idmef

package v0.1.0
Published: Sep 27, 2021 License: MIT Imports: 3 Imported by: 0

README

IDMEF for Go

Intrusion Detection Message Exchange Format

Go library for authoring and parsing data in IDMEF format (IETF RFC 4765).

Status

  • IDMEF-Message
    • Alert
      • Analyzer
      • CreateTime
      • DetectTime
      • AnalyzerTime
      • Source
        • Node
        • User
        • Process
        • Service
      • Target
        • Node
        • User
        • Process
        • Service
      • Classification
      • Assessment
      • AdditionalData
    • Heartbeat
      • Analyzer
      • CreateTime
      • AdditionalData

Notes

  1. idmef is the authoring package. It creates XML with the idmef tag prefix.
  2. unmarshal is the parsing package. It reads XML files but does not support the idmef tag prefix, due to Go issue 9519. Parse a file with unmarshal to receive a *unmarshal.Message, which can then be converted to an authoring struct with *unmarshal.Message.Common().
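The authoring/parsing split described in the notes comes from how encoding/xml treats a colon in a struct tag: on Marshal the tag name is written verbatim, but on Unmarshal the decoder resolves the prefix to its namespace URI and matches on the local name. The following is an added example, not the package's own code; it uses only the standard library, constructs its own minimal message, and shows that a prefixed IDMEF-Message decodes only when the parsing struct uses namespace-qualified tags:

```go
package main

import "encoding/xml"

// Shared Alert shape; attributes carry no prefix, so one struct serves both sides.
type alert struct {
	MessageId string `xml:"messageid,attr"`
}

// Authoring struct in this package's style: the "idmef:" prefix is written
// literally into the tag, so encoding/xml emits it verbatim on Marshal.
type authorMessage struct {
	XMLName    xml.Name `xml:"idmef:IDMEF-Message"`
	XMLNSIDMEF string   `xml:"xmlns:idmef,attr"`
	Version    string   `xml:"version,attr"`
	Alert      *alert   `xml:"idmef:Alert"`
}

// Parsing struct: the decoder resolves the prefix to its namespace URI, so
// the tag must read "<uri> <local>" rather than "idmef:<local>".
type parseMessage struct {
	XMLName xml.Name `xml:"http://iana.org/idmef IDMEF-Message"`
	Alert   *alert   `xml:"http://iana.org/idmef Alert"`
}

// Author marshals a minimal prefixed IDMEF-Message (constructed sample).
func Author(messageID string) (string, error) {
	m := authorMessage{XMLNSIDMEF: "http://iana.org/idmef", Version: "1.0",
		Alert: &alert{MessageId: messageID}}
	b, err := xml.MarshalIndent(m, "", "  ")
	return string(b), err
}

// ParseWithAuthoringTags reuses the authoring tags for decoding: the root name
// check fails because "idmef:IDMEF-Message" never equals the decoded local name
// "IDMEF-Message" (and "idmef:Alert" would likewise never match "Alert").
func ParseWithAuthoringTags(doc string) error {
	var m authorMessage
	return xml.Unmarshal([]byte(doc), &m)
}

// ParseWithNamespaceTags decodes the same bytes with namespace-qualified tags.
func ParseWithNamespaceTags(doc string) (*parseMessage, error) {
	m := &parseMessage{}
	err := xml.Unmarshal([]byte(doc), m)
	return m, err
}
```

This is the same limitation the unmarshal subpackage works around; converting the decoded struct back to an authoring struct is what Common() does in the real package.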

References

  • IDMEF
  • Alternative Formats
  • Go XML situation
    1. encoding/xml: support for XML namespace prefixes
    2. xml namespace prefix issue at go
    3. Unable to parse xml in GO with : in tags

Credits

timestamp.Timestamp is based on code from github.com/coreos/mantle under the Apache 2.0 license. This is a large, archived codebase with many dependencies.

Documentation

Constants

const (
	XMLNSIDMEFUrl     = "http://iana.org/idmef"
	XMLNSIDMEFVersion = "1.0"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Address

type Address struct {
	Address  string `xml:"idmef:address"`
	Indent   string `xml:"ident,attr"`
	Category string `xml:"category,attr"`
}

type Alert

type Alert struct {
	MessageId      string         `xml:"messageid,attr"`
	Analyzer       Analyzer       `xml:"idmef:Analyzer"`       // Exactly one.
	CreateTime     Time           `xml:"idmef:CreateTime"`     // Exactly one.
	DetectTime     *Time          `xml:"idmef:DetectTime"`     // Zero or one
	AnalyzerTime   *Time          `xml:"idmef:AnalyzerTime"`   // Zero or one.
	Source         []Source       `xml:"idmef:Source"`         // Zero or more.
	Target         []Source       `xml:"idmef:Target"`         // Zero or more.
	Classification Classification `xml:"idmef:Classification"` // Exactly one.
}

type Analyzer

type Analyzer struct {
	AnalyzerId string `xml:"analyzerid,attr"`
	Node       *Node  `xml:"idmef:Node"`
}

type Classification

type Classification struct {
	Text      string     `xml:"text,attr"`
	Reference *Reference `xml:"idmef:Reference"`
}

type Message

type Message struct {
	XMLName    xml.Name `xml:"idmef:IDMEF-Message"`
	XMLNSIDMEF string   `xml:"xmlns:idmef,attr"`
	Version    string   `xml:"version,attr"`
	Alert      *Alert   `xml:"idmef:Alert"`
}

Message is for authoring. For parsing use `github.com/grokify/go-idmef/unmarshal/Message`.

func (*Message) Bytes

func (m *Message) Bytes(prefix, indent string) ([]byte, error)

type Node

type Node struct {
	Indent   string   `xml:"ident,attr,omitempty"`
	Category string   `xml:"category,attr,omitempty"`
	Address  *Address `xml:"idmef:Address,omitempty"`
	Location string   `xml:"idmef:location,omitempty"`
	Name     string   `xml:"idmef:name,omitempty"`
}

type Reference

type Reference struct {
	Origin string `xml:"origin,attr"`
	Name   string `xml:"idmef:name"`
	URL    string `xml:"idmef:url"`
}

type Source

type Source struct {
	Indent  string `xml:"ident,attr,omitempty"`
	Spoofed string `xml:"spoofed,attr,omitempty"`
	Node    *Node  `xml:"idmef:Node"`
}

type Time

type Time struct {
	Time     time.Time `xml:",chardata"`
	NtpStamp string    `xml:"ntpstamp,attr"`
}

func (*Time) InflateNtpStamp

func (t *Time) InflateNtpStamp()
