Prelude Standards

IDMEF Standard

Since Prelude handles events from different kinds of sensors, a generic event description language had to be chosen. Prelude uses the Intrusion Detection Message Exchange Format (IDMEF) as the common language for reporting events.

The purpose of IDMEF is to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to the management systems which may need to interact with them.

IDMEF is intended to be a standard data format that automated intrusion detection systems can use to report alerts about events that they deem suspicious. The development of this standard format enables interoperability among commercial, open source, and research systems, allowing users to mix-and-match the deployment of these systems according to their strong and weak points to obtain an optimal implementation.

The IDMEF Experimental RFC is available on the IETF website: http://tools.ietf.org/rfc/rfc4765.txt

IDMEF was originally intended to be an XML language. However, since speed concerns arise when generating and parsing XML, or when converting binary event data to characters, the Prelude project has written its own implementation of the IDMEF specification, using binary structures and preserving the original data types used to carry specific data.

Full IDMEF-XML compliance is preserved, since components like PreludeManager and PreludeImport can output and import XML-based IDMEF within the Prelude system.
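To make the XML form of IDMEF concrete, the following added example (not Prelude code, and not using libprelude or any Prelude component) parses a constructed RFC 4765 Alert message with the Python standard library and flattens the fields a correlation or reporting tool usually wants: analyzer, creation time, classification and references, impact severity, and source/target addresses and ports. It also shows the one structural check a consumer should make before trusting a message, namely that the Alert carries the Classification text that the RFC requires. The sample message, its identifiers and addresses are all made up for the example.

```python
"""Parse a minimal IDMEF (RFC 4765) XML alert into a flat Python record.

Added example: this is not Prelude's code and does not use libprelude;
it relies only on the standard library and a constructed sample message.
"""
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"   # namespace defined by RFC 4765
NS = {"idmef": IDMEF_NS}

# Constructed sample alert (not a real capture): one source, one target,
# a classification with a reference, and an impact assessment.
SAMPLE_ALERT = f"""<idmef:IDMEF-Message xmlns:idmef="{IDMEF_NS}" version="1.0">
  <idmef:Alert messageid="example-0001">
    <idmef:Analyzer analyzerid="sensor-01" name="example-sensor" model="demo"/>
    <idmef:CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464Z</idmef:CreateTime>
    <idmef:Source><idmef:Node>
      <idmef:Address category="ipv4-addr"><idmef:address>192.0.2.10</idmef:address></idmef:Address>
    </idmef:Node></idmef:Source>
    <idmef:Target>
      <idmef:Node>
        <idmef:Address category="ipv4-addr"><idmef:address>192.0.2.20</idmef:address></idmef:Address>
      </idmef:Node>
      <idmef:Service><idmef:port>22</idmef:port><idmef:protocol>tcp</idmef:protocol></idmef:Service>
    </idmef:Target>
    <idmef:Classification text="Example classification">
      <idmef:Reference origin="vendor-specific">
        <idmef:name>EXAMPLE-001</idmef:name>
        <idmef:url>http://example.test/refs/001</idmef:url>
      </idmef:Reference>
    </idmef:Classification>
    <idmef:Assessment><idmef:Impact severity="medium" completion="failed" type="admin"/></idmef:Assessment>
  </idmef:Alert>
</idmef:IDMEF-Message>"""

# Constructed malformed message: the Alert has no Classification element,
# which RFC 4765 makes mandatory, so a consumer should reject it.
BAD_ALERT = f"""<idmef:IDMEF-Message xmlns:idmef="{IDMEF_NS}" version="1.0">
  <idmef:Alert messageid="example-0002">
    <idmef:Analyzer analyzerid="sensor-01"/>
    <idmef:CreateTime>2000-03-09T10:01:25Z</idmef:CreateTime>
  </idmef:Alert>
</idmef:IDMEF-Message>"""


def _addresses(parent):
    """Collect (category, address) pairs from the Node under a Source or Target."""
    return [
        (addr.get("category", "unknown"), addr.findtext("idmef:address", namespaces=NS))
        for addr in parent.findall("idmef:Node/idmef:Address", NS)
    ]


def parse_idmef_alert(xml_text):
    """Return a flat dict for the Alert in an IDMEF-Message; raise ValueError if malformed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IDMEF_NS}}}IDMEF-Message":
        raise ValueError("not an IDMEF-Message document")
    alert = root.find("idmef:Alert", NS)
    if alert is None:
        raise ValueError("no Alert element (Heartbeat messages are not handled here)")
    classification = alert.find("idmef:Classification", NS)
    if classification is None or not classification.get("text"):
        raise ValueError("Alert lacks the required Classification text attribute")
    analyzer = alert.find("idmef:Analyzer", NS)
    create_time = alert.find("idmef:CreateTime", NS)
    impact = alert.find("idmef:Assessment/idmef:Impact", NS)
    return {
        "messageid": alert.get("messageid"),
        "analyzerid": analyzer.get("analyzerid") if analyzer is not None else None,
        "analyzer_name": analyzer.get("name") if analyzer is not None else None,
        "create_time": create_time.text.strip() if create_time is not None and create_time.text else None,
        "classification": classification.get("text"),
        "references": [
            (ref.get("origin", "unknown"), ref.findtext("idmef:name", namespaces=NS))
            for ref in classification.findall("idmef:Reference", NS)
        ],
        "severity": impact.get("severity") if impact is not None else None,
        "sources": [a for src in alert.findall("idmef:Source", NS) for a in _addresses(src)],
        "targets": [a for tgt in alert.findall("idmef:Target", NS) for a in _addresses(tgt)],
        "target_ports": [
            int(p.text) for p in alert.findall("idmef:Target/idmef:Service/idmef:port", NS)
            if p.text and p.text.strip().isdigit()
        ],
    }


def is_valid_idmef_alert(xml_text):
    """True when the message parses and satisfies the checks above, False otherwise."""
    try:
        parse_idmef_alert(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    record = parse_idmef_alert(SAMPLE_ALERT)
    print(f"{record['severity']} {record['classification']}: "
          f"{record['sources']} -> {record['targets']} ports={record['target_ports']}")
    print("BAD_ALERT accepted:", is_valid_idmef_alert(BAD_ALERT))
```

The element and attribute names used (Alert, Analyzer, CreateTime, Source, Target, Node, Address, Service, Classification, Reference, Assessment, Impact) are those defined in RFC 4765; the parser ignores any other child elements, so it tolerates the richer messages a real sensor emits while still refusing an Alert without a classification.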