draft-ietf-mile-rfc5070-bis-01.txt   draft-ietf-mile-rfc5070-bis-02.txt 
MILE Working Group                                        R. Danyliw
Internet-Draft                                                  CERT
Obsoletes: 5070 (if approved)                            P. Stoecker
Intended status: Standards Track                                 RSA
-01: Expires: March 02, 2014                          August 29, 2013
-02: Expires: April 23, 2014                         October 20, 2013

The Incident Object Description Exchange Format v2
-01: draft-ietf-mile-rfc5070-bis-01
-02: draft-ietf-mile-rfc5070-bis-02
Abstract

The Incident Object Description Exchange Format (IODEF) defines a
data representation that provides a framework for sharing information
commonly exchanged by Computer Security Incident Response Teams
(CSIRTs) about computer security incidents. This document describes
the information model for the IODEF and provides an associated data
model specified with XML Schema.

skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

-01: This Internet-Draft will expire on March 02, 2014.
-02: This Internet-Draft will expire on April 23, 2014.

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 33
Table of Contents (-02; -01 lacks Sections 3.6 and 3.7 and numbers
the remaining subsections of Section 3 two lower, 3.6 AdditionalData
through 3.21 HashInformation)

   1.2.  Terminology
   1.3.  Notations
   1.4.  About the IODEF Data Model
   1.5.  About the IODEF Implementation
   2.  IODEF Data Types
   2.1.  Integers
   2.2.  Real Numbers
   2.3.  Characters and Strings
   2.4.  Multilingual Strings
   2.5.  Bytes
   2.6.  Hexadecimal Bytes
   2.7.  Enumerated Types
   2.8.  Date-Time Strings
   2.9.  Timezone String
   2.10. Port Lists
   2.11. Postal Address
   2.12. Person or Organization
   2.13. Telephone and Fax Numbers
   2.14. Email String
   2.15. Uniform Resource Locator strings
   3.  The IODEF Data Model
   3.1.  IODEF-Document Class
   3.2.  Incident Class
   3.3.  IncidentID Class
   3.4.  AlternativeID Class
   3.5.  RelatedActivity Class
   3.6.  ThreatActor Class
   3.7.  Campaign Class
   3.8.  AdditionalData Class
   3.9.  Contact Class
   3.9.1.  RegistryHandle Class
   3.9.2.  PostalAddress Class
   3.9.3.  Email Class
   3.9.4.  Telephone and Fax Classes
   3.10. Time Classes
   3.10.1. StartTime
   3.10.2. EndTime
   3.10.3. DetectTime
   3.10.4. ReportTime
   3.10.5. DateTime
   3.11. Method Class
   3.11.1. Reference Class
   3.12. Assessment Class
   3.12.1. Impact Class
   3.12.2. TimeImpact Class
   3.12.3. MonetaryImpact Class
   3.12.4. Confidence Class
   3.13. History Class
   3.13.1. HistoryItem Class
   3.14. EventData Class
   3.14.1. Relating the Incident and EventData Classes
   3.14.2. Cardinality of EventData
   3.15. Expectation Class
   3.16. Flow Class
   3.17. System Class
   3.18. Node Class
   3.18.1. Counter Class
   3.18.2. Address Class
   3.18.3. NodeRole Class
   3.19. Service Class
   3.19.1. Application Class
   3.20. OperatingSystem Class
   3.21. Record Class
   3.21.1. RecordData Class
   3.21.2. RecordPattern Class
   3.21.3. RecordItem Class
   3.22. RegistryKeyModified Class
   3.22.1. Key Class
   3.23. HashInformation Class
   4.  Processing Considerations
   4.1.  Encoding
   4.2.  IODEF Namespace
   4.3.  Validation
   5.  Extending the IODEF
   5.1.  Extending the Enumerated Values of Attributes
   5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
   7.1.  Worm
   7.2.  Reconnaissance
   7.3.  Bot-Net Reporting
   7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
   12.1. Normative References
   12.2. Informative References
1. Introduction

Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a
consortium.

skipping to change at page 5, line 44
RFC5070.

o  All of the RFC5070 Errata were implemented.

o  Imported the xmlns:ds namespace to include digital signature hash
   classes.

o  The attributes @indicator-uid and @indicator-set-id were added to
   various classes to reference commonly shared indicators.

o  -01: The following classes were added to the Service class: Email,
   EmailSubject, X-Mailer, and DomainData.
   -02: The following classes and attributes were added to the Service
   class: Email, EmailSubject, X-Mailer, DomainData, AssetID,
   @virtual, and @ownership.

o  The following classes were added to the Record class: FileName,
   ds:Reference, and WindowsRegistryKeysModified.

o  (-02 only) The following classes were added to the RelatedActivity
   class: ThreatActor, Campaign, Confidence, Description, and
   AdditionalData.

o  (-02 only) The following class was added to the Contact class:
   ContactTitle.

o  (for consideration) The following class was added to the Node
   class: URL.

o  (for consideration) The following attribute was added to the
   SoftwareType complexType: user-agent.

o  Additional enumerated values were added to the following
   attributes: @restriction, {Expectation, HistoryItem}@action,
   NodeRole@category, and (in -02) Incident@purpose.
1.2. Terminology 1.2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [6]. document are to be interpreted as described in RFC2119 [6].
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of [16]. terminology used in this document can be found in Section 2 of [16].
skipping to change at page 11, line 43 skipping to change at page 12, line 4
   Required. ENUM. A valid language code per RFC 4646 [7]
   constrained by the definition of "xs:language". The
   interpretation of this code is described in Section 6.

formatid
   Optional. STRING. A free-form string to convey processing
   instructions to the recipient of the document. Its semantics must
   be negotiated out-of-band.

3.2. Incident Class

Every incident is represented by an instance of the Incident class.
This class provides a standardized representation for commonly
exchanged incident data.

   +--------------------+
   | Incident           |
   +--------------------+
   | ENUM purpose       |<>----------[ IncidentID ]
   | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
   | ENUM lang          |<>--{0..*}--[ RelatedActivity ]
   | ENUM restriction   |<>--{0..1}--[ DetectTime ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>----------[ ReportTime ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{1..*}--[ Assessment ]
   |                    |<>--{0..*}--[ Method ]
   |                    |<>--{1..*}--[ Contact ]
   |                    |<>--{0..*}--[ EventData ]
   |                    |<>--{0..1}--[ History ]

   -01: | ENUM lang          |<>--{0..1}--[ RelatedActivity ]

skipping to change at page 12, line 31 (-01) / page 12, line 40 (-02)
IncidentID
   One. An incident tracking number assigned to this incident by the
   CSIRT that generated the IODEF document.

AlternativeID
   Zero or one. The incident tracking numbers used by other CSIRTs
   to refer to the incident described in the document.

RelatedActivity
   -01: Zero or one. The incident tracking numbers of related
   incidents.
   -02: Zero or many. Related activity and attribution of this
   activity.

DetectTime
   Zero or one. The time the incident was first detected.

StartTime
   Zero or one. The time the incident started.

EndTime
   Zero or one. The time the incident ended.

skipping to change at page 13, line 28 (-01) / page 13, line 36 (-02)
   during the course of handling the incident.

AdditionalData
   Zero or more. Mechanism by which to extend the data model.

The Incident class has five attributes:

purpose
   Required. ENUM. The purpose attribute represents the reason why
   the IODEF document was created. It is closely related to the
   Expectation class (Section 3.15 in -02; Section 3.13 in -01).
   This attribute is defined as an enumerated list:

   1. traceback. The document was sent for trace-back purposes.

   2. mitigation. The document was sent to request aid in
      mitigating the described activity.

   3. reporting. The document was sent to comply with reporting
      requirements.

   4. watch. The document was sent to convey indicators to watch
      for particular activity. (Added in -02; in -01 the list ends
      with other and ext-value as items 4 and 5.)

   5. other. The document was sent for purposes specified in the
      Expectation class.

   6. ext-value. An escape value used to extend this attribute.
      See Section 5.1.

ext-purpose
   Optional. STRING. A means by which to extend the purpose
   attribute. See Section 5.1.

lang
   Optional. ENUM. A valid language code per RFC 4646 [7]
   constrained by the definition of "xs:language". The
   interpretation of this code is described in Section 6.

skipping to change at page 16, line 36 (-01) / page 16, line 48 (-02)
IncidentID
   One or more. The incident tracking number of another CSIRT.

The AlternativeID class has one attribute:

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.

3.5. RelatedActivity Class

-01: The RelatedActivity class lists either incident tracking numbers
of incidents or URLs (not both) that refer to activity related to the
one described in the IODEF document. These references may be to
local incident tracking numbers or to those of other CSIRTs. The
specifics of how a CSIRT comes to believe that two incidents are
related are considered out of scope.

-02: The RelatedActivity class relates the information described in
the rest of the IODEF document to previously observed incidents or
activity, and allows attribution to a specific actor or campaign.

-01 figure:

   +------------------+
   | RelatedActivity  |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ IncidentID ]
   |                  |<>--{1..*}--[ URL ]
   +------------------+

-02 figure:

   +------------------+
   | RelatedActivity  |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ IncidentID ]
   |                  |<>--{0..*}--[ URL ]
   |                  |<>--{0..*}--[ ThreatActor ]
   |                  |<>--{0..*}--[ Campaign ]
   |                  |<>--{0..1}--[ Confidence ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

Figure 5: RelatedActivity Class

The aggregate classes that constitute RelatedActivity (as of -02) are:

IncidentID
   Zero or more (-01: one or more). The incident tracking number of
   a related incident.

URL
   Zero or more (-01: one or more). URL. A URL to activity related
   to this incident.

ThreatActor
   Zero or more. The threat actor to whom the described activity is
   attributed.

Campaign
   Zero or more. The campaign of a given threat actor to whom the
   described activity is attributed.

Confidence
   Zero or one. An estimate of the confidence in attributing this
   RelatedActivity to the event described in the document.

Description
   Zero or many. ML_STRING. A description of how these
   relationships were derived.

AdditionalData
   Zero or many. A mechanism by which to extend the data model.

RelatedActivity MUST have at least one instance of IncidentID, URL,
ThreatActor, or Campaign. (In -01, which lacked ThreatActor and
Campaign, the class carried one or more IncidentID or one or more
URL, not both.)

The RelatedActivity class has one attribute:

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.
3.6. ThreatActor Class (-02 only)

The ThreatActor class describes a given actor.

   +------------------+
   | ThreatActor      |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

Figure 6: ThreatActor Class

The aggregate classes that constitute ThreatActor are:

ThreatActorID
   Zero or one. STRING. An identifier for the ThreatActor.

Description
   Zero or more. ML_STRING. A description of the ThreatActor.

AdditionalData
   Zero or many. A mechanism by which to extend the data model.

ThreatActor MUST have at least one instance of a ThreatActorID or
Description.

The ThreatActor class has one attribute:

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.

3.7. Campaign Class (-02 only)

The Campaign class describes a ...

   +------------------+
   | Campaign         |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ CampaignID ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

Figure 7: Campaign Class

The aggregate classes that constitute Campaign are:

CampaignID
   Zero or one. STRING. An identifier for the Campaign.

Description
   Zero or more. ML_STRING. A description of the Campaign.

AdditionalData
   Zero or many. A mechanism by which to extend the data model.

Campaign MUST have at least one instance of a CampaignID or
Description.

The Campaign class has one attribute:

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.
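As an added example, not code from either draft or from any IODEF implementation, the following Python checks a constructed IODEF document against the rules quoted above for the Incident class (Section 3.2: the purpose enumeration, ext-value requiring ext-purpose, and the child cardinalities in the figure) and for RelatedActivity, ThreatActor and Campaign (Sections 3.5 to 3.7: the "at least one of" constraints and the single Confidence). It uses xml.etree rather than XML Schema so it runs offline; the namespace URI, the version attribute value and every identifier in the sample document are assumptions, and the schema in Section 8 remains the authoritative validation.

```python
"""Structural checks for IODEF v2 Incident and RelatedActivity elements.

Added example; not part of the draft. Enforces the cardinality and
enumeration rules stated in Sections 3.2 and 3.5-3.7 of -02.
"""
import xml.etree.ElementTree as ET

# Assumption: the namespace the draft binds to the iodef prefix
# (Section 4.2 of the draft defines the real value).
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    """Qualified tag name in the IODEF namespace."""
    return "{%s}%s" % (NS, name)


# Incident@purpose values from Section 3.2 of -02.
PURPOSES = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}

# Child cardinalities of Incident from the figure in Section 3.2
# (name, minimum, maximum or None for unbounded).
INCIDENT_CHILDREN = [
    ("IncidentID", 1, 1), ("AlternativeID", 0, 1), ("ReportTime", 1, 1),
    ("Assessment", 1, None), ("Contact", 1, None), ("History", 0, 1),
]


def check_related_activity(ra):
    """RelatedActivity MUST carry an IncidentID, URL, ThreatActor or Campaign."""
    problems = []
    if not any(ra.find(q(c)) is not None
               for c in ("IncidentID", "URL", "ThreatActor", "Campaign")):
        problems.append("RelatedActivity has no IncidentID, URL, ThreatActor or Campaign")
    if len(ra.findall(q("Confidence"))) > 1:
        problems.append("RelatedActivity has more than one Confidence")
    for ta in ra.findall(q("ThreatActor")):
        if ta.find(q("ThreatActorID")) is None and ta.find(q("Description")) is None:
            problems.append("ThreatActor has neither ThreatActorID nor Description")
    for c in ra.findall(q("Campaign")):
        if c.find(q("CampaignID")) is None and c.find(q("Description")) is None:
            problems.append("Campaign has neither CampaignID nor Description")
    return problems


def check_incident(inc):
    """Return a list of rule violations for one Incident element."""
    problems = []
    purpose = inc.get("purpose")
    if purpose not in PURPOSES:
        problems.append("Incident@purpose %r not in enumerated list" % purpose)
    elif purpose == "ext-value" and not inc.get("ext-purpose"):
        problems.append("Incident@purpose is ext-value but ext-purpose is missing")
    for name, lo, hi in INCIDENT_CHILDREN:
        n = len(inc.findall(q(name)))
        if n < lo or (hi is not None and n > hi):
            problems.append("Incident has %d %s element(s)" % (n, name))
    for ra in inc.findall(q("RelatedActivity")):
        problems.extend(check_related_activity(ra))
    return problems


def check_document(xml_text):
    """Parse an IODEF-Document and return every violation found."""
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return ["root element is %s, not IODEF-Document" % root.tag]
    problems = []
    for inc in root.findall(q("Incident")):
        problems.extend(check_incident(inc))
    return problems


# Constructed sample: a watch-list report attributed to an actor and campaign.
GOOD = """<IODEF-Document version="2.00" lang="en" xmlns="%s">
  <Incident purpose="watch" restriction="need-to-know">
    <IncidentID name="csirt.example.com">2013-0042</IncidentID>
    <RelatedActivity>
      <ThreatActor>
        <ThreatActorID>actor-17</ThreatActorID>
        <Description>Constructed example actor</Description>
      </ThreatActor>
      <Campaign>
        <CampaignID>campaign-3</CampaignID>
      </Campaign>
      <Confidence rating="medium"/>
    </RelatedActivity>
    <ReportTime>2013-10-20T12:00:00Z</ReportTime>
    <Assessment><Impact type="recon" completion="succeeded"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
      <Email>csirt@example.com</Email>
    </Contact>
  </Incident>
</IODEF-Document>
""" % NS

# The same document with three violations introduced: ext-value without
# ext-purpose, a Campaign with no CampaignID or Description, no ReportTime.
BAD = (GOOD.replace('purpose="watch"', 'purpose="ext-value"')
           .replace("<CampaignID>campaign-3</CampaignID>", "")
           .replace("<ReportTime>2013-10-20T12:00:00Z</ReportTime>", ""))

if __name__ == "__main__":
    print("GOOD:", check_document(GOOD))
    print("BAD: ", check_document(BAD))
```

The checks are deliberately restricted to what the text states; they say nothing about element order, which the XML Schema sequence in Section 8 enforces, so they are a pre-screen for producers, not a substitute for schema validation on receipt.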
3.8. AdditionalData Class (3.6 in -01)

The AdditionalData class serves as an extension mechanism for
information not otherwise represented in the data model. For
relatively simple information, atomic data types (e.g., integers,
strings) are provided with a mechanism to annotate their meaning.
The class can also be used to extend the data model (and the
associated Schema) to support proprietary extensions by encapsulating
entire XML documents conforming to another Schema (e.g., IDMEF). A
detailed discussion for extending the data model and the schema can
be found in Section 5.

skipping to change at page 17, line 49 (-01) / page 20, line 17 (-02)
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING ext-dtype |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

Figure 8: The AdditionalData Class (Figure 6 in -01)

The AdditionalData class has five attributes:

dtype
   Required. ENUM. The data type of the element content. The
   permitted values for this attribute are shown below. The default
   value is "string".

   1. boolean. The element content is of type BOOLEAN.

skipping to change at page 19, line 23 (-01) / page 21, line 39 (-02)
   Optional. STRING. A free-form description of the element
   content.

formatid
   Optional. STRING. An identifier referencing the format and
   semantics of the element content.

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.

3.9. Contact Class (3.7 in -01)

The Contact class describes contact information for organizations and
personnel involved in the incident. This class allows for the naming
of the involved party, specifying contact information for them, and
identifying their role in the incident.

People and organizations are treated interchangeably as contacts; one
can be associated with the other using the recursive definition of
the class (the Contact class is aggregated into the Contact class).
The 'type' attribute disambiguates the type of contact information

skipping to change at page 19, line 49 (-01) / page 22, line 18 (-02)

derived by a particular traversal from the root Contact class to the
leaf Contact class. As such, multiple points of contact might be
specified in a single instance of a Contact class. Each child
Contact class logically inherits contact information from its
ancestors.
+------------------+ +------------------+
| Contact | | Contact |
+------------------+ +------------------+
| ENUM role |<>--{0..1}--[ ContactName ] | ENUM role |<>--{0..1}--[ ContactName ]
| STRING ext-role |<>--{0..*}--[ Description ] | STRING ext-role |<>--{0..1}--[ ContactTitle ]
| ENUM type |<>--{0..*}--[ RegistryHandle ] | ENUM type |<>--{0..*}--[ Description ]
| STRING ext-type |<>--{0..1}--[ PostalAddress ] | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
| ENUM restriction |<>--{0..*}--[ Email ] | ENUM restriction |<>--{0..1}--[ PostalAddress ]
| |<>--{0..*}--[ Email ]
| |<>--{0..*}--[ Telephone ] | |<>--{0..*}--[ Telephone ]
| |<>--{0..1}--[ Fax ] | |<>--{0..1}--[ Fax ]
| |<>--{0..1}--[ Timezone ] | |<>--{0..1}--[ Timezone ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 7: The Contact Class Figure 9: The Contact Class
The aggregate classes that constitute the Contact class are: The aggregate classes that constitute the Contact class are:
ContactName ContactName
Zero or one. ML_STRING. The name of the contact. The contact Zero or one. ML_STRING. The name of the contact. The contact
may either be an organization or a person. The type attribute may either be an organization or a person. The type attribute
disambiguates the semantics. disambiguates the semantics.
ContactTitle
Zero or one. ML_STRING. The title for the individual named in
the ContactName.
Description Description
Zero or many. ML_STRING. A free-form description of this Zero or many. ML_STRING. A free-form description of this
contact. In the case of a person, this is often the contact. In the case of a person, this is often the
organizational title of the individual. organizational title of the individual.
RegistryHandle RegistryHandle
Zero or many. A handle name into the registry of the contact. Zero or many. A handle name into the registry of the contact.
PostalAddress PostalAddress
Zero or one. The postal address of the contact. Zero or one. The postal address of the contact.
skipping to change at page 22, line 6 skipping to change at page 24, line 27
3. ext-value. An escape value used to extend this attribute. 3. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
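The text above says a child Contact logically inherits contact information from its ancestors, so the effective details for a nested person are the union of what appears along the traversal from the root Contact down to it. The following is an added example (not text or schema from the draft) that resolves that inheritance for a constructed Contact tree; the namespace string and the merge policy (own values first, then ancestors') are assumptions, and the sample document is constructed.

```python
"""Resolve the contact information a nested IODEF Contact inherits.

A child Contact inherits details from its ancestors, so the effective
information for a leaf is gathered along the chain from the root Contact
down to it.  Constructed example: sample document, namespace and merge
policy are assumptions, not the draft's own text or schema.
"""
import xml.etree.ElementTree as ET

# Assumption: namespace used by later IODEF v2 versions; the draft text
# shown here does not state it.
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(tag):
    """Clark-notation name for an IODEF element."""
    return f"{{{NS}}}{tag}"


# Single-valued children: the nearest Contact that carries one wins.
INHERITED_SINGLE = ("PostalAddress", "Timezone", "Fax")
# Multi-valued children: accumulate, own values first, then ancestors'.
INHERITED_MULTI = ("Email", "Telephone")

# Constructed sample: an organization with one nested person contact.
SAMPLE = f"""<Contact xmlns="{NS}" role="creator" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <RegistryHandle registry="local">CSIRT-01</RegistryHandle>
  <PostalAddress>1 Example Street, Example City</PostalAddress>
  <Email>csirt@example.org</Email>
  <Telephone>+1-555-0100</Telephone>
  <Timezone>-05:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice Analyst</ContactName>
    <ContactTitle>Incident Handler</ContactTitle>
    <Email>alice@example.org</Email>
  </Contact>
</Contact>"""


def parse_sample():
    """Parse the constructed sample into an Element tree."""
    return ET.fromstring(SAMPLE)


def contact_path(root, name):
    """Depth-first search for the Contact whose ContactName is `name`;
    returns the chain of Contact elements from root to it, or None."""
    def walk(node, path):
        path = path + [node]
        cn = node.find(q("ContactName"))
        if cn is not None and (cn.text or "").strip() == name:
            return path
        for child in node.findall(q("Contact")):
            found = walk(child, path)
            if found:
                return found
        return None
    return walk(root, [])


def effective_contact(root, name):
    """Merge the named Contact's own details with those inherited from
    its ancestors and return them as a plain dict."""
    path = contact_path(root, name)
    if path is None:
        raise KeyError(f"no Contact named {name!r}")
    leaf = path[-1]
    info = {"name": name, "role": leaf.get("role"), "type": leaf.get("type"),
            "depth": len(path) - 1}
    for tag in INHERITED_SINGLE:
        info[tag] = None
        for node in reversed(path):          # leaf first, then ancestors
            el = node.find(q(tag))
            if el is not None:
                info[tag] = (el.text or "").strip()
                break
    for tag in INHERITED_MULTI:
        info[tag] = [(el.text or "").strip()
                     for node in reversed(path)
                     for el in node.findall(q(tag))]
    return info


if __name__ == "__main__":
    for who in ("Example CSIRT", "Alice Analyst"):
        print(effective_contact(parse_sample(), who))
```

Note that `findall` only matches direct children, so a parent's own Email list never picks up the addresses of the Contacts nested under it; inheritance flows downward only, as the text describes.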
3.7.1. RegistryHandle Class 3.9.1. RegistryHandle Class
The RegistryHandle class represents a handle into an Internet The RegistryHandle class represents a handle into an Internet
registry or community-specific database. The handle is specified in registry or community-specific database. The handle is specified in
the element content and the type attribute specifies the database. the element content and the type attribute specifies the database.
+---------------------+ +---------------------+
| RegistryHandle | | RegistryHandle |
+---------------------+ +---------------------+
| STRING | | STRING |
| | | |
| ENUM registry | | ENUM registry |
| STRING ext-registry | | STRING ext-registry |
+---------------------+ +---------------------+
Figure 8: The RegistryHandle Class Figure 10: The RegistryHandle Class
The RegistryHandle class has two attributes: The RegistryHandle class has two attributes:
registry registry
Required. ENUM. The database to which the handle belongs. The Required. ENUM. The database to which the handle belongs. The
possible values are: possible values are:
1. internic. Internet Network Information Center 1. internic. Internet Network Information Center
2. apnic. Asia Pacific Network Information Center 2. apnic. Asia Pacific Network Information Center
3. arin. American Registry for Internet Numbers 3. arin. American Registry for Internet Numbers
4. lacnic. Latin-American and Caribbean IP Address Registry 4. lacnic. Latin-American and Caribbean IP Address Registry
5. ripe. Reseaux IP Europeens 5. ripe. Reseaux IP Europeens
6. afrinic. African Internet Numbers Registry 6. afrinic. African Internet Numbers Registry
skipping to change at page 22, line 50 skipping to change at page 25, line 23
7. local. A database local to the CSIRT 7. local. A database local to the CSIRT
8. ext-value. An escape value used to extend this attribute. 8. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-registry ext-registry
Optional. STRING. A means by which to extend the registry Optional. STRING. A means by which to extend the registry
attribute. See Section 5.1. attribute. See Section 5.1.
3.7.2. PostalAddress Class 3.9.2. PostalAddress Class
The PostalAddress class specifies a postal address formatted The PostalAddress class specifies a postal address formatted
according to the POSTAL data type (Section 2.11). according to the POSTAL data type (Section 2.11).
+---------------------+ +---------------------+
| PostalAddress | | PostalAddress |
+---------------------+ +---------------------+
| POSTAL | | POSTAL |
| | | |
| ENUM meaning | | ENUM meaning |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 9: The PostalAddress Class Figure 11: The PostalAddress Class
The PostalAddress class has two attributes: The PostalAddress class has two attributes:
meaning meaning
Optional. ENUM. A free-form description of the element content. Optional. ENUM. A free-form description of the element content.
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per RFC 4646 [7]
constrained by the definition of "xs:language". The constrained by the definition of "xs:language". The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
3.7.3. Email Class 3.9.3. Email Class
The Email class specifies an email address formatted according to The Email class specifies an email address formatted according to
EMAIL data type (Section 2.14). EMAIL data type (Section 2.14).
+--------------+ +--------------+
| Email | | Email |
+--------------+ +--------------+
| EMAIL | | EMAIL |
| | | |
| ENUM meaning | | ENUM meaning |
+--------------+ +--------------+
Figure 10: The Email Class Figure 12: The Email Class
The Email class has one attribute: The Email class has one attribute:
meaning meaning
Optional. ENUM. A free-form description of the element content. Optional. ENUM. A free-form description of the element content.
3.7.4. Telephone and Fax Classes 3.9.4. Telephone and Fax Classes
The Telephone and Fax classes specify a voice or fax telephone number The Telephone and Fax classes specify a voice or fax telephone number
respectively, and are formatted according to PHONE data type respectively, and are formatted according to PHONE data type
(Section 2.13). (Section 2.13).
+--------------------+ +--------------------+
| {Telephone | Fax } | | {Telephone | Fax } |
+--------------------+ +--------------------+
| PHONE | | PHONE |
| | | |
| ENUM meaning | | ENUM meaning |
+--------------------+ +--------------------+
Figure 11: The Telephone and Fax Classes Figure 13: The Telephone and Fax Classes
The Telephone class has one attribute: The Telephone class has one attribute:
meaning meaning
Optional. ENUM. A free-form description of the element content Optional. ENUM. A free-form description of the element content
(e.g., hours of coverage for a given number). (e.g., hours of coverage for a given number).
3.8. Time Classes 3.10. Time Classes
The data model uses five different classes to represent a timestamp. The data model uses five different classes to represent a timestamp.
Their definition is identical, but each has a distinct name to convey Their definition is identical, but each has a distinct name to convey
a difference in semantics. a difference in semantics.
The element content of each class is a timestamp formatted according The element content of each class is a timestamp formatted according
to the DATETIME data type (see Section 2.8). to the DATETIME data type (see Section 2.8).
+----------------------------------+ +----------------------------------+
| {Start| End| Report| Detect}Time | | {Start| End| Report| Detect}Time |
+----------------------------------+ +----------------------------------+
| DATETIME | | DATETIME |
+----------------------------------+ +----------------------------------+
Figure 12: The Time Classes Figure 14: The Time Classes
3.8.1. StartTime 3.10.1. StartTime
The StartTime class represents the time the incident began. The StartTime class represents the time the incident began.
3.8.2. EndTime 3.10.2. EndTime
The EndTime class represents the time the incident ended. The EndTime class represents the time the incident ended.
3.8.3. DetectTime 3.10.3. DetectTime
The DetectTime class represents the time the first activity of the The DetectTime class represents the time the first activity of the
incident was detected. incident was detected.
3.8.4. ReportTime 3.10.4. ReportTime
The ReportTime class represents the time the incident was reported. The ReportTime class represents the time the incident was reported.
This timestamp MUST be the time at which the IODEF document was This timestamp MUST be the time at which the IODEF document was
generated. generated.
3.8.5. DateTime 3.10.5. DateTime
The DateTime class is a generic representation of a timestamp. Infer The DateTime class is a generic representation of a timestamp. Infer
its semantics from the parent class in which it is aggregated. its semantics from the parent class in which it is aggregated.
3.9. Method Class 3.11. Method Class
The Method class describes the methodology used by the intruder to The Method class describes the methodology used by the intruder to
perpetrate the events of the incident. This class consists of a list perpetrate the events of the incident. This class consists of a list
of references describing the attack method and a free form of references describing the attack method and a free form
description of the technique. description of the technique.
+------------------+ +------------------+
| Method | | Method |
+------------------+ +------------------+
| ENUM restriction |<>--{0..*}--[ Reference ] | ENUM restriction |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 13: The Method Class Figure 15: The Method Class
The Method class is composed of three aggregate classes. The Method class is composed of three aggregate classes.
Reference Reference
Zero or many. A reference to a vulnerability, malware sample, Zero or many. A reference to a vulnerability, malware sample,
advisory, or analysis of an attack technique. advisory, or analysis of an attack technique.
Description Description
Zero or many. ML_STRING. A free-form text description of the Zero or many. ML_STRING. A free-form text description of the
methodology used by the intruder. methodology used by the intruder.
skipping to change at page 26, line 8 skipping to change at page 28, line 26
Zero or many. A mechanism by which to extend the data model. Zero or many. A mechanism by which to extend the data model.
Either an instance of the Reference or Description class MUST be Either an instance of the Reference or Description class MUST be
present. present.
The Method class has one attribute: The Method class has one attribute:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
3.9.1. Reference Class 3.11.1. Reference Class
The Reference class is a reference to a vulnerability, IDS alert, The Reference class is a reference to a vulnerability, IDS alert,
malware sample, advisory, or attack technique. A reference consists malware sample, advisory, or attack technique. A reference consists
of a name, a URL to this reference, and an optional description. of a name, a URL to this reference, and an optional description.
+------------------+ +------------------+
| Reference | | Reference |
+------------------+ +------------------+
| |<>----------[ ReferenceName ] | |<>----------[ ReferenceName ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
+------------------+ +------------------+
Figure 14: The Reference Class Figure 16: The Reference Class
The aggregate classes that constitute Reference: The aggregate classes that constitute Reference:
ReferenceName ReferenceName
One. ML_STRING. Name of the reference. One. ML_STRING. Name of the reference.
URL URL
Zero or many. URL. A URL associated with the reference. Zero or many. URL. A URL associated with the reference.
Description Description
Zero or many. ML_STRING. A free-form text description of this Zero or many. ML_STRING. A free-form text description of this
reference. reference.
The Reference class has 4 attributes. The Reference class has 4 attributes.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group Optional. STRING. The indicator set ID is used to group
releated indicators. related indicators.
attacktype attacktype
Optional. ENUM. A unique identifier for an Indicator. Optional. ENUM. A unique identifier for an Indicator.
ext-attacktype ext-attacktype
Optional. STRING. A mechanism by which to extend the Optional. STRING. A mechanism by which to extend the
Attack Type. Attack Type.
3.10. Assessment Class 3.12. Assessment Class
The Assessment class describes the technical and non-technical The Assessment class describes the technical and non-technical
repercussions of the incident on the CSIRT's constituency. repercussions of the incident on the CSIRT's constituency.
This class was derived from the IDMEF[17]. This class was derived from the IDMEF[17].
+------------------+ +------------------+
| Assessment | | Assessment |
+------------------+ +------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ] | ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ TimeImpact ] | ENUM restriction |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ] | |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 15: Assessment Class Figure 17: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
Impact Impact
Zero or many. Technical impact of the incident on a network. Zero or many. Technical impact of the incident on a network.
TimeImpact TimeImpact
Zero or many. Impact of the activity measured with respect to Zero or many. Impact of the activity measured with respect to
time. time.
skipping to change at page 28, line 24 skipping to change at page 30, line 39
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.10.1. Impact Class 3.12.1. Impact Class
The Impact class allows for categorizing and describing the technical The Impact class allows for categorizing and describing the technical
impact of the incident on the network of an organization. impact of the incident on the network of an organization.
This class is based on the IDMEF [17]. This class is based on the IDMEF [17].
+------------------+ +------------------+
| Impact | | Impact |
+------------------+ +------------------+
| ML_STRING | | ML_STRING |
| | | |
| ENUM lang | | ENUM lang |
| ENUM severity | | ENUM severity |
| ENUM completion | | ENUM completion |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
+------------------+ +------------------+
Figure 16: Impact Class Figure 18: Impact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact. impact.
The Impact class has five attributes: The Impact class has five attributes:
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per RFC 4646 [7]
constrained by the definition of "xs:language". The constrained by the definition of "xs:language". The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
skipping to change at page 30, line 16 skipping to change at page 32, line 31
10. unknown. The classification of this activity is unknown. 10. unknown. The classification of this activity is unknown.
11. ext-value. An escape value used to extend this attribute. 11. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
3.10.2. TimeImpact Class 3.12.2. TimeImpact Class
The TimeImpact class describes the impact of the incident on an The TimeImpact class describes the impact of the incident on an
organization as a function of time. It provides a way to convey down organization as a function of time. It provides a way to convey down
time and recovery time. time and recovery time.
+---------------------+ +---------------------+
| TimeImpact | | TimeImpact |
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| ENUM metric | | ENUM metric |
| STRING ext-metric | | STRING ext-metric |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 17: TimeImpact Class Figure 19: TimeImpact Class
The element content is a positive, floating point (REAL) number The element content is a positive, floating point (REAL) number
specifying a unit of time. The duration and metric attributes will specifying a unit of time. The duration and metric attributes will
imply the semantics of the element content. imply the semantics of the element content.
The TimeImpact class has five attributes: The TimeImpact class has five attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
skipping to change at page 32, line 5 skipping to change at page 34, line 22
7. year. The unit of the element content is years. 7. year. The unit of the element content is years.
8. ext-value. An escape value used to extend this attribute. 8. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.10.3. MonetaryImpact Class 3.12.3. MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the The MonetaryImpact class describes the financial impact of the
activity on an organization. For example, this impact may consider activity on an organization. For example, this impact may consider
losses due to the cost of the investigation or recovery, diminished losses due to the cost of the investigation or recovery, diminished
productivity of the staff, or a tarnished reputation that will affect productivity of the staff, or a tarnished reputation that will affect
future opportunities. future opportunities.
+------------------+ +------------------+
| MonetaryImpact | | MonetaryImpact |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| STRING currency | | STRING currency |
+------------------+ +------------------+
Figure 18: MonetaryImpact Class Figure 20: MonetaryImpact Class
The element content is a positive, floating point number (REAL) The element content is a positive, floating point number (REAL)
specifying a unit of currency described in the currency attribute. specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes: The MonetaryImpact class has two attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
skipping to change at page 32, line 46 skipping to change at page 35, line 14
2. medium. Medium severity 2. medium. Medium severity
3. high. High severity 3. high. High severity
currency currency
Optional. STRING. Defines the currency in which the monetary Optional. STRING. Defines the currency in which the monetary
impact is expressed. The permitted values are defined in ISO impact is expressed. The permitted values are defined in ISO
4217:2001, Codes for the representation of currencies and funds 4217:2001, Codes for the representation of currencies and funds
[14]. There is no default value. [14]. There is no default value.
3.10.4. Confidence Class 3.12.4. Confidence Class
The Confidence class represents a best estimate of the validity and The Confidence class represents a best estimate of the validity and
accuracy of the described impact (see Section 3.10) of the incident accuracy of the described impact (see Section 3.12) of the incident
activity. This estimate can be expressed as a category or a numeric activity. This estimate can be expressed as a category or a numeric
calculation. calculation.
This class is based upon the IDMEF [17]. This class is based upon the IDMEF [17].
+------------------+ +------------------+
| Confidence | | Confidence |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM rating | | ENUM rating |
+------------------+ +------------------+
Figure 19: Confidence Class Figure 21: Confidence Class
The element content expresses a numerical assessment in the The element content expresses a numerical assessment in the
confidence of the data when the value of the rating attribute is confidence of the data when the value of the rating attribute is
"numeric". Otherwise, this element MUST be empty. "numeric". Otherwise, this element MUST be empty.
The Confidence class has one attribute. The Confidence class has one attribute.
rating rating
Required. ENUM. A rating of the analytical validity of the Required. ENUM. A rating of the analytical validity of the
specified Assessment. The permitted values are shown below. specified Assessment. The permitted values are shown below.
skipping to change at page 33, line 40 skipping to change at page 36, line 11
2. medium. Medium confidence in the validity. 2. medium. Medium confidence in the validity.
3. high. High confidence in the validity. 3. high. High confidence in the validity.
4. numeric. The element content contains a number that conveys 4. numeric. The element content contains a number that conveys
the confidence of the data. The semantics of this number the confidence of the data. The semantics of this number
are outside the scope of this specification. are outside the scope of this specification.
5. unknown. The confidence rating value is not known. 5. unknown. The confidence rating value is not known.
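Several of the rules in the Method and Assessment descriptions above are stated only in prose and are not expressible as plain element cardinalities: a Method needs a Reference or a Description, a Reference carries exactly one ReferenceName, TimeImpact and MonetaryImpact content is a positive REAL, and Confidence content is present only when rating is "numeric" and MUST otherwise be empty. The following is an added example (not code from the draft or any IODEF implementation) that checks those rules over constructed documents; the namespace string is an assumption and the two sample fragments are constructed.

```python
"""Check prose-only constraints on IODEF Method and Assessment content.

Constructed example: the namespace is assumed and both sample documents
are made up to exercise the rules; none of this is the draft's own code.
"""
import xml.etree.ElementTree as ET

# Assumption: namespace used by later IODEF v2 versions.
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(tag):
    """Clark-notation name for an IODEF element."""
    return f"{{{NS}}}{tag}"


def _text(el):
    return (el.text or "").strip()


def _is_real(s):
    try:
        float(s)
        return True
    except ValueError:
        return False


def check_method(method):
    """Method MUST carry a Reference or a Description; each Reference
    carries exactly one ReferenceName."""
    problems = []
    if method.find(q("Reference")) is None and method.find(q("Description")) is None:
        problems.append("Method: a Reference or Description MUST be present")
    for ref in method.findall(q("Reference")):
        if len(ref.findall(q("ReferenceName"))) != 1:
            problems.append("Reference: exactly one ReferenceName is required")
    return problems


def check_assessment(assessment):
    """TimeImpact/MonetaryImpact content is a positive REAL; Confidence
    content is numeric when rating="numeric" and empty otherwise."""
    problems = []
    for tag in ("TimeImpact", "MonetaryImpact"):
        for el in assessment.findall(q(tag)):
            content = _text(el)
            if not (_is_real(content) and float(content) > 0):
                problems.append(f"{tag}: content must be a positive REAL")
    for conf in assessment.findall(q("Confidence")):
        content = _text(conf)
        if conf.get("rating") == "numeric":
            if not _is_real(content):
                problems.append("Confidence: rating=numeric needs numeric content")
        elif content:
            problems.append("Confidence: content MUST be empty unless rating=numeric")
    return problems


def check_document(xml_text):
    """Run both checks over every Method and Assessment in a document."""
    root = ET.fromstring(xml_text)
    problems = []
    for m in root.iter(q("Method")):
        problems += check_method(m)
    for a in root.iter(q("Assessment")):
        problems += check_assessment(a)
    return problems


# Constructed sample that satisfies every rule.
GOOD_SAMPLE = f"""<EventData xmlns="{NS}">
  <Method>
    <Reference>
      <ReferenceName>Vendor advisory (constructed)</ReferenceName>
      <URL>https://example.org/advisory</URL>
    </Reference>
  </Method>
  <Assessment>
    <TimeImpact metric="downtime" duration="hour" severity="medium">4</TimeImpact>
    <MonetaryImpact currency="USD" severity="low">1500.00</MonetaryImpact>
    <Confidence rating="numeric">0.8</Confidence>
  </Assessment>
</EventData>"""

# Constructed sample that breaks three rules.
BAD_SAMPLE = f"""<EventData xmlns="{NS}">
  <Method>
    <AdditionalData dtype="string">no reference or description</AdditionalData>
  </Method>
  <Assessment>
    <TimeImpact metric="downtime" duration="hour">-4</TimeImpact>
    <Confidence rating="high">0.8</Confidence>
  </Assessment>
</EventData>"""


if __name__ == "__main__":
    print("good:", check_document(GOOD_SAMPLE))
    print("bad:", check_document(BAD_SAMPLE))
```

Schema validation alone would accept the second document apart from the empty Method, so a receiver that relies on these fields for triage (downtime, confidence) should apply checks like these before trusting the values.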
3.11. History Class 3.13. History Class
The History class is a log of the significant events or actions The History class is a log of the significant events or actions
performed by the involved parties during the course of handling the performed by the involved parties during the course of handling the
incident. incident.
The level of detail maintained in this log is left up to the The level of detail maintained in this log is left up to the
discretion of those handling the incident. discretion of those handling the incident.
+------------------+ +------------------+
| History | | History |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ HistoryItem ] | ENUM restriction |<>--{1..*}--[ HistoryItem ]
| | | |
+------------------+ +------------------+
Figure 20: The History Class Figure 22: The History Class
The class that constitutes History is: The class that constitutes History is:
HistoryItem HistoryItem
One or many. Entry in the history log of significant events or One or many. Entry in the history log of significant events or
actions performed by the involved parties. actions performed by the involved parties.
The History class has one attribute: The History class has one attribute:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
3.11.1. HistoryItem Class 3.13.1. HistoryItem Class
The HistoryItem class is an entry in the History (Section 3.11) log The HistoryItem class is an entry in the History (Section 3.13) log
that documents a particular action or event that occurred in the that documents a particular action or event that occurred in the
course of handling the incident. The details of the entry are a course of handling the incident. The details of the entry are a
free-form description, but each can be categorized with the type free-form description, but each can be categorized with the type
attribute. attribute.
+-------------------+ +-------------------+
| HistoryItem | | HistoryItem |
+-------------------+ +-------------------+
| ENUM restriction |<>----------[ DateTime ] | ENUM restriction |<>----------[ DateTime ]
| ENUM action |<>--{0..1}--[ IncidentId ] | ENUM action |<>--{0..1}--[ IncidentId ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ Contact ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 21: HistoryItem Class Figure 23: HistoryItem Class
The aggregate classes that constitute HistoryItem are: The aggregate classes that constitute HistoryItem are:
DateTime DateTime
One. Timestamp of this entry in the history log (e.g., when the One. Timestamp of this entry in the history log (e.g., when the
action described in the Description was taken). action described in the Description was taken).
IncidentID IncidentID
Zero or One. In a history log created by multiple parties, the Zero or One. In a history log created by multiple parties, the
IncidentID provides a mechanism to specify which CSIRT created a IncidentID provides a mechanism to specify which CSIRT created a
skipping to change at page 35, line 30 skipping to change at page 37, line 48
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
action action
Required. ENUM. Classifies a performed action or occurrence Required. ENUM. Classifies a performed action or occurrence
documented in this history log entry. As activity will likely documented in this history log entry. As activity will likely
have been instigated either through a previously conveyed have been instigated either through a previously conveyed
expectation or internal investigation, this attribute is identical expectation or internal investigation, this attribute is identical
to the category attribute of the Expectation class. The to the category attribute of the Expectation class. The
difference is only one of tense. When an action is in this class, difference is only one of tense. When an action is in this class,
it has been completed. See Section 3.13. it has been completed. See Section 3.15.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.12. EventData Class 3.14. EventData Class
The EventData class describes a particular event of the incident for The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered. activity on the organization, and any forensic evidence discovered.
+------------------+ +------------------+
| EventData | | EventData |
+------------------+ +------------------+
skipping to change at page 36, line 22 skipping to change at page 38, line 39
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ] | |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ] | |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 22: The EventData Class Figure 24: The EventData Class
The aggregate classes that constitute EventData are: The aggregate classes that constitute EventData are:
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
event. event.
DetectTime DetectTime
Zero or one. The time the event was detected. Zero or one. The time the event was detected.
skipping to change at page 37, line 39 skipping to change at page 40, line 7
The EventData class has two attributes: The EventData class has two attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.12.1. Relating the Incident and EventData Classes 3.14.1. Relating the Incident and EventData Classes
There is substantial overlap in the Incident and EventData classes. There is substantial overlap in the Incident and EventData classes.
Nevertheless, the semantics of these classes are quite different. Nevertheless, the semantics of these classes are quite different.
The Incident class provides summary information about the entire The Incident class provides summary information about the entire
incident, while the EventData class provides information about the incident, while the EventData class provides information about the
individual events comprising the incident. In the most common case, individual events comprising the incident. In the most common case,
the EventData class will provide more specific information for the the EventData class will provide more specific information for the
general description provided in the Incident class. However, it may general description provided in the Incident class. However, it may
also be possible that the overall summarized information about the also be possible that the overall summarized information about the
incident conflicts with some individual information in an EventData incident conflicts with some individual information in an EventData
class when there is a substantial composition of various events in class when there is a substantial composition of various events in
the incident. In such a case, the interpretation of the more the incident. In such a case, the interpretation of the more
specific EventData MUST supersede the more generic information specific EventData MUST supersede the more generic information
provided in IncidentData. provided in IncidentData.
3.12.2. Cardinality of EventData 3.14.2. Cardinality of EventData
The EventData class can be thought of as a container for the The EventData class can be thought of as a container for the
properties of an event in an incident. These properties include: the properties of an event in an incident. These properties include: the
hosts involved, impact of the incident activity on the hosts, hosts involved, impact of the incident activity on the hosts,
forensic logs, etc. With an instance of the EventData class, hosts forensic logs, etc. With an instance of the EventData class, hosts
(i.e., System class) are grouped around these common properties. (i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the The recursive definition (or instance property inheritance) of the
EventData class (the EventData class is aggregated into the EventData EventData class (the EventData class is aggregated into the EventData
class) provides a way to related information without requiring the class) provides a way to related information without requiring the
explicit use of unique attribute identifiers in the classes or explicit use of unique attribute identifiers in the classes or
duplicating information. Instead, the relative depth (nesting) of a duplicating information. Instead, the relative depth (nesting) of a
class is used to group (relate) information. class is used to group (relate) information.
For example, an EventData class might be used to describe two For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can different. A depiction of the representation for this situation can
be found in Figure 23. be found in Figure 25.
+------------------+ +------------------+
| EventData | | EventData |
+------------------+ +------------------+
| |<>----[ Contact ] | |<>----[ Contact ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
+------------------+ +------------------+
Figure 23: Recursion in the EventData Class
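To make the nesting rule concrete, here is an added Python example (not part of the draft) that parses a constructed fragment shaped like Figure 25 and resolves, for each System, the Contact and Assessment it inherits from the enclosing EventData instances, with the nearest (most specific) EventData winning as the text requires. Element and attribute names follow the classes on this page; the namespace is omitted, a third nested EventData with its own Contact is added to show the override, and all values are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed IODEF-style fragment (no namespace, illustrative values only).
# It mirrors Figure 25: the outer EventData carries the Contact shared by all
# machines; each nested EventData carries its own Flow/System and Assessment.
# The third nested EventData overrides the Contact to show that the nearest
# (most specific) EventData takes precedence over the outer one.
SAMPLE_EVENTDATA = """\
<EventData>
  <Contact role="tech" type="organization">
    <ContactName>Example SOC</ContactName>
  </Contact>
  <EventData>
    <Flow>
      <System category="target">
        <Node><NodeName>host-a.example.com</NodeName></Node>
      </System>
    </Flow>
    <Assessment><Impact severity="high" completion="succeeded" type="admin"/></Assessment>
  </EventData>
  <EventData>
    <Flow>
      <System category="target">
        <Node><NodeName>host-b.example.com</NodeName></Node>
      </System>
    </Flow>
    <Assessment><Impact severity="low" completion="failed" type="recon"/></Assessment>
  </EventData>
  <EventData>
    <Contact role="tech" type="organization">
      <ContactName>Partner CSIRT</ContactName>
    </Contact>
    <Flow>
      <System category="source">
        <Node><Address category="ipv4-addr">192.0.2.7</Address></Node>
      </System>
    </Flow>
  </EventData>
</EventData>
"""


def _system_label(system):
    """Name a System by its NodeName, falling back to its first Address."""
    name = system.findtext("Node/NodeName")
    if name is None:
        name = system.findtext("Node/Address")
    return name if name is not None else "<unnamed>"


def resolve_event_properties(xml_text):
    """Return {system label: {"contact", "severity", "depth"}} for every System.

    Walk from each System up through the enclosing EventData elements.  The
    first EventData (nearest to the System) that carries a Contact or an
    Assessment supplies that property, so the more specific EventData
    supersedes the more generic information in outer EventData instances.
    "depth" counts how many EventData instances enclose the System.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once up front.
    parent = {child: elem for elem in root.iter() for child in elem}
    resolved = {}
    for system in root.iter("System"):
        contact = severity = None
        depth = 0
        elem = parent.get(system)
        while elem is not None:
            if elem.tag == "EventData":
                depth += 1
                if contact is None:
                    contact = elem.findtext("Contact/ContactName")
                if severity is None:
                    impact = elem.find("Assessment/Impact")
                    if impact is not None:
                        severity = impact.get("severity")
            elem = parent.get(elem)
        resolved[_system_label(system)] = {
            "contact": contact, "severity": severity, "depth": depth}
    return resolved


if __name__ == "__main__":
    for label, props in resolve_event_properties(SAMPLE_EVENTDATA).items():
        print(label, props)
```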
3.13. Expectation Class Figure 25: Recursion in the EventData Class
3.15. Expectation Class
The Expectation class conveys to the recipient of the IODEF document The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested the actions the sender is requesting. The scope of the requested
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------+ +-------------------+
| Expectation | | Expectation |
+-------------------+ +-------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..1}--[ StartTime ] | ENUM severity |<>--{0..1}--[ StartTime ]
| ENUM action |<>--{0..1}--[ EndTime ] | ENUM action |<>--{0..1}--[ EndTime ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ Contact ]
+-------------------+ +-------------------+
Figure 24: The Expectation Class Figure 26: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes that constitute Expectation are:
Description Description
Zero or many. ML_STRING. A free-form description of the desired Zero or many. ML_STRING. A free-form description of the desired
action(s). action(s).
StartTime StartTime
Zero or one. The time at which the sender would like the action Zero or one. The time at which the sender would like the action
performed. A timestamp that is earlier than the ReportTime performed. A timestamp that is earlier than the ReportTime
skipping to change at page 41, line 34 skipping to change at page 43, line 40
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.14. Flow Class 3.16. Flow Class
The Flow class groups related the source and target hosts. The Flow class groups related the source and target hosts.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
Figure 25: The Flow Class Figure 27: The Flow Class
The aggregate class that constitutes Flow is: The aggregate class that constitutes Flow is:
System System
One or More. A host or network involved in an event. One or More. A host or network involved in an event.
The Flow System class has no attributes. The Flow System class has no attributes.
3.15. System Class 3.17. System Class
The System class describes a system or network involved in an event. The System class describes a system or network involved in an event.
The systems or networks represented by this class are categorized The systems or networks represented by this class are categorized
according to the role they played in the incident through the according to the role they played in the incident through the
category attribute. The value of this category attribute dictates category attribute. The value of this category attribute dictates
the semantics of the aggregated classes in the System class. If the the semantics of the aggregated classes in the System class. If the
category attribute has a value of "source", then the aggregated category attribute has a value of "source", then the aggregated
classes denote the machine and service from which the activity is classes denote the machine and service from which the activity is
originating. With a category attribute value of "target" or originating. With a category attribute value of "target" or
"intermediary", then the machine or service is the one targeted in "intermediary", then the machine or service is the one targeted in
the activity. A value of "sensor" dictates that this System was part the activity. A value of "sensor" dictates that this System was part
of an instrumentation to monitor the network. of an instrumentation to monitor the network.
+---------------------+ +---------------------+
| System | | System |
+---------------------+ +---------------------+
| ENUM restriction |<>----------[ Node ] | ENUM restriction |<>----------[ Node ]
| ENUM category |<>--{0..*}--[ Service ] | ENUM category |<>--{0..*}--[ Service ]
| STRING ext-category |<>--{0..*}--[ OperatingSystem ] | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
| STRING interface |<>--{0..*}--[ Counter ] | STRING interface |<>--{0..*}--[ Counter ]
| ENUM spoofed |<>--{0..*}--[ Description ] | ENUM spoofed |<>--{0..*}--[ AssetID ]
| |<>--{0..*}--[ AdditionalData ] | ENUM virtual |<>--{0..*}--[ Description ]
| ENUM ownership |<>--{0..*}--[ AdditionalData ]
| ENUM ext-ownership |
+---------------------+ +---------------------+
Figure 26: The System Class Figure 28: The System Class
The aggregate classes that constitute System are: The aggregate classes that constitute System are:
Node Node
One. A host or network involved in the incident. One. A host or network involved in the incident.
Service Service
Zero or more. A network service running on the system. Zero or more. A network service running on the system.
OperatingSystem OperatingSystem
Zero or more. The operating system running on the system. Zero or more. The operating system running on the system.
Counter Counter
Zero or more. A counter with which to summarize properties of Zero or more. A counter with which to summarize properties of
this host or network. this host or network.
AssetID
Zero or more. An asset identifier for the System.
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
System. System.
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
The System class has six attributes: The System class has eight attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
category category
Optional. ENUM. Classifies the role the host or network played Optional. ENUM. Classifies the role the host or network played
in the incident. The possible values are: in the incident. The possible values are:
1. source. The System was the source of the event. 1. source. The System was the source of the event.
skipping to change at page 44, line 11 skipping to change at page 46, line 23
1. unknown. The accuracy of the category attribute value is 1. unknown. The accuracy of the category attribute value is
unknown. unknown.
2. yes. The category attribute value is probably incorrect. In 2. yes. The category attribute value is probably incorrect. In
the case of a source, the System is likely a decoy; with a the case of a source, the System is likely a decoy; with a
target, the System was likely not the intended victim. target, the System was likely not the intended victim.
3. no. The category attribute value is believed to be correct. 3. no. The category attribute value is believed to be correct.
3.16. Node Class virtual
Optional. ENUM. Indicates whether this System is a virtual or
physical device. The default value is "no". The possible values
are:
The Node class names a system (e.g., PC, router) or network. 1. yes. The System is a virtual device.
2. no. The System is a physical device.
ownership
Optional. ENUM. Describes the ownership of this System relative
to the sender of the IODEF document. The possible values are:
1. organization. The System is owned by the organization.
2. personal. The System is owned by employee or affiliate of the
organization.
3. partner. The System is owned by a partner of the
organization.
4. customer. The System is owned by a customer of the
organization.
5. no-relationship. The System is owned by an entity that has no
known relationship with the organization.
6. unknown. The ownership of the System is unknown.
7. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-ownership
Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1.
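Review bot: Figure 28 (the System class diagram) lists the new attribute as "ENUM ext-ownership", but the attribute description below says "Optional. STRING.", and every other ext-* attribute in this document (ext-category, ext-type, ext-action) is a STRING; change the figure entry to "STRING ext-ownership" so the diagram and the schema agree. Minor wording in the same region: "owned by employee or affiliate" should read "owned by an employee or affiliate".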
3.18. Node Class
The Node class names an asset or network.
This class was derived from the IDMEF [17]. This class was derived from the IDMEF [17].
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ NodeName ] | |<>--{0..*}--[ NodeName ]
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ] | |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ Location ] | |<>--{0..1}--[ Location ]
| |<>--{0..1}--[ DateTime ] | |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ NodeRole ] | |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
+---------------+ +---------------+
Figure 27: The Node Class Figure 29: The Node Class
The aggregate classes that constitute Node are: The aggregate classes that constitute Node are:
NodeName NodeName
Zero or more. ML_STRING. The name of the Node (e.g., fully Zero or more. ML_STRING. The name of the Node (e.g., fully
qualified domain name). This information MUST be provided if no qualified domain name). This information MUST be provided if no
Address information is given. Address information is given.
DomainData DomainData
Zero or more. The DomainData Class and Subclasses from RFC 5901. Zero or more. The DomainData Class and Subclasses from RFC 5901.
skipping to change at page 45, line 15 skipping to change at page 48, line 15
and address was performed. This information MAY be provided if and address was performed. This information MAY be provided if
both an Address and NodeName are specified. both an Address and NodeName are specified.
NodeRole NodeRole
Zero or more. The intended purpose of the Node. Zero or more. The intended purpose of the Node.
Counter Counter
Zero or more. A counter with which to summarizes properties of Zero or more. A counter with which to summarizes properties of
this host or network. this host or network.
3.16.1. Counter Class 3.18.1. Counter Class
The Counter class summarize multiple occurrences of some event, or The Counter class summarize multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions, conveys counts or rates on various features (e.g., packets, sessions,
events). events).
The value of the counter is the element content with its units The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics expressed by setting the duration attribute. The complete semantics
are entirely context dependant based on the class in which the are entirely context dependant based on the class in which the
Counter is aggregated. Counter is aggregated.
skipping to change at page 45, line 39 skipping to change at page 48, line 39
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 28: The Counter Class Figure 30: The Counter Class
The Counter class has three attribute: The Counter class has three attribute:
type type
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes. 1. byte. Count of bytes.
2. packet. Count of packets. 2. packet. Count of packets.
skipping to change at page 46, line 32 skipping to change at page 49, line 32
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
duration duration
Optional. ENUM. If present, the Counter class represents a rate Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type attribute specifies the denominator of the rate (where the type
attribute specified the nominator). The possible values of this attribute specified the nominator). The possible values of this
attribute are defined in Section 3.10.2 attribute are defined in Section 3.12.2
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.16.2. Address Class 3.18.2. Address Class
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address. or application (layer-7) address.
This class was derived from the IDMEF [17]. This class was derived from the IDMEF [17].
+---------------------+ +---------------------+
| Address | | Address |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
+---------------------+ +---------------------+
Figure 29: The Address Class Figure 31: The Address Class
The Address class has five attributes: The Address class has five attributes:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". "ipv4-addr".
1. asn. Autonomous System Number 1. asn. Autonomous System Number
skipping to change at page 48, line 10 skipping to change at page 51, line 10
Optional. STRING. The name of the Virtual LAN to which the Optional. STRING. The name of the Virtual LAN to which the
address belongs. address belongs.
vlan-num vlan-num
Optional. STRING. The number of the Virtual LAN to which the Optional. STRING. The number of the Virtual LAN to which the
address belongs. address belongs.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
3.16.3. NodeRole Class 3.18.3. NodeRole Class
The NodeRole class describes the intended function performed by a The NodeRole class describes the intended function performed by a
particular host. particular host.
+---------------------+ +---------------------+
| NodeRole | | NodeRole |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 30: The NodeRole Class Figure 32: The NodeRole Class
The NodeRole class has three attributes: The NodeRole class has three attributes:
category category
Required. ENUM. Functionality provided by a node. Required. ENUM. Functionality provided by a node.
1. client. Client computer 1. client. Client computer
2. client-enterprise. Client computer on the enterprise network 2. client-enterprise. Client computer on the enterprise network
skipping to change at page 49, line 45 skipping to change at page 52, line 45
27. infra-router. Router 27. infra-router. Router
28. infra-switch. Switch 28. infra-switch. Switch
29. camera. Camera server 29. camera. Camera server
30. proxy. Proxy server 30. proxy. Proxy server
31. remote-access. Remote access server 31. remote-access. Remote access server
32. log. Logserver (e.g., syslog) 32. log. Log server (e.g., syslog)
33. virtualization. Server running virtual machines 33. virtualization. Server running virtual machines
34. pos. Point-of-sale device 34. pos. Point-of-sale device
35. scada. Supervisory control and data acquisition system 35. scada. Supervisory control and data acquisition system
36. scada-supervisory. Supervisory system for a SCADA 36. scada-supervisory. Supervisory system for a SCADA
37. ext-value. An escape value used to extend this attribute. 37. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per RFC 4646 [7]
constrained by the definition of "xs:language". The constrained by the definition of "xs:language". The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
3.17. Service Class 3.19. Service Class
The Service class describes a network service of a host or network. The Service class describes a network service of a host or network.
The service is identified by specific port or list of ports, along The service is identified by specific port or list of ports, along
with the application listening on that port. with the application listening on that port.
When Service occurs as an aggregate class of a System that is a When Service occurs as an aggregate class of a System that is a
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
skipping to change at page 50, line 43 skipping to change at page 53, line 43
| Service | | Service |
+---------------------+ +---------------------+
| INTEGER ip_protocol |<>--{0..1}--[ Port ] | INTEGER ip_protocol |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ] | |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+---------------------+ +---------------------+
Figure 31: The Service Class Figure 33: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
skipping to change at page 51, line 50 skipping to change at page 54, line 50
ip_protocol ip_protocol
Required. INTEGER. The IANA protocol number. Required. INTEGER. The IANA protocol number.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.17.1. Application Class 3.19.1. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
| STRING configid | | STRING configid |
| STRING vendor | | STRING vendor |
| STRING family | | STRING family |
| STRING name | | STRING name |
| STRING version | | STRING version |
| STRING patch | | STRING patch |
+--------------------+ +--------------------+
Figure 32: The Application Class Figure 34: The Application Class
The aggregate class that constitute Application is: The aggregate class that constitute Application is:
URL URL
Zero or one. URL. A URL describing the application. Zero or one. URL. A URL describing the application.
The Application class has seven attributes: The Application class has seven attributes:
swid swid
Optional. STRING. An identifier that can be used to reference Optional. STRING. An identifier that can be used to reference
skipping to change at page 53, line 5 skipping to change at page 56, line 5
name name
Optional. STRING. Name of the software. Optional. STRING. Name of the software.
version version
Optional. STRING. Version of the software. Optional. STRING. Version of the software.
patch patch
Optional. STRING. Patch or service pack level of the software. Optional. STRING. Patch or service pack level of the software.
3.18. OperatingSystem Class 3.20. OperatingSystem Class
The OperatingSystem class describes the operating system running on a The OperatingSystem class describes the operating system running on a
System. The definition is identical to the Application class System. The definition is identical to the Application class
(Section 3.17.1). (Section 3.19.1).
3.19. Record Class 3.21. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------+ +------------------+
| Record | | Record |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
+------------------+ +------------------+
Figure 33: Record Class Figure 35: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has one attribute: The Record class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.19.1. RecordData Class 3.21.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+------------------+ +------------------+
| RecordData | | RecordData |
+------------------+ +------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashInformation ] | |<>--{0..1}--[ HashInformation ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 34: The RecordData Class Figure 36: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
skipping to change at page 55, line 5 skipping to change at page 58, line 5
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.19.2. RecordPattern Class 3.21.2. RecordPattern Class
The RecordPattern class describes where in the content of the The RecordPattern class describes where in the content of the
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 35: The RecordPattern Class Figure 37: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by four attributes: the body of the element. It is further annotated by four attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex".
1. regex. regular expression, per Appendix F of [3]. 1. regex. regular expression, per Appendix F of [3].
skipping to change at page 56, line 24 skipping to change at page 59, line 24
See Section 5.1. See Section 5.1.
ext-offsetunit ext-offsetunit
Optional. STRING. A means by which to extend the offsetunit Optional. STRING. A means by which to extend the offsetunit
attribute. See Section 5.1. attribute. See Section 5.1.
instance instance
Optional. INTEGER. Number of types to apply the specified Optional. INTEGER. Number of types to apply the specified
pattern. pattern.
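As an added illustration (not from the draft), the Python below applies a RecordPattern of type "regex" to constructed RecordItem log text, honouring offset, offsetunit and instance under the reading of those attributes stated in the docstring. The log lines, the function name and the "line"/"binary" offset units it accepts are assumptions of this example.

```python
import re

# Constructed RecordItem content: firewall-style log lines using RFC 5737
# documentation addresses; not real data.
SAMPLE_RECORDITEM = """\
2013-10-20T10:00:01Z fw01 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=22
2013-10-20T10:00:02Z fw01 ACCEPT src=192.0.2.11 dst=198.51.100.5 proto=tcp dport=443
2013-10-20T10:00:03Z fw01 DROP src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=23
2013-10-20T10:00:04Z fw01 DROP src=192.0.2.12 dst=198.51.100.5 proto=udp dport=53
"""


def apply_record_pattern(record_item, pattern, type_="regex", offset=0,
                         offsetunit="line", instance=None):
    """Apply a RecordPattern to RecordItem text and return the matched regions.

    Assumed semantics (this example's reading of the attributes on this page):
      type       - only "regex" is handled here; other values are rejected.
      offset     - number of offsetunit units to skip before searching.
      offsetunit - "line" skips whole lines; "binary" skips characters, which
                   equals a byte offset only for ASCII-only content.
      instance   - maximum number of matches to report; None means all.
    Each match is reported as {"offset": character offset into record_item,
    "line": 1-based line number, "match": matched text}.
    """
    if type_ != "regex":
        raise ValueError("unsupported RecordPattern type: %r" % type_)
    if offset < 0:
        raise ValueError("offset must be non-negative")
    if offsetunit == "line":
        lines = record_item.splitlines(keepends=True)
        start = sum(len(line) for line in lines[:offset])
    elif offsetunit == "binary":
        start = min(offset, len(record_item))
    else:
        raise ValueError("unsupported offsetunit: %r" % offsetunit)
    if instance is not None and instance <= 0:
        return []
    compiled = re.compile(pattern)
    found = []
    # Search from the absolute position so reported offsets stay absolute.
    for m in compiled.finditer(record_item, start):
        pos = m.start()
        found.append({
            "offset": pos,
            "line": record_item.count("\n", 0, pos) + 1,
            "match": m.group(0),
        })
        if instance is not None and len(found) >= instance:
            break
    return found


if __name__ == "__main__":
    # Skip the first log line, then report at most two DROP events.
    for hit in apply_record_pattern(SAMPLE_RECORDITEM, r"DROP src=(\S+)",
                                    offset=1, offsetunit="line", instance=2):
        print(hit)
```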
3.19.3. RecordItem Class 3.21.3. RecordItem Class
The RecordItem class provides a way to incorporate relevant logs, The RecordItem class provides a way to incorporate relevant logs,
audit trails, or forensic data to support the conclusions made during audit trails, or forensic data to support the conclusions made during
the course of analyzing the incident. The class supports both the the course of analyzing the incident. The class supports both the
direct encapsulation of the data, as well as, provides primitives to direct encapsulation of the data, as well as, provides primitives to
reference data stored elsewhere. reference data stored elsewhere.
This class is identical to AdditionalData class (Section 3.6). This class is identical to AdditionalData class (Section 3.8).
3.20. RegistryKeyModified Class 3.22. RegistryKeyModified Class
The Registry Key Modified class represents operating system registry The Registry Key Modified class represents operating system registry
keys that have been modified as part and may constitue an indicator keys that have been modified as part and may constitue an indicator
of compromise. of compromise.
+-----------------------+ +-----------------------+
| RegistryKeyModified | | RegistryKeyModified |
+-----------------------+ +-----------------------+
| |<>----------[ Key ] | |<>----------[ Key ]
+-----------------------+ +-----------------------+
Figure 36: The RegistryKeyModified Class Figure 38: The RegistryKeyModified Class
The aggregate class that constitutes the Registry Key Modified class The aggregate class that constitutes the Registry Key Modified class
is: is:
Key Key
One. The Window Registry Key. One. The Window Registry Key.
3.20.1. Key Class 3.22.1. Key Class
The Key class shows name and value pairs representing an operating The Key class shows name and value pairs representing an operating
system registry key and its value. The key and value are encoded as system registry key and its value. The key and value are encoded as
in Microsoft .reg files. in Microsoft .reg files.
+--------------------------+ +--------------------------+
| Key | | Key |
+--------------------------+ +--------------------------+
| ENUM regsitryaction |<>--{0..*}--[ KeyName ] | ENUM regsitryaction |<>--{0..*}--[ KeyName ]
| STRING ext-category |<>--{0..*}--[ Value ] | STRING ext-category |<>--{0..*}--[ Value ]
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| STRING indicator-uid | | STRING indicator-uid |
| STRING inidicator-set-id | | STRING inidicator-set-id |
+--------------------------+ +--------------------------+
Figure 37: The Registry Key Modified Class Figure 39: The Registry Key Modified Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
Zero or more. The name of the registry key. Zero or more. The name of the registry key.
Value Value
Zero or more. The value of the registry key. Zero or more. The value of the registry key.
The Key class has six attributes: The Key class has six attributes:
skipping to change at page 58, line 17 skipping to change at page 61, line 17
1. watchlist. Registry key information that is provided in a 1. watchlist. Registry key information that is provided in a
watchlist. watchlist.
2. ext-value. Registry key information from an external source. 2. ext-value. Registry key information from an external source.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group relfated Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.21. HashInformation Class 3.23. HashInformation Class
This class are the hash and signature details that are needed for This class are the hash and signature details that are needed for
providing context for indicators. providing context for indicators.
+--------------------------+ +--------------------------+
| HashInformation | | HashInformation |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-category |<>--{0..*}--[ FileSize ] | STRING ext-category |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ ds:Signature ] | BOOL valid |<>--{0..*}--[ ds:Signature ]
| STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ] | STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ]
| STRING inidicator-set-id |<>--{0..*}--[ ds:Reference ] | STRING inidicator-set-id |<>--{0..*}--[ ds:Reference ]
+--------------------------+ +--------------------------+
Figure 38: The Hash Sig Details Class Figure 40: The Hash Sig Details Class
The aggregate classes that constitutes HashInformation are: The aggregate classes that constitutes HashInformation are:
FileName FileName
Zero or more. ML_STRING. The name of the file. Zero or more. ML_STRING. The name of the file.
FileSize FileSize
Zero or more. INTEGER. The size of the file in bytes. Zero or more. INTEGER. The size of the file in bytes.
ds:Signature ds:Signature
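Review bot: the registry-key and hash figures disagree with their prose on attribute names, and the prose in this region has several slips that survive into -02. In the RecordPattern text, "Number of types to apply the specified pattern" should read "Number of times". In 3.22, "modified as part and may constitue an indicator of compromise" is missing the object of "as part" and misspells "constitute", and "The Window Registry Key" should be "Windows". Figure 39 is captioned "The Registry Key Modified Class" but depicts the Key class, spells the attributes "regsitryaction" and "inidicator-set-id" while the prose uses "indicator-set-id", and pairs registryaction with an extension attribute named ext-category rather than ext-registryaction, breaking the ext-<attribute> convention used everywhere else (ext-type, ext-offsetunit). Figure 40 has the same "inidicator-set-id" spelling and the same ext-category-beside-type mismatch, and its caption "The Hash Sig Details Class" does not match the class name HashInformation. Finally, "This class are the hash and signature details" should be "This class contains ...", and the three occurrences of "The aggregate classes that constitutes" should read "constitute".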
skipping to change at page 61, line 44 skipping to change at page 64, line 44
content of Confidence should be empty. content of Confidence should be empty.
o The Address@type attribute determines the format of the element o The Address@type attribute determines the format of the element
content. content.
o The attributes AdditionalData@dtype and RecordItem@dtype derived o The attributes AdditionalData@dtype and RecordItem@dtype derived
from iodef:ExtensionType determine the semantics and formatting of from iodef:ExtensionType determine the semantics and formatting of
the element content. the element content.
o Symmetry in the enumerated ports of a Portlist class is required o Symmetry in the enumerated ports of a Portlist class is required
between sources and targets. See Section 3.17. between sources and targets. See Section 3.19.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the changing activity of CSIRTS, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
IODEF schema. With proven value, well documented extensions can be IODEF schema. With proven value, well documented extensions can be
incorporated into future versions of the specification. However, incorporated into future versions of the specification. However,
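Review bot: style point in the first paragraph of Section 5: "CSIRTS" should be "CSIRTs", the plural form of the abbreviation used elsewhere in the document.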
skipping to change at page 63, line 31 skipping to change at page 66, line 31
recommendation makes readability of the document easier by recommendation makes readability of the document easier by
allowing the reader to infer which namespaces relate to IODEF by allowing the reader to infer which namespaces relate to IODEF by
inspection. inspection.
3. It is RECOMMENDED that extension schemas follow the naming 3. It is RECOMMENDED that extension schemas follow the naming
convention of the IODEF data model. This makes reading an convention of the IODEF data model. This makes reading an
extended IODEF document look like any other IODEF document. The extended IODEF document look like any other IODEF document. The
names of all elements are capitalized. For elements with names of all elements are capitalized. For elements with
composed names, a capital letter is used for each word. composed names, a capital letter is used for each word.
Attribute names are lower case. Attributes with composed names Attribute names are lower case. Attributes with composed names
are seperated by a hyphen. are separated by a hyphen.
4. Parsers that encounter an unrecognized element in a namespace 4. Parsers that encounter an unrecognized element in a namespace
that they do support MUST reject the document as a syntax error. that they do support MUST reject the document as a syntax error.
5. There are security and performance implications in requiring 5. There are security and performance implications in requiring
implementations to dynamically download schemas at run time. implementations to dynamically download schemas at run time.
Thus, implementations SHOULD NOT download schemas at runtime, Thus, implementations SHOULD NOT download schemas at runtime,
unless implementations take appropriate precautions and are unless implementations take appropriate precautions and are
prepared for potentially significant network, processing, and prepared for potentially significant network, processing, and
time-out demands. time-out demands.
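Review bot: item 5 names the risk of runtime schema download but not the precautions, so implementers are left to guess. Since schemaLocation hints come from the received document, a parser that honours them can be steered to arbitrary hosts and made to block on slow or unbounded fetches; suggest stating that implementations ship the IODEF and imported schemas locally, resolve imports through a local catalog, and configure the XML parser not to fetch external schemas or entities. Item 4 would also benefit from a clarifying sentence on what "a namespace that they do support" means for the extension namespaces introduced in items 1 to 3, so that an unknown element in a known extension namespace is clearly a rejection case.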
skipping to change at page 72, line 44 skipping to change at page 75, line 44
attributeFormDefault="unqualified"> attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis Incident Object Description Exchange Format v2.0, RFC5070-bis
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!-- CHANGE: See above addition of xmlns:ds and import of same
namespace. This is to use the digital signature hash
inclusion of a file by referencing the existing standard as
was done in RFC5901, RFC3275 is the reference, see RFC5901
section 5.9.5.2
-->
<!-- <!--
================================================================== ==================================================================
== List of changes == == List of changes ==
================================================================== ==================================================================
CHANGE - new indicator values in the schema CHANGE - new indicator values in the schema
The purpose of the proposed changes is to include commonly shared The purpose of the proposed changes is to include commonly shared
indicators in the base IODEF schema. This class will contain indicators in the base IODEF schema. This class will contain
indicators from the list below that are not represented elsewhere indicators from the list below that are not represented elsewhere
in the schema. IODEF extensions or embedded schemas via the SCI in the schema. IODEF extensions or embedded schemas via the SCI
classes will be required to include additional data types. classes will be required to include additional data types.
A table could be maintained through IANA to extend or change this A table could be maintained through IANA to extend or change this
class in between IODEF revisions. class in between IODEF revisions.
RFC5901 provides a method to include an entire email, the following RFC5901 provides a method to include an entire email, the following
included indicators are ones commonly used when you do not need the included indicators are ones commonly used when you do not need the
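Review bot: the xs:import of the XML Signature schema carries an absolute http:// schemaLocation, which invites exactly the runtime download that Section 5 item 5 says implementations SHOULD NOT perform; a short comment next to the import saying that a local copy of xmldsig-core-schema.xsd is expected would reconcile the two. Note also that the schemaLocation URL is wrapped across two lines in the draft rendering, so the schema as printed will not load until the URL is rejoined. The -01 comment explaining why the ds namespace is imported (hash and signature inclusion per RFC 5901 and RFC 3275) was dropped in -02 without replacement; keep a one-line rationale so the import does not look accidental.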
skipping to change at page 74, line 18 skipping to change at page 77, line 10
================================================================== ==================================================================
=== Incident class === === Incident class ===
================================================================== ==================================================================
--> -->
<xs:element name="Incident"> <xs:element name="Incident">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:choice>
<xs:element ref="iodef:IncidentID"/> <xs:element ref="iodef:IncidentID"/>
<!-- CHANGE - the incidentID can still be used, <!-- CHANGE - the incidentID can still be used,
but when you have a set of indictaors or include but when you have a set of indicators or include
a watch list, a ReportID may be preferred. If a watch list, a ReportID may be preferred. If
this is agreed upon, do we make them both unique this is agreed upon, do we make them both unique
so the same key can be used in databases? This so the same key can be used in databases? This
should not be used as your index value unless you should not be used as your index value unless you
are the issueing entity. --> are the issuing entity. -->
<xs:element name="ReportID" type="IncidentIDType"/> <xs:element name="ReportID" type="IncidentIDType"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AlternativeID" <xs:element ref="iodef:AlternativeID"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity" <xs:element ref="iodef:RelatedActivity"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" <xs:element ref="iodef:DetectTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/> <xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" <xs:element ref="iodef:Assessment"
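Review bot: the ReportID declaration uses type="IncidentIDType" without the iodef: prefix that every other type reference in this schema carries (for example type="iodef:restriction-type" further down); an unprefixed QName resolves in the default namespace, so this only works if the default namespace happens to equal the target namespace. Suggest type="iodef:IncidentIDType". The CHANGE comment above it also still contains an open design question ("do we make them both unique ...?"); resolve it or move it to the open-issues list rather than leaving it in the normative schema.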
skipping to change at page 75, line 9 skipping to change at page 77, line 50
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="purpose" use="required"> <xs:attribute name="purpose" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/> <xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/> <xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/> <xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-purpose" <xs:attribute name="ext-purpose"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="lang" <xs:attribute name="lang"
type="xs:language"/> type="xs:language"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
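Review bot: the new "watch" value for the purpose enumeration needs a matching entry in the prose definition of Incident@purpose so that readers of the information model see it; a schema-only addition is easy to miss. Minor style: `value="watch" />` has a space before the self-closing slash that none of the neighbouring enumeration lines have.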
skipping to change at page 76, line 35 skipping to change at page 79, line 30
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== RelatedActivity class == == RelatedActivity class ==
================================================================== ==================================================================
--> -->
<xs:element name="RelatedActivity"> <xs:element name="RelatedActivity">
<xs:complexType> <xs:complexType>
<xs:choice> <xs:sequence>
<xs:element ref="iodef:IncidentID" <xs:choice maxOccurs="unbounded">
maxOccurs="unbounded"/> <xs:element ref="iodef:IncidentID"
<xs:element ref="iodef:URL" maxOccurs="unbounded"/>
maxOccurs="unbounded"/> <xs:element ref="iodef:URL"
</xs:choice> maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== ThreatActor class ==
==================================================================
-->
<xs:element name="ThreatActor">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element ref="iodef:ThreatActorID" />
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActorID" type="xs:string"/>
<!--
==================================================================
== Campaign class ==
==================================================================
-->
<xs:element name="Campaign">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element ref="iodef:CampaignID"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== AdditionalData class == == AdditionalData class ==
================================================================== ==================================================================
--> -->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/> <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
== Contact class == == Contact class ==
================================================================== ==================================================================
--> -->
<xs:element name="Contact"> <xs:element name="Contact">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ContactName" <xs:element ref="iodef:ContactName"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle" <xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress" <xs:element ref="iodef:PostalAddress"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Email" <xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone" <xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
skipping to change at page 78, line 4 skipping to change at page 82, line 18
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-role" <xs:attribute name="ext-role"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/> <xs:enumeration value="person"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- CHANGE - UML states the type disambiguates the type of
Name person or organization. Do we want this added to the
schema? -->
<xs:element name="ContactName" <xs:element name="ContactName"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="ContactTitle"
type="iodef:MLStringType"/>
<xs:element name="RegistryHandle"> <xs:element name="RegistryHandle">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="registry"> <xs:attribute name="registry">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/> <xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/> <xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/> <xs:enumeration value="arin"/>
skipping to change at page 87, line 11 skipping to change at page 91, line 24
<xs:element name="System"> <xs:element name="System">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/> <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service" <xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem" <xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="interface" <xs:attribute name="interface"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="category"> <xs:attribute name="category">
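Review bot: the new AssetID is declared as a local element (name="AssetID" type="xs:string") while every sibling in the System sequence is a ref to a global iodef element; declare it globally for consistency, so that extensions can reference it and so that elementFormDefault does not change how it must be qualified in instance documents.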
skipping to change at page 87, line 41 skipping to change at page 92, line 8
<xs:enumeration value="infrastructure"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<!-- CHANGE - adding an attribute to mark sets of <!-- CHANGE - adding an attribute to mark sets of
indicators --> indicators -->
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="spoofed" <xs:attribute name="spoofed"
default="unknown"> default="unknown">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="yes"/> <xs:enumeration value="yes"/>
<xs:enumeration value="no"/> <xs:enumeration value="no"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="virtual" type="yes-no-type"
use="optional" default="no"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Node class == == Node class ==
================================================================== ==================================================================
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
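Review bot: the new virtual attribute is declared with type="yes-no-type", missing the iodef: prefix used on type="iodef:restriction-type" a few lines above in the same complexType; as with the unprefixed IncidentIDType earlier, this resolves only if the default namespace equals the target namespace. Suggest type="iodef:yes-no-type". The ownership enumeration is otherwise consistent (it includes ext-value and has a matching ext-ownership attribute).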
skipping to change at page 93, line 40 skipping to change at page 98, line 25
<xs:element maxOccurs="1" minOccurs="0" <xs:element maxOccurs="1" minOccurs="0"
name="DateDomainWasChecked" type="xs:dateTime"/> name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:element name="RegistrationDate" <xs:element name="RegistrationDate"
type="xs:dateTime" maxOccurs="1" minOccurs="0"/> type="xs:dateTime" maxOccurs="1" minOccurs="0"/>
<xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate" <xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType" type="iodef:RelatedDNSEntryType"
maxOccurs="unbounded" minOccurs="0" /> maxOccurs="unbounded" minOccurs="0" />
<xs:element name="Nameservers" <xs:element name="Nameservers"
maxOccurs="unbounded" minOccurs="0" /> maxOccurs="unbounded" minOccurs="0">
<xs:complexType id="Nameservers.type"> <xs:complexType id="Nameservers.type">
<xs:sequence> <xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/> <xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0"> <xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
<xs:element name="SameDomainContact" <xs:element name="SameDomainContact"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
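Review bot: the change from `minOccurs="0" />` to `minOccurs="0">` on the Nameservers element is a genuine well-formedness fix: in -01 the element was self-closed and then followed by a complexType and a stray `</xs:element>`, so the -01 schema could not be loaded at all. Worth calling out in the change list so implementers know -01 schema files must be replaced.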
skipping to change at page 98, line 36 skipping to change at page 103, line 18
<xs:enumeration value="delete-key"/> <xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/> <xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/> <xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/> <xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- CHANGE: Including an indicator set ID that may be used </xs:sequence>
to detail changes int he history class as it relates to <!-- CHANGE: Including a unique ID for indicators, may be
indicators or sets. used to connect indicators in different representations
--> -->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:sequence>
</xs:complexType> </xs:complexType>
<!-- CHANGE: Should this be broken out as another class <!-- CHANGE: Should this be broken out as another class
for WindowsRegistryKeyModified and add attributes for WindowsRegistryKeyModified and add attributes
for indicator_ID and action - add_value, removes_value, etc. for indicator_ID and action - add_value, removes_value, etc.
as is demonstrated? as is demonstrated?
--> -->
<!-- <!--
================================================================== ==================================================================
== Classes that describe hash types, file information == == Classes that describe hash types, file information ==
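Review bot: moving indicator-uid and indicator-set-id out of the xs:sequence fixes an invalid placement in -01 (attributes are not allowed inside a sequence), but they now sit on the enclosing complexType rather than on the inner element that carries registryaction and ext-category. Section 3.22.1 and Figure 39 list indicator-uid and indicator-set-id as attributes of the Key class, alongside registryaction, so either the attributes belong on the inner element or the prose needs to move them to RegistryKeyModified; reconcile the two. The CHANGE comment asking whether this should be broken out as a WindowsRegistryKeyModified class is still an open question in the normative schema and should be resolved or moved to the open-issues list.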
skipping to change at page 102, line 15 skipping to change at page 106, line 41
<xs:attribute name="formatid" <xs:attribute name="formatid"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
<!-- <!--
================================================================== ==================================================================
== Global attribute type declarations == == Global attribute type declarations ==
================================================================== ==================================================================
--> -->
<xs:simpleType name="yes-no-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type"> <xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/> <xs:enumeration value="default"/>
<xs:enumeration value="public"/> <xs:enumeration value="public"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
<xs:enumeration value="need-to-know"/> <xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/> <xs:enumeration value="private"/>
<xs:enumeration value="white"/> <xs:enumeration value="white"/>
<xs:enumeration value="green"/> <xs:enumeration value="green"/>
<xs:enumeration value="amber"/> <xs:enumeration value="amber"/>
 End of changes. 133 change blocks. 
215 lines changed or deleted 446 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/