
Intrusion Detection Extensible Alert

The specification is nearly definitive. We expect only minor changes.

IDEA stands for Intrusion Detection Extensible Alert. Although a number of models exist for communication between honeypots, agents and detection probes, none of them is widely used, because each carries limitations that hinder general usage. IDEA is an attempt to define present-day requirements and propose foundations for a viable security event model, taking into consideration existing formats together with their benefits and drawbacks.

Many administrators run various types of intrusion detection systems, be it honeypots, analysers of systems or system logs, traffic analysers, NetFlow probes or others. A multitude of data is generated every day; however, most of it stays local. Administrators sieve out what is relevant for them and the rest of the data goes mostly unused.

These amounts of data should not go in vain: what is unusable here might be useful there, even more so when combined and correlated from various sources. Also, in the last couple of years a number of projects for automated incident report exchange have appeared, namely Warden, AbuseHelper, IntelMQ, n6, Megatron, CIF and Prelude.

A format for security event exchange is nothing new: attempts do exist to define languages or formats that would allow such an exchange, but none of them has been very successful. We realize we cannot create the perfect one; there is never a “one size fits all” solution. We would like to hit a middle ground between the complexity of IDMEF and the free spirit and structure (or lack thereof) of AbuseHelper, learn from the pitfalls of existing projects and, based on our experience as members of a CSIRT team, propose solutions to some of them along the way, taking into consideration recent evolution and requirements in the field.

Long story short: for the sake of illustration, this is an example of a JSON-serialized IDEA message describing a synthetic security event.

{
   "Format": "IDEA0",
   "ID": "4390fc3f-c753-4a3e-bc83-1b44f24baf75",
   "CreateTime": "2012-11-03T10:00:02Z",
   "DetectTime": "2012-11-03T10:00:07Z",
   "WinStartTime": "2012-11-03T05:00:00Z",
   "WinEndTime": "2012-11-03T10:00:00Z",
   "EventTime": "2012-11-03T07:36:00Z",
   "CeaseTime": "2012-11-03T09:55:22Z",
   "Category": ["Fraud.Phishing"],
   "Ref": ["cve:CVE-1234-5678"],
   "Confidence": 1,
   "Note": "Synthetic example",
   "ConnCount": 20,
   "Source": [
      {
         "Type": ["Phishing"],
         "IP4": ["192.168.0.2-192.168.0.5", "192.168.0.10/25"],
         "IP6": ["2001:0db8:0000:0000:0000:ff00:0042::/112"],
         "Hostname": ["example.com"],
         "URL": ["http://example.com/cgi-bin/killemall"],
         "Proto": ["tcp", "http"],
         "AttachHand": ["att1"],
         "Netname": ["ripe:IANA-CBLK-RESERVED1"]
      }
   ],
   "Target": [
      {
         "Type": ["Backscatter", "OriginSpam"],
         "Email": ["innocent@example.com"],
         "Spoofed": true
      },
      {
         "IP4": ["10.2.2.0/24"],
         "Anonymised": true
      }
   ],
   "Attach": [
      {
         "Handle": "att1",
         "FileName": ["killemall"],
         "Type": ["Malware"],
         "ContentType": "application/octet-stream",
         "Hash": ["sha1:0c4a38c3569f0cc632e74f4c"],
         "Size": 46,
         "Ref": ["Trojan-Spy:W32/FinSpy.A"],
         "ContentEncoding": "base64",
         "Content": "TVpqdXN0a2lkZGluZwo="
      }
   ],
   "Node": [
      {
         "Name": "cz.cesnet.kippo-honey",
         "Type": ["Protocol", "Honeypot"],
         "SW": ["Kippo"],
         "AggrWin": "00:05:00"
      }
   ]
}
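As an added example (not part of the IDEA specification or of any project's code), the following Python shows how a receiver might sanity-check an incoming message against its own metadata: expand the IP4/IP6 entries (single address, CIDR or first-last range, as in the message above), resolve AttachHand references to Attach handles, and compare the decoded Content with the declared Size and Hash. The checks themselves (which fields are inspected, the timestamp format) are assumptions drawn from the example rather than rules stated on this page; run on the synthetic message it reports that the attachment decodes to 14 bytes while Size claims 46 and that the sha1 digest does not match, which is exactly why a consumer should verify attachment metadata rather than trust it.

```python
import base64
import hashlib
import ipaddress
from datetime import datetime
# Constructed input: the page's synthetic IDEA message, cut to the fields inspected here.
IDEA_MSG = {
    "Format": "IDEA0", "DetectTime": "2012-11-03T10:00:07Z",
    "Source": [{"IP4": ["192.168.0.2-192.168.0.5", "192.168.0.10/25"],
                "IP6": ["2001:0db8:0000:0000:0000:ff00:0042::/112"], "AttachHand": ["att1"]}],
    "Attach": [{"Handle": "att1", "Size": 46, "Hash": ["sha1:0c4a38c3569f0cc632e74f4c"],
                "ContentEncoding": "base64", "Content": "TVpqdXN0a2lkZGluZwo="}]}
def expand_addresses(entries):
    """Turn IDEA address entries (single IP, CIDR or 'first-last' range) into networks."""
    nets = []
    for entry in entries:
        if "-" in entry:  # first-last range, e.g. 192.168.0.2-192.168.0.5
            first, last = (ipaddress.ip_address(p) for p in entry.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:             # CIDR or single address; host bits in the CIDR are tolerated
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def check_attachment(att):
    """Compare attachment metadata (Size, Hash) with the decoded Content."""
    data = att.get("Content", "").encode()
    if att.get("ContentEncoding") == "base64":
        data = base64.b64decode(data)
    problems = []
    if "Size" in att and att["Size"] != len(data):
        problems.append(f"Size says {att['Size']}, content is {len(data)} bytes")
    for h in att.get("Hash", []):
        algo, _, digest = h.partition(":")  # entries look like "sha1:<hex digest>"
        if algo not in hashlib.algorithms_available:
            problems.append(f"unknown hash algorithm {algo}")
        elif hashlib.new(algo, data).hexdigest() != digest.lower():
            problems.append(f"{algo} digest does not match content")
    return problems

def validate(msg):
    """Consumer-side sanity checks: returns source address counts and problems found."""
    problems = [] if msg.get("Format") == "IDEA0" else ["unexpected Format"]
    datetime.strptime(msg["DetectTime"], "%Y-%m-%dT%H:%M:%SZ")  # raises if malformed
    handles = {a["Handle"]: a for a in msg.get("Attach", [])}   # Handle -> Attach entry
    counts = {"IP4": 0, "IP6": 0}
    for src in msg.get("Source", []):
        for key in counts:
            counts[key] += sum(n.num_addresses for n in expand_addresses(src.get(key, [])))
        for hand in src.get("AttachHand", []):  # every reference must resolve to a handle
            problems += check_attachment(handles[hand]) if hand in handles else [f"dangling AttachHand {hand}"]
    return {"addresses": counts, "problems": problems}
```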
Last modified: 01.02.2017 11:13