Diff: draft-ietf-mile-rfc5070-bis-05.txt vs. draft-ietf-mile-rfc5070-bis-06.txt

MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070 (if approved)                                P. Stoecker
Intended status: Standards Track                                     RSA
Expires: July 5, 2014 (-05) / August 18, 2014 (-06)
                             January 2014 (-05) / February 14, 2014 (-06)

          The Incident Object Description Exchange Format v2
       draft-ietf-mile-rfc5070-bis-05 / draft-ietf-mile-rfc5070-bis-06
Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation that provides a framework for sharing information
   commonly exchanged by Computer Security Incident Response Teams
   (CSIRTs) about computer security incidents.  This document describes
   the information model for the IODEF and provides an associated data
   model specified with XML Schema.
skipping to change at page 1, line 36

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 5, 2014 (-05) / August 18,
   2014 (-06).

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 2, line 24

   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents (as in -06; -05 has no sections 3.12 Discovery Class,
3.12.1 DetectionPattern Class or 4.4 Incompatibilities with v1, and
numbers the sections after 3.11 one lower accordingly)

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Changes from 5070  . . . . . . . . . . . . . . . . . . . .  5
     1.2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  6
     1.3.  Notations  . . . . . . . . . . . . . . . . . . . . . . . .  7
     1.4.  About the IODEF Data Model . . . . . . . . . . . . . . . .  7
     1.5.  About the IODEF Implementation . . . . . . . . . . . . . .  8
   2.  IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . .  8
     2.1.  Integers . . . . . . . . . . . . . . . . . . . . . . . . .  8
     2.2.  Real Numbers . . . . . . . . . . . . . . . . . . . . . . .  8
     2.3.  Characters and Strings . . . . . . . . . . . . . . . . . .  9
     2.4.  Multilingual Strings . . . . . . . . . . . . . . . . . . .  9
     2.5.  Bytes  . . . . . . . . . . . . . . . . . . . . . . . . . .  9
     2.6.  Hexadecimal Bytes  . . . . . . . . . . . . . . . . . . . .  9
     2.7.  Enumerated Types . . . . . . . . . . . . . . . . . . . . .  9
     2.8.  Date-Time Strings  . . . . . . . . . . . . . . . . . . . . 10
     2.9.  Timezone String  . . . . . . . . . . . . . . . . . . . . . 10
     2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . . 10
     2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . . 10
     2.12. Person or Organization . . . . . . . . . . . . . . . . . . 10
     2.13. Telephone and Fax Numbers  . . . . . . . . . . . . . . . . 11
     2.14. Email String . . . . . . . . . . . . . . . . . . . . . . . 11
     2.15. Uniform Resource Locator strings . . . . . . . . . . . . . 11
   3.  The IODEF Data Model . . . . . . . . . . . . . . . . . . . . . 11
     3.1.  IODEF-Document Class . . . . . . . . . . . . . . . . . . . 11
     3.2.  Incident Class . . . . . . . . . . . . . . . . . . . . . . 12
     3.3.  Common Attributes  . . . . . . . . . . . . . . . . . . . . 15
       3.3.1.  restriction Attribute  . . . . . . . . . . . . . . . . 15
       3.3.2.  Indicator Attributes . . . . . . . . . . . . . . . . . 16
     3.4.  IncidentID Class . . . . . . . . . . . . . . . . . . . . . 16
     3.5.  AlternativeID Class  . . . . . . . . . . . . . . . . . . . 17
     3.6.  RelatedActivity Class  . . . . . . . . . . . . . . . . . . 18
     3.7.  ThreatActor Class  . . . . . . . . . . . . . . . . . . . . 19
     3.8.  Campaign Class . . . . . . . . . . . . . . . . . . . . . . 20
     3.9.  AdditionalData Class . . . . . . . . . . . . . . . . . . . 21
     3.10. Contact Class  . . . . . . . . . . . . . . . . . . . . . . 23
       3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . . 26
       3.10.2. PostalAddress Class  . . . . . . . . . . . . . . . . . 27
       3.10.3. Email Class  . . . . . . . . . . . . . . . . . . . . . 28
       3.10.4. Telephone and Fax Classes  . . . . . . . . . . . . . . 28
     3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . . 29
       3.11.1. StartTime Class  . . . . . . . . . . . . . . . . . . . 29
       3.11.2. EndTime Class  . . . . . . . . . . . . . . . . . . . . 29
       3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . . 29
       3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . . 30
       3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . . . 30
     3.12. Discovery Class  . . . . . . . . . . . . . . . . . . . . . 30
       3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . . 31
     3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . . 32
       3.13.1. Reference Class  . . . . . . . . . . . . . . . . . . . 33
     3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . . 34
       3.14.1. Impact Class . . . . . . . . . . . . . . . . . . . . . 35
       3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . . 37
       3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . . 39
       3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . . 41
       3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . . 42
     3.15. History Class  . . . . . . . . . . . . . . . . . . . . . . 43
       3.15.1. HistoryItem Class  . . . . . . . . . . . . . . . . . . 44
     3.16. EventData Class  . . . . . . . . . . . . . . . . . . . . . 46
       3.16.1. Relating the Incident and EventData Classes  . . . . . 48
       3.16.2. Cardinality of EventData . . . . . . . . . . . . . . . 48
     3.17. Expectation Class  . . . . . . . . . . . . . . . . . . . . 49
     3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . . 52
     3.19. System Class . . . . . . . . . . . . . . . . . . . . . . . 52
     3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . . 55
       3.20.1. Address Class  . . . . . . . . . . . . . . . . . . . . 57
       3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . . 58
       3.20.3. Counter Class  . . . . . . . . . . . . . . . . . . . . 60
     3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . . 62
       3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . . 64
       3.21.2. Nameservers Class  . . . . . . . . . . . . . . . . . . 65
       3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . . 65
     3.22. Service Class  . . . . . . . . . . . . . . . . . . . . . . 66
       3.22.1. ApplicationHeader Class  . . . . . . . . . . . . . . . 68
       3.22.2. Application Class  . . . . . . . . . . . . . . . . . . 69
     3.23. OperatingSystem Class  . . . . . . . . . . . . . . . . . . 70
     3.24. EmailData Class  . . . . . . . . . . . . . . . . . . . . . 70
     3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . . 71
       3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . . 72
       3.25.2. RecordPattern Class  . . . . . . . . . . . . . . . . . 73
       3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . . 75
     3.26. WindowsRegistryKeysModified Class  . . . . . . . . . . . . 75
       3.26.1. Key Class  . . . . . . . . . . . . . . . . . . . . . . 76
     3.27. HashData Class . . . . . . . . . . . . . . . . . . . . . . 77
   4.  Processing Considerations  . . . . . . . . . . . . . . . . . . 79
     4.1.  Encoding . . . . . . . . . . . . . . . . . . . . . . . . . 79
     4.2.  IODEF Namespace  . . . . . . . . . . . . . . . . . . . . . 80
     4.3.  Validation . . . . . . . . . . . . . . . . . . . . . . . . 80
     4.4.  Incompatibilities with v1  . . . . . . . . . . . . . . . . 81
   5.  Extending the IODEF  . . . . . . . . . . . . . . . . . . . . . 81
     5.1.  Extending the Enumerated Values of Attributes  . . . . . . 81
     5.2.  Extending Classes  . . . . . . . . . . . . . . . . . . . . 82
   6.  Internationalization Issues  . . . . . . . . . . . . . . . . . 84
   7.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
     7.1.  Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
     7.2.  Reconnaissance . . . . . . . . . . . . . . . . . . . . . . 87
     7.3.  Bot-Net Reporting  . . . . . . . . . . . . . . . . . . . . 89
     7.4.  Watch List . . . . . . . . . . . . . . . . . . . . . . . . 90
   8.  The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . . 92
   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 126
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 127
   11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 128
   12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 128
     12.1. Normative References . . . . . . . . . . . . . . . . . . . 128
     12.2. Informative References . . . . . . . . . . . . . . . . . . 130
1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a bot-
   network, or sharing watch-lists of known malicious IP addresses in a
   consortium.

skipping to change at page 6, line 5 (-05) / page 6, line 8 (-06)
1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 Errata was implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  -05: The attributes @indicator-uid and @indicator-set-id were
      added to various classes to reference commonly shared indicators.
      -06: The @indicator-* attributes were added to various classes to
      reference commonly shared indicators.

   o  (-06 only) The following classes were added to IODEF-Document:
      AdditionalData.

   o  (-06 only) The following classes were added to Incident and
      EventData: Discovery.

   o  -05: The following classes and attributes were added to the
      Service class: Email, EmailSubject, X-Mailer, DomainData, AssetID,
      @virtual, and @ownership.
      -06: The following classes and attributes were added to the
      Service class: EmailData, DomainData, AssetID, ApplicationHeader,
      @virtual, and @ownership.  Service@ip_protocol was renamed to
      @ip-protocol.

   o  -05: The following classes were added to the Record class:
      FileName, ds:Reference, and WindowsRegistryKeysModified.
      -06: The following classes were added to the Record class:
      FileName and WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  (-06 only) The following classes were added to Assessment:
      BusinessImpact.

   o  -05: The following classes were added to Node: PostalAddress.
      -06: The following classes were added to Node: PostalAddress and
      DomainData.  The following classes were removed from Node:
      NodeName and DateTime.

   o  The following classes were added to the Contact class:
      ContactTitle.

   o  (-06 only) The following classes were added to Expectation and
      HistoryItem: DefinedCOA.

   o  (for consideration) The following attribute was added to the
      SoftwareType complexType: user-agent.

   o  -05: Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose.
      -06: Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, System@spoofed.
1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

skipping to change at page 12, line 30 (-05) / page 13, line 16 (-06)
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID      ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID   ]
   | ENUM lang               |<>--{0..*}--[ RelatedActivity ]
   | ENUM restriction        |<>--{0..1}--[ DetectTime      ]
   | STRING indicator-uid    |<>--{0..1}--[ StartTime       ]
   | STRING indicator-set-id |<>--{0..1}--[ EndTime         ]
   |                         |<>----------[ ReportTime      ]
   |                         |<>--{0..*}--[ Description     ]
   |                         |<>--{0..*}--[ Discovery       ]   (-06 only)
   |                         |<>--{1..*}--[ Assessment      ]
   |                         |<>--{0..*}--[ Method          ]
   |                         |<>--{1..*}--[ Contact         ]
   |                         |<>--{0..*}--[ EventData       ]
   |                         |<>--{0..1}--[ History         ]
   |                         |<>--{0..*}--[ AdditionalData  ]
   +-------------------------+

                     Figure 2: The Incident Class

skipping to change at page 12, line 51 (-05) / page 13, line 38 (-06)
   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.

   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   ReportTime
      One.  The time the incident was reported.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Discovery (-06 only)
      Zero or more.  The means by which this incident was detected.

   Assessment
      One or more.  A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

skipping to change at page 13, line 47 (-05) / page 14, line 36 (-06)

      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has five attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.17 in -06; Section 3.16 in -05).
      This attribute is defined as an enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

skipping to change at page 18, line 26 (-05) / page 19, line 16 (-06)
   Campaign
      One or more.  The campaign of a given threat actor to whom the
      described activity is attributed.

   Confidence
      Zero or one.  An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or more.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   RelatedActivity MUST have at least one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.7.  ThreatActor Class

skipping to change at page 19, line 14 (-05) / page 20, line 6 (-06)

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      One or more.  STRING.  An identifier for the ThreatActor.

   Description
      One or more.  ML_STRING.  A description of the ThreatActor.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.8.  Campaign Class

skipping to change at page 19, line 47 (-05) / page 20, line 39 (-06)

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more.  STRING.  An identifier for the Campaign.

   Description
      One or more.  ML_STRING.  A description of the Campaign.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.9.  AdditionalData Class

skipping to change at page 23, line 35 (-05) / page 24, line 35 (-06)
   ContactName
      Zero or one.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or more.  The email address of the contact.

   Telephone
      Zero or more.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.
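Several of the rules above are stated only in prose and are not expressible in the XML Schema: the Incident cardinalities of Figure 2, RelatedActivity needing an IncidentID, URL, ThreatActor or Campaign, ThreatActor and Campaign needing an identifier or Description, and a Contact carrying at least one aggregate class plus its required role and type. The following checker is an added example, not code from the draft; it assumes the urn:ietf:params:xml:ns:iodef-2.0 namespace (not quoted on this page) and runs over two constructed sample documents, so it is a post-validation pass a receiving CSIRT could run after schema validation.

```python
"""Check IODEF v2 constraints that Section 3 states in prose only (added example)."""
import xml.etree.ElementTree as ET

# Namespace assumed for draft-06 documents; it is not quoted on this page.
NS = "urn:ietf:params:xml:ns:iodef-2.0"


def _local(tag):
    """Strip the namespace prefix from an ElementTree tag."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _count(elem, name):
    """Number of direct children of elem whose local name is `name`."""
    return sum(1 for c in elem if _local(c.tag) == name)


def _any_of(elem, names):
    """True if elem has at least one direct child from `names`."""
    return any(_count(elem, n) for n in names)


# (child class, min, max) taken from Figure 2; None means unbounded.
INCIDENT_CARDINALITY = [
    ("IncidentID", 1, 1), ("AlternativeID", 0, 1), ("RelatedActivity", 0, None),
    ("DetectTime", 0, 1), ("StartTime", 0, 1), ("EndTime", 0, 1),
    ("ReportTime", 1, 1), ("Description", 0, None), ("Discovery", 0, None),
    ("Assessment", 1, None), ("Method", 0, None), ("Contact", 1, None),
    ("EventData", 0, None), ("History", 0, 1), ("AdditionalData", 0, None),
]


def check_incident(inc):
    """Return a list of rule violations for one Incident element (empty if clean)."""
    errs = []
    if "purpose" not in inc.attrib:
        errs.append("Incident: required attribute 'purpose' is missing")
    for name, lo, hi in INCIDENT_CARDINALITY:
        n = _count(inc, name)
        if n < lo or (hi is not None and n > hi):
            bound = "*" if hi is None else hi
            errs.append(f"Incident: {name} occurs {n} time(s), allowed {lo}..{bound}")
    # RelatedActivity MUST have at least one IncidentID, URL, ThreatActor or Campaign.
    for ra in inc.iter(f"{{{NS}}}RelatedActivity"):
        if not _any_of(ra, ("IncidentID", "URL", "ThreatActor", "Campaign")):
            errs.append("RelatedActivity: needs an IncidentID, URL, ThreatActor or Campaign")
        for ta in ra.iter(f"{{{NS}}}ThreatActor"):
            if not _any_of(ta, ("ThreatActorID", "Description")):
                errs.append("ThreatActor: needs a ThreatActorID or Description")
        for ca in ra.iter(f"{{{NS}}}Campaign"):
            if not _any_of(ca, ("CampaignID", "Description")):
                errs.append("Campaign: needs a CampaignID or Description")
    # Contact: role and type are required; at least one aggregate class must be present.
    # iter() also visits Contacts nested in other Contacts or in EventData.
    for ct in inc.iter(f"{{{NS}}}Contact"):
        for attr in ("role", "type"):
            if attr not in ct.attrib:
                errs.append(f"Contact: required attribute '{attr}' is missing")
        if len(ct) == 0:
            errs.append("Contact: at least one aggregate class must be present")
    return errs


def check_document(xml_text):
    """Parse an IODEF-Document and collect violations across all its Incidents."""
    root = ET.fromstring(xml_text)
    errs = []
    for inc in root.iter(f"{{{NS}}}Incident"):
        errs.extend(check_incident(inc))
    return errs


# Constructed sample: satisfies every rule checked above.
GOOD_DOC = f"""<IODEF-Document version="2.00" xmlns="{NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2014-02-14T12:00:00+00:00</ReportTime>
    <Assessment><Impact type="recon"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""

# Constructed sample: well-formed XML that breaks three of the prose rules
# (no ReportTime, a RelatedActivity with only a Description, an empty Contact).
BAD_DOC = f"""<IODEF-Document version="2.00" xmlns="{NS}">
  <Incident purpose="mitigation">
    <IncidentID name="csirt.example.com">189494</IncidentID>
    <RelatedActivity>
      <Description>Same operator as last week</Description>
    </RelatedActivity>
    <Assessment><Impact type="dos"/></Assessment>
    <Contact role="creator" type="organization"/>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    print("good:", check_document(GOOD_DOC))
    print("bad:\n  " + "\n  ".join(check_document(BAD_DOC)))
```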
The Contact class has five attributes: The Contact class has five attributes:
role role
Required. ENUM. Indicates the role the contact fulfills. This Required. ENUM. Indicates the role the contact fulfills. This
attribute is defined as an enumerated list: attribute is defined as an enumerated list:
skipping to change at page 25, line 17 skipping to change at page 26, line 17
12. cc. An entity that is to be kept informed about the events 12. cc. An entity that is to be kept informed about the events
related to an asset or organization. related to an asset or organization.
13. cc-irt. A CSIRT or information sharing organization 13. cc-irt. A CSIRT or information sharing organization
coordinating activity related to an asset or organization. coordinating activity related to an asset or organization.
14. le. A law enforcement entity supporting the investigation of 14. le. A law enforcement entity supporting the investigation of
activity affecting an asset or organization. activity affecting an asset or organization.
15. ext-value. An escape value used to extend this attribute. 15. vendor. The vendor that produces an asset.
16. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-role ext-role
Optional. STRING. A means by which to extend the role attribute. Optional. STRING. A means by which to extend the role attribute.
See Section 5.1. See Section 5.1.
type type
Required. ENUM. Indicates the type of contact being described. Required. ENUM. Indicates the type of contact being described.
This attribute is defined as an enumerated list: This attribute is defined as an enumerated list:
skipping to change at page 29, line 16 skipping to change at page 30, line 16
The ReportTime class represents the time the incident was reported. The ReportTime class represents the time the incident was reported.
This timestamp MUST be the time at which the IODEF document was This timestamp MUST be the time at which the IODEF document was
generated. generated.
3.11.5. DateTime 3.11.5. DateTime
The DateTime class is a generic representation of a timestamp. Infer The DateTime class is a generic representation of a timestamp. Infer
its semantics from the parent class in which it is aggregated. its semantics from the parent class in which it is aggregated.
3.12. Method Class 3.12. Discovery Class
The Method class describes the methodology used by the intruder to The Discovery class describes how an incident was detected.
perpetrate the events of the incident. This class consists of a list
of references describing the attack method and a free form +-------------------+
description of the technique. | Discovery |
+-------------------+
| ENUM source |<>--{0..*}--[ Description ]
| STRING ext-source |<>--{0..*}--[ Contact ]
| ENUM restriction |<>--{0..*}--[ DetectionPattern ]
+-------------------+
Figure 15: The Discovery Class
The Discovery class is composed of three aggregate classes.
Description
Zero or more. ML_STRING. A free-form text description of how
this incident was detected.
Contact
Zero or more. Contact information for the party that discovered
the incident.
DetectionPattern
Zero or more. Describes an application-specific configuration
that detected the incident.
The Discovery class has three attributes:
source
Optional. ENUM. Categorizes the techniques used to discover the
incident. These values are partially derived from Table 3-1 of
[NIST800.61rev2].
1. idps. Intrusion Detection or Prevention system.
2. siem. Security Information and Event Management System.
3. av. Antivirus or antispam software.
4. file-integrity. File integrity checking software.
5. third-party-monitoring. Contracted third-party monitoring
service.
6. os-log. Operating system logs.
7. application-log. Application logs.
8. device-log. Network device logs.
9. network-flow. Network flow analysis.
10. investigation. Manual investigation initiated based on
timely notification of a new vulnerability or exploit.
11. internal-notification. A party within the organization
discovered the activity.
12. external-notification. A party outside of the organization
discovered the activity.
13. unknown. Unknown detection approach.
14. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-source
Optional. STRING. A means by which to extend the source
attribute. See Section 5.1.
restriction
Optional. ENUM. This attribute is defined in Section 3.2.
3.12.1. DetectionPattern Class
The DetectionPattern class describes a configuration or signature
that can be used by an IDS/IPS, SIEM, anti-virus, end-point
protection, network analysis, malware analysis, or host forensics
tool to identify a particular phenomenon. This class requires the
identification of the target application and allows the configuration
to be described in either free-form or machine-readable form.
+------------------+
| DetectionPattern |
+------------------+
| ENUM restriction |<>----------[ Application ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ DetectionConfiguration ]
+------------------+
Figure 16: The DetectionPattern Class
The DetectionPattern class is composed of three aggregate classes.
Application
One. The application for which the DetectionConfiguration or
Description is being provided.
Description
Zero or more. ML_STRING. A free-form text description of how to
use the Application or provided DetectionConfiguration.
DetectionConfiguration
Zero or more. STRING. A machine consumable configuration to find
a pattern of activity.
Either an instance of the Description or DetectionConfiguration class
MUST be present.
The DetectionPattern class has one attribute:
restriction
Optional. ENUM. This attribute is defined in Section 3.2.
3.13. Method Class
The Method class describes the tactics, techniques, or procedures
used by the intruder in the incident. This class consists of both a
list of references describing the attack method and a free form
description.
+------------------+ +------------------+
| Method | | Method |
+------------------+ +------------------+
| ENUM restriction |<>--{0..*}--[ Reference ] | ENUM restriction |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------+
Figure 15: The Method Class Figure 17: The Method Class
The Method class is composed of three aggregate classes. The Method class is composed of three aggregate classes.
Reference Reference
Zero or many. A reference to a vulnerability, malware sample, Zero or more. A reference to a vulnerability, malware sample,
advisory, or analysis of an attack technique. advisory, or analysis of an attack technique.
Description Description
Zero or many. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of
methodology used by the intruder. techniques, tactics, or procedures used by the intruder.
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
Either an instance of the Reference or Description class MUST be Either an instance of the Reference or Description class MUST be
present. present.
The Method class has one attribute: The Method class has one attribute:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
3.12.1. Reference Class 3.13.1. Reference Class
The Reference class is a reference to a vulnerability, IDS alert, The Reference class is a reference to a vulnerability, IDS alert,
malware sample, advisory, or attack technique. A reference consists malware sample, advisory, or attack technique. A reference consists
of a name, a URL to this reference, and an optional description. of a name, a URL to this reference, and an optional description.
+-------------------------+ +-------------------------+
| Reference | | Reference |
+-------------------------+ +-------------------------+
| ENUM attacktype |<>----------[ ReferenceName ] | ENUM attacktype |<>----------[ ReferenceName ]
| STRING ext-attacktype |<>--{0..*}--[ URL ] | STRING ext-attacktype |<>--{0..*}--[ URL ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| STRING indicator-set-id | | STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 16: The Reference Class Figure 18: The Reference Class
The aggregate classes that constitute Reference: The aggregate classes that constitute Reference:
ReferenceName ReferenceName
One. ML_STRING. Name of the reference. One. ML_STRING. Name of the reference.
URL URL
Zero or many. URL. A URL associated with the reference. Zero or more. URL. A URL associated with the reference.
Description Description
Zero or many. ML_STRING. A free-form text description of this Zero or more. ML_STRING. A free-form text description of this
reference. reference.
The Reference class has 4 attributes. The Reference class has 4 attributes.
attacktype attacktype
Optional. ENUM. TODO. Optional. ENUM. TODO.
ext-attacktype ext-attacktype
Optional. STRING. A mechanism by which to extend the Attack Optional. STRING. A mechanism by which to extend the Attack
Type. Type.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.13. Assessment Class 3.14. Assessment Class
The Assessment class describes the repercussions of the incident to The Assessment class describes the repercussions of the incident to
the victim. the victim.
+-------------------------+ +-------------------------+
| Assessment | | Assessment |
+-------------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ] | ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ BusinessImpact ] | ENUM restriction |<>--{0..*}--[ BusinessImpact ]
| STRING indicator-uid |<>--{0..*}--[ TimeImpact ] | STRING indicator-uid |<>--{0..*}--[ TimeImpact ]
| STRING indicator-set-id |<>--{0..*}--[ MonetaryImpact ] | STRING indicator-set-id |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 17: Assessment Class Figure 19: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
Impact Impact
Zero or many. Technical characterization of the impact of the Zero or more. Technical characterization of the impact of the
activity on the victim's enterprise. activity on the victim's enterprise.
BusinessImpact BusinessImpact
Zero or many. Impact of the activity on the business functions of Zero or more. Impact of the activity on the business functions of
the victim organization. the victim organization.
TimeImpact TimeImpact
Zero or many. Impact of the activity measured with respect to Zero or more. Impact of the activity measured with respect to
time. time.
MonetaryImpact MonetaryImpact
Zero or many. Impact of the activity measured with respect to Zero or more. Impact of the activity measured with respect to
financial loss. financial loss.
Counter Counter
Zero or more. A counter with which to summarize the magnitude of Zero or more. A counter with which to summarize the magnitude of
the activity. the activity.
Confidence Confidence
Zero or one. An estimate of confidence in the assessment. Zero or one. An estimate of confidence in the assessment.
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
At least one instance of the possible three impact classes (i.e., At least one instance of the possible three impact classes (i.e.,
Impact, TimeImpact, or MonetaryImpact) MUST be present. Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has four attributes: The Assessment class has four attributes:
occurrence occurrence
Optional. ENUM. Specifies whether the assessment is describing Optional. ENUM. Specifies whether the assessment is describing
actual or potential outcomes. actual or potential outcomes.
skipping to change at page 32, line 28 skipping to change at page 35, line 44
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.13.1. Impact Class 3.14.1. Impact Class
The Impact class allows for categorizing and describing the technical The Impact class allows for categorizing and describing the technical
impact of the incident on the network of an organization. impact of the incident on the network of an organization.
This class is based on [RFC4765]. This class is based on [RFC4765].
+------------------+ +------------------+
| Impact | | Impact |
+------------------+ +------------------+
| ML_STRING | | ML_STRING |
| | | |
| ENUM lang | | ENUM lang |
| ENUM severity | | ENUM severity |
| ENUM completion | | ENUM completion |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
+------------------+ +------------------+
Figure 18: Impact Class Figure 20: Impact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact. impact.
The Impact class has five attributes: The Impact class has five attributes:
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC4646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
skipping to change at page 34, line 19 skipping to change at page 37, line 35
10. unknown. The classification of this activity is unknown. 10. unknown. The classification of this activity is unknown.
11. ext-value. An escape value used to extend this attribute. 11. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
3.13.2. BusinessImpact Class 3.14.2. BusinessImpact Class
The BusinessImpact class describes and characterizes the degree to The BusinessImpact class describes and characterizes the degree to
which the function of the organization was impacted by the Incident. which the function of the organization was impacted by the Incident.
The element body describes the impact to the organization as a free- The element body describes the impact to the organization as a free-
form text string. The two attributes characterize the impact. form text string. The two attributes characterize the impact.
+-------------------------+ +-------------------------+
| BusinessImpact | | BusinessImpact |
+-------------------------+ +-------------------------+
| ML_STRING | | ML_STRING |
| | | |
| ENUM severity | | ENUM severity |
| STRING ext-severity | | STRING ext-severity |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
+-------------------------+ +-------------------------+
Figure 19: BusinessImpact Class Figure 21: BusinessImpact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact to the organization. impact to the organization.
The BusinessImpact class has four attributes: The BusinessImpact class has four attributes:
severity severity
Optional. ENUM. Characeterizes the severity of the incident on Optional. ENUM. Characterizes the severity of the incident on
business functions. The permitted values are shown below. They business functions. The permitted values are shown below. They
were derived from Table 3-2 of [NIST800.61rev2]. The default were derived from Table 3-2 of [NIST800.61rev2]. The default
value is "unknown". value is "unknown".
1. none. No effect to the organization's ability to provide all 1. none. No effect to the organization's ability to provide all
services to all users. services to all users.
2. low. Minimal effect as the organization can still provide all 2. low. Minimal effect as the organization can still provide all
critical services to all users but has lost efficiency. critical services to all users but has lost efficiency.
skipping to change at page 35, line 32 skipping to change at page 39, line 7
ext-severity ext-severity
Optional. STRING. A means by which to extend the severity Optional. STRING. A means by which to extend the severity
attribute. See Section 5.1. attribute. See Section 5.1.
type type
Required. ENUM. Characterizes the effect this incident had on Required. ENUM. Characterizes the effect this incident had on
the business. Classifies the malicious activity into incident the business. Classifies the malicious activity into incident
categories. The permitted values are shown below. There is no categories. The permitted values are shown below. There is no
default value. default value.
1. breach-proprietary. Senstive or proprietary information was 1. breach-proprietary. Sensitive or proprietary information was
accessed or exfiltrated. accessed or exfiltrated.
2. breach-privacy. Personally identifiable information was 2. breach-privacy. Personally identifiable information was
accessed or exfiltrated. accessed or exfiltrated.
3. loss-of-integrity. Sensitive or proprietary information was 3. loss-of-integrity. Sensitive or proprietary information was
changed or deleted. changed or deleted.
4. loss-of-service. Service delivery was disrupted. 4. loss-of-service. Service delivery was disrupted.
skipping to change at page 36, line 4 skipping to change at page 39, line 28
5. loss-financial. Money or services were stolen. 5. loss-financial. Money or services were stolen.
6. degraded-reputation. The reputation of the organization's 6. degraded-reputation. The reputation of the organization's
brand was diminished. brand was diminished.
7. asset-damage. A cyber-physical system was damaged. 7. asset-damage. A cyber-physical system was damaged.
8. asset-manipulation. A cyber-physical system was manipulated. 8. asset-manipulation. A cyber-physical system was manipulated.
9. legal. Incident resulted in legal or regulatory action. 9. legal. Incident resulted in legal or regulatory action.
10. ext-value. An escape value used to extend this attribute. 10. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
3.13.3. TimeImpact Class 3.14.3. TimeImpact Class
The TimeImpact class describes the impact of the incident on an The TimeImpact class describes the impact of the incident on an
organization as a function of time. It provides a way to convey down organization as a function of time. It provides a way to convey down
time and recovery time. time and recovery time.
+---------------------+ +---------------------+
| TimeImpact | | TimeImpact |
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| ENUM metric | | ENUM metric |
| STRING ext-metric | | STRING ext-metric |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 20: TimeImpact Class Figure 22: TimeImpact Class
The element content is a positive, floating point (REAL) number The element content is a positive, floating point (REAL) number
specifying a unit of time. The duration and metric attributes will specifying a unit of time. The duration and metric attributes will
imply the semantics of the element content. imply the semantics of the element content.
The TimeImpact class has five attributes: The TimeImpact class has five attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
skipping to change at page 38, line 5 skipping to change at page 41, line 36
7. year. The unit of the element content is years. 7. year. The unit of the element content is years.
8. ext-value. An escape value used to extend this attribute. 8. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.13.4. MonetaryImpact Class 3.14.4. MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the The MonetaryImpact class describes the financial impact of the
activity on an organization. For example, this impact may consider activity on an organization. For example, this impact may consider
losses due to the cost of the investigation or recovery, diminished losses due to the cost of the investigation or recovery, diminished
productivity of the staff, or a tarnished reputation that will affect productivity of the staff, or a tarnished reputation that will affect
future opportunities. future opportunities.
+------------------+ +------------------+
| MonetaryImpact | | MonetaryImpact |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| STRING currency | | STRING currency |
+------------------+ +------------------+
Figure 21: MonetaryImpact Class Figure 23: MonetaryImpact Class
The element content is a positive, floating point number (REAL) The element content is a positive, floating point number (REAL)
specifying a unit of currency described in the currency attribute. specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes: The MonetaryImpact class has two attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
skipping to change at page 38, line 46 skipping to change at page 42, line 38
2. medium. Medium severity 2. medium. Medium severity
3. high. High severity 3. high. High severity
currency currency
Optional. STRING. Defines the currency in which the monetary Optional. STRING. Defines the currency in which the monetary
impact is expressed. The permitted values are defined in "Codes impact is expressed. The permitted values are defined in "Codes
for the representation of currencies and funds" of [ISO4217]. for the representation of currencies and funds" of [ISO4217].
There is no default value. There is no default value.
3.13.5. Confidence Class 3.14.5. Confidence Class
The Confidence class represents a best estimate of the validity and The Confidence class represents a best estimate of the validity and
accuracy of the described impact (see Section 3.13) of the incident accuracy of the described impact (see Section 3.14) of the incident
activity. This estimate can be expressed as a category or a numeric activity. This estimate can be expressed as a category or a numeric
calculation. calculation.
This class is based upon [RFC4765]. This class is based upon [RFC4765].
+------------------+ +------------------+
| Confidence | | Confidence |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM rating | | ENUM rating |
+------------------+ +------------------+
Figure 22: Confidence Class Figure 24: Confidence Class
The element content expresses a numerical assessment in the The element content expresses a numerical assessment in the
confidence of the data when the value of the rating attribute is confidence of the data when the value of the rating attribute is
"numeric". Otherwise, this element MUST be empty. "numeric". Otherwise, this element MUST be empty.
The Confidence class has one attribute. The Confidence class has one attribute.
rating rating
Required. ENUM. A rating of the analytical validity of the Required. ENUM. A rating of the analytical validity of the
specified Assessment. The permitted values are shown below. specified Assessment. The permitted values are shown below.
skipping to change at page 39, line 40 skipping to change at page 43, line 38
2. medium. Medium confidence in the validity. 2. medium. Medium confidence in the validity.
3. high. High confidence in the validity. 3. high. High confidence in the validity.
4. numeric. The element content contains a number that conveys 4. numeric. The element content contains a number that conveys
the confidence of the data. The semantics of this number the confidence of the data. The semantics of this number
are outside the scope of this specification. are outside the scope of this specification.
5. unknown. The confidence rating value is not known. 5. unknown. The confidence rating value is not known.
3.14. History Class 3.15. History Class
The History class is a log of the significant events or actions The History class is a log of the significant events or actions
performed by the involved parties during the course of handling the performed by the involved parties during the course of handling the
incident. incident.
The level of detail maintained in this log is left up to the The level of detail maintained in this log is left up to the
discretion of those handling the incident. discretion of those handling the incident.
+------------------+ +------------------+
| History | | History |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ HistoryItem ] | ENUM restriction |<>--{1..*}--[ HistoryItem ]
| | | |
+------------------+ +------------------+
Figure 23: The History Class Figure 25: The History Class
The class that constitutes History is: The class that constitutes History is:
HistoryItem HistoryItem
One or many. Entry in the history log of significant events or One or many. Entry in the history log of significant events or
actions performed by the involved parties. actions performed by the involved parties.
The History class has one attribute: The History class has one attribute:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
3.14.1. HistoryItem Class 3.15.1. HistoryItem Class
The HistoryItem class is an entry in the History (Section 3.14) log The HistoryItem class is an entry in the History (Section 3.15) log
that documents a particular action or event that occurred in the that documents a particular action or event that occurred in the
course of handling the incident. The details of the entry are a course of handling the incident. The details of the entry are a
free-form description, but each can be categorized with the type free-form description, but each can be categorized with the type
attribute. attribute.
+-------------------------+ +-------------------------+
| HistoryItem | | HistoryItem |
+-------------------------+ +-------------------------+
| ENUM restriction |<>----------[ DateTime ] | ENUM restriction |<>----------[ DateTime ]
| ENUM action |<>--{0..1}--[ IncidentId ] | ENUM action |<>--{0..1}--[ IncidentId ]
| STRING ext-action |<>--{0..1}--[ Contact ] | STRING ext-action |<>--{0..1}--[ Contact ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..*}--[ AdditionalData ] | STRING indicator-set-id |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 24: HistoryItem Class Figure 26: HistoryItem Class
The aggregate classes that constitute HistoryItem are: The aggregate classes that constitute HistoryItem are:
DateTime DateTime
One. Timestamp of this entry in the history log (e.g., when the One. Timestamp of this entry in the history log (e.g., when the
action described in the Description was taken). action described in the Description was taken).
IncidentID IncidentID
Zero or One. In a history log created by multiple parties, the Zero or One. In a history log created by multiple parties, the
IncidentID provides a mechanism to specify which CSIRT created a IncidentID provides a mechanism to specify which CSIRT created a
particular entry and references this organization's incident particular entry and references this organization's incident
tracking number. When a single organization is maintaining the tracking number. When a single organization is maintaining the
log, this class can be ignored. log, this class can be ignored.
Contact Contact
Zero or One. Provides contact information for the person that Zero or One. Provides contact information for the person that
performed the action documented in this class. performed the action documented in this class.
Description Description
Zero or many. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
action or event. action or event.
DefinedCOA DefinedCOA
Zero or many. ML_STRING. A unique identifier meaningful to the Zero or more. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set action. This class MUST be present if the action attribute is set
to "defined-coa". to "defined-coa".
AdditionalData AdditionalData
Zero or many. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
The HistoryItem class has five attributes: The HistoryItem class has five attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
action action
Required. ENUM. Classifies a performed action or occurrence Required. ENUM. Classifies a performed action or occurrence
documented in this history log entry. As activity will likely documented in this history log entry. As activity will likely
have been instigated either through a previously conveyed have been instigated either through a previously conveyed
expectation or internal investigation, this attribute is identical expectation or internal investigation, this attribute is identical
to the category attribute of the Expectation class. The to the category attribute of the Expectation class. The
difference is only one of tense. When an action is in this class, difference is only one of tense. When an action is in this class,
it has been completed. See Section 3.16. it has been completed. See Section 3.17.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
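Several classes in this section carry co-occurrence requirements that the text states as MUSTs but that, as the Contact class says of its own rule, the XML Schema cannot express: Contact needs at least one aggregate class, DetectionPattern (Section 3.12.1) needs Description or DetectionConfiguration, Method (Section 3.13) needs Reference or Description, Assessment (Section 3.14) needs at least one of the impact classes the text lists, Confidence (Section 3.14.5) MUST be empty unless rating is "numeric", and a HistoryItem with action "defined-coa" (Section 3.15.1) MUST carry DefinedCOA. A schema-valid document can therefore still break the information model. The Python below is an added example, not part of the draft and not any IODEF implementation, that walks a parsed document and reports each violation against a constructed sample; the namespace URI, the placement of elements in the sample, the DetectionConfiguration rule text, and the helper names are assumptions.

```python
# Added example (not draft text): check IODEF v2 MUST constraints that the
# XML Schema does not enforce. Namespace URI and sample are assumed.
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed IODEF v2 namespace URI


def q(tag):
    return "{%s}%s" % (NS, tag)


def _has(elem, *tags):
    """True when elem directly contains at least one of the named classes."""
    return any(elem.find(q(t)) is not None for t in tags)


def _is_real(text):
    try:
        float((text or "").strip())
        return True
    except ValueError:
        return False


# Each check returns an error message, or None when the element is fine.
def check_contact(e):
    if len(e) == 0:
        return "Contact MUST contain at least one aggregate class"


def check_detection_pattern(e):
    if not _has(e, "Description", "DetectionConfiguration"):
        return "DetectionPattern MUST contain Description or DetectionConfiguration"


def check_method(e):
    if not _has(e, "Reference", "Description"):
        return "Method MUST contain Reference or Description"


def check_assessment(e):
    # The draft text names Impact, TimeImpact and MonetaryImpact only.
    if not _has(e, "Impact", "TimeImpact", "MonetaryImpact"):
        return "Assessment MUST contain Impact, TimeImpact or MonetaryImpact"


def check_confidence(e):
    body = (e.text or "").strip()
    if e.get("rating") == "numeric":
        if not _is_real(body):
            return 'Confidence with rating="numeric" MUST carry a number'
    elif body:
        return 'Confidence content MUST be empty unless rating="numeric"'


def check_history_item(e):
    if e.get("action") == "defined-coa" and not _has(e, "DefinedCOA"):
        return 'HistoryItem with action="defined-coa" MUST contain DefinedCOA'


def check_positive_real(e):
    # TimeImpact and MonetaryImpact content is a positive REAL.
    if not (_is_real(e.text) and float(e.text) > 0):
        return "%s content MUST be a positive REAL" % e.tag.split("}")[-1]


RULES = {
    "Contact": check_contact, "DetectionPattern": check_detection_pattern,
    "Method": check_method, "Assessment": check_assessment,
    "Confidence": check_confidence, "HistoryItem": check_history_item,
    "TimeImpact": check_positive_real, "MonetaryImpact": check_positive_real,
}


def check_constraints(xml_text):
    """Return 'path: message' strings, one per violated constraint, in document order."""
    findings = []

    def walk(elem, path):
        here = "%s/%s" % (path, elem.tag.split("}")[-1])
        msg = RULES.get(elem.tag.split("}")[-1], lambda e: None)(elem)
        if msg:
            findings.append("%s: %s" % (here, msg))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


# Constructed sample with four deliberate violations (second DetectionPattern,
# Confidence body with a non-numeric rating, empty Method, HistoryItem
# without DefinedCOA). The detection rule string is illustrative only.
SAMPLE = """<IODEF-Document version="2.00" xmlns="%s">
 <Incident purpose="reporting">
  <IncidentID name="csirt.example.com">EX-2014-0001</IncidentID>
  <ReportTime>2014-02-14T10:00:00+00:00</ReportTime>
  <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
  <Discovery source="idps">
   <DetectionPattern><Application name="example-ids"/>
    <DetectionConfiguration>alert tcp any any -> any 80 (msg:"example"; sid:1;)</DetectionConfiguration>
   </DetectionPattern>
   <DetectionPattern><Application name="example-siem"/></DetectionPattern>
  </Discovery>
  <Assessment>
   <Impact type="admin" completion="succeeded"/>
   <Confidence rating="high">0.9</Confidence>
  </Assessment>
  <Method><Reference><ReferenceName>Example advisory</ReferenceName></Reference></Method>
  <Method/>
  <History><HistoryItem action="defined-coa"><DateTime>2014-02-14T11:00:00+00:00</DateTime></HistoryItem></History>
 </Incident>
</IODEF-Document>""" % NS


def check_sample():
    return check_constraints(SAMPLE)


if __name__ == "__main__":
    print("\n".join(check_sample()))
```

Run this after schema validation, not instead of it: the schema still catches unknown elements and bad enumerations, while this pass covers only the textual MUSTs, so an exchange partner's document should clear both before its Assessment or History is acted on.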
3.15. EventData Class 3.16. EventData Class
The EventData class describes a particular event of the incident for The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered. activity on the organization, and any forensic evidence discovered.
+-------------------------+ +-------------------------+
| EventData | | EventData |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| STRING indicator-uid |<>--{0..1}--[ DetectTime ] | STRING indicator-uid |<>--{0..1}--[ DetectTime ]
| STRING indicator-set-id |<>--{0..1}--[ StartTime ] | STRING indicator-set-id |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ Discovery ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ] | |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ] | |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 25: The EventData Class Figure 27: The EventData Class
The aggregate classes that constitute EventData are: The aggregate classes that constitute EventData are:
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
event. event.
DetectTime DetectTime
Zero or one. The time the event was detected. Zero or one. The time the event was detected.
StartTime StartTime
Zero or one. The time the event started. Zero or one. The time the event started.
EndTime EndTime
Zero or one. The time the event ended. Zero or one. The time the event ended.
Contact Contact
Zero or more. Contact information for the parties involved in the Zero or more. Contact information for the parties involved in the
event. event.
Discovery
Zero or more. The means by which the event was detected.
Assessment Assessment
Zero or one. The impact of the event on the target and the Zero or one. The impact of the event on the target and the
actions taken. actions taken.
Method Method
Zero or more. The technique used by the intruder in the event. Zero or more. The technique used by the intruder in the event.
Flow Flow
Zero or more. A description of the systems or networks involved. Zero or more. A description of the systems or networks involved.
skipping to change at page 44, line 5 skipping to change at page 48, line 5
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.15.1. Relating the Incident and EventData Classes 3.16.1. Relating the Incident and EventData Classes
There is substantial overlap in the Incident and EventData classes. There is substantial overlap in the Incident and EventData classes.
Nevertheless, the semantics of these classes are quite different. Nevertheless, the semantics of these classes are quite different.
The Incident class provides summary information about the entire The Incident class provides summary information about the entire
incident, while the EventData class provides information about the incident, while the EventData class provides information about the
individual events comprising the incident. In the most common case, individual events comprising the incident. In the most common case,
the EventData class will provide more specific information for the the EventData class will provide more specific information for the
general description provided in the Incident class. However, it may general description provided in the Incident class. However, it may
also be possible that the overall summarized information about the also be possible that the overall summarized information about the
incident conflicts with some individual information in an EventData incident conflicts with some individual information in an EventData
class when there is a substantial composition of various events in class when there is a substantial composition of various events in
the incident. In such a case, the interpretation of the more the incident. In such a case, the interpretation of the more
specific EventData MUST supersede the more generic information specific EventData MUST supersede the more generic information
provided in Incident. provided in Incident.
3.15.2. Cardinality of EventData 3.16.2. Cardinality of EventData
The EventData class can be thought of as a container for the The EventData class can be thought of as a container for the
properties of an event in an incident. These properties include: the properties of an event in an incident. These properties include: the
hosts involved, impact of the incident activity on the hosts, hosts involved, impact of the incident activity on the hosts,
forensic logs, etc. With an instance of the EventData class, hosts forensic logs, etc. With an instance of the EventData class, hosts
(i.e., System class) are grouped around these common properties. (i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the The recursive definition (or instance property inheritance) of the
EventData class (the EventData class is aggregated into the EventData EventData class (the EventData class is aggregated into the EventData
class) provides a way to relate information without requiring the class) provides a way to relate information without requiring the
explicit use of unique attribute identifiers in the classes or explicit use of unique attribute identifiers in the classes or
duplicating information. Instead, the relative depth (nesting) of a duplicating information. Instead, the relative depth (nesting) of a
class is used to group (relate) information. class is used to group (relate) information.
For example, an EventData class might be used to describe two For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can different. A depiction of the representation for this situation can
be found in Figure 26. be found in Figure 28.
+------------------+ +------------------+
| EventData | | EventData |
+------------------+ +------------------+
| |<>----[ Contact ] | |<>----[ Contact ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
| | | |
| |<>----[ EventData ]<>----[ Flow ] | |<>----[ EventData ]<>----[ Flow ]
| | [ ]<>----[ Assessment ] | | [ ]<>----[ Assessment ]
+------------------+ +------------------+
Figure 26: Recursion in the EventData Class Figure 28: Recursion in the EventData Class
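The nesting shown in the figure above is only useful if a consumer actually walks it. The following is an added example, not code from the draft or the MILE working group, that builds the two-machine case from the text as a constructed IODEF fragment and resolves, for each Flow, the Contact and Assessment in effect for it: a value set in the nearest enclosing EventData supersedes one set further out, which is the "more specific EventData supersedes Incident" rule applied one level down. The namespace URI and the Assessment occurrence attribute (from RFC 5070, not shown on this page) are assumptions made for the example.

```python
# Added example (not from the draft): resolving properties inherited
# through nested EventData, as described in the Cardinality section.
# Assumptions: the IODEF v2 namespace URI below, and the Assessment
# "occurrence" attribute (from RFC 5070), used only as a marker so the
# two Assessments can be told apart.
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI


def _t(name):
    """Clark-notation tag for an IODEF element."""
    return f"{{{NS}}}{name}"


# Constructed fragment mirroring the figure: one Contact shared by both
# machines, each machine in its own nested EventData with its own Flow
# and Assessment.
SAMPLE = f"""
<iodef:EventData xmlns:iodef="{NS}">
  <iodef:Contact type="person" role="tech">
    <iodef:ContactName>Example Responder</iodef:ContactName>
  </iodef:Contact>
  <iodef:EventData>
    <iodef:Flow>
      <iodef:System category="target">
        <iodef:Node>
          <iodef:Address category="ipv4-addr">192.0.2.10</iodef:Address>
        </iodef:Node>
      </iodef:System>
    </iodef:Flow>
    <iodef:Assessment occurrence="actual"/>
  </iodef:EventData>
  <iodef:EventData>
    <iodef:Flow>
      <iodef:System category="target">
        <iodef:Node>
          <iodef:Address category="ipv4-addr">192.0.2.11</iodef:Address>
        </iodef:Node>
      </iodef:System>
    </iodef:Flow>
    <iodef:Assessment occurrence="potential"/>
  </iodef:EventData>
</iodef:EventData>
"""


def resolve_flows(event, inherited=None):
    """Return one record per Flow under `event`, with the Contact and
    Assessment in effect for it.  A value set in the nearest enclosing
    EventData supersedes one set further out; this is how nesting depth
    relates information without explicit identifiers."""
    ctx = dict(inherited or {})
    contact = event.find(_t("Contact"))          # direct child only
    if contact is not None:
        ctx["contact"] = contact.findtext(_t("ContactName"))
    assessment = event.find(_t("Assessment"))
    if assessment is not None:
        ctx["assessment"] = assessment.get("occurrence")
    records = []
    for flow in event.findall(_t("Flow")):
        records.append({
            "addresses": [a.text for a in flow.iter(_t("Address"))],
            "contact": ctx.get("contact"),
            "assessment": ctx.get("assessment"),
        })
    for child in event.findall(_t("EventData")):  # recurse, passing context down
        records.extend(resolve_flows(child, ctx))
    return records


def resolve_sample():
    return resolve_flows(ET.fromstring(SAMPLE.strip()))


if __name__ == "__main__":
    for rec in resolve_sample():
        print(rec)
```

Both machines come back with the shared technical contact but different Assessments, without any identifier linking them; if an inner EventData carried its own Contact, that Contact would replace the outer one for that subtree only.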
3.16. Expectation Class 3.17. Expectation Class
The Expectation class conveys to the recipient of the IODEF document The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested the actions the sender is requesting. The scope of the requested
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------------+ +-------------------------+
| Expectation | | Expectation |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..*}--[ DefinedCOA ] | ENUM severity |<>--{0..*}--[ DefinedCOA ]
| ENUM action |<>--{0..1}--[ StartTime ] | ENUM action |<>--{0..1}--[ StartTime ]
| STRING ext-action |<>--{0..1}--[ EndTime ] | STRING ext-action |<>--{0..1}--[ EndTime ]
| STRING indicator-uid |<>--{0..1}--[ Contact ] | STRING indicator-uid |<>--{0..1}--[ Contact ]
| STRING indicator-set-id | | STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 27: The Expectation Class Figure 29: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes that constitute Expectation are:
Description Description
Zero or many. ML_STRING. A free-form description of the desired Zero or more. ML_STRING. A free-form description of the desired
action(s). action(s).
DefinedCOA DefinedCOA
Zero or many. ML_STRING. A unique identifier meaningful to the Zero or more. ML_STRING. A unique identifier meaningful to the
sender and recipient of this document that references a course of sender and recipient of this document that references a course of
action. This class MUST be present if the action attribute is set action. This class MUST be present if the action attribute is set
to "defined-coa". to "defined-coa".
StartTime StartTime
Zero or one. The time at which the sender would like the action Zero or one. The time at which the sender would like the action
performed. A timestamp that is earlier than the ReportTime performed. A timestamp that is earlier than the ReportTime
specified in the Incident class denotes that the sender would like specified in the Incident class denotes that the sender would like
the action performed as soon as possible. The absence of this the action performed as soon as possible. The absence of this
element indicates no expectations of when the recipient would like element indicates no expectations of when the recipient would like
skipping to change at page 47, line 26 skipping to change at page 51, line 26
9. rate-limit-host. Rate-limit the traffic from the machine(s) 9. rate-limit-host. Rate-limit the traffic from the machine(s)
listed as sources in the event. listed as sources in the event.
10. rate-limit-network. Rate-limit the traffic from the 10. rate-limit-network. Rate-limit the traffic from the
network(s) listed as sources in the event. network(s) listed as sources in the event.
11. rate-limit-port. Rate-limit the port(s) listed as sources in 11. rate-limit-port. Rate-limit the port(s) listed as sources in
the event. the event.
12. remediate-other. Remediate the activity in a way other than 12. upgrade-software. Upgrade or patch the software or firmware
on an asset.
13. rebuild-asset. Reinstall the operating system and
applications on an asset.
14. remediate-other. Remediate the activity in a way other than
by rate limiting or blocking. by rate limiting or blocking.
13. status-triage. Conveys receipt and the triaging of an 15. status-triage. Conveys receipt and the triaging of an
incident. incident.
14. status-new-info. Conveys that new information was received 16. status-new-info. Conveys that new information was received
for this incident. for this incident.
15. watch-and-report. Watch for the described activity and share 17. watch-and-report. Watch for the described activity and share
if seen. if seen.
16. defined-coa. Perform a predefined course of action (COA). 18. defined-coa. Perform a predefined course of action (COA).
The COA is named in the DefinedCOA class. The COA is named in the DefinedCOA class.
17. other. Perform some custom action described in the 19. other. Perform some custom action described in the
Description class. Description class.
18. ext-value. An escape value used to extend this attribute. 20. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.17. Flow Class 3.18. Flow Class
The Flow class groups the related source and target hosts. The Flow class groups the related source and target hosts.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
| |<>--{1..*}--[ System ] | |<>--{1..*}--[ System ]
+------------------+ +------------------+
Figure 28: The Flow Class Figure 30: The Flow Class
The aggregate class that constitutes Flow is: The aggregate class that constitutes Flow is:
System System
One or more. A host or network involved in an event. One or more. A host or network involved in an event.
The Flow class has no attributes. The Flow class has no attributes.
3.18. System Class 3.19. System Class
The System class describes a system or network involved in an event. The System class describes a system or network involved in an event.
The systems or networks represented by this class are categorized The systems or networks represented by this class are categorized
according to the role they played in the incident through the according to the role they played in the incident through the
category attribute. The value of this category attribute dictates category attribute. The value of this category attribute dictates
the semantics of the aggregated classes in the System class. If the the semantics of the aggregated classes in the System class. If the
category attribute has a value of "source", then the aggregated category attribute has a value of "source", then the aggregated
classes denote the machine and service from which the activity is classes denote the machine and service from which the activity is
originating. With a category attribute value of "target" or originating. With a category attribute value of "target" or
"intermediary", then the machine or service is the one targeted in "intermediary", then the machine or service is the one targeted in
skipping to change at page 49, line 18 skipping to change at page 53, line 18
| ENUM restriction |<>----------[ Node ] | ENUM restriction |<>----------[ Node ]
| ENUM category |<>--{0..*}--[ Service ] | ENUM category |<>--{0..*}--[ Service ]
| STRING ext-category |<>--{0..*}--[ OperatingSystem ] | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
| STRING interface |<>--{0..*}--[ Counter ] | STRING interface |<>--{0..*}--[ Counter ]
| ENUM spoofed |<>--{0..*}--[ AssetID ] | ENUM spoofed |<>--{0..*}--[ AssetID ]
| ENUM virtual |<>--{0..*}--[ Description ] | ENUM virtual |<>--{0..*}--[ Description ]
| ENUM ownership |<>--{0..*}--[ AdditionalData ] | ENUM ownership |<>--{0..*}--[ AdditionalData ]
| STRING ext-ownership | | STRING ext-ownership |
+---------------------+ +---------------------+
Figure 29: The System Class Figure 31: The System Class
The aggregate classes that constitute System are: The aggregate classes that constitute System are:
Node Node
One. A host or network involved in the incident. One. A host or network involved in the incident.
Service Service
Zero or more. A network service running on the system. Zero or more. A network service running on the system.
OperatingSystem OperatingSystem
skipping to change at page 51, line 41 skipping to change at page 55, line 41
6. unknown. The ownership of the System is unknown. 6. unknown. The ownership of the System is unknown.
7. ext-value. An escape value used to extend this attribute. 7. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-ownership ext-ownership
Optional. STRING. A means by which to extend the ownership Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1. attribute. See Section 5.1.
3.19. Node Class 3.20. Node Class
The Node class names an asset or network. The Node class names an asset or network.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ NodeName ]
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ] | |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ PostalAddress ] | |<>--{0..1}--[ PostalAddress ]
| |<>--{0..1}--[ Location ] | |<>--{0..1}--[ Location ]
| |<>--{0..1}--[ DateTime ] | |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ NodeRole ] | |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
+---------------+ +---------------+
Figure 30: The Node Class Figure 32: The Node Class
The aggregate classes that constitute Node are: The aggregate classes that constitute Node are:
NodeName
Zero or more. ML_STRING. The name of the Node (e.g., fully
qualified domain name). This information MUST be provided if no
Address or DomainData information is given.
DomainData DomainData
Zero or more. The detailed domain (DNS) information associated Zero or more. The detailed domain (DNS) information associated
with this Node. with this Node. If an Address is not provided, at least one
DomainData MUST be specified.
Address Address
Zero or more. The hardware, network, or application address of Zero or more. The hardware, network, or application address of
the Node. If a NodeName or DomainData is not provided, at least the Node. If a DomainData is not provided, at least one Address
one Address MUST be specified. MUST be specified.
PostalAddress PostalAddress
Zero or one. The postal address of the asset. Zero or one. The postal address of the asset.
Location Location
Zero or one. ML_STRING. A free-form description of the physical Zero or one. ML_STRING. A free-form description of the physical
location of the Node. This description may provide a more location of the Node. This description may provide a more
detailed description of where in the PostalAddress this Node is detailed description of where in the PostalAddress this Node is
found (e.g., room number, rack number, slot number in a chassis). found (e.g., room number, rack number, slot number in a chassis).
DateTime
Zero or one. A timestamp of when the resolution between the name
and address was performed. This information MAY be provided if
both an Address and NodeName are specified.
NodeRole NodeRole
Zero or more. The intended purpose of the Node. Zero or more. The intended purpose of the Node.
Counter Counter
Zero or more. A counter that summarizes properties of Zero or more. A counter that summarizes properties of
this host or network. this host or network.
The Node class has no attributes. The Node class has no attributes.
3.19.1. Address Class 3.20.1. Address Class
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address. or application (layer-7) address.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Address | | Address |
+-------------------------+ +-------------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
| STRING indicator-uid | | STRING indicator-uid |
| STRING indicator-set-id | | STRING indicator-set-id |
+-------------------------+ +-------------------------+
Figure 31: The Address Class Figure 33: The Address Class
The Address class has five attributes: The Address class has five attributes:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". "ipv4-addr".
1. asn. Autonomous System Number 1. asn. Autonomous System Number
skipping to change at page 54, line 36 skipping to change at page 58, line 29
vlan-num vlan-num
Optional. INTEGER. The number of the Virtual LAN to which the Optional. INTEGER. The number of the Virtual LAN to which the
address belongs. address belongs.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.19.2. NodeRole Class 3.20.2. NodeRole Class
The NodeRole class describes the intended function performed by a The NodeRole class describes the intended function performed by a
particular host. particular host.
+---------------------+ +---------------------+
| NodeRole | | NodeRole |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
| STRING ext-category | | STRING ext-category |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 32: The NodeRole Class Figure 34: The NodeRole Class
The NodeRole class has three attributes: The NodeRole class has three attributes:
category category
Required. ENUM. Functionality provided by a node. Required. ENUM. Functionality provided by a node.
1. client. Client computer 1. client. Client computer
2. client-enterprise. Client computer on the enterprise network 2. client-enterprise. Client computer on the enterprise network
3. client-partner. Client computer on network of a partner 3. client-partner. Client computer on network of a partner
4. client-remote. Client computer remotely connected to the 4. client-remote. Client computer remotely connected to the
enterprise network enterprise network
5. client-kiosk. Client computer that serves as a kiosk 5. client-kiosk. Client computer that serves as a kiosk
6. client-mobile. Client is a mobile device 6. client-mobile. Client is a mobile device
7. server-internal. Server with internal services 7. server-internal. Server with internal services
skipping to change at page 56, line 44 skipping to change at page 60, line 38
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC4646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
3.19.3. Counter Class 3.20.3. Counter Class
The Counter class summarizes multiple occurrences of some event, or The Counter class summarizes multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions, conveys counts or rates on various features (e.g., packets, sessions,
events). events).
The value of the counter is the element content with its units The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics expressed by setting the duration attribute. The complete semantics
are entirely context dependent based on the class in which the are entirely context dependent based on the class in which the
Counter is aggregated. Counter is aggregated.
skipping to change at page 57, line 20 skipping to change at page 61, line 17
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 33: The Counter Class Figure 35: The Counter Class
The Counter class has five attributes: The Counter class has five attributes:
type type
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes. 1. byte. Count of bytes.
2. packet. Count of packets. 2. packet. Count of packets.
3. flow. Count of flow (e.g., NetFlow records). 3. flow. Count of network flow records.
4. session. Count of sessions. 4. session. Count of sessions.
5. alert. Count of notifications generated by another system 5. alert. Count of notifications generated by another system
(e.g., IDS or SIM). (e.g., IDS or SIM).
6. message. Count of messages (e.g., mail messages). 6. message. Count of messages (e.g., mail messages).
7. event. Count of events. 7. event. Count of events.
skipping to change at page 58, line 16 skipping to change at page 62, line 12
meaning meaning
Optional. STRING. A free-form description of the metric Optional. STRING. A free-form description of the metric
represented by the Counter. represented by the Counter.
duration duration
Optional. ENUM. If present, the Counter class represents a rate Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type attribute specifies the denominator of the rate (where the type
attribute specifies the numerator). The possible values of this attribute specifies the numerator). The possible values of this
attribute are defined in Section 3.13.3 attribute are defined in Section 3.14.3
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1. attribute. See Section 5.1.
3.20. DomainData Class 3.21. DomainData Class
...TODO... ...TODO...
+--------------------------+ +--------------------------+
| DomainData | | DomainData |
+--------------------------+ +--------------------------+
| ENUM system-status |<>----------[ Name ] | ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| STRING indicator-uid |<>--{0..*}--[ RelatedDNS ] | STRING indicator-uid |<>--{0..*}--[ RelatedDNS ]
| STRING indicator-set-id |<>--{0..*}--[ Nameservers ] | STRING indicator-set-id |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ] | |<>--{0..1}--[ DomainContacts ]
| | | |
+--------------------------+ +--------------------------+
Figure 34: The DomainData Class Figure 36: The DomainData Class
The aggregate classes that constitute DomainData are: The aggregate classes that constitute DomainData are:
Name Name
One. ML_STRING. The domain name of the Node (e.g., fully One. ML_STRING. The domain name of the Node (e.g., fully
qualified domain name). qualified domain name).
DateDomainWasChecked DateDomainWasChecked
Zero or one. DATETIME. A timestamp of when the Name was Zero or one. DATETIME. A timestamp of when the Name was
resolved. resolved.
skipping to change at page 60, line 42 skipping to change at page 64, line 38
ext-domain-status ext-domain-status
Optional. STRING. A means by which to extend the domain-status Optional. STRING. A means by which to extend the domain-status
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.20.1. RelatedDNS 3.21.1. RelatedDNS
...TODO... ...TODO...
+----------------------+ +----------------------+
| RelatedDNS | | RelatedDNS |
+----------------------+ +----------------------+
| STRING | | STRING |
| | | |
| ENUM record-type | | ENUM record-type |
| STRING ext-record-type | | STRING ext-record-type |
+----------------------+ +----------------------+
Figure 35: The RelatedDNS Class Figure 37: The RelatedDNS Class
3.20.2. Nameservers Class 3.21.2. Nameservers Class
The Nameservers class describes the name servers associated with a The Nameservers class describes the name servers associated with a
given domain. given domain.
+--------------------+ +--------------------+
| Nameservers | | Nameservers |
+--------------------+ +--------------------+
| |<>----------[ Server ] | |<>----------[ Server ]
| |<>--{1..*}--[ Address ] | |<>--{1..*}--[ Address ]
+--------------------+ +--------------------+
Figure 36: The Nameservers Class Figure 38: The Nameservers Class
The aggregate classes that constitute Nameservers are: The aggregate classes that constitute Nameservers are:
Server Server
One. ML_STRING. The domain name of the name server. One. ML_STRING. The domain name of the name server.
Address Address
One or more. The address of the name server. See Section 3.19.1. One or more. The address of the name server. See Section 3.20.1.
3.20.3. DomainContacts Class 3.21.3. DomainContacts Class
The DomainContacts class describes the contact information for a The DomainContacts class describes the contact information for a
given domain provided either by the registrar or through a whois given domain provided either by the registrar or through a whois
query. query.
This contact information can be explicitly described through a This contact information can be explicitly described through a
Contact class or a reference can be provided to a domain with Contact class or a reference can be provided to a domain with
identical contact information. Either a single SameDomainContact identical contact information. Either a single SameDomainContact
MUST be present or one or more Contact classes. MUST be present or one or more Contact classes.
+--------------------+ +--------------------+
| DomainContacts | | DomainContacts |
+--------------------+ +--------------------+
| |<>--{0..1}--[ SameDomainContact ] | |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
+--------------------+ +--------------------+
Figure 37: The DomainContacts Class Figure 39: The DomainContacts Class
The aggregate classes that constitute DomainContacts are: The aggregate classes that constitute DomainContacts are:
SameDomainContact SameDomainContact
Zero or one. ML_STRING. A domain name already cited in this Zero or one. ML_STRING. A domain name already cited in this
document or through previous exchange that contains the identical document or through previous exchange that contains the identical
contact information as the domain name in question. The domain contact information as the domain name in question. The domain
contact information associated with this domain should be used in contact information associated with this domain should be used in
liue of explicit definition with the Contact class. lieu of explicit definition with the Contact class.
Contact Contact
One or more. Contact information for the domain. See One or more. Contact information for the domain. See
Section 3.10. Section 3.10.
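Several of the rules in this section are stated in prose as MUSTs that XML Schema cardinalities alone cannot express: DefinedCOA is required when an Expectation's action is "defined-coa", a Node needs at least one Address unless DomainData is given, DomainContacts carries either a single SameDomainContact or Contact classes, and a Flow needs one or more System. A document can therefore be schema-valid and still violate them, so a consumer that acts on a received IODEF document (for example by blocking the addresses it names) should check them itself. The following is an added example, not code from the draft or the MILE working group; the namespace URI is assumed, and the sample document is constructed to trip each rule once and is not otherwise claimed to be schema-complete.

```python
# Added example (not from the draft): a consumer-side check for the
# MUST-level co-occurrence rules stated in prose for Expectation, Node,
# DomainContacts and Flow.  The namespace URI is assumed; the sample is
# constructed to violate each rule once and is not schema-complete.
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI


def _t(name):
    """Clark-notation tag for an IODEF element."""
    return f"{{{NS}}}{name}"


def check_constraints(root):
    """Return (class, message) pairs for every violated rule."""
    problems = []
    # Expectation: DefinedCOA is required when action="defined-coa".
    for exp in root.iter(_t("Expectation")):
        if exp.get("action") == "defined-coa" and exp.find(_t("DefinedCOA")) is None:
            problems.append(("Expectation", 'action="defined-coa" but no DefinedCOA'))
    # Node: at least one Address unless DomainData is given.
    for node in root.iter(_t("Node")):
        if node.find(_t("Address")) is None and node.find(_t("DomainData")) is None:
            problems.append(("Node", "neither Address nor DomainData present"))
    # DomainContacts: either a single SameDomainContact or Contact(s), not both.
    for dc in root.iter(_t("DomainContacts")):
        has_same = dc.find(_t("SameDomainContact")) is not None
        has_contact = dc.find(_t("Contact")) is not None
        if has_same == has_contact:
            problems.append(("DomainContacts",
                             "need SameDomainContact or Contact, not both or neither"))
    # Flow: one or more System.
    for flow in root.iter(_t("Flow")):
        if flow.find(_t("System")) is None:
            problems.append(("Flow", "no System present"))
    return problems


def check_document(xml_text):
    """Parse an IODEF fragment and run the checks on it."""
    return check_constraints(ET.fromstring(xml_text.strip()))


# Constructed sample: one violation of each rule.
SAMPLE = f"""
<iodef:EventData xmlns:iodef="{NS}">
  <iodef:Flow>
    <iodef:System category="source">
      <iodef:Node>
        <iodef:DomainData>
          <iodef:Name>example.net</iodef:Name>
          <iodef:DomainContacts>
            <iodef:SameDomainContact>example.org</iodef:SameDomainContact>
            <iodef:Contact type="organization" role="tech"/>
          </iodef:DomainContacts>
        </iodef:DomainData>
      </iodef:Node>
    </iodef:System>
    <iodef:System category="target">
      <iodef:Node/>
    </iodef:System>
  </iodef:Flow>
  <iodef:Flow/>
  <iodef:Expectation action="defined-coa">
    <iodef:Description>run the agreed playbook</iodef:Description>
  </iodef:Expectation>
</iodef:EventData>
"""


if __name__ == "__main__":
    for cls, msg in check_document(SAMPLE):
        print(f"{cls}: {msg}")
```

These checks run after, not instead of, schema validation: the schema still enforces element cardinalities and enumerated values, and the two together give a consumer grounds to reject a document before acting on it.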
3.21. Service Class 3.22. Service Class
The Service class describes a network service of a host or network. The Service class describes a network service of a host or network.
The service is identified by specific port or list of ports, along The service is identified by specific port or list of ports, along
with the application listening on that port. with the application listening on that port.
When Service occurs as an aggregate class of a System that is a When Service occurs as an aggregate class of a System that is a
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
| INTEGER ip_protocol |<>--{0..1}--[ Port ] | INTEGER ip-protocol |<>--{0..1}--[ Port ]
| STRING indicator-uid |<>--{0..1}--[ Portlist ] | STRING indicator-uid |<>--{0..1}--[ Portlist ]
| STRING indicator-set-id |<>--{0..1}--[ ProtoCode ] | STRING indicator-set-id |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..*}--[ ApplicationHeader ] | |<>--{0..*}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 38: The Service Class Figure 40: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
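Review bot: Figure 39 does not express the either/or rule stated in the DomainContacts prose. The text says either a single SameDomainContact MUST be present or one or more Contact classes, but the figure's cardinalities ({0..1} SameDomainContact, {1..*} Contact) make Contact always mandatory and never allow SameDomainContact on its own; draw it as a choice (SameDomainContact {1} versus Contact {1..*}) or restate the rule to match the figure. The rename of Service@ip_protocol to @ip-protocol in Figure 40 is a wire-incompatible change for existing v1 documents and is correctly recorded in the new Section 4.4; the "liue" to "lieu" fix under SameDomainContact is fine.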
skipping to change at page 63, line 42 skipping to change at page 67, line 14
ProtoType ProtoType
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport layer (layer 4) protocol
specific type field (e.g., ICMP type field). specific type field (e.g., ICMP type field).
ProtoField ProtoField
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport layer (layer 4) protocol
specific flag field (e.g., TCP flag field). specific flag field (e.g., TCP flag field).
ApplicationHeader ApplicationHeader
Zero or many. An application layer (layer 7) protocol header. Zero or more. An application layer (layer 7) protocol header.
See Section 3.21.1. See Section 3.22.1.
EmailData EmailData
Zero or one. Headers associated with an email. See Section 3.23. Zero or one. Headers associated with an email. See Section 3.24.
Application Application
Zero or one. The application bound to the specified Port or Zero or one. The application bound to the specified Port or
Portlist. See Section 3.21.2. Portlist. See Section 3.22.2.
Either a Port or Portlist class MUST be specified for a given Either a Port or Portlist class MUST be specified for a given
instance of a Service class. instance of a Service class.
When a given System classes with category="source" and another with When a given System classes with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
The Service class has three attributes: The Service class has three attributes:
ip_protocol ip-protocol
Required. INTEGER. The IANA assigned IP protocol number per Required. INTEGER. The IANA assigned IP protocol number per
[IANA.Protocols]. [IANA.Protocols].
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.21.1. ApplicationHeader Class 3.22.1. ApplicationHeader Class
The ApplicationHeader class allows the representation of arbitrary The ApplicationHeader class allows the representation of arbitrary
fields from an application layer protocol header and its fields from an application layer protocol header and its
corresponding value. corresponding value.
+--------------------------+ +--------------------------+
| ApplicationHeader | | ApplicationHeader |
+--------------------------+ +--------------------------+
| ANY | | ANY |
| | | |
| INTEGER proto | | INTEGER proto |
| STRING field | | STRING field |
| ENUM dtype | | ENUM dtype |
| STRING indicator-uid | | STRING indicator-uid |
| STRING indicator-set-uid | | STRING indicator-set-uid |
+--------------------------+ +--------------------------+
Figure 39: The ApplicationHeader Class Figure 41: The ApplicationHeader Class
The ApplicationHeader class has five attributes: The ApplicationHeader class has five attributes:
proto proto
Required. INTEGER. The IANA assigned port number per Required. INTEGER. The IANA assigned port number per
[IANA.Ports] corresponding to the application layer protocol whose [IANA.Ports] corresponding to the application layer protocol whose
field will be represented. field will be represented.
field field
Required. STRING. The name of the protocol field whose value Required. STRING. The name of the protocol field whose value
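Review bot: Figure 41 names the last ApplicationHeader attribute `indicator-set-uid`, while the attribute list that follows it (and every other class in the document) uses `indicator-set-id`; correct the figure so an implementer working from it does not emit the wrong attribute name. Also, ApplicationHeader@proto is described as "the IANA assigned port number" while Service@ip-protocol is an IP protocol number; since proto identifies the application layer protocol by its registered port, say so explicitly so the two numbers are not confused.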
skipping to change at page 66, line 9 skipping to change at page 69, line 32
ext-dtype ext-dtype
Optional. STRING. A means by which to extend the dtype Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1. attribute. See Section 5.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.21.2. Application Class 3.22.2. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
| STRING configid | | STRING configid |
| STRING vendor | | STRING vendor |
| STRING family | | STRING family |
| STRING name | | STRING name |
| STRING version | | STRING version |
| STRING patch | | STRING patch |
+--------------------+ +--------------------+
Figure 40: The Application Class Figure 42: The Application Class
The aggregate class that constitute Application is: The aggregate class that constitute Application is:
URL URL
Zero or one. URL. A URL describing the application. Zero or one. URL. A URL describing the application.
The Application class has seven attributes: The Application class has seven attributes:
swid swid
Optional. STRING. An identifier that can be used to reference Optional. STRING. An identifier that can be used to reference
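Review bot: "The ApplicationHeader class has five attributes" undercounts: proto, field, dtype, ext-dtype, indicator-uid and indicator-set-id make six, and Figure 41 omits ext-dtype altogether; update both the count and the figure. Minor grammar in the Application section: "The aggregate class that constitute Application is" should read "constitutes".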
skipping to change at page 67, line 11 skipping to change at page 70, line 34
name name
Optional. STRING. Name of the software. Optional. STRING. Name of the software.
version version
Optional. STRING. Version of the software. Optional. STRING. Version of the software.
patch patch
Optional. STRING. Patch or service pack level of the software. Optional. STRING. Patch or service pack level of the software.
3.22. OperatingSystem Class 3.23. OperatingSystem Class
The OperatingSystem class describes the operating system running on a The OperatingSystem class describes the operating system running on a
System. The definition is identical to the Application class System. The definition is identical to the Application class
(Section 3.21.2). (Section 3.22.2).
3.23. EmailData Class 3.24. EmailData Class
The EmailData class describes headers from an email message. Common The EmailData class describes headers from an email message. Common
headers have dedicated classes, but arbitrary headers can also be headers have dedicated classes, but arbitrary headers can also be
described. described.
+-------------------------+ +-------------------------+
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| STRING indicator-uid |<>--{0..1}--[ EmailFrom ] | STRING indicator-uid |<>--{0..1}--[ EmailFrom ]
| STRING indicator-set-id |<>--{0..1}--[ EmailSubject ] | STRING indicator-set-id |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
+-------------------------+ +-------------------------+
Figure 41: EmailData Class Figure 43: EmailData Class
The aggregate class that constitutes EmailData are: The aggregate class that constitutes EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322]. See Section 3.6.2 of [RFC5322].
EmailSubject EmailSubject
Zero or one. The value of the "Subject:" header field in an Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322]. email. See Section 3.6.4 of [RFC5322].
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. The value of the "X-Mailer:" header field in an
email. email.
EmailHeaderField EmailHeaderField
Zero or one. The value of an arbitrary header field in the email. Zero or one. The value of an arbitrary header field in the email.
See Section 3.21.1. The attributes of EmailHeaderField MUST be See Section 3.22.1. The attributes of EmailHeaderField MUST be
set as follows: proto="25" and dtype="string". The name of the set as follows: proto="25" and dtype="string". The name of the
email header field MUST be set in the field attribute. email header field MUST be set in the field attribute.
The EmailData class has two attributes: The EmailData class has two attributes:
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.24. Record Class 3.25. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------+ +------------------+
| Record | | Record |
+------------------+ +------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
+------------------+ +------------------+
Figure 42: Record Class Figure 44: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has one attribute: The Record class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.24.1. RecordData Class 3.25.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+-------------------------+ +-------------------------+
| RecordData | | RecordData |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING indicator-uid |<>--{0..*}--[ Description ] | STRING indicator-uid |<>--{0..*}--[ Description ]
| STRING indicator-set-id |<>--{0..1}--[ Application ] | STRING indicator-set-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 43: The RecordData Class Figure 45: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
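Review bot: EmailHeaderField is listed as "Zero or one" but Figure 43 shows it as {0..*}; since the element exists to carry arbitrary additional headers, "Zero or more" is presumably intended and the text should be corrected. The EmailFrom, EmailSubject and EmailX-Mailer entries omit the data type that every other aggregate entry states (STRING or ML_STRING). Grammar: "The aggregate class that constitutes EmailData are" and "The aggregate classes that constitutes RecordData is" both mix number.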
skipping to change at page 70, line 14 skipping to change at page 73, line 41
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.24.2. RecordPattern Class 3.25.2. RecordPattern Class
The RecordPattern class describes where in the content of the The RecordPattern class describes where in the content of the
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 44: The RecordPattern Class Figure 46: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex".
1. regex. regular expression, per Appendix F of 1. regex. regular expression, per Appendix F of
[W3C.SCHEMA.DTYPES]. [W3C.SCHEMA.DTYPES].
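Review bot: RecordPattern@type is declared "Required" yet is also given "The default is 'regex'"; a required attribute never takes a default, so either make it optional with the default or drop the default sentence. RecordData@restriction cites Section 3.3.1 for its definition while Record@restriction in the preceding hunk cites Section 3.2; the two references should agree.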
skipping to change at page 71, line 33 skipping to change at page 75, line 18
See Section 5.1. See Section 5.1.
ext-offsetunit ext-offsetunit
Optional. STRING. A means by which to extend the offsetunit Optional. STRING. A means by which to extend the offsetunit
attribute. See Section 5.1. attribute. See Section 5.1.
instance instance
Optional. INTEGER. Number of types to apply the specified Optional. INTEGER. Number of types to apply the specified
pattern. pattern.
3.24.3. RecordItem Class 3.25.3. RecordItem Class
The RecordItem class provides a way to incorporate relevant logs, The RecordItem class provides a way to incorporate relevant logs,
audit trails, or forensic data to support the conclusions made during audit trails, or forensic data to support the conclusions made during
the course of analyzing the incident. The class supports both the the course of analyzing the incident. The class supports both the
direct encapsulation of the data, as well as, provides primitives to direct encapsulation of the data, as well as, provides primitives to
reference data stored elsewhere. reference data stored elsewhere.
This class is identical to AdditionalData class (Section 3.9). This class is identical to AdditionalData class (Section 3.9).
3.25. WindowsRegistryKeysModified Class 3.26. WindowsRegistryKeysModified Class
The WindowsRegistryKeysModified class describes Windows operating The WindowsRegistryKeysModified class describes Windows operating
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| STRING indicator-uid |<>--{1..*}--[ Key ] | STRING indicator-uid |<>--{1..*}--[ Key ]
| STRING indicator-set-id | | STRING indicator-set-id |
+-----------------------------+ +-----------------------------+
Figure 45: The WindowsRegistryKeysModified Class Figure 47: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the WindowsRegistryKeysModified The aggregate class that constitutes the WindowsRegistryKeysModified
class is: class is:
Key Key
One or many. The Window registry key. One or many. The Window registry key.
The WindowsRegistryKeysModified class has two attributes: The WindowsRegistryKeysModified class has two attributes:
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.25.1. Key Class 3.26.1. Key Class
The Key class describes a particular Windows operating system The Key class describes a particular Windows operating system
registry key name and value pair, and the operation performed on it. registry key name and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
+---------------------------+ +---------------------------+
Figure 46: The Key Class Figure 48: The Key Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
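Review bot: RecordPattern@instance reads "Number of types to apply the specified pattern"; this should be "Number of times". In Figure 48 KeyName is drawn as `<>----------[ KeyName ]` with no cardinality label while the text says "One"; the figure should carry `{1}` in the style used elsewhere. "The Window registry key" under the Key entry should be "The Windows registry key".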
skipping to change at page 73, line 46 skipping to change at page 77, line 27
ext-type ext-type
Optional. A means by which to extend the type attribute. See Optional. A means by which to extend the type attribute. See
Section 5.1. Section 5.1.
indicator-uid indicator-uid
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
indicator-set-id indicator-set-id
Optional. STRING. See Section 3.3.2. Optional. STRING. See Section 3.3.2.
3.26. HashData Class 3.27. HashData Class
The HashData class describes files, file hashes, ... TODO ...the hash The HashData class describes files, file hashes, ... TODO ...the hash
and signature details that are needed for providing context for and signature details that are needed for providing context for
indicators. indicators.
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-type |<>--{0..*}--[ FileSize ] | STRING ext-type |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ ds:Signature ] | BOOL valid |<>--{0..*}--[ ds:Signature ]
| STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ] | STRING indicator-uid |<>--{0..*}--[ ds:KeyInfo ]
| STRING indicator-set-id |<>--{0..*}--[ ds:Reference ] | STRING indicator-set-id |<>--{0..*}--[ ds:Reference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 47: The HashData Class Figure 49: The HashData Class
The aggregate classes that constitutes HashData are: The aggregate classes that constitutes HashData are:
FileName FileName
Zero or more. ML_STRING. The name of the file. Zero or more. ML_STRING. The name of the file.
FileSize FileSize
Zero or more. INTEGER. The size of the file in bytes. Zero or more. INTEGER. The size of the file in bytes.
ds:Signature ds:Signature
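Review bot: The HashData description still contains a "... TODO ..." placeholder; a standards-track draft should not carry unfinished normative prose, and the class needs a real description of what the ds:Signature, ds:KeyInfo and ds:Reference aggregates are used for. The Key attribute list in this hunk includes indicator-uid and indicator-set-id, but Figure 48 shows only registryaction, ext-registryaction, type and ext-type; add the two indicator attributes to the figure or remove them from the list. Grammar: "The aggregate classes that constitutes HashData are" should read "constitute".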
skipping to change at page 77, line 35 skipping to change at page 81, line 16
content of Confidence should be empty. content of Confidence should be empty.
o The Address@type attribute determines the format of the element o The Address@type attribute determines the format of the element
content. content.
o The attributes AdditionalData@dtype and RecordItem@dtype derived o The attributes AdditionalData@dtype and RecordItem@dtype derived
from iodef:ExtensionType determine the semantics and formatting of from iodef:ExtensionType determine the semantics and formatting of
the element content. the element content.
o Symmetry in the enumerated ports of a Portlist class is required o Symmetry in the enumerated ports of a Portlist class is required
between sources and targets. See Section 3.21. between sources and targets. See Section 3.22.
4.4. Incompatibilities with v1
Version 2 of the IODEF data model makes a number of changes to
[RFC5070]. Largely, these changes were additive in nature -- classes
and enumerated values were added. The following is a list of
incompatibilities where the data model has changed between versions:
o Renames the Service@ip_protocol attribute to @ip-protocol.
o Removes the Node/NodeName in favor of representing domain names
with Node/DomainData/Name. Node/DataTime was also removed so that
Node/DomainData/DateDomainWasChecked can represent the time at
which the name to address resolution occured.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the changing activity of CSIRTS, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
IODEF schema. With proven value, well documented extensions can be IODEF schema. With proven value, well documented extensions can be
incorporated into future versions of the specification. However, incorporated into future versions of the specification. However,
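Review bot: In the new Section 4.4, "occured" should be "occurred", and "Node/DataTime" looks like a typo for "Node/DateTime". The section says the changes were "largely additive" but lists only two incompatibilities; since this revision also adds a Discovery class and new enumeration values in the schema hunks below, state explicitly that additive changes are not enumerated here so readers do not take the list as a complete changelog.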
skipping to change at page 88, line 34 skipping to change at page 92, line 34
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis Incident Object Description Exchange Format v2.0, RFC5070-bis
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!-- <!--
================================================================== ==================================================================
== List of changes ==
==================================================================
CHANGE - new indicator values in the schema
The purpose of the proposed changes is to include commonly shared
indicators in the base IODEF schema. This class will contain
indicators from the list below that are not represented elsewhere
in the schema. IODEF extensions or embedded schemas via the SCI
classes will be required to include additional data types.
A table could be maintained through IANA to extend or change this
class in between IODEF revisions.
RFC5901 provides a method to include an entire email, the following
included indicators are ones commonly used when you do not need the
entire email
The following are in the Service Class:
Email address
Email subject
X-Mailer
The following are in the Record class:
File Name
File Hash - 5.9.5.2 - using ds:reference
WindowsRegistryKey - using method from RFC5901
The following are now in the Node class as a proposed location.
URL
HTTPUserAgent is included as a SoftwareType
HTTP User Agent String
-->
<!--
==================================================================
== IODEF-Document class == == IODEF-Document class ==
================================================================== ==================================================================
--> -->
<xs:element name="IODEF-Document"> <xs:element name="IODEF-Document">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Incident" <xs:element ref="iodef:Incident"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
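Review bot: Dropping the "List of changes" comment block from the schema header is the right call for a published schema, but the rationale it carried (which indicators live under Service, Record and Node, and the expectation that an IANA table may extend them) does not appear in the prose of this diff; make sure Section 4.4 or the IANA considerations capture whatever of it is still intended. The xs:documentation text "RFC5070-bis" will need to be replaced with the assigned RFC number at publication.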
skipping to change at page 90, line 10 skipping to change at page 93, line 28
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" <xs:element ref="iodef:DetectTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/> <xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" <xs:element ref="iodef:Assessment"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Method" <xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History" <xs:element ref="iodef:History"
minOccurs="0"/> minOccurs="0"/>
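Review bot: The new `iodef:Discovery` reference is inserted between Description and Assessment in the Incident sequence with minOccurs="0" maxOccurs="unbounded"; because xs:sequence is order-sensitive, the Incident class figure and prose in Section 3 must list Discovery in this same position, and the Discovery class itself needs its own information-model section, which does not appear in this diff.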
skipping to change at page 94, line 43 skipping to change at page 98, line 13
<xs:enumeration value="provider"/> <xs:enumeration value="provider"/>
<xs:enumeration value="zone"/> <xs:enumeration value="zone"/>
<xs:enumeration value="user"/> <xs:enumeration value="user"/>
<xs:enumeration value="billing"/> <xs:enumeration value="billing"/>
<xs:enumeration value="legal"/> <xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/> <xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/> <xs:enumeration value="irt"/>
<xs:enumeration value="cc"/> <xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/> <xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/> <xs:enumeration value="le"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-role" <xs:attribute name="ext-role"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/> <xs:enumeration value="person"/>
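Review bot: Adding `vendor` to the Contact@role enumeration is additive and safe for existing documents, but the prose list of role values in the Contact class section is not part of this diff and must be updated in step with the schema, including a one-line definition of what "vendor" denotes relative to the existing "provider" value.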
skipping to change at page 98, line 25 skipping to change at page 101, line 44
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" default="other"/> type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!--
==================================================================
== Discovery class ==
==================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="idps"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="file-integrity"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="DetectionPattern">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Method class == == Method class ==
================================================================== ==================================================================
--> -->
<xs:element name="Method"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/> <xs:element ref="iodef:Reference"/>
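Review bot: in the new `DetectionPattern` element, `<xs:element ref="iodef:Application"/>` is the only required child, so a pattern whose detecting product is unknown or deliberately withheld cannot be expressed at all; either give it `minOccurs="0"` or state the constraint in the prose. Two smaller points in the same block: `DetectionConfiguration` is a plain `xs:string` with no `restriction` of its own, so the `restriction` attribute on `DetectionPattern` is the only control over sharing of a signature or rule text, which is acceptable but should be documented; and the `source` enumeration on `Discovery` follows the schema's `ext-value` convention, so the prose needs the usual sentence that `ext-source` MUST be set when `source="ext-value"`, since XSD cannot enforce it.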
skipping to change at page 99, line 10 skipping to change at page 103, line 42
<xs:element name="Reference"> <xs:element name="Reference">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="ReferenceName" <xs:element name="ReferenceName"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<!-- CHANGE: Do we want an indicator_set_id here to connect
data in the reference class to specific indicators?
is there a better way to do this?
Should the indicator_uid be used to mark data so that
you have a way to limit who you share that data with
in products?
-->
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<!-- Adding in Attack Type --> <!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type" <xs:attribute name="attacktype" type="att-type"
use="required"> use="required">
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-attacktype" <xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
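Review bot: the `attacktype` attribute is declared with `type="att-type"`, without the `iodef:` prefix that every other type reference in this schema carries (`iodef:action-type`, `iodef:restriction-type`, `iodef:MLStringType`); unless a default namespace is declared for the schema, that QName will not resolve and the schema will fail to load. Separately, `use="required"` forces an attack type onto every `Reference`, including a bare pointer to a vendor advisory or CVE entry, so `use="optional"` with a default is probably the intent. Before publication the work-in-progress comment `<!-- Adding in Attack Type -->` should go and the empty `<xs:attribute ...></xs:attribute>` can be self-closed; dropping the "Do we want an indicator_set_id here" comment in -06 was the right call.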
skipping to change at page 103, line 28 skipping to change at page 108, line 4
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" <xs:element ref="iodef:DetectTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" <xs:element ref="iodef:Assessment"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Method" <xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow" <xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation" <xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record" <xs:element ref="iodef:Record"
minOccurs="0"/> minOccurs="0"/>
skipping to change at page 104, line 45 skipping to change at page 109, line 22
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string" <xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="category"> <xs:attribute name="category">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/> <xs:enumeration value="source"/>
<xs:enumeration value="target"/> <xs:enumeration value="target"/>
<!-- CHANGE - adding two new values to cover <!-- CHANGE - adding two new values to cover
watchlist groups --> watchlist groups -->
<xs:enumeration value="watchlist-source"/> <xs:enumeration value="watchlist-source"/>
<xs:enumeration value="watchlist-target"/> <xs:enumeration value="watchlist-target"/>
<xs:enumeration value="intermediate"/> <xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/> <xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<!-- CHANGE - adding an attribute to mark sets of
indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type" <xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" /> default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type" <xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/> use="optional" default="unknown"/>
<xs:attribute name="ownership"> <xs:attribute name="ownership">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="personal"/> <xs:enumeration value="personal"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
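Review bot: `indicator-set-id` (and its CHANGE comment) is dropped from `System` in -06 while `Reference` and `Service` in this same draft keep both `indicator-uid` and `indicator-set-id`; either restore it or explain in the prose why a System cannot be tagged as a member of an indicator set. Also in this block: `spoofed` and `virtual` reference `yes-no-unknown-type` without the `iodef:` prefix used elsewhere, and the `<!-- CHANGE - adding two new values to cover watchlist groups -->` comment is still present in the schema that will be published. Moving `interface` after `ext-category` changes nothing semantically and is fine.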
skipping to change at page 105, line 51 skipping to change at page 110, line 25
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Node class == == Node class ==
================================================================== ==================================================================
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element name="NodeName"
type="iodef:MLStringType" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from
RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Address" <xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:PostalAddress" <xs:element ref="iodef:PostalAddress"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Location" <xs:element ref="iodef:Location"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole" <xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Address"> <xs:element name="Address">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
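Review bot: every branch of the `Node` `xs:choice` carries `minOccurs="0"`, so a `Node` with neither `DomainData` nor `Address` validates; if a Node is required to identify a host, drop `minOccurs="0"` from the branches (the `maxOccurs="unbounded"` on the choice already allows repetition). With `NodeName` removed in -06, a hostname that RFC 5070 producers carried in `NodeName` now has to go into `DomainData`; that migration belongs in the list of changes from RFC 5070. Adding `DateTime` back after `Location` restores an element RFC 5070's Node already had, which is good.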
skipping to change at page 108, line 44 skipping to change at page 113, line 12
</xs:choice> </xs:choice>
<xs:element name="ProtoType" <xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode" <xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField" <xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader" <xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType" type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE - email from address indicator, may be better as a sub <xs:element ref="EmailData" minOccurs="0"/>
class? Would only make sense with the service set to
email ports or none at all here or a new class. -->
<xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element ref="EmailInfo" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from
RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="ip_protocol" <xs:attribute name="ip-protocol"
type="xs:integer" use="required"/> type="xs:integer" use="required"/>
<xs:attribute name="indicator-uid" <xs:attribute name="indicator-uid"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id" <xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="PortlistType"> <xs:simpleType name="PortlistType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
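Review bot: `<xs:element ref="EmailData" minOccurs="0"/>` omits the `iodef:` prefix that every other `ref` in this sequence uses (`iodef:Application`, `iodef:Description`); in a schema with a targetNamespace and no default namespace the reference does not resolve, so it should read `ref="iodef:EmailData"`. Folding the -05 `Email`, `EmailSubject`, `X-Mailer` and `EmailInfo` children into one `EmailData` element is the right structure. Note that renaming `ip_protocol` to `ip-protocol` is a breaking change for RFC 5070 documents, which used `ip_protocol`; it is consistent with the hyphenated attribute names elsewhere in v2, but it must be called out in the compatibility section.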
skipping to change at page 110, line 18 skipping to change at page 114, line 23
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration" <xs:attribute name="ext-duration"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== EMailInfo class == == EmailData class ==
================================================================== ==================================================================
--> -->
<xs:element name="EmailInfo"> <xs:element name="EmailData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="EmailFrom" <xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer" <xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField" <xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType" type="iodef:ApplicationHeaderType"
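Review bot: `EmailFrom` is typed `iodef:MLStringType`, so any free text validates as a sender address; if the field is meant to carry an address that recipients will match against mail logs, either constrain it or say in the prose that it is the unparsed header value. The rename from `EmailInfo` to `EmailData` is mirrored in the section banner, which is correct, but the `ref` to it in `Service` still needs the `iodef:` prefix.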
skipping to change at page 121, line 11 skipping to change at page 125, line 16
<xs:enumeration value="contact-source-site"/> <xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/> <xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/> <xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/> <xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/> <xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/> <xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/> <xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/> <xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/> <xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/> <xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="remediate-other"/> <xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/> <xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/> <xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/> <xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/> <xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
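Review bot: `upgrade-software` and `rebuild-asset` are removed from `action-type` between -05 and -06, so any document that used them in an `action` attribute typed `iodef:action-type` (such as the one at the top of this diff) no longer validates; the change log should say whether they are to be expressed as `remediate-other` or as `ext-value` with `ext-action`, and why two concrete remediation actions were dropped while `remediate-other` stays.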
skipping to change at page 125, line 45 skipping to change at page 130, line 7
service-names-port-numbers/ service-names-port-numbers/
service-names-port-numbers.txt>. service-names-port-numbers.txt>.
[IANA.Protocols] [IANA.Protocols]
Internet Assigned Numbers Authority, "Assigned Internet Internet Assigned Numbers Authority, "Assigned Internet
Protocol Numbers", January 2014, <http://www.iana.org/ Protocol Numbers", January 2014, <http://www.iana.org/
assignments/protocol-numbers/protocol-numbers.txt>. assignments/protocol-numbers/protocol-numbers.txt>.
12.2. Informative References 12.2. Informative References
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
Object Description Exchange Format", RFC 5070, December
2007.
[refs.requirements] [refs.requirements]
Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
for the Format for Incident Information Exchange (FINE)", for the Format for Incident Information Exchange (FINE)",
Work in Progress, June 2006. Work in Progress, June 2006.
[RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein, [RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein,
"Intrusion Detection Message Exchange Format", RFC 4765, "Intrusion Detection Message Exchange Format", RFC 4765,
March 2007. March 2007.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
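Review bot: the [RFC5070] entry is removed from the Informative References in -06, but this draft obsoletes RFC 5070 and the text necessarily cites it; keep the entry (as normative or informative, depending on how the body uses it). In the [RFC4765] entry "Debar, H." appears twice; the IDMEF authors are H. Debar, D. Curry and B. Feinstein, so the duplicate should be dropped.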
 End of changes. 167 change blocks. 
304 lines changed or deleted 468 lines changed or added
