Power of the IDMEF format
The power of a SIEM rests largely on the richness and the relevance of the format on which it bases itself. In this domain, Prelude uses the most powerful and most standard format available today.
Prelude SIEM implements the IDMEF format for handling alerts. IDMEF (Intrustion Detection Message Exchange Format) is a format defined by the IETF RFC 4765 and in 4766. It was the subject of an IETF working group for several years. The IDWG Working Group (Intrusion Detection Work Group) consisted of members such as IBM, MIT, Cisco, Nokia, the Mitre and the Prelude Team.
The primary objective of defining the size IDMEF was to improve the processing capabilities automation of the probes and the SIEMs to increase these tools detection capabilities, particularly through the correlation and to simplify the work of the operators.
In 2015, as part of www.secef.net project, a project supported by the DGA to promote and improve IDMEF and IODEF alert formats, the SSIR CentraleSupelec team conducted a comparative study of the main alert formats available on the market.
The summary of the study is presented in the table below:
| Format | IDMEF | CEF | LEEF | CIM | CEE | CADF |
|---|---|---|---|---|---|---|
| FIELDS NUMBER | 166 | 117 | 50 | 58 | 56 | 48 |
| NORMALIZED FIELDS NUMBER | 259 | 84 | 49 | 48 | 49 | 76 |
| TRANSLATABLE FIELDS NUMBER | 259 | 65 | 20 | 29 | 39 | 72 |
| UNTRANSLATABLE BUT RELEVANT FIELDS NUMBER | 0 | 15 | 11 | 11 | 5 | 3 |
| UNTRANSLATABLE AND SLIGHTLY RELEVANT FIELDS NUMBER | 0 | 4 | 18 | 8 | 5 | 1 |
| RELEVANT FIELDS NUMBER | 248 | 80 | 31 | 40 | 44 | 75 |
| COVERAGE OF THE IDMEF FORMAT | 100 % | 25 % | 8% | 11 % | 15 % | 28 % |
| RELATIVE RICHNESS COMPARED TO IDMEF | 100 % | 32 % | 13 % | 16 % | 18 % | 30 % |
| Format | IDMEF | CEF | LEEF | CIM | CEE | CADF |
|---|---|---|---|---|---|---|
| ORIGIN | IETF-RFC 4765 | HP-ArcSight | IBM-QRadar | DMTF | Mitre | Open Group |
| EXPRESSIVENESS | +++ | ++ | - | + | +? | ++ |
| STRUCTURATION | +++ | -- | -- | + | - | ++ |
This study highlights two features of IDMEF compared to its proprietary competitors:
- A greater expressiveness than its competitors. Combined with the power of the correlator and Prelude filter modules, that high content can more effectively handle alerts thereby improve detection capabilities. This transfer processing to the tool the analyst can be use 24/7 by non-experts of first level teams.
- A structuring better than its competitors. With this structure, the alerts and threats information displayed in Prelude interfaces reflects more the network reality. The progress between the different probes and manager, for example, is very easily represented and enables a simpler and better treatment and more compartmentalized for medium to large-sized information systems.
As part of the SECEF project, the IDMEF format has been proposed for developments and enrichments that will strengthen its superiority over its competitors.