draft-ietf-mile-rfc5070-bis-03.txt   draft-ietf-mile-rfc5070-bis-04.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: July 12, 2014 January 8, 2014 Expires: July 22, 2014 January 18, 2014
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-03 draft-ietf-mile-rfc5070-bis-04
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation that provides a framework for sharing information data representation that provides a framework for sharing information
commonly exchanged by Computer Security Incident Response Teams commonly exchanged by Computer Security Incident Response Teams
(CSIRTs) about computer security incidents. This document describes (CSIRTs) about computer security incidents. This document describes
the information model for the IODEF and provides an associated data the information model for the IODEF and provides an associated data
model specified with XML Schema. model specified with XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 12, 2014. This Internet-Draft will expire on July 22, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 25 skipping to change at page 2, line 25
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 5 1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6 1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 6 1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 7
1.5. About the IODEF Implementation . . . . . . . . . . . . . 7 1.5. About the IODEF Implementation . . . . . . . . . . . . . 7
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 8 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 8
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 8 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 8
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 8 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 8
2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9 2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9
2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 9 2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 9
2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 9 2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 9
2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 9 2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 9
2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 9 2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 10
2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10 2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10
2.12. Person or Organization . . . . . . . . . . . . . . . . . 10 2.12. Person or Organization . . . . . . . . . . . . . . . . . 10
2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 10 2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 10
2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 10 2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 10
2.15. Uniform Resource Locator strings . . . . . . . . . . . . 10 2.15. Uniform Resource Locator strings . . . . . . . . . . . . 11
3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11 3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 11 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 11
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 12 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 12
3.3. IncidentID Class . . . . . . . . . . . . . . . . . . . . 15 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 14
3.4. AlternativeID Class . . . . . . . . . . . . . . . . . . . 16 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 14
3.5. RelatedActivity Class . . . . . . . . . . . . . . . . . . 17 3.3.2. Indicator Attributes . . . . . . . . . . . . . . . . 15
3.6. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 18 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 16
3.7. Campaign Class . . . . . . . . . . . . . . . . . . . . . 18 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 17
3.8. AdditionalData Class . . . . . . . . . . . . . . . . . . 19 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 17
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 21 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 18
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 24 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 19
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 25 3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 20
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 26 3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 22
3.9.4. Telephone and Fax Classes . . . . . . . . . . . . . . 26 3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 25
3.10. Time Classes . . . . . . . . . . . . . . . . . . . . . . 26 3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 26
3.10.1. StartTime . . . . . . . . . . . . . . . . . . . . . 27 3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 26
3.10.2. EndTime . . . . . . . . . . . . . . . . . . . . . . 27 3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 27
3.10.3. DetectTime . . . . . . . . . . . . . . . . . . . . . 27 3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 27
3.10.4. ReportTime . . . . . . . . . . . . . . . . . . . . . 27 3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 28
3.10.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 27 3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 28
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 27 3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 28
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 28 3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 28
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 29 3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 28
3.12.1. Impact Class . . . . . . . . . . . . . . . . . . . . 31 3.12. Method Class . . . . . . . . . . . . . . . . . . . . . . 28
3.12.2. TimeImpact Class . . . . . . . . . . . . . . . . . . 32 3.12.1. Reference Class . . . . . . . . . . . . . . . . . . 29
3.12.3. MonetaryImpact Class . . . . . . . . . . . . . . . . 34 3.13. Assessment Class . . . . . . . . . . . . . . . . . . . . 30
3.12.4. Confidence Class . . . . . . . . . . . . . . . . . . 35 3.13.1. Impact Class . . . . . . . . . . . . . . . . . . . . 31
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 36 3.13.2. TimeImpact Class . . . . . . . . . . . . . . . . . . 33
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 37 3.13.3. MonetaryImpact Class . . . . . . . . . . . . . . . . 35
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 38 3.13.4. Confidence Class . . . . . . . . . . . . . . . . . . 36
3.14.1. Relating the Incident and EventData Classes . . . . 40 3.14. History Class . . . . . . . . . . . . . . . . . . . . . . 37
3.14.2. Cardinality of EventData . . . . . . . . . . . . . . 41 3.14.1. HistoryItem Class . . . . . . . . . . . . . . . . . 38
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 41 3.15. EventData Class . . . . . . . . . . . . . . . . . . . . . 40
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 44 3.15.1. Relating the Incident and EventData Classes . . . . 42
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 44 3.15.2. Cardinality of EventData . . . . . . . . . . . . . . 42
3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 48 3.16. Expectation Class . . . . . . . . . . . . . . . . . . . . 43
3.18.1. Counter Class . . . . . . . . . . . . . . . . . . . 49 3.17. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 46
3.18.2. Address Class . . . . . . . . . . . . . . . . . . . 50 3.18. System Class . . . . . . . . . . . . . . . . . . . . . . 46
3.18.3. NodeRole Class . . . . . . . . . . . . . . . . . . . 52 3.19. Node Class . . . . . . . . . . . . . . . . . . . . . . . 49
3.19. Service Class . . . . . . . . . . . . . . . . . . . . . . 54 3.19.1. Address Class . . . . . . . . . . . . . . . . . . . 51
3.19.1. Application Class . . . . . . . . . . . . . . . . . 56 3.19.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 52
3.20. OperatingSystem Class . . . . . . . . . . . . . . . . . . 57 3.19.3. Counter Class . . . . . . . . . . . . . . . . . . . 54
3.21. Record Class . . . . . . . . . . . . . . . . . . . . . . 57 3.20. DomainData Class . . . . . . . . . . . . . . . . . . . . 56
3.21.1. RecordData Class . . . . . . . . . . . . . . . . . . 58 3.20.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 56
3.21.2. RecordPattern Class . . . . . . . . . . . . . . . . 59 3.20.2. Nameservers Class . . . . . . . . . . . . . . . . . 57
3.21.3. RecordItem Class . . . . . . . . . . . . . . . . . . 60 3.20.3. DomainContacts Class . . . . . . . . . . . . . . . . 57
3.22. RegistryKeyModified Class . . . . . . . . . . . . . . . . 61 3.21. Service Class . . . . . . . . . . . . . . . . . . . . . . 57
3.22.1. Key Class . . . . . . . . . . . . . . . . . . . . . 61 3.21.1. ApplicationHeader Class . . . . . . . . . . . . . . 59
3.23. HashInformation Class . . . . . . . . . . . . . . . . . . 62 3.21.2. Application Class . . . . . . . . . . . . . . . . . 61
4. Processing Considerations . . . . . . . . . . . . . . . . . . 64 3.22. OperatingSystem Class . . . . . . . . . . . . . . . . . . 62
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 64 3.23. EmailInfo Class . . . . . . . . . . . . . . . . . . . . . 62
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 65 3.24. Record Class . . . . . . . . . . . . . . . . . . . . . . 63
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 65 3.24.1. RecordData Class . . . . . . . . . . . . . . . . . . 63
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 66 3.24.2. RecordPattern Class . . . . . . . . . . . . . . . . 64
5.1. Extending the Enumerated Values of Attributes . . . . . . 66 3.24.3. RecordItem Class . . . . . . . . . . . . . . . . . . 66
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 67 3.25. WindowsRegistryKeysModified Class . . . . . . . . . . . . 66
6. Internationalization Issues . . . . . . . . . . . . . . . . . 69 3.25.1. Key Class . . . . . . . . . . . . . . . . . . . . . 67
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 70 3.26. HashInformation Class . . . . . . . . . . . . . . . . . . 68
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 71 4. Processing Considerations . . . . . . . . . . . . . . . . . . 70
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 73 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 70
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 75 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 70
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 76 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 71
9. Security Considerations . . . . . . . . . . . . . . . . . . . 109 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 72
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 110 5.1. Extending the Enumerated Values of Attributes . . . . . . 72
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 110 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 73
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 111 6. Internationalization Issues . . . . . . . . . . . . . . . . . 75
12.1. Normative References . . . . . . . . . . . . . . . . . . 111 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 76
12.2. Informative References . . . . . . . . . . . . . . . . . 112 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 76
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 77
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 79
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 81
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 82
9. Security Considerations . . . . . . . . . . . . . . . . . . . 116
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 116
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 117
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 117
12.1. Normative References . . . . . . . . . . . . . . . . . . 117
12.2. Informative References . . . . . . . . . . . . . . . . . 119
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 6, line 26 skipping to change at page 6, line 36
SoftwareType complexType: user-agent. SoftwareType complexType: user-agent.
o Additional enumerated values were added to the following o Additional enumerated values were added to the following
attributes: @restriction, {Expectation, HistoryItem}@action, attributes: @restriction, {Expectation, HistoryItem}@action,
NodeRole@category, Incident@purpose. NodeRole@category, Incident@purpose.
1.2. Terminology 1.2. Terminology
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [6]. document are to be interpreted as described in [RFC2119].
Definitions for some of the common computer security-related Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of [16]. terminology used in this document can be found in Section 2 of
[refs.requirements].
1.3. Notations 1.3. Notations
The normative IODEF data model is specified with the text in The normative IODEF data model is specified with the text in
Section 3 and the XML schema in Section 8. To help in the Section 3 and the XML schema in Section 8. To help in the
understanding of the data elements, Section 3 also depicts the understanding of the data elements, Section 3 also depicts the
underlying information model using Unified Modeling Language (UML). underlying information model using Unified Modeling Language (UML).
This abstract presentation of the IODEF is not normative. This abstract presentation of the IODEF is not normative.
For clarity in this document, the term "XML document" will be used For clarity in this document, the term "XML document" will be used
skipping to change at page 7, line 30 skipping to change at page 7, line 40
data model. data model.
o The domain of security analysis is not fully standardized and must o The domain of security analysis is not fully standardized and must
rely on free-form textual descriptions. The IODEF attempts to rely on free-form textual descriptions. The IODEF attempts to
strike a balance between supporting this free-form content, while strike a balance between supporting this free-form content, while
still allowing automated processing of incident information. still allowing automated processing of incident information.
o The IODEF is only one of several security relevant data o The IODEF is only one of several security relevant data
representations being standardized. Attempts were made to ensure representations being standardized. Attempts were made to ensure
they were complementary. The data model of the Intrusion they were complementary. The data model of the Intrusion
Detection Message Exchange Format [17] influenced the design of Detection Message Exchange Format [RFC4765] influenced the design
the IODEF. of the IODEF.
Further discussion of the desirable properties for the IODEF can be Further discussion of the desirable properties for the IODEF can be
found in the Requirements for the Format for Incident Information found in the Requirements for the Format for Incident Information
Exchange (FINE) [16]. Exchange (FINE) [refs.requirements].
1.5. About the IODEF Implementation 1.5. About the IODEF Implementation
The IODEF implementation is specified as an Extensible Markup The IODEF implementation is specified as an Extensible Markup
Language (XML) [1] Schema [2] in Section 8. Language (XML) [W3C.XML] Schema [W3C.SCHEMA].
Implementing the IODEF in XML provides numerous advantages. Its Implementing the IODEF in XML provides numerous advantages. Its
extensibility makes it ideal for specifying a data encoding framework extensibility makes it ideal for specifying a data encoding framework
that supports various character encodings. Likewise, the abundance that supports various character encodings. Likewise, the abundance
of related technologies (e.g., XSL, XPath, XML-Signature) makes for of related technologies (e.g., XSL, XPath, XML-Signature) makes for
simplified manipulation. However, XML is fundamentally a text simplified manipulation. However, XML is fundamentally a text
representation, which makes it inherently inefficient when binary representation, which makes it inherently inefficient when binary
data must be embedded or large volumes of data must be exchanged. data must be embedded or large volumes of data must be exchanged.
2. IODEF Data Types 2. IODEF Data Types
The various data elements of the IODEF data model are typed. This The various data elements of the IODEF data model are typed. This
section discusses these data types. When possible, native Schema section discusses these data types. When possible, native Schema
data types were adopted, but for more complicated formats, regular data types were adopted, but for more complicated formats, regular
expressions (see Appendix F of [3]) or external standards were used. expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external
standards were used.
2.1. Integers 2.1. Integers
An integer is represented by the INTEGER data type. Integer data An integer is represented by the INTEGER data type. Integer data
MUST be encoded in Base 10. MUST be encoded in Base 10.
The INTEGER data type is implemented as an "xs:integer" [3] in the The INTEGER data type is implemented as an "xs:integer" in
schema. [W3C.SCHEMA.DTYPES].
2.2. Real Numbers 2.2. Real Numbers
Real (floating-point) attributes are represented by the REAL data Real (floating-point) attributes are represented by the REAL data
type. Real data MUST be encoded in Base 10. type. Real data MUST be encoded in Base 10.
The REAL data type is implemented as an "xs:float" [3] in the schema. The REAL data type is implemented as an "xs:float" in
[W3C.SCHEMA.DTYPES].
2.3. Characters and Strings 2.3. Characters and Strings
A single character is represented by the CHARACTER data type. A A single character is represented by the CHARACTER data type. A
character string is represented by the STRING data type. Special character string is represented by the STRING data type. Special
characters must be encoded using entity references. See Section 4.1. characters must be encoded using entity references. See Section 4.1.
The CHARACTER and STRING data types are implement as an "xs:string" The CHARACTER and STRING data types are implement as an "xs:string"
[3] in the schema. in [W3C.SCHEMA.DTYPES].
2.4. Multilingual Strings 2.4. Multilingual Strings
STRING data that represents multi-character attributes in a language STRING data that represents multi-character attributes in a language
different than the default encoding of the document is of the different than the default encoding of the document is of the
ML_STRING data type. ML_STRING data type.
The ML_STRING data type is implemented as an "iodef:MLStringType" in The ML_STRING data type is implemented as an "iodef:MLStringType" in
the schema. the schema.
2.5. Bytes 2.5. Bytes
A binary octet is represented by the BYTE data type. A sequence of A binary octet is represented by the BYTE data type. A sequence of
binary octets is represented by the BYTE[] data type. These octets binary octets is represented by the BYTE[] data type. These octets
are encoded using base64. are encoded using base64.
The BYTE data type is implemented as an "xs:base64Binary" [3] in the The BYTE data type is implemented as an "xs:base64Binary" in
schema. [W3C.SCHEMA.DTYPES].
2.6. Hexadecimal Bytes 2.6. Hexadecimal Bytes
A binary octet is represented by the HEXBIN (and HEXBIN[]) data type. A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
This octet is encoded as a character tuple consisting of two This octet is encoded as a character tuple consisting of two
hexadecimal digits. hexadecimal digits.
The HEXBIN data type is implemented as an "xs:hexBinary" [3] in the The HEXBIN data type is implemented as an "xs:hexBinary" in
schema. [W3C.SCHEMA.DTYPES].
2.7. Enumerated Types 2.7. Enumerated Types
Enumerated types are represented by the ENUM data type, and consist Enumerated types are represented by the ENUM data type, and consist
of an ordered list of acceptable values. Each value has a of an ordered list of acceptable values. Each value has a
representative keyword. Within the IODEF schema, the enumerated type representative keyword. Within the IODEF schema, the enumerated type
keywords are used as attribute values. keywords are used as attribute values.
The ENUM data type is implemented as a series of "xs:NMTOKEN" in the The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
schema. schema.
2.8. Date-Time Strings 2.8. Date-Time Strings
Date-time strings are represented by the DATETIME data type. Each Date-time strings are represented by the DATETIME data type. Each
date-time string identifies a particular instant in time; ranges are date-time string identifies a particular instant in time; ranges are
not supported. not supported.
Date-time strings are formatted according to a subset of ISO Date-time strings are formatted according to a subset of [ISO8601]
8601:2000 [13] documented in RFC 3339 [12]. documented in [RFC3339].
The DATETIME data type is implemented as an "xs:dateTime" [3] in the The DATETIME data type is implemented as an "xs:dateTime" in the
schema. schema.
2.9. Timezone String 2.9. Timezone String
A timezone offset from UTC is represented by the TIMEZONE data type. A timezone offset from UTC is represented by the TIMEZONE data type.
It is formatted according to the following regular expression: It is formatted according to the following regular expression:
"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
The TIMEZONE data type is implemented as an "xs:string" with a The TIMEZONE data type is implemented as an "xs:string" with a
regular expression constraint in the schema. This regular expression regular expression constraint in [W3C.SCHEMA.DTYPES]. This regular
is identical to the timezone representation implemented in an expression is identical to the timezone representation implemented in
"xs:dateTime". an "xs:dateTime".
2.10. Port Lists 2.10. Port Lists
A list of network ports are represented by the PORTLIST data type. A A list of network ports are represented by the PORTLIST data type. A
PORTLIST consists of a comma-separated list of numbers and ranges PORTLIST consists of a comma-separated list of numbers and ranges
(N-M means ports N through M, inclusive). It is formatted according (N-M means ports N through M, inclusive). It is formatted according
to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
For example, "2,5-15,30,32,40-50,55-60". For example, "2,5-15,30,32,40-50,55-60".
The PORTLIST data type is implemented as an "xs:string" with a The PORTLIST data type is implemented as an "xs:string" with a
regular expression constraint in the schema. regular expression constraint in the schema.
2.11. Postal Address 2.11. Postal Address
A postal address is represented by the POSTAL data type. This data A postal address is represented by the POSTAL data type. This data
type is an ML_STRING whose format is documented in Section 2.23 of type is an ML_STRING whose format is documented in Section 2.23 of
RFC 4519 [10]. It defines a postal address as a free-form multi-line [RFC4519]. It defines a postal address as a free-form multi-line
string separated by the "$" character. string separated by the "$" character.
The POSTAL data type is implemented as an "xs:string" in the schema. The POSTAL data type is implemented as an "xs:string" in the schema.
2.12. Person or Organization 2.12. Person or Organization
The name of an individual or organization is represented by the NAME The name of an individual or organization is represented by the NAME
data type. This data type is an ML_STRING whose format is documented data type. This data type is an ML_STRING whose format is documented
in Section 2.3 of RFC 4519 [10]. in Section 2.3 of [RFC4519].
The NAME data type is implemented as an "xs:string" in the schema. The NAME data type is implemented as an "xs:string" in the schema.
2.13. Telephone and Fax Numbers 2.13. Telephone and Fax Numbers
A telephone or fax number is represented by the PHONE data type. The A telephone or fax number is represented by the PHONE data type. The
format of the PHONE data type is documented in Section 2.35 of RFC format of the PHONE data type is documented in Section 2.35 of
4519 [10]. [RFC4519].
The PHONE data type is implemented as an "xs:string" in the schema. The PHONE data type is implemented as an "xs:string" in the schema.
2.14. Email String 2.14. Email String
An email address is represented by the EMAIL data type. The format An email address is represented by the EMAIL data type. The format
of the EMAIL data type is documented in Section 3.4.1 RFC 2822 [11] of the EMAIL data type is documented in Section 3.4.1 [RFC5322].
The EMAIL data type is implemented as an "xs:string" in the schema. The EMAIL data type is implemented as an "xs:string" in the schema.
2.15. Uniform Resource Locator strings 2.15. Uniform Resource Locator strings
A uniform resource locator (URL) is represented by the URL data type. A uniform resource locator (URL) is represented by the URL data type.
The format of the URL data type is documented in RFC 2396 [8]. The format of the URL data type is documented in [RFC3986].
The URL data type is implemented as an "xs:anyURI" in the schema. The URL data type is implemented as an "xs:anyURI" in the schema.
3. The IODEF Data Model 3. The IODEF Data Model
In this section, the individual components of the IODEF data model In this section, the individual components of the IODEF data model
will be discussed in detail. For each class, the semantics will be will be discussed in detail. For each class, the semantics will be
described and the relationship with other classes will be depicted described and the relationship with other classes will be depicted
with UML. When necessary, specific comments will be made about with UML. When necessary, specific comments will be made about
corresponding definition in the schema in Section 8 corresponding definition in the schema in Section 8
3.1. IODEF-Document Class 3.1. IODEF-Document Class
The IODEF-Document class is the top level class in the IODEF data The IODEF-Document class is the top level class in the IODEF data
model. All IODEF documents are an instance of this class. model. All IODEF documents are an instance of this class.
+-----------------+ +-----------------+
| IODEF-Document | | IODEF-Document |
+-----------------+ +-----------------+
| STRING version |<>--{1..*}--[ Incident ] | STRING version |<>--{1..*}--[ Incident ]
| ENUM lang | | ENUM lang |<>--{0..*}--[ AdditionalData ]
| STRING formatid | | STRING formatid |
+-----------------+ +-----------------+
Figure 1: IODEF-Document Class Figure 1: IODEF-Document Class
The aggregate class that constitute IODEF-Document is: The aggregate class that constitute IODEF-Document is:
Incident Incident
One or more. The information related to a single incident. One or more. The information related to a single incident.
AdditionalData
Zero or more. Mechanism by which to extend the data model.
The IODEF-Document class has three attributes: The IODEF-Document class has three attributes:
version version
Required. STRING. The IODEF specification version number to Required. STRING. The IODEF specification version number to
which this IODEF document conforms. The value of this attribute which this IODEF document conforms. The value of this attribute
MUST be "2.00" MUST be "2.00"
lang lang
Required. ENUM. A valid language code per RFC 4646 [7] Required. ENUM. A valid language code per [RFC4646] constrained
constrained by the definition of "xs:language". The by the definition of "xs:language". The interpretation of this
interpretation of this code is described in Section 6. code is described in Section 6.
formatid formatid
Optional. STRING. A free-form string to convey processing Optional. STRING. A free-form string to convey processing
instructions to the recipient of the document. Its semantics must instructions to the recipient of the document. Its semantics must
be negotiated out-of-band. be negotiated out-of-band.
3.2. Incident Class 3.2. Incident Class
Every incident is represented by an instance of the Incident class. Every incident is represented by an instance of the Incident class.
This class provides a standardized representation for commonly This class provides a standardized representation for commonly
exchanged incident data. exchanged incident data.
+-------------------------+ +-------------------------+
| Incident | | Incident |
+-------------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM lang |<>--{0..*}--[ RelatedActivity ] | ENUM lang |<>--{0..*}--[ RelatedActivity ]
| ENUM restriction |<>--{0..1}--[ DetectTime ] | ENUM restriction |<>--{0..1}--[ DetectTime ]
| STRING indicator-set-id |<>--{0..1}--[ StartTime ] | STRING indicator-uid |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | STRING indicator-set-id |<>--{0..1}--[ EndTime ]
| |<>----------[ ReportTime ] | |<>----------[ ReportTime ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{1..*}--[ Assessment ] | |<>--{1..*}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..1}--[ History ] | |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
skipping to change at page 13, line 38 skipping to change at page 13, line 47
during the course of handling the incident. during the course of handling the incident.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. Zero or more. Mechanism by which to extend the data model.
The Incident class has five attributes: The Incident class has five attributes:
purpose purpose
Required. ENUM. The purpose attribute represents the reason why Required. ENUM. The purpose attribute represents the reason why
the IODEF document was created. It is closely related to the the IODEF document was created. It is closely related to the
Expectation class (Section 3.15). This attribute is defined as an Expectation class (Section 3.16). This attribute is defined as an
enumerated list: enumerated list:
1. traceback. The document was sent for trace-back purposes. 1. traceback. The document was sent for trace-back purposes.
2. mitigation. The document was sent to request aid in 2. mitigation. The document was sent to request aid in
mitigating the described activity. mitigating the described activity.
3. reporting. The document was sent to comply with reporting 3. reporting. The document was sent to comply with reporting
requirements. requirements.
skipping to change at page 14, line 16 skipping to change at page 14, line 25
Expectation class. Expectation class.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-purpose ext-purpose
Optional. STRING. A means by which to extend the purpose Optional. STRING. A means by which to extend the purpose
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per [RFC4646] constrained
constrained by the definition of "xs:language". The by the definition of "xs:language". The interpretation of this
interpretation of this code is described in Section 6. code is described in Section 6.
restriction restriction
Optional. ENUM. This attribute indicates the disclosure Optional. ENUM. See Section 3.3.1.
guidelines to which the sender expects the recipient to adhere for
the information represented in this class and its children. This
guideline provides no security since there are no specified
technical means to ensure that the recipient of the document
handles the information as the sender requested.
The value of this attribute is logically inherited by the children indicator-uid
of this class. That is to say, the disclosure rules applied to Optional. STRING. See Section 3.3.2.
this class, also apply to its children.
It is possible to set a granular disclosure policy, since all of indicator-set-id
the high-level classes (i.e., children of the Incident class) have Optional. STRING. See Section 3.3.2.
a restriction attribute. Therefore, a child can override the
guidelines of a parent class, be it to restrict or relax the
disclosure rules (e.g., a child has a weaker policy than an
ancestor; or an ancestor has a weak policy, and the children
selectively apply more rigid controls). The implicit value of the
restriction attribute for a class that did not specify one can be
found in the closest ancestor that did specify a value.
This attribute is defined as an enumerated value with a default 3.3. Common Attributes
value of "private". Note that the default value of the
restriction attribute is only defined in the context of the
Incident class. In other classes where this attribute is used, no
default is specified.
1. public. The information can be freely distributed without There are a number of recurring attributes used by the data model.
restriction. They are documented in this section.
2. partner. The information may be shared within a closed 3.3.1. restriction Attribute
community of peers, partners, or affected parties, but cannot
be openly published.
3. need-to-know. The information may be shared only within the The restriction attribute indicates the disclosure guidelines to
organization with individuals that have a need to know. which the sender expects the recipient to adhere for the information
represented in this class and its children. This guideline provides
no security since there are no specified technical means to ensure
that the recipient of the document handles the information as the
sender requested.
4. private. The information may not be shared. The value of this attribute is logically inherited by the children of
this class. That is to say, the disclosure rules applied to this
class, also apply to its children.
5. default. The information can be shared according to an It is possible to set a granular disclosure policy, since all of the
information disclosure policy pre-arranged by the high-level classes (i.e., children of the Incident class) have a
communicating parties. restriction attribute. Therefore, a child can override the
guidelines of a parent class, be it to restrict or relax the
disclosure rules (e.g., a child has a weaker policy than an ancestor;
or an ancestor has a weak policy, and the children selectively apply
more rigid controls). The implicit value of the restriction
attribute for a class that did not specify one can be found in the
closest ancestor that did specify a value.
6. white. Same as 'public'. This attribute is defined as an enumerated value with a default value
of "private". Note that the default value of the restriction
attribute is only defined in the context of the Incident class. In
other classes where this attribute is used, no default is specified.
7. green. Same as 'partner'. 1. public. The information can be freely distributed without
restriction.
8. amber. Same as 'need-to-know'. 2. partner. The information may be shared within a closed community
of peers, partners, or affected parties, but cannot be openly
published.
9. red. Same as 'private'. 3. need-to-know. The information may be shared only within the
organization with individuals that have a need to know.
4. private. The information may not be shared.
5. default. The information can be shared according to an
information disclosure policy pre-arranged by the communicating
parties.
6. white. Same as 'public'.
7. green. Same as 'partner'.
8. amber. Same as 'need-to-know'.
9. red. Same as 'private'.
3.3.2. Indicator Attributes
For data elements that are commonly used as indicators, the data
model uses four attributes to facilitate their ...
indicator-uid
STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related STRING. See Section 3.3.2.
indicators.
3.3. IncidentID Class 3.4. IncidentID Class
The IncidentID class represents an incident tracking number that is The IncidentID class represents an incident tracking number that is
unique in the context of the CSIRT and identifies the activity unique in the context of the CSIRT and identifies the activity
characterized in an IODEF Document. This identifier would serve as characterized in an IODEF Document. This identifier would serve as
an index into the CSIRT incident handling system. The combination of an index into the CSIRT incident handling system. The combination of
the name attribute and the string in the element content MUST be a the name attribute and the string in the element content MUST be a
globally unique identifier describing the activity. Documents globally unique identifier describing the activity. Documents
generated by a given CSIRT MUST NOT reuse the same value unless they generated by a given CSIRT MUST NOT reuse the same value unless they
are referencing the same incident. are referencing the same incident.
skipping to change at page 16, line 18 skipping to change at page 16, line 47
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the document. In order to have a globally unique CSIRT created the document. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. MUST be used.
instance instance
Optional. STRING. An identifier referencing a subset of the Optional. STRING. An identifier referencing a subset of the
named incident. named incident.
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1. The default value is
The default value is "public". "public".
3.4. AlternativeID Class 3.5. AlternativeID Class
The AlternativeID class lists the incident tracking numbers used by The AlternativeID class lists the incident tracking numbers used by
CSIRTs, other than the one generating the document, to refer to the CSIRTs, other than the one generating the document, to refer to the
identical activity described in the IODEF document. A tracking identical activity described in the IODEF document. A tracking
number listed as an AlternativeID references the same incident number listed as an AlternativeID references the same incident
detected by another CSIRT. The incident tracking numbers of the detected by another CSIRT. The incident tracking numbers of the
CSIRT that generated the IODEF document must never be considered an CSIRT that generated the IODEF document must never be considered an
AlternativeID. AlternativeID.
+------------------+ +------------------+
| AlternativeID | | AlternativeID |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ] | ENUM restriction |<>--{1..*}--[ IncidentID ]
| | | |
+------------------+ +------------------+
Figure 4: The AlternativeID Class Figure 4: The AlternativeID Class
The aggregate class that constitutes AlternativeID is: The aggregate class that constitutes AlternativeID is:
IncidentID IncidentID
One or more. The incident tracking number of another CSIRT. One or more. The incident tracking number of another CSIRT.
The AlternativeID class has one attribute: The AlternativeID class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.5. RelatedActivity Class 3.6. RelatedActivity Class
The RelatedActivity class relates the information described in the The RelatedActivity class relates the information described in the
rest of the IODEF document to previously observed incidents or rest of the IODEF document to previously observed incidents or
activity; and allows attribution to a specific actor or campaign. activity; and allows attribution to a specific actor or campaign.
+------------------+ +------------------+
| RelatedActivity | | RelatedActivity |
+------------------+ +------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ] | ENUM restriction |<>--{0..*}--[ IncidentID ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ] | |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ] | |<>--{0..*}--[ Campaign ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 5: RelatedActivity Class Figure 5: RelatedActivity Class
The aggregate classes that constitutes RelatedActivity are: The aggregate classes that constitutes RelatedActivity are:
IncidentID IncidentID
One or more. The incident tracking number of a related incident. One or more. The incident tracking number of a related incident.
URL URL
One or more. URL. A URL to activity related to this incident. One or more. URL. A URL to activity related to this incident.
skipping to change at page 18, line 11 skipping to change at page 18, line 38
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or many. A mechanism by which to extend the data model.
RelatedActivity MUST at least have one instance of IncidentID, URL, RelatedActivity MUST at least have one instance of IncidentID, URL,
ThreatActor, or Campaign. ThreatActor, or Campaign.
The RelatedActivity class has one attribute: The RelatedActivity class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
3.6. ThreatActor Class 3.7. ThreatActor Class
The ThreatActor class describes a given actor. The ThreatActor class describes a given actor.
+------------------+ +------------------+
| Actor | | Actor |
+------------------+ +------------------+
| ENUM restriction |<>--{0..1}--[ ThreatActorID ] | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 6: ThreatActor Class Figure 6: ThreatActor Class
The aggregate classes that constitutes ThreatActor are: The aggregate classes that constitutes ThreatActor are:
ThreatActorID ThreatActorID
One or more. STRING. An identifier for the ThreatActor. One or more. STRING. An identifier for the ThreatActor.
Description Description
One or more. ML_STRING. A description of the ThreatActor. One or more. ML_STRING. A description of the ThreatActor.
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or many. A mechanism by which to extend the data model.
ThreatActor MUST have at least one instance of a ThreatActorID or ThreatActor MUST have at least one instance of a ThreatActorID or
Description. Description.
The ThreatActor class has one attribute: The ThreatActor class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
3.7. Campaign Class 3.8. Campaign Class
The Campaign class describes a ... The Campaign class describes a ...
+------------------+ +------------------+
| Campaign | | Campaign |
+------------------+ +------------------+
| ENUM restriction |<>--{0..1}--[ CampaignID ] | ENUM restriction |<>--{0..1}--[ CampaignID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 7: Campaign Class Figure 7: Campaign Class
The aggregate classes that constitutes Campaign are: The aggregate classes that constitutes Campaign are:
CampaignID CampaignID
One or more. STRING. An identifier for the Campaign. One or more. STRING. An identifier for the Campaign.
Description Description
One or more. ML_STRING. A description of the Campaign. One or more. ML_STRING. A description of the Campaign.
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or many. A mechanism by which to extend the data model.
Campaign MUST have at least one instance of a Campaign or Campaign MUST have at least one instance of a Campaign or
Description. Description.
The Campaign class has one attribute: The Campaign class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
3.8. AdditionalData Class 3.9. AdditionalData Class
The AdditionalData class serves as an extension mechanism for The AdditionalData class serves as an extension mechanism for
information not otherwise represented in the data model. For information not otherwise represented in the data model. For
relatively simple information, atomic data types (e.g., integers, relatively simple information, atomic data types (e.g., integers,
strings) are provided with a mechanism to annotate their meaning. strings) are provided with a mechanism to annotate their meaning.
The class can also be used to extend the data model (and the The class can also be used to extend the data model (and the
associated Schema) to support proprietary extensions by encapsulating associated Schema) to support proprietary extensions by encapsulating
entire XML documents conforming to another Schema (e.g., IDMEF). A entire XML documents conforming to another Schema. A detailed
detailed discussion for extending the data model and the schema can discussion for extending the data model and the schema can be found
be found in Section 5. in Section 5.
Unlike XML, which is self-describing, atomic data must be documented Unlike XML, which is self-describing, atomic data must be documented
to convey its meaning. This information is described in the to convey its meaning. This information is described in the
'meaning' attribute. Since these description are outside the scope 'meaning' attribute. Since these description are outside the scope
of the specification, some additional coordination may be required to of the specification, some additional coordination may be required to
ensure that a recipient of a document using the AdditionalData ensure that a recipient of a document using the AdditionalData
classes can make sense of the custom extensions. classes can make sense of the custom extensions.
+------------------+ +------------------+
| AdditionalData | | AdditionalData |
skipping to change at page 20, line 30 skipping to change at page 20, line 52
dtype dtype
Required. ENUM. The data type of the element content. The Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default permitted values for this attribute are shown below. The default
value is "string". value is "string".
1. boolean. The element content is of type BOOLEAN. 1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE. 2. byte. The element content is of type BYTE.
3. character. The element content is of type CHARACTER. 3. bytes. The element content is of type HEXBIN.
4. date-time. The element content is of type DATETIME. 4. character. The element content is of type CHARACTER.
5. integer. The element content is of type INTEGER. 5. date-time. The element content is of type DATETIME.
6. portlist. The element content is of type PORTLIST. 6. ntpstamp. Same as date-time.
7. real. The element content is of type REAL. 7. integer. The element content is of type INTEGER.
8. string. The element content is of type STRING. 8. portlist. The element content is of type PORTLIST.
9. file. The element content is a base64 encoded binary file 9. real. The element content is of type REAL.
10. string. The element content is of type STRING.
11. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type. encoded as a BYTE[] type.
10. frame. The element content is a layer-2 frame encoded as a 12. path. The element content is a file-system path encoded as a
STRING type.
13. frame. The element content is a layer-2 frame encoded as a
HEXBIN type. HEXBIN type.
11. packet. The element content is a layer-3 packet encoded as a 14. packet. The element content is a layer-3 packet encoded as a
HEXBIN type. HEXBIN type.
12. ipv4-packet. The element content is an IPv4 packet encoded 15. ipv4-packet. The element content is an IPv4 packet encoded
as a HEXBIN type. as a HEXBIN type.
13. ipv6-packet. The element content is an IPv6 packet encoded 16. ipv6-packet. The element content is an IPv6 packet encoded
as a HEXBIN type. as a HEXBIN type.
14. path. The element content is a file-system path encoded as a 17. url. The element content is of type URL.
STRING type.
15. url. The element content is of type URL.
16. csv. The element content is a common separated value (CSV) 18. csv. The element content is a common separated value (CSV)
list per Section 2 of [20] encoded as a STRING type. list per Section 2 of [RFC4180] encoded as a STRING type.
17. winreg. The element content is a Windows registry key 19. winreg. The element content is a Windows registry key
encoded as a STRING type. encoded as a STRING type.
18. xml. The element content is XML (see Section 5). 20. xml. The element content is XML. See Section 5.
19. ext-value. An escape value used to extend this attribute. 21. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-dtype ext-dtype
Optional. STRING. A means by which to extend the dtype Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1. attribute. See Section 5.1.
meaning meaning
Optional. STRING. A free-form description of the element Optional. STRING. A free-form description of the element
content. content.
formatid formatid
Optional. STRING. An identifier referencing the format and Optional. STRING. An identifier referencing the format and
semantics of the element content. semantics of the element content.
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
3.9. Contact Class 3.10. Contact Class
The Contact class describes contact information for organizations and The Contact class describes contact information for organizations and
personnel involved in the incident. This class allows for the naming personnel involved in the incident. This class allows for the naming
of the involved party, specifying contact information for them, and of the involved party, specifying contact information for them, and
identifying their role in the incident. identifying their role in the incident.
People and organizations are treated interchangeably as contacts; one People and organizations are treated interchangeably as contacts; one
can be associated with the other using the recursive definition of can be associated with the other using the recursive definition of
the class (the Contact class is aggregated into the Contact class). the class (the Contact class is aggregated into the Contact class).
The 'type' attribute disambiguates the type of contact information The 'type' attribute disambiguates the type of contact information
skipping to change at page 24, line 27 skipping to change at page 25, line 18
3. ext-value. An escape value used to extend this attribute. 3. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
3.9.1. RegistryHandle Class 3.10.1. RegistryHandle Class
The RegistryHandle class represents a handle into an Internet The RegistryHandle class represents a handle into an Internet
registry or community-specific database. The handle is specified in registry or community-specific database. The handle is specified in
the element content and the type attribute specifies the database. the element content and the type attribute specifies the database.
+---------------------+ +---------------------+
| RegistryHandle | | RegistryHandle |
+---------------------+ +---------------------+
| STRING | | STRING |
| | | |
skipping to change at page 25, line 4 skipping to change at page 25, line 42
Figure 10: The RegistryHandle Class Figure 10: The RegistryHandle Class
The RegistryHandle class has two attributes: The RegistryHandle class has two attributes:
registry registry
Required. ENUM. The database to which the handle belongs. The Required. ENUM. The database to which the handle belongs. The
possible values are: possible values are:
1. internic. Internet Network Information Center 1. internic. Internet Network Information Center
2. apnic. Asia Pacific Network Information Center 2. apnic. Asia Pacific Network Information Center
3. arin. American Registry for Internet Numbers 3. arin. American Registry for Internet Numbers
4. lacnic. Latin-American and Caribbean IP Address Registry 4. lacnic. Latin-American and Caribbean IP Address Registry
5. ripe. Reseaux IP Europeens 5. ripe. Reseaux IP Europeens
6. afrinic. African Internet Numbers Registry 6. afrinic. African Internet Numbers Registry
7. local. A database local to the CSIRT 7. local. A database local to the CSIRT
8. ext-value. An escape value used to extend this attribute. 8. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-registry ext-registry
Optional. STRING. A means by which to extend the registry Optional. STRING. A means by which to extend the registry
attribute. See Section 5.1. attribute. See Section 5.1.
3.9.2. PostalAddress Class 3.10.2. PostalAddress Class
The PostalAddress class specifies a postal address formatted The PostalAddress class specifies a postal address formatted
according to the POSTAL data type (Section 2.11). according to the POSTAL data type (Section 2.11).
+---------------------+ +---------------------+
| PostalAddress | | PostalAddress |
+---------------------+ +---------------------+
| POSTAL | | POSTAL |
| | | |
| ENUM meaning | | ENUM meaning |
skipping to change at page 25, line 45 skipping to change at page 26, line 35
+---------------------+ +---------------------+
Figure 11: The PostalAddress Class Figure 11: The PostalAddress Class
The PostalAddress class has two attributes: The PostalAddress class has two attributes:
meaning meaning
Optional. ENUM. A free-form description of the element content. Optional. ENUM. A free-form description of the element content.
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per [RFC4646] constrained
constrained by the definition of "xs:language". The by the definition of "xs:language". The interpretation of this
interpretation of this code is described in Section 6. code is described in Section 6.
3.9.3. Email Class 3.10.3. Email Class
The Email class specifies an email address formatted according to The Email class specifies an email address formatted according to
EMAIL data type (Section 2.14). EMAIL data type (Section 2.14).
+--------------+ +--------------+
| Email | | Email |
+--------------+ +--------------+
| EMAIL | | EMAIL |
| | | |
| ENUM meaning | | ENUM meaning |
+--------------+ +--------------+
Figure 12: The Email Class Figure 12: The Email Class
The Email class has one attribute: The Email class has one attribute:
meaning meaning
Optional. ENUM. A free-form description of the element content. Optional. ENUM. A free-form description of the element content.
3.9.4. Telephone and Fax Classes 3.10.4. Telephone and Fax Classes
The Telephone and Fax classes specify a voice or fax telephone number The Telephone and Fax classes specify a voice or fax telephone number
respectively, and are formatted according to PHONE data type respectively, and are formatted according to PHONE data type
(Section 2.13). (Section 2.13).
+--------------------+ +--------------------+
| {Telephone | Fax } | | {Telephone | Fax } |
+--------------------+ +--------------------+
| PHONE | | PHONE |
| | | |
skipping to change at page 26, line 47 skipping to change at page 27, line 42
+--------------------+ +--------------------+
Figure 13: The Telephone and Fax Classes Figure 13: The Telephone and Fax Classes
The Telephone class has one attribute: The Telephone class has one attribute:
meaning meaning
Optional. ENUM. A free-form description of the element content Optional. ENUM. A free-form description of the element content
(e.g., hours of coverage for a given number). (e.g., hours of coverage for a given number).
3.10. Time Classes 3.11. Time Classes
The data model uses five different classes to represent a timestamp. The data model uses five different classes to represent a timestamp.
Their definition is identical, but each has a distinct name to convey Their definition is identical, but each has a distinct name to convey
a difference in semantics. a difference in semantics.
The element content of each class is a timestamp formatted according The element content of each class is a timestamp formatted according
to the DATETIME data type (see Section 2.8). to the DATETIME data type (see Section 2.8).
+----------------------------------+ +----------------------------------+
| {Start| End| Report| Detect}Time | | {Start| End| Report| Detect}Time |
+----------------------------------+ +----------------------------------+
| DATETIME | | DATETIME |
+----------------------------------+ +----------------------------------+
Figure 14: The Time Classes Figure 14: The Time Classes
3.10.1. StartTime 3.11.1. StartTime Class
The StartTime class represents the time the incident began. The StartTime class represents the time the incident began.
3.10.2. EndTime 3.11.2. EndTime Class
The EndTime class represents the time the incident ended. The EndTime class represents the time the incident ended.
3.10.3. DetectTime 3.11.3. DetectTime Class
The DetectTime class represents the time the first activity of the The DetectTime class represents the time the first activity of the
incident was detected. incident was detected.
3.10.4. ReportTime 3.11.4. ReportTime Class
The ReportTime class represents the time the incident was reported. The ReportTime class represents the time the incident was reported.
This timestamp MUST be the time at which the IODEF document was This timestamp MUST be the time at which the IODEF document was
generated. generated.
3.10.5. DateTime 3.11.5. DateTime
The DateTime class is a generic representation of a timestamp. Infer The DateTime class is a generic representation of a timestamp. Infer
its semantics from the parent class in which it is aggregated. its semantics from the parent class in which it is aggregated.
3.11. Method Class 3.12. Method Class
The Method class describes the methodology used by the intruder to The Method class describes the methodology used by the intruder to
perpetrate the events of the incident. This class consists of a list perpetrate the events of the incident. This class consists of a list
of references describing the attack method and a free form of references describing the attack method and a free form
description of the technique. description of the technique.
+------------------+ +------------------+
| Method | | Method |
+------------------+ +------------------+
| ENUM restriction |<>--{0..*}--[ Reference ] | ENUM restriction |<>--{0..*}--[ Reference ]
skipping to change at page 28, line 36 skipping to change at page 29, line 26
Zero or many. A mechanism by which to extend the data model. Zero or many. A mechanism by which to extend the data model.
Either an instance of the Reference or Description class MUST be Either an instance of the Reference or Description class MUST be
present. present.
The Method class has one attribute: The Method class has one attribute:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
3.11.1. Reference Class 3.12.1. Reference Class
The Reference class is a reference to a vulnerability, IDS alert, The Reference class is a reference to a vulnerability, IDS alert,
malware sample, advisory, or attack technique. A reference consists malware sample, advisory, or attack technique. A reference consists
of a name, a URL to this reference, and an optional description. of a name, a URL to this reference, and an optional description.
+-------------------------+ +-------------------------+
| Reference | | Reference |
+-------------------------+ +-------------------------+
| ENUM attacktype |<>----------[ ReferenceName ] | ENUM attacktype |<>----------[ ReferenceName ]
| STRING ext-attacktype |<>--{0..*}--[ URL ] | STRING ext-attacktype |<>--{0..*}--[ URL ]
skipping to change at page 29, line 27 skipping to change at page 30, line 17
The Reference class has 4 attributes. The Reference class has 4 attributes.
attacktype attacktype
Optional. ENUM. TODO. Optional. ENUM. TODO.
ext-attacktype ext-attacktype
Optional. STRING. A mechanism by which to extend the Attack Optional. STRING. A mechanism by which to extend the Attack
Type. Type.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group Optional. STRING. See Section 3.3.2.
related indicators.
3.12. Assessment Class 3.13. Assessment Class
The Assessment class describes the technical and non-technical The Assessment class describes the technical and non-technical
repercussions of the incident on the CSIRT's constituency. repercussions of the incident on the CSIRT's constituency.
This class was derived from the IDMEF[17]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Assessment | | Assessment |
+-------------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ] | ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ TimeImpact ] | ENUM restriction |<>--{0..*}--[ TimeImpact ]
| STRING indicator-uid |<>--{0..*}--[ MonetaryImpact ] | STRING indicator-uid |<>--{0..*}--[ MonetaryImpact ]
| STRING indicator-set-id |<>--{0..*}--[ Counter ] | STRING indicator-set-id |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 17: Assessment Class Figure 17: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
Impact Impact
Zero or many. Technical impact of the incident on a network. Zero or many. Technical impact of the incident on a network.
TimeImpact TimeImpact
Zero or many. Impact of the activity measured with respect to Zero or many. Impact of the activity measured with respect to
skipping to change at page 30, line 46 skipping to change at page 31, line 35
1. actual. This assessment describes activity that has occurred. 1. actual. This assessment describes activity that has occurred.
2. potential. This assessment describes potential activity that 2. potential. This assessment describes potential activity that
might occur. might occur.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.12.1. Impact Class 3.13.1. Impact Class
The Impact class allows for categorizing and describing the technical The Impact class allows for categorizing and describing the technical
impact of the incident on the network of an organization. impact of the incident on the network of an organization.
This class is based on the IDMEF [17]. This class is based on [RFC4765].
+------------------+ +------------------+
| Impact | | Impact |
+------------------+ +------------------+
| ML_STRING | | ML_STRING |
| | | |
| ENUM lang | | ENUM lang |
| ENUM severity | | ENUM severity |
| ENUM completion | | ENUM completion |
| ENUM type | | ENUM type |
skipping to change at page 31, line 32 skipping to change at page 32, line 25
+------------------+ +------------------+
Figure 18: Impact Class Figure 18: Impact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact. impact.
The Impact class has five attributes: The Impact class has five attributes:
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per [RFC4646] constrained
constrained by the definition of "xs:language". The by the definition of "xs:language". The interpretation of this
interpretation of this code is described in Section 6. code is described in Section 6.
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
1. low. Low severity 1. low. Low severity
2. medium. Medium severity 2. medium. Medium severity
skipping to change at page 32, line 44 skipping to change at page 33, line 35
10. unknown. The classification of this activity is unknown. 10. unknown. The classification of this activity is unknown.
11. ext-value. An escape value used to extend this attribute. 11. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
3.12.2. TimeImpact Class 3.13.2. TimeImpact Class
The TimeImpact class describes the impact of the incident on an The TimeImpact class describes the impact of the incident on an
organization as a function of time. It provides a way to convey down organization as a function of time. It provides a way to convey down
time and recovery time. time and recovery time.
+---------------------+ +---------------------+
| TimeImpact | | TimeImpact |
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| ENUM metric | | ENUM metric |
| STRING ext-metric | | STRING ext-metric |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 19: TimeImpact Class Figure 19: TimeImpact Class
The element content is a positive, floating point (REAL) number The element content is a positive, floating point (REAL) number
specifying a unit of time. The duration and metric attributes will specifying a unit of time. The duration and metric attributes will
imply the semantics of the element content. imply the semantics of the element content.
The TimeImpact class has five attributes: The TimeImpact class has five attributes:
severity severity
skipping to change at page 34, line 36 skipping to change at page 35, line 36
7. year. The unit of the element content is years. 7. year. The unit of the element content is years.
8. ext-value. An escape value used to extend this attribute. 8. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.12.3. MonetaryImpact Class 3.13.3. MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the The MonetaryImpact class describes the financial impact of the
activity on an organization. For example, this impact may consider activity on an organization. For example, this impact may consider
losses due to the cost of the investigation or recovery, diminished losses due to the cost of the investigation or recovery, diminished
productivity of the staff, or a tarnished reputation that will affect productivity of the staff, or a tarnished reputation that will affect
future opportunities. future opportunities.
+------------------+ +------------------+
| MonetaryImpact | | MonetaryImpact |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| STRING currency | | STRING currency |
+------------------+ +------------------+
Figure 20: MonetaryImpact Class Figure 20: MonetaryImpact Class
The element content is a positive, floating point number (REAL) The element content is a positive, floating point number (REAL)
specifying a unit of currency described in the currency attribute. specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes: The MonetaryImpact class has two attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
skipping to change at page 35, line 34 skipping to change at page 36, line 34
default value. default value.
1. low. Low severity 1. low. Low severity
2. medium. Medium severity 2. medium. Medium severity
3. high. High severity 3. high. High severity
currency currency
Optional. STRING. Defines the currency in which the monetary Optional. STRING. Defines the currency in which the monetary
impact is expressed. The permitted values are defined in ISO impact is expressed. The permitted values are defined in "Codes
4217:2001, Codes for the representation of currencies and funds for the representation of currencies and funds" of [ISO4217].
[14]. There is no default value. There is no default value.
3.12.4. Confidence Class 3.13.4. Confidence Class
The Confidence class represents a best estimate of the validity and The Confidence class represents a best estimate of the validity and
accuracy of the described impact (see Section 3.12) of the incident accuracy of the described impact (see Section 3.13) of the incident
activity. This estimate can be expressed as a category or a numeric activity. This estimate can be expressed as a category or a numeric
calculation. calculation.
This class if based upon the IDMEF [17]). This class if based upon [RFC4765].
+------------------+ +------------------+
| Confidence | | Confidence |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM rating | | ENUM rating |
+------------------+ +------------------+
Figure 21: Confidence Class Figure 21: Confidence Class
The element content expresses a numerical assessment in the The element content expresses a numerical assessment in the
confidence of the data when the value of the rating attribute is confidence of the data when the value of the rating attribute is
"numeric". Otherwise, this element MUST be empty. "numeric". Otherwise, this element MUST be empty.
The Confidence class has one attribute. The Confidence class has one attribute.
rating rating
skipping to change at page 36, line 38 skipping to change at page 37, line 38
2. medium. Medium confidence in the validity. 2. medium. Medium confidence in the validity.
3. high. High confidence in the validity. 3. high. High confidence in the validity.
4. numeric. The element content contains a number that conveys 4. numeric. The element content contains a number that conveys
the confidence of the data. The semantics of this number the confidence of the data. The semantics of this number
outside the scope of this specification. outside the scope of this specification.
5. unknown. The confidence rating value is not known. 5. unknown. The confidence rating value is not known.
3.13. History Class 3.14. History Class
The History class is a log of the significant events or actions The History class is a log of the significant events or actions
performed by the involved parties during the course of handling the performed by the involved parties during the course of handling the
incident. incident.
The level of detail maintained in this log is left up to the The level of detail maintained in this log is left up to the
discretion of those handling the incident. discretion of those handling the incident.
+------------------+ +------------------+
| History | | History |
skipping to change at page 37, line 26 skipping to change at page 38, line 26
HistoryItem HistoryItem
One or many. Entry in the history log of significant events or One or many. Entry in the history log of significant events or
actions performed by the involved parties. actions performed by the involved parties.
The History class has one attribute: The History class has one attribute:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
3.13.1. HistoryItem Class 3.14.1. HistoryItem Class
The HistoryItem class is an entry in the History (Section 3.13) log The HistoryItem class is an entry in the History (Section 3.14) log
that documents a particular action or event that occurred in the that documents a particular action or event that occurred in the
course of handling the incident. The details of the entry are a course of handling the incident. The details of the entry are a
free-form description, but each can be categorized with the type free-form description, but each can be categorized with the type
attribute. attribute.
+-------------------------+ +-------------------------+
| HistoryItem | | HistoryItem |
+-------------------------+ +-------------------------+
| ENUM restriction |<>----------[ DateTime ] | ENUM restriction |<>----------[ DateTime ]
| ENUM action |<>--{0..1}--[ IncidentId ] | ENUM action |<>--{0..1}--[ IncidentId ]
skipping to change at page 38, line 18 skipping to change at page 39, line 18
log, this class can be ignored. log, this class can be ignored.
Contact Contact
Zero or One. Provides contact information for the person that Zero or One. Provides contact information for the person that
performed the action documented in this class. performed the action documented in this class.
Description Description
Zero or many. ML_STRING. A free-form textual description of the Zero or many. ML_STRING. A free-form textual description of the
action or event. action or event.
DefinedCOA
Zero or many. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set
to "defined-coa".
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or many. A mechanism by which to extend the data model.
The HistoryItem class has five attributes: The HistoryItem class has five attributes:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
action action
Required. ENUM. Classifies a performed action or occurrence Required. ENUM. Classifies a performed action or occurrence
documented in this history log entry. As activity will likely documented in this history log entry. As activity will likely
have been instigated either through a previously conveyed have been instigated either through a previously conveyed
expectation or internal investigation, this attribute is identical expectation or internal investigation, this attribute is identical
to the category attribute of the Expectation class. The to the category attribute of the Expectation class. The
difference is only one of tense. When an action is in this class, difference is only one of tense. When an action is in this class,
it has been completed. See Section 3.15. it has been completed. See Section 3.16.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.14. EventData Class 3.15. EventData Class
The EventData class describes a particular event of the incident for The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered. activity on the organization, and any forensic evidence discovered.
+-------------------------+ +-------------------------+
| EventData | | EventData |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..1}--[ DetectTime ] | STRING indicator-uid |<>--{0..1}--[ DetectTime ]
| |<>--{0..1}--[ StartTime ] | STRING indicator-set-id |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ] | |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ] | |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
skipping to change at page 40, line 38 skipping to change at page 41, line 43
At least one of the aggregate classes MUST be present in an instance At least one of the aggregate classes MUST be present in an instance
of the EventData class. This is not enforced in the IODEF schema as of the EventData class. This is not enforced in the IODEF schema as
there is no simple way to accomplish it. there is no simple way to accomplish it.
The EventData class has two attributes: The EventData class has two attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.14.1. Relating the Incident and EventData Classes 3.15.1. Relating the Incident and EventData Classes
There is substantial overlap in the Incident and EventData classes. There is substantial overlap in the Incident and EventData classes.
Nevertheless, the semantics of these classes are quite different. Nevertheless, the semantics of these classes are quite different.
The Incident class provides summary information about the entire The Incident class provides summary information about the entire
incident, while the EventData class provides information about the incident, while the EventData class provides information about the
individual events comprising the incident. In the most common case, individual events comprising the incident. In the most common case,
the EventData class will provide more specific information for the the EventData class will provide more specific information for the
general description provided in the Incident class. However, it may general description provided in the Incident class. However, it may
also be possible that the overall summarized information about the also be possible that the overall summarized information about the
incident conflicts with some individual information in an EventData incident conflicts with some individual information in an EventData
class when there is a substantial composition of various events in class when there is a substantial composition of various events in
the incident. In such a case, the interpretation of the more the incident. In such a case, the interpretation of the more
specific EventData MUST supersede the more generic information specific EventData MUST supersede the more generic information
provided in IncidentData. provided in IncidentData.
3.14.2. Cardinality of EventData 3.15.2. Cardinality of EventData
The EventData class can be thought of as a container for the The EventData class can be thought of as a container for the
properties of an event in an incident. These properties include: the properties of an event in an incident. These properties include: the
hosts involved, impact of the incident activity on the hosts, hosts involved, impact of the incident activity on the hosts,
forensic logs, etc. With an instance of the EventData class, hosts forensic logs, etc. With an instance of the EventData class, hosts
(i.e., System class) are grouped around these common properties. (i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the The recursive definition (or instance property inheritance) of the
EventData class (the EventData class is aggregated into the EventData EventData class (the EventData class is aggregated into the EventData
class) provides a way to relate information without requiring the class) provides a way to relate information without requiring the
skipping to change at page 41, line 46 skipping to change at page 43, line 19
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
+------------------+ +------------------+
Figure 25: Recursion in the EventData Class Figure 25: Recursion in the EventData Class
3.15. Expectation Class 3.16. Expectation Class
The Expectation class conveys to the recipient of the IODEF document The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested the actions the sender is requesting. The scope of the requested
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------------+ +-------------------------+
| Expectation | | Expectation |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..1}--[ StartTime ] | ENUM severity |<>--{0..*}--[ DefinedCOA ]
| ENUM action |<>--{0..1}--[ EndTime ] | ENUM action |<>--{0..1}--[ StartTime ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ EndTime ]
| STRING indicator-uid | | STRING indicator-uid |<>--{0..1}--[ Contact ]
| STRING indicator-set-id | | STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 26: The Expectation Class Figure 26: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes that constitute Expectation are:
Description Description
Zero or many. ML_STRING. A free-form description of the desired Zero or many. ML_STRING. A free-form description of the desired
action(s). action(s).
DefinedCOA
Zero or many. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set
to "defined-coa".
StartTime StartTime
Zero or one. The time at which the sender would like the action Zero or one. The time at which the sender would like the action
performed. A timestamp that is earlier than the ReportTime performed. A timestamp that is earlier than the ReportTime
specified in the Incident class denotes that the sender would like specified in the Incident class denotes that the sender would like
the action performed as soon as possible. The absence of this the action performed as soon as possible. The absence of this
element indicates no expections of when the recipient would like element indicates no expections of when the recipient would like
the action performed. the action performed.
EndTime EndTime
Zero or one. The time by which the sender expects the recipient Zero or one. The time by which the sender expects the recipient
skipping to change at page 44, line 8 skipping to change at page 45, line 38
13. status-triage. Conveys receipts and the triaging of an 13. status-triage. Conveys receipts and the triaging of an
incident. incident.
14. status-new-info. Conveys that new information was received 14. status-new-info. Conveys that new information was received
for this incident. for this incident.
15. watch-and-report. Watch for the described activity and share 15. watch-and-report. Watch for the described activity and share
if seen. if seen.
16. other. Perform some custom action described in the 16. defined-coa. Perform a predefined course of action (COA).
The COA is named in the DefinedCOA class.
17. other. Perform some custom action described in the
Description class. Description class.
17. ext-value. An escape value used to extend this attribute. 18. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.16. Flow Class 3.17. Flow Class
The Flow class groups related the source and target hosts. The Flow class groups related the source and target hosts.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
Figure 27: The Flow Class Figure 27: The Flow Class
The aggregate class that constitutes Flow is: The aggregate class that constitutes Flow is:
System System
One or More. A host or network involved in an event. One or More. A host or network involved in an event.
The Flow class has no attributes. The Flow class has no attributes.
3.17. System Class 3.18. System Class
The System class describes a system or network involved in an event. The System class describes a system or network involved in an event.
The systems or networks represented by this class are categorized The systems or networks represented by this class are categorized
according to the role they played in the incident through the according to the role they played in the incident through the
category attribute. The value of this category attribute dictates category attribute. The value of this category attribute dictates
the semantics of the aggregated classes in the System class. If the the semantics of the aggregated classes in the System class. If the
category attribute has a value of "source", then the aggregated category attribute has a value of "source", then the aggregated
classes denote the machine and service from which the activity is classes denote the machine and service from which the activity is
originating. With a category attribute value of "target" or originating. With a category attribute value of "target" or
"intermediary", then the machine or service is the one targeted in "intermediary", then the machine or service is the one targeted in
skipping to change at page 46, line 33 skipping to change at page 48, line 28
IODEF document exchange. IODEF document exchange.
8. ext-value. An escape value used to extend this attribute. 8. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
interface interface
Optional. STRING. Specifies the interface on which the event(s) Optional. STRING. Specifies the interface on which the event(s)
on this System originated. If the Node class specifies a network on this System originated. If the Node class specifies a network
rather than a host, this attribute has no meaning. rather than a host, this attribute has no meaning.
spoofed spoofed
Optional. ENUM. An indication of confidence in whether this Optional. ENUM. An indication of confidence in whether this
System was the true target or attacking host. The permitted System was the true target or attacking host. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
skipping to change at page 48, line 5 skipping to change at page 49, line 41
6. unknown. The ownership of the System is unknown. 6. unknown. The ownership of the System is unknown.
7. ext-value. An escape value used to extend this attribute. 7. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-ownership ext-ownership
Optional. STRING. A means by which to extend the ownership Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1. attribute. See Section 5.1.
3.18. Node Class 3.19. Node Class
The Node class names an asset or network. The Node class names an asset or network.
This class was derived from the IDMEF [17]. This class was derived from [RFC4765].
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ NodeName ] | |<>--{0..*}--[ NodeName ]
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ] | |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ Location ] | |<>--{0..1}--[ PostalAddress ]
| |<>--{0..1}--[ DateTime ] | |<>--{0..1}--[ Location ]
| |<>--{0..*}--[ NodeRole ] | |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ Counter ]
+---------------+ +---------------+
Figure 29: The Node Class Figure 29: The Node Class
The aggregate classes that constitute Node are: The aggregate classes that constitute Node are:
NodeName NodeName
Zero or more. ML_STRING. The name of the Node (e.g., fully Zero or more. ML_STRING. The name of the Node (e.g., fully
qualified domain name). This information MUST be provided if no qualified domain name). This information MUST be provided if no
Address information is given. Address or DomainData information is given.
DomainData DomainData
Zero or more. The DomainData Class and Subclasses from RFC 5901. Zero or more. TODO. The DomainData Class and Subclasses from RFC
5901.
Address Address
Zero or more. The hardware, network, or application address of Zero or more. The hardware, network, or application address of
the Node. If a NodeName is not provided, at least one Address the Node. If a NodeName or DomainData is not provided, at least
MUST be specified. one Address MUST be specified.
PostalAddress
Zero or one. The postal address of the asset.
Location Location
Zero or one. ML_STRING. A free-from description of the physical Zero or one. ML_STRING. A free-from description of the physical
location of the equipment. location of the Node. This description may provide a more
detailed description of where in the PostalAddress this Node is
found (e.g., room number, rack number, slot number in a chassis).
DateTime DateTime
Zero or one. A timestamp of when the resolution between the name Zero or one. A timestamp of when the resolution between the name
and address was performed. This information MAY be provided if and address was performed. This information MAY be provided if
both an Address and NodeName are specified. both an Address and NodeName are specified.
NodeRole NodeRole
Zero or more. The intended purpose of the Node. Zero or more. The intended purpose of the Node.
Counter Counter
Zero or more. A counter with which to summarizes properties of Zero or more. A counter with which to summarizes properties of
this host or network. this host or network.
The Node class has no attributes. The Node class has no attributes.
3.18.1. Counter Class 3.19.1. Address Class
The Counter class summarize multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions,
events).
The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics
are entirely context dependant based on the class in which the
Counter is aggregated.
+---------------------+
| Counter |
+---------------------+
| REAL |
| |
| ENUM type |
| STRING ext-type |
| STRING meaning |
| ENUM duration |
| STRING ext-duration |
+---------------------+
Figure 30: The Counter Class
The Counter class has five attribute:
type
Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes.
2. packet. Count of packets.
3. flow. Count of flow (e.g., NetFlow records).
4. session. Count of sessions.
5. alert. Count of notifications generated by another system
(e.g., IDS or SIM).
6. message. Count of messages (e.g., mail messages).
7. event. Count of events.
8. host. Count of hosts.
9. site. Count of site.
10. organization. Count of organizations.
11. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
meaning
Optional. STRING. A free-form description of the metric
represented by the Counter.
duration
Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type
attribute specified the nominator). The possible values of this
attribute are defined in Section 3.12.2
ext-duration
Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.
3.18.2. Address Class
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address. or application (layer-7) address.
This class was derived from the IDMEF [17]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Address | | Address |
+-------------------------+ +-------------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
| STRING indicator-uid | | STRING indicator-uid |
| STRING indicator-set-id | | STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 31: The Address Class Figure 30: The Address Class
The Address class has five attributes: The Address class has five attributes:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". "ipv4-addr".
1. asn. Autonomous System Number 1. asn. Autonomous System Number
skipping to change at page 51, line 49 skipping to change at page 52, line 13
(a.b.c.d/w.x.y.z) (a.b.c.d/w.x.y.z)
7. ipv6-addr. IPv6 host address 7. ipv6-addr. IPv6 host address
8. ipv6-net. IPv6 network address, slash, significant bits 8. ipv6-net. IPv6 network address, slash, significant bits
9. ipv6-net-mask. IPv6 network address, slash, network mask 9. ipv6-net-mask. IPv6 network address, slash, network mask
10. mac. Media Access Control (MAC) address 10. mac. Media Access Control (MAC) address
11. site-uri. A URL or URI for a site. 11. site-uri. A URL or URI for a resource.
12. ext-value. An escape value used to extend this attribute. 12. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
vlan-name vlan-name
Optional. STRING. The name of the Virtual LAN to which the Optional. STRING. The name of the Virtual LAN to which the
address belongs. address belongs.
vlan-num vlan-num
Optional. STRING. The number of the Virtual LAN to which the Optional. STRING. The number of the Virtual LAN to which the
address belongs. address belongs.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
3.18.3. NodeRole Class indicator-set-id
Optional. STRING. See Section 3.3.2.
3.19.2. NodeRole Class
The NodeRole class describes the intended function performed by a The NodeRole class describes the intended function performed by a
particular host. particular host.
+---------------------+ +---------------------+
| NodeRole | | NodeRole |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 32: The NodeRole Class Figure 31: The NodeRole Class
The NodeRole class has three attributes: The NodeRole class has three attributes:
category category
Required. ENUM. Functionality provided by a node. Required. ENUM. Functionality provided by a node.
1. client. Client computer 1. client. Client computer
2. client-enterprise. Client computer on the enterprise network 2. client-enterprise. Client computer on the enterprise network
skipping to change at page 54, line 24 skipping to change at page 54, line 40
36. scada-supervisory. Supervisory system for a SCADA 36. scada-supervisory. Supervisory system for a SCADA
37. ext-value. An escape value used to extend this attribute. 37. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per RFC 4646 [7] Optional. ENUM. A valid language code per [RFC4646] constrained
constrained by the definition of "xs:language". The by the definition of "xs:language". The interpretation of this
interpretation of this code is described in Section 6. code is described in Section 6.
3.19. Service Class 3.19.3. Counter Class
The Counter class summarize multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions,
events).
The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics
are entirely context dependant based on the class in which the
Counter is aggregated.
+---------------------+
| Counter |
+---------------------+
| REAL |
| |
| ENUM type |
| STRING ext-type |
| STRING meaning |
| ENUM duration |
| STRING ext-duration |
+---------------------+
Figure 32: The Counter Class
The Counter class has five attribute:
type
Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes.
2. packet. Count of packets.
3. flow. Count of flow (e.g., NetFlow records).
4. session. Count of sessions.
5. alert. Count of notifications generated by another system
(e.g., IDS or SIM).
6. message. Count of messages (e.g., mail messages).
7. event. Count of events.
8. host. Count of hosts.
9. site. Count of site.
10. organization. Count of organizations.
11. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
meaning
Optional. STRING. A free-form description of the metric
represented by the Counter.
duration
Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type
attribute specified the nominator). The possible values of this
attribute are defined in Section 3.13.2
ext-duration
Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.
3.20. DomainData Class
...TODO...
+-------------------------+
| DomainData |
+-------------------------+
| ENUM SystemStatus |<>----------[ Name ]
| ENUM DomainStatus |<>--{0..1}--[ DateDomainWasChecked ]
| STRING indicator-uid |<>--{0..1}--[ RegistrationDate ]
| STRING indicator-set-id |<>--{0..1}--[ ExpirationDate ]
| |<>--{0..*}--[ RelatedDNS ]
| |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ]
| |
+-------------------------+
Figure 33: The DomainData Class
3.20.1. RelatedDNS
...TODO...
+---------------------+
| RelatedDNS |
+---------------------+
| STRING |
| |
| ENUM RecordType |
| ENUM ext-RecordType |
+---------------------+
Figure 34: The RelatedDNS Class
3.20.2. Nameservers Class
...TODO...
+--------------------+
| Nameservers |
+--------------------+
| |<>----------[ Server ]
| |<>--{1..*}--[ Address ]
+--------------------+
Figure 35: The Nameservers Class
3.20.3. DomainContacts Class
...TODO...
+--------------------+
| DomainContacts |
+--------------------+
| |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ]
+--------------------+
Figure 36: The DomainContacts Class
3.21. Service Class
The Service class describes a network service of a host or network. The Service class describes a network service of a host or network.
The service is identified by specific port or list of ports, along The service is identified by specific port or list of ports, along
with the application listening on that port. with the application listening on that port.
When Service occurs as an aggregate class of a System that is a When Service occurs as an aggregate class of a System that is a
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
This class was derived from the IDMEF [17]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
| INTEGER ip_protocol |<>--{0..1}--[ Port ] | INTEGER ip_protocol |<>--{0..1}--[ Port ]
| STRING indicator-uid |<>--{0..1}--[ Portlist ] | STRING indicator-uid |<>--{0..1}--[ Portlist ]
| STRING indicator-set-id |<>--{0..1}--[ ProtoCode ] | STRING indicator-set-id |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..1}--[ Application ] | |<>--{0..*}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailInfo ]
| |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 33: The Service Class Figure 37: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
ProtoCode ProtoCode
Zero or one. INTEGER. A layer-4 protocol-specific code field Zero or one. INTEGER. A transport layer (layer 4) protocol-
(e.g., ICMP code field). specific code field (e.g., ICMP code field).
ProtoType ProtoType
Zero or one. INTEGER. A layer-4 protocol specific type field Zero or one. INTEGER. A transport layer (layer 4) protocol
(e.g., ICMP type field). specific type field (e.g., ICMP type field).
ProtoField ProtoField
Zero or one. INTEGER. A layer-4 protocol specific flag field Zero or one. INTEGER. A transport layer (layer 4) protocol
(e.g., TCP flag field). specific flag field (e.g., TCP flag field).
ApplicationHeader
Zero or many. An application layer (layer 7) protocol header.
See Section 3.21.1.
EmailInfo
Zero or one. TODO. See Section 3.23.
Application Application
Zero or one. The application bound to the specified Port or Zero or one. The application bound to the specified Port or
Portlist. Portlist. See Section 3.21.2.
Either a Port or Portlist class MUST be specified for a given Either a Port or Portlist class MUST be specified for a given
instance of a Service class. instance of a Service class.
When a given System classes with category="source" and another with When a given System classes with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Porlists exists. If N ports are listed relationship between these Porlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
skipping to change at page 56, line 15 skipping to change at page 59, line 26
target. If N is greater than 1, a given instance of a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
The Service class has three attributes: The Service class has three attributes:
ip_protocol ip_protocol
Required. INTEGER. The IANA protocol number. Required. INTEGER. The IANA protocol number.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.19.1. Application Class 3.21.1. ApplicationHeader Class
The ApplicationHeader class allows the representation of arbitrary
fields from an application layer protocol header and its
corresponding value.
+--------------------------+
| ApplicationHeader |
+--------------------------+
| ANY |
| |
| INTEGER proto |
| STRING field |
| ENUM dtype |
| STRING indicator-uid |
| STRING indicator-set-uid |
+--------------------------+
Figure 38: The ApplicationHeader Class
The ApplicationHeader class has five attributes:
proto
Required. INTEGER. The IANA protocol number from xxx corrending
to the protocol whose field will be represented.
field
Required. STRING. The name of the protocol field whose value
will be found in the element body.
dtype
Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string".
1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE.
3. bytes. The element content is of type HEXBIN.
4. character. The element content is of type CHARACTER.
5. date-time. The element content is of type DATETIME.
6. integer. The element content is of type INTEGER.
7. portlist. The element content is of type PORTLIST.
8. real. The element content is of type REAL.
9. string. The element content is of type STRING.
10. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type.
11. path. The element content is a file-system path encoded as a
STRING type.
12. xml. The element content is XML. See Section 5.
13. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.21.2. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
| STRING configid | | STRING configid |
| STRING vendor | | STRING vendor |
| STRING family | | STRING family |
| STRING name | | STRING name |
| STRING version | | STRING version |
| STRING patch | | STRING patch |
+--------------------+ +--------------------+
Figure 34: The Application Class Figure 39: The Application Class
The aggregate class that constitute Application is: The aggregate class that constitute Application is:
URL URL
Zero or one. URL. A URL describing the application. Zero or one. URL. A URL describing the application.
The Application class has seven attributes: The Application class has seven attributes:
swid swid
Optional. STRING. An identifier that can be used to reference Optional. STRING. An identifier that can be used to reference
skipping to change at page 57, line 23 skipping to change at page 62, line 9
name name
Optional. STRING. Name of the software. Optional. STRING. Name of the software.
version version
Optional. STRING. Version of the software. Optional. STRING. Version of the software.
patch patch
Optional. STRING. Patch or service pack level of the software. Optional. STRING. Patch or service pack level of the software.
3.20. OperatingSystem Class 3.22. OperatingSystem Class
The OperatingSystem class describes the operating system running on a The OperatingSystem class describes the operating system running on a
System. The definition is identical to the Application class System. The definition is identical to the Application class
(Section 3.19.1). (Section 3.21.2).
3.21. Record Class 3.23. EmailInfo Class
The EmailInfo class describes common headers from email messages.
+-------------------------+
| EmailInfo |
+-------------------------+
| STRING indicator-uid |<>--{0..1}--[ EmailFrom ]
| STRING indicator-set-id |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ]
+-------------------------+
Figure 40: EmailInfo Class
The aggregate class that constitutes EmailInfo are:
EmailFrom
Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322].
EmailSubject
Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322].
EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an
email.
The EmailInfo class has two attributes:
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.24. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------+ +------------------+
| Record | | Record |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
+------------------+ +------------------+
Figure 35: Record Class Figure 41: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has one attribute: The Record class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.21.1. RecordData Class 3.24.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+-------------------------+ +-------------------------+
| RecordData | | RecordData |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..1}--[ Application ] | STRING indicator-set-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashInformation ] | |<>--{0..1}--[ HashInformation ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 36: The RecordData Class Figure 42: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
skipping to change at page 59, line 14 skipping to change at page 64, line 38
Zero or more. The registry keys that were modified that are Zero or more. The registry keys that were modified that are
indicator(s). indicator(s).
AdditionalData AdditionalData
Zero or more. An extension mechanism for data not explicitly Zero or more. An extension mechanism for data not explicitly
represented in the data model. represented in the data model.
The RecordData class has three attribute: The RecordData class has three attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.21.2. RecordPattern Class 3.24.2. RecordPattern Class
The RecordPattern class describes where in the content of the The RecordPattern class describes where in the content of the
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 37: The RecordPattern Class Figure 43: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex".
1. regex. regular expression, per Appendix F of [3]. 1. regex. regular expression, per Appendix F of
[W3C.SCHEMA.DTYPES].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex encoded binary pattern, per the HEXBIN data
type. type.
3. xpath. XML Path (XPath) [5] 3. xpath. XML Path (XPath) [W3C.XPATH]
4. ext-value. An escape value used to extend this attribute. 4. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
offset offset
Optional. INTEGER. Amount of units (determined by the offsetunit Optional. INTEGER. Amount of units (determined by the offsetunit
skipping to change at page 60, line 43 skipping to change at page 66, line 18
See Section 5.1. See Section 5.1.
ext-offsetunit ext-offsetunit
Optional. STRING. A means by which to extend the offsetunit Optional. STRING. A means by which to extend the offsetunit
attribute. See Section 5.1. attribute. See Section 5.1.
instance instance
Optional. INTEGER. Number of types to apply the specified Optional. INTEGER. Number of types to apply the specified
pattern. pattern.
3.21.3. RecordItem Class 3.24.3. RecordItem Class
The RecordItem class provides a way to incorporate relevant logs, The RecordItem class provides a way to incorporate relevant logs,
audit trails, or forensic data to support the conclusions made during audit trails, or forensic data to support the conclusions made during
the course of analyzing the incident. The class supports both the the course of analyzing the incident. The class supports both the
direct encapsulation of the data, as well as, provides primitives to direct encapsulation of the data, as well as, provides primitives to
reference data stored elsewhere. reference data stored elsewhere.
This class is identical to AdditionalData class (Section 3.8). This class is identical to AdditionalData class (Section 3.9).
3.22. RegistryKeyModified Class 3.25. WindowsRegistryKeysModified Class
The Registry Key Modified class represents operating system registry The WindowsRegistryKeysModified class describes Windows operating
keys that have been modified as part and may constitue an indicator system registry keys and the operations that were performed on them.
of compromise. This class was derived from [RFC5901].
+-----------------------+ +-----------------------------+
| RegistryKeyModified | | WindowsRegistryKeysModified |
+-----------------------+ +-----------------------------+
| |<>----------[ Key ] | STRING indicator-uid |<>--{1..*}--[ Key ]
+-----------------------+ | STRING indicator-set-id |
+-----------------------------+
Figure 38: The RegistryKeyModified Class Figure 44: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the Registry Key Modified class The aggregate class that constitutes the WindowsRegistryKeysModified
is: class is:
Key Key
One. The Window Registry Key. One or many. The Window registry key.
3.22.1. Key Class The WindowsRegistryKeysModified class has two attributes:
The Key class shows name and value pairs representing an operating indicator-uid
system registry key and its value. The key and value are encoded as Optional. STRING. See Section 3.3.2.
in Microsoft .reg files.
+--------------------------+ indicator-set-id
| Key | Optional. STRING. See Section 3.3.2.
+--------------------------+
| ENUM regsitryaction |<>--{0..*}--[ KeyName ]
| STRING ext-category |<>--{0..*}--[ Value ]
| ENUM type |
| STRING ext-type |
| STRING indicator-uid |
| STRING inidicator-set-id |
+--------------------------+
Figure 39: The Registry Key Modified Class 3.25.1. Key Class
The Key class describes a particular Windows operating system
registry key name and value pair, and the operation performed on it.
+---------------------------+
| Key |
+---------------------------+
| ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ENUM type |
| STRING ext-type |
+---------------------------+
Figure 45: The Key Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
Zero or more. STRING. The name of the registry key. One. STRING. The name of the Windows operating system registry
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
Value KeyValue
Zero or more. STRING. The value of the registry key. Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516].
The Key class has six attributes: The Key class has four attributes:
registryaction registryaction
Optional. ENUM. The type of action. Optional. ENUM. The type of action taken on the registry key.
1. add-key. Registry key added. 1. add-key. Registry key added.
2. add-value. Value added to registry key. 2. add-value. Value added to registry key.
3. delete-key. Registry key deleted. 3. delete-key. Registry key deleted.
4. delete-value. Value deleted from registry key. 4. delete-value. Value deleted from registry key.
5. modify-key. Registry key modified. 5. modify-key. Registry key modified.
6. modify-value. Value modified for registry key. 6. modify-value. Value modified for registry key.
7. ext-value. External value. 7. ext-value. External value.
ext-category ext-registryaction
Optional. Extension category. Optional. A means by which to extend the registryaction
attribute. See Section 5.1.
type type
Optional. Type Optional. TODO.
1. watchlist. Registry key information that is provided in a 1. watchlist. Registry key information that is provided in a
watchlist. watchlist.
2. ext-value. Registry key information from an external source. 2. ext-value. Registry key information from an external source.
ext-type
Optional. A means by which to extend the type attribute. See
Section 5.1.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
3.23. HashInformation Class 3.26. HashInformation Class
This class are the hash and signature details that are needed for This class are the hash and signature details that are needed for
providing context for indicators. providing context for indicators.
+--------------------------+ +--------------------------+
| HashInformation | | HashInformation |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-category |<>--{0..*}--[ FileSize ] | STRING ext-type |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ ds:Signature ] | BOOL valid |<>--{0..*}--[ ds:Signature ]
| STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ] | STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ]
| STRING inidicator-set-id |<>--{0..*}--[ ds:Reference ] | STRING indicator-set-id |<>--{0..*}--[ ds:Reference ]
+--------------------------+ +--------------------------+
Figure 40: The Hash Sig Details Class Figure 46: The HashInformation Class
The aggregate classes that constitutes HashInformation are: The aggregate classes that constitutes HashInformation are:
FileName FileName
Zero or more. ML_STRING. The name of the file. Zero or more. ML_STRING. The name of the file.
FileSize FileSize
Zero or more. INTEGER. The size of the file in bytes. Zero or more. INTEGER. The size of the file in bytes.
ds:Signature ds:Signature
Zero or more. Zero or more.
ds:KeyInfo ds:KeyInfo
Zero or more. Zero or more.
ds:Reference ds:Reference
Zero or more. The algorithm identification and value of a hash Zero or more. The algorithm identification and value of a hash
computed over the malware executable. This entire element is computed over a file. This element is defined in [RFC3275].
imported from [RFC3275]. Refer to RFC 5901. Refer to RFC 5901.
The HashInformation class has five attributes: The HashInformation class has five attributes:
type type
Optional. ENUM. The Hash Type. Optional. ENUM. The Hash Type.
1. PKI-email-ds. PKI email digital signature. 1. PKI-email-ds. PKI email digital signature.
2. PKI-file-ds. PKI file digital signature. 2. PKI-file-ds. PKI file digital signature.
skipping to change at page 64, line 21 skipping to change at page 69, line 47
signatures signatures
9. file-hash. A file hash. 9. file-hash. A file hash.
10. email-hash. An email hash. 10. email-hash. An email hash.
11. file-hash-watchlist. Watchlist of file hashes 11. file-hash-watchlist. Watchlist of file hashes
12. email-hash-watchlist. Watchlist of email hashes 12. email-hash-watchlist. Watchlist of email hashes
13. ext-value. Extension value. 13. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
valid
Optional. BOOLEAN. Indicates if the signature or hash is valid.
indicator-uid indicator-uid
Optional. STRING. A unique identifier for an Indicator. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. The indicator set ID is used to group related Optional. STRING. See Section 3.3.2.
indicators.
4. Processing Considerations 4. Processing Considerations
This section defines additional requirements on creating and parsing This section defines additional requirements on creating and parsing
IODEF documents. IODEF documents.
4.1. Encoding 4.1. Encoding
Every IODEF document MUST begin with an XML declaration, and MUST Every IODEF document MUST begin with an XML declaration, and MUST
specify the XML version used. If UTF-8 encoding is not used, the specify the XML version used. If UTF-8 encoding is not used, the
skipping to change at page 64, line 52 skipping to change at page 70, line 38
The XML declaration with no character encoding will read as follows: The XML declaration with no character encoding will read as follows:
<?xml version="1.0" ?> <?xml version="1.0" ?>
When a character encoding is specified, the XML declaration will read When a character encoding is specified, the XML declaration will read
like the following: like the following:
<?xml version="1.0" encoding="charset" ?> <?xml version="1.0" encoding="charset" ?>
Where "charset" is the name of the character encoding as registered Where "charset" is the name of the character encoding as registered
with the Internet Assigned Numbers Authority (IANA), see [9]. with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
The following characters have special meaning in XML and MUST be The following characters have special meaning in XML and MUST be
escaped with their entity reference equivalent: "&", "<", ">", "\"" escaped with their entity reference equivalent: "&", "<", ">", "\""
(double quotation mark), and "'" (apostrophe). These entity (double quotation mark), and "'" (apostrophe). These entity
references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;" references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
respectively. respectively.
4.2. IODEF Namespace 4.2. IODEF Namespace
The IODEF schema declares a namespace of The IODEF schema declares a namespace of
"urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4]. Each "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
IODEF document MUST include a valid reference to the IODEF schema Each IODEF document MUST include a valid reference to the IODEF
using the "xsi:schemaLocation" attribute. An example of such a schema using the "xsi:schemaLocation" attribute. An example of such
declaration would look as follows: a declaration would look as follows:
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-1.0" xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0"
4.3. Validation 4.3. Validation
The IODEF documents MUST be well-formed XML. It is RECOMMENDED that The IODEF documents MUST be well-formed XML. It is RECOMMENDED that
recipients validate the document against the schema described in recipients validate the document against the schema described in
Section 8. However, mere conformance to the schema is not sufficient Section 8. However, mere conformance to the schema is not sufficient
for a semantically valid IODEF document. There is additional for a semantically valid IODEF document. There is additional
specification in the text of Section 3 that cannot be readily encoded specification in the text of Section 3 that cannot be readily encoded
in the schema and it must also be considered by an IODEF parser. The in the schema and it must also be considered by an IODEF parser. The
following is a list of discrepancies in what is more strictly following is a list of discrepancies in what is more strictly
skipping to change at page 65, line 44 skipping to change at page 71, line 32
IODEF schema: IODEF schema:
o The elements or attributes that are defined as POSTAL, NAME, o The elements or attributes that are defined as POSTAL, NAME,
PHONE, and EMAIL data-types are implemented as "xs:string", but PHONE, and EMAIL data-types are implemented as "xs:string", but
more rigid formatting requirements are specified in the text. more rigid formatting requirements are specified in the text.
o The IODEF-Document@lang and MLStringType@lang attributes are o The IODEF-Document@lang and MLStringType@lang attributes are
declared as an "xs:language" that constrains values with a regular declared as an "xs:language" that constrains values with a regular
expression. However, the value of this attribute still needs to expression. However, the value of this attribute still needs to
be validated against the list of possible enumerated values is be validated against the list of possible enumerated values is
defined in [7]. defined in [RFC4646].
o The MonetaryImpact@currency attribute is declared as an o The MonetaryImpact@currency attribute is declared as an
"xs:string", but the list of valid values as defined in [14]. "xs:string", but the list of valid values as defined in [ISO4217].
o All of the aggregated classes Contact and EventData are optional o All of the aggregated classes Contact and EventData are optional
in the schema, but at least one of these aggregated classes MUST in the schema, but at least one of these aggregated classes MUST
be present. be present.
o There are multiple conventions that can be used to categorize a o There are multiple conventions that can be used to categorize a
system using the NodeRole class or to specify software with the system using the NodeRole class or to specify software with the
Application and OperatingSystem classes. IODEF parsers MUST Application and OperatingSystem classes. IODEF parsers MUST
accept incident reports that do not use these fields in accordance accept incident reports that do not use these fields in accordance
with local conventions. with local conventions.
skipping to change at page 66, line 22 skipping to change at page 72, line 10
content of Confidence should be empty. content of Confidence should be empty.
o The Address@type attribute determines the format of the element o The Address@type attribute determines the format of the element
content. content.
o The attributes AdditionalData@dtype and RecordItem@dtype derived o The attributes AdditionalData@dtype and RecordItem@dtype derived
from iodef:ExtensionType determine the semantics and formatting of from iodef:ExtensionType determine the semantics and formatting of
the element content. the element content.
o Symmetry in the enumerated ports of a Portlist class is required o Symmetry in the enumerated ports of a Portlist class is required
between sources and targets. See Section 3.19. between sources and targets. See Section 3.21.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the changing activity of CSIRTS, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
IODEF schema. With proven value, well documented extensions can be IODEF schema. With proven value, well documented extensions can be
incorporated into future versions of the specification. However, incorporated into future versions of the specification. However,
skipping to change at page 69, line 33 skipping to change at page 75, line 33
Internationalization and localization is of specific concern to the Internationalization and localization is of specific concern to the
IODEF, since it is only through collaboration, often across language IODEF, since it is only through collaboration, often across language
barriers, that certain incidents be resolved. The IODEF supports barriers, that certain incidents be resolved. The IODEF supports
this goal by depending on XML constructs, and through explicit design this goal by depending on XML constructs, and through explicit design
choices in the data model. choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports Since IODEF is implemented as an XML Schema, it implicitly supports
all the different character encodings, such as UTF-8 and UTF-16, all the different character encodings, such as UTF-8 and UTF-16,
possible with XML. Additionally, each IODEF document MUST specify possible with XML. Additionally, each IODEF document MUST specify
the language in which their contents are encoded. The language can the language in which their contents are encoded. The language can
be specified with the attribute "xml:lang" (per Section 2.12 of [1]) be specified with the attribute "xml:lang" (per Section 2.12 of
in the top-level element (i.e., IODEF-Document@lang) and letting all [W3C.XML]) in the top-level element (i.e., IODEF-Document@lang) and
other elements inherit that definition. All IODEF classes with a letting all other elements inherit that definition. All IODEF
free-form text definition (i.e., all those defined of type classes with a free-form text definition (i.e., all those defined of
iodef:MLStringType) can also specify a language different from the type iodef:MLStringType) can also specify a language different from
rest of the document. The valid language codes for the "xml:lang" the rest of the document. The valid language codes for the
attribute are described in RFC 4646 [7]. "xml:lang" attribute are described in [RFC4646].
The data model supports multiple translations of free-form text. In The data model supports multiple translations of free-form text. In
the places where free-text is used for descriptive purposes, the the places where free-text is used for descriptive purposes, the
given class always has a one-to-many cardinality to its parent (e.g., given class always has a one-to-many cardinality to its parent (e.g.,
Description class). The intent is to allow the identical text to be Description class). The intent is to allow the identical text to be
encoded in different instances of the same class, but each being in a encoded in different instances of the same class, but each being in a
different language. This approach allows an IODEF document author to different language. This approach allows an IODEF document author to
send recipients speaking different languages an identical document. send recipients speaking different languages an identical document.
The IODEF parser SHOULD extract the appropriate language relevant to The IODEF parser SHOULD extract the appropriate language relevant to
the recipient. the recipient.
skipping to change at page 76, line 43 skipping to change at page 82, line 43
</Flow> </Flow>
<!-- Expectation class recommends that these networks <!-- Expectation class recommends that these networks
be filtered --> be filtered -->
<Expectation action="block-host" /> <Expectation action="block-host" />
</EventData> </EventData>
</Incident> </Incident>
</IODEF-Document> </IODEF-Document>
8. The IODEF Schema 8. The IODEF Schema
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="qualified" elementFormDefault="qualified"
attributeFormDefault="unqualified"> attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis Incident Object Description Exchange Format v2.0, RFC5070-bis
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!-- <!--
================================================================== ==================================================================
skipping to change at page 78, line 5 skipping to change at page 84, line 5
<!-- <!--
================================================================== ==================================================================
== IODEF-Document class == == IODEF-Document class ==
================================================================== ==================================================================
--> -->
<xs:element name="IODEF-Document"> <xs:element name="IODEF-Document">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Incident" <xs:element ref="iodef:Incident"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="version" <xs:attribute name="version"
type="xs:string" fixed="2.00"/> type="xs:string" fixed="2.00"/>
<xs:attribute name="lang" <xs:attribute name="lang"
type="xs:language" use="required"/> type="xs:language" use="required"/>
<xs:attribute name="formatid" <xs:attribute name="formatid"
type="xs:string"/> type="xs:string"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
=== Incident class === === Incident class ===
================================================================== ==================================================================
--> -->
<xs:element name="Incident"> <xs:element name="Incident">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:IncidentID"/>
<!-- CHANGE - the incidentID can still be used,
but when you have a set of indicators or include
a watch list, a ReportID may be preferred. If
this is agreed upon, do we make them both unique
so the same key can be used in databases? This
should not be used as your index value unless you
are the issuing entity. -->
<xs:element name="ReportID" type="IncidentIDType"/>
</xs:choice>
<xs:element ref="iodef:AlternativeID" <xs:element ref="iodef:AlternativeID"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity" <xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" <xs:element ref="iodef:DetectTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
skipping to change at page 79, line 30 skipping to change at page 85, line 21
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-purpose" <xs:attribute name="ext-purpose"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="lang" <xs:attribute name="lang"
type="xs:language"/> type="xs:language"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" default="private"/> type="iodef:restriction-type" default="private"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== IncidentID class == == IncidentID class ==
================================================================== ==================================================================
--> -->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/> <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
skipping to change at page 85, line 44 skipping to change at page 91, line 38
<xs:element name="HistoryItem"> <xs:element name="HistoryItem">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime"/> <xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" use="required"/> type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
skipping to change at page 86, line 20 skipping to change at page 92, line 19
<!-- <!--
================================================================== ==================================================================
== Expectation class == == Expectation class ==
================================================================== ==================================================================
--> -->
<xs:element name="Expectation"> <xs:element name="Expectation">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" default="other"/> type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Method class == == Method class ==
================================================================== ==================================================================
--> -->
<xs:element name="Method"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
skipping to change at page 87, line 35 skipping to change at page 93, line 36
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<!-- CHANGE: Do we want an indicator_set_id here to connect <!-- CHANGE: Do we want an indicator_set_id here to connect
data in the reference class to specific indicators? data in the reference class to specific indicators?
is there a better way to do this? is there a better way to do this?
Should the indicator_uid be used to mark data so that Should the indicator_uid be used to mark data so that
you have a way to limit who you share that data with you have a way to limit who you share that data with
in products? in products?
--> -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- Adding in Attack Type --> <!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type" <xs:attribute name="attacktype" type="att-type"
use="required"> use="required">
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-attacktype" <xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
skipping to change at page 88, line 30 skipping to change at page 94, line 30
<xs:attribute name="occurrence"> <xs:attribute name="occurrence">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/> <xs:enumeration value="actual"/>
<xs:enumeration value="potential"/> <xs:enumeration value="potential"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Impact"> <xs:element name="Impact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="completion"> <xs:attribute name="completion">
<xs:simpleType> <xs:simpleType>
skipping to change at page 91, line 23 skipping to change at page 97, line 25
<xs:element ref="iodef:Record" <xs:element ref="iodef:Record"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Flow class == == Flow class ==
================================================================== ==================================================================
--> -->
<!-- Added System unbounded for use only when the source or <!-- Added System unbounded for use only when the source or
skipping to change at page 93, line 33 skipping to change at page 99, line 34
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element name="NodeName" <xs:element name="NodeName"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from <!-- CHANGE - added DomainData class and subclasses from
RFC5901 --> RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Address" <xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- Proposed CHANGE: include a URI indicator.
Common complaint that URIs were only in the
IODEF schema as references and not part of the
incident or included indicators.
Included right now as an address type, below is a
second option for how to add it.
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
-->
</xs:choice> </xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location" <xs:element ref="iodef:Location"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:DateTime" <xs:element ref="iodef:DateTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:NodeRole" <xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
skipping to change at page 94, line 27 skipping to change at page 100, line 20
<xs:enumeration value="asn"/> <xs:enumeration value="asn"/>
<xs:enumeration value="atm"/> <xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/> <xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/> <xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/> <xs:enumeration value="ipv6-net-mask"/>
<!-- CHANGE - added uri type for site url/uris -->
<xs:enumeration value="site-uri"/> <xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" <xs:attribute name="vlan-name"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="vlan-num" <xs:attribute name="vlan-num"
skipping to change at page 95, line 48 skipping to change at page 101, line 40
<xs:enumeration value="log"/> <xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/> <xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/> <xs:enumeration value="pos"/>
<xs:enumeration value="scada"/> <xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/> <xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type" <xs:attribute name="attacktype" type="att-type"
use="optional"/> use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Service Class == == Service Class ==
================================================================== ==================================================================
--> -->
<xs:element name="Service"> <xs:element name="Service">
skipping to change at page 96, line 29 skipping to change at page 102, line 19
type="xs:integer"/> type="xs:integer"/>
<xs:element name="Portlist" <xs:element name="Portlist"
type="iodef:PortlistType"/> type="iodef:PortlistType"/>
</xs:choice> </xs:choice>
<xs:element name="ProtoType" <xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode" <xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField" <xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:ApplicationHeader"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE - email from address indicator, may be better as a sub <!-- CHANGE - email from address indicator, may be better as a sub
class? Would only make sense with the service set to class? Would only make sense with the service set to
email ports or none at all here or a new class. --> email ports or none at all here or a new class. -->
<xs:element ref="Email" minOccurs="0"/> <xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer" <xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailInfo" <xs:element ref="EmailInfo" minOccurs="0"/>
type="EmailDetails" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from <!-- CHANGE - added DomainData class and subclasses from
RFC5901 --> RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="ip_protocol" <xs:attribute name="ip_protocol"
type="xs:integer" use="required"/> type="xs:integer" use="required"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="PortlistType"> <xs:simpleType name="PortlistType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<!-- <!--
skipping to change at page 98, line 7 skipping to change at page 103, line 43
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration" <xs:attribute name="ext-duration"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== EMailDetails class == == EMailInfo class ==
================================================================== ==================================================================
--> -->
<!-- CHANGE: added the email details in a subclass for use when <!-- CHANGE: added the email details in a subclass for use when
you do not need all of the email details provided in the you do not need all of the email details provided in the
RFC5901 or ARF extensions. No extension mechanism here, is it RFC5901 or ARF extensions. No extension mechanism here, is it
needed? Possible to create an IANA table to extend this class needed? Possible to create an IANA table to extend this class
if needed in the future outside of schema edit cycles --> if needed in the future outside of schema edit cycles -->
<xs:complexType name="EmailDetails"> <xs:element name="EmailInfo">
<xs:sequence> <xs:complexType>
<!-- Email is the From email --> <xs:sequence>
<xs:element ref="Email" minOccurs="0"/> <xs:element name="EmailFrom"
<xs:element name="EmailSubject" type="iodef:MLStringType" minOccurs="0"/>
type="iodef:MLStringType" minOccurs="0"/> <xs:element name="EmailSubject"
<xs:element name="X-Mailer" type="iodef:MLStringType" minOccurs="0"/>
type="iodef:MLStringType" minOccurs="0"/> <xs:element name="EmailX-Mailer"
</xs:sequence> type="iodef:MLStringType" minOccurs="0"/>
<xs:attribute name="indicator-uid" </xs:sequence>
type="xs:string" use="optional"/> <xs:attribute name="indicator-uid"
</xs:complexType> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== ApplicationHeadr class ==
==================================================================
-->
<xs:element name="ApplicationHeader">
<xs:complexType>
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="required"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== DomainData class - from RFC5901 == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
--> -->
<xs:element name="DomainData"> <xs:element name="DomainData">
<xs:complexType id="DomainData.type"> <xs:complexType id="DomainData.type">
<xs:sequence> <xs:sequence>
<xs:element maxOccurs="1" <xs:element name="Name"
name="Name" type="iodef:MLStringType"/> type="iodef:MLStringType" maxOccurs="1" />
<xs:element maxOccurs="1" minOccurs="0" <xs:element name="DateDomainWasChecked"
name="DateDomainWasChecked" type="xs:dateTime"/> type="xs:dateTime"
maxOccurs="1" minOccurs="0" />
<xs:element name="RegistrationDate" <xs:element name="RegistrationDate"
type="xs:dateTime" maxOccurs="1" minOccurs="0"/> type="xs:dateTime"
<xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate" maxOccurs="1" minOccurs="0" />
type="xs:dateTime"/> <xs:element name="ExpirationDate"
type="xs:dateTime"
maxOccurs="1" minOccurs="0" />
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType" type="iodef:RelatedDNSEntryType"
maxOccurs="unbounded" minOccurs="0" /> maxOccurs="unbounded" minOccurs="0" />
<xs:element name="Nameservers" <xs:element name="Nameservers"
maxOccurs="unbounded" minOccurs="0"> maxOccurs="unbounded" minOccurs="0">
<xs:complexType id="Nameservers.type"> <xs:complexType id="Nameservers.type">
<xs:sequence> <xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/> <xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0"> <xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
<xs:element name="SameDomainContact" <xs:element name="SameDomainContact"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:sequence> <xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1" <xs:element maxOccurs="unbounded" minOccurs="1"
ref="iodef:Contact"/> ref="iodef:Contact"/>
</xs:sequence> </xs:sequence>
skipping to change at page 99, line 45 skipping to change at page 106, line 17
<xs:enumeration value="assignedAndOnHold"/> <xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/> <xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/> <xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/> <xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/> <xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/> type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType"> <xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="RecordType" use="optional"> <xs:attribute name="RecordType" use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/> <xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/> <xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/> <xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/> <xs:enumeration value="APL"/>
skipping to change at page 100, line 48 skipping to change at page 107, line 25
<xs:enumeration value="SSHFP"/> <xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/> <xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/> <xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/> <xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/> <xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/> <xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-RecordType"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<!-- <!--
================================================================== ==================================================================
== Record class == == Record class ==
================================================================== ==================================================================
--> -->
skipping to change at page 101, line 39 skipping to change at page 108, line 11
<xs:element ref="iodef:DateTime" <xs:element ref="iodef:DateTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RecordPattern" <xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem" <xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:HashInformation"
<!-- CHANGE: File name and hash of file indicator minOccurs="0" maxOccurs="unbounded"/>
information --> <xs:element ref="iodef:WindowsRegistryKeysModified"
<xs:element name="FileName"
type="iodef:MLStringType" minOccurs="0"/>
<!-- Represent file hash information via digsig schema
Reference class -->
<xs:element ref="ds:Reference" minOccurs="0"/>
<!-- CHANGE: Windows Registry Key Modifications:
Here, we include the classes from iodef-phish, to
prevent the need to pull in the full schema.
Ensure reference to RFC5901 Section 5.9.7 remains
included in UML description.
-->
<xs:element name="WindowsRegistryKeysModified"
type="RegistryKeyModified"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
skipping to change at page 103, line 15 skipping to change at page 109, line 23
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordItem" <xs:element name="RecordItem"
type="iodef:ExtensionType"/> type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
== Class to describe Windows Registry Keys == == Class to describe Windows Registry Keys ==
================================================================== ==================================================================
--> -->
<xs:complexType name="RegistryKeyModified"> <xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Key" maxOccurs="unbounded"> <xs:element name="Key" maxOccurs="unbounded">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<!-- Allows for the value to be optional for cases <!-- Allows for the value to be optional for cases
such as, the registry key was deleted --> such as, the registry key was deleted -->
<xs:element name="KeyName" type="xs:string"/> <xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" <xs:element name="Value"
type="xs:string" minOccurs="0"/> type="xs:string" minOccurs="0"/>
</xs:sequence> </xs:sequence>
skipping to change at page 103, line 39 skipping to change at page 109, line 48
<xs:enumeration value="add-key"/> <xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/> <xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/> <xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/> <xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/> <xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/> <xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
</xs:sequence> </xs:sequence>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element>
<!-- CHANGE: Should this be broken out as another class <!-- CHANGE: Should this be broken out as another class
for WindowsRegistryKeyModified and add attributes for WindowsRegistryKeyModified and add attributes
for indicator_ID and action - add_value, removes_value, etc. for indicator_ID and action - add_value, removes_value, etc.
as is demonstrated? as is demonstrated?
--> -->
<!-- <!--
================================================================== ==================================================================
== Classes that describe hash types, file information == == Classes that describe hash types, file information ==
== with certificate properties and digital signature info == == with certificate properties and digital signature info ==
== provided through the W3C digital signature schema == == provided through the W3C digital signature schema ==
== so it does not need to be maintained here. == == so it does not need to be maintained here. ==
================================================================== ==================================================================
--> -->
skipping to change at page 104, line 15 skipping to change at page 110, line 24
--> -->
<!-- <!--
================================================================== ==================================================================
== Classes that describe hash types, file information == == Classes that describe hash types, file information ==
== with certificate properties and digital signature info == == with certificate properties and digital signature info ==
== provided through the W3C digital signature schema == == provided through the W3C digital signature schema ==
== so it does not need to be maintained here. == == so it does not need to be maintained here. ==
================================================================== ==================================================================
--> -->
<xs:complexType name="HashSigDetails"> <xs:element name="HashInformation">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType" <xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer" <xs:element name="FileSize" type="xs:integer"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema <!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5), and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use classes may be useful, so Signature was added, but you can use
skipping to change at page 105, line 4 skipping to change at page 111, line 15
<xs:enumeration value="PGP-file-ds"/> <xs:enumeration value="PGP-file-ds"/>
<xs:enumeration value="PGP-email-ds-watchlist"/> <xs:enumeration value="PGP-email-ds-watchlist"/>
<xs:enumeration value="PGP-file-ds-watchlist"/> <xs:enumeration value="PGP-file-ds-watchlist"/>
<xs:enumeration value="file-hash"/> <xs:enumeration value="file-hash"/>
<xs:enumeration value="email-hash"/> <xs:enumeration value="email-hash"/>
<xs:enumeration value="file-hash-watchlist"/> <xs:enumeration value="file-hash-watchlist"/>
<xs:enumeration value="email-hash-watchlist"/> <xs:enumeration value="email-hash-watchlist"/>
<!-- QUESTION: Are values needed to differentiate the <!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class key information shared when the ds:KeyInfo class
is referenced? --> is referenced? -->
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<!-- Adding a boolean yes/no, 0/1option to indicate if the <xs:attribute name="valid"
signature or hash is valid --> type="xs:boolean" use="optional" />
<xs:attribute name="valid" type="xs:boolean" use="optional" />
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Classes that describe software == == Classes that describe software ==
================================================================== ==================================================================
--> -->
<xs:complexType name="SoftwareType"> <xs:complexType name="SoftwareType">
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0"/> minOccurs="0"/>
skipping to change at page 108, line 28 skipping to change at page 114, line 39
<xs:enumeration value="block-host"/> <xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/> <xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/> <xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/> <xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/> <xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/> <xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="remediate-other"/> <xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/> <xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/> <xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/> <xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="dtype-type"> <xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/> <xs:enumeration value="character"/>
<xs:enumeration value="date-time"/> <xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/> <xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/> <xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/> <xs:enumeration value="portlist"/>
<xs:enumeration value="real"/> <xs:enumeration value="real"/>
<xs:enumeration value="string"/> <xs:enumeration value="string"/>
<xs:enumeration value="file"/> <xs:enumeration value="file"/>
<xs:enumeration value="path"/> <xs:enumeration value="path"/>
<xs:enumeration value="frame"/> <xs:enumeration value="frame"/>
skipping to change at page 109, line 10 skipping to change at page 115, line 23
<xs:enumeration value="ipv4-packet"/> <xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/> <xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/> <xs:enumeration value="url"/>
<xs:enumeration value="csv"/> <xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/> <xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/> <xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="att-type"> <xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="c2-server"/> <xs:enumeration value="c2-server"/>
<xs:enumeration value="sink-hole"/> <xs:enumeration value="sink-hole"/>
<xs:enumeration value="malware-distribution"/> <xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/> <xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/> <xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/> <xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/> <xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/> <xs:enumeration value="dns-spoof"/>
skipping to change at page 109, line 24 skipping to change at page 116, line 4
<xs:enumeration value="malware-distribution"/> <xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/> <xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/> <xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/> <xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/> <xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/> <xs:enumeration value="dns-spoof"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:schema> </xs:schema>
9. Security Considerations 9. Security Considerations
The IODEF data model itself does not directly introduce security The IODEF data model itself does not directly introduce security
issues. Rather, it simply defines a representation for incident issues. Rather, it simply defines a representation for incident
information. As the data encoded by the IODEF might be considered information. As the data encoded by the IODEF might be considered
privacy sensitive by the parties exchanging the information or by privacy sensitive by the parties exchanging the information or by
those described by it, care needs to be taken in ensuring the those described by it, care needs to be taken in ensuring the
appropriate disclosure during both document exchange and subsequent appropriate disclosure during both document exchange and subsequent
processing. The former must be handled by a messaging format, but processing. The former must be handled by a messaging format, but
the latter risk must be addressed by the systems that process, store, the latter risk must be addressed by the systems that process, store,
and archive IODEF documents and information derived from them. and archive IODEF documents and information derived from them.
Executable content could be embedded into the IODEF document directly
or through an extension. The IODEF parser should handle this content
with care to prevent unintentional automated execution.
The contents of an IODEF document may include a request for action or The contents of an IODEF document may include a request for action or
an IODEF parser may independently have logic to take certain actions an IODEF parser may independently have logic to take certain actions
based on information that it finds. For this reason, care must be based on information that it finds. For this reason, care must be
taken by the parser to properly authenticate the recipient of the taken by the parser to properly authenticate the recipient of the
document and ascribe an appropriate confidence to the data prior to document and ascribe an appropriate confidence to the data prior to
action. action.
The underlying messaging format and protocol used to exchange The underlying messaging format and protocol used to exchange
instances of the IODEF MUST provide appropriate guarantees of instances of the IODEF MUST provide appropriate guarantees of
confidentiality, integrity, and authenticity. The use of a confidentiality, integrity, and authenticity. The use of a
standardized security protocol is encouraged. The Real-time Inter- standardized security protocol is encouraged. The Real-time Inter-
network Defense (RID) protocol [18] and its associated transport network Defense (RID) protocol [RFC6545] and its associated transport
binding IODEF/RID over HTTP/TLS [19] provide such security. binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.
In order to suggest data processing and handling guidelines of the In order to suggest data processing and handling guidelines of the
encoded information, the IODEF allows a document sender to convey a encoded information, the IODEF allows a document sender to convey a
privacy policy using the restriction attribute. The various privacy policy using the restriction attribute. The various
instances of this attribute allow different data elements of the instances of this attribute allow different data elements of the
document to be covered by dissimilar policies. While flexible, it document to be covered by dissimilar policies. While flexible, it
must be stressed that this approach only serves as a guideline from must be stressed that this approach only serves as a guideline from
the sender, as the recipient is free to ignore it. The issue of the sender, as the recipient is free to ignore it. The issue of
enforcement is not a technical problem. enforcement is not a technical problem.
10. IANA Considerations 10. IANA Considerations
This document uses URNs to describe an XML namespace and schema This document uses URNs to describe an XML namespace and schema
conforming to a registry mechanism described in [15] conforming to a registry mechanism described in [RFC3688]
Registration for the IODEF namespace: Registration for the IODEF namespace:
o URI: urn:ietf:params:xml:ns:iodef-2.0 o URI: urn:ietf:params:xml:ns:iodef-2.0
o Registrant Contact: See the first author of the "Author's Address" o Registrant Contact: See the first author of the "Author's Address"
section of this document. section of this document.
o XML: None. Namespace URIs do not represent an XML specification. o XML: None. Namespace URIs do not represent an XML specification.
skipping to change at page 110, line 43 skipping to change at page 117, line 27
section of this document. section of this document.
o XML: See the "IODEF Schema" in Section 8 of this document. o XML: See the "IODEF Schema" in Section 8 of this document.
11. Acknowledgments 11. Acknowledgments
The following groups and individuals, listed alphabetically, The following groups and individuals, listed alphabetically,
contributed substantially to this document and should be recognized contributed substantially to this document and should be recognized
for their efforts. for their efforts.
o Patrick Cain, Cooper-Cain Group, Inc.
o The eCSIRT.net Project
o The Incident Object Description and Exchange Format Working-Group
of the TERENA task-force (TF-CSIRT)
o Glenn Mansfield Keeni, Cyber Solutions, Inc.
o Hiroyuki Kido, NARA Institute of Science and Technology
o Kathleen Moriarty, EMC Corporation o Kathleen Moriarty, EMC Corporation
o Brian Trammell, ETH Zurich o Brian Trammell, ETH Zurich
o Jan Meijer, SURFnet bv o Patrick Cain, Cooper-Cain Group, Inc.
o Yuri Demchenko, University of Amsterdam o ... TODO many more to add ...
12. References 12. References
12.1. Normative References 12.1. Normative References
[1] World Wide Web Consortium, "Extensible Markup Language [W3C.XML] World Wide Web Consortium, "Extensible Markup Language
(XML) 1.0 (Second Edition)", W3C Recommendation , October (XML) 1.0 (Second Edition)", W3C Recommendation , October
2000, <http://www.w3.org/TR/2000/REC-xml-20001006>. 2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.
[2] World Wide Web Consortium, "XML XML Schema Part 1: [W3C.SCHEMA]
World Wide Web Consortium, "XML XML Schema Part 1:
Structures Second Edition", W3C Recommendation , October Structures Second Edition", W3C Recommendation , October
2004, <http://www.w3.org/TR/xmlschema-1/>. 2004, <http://www.w3.org/TR/xmlschema-1/>.
[3] World Wide Web Consortium, "XML Schema Part 2: Datatypes [W3C.SCHEMA.DTYPES]
World Wide Web Consortium, "XML Schema Part 2: Datatypes
Second Edition", W3C Recommendation , October 2004, Second Edition", W3C Recommendation , October 2004,
<http://www.w3.org/TR/xmlschema-2/>. <http://www.w3.org/TR/xmlschema-2/>.
[4] World Wide Web Consortium, "Namespaces in XML", W3C [W3C.XMLNS]
World Wide Web Consortium, "Namespaces in XML", W3C
Recommendation , January 1999, Recommendation , January 1999,
<http://www.w3.org/TR/REC-xml-names/>. <http://www.w3.org/TR/REC-xml-names/>.
[5] World Wide Web Consortium, "XML Path Language (XPath) [W3C.XPATH]
World Wide Web Consortium, "XML Path Language (XPath)
2.0", W3C Candidate Recommendation , June 2006, 2.0", W3C Candidate Recommendation , June 2006,
<http://www.w3.org/TR/xpath20/>. <http://www.w3.org/TR/xpath20/>.
[6] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[7] Philips, A. and M. Davis, "Tags for Identifying of [RFC4646] Philips, A. and M. Davis, "Tags for Identifying of
Languages", RFC 4646, September 2006. Languages", RFC 4646, September 2006.
[8] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 3986, Resource Identifiers (URI): Generic Syntax", RFC 3986,
January 2005`. January 2005`.
[9] Freed, N. and J. Postel, "IANA Charset Registration [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration
Procedures", BCP 2978, October 2000. Procedures", BCP 2978, October 2000.
[10] Sciberras, A., "Schema for User Applications", RFC 4519, [RFC4519] Sciberras, A., "Schema for User Applications", RFC 4519,
June 2006. June 2006.
[11] Resnick, P., "Internet Message Format", RFC 2822, April [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October
2001. 2008.
[12] Klyne, G. and C. Newman, "Date and Time on the Internet: [RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet:
Timestamps", RFC 3339, July 2002. Timestamps", RFC 3339, July 2002.
[13] International Organization for Standardization, [ISO8601] International Organization for Standardization,
"International Standard: Data elements and interchange "International Standard: Data elements and interchange
formats - Information interchange - Representation of formats - Information interchange - Representation of
dates and times", ISO 8601, Second Edition, December 2000. dates and times", ISO 8601, Second Edition, December 2000.
[14] International Organization for Standardization, [ISO4217] International Organization for Standardization,
"International Standard: Codes for the representation of "International Standard: Codes for the representation of
currencies and funds, ISO 4217:2001", ISO 4217:2001, currencies and funds, ISO 4217:2001", ISO 4217:2001,
August 2001. August 2001.
[15] Mealling, M., "The IETF XML Registry", RFC 3688, January [RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January
2004. 2004.
[RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
Language) XML-Signature Syntax and Processing", RFC 3275,
March 2002.
12.2. Informative References 12.2. Informative References
[16] Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements [refs.requirements]
Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
for the Format for Incident Information Exchange (FINE)", for the Format for Incident Information Exchange (FINE)",
Work in Progress, June 2006. Work in Progress, June 2006.
[17] Debar, H., Curry, D., Debar, H., and B. Feinstein, [RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein,
"Intrusion Detection Message Exchange Format", RFC 4765, "Intrusion Detection Message Exchange Format", RFC 4765,
March 2007. March 2007.
[18] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
6545, April 2012. 6545, April 2012.
[19] Trammell, B., "Transport of Real-time Inter-network [RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, April Defense (RID) Messages over HTTP/TLS", RFC 6546, April
2012. 2012.
[20] Shafranovich, Y., "Common Format and MIME Type for Comma- [RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
Class for Reporting Phishing", RFC 5901, July 2010.
[KB310516]
Microsoft Corporation, "How to add, modify, or delete
registry subkeys and values by using a registration
entries (.reg) file", December 2007.
[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
Separated Values (CSV) File", RFC 4180, October 2005. Separated Values (CSV) File", RFC 4180, October 2005.
Authors' Addresses Authors' Addresses
Roman Danyliw Roman Danyliw
CERT - Software Engineering Institute CERT - Software Engineering Institute
Pittsburgh, PA Pittsburgh, PA
USA USA
EMail: rdd@cert.org EMail: rdd@cert.org
 End of changes. 288 change blocks. 
676 lines changed or deleted 971 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/