
TERENA's Incident Object Description and Exchange Format Requirements (RFC3067)

IP.com Disclosure Number: IPCOM000005261D
Original Publication Date: 2001-Feb-01
Included in the Prior Art Database: 2001-Aug-20
Document File: 18 page(s) / 37K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

J. Arvidsson: AUTHOR [+4]

Abstract

The purpose of the Incident Object Description and Exchange Format is to define a common data format for the description, archiving and exchange of information about incidents between CSIRTs (Computer Security Incident Response Teams) (including alert, incident in investigation, archiving, statistics, reporting, etc.). This document describes the high-level requirements for such a description and exchange format, including the reasons for those requirements. Examples are used to illustrate the requirements where necessary.

This text was extracted from an ASCII text document.
This is the abbreviated version, containing approximately 9% of the total text.

Network Working Group                                       J. Arvidsson
Request for Comments: 3067                                    Telia CERT
Category: Informational                                       A. Cormack
                                                              JANET-CERT
                                                            Y. Demchenko
                                                                  TERENA
                                                               J. Meijer
                                                                 SURFnet
                                                           February 2001

TERENA's Incident Object Description and Exchange Format Requirements

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

1. Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [1].

Arvidsson, et al. Informational [Page 1]

RFC 3067 IODEF Requirements February 2001

2. Introduction

This document defines requirements for the Incident Object Description and Exchange Format (IODEF), which is the intended product of the Incident Taxonomy Working Group (ITDWG) at TERENA [2]. IODEF is planned to be a standard format which allows CSIRTs to exchange operational and statistical information; it may also provide a basis for the development of compatible and interoperable tools for incident recording, tracking and exchange.

Another aim is to extend the work of the IETF IDWG (currently focused on an intrusion detection exchange format and communication protocol) to the description of incidents as higher-level elements in network security. This will involve CSIRTs and their constituency-related issues.

The IODEF set of documents, of which this document is the first, will contain the IODEF Data Model and XML DTD specification. Further discussion of this document will take place on the ITDWG mailing lists; archives are available at http://hypermail.terena.nl/incident-taxonomy-list/mail-archive/ and http://hypermail.terena.nl/iodef-list/mail-archive/

2.1. Rationale

This work is based on attempts to establish cooperation and information exchange between leading/advanced CSIRTs in Europe and among the FIRST community. These CSIRTs understand the advantages of information exchange and cooperation in processing, tracking and investigating security incidents.

Computer incidents are becoming distributed and international and involve many CSIRTs across borders, languages and cultures. Post-incident information and statistics exchange is important for future incident prevent...