstEntry{
idMessageDstIndex
INTEGER
idMessageDstInetAddrType
InetAddressType
idMessageDstInetAddr
InetAddress
idMessageToDstInetAddr
InetAddress
idMessageDstPorts
INTEGER
Expires: July 28, 2000 [Page 17]
Internet Draft January 29, 2000
idMessageDstPortTableIndex
INTEGER
idMessageUserLoginIDOnDst
SNMPAdminString
idMessageUserPresentIDOnDst
SNMPAdminString
idMessageFileID
SNMPAdminString
idMessageFileOperationType
INTEGER
idMessageProcessID
SNMPAdminString
idMessageProcessOwner
SNMPAdminString
idMessageProcessPermissions
SNMPAdminString
}
idMessageDstIndex OBJECT-TYPE
SYNTAX INTEGER (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An index to uniquely identify the destination information
row in the destination information table."
::= {idMessageDstEntry 1}
idMessageDstInetAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The type of the Internet address that is being described
in the following Object."
::= {idMessageDstEntry 2}
idMessageDstInetAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" One of the IP addresses of the entity to which the attack
was destined, if known. If not known, this field will be
inaccessible"
::= {idMessageDstEntry 3}
idMessageDstToInetAddr OBJECT-TYPE
SYNTAX InetAddress
Expires: July 28, 2000 [Page 18]
Internet Draft January 29, 2000
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The upper end of the contiguous range of addresses which
were the the attack was destined. If it has a value of zero
then this range contains a single address only."
::= {idMessageDstEntry 4}
idMessageDstPorts OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The number of ports on the host(s) which were targets
of the attack."
::= {idMessageSrcEntry 5}
-- see discussion on idMessageSrcPortTableIndex
idMessageDstPortTableIndex OBJECT-TYPE
SYNTAX INTEGER (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An index that along with idMessageIndex uniquely
identifies the rows describing the ports of the
destination(s) that have been attacked.
This index allows several hosts to point to the same
range of port addresses."
::= {idMessageSrcEntry 6}
idMessageUserLoginIDOnDst OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The ID with which the user logged onto the target Machine"
::= {idMessageDstEntry 7}
idMessageUserPresentIDOnDst OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The current identifier of the user on the target Machine"
::= {idMessageDstEntry 8}
Expires: July 28, 2000 [Page 19]
Internet Draft January 29, 2000
idMessageFileID OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The full path and name of the file that is being accessed"
::= {idMessageDstEntry 9}
idMessageFileOperationType OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The illegal operation on the file that gave rise to the
alert"
::= {idMessageDstEntry 10}
idMessageProcessID OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The identifier of the process involved in the illegal
access"
::= {idMessageDstEntry 11}
idMessageProcessOwner OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The identifier of the owner of the process involved in
the illegal access"
::= {idMessageDstEntry 12}
idMessageProcessPermissions OBJECT-TYPE
SYNTAX SNMPAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The permissions of the process involved in the illegal
access"
::= {idMessageDstEntry 13}
idMessageSrcPortTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdMessageSrcPortRangeEntry
MAX-ACCESS not-accessible
STATUS current
Expires: July 28, 2000 [Page 20]
Internet Draft January 29, 2000
DESCRIPTION
" Each row of this table contains a part of the range
of ports that are the sources of the intrusion."
::= { idMessageObjects 10 }
idMessageSrcPortRangeEntry OBJECT-TYPE
SYNTAX IdMessageSrcPortRangeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Entry representing a list of contiguous addresses that
are the sources of the intrusion."
INDEX { idMessageIndex, idMessageSrcPortTableIndex,
idMessageSrcPortRangeIndex}
::= { idMessageSrcPortRangeTable 1 }
IdMessageSrcPortRangeEntry ::= SEQUENCE {
idMessageSrcPortRangeIndex
INTEGER
idMessageSrcPort
INTEGER
idMessageToSrcPort
INTEGER
}
idMessageSrcPortRangeIndex OBJECT-TYPE
SYNTAX INTEGER (1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An index to uniquely identify the destination information
row in the destination information table."
::= {idMessageSrcPortRangeEntry 1}
idMessageSrcPort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The port number from which the attack originated"
::= {idMessageSrcPortRangeEntry 2}
idMessageToSrcPort OBJECT-TYPE
SYNTAX INTEGER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
" The upper end of the port number range from which the
attack originated"
Expires: July 28, 2000 [Page 21]
Internet Draft January 29, 2000
::= {idMessageSrcPortRangeEntry 3}
idMessageDstPortTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdMessageDstPortRangeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Each row of this table contains a part of the range
of ports that are the destinations of the intrusion."
::= { idMessageObjects 11 }
idMessageDstPortRangeEntry OBJECT-TYPE
SYNTAX IdMessageDstPortRangeEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Entry representing a list of contiguous addresses
that are the destinations of the intrusion."
INDEX { idMessageIndex, idMessageDstPortTableIndex,
idMessageDstPortRangeIndex}
::= { idMessageDstPortTable 1 }
IdMessageDstPortRangeEntry ::= SEQUENCE {
idMessageDstPortRangeIndex
INTEGER
idMessageFromDstInetPort
INTEGER
idMessageToDstInetPort
INTEGER
}
idMessageReferencesTable OBJECT-TYPE
SYNTAX SEQUENCE OF IdMessageReferenceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" Each row of this table points to a message that should
be referenced in connection with the current intrusion
related message."
::= { idMessageObjects 12 }
idMessageReferenceEntry OBJECT-TYPE
SYNTAX IdMessageReferenceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
" A pointer to the referenced message in the Messages table."
INDEX { idMessageIndex, idMessageReferenceIndex}
Expires: July 28, 2000 [Page 22]
Internet Draft January 29, 2000
::= { idMessageReferencesTable 1 }
IdMessageReferenceEntry ::= SEQUENCE {
idMessageReferenceIndex
INTEGER
idMessageReferencePointer
INDEX
}
-- Interaction table ? It may contain statistical data on the peer
-- Managers with which the monitored Manager interacts or, attempts
-- to interact. This table may provide a useful insight into the
-- performance of the ID system on a large scale
-- The control may be carried out using the SNMP tables available
-- for configuring Informs.
idMessageGeneric NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
}
STATUS current
DESCRIPTION
" This is the generic message that is sent
when an intrusion is detected."
::= {idMessages 1}
idMessageSingleSrc NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
Expires: July 28, 2000 [Page 23]
Internet Draft January 29, 2000
idMessageDegreeOfConfidence
idMessageVulnerabilityName
idMessageSrcInetAddrType
idMessageSrcInetAddr
idMessageSrcToInetAddr
idMessageSrcAddrSpoofed
idMessageSrcPorts
idMessageSrcPortTableIndex
idMessageUserIDOnSrc
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is from a single
source."
::= {idMessages 2}
idMessageMultipleSrc NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
idMessageSrcs
idMessageSrcPortTableIndex
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is from multiple
sources."
::= {idMessages 3}
idMessageSingleDst NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
Expires: July 28, 2000 [Page 24]
Internet Draft January 29, 2000
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
idMessageDstInetAddrType
idMessageDstInetAddr
idMessageToDstInetAddr
idMessageDstPorts
idMessageDstPortTableIndex
idMessageUserLoginIDOnDst
idMessageUserPresentIDOnDst
idMessageFileID
idMessageFileOperationType
idMessageProcessID
idMessageProcessOwner
idMessageProcessPermissions
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is targeted to a
single destination."
::= {idMessages 4}
idMessageMultipleDst NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
idMessageDsts
idMessageDstPortTableIndex
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is targeted to a
single destination."
::= {idMessages 5}
Expires: July 28, 2000 [Page 25]
Internet Draft January 29, 2000
idMessageSingleSrcSingleDst NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
-- Source details
idMessageSrcInetAddrType
idMessageSrcInetAddr
idMessageSrcToInetAddr
idMessageSrcAddrSpoofed
idMessageSrcPorts
idMessageSrcPortTableIndex
idMessageUserIDOnSrc
-- Destination details
idMessageDstInetAddrType
idMessageDstInetAddr
idMessageToDstInetAddr
idMessageDstPorts
idMessageDstPortTableIndex
idMessageUserLoginIDOnDst
idMessageUserPresentIDOnDst
idMessageFileID
idMessageFileOperationType
idMessageProcessID
idMessageProcessOwner
idMessageProcessPermissions
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is from a single
source and directed to multiple destinations."
::= {idMessages 6}
idMessageSingleSrcMultipleDst NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
Expires: July 28, 2000 [Page 26]
Internet Draft January 29, 2000
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
-- Source details
idMessageSrcInetAddrType
idMessageSrcInetAddr
idMessageSrcToInetAddr
idMessageSrcAddrSpoofed
idMessageSrcPorts
idMessageSrcPortTableIndex
idMessageUserIDOnSrc
-- Destination details
idMessageDsts
idMessageDstPortTableIndex
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is from multiple
sources."
::= {idMessages 7}
idMessageMultipleSrcSingleDst NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
-- Source details
idMessageSrcs
idMessageSrcPortTableIndex
-- Destination details
idMessageDstInetAddrType
idMessageDstInetAddr
idMessageToDstInetAddr
idMessageDstPorts
Expires: July 28, 2000 [Page 27]
Internet Draft January 29, 2000
idMessageDstPortTableIndex
idMessageUserLoginIDOnDst
idMessageUserPresentIDOnDst
idMessageFileID
idMessageFileOperationType
idMessageProcessID
idMessageProcessOwner
idMessageProcessPermissions
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is from multiple
sources."
::= {idMessages 8}
idMessageMultipleSrcMultipleDst NOTIFICATION-TYPE
OBJECTS {
idMessageIndex
idMessageTimeStamp
idMessageAttackName
idMessageDetectionMethod
idMessageActionsTaken
idMessagePotentialImpact
idMessageSignature
idMessageMoreInfo
idMessageAdvisory
idMessageDegreeOfConfidence
idMessageVulnerabilityName
-- Source details
idMessageSrcs
idMessageSrcPortTableIndex
-- Destination details
idMessageDsts
idMessageDstPortTableIndex
}
STATUS current
DESCRIPTION
" This is the generic message that is sent when
an intrusion is detected and it is from multiple
sources."
::= {idMessages 9}
Expires: July 28, 2000 [Page 28]
Internet Draft January 29, 2000
-- Conformance information
idConformance OBJECT IDENTIFIER ::= { idMIB 4 }
idGroups OBJECT IDENTIFIER ::= { idConformance 1 }
idCompliances OBJECT IDENTIFIER ::= { idConformance 2 }
-- Compliance statements
idMessageCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities
which implement the
INTRUSION-DETECTION-MESSAGE-MIB."
MODULE -- this module
MANDATORY-GROUPS { idMessageGroup }
::= { idCompliances 1 }
-- Units of conformance
idMessageGroup OBJECT-GROUP
OBJECTS {
idMessageSysAddress idMessageSysProductID
idMessageSysManufacture idMessageSysProductName
idMessageSysVersion idMessageSysLocation
idMessageIndex idMessageTimeStamp
idMessageAttackName idMessageDetectionMethod
idMessageActionsTaken idMessagePotentialImpact
idMessageSignature idMessageMoreInfo
idMessageAdvisory idMessageDegreeOfConfidence
idMessageAttackToolName idMessageAttackProtocol
idMessageVulnerabilityName idMessageSrcs
idMessageDsts
idMessageSrcIndex idMessageSrcInetAddrType
idMessageSrcInetAddr idMessageSrcToInetAddr
idMessageSrcAddrSpoofed idMessageSrcPorts
idMessageSrcPortTableIndex idMessageUserIDOnSrc
idMessageDstIndex idMessageDstInetAddrType
idMessageDstInetAddr idMessageToDstInetAddr
idMessageDstPorts idMessageDstPortTableIndex
idMessageUserLoginIDOnDst idMessageUserPresentIDOnDst
idMessageFileID idMessageFileOperationType
idMessageProcessID idMessageProcessOwner
idMessageProcessPermissions
idMessageReferenceIndex idMessageReferencePointer
Expires: July 28, 2000 [Page 29]
Internet Draft January 29, 2000
idMessageGeneric idMessageSingleSrc
idMessageMultipleSrc idMessageSingleDst
idMessageMultipleDst idMessageSingleSrcSingleDst
idMessageSingleSrcMultipleDst idMessageMultipleSrcSingleDst
idMessageMultipleSrcMultipleDst
}
STATUS current
DESCRIPTION
" A collection of objects for generation and despatch of
messages pertaining to Intrusions detected."
::= { idGroups 1 }
END
Expires: July 28, 2000 [Page 30]
Internet Draft January 29, 2000
6. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
7. Acknowledgements
This draft is the product of discussions and deliberations
carried out in the IETF intrusion detection message exchange
format working group(ietf-idwg-wg).
Expires: July 28, 2000 [Page 31]
Internet Draft January 29, 2000
References
[RFC2571] Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
for Describing SNMP Management Frameworks", RFC 2571, April
1999
[RFC1155] Rose, M., and K. McCloghrie, "Structure and Identification
of Management Information for TCP/IP-based Internets", STD
16, RFC 1155, May 1990
[RFC1212] Rose, M., and K. McCloghrie, "Concise MIB Definitions", STD
16, RFC 1212, March 1991
[RFC1215] M. Rose, "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Textual Conventions for
SMIv2", STD 58, RFC 2579, April 1999
[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999
[RFC1157] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
Network Management Protocol", STD 15, RFC 1157, May 1990.
[RFC1901] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January
1996.
[RFC1906] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Transport Mappings for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1906, January 1996.
[RFC2572] Case, J., Harrington D., Presuhn R., and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2572, April 1999
[RFC2574] Blumenthal, U., and B. Wijnen, "User-based Security Model
(USM) for version 3 of the Simple Network Management
Protocol (SNMPv3)", RFC 2574, April 1999
Expires: July 28, 2000 [Page 32]
Internet Draft January 29, 2000
[RFC1905] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
"Protocol Operations for Version 2 of the Simple Network
Management Protocol (SNMPv2)", RFC 1905, January 1996.
[RFC2573] Levi, D., Meyer, P., and B. Stewart, "SNMPv3 Applications",
RFC 2573, April 1999
[RFC2575] Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
Access Control Model (VACM) for the Simple Network
[RFC2570] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction to Version 3 of the Internet-standard Network
Management Framework", RFC 2570, April 1999
[INETMIB] http://www.ietf.org/internet-drafts/draft-ops-endpoint-mib-04.txt
- work in progress.
Expires: July 28, 2000 [Page 33]
Internet Draft January 29, 2000
Security Considerations
There are no management objects defined in this MIB that have a MAX-
ACCESS clause of read-write and/or read-create. So, if this MIB is
implemented correctly, then there is no risk that an intruder can
alter or create any management objects of this MIB via direct SNMP
SET operations.
However, the information itself may partly reveal the configuration
of the intrusion detection system and passively increase its
vulnerability. The information could also be used to analyze network
usage and traffic patterns.
Therefore, it may be important in some environments to control read
access to these objects and possibly to even encrypt the values of
these object when sending them over the network via SNMP. Not all
versions of SNMP provide features for such a secure environment.
SNMPv1 by itself is such an insecure environment. Even if the
network itself is secure (for example by using IPSec), even then,
there is no control as to who on the secure network is allowed to
access and GET (read) and SET (write) the objects in this MIB.
It is strongly recommended that the implementors consider the security
features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 2574 [RFC2574] and the View-based
Access Control Model RFC 2575 [RFC2575] is recommended.
It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB, is properly
configured to give access to those objects only to those principals
(users) that have legitimate rights to access them.
Expires: July 28, 2000 [Page 34]
Internet Draft January 29, 2000
Authors' Addresses
Glenn Mansfield
Cyber Solutions Inc.
6-6-3 Minami Yoshinari
Aoba-ku, Sendai 989-3204
Japan
Phone: +81-22-303-4012
EMail: glenn@cysols.com
Dipankar Gupta
Hewlett Packard Company
690 East Middlefield Road, MS 31R
Mountain View California 94043.
Phone: +1-650-919-8066
E-mail: dipankar_gupta@hp.com
Expires: July 28, 2000 [Page 35]
Internet Draft January 29, 2000
Full Copyright statement
"Copyright (C) The Internet Society (date). All Rights
Reserved.
This document and translations of it may be copied and
furnished to others, and derivative works that comment on or
otherwise explain it or assist in its implmentation may be
prepared, copied, published and distributed, in whole or in
part, without restriction of any kind, provided that the above
copyright notice and this paragraph are included on all such
copies and derivative works. However, this document itself may
not be modified in any way, such as by removing the copyright
notice or references to the Internet Society or other Internet
organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights
defined in the Internet Standards process must be followed, or
as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will
not be revoked by the Internet Society or its successors or
assigns.
This document and the information contained herein is provided
on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE."
Expires: July 28, 2000 [Page 36]
| PAFTECH AB 2003-2026 | 2026-04-23 16:52:50 |