IDEF Working Group S.F. Wu, X. Zhao, J. Yuill, P. Chen
INTERNET-DRAFT NC State University
draft-wu-ids-eventcorr-mib-01.txt M. Erlanger
HMC/Aerospace
F. Gong, F. Wang
MCNC
M.Y. Huang
Boeing
October 21, 1999
Intrusion Detection System Event Correlation MIB
<draft-wu-ids-eventcorr-mib-01.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet Drafts are working documents of the Internet Engineering
Task Force (IETF), its Areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet- Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This memo defines, using the MIB format, the data model for
intrusion event correlation. In particular, it defines how the
relationship among low-level and high-level events can be
represented, and how this information model can be extended to
support different type of intrusion detection and security
management applications.
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 1]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
Table of Contents
1. The SNMP Network Management Framework ......................... ?
2. Problems addressed and goals .................................. 4
3. MIB design .................................................... 5
4. The Intrusion Detection System Event MIB ...................... 7
5. Examples to use IDS Event MIB ................................. 7
6. Intellectual Property .........................................17
7. Acknowledgements ..............................................17
8. References ....................................................18
Security Considerations ...........................................20
Authors' Addresses ................................................21
Full Copyright Statement ..........................................22
1. The SNMP Network Management Framework
The SNMP Network Management Framework presently consists of five
major components:
o An overall architecture, described in RFC 2571 [1].
o Mechanisms for describing and naming objects and events for the
purpose of management. The first version of this Structure of
Management Information (SMI) is called SMIv1 and described in
RFC 1155 [2], RFC 1212 [3] and RFC 1215 [4]. The second version,
called SMIv2, is described in RFC 1902 [5], RFC 1903 [6] and RFC
1904 [7].
o Message protocols for transferring management information. The
first version of the SNMP message protocol is called SNMPv1 and
described in RFC 1157 [8]. A second version of the SNMP message
protocol, which is not an Internet standards track protocol, is
called SNMPv2c and described in RFC 1901 [9] and RFC 1906 [10].
The third version of the message protocol is called SNMPv3 and
described in RFC 1906 [10], RFC 2572 [11] and RFC 2574 [12].
o Protocol operations for accessing management information. The
first set of protocol operations and associated PDU formats is
described in RFC 1157 [8]. A second set of protocol operations
and associated PDU formats is described in RFC 1905 [13].
o A set of fundamental applications described in RFC 2573 [14] and
the view-based access control mechanism described in RFC 2575
[15].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. Objects in the MIB are
defined using the mechanisms defined in the SMI.
This memo specifies a MIB module that is compliant to the SMIv2. A
MIB conforming to the SMIv1 can be produced through the appropriate
translations. The resulting translated MIB must be semantically
equivalent, except where objects or events are omitted because no
translation is possible (use of Counter64). Some machine readable
information in SMIv2 will be converted into textual descriptions in
SMIv1 during the translation process. However, this loss of machine
readable information is not considered to change the semantics of the
MIB.
2. Problems addressed and goals
The emergence of collaborated attacks in recent years requires IDS
technology to move ahead to a new frontier, where different IDSs
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 2]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
work in a distributed and cooperated fashion. Basically they need
talk to others and talk in a same 'language', which should be in a
common format and unambiguous, as well as has enough descriptive
power. For practical reason, it should be easily implemented and
involves little overheads.
A few internet drafts [???] have been proposed to represent the
data format for intrusion information/events. And, a few commercial
products such as ISS's RealSecure provide an interface to access
and interact with intrusion detection information and systems. A
typical example is the interaction between RealSecure and
Checkpoint firewall using "opsec."
However, none of the current works addressed the issue of
correlation among events in different levels of abstraction. For
instance, when the IDS detected a portscan attack, how detailed
should IDS report to the security manager? How does the manager
find out whether it is a slow portscan or how many machines or IP
addresses (please note that some of the "ghost" addresses might
have been scanned) have been scanned and in what rate?
For another example, when an IDS detected a SynFlood attack, how
will it report the details if the security manager is interested in
knowing: how many SynFlood packets? how long? How about source IP
addresses -- are they the same or random? If random, what are they?
What we have today is a set of non-structure events, and their
relationship is not uniformally represented. Our objective in this
proposal is to define a structure to relate low-level and
high-level events as well as a framework to extend new relations.
3. MIB design
In the real world, people often describe an event with a tuple of
five elements: <WHERE, WHEN, WHO, WHAT, HOW>. Borrowed from this
idea, our MIB also use the same tuple to describe the attacks in
the cyberspace. Our MIB organizes the information of an event into
these five categories. 'WHERE' contains the information on where
an attack is launched, where is the target and where this event is
observed. 'WHEN' is a timestamp of a event, which specifies the
beginning time, ending time of an event and/or the informaiton of
frequency or times of occurrences. 'WHO' will indicate which IDS
observed the event and, if possible, which user and/or process
triggered it. 'WHAT' records the detailed information, such as
protocol type, protocol-specific data, and packet content. The
links between abstract events and raw events specify 'HOW', which
we will explain in the following.
Most of currently developed or developing IDSs fall into two
categories: signature-based IDS and statistic-based IDS.
Signature-based IDSs use signature recognition approach to detect
intrusions, which can be implemented, for example, by finite state
machines. Under this approach, a set of low level "raw" events will
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 3]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
trigger the state transitions. When such a finite state machine
stopped in a particular critical state, a particular intrusion has
been detected and thus a high level abstract event is generated.
Statistic-based IDSs use statistical approach which monitors
deviations from a long-term profile. A single significant
deviation can be regarded as a raw event. When an IDS detects a
list of deviations and believes an intrusion is in progress, an
abstract event can be produced. Therefore, in order to represent
the relations among raw and high-level events, we use another
table, reference table, to link abstract event with corresponding
raw events, which specify the 'HOW' as we explained above.
4. The Intrusion Detection System Event Correlation MIB
idsEventMIB DEFIITIONS ::= BEGIN
IMPORTS
TRAP-TYPE
FROM RFC-1215
PhysAddress, DisplayString
FROM RFC1213-MIB
OBJECT-TYPE
FROM RFC-1212
TimeTicks, Gauge, Counter
FROM RFC1155-SMI
MODULE-IDENTITY, OBJECT-TYPE,
experimental, Integer32, Unsigned32,
NOTIFICATION-TYPE
FROM SNMPv2-SMI
mib-2
FROM RFC1213-MIB
TEXTUAL-CONVENTION, RowStatus,
TimeStamp, DisplayString,
AutonomousType, DateAndTime
FROM SNMPv2-TC
MODULE-COMPLIANCE, OBJECT-GROUP
FROM SNMPv2-CONF
FailureReason
FROM NOTIFICATION-MIB
SnmpTagValue
FROM SNMP-TARGET-MIB
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB;
idsEvent MODULE-IDENTITY
LAST-UPDATED "990625"
ORGANIZATION "NCSU."
CONTACT-INFO
"
S. Felix Wu
Tel: +1-919-515-7920
E-mail: wu@csc.ncsu.edu
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 4]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
Xiaoliang Zhao
Tel: +1-919-513-1894
E-mail: xzhao@unity.ncsu.edu
Ping Chen
Tel: +1-919-513-1894
E-mail: pchen3@unity.ncsu.edu
"
DESCRIPTION
"The MIB module for exchanging information
between IDS systems."
::= { experimental }
--
-- textual conventions
--
Utf8String ::= TEXTUAL-CONVENTION
DISPLAY-HINT "255a"
STATUS current
DESCRIPTION
"To facilitate internationalization, this TC
represents information taken from the ISO/IEC IS
10646-1 character set, encoded as an octet string
using the UTF-8 character encoding scheme described
in RFC 2044 [11]. For strings in 7-bit US-ASCII,
there is no impact since the UTF-8 representation
is identical to the US-ASCII encoding."
SYNTAX OCTET STRING (SIZE (0..255))
idsEvents OBJECT IDENTIFIER ::= { idsEventMIB 1 }
--
-- idsAbstractEventTable
--
idsAbstractEventTable OBJECT-TYPE
SYNTAX SEQUENCE OF idsAbstractEventEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"Table of abstract events originated by IDS."
::= { idsEvents 1 }
idsAbstractEventEntry OBJECT-TYPE
SYNTAX idsAbstractEventEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing high level information
about a suspicious event."
::= { idsAbstractEventTable 1 }
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 5]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsAbstractEventEntry ::= SEQUENCE {
idsAbstractEventOriginator SnmpAdminString
idsAbstractEventIndex INTEGER(1..2147483647)
idsAbstractEventGeneralType Utf8String
idsAbstractEventSpecificType Utf8String
idsAbstractEventConfidency INTEGER(0..100)
idsAbstractEventReferencesBegin OBJECT IDENTIFIER
idsAbstractEventReferencesEnd OBJECT IDENTIFIER
idsAbstractEventReasoningModelID Utf8String
idsAbstractEventUserID Utf8String
idsAbstractEventProcessID INTEGER(0..65535)
idsAbstractEventTimeBegin TimeStamp
idsAbstractEventTimeEnd TimeStamp
idsAbstractEventInterval INTEGER(0..65535)
idsAbstractEventSourceNetworkAddress IPAddress
idsAbstractEventTargetNetworkAddress IPAddress
idsAbstractEventAttackedProtocol Utf8String
idsAbstractEventAttackedProtocolDetail OCTET STRING (SIZE (0..2048))
idsAbstractEventLocationExt OCTET STRING (SIZE (0..2048))
idsAbstractEventAttackImpact DisplayString
idsAbstractEventAttackPenetration DisplayString
idsAbstractEventIDSResponse DisplayString
idsAbstractEventIDSAdvisory DisplayString
idsAbstractEventVendorSpecificDataValue OCTET STRING (SIZE \
(0..2048))
}
idsAbstractEventOriginator OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The ID agent name who generate the event, which should be unique
in a management domain."
::= { idsAbstractEventEntry 1 }
idsAbstractEventIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An index that uniquely identifies an entry in the abstract
event table. These indices are assigned beginning with 1 and
increase by one with each new entry. The agent may choose to
delete the instances of idsAbstractEventEntry as required
because of lack of memory. It is an implementation
specific matter as to when this deletion may occur and
as to which entries are deleted."
::= { idsAbstractEventEntry 2 }
idsAbstractEventGeneralType OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 6]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
STATUS current
DESCRIPTION
"A general type to facilitate the classfication of attacks,
e.g. network based attack vs host based attack, misuse or
anomaly, etc."
::= { idsAbstractEventEntry 3 }
idsAbstractEventSpecificType OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Using CVE [18] recommendations, which provide an uniform naming
space, to identify the attack type known by IDS, e.g. Denial of
Service/Net/Teardrop or Map/Net/Tcp Scan."
::= { idsAbstractEventEntry 4 }
idsAbstractEventConfidency OBJECT-TYPE
SYNTAX INTEGER(0..100)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To which degree, IDS believe it is an attack."
::= { idsAbstractEventEntry 5 }
idsAbstractEventReferencesBegin OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The index value of the beginning raw in the idsReferenceTable.
Pairing with idsAbstractEventReferencesEnd, we can locate all
of the raw event which uncovered this attack."
::= { idsAbstractEventEntry 6 }
idsAbstractEventReferencesEnd OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To point to the ending raw in the idsReferenceTable."
::= { idsAbstractEventEntry 7 }
idsAbstractEventReasoningModelID OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To specify the relationship between abstract events and raw events.
e.g., abstract events come from the signature recognition or anomaly
detection of a list of raw events."
::= { idsAbstractEventEntry 8 }
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 7]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsAbstractEventUserID OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If possible, specify who launched the attack."
::= { idsAbstractEventEntry 9 }
idsAbstractEventProcessID OBJECT-TYPE
SYNTAX INTEGER(0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If possible, specify which process was involved in the attack."
::= { idsAbstractEventEntry 10 }
idsAbstractEventTimeBegin OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When is the first time IDS noticed the attack."
::= { idsAbstractEventEntry 11 }
idsAbstractEventTimeEnd OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"when is the last raw event occurred related with this attack."
::= { idsAbstractEventEntry 12 }
idsAbstractEventInterval OBJECT-TYPE
SYNTAX INTEGER(0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To measure the intensity of an attack, i.e. how many related
raw events occurred within a specific period."
::= { idsAbstractEventEntry 13 }
idsAbstractEventSourceNetworkAddress OBJECT-TYPE
SYNTAX IPAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To specify the source of a network based attack, maybe variable."
::= { idsAbstractEventEntry 14 }
idsAbstractEventTargetNetworkAddress OBJECT-TYPE
SYNTAX IPAddress
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 8]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The target of a network based attack, maybe variable."
::= { idsAbstractEventEntry 15 }
idsAbstractEventAttackedProtocol OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Which protocol(s) is attacked, The format of this field must
follow Network Protocol Name/Transportation Protocol
Name/Application Protocol Name, e.g. TCP, TCP/BGP, IP/TCP/HTTP."
::= { idsAbstractEventEntry 16 }
idsAbstractEventAttackedProtocolDetail OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..2048))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The detailed protocol-specific information. For each protocol
specified in idsAbstractEventAttackedProtocol, here has a
corresponding list of <name,value> pairs which contains
protocol-specific data. The list will be enclosed in a pair of
braces and be seperated by slash from each other. The synax of
<name,value> pair will be "name=value;". For example, if
idsAbstractEventAttackedProtocol = TCP/HTTP, then
idsAbstractEventAttackedProtocolDetail = {source
port=1234;}/{url=www4.ncsu.edu/~xzhao;method=get;}
::= { idsAbstractEventEntry 17 }
idsAbstractEventLocationExt OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..2048))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If it is not a TCP/IP network, provide all necessary information
here about the source, target, and detailed data."
::= { idsAbstractEventEntry 18 }
idsAbstractEventAttackImpact OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To indicate the potential impact of the attack, as required by
IDWG."
::= { idsAbstractEventEntry 19 }
idsAbstractEventAttackPenetration OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 9]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
STATUS current
DESCRIPTION
"To indicate the degree of the penetration achieved by the attack."
:= { idsAbstractEventEntry 20 }
idsAbstractEventIDSResponse OBJECT-TYPE
SYNTAX DisplayString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The automatic actions taken by the IDS in the response to the
event (if any)."
::= { idsAbstractEventEntry 21 }
idsAbstractEventIDSAdvisory OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An advisory from a noted authority such as CERT."
::= { idsAbstractEventEntry 22 }
idsAbstractEventVendorSpecificDataValue OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..2048))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To define vendor specific data."
::= { idsAbstractEventEntry 23 }
--
-- ids RawEventTable
--
idsRawEventTable OBJECT-TYPE
SYNTAX SEQUENCE OF idsRawEventEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The table of raw events caught by IDS."
::= { idsEvents 2 }
idsRawEventEntry OBJECT-TYPE
SYNTAX idsRawEventEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table, containing all necessary information
about a raw event."
:= { idsRawEventTable 1 }
idsRawEventEntry ::= SEQUENCE {
idsRawEventOrigator SnmpAdminString
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 10]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsRawEventIndex INTEGER(1..2147483647)
idsRawEventGeneralInfo Utf8String
idsRawEventDetailedInfo OCTET STRING (SIZE (0..8192))
idsRawEventUserID Utf8String
idsRawEventProcessID INTEGER(0..65535)
idsRawEventTimeStamp TimeStamp
idsRawEventSourceNetworkAddress IPAddress
idsRawEventTargetNetworkAddress IPAddress
idsRawEventAttackedProtocol Utf8String
idsRawEventAttackedProtocolDetail OCTET STRING (SIZE (0..2048))
idsRawEventLocationExt OCTET STRING (SIZE (0..2048))
}
idsRawEventOriginator OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The IDS name who record the raw event."
::= { idsRawEventEntry 1 }
idsRawEventIndex OBJECT-TYPE
SYNTAX INTEGER(1..2147483647)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"An unique value for each raw event. It is recommended that values
are assigned continousely starting from 1."
::= { idsRawEventEntry 2 }
idsRawEventGeneralInfo OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A general description of raw event, e.g. it is a abnomaly from
users normal behavior or a failed attempt of a connection."
::= { idsRawEventEntry 3 }
idsRawEventDetailedInfo OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..8192))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The most detailed information about raw event should be put here,
e.g. in a network based attack, the data portion in IP packet is
the most detailed information."
::= { idsRawEventEntry 4 }
idsRawEventUserID OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 11]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
DESCRIPTION
"If possible, put user name here."
::= { idsRawEventEntry 5 }
idsRawEventProcessID OBJECT-TYPE
SYNTAX INTEGER(0..65535)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If possible, put process ID here."
::= { idsRawEventEntry 6 }
idsRawEventTimeStamp OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"When this raw event occurred."
::= { idsRawEventEntry 7 }
idsRawEventSourceNetworkAddress OBJECT-TYPE
SYNTAX IPAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Where the attack is launched."
::= { idsRawEventEntry 8 }
idsRawEventTargetNetworkAddress OBJECT-TYPE
SYNTAX IPAddress
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Who is the target."
::= { idsRawEventEntry 9 }
idsRawEventAttackedProtocol OBJECT-TYPE
SYNTAX Utf8String
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Which protocol(s) is attacked. The format is the same as
described in the DESCRIPTION of
idsAbstractEventAttackedProtocol."
::= { idsRawEventEntry 10 }
idsRawEventAttackedProtocolDetail OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..2048))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The detailed protocol-specific information. The format is the
same as described in the DESCRIPTION of
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 12]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsAbstractEventAttackedProtocolDetail."
::= { idsRawEventEntry 11 }
idsRawEventLocationExt OBJECT-TYPE
SYNTAX OCTET STRING (SIZE (0..2048))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If it is not a TCP/IP network, provide all necessary information
here about the source, target, and detailed data."
::= { idsRawEventEntry 12 }
--
-- idsReferenceTable
--
idsReferenceTable OBJECT-TYPE
SYNTAX SEQUENCE OF idsReferenceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This table is a bridge between abstract events and raw events.
One abstract event is supported by a list of raw events. These
raw events' index is continously stored in the table thus be
able to be located by specifying the beginning and ending points."
::= { idsEvents 3 }
idsReferenceEntry OBJECT-TYPE
SYNTAX idsReferenceEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry in the table. Each entry contains one raw events index
which support the abstract event."
::= { idsReferenceTable 1 }
idsReferenceEntry ::= SEQUENCE {
idsReferenceOriginator SnmpAdminString
idsReferenceIndex INTEGER(0..2147483647)
idsReferenceRawEventTag OBJECT IDENTIFIER
}
idsReferenceOriginator OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"Who create this entry, generally it is the IDS agent name."
::= { idsReferenceEntry 1 }
idsReferenceIndex OBJECT-TYPE
SYNTAX INTEGER(0..2147483647)
MAX-ACCESS read-only
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 13]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
STATUS current
DESCRIPTION
"The unique index in the table. All entries between a particular
starting point and ending point are related to the same abstract
event."
::= { idsReferenceEntry 2 }
idsReferenceRawEventTag OBJECT-TYPE
SYNTAX OBJECT IDENTIFIER
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"To point the corresponding raw event's index in idsRawEventTable."
::= { idsReferenceEntry 3 }
-- Conformance information
idsEventConformance OBJECT IDENTIFIER ::= { idsEventMIB 2 }
idsEventGroups OBJECT IDENTIFIER ::= { idsEventConformance 1 }
idsEventCompliances OBJECT IDENTIFIER ::= { idsEventConformance 2 }
-- Compliance statements
idsEventsCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities
which implement the
INTRUSION-DETECTION-EVENT-MIB."
MODULE -- this module
MANDATORY-GROUPS {
idsAbstractEventGroup,
idsRawEventGroup,
idsReferenceGroup
}
::= { idsEventCompliances 1 }
-- Units of conformance
idsAbstractEventGroup OBJECT-GROUP
OBJECTS {
idsAbstractEventOriginator,
idsAbstractEventIndex,
idsAbstractEventGeneralType,
idsAbstractEventSpecificType,
idsAbstractEventConfidency,
idsAbstractEventReferencesBegin,
idsAbstractEventReferencesEnd,
idsAbstractEventReasoningModelID,
idsAbstractEventUserID,
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 14]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsAbstractEventProcessID,
idsAbstractEventTimeBegin,
idsAbstractEventTimeEnd,
idsAbstractEventInterval,
idsAbstractEventSourceNetworkAddress,
idsAbstractEventTargetNetworkAddress,
idsAbstractEventAttackedProtocol,
idsAbstractEventAttackedProtocolDetail,
idsAbstractEventLocationExt,
idsAbstractEventAttackImpact,
idsAbstractEventAttackPenetration,
idsAbstractEventIDSResponse,
idsAbstractEventIDSAdvisory,
idsAbstractEventVendorSpecificDataValue
}
STATUS current
DESCRIPTION
" A collection of information to describe the high-level
abstract event."
::= { idsEventGroups 1 }
idsRawEventGroup OBJECT-GROUP
OBJECTS {
idsRawEventOrigator,
idsRawEventIndex,
idsRawEventGeneralInfo,
idsRawEventDetailedInfo,
idsRawEventUserID,
idsRawEventProcessID,
idsRawEventTimeStamp,
idsRawEventSourceNetworkAddress,
idsRawEventTargetNetworkAddress,
idsRawEventAttackedProtocol,
idsRawEventAttackedProtocolDetail,
idsRawEventLocationExt
}
STATUS current
DESCRIPTION
" A collection of information to describe the low-level
raw event."
::= { idsEventGroups 2 }
idsReferenceGroup OBJECT-GROUP
OBJECTS {
idsReferenceOriginator,
idsReferenceIndex,
idsReferenceRawEventTag
}
STATUS current
DESCRIPTION
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 15]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
" A collection of objects for generation and
despatch ofmessages pertaining to intrusions
detected."
::= { idsEventGroups 3 }
END
5. Examples to use IDS Event MIB
In the following examples, we define 2 special values: if all bits
are 0, it means no value avaiable for the corresponding field, while all
bits 1 means any value is possible.
- Port Scanning attack:
Port scanning is usually the first step of a real attack, by which
attackers try to gather information of the victim. Once they find a
running service has security hole, they can exploit it and launch an
attack.
/* the following record is in idsAbstractEventTable */
{
idsAbstractEventOriginator = sniffer-1
idsAbstractEventIndex = 103
idsAbstractEventGeneralType = network, misuse
idsAbstractEventSpecificType = Map/Net/Tcp Scan
idsAbstractEventConfidency = 0.85
idsAbstractEventReferencesBegin = 400
idsAbstractEventReferencesEnd = 500
idsAbstractEventReasoningModelID = Signature Recognition
idsAbstractEventUserID = 0 (unknown user)
idsAbstractEventProcessID = 0 (unknown PID, not root PID)
idsAbstractEventTimeBegin = Tue Jun 22 17:34:57 EDT 1999
idsAbstractEventTimeEnd = Tue Jun 22 17:40:21 EDT 1999
idsAbstractEventInterval = 20 packets / second
idsAbstractEventSourceNetworkAddress = 152.1.75.161
idsAbstractEventTargetNetworkAddress = 152.1.75.160
idsAbstractEventAttackedProtocol = TCP
idsAbstractEventAttackedProtocolDetail = {SrcPort:65535;DestPort:65535;}
idsAbstractEventLocationExt = 0
idsAbstractEventAttackImpact = Configuration Info. Disclosure
idsAbstractEventAttackPenetration = localhost only
idsAbstractEventIDSResponse = raised alarm
idsAbstractEventIDSAdvisory = CERT advisory xxxxx
idsAbstractEventVendorSpecificDataValue = 0
}
/* the following is in the idsRawEventTable */
{
idsRawEventOriginator = sniffer-1
idsRawEventIndex = 1300
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 16]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsRawEventGeneralInfo = failed connection
idsRawEventDetailedInfo = 0
idsRawEventUserID = 0
idsRawEventProcessID = 0
idsRawEventTimeStamp = Tue Jun 22 17:34:57 EDT 1999
idsRawEventSourceNetworkAddress = 152.1.75.161
idsRawEventTargetNetworkAddress = 152.1.75.160
idsRawEventAttackProtocol = TCP
idsRawEventAttackedProtocolDetail = {SrcPort:2300;DestPort:5;}
idsRawEventLocationExt = 0
idsRawEventOriginator = sniffer-1
idsRawEventIndex = 1301
idsRawEventGeneralInfo = half connection
idsRawEventDetailedInfo = 0
idsRawEventUserID = 0
idsRawEventProcessID = 0
idsRawEventTimeStamp = Tue Jun 22 17:35:57 EDT 1999
idsRawEventSourceNetworkAddress = 152.1.75.161
idsRawEventTargetNetworkAddress = 152.1.75.160
idsRawEventAttackProtocol = TCP
idsRawEventAttackedProtocolDetail = {SrcPort:2301;DestPort:7;}
idsRawEventLocationExt = 0
...
idsRawEventOriginator = sniffer-1
idsRawEventIndex = 1305
idsRawEventGeneralInfo = half connection
idsRawEventDetailedInfo = 0
idsRawEventUserID = 0
idsRawEventProcessID = 0
idsRawEventTimeStamp = Tue Jun 22 17:36:57 EDT 1999
idsRawEventSourceNetworkAddress = 152.1.75.161
idsRawEventTargetNetworkAddress = 152.1.75.160
idsRawEventAttackProtocol = TCP
idsRawEventAttackedProtocolDetail = {SrcPort:2302;DestPort:23;}
idsRawEventLocationExt = 0
...
}
/* the following is in the idsReferenceTable */
{
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 400
idsReferenceRawDataTag = 1300
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 401
idsReferenceRawDataTag = 1301
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 17]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 402
idsReferenceRawDataTag = 1305
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 403
idsReferenceRawDataTag = 1309
...
}
- Ping-O-Death Event
Ping-O-Death is a kind of attack that attackers send very large
packet to crash network module of some systems.
/* the following record is in idsAbstractEventTable */
{
idsAbstractEventOriginator = sniffer-1
idsAbstractEventIndex = 105
idsAbstractEventGeneralType = network, misuse
idsAbstractEventSpecificType = Denial of Services/
Net/Ping-o-Death
idsAbstractEventConfidency = 0.9
idsAbstractEventReferencesBegin = 501
idsAbstractEventReferencesEnd = 599
idsAbstractEventReasoningModelID = Signature Recognition
idsAbstractEventUserID = 0 (unknown user)
idsAbstractEventProcessID = 0 (unknown PID, not root PID)
idsAbstractEventTimeBegin = Tue Jun 22 17:34:57 EDT 1999
idsAbstractEventTimeEnd = Tue Jun 22 17:54:21 EDT 1999
idsAbstractEventInterval = 50 packets / second
idsAbstractEventSourceNetworkAddress = 152.1.75.161
idsAbstractEventTargetNetworkAddress = 152.1.75.170
idsAbstractEventAttackedProtocol = ICMP
idsAbstractEventAttackedProtocolDetail = {PacketSize:65510}
idsAbstractEventLocationExt = 0
idsAbstractEventAttackImpact = system crash
idsAbstractEventAttackPenetration = localhost only
idsAbstractEventIDSResponse = raised alarm
idsAbstractEventIDSAdvisory = CERT advisory xxxxx
idsAbstractEventVendorSpecificDataValue = 0
}
/* the following is in the idsRawEventTable */
{
idsRawEventOriginator = sniffer-1
idsRawEventIndex = 1500
idsRawEventGeneralInfo = defragmented ICMP packet
idsRawEventDetailedInfo = 0
idsRawEventUserID = 0
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 17]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsRawEventProcessID = 0
idsRawEventTimeStamp = Tue Jun 22 17:34:57 EDT 1999
idsRawEventSourceNetworkAddress = 152.1.75.161
idsRawEventTargetNetworkAddress = 152.1.75.170
idsRawEventAttackProtocol = ICMP
idsRawEventAttackedProtocolDetail = {PacketSize:1480;}
idsRawEventLocationExt = 0
idsRawEventOriginator = sniffer-1
idsRawEventIndex = 1501
idsRawEventGeneralInfo = defragmented ICMP packet
idsRawEventDetailedInfo = 0
idsRawEventUserID = 0
idsRawEventProcessID = 0
idsRawEventTimeStamp = Tue Jun 22 17:35:57 EDT 1999
idsRawEventSourceNetworkAddress = 152.1.75.161
idsRawEventTargetNetworkAddress = 152.1.75.170
idsRawEventAttackProtocol = ICMP
idsRawEventAttackedProtocolDetail = {PacketSize:1480;}
idsRawEventLocationExt = 0
...
idsRawEventOriginator = sniffer-1
idsRawEventIndex = 1505
idsRawEventGeneralInfo = defragmented ICMP packet
idsRawEventDetailedInfo = 0
idsRawEventUserID = 0
idsRawEventProcessID = 0
idsRawEventTimeStamp = Tue Jun 22 17:36:57 EDT 1999
idsRawEventSourceNetworkAddress = 152.1.75.161
idsRawEventTargetNetworkAddress = 152.1.75.170
idsRawEventAttackProtocol = ICMP
idsRawEventAttackedProtocolDetail = {PacketSize:1480;}
idsRawEventLocationExt = 0
...
}
/* the following is in the idsReferenceTable */
{
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 501
idsReferenceRawDataTag = 1500
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 502
idsReferenceRawDataTag = 1501
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 503
idsReferenceRawDataTag = 1505
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 18]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsReferenceOriginator = sniffer-1
idsReferenceIndex = 504
idsReferenceRawDataTag = 1509
...
}
- User Activity Anomaly Event:
User Activity Anomaly generally means a user's behavior significantly
deviated from his normal profile. For example, a user usually just
uses word processing software, suddenly, he seems begin to use
compliers more. That indicates his account maybe has been
compromised.
/* the following record is in idsAbstractEventTable */
{
idsAbstractEventOriginator = syslog-analyzer-1
idsAbstractEventIndex = 106
idsAbstractEventGeneralType = host, anomaly
idsAbstractEventSpecificType = User Activity Anomaly
idsAbstractEventConfidency = 0.67
idsAbstractEventReferencesBegin = 600
idsAbstractEventReferencesEnd = 700
idsAbstractEventReasoningModelID = Anomaly Detection
idsAbstractEventUserID = aaa
idsAbstractEventProcessID = 65535
idsAbstractEventTimeBegin = Tue Jun 22 17:54:57 EDT 1999
idsAbstractEventTimeEnd = Tue Jun 22 18:10:21 EDT 1999
idsAbstractEventInterval = 0.1 activities / second
idsAbstractEventSourceNetworkAddress = localhost
idsAbstractEventTargetNetworkAddress = localhost
idsAbstractEventAttackedProtocol = 0
idsAbstractEventAttackedProtocolDetail = 0
idsAbstractEventLocationExt = 0
idsAbstractEventAttackImpact = Localhost May Be Hacked
idsAbstractEventAttackPenetration = unknown, localhost at least
idsAbstractEventIDSResponse = raised alarm
idsAbstractEventIDSAdvisory = CERT advisory xxxxx
idsAbstractEventVendorSpecificDataValue = 0
}
/* the following is in the idsRawEventTable */
{
idsRawEventOriginator = syslog-analyzer-1
idsRawEventIndex = 2300
idsRawEventGeneralInfo = User Activity Deviation
idsRawEventDetailedInfo = using gcc 10 times than normal
idsRawEventUserID = aaa
idsRawEventProcessID = 1011
idsRawEventTimeStamp = Tue Jun 22 17:54:57 EDT 1999
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 19]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsRawEventSourceNetworkAddress = localhost
idsRawEventTargetNetworkAddress = localhost
idsRawEventAttackProtocol = 0
idsRawEventAttackedProtocolDetail = 0
idsRawEventLocationExt = 0
idsRawEventOriginator = syslog-analyzer-1
idsRawEventIndex = 2301
idsRawEventGeneralInfo = root access attempt
idsRawEventDetailedInfo = su: incorrect password
idsRawEventUserID = aaa
idsRawEventProcessID = 1012
idsRawEventTimeStamp = Tue Jun 22 17:55:57 EDT 1999
idsRawEventSourceNetworkAddress = localhost
idsRawEventTargetNetworkAddress = localhost
idsRawEventAttackProtocol = 0
idsRawEventAttackedProtocolDetail = 0
idsRawEventLocationExt = 0
...
idsRawEventOriginator = syslog-analyzer-1
idsRawEventIndex = 2305
idsRawEventGeneralInfo = access control violation
idsRawEventDetailedInfo = socket: Operation not permitted
idsRawEventUserID = aaa
idsRawEventProcessID = 1014
idsRawEventTimeStamp = Tue Jun 22 17:56:57 EDT 1999
idsRawEventSourceNetworkAddress = localhost
idsRawEventTargetNetworkAddress = localhost
idsRawEventAttackProtocol = 0
idsRawEventAttackedProtocolDetail = 0
idsRawEventLocationExt = 0
...
}
/* the following is in the idsReferenceTable */
{
idsReferenceOriginator = syslog-analyzer-1
idsReferenceIndex = 600
idsReferenceRawDataTag = 2300
idsReferenceOriginator = syslog-analyzer-1
idsReferenceIndex = 601
idsReferenceRawDataTag = 2301
idsReferenceOriginator = syslog-analyzer-1
idsReferenceIndex = 602
idsReferenceRawDataTag = 2305
idsReferenceOriginator = syslog-analyzer-1
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 20]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
idsReferenceIndex = 603
idsReferenceRawDataTag = 2309
...
}
6. Intellectual Property
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
7. Acknowledgements
This draft is the product of discussions and deliberations carried
out in the IETF intrusion detection message exchange format working
group (ietf-idwg-wg).
8. References
[1] D. Harrington, R. Presuhn and B. Wijnen, "An Architecture for
Describing SNMP Management Frameworks", RFC 2571, April 1999.
[2] Rose, M. and K. McCloghrie, "Structure and Identification of
Management Information for TCP/IP-based Internets", STD 16, RFC
1155, May 1990.
[3] Rose, M. and K. McCloghrie, "Concise MIB Definitions", STD 16,
RFC 1212, March 1991.
[4] Rose, M., "A Convention for Defining Traps for use with the
SNMP", RFC 1215, March 1991.
[5] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Structure of Management Information
Version 2 (SMIv2)", STD 58, RFC 2578, April 1999.
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 21]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
[6] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Textual Conventions for SMIv2", STD 58,
RFC 2579, April 1999.
[7] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose,
M. and S. Waldbusser, "Conformance Statements for SMIv2", STD
58, RFC 2580, April 1999.
[8] Case, J., Fedor, M., Schoffstall, M. and J. Davin, "Simple
Network Management Protocol", STD 15, RFC 1157, May 1990.
[9] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser,
"Introduction to Community-based SNMPv2", RFC 1901, January
1996.
[10] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Transport
Mappings for Version 2 of the Simple Network Management Protocol
(SNMPv2)", RFC 1906, January 1996.
[11] Case, J., Harrington D., Presuhn R. and B. Wijnen, "Message
Processing and Dispatching for the Simple Network Management
Protocol (SNMP)", RFC 2572, April 1999.
[12] Blumenthal, U. and B. Wijnen, "User-based Security Model (USM)
for version 3 of the Simple Network Management Protocol
(SNMPv3)", RFC 2574, April 1999.
[13] Case, J., McCloghrie, K., Rose, M. and S. Waldbusser, "Protocol
Operations for Version 2 of the Simple Network Management
Protocol (SNMPv2)", RFC 1905, January 1996.
[14] Levi, D., Meyer, P. and B. Stewart, "SNMPv3 Applications", RFC
2573, April 1999.
[15] Wijnen, B., Presuhn, R. and K. McCloghrie, "View-based Access
Control Model (VACM) for the Simple Network Management Protocol
(SNMP)", RFC 2575, April 1999.
[16] M. Wood, "Intrusion Detection Exchange Format Requirement",
Internet Draft, IETF, July 1999. Work in Progress.
[17] H. Debar and M. Huang, "Intrusion Detection Exchange Format Data
Model", Internet Draft, IETF, August 1999. Work in Progress.
[18] S. Christey, Mann, and Hill, "Development of a common
vunerability enumeration." Workshop RAID99, Sep, 99
Security Considerations
There are management objects defined in this MIB that have a MAX-
ACCESS clause of read-write and read-create. There is the risk that
an intruder can alter or create any management objects of this MIB
via direct SNMP SET operations. So, care must be taken to put in
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 22]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
place the security provisions of SNMP for authentication and access
control. Not all versions of SNMP provide features for such a
secure environment.
SNMPv1 by itself is such an insecure environment. Even if the
network itself is secure (for example by using IPSec), even then,
there is no control as to who on the secure network is allowed to
access and GET (read) and SET (write) the objects in this MIB.
It is strongly recommended that the implementors consider the security
features as provided by the SNMPv3 framework. Specifically, the use
of the User-based Security Model RFC 2274 [12] and the View-based
Access Control Model RFC 2275 [15] is recommended.
It is then a customer/user responsibility to ensure that the SNMP
entity giving access to an instance of this MIB, is properly
configured to give access to those objects only to those principals
(users) that have legitimate rights to access them.
Authors' Addresses
S. Felix Wu
Xiao-Liang Zhao
Jim Yuill
Ping Chen
Dept. of Computer Science
North Carolina State University
Box 7550, NCSU Centennial Campus
Raleigh, NC 27695
U.S.A.
Phone: +1-919-515-7920
EMail: wu@eos.ncsu.edu
Mike Erlanger
Department of Computer Science
HMC
Aerospace
EMail: mike@cs.hmc.edu
Ming-Yu Huang
Boeing
EMail:
Fengmin Gong
Feiyi Wang
Advance Networking Research
MCNC
EMail: gong@anr.mcnc.org
Wu, Zhao, Yuill, Chen, Erlanger, Huang, Gong, Wang [page 23]
�
INTERNET-DRAFT IDS Event Correlation October 21, 1999
Full Copyright statement
"Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."