Bug #213

LML rulesets should be updated to use IDMEF Action

Added by Yoann VANDOORSELAERE about 12 years ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
% Done: 0%

Description

Current rulesets (except modsecurity) do not make use of the IDMEF Action class.

4.2.6.2.  The Action Class

   The Action class is used to describe any actions taken by the
   analyzer in response to the event. 
   category

      The type of action taken.  The permitted values are shown below.
      The default value is "other".  (See also Section 10.)

   +------+-------------------+----------------------------------------+
   | Rank | Keyword           | Description                            |
   +------+-------------------+----------------------------------------+
   |    0 | block-installed   | A block of some sort was installed to  |
   |      |                   | prevent an attack from reaching its    |
   |      |                   | destination.  The block could be a     |
   |      |                   | port block, address block, etc., or    |
   |      |                   | disabling a user account.              |
   |      |                   |                                        |
   |    1 | notification-sent | A notification message of some sort    |
   |      |                   | was sent out-of-band (via pager,       |
   |      |                   | e-mail, etc.).  Does not include the   |
   |      |                   | transmission of this alert.            |
   |      |                   |                                        |
   |    2 | taken-offline     | A system, computer, or user was taken  |
   |      |                   | offline, as when the computer is shut  |
   |      |                   | down or a user is logged off.          |
   |      |                   |                                        |
   |    3 | other             | Anything not in one of the above       |
   |      |                   | categories.                            |
   +------+-------------------+----------------------------------------+

      The element itself may be empty, or may contain a textual
      description of the action, if the analyzer is able to provide
      additional details.
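Added example, not code from this ticket or from the Prelude-LML project: a small Python emulation of how an LML rule maps a matched log line onto IDMEF paths, setting assessment.action only when the logging analyzer actually did something (a block installed, a block removed) and leaving it out of purely informational events. The rules, syslog lines and rule ids are constructed for illustration; the category normalization is this example's own check against the four RFC 4765 keywords, not LML behaviour.

```python
import re
from typing import Dict, List, Optional

# IDMEF Action categories (RFC 4765 section 4.2.6.2); "other" is the default.
ACTION_CATEGORIES = ("block-installed", "notification-sent", "taken-offline", "other")
ACTION_CATEGORY_PATH = "assessment.action(0).category"

# Constructed rules written in the shape of Prelude-LML rule bodies: a regex plus
# IDMEF path assignments (LML convention: the leading "alert." is omitted) whose
# $N references are replaced by the regex capture groups. Not Prelude's own ruleset.
RULES: List[Dict] = [
    {   # fail2ban installed a block: the analyzer took an action, so record it.
        "id": 9001,
        "regex": r"fail2ban\.actions\S*: \w+ \[(\S+)\] Ban (\S+)",
        "idmef": {
            "classification.text": "Fail2ban ban",
            "assessment.impact.severity": "medium",
            "source(0).node.address(0).address": "$2",
            "assessment.action(0).category": "block-installed",
            "assessment.action(0).description": "fail2ban jail $1 banned $2",
        },
    },
    {   # Removing a block is an action too, but none of the keywords fits it.
        "id": 9002,
        "regex": r"fail2ban\.actions\S*: \w+ \[(\S+)\] Unban (\S+)",
        "idmef": {
            "classification.text": "Fail2ban unban",
            "assessment.impact.severity": "info",
            "source(0).node.address(0).address": "$2",
            "assessment.action(0).category": "other",
            "assessment.action(0).description": "fail2ban jail $1 unbanned $2",
        },
    },
    {   # Informational event: the analyzer acted on nothing, so no Action at all.
        "id": 9003,
        "regex": r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port (\d+)",
        "idmef": {
            "classification.text": "Remote Login",
            "assessment.impact.severity": "info",
            "source(0).node.address(0).address": "$3",
            "target(0).user.user_id(0).name": "$2",
        },
    },
]


def substitute(template: str, match: re.Match) -> str:
    """Expand $N to the Nth capture group, as LML does for rule values."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def normalize_category(value: str) -> str:
    """Clamp an Action category to the RFC enumeration; unknown keywords become "other"."""
    return value if value in ACTION_CATEGORIES else "other"


def apply_rules(line: str) -> Optional[Dict[str, str]]:
    """Return the IDMEF paths the first matching rule sets for a log line, or None."""
    for rule in RULES:
        match = re.search(rule["regex"], line)
        if match is None:
            continue
        alert = {path: substitute(value, match) for path, value in rule["idmef"].items()}
        if ACTION_CATEGORY_PATH in alert:
            alert[ACTION_CATEGORY_PATH] = normalize_category(alert[ACTION_CATEGORY_PATH])
        return alert
    return None


# Constructed syslog lines, one per rule above.
LOG_LINES = [
    "Jun  1 10:00:01 bastion fail2ban.actions[1234]: NOTICE [sshd] Ban 203.0.113.7",
    "Jun  1 10:00:05 bastion fail2ban.actions[1234]: NOTICE [sshd] Unban 203.0.113.7",
    "Jun  1 10:00:09 bastion sshd[2222]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2",
]


def summarize(lines: List[str]) -> List[Optional[str]]:
    """Action category each line yields (None when the matching rule sets no Action)."""
    out = []
    for line in lines:
        alert = apply_rules(line)
        out.append(alert.get(ACTION_CATEGORY_PATH) if alert else None)
    return out


if __name__ == "__main__":
    for line, category in zip(LOG_LINES, summarize(LOG_LINES)):
        print(f"{str(category):18} <- {line}")
```

In an actual LML .rules file the same mapping is a `regex=...;` line followed by path assignments such as `assessment.action(0).category=block-installed;` and `assessment.action(0).description=...;`, which is the pattern the modsecurity ruleset already follows. The point of the third rule is the negative case: an alert about an event the analyzer merely observed should carry no Action element, since the class describes what the analyzer did in response, not what happened.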

History

#1 Updated by about 12 years ago

  • Status changed from New to Assigned

#2 Updated by Yoann VANDOORSELAERE almost 10 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (93)

#3 Updated by Yoann VANDOORSELAERE almost 10 years ago

  • Target version set to 0.9.15

#4 Updated by Jean-Charles ROGEZ over 5 years ago

  • Assignee deleted (59)
  • Target version changed from 0.9.15 to 121

#5 Updated by Thomas ANDREJAK over 3 years ago

  • Target version changed from 121 to Prelude OSS 3.0.0

#6 Updated by Thomas ANDREJAK almost 3 years ago

  • Target version changed from Prelude OSS 3.0.0 to Prelude OSS 3.1.0

#7 Updated by Thomas ANDREJAK over 2 years ago

  • Status changed from Assigned to New
  • Target version changed from Prelude OSS 3.1.0 to Prelude OSS 4.0.0

#8 Updated by Thomas ANDREJAK over 1 year ago

  • Target version changed from Prelude OSS 4.0.0 to Prelude OSS 4.1.0

#9 Updated by Thomas ANDREJAK 4 months ago

  • Target version changed from Prelude OSS 4.1.0 to Prelude OSS 5.0.0

#10 Updated by Thomas ANDREJAK 4 months ago

  • Target version changed from Prelude OSS 5.0.0 to Prelude OSS 5.1.0
