IDMEF and IODEF

Reference

The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is.

digraph Reference {
	graph [bb="0,0,195,113",
		rankdir=LR
	];
	node [label="\N"];
	Reference	 [height=1.5694,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#5c3d1f" HREF="/idmef_parser/IDMEF/Reference.html" TITLE="The Reference class provides the &quot;name&quot; of an alert, or other information allowing the manager to determine what it is. ">Reference</td> </tr>" %<tr><td BGCOLOR="#996633"  HREF="/idmef_parser/IDMEF/Reference.html" TITLE="The name of the alert, from one of the origins listed below.">[STRING] name (1) </td></tr>%<tr><td BGCOLOR="#996633"  HREF="/idmef_parser/IDMEF/Reference.html" TITLE="A URL at which the manager (or the human operator of the manager) can find additional information about the alert.  The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.">[STRING] url (1) </td></tr>%<tr><td BGCOLOR="#996633"  HREF="/idmef_parser/IDMEF/Reference.html" TITLE="The source from which the name of the alert originates. The permitted values for this attribute are shown below.  The default value is &quot;unknown&quot;.  (See also Section 10.)">[ENUM] origin (Required) </td></tr>%<tr><td BGCOLOR="#996633"  HREF="/idmef_parser/IDMEF/Reference.html" TITLE="The meaning of the reference, as understood by the alert provider.  This field is only valid if the value of the &lt;origin&gt; attribute is set to &quot;vendor-specific&quot; or &quot;user-specific&quot;.">[STRING] meaning (Optional) </td></tr>%</table>>,
		pos="97.5,56.5",
		shape=plaintext,
		width=2.7083];
}

Aggregates

name (1)

The name of the alert, from one of the origins listed below.

url (1)

A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.

Attributes

origin (Required)

The source from which the name of the alert originates. The permitted values for this attribute are shown below. The default value is "unknown". (See also Section 10.)

Rank	Keyword	Description
0	unknown	Origin of the name is not known
1	vendor-specific	A vendor-specific name (and hence, URL); this can be used to provide product-specific information
2	user-specific	A user-specific name (and hence, URL); this can be used to provide installation-specific information
3	bugtraqid	The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid)
4	cve	The Common Vulnerabilities and Exposures (CVE) name (http://cve.mitre.org/)
5	osvdb	The Open Source Vulnerability Database (http://www.osvdb.org)

meaning (Optional)

The meaning of the reference, as understood by the alert provider. This field is only valid if the value of the attribute is set to "vendor-specific" or "user-specific".