draft-ietf-mile-rfc5070-bis-02.txt   draft-ietf-mile-rfc5070-bis-03.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: April 23, 2014 October 20, 2013 Expires: July 12, 2014 January 8, 2014
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-02 draft-ietf-mile-rfc5070-bis-03
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation that provides a framework for sharing information data representation that provides a framework for sharing information
commonly exchanged by Computer Security Incident Response Teams commonly exchanged by Computer Security Incident Response Teams
(CSIRTs) about computer security incidents. This document describes (CSIRTs) about computer security incidents. This document describes
the information model for the IODEF and provides an associated data the information model for the IODEF and provides an associated data
model specified with XML Schema. model specified with XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 23, 2014. This Internet-Draft will expire on July 12, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 27 skipping to change at page 2, line 27
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 5 1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 6 1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 6
1.5. About the IODEF Implementation . . . . . . . . . . . . . 7 1.5. About the IODEF Implementation . . . . . . . . . . . . . 7
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 7 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 8 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 8
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 8 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 8
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 8 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 8
2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9 2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9
2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 9 2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 9
2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 9 2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 9
2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 9 2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 9
2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 9 2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 9
2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10 2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10
2.12. Person or Organization . . . . . . . . . . . . . . . . . 10 2.12. Person or Organization . . . . . . . . . . . . . . . . . 10
2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 10 2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 10
2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 10 2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 10
2.15. Uniform Resource Locator strings . . . . . . . . . . . . 10 2.15. Uniform Resource Locator strings . . . . . . . . . . . . 10
3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11 3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 11 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 11
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 11 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 12
3.3. IncidentID Class . . . . . . . . . . . . . . . . . . . . 15 3.3. IncidentID Class . . . . . . . . . . . . . . . . . . . . 15
3.4. AlternativeID Class . . . . . . . . . . . . . . . . . . . 16 3.4. AlternativeID Class . . . . . . . . . . . . . . . . . . . 16
3.5. RelatedActivity Class . . . . . . . . . . . . . . . . . . 16 3.5. RelatedActivity Class . . . . . . . . . . . . . . . . . . 17
3.6. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 18 3.6. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 18
3.7. Campaign Class . . . . . . . . . . . . . . . . . . . . . 18 3.7. Campaign Class . . . . . . . . . . . . . . . . . . . . . 18
3.8. AdditionalData Class . . . . . . . . . . . . . . . . . . 19 3.8. AdditionalData Class . . . . . . . . . . . . . . . . . . 19
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 21 3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 21
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 24 3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 24
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 25 3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 25
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 25 3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 26
3.9.4. Telephone and Fax Classes . . . . . . . . . . . . . . 26 3.9.4. Telephone and Fax Classes . . . . . . . . . . . . . . 26
3.10. Time Classes . . . . . . . . . . . . . . . . . . . . . . 26 3.10. Time Classes . . . . . . . . . . . . . . . . . . . . . . 26
3.10.1. StartTime . . . . . . . . . . . . . . . . . . . . . 27 3.10.1. StartTime . . . . . . . . . . . . . . . . . . . . . 27
3.10.2. EndTime . . . . . . . . . . . . . . . . . . . . . . 27 3.10.2. EndTime . . . . . . . . . . . . . . . . . . . . . . 27
3.10.3. DetectTime . . . . . . . . . . . . . . . . . . . . . 27 3.10.3. DetectTime . . . . . . . . . . . . . . . . . . . . . 27
3.10.4. ReportTime . . . . . . . . . . . . . . . . . . . . . 27 3.10.4. ReportTime . . . . . . . . . . . . . . . . . . . . . 27
3.10.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 27 3.10.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 27
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 27 3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 27
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 28 3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 28
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 29 3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 29
3.12.1. Impact Class . . . . . . . . . . . . . . . . . . . . 30 3.12.1. Impact Class . . . . . . . . . . . . . . . . . . . . 31
3.12.2. TimeImpact Class . . . . . . . . . . . . . . . . . . 32 3.12.2. TimeImpact Class . . . . . . . . . . . . . . . . . . 32
3.12.3. MonetaryImpact Class . . . . . . . . . . . . . . . . 34 3.12.3. MonetaryImpact Class . . . . . . . . . . . . . . . . 34
3.12.4. Confidence Class . . . . . . . . . . . . . . . . . . 35 3.12.4. Confidence Class . . . . . . . . . . . . . . . . . . 35
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 36 3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 36
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 36 3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 37
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 38 3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 38
3.14.1. Relating the Incident and EventData Classes . . . . 40 3.14.1. Relating the Incident and EventData Classes . . . . 40
3.14.2. Cardinality of EventData . . . . . . . . . . . . . . 40 3.14.2. Cardinality of EventData . . . . . . . . . . . . . . 41
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 41 3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 41
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 43 3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 44
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 44 3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 44
3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 47 3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 48
3.18.1. Counter Class . . . . . . . . . . . . . . . . . . . 48 3.18.1. Counter Class . . . . . . . . . . . . . . . . . . . 49
3.18.2. Address Class . . . . . . . . . . . . . . . . . . . 49 3.18.2. Address Class . . . . . . . . . . . . . . . . . . . 50
3.18.3. NodeRole Class . . . . . . . . . . . . . . . . . . . 51 3.18.3. NodeRole Class . . . . . . . . . . . . . . . . . . . 52
3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 53 3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 54
3.19.1. Application Class . . . . . . . . . . . . . . . . . 54 3.19.1. Application Class . . . . . . . . . . . . . . . . . 56
3.20. OperatingSystem Class . . . . . . . . . . . . . . . . . . 56 3.20. OperatingSystem Class . . . . . . . . . . . . . . . . . . 57
3.21. Record Class . . . . . . . . . . . . . . . . . . . . . . 56 3.21. Record Class . . . . . . . . . . . . . . . . . . . . . . 57
3.21.1. RecordData Class . . . . . . . . . . . . . . . . . . 56 3.21.1. RecordData Class . . . . . . . . . . . . . . . . . . 58
3.21.2. RecordPattern Class . . . . . . . . . . . . . . . . 58 3.21.2. RecordPattern Class . . . . . . . . . . . . . . . . 59
3.21.3. RecordItem Class . . . . . . . . . . . . . . . . . . 59 3.21.3. RecordItem Class . . . . . . . . . . . . . . . . . . 60
3.22. RegistryKeyModified Class . . . . . . . . . . . . . . . . 59 3.22. RegistryKeyModified Class . . . . . . . . . . . . . . . . 61
3.22.1. Key Class . . . . . . . . . . . . . . . . . . . . . 60 3.22.1. Key Class . . . . . . . . . . . . . . . . . . . . . 61
3.23. HashInformation Class . . . . . . . . . . . . . . . . . . 61 3.23. HashInformation Class . . . . . . . . . . . . . . . . . . 62
4. Processing Considerations . . . . . . . . . . . . . . . . . . 62 4. Processing Considerations . . . . . . . . . . . . . . . . . . 64
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 63 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 64
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 63 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 65
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 63 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 65
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 64 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 66
5.1. Extending the Enumerated Values of Attributes . . . . . . 65 5.1. Extending the Enumerated Values of Attributes . . . . . . 66
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 65 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 67
6. Internationalization Issues . . . . . . . . . . . . . . . . . 67 6. Internationalization Issues . . . . . . . . . . . . . . . . . 69
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 68 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 68 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 70 7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 71
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 72 7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 73
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 74 7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 75
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 75 8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 76
9. Security Considerations . . . . . . . . . . . . . . . . . . . 109 9. Security Considerations . . . . . . . . . . . . . . . . . . . 109
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 109 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 110
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 110 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 110
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 110 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 111
12.1. Normative References . . . . . . . . . . . . . . . . . . 110 12.1. Normative References . . . . . . . . . . . . . . . . . . 111
12.2. Informative References . . . . . . . . . . . . . . . . . 112 12.2. Informative References . . . . . . . . . . . . . . . . . 112
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 7, line 29 skipping to change at page 7, line 29
techniques to reference information kept outside of the explicit techniques to reference information kept outside of the explicit
data model. data model.
o The domain of security analysis is not fully standardized and must o The domain of security analysis is not fully standardized and must
rely on free-form textual descriptions. The IODEF attempts to rely on free-form textual descriptions. The IODEF attempts to
strike a balance between supporting this free-form content, while strike a balance between supporting this free-form content, while
still allowing automated processing of incident information. still allowing automated processing of incident information.
o The IODEF is only one of several security relevant data o The IODEF is only one of several security relevant data
representations being standardized. Attempts were made to ensure representations being standardized. Attempts were made to ensure
they were complimentary. The data model of the Intrusion they were complementary. The data model of the Intrusion
Detection Message Exchange Format [17] influenced the design of Detection Message Exchange Format [17] influenced the design of
the IODEF. the IODEF.
Further discussion of the desirable properties for the IODEF can be Further discussion of the desirable properties for the IODEF can be
found in the Requirements for the Format for Incident Information found in the Requirements for the Format for Incident Information
Exchange (FINE) [16]. Exchange (FINE) [16].
1.5. About the IODEF Implementation 1.5. About the IODEF Implementation
The IODEF implementation is specified as an Extensible Markup The IODEF implementation is specified as an Extensible Markup
skipping to change at page 12, line 4 skipping to change at page 12, line 6
Required. ENUM. A valid language code per RFC 4646 [7] Required. ENUM. A valid language code per RFC 4646 [7]
constrained by the definition of "xs:language". The constrained by the definition of "xs:language". The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
formatid formatid
Optional. STRING. A free-form string to convey processing Optional. STRING. A free-form string to convey processing
instructions to the recipient of the document. Its semantics must instructions to the recipient of the document. Its semantics must
be negotiated out-of-band. be negotiated out-of-band.
3.2. Incident Class 3.2. Incident Class
Every incident is represented by an instance of the Incident class. Every incident is represented by an instance of the Incident class.
This class provides a standardized representation for commonly This class provides a standardized representation for commonly
exchanged incident data. exchanged incident data.
+--------------------+ +-------------------------+
| Incident | | Incident |
+--------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM lang |<>--{0..*}--[ RelatedActivity ] | ENUM lang |<>--{0..*}--[ RelatedActivity ]
| ENUM restriction |<>--{0..1}--[ DetectTime ] | ENUM restriction |<>--{0..1}--[ DetectTime ]
| |<>--{0..1}--[ StartTime ] | STRING indicator-set-id |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>----------[ ReportTime ] | |<>----------[ ReportTime ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{1..*}--[ Assessment ] | |<>--{1..*}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..1}--[ History ] | |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------+ +-------------------------+
Figure 2: The Incident Class Figure 2: The Incident Class
The aggregate classes that constitute Incident are: The aggregate classes that constitute Incident are:
IncidentID IncidentID
One. An incident tracking number assigned to this incident by the One. An incident tracking number assigned to this incident by the
CSIRT that generated the IODEF document. CSIRT that generated the IODEF document.
AlternativeID AlternativeID
skipping to change at page 16, line 21 skipping to change at page 16, line 25
named incident. named incident.
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
The default value is "public". The default value is "public".
3.4. AlternativeID Class 3.4. AlternativeID Class
The AlternativeID class lists the incident tracking numbers used by The AlternativeID class lists the incident tracking numbers used by
CSIRTs, other than the one generating the document, to refer to the CSIRTs, other than the one generating the document, to refer to the
identical activity described the IODEF document. A tracking number identical activity described in the IODEF document. A tracking
listed as an AlternativeID references the same incident detected by number listed as an AlternativeID references the same incident
another CSIRT. The incident tracking numbers of the CSIRT that detected by another CSIRT. The incident tracking numbers of the
generated the IODEF document must never be considered an CSIRT that generated the IODEF document must never be considered an
AlternativeID. AlternativeID.
+------------------+ +------------------+
| AlternativeID | | AlternativeID |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ] | ENUM restriction |<>--{1..*}--[ IncidentID ]
| | | |
+------------------+ +------------------+
Figure 4: The AlternativeID Class Figure 4: The AlternativeID Class
The aggregate class that constitutes AlternativeID is: The aggregate class that constitutes AlternativeID is:
IncidentID IncidentID
One or more. The incident tracking number of another CSIRT. One or more. The incident tracking number of another CSIRT.
The AlternativeID class has one attribute: The AlternativeID class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.5. RelatedActivity Class 3.5. RelatedActivity Class
The RelatedActivity class relates the information described in the The RelatedActivity class relates the information described in the
rest of the IODEF document to previously observed incidents or rest of the IODEF document to previously observed incidents or
activity; and allows attribution to a specific actor or campaign. activity; and allows attribution to a specific actor or campaign.
+------------------+ +------------------+
| RelatedActivity | | RelatedActivity |
+------------------+ +------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ] | ENUM restriction |<>--{0..*}--[ IncidentID ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ] | |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ] | |<>--{0..*}--[ Campaign ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 5: RelatedActivity Class Figure 5: RelatedActivity Class
The aggregate classes that constitutes RelatedActivity are: The aggregate classes that constitutes RelatedActivity are:
IncidentID IncidentID
One or more. The incident tracking number of a related incident. One or more. The incident tracking number of a related incident.
URL URL
One or more. URL. A URL to activity related to this incident. One or more. URL. A URL to activity related to this incident.
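Review bot: the cardinalities given in the text for IncidentID and URL ("One or more") disagree with Figure 5, which shows {0..*} for both; since RelatedActivity can also carry only a ThreatActor or Campaign, zero IncidentIDs is a legitimate instance, so the text should read "Zero or many" (or the figure should be changed to {1..*}). The lead-in "The aggregate classes that constitutes RelatedActivity are" should also read "constitute"; this appears unchanged in both -02 and -03.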
skipping to change at page 18, line 9 skipping to change at page 18, line 17
The RelatedActivity class has one attribute: The RelatedActivity class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.6. ThreatActor Class 3.6. ThreatActor Class
The ThreatActor class describes a given actor. The ThreatActor class describes a given actor.
+------------------+ +------------------+
| Actor | | Actor |
+------------------+ +------------------+
| ENUM restriction |<>--{0..1}--[ ThreatActorID ] | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 6: ThreatActor Class Figure 6: ThreatActor Class
The aggregate classes that constitutes ThreatActor are: The aggregate classes that constitutes ThreatActor are:
ThreatActorID ThreatActorID
One or more. STRING. An identifier for the ThreatActor. One or more. STRING. An identifier for the ThreatActor.
Description Description
One or more. ML_STRING. A description of the ThreatActor. One or more. ML_STRING. A description of the ThreatActor.
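Review bot: Figure 6 labels the box "Actor" rather than "ThreatActor", and its cardinalities do not match the text: the figure shows ThreatActorID as {0..1} and Description as {0..*}, while the text says "One or more" for both. Since ThreatActorID is the only way to name the actor, {1} or {1..*} in the figure and matching text seems the intended reading; the "classes that constitutes" wording should also become "constitute". None of this changed between -02 and -03.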
skipping to change at page 18, line 42 skipping to change at page 19, line 5
The ThreatActor class has one attribute: The ThreatActor class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.7. Campaign Class 3.7. Campaign Class
The Campaign class describes a ... The Campaign class describes a ...
+------------------+ +------------------+
| Campaign | | Campaign |
+------------------+ +------------------+
| ENUM restriction |<>--{0..1}--[ CampaignID ] | ENUM restriction |<>--{0..1}--[ CampaignID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 7: Campaign Class Figure 7: Campaign Class
The aggregate classes that constitutes Campaign are: The aggregate classes that constitutes Campaign are:
CampaignID CampaignID
One or more. STRING. An identifier for the Campaign. One or more. STRING. An identifier for the Campaign.
Description Description
One or more. ML_STRING. A description of the Campaign. One or more. ML_STRING. A description of the Campaign.
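Review bot: the opening sentence of Section 3.7 is still the placeholder "The Campaign class describes a ..." and needs completing before this can be reviewed as a class definition. Figure 7 shows CampaignID as {0..1} and Description as {0..*}, but the text says "One or more" for both; the same figure/text mismatch as in 3.6 should be resolved the same way, and "classes that constitutes" corrected to "constitute".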
skipping to change at page 28, line 32 skipping to change at page 28, line 42
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
3.11.1. Reference Class 3.11.1. Reference Class
The Reference class is a reference to a vulnerability, IDS alert, The Reference class is a reference to a vulnerability, IDS alert,
malware sample, advisory, or attack technique. A reference consists malware sample, advisory, or attack technique. A reference consists
of a name, a URL to this reference, and an optional description. of a name, a URL to this reference, and an optional description.
+------------------+ +-------------------------+
| Reference | | Reference |
+------------------+ +-------------------------+
| |<>----------[ ReferenceName ] | ENUM attacktype |<>----------[ ReferenceName ]
| |<>--{0..*}--[ URL ] | STRING ext-attacktype |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
+------------------+ | STRING indicator-set-id |
+-------------------------+
Figure 16: The Reference Class Figure 16: The Reference Class
The aggregate classes that constitute Reference: The aggregate classes that constitute Reference:
ReferenceName ReferenceName
One. ML_STRING. Name of the reference. One. ML_STRING. Name of the reference.
URL URL
Zero or many. URL. A URL associated with the reference. Zero or many. URL. A URL associated with the reference.
Description Description
Zero or many. ML_STRING. A free-form text description of this Zero or many. ML_STRING. A free-form text description of this
reference. reference.
The Reference class has 4 attributes. The Reference class has 4 attributes.
indicator-uid
Optional. STRING. A unique identifier for an Indicator.
indicator-set-id
Optional. STRING. The indicator set ID is used to group
related indicators.
attacktype attacktype
Optional. ENUM. A unique identifier for an Indicator. Optional. ENUM. TODO.
ext-attacktype ext-attacktype
Optional. STRING. A mechanism by which to extend the Optional. STRING. A mechanism by which to extend the Attack
Attack Type. Type.
indicator-uid
Optional. STRING. A unique identifier for an Indicator.
indicator-set-id
Optional. STRING. The indicator set ID is used to group
related indicators.
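Review bot: the attacktype attribute is declared as an ENUM but its description is now "TODO" (the -02 text, "A unique identifier for an Indicator", was a copy of the indicator-uid definition), and no list of permitted values appears anywhere in this section; an ENUM that carries an ext-attacktype escape needs its enumerated values and the usual pointer to Section 5.1 so that a receiving implementation knows what it can validate against. The reordering of the four attribute definitions in -03 to match the left-hand column of Figure 16 is fine, and "has 4 attributes" is now consistent with the figure.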
3.12. Assessment Class 3.12. Assessment Class
The Assessment class describes the technical and non-technical The Assessment class describes the technical and non-technical
repercussions of the incident on the CSIRT's constituency. repercussions of the incident on the CSIRT's constituency.
This class was derived from the IDMEF[17]. This class was derived from the IDMEF[17].
+------------------+ +-------------------------+
| Assessment | | Assessment |
+------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ] | ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ TimeImpact ] | ENUM restriction |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ] | STRING indicator-uid |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ Counter ] | STRING indicator-set-id |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +-------------------------+
Figure 17: Assessment Class Figure 17: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
Impact Impact
Zero or many. Technical impact of the incident on a network. Zero or many. Technical impact of the incident on a network.
TimeImpact TimeImpact
Zero or many. Impact of the activity measured with respect to Zero or many. Impact of the activity measured with respect to
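Review bot: Figure 17 in -03 adds indicator-uid and indicator-set-id as attributes of Assessment, but the visible text still only introduces the aggregate classes; the attribute list that follows the skipped region should describe both new attributes the same way Section 3.11.1 does, or they remain undocumented. Minor: "derived from the IDMEF[17]" is missing the space before the citation used elsewhere in the draft.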
skipping to change at page 34, line 30 skipping to change at page 35, line 5
attribute. See Section 5.1. attribute. See Section 5.1.
3.12.3. MonetaryImpact Class 3.12.3. MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the The MonetaryImpact class describes the financial impact of the
activity on an organization. For example, this impact may consider activity on an organization. For example, this impact may consider
losses due to the cost of the investigation or recovery, diminished losses due to the cost of the investigation or recovery, diminished
productivity of the staff, or a tarnished reputation that will affect productivity of the staff, or a tarnished reputation that will affect
future opportunities. future opportunities.
+------------------+ +------------------+
| MonetaryImpact | | MonetaryImpact |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| STRING currency | | STRING currency |
+------------------+ +------------------+
Figure 20: MonetaryImpact Class Figure 20: MonetaryImpact Class
The element content is a positive, floating point number (REAL) The element content is a positive, floating point number (REAL)
specifying a unit of currency described in the currency attribute. specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes: The MonetaryImpact class has two attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
skipping to change at page 36, line 49 skipping to change at page 37, line 34
default value is "default". default value is "default".
3.13.1. HistoryItem Class 3.13.1. HistoryItem Class
The HistoryItem class is an entry in the History (Section 3.13) log The HistoryItem class is an entry in the History (Section 3.13) log
that documents a particular action or event that occurred in the that documents a particular action or event that occurred in the
course of handling the incident. The details of the entry are a course of handling the incident. The details of the entry are a
free-form description, but each can be categorized with the type free-form description, but each can be categorized with the type
attribute. attribute.
+-------------------+ +-------------------------+
| HistoryItem | | HistoryItem |
+-------------------+ +-------------------------+
| ENUM restriction |<>----------[ DateTime ] | ENUM restriction |<>----------[ DateTime ]
| ENUM action |<>--{0..1}--[ IncidentId ] | ENUM action |<>--{0..1}--[ IncidentId ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ Contact ]
| |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | STRING indicator-set-id |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------------+
Figure 23: HistoryItem Class Figure 23: HistoryItem Class
The aggregate classes that constitute HistoryItem are: The aggregate classes that constitute HistoryItem are:
DateTime DateTime
One. Timestamp of this entry in the history log (e.g., when the One. Timestamp of this entry in the history log (e.g., when the
action described in the Description was taken). action described in the Description was taken).
IncidentID IncidentID
skipping to change at page 38, line 22 skipping to change at page 39, line 7
indicators. indicators.
3.14. EventData Class 3.14. EventData Class
The EventData class describes a particular event of the incident for The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered. activity on the organization, and any forensic evidence discovered.
+------------------+ +-------------------------+
| EventData | | EventData |
+------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ DetectTime ] | STRING indicator-set-id |<>--{0..1}--[ DetectTime ]
| |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ] | |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ] | |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +-------------------------+
Figure 24: The EventData Class Figure 24: The EventData Class
The aggregate classes that constitute EventData are: The aggregate classes that constitute EventData are:
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
event. event.
DetectTime DetectTime
skipping to change at page 40, line 33 skipping to change at page 41, line 19
3.14.2. Cardinality of EventData 3.14.2. Cardinality of EventData
The EventData class can be thought of as a container for the The EventData class can be thought of as a container for the
properties of an event in an incident. These properties include: the properties of an event in an incident. These properties include: the
hosts involved, impact of the incident activity on the hosts, hosts involved, impact of the incident activity on the hosts,
forensic logs, etc. With an instance of the EventData class, hosts forensic logs, etc. With an instance of the EventData class, hosts
(i.e., System class) are grouped around these common properties. (i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the The recursive definition (or instance property inheritance) of the
EventData class (the EventData class is aggregated into the EventData EventData class (the EventData class is aggregated into the EventData
class) provides a way to related information without requiring the class) provides a way to relate information without requiring the
explicit use of unique attribute identifiers in the classes or explicit use of unique attribute identifiers in the classes or
duplicating information. Instead, the relative depth (nesting) of a duplicating information. Instead, the relative depth (nesting) of a
class is used to group (relate) information. class is used to group (relate) information.
For example, an EventData class might be used to describe two For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can different. A depiction of the representation for this situation can
skipping to change at page 41, line 19 skipping to change at page 42, line 5
Figure 25: Recursion in the EventData Class Figure 25: Recursion in the EventData Class
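The following Python, added here and not part of the draft, resolves the nesting-as-inheritance described above: it walks a constructed nested EventData fragment and emits one record per System address carrying the nearest enclosing Contact and Assessment. The Contact/ContactName and Impact element layout and attribute values are assumed from the IODEF data model rather than taken from this section.

```python
import xml.etree.ElementTree as ET

# Namespace as declared in Section 4.2.
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}

# Constructed sample (not from the draft): the outer EventData carries the
# technical contact shared by both machines; each inner EventData carries
# its own Assessment and Flow. The Contact/ContactName and Impact layout is
# assumed from the IODEF data model rather than taken from this section.
SAMPLE = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Contact role="tech" type="person">
    <ContactName>CSIRT duty officer</ContactName>
  </Contact>
  <EventData>
    <Assessment><Impact severity="high" type="dos"/></Assessment>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address>
    </Node></System></Flow>
  </EventData>
  <EventData>
    <Assessment><Impact severity="low" type="recon"/></Assessment>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.11</Address>
    </Node></System></Flow>
  </EventData>
</EventData>"""


def flatten_eventdata(event, inherited=None):
    """Walk an EventData tree and return one record per System address.

    Properties set on an EventData apply to everything nested below it; a
    nested EventData may override them. That is the "instance property
    inheritance" of Section 3.14.2, resolved here by passing the enclosing
    values down the recursion.
    """
    inherited = dict(inherited or {})
    name = event.find("iodef:Contact/iodef:ContactName", NS)
    if name is not None:
        inherited["contact"] = (name.text or "").strip()
    impact = event.find("iodef:Assessment/iodef:Impact", NS)
    if impact is not None:
        inherited["severity"] = impact.get("severity")
        inherited["impact_type"] = impact.get("type")

    records = []
    for addr in event.findall(
            "iodef:Flow/iodef:System/iodef:Node/iodef:Address", NS):
        records.append({"address": (addr.text or "").strip(), **inherited})
    for child in event.findall("iodef:EventData", NS):
        records.extend(flatten_eventdata(child, inherited))
    return records


def flatten(xml_text):
    """Parse an EventData fragment and flatten it."""
    return flatten_eventdata(ET.fromstring(xml_text))
```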
3.15. Expectation Class 3.15. Expectation Class
The Expectation class conveys to the recipient of the IODEF document The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested the actions the sender is requesting. The scope of the requested
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------+ +-------------------------+
| Expectation | | Expectation |
+-------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..1}--[ StartTime ] | ENUM severity |<>--{0..1}--[ StartTime ]
| ENUM action |<>--{0..1}--[ EndTime ] | ENUM action |<>--{0..1}--[ EndTime ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ Contact ]
+-------------------+ | STRING indicator-uid |
| STRING indicator-set-id |
+-------------------------+
Figure 26: The Expectation Class Figure 26: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes that constitute Expectation are:
Description Description
Zero or many. ML_STRING. A free-form description of the desired Zero or many. ML_STRING. A free-form description of the desired
action(s). action(s).
StartTime StartTime
Zero or one. The time at which the sender would like the action Zero or one. The time at which the sender would like the action
performed. A timestamp that is earlier than the ReportTime performed. A timestamp that is earlier than the ReportTime
specified in the Incident class denotes that the sender would like specified in the Incident class denotes that the sender would like
the action performed as soon as possible. The absence of this the action performed as soon as possible. The absence of this
element indicates no expectations of when the recipient would like element indicates no expectations of when the recipient would like
the action performed. the action performed.
EndTime EndTime
Zero or one. The time by which the sensor expects the recipient Zero or one. The time by which the sender expects the recipient
to complete the action. If the recipient cannot complete the to complete the action. If the recipient cannot complete the
action before EndTime, the recipient MUST NOT carry out the action before EndTime, the recipient MUST NOT carry out the
action. Because of transit delays, clock drift, and so on, the action. Because of transit delays, clock drift, and so on, the
sender MUST be prepared for the recipient to have carried out the sender MUST be prepared for the recipient to have carried out the
action, even if it completes past EndTime. action, even if it completes past EndTime.
Contact Contact
Zero or one. The expected actor for the action. Zero or one. The expected actor for the action.
The Expectation class has six attributes: The Expectation class has six attributes:
skipping to change at page 44, line 8 skipping to change at page 44, line 42
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
Figure 27: The Flow Class Figure 27: The Flow Class
The aggregate class that constitutes Flow is: The aggregate class that constitutes Flow is:
System System
One or More. A host or network involved in an event. One or More. A host or network involved in an event.
The Flow System class has no attributes. The Flow class has no attributes.
3.17. System Class 3.17. System Class
The System class describes a system or network involved in an event. The System class describes a system or network involved in an event.
The systems or networks represented by this class are categorized The systems or networks represented by this class are categorized
according to the role they played in the incident through the according to the role they played in the incident through the
category attribute. The value of this category attribute dictates category attribute. The value of this category attribute dictates
the semantics of the aggregated classes in the System class. If the the semantics of the aggregated classes in the System class. If the
category attribute has a value of "source", then the aggregated category attribute has a value of "source", then the aggregated
classes denote the machine and service from which the activity is classes denote the machine and service from which the activity is
skipping to change at page 46, line 25 skipping to change at page 47, line 13
unknown. unknown.
2. yes. The category attribute value is probably incorrect. In 2. yes. The category attribute value is probably incorrect. In
the case of a source, the System is likely a decoy; with a the case of a source, the System is likely a decoy; with a
target, the System was likely not the intended victim. target, the System was likely not the intended victim.
3. no. The category attribute value is believed to be correct. 3. no. The category attribute value is believed to be correct.
virtual virtual
Optional. ENUM. Indicates whether this System is a virtual or Optional. ENUM. Indicates whether this System is a virtual or
physical device. The default value is "no". The possible values physical device. The default value is "unknown". The possible
are: values are:
1. yes. The System is a virtual device. 1. yes. The System is a virtual device.
2. no. The System is a physical device. 2. no. The System is a physical device.
3. unknown. It is not known if the System is virtual.
ownership ownership
Optional. ENUM. Describes the ownership of this System relative Optional. ENUM. Describes the ownership of this System relative
to the sender of the IODEF document. The possible values are: to the sender of the IODEF document. The possible values are:
1. organization. The System is owned by the organization. 1. organization. The System is owned by the organization.
2. personal. The System is owned by an employee or affiliate of the 2. personal. The System is owned by an employee or affiliate of the
organization. organization.
3. partner. The System is owned by a partner of the 3. partner. The System is owned by a partner of the
skipping to change at page 48, line 15 skipping to change at page 49, line 7
and address was performed. This information MAY be provided if and address was performed. This information MAY be provided if
both an Address and NodeName are specified. both an Address and NodeName are specified.
NodeRole NodeRole
Zero or more. The intended purpose of the Node. Zero or more. The intended purpose of the Node.
Counter Counter
Zero or more. A counter with which to summarize properties of Zero or more. A counter with which to summarize properties of
this host or network. this host or network.
The Node class has no attributes.
3.18.1. Counter Class 3.18.1. Counter Class
The Counter class summarizes multiple occurrences of some event, or The Counter class summarizes multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions, conveys counts or rates on various features (e.g., packets, sessions,
events). events).
The value of the counter is the element content with its units The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics expressed by setting the duration attribute. The complete semantics
are entirely context dependent based on the class in which the are entirely context dependent based on the class in which the
skipping to change at page 48, line 41 skipping to change at page 49, line 35
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 30: The Counter Class Figure 30: The Counter Class
The Counter class has three attributes: The Counter class has five attributes:
type type
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes. 1. byte. Count of bytes.
2. packet. Count of packets. 2. packet. Count of packets.
3. flow. Count of flow (e.g., NetFlow records). 3. flow. Count of flow (e.g., NetFlow records).
skipping to change at page 49, line 27 skipping to change at page 50, line 20
10. organization. Count of organizations. 10. organization. Count of organizations.
11. ext-value. An escape value used to extend this attribute. 11. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
meaning
Optional. STRING. A free-form description of the metric
represented by the Counter.
duration duration
Optional. ENUM. If present, the Counter class represents a rate Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type attribute specifies the denominator of the rate (where the type
attribute specifies the numerator). The possible values of this attribute specifies the numerator). The possible values of this
attribute are defined in Section 3.12.2. attribute are defined in Section 3.12.2.
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.18.2. Address Class 3.18.2. Address Class
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address. or application (layer-7) address.
This class was derived from the IDMEF [17]. This class was derived from the IDMEF [17].
+---------------------+ +-------------------------+
| Address | | Address |
+---------------------+ +-------------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
+---------------------+ | STRING indicator-uid |
| STRING indicator-set-id |
+-------------------------+
Figure 31: The Address Class Figure 31: The Address Class
The Address class has five attributes: The Address class has five attributes:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". "ipv4-addr".
1. asn. Autonomous System Number 1. asn. Autonomous System Number
skipping to change at page 51, line 15 skipping to change at page 52, line 25
address belongs. address belongs.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
3.18.3. NodeRole Class 3.18.3. NodeRole Class
The NodeRole class describes the intended function performed by a The NodeRole class describes the intended function performed by a
particular host. particular host.
+---------------------+ +---------------------+
| NodeRole | | NodeRole |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 32: The NodeRole Class Figure 32: The NodeRole Class
The NodeRole class has three attributes: The NodeRole class has three attributes:
category category
Required. ENUM. Functionality provided by a node. Required. ENUM. Functionality provided by a node.
1. client. Client computer 1. client. Client computer
skipping to change at page 53, line 32 skipping to change at page 55, line 5
with the application listening on that port. with the application listening on that port.
When Service occurs as an aggregate class of a System that is a When Service occurs as an aggregate class of a System that is a
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
This class was derived from the IDMEF [17]. This class was derived from the IDMEF [17].
+---------------------+ +-------------------------+
| Service | | Service |
+---------------------+ +-------------------------+
| INTEGER ip_protocol |<>--{0..1}--[ Port ] | INTEGER ip_protocol |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ] | STRING indicator-uid |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | STRING indicator-set-id |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+---------------------+ +-------------------------+
Figure 33: The Service Class Figure 33: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
skipping to change at page 54, line 34 skipping to change at page 56, line 5
instance of a Service class. instance of a Service class.
When a System class with category="source" and another with When a System class with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
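As an added example (not the draft's own code), the following Python checks the implicit Portlist relationship just described and pairs the n-th source port with the n-th target port; it assumes the PORTLIST syntax of comma-separated ports with hyphenated inclusive ranges, which is defined outside this excerpt.

```python
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}

# Constructed sample Flow (not from the draft): three source ports map
# one-to-one onto three target ports.
GOOD_FLOW = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip_protocol="6"><Portlist>1024-1026</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">203.0.113.5</Address></Node>
    <Service ip_protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Same Flow, but the target lists only two ports for three source ports.
BAD_FLOW = GOOD_FLOW.replace("22,80,443", "22,80")


def expand_portlist(text):
    """Expand a PORTLIST such as "22,80,1024-1026" into an ordered list.

    Comma-separated entries, with hyphenated inclusive ranges, is the IODEF
    PORTLIST syntax (assumed here; the definition is outside this excerpt).
    Order is preserved because the n-th source port pairs with the n-th
    target port.
    """
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError("descending range %r in Portlist" % item)
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    return ports


def parse_flow(xml_text):
    return ET.fromstring(xml_text)


def _systems(flow, category):
    return flow.findall("iodef:System[@category='%s']" % category, NS)


def _ports(system):
    pl = system.find("iodef:Service/iodef:Portlist", NS)
    return expand_portlist(pl.text) if pl is not None and pl.text else None


def check_flow(flow):
    """Return violations of the implicit source/target Portlist relationship.

    An empty list means the Flow is consistent: every Portlist on the source
    side has the same length as every Portlist on the target side, and a
    multi-port Portlist only appears when the Flow has exactly one source
    and one target System.
    """
    problems = []
    sources, targets = _systems(flow, "source"), _systems(flow, "target")
    src_lists = [p for p in map(_ports, sources) if p is not None]
    tgt_lists = [p for p in map(_ports, targets) if p is not None]
    if not src_lists or not tgt_lists:
        return problems          # no Portlist on one side: nothing to relate
    lengths = {len(p) for p in src_lists + tgt_lists}
    if len(lengths) > 1:
        problems.append("source and target Portlists differ in length: %s"
                        % sorted(lengths))
    if max(lengths) > 1 and (len(sources) != 1 or len(targets) != 1):
        problems.append("multi-port Portlist with %d source and %d target "
                        "Systems; exactly one of each is required"
                        % (len(sources), len(targets)))
    return problems


def port_pairs(flow):
    """Pair the n-th source port with the n-th target port of a consistent
    single-source, single-target Flow."""
    if check_flow(flow):
        raise ValueError("Flow violates the Portlist relationship")
    sources, targets = _systems(flow, "source"), _systems(flow, "target")
    if not sources or not targets:
        return []
    src, tgt = _ports(sources[0]), _ports(targets[0])
    return list(zip(src, tgt)) if src and tgt else []
```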
The Service class has three attributes: The Service class has three attributes:
ip_protocol ip_protocol
Required. INTEGER. The IANA protocol number. Required. INTEGER. The IANA protocol number.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. A unique identifier for an Indicator.
skipping to change at page 56, line 43 skipping to change at page 58, line 13
The Record class has one attribute: The Record class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.21.1. RecordData Class 3.21.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+------------------+ +-------------------------+
| RecordData | | RecordData |
+------------------+ +-------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ Application ] | STRING indicator-set-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashInformation ] | |<>--{0..1}--[ HashInformation ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +-------------------------+
Figure 36: The RecordData Class Figure 36: The RecordData Class
The aggregate classes that constitute RecordData are: The aggregate classes that constitute RecordData are:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
skipping to change at page 58, line 28 skipping to change at page 59, line 46
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 37: The RecordPattern Class Figure 37: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by four attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex".
1. regex. regular expression, per Appendix F of [3]. 1. regex. regular expression, per Appendix F of [3].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex encoded binary pattern, per the HEXBIN data
type. type.
skipping to change at page 59, line 40 skipping to change at page 61, line 11
reference data stored elsewhere. reference data stored elsewhere.
This class is identical to AdditionalData class (Section 3.8). This class is identical to AdditionalData class (Section 3.8).
3.22. RegistryKeyModified Class 3.22. RegistryKeyModified Class
The Registry Key Modified class represents operating system registry The Registry Key Modified class represents operating system registry
keys that have been modified and may constitute an indicator keys that have been modified and may constitute an indicator
of compromise. of compromise.
+-----------------------+ +-----------------------+
| RegistryKeyModified | | RegistryKeyModified |
+-----------------------+ +-----------------------+
| |<>----------[ Key ] | |<>----------[ Key ]
+-----------------------+ +-----------------------+
Figure 38: The RegistryKeyModified Class Figure 38: The RegistryKeyModified Class
The aggregate class that constitutes the Registry Key Modified class The aggregate class that constitutes the Registry Key Modified class
is: is:
Key Key
One. The Windows Registry Key. One. The Windows Registry Key.
3.22.1. Key Class 3.22.1. Key Class
The Key class shows name and value pairs representing an operating The Key class shows name and value pairs representing an operating
system registry key and its value. The key and value are encoded as system registry key and its value. The key and value are encoded as
in Microsoft .reg files. in Microsoft .reg files.
+--------------------------+ +--------------------------+
| Key | | Key |
+--------------------------+ +--------------------------+
| ENUM registryaction |<>--{0..*}--[ KeyName ] | ENUM registryaction |<>--{0..*}--[ KeyName ]
| STRING ext-category |<>--{0..*}--[ Value ] | STRING ext-category |<>--{0..*}--[ Value ]
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| STRING indicator-uid | | STRING indicator-uid |
| STRING indicator-set-id  | | STRING indicator-set-id  |
+--------------------------+ +--------------------------+
Figure 39: The Registry Key Modified Class Figure 39: The Registry Key Modified Class
The aggregate classes that constitute Key are: The aggregate classes that constitute Key are:
KeyName KeyName
Zero or more. The name of the registry key. Zero or more. STRING. The name of the registry key.
Value Value
Zero or more. The value of the registry key. Zero or more. STRING. The value of the registry key.
The Key class has six attributes: The Key class has six attributes:
registryaction registryaction
Optional. ENUM. The type of action. Optional. ENUM. The type of action.
1. add-key. Registry key added. 1. add-key. Registry key added.
2. add-value. Value added to registry key. 2. add-value. Value added to registry key.
skipping to change at page 61, line 25 skipping to change at page 63, line 5
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. The indicator set ID is used to group related
indicators. indicators.
3.23. HashInformation Class 3.23. HashInformation Class
This class holds the hash and signature details that are needed for This class holds the hash and signature details that are needed for
providing context for indicators. providing context for indicators.
+--------------------------+ +--------------------------+
| HashInformation | | HashInformation |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-category |<>--{0..*}--[ FileSize ] | STRING ext-category |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ ds:Signature ] | BOOL valid |<>--{0..*}--[ ds:Signature ]
| STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ] | STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ]
| STRING indicator-set-id  |<>--{0..*}--[ ds:Reference ] | STRING indicator-set-id  |<>--{0..*}--[ ds:Reference ]
+--------------------------+ +--------------------------+
Figure 40: The HashInformation Class Figure 40: The HashInformation Class
The aggregate classes that constitute HashInformation are: The aggregate classes that constitute HashInformation are:
FileName FileName
Zero or more. ML_STRING. The name of the file. Zero or more. ML_STRING. The name of the file.
FileSize FileSize
Zero or more. INTEGER. The size of the file in bytes. Zero or more. INTEGER. The size of the file in bytes.
skipping to change at page 63, line 41 skipping to change at page 65, line 20
4.2. IODEF Namespace 4.2. IODEF Namespace
The IODEF schema declares a namespace of The IODEF schema declares a namespace of
"urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4]. Each "urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4]. Each
IODEF document MUST include a valid reference to the IODEF schema IODEF document MUST include a valid reference to the IODEF schema
using the "xsi:schemaLocation" attribute. An example of such a using the "xsi:schemaLocation" attribute. An example of such a
declaration would look as follows: declaration would look as follows:
<IODEF-Document <IODEF-Document
version="1.00" lang="en-US" version="2.00" lang="en-US"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0" xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"
4.3. Validation 4.3. Validation
The IODEF documents MUST be well-formed XML. It is RECOMMENDED that The IODEF documents MUST be well-formed XML. It is RECOMMENDED that
recipients validate the document against the schema described in recipients validate the document against the schema described in
Section 8. However, mere conformance to the schema is not sufficient Section 8. However, mere conformance to the schema is not sufficient
for a semantically valid IODEF document. There is additional for a semantically valid IODEF document. There is additional
specification in the text of Section 3 that cannot be readily encoded specification in the text of Section 3 that cannot be readily encoded
skipping to change at page 65, line 33 skipping to change at page 67, line 11
attribute has "ext-value" as one of its possible values. This
particular value serves as an escape sequence and has no valid
meaning.

In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute.
For example, an extended instance of the type attribute of the Impact
class would look as follows:

<Impact type="ext-value" ext-type="new-attack-type">

A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value".
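Section 4.3 says that schema conformance alone does not make a document semantically valid, and the ext-value rule above is exactly such a constraint: XML Schema can enumerate the values of "type", but it cannot express "ext-type is present if and only if type is ext-value". The script below is an added example, not part of this draft, that applies that rule to every element of a document, after checking well-formedness, that the root is IODEF-Document in the IODEF namespace, and that version is the "2.00" the Section 8 schema fixes. The table of attribute pairs and the sample documents are this example's own assumptions (the pairs are the ext-* companions declared in the schema; the samples are constructed).

```python
"""Semantic checks on an IODEF document that XML Schema cannot express.

Constructed example, not part of the draft: EXT_PAIRS lists enumerated
attributes and their ext-* companions as declared in the schema, and the
sample documents below are made up for this script.
"""
import xml.etree.ElementTree as ET

# Accept any IODEF namespace revision (this draft's examples still use 1.0).
IODEF_NS_PREFIX = "{urn:ietf:params:xml:ns:iodef-"

# extensible attribute -> its extension attribute
EXT_PAIRS = {
    "type": "ext-type",
    "purpose": "ext-purpose",
    "role": "ext-role",
    "registry": "ext-registry",
    "dtype": "ext-dtype",
    "category": "ext-category",
    "action": "ext-action",
}


def _local(tag):
    """Strip the {namespace} prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def check_iodef(xml_text):
    """Return a list of violations; an empty list means the document passes.

    Note: for documents received from untrusted peers, parse with defusedxml
    instead of the stdlib parser (entity expansion); stdlib is used here so
    the script runs without extra packages.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    if not (root.tag.startswith(IODEF_NS_PREFIX)
            and _local(root.tag) == "IODEF-Document"):
        problems.append(f"root is {root.tag!r}, expected IODEF-Document "
                        "in the IODEF namespace")
    if root.get("version") != "2.00":
        problems.append(f'version is {root.get("version")!r}, '
                        'the schema fixes it to "2.00"')

    # The ext-value rule from Section 5.1, applied to every element.
    for elem in root.iter():
        for base, ext in EXT_PAIRS.items():
            base_val, ext_val = elem.get(base), elem.get(ext)
            if base_val == "ext-value" and ext_val is None:
                problems.append(f'<{_local(elem.tag)}> has {base}="ext-value" '
                                f'but no {ext}')
            elif ext_val is not None and base_val != "ext-value":
                problems.append(f'<{_local(elem.tag)}> sets {ext}="{ext_val}" '
                                f'without {base}="ext-value"')
    return problems


# Constructed sample in the shape of the draft's examples.
GOOD = """<IODEF-Document version="2.00" lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
    <Assessment>
      <Impact type="ext-value" ext-type="new-attack-type"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <Email>contact@csirt.example.com</Email>
    </Contact>
  </Incident>
</IODEF-Document>
"""
# Extension attribute set without the "ext-value" escape.
NO_ESCAPE = GOOD.replace('type="ext-value" ext-type="new-attack-type"',
                         'type="admin" ext-type="new-attack-type"')
# Escape value used without the extension attribute.
NO_EXT = GOOD.replace(' ext-type="new-attack-type"', '')
# Not well-formed: a closing tag is missing.
BROKEN = GOOD.replace("</Assessment>", "")
# Version the v2 schema does not accept.
OLD_VERSION = GOOD.replace('version="2.00"', 'version="1.00"')

if __name__ == "__main__":
    for name, doc in [("GOOD", GOOD), ("NO_ESCAPE", NO_ESCAPE),
                      ("NO_EXT", NO_EXT), ("BROKEN", BROKEN),
                      ("OLD_VERSION", OLD_VERSION)]:
        print(name, check_iodef(doc) or "ok")
```

The check runs on the parsed tree, so it is independent of element order and catches the rule on any class that carries an enumerated attribute, which is what makes it a useful second pass after schema validation.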
5.2. Extending Classes

The classes of the data model can be extended only through the use of
the AdditionalData and RecordItem classes. These container classes,
collectively referred to as the extensible classes, are implemented
with the iodef:ExtensionType data type in the schema. They provide
skipping to change at page 67, line 27 skipping to change at page 69, line 5
  <xs:import
    namespace="urn:ietf:params:xml:ns:iodef-1.0"
    schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"/>
  <xs:element name="newdata" type="xs:string" />
</xs:schema>

The following XML excerpt demonstrates the use of the above schema as
an extension to the IODEF.

<IODEF-Document
  version="2.00" lang="en-US"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:iodef-extension1="iodef-extension1.xsd"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="iodef-extension1.xsd">
  <Incident purpose="reporting">
    ...
    <AdditionalData dtype="xml" meaning="xml">
      <iodef-extension1:newdata>
        Field that could not be represented elsewhere
      </iodef-extension1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>
6. Internationalization Issues

Internationalization and localization are of specific concern to the
IODEF, since it is only through collaboration, often across language
barriers, that certain incidents can be resolved. The IODEF supports
this goal by depending on XML constructs, and through explicit design
choices in the data model.

Since IODEF is implemented as an XML Schema, it implicitly supports
skipping to change at page 68, line 49 skipping to change at page 70, line 24
These examples do not necessarily represent the only way to encode a
particular incident.

7.1. Worm

An example of a CSIRT reporting an instance of the Code Red worm.

<?xml version="1.0" encoding="UTF-8"?>
<!-- This example demonstrates a report for a very
     old worm (Code Red) -->
<IODEF-Document version="2.00" lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
    <Description>Host sending out Code Red probes</Description>
    <!-- An administrative privilege was attempted, but failed -->
    <Assessment>
      <Impact completion="failed" type="admin"/>
skipping to change at page 70, line 26 skipping to change at page 71, line 49
  </Incident>
</IODEF-Document>

7.2. Reconnaissance

An example of a CSIRT reporting a scanning activity.

<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example describes reconnaissance activity: one-to-one
     and one-to-many scanning -->
<IODEF-Document version="2.00" lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">59334</IncidentID>
    <ReportTime>2006-08-02T05:54:02-05:00</ReportTime>
    <Assessment>
      <Impact type="recon" completion="succeeded" />
    </Assessment>
    <Method>
skipping to change at page 72, line 16 skipping to change at page 73, line 39
  </Incident>
</IODEF-Document>

7.3. Bot-Net Reporting

An example of a CSIRT reporting a bot-network.

<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example describes a compromise and subsequent installation
     of bots -->
<IODEF-Document version="2.00" lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-06-08T05:44:53-05:00</ReportTime>
    <Description>Large bot-net</Description>
    <Assessment>
      <Impact type="dos" severity="high" completion="succeeded" />
    </Assessment>
skipping to change at page 74, line 14 skipping to change at page 75, line 28
7.4. Watch List

An example of a CSIRT conveying a watch-list.

<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example demonstrates a trivial IP watch-list -->
<!-- @formatid is set to "watch-list-043" to demonstrate how
     additional semantics about this document could be conveyed
     assuming both parties understood it -->
<IODEF-Document version="2.00" lang="en" formatid="watch-list-043"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-08-01T00:00:00-05:00</ReportTime>
    <Description>
      Watch-list of known bad IPs or networks
    </Description>
    <Assessment>
skipping to change at page 75, line 28 skipping to change at page 76, line 43
      </Flow>
      <!-- Expectation class recommends that these networks
           be filtered -->
      <Expectation action="block-host" />
    </EventData>
  </Incident>
</IODEF-Document>
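The watch-list above pairs a Flow of source Systems with an Expectation of "block-host", and marks the Incident restriction="private". The script below is an added example, not part of this draft, of how a receiving team can consume such a document: it summarizes each Incident, carries the restriction marking along, and derives block-list entries only from EventData whose Expectation actually asks for a block, validating every Address with the ipaddress module so that a malformed indicator is dropped instead of being pushed to a firewall. The sample document is constructed in the shape of the Section 7.4 example; its Flow/System/Node/Address layout and the Contact element follow the IODEF data model but are assumptions here, as is the "block-network" Expectation action.

```python
"""Consume an IODEF watch-list and derive block-list entries.

Constructed example, not part of the draft. The sample document is
modelled on the Section 7.4 watch-list; its Flow/System/Node/Address
layout, the Contact element and the "block-network" action are taken
from the IODEF data model and are assumptions of this script.
"""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}

# Expectation actions that justify a network block (assumed; only
# "block-host" appears in this section of the draft).
BLOCK_ACTIONS = {"block-host", "block-network"}

# Constructed sample; the third Address is deliberately malformed.
WATCH_LIST = """<IODEF-Document version="2.00" lang="en" formatid="watch-list-043"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-08-01T00:00:00-05:00</ReportTime>
    <Description>Watch-list of known bad IPs or networks</Description>
    <Assessment>
      <Impact type="admin" completion="succeeded"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <Email>contact@csirt.example.com</Email>
    </Contact>
    <EventData>
      <Flow>
        <System category="source">
          <Node><Address category="ipv4-addr">192.0.2.53</Address></Node>
        </System>
        <System category="source">
          <Node><Address category="ipv4-net">192.0.2.0/24</Address></Node>
        </System>
        <System category="source">
          <Node><Address category="ipv4-addr">192.0.2.999</Address></Node>
        </System>
      </Flow>
      <Expectation action="block-host"/>
    </EventData>
  </Incident>
</IODEF-Document>
"""


def block_entries(incident):
    """Normalized addresses/networks from EventData whose Expectation asks
    for a block; informational EventData contributes nothing."""
    entries = []
    for event in incident.findall("iodef:EventData", NS):
        actions = {e.get("action") for e in event.findall("iodef:Expectation", NS)}
        if not actions & BLOCK_ACTIONS:
            continue
        for addr in event.iterfind(
                "iodef:Flow/iodef:System/iodef:Node/iodef:Address", NS):
            category = addr.get("category")
            text = (addr.text or "").strip()
            try:
                if category in ("ipv4-addr", "ipv6-addr"):
                    entries.append(str(ipaddress.ip_address(text)))
                elif category in ("ipv4-net", "ipv6-net"):
                    entries.append(str(ipaddress.ip_network(text, strict=False)))
                # Other categories (asn, e-mail, ext-value, ...) are not
                # host or network blocks and are left to other handlers.
            except ValueError:
                # Malformed indicator: drop it rather than feed it to a firewall.
                continue
    return entries


def summarize(xml_text):
    """One summary dict per Incident in the document."""
    root = ET.fromstring(xml_text)
    summaries = []
    for incident in root.findall("iodef:Incident", NS):
        iid = incident.find("iodef:IncidentID", NS)
        report_time = incident.find("iodef:ReportTime", NS)
        summaries.append({
            "id": f"{iid.get('name')}:{(iid.text or '').strip()}",
            "purpose": incident.get("purpose"),
            # The schema defaults Incident/@restriction to "private".
            "restriction": incident.get("restriction", "private"),
            "report_time": datetime.fromisoformat((report_time.text or "").strip()),
            "impacts": [(i.get("type"), i.get("completion"))
                        for i in incident.iterfind(".//iodef:Impact", NS)],
            "block_entries": block_entries(incident),
        })
    return summaries


if __name__ == "__main__":
    for s in summarize(WATCH_LIST):
        print(s["id"], s["restriction"], s["report_time"].isoformat(),
              s["block_entries"])
```

Keying the block decision on the Expectation rather than on the mere presence of addresses matters: the same Flow structure is used in the other Section 7 examples to describe victims and sensors, which must not end up on a block-list.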
8. The IODEF Schema

<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  elementFormDefault="qualified"
  attributeFormDefault="unqualified">
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
    schemaLocation="http://www.w3.org/TR/2002/
    REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
  <xs:annotation>
    <xs:documentation>
      Incident Object Description Exchange Format v2.0, RFC5070-bis
    </xs:documentation>
  </xs:annotation>
  <!--
  ==================================================================
  == List of changes ==
  ==================================================================
  CHANGE - new indicator values in the schema

  The purpose of the proposed changes is to include commonly shared
  indicators in the base IODEF schema. This class will contain
  indicators from the list below that are not represented elsewhere
  in the schema. IODEF extensions or embedded schemas via the SCI
  classes will be required to include additional data types.
  A table could be maintained through IANA to extend or change this
  class in between IODEF revisions.

  RFC5901 provides a method to include an entire email, the following
  included indicators are ones commonly used when you do not need the
  entire email
  The following are in the Service Class:
    Email address
    Email subject
    X-Mailer
  The following are in the Record class:
    File Name
    File Hash - 5.9.5.2 - using ds:reference
    WindowsRegistryKey - using method from RFC5901
  The following are now in the Node class as a proposed location.
    URL
    HTTPUserAgent is included as a SoftwareType
    HTTP User Agent String
  -->
  <!--
  ==================================================================
  == IODEF-Document class ==
  ==================================================================
  -->
  <xs:element name="IODEF-Document">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="version" type="xs:string" fixed="2.00"/>
      <xs:attribute name="lang" type="xs:language" use="required"/>
      <xs:attribute name="formatid" type="xs:string"/>
    </xs:complexType>
  </xs:element>
  <!--
  ==================================================================
  === Incident class ===
  ==================================================================
  -->
  <xs:element name="Incident">
    <xs:complexType>
      <xs:sequence>
        <xs:choice>
          <xs:element ref="iodef:IncidentID"/>
          <!-- CHANGE - the incidentID can still be used,
               but when you have a set of indicators or include
               a watch list, a ReportID may be preferred. If
               this is agreed upon, do we make them both unique
               so the same key can be used in databases? This
               should not be used as your index value unless you
               are the issuing entity. -->
          <xs:element name="ReportID" type="IncidentIDType"/>
        </xs:choice>
        <xs:element ref="iodef:AlternativeID" minOccurs="0"/>
        <xs:element ref="iodef:RelatedActivity"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:DetectTime" minOccurs="0"/>
        <xs:element ref="iodef:StartTime" minOccurs="0"/>
        <xs:element ref="iodef:EndTime" minOccurs="0"/>
        <xs:element ref="iodef:ReportTime"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Assessment" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Method"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
        <xs:element ref="iodef:EventData"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:History" minOccurs="0"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="purpose" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="traceback"/>
            <xs:enumeration value="mitigation"/>
            <xs:enumeration value="reporting"/>
            <xs:enumeration value="watch"/>
            <xs:enumeration value="other"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-purpose" type="xs:string" use="optional"/>
      <xs:attribute name="lang" type="xs:language"/>
      <xs:attribute name="restriction"
                    type="iodef:restriction-type" default="private"/>
      <xs:attribute name="indicator-set-id"
                    type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!--
  ==================================================================
  == IncidentID class ==
  ==================================================================
  -->
  <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
  <xs:complexType name="IncidentIDType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="name" type="xs:string" use="required"/>
        <xs:attribute name="instance" type="xs:string" use="optional"/>
        <xs:attribute name="restriction"
                      type="iodef:restriction-type" default="public"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!--
  ==================================================================
  == ReportID class ==
  ==================================================================
  -->
  <xs:element name="ReportID">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <!--
  ==================================================================
  == AlternativeID class ==
  ==================================================================
  -->
  <xs:element name="AlternativeID">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <!--
  ==================================================================
  == RelatedActivity class ==
  ==================================================================
  -->
  <xs:element name="RelatedActivity">
    <xs:complexType>
      <xs:sequence>
        <xs:choice maxOccurs="unbounded">
          <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
          <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
          <xs:element ref="iodef:ThreatActor" maxOccurs="unbounded"/>
          <xs:element ref="iodef:Campaign" maxOccurs="unbounded"/>
        </xs:choice>
        <xs:element ref="iodef:Confidence" minOccurs="0"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <!--
  ==================================================================
  == ThreatActor class ==
  ==================================================================
  -->
  <xs:element name="ThreatActor">
    <xs:complexType>
      <xs:sequence>
        <xs:choice>
          <xs:sequence>
            <xs:element ref="iodef:ThreatActorID"/>
            <xs:element ref="iodef:Description"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="ThreatActorID" type="xs:string"/>
  <!--
  ==================================================================
  == Campaign class ==
  ==================================================================
  -->
  <xs:element name="Campaign">
    <xs:complexType>
      <xs:sequence>
        <xs:choice>
          <xs:sequence>
            <xs:element ref="iodef:CampaignID"/>
            <xs:element ref="iodef:Description"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:element ref="iodef:Description"
                      minOccurs="1" maxOccurs="unbounded"/>
        </xs:choice>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="CampaignID" type="xs:string"/>
  <!--
  ==================================================================
  == AdditionalData class ==
  ==================================================================
  -->
  <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
  <!--
  ==================================================================
  == Contact class ==
  ==================================================================
  -->
  <xs:element name="Contact">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:ContactName" minOccurs="0"/>
        <xs:element ref="iodef:ContactTitle" minOccurs="0"/>
        <xs:element ref="iodef:Description"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:RegistryHandle"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
        <xs:element ref="iodef:Email"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Telephone"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Fax" minOccurs="0"/>
        <xs:element ref="iodef:Timezone" minOccurs="0"/>
        <xs:element ref="iodef:Contact"
                    minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData"
                    minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="role" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="creator"/>
            <xs:enumeration value="admin"/>
            <xs:enumeration value="tech"/>
            <xs:enumeration value="irt"/>
            <xs:enumeration value="cc"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-role" type="xs:string" use="optional"/>
      <xs:attribute name="type" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="person"/>
            <xs:enumeration value="organization"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="ContactName" type="iodef:MLStringType"/>
  <xs:element name="ContactTitle" type="iodef:MLStringType"/>
  <xs:element name="RegistryHandle">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="registry">
            <xs:simpleType>
              <xs:restriction base="xs:NMTOKEN">
                <xs:enumeration value="internic"/>
                <xs:enumeration value="apnic"/>
                <xs:enumeration value="arin"/>
                <xs:enumeration value="lacnic"/>
                <xs:enumeration value="ripe"/>
                <xs:enumeration value="afrinic"/>
                <xs:enumeration value="local"/>
                <xs:enumeration value="ext-value"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="ext-registry"
                        type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="PostalAddress">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="iodef:MLStringType">
          <xs:attribute name="meaning" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="Email" type="iodef:ContactMeansType"/>
  <xs:element name="Telephone" type="iodef:ContactMeansType"/>
  <xs:element name="Fax" type="iodef:ContactMeansType"/>
  <xs:complexType name="ContactMeansType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="meaning" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!--
  ==================================================================
  == Time-based classes ==
  ==================================================================
  -->
  <xs:element name="DateTime" type="xs:dateTime"/>
  <xs:element name="ReportTime" type="xs:dateTime"/>
  <xs:element name="DetectTime" type="xs:dateTime"/>
  <xs:element name="StartTime" type="xs:dateTime"/>
  <xs:element name="EndTime" type="xs:dateTime"/>
  <xs:element name="Timezone" type="iodef:TimezoneType"/>
  <xs:simpleType name="TimezoneType">
    <xs:restriction base="xs:string">
      <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
    </xs:restriction>
  </xs:simpleType>
  <!--
  ==================================================================
  == History class ==
  ==================================================================
  -->
  <xs:element name="History">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction"
                    type="iodef:restriction-type" default="default"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="HistoryItem">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:DateTime"/>
        <xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- CHANGE: Including an indicator set ID that may be used
to detail changes int he history class as it relates to
indicators or sets.
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
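Review bot: The comment on the indicator-set-id attribute ("CHANGE: Including an indicator set ID that may be used to detail changes int he history class ...") has a typo, "int he" for "in the", and the same comment text is reused verbatim on the Service class's indicator-set-id later in the schema, where "changes in the history class" no longer describes what the attribute is for. Fix the typo here, give the Service copy wording of its own, and consider dropping the CHANGE markers once the working group has accepted the attributes, since they read as editorial notes rather than schema documentation.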
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<!-- CHANGE - adding indicator set id to connect the
reference to the appropriate set of indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Method class ==
==================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Reference class ==
==================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element name="ReferenceName"
type="iodef:MLStringType"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<!-- CHANGE: Do we want an indicator_set_id here to connect
data in the reference class to specific indicators?
is there a better way to do this?
Should the indicator_uid be used to mark data so that
you have a way to limit who you share that data with
in products?
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type"
use="required">
</xs:attribute>
<xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
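Review bot: type="att-type" on the new attacktype attribute is the only type reference in this class without the iodef: prefix (compare type="iodef:restriction-type" on Method just above); unless att-type is declared in the schema's default namespace, validators will not resolve it. use="required" on a newly added attribute also means every Reference element that was valid under RFC 5070 becomes invalid under this schema, so either give it a default (the schema's own pattern is use="optional" default="unknown", as on Impact's type attribute) or state the compatibility break in the prose. Two smaller points: the empty <xs:attribute ...></xs:attribute> pair can be a self-closing tag, and the open question in the comment ("Do we want an indicator_set_id here ...?") should be resolved rather than shipped, noting that the comment spells the attributes with underscores while the declarations use hyphens.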
<!--
==================================================================
== Assessment class ==
==================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<!-- CHANGE: Including an indicator set ID for indicators,
may be used to connect indicators in different
representations
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations.
May need separate confidence ratings for different
indicators.
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
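Review bot: The comment on indicator-uid says separate confidence ratings may be needed for different indicators, but Assessment allows only a single Confidence child (minOccurs="0", default maxOccurs of 1) and carries the indicator attributes on the Assessment itself, so one rating necessarily covers every indicator referenced by the assessment. If per-indicator confidence is wanted, put indicator-uid on the Confidence element and make Confidence maxOccurs="unbounded"; otherwise close the question and remove the comment.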
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<!-- CHANGE question: do we want to allow multiple
values to be selected in case it is a combination?
-->
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
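Review bot: On the open question in the comment inside the type attribute's restriction ("do we want to allow multiple values to be selected in case it is a combination?"): an xs:NMTOKEN enumeration carries exactly one token, so as written a combination cannot be expressed in this attribute. Two options are visible in the schema itself: change the attribute to an xs:list over the same enumeration, or rely on Assessment already permitting <xs:choice maxOccurs="unbounded"> of Impact elements and report one Impact per type. The second needs no schema change and keeps ext-type unambiguous (a list of values would need a matching list of ext-type values), so prefer it and close the question.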
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="metric"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EventData class ==
==================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="default"/>
<!-- CHANGE - added attribute to mark sets of indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Flow class ==
==================================================================
-->
<!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry
is expected.
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
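Review bot: The comment says System is unbounded only when the source or target watchlist category is in use and that otherwise only one System entry is expected, but maxOccurs="unbounded" on the System element is unconditional, and XML Schema 1.0 cannot tie the cardinality to the category attribute of the child. If the one-System rule matters for interoperability, state it in the document prose as a MUST or SHOULD with the watchlist exception, so consumers know whether several non-watchlist System elements in one Flow are a conformance error or merely unexpected.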
<!--
==================================================================
== System class ==
==================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<!-- CHANGE - adding two new values to cover
watchlist groups -->
<xs:enumeration value="watchlist-source"/>
<xs:enumeration value="watchlist-target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<!-- CHANGE - adding an attribute to mark sets of
indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="spoofed"
default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="unknown"/>
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="virtual" type="yes-no-type"
use="optional" default="no"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
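Review bot: type="yes-no-type" on the virtual attribute lacks the iodef: prefix that every other named type in this class uses (type="iodef:restriction-type"), so the reference will not resolve unless yes-no-type sits in the default namespace. The adjacent spoofed attribute expresses the same unknown/yes/no choice with an inline enumeration; once the type is reachable, use it for spoofed as well, keeping default="unknown", so the two attributes cannot drift apart. The new watchlist-source and watchlist-target category values are the only definition of "watchlist" visible in the schema, while the Flow comment above relies on that notion to justify multiple System entries; the prose needs to define the two values and say how a watchlist System differs from a plain source or target.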
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element name="NodeName"
type="iodef:MLStringType" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from
RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address" <xs:complexType name="ContactMeansType">
minOccurs="0" maxOccurs="unbounded"/> <xs:simpleContent>
<!-- Proposed CHANGE: include a URI indicator. <xs:extension base="xs:string">
Common complaint that URIs were only in the <xs:attribute name="meaning"
IODEF schema as references and not part of the
incident or included indicators.
Included right now as an address type, below is a
second option for how to add it.
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
-->
</xs:choice>
<xs:element ref="iodef:Location"
minOccurs="0"/>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
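Review bot: Every element inside the <xs:choice maxOccurs="unbounded"> carries minOccurs="0" (NodeName, DomainData and Address), which makes the choice satisfiable by nothing, so a Node with no name, address or domain data validates. If at least one identifier is intended, drop minOccurs="0" from the choice's children and put any optionality on the choice itself. The commented-out <xs:element ref="iodef:URL"> proposal should be removed now that site-uri has been added as an Address category; keeping two competing designs in comments makes the schema harder to read and invites someone to uncomment the wrong one.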
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<!-- CHANGE - added uri type for site url/uris -->
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:extension> <!--
</xs:simpleContent> ==================================================================
</xs:complexType> == Time-based classes ==
</xs:element> ==================================================================
<xs:element name="Location" type="iodef:MLStringType"/> -->
<xs:element name="NodeRole"> <xs:element name="DateTime"
<xs:complexType> type="xs:dateTime"/>
<xs:simpleContent> <xs:element name="ReportTime"
<xs:extension base="iodef:MLStringType"> type="xs:dateTime"/>
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type"
use="optional"/>
</xs:extension> <xs:element name="DetectTime"
</xs:simpleContent> type="xs:dateTime"/>
</xs:complexType> <xs:element name="StartTime"
</xs:element> type="xs:dateTime"/>
<!-- <xs:element name="EndTime"
================================================================== type="xs:dateTime"/>
== Service Class == <xs:element name="Timezone"
================================================================== type="iodef:TimezoneType"/>
--> <xs:simpleType name="TimezoneType">
<xs:element name="Service"> <xs:restriction base="xs:string">
<xs:complexType> <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
<xs:sequence> </xs:restriction>
<xs:choice minOccurs="0"> </xs:simpleType>
<xs:element name="Port" <!--
type="xs:integer"/> ==================================================================
<xs:element name="Portlist" == History class ==
type="iodef:PortlistType"/> ==================================================================
</xs:choice> -->
<xs:element name="ProtoType" <xs:element name="History">
type="xs:integer" minOccurs="0"/> <xs:complexType>
<xs:element name="ProtoCode" <xs:sequence>
type="xs:integer" minOccurs="0"/> <xs:element ref="iodef:HistoryItem"
<xs:element name="ProtoField" maxOccurs="unbounded"/>
type="xs:integer" minOccurs="0"/> </xs:sequence>
<xs:element ref="iodef:Application" <xs:attribute name="restriction"
minOccurs="0"/> type="iodef:restriction-type"
<!-- CHANGE - email from address indicator, may be better as a sub default="default"/>
class? Would only make sense with the service set to </xs:complexType>
email ports or none at all here or a new class. --> </xs:element>
<xs:element ref="Email" minOccurs="0"/> <xs:element name="HistoryItem">
<xs:element name="EmailSubject" <xs:complexType>
type="iodef:MLStringType" minOccurs="0"/> <xs:sequence>
<xs:element name="X-Mailer" <xs:element ref="iodef:DateTime"/>
type="iodef:MLStringType" minOccurs="0"/> <xs:element ref="iodef:IncidentID"
<xs:element name="EmailInfo" minOccurs="0"/>
type="EmailDetails" minOccurs="0"/> <xs:element ref="iodef:Contact"
<!-- CHANGE - added DomainData class and subclasses from minOccurs="0"/>
RFC5901 --> <xs:element ref="iodef:Description"
<xs:element ref="iodef:DomainData" minOccurs="0" minOccurs="0" maxOccurs="unbounded"/>
maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData"
</xs:sequence> minOccurs="0" maxOccurs="unbounded"/>
<xs:attribute name="ip_protocol" </xs:sequence>
type="xs:integer" use="required"/> <xs:attribute name="restriction"
<!-- CHANGE: Including a unique ID for indicators, may be type="iodef:restriction-type"/>
used to connect indicators in different representations <xs:attribute name="action"
--> type="iodef:action-type" use="required"/>
<xs:attribute name="indicator-uid" <xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Method class ==
==================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Reference class ==
==================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element name="ReferenceName"
type="iodef:MLStringType"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<!-- CHANGE: Do we want an indicator_set_id here to connect
data in the reference class to specific indicators?
is there a better way to do this?
Should the indicator_uid be used to mark data so that
you have a way to limit who you share that data with
in products?
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type"
use="required">
</xs:attribute>
<xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<!-- CHANGE: Including an indicator set ID that may be used </xs:complexType>
to detail changes int he history class as it relates to </xs:element>
indicators or sets.
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
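Review bot: <xs:element ref="Email" minOccurs="0"/> and type="EmailDetails" omit the iodef: prefix that the rest of the schema uses for references (ref="iodef:DomainData" two lines later, ref="iodef:Email" in Contact), so neither will resolve in a validator unless the schema declares a default namespace. More substantively, the from address, EmailSubject and X-Mailer appear both as direct children of Service and again inside EmailInfo (type EmailDetails), so the same data has two places to live and a consumer must check both; the comment asks whether a subclass would be better, and the EmailDetails type already answers it, so keep one of the two. The CHANGE comment on indicator-set-id was copied from HistoryItem ("changes int he history class") and should describe the Service use, with the typo fixed.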
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Counter class ==
==================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== EMailDetails class == == Assessment class ==
================================================================== ==================================================================
-->
<!-- CHANGE: added the email details in a subclass for use when
you do not need all of the email details provided in the
RFC5901 or ARF extensions. No extension mechanism here, is it
needed? Possible to create an IANA table to extend this class
if needed in the future outside of schema edit cycles -->
<xs:complexType name="EmailDetails">
<xs:sequence>
<!-- Email is the From email -->
<xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
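Review bot: ref="Email" again lacks the iodef: prefix. On the comment's question about an extension mechanism: the schema's convention everywhere else is an ext-value enumeration entry with an ext-* string attribute, or an AdditionalData child; since EmailDetails has no enumerated attribute, adding <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> to its sequence gives it the same extension point as the other classes without an IANA registry. The name EmailDetails also departs from the schema's naming for named types (MLStringType, ContactMeansType, PortlistType); rename it EmailDetailsType for consistency.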
<!-- -->
================================================================== <xs:element name="Assessment">
== DomainData class - from RFC5901 == <xs:complexType>
==================================================================
-->
<xs:element name="DomainData">
<xs:complexType id="DomainData.type">
<xs:sequence> <xs:sequence>
<xs:element maxOccurs="1" <xs:choice maxOccurs="unbounded">
name="Name" type="iodef:MLStringType"/> <xs:element ref="iodef:Impact"/>
<xs:element maxOccurs="1" minOccurs="0" <xs:element ref="iodef:TimeImpact"/>
name="DateDomainWasChecked" type="xs:dateTime"/> <xs:element ref="iodef:MonetaryImpact"/>
<xs:element name="RegistrationDate"
type="xs:dateTime" maxOccurs="1" minOccurs="0"/>
<xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate"
type="xs:dateTime"/>
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"
maxOccurs="unbounded" minOccurs="0" />
<xs:element name="Nameservers"
maxOccurs="unbounded" minOccurs="0">
<xs:complexType id="Nameservers.type">
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="iodef:Contact"/>
</xs:sequence>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="SystemStatus"> <xs:attribute name="occurrence">
<xs:simpleType id="SystemStatus.type"> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="spoofed"/> <xs:enumeration value="actual"/>
<xs:enumeration value="fraudulent"/> <xs:enumeration value="potential"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="DomainStatus">
<xs:simpleType id="DomainStatus.type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
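Review bot: The DomainData material imported from RFC 5901 does not follow this schema's conventions, and normalising it at import time is cheaper than carrying two conventions in one namespace: attribute names are CamelCase (SystemStatus, DomainStatus) where the rest of the schema is lowercase and hyphenated (ext-category, indicator-uid); the enumerations restrict xs:string rather than xs:NMTOKEN; neither attribute has an ext-value entry with an ext-* companion, so they cannot be extended the way every other enumerated attribute here can; and particle attributes are ordered inconsistently (maxOccurs="1" minOccurs="0" name=... beside name=... type=... maxOccurs="1" minOccurs="0"), with maxOccurs="1" redundant as the default. Inside the DomainContacts choice, SameDomainContact is free text of type MLStringType while the other branch is structured Contact elements; the prose should say what string a sender is expected to put there.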
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<!-- CHANGE question: do we want to allow multiple
values to be selected in case it is a combination?
-->
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="metric"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
<xs:element name="RelatedDNS" </xs:extension>
type="iodef:RelatedDNSEntryType"/> </xs:simpleContent>
<xs:complexType name="RelatedDNSEntryType"> </xs:complexType>
<xs:simpleContent> </xs:element>
<xs:extension base="xs:string"> <xs:element name="MonetaryImpact">
<xs:attribute name="RecordType" use="optional"> <xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/> <xs:enumeration value="low"/>
<xs:enumeration value="AAAA"/> <xs:enumeration value="medium"/>
<xs:enumeration value="AFSDB"/> <xs:enumeration value="high"/>
<xs:enumeration value="APL"/> <xs:enumeration value="numeric"/>
<xs:enumeration value="AXFR"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" </xs:complexType>
type="xs:string" use="optional"/> </xs:element>
</xs:extension> <!--
</xs:simpleContent> ==================================================================
</xs:complexType> == EventData class ==
==================================================================
<!-- -->
================================================================== <xs:element name="EventData">
== Record class == <xs:complexType>
================================================================== <xs:sequence>
--> <xs:element ref="iodef:Description"
<xs:element name="Record"> minOccurs="0" maxOccurs="unbounded"/>
<xs:complexType> <xs:element ref="iodef:DetectTime"
<xs:sequence> minOccurs="0"/>
<xs:element ref="iodef:RecordData" <xs:element ref="iodef:StartTime"
maxOccurs="unbounded"/> minOccurs="0"/>
</xs:sequence> <xs:element ref="iodef:EndTime"
<xs:attribute name="restriction" minOccurs="0"/>
type="iodef:restriction-type"/> <xs:element ref="iodef:Contact"
</xs:complexType> minOccurs="0" maxOccurs="unbounded"/>
</xs:element> <xs:element ref="iodef:Assessment"
<xs:element name="RecordData"> minOccurs="0"/>
<xs:complexType> <xs:element ref="iodef:Method"
<xs:sequence> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DateTime" <xs:element ref="iodef:Flow"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
<xs:element ref="iodef:Application" minOccurs="0"/>
minOccurs="0"/> <xs:element ref="iodef:EventData"
<xs:element ref="iodef:RecordPattern" minOccurs="0" maxOccurs="unbounded"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData"
<xs:element ref="iodef:RecordItem" minOccurs="0" maxOccurs="unbounded"/>
maxOccurs="unbounded"/> </xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<!-- CHANGE: File name and hash of file indicator <xs:attribute name="indicator-set-id"
information --> type="xs:string" use="optional"/>
<xs:element name="FileName" </xs:complexType>
type="iodef:MLStringType" minOccurs="0"/> </xs:element>
<!-- Represent file hash information via digsig schema <!--
Reference class --> ==================================================================
<xs:element ref="ds:Reference" minOccurs="0"/> == Flow class ==
<!-- CHANGE: Windows Registry Key Modifications: ==================================================================
Here, we include the classes from iodef-phish, to -->
prevent the need to pull in the full schema. <!-- Added System unbounded for use only when the source or
Ensure reference to RFC5901 Section 5.9.7 remains target watchlist is in use, otherwise only one system entry
included in UML description. is expected.
--> -->
<xs:element name="WindowsRegistryKeysModified"
type="RegistryKeyModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<!-- CHANGE: Including a unique ID for an indicator.
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for sets of indicators,
may be used to connect indicators in different
representations
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern"> <xs:element name="Flow">
<xs:complexType> <xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:complexType name="RegistryKeyModified">
<xs:sequence> <xs:sequence>
<xs:element name="Key" maxOccurs="unbounded"> <xs:element ref="iodef:System"
<xs:complexType> maxOccurs="unbounded"/>
<xs:sequence> </xs:sequence>
<!-- Allows for the value to be optional for cases </xs:complexType>
such as, the registry key was deleted --> </xs:element>
<xs:element name="KeyName" type="xs:string"/> <!--
<xs:element name="Value" ==================================================================
type="xs:string" minOccurs="0"/> == System class ==
</xs:sequence> ==================================================================
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
<!-- CHANGE: Should this be broken out as another class
for WindowsRegistryKeyModified and add attributes
for indicator_ID and action - add_value, removes_value, etc.
as is demonstrated?
--> -->
<xs:element name="System">
<!-- <xs:complexType>
================================================================== <xs:sequence>
== Classes that describe hash types, file information == <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
== with certificate properties and digital signature info == <xs:element ref="iodef:Service"
== provided through the W3C digital signature schema ==
== so it does not need to be maintained here. ==
==================================================================
-->
<xs:complexType name="HashSigDetails">
<xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer" <xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema <xs:element ref="iodef:Counter"
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo" <xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- QUESTION: Do we want an AdditionalData here? -->
</xs:sequence> </xs:sequence>
<xs:attribute name="type" use="optional"> <xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="category">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/> <xs:enumeration value="source"/>
<xs:enumeration value="PKI-file-ds"/> <xs:enumeration value="target"/>
<xs:enumeration value="PKI-email-ds-watchlist"/> <!-- CHANGE - adding two new values to cover
<xs:enumeration value="PKI-file-ds-watchlist"/> watchlist groups -->
<xs:enumeration value="PGP-email-ds"/> <xs:enumeration value="watchlist-source"/>
<xs:enumeration value="PGP-file-ds"/> <xs:enumeration value="watchlist-target"/>
<xs:enumeration value="PGP-email-ds-watchlist"/> <xs:enumeration value="intermediate"/>
<xs:enumeration value="PGP-file-ds-watchlist"/> <xs:enumeration value="sensor"/>
<xs:enumeration value="file-hash"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="file-hash-watchlist"/>
<xs:enumeration value="email-hash-watchlist"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<!-- Adding a boolean yes/no, 0/1option to indicate if the <!-- CHANGE - adding an attribute to mark sets of
signature or hash is valid --> indicators -->
<xs:attribute name="valid" type="xs:boolean" use="optional" />
<!-- Indicator-uid and indicator-set-id to connect to the
related file or email indicators outside of this class -->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="spoofed" type="yes-no-unknown-type"
type="iodef:restriction-type"/> default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Classes that describe software == == Node class ==
================================================================== ==================================================================
--> -->
<xs:complexType name="SoftwareType"> <xs:element name="Node">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:URL" <xs:choice maxOccurs="unbounded">
<xs:element name="NodeName"
type="iodef:MLStringType" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from
RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
<!-- Proposed CHANGE: include a URI indicator.
Common complaint that URIs were only in the
IODEF schema as references and not part of the
incident or included indicators.
Included right now as an address type, below is a
second option for how to add it.
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
-->
</xs:choice>
<xs:element ref="iodef:Location"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType> </xs:complexType>
<xs:element name="Application" </xs:element>
type="iodef:SoftwareType"/> <xs:element name="Address">
<xs:element name="OperatingSystem" <xs:complexType>
type="iodef:SoftwareType"/>
<!--
==================================================================
== Miscellaneous simple classes ==
==================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
==================================================================
== Data Types ==
==================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="lang" <xs:attribute name="category" default="ipv4-addr">
type="xs:language" use="optional"/> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<!-- CHANGE - added uri type for site url/uris -->
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:complexType name="ExtensionType" mixed="true"> </xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type"
use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Service Class ==
==================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:choice minOccurs="0">
minOccurs="0" maxOccurs="unbounded"/> <xs:element name="Port"
type="xs:integer"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice>
<xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<!-- CHANGE - email from address indicator, may be better as a sub
class? Would only make sense with the service set to
email ports or none at all here or a new class. -->
<xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailInfo"
type="EmailDetails" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from
RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="dtype" <xs:attribute name="ip_protocol"
type="iodef:dtype-type" use="required"/> type="xs:integer" use="required"/>
<xs:attribute name="ext-dtype" <!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/> <xs:attribute name="indicator-set-id"
<xs:attribute name="formatid" type="xs:string" use="optional"/>
type="xs:string"/> </xs:complexType>
</xs:element>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Counter class ==
==================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EMailDetails class ==
==================================================================
-->
<!-- CHANGE: added the email details in a subclass for use when
you do not need all of the email details provided in the
RFC5901 or ARF extensions. No extension mechanism here, is it
needed? Possible to create an IANA table to extend this class
if needed in the future outside of schema edit cycles -->
<xs:complexType name="EmailDetails">
<xs:sequence>
<!-- Email is the From email -->
<xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
<!--
==================================================================
== DomainData class - from RFC5901 ==
==================================================================
-->
<xs:element name="DomainData">
<xs:complexType id="DomainData.type">
<xs:sequence>
<xs:element maxOccurs="1"
name="Name" type="iodef:MLStringType"/>
<xs:element maxOccurs="1" minOccurs="0"
name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:element name="RegistrationDate"
type="xs:dateTime" maxOccurs="1" minOccurs="0"/>
<xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate"
type="xs:dateTime"/>
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"
maxOccurs="unbounded" minOccurs="0" />
<xs:element name="Nameservers"
maxOccurs="unbounded" minOccurs="0">
<xs:complexType id="Nameservers.type">
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="iodef:Contact"/>
</xs:sequence>
</xs:choice>
</xs:sequence>
<xs:attribute name="SystemStatus">
<xs:simpleType id="SystemStatus.type">
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="DomainStatus">
<xs:simpleType id="DomainStatus.type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="RecordType" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
==================================================================
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
<!-- </xs:element>
================================================================== <xs:element name="RecordData">
== Global attribute type declarations == <xs:complexType>
================================================================== <xs:sequence>
--> <xs:element ref="iodef:DateTime"
<xs:simpleType name="yes-no-type"> minOccurs="0"/>
<xs:restriction base="xs:NMTOKEN"> <xs:element ref="iodef:Description"
<xs:enumeration value="yes"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="no"/> <xs:element ref="iodef:Application"
</xs:restriction> minOccurs="0"/>
</xs:simpleType> <xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:simpleType name="restriction-type"> <!-- CHANGE: File name and hash of file indicator
<xs:restriction base="xs:NMTOKEN"> information -->
<xs:enumeration value="default"/> <xs:element name="FileName"
<xs:enumeration value="public"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:enumeration value="partner"/> <!-- Represent file hash information via digsig schema
<xs:enumeration value="need-to-know"/> Reference class -->
<xs:enumeration value="private"/> <xs:element ref="ds:Reference" minOccurs="0"/>
<xs:enumeration value="white"/> <!-- CHANGE: Windows Registry Key Modifications:
<xs:enumeration value="green"/> Here, we include the classes from iodef-phish, to
<xs:enumeration value="amber"/> prevent the need to pull in the full schema.
<xs:enumeration value="red"/> Ensure reference to RFC5901 Section 5.9.7 remains
</xs:restriction> included in UML description.
</xs:simpleType> -->
<xs:simpleType name="severity-type"> <xs:element name="WindowsRegistryKeysModified"
<xs:restriction base="xs:NMTOKEN"> type="RegistryKeyModified"
<xs:enumeration value="low"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="medium"/> <xs:element ref="iodef:AdditionalData"
<xs:enumeration value="high"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:restriction> </xs:sequence>
</xs:simpleType> <xs:attribute name="restriction"
<xs:simpleType name="duration-type"> type="iodef:restriction-type"/>
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="indicator-uid"
<xs:enumeration value="second"/> type="xs:string" use="optional"/>
<xs:enumeration value="minute"/> <xs:attribute name="indicator-set-id"
<xs:enumeration value="hour"/> type="xs:string" use="optional"/>
<xs:enumeration value="day"/> </xs:complexType>
<xs:enumeration value="month"/> </xs:element>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type"> <xs:element name="RecordPattern">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="nothing"/> <xs:simpleContent>
<xs:enumeration value="contact-source-site"/> <xs:extension base="xs:string">
<xs:enumeration value="contact-target-site"/> <xs:attribute name="type" use="required">
<xs:enumeration value="contact-sender"/> <xs:simpleType>
<xs:enumeration value="investigate"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="block-host"/> <xs:enumeration value="regex"/>
<xs:enumeration value="block-network"/> <xs:enumeration value="binary"/>
<xs:enumeration value="block-port"/> <xs:enumeration value="xpath"/>
<xs:enumeration value="rate-limit-host"/> <xs:enumeration value="ext-value"/>
<xs:enumeration value="rate-limit-network"/> </xs:restriction>
<xs:enumeration value="rate-limit-port"/> </xs:simpleType>
<xs:enumeration value="remediate-other"/> </xs:attribute>
<xs:enumeration value="status-triage"/> <xs:attribute name="ext-type"
<xs:enumeration value="status-new-info"/> type="xs:string" use="optional"/>
<xs:enumeration value="watch-and-report"/> <xs:attribute name="offset"
<xs:enumeration value="other"/> type="xs:integer" use="optional"/>
<xs:enumeration value="ext-value"/> <xs:attribute name="offsetunit"
</xs:restriction> use="optional" default="line">
</xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:complexType name="RegistryKeyModified">
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<!-- Value is optional to cover cases such as a deleted
registry key -->
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
<!-- CHANGE: Should this be broken out as another class
for WindowsRegistryKeyModified and add attributes
for indicator_ID and action - add_value, removes_value, etc.
as is demonstrated?
-->
<!--
==================================================================
== Classes that describe hash types, file information ==
== with certificate properties and digital signature info ==
== provided through the W3C digital signature schema ==
== so it does not need to be maintained here. ==
==================================================================
-->
<xs:complexType name="HashSigDetails">
<xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer"
minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<!-- QUESTION: Do we want an AdditionalData here? -->
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/>
<xs:enumeration value="PKI-file-ds"/>
<xs:enumeration value="PKI-email-ds-watchlist"/>
<xs:enumeration value="PKI-file-ds-watchlist"/>
<xs:enumeration value="PGP-email-ds"/>
<xs:enumeration value="PGP-file-ds"/>
<xs:enumeration value="PGP-email-ds-watchlist"/>
<xs:enumeration value="PGP-file-ds-watchlist"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="file-hash-watchlist"/>
<xs:enumeration value="email-hash-watchlist"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<!-- Adding a boolean yes/no, 0/1 option to indicate whether the
signature or hash is valid -->
<xs:attribute name="valid" type="xs:boolean" use="optional" />
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
<!--
==================================================================
== Classes that describe software ==
==================================================================
-->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<!--
==================================================================
== Miscellaneous simple classes ==
==================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
==================================================================
== Data Types ==
==================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="lang"
type="xs:language" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ExtensionType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
<!--
==================================================================
== Global attribute type declarations ==
==================================================================
-->
<xs:simpleType name="yes-no-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/>
<xs:enumeration value="public"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/>
<xs:enumeration value="white"/>
<xs:enumeration value="green"/>
<xs:enumeration value="amber"/>
<xs:enumeration value="red"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="c2-server"/>
<xs:enumeration value="sink-hole"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
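The HashSigDetails class above carries file hashes as ds:Reference elements (a DigestMethod plus a DigestValue) and lets the sender assert valid="true". A receiving CSIRT should recompute the digest rather than trust that assertion, which is the point of the following Python. It is an added example, not code from the draft or the MILE working group: it pulls every file-hash and file-hash-watchlist indicator out of a constructed IODEF document and matches a byte string against them. It assumes the element carrying the HashSigDetails type is itself named HashSigDetails, that the IODEF v2 namespace is urn:ietf:params:xml:ns:iodef-2.0, and accepts only the three XML-DSig/XML-Enc digest identifiers listed in DIGEST_ALGORITHMS; an unrecognised algorithm is reported as "unsupported" rather than being treated as either a match or a non-match.

```python
"""Match a file against file-hash indicators in IODEF HashSigDetails.

Added example, not code from the draft. Assumed: the element carrying the
HashSigDetails type is named HashSigDetails, the IODEF v2 namespace is
urn:ietf:params:xml:ns:iodef-2.0, and digests travel as
ds:Reference/ds:DigestMethod + ds:DigestValue as the schema comment suggests.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# DigestMethod identifiers this checker accepts (XML-DSig and XML-Enc URIs).
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512": "sha512",
}


def _q(ns, local):
    """Clark-notation tag name as ElementTree expects it."""
    return "{%s}%s" % (ns, local)


def file_hash_indicators(xml_text):
    """Yield (indicator-uid, FileSize or None, [(algo, digest), ...]) for each
    HashSigDetails of type file-hash or file-hash-watchlist. A Reference whose
    DigestMethod is not in DIGEST_ALGORITHMS contributes (None, None)."""
    root = ET.fromstring(xml_text)
    for hsd in root.iter(_q(IODEF_NS, "HashSigDetails")):
        if hsd.get("type") not in ("file-hash", "file-hash-watchlist"):
            continue
        size_el = hsd.find(_q(IODEF_NS, "FileSize"))
        size = int(size_el.text) if size_el is not None else None
        digests = []
        for ref in hsd.findall(_q(DS_NS, "Reference")):
            method = ref.find(_q(DS_NS, "DigestMethod"))
            value = ref.find(_q(DS_NS, "DigestValue"))
            if method is None or value is None or not value.text:
                continue  # malformed Reference: nothing to compare against
            algo = DIGEST_ALGORITHMS.get(method.get("Algorithm"))
            digest = base64.b64decode(value.text.strip()) if algo else None
            digests.append((algo, digest))
        yield hsd.get("indicator-uid"), size, digests


def check_file(xml_text, data):
    """Return {indicator-uid: "match" | "mismatch" | "unsupported"}.

    The sender's valid="..." attribute is deliberately ignored: the digest is
    recomputed locally, so confidence in a match rests on our own computation.
    """
    results = {}
    for uid, size, digests in file_hash_indicators(xml_text):
        if size is not None and size != len(data):
            results[uid] = "mismatch"  # different length: no digest can match
            continue
        verdict = "unsupported"
        for algo, expected in digests:
            if algo is None:
                continue  # unknown DigestMethod, do not guess
            if hashlib.new(algo, data).digest() == expected:
                verdict = "match"
                break
            verdict = "mismatch"
        results[uid] = verdict
    return results


# Constructed stand-in for a file under analysis (not a real sample).
SAMPLE_FILE = b"MZ\x90\x00 constructed stand-in for a file under analysis\n"


def _b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


# Constructed indicator document; in practice it arrives from a peer CSIRT.
INDICATOR_XML = f"""<IODEF-Document xmlns="{IODEF_NS}" xmlns:ds="{DS_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example">2013-0042</IncidentID>
    <HashSigDetails type="file-hash" indicator-uid="ind-1" valid="true">
      <FileName>dropper.exe</FileName>
      <FileSize>{len(SAMPLE_FILE)}</FileSize>
      <ds:Reference>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>{_b64_digest('sha256', SAMPLE_FILE)}</ds:DigestValue>
      </ds:Reference>
    </HashSigDetails>
    <HashSigDetails type="file-hash-watchlist" indicator-uid="ind-2">
      <FileName>loader.dll</FileName>
      <ds:Reference>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>{base64.b64encode(bytes(20)).decode()}</ds:DigestValue>
      </ds:Reference>
    </HashSigDetails>
    <HashSigDetails type="file-hash" indicator-uid="ind-3" valid="true">
      <ds:Reference>
        <ds:DigestMethod Algorithm="urn:example:not-a-digest"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </HashSigDetails>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    print(check_file(INDICATOR_XML, SAMPLE_FILE))
    print(check_file(INDICATOR_XML, SAMPLE_FILE + b"\x00"))
```

FileSize, when present, acts as a cheap pre-filter: a file of a different length cannot match, so no digest is computed for it. The check says nothing about who sent the indicator; that authenticity question belongs to the transport discussed in Section 9, not to the hash comparison.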
9. Security Considerations

The IODEF data model itself does not directly introduce security
issues. Rather, it simply defines a representation for incident
information. As the data encoded by the IODEF might be considered
privacy sensitive by the parties exchanging the information or by
those described by it, care needs to be taken in ensuring the
appropriate disclosure during both document exchange and subsequent
processing. The former must be handled by a messaging format, but

skipping to change at page 109, line 51

based on information that it finds. For this reason, care must be
taken by the parser to properly authenticate the recipient of the
document and ascribe an appropriate confidence to the data prior to
action.

The underlying messaging format and protocol used to exchange
instances of the IODEF MUST provide appropriate guarantees of
confidentiality, integrity, and authenticity. The use of a
standardized security protocol is encouraged. The Real-time
Inter-network Defense (RID) protocol [18] and its associated
transport binding IODEF/RID over HTTP/TLS [19] provide such security.

In order to suggest data processing and handling guidelines of the
encoded information, the IODEF allows a document sender to convey a
privacy policy using the restriction attribute. The various
instances of this attribute allow different data elements of the
document to be covered by dissimilar policies. While flexible, it
must be stressed that this approach only serves as a guideline from
the sender, as the recipient is free to ignore it. The issue of
enforcement is not a technical problem.
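One concrete way for a recipient to honour the sender's guideline before redistributing a document, given here as an added Python example that is not part of the draft: the function walks an IODEF document, works out each element's effective restriction (an explicit value overrides; "default" or a missing attribute inherits from the nearest marked ancestor), and removes every element marked above the intended audience's level. Three things are assumed because the draft does not state them: the legacy labels and the TLP colours of restriction-type are ranked together as in RANK (public/white below partner/green below need-to-know/amber below private/red), an Incident with no marking of its own and no marked ancestor is treated as private (the RFC 5070 schema default for Incident), and the namespace is urn:ietf:params:xml:ns:iodef-2.0. The sample document is constructed for the example.

```python
"""Honour IODEF restriction markings before forwarding a document.

Added example, not part of the draft. Assumptions: legacy labels and TLP
colours share one ordering (RANK); 'default' or a missing attribute inherits
the nearest marked ancestor; an unmarked Incident is treated as 'private';
the namespace is urn:ietf:params:xml:ns:iodef-2.0.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace
ET.register_namespace("", IODEF_NS)            # keep the default prefix on output

# Higher rank = more restricted. Ranking the two label families together is
# an assumption of this example, not something the draft defines.
RANK = {
    "public": 0, "white": 0,
    "partner": 1, "green": 1,
    "need-to-know": 2, "amber": 2,
    "private": 3, "red": 3,
}
INCIDENT_TAG = "{%s}Incident" % IODEF_NS


def effective_restriction(elem, inherited, unmarked_incident="private"):
    """Marking that applies to elem: its own explicit value, otherwise the
    inherited one; an Incident with no marked ancestor falls back to
    unmarked_incident. Unknown values fail closed by raising."""
    value = elem.get("restriction")
    if value is None or value == "default":
        if inherited is None and elem.tag == INCIDENT_TAG:
            return unmarked_incident
        return inherited
    if value not in RANK:
        raise ValueError("unknown restriction %r on <%s>" % (value, elem.tag))
    return value


def redact_for(xml_text, audience):
    """Return (pruned_xml, removed): the document with every element whose
    effective restriction exceeds `audience` removed, and the element paths
    that were dropped. A removed element takes its subtree with it; siblings
    are kept and judged on their own marking."""
    if audience not in RANK:
        raise ValueError("unknown audience level %r" % audience)
    root = ET.fromstring(xml_text)
    removed = []

    def local(tag):
        return tag.rsplit("}", 1)[-1]

    def prune(parent, inherited, path):
        for child in list(parent):  # copy: parent is mutated while iterating
            level = effective_restriction(child, inherited)
            child_path = path + "/" + local(child.tag)
            if level is not None and RANK[level] > RANK[audience]:
                parent.remove(child)
                removed.append(child_path)
            else:
                prune(child, level, child_path)

    prune(root, effective_restriction(root, None), "/" + local(root.tag))
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a partner-level incident with more tightly marked parts.
SAMPLE_DOCUMENT = """<IODEF-Document xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="mitigation" restriction="partner">
    <IncidentID name="csirt.example">2013-0042</IncidentID>
    <Contact role="creator" type="organization" restriction="private">
      <ContactName>Handler on duty</ContactName>
      <Email>handler@csirt.example</Email>
    </Contact>
    <Contact role="admin" type="person" restriction="default">
      <Email>admin@victim.example</Email>
    </Contact>
    <Assessment>
      <Impact severity="high" type="admin"/>
    </Assessment>
    <EventData restriction="public">
      <Description>Beaconing host observed</Description>
      <AdditionalData dtype="string" meaning="analyst note"
                      restriction="red">internal only</AdditionalData>
    </EventData>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    for audience in ("public", "partner", "private"):
        pruned, removed = redact_for(SAMPLE_DOCUMENT, audience)
        print(audience, "->", removed)
```

For a partner audience the creator Contact and the red AdditionalData disappear while the default-marked Contact inherits partner and stays; for a public audience the whole Incident goes, since its own marking is partner. Unknown marking values raise rather than being passed through, so a typo in a sender's label cannot silently widen distribution.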
skipping to change at page 112, line 34

12.2. Informative References

[16] Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
for the Format for Incident Information Exchange (FINE)",
Work in Progress, June 2006.

[17] Debar, H., Curry, D., and B. Feinstein, "Intrusion
Detection Message Exchange Format", RFC 4765, March 2007.

[18] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
6545, April 2012.

[19] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, April
2012.

[20] Shafranovich, Y., "Common Format and MIME Type for Comma-
Separated Values (CSV) Files", RFC 4180, October 2005.
Authors' Addresses

Roman Danyliw
CERT - Software Engineering Institute
Pittsburgh, PA
USA

EMail: rdd@cert.org

Paul Stoecker
RSA
Reston, VA
USA

EMail: paul.stoecker@rsa.com