draft-ietf-mile-jsoniodef-12.txt vs. draft-ietf-mile-jsoniodef-13.txt
(text shared by both versions is shown once; where the versions differ, the variants are labelled -12 and -13)

MILE                                                        T. Takahashi
Internet-Draft                                                      NICT
Intended status: Standards Track                              R. Danyliw
Expires: June 26, 2020 (-12) / August 13, 2020 (-13)                CERT
                                                               M. Suzuki
                                                                    NICT
                           December 24, 2019 (-12) / February 10, 2020 (-13)

                           JSON binding of IODEF
            draft-ietf-mile-jsoniodef-12 / draft-ietf-mile-jsoniodef-13
Abstract

   The Incident Object Description Exchange Format defined in RFC 7970
   provides an information model and a corresponding XML data model for
   exchanging incident and indicator information.  This draft gives
   implementers and operators an alternative format to exchange the same
   information by defining an alternative data model implementation in
   JSON and its encoding in CBOR.
skipping to change at page 1, line 38
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 26, 2020 (-12) / August 13,
   2020 (-13).

Copyright Notice

   Copyright (c) 2019 (-12) / 2020 (-13) IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 23
   2.  IODEF Data Types  . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Abstract Data Type to JSON Data Type Mapping  . . . . . .   3
     2.2.  Complex JSON Types  . . . . . . . . . . . . . . . . . . .   5
       2.2.1.  Integer . . . . . . . . . . . . . . . . . . . . . . .   5
       2.2.2.  Multilingual Strings  . . . . . . . . . . . . . . . .   5
       2.2.3.  Enum  . . . . . . . . . . . . . . . . . . . . . . . .   6
       2.2.4.  Software and Software Reference . . . . . . . . . . .   6
       2.2.5.  Structured Information  . . . . . . . . . . . . . . .   6
       2.2.6.  EXTENSION . . . . . . . . . . . . . . . . . . . . . .   7
   3.  IODEF JSON Data Model . . . . . . . . . . . . . . . . . . . .   7
     3.1.  Classes and Elements  . . . . . . . . . . . . . . . . . .   8
     3.2.  Mapping between JSON and XML IODEF  . . . . . . . . . . .  18
   4.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  19
     4.1.  Minimal Example . . . . . . . . . . . . . . . . . . . . .  19
     4.2.  Indicators from a Campaign  . . . . . . . . . . . . . . .  22
   5.  Mapkeys . . . . . . . . . . . . . . . . . . . . . . . . . . .  26
   6.  The IODEF Data Model (CDDL) . . . . . . . . . . . . . . . . .  30
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  50
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  50
   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  50
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  50
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  50
     10.2.  Informative References . . . . . . . . . . . . . . . . .  51
   Appendix A.  Data Types used in this document . . . . . . . . . .  51
   Appendix B.  The IODEF Data Model (JSON Schema) . . . . . . . . .  52
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  80

   (Table of contents as in -13.  In -12, which has no Mapkeys section,
   the tail reads: 5. The IODEF Data Model (CDDL) 25; 6. IANA
   Considerations 41; 7. Security Considerations 41; 8. Acknowledgments
   41; 9. References 41; 9.1. Normative References 41; 9.2. Informative
   References 42; Appendix A 42; Appendix B 42; Authors' Addresses 71;
   and Sections 3.1, 3.2, and 4.2 start on pages 7, 17, and 21.)
1.  Introduction

   The Incident Object Description Exchange Format (IODEF) [RFC7970]
   defines a data representation for security incident reports and
   indicators commonly exchanged by operational security teams.  It
   facilitates the automated exchange of this information to enable
   mitigation and watch-and-warning.  Section 3 of [RFC7970] defined an
   information model using Unified Modeling Language (UML) and a
   corresponding Extensible Markup Language (XML) schema data model in
skipping to change at page 3, line 16
   processing.  They will streamline incident response operations.

   Another well-used and structured format that is suitable for machine
   processing is JavaScript Object Notation (JSON) [RFC8259].  To
   facilitate the automation of incident response operations, IODEF
   documents and implementations should support JSON representation and
   its encoding in Concise Binary Object Representation (CBOR) [RFC7049].
   This document defines an alternate implementation of the IODEF UML
   information model by specifying a JavaScript Object Notation (JSON)
   data model using Concise Data Definition Language (CDDL) [RFC8610]
   and JSON Schema ([jsonschema] in -12;
   [I-D.handrews-json-schema-validation] in -13).  This JSON data model
   is referred to as IODEF JSON in this document.  IODEF JSON provides
   all of the expressivity of IODEF XML.  It gives implementers and
   operators an alternative format to exchange the same information.

   The normative IODEF JSON data model is found in Section 5 (-12;
   Section 6 in -13).  Section 2 and Section 3 describe the data types
   and elements of this data model.  Section 4 provides examples.
1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119][RFC8174] when, and only when, they appear in all
   capitals, as shown here.
skipping to change at page 5, line 17
   |                 |                  | [RFC8610]                       |
   +-----------------+------------------+---------------------------------+
   | INTEGER         | 0, 1, 6 tag 2,   | integer                         |
   |                 | 6 tag 3          |                                 |
   | REAL            | 7 bits 26        | float32                         |
   | CHARACTER       | 3                | text                            |
   | STRING          | 3                | text                            |
   | ML_STRING       | 5                | Maps/Structs (Section 3.5.1)    |
   | BYTE            | 6 tag 22         | eb64legacy                      |
   | BYTE[]          | 6 tag 22         | eb64legacy                      |
   | HEXBIN          | 6 tag 23         | eb16                            |
   | HEXBIN[]        | 6 tag 23         | eb16                            |
   | ENUM            | -                | Choices (Section 2.2.2)         |
   | DATETIME        | 6 tag 0          | tdate                           |
   | TIMEZONE        | 3                | text                            |
   | PORTLIST        | 3                | text                            |
   | POSTAL          | 3                | ML_STRING (Section 2.2.1)       |
   | PHONE           | 3                | text                            |
   | EMAIL           | 3                | text                            |
   | URL             | 6 tag 32         | uri                             |
   | ID              | 3                | text                            |
   | IDREF           | 3                | text                            |
   +-----------------+------------------+---------------------------------+

   (HEXBIN and HEXBIN[] rows as in -13; -12 mapped both to CBOR major
   type 2 and CDDL type "bytes".)
skipping to change at page 5, line 50
   An integer is a subset of the "number" type of JSON, representing
   signed digits encoded in base 10.  This integer follows the
   "[ minus ] int" production of [RFC8259], Section 6.
2.2.2.  Multilingual Strings

   A string that needs to be represented in a human-readable language
   different from the default encoding of the document is represented in
   the information model by the ML_STRING data type.  This data type is
   implemented as either an object with "value", "lang", and
   "translation-id" elements or a text string as defined in Section 5
   (-12; Section 6 in -13).  An example is shown below.

      "MLStringType": {
        "value": "free-form text",     # STRING
        "lang": "en",                  # ENUM
        "translation-id": "jp2en0023"  # STRING
      }

   Note that in figures throughout this document, some supplementary
   information follows "#", but these are not valid syntax in JSON, but
skipping to change at page 6, line 28
   a representative keyword.  Within the data model, the enumerated type
   keywords are used as attribute values.

2.2.4.  Software and Software Reference

   A particular version of software is represented in the information
   model by the SOFTWARE data type.  This software can be described by
   using a reference, a Uniform Resource Locator (URL) [RFC3986], or
   with free-form text.  The SOFTWARE data type is implemented as an
   object with "SoftwareReference", "URL", and "Description" elements as
   defined in Section 5 (-12; Section 6 in -13).  Examples are shown
   below.

      "SoftwareType": {
        "SoftwareReference": {...},    # SoftwareReference
        "Description": ["MS Windows"]  # STRING
      }

   The SoftwareReference class is a reference to a particular version of
   software.  Examples are shown below.

      "SoftwareReference": {
skipping to change at page 7, line 12
   structure of its extension classes.  The STRUCTUREDINFO data type is
   implemented as an object with "SpecID", "ext-SpecID", "ContentID",
   "RawData", and "Reference" elements.  An example for embedding a
   structured ID is shown below.

      "StructuredInfo": {
        "SpecID": "urn:ietf:params:xml:ns:mile:cwe:3.3",  # ENUM
        "ContentID": "CWE-89"                             # STRING
      }

   -12: When embedding the raw data, base64 encoding defined in Section
   4 of [RFC4648] SHOULD be used for encoding the data, as shown below.

      "StructuredInfo": {
        "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",  # ENUM
        "RawData": "<<<strings encoded with base64>>>"       # BYTE
      }

   Note that the structure of this information is not interpreted in the
   IODEF JSON, and the word 'structured' indicates that the data item
   has internal structure that is intended to be processed outside of
   the IODEF framework.

   -13: When embedding the raw data, it should be encoded as a BYTE type
   object, as shown below.

      "StructuredInfo": {
        "SpecID": "urn:ietf:params:xml:ns:mile:mmdef:1.2",  # ENUM
        "RawData": "<<< encoded structured data >>>"         # BYTE
      }

   When embedding the raw data, base64 encoding defined in Section 4 of
   [RFC4648] SHOULD be used for JSON IODEF while binary representation
   SHOULD be used for CBOR IODEF.
2.2.6.  EXTENSION

   Information not otherwise represented in the IODEF can be added using
   the EXTENSION data type.  This data type is a generic extension
   mechanism.  The EXTENSION data type is implemented as an
   ExtensionType object with "value", "name", "dtype", "ext-dtype",
   "meaning", "formatid", "restriction", "ext-restriction", and
   "observable-id" elements.  An example for embedding a structured ID
   is shown below.

      "ExtensionType": {
        "value": "xxxxxxx",                                 # STRING
        "name": "Syslog",                                   # STRING
        "dtype": "string",                                  # ENUM
        "meaning": "Syslog from the security appliance X"   # STRING
      }

   (-13 adds:) Note that this data type is provided by [RFC7970] as its
   generic extension mechanism.  If a data item has an internal
   structure that is intended to be processed outside of the IODEF
   framework, one may consider using the StructuredInfo data type
   described in Section 2.2.5.

3.  IODEF JSON Data Model
3.1.  Classes and Elements

   The following table shows the list of IODEF Classes, their elements,
   and the corresponding section in [RFC7970].  Note that the complete
   JSON schema is defined in Section 5 (-12; Section 6 in -13) using
   CDDL.

   +-----------------------------+--------------------+---------------+
   | IODEF Class                 | Class              | Corresponding |
   |                             | Elements and       | Section       |
   |                             | Attribute          | in [RFC7970]  |
   +-----------------------------+--------------------+---------------+
   | IODEF-Document              | version            | 3.1           |
   |                             | lang?              |               |
   |                             | format-id?         |               |
   |                             | private-enum-name? |               |
skipping to change at page 18, line 27 (-12) / page 18, line 37 (-13)
   o  ObservableReference class is deleted, and classes with its
      instances now directly have uid-ref as an element.

   o  Record class is deleted, and classes with its instances now
      directly have the instances of RecordData class that used to
      belong to the Record class.

   o  The MLStringType was modified to support simple strings by
      allowing the type to take not only the predefined object type but
      also the text type, so that elements of this type can carry simple
      descriptions.  (-13 adds:) Implementations need to be capable of
      parsing an MLStringType that can take the form of either text or
      an object.

   o  The elements of ML_STRING type in an XML IODEF document are
      presented as either STRING type or ML_STRING type in a JSON IODEF
      document.  (-13 adds:) When converting from an XML IODEF document
      to a JSON one or vice versa, the information contained in the
      original data of ML_STRING type must be preserved.  When STRING is
      used instead of ML_STRING, parsers can assume that its xml:lang is
      set to "en".  Otherwise it is expected that both receiver and
      sender have some external method to agree upon the language used
      in this field.

   o  Data models of the extension classes defined by [RFC7203] and
      referenced by [RFC7970] are represented by the StructuredInfo
      class defined in this document.

   o  -12: Signature, X509Data, and RawData are encoded with base64 and
      are represented as strings (BYTE type) in JSON IODEF documents.
      -13: Signature, X509Data, and RawData are encoded using base64
      encoding for JSON IODEF and a binary representation for CBOR
      IODEF, representing them as BYTE objects.

   o  EmailBody represents a whole message body including the MIME
      structure, in the same manner as defined in [RFC7970].  In the
      case of an email composed of MIME multiparts, the EmailBody
      contains multiple body parts separated by boundary strings.

   o  The "ipv6-net-mask" type attribute of the BulkObservable class
      remains available for backward compatibility, but its use is not
      recommended because IPv6 does not use netmasks any more.

   o  The ENUM values in this document are extensible and are managed by
      IANA, as with [RFC7970].  (-13 adds:) The values in the table are
      used both by [RFC7970] implementations and by their JSON (and
      CBOR) bindings as specified by this document.

   o  (-13 only) This document uses JSON's "number" type to represent
      integers, which only has full precision for integer values between
      -2**53 and 2**53.  When dealing with integers outside this range,
      this issue needs to be considered.

   o  (-13 only) Binaries are encoded in bytes.  Note that XML IODEF in
      [RFC7970] uses HEXBIN because XML cannot embed binaries as they
      are.
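The two MLStringType forms of Section 2.2.2 and the ML_STRING preservation rule in the bullets above, worked through as an added example (this code is not part of the draft). `parse_ml_string` accepts either the bare text or the object form; `to_json_ml_string` converts an XML IODEF ML_STRING element to the JSON form, collapsing to a bare STRING only when the effective language is "en" and no translation-id is present, since that is the only case a JSON parser can reconstruct. The function names, `XML_LANG` (the standard `xml:` namespace), and the namespace-free `SAMPLE_XML` document are assumptions constructed for the example.

```python
"""Handling MLStringType in both of its JSON forms (added example, not from the draft)."""
import xml.etree.ElementTree as ET

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # the xml:lang attribute
ML_MEMBERS = {"value", "lang", "translation-id"}


def parse_ml_string(value):
    """Accept either MLStringType form and return a dict with 'value' and 'lang'.
    A bare string implies xml:lang "en" (Section 3.2).  An object without 'lang'
    keeps lang=None: the language must then be agreed on out of band."""
    if isinstance(value, str):
        return {"value": value, "lang": "en"}
    if not isinstance(value, dict) or not isinstance(value.get("value"), str):
        raise TypeError("MLStringType must be text or an object with a text 'value'")
    unknown = set(value) - ML_MEMBERS
    if unknown:
        raise ValueError(f"unexpected MLStringType members: {sorted(unknown)}")
    out = {"value": value["value"], "lang": value.get("lang")}
    if "translation-id" in value:
        out["translation-id"] = value["translation-id"]
    return out


def to_json_ml_string(elem, doc_lang):
    """Convert an XML IODEF ML_STRING element to its JSON IODEF form without losing
    language information.  xml:lang is inherited from the document when absent, so
    only text whose effective language is "en" and which carries no translation-id
    may collapse to the bare STRING form."""
    lang = elem.get(XML_LANG, doc_lang)
    translation_id = elem.get("translation-id")
    text = elem.text or ""
    if lang == "en" and translation_id is None:
        return text
    out = {"value": text, "lang": lang}
    if translation_id is not None:
        out["translation-id"] = translation_id
    return out


# Constructed sample: a namespace-free sketch of an XML IODEF Incident carrying three
# Description elements (a real document would use the RFC 7970 namespace).
SAMPLE_XML = """<IODEF-Document version="2.0" xml:lang="en">
  <Incident purpose="reporting">
    <Description>C2 domains</Description>
    <Description xml:lang="ja" translation-id="en2ja0023">C2 domains (translated)</Description>
    <Description xml:lang="de">Beschreibung</Description>
  </Incident>
</IODEF-Document>"""


def convert_descriptions(xml_text):
    """Return the JSON IODEF 'Description' values for every Description in the document."""
    root = ET.fromstring(xml_text)
    doc_lang = root.get(XML_LANG, "en")
    return [to_json_ml_string(d, doc_lang) for d in root.iter("Description")]
```

Running `convert_descriptions(SAMPLE_XML)` yields a bare string for the English description and objects for the other two; feeding each result back through `parse_ml_string` shows that a receiver recovers the same language information from either form.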
4.  Examples

   This section provides examples of IODEF documents.  These examples do
   not represent the full capabilities of the data model or the only way
   to encode particular information.

4.1.  Minimal Example

   A document containing only the mandatory elements and attributes is
skipping to change at page 19, line 37 (-12) / page 21, line 5 (-13)
           "Contact": [{
             "type": "organization",
             "role": "creator",
             "Email": [{"EmailTo": "contact@csirt.example.com"}]
           }]
         }]
       }

                   Figure 4: A Minimal Example in JSON
   -12:

   A3                                   # map(3)
   67                                   # text(7)
   76657273696F6E                       # "version"
   63                                   # text(3)
   322E30                               # "2.0"
   64                                   # text(4)
   6C616E67                             # "lang"
   62                                   # text(2)
   656E                                 # "en"
   68                                   # text(8)
   496E636964656E74                     # "Incident"
   81                                   # array(1)
   A5                                   # map(5)
   67                                   # text(7)
   707572706F7365                       # "purpose"
   69                                   # text(9)
   7265706F7274696E67                   # "reporting"
   6B                                   # text(11)
   7265737472696374696F6E               # "restriction"
   67                                   # text(7)
   70726976617465                       # "private"
   6A                                   # text(10)
   496E636964656E744944                 # "IncidentID"
   A2                                   # map(2)
   62                                   # text(2)
   6964                                 # "id"
   66                                   # text(6)
   343932333832                         # "492382"
   64                                   # text(4)
   6E616D65                             # "name"
   71                                   # text(17)
   63736972742E6578616D706C652E636F6D   # "csirt.example.com"
   6E                                   # text(14)
   47656E65726174696F6E54696D65         # "GenerationTime"
   C0                                   # tag(0)
   78 19                                # text(25)
   323031352D30372D31385430393A30303A30302D30353A3030
                                        # "2015-07-18T09:00:00-05:00"
   67                                   # text(7)
   436F6E74616374                       # "Contact"
   81                                   # array(1)
   A3                                   # map(3)
   64                                   # text(4)
   74797065                             # "type"
   6C                                   # text(12)
   6F7267616E697A6174696F6E             # "organization"
   64                                   # text(4)
   726F6C65                             # "role"
   67                                   # text(7)
   63726561746F72                       # "creator"
   65                                   # text(5)
   456D61696C                           # "Email"
   81                                   # array(1)
   A1                                   # map(1)
   67                                   # text(7)
   456D61696C546F                       # "EmailTo"
   78 19                                # text(25)
   636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"

   -13:

   A3                                   # map(3)
   01                                   # unsigned(1)
   63                                   # text(3)
   322E30                               # "2.0"
   02                                   # unsigned(2)
   62                                   # text(2)
   656E                                 # "en"
   06                                   # unsigned(6)
   81                                   # array(1)
   A5                                   # map(5)
   17                                   # unsigned(23)
   69                                   # text(9)
   7265706F7274696E67                   # "reporting"
   0F                                   # unsigned(15)
   67                                   # text(7)
   70726976617465                       # "private"
   18 1B                                # unsigned(27)
   A2                                   # map(2)
   18 2B                                # unsigned(43)
   66                                   # text(6)
   343932333832                         # "492382"
   0A                                   # unsigned(10)
   71                                   # text(17)
   63736972742E6578616D706C652E636F6D   # "csirt.example.com"
   18 23                                # unsigned(35)
   78 19                                # text(25)
   323031352D30372D31385430393A30303A30302D30353A3030
                                        # "2015-07-18T09:00:00-05:00"
   18 27                                # unsigned(39)
   81                                   # array(1)
   A3                                   # map(3)
   18 35                                # unsigned(53)
   6C                                   # text(12)
   6F7267616E697A6174696F6E             # "organization"
   18 33                                # unsigned(51)
   67                                   # text(7)
   63726561746F72                       # "creator"
   18 3B                                # unsigned(59)
   81                                   # array(1)
   A1                                   # map(1)
   18 42                                # unsigned(66)
   78 19                                # text(25)
   636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"

                   Figure 5: A Minimal Example in CBOR
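The two Figure 5 dumps above, regenerated from Figure 4's JSON by a small self-contained CBOR encoder and decoder, as an added example that is not code from the draft. `encode` emits text map keys (the -12 figure) or, given `MAPKEYS`, the integer mapkeys of the -13 figure; `decode` reverses both, which is the parsing side of the Section 3.2 note that integer keys are only meaningful with the key table at hand. `MAPKEYS` is read off the -13 dump (an assumption; the draft's Section 5 holds the full table, which this page does not reproduce), `MINIMAL` is Figure 4 reconstructed from the dumps, `DATETIME_ELEMENTS` lists RFC 7970 element names of DATETIME type, and `structured_info` covers the Section 2.2.5 RawData rule (base64 text in JSON IODEF, binary bytes under tag 22 in CBOR IODEF, per the Section 2.1 table). One caveat the dumps themselves show: the -12 figure tags GenerationTime with tag(0) (tdate), the -13 figure does not; this example applies the tag in both modes because the Section 2.1 table maps DATETIME to tag 0, so its mapkey output matches the -13 dump except for that single C0 byte.

```python
"""Mini CBOR encoder/decoder for IODEF JSON documents (added example, not from the draft)."""
import base64

# RFC 7970 element names whose values are DATETIME; Section 2.1 maps DATETIME to tag 0 (tdate).
DATETIME_ELEMENTS = {"GenerationTime", "StartTime", "EndTime", "DetectTime", "ReportTime"}

# Integer mapkeys read off the draft-13 Figure 5 dump (assumption: the draft's Section 5
# defines the full table, which this page does not show).
MAPKEYS = {"version": 1, "lang": 2, "Incident": 6, "purpose": 23, "restriction": 15,
           "IncidentID": 27, "id": 43, "name": 10, "GenerationTime": 35, "Contact": 39,
           "type": 53, "role": 51, "Email": 59, "EmailTo": 66}

def _head(major, n):
    """Initial byte plus argument for major type `major` and argument n (RFC 7049, Section 2)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large for CBOR")

def encode(value, keymap=None, element=None):
    """Encode a JSON-like IODEF value.  keymap=None keeps text keys (the -12 figures);
    keymap=MAPKEYS emits the integer mapkeys of the -13 figures."""
    if isinstance(value, int) and not isinstance(value, bool):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):  # BYTE: raw bytes under tag 22, as the Section 2.1 table lists
        return _head(6, 22) + _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        text = _head(3, len(data)) + data
        return (_head(6, 0) + text) if element in DATETIME_ELEMENTS else text
    if isinstance(value, list):  # array items inherit the element name of their parent
        return _head(4, len(value)) + b"".join(encode(v, keymap, element) for v in value)
    if isinstance(value, dict):
        out = _head(5, len(value))
        for key, val in value.items():
            out += encode(keymap[key] if keymap else key) + encode(val, keymap, element=key)
        return out
    raise TypeError(f"unsupported value type {type(value).__name__}")

def _item(data, pos, inverse):
    """Decode one data item starting at `pos`; return (value, position after it)."""
    major, info, pos = data[pos] >> 5, data[pos] & 0x1F, pos + 1
    arg = info
    if info >= 24:
        size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
        arg, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
    if major == 0:
        return arg, pos
    if major in (2, 3):
        chunk = data[pos:pos + arg]
        return (bytes(chunk) if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _item(data, pos, inverse)
            items.append(item)
        return items, pos
    if major == 5:
        obj = {}
        for _ in range(arg):
            key, pos = _item(data, pos, inverse)
            val, pos = _item(data, pos, inverse)
            obj[inverse[key] if inverse else key] = val  # integer mapkey back to element name
        return obj, pos
    if major == 6:  # tag 0 (tdate) and tag 22 (eb64legacy) wrap a value returned as-is
        return _item(data, pos, inverse)
    raise ValueError(f"major type {major} is not handled in this example")

def decode(data, keymap=None):
    """Decode one complete CBOR document; with keymap, integer keys are mapped back to names."""
    inverse = {v: k for k, v in keymap.items()} if keymap else None
    value, pos = _item(data, 0, inverse)
    if pos != len(data):
        raise ValueError("trailing bytes after the CBOR item")
    return value

# Figure 4's minimal document, reconstructed from the page's Figure 5 dumps.
MINIMAL = {"version": "2.0", "lang": "en", "Incident": [{
    "purpose": "reporting", "restriction": "private",
    "IncidentID": {"id": "492382", "name": "csirt.example.com"},
    "GenerationTime": "2015-07-18T09:00:00-05:00",
    "Contact": [{"type": "organization", "role": "creator",
                 "Email": [{"EmailTo": "contact@csirt.example.com"}]}]}]}

def minimal_cbor_hex(use_mapkeys):
    """Upper-case hex of the minimal example, with text keys or with integer mapkeys."""
    return encode(MINIMAL, MAPKEYS if use_mapkeys else None).hex().upper()

def structured_info(spec_id, raw):
    """StructuredInfo with RawData: base64 text for JSON IODEF, tagged bytes for CBOR IODEF."""
    json_form = {"SpecID": spec_id, "RawData": base64.b64encode(raw).decode("ascii")}
    return json_form, encode({"SpecID": spec_id, "RawData": raw})
```

Calling `minimal_cbor_hex(False)` reproduces the -12 dump byte for byte, and `decode(encode(MINIMAL, MAPKEYS), MAPKEYS)` returns the original document, which is the check an implementation converting between the two bindings would want to run. The decoder is deliberately strict: unknown integer keys raise a `KeyError` rather than being silently dropped, and a document with trailing bytes is rejected.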
4.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign is shown below in JSON
   and CBOR, respectively.

   {
     "version": "2.0",
skipping to change at page 22, line 14 (-12) / page 23, line 14 (-13)
             "type": "domain-name",
             "BulkObservableList": "kj290023j09r34.example.com"}
         }
       }]
     }]
   }

              Figure 6: Indicators from a Campaign in JSON
   -12:

   A3                                   # map(3)
   67                                   # text(7)
   76657273696F6E                       # "version"
   63                                   # text(3)
   322E30                               # "2.0"
   64                                   # text(4)
   6C616E67                             # "lang"
   62                                   # text(2)
   656E                                 # "en"
   68                                   # text(8)
   496E636964656E74                     # "Incident"
   81                                   # array(1)
   A9                                   # map(9)
   67                                   # text(7)
   707572706F7365                       # "purpose"
   65                                   # text(5)
   7761746368                           # "watch"
   6B                                   # text(11)
   7265737472696374696F6E               # "restriction"
   65                                   # text(5)
   677265656E                           # "green"
   6A                                   # text(10)
   496E636964656E744944                 # "IncidentID"
   A2                                   # map(2)
   62                                   # text(2)
   6964                                 # "id"
   66                                   # text(6)
   383937393233                         # "897923"
   64                                   # text(4)
   6E616D65                             # "name"
   71                                   # text(17)
   63736972742E6578616D706C652E636F6D   # "csirt.example.com"
   6F                                   # text(15)
   52656C617465644163746976697479       # "RelatedActivity"
   81                                   # array(1)
   A2                                   # map(2)
   6B                                   # text(11)
   5468726561744163746F72               # "ThreatActor"
   81                                   # array(1)
   A2                                   # map(2)
   6D                                   # text(13)
   5468726561744163746F724944           # "ThreatActorID"
   81                                   # array(1)
   78 1A                                # text(26)
   54412D31322D414747524553534956452D425554544552464C59
                                        # "TA-12-AGGRESSIVE-BUTTERFLY"
   6B                                   # text(11)
   4465736372697074696F6E               # "Description"
   81                                   # array(1)
   74                                   # text(20)
   4167677265737369766520427574746572666C79
                                        # "Aggressive Butterfly"
   68                                   # text(8)
   43616D706169676E                     # "Campaign"
   81                                   # array(1)
   A2                                   # map(2)
   6A                                   # text(10)
   43616D706169676E4944                 # "CampaignID"
   81                                   # array(1)
   6C                                   # text(12)
   432D323031352D3539343035             # "C-2015-59405"
   6B                                   # text(11)
   4465736372697074696F6E               # "Description"
   81                                   # array(1)
   6E                                   # text(14)
   4F72616E67652047697261666665         # "Orange Giraffe"
   6E                                   # text(14)
   47656E65726174696F6E54696D65         # "GenerationTime"
   C0                                   # tag(0)
   78 19                                # text(25)
   323031352D31302D30325431313A31383A30302D30353A3030
                                        # "2015-10-02T11:18:00-05:00"
   6B                                   # text(11)
   4465736372697074696F6E               # "Description"
   81                                   # array(1)
   78 6F                                # text(111)
   53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F7220746865204F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E
                                        # "Summarizes the Indicators of Compromise for the Orange
                                        #  Giraffe campaign of the Aggressive Butterfly crime gang."
   6A                                   # text(10)
   4173736573736D656E74                 # "Assessment"
   81                                   # array(1)
   A1                                   # map(1)
   66                                   # text(6)
   496D70616374                         # "Impact"
   81                                   # array(1)
   A1                                   # map(1)
   6E                                   # text(14)
   427573696E657373496D70616374         # "BusinessImpact"
   A1                                   # map(1)
   64                                   # text(4)
   74797065                             # "type"
   72                                   # text(18)
   6272656163682D70726F7072696574617279 # "breach-proprietary"
   67                                   # text(7)
   436F6E74616374                       # "Contact"
   81                                   # array(1)
   A4                                   # map(4)
   64                                   # text(4)
   74797065                             # "type"
   6C                                   # text(12)
   6F7267616E697A6174696F6E             # "organization"
   64                                   # text(4)
   726F6C65                             # "role"
   67                                   # text(7)
   63726561746F72                       # "creator"
   6B                                   # text(11)
   436F6E746163744E616D65               # "ContactName"
   81                                   # array(1)
   75                                   # text(21)
   435349525420666F72206578616D706C652E636F6D
                                        # "CSIRT for example.com"
   65                                   # text(5)
   456D61696C                           # "Email"
   81                                   # array(1)
   A1                                   # map(1)
   67                                   # text(7)
   456D61696C546F                       # "EmailTo"
   78 19                                # text(25)
   636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"
   69                                   # text(9)
   496E64696361746F72                   # "Indicator"
   81                                   # array(1)
   A4                                   # map(4)
   6B                                   # text(11)
   496E64696361746F724944               # "IndicatorID"
   A3                                   # map(3)
   62                                   # text(2)
   6964                                 # "id"
   69                                   # text(9)
   473930383233343930                   # "G90823490"
   64                                   # text(4)
   6E616D65                             # "name"
   71                                   # text(17)
   63736972742E6578616D706C652E636F6D   # "csirt.example.com"
   67                                   # text(7)
   76657273696F6E                       # "version"
   61                                   # text(1)
   31                                   # "1"
   6B                                   # text(11)
   4465736372697074696F6E               # "Description"
   81                                   # array(1)
   6A                                   # text(10)
   433220646F6D61696E73                 # "C2 domains"
   69                                   # text(9)
   537461727454696D65                   # "StartTime"
   C0                                   # tag(0)
   78 19                                # text(25)
   323031342D31322D30325431313A31383A30302D30353A3030
                                        # "2014-12-02T11:18:00-05:00"
   6A                                   # text(10)
   4F627365727661626C65                 # "Observable"
   A1                                   # map(1)
   6E                                   # text(14)
   42756C6B4F627365727661626C65         # "BulkObservable"
   A2                                   # map(2)
   64                                   # text(4)
   74797065                             # "type"
   6B                                   # text(11)
   646F6D61696E2D6E616D65               # "domain-name"
   72                                   # text(18)

   -13:

   A3                                   # map(3)
   01                                   # unsigned(1)
   63                                   # text(3)
   322E30                               # "2.0"
   02                                   # unsigned(2)
   62                                   # text(2)
   656E                                 # "en"
   06                                   # unsigned(6)
   81                                   # array(1)
   A9                                   # map(9)
   17                                   # unsigned(23)
   65                                   # text(5)
   7761746368                           # "watch"
   0F                                   # unsigned(15)
   65                                   # text(5)
   677265656E                           # "green"
   18 1B                                # unsigned(27)
   A2                                   # map(2)
   18 2B                                # unsigned(43)
   66                                   # text(6)
   383937393233                         # "897923"
   0A                                   # unsigned(10)
   71                                   # text(17)
   63736972742E6578616D706C652E636F6D   # "csirt.example.com"
   18 1D                                # unsigned(29)
   81                                   # array(1)
   A2                                   # map(2)
   18 2D                                # unsigned(45)
   81                                   # array(1)
   A2                                   # map(2)
   18 31                                # unsigned(49)
   81                                   # array(1)
   78 1A                                # text(26)
   54412D31322D414747524553534956452D425554544552464C59
                                        # "TA-12-AGGRESSIVE-BUTTERFLY"
   14                                   # unsigned(20)
   81                                   # array(1)
   74                                   # text(20)
   4167677265737369766520427574746572666C79
                                        # "Aggressive Butterfly"
   18 2E                                # unsigned(46)
   81                                   # array(1)
   A2                                   # map(2)
   18 32                                # unsigned(50)
   81                                   # array(1)
   6C                                   # text(12)
   432D323031352D3539343035             # "C-2015-59405"
   14                                   # unsigned(20)
   81                                   # array(1)
   6E                                   # text(14)
   4F72616E67652047697261666665         # "Orange Giraffe"
   18 23                                # unsigned(35)
   78 19                                # text(25)
   323031352D31302D30325431313A31383A30302D30353A3030
                                        # "2015-10-02T11:18:00-05:00"
   14                                   # unsigned(20)
   81                                   # array(1)
   78 70                                # text(112)
   53756D6D6172697A65732074686520496E64696361746F7273206F6620436F6D70726F6D69736520666F72207468650D0A4F72616E676520476972616666652063616D706169676E206F6620746865204167677265737369766520427574746572666C79206372696D652067616E672E
                                        # "Summarizes the Indicators of Compromise for the\r\nOrange
                                        #  Giraffe campaign of the Aggressive Butterfly crime gang."
   18 25                                # unsigned(37)
   81                                   # array(1)
   A1                                   # map(1)
   18 58                                # unsigned(88)
   81                                   # array(1)
   A1                                   # map(1)
   18 5A                                # unsigned(90)
   A1                                   # map(1)
   18 35                                # unsigned(53)
   72                                   # text(18)
   6272656163682D70726F7072696574617279 # "breach-proprietary"
   18 27                                # unsigned(39)
   81                                   # array(1)
   A4                                   # map(4)
   18 35                                # unsigned(53)
   6C                                   # text(12)
   6F7267616E697A6174696F6E             # "organization"
   18 33                                # unsigned(51)
   67                                   # text(7)
   63726561746F72                       # "creator"
   18 37                                # unsigned(55)
   81                                   # array(1)
   75                                   # text(21)
   435349525420666F72206578616D706C652E636F6D
                                        # "CSIRT for example.com"
   18 3B                                # unsigned(59)
   81                                   # array(1)
   A1                                   # map(1)
   18 42                                # unsigned(66)
   78 19                                # text(25)
   636F6E746163744063736972742E6578616D706C652E636F6D
                                        # "contact@csirt.example.com"
   18 29                                # unsigned(41)
   81                                   # array(1)
   A4                                   # map(4)
   18 2F                                # unsigned(47)
   A3                                   # map(3)
   18 2B                                # unsigned(43)
   69                                   # text(9)
   473930383233343930                   # "G90823490"
   0A                                   # unsigned(10)
   71                                   # text(17)
   63736972742E6578616D706C652E636F6D   # "csirt.example.com"
   01                                   # unsigned(1)
   61                                   # text(1)
   31                                   # "1"
   14                                   # unsigned(20)
   81                                   # array(1)
   6A                                   # text(10)
   433220646F6D61696E73                 # "C2 domains"
   18 1F                                # unsigned(31)
   78 19                                # text(25)
   323031342D31322D30325431313A31383A30302D30353A3030
                                        # "2014-12-02T11:18:00-05:00"
   18 C4                                # unsigned(196)
   A1                                   # map(1)
   18 C9                                # unsigned(201)
   A2                                   # map(2)
   18 35                                # unsigned(53)
   6B                                   # text(11)
   646F6D61696E2D6E616D65               # "domain-name"
   18 CB                                # unsigned(203)
   78 1A                                # text(26)
   6B6A3239303032336A30397233342E6578616D706C652E636F6D
42756C6B4F627365727661626C654C697374
# "BulkObservableList"
78 1A # text(26)
6B6A3239303032336A30397233342E6578616D706C652E636F6D
# "kj290023j09r34.example.com" # "kj290023j09r34.example.com"
Figure 7: Indicators from a Campaign in CBOR Figure 7: Indicators from a Campaign in CBOR
5. The IODEF Data Model (CDDL) 5. Mapkeys
The mapkeys that replace the text member names in the CBOR encoding are listed in Figure 8; encoding each key as a small unsigned integer rather than a text string minimizes the CBOR size.
+---------------------------------+-------+
|mapkey |cborkey|
+---------------------------------+-------+
|iodef-version |1 |
|iodef-lang |2 |
|iodef-format-id |3 |
|iodef-private-enum-name |4 |
|iodef-private-enum-id |5 |
|iodef-Incident |6 |
|iodef-AdditionalData |7 |
|iodef-value |8 |
|iodef-translation-id |9 |
|iodef-name |10 |
|iodef-dtype |11 |
|iodef-ext-dtype |12 |
|iodef-meaning |13 |
|iodef-formatid |14 |
|iodef-restriction |15 |
|iodef-ext-restriction |16 |
|iodef-observable-id |17 |
|iodef-SoftwareReference |18 |
|iodef-URL |19 |
|iodef-Description |20 |
|iodef-spec-name |21 |
|iodef-ext-spec-name |22 |
|iodef-purpose |23 |
|iodef-ext-purpose |24 |
|iodef-status |25 |
|iodef-ext-status |26 |
|iodef-IncidentID |27 |
|iodef-AlternativeID |28 |
|iodef-RelatedActivity |29 |
|iodef-DetectTime |30 |
|iodef-StartTime |31 |
|iodef-EndTime |32 |
|iodef-RecoveryTime |33 |
|iodef-ReportTime |34 |
|iodef-GenerationTime |35 |
|iodef-Discovery |36 |
|iodef-Assessment |37 |
|iodef-Method |38 |
|iodef-Contact |39 |
|iodef-EventData |40 |
|iodef-Indicator |41 |
|iodef-History |42 |
|iodef-id |43 |
|iodef-instance |44 |
|iodef-ThreatActor |45 |
|iodef-Campaign |46 |
|iodef-IndicatorID |47 |
|iodef-Confidence |48 |
|iodef-ThreatActorID |49 |
|iodef-CampaignID |50 |
|iodef-role |51 |
|iodef-ext-role |52 |
|iodef-type |53 |
|iodef-ext-type |54 |
|iodef-ContactName |55 |
|iodef-ContactTitle |56 |
|iodef-RegistryHandle |57 |
|iodef-PostalAddress |58 |
|iodef-Email |59 |
|iodef-Telephone |60 |
|iodef-Timezone |61 |
|iodef-handle |62 |
|iodef-registry |63 |
|iodef-ext-registry |64 |
|iodef-PAddress |65 |
|iodef-EmailTo |66 |
|iodef-TelephoneNumber |67 |
|iodef-source |68 |
|iodef-ext-source |69 |
|iodef-DetectionPattern |70 |
|iodef-DetectionConfiguration |71 |
|iodef-Application |72 |
|iodef-Reference |73 |
|iodef-AttackPattern |74 |
|iodef-Vulnerability |75 |
|iodef-Weakness |76 |
|iodef-SpecID |77 |
|iodef-ext-SpecID |78 |
|iodef-ContentID |79 |
|iodef-RawData |80 |
|iodef-Platform |81 |
|iodef-Scoring |82 |
|iodef-ReferenceName |83 |
|iodef-specIndex |84 |
|iodef-ID |85 |
|iodef-occurrence |86 |
|iodef-IncidentCategory |87 |
|iodef-Impact |88 |
|iodef-SystemImpact |89 |
|iodef-BusinessImpact |90 |
|iodef-TimeImpact |91 |
|iodef-MonetaryImpact |92 |
|iodef-IntendedImpact |93 |
|iodef-Counter |94 |
|iodef-MitigatingFactor |95 |
|iodef-Cause |96 |
|iodef-severity |97 |
|iodef-completion |98 |
|iodef-ext-severity |99 |
|iodef-metric |100 |
|iodef-ext-metric |101 |
|iodef-duration |102 |
|iodef-ext-duration |103 |
|iodef-currency |104 |
|iodef-rating |105 |
|iodef-ext-rating |106 |
|iodef-HistoryItem |107 |
|iodef-action |108 |
|iodef-ext-action |109 |
|iodef-DateTime |110 |
|iodef-DefinedCOA |111 |
|iodef-System |112 |
|iodef-Expectation |113 |
|iodef-RecordData |114 |
|iodef-category |115 |
|iodef-ext-category |116 |
|iodef-interface |117 |
|iodef-spoofed |118 |
|iodef-virtual |119 |
|iodef-ownership |120 |
|iodef-ext-ownership |121 |
|iodef-Node |122 |
|iodef-NodeRole |123 |
|iodef-Service |124 |
|iodef-OperatingSystem |125 |
|iodef-AssetID |126 |
|iodef-DomainData |127 |
|iodef-Address |128 |
|iodef-Location |129 |
|iodef-vlan-name |130 |
|iodef-vlan-num |131 |
|iodef-unit |132 |
|iodef-ext-unit |133 |
|iodef-system-status |134 |
|iodef-ext-system-status |135 |
|iodef-domain-status |136 |
|iodef-ext-domain-status |137 |
|iodef-Name |138 |
|iodef-DateDomainWasChecked |139 |
|iodef-RegistrationDate |140 |
|iodef-ExpirationDate |141 |
|iodef-RelatedDNS |142 |
|iodef-NameServers |143 |
|iodef-DomainContacts |144 |
|iodef-Server |145 |
|iodef-SameDomainContact |146 |
|iodef-ip-protocol |147 |
|iodef-ServiceName |148 |
|iodef-Port |149 |
|iodef-Portlist |150 |
|iodef-ProtoCode |151 |
|iodef-ProtoType |152 |
|iodef-ProtoField |153 |
|iodef-ApplicationHeaderField |154 |
|iodef-EmailData |155 |
|iodef-IANAService |156 |
|iodef-EmailFrom |157 |
|iodef-EmailSubject |158 |
|iodef-EmailX-Mailer |159 |
|iodef-EmailHeaderField |160 |
|iodef-EmailHeaders |161 |
|iodef-EmailBody |162 |
|iodef-EmailMessage |163 |
|iodef-HashData |164 |
|iodef-Signature |165 |
|iodef-RecordPattern |166 |
|iodef-RecordItem |167 |
|iodef-FileData |168 |
|iodef-WindowsRegistryKeysModified|169 |
|iodef-CertificateData |170 |
|iodef-offset |171 |
|iodef-offsetunit |172 |
|iodef-ext-offsetunit |173 |
|iodef-Key |174 |
|iodef-registryaction |175 |
|iodef-ext-registryaction |176 |
|iodef-KeyName |177 |
|iodef-KeyValue |178 |
|iodef-Certificate |179 |
|iodef-X509Data |180 |
|iodef-File |181 |
|iodef-FileName |182 |
|iodef-FileSize |183 |
|iodef-FileType |184 |
|iodef-AssociatedSoftware |185 |
|iodef-FileProperties |186 |
|iodef-scope |187 |
|iodef-HashTargetID |188 |
|iodef-Hash |189 |
|iodef-FuzzyHash |190 |
|iodef-DigestMethod |191 |
|iodef-DigestValue |192 |
|iodef-CanonicalizationMethod |193 |
|iodef-FuzzyHashValue |194 |
|iodef-AlternativeIndicatorID |195 |
|iodef-Observable |196 |
|iodef-uid-ref |197 |
|iodef-IndicatorExpression |198 |
|iodef-IndicatorReference |199 |
|iodef-AttackPhase |200 |
|iodef-BulkObservable |201 |
|iodef-BulkObservableFormat |202 |
|iodef-BulkObservableList |203 |
|iodef-operator |204 |
|iodef-ext-operator |205 |
|iodef-euid-ref |206 |
|iodef-AttackPhaseID |207 |
+---------------------------------+-------+
Figure 8: Mapkeys
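As an added illustration of the mapkey scheme (example code written for this page, not part of the draft or of any IODEF implementation): a minimal CBOR encoder/decoder covering only the major types the draft's figures use (unsigned integer, text string, array, map, tag 0), applied to the BulkObservable map whose bytes appear in the draft-13 column of Figure 7. The MAPKEYS dictionary reproduces six entries of Figure 8; the function and constant names are assumptions of this example.

```python
"""Minimal CBOR encode/decode showing how Figure 8 mapkeys shrink IODEF.
Added example, not the draft's code. Unsigned ints, text, arrays, maps
and tag 0 only; this is all the draft's Figure 7 needs."""
from typing import Any, Tuple

# Subset of the Figure 8 mapkey table: member name -> cborkey.
MAPKEYS = {"type": 53, "Description": 20, "StartTime": 31,
           "Observable": 196, "BulkObservable": 201, "BulkObservableList": 203}
MAPKEY_NAMES = {v: k for k, v in MAPKEYS.items()}


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte (major type in the top 3 bits) plus argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, width in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * width):
            return bytes([(major << 5) | info]) + n.to_bytes(width, "big")
    raise ValueError("argument too large")


def encode(obj: Any, use_mapkeys: bool) -> bytes:
    """Encode dict/list/str/non-negative int. With use_mapkeys, string keys
    listed in MAPKEYS are emitted as their integer cborkey instead."""
    if isinstance(obj, int):
        return _head(0, obj)
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode(x, use_mapkeys) for x in obj)
    if isinstance(obj, dict):
        out = _head(5, len(obj))
        for k, v in obj.items():
            key = MAPKEYS[k] if use_mapkeys and k in MAPKEYS else k
            out += encode(key, use_mapkeys) + encode(v, use_mapkeys)
        return out
    raise TypeError(f"unsupported type {type(obj).__name__}")


def _decode_at(buf: bytes, pos: int, use_mapkeys: bool) -> Tuple[Any, int]:
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        width = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("indefinite-length items not supported")
    if major == 0:
        return arg, pos
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode_at(buf, pos, use_mapkeys)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            k, pos = _decode_at(buf, pos, use_mapkeys)
            v, pos = _decode_at(buf, pos, use_mapkeys)
            if use_mapkeys and isinstance(k, int):
                k = MAPKEY_NAMES.get(k, k)  # unknown cborkeys stay numeric
            result[k] = v
        return result, pos
    if major == 6 and arg == 0:  # tag 0: RFC 3339 date-time text follows
        return _decode_at(buf, pos, use_mapkeys)
    raise ValueError(f"unsupported major type {major}")


def decode(buf: bytes, use_mapkeys: bool) -> Any:
    """Decode one CBOR item; translate integer map keys back to names."""
    obj, pos = _decode_at(buf, 0, use_mapkeys)
    if pos != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return obj


# Bytes copied from Figure 7 (draft-13 column), the BulkObservable map:
#   A2 18 35 6B "domain-name" 18 CB 78 1A "kj290023j09r34.example.com"
FIGURE7_BULK_OBSERVABLE = bytes.fromhex(
    "A2" "1835" "6B" "646F6D61696E2D6E616D65"
    "18CB" "781A" "6B6A3239303032336A30397233342E6578616D706C652E636F6D")
BULK_OBSERVABLE = {"type": "domain-name",
                   "BulkObservableList": "kj290023j09r34.example.com"}


def decode_figure7_bulk_observable() -> dict:
    """Figure 7 bytes -> {'type': 'domain-name', 'BulkObservableList': ...}."""
    return decode(FIGURE7_BULK_OBSERVABLE, use_mapkeys=True)


def size_comparison() -> Tuple[int, int]:
    """(bytes with text member names, bytes with Figure 8 mapkeys)."""
    return len(encode(BULK_OBSERVABLE, False)), len(encode(BULK_OBSERVABLE, True))


if __name__ == "__main__":
    print(decode_figure7_bulk_observable())
    print("text keys vs mapkeys:", size_comparison())
```

Encoding BULK_OBSERVABLE with use_mapkeys=True reproduces the Figure 7 bytes exactly (keys 53 and 203 are emitted as `18 35` and `18 CB`), and the same map costs 65 bytes with text member names against 45 with mapkeys. Decoding with use_mapkeys=False shows the raw integer keys a consumer sees before consulting Figure 8.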
6. The IODEF Data Model (CDDL)
This section provides the IODEF data model. Note that mapkeys are
described at the beginning of the CDDL data model for better
readability.
start = iodef start = iodef
;;; iodef.json: IODEF-Document ;;; iodef.json: IODEF-Document
iodef-version = 1
iodef-lang = 2
iodef-format-id = 3
iodef-private-enum-name = 4
iodef-private-enum-id = 5
iodef-Incident = 6
iodef-AdditionalData = 7
iodef-value = 8
iodef-translation-id = 9
iodef-name = 10
iodef-dtype = 11
iodef-ext-dtype = 12
iodef-meaning = 13
iodef-formatid = 14
iodef-restriction = 15
iodef-ext-restriction = 16
iodef-observable-id = 17
iodef-SoftwareReference = 18
iodef-URL = 19
iodef-Description = 20
iodef-spec-name = 21
iodef-ext-spec-name = 22
iodef-purpose = 23
iodef-ext-purpose = 24
iodef-status = 25
iodef-ext-status = 26
iodef-IncidentID = 27
iodef-AlternativeID = 28
iodef-RelatedActivity = 29
iodef-DetectTime = 30
iodef-StartTime = 31
iodef-EndTime = 32
iodef-RecoveryTime = 33
iodef-ReportTime = 34
iodef-GenerationTime = 35
iodef-Discovery = 36
iodef-Assessment = 37
iodef-Method = 38
iodef-Contact = 39
iodef-EventData = 40
iodef-Indicator = 41
iodef-History = 42
iodef-id = 43
iodef-instance = 44
iodef-ThreatActor = 45
iodef-Campaign = 46
iodef-IndicatorID = 47
iodef-Confidence = 48
iodef-ThreatActorID = 49
iodef-CampaignID = 50
iodef-role = 51
iodef-ext-role = 52
iodef-type = 53
iodef-ext-type = 54
iodef-ContactName = 55
iodef-ContactTitle = 56
iodef-RegistryHandle = 57
iodef-PostalAddress = 58
iodef-Email = 59
iodef-Telephone = 60
iodef-Timezone = 61
iodef-handle = 62
iodef-registry = 63
iodef-ext-registry = 64
iodef-PAddress = 65
iodef-EmailTo = 66
iodef-TelephoneNumber = 67
iodef-source = 68
iodef-ext-source = 69
iodef-DetectionPattern = 70
iodef-DetectionConfiguration = 71
iodef-Application = 72
iodef-Reference = 73
iodef-AttackPattern = 74
iodef-Vulnerability = 75
iodef-Weakness = 76
iodef-SpecID = 77
iodef-ext-SpecID = 78
iodef-ContentID = 79
iodef-RawData = 80
iodef-Platform = 81
iodef-Scoring = 82
iodef-ReferenceName = 83
iodef-specIndex = 84
iodef-ID = 85
iodef-occurrence = 86
iodef-IncidentCategory = 87
iodef-Impact = 88
iodef-SystemImpact = 89
iodef-BusinessImpact = 90
iodef-TimeImpact = 91
iodef-MonetaryImpact = 92
iodef-IntendedImpact = 93
iodef-Counter = 94
iodef-MitigatingFactor = 95
iodef-Cause = 96
iodef-severity = 97
iodef-completion = 98
iodef-ext-severity = 99
iodef-metric = 100
iodef-ext-metric = 101
iodef-duration = 102
iodef-ext-duration = 103
iodef-currency = 104
iodef-rating = 105
iodef-ext-rating = 106
iodef-HistoryItem = 107
iodef-action = 108
iodef-ext-action = 109
iodef-DateTime = 110
iodef-DefinedCOA = 111
iodef-System = 112
iodef-Expectation = 113
iodef-RecordData = 114
iodef-category = 115
iodef-ext-category = 116
iodef-interface = 117
iodef-spoofed = 118
iodef-virtual = 119
iodef-ownership = 120
iodef-ext-ownership = 121
iodef-Node = 122
iodef-NodeRole = 123
iodef-Service = 124
iodef-OperatingSystem = 125
iodef-AssetID = 126
iodef-DomainData = 127
iodef-Address = 128
iodef-Location = 129
iodef-vlan-name = 130
iodef-vlan-num = 131
iodef-unit = 132
iodef-ext-unit = 133
iodef-system-status = 134
iodef-ext-system-status = 135
iodef-domain-status = 136
iodef-ext-domain-status = 137
iodef-Name = 138
iodef-DateDomainWasChecked = 139
iodef-RegistrationDate = 140
iodef-ExpirationDate = 141
iodef-RelatedDNS = 142
iodef-NameServers = 143
iodef-DomainContacts = 144
iodef-Server = 145
iodef-SameDomainContact = 146
iodef-ip-protocol = 147
iodef-ServiceName = 148
iodef-Port = 149
iodef-Portlist = 150
iodef-ProtoCode = 151
iodef-ProtoType = 152
iodef-ProtoField = 153
iodef-ApplicationHeaderField = 154
iodef-EmailData = 155
iodef-IANAService = 156
iodef-EmailFrom = 157
iodef-EmailSubject = 158
iodef-EmailX-Mailer = 159
iodef-EmailHeaderField = 160
iodef-EmailHeaders = 161
iodef-EmailBody = 162
iodef-EmailMessage = 163
iodef-HashData = 164
iodef-Signature = 165
iodef-RecordPattern = 166
iodef-RecordItem = 167
iodef-FileData = 168
iodef-WindowsRegistryKeysModified = 169
iodef-CertificateData = 170
iodef-offset = 171
iodef-offsetunit = 172
iodef-ext-offsetunit = 173
iodef-Key = 174
iodef-registryaction = 175
iodef-ext-registryaction = 176
iodef-KeyName = 177
iodef-KeyValue = 178
iodef-Certificate = 179
iodef-X509Data = 180
iodef-File = 181
iodef-FileName = 182
iodef-FileSize = 183
iodef-FileType = 184
iodef-AssociatedSoftware = 185
iodef-FileProperties = 186
iodef-scope = 187
iodef-HashTargetID = 188
iodef-Hash = 189
iodef-FuzzyHash = 190
iodef-DigestMethod = 191
iodef-DigestValue = 192
iodef-CanonicalizationMethod = 193
iodef-FuzzyHashValue = 194
iodef-AlternativeIndicatorID = 195
iodef-Observable = 196
iodef-uid-ref = 197
iodef-IndicatorExpression = 198
iodef-IndicatorReference = 199
iodef-AttackPhase = 200
iodef-BulkObservable = 201
iodef-BulkObservableFormat = 202
iodef-BulkObservableList = 203
iodef-operator = 204
iodef-ext-operator = 205
iodef-euid-ref = 206
iodef-AttackPhaseID = 207
iodef = { iodef = {
version: text iodef-version => text,
? lang: lang ? iodef-lang => lang,
? format-id: text ? iodef-format-id => text
? private-enum-name: text ? iodef-private-enum-name => text,
? private-enum-id: text ? iodef-private-enum-id => text,
Incident: [+ Incident] iodef-Incident => [+ Incident],
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" / duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
"year" / "ext-value" "year" / "ext-value"
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*" lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
restriction = "public" / "partner" / "need-to-know" / "private" / restriction = "public" / "partner" / "need-to-know" / "private" /
"default" / "white" / "green" / "amber" / "red" / "default" / "white" / "green" / "amber" / "red" /
"ext-value" "ext-value"
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private" SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*" IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
IDREFType = IDtype IDREFType = IDtype
URLtype = uri URLtype = uri
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]" TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*" PortlistType = text .regexp "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
action = "nothing" / "contact-source-site" / "contact-target-site" / action = "nothing" / "contact-source-site" / "contact-target-site" /
"contact-sender" / "investigate" / "block-host" / "contact-sender" / "investigate" / "block-host" /
"block-network" / "block-port" / "rate-limit-host" / "block-network" / "block-port" / "rate-limit-host" /
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" / "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
"honeypot" / "upgrade-software" / "rebuild-asset" / "honeypot" / "upgrade-software" / "rebuild-asset" /
"harden-asset" / "remediate-other" / "status-triage" / "harden-asset" / "remediate-other" / "status-triage" /
"status-new-info" / "watch-and-report" / "training" / "status-new-info" / "watch-and-report" / "training" /
"defined-coa" / "other" / "ext-value" "defined-coa" / "other" / "ext-value"
DATETIME = tdate DATETIME = tdate
BYTE = eb64legacy BYTE = eb64legacy
MLStringType = { MLStringType = {
value: text iodef-value => text,
? lang: lang ? iodef-lang => lang,
? translation-id: text ? iodef-translation-id => text
} / text } / text
PositiveFloatType = float32 .gt 0 PositiveFloatType = float32 .gt 0
PAddressType = MLStringType PAddressType = MLStringType
ExtensionType = { ExtensionType = {
value: text iodef-value => text,
? name: text ? iodef-name => text,
dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / iodef-dtype => "boolean" / "byte" / "bytes" / "character" / "date-time" /
"ntpstamp" / "integer" / "portlist" / "real" / "string" / "ntpstamp" / "integer" / "portlist" / "real" / "string" /
"file" / "path" / "frame" / "packet" / "ipv4-packet" / "json"/ "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json" /
"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value" "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
.default "string" .default "string"
? ext-dtype: text ? iodef-ext-dtype => text,
? meaning: text ? iodef-meaning => text,
? formatid: text ? iodef-formatid => text,
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? observable-id: IDtype ? iodef-observable-id => IDtype,
} }
SoftwareType = { SoftwareType = {
? SoftwareReference: SoftwareReference ? iodef-SoftwareReference => SoftwareReference,
? URL: [+ URLtype] ? iodef-URL => [+ URLtype],
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
SoftwareReference = { SoftwareReference = {
? value: text ? iodef-value => text,
spec-name: "custom" / "cpe" / "swid" / "ext-value" iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
? ext-spec-name: text ? iodef-ext-spec-name => text,
? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value" ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
.default "string" .default "string",
? ext-dtype: text ? iodef-ext-dtype => text
} }
Incident = { Incident = {
purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / iodef-purpose => "traceback" / "mitigation" / "reporting" / "watch" / "other" /
"ext-value" "ext-value",
? ext-purpose: text ? iodef-ext-purpose => text,
? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" / ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
"ext-value" "ext-value",
? ext-status: text ? iodef-ext-status => text,
? lang: lang ? iodef-lang => lang,
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? observable-id: IDtype ? iodef-observable-id => IDtype,
IncidentID: IncidentID iodef-IncidentID => IncidentID,
? AlternativeID: AlternativeID ? iodef-AlternativeID => AlternativeID,
? RelatedActivity: [+ RelatedActivity] ? iodef-RelatedActivity => [+ RelatedActivity],
? DetectTime: DATETIME ? iodef-DetectTime => DATETIME,
? StartTime: DATETIME ? iodef-StartTime => DATETIME,
? EndTime: DATETIME ? iodef-EndTime => DATETIME,
? RecoveryTime: DATETIME ? iodef-RecoveryTime => DATETIME,
? ReportTime: DATETIME ? iodef-ReportTime => DATETIME,
GenerationTime: DATETIME iodef-GenerationTime => DATETIME,
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType],
? Discovery: [+ Discovery] ? iodef-Discovery => [+ Discovery],
? Assessment: [+ Assessment] ? iodef-Assessment => [+ Assessment],
? Method: [+ Method] ? iodef-Method => [+ Method],
Contact: [+ Contact] iodef-Contact => [+ Contact],
? EventData: [+ EventData] ? iodef-EventData => [+ EventData],
? Indicator: [+ Indicator] ? iodef-Indicator => [+ Indicator],
? History: History ? iodef-History => History,
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
IncidentID = { IncidentID = {
id: text iodef-id => text,
name: text iodef-name => text,
? instance: text ? iodef-instance => text,
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text
} }
AlternativeID = { AlternativeID = {
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
IncidentID: [+ IncidentID] iodef-IncidentID => [+ IncidentID]
} }
RelatedActivity = { RelatedActivity = {
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? IncidentID: [+ IncidentID] ? iodef-IncidentID => [+ IncidentID],
? URL: [+ URLtype] ? iodef-URL => [+ URLtype],
? ThreatActor: [+ ThreatActor] ? iodef-ThreatActor => [+ ThreatActor],
? Campaign: [+ Campaign] ? iodef-Campaign => [+ Campaign],
? IndicatorID: [+ IndicatorID] ? iodef-IndicatorID => [+ IndicatorID],
? Confidence: Confidence ? iodef-Confidence => Confidence,
? Description: [+ text] ? iodef-Description => [+ text],
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
ThreatActor = { ThreatActor = {
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? ThreatActorID: [+ text] ? iodef-ThreatActorID => [+ text],
? URL: [+ URLtype] ? iodef-URL => [+ URLtype],
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType],
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Campaign = { Campaign = {
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? CampaignID: [+ text] ? iodef-CampaignID => [+ text],
? URL: [+ URLtype] ? iodef-URL => [+ URLtype],
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType],
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
Contact = { Contact = {
role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" / iodef-role => "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" / "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
"vendor" / "vendor-support" / "victim" / "victim-notified" / "vendor" / "vendor-support" / "victim" / "victim-notified" /
"ext-value" "ext-value",
? ext-role: text ? iodef-ext-role => text,
type: "person" / "organization" / "ext-value" iodef-type => "person" / "organization" / "ext-value",
? ext-type: text ? iodef-ext-type => text,
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? ContactName: [+ MLStringType] ? iodef-ContactName => [+ MLStringType],
? ContactTitle: [+ MLStringType] ? iodef-ContactTitle => [+ MLStringType],
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType],
? RegistryHandle: [+ RegistryHandle] ? iodef-RegistryHandle => [+ RegistryHandle],
? PostalAddress: [+ PostalAddress] ? iodef-PostalAddress => [+ PostalAddress],
? Email: [+ Email] ? iodef-Email => [+ Email],
? Telephone: [+ Telephone] ? iodef-Telephone => [+ Telephone],
? Timezone: TimeZonetype ? iodef-Timezone => TimeZonetype,
? Contact: [+ Contact] ? iodef-Contact => [+ Contact],
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
RegistryHandle = { RegistryHandle = {
handle: text iodef-handle => text,
registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" / iodef-registry => "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
"afrinic" / "local" / "ext-value" "afrinic" / "local" / "ext-value",
? ext-registry: text ? iodef-ext-registry => text
} }
PostalAddress = { PostalAddress = {
? type: "street" / "mailing" / "ext-value" ? iodef-type => "street" / "mailing" / "ext-value",
? ext-type: text ? iodef-ext-type => text,
PAddress: PAddressType iodef-PAddress => PAddressType,
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Email = { Email = {
? type: "direct" / "hotline" / "ext-value" ? iodef-type => "direct" / "hotline" / "ext-value",
? ext-type: text ? iodef-ext-type => text,
EmailTo: text iodef-EmailTo => text,
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Telephone = { Telephone = {
? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value" ? iodef-type => "wired" / "mobile" / "fax" / "hotline" / "ext-value",
? ext-type: text ? iodef-ext-type => text,
TelephoneNumber: text iodef-TelephoneNumber => text,
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
Discovery = { Discovery = {
? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" / ? iodef-source => "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
"incident" / "os-log" / "application-log" / "device-log" / "incident" / "os-log" / "application-log" / "device-log" /
"network-flow" / "passive-dns" / "investigation" / "audit" / "network-flow" / "passive-dns" / "investigation" / "audit" /
"internal-notification" / "external-notification" / "internal-notification" / "external-notification" /
"leo" / "partner" / "actor" / "unknown" / "ext-value" "leo" / "partner" / "actor" / "unknown" / "ext-value",
? ext-source: text ? iodef-ext-source => text,
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType],
? Contact: [+ Contact] ? iodef-Contact => [+ Contact],
? DetectionPattern: [+ DetectionPattern] ? iodef-DetectionPattern => [+ DetectionPattern]
} }
DetectionPattern = { DetectionPattern = {
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? observable-id: IDtype ? iodef-observable-id => IDtype,
(Description: [+ MLStringType] // DetectionConfiguration: [+ text]) (iodef-Description => [+ MLStringType],
Application: SoftwareType iodef-DetectionConfiguration => [+ text]),
iodef-Application => SoftwareType
} }
Method = { Method = {
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? Reference: [+ Reference] ? iodef-Reference => [+ Reference],
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType],
? AttackPattern: [+ StructuredInfo] ? iodef-AttackPattern => [+ StructuredInfo],
? Vulnerability: [+ StructuredInfo] ? iodef-Vulnerability => [+ StructuredInfo],
? Weakness: [+ StructuredInfo] ? iodef-Weakness => [+ StructuredInfo],
? AdditionalData: [+ ExtensionType] ? iodef-AdditionalData => [+ ExtensionType]
} }
StructuredInfo = { StructuredInfo = {
SpecID: SpecID iodef-SpecID => SpecID,
? ext-SpecID: text ? iodef-ext-SpecID => text,
? ContentID: text ? iodef-ContentID => text,
? (RawData: [+ BYTE] // Reference:[+ Reference]) ? (iodef-RawData => [+ BYTE],
? Platform:[+ Platform] iodef-Reference => [+ Reference]),
? Scoring:[+ Scoring] ? iodef-Platform => [+ Platform],
? iodef-Scoring => [+ Scoring]
} }
Platform = { Platform = {
SpecID: SpecID iodef-SpecID => SpecID,
? ext-SpecID: text ? iodef-ext-SpecID => text,
? ContentID: text ? iodef-ContentID => text,
? RawData: [+ BYTE] ? iodef-RawData => [+ BYTE],
? Reference: [+ Reference] ? iodef-Reference => [+ Reference]
} }
Scoring = { Scoring = {
SpecID: SpecID iodef-SpecID => SpecID,
? ext-SpecID: text ? iodef-ext-SpecID => text,
? ContentID: text ? iodef-ContentID => text,
? RawData: [+ BYTE] ? iodef-RawData => [+ BYTE],
? Reference: [+ Reference] ? iodef-Reference => [+ Reference]
} }
Reference = { Reference = {
? observable-id: IDtype ? iodef-observable-id => IDtype,
? ReferenceName: ReferenceName ? iodef-ReferenceName => ReferenceName,
? URL: [+ URLtype] ? iodef-URL => [+ URLtype],
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
ReferenceName = { ReferenceName = {
specIndex: integer iodef-specIndex => integer,
ID: IDtype iodef-ID => IDtype
} }
Assessment = { Assessment = {
? occurrence: "actual" / "potential" ? iodef-occurrence => "actual" / "potential",
? restriction: restriction .default "private" ? iodef-restriction => restriction .default "private",
? ext-restriction: text ? iodef-ext-restriction => text,
? observable-id: IDtype ? iodef-observable-id => IDtype,
? IncidentCategory: [+ MLStringType] ? iodef-IncidentCategory => [+ MLStringType],
Impact: [+ {SystemImpact: SystemImpact} / iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
{BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} / {iodef-BusinessImpact => BusinessImpact} /
{MonetaryImpact: MonetaryImpact} / {iodef-TimeImpact => TimeImpact} /
{IntendedImpact: BusinessImpact}] {iodef-MonetaryImpact => MonetaryImpact} /
? Counter: [+ Counter] {iodef-IntendedImpact => BusinessImpact}],
? MitigatingFactor: [+ MLStringType] ? iodef-Counter => [+ Counter],
? Cause: [+ MLStringType] ? iodef-MitigatingFactor => [+ MLStringType],
? Confidence: Confidence ? iodef-Cause => [+ MLStringType],
? AdditionalData: [+ ExtensionType] ? iodef-Confidence => Confidence,
? iodef-AdditionalData => [+ ExtensionType]
} }
SystemImpact = { SystemImpact = {
? severity: "low" / "medium" / "high" ? iodef-severity => "low" / "medium" / "high",
? completion: "failed" / "succeeded" ? iodef-completion => "failed" / "succeeded",
type: "takeover-account" / "takeover-service" / "takeover-system" / iodef-type => "takeover-account" / "takeover-service" / "takeover-system" /
"cps-manipulation" / "cps-damage" / "availability-data" / "cps-manipulation" / "cps-damage" / "availability-data" /
"availability-account" / "availability-service" / "availability-account" / "availability-service" /
"availability-system" / "damaged-system" / "damaged-data" / "availability-system" / "damaged-system" / "damaged-data" /
"breach-proprietary" / "breach-privacy" / "breach-credential" / "breach-proprietary" / "breach-privacy" / "breach-credential" /
"breach-configuration" / "integrity-data" / "breach-configuration" / "integrity-data" /
"integrity-configuration" / "integrity-hardware" / "integrity-configuration" / "integrity-hardware" /
"traffic-redirection" / "monitoring-traffic" / "monitoring-host"/ "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
"policy" / "unknown" / "ext-value" .default "unknown" "policy" / "unknown" / "ext-value" .default "unknown",
? ext-type: text ? iodef-ext-type => text,
? Description: [+ MLStringType] ? iodef-Description => [+ MLStringType]
} }
BusinessImpact = { BusinessImpact = {
     ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
                         "ext-value" .default "unknown",
     ? iodef-ext-severity => text,
     iodef-type => "breach-proprietary" / "breach-privacy" /
                   "breach-credential" / "loss-of-integrity" /
                   "loss-of-service" / "theft-financial" / "theft-service" /
                   "degraded-reputation" / "asset-damage" /
                   "asset-manipulation" / "legal" / "extortion" / "unknown" /
                   "ext-value" .default "unknown",
     ? iodef-ext-type => text,
     ? iodef-Description => [+ MLStringType]
   }
   TimeImpact = {
     iodef-value => PositiveFloatType,
     ? iodef-severity => "low" / "medium" / "high",
     iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
     ? iodef-ext-metric => text,
     ? iodef-duration => duration .default "hour",
     ? iodef-ext-duration => text
   }
   MonetaryImpact = {
     iodef-value => PositiveFloatType,
     ? iodef-severity => "low" / "medium" / "high",
     ? iodef-currency => text
   }
   Confidence = {
     iodef-value => float32,
     iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
                     "ext-value",
     ? iodef-ext-rating => text
   }
   History = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     iodef-HistoryItem => [+ HistoryItem]
   }
   HistoryItem = {
     iodef-action => action .default "other",
     ? iodef-ext-action => text,
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     iodef-DateTime => DATETIME,
     ? iodef-IncidentID => IncidentID,
     ? iodef-Contact => Contact,
     ? iodef-Description => [+ MLStringType],
     ? iodef-DefinedCOA => [+ text],
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   EventData = {
     ? iodef-restriction => restriction .default "default",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     ? iodef-Description => [+ MLStringType],
     ? iodef-DetectTime => DATETIME,
     ? iodef-StartTime => DATETIME,
     ? iodef-EndTime => DATETIME,
     ? iodef-RecoveryTime => DATETIME,
     ? iodef-ReportTime => DATETIME,
     ? iodef-Contact => [+ Contact],
     ? iodef-Discovery => [+ Discovery],
     ? iodef-Assessment => Assessment,
     ? iodef-Method => [+ Method],
     ? iodef-System => [+ System],
     ? iodef-Expectation => [+ Expectation],
     ? iodef-RecordData => [+ RecordData],
     ? iodef-EventData => [+ EventData],
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   Expectation = {
     ? iodef-action => action .default "other",
     ? iodef-ext-action => text,
     ? iodef-severity => "low" / "medium" / "high",
     ? iodef-restriction => restriction .default "default",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     ? iodef-Description => [+ MLStringType],
     ? iodef-DefinedCOA => [+ text],
     ? iodef-StartTime => DATETIME,
     ? iodef-EndTime => DATETIME,
     ? iodef-Contact => Contact
   }
   System = {
     ? iodef-category => "source" / "target" / "intermediate" / "sensor" /
                         "infrastructure" / "ext-value",
     ? iodef-ext-category => text,
     ? iodef-interface => text,
     ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
     ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
     ? iodef-ownership => "organization" / "personal" / "partner" /
                          "customer" / "no-relationship" / "unknown" /
                          "ext-value",
     ? iodef-ext-ownership => text,
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     iodef-Node => Node,
     ? iodef-NodeRole => [+ NodeRole],
     ? iodef-Service => [+ Service],
     ? iodef-OperatingSystem => [+ SoftwareType],
     ? iodef-Counter => [+ Counter],
     ? iodef-AssetID => [+ text],
     ? iodef-Description => [+ MLStringType],
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   Node = {
     (iodef-DomainData => [+ DomainData],
      ? iodef-Address => [+ Address] //
      ? iodef-DomainData => [+ DomainData],
      iodef-Address => [+ Address]),
     ? iodef-PostalAddress => PostalAddress,
     ? iodef-Location => [+ MLStringType],
     ? iodef-Counter => [+ Counter]
   }
   Address = {
     iodef-value => text,
     iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
                       "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
                       "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
                       "ext-value" .default "ipv6-addr",
     ? iodef-ext-category => text,
     ? iodef-vlan-name => text,
     ? iodef-vlan-num => integer,
     ? iodef-observable-id => IDtype
   }
   NodeRole = {
     iodef-category => "client" / "client-enterprise" / "client-partner" /
                       "client-remote" / "client-kiosk" / "client-mobile" /
                       "server-internal" / "server-public" / "www" / "mail" /
                       "webmail" / "messaging" / "streaming" / "voice" /
                       "file" / "ftp" / "p2p" / "name" / "directory" /
                       "credential" / "print" / "application" / "database" /
                       "backup" / "dhcp" / "assessment" / "source-control" /
                       "config-management" / "monitoring" / "infra" /
                       "infra-firewall" / "infra-router" / "infra-switch" /
                       "camera" / "proxy" / "remote-access" / "log" /
                       "virtualization" / "pos" / "scada" /
                       "scada-supervisory" / "sinkhole" / "honeypot" /
                       "anomyzation" / "c2-server" / "malware-distribution" /
                       "drop-server" / "hop-point" / "reflector" /
                       "phishing-site" / "spear-phishing-site" /
                       "recruiting-site" / "fraudulent-site" / "ext-value",
     ? iodef-ext-category => text,
     ? iodef-Description => [+ MLStringType]
   }
   Counter = {
     iodef-value => float32,
     iodef-type => "count" / "peak" / "average" / "ext-value",
     ? iodef-ext-type => text,
     iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
                   "alert" / "message" / "event" / "host" / "site" /
                   "organization" / "ext-value",
     ? iodef-ext-unit => text,
     ? iodef-meaning => text,
     ? iodef-duration => duration .default "hour",
     ? iodef-ext-duration => text
   }
   DomainData = {
     iodef-system-status => "spoofed" / "fraudulent" / "innocent-hacked" /
                            "innocent-hijacked" / "unknown" / "ext-value",
     ? iodef-ext-system-status => text,
     iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
                            "assignedAndInactive" / "assignedAndOnHold" /
                            "revoked" / "transferPending" / "registryLock" /
                            "registrarLock" / "other" / "unknown" /
                            "ext-value",
     ? iodef-ext-domain-status => text,
     ? iodef-observable-id => IDtype,
     iodef-Name => text,
     ? iodef-DateDomainWasChecked => DATETIME,
     ? iodef-RegistrationDate => DATETIME,
     ? iodef-ExpirationDate => DATETIME,
     ? iodef-RelatedDNS => [+ ExtensionType],
     ? iodef-NameServers => [+ NameServers],
     ? iodef-DomainContacts => DomainContacts
   }
   NameServers = {
     iodef-Server => text,
     iodef-Address => [+ Address]
   }
   DomainContacts = {
     (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
   }
   Service = {
     ? iodef-ip-protocol => integer,
     ? iodef-observable-id => IDtype,
     ? iodef-ServiceName => ServiceName,
     ? iodef-Port => integer,
     ? iodef-Portlist => PortlistType,
     ? iodef-ProtoCode => integer,
     ? iodef-ProtoType => integer,
     ? iodef-ProtoField => integer,
     ? iodef-ApplicationHeaderField => [+ ExtensionType],
     ? iodef-EmailData => EmailData,
     ? iodef-Application => SoftwareType
   }
   ServiceName = {
     ? iodef-IANAService => text,
     ? iodef-URL => [+ URLtype],
     ? iodef-Description => [+ MLStringType]
   }
   EmailData = {
     ? iodef-observable-id => IDtype,
     ? iodef-EmailTo => [+ text],
     ? iodef-EmailFrom => text,
     ? iodef-EmailSubject => text,
     ? iodef-EmailX-Mailer => text,
     ? iodef-EmailHeaderField => [+ ExtensionType],
     ? iodef-EmailHeaders => text,
     ? iodef-EmailBody => text,
     ? iodef-EmailMessage => text,
     ? iodef-HashData => [+ HashData],
     ? iodef-Signature => [+ BYTE]
   }
   RecordData = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     ? iodef-DateTime => DATETIME,
     ? iodef-Description => [+ MLStringType],
     ? iodef-Application => SoftwareType,
     ? iodef-RecordPattern => [+ RecordPattern],
     ? iodef-RecordItem => [+ ExtensionType],
     ? iodef-URL => [+ URLtype],
     ? iodef-FileData => [+ FileData],
     ? iodef-WindowsRegistryKeysModified => [+ WindowsRegistryKeysModified],
     ? iodef-CertificateData => [+ CertificateData],
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   RecordPattern = {
     iodef-value => text,
     iodef-type => "regex" / "binary" / "xpath" / "ext-value"
                   .default "regex",
     ? iodef-ext-type => text,
     ? iodef-offset => integer,
     ? iodef-offsetunit => "line" / "byte" / "ext-value" .default "line",
     ? iodef-ext-offsetunit => text,
     ? iodef-instance => integer
   }
   WindowsRegistryKeysModified = {
     ? iodef-observable-id => IDtype,
     iodef-Key => [+ Key]
   }
   Key = {
     ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
                               "delete-value" / "modify-key" /
                               "modify-value" / "ext-value",
     ? iodef-ext-registryaction => text,
     ? iodef-observable-id => IDtype,
     iodef-KeyName => text,
     ? iodef-KeyValue => text
   }
   CertificateData = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     iodef-Certificate => [+ Certificate]
   }
   Certificate = {
     ? iodef-observable-id => IDtype,
     iodef-X509Data => BYTE,
     ? iodef-Description => [+ MLStringType]
   }
   FileData = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     ? iodef-observable-id => IDtype,
     iodef-File => [+ File]
   }
   File = {
     ? iodef-observable-id => IDtype,
     ? iodef-FileName => text,
     ? iodef-FileSize => integer,
     ? iodef-FileType => text,
     ? iodef-URL => [+ URLtype],
     ? iodef-HashData => HashData,
     ? iodef-Signature => [+ BYTE],
     ? iodef-AssociatedSoftware => SoftwareType,
     ? iodef-FileProperties => [+ ExtensionType]
   }
   HashData = {
     iodef-scope => "file-contents" / "file-pe-section" / "file-pe-iat" /
                    "file-pe-resource" / "file-pdf-object" / "email-hash" /
                    "email-headers-hash" / "email-body-hash" / "ext-value",
     ? iodef-HashTargetID => text,
     ? iodef-Hash => [+ Hash],
     ? iodef-FuzzyHash => [+ FuzzyHash]
   }
   Hash = {
     iodef-DigestMethod => BYTE,
     iodef-DigestValue => BYTE,
     ? iodef-CanonicalizationMethod => BYTE,
     ? iodef-Application => SoftwareType
   }
   FuzzyHash = {
     iodef-FuzzyHashValue => [+ ExtensionType],
     ? iodef-Application => SoftwareType,
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   Indicator = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     iodef-IndicatorID => IndicatorID,
     ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
     ? iodef-Description => [+ MLStringType],
     ? iodef-StartTime => DATETIME,
     ? iodef-EndTime => DATETIME,
     ? iodef-Confidence => Confidence,
     ? iodef-Contact => [+ Contact],
     (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
      iodef-IndicatorExpression => IndicatorExpression //
      iodef-IndicatorReference => IndicatorReference),
     ? iodef-NodeRole => [+ NodeRole],
     ? iodef-AttackPhase => [+ AttackPhase],
     ? iodef-Reference => [+ Reference],
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   IndicatorID = {
     iodef-id => IDtype,
     iodef-name => text,
     iodef-version => text
   }
   AlternativeIndicatorID = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     iodef-IndicatorID => [+ IndicatorID]
   }
   Observable = {
     ? iodef-restriction => restriction .default "private",
     ? iodef-ext-restriction => text,
     ? (iodef-System => System // iodef-Address => Address //
        iodef-DomainData => DomainData // iodef-EmailData => EmailData //
        iodef-Service => Service //
        iodef-WindowsRegistryKeysModified => WindowsRegistryKeysModified //
        iodef-FileData => FileData //
        iodef-CertificateData => CertificateData //
        iodef-RegistryHandle => RegistryHandle //
        iodef-RecordData => RecordData // iodef-EventData => EventData //
        iodef-Incident => Incident // iodef-Expectation => Expectation //
        iodef-Reference => Reference // iodef-Assessment => Assessment //
        iodef-DetectionPattern => DetectionPattern //
        iodef-HistoryItem => HistoryItem //
        iodef-BulkObservable => BulkObservable //
        iodef-AdditionalData => [+ ExtensionType])
   }
   BulkObservable = {
     ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
                     "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
                     "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
                     "domain-to-ipv4" / "domain-to-ipv6" /
                     "domain-to-ipv4-timestamp" /
                     "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
                     "windows-reg-key" / "file-hash" / "email-x-mailer" /
                     "email-subject" / "http-user-agent" /
                     "http-request-uri" / "mutex" / "file-path" /
                     "user-name" / "ext-value",
     ? iodef-ext-type => text,
     ? iodef-BulkObservableFormat => BulkObservableFormat,
     iodef-BulkObservableList => text,
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   BulkObservableFormat = {
     (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
   }
   IndicatorExpression = {
     ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
     ? iodef-ext-operator => text,
     ? iodef-IndicatorExpression => [+ IndicatorExpression],
     ? iodef-Observable => [+ Observable],
     ? iodef-uid-ref => [+ IDREFType],
     ? iodef-IndicatorReference => [+ IndicatorReference],
     ? iodef-Confidence => Confidence,
     ? iodef-AdditionalData => [+ ExtensionType]
   }
   IndicatorReference = {
     (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
     ? iodef-version => text
   }
   AttackPhase = {
     ? iodef-AttackPhaseID => [+ text],
     ? iodef-URL => [+ URLtype],
     ? iodef-Description => [+ MLStringType],
     ? iodef-AdditionalData => [+ ExtensionType]
   }
                      Figure 9: Data Model in CDDL

7.  IANA Considerations

   This document does not require any IANA actions.

8.  Security Considerations
   This document provides a mapping from the XML IODEF defined in
   [RFC7970] to JSON, and Section 3.2 describes several issues that
   arise when converting between XML IODEF and JSON IODEF.  Though it
   does not introduce any security considerations beyond those described
   in [RFC7970], implementers of this document should be aware of those
   conversion issues to avoid any unintended outcome.
9.  Acknowledgments

   We would like to thank Henk Birkholz, Carsten Bormann, Benjamin
   Kaduk, Yasuaki Morita, and Takahiko Nagata for their insightful
   comments on this document and CDDL.
10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.

   ...

              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019, <https://www.rfc-editor.org/info/rfc8610>.

10.2.  Informative References

   [I-D.handrews-json-schema-validation]
              Wright, A., Andrews, H., and B. Hutton, "JSON Schema
              Validation: A Vocabulary for Structural Validation of
              JSON", draft-handrews-json-schema-validation-02 (work in
              progress), September 2019.
Appendix A.  Data Types used in this document

   The CDDL prelude used in this document is mapped to JSON as shown in
   the table below.

   +--------------+-------------+----------+-----------------+
   | CDDL Prelude | Use of JSON | Instance | Validation      |
   +--------------+-------------+----------+-----------------+
   | bytes        | n/a         | string   | tool available  |
   | text         | string      | string   | unnecessary     |
   | tdate        | n/a         | string   | 7.3.1 date-time |
   | integer      | n/a         | number   | integer         |
   | eb64legacy   | n/a         | string   | tool available  |
   | uri          | n/a         | string   | 7.3.6 uri       |
   | float32      | float32     | number   | unnecessary     |
   +--------------+-------------+----------+-----------------+

                 Figure 10: CDDL Prelude mapping in JSON
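   A validator for a JSON IODEF System object and its Node, Address and
   DomainData children, written against the System, Node, Address and
   DomainData rules of the CDDL data model above together with the prelude
   mapping of Figure 10 (tdate as a JSON string in RFC 3339 date-time form,
   integer as a JSON number).  This is an added example, not code from the
   draft: IodefError, the check_* functions and the sample System object are
   constructed for it, member names follow the iodef- prefixed CDDL, and the
   Node group choice is read as "at least one of DomainData or Address".

```python
"""Validator for an IODEF JSON System object (System, Node, Address,
DomainData) derived from the CDDL above and the prelude mapping of
Figure 10.  Added example, not code from the draft."""
import re

class IodefError(ValueError):
    """Raised on the first constraint violation found."""

# Enumerations copied from the CDDL in this section.
ADDRESS_CATEGORY = {"asn", "atm", "e-mail", "ipv4-addr", "ipv4-net",
                    "ipv4-net-masked", "ipv4-net-mask", "ipv6-addr",
                    "ipv6-net", "ipv6-net-masked", "mac", "site-uri", "ext-value"}
SYSTEM_CATEGORY = {"source", "target", "intermediate", "sensor",
                   "infrastructure", "ext-value"}
SYSTEM_STATUS = {"spoofed", "fraudulent", "innocent-hacked",
                 "innocent-hijacked", "unknown", "ext-value"}
DOMAIN_STATUS = {"reservedDelegation", "assignedAndActive", "assignedAndInactive",
                 "assignedAndOnHold", "revoked", "transferPending", "registryLock",
                 "registrarLock", "other", "unknown", "ext-value"}
YES_NO_UNKNOWN = {"yes", "no", "unknown"}
# tdate (DATETIME) maps to a JSON string validated as date-time (RFC 3339).
RFC3339 = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

def _enum(obj, key, allowed, default=None, required=False):
    """Check an enumerated member.  An absent optional member receives its
    CDDL .default; "ext-value" is valid only with the iodef-ext-* member."""
    if key not in obj:
        if required:
            raise IodefError(f"missing required member {key}")
        if default is not None:
            obj[key] = default
        return
    if obj[key] not in allowed:
        raise IodefError(f"{key}: {obj[key]!r} is not an allowed value")
    ext_key = key.replace("iodef-", "iodef-ext-", 1)
    if obj[key] == "ext-value" and ext_key not in obj:
        raise IodefError(f"{key} is ext-value but {ext_key} is missing")

def _items(obj, key):
    # A member typed [+ X] must be a non-empty array when present.
    if key not in obj:
        return []
    if not isinstance(obj[key], list) or not obj[key]:
        raise IodefError(f"{key} must be a non-empty array")
    return obj[key]

def check_datetime(s):
    if not isinstance(s, str) or not RFC3339.match(s):
        raise IodefError(f"bad DATETIME {s!r}")
    return s

def check_address(a):
    if not isinstance(a.get("iodef-value"), str):
        raise IodefError("Address requires iodef-value (text)")
    _enum(a, "iodef-category", ADDRESS_CATEGORY, default="ipv6-addr")
    vlan = a.get("iodef-vlan-num", 0)  # integer -> JSON number; bool is not
    if isinstance(vlan, bool) or not isinstance(vlan, int):
        raise IodefError("iodef-vlan-num must be an integer")
    return a

def check_domaindata(d):
    _enum(d, "iodef-system-status", SYSTEM_STATUS, required=True)
    _enum(d, "iodef-domain-status", DOMAIN_STATUS, required=True)
    if not isinstance(d.get("iodef-Name"), str):
        raise IodefError("DomainData requires iodef-Name (text)")
    for k in ("iodef-DateDomainWasChecked", "iodef-RegistrationDate",
              "iodef-ExpirationDate"):
        if k in d:
            check_datetime(d[k])
    return d

def check_node(n):
    # Node's group choice reduces to: at least one of DomainData, Address.
    if "iodef-DomainData" not in n and "iodef-Address" not in n:
        raise IodefError("Node needs iodef-DomainData or iodef-Address")
    for d in _items(n, "iodef-DomainData"):
        check_domaindata(d)
    for a in _items(n, "iodef-Address"):
        check_address(a)
    return n

def check_system(s):
    """Validate a System map in place and return it with defaults filled."""
    _enum(s, "iodef-category", SYSTEM_CATEGORY)
    _enum(s, "iodef-spoofed", YES_NO_UNKNOWN, default="unknown")
    _enum(s, "iodef-virtual", YES_NO_UNKNOWN, default="unknown")
    if "iodef-Node" not in s:
        raise IodefError("System requires iodef-Node")
    check_node(s["iodef-Node"])
    return s

# Constructed sample (not from the draft): a hacked domain seen as a source.
SAMPLE_SYSTEM = {
    "iodef-category": "source",
    "iodef-Node": {
        "iodef-DomainData": [{"iodef-system-status": "innocent-hacked",
                              "iodef-domain-status": "assignedAndActive",
                              "iodef-Name": "example.net",
                              "iodef-DateDomainWasChecked": "2020-02-10T09:00:00Z"}],
        "iodef-Address": [{"iodef-value": "192.0.2.44"}]}}
```

   Note that an Address carrying no iodef-category is treated as
   "ipv6-addr" by the CDDL .default regardless of what its value looks
   like, so producers should always set the category explicitly.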
Appendix B.  The IODEF Data Model (JSON Schema)

   This section provides a JSON schema
   [I-D.handrews-json-schema-validation] that defines the IODEF Data
   Model defined in this draft.  Note that this section is Informative.
   { "$schema": "http://json-schema.org/draft-04/schema#",
     "definitions": {
       "action": {"enum": ["nothing","contact-source-site",
         "contact-target-site","contact-sender","investigate",
         "block-host","block-network","block-port","rate-limit-host",
         "rate-limit-network","rate-limit-port","redirect-traffic",
         "honeypot","upgrade-software","rebuild-asset","harden-asset",
         "remediate-other","status-triage","status-new-info",
         "watch-and-report","training","defined-coa","other",
   ...
       "format-id": {"type": "string"},
       "private-enum-name": {"type": "string"},
       "private-enum-id": {"type": "string"},
       "Incident": {
         "type": "array",
         "items": {"$ref": "#/definitions/Incident"},
         "minItems": 1},
       "AdditionalData": {"$ref":"#/definitions/ExtensionTypeList"}},
     "required": ["version","Incident"],
     "additionalProperties": false}

                         Figure 11: JSON schema
Authors' Addresses

   Takeshi Takahashi
   National Institute of Information and Communications Technology
   4-2-1 Nukui-Kitamachi
   Koganei, Tokyo 184-8795
   Japan

   Phone: +81 42 327 5862