IDMEF vs IODEF: (9)
11. IDMEF doesn't contain the elements Attack and Vulnerability because:
- Attack is a confirmed intrusion that is being handled by the CSIRT/humans;
- Vulnerability is covered by the Classification element.
However, it looks a bit indefinite as a sub-element of Alert, whose DTD content model is:
(Analyzer, CreateTime, DetectTime?, AnalyzerTime?, Source*, Target*, Classification+, ToolAlert?, OverflowAlert?, CorrelationAlert?, AdditionalData*)
The Classification class provides the "name" of an alert, or other information allowing the manager to determine what it is (for example, to decide whether or not to display the alert on-screen, what color to display it in, etc.).
The Classification class is composed of two aggregate classes: name (of the vulnerability) and url.
TBC: What’s the relation between Alert and Attack?
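As an added example (not from the original slides or the IDMEF drafts), a small manager-side parser that reads the Classification children of an Alert and applies the kind of display decision described above. The sample alert, the "origin" attribute and the rule that a "cve" origin triggers highlighting are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample alert following the element order of the Alert content
# model above (Analyzer, CreateTime, ..., Classification+). The "origin"
# attribute and its values are assumed here, not taken from a real feed.
SAMPLE_ALERT = """<Alert ident="a1">
  <Analyzer analyzerid="ids-1"/>
  <CreateTime>2001-01-01T12:00:00Z</CreateTime>
  <Source><Node><Address category="ipv4-addr">
    <address>192.0.2.10</address></Address></Node></Source>
  <Classification origin="vendor-specific">
    <name>Example worm probe</name>
    <url>http://example.invalid/sig/1</url>
  </Classification>
  <Classification origin="cve">
    <name>CVE-EXAMPLE-0001</name>
    <url>http://example.invalid/cve/EXAMPLE-0001</url>
  </Classification>
</Alert>"""


def classifications(alert_xml):
    """Return (origin, name, url) for every Classification child of the Alert.

    Enforces the two constraints visible in the model: an Alert carries at
    least one Classification (Classification+), and each one carries a name.
    """
    root = ET.fromstring(alert_xml)
    if root.tag != "Alert":
        raise ValueError("not an Alert element")
    out = []
    for c in root.findall("Classification"):
        name = c.findtext("name")
        if name is None:
            raise ValueError("Classification without name")
        out.append((c.get("origin", "unknown"), name, c.findtext("url")))
    if not out:
        raise ValueError("Alert requires at least one Classification")
    return out


def display_policy(alert_xml):
    """Manager decision: label the alert with its first Classification name and
    highlight it when any Classification carries a vulnerability identifier
    (assumed convention: origin == "cve")."""
    cls = classifications(alert_xml)
    label = cls[0][1]
    highlight = any(origin == "cve" for origin, _, _ in cls)
    return label, highlight
```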