Go library for authoring and parsing data in IDMEF format (IETF RFC 4765).
IDMEF has a few characteristics which make it attractive to use.
Some SIEMs can use it directly and it can be used as an intermediate format to translate vendor specific events to vendor specific consumers. Some formats of consideration are AWS CloudTrail (both CloudTrail>IDMEF and IDMEF>CloudTrail) and Google Chronicle (IDMEF>Chronicle).
There are two sets of Message structs, one for authoring and one for parsing. The reason is due to Go's lack of support for parsing XML with tag prefixes.
Note on JSON: since these are provided as Go structs, it is very easy to convert to JSON. Today, there are no JSON tags but they may be added in the future after some investigation. The things to investigate are use of camelCase vs. PascalCase for JSON property names: (a) whether both should be used to map to the XML structure or (b) whether only one should be used (likely lower camelCase) to be consistent with JSON.
Use the `go-idmef` (`idmef`) package structs to create the `idmef.Message` struct and then call `xml.Marshal()` or `idmef.Message.Bytes()`.
Example messages from the RFC are available in the `testdata` folder in both XML and Go code. These are compared in the [tests](unmarshal/).
See the `unmarshal.ReadFile()` function for an example of parsing an IDMEF XML file.
This list shows the defined objects. See the RFC model overview for reference.
The examples in RFC 4765 are included and tested in this repo. Go and XML representations are provided, parsed and compared. The following is a list of the examples in RFC 4765, with the RFC's descriptions.
- `idmef` is the authoring package and creates XML with the `idmef` tag prefix.
- `unmarshal` is the parsing package, which reads in XML files but does not support the `idmef` tag prefix due to Go issue 9519. Unmarshal or parse a file using `unmarshal` to receive a `*unmarshal.Message`, which can then be converted to an authoring struct with `*unmarshal.Message.Common()`.
- `timestamp.Timestamp` is based on code from `github.com/coreos/mantle`, under the Apache 2.0 license, which is MIT compatible. That is a large, archived codebase with many dependencies.
- `diffmatchpatch` from `github.com/sergi/go-diff` was used during development to analyze failed test results.
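As an added illustration (not the go-idmef package's own code) of why the authoring and parsing struct sets are separate: with `encoding/xml`, a tag written to emit `idmef:` on output does not match on input, because the decoder resolves the prefix to its namespace URI, so parsing needs namespace-qualified tags and a `Common()`-style conversion takes the parsed struct back to the authoring one. The struct shapes, `Bytes`, `Parse` and `AuthoringStructParses` are assumptions of this example; the namespace `http://iana.org/idmef` is the one RFC 4765 declares.

```go
package main

import "encoding/xml"

// RFC 4765 namespace; these structs are a constructed minimal IDMEF subset, not go-idmef's own types.
const idmefNS = "http://iana.org/idmef"
// Authoring side: the literal "idmef:" prefix in the tag is the only way to
// make encoding/xml emit prefixed element names (golang/go#9519).
type AuthorMessage struct {
	XMLName xml.Name    `xml:"idmef:IDMEF-Message"`
	XMLNS   string      `xml:"xmlns:idmef,attr"`
	Version string      `xml:"version,attr"`
	Alert   AuthorAlert `xml:"idmef:Alert"`
}
type AuthorAlert struct {
	MessageID      string         `xml:"messageid,attr"`
	Classification Classification `xml:"idmef:Classification"`
}
type Classification struct {
	Text string `xml:"text,attr"`
}
// Bytes plays the role of idmef.Message.Bytes() on the page (constructed).
func (m *AuthorMessage) Bytes() ([]byte, error) { return xml.Marshal(m) }
// Parsing side: the decoder resolves "idmef:" to the namespace URI, so tags
// are "URI local-name"; the authoring tags above never match on input.
type ParseMessage struct {
	XMLName xml.Name   `xml:"http://iana.org/idmef IDMEF-Message"`
	Version string     `xml:"version,attr"`
	Alert   ParseAlert `xml:"http://iana.org/idmef Alert"`
}
type ParseAlert struct {
	MessageID      string         `xml:"messageid,attr"`
	Classification Classification `xml:"http://iana.org/idmef Classification"`
}
// Parse reads prefixed IDMEF XML with the parsing structs.
func Parse(b []byte) (*ParseMessage, error) {
	var m ParseMessage
	err := xml.Unmarshal(b, &m)
	return &m, err
}
// Common converts a parsed message back into an authoring struct, the role
// the page gives *unmarshal.Message.Common() (this one is constructed).
func (m *ParseMessage) Common() *AuthorMessage {
	return &AuthorMessage{XMLNS: idmefNS, Version: m.Version,
		Alert: AuthorAlert{MessageID: m.Alert.MessageID, Classification: m.Alert.Classification}}
}
// AuthoringStructParses is false for prefixed input: the decoder reports
// "expected element type <idmef:IDMEF-Message> but have <IDMEF-Message>".
func AuthoringStructParses(b []byte) bool { return xml.Unmarshal(b, &AuthorMessage{}) == nil }
```

Marshalling an `AuthorMessage` yields `<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" ...>`, which `Parse` reads back and `Common()` re-emits byte for byte, while unmarshalling the same bytes into `AuthorMessage` fails on the root element name.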