draft-ietf-mile-rfc5070-bis-04.txt vs. draft-ietf-mile-rfc5070-bis-05.txt

MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
bis-04: Expires: July 22, 2014                         January 18, 2014
bis-05: Expires: July 5, 2014                              January 2014

          The Incident Object Description Exchange Format v2
bis-04:              draft-ietf-mile-rfc5070-bis-04
bis-05:              draft-ietf-mile-rfc5070-bis-05
Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation that provides a framework for sharing information
   commonly exchanged by Computer Security Incident Response Teams
   (CSIRTs) about computer security incidents.  This document describes
   the information model for the IODEF and provides an associated data
   model specified with XML Schema.
   skipping to change at page 1, line 36

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   bis-04: This Internet-Draft will expire on July 22, 2014.
   bis-05: This Internet-Draft will expire on July 5, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   skipping to change at page 3, line 10

   Table of contents as in bis-05 (bis-04 differences are listed after
   the table):

      3.3.2.  Indicator Attributes  . . . . . . . . . . . . . . .  15
      3.4.  IncidentID Class  . . . . . . . . . . . . . . . . . . .  16
      3.5.  AlternativeID Class . . . . . . . . . . . . . . . . . .  17
      3.6.  RelatedActivity Class . . . . . . . . . . . . . . . . .  17
      3.7.  ThreatActor Class . . . . . . . . . . . . . . . . . . .  18
      3.8.  Campaign Class  . . . . . . . . . . . . . . . . . . . .  19
      3.9.  AdditionalData Class  . . . . . . . . . . . . . . . . .  20
      3.10. Contact Class . . . . . . . . . . . . . . . . . . . . .  22
      3.10.1.  RegistryHandle Class . . . . . . . . . . . . . . . .  25
      3.10.2.  PostalAddress Class  . . . . . . . . . . . . . . . .  26
      3.10.3.  Email Class  . . . . . . . . . . . . . . . . . . . .  27
      3.10.4.  Telephone and Fax Classes  . . . . . . . . . . . . .  27
      3.11. Time Classes  . . . . . . . . . . . . . . . . . . . . .  28
      3.11.1.  StartTime Class  . . . . . . . . . . . . . . . . . .  28
      3.11.2.  EndTime Class  . . . . . . . . . . . . . . . . . . .  28
      3.11.3.  DetectTime Class . . . . . . . . . . . . . . . . . .  28
      3.11.4.  ReportTime Class . . . . . . . . . . . . . . . . . .  29
      3.11.5.  DateTime . . . . . . . . . . . . . . . . . . . . . .  29
      3.12. Method Class  . . . . . . . . . . . . . . . . . . . . .  29
      3.12.1.  Reference Class  . . . . . . . . . . . . . . . . . .  30
      3.13. Assessment Class  . . . . . . . . . . . . . . . . . . .  31
      3.13.1.  Impact Class . . . . . . . . . . . . . . . . . . . .  32
      3.13.2.  BusinessImpact Class . . . . . . . . . . . . . . . .  34
      3.13.3.  TimeImpact Class . . . . . . . . . . . . . . . . . .  36
      3.13.4.  MonetaryImpact Class . . . . . . . . . . . . . . . .  38
      3.13.5.  Confidence Class . . . . . . . . . . . . . . . . . .  38
      3.14. History Class . . . . . . . . . . . . . . . . . . . . .  39
      3.14.1.  HistoryItem Class  . . . . . . . . . . . . . . . . .  40
      3.15. EventData Class . . . . . . . . . . . . . . . . . . . .  42
      3.15.1.  Relating the Incident and EventData Classes  . . . .  44
      3.15.2.  Cardinality of EventData . . . . . . . . . . . . . .  44
      3.16. Expectation Class . . . . . . . . . . . . . . . . . . .  45
      3.17. Flow Class  . . . . . . . . . . . . . . . . . . . . . .  48
      3.18. System Class  . . . . . . . . . . . . . . . . . . . . .  48
      3.19. Node Class  . . . . . . . . . . . . . . . . . . . . . .  51
      3.19.1.  Address Class  . . . . . . . . . . . . . . . . . . .  53
      3.19.2.  NodeRole Class . . . . . . . . . . . . . . . . . . .  54
      3.19.3.  Counter Class  . . . . . . . . . . . . . . . . . . .  56
      3.20. DomainData Class  . . . . . . . . . . . . . . . . . . .  58
      3.20.1.  RelatedDNS . . . . . . . . . . . . . . . . . . . . .  60
      3.20.2.  Nameservers Class  . . . . . . . . . . . . . . . . .  61
      3.20.3.  DomainContacts Class . . . . . . . . . . . . . . . .  61
      3.21. Service Class . . . . . . . . . . . . . . . . . . . . .  62
      3.21.1.  ApplicationHeader Class  . . . . . . . . . . . . . .  64
      3.21.2.  Application Class  . . . . . . . . . . . . . . . . .  66
      3.22. OperatingSystem Class . . . . . . . . . . . . . . . . .  67
      3.23. EmailData Class . . . . . . . . . . . . . . . . . . . .  67
      3.24. Record Class  . . . . . . . . . . . . . . . . . . . . .  68
      3.24.1.  RecordData Class . . . . . . . . . . . . . . . . . .  68
      3.24.2.  RecordPattern Class  . . . . . . . . . . . . . . . .  70
      3.24.3.  RecordItem Class . . . . . . . . . . . . . . . . . .  71
      3.25. WindowsRegistryKeysModified Class . . . . . . . . . . .  71
      3.25.1.  Key Class  . . . . . . . . . . . . . . . . . . . . .  72
      3.26. HashData Class  . . . . . . . . . . . . . . . . . . . .  73
   4.  Processing Considerations . . . . . . . . . . . . . . . . . .  75
      4.1.  Encoding  . . . . . . . . . . . . . . . . . . . . . . .  75
      4.2.  IODEF Namespace . . . . . . . . . . . . . . . . . . . .  76
      4.3.  Validation  . . . . . . . . . . . . . . . . . . . . . .  76
   5.  Extending the IODEF . . . . . . . . . . . . . . . . . . . . .  77
      5.1.  Extending the Enumerated Values of Attributes . . . . .  78
      5.2.  Extending Classes . . . . . . . . . . . . . . . . . . .  78
   6.  Internationalization Issues . . . . . . . . . . . . . . . . .  80
   7.  Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  81
      7.1.  Worm  . . . . . . . . . . . . . . . . . . . . . . . . .  81
      7.2.  Reconnaissance  . . . . . . . . . . . . . . . . . . . .  83
      7.3.  Bot-Net Reporting . . . . . . . . . . . . . . . . . . .  85
      7.4.  Watch List  . . . . . . . . . . . . . . . . . . . . . .  86
   8.  The IODEF Schema  . . . . . . . . . . . . . . . . . . . . . .  88
   9.  Security Considerations . . . . . . . . . . . . . . . . . . . 122
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 123
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 123
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . . 124
      12.1.  Normative References . . . . . . . . . . . . . . . . . 124
      12.2.  Informative References . . . . . . . . . . . . . . . . 125

   In bis-04 the table of contents has no Section 3.13.2 BusinessImpact
   Class (TimeImpact, MonetaryImpact, and Confidence are numbered 3.13.2
   through 3.13.4), Section 3.23 is titled "EmailInfo Class", Section
   3.26 is titled "HashInformation Class", and the page numbers are
   lower throughout (for example, Section 8 starts on page 82 and
   Section 9 on page 116 in bis-04, versus pages 88 and 122 in bis-05).
1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a
   bot-network, or sharing watch-lists of known malicious IP addresses
   in a consortium.
   skipping to change at page 6, line 19

      class: Email, EmailSubject, X-Mailer, DomainData, AssetID,
      @virtual, and @ownership.

   o  The following classes were added to the Record class: FileName,
      ds:Reference, and WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  (bis-05 only) The following class was added to the Node class:
      PostalAddress.

   o  The following class was added to the Contact class:
      ContactTitle.

   o  (bis-04 only; for consideration) The following class was added to
      the Node class: URL.

   o  (for consideration) The following attribute was added to the
      SoftwareType complexType: user-agent.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose.
1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"

   skipping to change at page 11, line 41

   +-----------------+

                     Figure 1: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.  (The cross-reference is present in bis-05 only.)

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   lang
      Required.  ENUM.  A valid language code per [RFC4646] constrained
   skipping to change at page 24, line 29

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list:

      bis-04:

      1.  creator.  The entity that generates the document.

      2.  admin.  An administrative contact for a host or network.

      3.  tech.  A technical contact for a host or network.

      4.  irt.  The CSIRT involved in handling the incident.

      5.  cc.  An entity that is to be kept informed about the handling
          of the incident.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

      bis-05:

      1.  creator.  The entity that generates the document.

      2.  reporter.  The entity that reported the information.

      3.  admin.  An administrative contact or business owner for an
          asset or organization.

      4.  tech.  An entity responsible for the day-to-day management of
          technical issues for an asset or organization.

      5.  provider.  An external hosting provider for an asset.

      6.  zone.  An entity with authority over a DNS zone.

      7.  user.  An end-user of an asset or part of an organization.

      8.  billing.  An entity responsible for billing issues for an
          asset or organization.

      9.  legal.  An entity responsible for legal issues related to an
          asset or organization.

      10. irt.  An entity responsible for handling security issues for
          an asset or organization.

      11. abuse.  An entity responsible for handling abuse originating
          from an asset or organization.

      12. cc.  An entity that is to be kept informed about the events
          related to an asset or organization.

      13. cc-irt.  A CSIRT or information sharing organization
          coordinating activity related to an asset or organization.

      14. le.  A law enforcement entity supporting the investigation of
          activity affecting an asset or organization.

      15. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1.  person.  The information for this contact references an
   skipping to change at page 30, line 24 (bis-05: page 31, line 7)

      Type.

   indicator-uid
      Optional.  STRING.  See Section 3.3.2.

   indicator-set-id
      Optional.  STRING.  See Section 3.3.2.

3.13.  Assessment Class

   bis-04: The Assessment class describes the technical and
   non-technical repercussions of the incident on the CSIRT's
   constituency.  This class was derived from [RFC4765].

   bis-05: The Assessment class describes the repercussions of the
   incident to the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ Impact         ]
   | ENUM restriction        |<>--{0..*}--[ BusinessImpact ]
   | STRING indicator-uid    |<>--{0..*}--[ TimeImpact     ]
   | STRING indicator-set-id |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ Counter        ]
   |                         |<>--{0..1}--[ Confidence     ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 17: Assessment Class
        (bis-04: the same figure without the BusinessImpact row)

   The aggregate classes that constitute Assessment are:

   Impact
      bis-04: Zero or many.  Technical impact of the incident on a
      network.
      bis-05: Zero or many.  Technical characterization of the impact of
      the activity on the victim's enterprise.

   BusinessImpact (bis-05 only)
      Zero or many.  Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or many.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or many.  Impact of the activity measured with respect to
      financial loss.

   Counter
   skipping to change at page 33, line 35 (bis-05: page 34, line 19)

      10. unknown.  The classification of this activity is unknown.

      11. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.
3.13.2.  BusinessImpact Class (bis-05 only; in bis-04, Section 3.13.2 is
         the TimeImpact Class below)

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.
   The element body describes the impact to the organization as a
   free-form text string.  The severity and type attributes
   characterize the impact.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                    Figure 19: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   The BusinessImpact class has four attributes:

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide all
          critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business, classifying the malicious activity into the incident
      categories below.  There is no default value.

      1.  breach-proprietary.  Sensitive or proprietary information was
          accessed or exfiltrated.

      2.  breach-privacy.  Personally identifiable information was
          accessed or exfiltrated.

      3.  loss-of-integrity.  Sensitive or proprietary information was
          changed or deleted.

      4.  loss-of-service.  Service delivery was disrupted.

      5.  loss-financial.  Money or services were stolen.

      6.  degraded-reputation.  The reputation of the organization's
          brand was diminished.

      7.  asset-damage.  A cyber-physical system was damaged.

      8.  asset-manipulation.  A cyber-physical system was manipulated.

      9.  legal.  Incident resulted in legal or regulatory action.

      10. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.13.3.  TimeImpact Class (bis-04: Section 3.13.2)

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey
   down time and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

            Figure 20 (bis-04: Figure 19): TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time.  The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
   skipping to change at page 35, line 36 (bis-05: page 38, line 5)

      7.  year.  The unit of the element content is years.

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.

3.13.4.  MonetaryImpact Class (bis-04: Section 3.13.3)

   The MonetaryImpact class describes the financial impact of the
   activity on an organization.  For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

          Figure 21 (bis-04: Figure 20): MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.
   skipping to change at page 36, line 38 (bis-05: page 38, line 46)

      2.  medium.  Medium severity.

      3.  high.  High severity.

   currency
      Optional.  STRING.  Defines the currency in which the monetary
      impact is expressed.  The permitted values are defined in "Codes
      for the representation of currencies and funds" of [ISO4217].
      There is no default value.

3.13.5.  Confidence Class (bis-04: Section 3.13.4)

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section 3.13) of the incident
   activity.  This estimate can be expressed as a category or a numeric
   calculation.

   This class is based upon [RFC4765].

   +------------------+
   | Confidence       |
   +------------------+
   | REAL             |
   |                  |
   | ENUM rating      |
   +------------------+

            Figure 22 (bis-04: Figure 21): Confidence Class

   The element content expresses a numerical assessment in the
   confidence of the data when the value of the rating attribute is
   "numeric".  Otherwise, this element MUST be empty.

   The Confidence class has one attribute.

   rating
      Required.  ENUM.  A rating of the analytical validity of the
      specified Assessment.  The permitted values are shown below.
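   The Contact@role enumeration (Section 3.10) and the Assessment family
   (Sections 3.13 through 3.13.5) state constraints that a receiving
   CSIRT tool should check before acting on an IODEF document, and
   several of them are not expressible in the XML Schema: the Contact
   class MUST carry at least one aggregate class, an enumerated attribute
   set to "ext-value" only makes sense together with its ext-* attribute
   (the escape of Section 5.1), TimeImpact and MonetaryImpact content is
   a positive REAL, Assessment holds at most one Confidence, and
   Confidence content MUST be empty unless rating is "numeric".  The
   Python below is an added example, not code from the draft or from any
   IODEF implementation.  It omits XML namespaces (a real document
   declares the IODEF namespace of Section 4.2, which this page does not
   reproduce), encodes the bis-05 enumerations as listed here, performs
   only a shape check on the ISO 4217 currency code instead of consulting
   the full code list, and runs on two constructed EventData fragments
   whose contact name and figures are invented.

```python
# Added example, not code from the draft: checks a constructed IODEF v2
# fragment against constraints stated in the bis-05 text for Contact and
# the Assessment family; several are not expressible in XML Schema.
import xml.etree.ElementTree as ET

# Enumerations exactly as listed in the bis-05 text on this page.
BUSINESS_SEVERITY = {"none", "low", "medium", "high", "unknown", "ext-value"}
BUSINESS_TYPE = {"breach-proprietary", "breach-privacy", "loss-of-integrity",
                 "loss-of-service", "loss-financial", "degraded-reputation",
                 "asset-damage", "asset-manipulation", "legal", "ext-value"}
CONTACT_ROLE = {"creator", "reporter", "admin", "tech", "provider", "zone",
                "user", "billing", "legal", "irt", "abuse", "cc", "cc-irt",
                "le", "ext-value"}


def _check_enum(elem, attr, allowed, problems, required=True):
    """ext-value escape (Section 5.1): value must be in the list, and
    "ext-value" must be paired with the matching @ext-<attr>."""
    value = elem.get(attr)
    if value is None:
        if required:
            problems.append(f"{elem.tag}: missing required @{attr}")
        return
    if value not in allowed:
        problems.append(f"{elem.tag}: @{attr}={value!r} is not an enumerated value")
    elif value == "ext-value" and not elem.get("ext-" + attr):
        problems.append(f"{elem.tag}: @{attr}='ext-value' without @ext-{attr}")


def _as_real(text):
    """Parse REAL element content; None when it is not a number."""
    try:
        return float(text.strip())
    except ValueError:
        return None


def _check_positive_real(elem, problems):
    """TimeImpact and MonetaryImpact content is a positive REAL."""
    value = _as_real(elem.text or "")
    if value is None or not (value > 0):
        problems.append(f"{elem.tag}: content must be a positive REAL")


def check_fragment(xml_text):
    """Return the list of violations found; an empty list means none."""
    root = ET.fromstring(xml_text)
    problems = []
    for contact in root.iter("Contact"):
        _check_enum(contact, "role", CONTACT_ROLE, problems)
        if len(contact) == 0:  # stated as MUST, but not enforced by the schema
            problems.append("Contact: at least one aggregate class MUST be present")
    for assessment in root.iter("Assessment"):
        if len(assessment.findall("Confidence")) > 1:
            problems.append("Assessment: Confidence has cardinality 0..1")
        for bi in assessment.iter("BusinessImpact"):
            _check_enum(bi, "severity", BUSINESS_SEVERITY, problems, required=False)
            _check_enum(bi, "type", BUSINESS_TYPE, problems)
        for ti in assessment.iter("TimeImpact"):
            _check_positive_real(ti, problems)
        for mi in assessment.iter("MonetaryImpact"):
            _check_positive_real(mi, problems)
            cur = mi.get("currency")
            # Shape check only; a full check would consult the ISO 4217 list.
            if cur is not None and not (len(cur) == 3 and cur.isascii()
                                        and cur.isalpha() and cur.isupper()):
                problems.append(f"MonetaryImpact: @currency={cur!r} is not a "
                                "three-letter ISO 4217 code")
        for conf in assessment.iter("Confidence"):
            rating, body = conf.get("rating"), (conf.text or "").strip()
            if rating is None:
                problems.append("Confidence: missing required @rating")
            elif rating == "numeric":
                if _as_real(body) is None:
                    problems.append("Confidence: rating='numeric' needs REAL content")
            elif body:
                problems.append(f"Confidence: content MUST be empty when rating={rating!r}")
    return problems


# Constructed sample that satisfies every check above.
GOOD_FRAGMENT = """<EventData>
  <Contact role="irt" type="organization">
    <ContactName>Example CSIRT (constructed)</ContactName>
  </Contact>
  <Assessment>
    <BusinessImpact severity="high" type="loss-of-service">Portal outage</BusinessImpact>
    <TimeImpact severity="medium" metric="downtime" duration="hour">36</TimeImpact>
    <MonetaryImpact severity="medium" currency="USD">12500.00</MonetaryImpact>
    <Confidence rating="numeric">0.8</Confidence>
  </Assessment>
</EventData>"""

# Constructed sample with five violations: role outside the enumeration, empty
# Contact, ext-value without @ext-severity, negative TimeImpact, Confidence body.
BAD_FRAGMENT = """<EventData>
  <Contact role="owner" type="person"/>
  <Assessment>
    <BusinessImpact severity="ext-value" type="loss-of-service">x</BusinessImpact>
    <TimeImpact metric="downtime" duration="hour">-3</TimeImpact>
    <Confidence rating="high">0.9</Confidence>
  </Assessment>
</EventData>"""

if __name__ == "__main__":
    print(check_fragment(GOOD_FRAGMENT), check_fragment(BAD_FRAGMENT))
```

   Run after schema validation, not instead of it: the schema already
   rejects unknown elements and most type errors, and this pass adds the
   prose-only rules.  Reporting every violation rather than stopping at
   the first one is deliberate, so a rejected document from a peer CSIRT
   can be returned with a complete list of what to fix.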
   skipping to change at page 38, line 12 (bis-05: page 40, line 12)

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------+
   | History          |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ HistoryItem ]
   |                  |
   +------------------+

           Figure 23 (bis-04: Figure 22): The History Class

   The class that constitutes History is:

   HistoryItem
      One or many.  Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has one attribute:

   restriction
   skipping to change at page 38, line 44 (bis-05: page 40, line 44)

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime       ]
   | ENUM action             |<>--{0..1}--[ IncidentID     ]
   | STRING ext-action       |<>--{0..1}--[ Contact        ]
   | STRING indicator-uid    |<>--{0..*}--[ Description    ]
   | STRING indicator-set-id |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

           Figure 24 (bis-04: Figure 23): HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One.  Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or One.  In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
skipping to change at page 40, line 30 skipping to change at page 42, line 30
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ] | |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ] | |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 24: The EventData Class Figure 25: The EventData Class
The aggregate classes that constitute EventData are: The aggregate classes that constitute EventData are:
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
event. event.
DetectTime DetectTime
Zero or one. The time the event was detected. Zero or one. The time the event was detected.
skipping to change at page 42, line 19 skipping to change at page 44, line 19
The Incident class provides summary information about the entire The Incident class provides summary information about the entire
incident, while the EventData class provides information about the incident, while the EventData class provides information about the
individual events comprising the incident. In the most common case, individual events comprising the incident. In the most common case,
the EventData class will provide more specific information for the the EventData class will provide more specific information for the
general description provided in the Incident class. However, it may general description provided in the Incident class. However, it may
also be possible that the overall summarized information about the also be possible that the overall summarized information about the
incident conflicts with some individual information in an EventData incident conflicts with some individual information in an EventData
class when there is a substantial composition of various events in class when there is a substantial composition of various events in
the incident. In such a case, the interpretation of the more the incident. In such a case, the interpretation of the more
specific EventData MUST supersede the more generic information specific EventData MUST supersede the more generic information
provided in IncidentData. provided in Incident.
3.15.2. Cardinality of EventData
The EventData class can be thought of as a container for the
properties of an event in an incident. These properties include: the
hosts involved, impact of the incident activity on the hosts,
forensic logs, etc. With an instance of the EventData class, hosts
(i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the
skipping to change at page 44, line 42
explicit use of unique attribute identifiers in the classes or
duplicating information. Instead, the relative depth (nesting) of a
class is used to group (relate) information.
For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can
be found in Figure 26.
+------------------+
| EventData        |
+------------------+
|                  |<>----[ Contact ]
|                  |
|                  |<>----[ EventData ]<>----[ Flow ]
|                  |      [           ]<>----[ Assessment ]
|                  |
|                  |<>----[ EventData ]<>----[ Flow ]
|                  |      [           ]<>----[ Assessment ]
+------------------+
Figure 26: Recursion in the EventData Class
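The nesting rule of Figure 26, worked as an added example (not code from the draft): a consumer flattens nested EventData classes into one record per host, taking each property from the nearest enclosing EventData that carries it. The sample document is constructed, the namespace is omitted, and the Contact and Assessment children (ContactName, Impact) are assumed from IODEF rather than defined in this excerpt; applying "the more specific supersedes the more general" between an inner and an outer EventData is this example's reading of the recursion rule.

```python
"""Resolve per-host properties from nested IODEF v2 EventData classes."""
import xml.etree.ElementTree as ET

# Constructed sample following Figure 26: the outer EventData carries the
# shared Contact, each inner EventData carries its own Flow and Assessment.
# The third inner EventData carries its own Contact, which is closer to the
# host than the outer one and therefore takes precedence for that host.
EVENT_SAMPLE = """
<EventData>
  <Contact type="person" role="tech">
    <ContactName>Example CSIRT Tech Contact</ContactName>
  </Contact>
  <EventData>
    <Flow>
      <System category="target">
        <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
      </System>
    </Flow>
    <Assessment><Impact severity="high"/></Assessment>
  </EventData>
  <EventData>
    <Flow>
      <System category="target">
        <Node><Address category="ipv4-addr">192.0.2.20</Address></Node>
      </System>
    </Flow>
    <Assessment><Impact severity="low"/></Assessment>
  </EventData>
  <EventData>
    <Contact type="organization" role="tech">
      <ContactName>Hosting Provider Abuse Desk</ContactName>
    </Contact>
    <Flow>
      <System category="target">
        <Node><Address category="ipv4-addr">192.0.2.30</Address></Node>
      </System>
    </Flow>
    <Assessment><Impact severity="medium"/></Assessment>
  </EventData>
</EventData>
"""

# Aggregate classes of EventData that a nested EventData inherits from its
# enclosing EventData unless it carries its own instance.
INHERITED = ("Contact", "Assessment", "Method", "Expectation", "DetectTime")


def _local(event):
    """Direct children of one EventData that are inheritable, keyed by tag."""
    return {child.tag: child for child in event if child.tag in INHERITED}


def resolve(event, inherited=None):
    """Yield (effective_properties, flow) for every Flow, descending into
    nested EventData.  Deeper (more specific) instances override outer ones."""
    effective = dict(inherited or {})
    effective.update(_local(event))
    for flow in event.findall("Flow"):
        yield effective, flow
    for child in event.findall("EventData"):
        yield from resolve(child, effective)


def host_view(xml_text):
    """Flatten the recursive structure into one record per Address."""
    root = ET.fromstring(xml_text)
    records = []
    for props, flow in resolve(root):
        contact = props.get("Contact")
        assessment = props.get("Assessment")
        for addr in flow.iter("Address"):
            records.append({
                "address": addr.text.strip(),
                "contact": contact.findtext("ContactName") if contact is not None else None,
                "severity": (assessment.find("Impact").get("severity")
                             if assessment is not None else None),
            })
    return records


if __name__ == "__main__":
    for record in host_view(EVENT_SAMPLE):
        print(record)
```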
3.16. Expectation Class
The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested
action is limited to the purview of the EventData class in which this
class is aggregated.
+-------------------------+
| Expectation             |
+-------------------------+
| ENUM restriction        |<>--{0..*}--[ Description ]
| ENUM severity           |<>--{0..*}--[ DefinedCOA ]
| ENUM action             |<>--{0..1}--[ StartTime ]
| STRING ext-action       |<>--{0..1}--[ EndTime ]
| STRING indicator-uid    |<>--{0..1}--[ Contact ]
| STRING indicator-set-id |
+-------------------------+
Figure 27: The Expectation Class
The aggregate classes that constitute Expectation are:
Description
Zero or many. ML_STRING. A free-form description of the desired
action(s).
DefinedCOA
Zero or many. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set
to "defined-coa".
StartTime
Zero or one. The time at which the sender would like the action
performed. A timestamp that is earlier than the ReportTime
specified in the Incident class denotes that the sender would like
the action performed as soon as possible. The absence of this
element indicates no expectations of when the recipient would like
the action performed.
EndTime
Zero or one. The time by which the sender expects the recipient
to complete the action. If the recipient cannot complete the
action before EndTime, the recipient MUST NOT carry out the
action. Because of transit delays, clock drift, and so on, the
sender MUST be prepared for the recipient to have carried out the
action, even if it completes past EndTime.
skipping to change at page 46, line 31
The Expectation class has six attributes:
restriction
Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default".
severity
Optional. ENUM. Indicates the desired priority of the action.
This attribute is an enumerated list with no default value, and
the semantics of these relative measures are context dependent.
1. low. Low priority
2. medium. Medium priority
3. high. High priority
action
Optional. ENUM. Classifies the type of action requested. This
attribute is an enumerated list with a default value of "other".
skipping to change at page 48, line 18
3.17. Flow Class
The Flow class groups the related source and target hosts.
+------------------+
| Flow             |
+------------------+
|                  |<>--{1..*}--[ System ]
+------------------+
Figure 28: The Flow Class
The aggregate class that constitutes Flow is:
System
One or More. A host or network involved in an event.
The Flow class has no attributes.
3.18. System Class
skipping to change at page 49, line 18
| ENUM restriction    |<>----------[ Node ]
| ENUM category       |<>--{0..*}--[ Service ]
| STRING ext-category |<>--{0..*}--[ OperatingSystem ]
| STRING interface    |<>--{0..*}--[ Counter ]
| ENUM spoofed        |<>--{0..*}--[ AssetID ]
| ENUM virtual        |<>--{0..*}--[ Description ]
| ENUM ownership      |<>--{0..*}--[ AdditionalData ]
| ENUM ext-ownership  |
+---------------------+
Figure 29: The System Class
The aggregate classes that constitute System are:
Node
One. A host or network involved in the incident.
Service
Zero or more. A network service running on the system.
OperatingSystem
skipping to change at page 52, line 18
|               |<>--{0..*}--[ NodeName ]
|               |<>--{0..*}--[ DomainData ]
|               |<>--{0..*}--[ Address ]
|               |<>--{0..1}--[ PostalAddress ]
|               |<>--{0..1}--[ Location ]
|               |<>--{0..1}--[ DateTime ]
|               |<>--{0..*}--[ NodeRole ]
|               |<>--{0..*}--[ Counter ]
+---------------+
Figure 30: The Node Class
The aggregate classes that constitute Node are:
NodeName
Zero or more. ML_STRING. The name of the Node (e.g., fully
qualified domain name). This information MUST be provided if no
Address or DomainData information is given.
DomainData
Zero or more. The detailed domain (DNS) information associated
with this Node.
Address
Zero or more. The hardware, network, or application address of
the Node. If a NodeName or DomainData is not provided, at least
one Address MUST be specified.
PostalAddress
Zero or one. The postal address of the asset.
Location
skipping to change at page 53, line 29
| Address                 |
+-------------------------+
| ENUM category           |
| STRING ext-category     |
| STRING vlan-name        |
| INTEGER vlan-num        |
| STRING indicator-uid    |
| STRING indicator-set-id |
+-------------------------+
Figure 31: The Address Class
The Address class has five attributes:
category
Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is
"ipv4-addr".
1. asn. Autonomous System Number
skipping to change at page 54, line 49
particular host.
+---------------------+
| NodeRole            |
+---------------------+
| ENUM category       |
| STRING ext-category |
| ENUM lang           |
+---------------------+
Figure 32: The NodeRole Class
The NodeRole class has three attributes:
category
Required. ENUM. Functionality provided by a node.
1. client. Client computer
2. client-enterprise. Client computer on the enterprise network
skipping to change at page 57, line 5
3.19.3. Counter Class
The Counter class summarizes multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions,
events).
The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics
are entirely context dependent based on the class in which the
Counter is aggregated.
+---------------------+
| Counter             |
+---------------------+
| REAL                |
|                     |
| ENUM type           |
| STRING ext-type     |
| STRING meaning      |
| ENUM duration       |
| STRING ext-duration |
+---------------------+
Figure 33: The Counter Class
The Counter class has five attributes:
type
Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes.
2. packet. Count of packets.
skipping to change at page 58, line 16
meaning
Optional. STRING. A free-form description of the metric
represented by the Counter.
duration
Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type
attribute specifies the numerator). The possible values of this
attribute are defined in Section 3.13.3.
ext-duration
Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.
3.20. DomainData Class
...TODO...
+--------------------------+
| DomainData               |
+--------------------------+
| ENUM system-status       |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| STRING indicator-uid     |<>--{0..*}--[ RelatedDNS ]
| STRING indicator-set-id  |<>--{0..*}--[ Nameservers ]
|                          |<>--{0..1}--[ DomainContacts ]
|                          |
+--------------------------+
Figure 34: The DomainData Class
The aggregate classes that constitute DomainData are:
Name
One. ML_STRING. The domain name of the Node (e.g., fully
qualified domain name).
DateDomainWasChecked
Zero or one. DATETIME. A timestamp of when the Name was
resolved.
RegistrationDate
Zero or one. DATETIME. A timestamp of when the domain listed in
Name was registered.
ExpirationDate
Zero or one. DATETIME. A timestamp of when the domain listed in
Name is set to expire.
RelatedDNS
Zero or more. ...TODO...
Nameservers
Zero or more. The name servers identified for the domain listed
in Name.
DomainContacts
Zero or one. Contact information for the domain listed in Name
supplied by the registrar or through a whois query.
The DomainData class has six attributes:
system-status
Required. ENUM. Assesses the domain's involvement in the event.
1. spoofed. This domain was spoofed.
2. fraudulent. This domain was operated with fraudulent
intentions.
3. innocent-hacked. This domain was compromised by a third
party.
4. innocent-hijacked. This domain was deliberately hijacked.
5. unknown. No categorization for this domain known.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-system-status
Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.
domain-status
Required. ENUM. Categorizes the registry status of the domain at
the time the document was generated. These values and their
associated descriptions are derived from Section 3.2.2 of
[RFC3982].
1. reservedDelegation. The domain is permanently inactive.
2. assignedAndActive. The domain is in a normal state.
3. assignedAndInactive. The domain has an assigned registration
but the delegation is inactive.
4. assignedAndOnHold. The domain is under dispute.
5. revoked. The domain is in the process of being purged from
the database.
6. transferPending. The domain is pending a change in
authority.
7. registryLock. The domain is on hold by the registry.
8. registrarLock. Same as "registryLock".
9. other. ... TODO -- RFC 5901 has this but doesn't describe it
...
10. unknown. The domain has an unknown status.
11. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-domain-status
Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.
indicator-uid
Optional. STRING. See Section 3.3.2.
indicator-set-id
Optional. STRING. See Section 3.3.2.
3.20.1. RelatedDNS
...TODO...
+----------------------+
| RelatedDNS           |
+----------------------+
| STRING               |
|                      |
| ENUM record-type     |
| ENUM ext-record-type |
+----------------------+
Figure 35: The RelatedDNS Class
3.20.2. Nameservers Class
The Nameservers class describes the name servers associated with a
given domain.
+--------------------+
| Nameservers        |
+--------------------+
|                    |<>----------[ Server ]
|                    |<>--{1..*}--[ Address ]
+--------------------+
Figure 36: The Nameservers Class
The aggregate classes that constitute Nameservers are:
Server
One. ML_STRING. The domain name of the name server.
Address
One or more. The address of the name server. See Section 3.19.1.
3.20.3. DomainContacts Class
The DomainContacts class describes the contact information for a
given domain provided either by the registrar or through a whois
query.
This contact information can be explicitly described through a
Contact class or a reference can be provided to a domain with
identical contact information. Either a single SameDomainContact
MUST be present or one or many Contact classes.
+--------------------+
| DomainContacts     |
+--------------------+
|                    |<>--{0..1}--[ SameDomainContact ]
|                    |<>--{1..*}--[ Contact ]
+--------------------+
Figure 37: The DomainContacts Class
The aggregate classes that constitute DomainContacts are:
SameDomainContact
Zero or one. ML_STRING. A domain name already cited in this
document or through previous exchange that contains the identical
contact information as the domain name in question. The domain
contact information associated with this domain should be used in
lieu of explicit definition with the Contact class.
Contact
One or more. Contact information for the domain. See
Section 3.10.
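The DomainContacts rule above (exactly one SameDomainContact, or one or more Contact classes) and the SameDomainContact indirection, as an added example that is not part of the draft: a consumer checks each DomainContacts class and follows references to a domain cited earlier in the same document, reporting references it cannot resolve. The document fragment is constructed, the namespace is omitted, and the Contact attributes and ContactName child are assumed from IODEF rather than defined in this excerpt.

```python
"""Validate DomainContacts and resolve SameDomainContact references (IODEF v2)."""
import xml.etree.ElementTree as ET

# Constructed fragment with four DomainData classes:
#   example.com  explicit Contact (valid)
#   example.net  SameDomainContact pointing back at example.com (valid)
#   example.org  SameDomainContact pointing at a domain never cited here
#   example.edu  both SameDomainContact and Contact (violates the rule)
DOMAIN_SAMPLE = """
<Doc>
  <Node><DomainData system-status="fraudulent" domain-status="assignedAndActive">
    <Name>example.com</Name>
    <DomainContacts>
      <Contact type="organization" role="admin">
        <ContactName>Example Registrant</ContactName>
      </Contact>
    </DomainContacts>
  </DomainData></Node>
  <Node><DomainData system-status="fraudulent" domain-status="assignedAndActive">
    <Name>example.net</Name>
    <DomainContacts><SameDomainContact>example.com</SameDomainContact></DomainContacts>
  </DomainData></Node>
  <Node><DomainData system-status="unknown" domain-status="unknown">
    <Name>example.org</Name>
    <DomainContacts><SameDomainContact>nonexistent.example</SameDomainContact></DomainContacts>
  </DomainData></Node>
  <Node><DomainData system-status="unknown" domain-status="unknown">
    <Name>example.edu</Name>
    <DomainContacts>
      <SameDomainContact>example.com</SameDomainContact>
      <Contact type="person" role="tech"><ContactName>Someone</ContactName></Contact>
    </DomainContacts>
  </DomainData></Node>
</Doc>
"""


def validate_domain_contacts(dc):
    """Return the list of rule violations for one DomainContacts class."""
    same = dc.findall("SameDomainContact")
    contacts = dc.findall("Contact")
    problems = []
    if len(same) > 1:
        problems.append("more than one SameDomainContact")
    if same and contacts:
        problems.append("SameDomainContact and Contact both present")
    if not same and not contacts:
        problems.append("neither SameDomainContact nor Contact present")
    return problems


def resolve_contacts(xml_text):
    """Map each domain Name to its effective contact names.

    SameDomainContact is followed only to a domain already cited earlier in
    this document; a reference satisfied by a previous exchange cannot be
    checked here, so it is reported under problems rather than rejected."""
    root = ET.fromstring(xml_text)
    resolved, problems = {}, {}
    for dd in root.iter("DomainData"):
        name = dd.findtext("Name").strip()
        dc = dd.find("DomainContacts")
        if dc is None:
            continue
        errs = validate_domain_contacts(dc)
        ref = dc.findtext("SameDomainContact")
        if errs:
            problems[name] = errs
        elif ref is not None:
            ref = ref.strip()
            if ref in resolved:
                resolved[name] = resolved[ref]
            else:
                problems[name] = [f"SameDomainContact {ref!r} not cited earlier in this document"]
        else:
            resolved[name] = [c.findtext("ContactName") for c in dc.findall("Contact")]
    return resolved, problems


if __name__ == "__main__":
    ok, bad = resolve_contacts(DOMAIN_SAMPLE)
    print("resolved:", ok)
    print("problems:", bad)
```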
3.21. Service Class
The Service class describes a network service of a host or network.
The service is identified by a specific port or list of ports, along
with the application listening on that port.
When Service occurs as an aggregate class of a System that is a
source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate
skipping to change at page 63, line 14
+-------------------------+
| Service                 |
+-------------------------+
| INTEGER ip_protocol     |<>--{0..1}--[ Port ]
| STRING indicator-uid    |<>--{0..1}--[ Portlist ]
| STRING indicator-set-id |<>--{0..1}--[ ProtoCode ]
|                         |<>--{0..1}--[ ProtoType ]
|                         |<>--{0..1}--[ ProtoField ]
|                         |<>--{0..*}--[ ApplicationHeader ]
|                         |<>--{0..1}--[ EmailData ]
|                         |<>--{0..1}--[ Application ]
+-------------------------+
Figure 38: The Service Class
The aggregate classes that constitute Service are:
Port
Zero or one. INTEGER. A port number.
Portlist
Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10.
skipping to change at page 63, line 45
specific type field (e.g., ICMP type field).
ProtoField
Zero or one. INTEGER. A transport layer (layer 4) protocol
specific flag field (e.g., TCP flag field).
ApplicationHeader
Zero or many. An application layer (layer 7) protocol header.
See Section 3.21.1.
EmailData
Zero or one. Headers associated with an email. See Section 3.23.
Application
Zero or one. The application bound to the specified Port or
Portlist. See Section 3.21.2.
Either a Port or Portlist class MUST be specified for a given
instance of a Service class.
When a System class with category="source" and another with
category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and
System@category="target".
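The implicit Portlist pairing described above, as an added example that is not code from the draft: a consumer expands the source and target Portlists, recovers the positional n-th-to-n-th correspondence, and rejects a Flow whose port counts differ or that lists more than one source or target System when N is greater than 1. The Flow documents are constructed with the namespace omitted; Section 2.10 is not reproduced in this excerpt, so the PORTLIST syntax (comma-separated ports and hyphenated inclusive ranges, as in RFC 5070) is an assumption.

```python
"""Check the implicit source/target Portlist correspondence in an IODEF v2 Flow."""
import xml.etree.ElementTree as ET

# Constructed Flow: one source System and one target System, each with a
# Service carrying a Portlist of three ports (N = M = 3).
GOOD_FLOW = """
<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.1</Address></Node>
    <Service ip_protocol="6"><Portlist>40000-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.7</Address></Node>
    <Service ip_protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>
"""

# Constructed Flow that violates the rule: N = 2 source ports, M = 3 target ports.
BAD_FLOW = """
<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.1</Address></Node>
    <Service ip_protocol="6"><Portlist>40000,40001</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.7</Address></Node>
    <Service ip_protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>
"""


def parse_portlist(text):
    """Expand a PORTLIST into an ordered list of ports.

    Assumed Section 2.10 syntax (the RFC 5070 form): comma-separated port
    numbers and hyphenated inclusive ranges, e.g. "6667-6669,7000".  Order
    is preserved because the pairing with the other Portlist is positional."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"inverted range {item!r}")
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    if any(p < 0 or p > 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


def _ports_of(system):
    """Ports of one System: its Portlist if present, else its single Port."""
    portlist = system.findtext("Service/Portlist")
    if portlist is not None:
        return parse_portlist(portlist)
    port = system.findtext("Service/Port")
    return [int(port)] if port is not None else []


def check_flow(xml_text):
    """Return {'ok', 'errors', 'pairs'}; pairs holds the (source_port,
    target_port) correspondence implied by the identical sequencing rule."""
    flow = ET.fromstring(xml_text)
    sources = flow.findall("System[@category='source']")
    targets = flow.findall("System[@category='target']")
    src_ports = [p for s in sources for p in _ports_of(s)]
    dst_ports = [p for t in targets for p in _ports_of(t)]
    errors, pairs = [], []
    if len(src_ports) != len(dst_ports):
        errors.append(f"source lists {len(src_ports)} ports but target lists {len(dst_ports)}")
    if len(src_ports) > 1 and (len(sources) != 1 or len(targets) != 1):
        errors.append("N > 1 requires exactly one source and one target System")
    if not errors:
        pairs = list(zip(src_ports, dst_ports))
    return {"ok": not errors, "errors": errors, "pairs": pairs}


if __name__ == "__main__":
    print(check_flow(GOOD_FLOW))
    print(check_flow(BAD_FLOW))
```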
The Service class has three attributes: The Service class has three attributes:
ip_protocol ip_protocol
Required. INTEGER. The IANA protocol number. Required. INTEGER. The IANA assigned IP protocol number per
[IANA.Protocols].
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.21.1. ApplicationHeader Class 3.21.1. ApplicationHeader Class
The ApplicationHeader class allows the representation of arbitrary The ApplicationHeader class allows the representation of arbitrary
skipping to change at page 59, line 49 skipping to change at page 64, line 50
+--------------------------+ +--------------------------+
| ANY | | ANY |
| | | |
| INTEGER proto | | INTEGER proto |
| STRING field | | STRING field |
| ENUM dtype | | ENUM dtype |
| STRING indicator-uid | | STRING indicator-uid |
| STRING indicator-set-uid | | STRING indicator-set-uid |
+--------------------------+ +--------------------------+
Figure 38: The ApplicationHeader Class Figure 39: The ApplicationHeader Class
The ApplicationHeader class has five attributes: The ApplicationHeader class has five attributes:
proto proto
Required. INTEGER. The IANA protocol number from xxx corrending Required. INTEGER. The IANA assigned port number per
to the protocol whose field will be represented. [IANA.Ports] corresponding to the application layer protocol whose
field will be represented.
field field
Required. STRING. The name of the protocol field whose value Required. STRING. The name of the protocol field whose value
will be found in the element body. will be found in the element body.
dtype dtype
Required. ENUM. The data type of the element content. The Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default permitted values for this attribute are shown below. The default
value is "string". value is "string".
skipping to change at page 61, line 25 skipping to change at page 66, line 26
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
| STRING configid | | STRING configid |
| STRING vendor | | STRING vendor |
| STRING family | | STRING family |
| STRING name | | STRING name |
| STRING version | | STRING version |
| STRING patch | | STRING patch |
+--------------------+ +--------------------+
Figure 39: The Application Class Figure 40: The Application Class
The aggregate class that constitute Application is: The aggregate class that constitute Application is:
URL URL
Zero or one. URL. A URL describing the application. Zero or one. URL. A URL describing the application.
The Application class has seven attributes: The Application class has seven attributes:
swid swid
Optional. STRING. An identifier that can be used to reference Optional. STRING. An identifier that can be used to reference
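Review bot: number agreement in the aggregate-class lead-in: "The aggregate class that constitute Application is:" should read "that constitutes". The same sentence pattern is mismatched in several other class sections in this section of the draft (for example "The aggregate classes that constitutes RecordData is:" and "The aggregate classes that constitutes Key are:"), so one editorial pass over these lead-ins would fix them together.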
skipping to change at page 62, line 15 skipping to change at page 67, line 17
patch patch
Optional. STRING. Patch or service pack level of the software. Optional. STRING. Patch or service pack level of the software.
3.22. OperatingSystem Class 3.22. OperatingSystem Class
The OperatingSystem class describes the operating system running on a The OperatingSystem class describes the operating system running on a
System. The definition is identical to the Application class System. The definition is identical to the Application class
(Section 3.21.2). (Section 3.21.2).
3.23. EmailInfo Class 3.23. EmailData Class
The EmailInfo class describes common headers from email messages. The EmailData class describes headers from an email message. Common
headers have dedicated classes, but arbitrary headers can also be
described.
+-------------------------+ +-------------------------+
| EmailInfo | | EmailData |
+-------------------------+ +-------------------------+
| STRING indicator-uid |<>--{0..1}--[ EmailFrom ] | STRING indicator-uid |<>--{0..1}--[ EmailFrom ]
| STRING indicator-set-id |<>--{0..1}--[ EmailSubject ] | STRING indicator-set-id |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
+-------------------------+ +-------------------------+
Figure 40: EmailInfo Class Figure 41: EmailData Class
The aggregate class that constitutes EmailInfo are: The aggregate class that constitutes EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322]. See Section 3.6.2 of [RFC5322].
EmailSubject EmailSubject
Zero or one. The value of the "Subject:" header field in an Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322]. email. See Section 3.6.4 of [RFC5322].
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. The value of the "X-Mailer:" header field in an
email. email.
The EmailInfo class has two attributes: EmailHeaderField
Zero or one. The value of an arbitrary header field in the email.
See Section 3.21.1. The attributes of EmailHeaderField MUST be
set as follows: proto="25" and dtype="string". The name of the
email header field MUST be set in the field attribute.
The EmailData class has two attributes:
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.24. Record Class 3.24. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------+ +------------------+
| Record | | Record |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
+------------------+ +------------------+
Figure 41: Record Class Figure 42: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has one attribute: The Record class has one attribute:
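Review bot: the cardinality of EmailHeaderField is stated three different ways: the prose says "Zero or one", the figure shows {0..*}, and the schema declaration of EmailHeaderField has minOccurs="0" with no maxOccurs (so at most one). Pick one and align the other two; {0..*} is the useful one if the intent is to carry several arbitrary headers from the same message. The rename from EmailInfo to EmailData is also only half done: the schema still declares the element as EmailInfo and the Service class still references it under that name. Finally, since proto is now defined as a port number, the "MUST be set as follows: proto="25"" rule should say explicitly that 25 is a conventional identifier for the SMTP/email header space rather than the port the message was actually observed on, because messages are routinely received over submission or other ports and a reader could otherwise take it as an observed value.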
skipping to change at page 63, line 45 skipping to change at page 69, line 13
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+-------------------------+ +-------------------------+
| RecordData | | RecordData |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..1}--[ Application ] | STRING indicator-set-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashInformation ] | |<>--{0..1}--[ HashData ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 42: The RecordData Class Figure 43: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
skipping to change at page 64, line 24 skipping to change at page 69, line 41
Zero or one. Information about the sensor used to generate the Zero or one. Information about the sensor used to generate the
RecordItem data. RecordItem data.
RecordPattern RecordPattern
Zero or more. A search string to precisely find the relevant data Zero or more. A search string to precisely find the relevant data
in a RecordItem. in a RecordItem.
RecordItem RecordItem
Zero or more. Log, audit, or forensic data. Zero or more. Log, audit, or forensic data.
HashInformation HashData
Zero or one. The file name and hash of a file indicator. Zero or one. The file name and hash of a file indicator.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or more. The registry keys that were modified that are Zero or more. The registry keys that were modified that are
indicator(s). indicator(s).
AdditionalData AdditionalData
Zero or more. An extension mechanism for data not explicitly Zero or more. An extension mechanism for data not explicitly
represented in the data model. represented in the data model.
skipping to change at page 65, line 18 skipping to change at page 70, line 34
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 43: The RecordPattern Class Figure 44: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex".
1. regex. regular expression, per Appendix F of 1. regex. regular expression, per Appendix F of
[W3C.SCHEMA.DTYPES]. [W3C.SCHEMA.DTYPES].
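Review bot: the regex pattern type needs a matching security consideration, either here or in the Security Considerations section. A RecordPattern is supplied by the sender and evaluated by the recipient against RecordItem content, so a receiving implementation should treat the expression as untrusted input, bound the time and memory spent matching it, and reject a pattern that fails to compile instead of silently searching for it as a literal. One sentence stating that is enough to put implementers on notice.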
skipping to change at page 66, line 41 skipping to change at page 72, line 12
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| STRING indicator-uid |<>--{1..*}--[ Key ] | STRING indicator-uid |<>--{1..*}--[ Key ]
| STRING indicator-set-id | | STRING indicator-set-id |
+-----------------------------+ +-----------------------------+
Figure 44: The WindowsRegistryKeysModified Class Figure 45: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the WindowsRegistryKeysModified The aggregate class that constitutes the WindowsRegistryKeysModified
class is: class is:
Key Key
One or many. The Window registry key. One or many. The Window registry key.
The WindowsRegistryKeysModified class has two attributes: The WindowsRegistryKeysModified class has two attributes:
indicator-uid indicator-uid
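Review bot: typo and inconsistent wording in the Key description: "The Window registry key" should be "The Windows registry key", and "One or many" should be "One or more", which is the phrasing used for every other aggregate in the document (RecordData, AdditionalData, and so on).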
skipping to change at page 67, line 22 skipping to change at page 72, line 42
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
+---------------------------+ +---------------------------+
Figure 45: The Key Class Figure 46: The Key Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
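Review bot: formatting in the KeyName description: "(e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])" is missing the space after "e.g.," and the sentence has no terminating period; the other aggregate descriptions in the section all end with one.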
skipping to change at page 68, line 27 skipping to change at page 73, line 46
ext-type ext-type
Optional. A means by which to extend the type attribute. See Optional. A means by which to extend the type attribute. See
Section 5.1. Section 5.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.26. HashInformation Class 3.26. HashData Class
This class are the hash and signature details that are needed for The HashData class describes files, file hashes, ... TODO ...the hash
providing context for indicators. and signature details that are needed for providing context for
indicators.
+--------------------------+ +--------------------------+
| HashInformation | | HashData |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-type |<>--{0..*}--[ FileSize ] | STRING ext-type |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ ds:Signature ] | BOOL valid |<>--{0..*}--[ ds:Signature ]
| STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ] | STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ]
| STRING indicator-set-id |<>--{0..*}--[ ds:Reference ] | STRING indicator-set-id |<>--{0..*}--[ ds:Reference ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 46: The HashInformation Class Figure 47: The HashData Class
The aggregate classes that constitutes HashInformation are: The aggregate classes that constitutes HashData are:
FileName FileName
Zero or more. ML_STRING. The name of the file. Zero or more. ML_STRING. The name of the file.
FileSize FileSize
Zero or more. INTEGER. The size of the file in bytes. Zero or more. INTEGER. The size of the file in bytes.
ds:Signature ds:Signature
Zero or more. Zero or more.
ds:KeyInfo ds:KeyInfo
Zero or more. Zero or more.
ds:Reference ds:Reference
Zero or more. The algorithm identification and value of a hash Zero or more. The algorithm identification and value of a hash
computed over a file. This element is defined in [RFC3275]. computed over a file. This element is defined in [RFC3275].
Refer to RFC 5901. Refer to RFC 5901.
The HashInformation class has five attributes: AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9
The HashData class has five attributes:
type type
Optional. ENUM. The Hash Type. Optional. ENUM. The Hash Type.
1. PKI-email-ds. PKI email digital signature. 1. PKI-email-ds. PKI email digital signature.
2. PKI-file-ds. PKI file digital signature. 2. PKI-file-ds. PKI file digital signature.
3. PKI-email-ds_watchlist. Watchlist of PKI email digital 3. PKI-email-ds_watchlist. Watchlist of PKI email digital
signatures. signatures.
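Review bot: the new HashData introduction still contains an unresolved "... TODO ..." in the middle of its first sentence and must be completed before this revision is usable. In the same section, ds:Signature and ds:KeyInfo are listed with no description at all, ds:Reference ends with a bare "Refer to RFC 5901." that should cite the specific section of [RFC5901] meant, and the AdditionalData entry lacks the period after "Section 3.9". The type attribute is described as "The Hash Type" but its enumerated values (PKI-email-ds, PKI-file-ds, PKI-email-ds_watchlist, ...) describe digital-signature contexts, not hash algorithms; the algorithm identification already lives in ds:Reference per the description above, so either rename this attribute's description to match what it enumerates or explain how the two relate.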
skipping to change at page 89, line 4 skipping to change at page 94, line 25
<xs:element ref="iodef:Telephone" <xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax" <xs:element ref="iodef:Fax"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Timezone" <xs:element ref="iodef:Timezone"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="role" use="required"> <xs:attribute name="role" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/> <xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/> <xs:enumeration value="admin"/>
<xs:enumeration value="tech"/> <xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/> <xs:enumeration value="irt"/>
<xs:enumeration value="cc"/> <xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-role" <xs:attribute name="ext-role"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/> <xs:enumeration value="person"/>
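Review bot: the role enumeration gains reporter, provider, zone, user, billing, legal, abuse, cc-irt and le in this revision, but the prose description of the Contact class (not in this diff) must enumerate and define the same values, including what distinguishes irt from cc-irt and what le expands to, or the information model and the schema disagree. Since every other value is spelled out, consider the full word instead of the abbreviation le.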
skipping to change at page 94, line 11 skipping to change at page 99, line 40
<!-- <!--
================================================================== ==================================================================
== Assessment class == == Assessment class ==
================================================================== ==================================================================
--> -->
<xs:element name="Assessment"> <xs:element name="Assessment">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/> <xs:element ref="iodef:Impact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/> <xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/> <xs:element ref="iodef:MonetaryImpact"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="occurrence"> <xs:attribute name="occurrence">
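Review bot: BusinessImpact is added to the Assessment choice here, so the Assessment class description and figure in the information model need a corresponding BusinessImpact aggregate with the same cardinality treatment as Impact, TimeImpact and MonetaryImpact; otherwise the prose falls out of step with the schema.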
skipping to change at page 95, line 4 skipping to change at page 100, line 34
<xs:attribute name="completion"> <xs:attribute name="completion">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/> <xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/> <xs:enumeration value="succeeded"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="type" <xs:attribute name="type"
use="optional" default="unknown"> use="optional" default="unknown">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<!-- CHANGE question: do we want to allow multiple
values to be selected in case it is a combination?
-->
<xs:enumeration value="admin"/> <xs:enumeration value="admin"/>
<xs:enumeration value="dos"/> <xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/> <xs:enumeration value="extortion"/>
<xs:enumeration value="file"/> <xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/> <xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/> <xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/> <xs:enumeration value="recon"/>
<xs:enumeration value="policy"/> <xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/> <xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/> <xs:enumeration value="user"/>
skipping to change at page 95, line 31 skipping to change at page 101, line 9
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="BusinessImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="loss-financial"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact"> <xs:element name="TimeImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="metric" <xs:attribute name="metric"
use="required"> use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
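Review bot: the new BusinessImpact element defines its own inline severity enumeration (none, low, medium, high, unknown, ext-value) while TimeImpact, directly below it, declares severity with type="iodef:severity-type". Reuse iodef:severity-type here unless the extra values are deliberate, in which case the prose should explain the difference. The type enumeration also mixes hyphenation styles ("loss-of-service" beside "loss-financial"); a consistent form is easier on implementers who map these to their own taxonomies.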
skipping to change at page 102, line 19 skipping to change at page 108, line 41
type="xs:integer"/> type="xs:integer"/>
<xs:element name="Portlist" <xs:element name="Portlist"
type="iodef:PortlistType"/> type="iodef:PortlistType"/>
</xs:choice> </xs:choice>
<xs:element name="ProtoType" <xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode" <xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField" <xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element ref="iodef:ApplicationHeader" <xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE - email from address indicator, may be better as a sub <!-- CHANGE - email from address indicator, may be better as a sub
class? Would only make sense with the service set to class? Would only make sense with the service set to
email ports or none at all here or a new class. --> email ports or none at all here or a new class. -->
<xs:element ref="Email" minOccurs="0"/> <xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer" <xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element ref="EmailInfo" minOccurs="0"/> <xs:element ref="EmailInfo" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from <!-- CHANGE - added DomainData class and subclasses from
RFC5901 --> RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="ip_protocol" <xs:attribute name="ip_protocol"
type="xs:integer" use="required"/> type="xs:integer" use="required"/>
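Review bot: this hunk changes ApplicationHeader from ref="iodef:ApplicationHeader" to a locally named element with type="iodef:ApplicationHeaderType", but the ApplicationHeader declaration later in the schema uses an anonymous complexType and no complexType named ApplicationHeaderType is defined anywhere in this revision, so the schema will not validate; the EmailHeaderField element in EmailInfo references the same undefined type. Also in this sequence, ref="Email" and ref="EmailInfo" lack the iodef: prefix that every other ref carries, the inline EmailSubject and X-Mailer elements duplicate what EmailInfo now provides, and the CHANGE comment about the email-from indicator is now addressed by EmailInfo and can go.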
skipping to change at page 103, line 46 skipping to change at page 110, line 21
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== EMailInfo class == == EMailInfo class ==
================================================================== ==================================================================
--> -->
<!-- CHANGE: added the email details in a subclass for use when
you do not need all of the email details provided in the
RFC5901 or ARF extensions. No extension mechanism here, is it
needed? Possible to create an IANA table to extend this class
if needed in the future outside of schema edit cycles -->
<xs:element name="EmailInfo"> <xs:element name="EmailInfo">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="EmailFrom" <xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer" <xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
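Review bot: the information model renames this class to EmailData (Section 3.23) but the schema still declares it as EmailInfo, and the Service class references it by that name; pick one. The new EmailHeaderField element has minOccurs="0" with no maxOccurs, i.e. at most one, while the figure shows {0..*}; either add maxOccurs="unbounded" here or change the figure. Its type, iodef:ApplicationHeaderType, is not defined in this revision. The prose constraint that EmailHeaderField MUST carry proto="25" and dtype="string" cannot be expressed by reusing the generic ApplicationHeader type, so a schema comment pointing at Section 3.23 would help implementers find the rule.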
<!-- <!--
================================================================== ==================================================================
== ApplicationHeadr class ==
==================================================================
-->
<xs:element name="ApplicationHeader">
<xs:complexType>
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="required"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
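Review bot: the content model of ApplicationHeader is a sequence of xs:any processContents="lax", whereas Section 3.21.1 says the field value "will be found in the element body" with dtype describing its data type; an xs:any sequence admits arbitrary child elements, not a typed simple value. The simpleContent/extension pattern used elsewhere in this schema (RelatedDNSEntryType, for instance) would make a string body with these attributes what actually validates. Three smaller points in the same declaration: the banner misspells the class as "ApplicationHeadr"; the attribute is indicator-set-id here but indicator-set-uid in the ApplicationHeader figure (Figure 39 in this revision); and dtype is use="required" with no default although the prose gives "string" as the default.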
<!--
==================================================================
== DomainData class - from RFC5901 == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
--> -->
<xs:element name="DomainData"> <xs:element name="DomainData">
<xs:complexType id="DomainData.type"> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Name" <xs:element name="Name"
type="iodef:MLStringType" maxOccurs="1" /> type="iodef:MLStringType" maxOccurs="1" />
<xs:element name="DateDomainWasChecked" <xs:element name="DateDomainWasChecked"
type="xs:dateTime" type="xs:dateTime"
maxOccurs="1" minOccurs="0" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RegistrationDate" <xs:element name="RegistrationDate"
type="xs:dateTime" type="xs:dateTime"
maxOccurs="1" minOccurs="0" /> minOccurs="0" maxOccurs="1" />
<xs:element name="ExpirationDate" <xs:element name="ExpirationDate"
type="xs:dateTime" type="xs:dateTime"
maxOccurs="1" minOccurs="0" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType" type="iodef:RelatedDNSEntryType"
maxOccurs="unbounded" minOccurs="0" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Nameservers" <xs:element ref="iodef:Nameservers"
maxOccurs="unbounded" minOccurs="0"> minOccurs="0" maxOccurs="unbounded" />
<xs:complexType id="Nameservers.type"> <xs:element ref="iodef:DomainContacts"
<xs:sequence> minOccurs="0" maxOccurs="1" />
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="iodef:Contact"/>
</xs:sequence>
</xs:choice>
</xs:sequence> </xs:sequence>
<xs:attribute name="SystemStatus">
<xs:simpleType id="SystemStatus.type"> <xs:attribute name="system-status">
<xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/> <xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/> <xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/> <xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/> <xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-system-status"
<xs:attribute name="DomainStatus"> type="xs:string" use="optional"/>
<xs:simpleType id="DomainStatus.type"> <xs:attribute name="domain-status">
<xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/> <xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/> <xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/> <xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/> <xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/> <xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/> <xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/> <xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/> <xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
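Review bot: the renames to system-status and domain-status plus the new ext-system-status and ext-domain-status attributes follow the document's ext- convention, but neither enumeration contains the "ext-value" entry that convention depends on (compare record-type below, which does), so the ext- attributes can never be used legitimately; add ext-value to both lists. Both restrictions are also base="xs:string" where every other enumeration in the schema uses xs:NMTOKEN. The DomainData prose section needs updating for the new Nameservers and DomainContacts aggregates and the new attribute names.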
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/> type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType"> <xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="RecordType" use="optional"> <xs:attribute name="record-type" use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/> <xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/> <xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/> <xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/> <xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/> <xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/> <xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/> <xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/> <xs:enumeration value="CNAME"/>
skipping to change at page 107, line 25 skipping to change at page 113, line 12
<xs:enumeration value="SSHFP"/> <xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/> <xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/> <xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/> <xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/> <xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/> <xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-RecordType" <xs:attribute name="ext-record-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded" minOccurs="1"/>
</xs:choice>
</xs:complexType>
</xs:element>
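Review bot: DomainContacts is a choice between a single SameDomainContact string and one or more Contact elements, so minOccurs="1" on Contact is the default and can be dropped; the prose should also say what value SameDomainContact is expected to hold, since an MLStringType body inside a choice with Contact is not self-explanatory. Nameservers, factored out of the old inline declaration, is a behaviour-preserving move (one Server name with one or more Address elements) and reads fine.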
<!-- <!--
================================================================== ==================================================================
== Record class == == Record class ==
================================================================== ==================================================================
--> -->
<xs:element name="Record"> <xs:element name="Record">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:RecordData" <xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
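Review bot: in the new DomainContacts element, SameDomainContact is typed iodef:MLStringType, yet its position in a choice against Contact suggests it is a marker meaning "the contacts are the same as those already given for the domain" rather than a free-form, translatable string; if no text content is intended, an empty element or a value drawn from the existing yes-no-type would be clearer and would spare every consumer from deciding what to do with arbitrary text there. The rename of ext-RecordType to ext-record-type brings the attribute in line with the lower-case ext-dtype used elsewhere in the schema; make sure the data-model text and the examples use the new spelling, since an instance carrying the old name will fail validation against -05.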
skipping to change at page 110, line 10 skipping to change at page 116, line 19
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
</xs:sequence> </xs:sequence>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- CHANGE: Should this be broken out as another class
for WindowsRegistryKeyModified and add attributes
for indicator_ID and action - add_value, removes_value, etc.
as is demonstrated?
-->
<!-- <!--
================================================================== ==================================================================
== Classes that describe hash types, file information == == Classes that describe hash types, file information ==
== with certificate properties and digital signature info == == with certificate properties and digital signature info ==
== provided through the W3C digital signature schema == == provided through the W3C digital signature schema ==
== so it does not need to be maintained here. == == so it does not need to be maintained here. ==
================================================================== ==================================================================
--> -->
<xs:element name="HashInformation"> <xs:element name="HashInformation">
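Review bot: the CHANGE: comment asking whether WindowsRegistryKeyModified should become its own class with indicator-ID and action attributes (add_value, removes_value, etc.) is removed in -05, but nothing in this hunk shows the question being resolved. If the decision was not to add the class, record it in the change log or the data-model text so the question is not reopened; if it is still open, track it outside the schema rather than letting it disappear silently.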
skipping to change at page 110, line 43 skipping to change at page 116, line 47
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5), and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. --> KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature" <xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo" <xs:element ref="ds:KeyInfo"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference" <xs:element ref="ds:Reference"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- QUESTION: Do we want an AdditionalData here? --> <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="type" use="optional"> <xs:attribute name="type" use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/> <xs:enumeration value="PKI-email-ds"/>
<xs:enumeration value="PKI-file-ds"/> <xs:enumeration value="PKI-file-ds"/>
<xs:enumeration value="PKI-email-ds-watchlist"/> <xs:enumeration value="PKI-email-ds-watchlist"/>
<xs:enumeration value="PKI-file-ds-watchlist"/> <xs:enumeration value="PKI-file-ds-watchlist"/>
<xs:enumeration value="PGP-email-ds"/> <xs:enumeration value="PGP-email-ds"/>
<xs:enumeration value="PGP-file-ds"/> <xs:enumeration value="PGP-file-ds"/>
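Review bot: HashInformation now carries ds:Signature, ds:KeyInfo and ds:Reference (plus the newly added AdditionalData) as reported data, i.e. the signature or key observed on an e-mail or file, as the PKI-email-ds, PKI-file-ds and PGP-file-ds type values indicate; the definition should say explicitly that a ds:Signature here is content being described and is not a signature over the IODEF document, so that an implementation does not treat a verifiable embedded signature as authenticating the report, and that consumers should not automatically fetch or verify KeyInfo or Reference material taken from an incident report. The in-schema comment about RFC3275 sections 4.4.4/4.4.5 and using KeyInfo and Reference directly "to avoid some bloat" reads as working notes; rewrite it as a plain statement of which element is used for what.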
skipping to change at page 113, line 17 skipping to change at page 119, line 23
type="iodef:dtype-type" use="required"/> type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype" <xs:attribute name="ext-dtype"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="formatid" <xs:attribute name="formatid"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="required"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
<!-- <!--
================================================================== ==================================================================
== Global attribute type declarations == == Global attribute type declarations ==
================================================================== ==================================================================
--> -->
<xs:simpleType name="yes-no-type"> <xs:simpleType name="yes-no-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/> <xs:enumeration value="yes"/>
<xs:enumeration value="no"/> <xs:enumeration value="no"/>
</xs:restriction> </xs:restriction>
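Review bot: ApplicationHeaderType declares proto as a bare xs:integer; since the value is meant to come from the IANA protocol numbers registry ([IANA.Protocols] is added as a normative reference in this same revision), restricting it to the 0..255 range would let the schema reject nonsense values instead of leaving that to every consumer. The xs:any with namespace="##any" processContents="lax" on a mixed-content type means arbitrary foreign markup is accepted and validated only if its schema happens to be known to the receiver; the text should remind consumers that this content is untrusted input from the reporting party and must not be handed to a component that acts on it (for example a parser with external entity resolution enabled) without validation.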
skipping to change at page 119, line 5 skipping to change at page 125, line 31
currencies and funds, ISO 4217:2001", ISO 4217:2001, currencies and funds, ISO 4217:2001", ISO 4217:2001,
August 2001. August 2001.
[RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January [RFC3688] Mealling, M., "The IETF XML Registry", RFC 3688, January
2004. 2004.
[RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup [RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
Language) XML-Signature Syntax and Processing", RFC 3275, Language) XML-Signature Syntax and Processing", RFC 3275,
March 2002. March 2002.
[IANA.Ports]
Internet Assigned Numbers Authority, "Service Name and
Transport Protocol Port Number Registry", January 2014,
<http://www.iana.org/assignments/
service-names-port-numbers/
service-names-port-numbers.txt>.
[IANA.Protocols]
Internet Assigned Numbers Authority, "Assigned Internet
Protocol Numbers", January 2014, <http://www.iana.org/
assignments/protocol-numbers/protocol-numbers.txt>.
12.2. Informative References 12.2. Informative References
[refs.requirements] [refs.requirements]
Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
for the Format for Incident Information Exchange (FINE)", for the Format for Incident Information Exchange (FINE)",
Work in Progress, June 2006. Work in Progress, June 2006.
[RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein, [RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein,
"Intrusion Detection Message Exchange Format", RFC 4765, "Intrusion Detection Message Exchange Format", RFC 4765,
March 2007. March 2007.
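Review bot: the [RFC4765] entry lists Debar, H. twice, an error carried over unchanged from -04; the authors of RFC 4765 are H. Debar, D. Curry and B. Feinstein, and its title is "The Intrusion Detection Message Exchange Format (IDMEF)", so the entry should read: Debar, H., Curry, D., and B. Feinstein, "The Intrusion Detection Message Exchange Format (IDMEF)", RFC 4765, March 2007.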
skipping to change at page 119, line 26 skipping to change at page 126, line 15
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
6545, April 2012. 6545, April 2012.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network [RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, April Defense (RID) Messages over HTTP/TLS", RFC 6546, April
2012. 2012.
[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document [RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
Class for Reporting Phishing", RFC 5901, July 2010. Class for Reporting Phishing", RFC 5901, July 2010.
[NIST800.61rev2]
Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
"NIST Special Publication 800-61 Revision 2: Computer
Security Incident Handling Guide", January 2012,
<http://csrc.nist.gov/publications/nistpubs/800-61rev2/
SP800-61rev2.pdf>.
[RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
Type for the Internet Registry Information Service
(IRIS)", RFC 3982, January 2005.
[KB310516] [KB310516]
Microsoft Corporation, "How to add, modify, or delete Microsoft Corporation, "How to add, modify, or delete
registry subkeys and values by using a registration registry subkeys and values by using a registration
entries (.reg) file", December 2007. entries (.reg) file", December 2007.
[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma- [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
Separated Values (CSV) File", RFC 4180, October 2005. Separated Values (CSV) File", RFC 4180, October 2005.
Authors' Addresses Authors' Addresses
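Review bot: [KB310516] is the only informative entry without a locator, while the new [NIST800.61rev2] entry carries a URL; Microsoft KB articles are hard to find by number alone once retired, so add the URL or an archived copy. The new [RFC3982] (IRIS dreg) reference is not tied to anything in this diff; if it backs the new Nameservers and DomainContacts elements, the data-model text should say which fields map to it.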
 End of changes. 107 change blocks. 
240 lines changed or deleted 570 lines changed or added
