AirCERT: libIH



    LibIH, the Incident Handling library, is a library for generating XML documents that conform to various computer security data representation standards (which are themselves in different states of development).

    Three XML data representation formats are supported, each targeting a different level of abstraction in computer security.

    Standards efforts cannot exist in a vacuum; they must be implemented in operational systems. LibIH makes it possible to easily build programs, such as AirCERT, that make use of these standards by providing the following functionality for manipulating security event data:

    • a generic tree (DOM-like) data structure and the associated primitives to represent the XML document and manipulate any of its component objects (e.g., packet headers, log entries, contact information);
    • an XML-parsing engine (built on top of expat) that converts XML documents conforming to the supported DTDs into the generic tree data structure; and
    • a configurable output mechanism that can be used to turn a libIH tree into an XML document conforming to the appropriate DTD (with no hard-coding of tags, attributes, etc.).
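    The three components above, as an added illustration written for this page rather than libIH's own code: since the page notes libIH has no Python binding, this models the architecture (generic tree, expat-driven parser, DTD-agnostic writer) in Python on the standard library's expat module, and the sample alert document is constructed.

```python
# Added illustration (not libIH's API) of the page's three components, on stdlib expat.
from xml.parsers.expat import ParserCreate
from xml.sax.saxutils import escape, quoteattr

class Node:
    """Generic DOM-like node: element name, attributes, children, text."""
    def __init__(self, name, attrs=None):
        self.name, self.attrs = name, dict(attrs or {})
        self.children, self.text = [], ""

    def find(self, name):
        """Depth-first search for the first descendant element called name."""
        for child in self.children:
            if child.name == name:
                return child
            hit = child.find(name)
            if hit is not None:
                return hit
        return None

def parse(xml_bytes):
    """expat callbacks push and pop a stack to build the generic tree."""
    root, stack = Node("#document"), []
    parser = ParserCreate()
    def start(name, attrs):
        node = Node(name, attrs)
        (stack[-1] if stack else root).children.append(node)
        stack.append(node)
    def chars(data):
        if stack:
            stack[-1].text += data
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return root.children[0]

def serialize(node, indent=0):
    """Emit XML from the tree; names come from the tree (DTD-agnostic), leaf text is escaped."""
    pad = "  " * indent
    attrs = "".join(f" {k}={quoteattr(v)}" for k, v in node.attrs.items())
    if not node.children:
        return f"{pad}<{node.name}{attrs}>{escape(node.text.strip())}</{node.name}>\n"
    inner = "".join(serialize(c, indent + 1) for c in node.children)
    return f"{pad}<{node.name}{attrs}>\n{inner}{pad}</{node.name}>\n"

# Constructed sample alert-style document (not taken from the page).
SAMPLE = b"""<Alert messageid="1"><Analyzer analyzerid="ids-01"/>
<Classification text="Port &amp; scan"/></Alert>"""
```

Round-tripping SAMPLE through parse() and serialize() shows that the writer re-escapes the ampersand the parser decoded, without knowing anything about the Alert vocabulary.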

    At this time, libIH is meant to be used from C (and possibly C++) programs. There are no run-time bindings for Java, Perl, Python, or any other language.

    The current code base was designed and tested on Linux and OpenBSD, but should be usable without change (although untested) on other Unix platforms as well as Windows.

    LibIH is licensed under the LGPL.


    AirCERT
    Copyright 2002-2003 Carnegie Mellon University