TERENA'S Incident Object Description and Exchange Format Requirements
RFC 3067 IODEF Requirements February 2001
2. Introduction
This document defines requirements for the Incident Object
Description and Exchange Format (IODEF), which is the intended
product of the Incident Taxonomy Working Group (ITDWG) at TERENA [2].
IODEF is planned to be a standard format that allows CSIRTs to
exchange operational and statistical information; it may also provide
a basis for the development of compatible and interoperable tools
for Incident recording, tracking and exchange.
Another aim is to extend the work of the IETF IDWG (currently focused
on an Intrusion Detection exchange format and communication protocol)
to the description of incidents as higher-level elements in Network
Security. This will involve CSIRTs and issues related to their
constituencies.
The IODEF set of documents, of which this document is the first, will
contain the IODEF Data Model and XML DTD specification. Further
discussion of this document will take place on the ITDWG mailing
lists <[email protected]> or <[email protected]>; archives
are available respectively at
http://hypermail.terena.nl/incident-taxonomy-list/mail-archive/ and
http://hypermail.terena.nl/iodef-list/mail-archive/
2.1. Rationale
This work is based on attempts to establish cooperation and
information exchange between leading/advanced CSIRTs in Europe and
among the FIRST community. These CSIRTs understand the advantages of
information exchange and cooperation in processing, tracking and
investigating security incidents.
Computer Incidents are becoming distributed and international, and
involve many CSIRTs across borders, languages and cultures. Post-
Incident exchange of information and statistics is important for
future Incident prevention and for improving Internet security. The
key element for information exchange in all these cases is a common
format for Incident (Object) description.
It is probable that, in further development or implementation, IODEF
will be used for forensic purposes. This means that an Incident
description must be unambiguous and must allow for future custody
(archiving/documentation) features.
Arvidsson, et al. Informational