IDEF Working Group                      S.F. Wu, X. Zhao, J. Yuill, P. Chen
INTERNET-DRAFT                                          NC State University
draft-wu-ids-eventcorr-mib-00.txt                               M. Erlanger
                                                              HMC/Aerospace
                                                           F. Gong, F. Wang
                                                                       MCNC
                                                                 M.Y. Huang
                                                                     Boeing
                                                           October 21, 1999

             Intrusion Detection System Event Correlation MIB

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet Drafts are working documents of the Internet Engineering
   Task Force (IETF), its Areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Copyright Notice

   Copyright (C) The Internet Society (1999). All Rights Reserved.

Abstract

   This memo defines, using the MIB format, the data model for
   intrusion event correlation. In particular, it defines how the
   relationship among low-level and high-level events can be
   represented, and how this information model can be extended to
   support different types of intrusion detection and security
   management applications.

Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang              [page 1]

INTERNET-DRAFT            IDS Event Correlation          October 21, 1999

Table of Contents

   1. The SNMP Network Management Framework ......................... ?
   2. Problems addressed and goals .................................. 4
   3. MIB design .................................................... 5
   4. The Intrusion Detection System Event MIB ...................... 7
   5. Examples to use IDS Event MIB ................................. 7
   6. Intellectual Property .........................................17
   7. Acknowledgements ..............................................17
   8. References ....................................................18
   Security Considerations ...........................................20
   Authors' Addresses ................................................21
   Full Copyright Statement ..........................................22

1. The SNMP Network Management Framework

   The SNMP Network Management Framework presently consists of five
   major components:

   o  An overall architecture, described in RFC 2571 [1].

   o  Mechanisms for describing and naming objects and events for the
      purpose of management. The first version of this Structure of
      Management Information (SMI) is called SMIv1 and described in
      RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version,
      called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and
      RFC 1904 [7].

   o  Message protocols for transferring management information. The
      first version of the SNMP message protocol is called SNMPv1 and
      described in RFC 1157 [8]. A second version of the SNMP message
      protocol, which is not an Internet standards track protocol, is
      called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
      The third version of the message protocol is called SNMPv3 and
      described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 [12].

   o  Protocol operations for accessing management information. The
      first set of protocol operations and associated PDU formats is
      described in RFC 1157 [8]. A second set of protocol operations
      and associated PDU formats is described in RFC 1905 [13].

   o  A set of fundamental applications described in RFC 2573 [14] and
      the view-based access control mechanism described in RFC 2575
      [15].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. Objects in the MIB are
   defined using the mechanisms defined in the SMI.

   This memo specifies a MIB module that is compliant to the SMIv2.
   A MIB conforming to the SMIv1 can be produced through the appropriate
   translations. The resulting translated MIB must be semantically
   equivalent, except where objects or events are omitted because no
   translation is possible (use of Counter64). Some machine readable
   information in SMIv2 will be converted into textual descriptions in
   SMIv1 during the translation process. However, this loss of machine
   readable information is not considered to change the semantics of
   the MIB.

2. Problems addressed and goals

   The emergence of coordinated attacks in recent years requires IDS
   technology to move ahead to a new frontier, where different IDSs
   work in a distributed and cooperative fashion. Basically, they need
   to talk to each other in the same 'language', which should be in a
   common and unambiguous format and have enough descriptive power.
   For practical reasons, it should be easy to implement and involve
   little overhead.

   A few Internet drafts [???] have been proposed to represent the data
   format for intrusion information/events, and a few commercial
   products such as ISS's RealSecure provide an interface to access and
   interact with intrusion detection information and systems. A typical
   example is the interaction between RealSecure and the Checkpoint
   firewall using "opsec." However, none of the current work addresses
   the issue of correlation among events at different levels of
   abstraction. For instance, when an IDS detects a portscan attack,
   how much detail should the IDS report to the security manager? How
   does the manager find out whether it is a slow portscan, or how many
   machines or IP addresses have been scanned (note that some of the
   "ghost" addresses might have been scanned) and at what rate?

   For another example, when an IDS detects a SynFlood attack, how will
   it report the details if the security manager is interested in
   knowing: how many SynFlood packets? For how long? What about the
   source IP addresses: are they the same or random? If random, what
   are they?

   What we have today is a set of unstructured events whose
   relationships are not uniformly represented. Our objective in this
   proposal is to define a structure to relate low-level and high-level
   events, as well as a framework for extending it with new relations.

3. MIB design

   In the real world, people often describe an event with a tuple of
   five elements: (where, when, who, what, how). Borrowing this idea,
   our MIB uses the same tuple to describe attacks in cyberspace. Our
   MIB organizes the information of an event into these five
   categories. 'WHERE' contains the information on where an attack is
   launched, where the target is, and where this event is observed.
   'WHEN' is the timestamp of an event, which specifies the beginning
   time and ending time of an event and/or information on the frequency
   or number of occurrences. 'WHO' indicates which IDS observed the
   event and, if possible, which user and/or process triggered it.
   'WHAT' records the detailed information, such as protocol type,
   protocol-specific data, and packet content. The links between
   abstract events and raw events specify 'HOW', which we explain in
   the following.

   Most IDSs developed or under development today fall into two
   categories: signature-based IDSs and statistics-based IDSs.
   Signature-based IDSs use a signature recognition approach to detect
   intrusions, which can be implemented, for example, by finite state
   machines. Under this approach, a set of low-level "raw" events
   triggers the state transitions.
   When such a finite state machine stops in a particular critical
   state, a particular intrusion has been detected and thus a
   high-level abstract event is generated. Statistics-based IDSs use a
   statistical approach that monitors deviations from a long-term
   profile. A single significant deviation can be regarded as a raw
   event. When an IDS detects a series of deviations and believes an
   intrusion is in progress, an abstract event can be produced.
   Therefore, in order to represent the relations among raw and
   high-level events, we use another table, the reference table, to
   link an abstract event with its corresponding raw events; this
   specifies the 'HOW' explained above.

4. The Intrusion Detection System Event Correlation MIB

   INTRUSION-DETECTION-EVENT-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, experimental, IpAddress
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, TimeStamp, DisplayString
           FROM SNMPv2-TC
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB;

   idsEventMIB MODULE-IDENTITY
       LAST-UPDATED "9906250000Z"
       ORGANIZATION "NCSU."
       CONTACT-INFO
           "S. Felix Wu
            Tel: +1-919-515-7920
            E-mail: wu@csc.ncsu.edu

            Xiaoliang Zhao
            Tel: +1-919-513-1894
            E-mail: xzhao@unity.ncsu.edu

            Ping Chen
            Tel: +1-919-513-1894
            E-mail: pchen3@unity.ncsu.edu"
       DESCRIPTION
           "The MIB module for exchanging information between IDS
            systems."
       -- xxx: the sub-identifier under experimental has not yet been
       -- assigned in this draft
       ::= { experimental xxx }

   --
   -- textual conventions
   --

   Utf8String ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "255a"
       STATUS       current
       DESCRIPTION
           "To facilitate internationalization, this TC represents
            information taken from the ISO/IEC IS 10646-1 character
            set, encoded as an octet string using the UTF-8 character
            encoding scheme described in RFC 2044 [11]. For strings in
            7-bit US-ASCII, there is no impact since the UTF-8
            representation is identical to the US-ASCII encoding."
       SYNTAX       OCTET STRING (SIZE (0..255))

   idsEvents OBJECT IDENTIFIER ::= { idsEventMIB 1 }

   --
   -- idsAbstractEventTable
   --

   idsAbstractEventTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IdsAbstractEventEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Table of abstract events originated by an IDS."
       ::= { idsEvents 1 }

   idsAbstractEventEntry OBJECT-TYPE
       SYNTAX      IdsAbstractEventEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in the table, containing high-level information
            about a suspicious event."
       INDEX { idsAbstractEventIndex }
       ::= { idsAbstractEventTable 1 }

   IdsAbstractEventEntry ::= SEQUENCE {
       idsAbstractEventOriginator              SnmpAdminString,
       idsAbstractEventIndex                   INTEGER (1..2147483647),
       idsAbstractEventGeneralType             Utf8String,
       idsAbstractEventSpecificType            Utf8String,
       idsAbstractEventConfidency              INTEGER (0..100),
       idsAbstractEventReferencesBegin         OBJECT IDENTIFIER,
       idsAbstractEventReferencesEnd           OBJECT IDENTIFIER,
       idsAbstractEventReasoningModelID        Utf8String,
       idsAbstractEventUserID                  Utf8String,
       idsAbstractEventProcessID               INTEGER (0..65535),
       idsAbstractEventTimeBegin               TimeStamp,
       idsAbstractEventTimeEnd                 TimeStamp,
       idsAbstractEventInterval                INTEGER (0..65535),
       idsAbstractEventSourceNetworkAddress    IpAddress,
       idsAbstractEventTargetNetworkAddress    IpAddress,
       idsAbstractEventAttackedProtocol        Utf8String,
       idsAbstractEventAttackedProtocolDetail  OCTET STRING (SIZE (0..2048)),
       idsAbstractEventLocationExt             OCTET STRING (SIZE (0..2048)),
       idsAbstractEventAttackImpact            DisplayString,
       idsAbstractEventAttackPenetration       DisplayString,
       idsAbstractEventIDSResponse             DisplayString,
       idsAbstractEventIDSAdvisory             SnmpAdminString,
       idsAbstractEventVendorSpecificDataValue OCTET STRING (SIZE (0..2048))
   }

   idsAbstractEventOriginator OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The name of the IDS agent that generated the event; it
            should be unique within a management domain."
       ::= { idsAbstractEventEntry 1 }

   idsAbstractEventIndex OBJECT-TYPE
       SYNTAX      INTEGER (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An index that uniquely identifies an entry in the abstract
            event table. These indices are assigned beginning with 1
            and increase by one with each new entry. The agent may
            choose to delete instances of idsAbstractEventEntry as
            required because of lack of memory. It is an
            implementation-specific matter as to when this deletion
            may occur and which entries are deleted."
       ::= { idsAbstractEventEntry 2 }

   idsAbstractEventGeneralType OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A general type to facilitate the classification of
            attacks, e.g. network-based attack vs. host-based attack,
            misuse or anomaly, etc."
       ::= { idsAbstractEventEntry 3 }

   idsAbstractEventSpecificType OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Uses the CVE [18] recommendations, which provide a uniform
            naming space, to identify the attack type known to the
            IDS, e.g. Denial of Service/Net/Teardrop or
            Map/Net/Tcp Scan."
       ::= { idsAbstractEventEntry 4 }

   idsAbstractEventConfidency OBJECT-TYPE
       SYNTAX      INTEGER (0..100)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The degree to which the IDS believes this is an attack."
       ::= { idsAbstractEventEntry 5 }

   idsAbstractEventReferencesBegin OBJECT-TYPE
       SYNTAX      OBJECT IDENTIFIER
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The index value of the beginning row in the
            idsReferenceTable. Paired with
            idsAbstractEventReferencesEnd, it locates all of the raw
            events that uncovered this attack."
       ::= { idsAbstractEventEntry 6 }

   idsAbstractEventReferencesEnd OBJECT-TYPE
       SYNTAX      OBJECT IDENTIFIER
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Points to the ending row in the idsReferenceTable."
       ::= { idsAbstractEventEntry 7 }

   idsAbstractEventReasoningModelID OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Specifies the relationship between abstract events and raw
            events, e.g. the abstract event comes from signature
            recognition or anomaly detection over a list of raw
            events."
       ::= { idsAbstractEventEntry 8 }

   idsAbstractEventUserID OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If possible, specifies who launched the attack."
       ::= { idsAbstractEventEntry 9 }

   idsAbstractEventProcessID OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If possible, specifies which process was involved in the
            attack."
       ::= { idsAbstractEventEntry 10 }

   idsAbstractEventTimeBegin OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The first time the IDS noticed the attack."
       ::= { idsAbstractEventEntry 11 }

   idsAbstractEventTimeEnd OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "When the last raw event related to this attack occurred."
       ::= { idsAbstractEventEntry 12 }

   idsAbstractEventInterval OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Measures the intensity of an attack, i.e. how many related
            raw events occurred within a specific period."
       ::= { idsAbstractEventEntry 13 }

   idsAbstractEventSourceNetworkAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The source of a network-based attack; may be variable."
       ::= { idsAbstractEventEntry 14 }

   idsAbstractEventTargetNetworkAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The target of a network-based attack; may be variable."
       ::= { idsAbstractEventEntry 15 }

   idsAbstractEventAttackedProtocol OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Which protocol(s) is attacked. The format of this field
            must follow Network Protocol Name/Transport Protocol
            Name/Application Protocol Name, e.g. TCP, TCP/BGP,
            IP/TCP/HTTP."
       ::= { idsAbstractEventEntry 16 }

   idsAbstractEventAttackedProtocolDetail OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..2048))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The detailed protocol-specific information. For each
            protocol specified in idsAbstractEventAttackedProtocol,
            there is a corresponding list of pairs containing
            protocol-specific data. Each list is enclosed in a pair of
            braces, and the lists are separated from each other by a
            slash. The syntax of a pair is 'name=value;'. For example,
            if idsAbstractEventAttackedProtocol = TCP/HTTP, then
            idsAbstractEventAttackedProtocolDetail =
            {source port=1234;}/{url=www4.ncsu.edu/~xzhao;method=get;}"
       ::= { idsAbstractEventEntry 17 }

   idsAbstractEventLocationExt OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..2048))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If it is not a TCP/IP network, provide all necessary
            information here about the source, target, and detailed
            data."
       ::= { idsAbstractEventEntry 18 }

   idsAbstractEventAttackImpact OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Indicates the potential impact of the attack, as required
            by IDWG."
       ::= { idsAbstractEventEntry 19 }

   idsAbstractEventAttackPenetration OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Indicates the degree of penetration achieved by the
            attack."
       ::= { idsAbstractEventEntry 20 }

   idsAbstractEventIDSResponse OBJECT-TYPE
       SYNTAX      DisplayString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The automatic actions taken by the IDS in response to the
            event (if any)."
       ::= { idsAbstractEventEntry 21 }

   idsAbstractEventIDSAdvisory OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "An advisory from a noted authority such as CERT."
       ::= { idsAbstractEventEntry 22 }

   idsAbstractEventVendorSpecificDataValue OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..2048))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Vendor-specific data."
       ::= { idsAbstractEventEntry 23 }

   --
   -- idsRawEventTable
   --

   idsRawEventTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IdsRawEventEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The table of raw events caught by an IDS."
       ::= { idsEvents 2 }

   idsRawEventEntry OBJECT-TYPE
       SYNTAX      IdsRawEventEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in the table, containing all necessary
            information about a raw event."
       INDEX { idsRawEventIndex }
       ::= { idsRawEventTable 1 }

   IdsRawEventEntry ::= SEQUENCE {
       idsRawEventOriginator             SnmpAdminString,
       idsRawEventIndex                  INTEGER (1..2147483647),
       idsRawEventGeneralInfo            Utf8String,
       idsRawEventDetailedInfo           OCTET STRING (SIZE (0..8192)),
       idsRawEventUserID                 Utf8String,
       idsRawEventProcessID              INTEGER (0..65535),
       idsRawEventTimeStamp              TimeStamp,
       idsRawEventSourceNetworkAddress   IpAddress,
       idsRawEventTargetNetworkAddress   IpAddress,
       idsRawEventAttackedProtocol       Utf8String,
       idsRawEventAttackedProtocolDetail OCTET STRING (SIZE (0..2048)),
       idsRawEventLocationExt            OCTET STRING (SIZE (0..2048))
   }

   idsRawEventOriginator OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The name of the IDS that recorded the raw event."
       ::= { idsRawEventEntry 1 }

   idsRawEventIndex OBJECT-TYPE
       SYNTAX      INTEGER (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A unique value for each raw event. It is recommended that
            values are assigned continuously starting from 1."
       ::= { idsRawEventEntry 2 }

   idsRawEventGeneralInfo OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A general description of the raw event, e.g. an anomaly
            from the user's normal behavior or a failed connection
            attempt."
       ::= { idsRawEventEntry 3 }

   idsRawEventDetailedInfo OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..8192))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The most detailed information about the raw event should
            be put here, e.g. in a network-based attack, the data
            portion of the IP packet is the most detailed
            information."
       ::= { idsRawEventEntry 4 }

   idsRawEventUserID OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If possible, put the user name here."
       ::= { idsRawEventEntry 5 }

   idsRawEventProcessID OBJECT-TYPE
       SYNTAX      INTEGER (0..65535)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If possible, put the process ID here."
       ::= { idsRawEventEntry 6 }

   idsRawEventTimeStamp OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "When this raw event occurred."
       ::= { idsRawEventEntry 7 }

   idsRawEventSourceNetworkAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Where the attack is launched from."
       ::= { idsRawEventEntry 8 }

   idsRawEventTargetNetworkAddress OBJECT-TYPE
       SYNTAX      IpAddress
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Who the target is."
       ::= { idsRawEventEntry 9 }

   idsRawEventAttackedProtocol OBJECT-TYPE
       SYNTAX      Utf8String
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Which protocol(s) is attacked. The format is the same as
            described in the DESCRIPTION of
            idsAbstractEventAttackedProtocol."
       ::= { idsRawEventEntry 10 }

   idsRawEventAttackedProtocolDetail OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..2048))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The detailed protocol-specific information. The format is
            the same as described in the DESCRIPTION of
            idsAbstractEventAttackedProtocolDetail."
       ::= { idsRawEventEntry 11 }

   idsRawEventLocationExt OBJECT-TYPE
       SYNTAX      OCTET STRING (SIZE (0..2048))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If it is not a TCP/IP network, provide all necessary
            information here about the source, target, and detailed
            data."
       ::= { idsRawEventEntry 12 }

   --
   -- idsReferenceTable
   --

   idsReferenceTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF IdsReferenceEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This table is a bridge between abstract events and raw
            events. One abstract event is supported by a list of raw
            events. The indices of these raw events are stored
            contiguously in the table, so they can be located by
            specifying the beginning and ending points."
       ::= { idsEvents 3 }

   idsReferenceEntry OBJECT-TYPE
       SYNTAX      IdsReferenceEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry in the table. Each entry contains the index of one
            raw event that supports the abstract event."
       INDEX { idsReferenceIndex }
       ::= { idsReferenceTable 1 }

   IdsReferenceEntry ::= SEQUENCE {
       idsReferenceOriginator   SnmpAdminString,
       idsReferenceIndex        INTEGER (0..2147483647),
       idsReferenceRawEventTag  OBJECT IDENTIFIER
   }

   idsReferenceOriginator OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Who created this entry; generally the IDS agent name."
       ::= { idsReferenceEntry 1 }

   idsReferenceIndex OBJECT-TYPE
       SYNTAX      INTEGER (0..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The unique index in the table. All entries between a
            particular starting point and ending point are related to
            the same abstract event."
       ::= { idsReferenceEntry 2 }

   idsReferenceRawEventTag OBJECT-TYPE
       SYNTAX      OBJECT IDENTIFIER
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "Points to the corresponding raw event's index in
            idsRawEventTable."
       ::= { idsReferenceEntry 3 }

   -- Conformance information

   idsEventConformance OBJECT IDENTIFIER ::= { idsEventMIB 2 }
   idsEventGroups      OBJECT IDENTIFIER ::= { idsEventConformance 1 }
   idsEventCompliances OBJECT IDENTIFIER ::= { idsEventConformance 2 }

   -- Compliance statements

   idsEventsCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for SNMP entities which implement
            the INTRUSION-DETECTION-EVENT-MIB."
       MODULE  -- this module
           MANDATORY-GROUPS { idsAbstractEventGroup,
                              idsRawEventGroup,
                              idsReferenceGroup }
       ::= { idsEventCompliances 1 }

   -- Units of conformance

   -- The index columns (idsAbstractEventIndex, idsRawEventIndex and
   -- idsReferenceIndex) are not-accessible and therefore do not appear
   -- in the object groups.

   idsAbstractEventGroup OBJECT-GROUP
       OBJECTS { idsAbstractEventOriginator,
                 idsAbstractEventGeneralType,
                 idsAbstractEventSpecificType,
                 idsAbstractEventConfidency,
                 idsAbstractEventReferencesBegin,
                 idsAbstractEventReferencesEnd,
                 idsAbstractEventReasoningModelID,
                 idsAbstractEventUserID,
                 idsAbstractEventProcessID,
                 idsAbstractEventTimeBegin,
                 idsAbstractEventTimeEnd,
                 idsAbstractEventInterval,
                 idsAbstractEventSourceNetworkAddress,
                 idsAbstractEventTargetNetworkAddress,
                 idsAbstractEventAttackedProtocol,
                 idsAbstractEventAttackedProtocolDetail,
                 idsAbstractEventLocationExt,
                 idsAbstractEventAttackImpact,
                 idsAbstractEventAttackPenetration,
                 idsAbstractEventIDSResponse,
                 idsAbstractEventIDSAdvisory,
                 idsAbstractEventVendorSpecificDataValue }
       STATUS      current
       DESCRIPTION
           "A collection of information to describe the high-level
            abstract event."
       ::= { idsEventGroups 1 }

   idsRawEventGroup OBJECT-GROUP
       OBJECTS { idsRawEventOriginator,
                 idsRawEventGeneralInfo,
                 idsRawEventDetailedInfo,
                 idsRawEventUserID,
                 idsRawEventProcessID,
                 idsRawEventTimeStamp,
                 idsRawEventSourceNetworkAddress,
                 idsRawEventTargetNetworkAddress,
                 idsRawEventAttackedProtocol,
                 idsRawEventAttackedProtocolDetail,
                 idsRawEventLocationExt }
       STATUS      current
       DESCRIPTION
           "A collection of information to describe the low-level raw
            event."
       ::= { idsEventGroups 2 }

   idsReferenceGroup OBJECT-GROUP
       OBJECTS { idsReferenceOriginator,
                 idsReferenceRawEventTag }
       STATUS      current
       DESCRIPTION
           "A collection of objects for generation and dispatch of
            messages pertaining to intrusions detected."
::= { idsEventGroups 3 } END 5. Examples to use IDS Event MIB In the following examples, we define 2 special values: if all bits are 0, it means no value avaiable for the corresponding field, while all bits 1 means any value is possible. - Port Scanning attack: Port scanning is usually the first step of a real attack, by which attackers try to gather information of the victim. Once they find a running service has security hole, they can exploit it and launch an attack. /* the following record is in idsAbstractEventTable */ { idsAbstractEventOriginator = sniffer-1 idsAbstractEventIndex = 103 idsAbstractEventGeneralType = network, misuse idsAbstractEventSpecificType = Map/Net/Tcp Scan idsAbstractEventConfidency = 0.85 idsAbstractEventReferencesBegin = 400 idsAbstractEventReferencesEnd = 500 idsAbstractEventReasoningModelID = Signature Recognition idsAbstractEventUserID = 0 (unknown user) idsAbstractEventProcessID = 0 (unknown PID, not root PID) idsAbstractEventTimeBegin = Tue Jun 22 17:34:57 EDT 1999 idsAbstractEventTimeEnd = Tue Jun 22 17:40:21 EDT 1999 idsAbstractEventInterval = 20 packets / second idsAbstractEventSourceNetworkAddress = 152.1.75.161 idsAbstractEventTargetNetworkAddress = 152.1.75.160 idsAbstractEventAttackedProtocol = TCP idsAbstractEventAttackedProtocolDetail = {SrcPort:65535;DestPort:65535;} idsAbstractEventLocationExt = 0 idsAbstractEventAttackImpact = Configuration Info. 
Disclosure idsAbstractEventAttackPenetration = localhost only idsAbstractEventIDSResponse = raised alarm idsAbstractEventIDSAdvisory = CERT advisory xxxxx idsAbstractEventVendorSpecificDataValue = 0 } /* the following is in the idsRawEventTable */ { idsRawEventOriginator = sniffer-1 idsRawEventIndex = 1300 Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 16] INTERNET-DRAFT IDS Event Correlation October 21, 1999 idsRawEventGeneralInfo = failed connection idsRawEventDetailedInfo = 0 idsRawEventUserID = 0 idsRawEventProcessID = 0 idsRawEventTimeStamp = Tue Jun 22 17:34:57 EDT 1999 idsRawEventSourceNetworkAddress = 152.1.75.161 idsRawEventTargetNetworkAddress = 152.1.75.160 idsRawEventAttackProtocol = TCP idsRawEventAttackedProtocolDetail = {SrcPort:2300;DestPort:5;} idsRawEventLocationExt = 0 idsRawEventOriginator = sniffer-1 idsRawEventIndex = 1301 idsRawEventGeneralInfo = half connection idsRawEventDetailedInfo = 0 idsRawEventUserID = 0 idsRawEventProcessID = 0 idsRawEventTimeStamp = Tue Jun 22 17:35:57 EDT 1999 idsRawEventSourceNetworkAddress = 152.1.75.161 idsRawEventTargetNetworkAddress = 152.1.75.160 idsRawEventAttackProtocol = TCP idsRawEventAttackedProtocolDetail = {SrcPort:2301;DestPort:7;} idsRawEventLocationExt = 0 ... idsRawEventOriginator = sniffer-1 idsRawEventIndex = 1305 idsRawEventGeneralInfo = half connection idsRawEventDetailedInfo = 0 idsRawEventUserID = 0 idsRawEventProcessID = 0 idsRawEventTimeStamp = Tue Jun 22 17:36:57 EDT 1999 idsRawEventSourceNetworkAddress = 152.1.75.161 idsRawEventTargetNetworkAddress = 152.1.75.160 idsRawEventAttackProtocol = TCP idsRawEventAttackedProtocolDetail = {SrcPort:2302;DestPort:23;} idsRawEventLocationExt = 0 ... 
} /* the following is in the idsReferenceTable */ { idsReferenceOriginator = sniffer-1 idsReferenceIndex = 400 idsReferenceRawDataTag = 1300 idsReferenceOriginator = sniffer-1 idsReferenceIndex = 401 idsReferenceRawDataTag = 1301 Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 17] INTERNET-DRAFT IDS Event Correlation October 21, 1999 idsReferenceOriginator = sniffer-1 idsReferenceIndex = 402 idsReferenceRawDataTag = 1305 idsReferenceOriginator = sniffer-1 idsReferenceIndex = 403 idsReferenceRawDataTag = 1309 ... } - Ping-O-Death Event Ping-O-Death is a kind of attack that attackers send very large packet to crash network module of some systems. /* the following record is in idsAbstractEventTable */ { idsAbstractEventOriginator = sniffer-1 idsAbstractEventIndex = 105 idsAbstractEventGeneralType = network, misuse idsAbstractEventSpecificType = Denial of Services/ Net/Ping-o-Death idsAbstractEventConfidency = 0.9 idsAbstractEventReferencesBegin = 501 idsAbstractEventReferencesEnd = 599 idsAbstractEventReasoningModelID = Signature Recognition idsAbstractEventUserID = 0 (unknown user) idsAbstractEventProcessID = 0 (unknown PID, not root PID) idsAbstractEventTimeBegin = Tue Jun 22 17:34:57 EDT 1999 idsAbstractEventTimeEnd = Tue Jun 22 17:54:21 EDT 1999 idsAbstractEventInterval = 50 packets / second idsAbstractEventSourceNetworkAddress = 152.1.75.161 idsAbstractEventTargetNetworkAddress = 152.1.75.170 idsAbstractEventAttackedProtocol = ICMP idsAbstractEventAttackedProtocolDetail = {PacketSize:65510} idsAbstractEventLocationExt = 0 idsAbstractEventAttackImpact = system crash idsAbstractEventAttackPenetration = localhost only idsAbstractEventIDSResponse = raised alarm idsAbstractEventIDSAdvisory = CERT advisory xxxxx idsAbstractEventVendorSpecificDataValue = 0 } /* the following is in the idsRawEventTable */ { idsRawEventOriginator = sniffer-1 idsRawEventIndex = 1500 idsRawEventGeneralInfo = defragmented ICMP packet idsRawEventDetailedInfo = 0 idsRawEventUserID = 0 
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 17] INTERNET-DRAFT IDS Event Correlation October 21, 1999 idsRawEventProcessID = 0 idsRawEventTimeStamp = Tue Jun 22 17:34:57 EDT 1999 idsRawEventSourceNetworkAddress = 152.1.75.161 idsRawEventTargetNetworkAddress = 152.1.75.170 idsRawEventAttackProtocol = ICMP idsRawEventAttackedProtocolDetail = {PacketSize:1480;} idsRawEventLocationExt = 0 idsRawEventOriginator = sniffer-1 idsRawEventIndex = 1501 idsRawEventGeneralInfo = defragmented ICMP packet idsRawEventDetailedInfo = 0 idsRawEventUserID = 0 idsRawEventProcessID = 0 idsRawEventTimeStamp = Tue Jun 22 17:35:57 EDT 1999 idsRawEventSourceNetworkAddress = 152.1.75.161 idsRawEventTargetNetworkAddress = 152.1.75.170 idsRawEventAttackProtocol = ICMP idsRawEventAttackedProtocolDetail = {PacketSize:1480;} idsRawEventLocationExt = 0 ... idsRawEventOriginator = sniffer-1 idsRawEventIndex = 1505 idsRawEventGeneralInfo = defragmented ICMP packet idsRawEventDetailedInfo = 0 idsRawEventUserID = 0 idsRawEventProcessID = 0 idsRawEventTimeStamp = Tue Jun 22 17:36:57 EDT 1999 idsRawEventSourceNetworkAddress = 152.1.75.161 idsRawEventTargetNetworkAddress = 152.1.75.170 idsRawEventAttackProtocol = ICMP idsRawEventAttackedProtocolDetail = {PacketSize:1480;} idsRawEventLocationExt = 0 ... } /* the following is in the idsReferenceTable */ { idsReferenceOriginator = sniffer-1 idsReferenceIndex = 501 idsReferenceRawDataTag = 1500 idsReferenceOriginator = sniffer-1 idsReferenceIndex = 502 idsReferenceRawDataTag = 1501 idsReferenceOriginator = sniffer-1 idsReferenceIndex = 503 idsReferenceRawDataTag = 1505 Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 18] INTERNET-DRAFT IDS Event Correlation October 21, 1999 idsReferenceOriginator = sniffer-1 idsReferenceIndex = 504 idsReferenceRawDataTag = 1509 ... } - User Activity Anomaly Event: User Activity Anomaly generally means a user's behavior significantly deviated from his normal profile. 
For example, a user who normally uses only word-processing software suddenly starts to use compilers heavily; that suggests the account may have been compromised.

/* the following record is in idsAbstractEventTable */
{
   idsAbstractEventOriginator = syslog-analyzer-1
   idsAbstractEventIndex = 106
   idsAbstractEventGeneralType = host, anomaly
   idsAbstractEventSpecificType = User Activity Anomaly
   idsAbstractEventConfidency = 0.67
   idsAbstractEventReferencesBegin = 600
   idsAbstractEventReferencesEnd = 700
   idsAbstractEventReasoningModelID = Anomaly Detection
   idsAbstractEventUserID = aaa
   idsAbstractEventProcessID = 65535
   idsAbstractEventTimeBegin = Tue Jun 22 17:54:57 EDT 1999
   idsAbstractEventTimeEnd = Tue Jun 22 18:10:21 EDT 1999
   idsAbstractEventInterval = 0.1 activities / second
   idsAbstractEventSourceNetworkAddress = localhost
   idsAbstractEventTargetNetworkAddress = localhost
   idsAbstractEventAttackedProtocol = 0
   idsAbstractEventAttackedProtocolDetail = 0
   idsAbstractEventLocationExt = 0
   idsAbstractEventAttackImpact = Localhost May Be Hacked
   idsAbstractEventAttackPenetration = unknown, localhost at least
   idsAbstractEventIDSResponse = raised alarm
   idsAbstractEventIDSAdvisory = CERT advisory xxxxx
   idsAbstractEventVendorSpecificDataValue = 0
}

/* the following is in the idsRawEventTable */
{
   idsRawEventOriginator = syslog-analyzer-1
   idsRawEventIndex = 2300
   idsRawEventGeneralInfo = User Activity Deviation
   idsRawEventDetailedInfo = using gcc 10 times more than normal
   idsRawEventUserID = aaa
   idsRawEventProcessID = 1011
   idsRawEventTimeStamp = Tue Jun 22 17:54:57 EDT 1999
   idsRawEventSourceNetworkAddress = localhost
   idsRawEventTargetNetworkAddress = localhost
   idsRawEventAttackProtocol = 0
   idsRawEventAttackedProtocolDetail = 0
   idsRawEventLocationExt = 0

   idsRawEventOriginator = syslog-analyzer-1
   idsRawEventIndex = 2301
   idsRawEventGeneralInfo = root access attempt
   idsRawEventDetailedInfo = su: incorrect password
   idsRawEventUserID = aaa
   idsRawEventProcessID = 1012
   idsRawEventTimeStamp = Tue Jun 22 17:55:57 EDT 1999
   idsRawEventSourceNetworkAddress = localhost
   idsRawEventTargetNetworkAddress = localhost
   idsRawEventAttackProtocol = 0
   idsRawEventAttackedProtocolDetail = 0
   idsRawEventLocationExt = 0

   ...

   idsRawEventOriginator = syslog-analyzer-1
   idsRawEventIndex = 2305
   idsRawEventGeneralInfo = access control violation
   idsRawEventDetailedInfo = socket: Operation not permitted
   idsRawEventUserID = aaa
   idsRawEventProcessID = 1014
   idsRawEventTimeStamp = Tue Jun 22 17:56:57 EDT 1999
   idsRawEventSourceNetworkAddress = localhost
   idsRawEventTargetNetworkAddress = localhost
   idsRawEventAttackProtocol = 0
   idsRawEventAttackedProtocolDetail = 0
   idsRawEventLocationExt = 0

   ...
}

/* the following is in the idsReferenceTable */
{
   idsReferenceOriginator = syslog-analyzer-1
   idsReferenceIndex = 600
   idsReferenceRawDataTag = 2300

   idsReferenceOriginator = syslog-analyzer-1
   idsReferenceIndex = 601
   idsReferenceRawDataTag = 2301

   idsReferenceOriginator = syslog-analyzer-1
   idsReferenceIndex = 602
   idsReferenceRawDataTag = 2305

   idsReferenceOriginator = syslog-analyzer-1
   idsReferenceIndex = 603
   idsReferenceRawDataTag = 2309

   ...
}

6. Intellectual Property

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11.
Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

7. Acknowledgements

This draft is the product of discussions and deliberations carried out in the IETF intrusion detection message exchange format working group (ietf-idwg-wg).

8. References

[1] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture for Describing SNMP Management Frameworks", RFC 2571, April 1999.

[2] Rose, M. and K. McCloghrie, "Structure and Identification of Management Information for TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

[3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16, RFC 1212, March 1991.

[4] Rose, M., "A Convention for Defining Traps for use with the SNMP", RFC 1215, March 1991.

[5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Structure of Management Information Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.

[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58, RFC 2579, April 1999.

[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, "Conformance Statements for SMIv2", STD 58, RFC 2580, April 1999.

[8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple Network Management Protocol", STD 15, RFC 1157, May 1990.

[9] Case, J., McCloghrie, K., Rose, M.
and S. Waldbusser, "Introduction to Community-based SNMPv2", RFC 1901, January 1996.

[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport Mappings for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1906, January 1996.

[11] Case, J., Harrington, D., Presuhn, R. and B. Wijnen, "Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)", RFC 2572, April 1999.

[12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)", RFC 2574, April 1999.

[13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1905, January 1996.

[14] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC 2573, April 1999.

[15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)", RFC 2575, April 1999.

[16] Wood, M., "Intrusion Detection Exchange Format Requirement", Internet Draft, IETF, July 1999. Work in Progress.

[17] Debar, H. and M. Huang, "Intrusion Detection Exchange Format Data Model", Internet Draft, IETF, August 1999. Work in Progress.

[18] Christey, S., Mann, D. and W. Hill, "Development of a Common Vulnerability Enumeration", RAID'99 Workshop, September 1999.

Security Considerations

Some management objects defined in this MIB have a MAX-ACCESS clause of read-write or read-create. An intruder who can issue SNMP SET operations against the agent can therefore alter or create rows of this MIB, which for an event-correlation MIB means tampering with or forging the recorded intrusion events themselves. Care must be taken to put in place the security provisions of SNMP for authentication and access control. Not all versions of SNMP provide such features; SNMPv1 by itself does not.
Even if the network itself is secure (for example by using IPsec), there is still no control over who on the secure network is allowed to GET (read) and SET (write) the objects in this MIB. It is strongly recommended that implementors use the security features provided by the SNMPv3 framework, specifically the User-based Security Model, RFC 2574 [12], and the View-based Access Control Model, RFC 2575 [15]. It is then the customer's or user's responsibility to ensure that the SNMP entity giving access to an instance of this MIB is configured to give access to these objects only to those principals (users) that have legitimate rights to access them.

Authors' Addresses

S. Felix Wu
Xiao-Liang Zhao
Jim Yuill
Ping Chen
Dept. of Computer Science
North Carolina State University
Box 7550, NCSU Centennial Campus
Raleigh, NC 27695
U.S.A.
Phone: +1-919-515-7920
EMail: wu@eos.ncsu.edu

Mike Erlanger
Department of Computer Science
HMC Aerospace
EMail: mike@cs.hmc.edu

Ming-Yu Huang
Boeing
EMail:

Fengmin Gong
Feiyi Wang
Advance Networking Research
MCNC
EMail: gong@anr.mcnc.org

Full Copyright Statement

"Copyright (C) The Internet Society (date). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
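Worked example for the Section 5 records, added by the editor; it is not part of the draft and the draft defines no code. It shows in Python the three-table structure both Section 5 examples rely on: idsRawEventTable rows are the evidence, idsAbstractEventTable rows are the conclusions, and idsReferenceTable rows map an abstract event's ReferencesBegin..ReferencesEnd range to raw-event indices through RawDataTag. For the Ping-o-Death case it builds constructed sniffer-1 raw events (one per ICMP fragment, 1480 bytes of IP payload each, as in the Section 5 record), applies a signature rule that is an assumption of this example (the fragments reassemble into an IP datagram longer than the 65535-byte limit of the IP total-length field), writes the abstract event plus its reference rows, and then resolves the abstract event back to its evidence exactly as a manager would for the User Activity Anomaly event. The field names are shortened forms of the MIB object names; the 20 ms fragment spacing, the 44+1 fragment split and the index values 1500/1600/105/501 are constructed for the example, and the 0.9 confidence is taken from the Section 5 record.

```python
"""Three-table event correlation modelled on the Section 5 records (example only).

Field names are shortened MIB object names; the Ping-o-Death rule, fragment sizes
and timestamps are constructed for this example, not taken from the draft.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

IP_HDR_LEN = 20          # IPv4 header without options
ICMP_HDR_LEN = 8         # ICMP echo header, carried in the first fragment
MAX_IP_DATAGRAM = 65535  # limit of the 16-bit IP total-length field


@dataclass(frozen=True)
class RawEvent:                 # one idsRawEventTable row
    originator: str
    index: int
    general_info: str
    timestamp: datetime
    src: str
    dst: str
    protocol: str
    packet_size: int            # {PacketSize:...}: IP payload bytes in this fragment


@dataclass(frozen=True)
class Reference:                # one idsReferenceTable row
    originator: str
    index: int
    raw_data_tag: int           # points at idsRawEventIndex of the same originator


@dataclass(frozen=True)
class AbstractEvent:            # one idsAbstractEventTable row (subset of columns)
    originator: str
    index: int
    specific_type: str
    confidence: float
    references_begin: int
    references_end: int
    time_begin: datetime
    time_end: datetime
    src: str
    dst: str
    protocol: str
    detail: dict


class EventStore:
    """In-memory stand-in for the three MIB tables, keyed by (originator, index)."""

    def __init__(self) -> None:
        self.raw: dict = {}
        self.refs: dict = {}
        self.abstract: dict = {}

    def add_raw(self, ev: RawEvent) -> None:
        self.raw[(ev.originator, ev.index)] = ev

    def link(self, ev: AbstractEvent, raw_events: list) -> None:
        """One idsReferenceTable row per piece of evidence, numbered from ReferencesBegin."""
        for offset, raw in enumerate(raw_events):
            ref = Reference(ev.originator, ev.references_begin + offset, raw.index)
            self.refs[(ref.originator, ref.index)] = ref
        self.abstract[(ev.originator, ev.index)] = ev

    def evidence(self, ev: AbstractEvent) -> list:
        """Walk ReferencesBegin..ReferencesEnd and dereference each RawDataTag."""
        found = []
        for i in range(ev.references_begin, ev.references_end + 1):
            ref = self.refs.get((ev.originator, i))
            if ref is not None and (ev.originator, ref.raw_data_tag) in self.raw:
                found.append(self.raw[(ev.originator, ref.raw_data_tag)])
        return found


def correlate_ping_of_death(store: EventStore, fragments: list,
                            abstract_index: int, ref_begin: int) -> Optional[AbstractEvent]:
    """Constructed signature rule: ICMP fragments of one flow whose payloads reassemble
    into an IP datagram longer than 65535 bytes. Returns the linked abstract event or None."""
    flows = {(f.originator, f.src, f.dst, f.protocol) for f in fragments}
    if len(flows) != 1 or fragments[0].protocol != "ICMP":
        return None
    ip_payload = sum(f.packet_size for f in fragments)
    if IP_HDR_LEN + ip_payload <= MAX_IP_DATAGRAM:
        return None                     # reassembles into a legal datagram: no alarm
    times = sorted(f.timestamp for f in fragments)
    ev = AbstractEvent(
        originator=fragments[0].originator, index=abstract_index,
        specific_type="Denial of Service/Net/Ping-o-Death",
        confidence=0.9,                 # value used by the Section 5 record
        references_begin=ref_begin, references_end=ref_begin + len(fragments) - 1,
        time_begin=times[0], time_end=times[-1],
        src=fragments[0].src, dst=fragments[0].dst, protocol="ICMP",
        detail={"PacketSize": ip_payload - ICMP_HDR_LEN, "Fragments": len(fragments)},
    )
    store.link(ev, fragments)
    return ev


def build_fragments(store: EventStore, payload_sizes: list, first_index: int) -> list:
    """Constructed sniffer-1 raw events, one per fragment, 20 ms apart (example data)."""
    t0 = datetime(1999, 6, 22, 17, 34, 57)
    frags = []
    for n, size in enumerate(payload_sizes):
        raw = RawEvent("sniffer-1", first_index + n, "ICMP fragment",
                       t0 + timedelta(milliseconds=20 * n),
                       "152.1.75.161", "152.1.75.170", "ICMP", size)
        store.add_raw(raw)
        frags.append(raw)
    return frags


def demo() -> tuple:
    """Returns (Ping-o-Death event, result for a benign ping, evidence rows resolved)."""
    store = EventStore()
    # 44 full 1480-byte fragments plus a 398-byte tail: 65518 bytes of IP payload,
    # i.e. a 65510-byte ICMP message inside a 65538-byte datagram.
    attack = build_fragments(store, [1480] * 44 + [398], first_index=1500)
    benign = build_fragments(store, [64], first_index=1600)   # ordinary single-fragment ping
    pod = correlate_ping_of_death(store, attack, abstract_index=105, ref_begin=501)
    miss = correlate_ping_of_death(store, benign, abstract_index=106, ref_begin=601)
    return pod, miss, len(store.evidence(pod)) if pod else 0
```

Calling demo() yields the abstract event with PacketSize 65510 and 45 linked reference rows (indices 501 to 545), and None for the benign ping. The reference range in the Section 5 record (501 to 599) is wider than the rows actually present, which evidence() tolerates by skipping indices that have no row, so a manager can reserve a block of reference indices per abstract event without every index being populated.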