draft-ietf-mile-rfc5070-bis-07.txt   draft-ietf-mile-rfc5070-bis-08.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: January 24, 2015 July 23, 2014 Expires: February 6, 2015 August 5, 2014
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-07 draft-ietf-mile-rfc5070-bis-08
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for sharing information commonly exchanged by data representation for sharing information commonly exchanged by
Computer Security Incident Response Teams (CSIRTs) about computer Computer Security Incident Response Teams (CSIRTs) about computer
security incidents. This document describes the information model security incidents. This document describes the information model
for the IODEF and provides an associated data model specified with for the IODEF and provides an associated data model specified with
XML Schema. XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 24, 2015. This Internet-Draft will expire on February 6, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 28 skipping to change at page 2, line 28
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 6 1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 6
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7
1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7 1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 7 1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 7
1.5. About the IODEF Implementation . . . . . . . . . . . . . 8 1.5. About the IODEF Implementation . . . . . . . . . . . . . 8
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 8
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 8 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9 2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 9
2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10 2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 10
2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 10 2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 10
2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 10 2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 10
2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 10 2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 10
2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 10 2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 11
2.12. Person or Organization . . . . . . . . . . . . . . . . . 11 2.12. Person or Organization . . . . . . . . . . . . . . . . . 11
2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 11 2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 11
2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 11 2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 11
2.15. Uniform Resource Locator strings . . . . . . . . . . . . 11 2.15. Uniform Resource Locator strings . . . . . . . . . . . . 11
2.16. Identifiers and Identifier References . . . . . . . . . . 11 2.16. Identifiers and Identifier References . . . . . . . . . . 11
3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 11 3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 12
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 12 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 12
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 13 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 13
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 15 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 15
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 15 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 15
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 16 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 16
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 17 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 17
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 17 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 17
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 18 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 18
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 19 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 19
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 20 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 20
3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 20 3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 21
3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 23 3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 23
3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 26 3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 26
3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 27 3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 27
3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 27 3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 28
3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 28 3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 28
3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 28 3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 29
3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 29 3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 29
3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 29 3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 29
3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 29 3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 29
3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 29 3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 30
3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 29 3.11.5. DateTime . . . . . . . . . . . . . . . . . . . . . . 30
3.12. Discovery Class . . . . . . . . . . . . . . . . . . . . . 29 3.12. Discovery Class . . . . . . . . . . . . . . . . . . . . . 30
3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . 31 3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . 31
3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . 32 3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . 32
3.13.1. Reference Class . . . . . . . . . . . . . . . . . . 32 3.13.1. Reference Class . . . . . . . . . . . . . . . . . . 33
3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . 33 3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . 34
3.14.1. Impact Class . . . . . . . . . . . . . . . . . . . . 35 3.14.1. Impact Class . . . . . . . . . . . . . . . . . . . . 35
3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . 36 3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . 37
3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 38 3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 39
3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 40 3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 41
3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . 41 3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . 42
3.15. History Class . . . . . . . . . . . . . . . . . . . . . . 42 3.15. History Class . . . . . . . . . . . . . . . . . . . . . . 43
3.15.1. HistoryItem Class . . . . . . . . . . . . . . . . . 42 3.15.1. HistoryItem Class . . . . . . . . . . . . . . . . . 44
3.16. EventData Class . . . . . . . . . . . . . . . . . . . . . 44 3.16. EventData Class . . . . . . . . . . . . . . . . . . . . . 46
3.16.1. Relating the Incident and EventData Classes . . . . 46 3.16.1. Relating the Incident and EventData Classes . . . . 48
3.16.2. Cardinality of EventData . . . . . . . . . . . . . . 46 3.16.2. Cardinality of EventData . . . . . . . . . . . . . . 48
3.17. Expectation Class . . . . . . . . . . . . . . . . . . . . 47 3.17. Expectation Class . . . . . . . . . . . . . . . . . . . . 49
3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 50 3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 52
3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 50 3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 52
3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 53 3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 55
3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 54 3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 56
3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 56 3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 58
3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 58 3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 60
3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 59 3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 61
3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 62 3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 64
3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 62 3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 64
3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 63 3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 65
3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 63 3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 66
3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 65 3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 67
3.22.2. Application Class . . . . . . . . . . . . . . . . . 67 3.22.2. Application Class . . . . . . . . . . . . . . . . . 69
3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 68 3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 70
3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 68 3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 70
3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 69 3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 71
3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 69 3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 72
3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 70 3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 73
3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 72 3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 74
3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 72 3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 74
3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 73 3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 75
3.27. HashData Class . . . . . . . . . . . . . . . . . . . . . 74 3.27. HashData Class . . . . . . . . . . . . . . . . . . . . . 76
3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 75 3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 78
3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 75 3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 78
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 78 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 80
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 78 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 81
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 79 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 82
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 80 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 83
3.29.5. ObservableReference Class . . . . . . . . . . . . . 82 3.29.5. ObservableReference Class . . . . . . . . . . . . . 85
3.29.6. IndicatorReference Class . . . . . . . . . . . . . . 82 3.29.6. IndicatorReference Class . . . . . . . . . . . . . . 85
4. Processing Considerations . . . . . . . . . . . . . . . . . . 83 4. Processing Considerations . . . . . . . . . . . . . . . . . . 86
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 83 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 86
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 84 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 87
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 84 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 87
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 85 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 88
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 85 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 88
5.1. Extending the Enumerated Values of Attributes . . . . . . 85 5.1. Extending the Enumerated Values of Attributes . . . . . . 88
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 86 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 89
6. Internationalization Issues . . . . . . . . . . . . . . . . . 88 6. Internationalization Issues . . . . . . . . . . . . . . . . . 91
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 89 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 92
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 89 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 92
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 91 7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 94
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 92 7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 96
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 94 7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 97
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 96 8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 99
9. Security Considerations . . . . . . . . . . . . . . . . . . . 132 9. Security Considerations . . . . . . . . . . . . . . . . . . . 135
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 133 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 136
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 134 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 137
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 134 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 137
12.1. Normative References . . . . . . . . . . . . . . . . . . 134 12.1. Normative References . . . . . . . . . . . . . . . . . . 137
12.2. Informative References . . . . . . . . . . . . . . . . . 136 12.2. Informative References . . . . . . . . . . . . . . . . . 139
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 6, line 30 skipping to change at page 6, line 30
o The following class was added to Incident: IndicatorData. o The following class was added to Incident: IndicatorData.
o The following classes were added to Incident and EventData: o The following classes were added to Incident and EventData:
Discovery. Discovery.
o The following classes and attributes were added to the Service o The following classes and attributes were added to the Service
class: EmailData, DomainData, AssetID, ApplicationHeader @virtual, class: EmailData, DomainData, AssetID, ApplicationHeader @virtual,
and @ownership. Service@ip_protocol was renamed to @ip-protocol. and @ownership. Service@ip_protocol was renamed to @ip-protocol.
o The following classes were added to the Record class: FileName and o The following classes were added to the Record class: HashData and
WindowsRegistryKeysModified. WindowsRegistryKeysModified.
o The following classes were added to the RelatedActivity class: o The following classes were added to the RelatedActivity class:
ThreatActor, Campaign, Confidence, Description, and ThreatActor, Campaign, Confidence, Description, and
AdditionalData. AdditionalData.
o The following classes were added to Assessment: BusinessImpact. o The following classes were added to Assessment: BusinessImpact and
MitigatingFactor.
o The following classes were added to Node: PostalAddress and o The following classes were added to Node: PostalAddress and
DomainData. The following classes were removed from Node: Removed DomainData. The following classes were removed from Node: Removed
NodeName and DateTime. NodeName and DateTime.
o The following classes were added to the Contact class: o The following classes were added to the Contact class:
ContactTitle. ContactTitle.
o The following classes were added to Expectation and HistoryItem: o The following classes were added to Expectation and HistoryItem:
DefinedCOA. DefinedCOA.
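Review bot: the Node bullet reads "The following classes were removed from Node: Removed NodeName and DateTime" in both columns; the second "Removed" is redundant and should be dropped. Separately, the Record bullet now names HashData where the previous revision named FileName; since the table of contents lists a HashData class (3.27) and no FileName class, the change log should state whether FileName was renamed or removed so implementers of v1 know what happened to it.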
skipping to change at page 10, line 18 skipping to change at page 10, line 21
of an ordered list of acceptable values. Each value has a of an ordered list of acceptable values. Each value has a
representative keyword. Within the IODEF schema, the enumerated type representative keyword. Within the IODEF schema, the enumerated type
keywords are used as attribute values. keywords are used as attribute values.
The ENUM data type is implemented as a series of "xs:NMTOKEN" in the The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
schema. schema.
2.8. Date-Time Strings 2.8. Date-Time Strings
Date-time strings are represented by the DATETIME data type. Each Date-time strings are represented by the DATETIME data type. Each
date-time string identifies a particular instant in time; ranges are date-time string identifies a particular instant in time. Ranges are
not supported. not supported.
Date-time strings are formatted according to a subset of [ISO8601] Date-time strings are formatted according to a subset of [ISO8601]
documented in [RFC3339]. documented in [RFC3339].
The DATETIME data type is implemented as an "xs:dateTime" in the The DATETIME data type is implemented as an "xs:dateTime" in the
schema. schema.
2.9. Timezone String 2.9. Timezone String
skipping to change at page 12, line 42 skipping to change at page 12, line 45
Section 3.9 Section 3.9
The IODEF-Document class has three attributes: The IODEF-Document class has three attributes:
version version
Required. STRING. The IODEF specification version number to Required. STRING. The IODEF specification version number to
which this IODEF document conforms. The value of this attribute which this IODEF document conforms. The value of this attribute
MUST be "2.00" MUST be "2.00"
lang lang
Required. ENUM. A valid language code per [RFC4646] constrained Required. ENUM. A valid language code per [RFC5646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
formatid formatid
Optional. STRING. A free-form string to convey processing Optional. STRING. A free-form string to convey processing
instructions to the recipient of the document. Its semantics must instructions to the recipient of the document. Its semantics must
be negotiated out-of-band. be negotiated out-of-band.
3.2. Incident Class 3.2. Incident Class
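Review bot: the version attribute text ends 'MUST be "2.00"' with no terminating period in either column. The lang attribute is typed ENUM yet is "constrained by the definition of xs:language", which is not a fixed keyword list like the ENUM type defined in Section 2.7 (a series of xs:NMTOKEN); either state that this ENUM is realized as xs:language or type it as a constrained STRING so the data type section and the attribute description agree. The [RFC4646] to [RFC5646] update made here needs to be applied to every remaining occurrence of the lang attribute.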
skipping to change at page 13, line 18 skipping to change at page 13, line 18
This class provides a standardized representation for commonly This class provides a standardized representation for commonly
exchanged incident data. exchanged incident data.
+-------------------------+ +-------------------------+
| Incident | | Incident |
+-------------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM lang |<>--{0..*}--[ RelatedActivity ] | ENUM lang |<>--{0..*}--[ RelatedActivity ]
| ENUM restriction |<>--{0..1}--[ DetectTime ] | ENUM restriction |<>--{0..1}--[ DetectTime ]
| STRING observable-uid |<>--{0..1}--[ StartTime ] | STRING observable-id |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>----------[ ReportTime ] | |<>----------[ ReportTime ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*} [ Discovery ] | |<>--{0..*} [ Discovery ]
| |<>--{1..*}--[ Assessment ] | |<>--{1..*}--[ Assessment ]
| |<>--{0..*}--[ Method ] | |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ] | |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ IndicatorData ] | |<>--{0..*}--[ IndicatorData ]
| |<>--{0..1}--[ History ] | |<>--{0..1}--[ History ]
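Review bot: the Discovery row of the Incident class figure is drawn as "|<>--{0..*} [ Discovery ]" with no "--" between the cardinality and the class box in either column, while every other row uses the "--{n..m}--" connector; align it so the figure's notation is uniform. The observable-uid to observable-id correction in the figure now matches the attribute list that follows it.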
skipping to change at page 15, line 25 skipping to change at page 15, line 25
Expectation class. Expectation class.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-purpose ext-purpose
Optional. STRING. A means by which to extend the purpose Optional. STRING. A means by which to extend the purpose
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC5646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.3. Common Attributes 3.3. Common Attributes
skipping to change at page 16, line 49 skipping to change at page 16, line 49
8. amber. Same as 'need-to-know'. 8. amber. Same as 'need-to-know'.
9. red. Same as 'private'. 9. red. Same as 'private'.
3.3.2. observable-id Attribute 3.3.2. observable-id Attribute
Information included in an incident report may be an observable Information included in an incident report may be an observable
relevant to an indicator. The observable-id attribute provides a relevant to an indicator. The observable-id attribute provides a
unique identifier in the scope of the document for this observable. unique identifier in the scope of the document for this observable.
This identifer can then used to reference the observable with an This identifier can then used to reference the observable with an
ObservableReference class to define an indicator in the IndicatorData ObservableReference class to define an indicator in the IndicatorData
class. class.
3.4. IncidentID Class 3.4. IncidentID Class
The IncidentID class represents an incident tracking number that is The IncidentID class represents an incident tracking number that is
unique in the context of the CSIRT and identifies the activity unique in the context of the CSIRT and identifies the activity
characterized in an IODEF Document. This identifier would serve as characterized in an IODEF Document. This identifier would serve as
an index into the CSIRT incident handling system. The combination of an index into the CSIRT incident handling system. The combination of
the name attribute and the string in the element content MUST be a the name attribute and the string in the element content MUST be a
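Review bot: "This identifier can then used to reference the observable" is still missing "be" ("can then be used") in both columns; the "identifer" spelling fix in this hunk should be paired with that correction so the sentence is grammatical.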
skipping to change at page 27, line 33 skipping to change at page 28, line 10
3.10.2. PostalAddress Class 3.10.2. PostalAddress Class
The PostalAddress class specifies a postal address formatted The PostalAddress class specifies a postal address formatted
according to the POSTAL data type (Section 2.11). according to the POSTAL data type (Section 2.11).
+---------------------+ +---------------------+
| PostalAddress | | PostalAddress |
+---------------------+ +---------------------+
| POSTAL | | POSTAL |
| | | |
| ENUM meaning | | STRING meaning |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 11: The PostalAddress Class Figure 11: The PostalAddress Class
The PostalAddress class has two attributes: The PostalAddress class has two attributes:
meaning meaning
Optional. ENUM. A free-form description of the element content. Optional. STRING. A free-form description of the element
content.
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC5646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
3.10.3. Email Class 3.10.3. Email Class
The Email class specifies an email address formatted according to The Email class specifies an email address formatted according to
EMAIL data type (Section 2.14). EMAIL data type (Section 2.14).
+--------------+ +--------------+
| Email | | Email |
+--------------+ +--------------+
| EMAIL | | EMAIL |
| | | |
| ENUM meaning | | ENUM meaning |
+--------------+ +--------------+
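Review bot: PostalAddress@meaning is changed from ENUM to STRING to match its "free-form description" text, but the Email class figure in the same hunk still shows "ENUM meaning" in both columns. If Email@meaning is likewise a free-form description, it needs the same change; otherwise the figure and the attribute definition will disagree and schema validation of free-text values will fail.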
skipping to change at page 33, line 30 skipping to change at page 34, line 8
URL URL
Zero or more. URL. A URL associated with the reference. Zero or more. URL. A URL associated with the reference.
Description Description
Zero or more. ML_STRING. A free-form text description of this Zero or more. ML_STRING. A free-form text description of this
reference. reference.
The Reference class has 3 attributes. The Reference class has 3 attributes.
attacktype attacktype
Optional. ENUM. TODO. Optional. ENUM. TODO.
ext-attacktype ext-attacktype
Optional. STRING. A mechanism by which to extend the Optional. STRING. A mechanism by which to extend the Attack
Attack Type. Type.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.14. Assessment Class 3.14. Assessment Class
The Assessment class describes the repercussions of the incident to The Assessment class describes the repercussions of the incident to
the victim. the victim.
+-------------------------+ +-------------------------+
| Assessment | | Assessment |
+-------------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ] | ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ BusinessImpact ] | ENUM restriction |<>--{0..*}--[ BusinessImpact ]
| ID observable-id |<>--{0..*}--[ TimeImpact ] | ID observable-id |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ] | |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..*}--[ MitigatingFactor ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 19: Assessment Class Figure 19: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
Impact Impact
Zero or more. Technical characterization of the impact of the Zero or more. Technical characterization of the impact of the
activity on the victim's enterprise. activity on the victim's enterprise.
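Review bot: Reference@attacktype is still described as "Optional. ENUM. TODO." in both columns, so its permitted values are undefined even though ext-attacktype already claims to extend them; the enumeration (and the corresponding schema definition) needs to be supplied, or the attribute removed, before a Standards Track document can define conforming values. Minor: "The Reference class has 3 attributes." uses a numeral where the other class descriptions spell out "three".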
skipping to change at page 34, line 31 skipping to change at page 35, line 11
time. time.
MonetaryImpact MonetaryImpact
Zero or more. Impact of the activity measured with respect to Zero or more. Impact of the activity measured with respect to
financial loss. financial loss.
Counter Counter
Zero or more. A counter with which to summarize the magnitude of Zero or more. A counter with which to summarize the magnitude of
the activity. the activity.
MitigatingFactor
Zero or one. ML_STRING. A description of a mitigating factor an
impact.
Confidence Confidence
Zero or one. An estimate of confidence in the assessment. Zero or one. An estimate of confidence in the assessment.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
A least one instance of the possible three impact classes (i.e., A least one instance of the possible three impact classes (i.e.,
Impact, TimeImpact, or MonetaryImpact) MUST be present. Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has three attributes: The Assessment class has three attributes:
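Review bot: the new MitigatingFactor entry disagrees with Figure 19 on cardinality and its sentence is incomplete. Figure 19 draws it as {0..*}, but the prose says "Zero or one. ML_STRING. A description of a mitigating factor an impact." Make the two agree (either "Zero or more" here or {0..1} in the figure) and finish the sentence, e.g. "A description of a mitigating factor relative to the impact on the enterprise." In the same hunk, "A least one instance of the possible three impact classes" should read "At least one instance", and since that MUST cannot be enforced by the schema alone, it would help to say what a recipient does with an Assessment that carries none of Impact, TimeImpact or MonetaryImpact (reject it, or treat the document as non-conforming).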
skipping to change at page 35, line 36 skipping to change at page 36, line 25
+------------------+ +------------------+
Figure 20: Impact Class Figure 20: Impact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact. impact.
The Impact class has five attributes: The Impact class has five attributes:
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC5646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
1. low. Low severity 1. low. Low severity
skipping to change at page 36, line 17 skipping to change at page 36, line 52
successful. The permitted values are shown below. There is no successful. The permitted values are shown below. There is no
default value. default value.
1. failed. The attempted activity was not successful. 1. failed. The attempted activity was not successful.
2. succeeded. The attempted activity succeeded. 2. succeeded. The attempted activity succeeded.
type type
Required. ENUM. Classifies the malicious activity into incident Required. ENUM. Classifies the malicious activity into incident
categories. The permitted values are shown below. The default categories. The permitted values are shown below. The default
value is "other". value is "unknown".
1. admin. Administrative privileges were attempted. 1. admin. Administrative privileges were attempted.
2. dos. A denial of service was attempted. 2. dos. A denial of service was attempted.
3. file. An action that impacts the integrity of a file or 3. file. An action that impacts the integrity of a file or
database was attempted. database was attempted.
4. info-leak. An attempt was made to exfiltrate information. 4. info-leak. An attempt was made to exfiltrate information.
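Review bot: changing the default of Impact@type from "other" to "unknown" only works if "unknown" is actually one of the permitted values and the schema default in Section 8 is changed in step; the portion of the list visible here (admin, dos, file, info-leak) does not show it. Please confirm the enumeration contains "unknown" and that the xs:attribute default for Impact@type is updated to match, otherwise a document that omits @type is assigned one value by a validating parser and a different one by anyone reading the prose.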
skipping to change at page 44, line 15 skipping to change at page 45, line 37
The HistoryItem class has four attributes: The HistoryItem class has four attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
action action
Required. ENUM. Classifies a performed action or occurrence Required. ENUM. Classifies a performed action or occurrence
documented in this history log entry. As activity will likely documented in this history log entry. As activity will likely
have been instigated either through a previously conveyed have been instigated either through a previously conveyed
expectation or internal investigation, this attribute is identical expectation or internal investigation, this attribute is identical
to the category attribute of the Expectation class. The to the action attribute of the Expectation class. The difference
difference is only one of tense. When an action is in this class, is only one of tense. When an action is in this class, it has
it has been completed. See Section 3.17. been completed. See Section 3.17.
ext-action ext-action
Optional. STRING. A means by which to extend the action Optional. STRING. A means by which to extend the action
attribute. See Section 5.1. attribute. See Section 5.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.16. EventData Class 3.16. EventData Class
skipping to change at page 56, line 46 skipping to change at page 58, line 46
6. client-mobile. Client is a mobile device 6. client-mobile. Client is a mobile device
7. server-internal. Server with internal services 7. server-internal. Server with internal services
8. server-public. Server with public services 8. server-public. Server with public services
9. www. WWW server 9. www. WWW server
10. mail. Mail server 10. mail. Mail server
11. messaging. Messaging server (e.g., NNTP, IRC, IM) 11. webmail. Web mail server
12. streaming. Streaming-media server 12. messaging. Messaging server (e.g., NNTP, IRC, IM)
13. voice. Voice server (e.g., SIP, H.323) 13. streaming. Streaming-media server
14. file. File server (e.g., SMB, CVS, AFS) 14. voice. Voice server (e.g., SIP, H.323)
15. ftp. FTP server 15. file. File server (e.g., SMB, CVS, AFS)
16. p2p. Peer-to-peer node 16. ftp. FTP server
17. name. Name server (e.g., DNS, WINS) 17. p2p. Peer-to-peer node
18. directory. Directory server (e.g., LDAP, finger, whois) 18. name. Name server (e.g., DNS, WINS)
19. credential. Credential server (e.g., domain controller, 19. directory. Directory server (e.g., LDAP, finger, whois)
Kerberos)
20. print. Print server 20. credential. Credential server (e.g., domain controller,
Kerberos)
21. application. Application server 21. print. Print server
22. database. Database server 22. application. Application server
23. backup. Backup server 23. database. Database server
24. dhcp. DHCP server 24. backup. Backup server
25. infra. Infrastructure server (e.g., router, firewall, DHCP) 25. dhcp. DHCP server
26. infra-firewall. Firewall 26. infra. Infrastructure server (e.g., router, firewall, DHCP)
27. infra-router. Router 27. infra-firewall. Firewall
28. infra-switch. Switch 28. infra-router. Router
29. camera. Camera server 29. infra-switch. Switch
30. proxy. Proxy server 30. camera. Camera server
31. remote-access. Remote access server 31. proxy. Proxy server
32. log. Log server (e.g., syslog) 32. remote-access. Remote access server
33. virtualization. Server running virtual machines 33. log. Log server (e.g., syslog)
34. pos. Point-of-sale device 34. virtualization. Server running virtual machines
35. scada. Supervisory control and data acquisition system 35. pos. Point-of-sale device
36. scada-supervisory. Supervisory system for a SCADA 36. scada. Supervisory control and data acquisition system
37. ext-value. An escape value used to extend this attribute. 37. scada-supervisory. Supervisory system for a SCADA
38. ext-value. An escape value used to extend this attribute.
See Section 5.1. See Section 5.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1. attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per [RFC4646] constrained Optional. ENUM. A valid language code per [RFC5646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
3.20.3. Counter Class 3.20.3. Counter Class
The Counter class summarize multiple occurrences of some event, or The Counter class summarize multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions, conveys counts or rates on various features (e.g., packets, sessions,
events). events).
The value of the counter is the element content with its units The value of the counter is the element content with its units
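Review bot: the NodeRole value "infra" is described as "Infrastructure server (e.g., router, firewall, DHCP)", which overlaps with the dedicated dhcp, infra-firewall and infra-router values in the same list; say which a sender should prefer when both apply (presumably the more specific one), or drop the overlapping examples from the "infra" description, so two CSIRTs do not categorize the same device differently. Adding "webmail" at position 11 is otherwise fine since the values are tokens, not ordinals. In the Counter paragraph, "The Counter class summarize multiple occurrences of some event" should read "summarizes".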
skipping to change at page 69, line 38 skipping to change at page 72, line 10
The Record class has one attribute: The Record class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.25.1. RecordData Class 3.25.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+--------------------+ +--------------------+
| RecordData | | RecordData |
+--------------------+ +--------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| ID observable-id |<>--{0..*}--[ Description ] | ID observable-id |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] +--------------------+ | |<>--{0..*}--[ AdditionalData ]+--------------------+
Figure 45: The RecordData Class Figure 45: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
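Review bot: "The aggregate classes that constitutes RecordData is:" should read "The aggregate classes that constitute RecordData are:". In Figure 45 the closing "+--------------------+" has been pulled onto the AdditionalData line in both columns; it belongs on its own line so the box closes the way the other class figures do.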
skipping to change at page 75, line 5 skipping to change at page 77, line 23
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9 Section 3.9
The HashData class has four attributes: The HashData class has four attributes:
type type
Optional. ENUM. The Hash Type. Optional. ENUM. The Hash Type.
1. PKI-email-ds. PKI email digital signature. 1. PKI-email-ds. PKI email digital signature.
2. PKI-file-ds. PKI file digital signature. 2. PKI-file-ds. PKI file digital signature.
3. PGP-email-ds. PGP email digital signature. 3. PGP-email-ds. PGP email digital signature.
4. PGP-file-ds. PGP file digital signature. 4. PGP-file-ds. PGP file digital signature.
5. file-hash. A file hash. 5. file-hash. A hash computed over the entire contents of a
file.
6. email-hash. An email hash. 6. email-hash. A hash computed over the headers and body of an
email message.
7. ext-value. An escape value used to extend this attribute. 7. email-headers-hash. A hash computed over all of the headers
See Section 5.1. of an email message.
8. email-body-hash. A hash computed over the body of an email
message.
9. email-headers-hash. A hash computed over all of the email
headers.
10. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1. See Section 5.1.
valid valid
Optional. BOOLEAN. Indicates if the signature or hash is valid. Optional. BOOLEAN. Indicates if the signature or hash is valid.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
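Review bot: the expanded HashData@type list in the new text defines "email-headers-hash" twice (item 7, "A hash computed over all of the headers of an email message", and item 9, "A hash computed over all of the email headers"); one of them should go and the remaining list should read file-hash, email-hash, email-headers-hash, email-body-hash, ext-value with consecutive numbering. The "valid" attribute is also underspecified for the hash types: "Indicates if the signature or hash is valid" is meaningful for a signature, but for a bare hash it should say what the value was compared against (for example a known-good hash carried elsewhere in the document) before a recipient is entitled to rely on valid="true".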
skipping to change at page 76, line 49 skipping to change at page 79, line 42
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
indicator. indicator.
StartTime StartTime
Zero or one. DATETIME. A timestamp of the start of the time Zero or one. DATETIME. A timestamp of the start of the time
period during which this indicator is valid. period during which this indicator is valid.
EndTime EndTime
Zero or one. DATETIME. A timestamp fo the end of the time period Zero or one. DATETIME. A timestamp of the end of the time period
during which this indicaor is valid. during which this indicator is valid.
Confidence Confidence
Zero or one. An estimate of the confidence in the quality of the Zero or one. An estimate of the confidence in the quality of the
indicator. See Section 3.14.5. indicator. See Section 3.14.5.
Contact Contact
Zero or more. Contact information for this indicator. See Zero or more. Contact information for this indicator. See
Section 3.10. Section 3.10.
Observable Observable
skipping to change at page 77, line 37 skipping to change at page 80, line 29
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9 Section 3.9
The Indicator class MUST have exactly one instance of an Observable, The Indicator class MUST have exactly one instance of an Observable,
IndicatorExpression, ObservableReference, or IndicatorReference IndicatorExpression, ObservableReference, or IndicatorReference
class. class.
The StartTime and EndTime classes can be used to define an interval The StartTime and EndTime classes can be used to define an interval
during which the indicator is valid. If both classes are present, during which the indicator is valid. If both classes are present,
the indicator is consider valid only during the decribed interval. the indicator is consider valid only during the described interval.
If neither class is provided, the indicator is considered valid If neither class is provided, the indicator is considered valid
during any time interval. If only a StartTime is provided, the during any time interval. If only a StartTime is provided, the
indicator is valid anytime after this timestamp. If only an EndTime indicator is valid anytime after this timestamp. If only an EndTime
is provided, the indicator is valid anytime prior to this timestamp. is provided, the indicator is valid anytime prior to this timestamp.
The Indicator class has one attribute: The Indicator class has one attribute:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
3.29.1. IndicatorID Class 3.29.1. IndicatorID Class
The IndicatorID class identifies an indicator with a indentifier The IndicatorID class identifies an indicator with a globally unique
globally unique identifier. The combination of the name and version identifier. The combination of the name and version attributes, and
attributes, and the element content form this identifier. Indicators the element content form this identifier. Indicators generated by
generated by given CSIRT MUST NOT resuse the same value unless they given CSIRT MUST NOT reuse the same value unless they are referencing
are referencing the same indicator. the same indicator.
+------------------+ +------------------+
| IndicatorID | | IndicatorID |
+------------------+ +------------------+
| ID | | ID |
| | | |
| STRING name | | STRING name |
| STRING version | | STRING version |
+------------------+ +------------------+
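Review bot: both versions still say "the indicator is consider valid only during the decribed interval"; fix to "considered valid" alongside the "described" correction already made in this revision. In the IndicatorID paragraph, "generated by given CSIRT" should read "generated by a given CSIRT". Since uniqueness of the identifier rests on the tuple (name, version, element content), it would help implementers to state which of the three a CSIRT changes when it revises an indicator (presumably version), so that two IndicatorIDs differing only in version are understood as the same indicator at different revisions rather than as two unrelated indicators.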
skipping to change at page 84, line 40 skipping to change at page 87, line 38
IODEF schema: IODEF schema:
o The elements or attributes that are defined as POSTAL, NAME, o The elements or attributes that are defined as POSTAL, NAME,
PHONE, and EMAIL data-types are implemented as "xs:string", but PHONE, and EMAIL data-types are implemented as "xs:string", but
more rigid formatting requirements are specified in the text. more rigid formatting requirements are specified in the text.
o The IODEF-Document@lang and MLStringType@lang attributes are o The IODEF-Document@lang and MLStringType@lang attributes are
declared as an "xs:language" that constrains values with a regular declared as an "xs:language" that constrains values with a regular
expression. However, the value of this attribute still needs to expression. However, the value of this attribute still needs to
be validated against the list of possible enumerated values is be validated against the list of possible enumerated values is
defined in [RFC4646]. defined in [RFC5646].
o The MonetaryImpact@currency attribute is declared as an o The MonetaryImpact@currency attribute is declared as an
"xs:string", but the list of valid values as defined in [ISO4217]. "xs:string", but the list of valid values as defined in [ISO4217].
o All of the aggregated classes Contact and EventData are optional o All of the aggregated classes Contact and EventData are optional
in the schema, but at least one of these aggregated classes MUST in the schema, but at least one of these aggregated classes MUST
be present. be present.
o There are multiple conventions that can be used to categorize a o There are multiple conventions that can be used to categorize a
system using the NodeRole class or to specify software with the system using the NodeRole class or to specify software with the
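Review bot: the sentence "All of the aggregated classes Contact and EventData are optional in the schema, but at least one of these aggregated classes MUST be present" does not match the Incident definition in Section 8, where Contact is declared as <xs:element ref="iodef:Contact" maxOccurs="unbounded"/> with no minOccurs="0" and is therefore mandatory. Either the bullet refers to a different parent class and should name it, or the schema and the prose need to be reconciled. Two grammar fixes in the same list: "validated against the list of possible enumerated values is defined in [RFC5646]" should be "that is defined in", and "but the list of valid values as defined in [ISO4217]" needs "is defined".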
skipping to change at page 85, line 32 skipping to change at page 88, line 30
Version 2 of the IODEF data model makes a number of changes to Version 2 of the IODEF data model makes a number of changes to
[RFC5070]. Largely, these changes were additive in nature -- classes [RFC5070]. Largely, these changes were additive in nature -- classes
and enumerated values were added. The following is a list of and enumerated values were added. The following is a list of
incompatibilities where the data model has changed between versions: incompatibilities where the data model has changed between versions:
o Renames the Service@ip_protocol attribute to @ip-protocol. o Renames the Service@ip_protocol attribute to @ip-protocol.
o Removes the Node/NodeName in favor of representing domain names o Removes the Node/NodeName in favor of representing domain names
with Node/DomainData/Name. Node/DataTime was also removed so that with Node/DomainData/Name. Node/DataTime was also removed so that
Node/DomainData/DateDomainWasChecked can represent the time at Node/DomainData/DateDomainWasChecked can represent the time at
which the name to address resolution occured. which the name to address resolution occurred.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the changing activity of CSIRTS, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
IODEF schema. With proven value, well documented extensions can be IODEF schema. With proven value, well documented extensions can be
incorporated into future versions of the specification. However, incorporated into future versions of the specification. However,
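Review bot: "Node/DataTime was also removed" in the incompatibility list looks like a typo for Node/DateTime, the class whose role DateDomainWasChecked now takes over; please confirm the element name against the RFC 5070 schema so implementers search for the right thing. Since this list is the one place that enumerates breaking changes, it should also mention the ReportID element, which the old schema column in Section 8 still defines and which no longer appears between IncidentID and AlternativeID in the new column.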
skipping to change at page 86, line 21 skipping to change at page 89, line 18
attribute has "ext-value" as one its possible values. This attribute has "ext-value" as one its possible values. This
particular value serves as an escape sequence and has no valid particular value serves as an escape sequence and has no valid
meaning. meaning.
In order to add a new enumerated value to an extensible attribute, In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute. desired value MUST be set in the corresponding extension attribute.
For example, an extended instance of the type attribute of the Impact For example, an extended instance of the type attribute of the Impact
class would look as follows: class would look as follows:
<Impact type="ext-value" ext-type="new-attack-type"> <Impact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value". extensible attribute has been set to "ext-value".
5.2. Extending Classes 5.2. Extending Classes
The classes of the data model can be extended only through the use of The classes of the data model can be extended only through the use of
the AdditionalData and RecordItem classes. These container classes, the AdditionalData and RecordItem classes. These container classes,
collectively referred to as the extensible classes, are implemented collectively referred to as the extensible classes, are implemented
with the iodef:ExtensionType data type in the schema. They provide with the iodef:ExtensionType data type in the schema. They provide
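Review bot: "has "ext-value" as one its possible values" should read "one of its possible values". The two MUSTs in this section define a validity rule that XML Schema cannot express (a schema cannot tie the presence of ext-type to type="ext-value"), so the text should say explicitly that a conforming parser has to check it in application code and what it does on violation, e.g. reject the element rather than silently accept ext-type="new-attack-type" together with type="other".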
skipping to change at page 88, line 15 skipping to change at page 91, line 21
<xs:import <xs:import
namespace="urn:ietf:params:xml:ns:iodef-1.0" namespace="urn:ietf:params:xml:ns:iodef-1.0"
schemaLocation=" urn:ietf:params:xml:schema:iodef-1.0"/> schemaLocation=" urn:ietf:params:xml:schema:iodef-1.0"/>
<xs:element name="newdata" type="xs:string" /> <xs:element name="newdata" type="xs:string" />
</xs:schema> </xs:schema>
The following XML excerpt demonstrates the use of the above schema as The following XML excerpt demonstrates the use of the above schema as
an extension to the IODEF. an extension to the IODEF.
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
xmlns="urn:ietf:params:xml:ns:iodef-1.0" xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef=" urn:ietf:params:xml:ns:iodef-1.0" xmlns:iodef=" urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef-extension1="iodef-extension1.xsd" xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd"> xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting"> <Incident purpose="reporting">
... ...
<AdditionalData dtype="xml" meaning="xml"> <AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata> <iodef-extension1:newdata>
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</IODEF-Document </IODEF-Document
6. Internationalization Issues 6. Internationalization Issues
Internationalization and localization is of specific concern to the Internationalization and localization is of specific concern to the
IODEF, since it is only through collaboration, often across language IODEF, since it is only through collaboration, often across language
barriers, that certain incidents be resolved. The IODEF supports barriers, that certain incidents be resolved. The IODEF supports
this goal by depending on XML constructs, and through explicit design this goal by depending on XML constructs, and through explicit design
choices in the data model. choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports Since IODEF is implemented as an XML Schema, it implicitly supports
all the different character encodings, such as UTF-8 and UTF-16, all the different character encodings, such as UTF-8 and UTF-16,
possible with XML. Additionally, each IODEF document MUST specify possible with XML. Additionally, each IODEF document MUST specify
the language in which their contents are encoded. The language can the language in which their contents are encoded. The language can
be specified with the attribute "xml:lang" (per Section 2.12 of be specified with the attribute "xml:lang" (per Section 2.12 of
[W3C.XML]) in the top-level element (i.e., IODEF-Document@lang) and [W3C.XML]) in the top-level element (i.e., IODEF-Document@lang) and
letting all other elements inherit that definition. All IODEF letting all other elements inherit that definition. All IODEF
classes with a free-form text definition (i.e., all those defined of classes with a free-form text definition (i.e., all those defined of
type iodef:MLStringType) can also specify a language different from type iodef:MLStringType) can also specify a language different from
the rest of the document. The valid language codes for the the rest of the document. The valid language codes for the
"xml:lang" attribute are described in [RFC4646]. "xml:lang" attribute are described in [RFC5646].
The data model supports multiple translations of free-form text. In The data model supports multiple translations of free-form text. In
the places where free-text is used for descriptive purposes, the the places where free-text is used for descriptive purposes, the
given class always has a one-to-many cardinality to its parent (e.g., given class always has a one-to-many cardinality to its parent (e.g.,
Description class). The intent is to allow the identical text to be Description class). The intent is to allow the identical text to be
encoded in different instances of the same class, but each being in a encoded in different instances of the same class, but each being in a
different language. This approach allows an IODEF document author to different language. This approach allows an IODEF document author to
send recipients speaking different languages an identical document. send recipients speaking different languages an identical document.
The IODEF parser SHOULD extract the appropriate language relevant to The IODEF parser SHOULD extract the appropriate language relevant to
the recipient. the recipient.
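Review bot: the extension example is still written against the version 1 namespace while the rest of this revision moved to version 2: it declares xmlns="urn:ietf:params:xml:ns:iodef-1.0" and imports schemaLocation=" urn:ietf:params:xml:schema:iodef-1.0" (note the stray leading space), yet carries version="2.00", and the schema in Section 8 has targetNamespace="urn:ietf:params:xml:ns:iodef-2.0". Update both URIs to iodef-2.0 so the example validates against the published schema. Three smaller defects in the same excerpt: xmlns:iodef-extension1="iodef-extension1.xsd" uses a file name as a namespace name and so cannot match the extension schema's targetNamespace; xsi:schemaLocation expects namespace/location pairs rather than a bare file name; and the closing tag is "</IODEF-Document" without its ">". In Section 6, "that certain incidents be resolved" should read "can be resolved", and "each IODEF document MUST specify the language in which their contents are encoded" should read "its contents".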
skipping to change at page 96, line 7 skipping to change at page 99, line 16
</Flow> </Flow>
<!-- Expectation class recommends that these networks <!-- Expectation class recommends that these networks
be filtered --> be filtered -->
<Expectation action="block-host" /> <Expectation action="block-host" />
</EventData> </EventData>
</Incident> </Incident>
</IODEF-Document> </IODEF-Document>
8. The IODEF Schema 8. The IODEF Schema
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="qualified" elementFormDefault="qualified"
attributeFormDefault="unqualified"> attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis Incident Object Description Exchange Format v2.0, RFC5070-bis
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!--
==================================================================
== IODEF-Document class ==
==================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident"
maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version"
type="xs:string" fixed="2.00"/>
<xs:attribute name="lang"
type="xs:language" use="required"/>
<xs:attribute name="formatid"
type="xs:string"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
=== Incident class ===
==================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID"
minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="lang"
type="xs:language"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="private"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType> <!--
</xs:element> ==================================================================
<!-- == IODEF-Document class ==
================================================================== ==================================================================
== IncidentID class == -->
================================================================== <xs:element name="IODEF-Document">
--> <xs:complexType>
<xs:element name="IncidentID" type="iodef:IncidentIDType"/> <xs:sequence>
<xs:complexType name="IncidentIDType"> <xs:element ref="iodef:Incident"
<xs:simpleContent> maxOccurs="unbounded"/>
<xs:extension base="xs:string"> <xs:element ref="iodef:AdditionalData"
<xs:attribute name="name" minOccurs="0" maxOccurs="unbounded"/>
type="xs:string" use="required"/> </xs:sequence>
<xs:attribute name="instance" <xs:attribute name="version"
type="xs:string" use="optional"/> type="xs:string" fixed="2.00"/>
<xs:attribute name="restriction" <xs:attribute name="lang"
type="iodef:restriction-type" type="xs:language" use="required"/>
default="public"/> <xs:attribute name="formatid"
</xs:extension> type="xs:string"/>
</xs:simpleContent>
</xs:complexType> </xs:complexType>
<!-- </xs:element>
================================================================== <!--
== ReportID class == ==================================================================
================================================================== === Incident class ===
--> ==================================================================
<xs:element name="ReportID"> -->
<xs:complexType> <xs:element name="Incident">
<xs:sequence> <xs:complexType>
<xs:element ref="iodef:IncidentID" <xs:sequence>
maxOccurs="unbounded"/> <xs:element ref="iodef:IncidentID"/>
</xs:sequence> <xs:element ref="iodef:AlternativeID"
minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="lang"
type="xs:language"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="private"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== IncidentID class ==
==================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"
</xs:complexType> default="public"/>
</xs:element> </xs:extension>
</xs:simpleContent>
</xs:complexType>
<!-- <!--
================================================================== ==================================================================
== AlternativeID class == == AlternativeID class ==
================================================================== ==================================================================
--> -->
<xs:element name="AlternativeID"> <xs:element name="AlternativeID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== RelatedActivity class ==
==================================================================
-->
<xs:element name="RelatedActivity">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
</xs:sequence> <!--
<xs:attribute name="restriction" ==================================================================
type="iodef:restriction-type"/> == ThreatActor class ==
</xs:complexType> ==================================================================
</xs:element> -->
<!-- <xs:element name="ThreatActor">
================================================================== <xs:complexType>
== RelatedActivity class == <xs:sequence>
================================================================== <xs:choice>
--> <xs:sequence>
<xs:element name="RelatedActivity"> <xs:element ref="iodef:ThreatActorID" />
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== ThreatActor class ==
==================================================================
-->
<xs:element name="ThreatActor">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element ref="iodef:ThreatActorID" />
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:element ref="iodef:Description"
type="iodef:restriction-type"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:complexType> </xs:choice>
</xs:element> <xs:element ref="iodef:AdditionalData"
<xs:element name="ThreatActorID" type="xs:string"/> minOccurs="0" maxOccurs="unbounded"/>
<!-- </xs:sequence>
================================================================== <xs:attribute name="restriction"
== Campaign class == type="iodef:restriction-type"/>
================================================================== </xs:complexType>
--> </xs:element>
<xs:element name="Campaign"> <xs:element name="ThreatActorID" type="xs:string"/>
<xs:complexType>
<xs:sequence> <!--
<xs:choice> ==================================================================
<xs:sequence> == Campaign class ==
<xs:element ref="iodef:CampaignID"/> ==================================================================
<xs:element ref="iodef:Description" -->
minOccurs="0" maxOccurs="unbounded"/> <xs:element name="Campaign">
</xs:sequence> <xs:complexType>
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element ref="iodef:CampaignID"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!--
==================================================================
== AdditionalData class ==
==================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!--
==================================================================
== Contact class ==
==================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle" </xs:choice>
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData"
<xs:element ref="iodef:PostalAddress" minOccurs="0" maxOccurs="unbounded"/>
minOccurs="0"/> </xs:sequence>
<xs:element ref="iodef:Email" <xs:attribute name="restriction"
minOccurs="0" maxOccurs="unbounded"/> type="iodef:restriction-type"/>
<xs:element ref="iodef:Telephone" </xs:complexType>
minOccurs="0" maxOccurs="unbounded"/> </xs:element>
<xs:element ref="iodef:Fax" <xs:element name="CampaignID" type="xs:string"/>
minOccurs="0"/>
<xs:element ref="iodef:Timezone"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="ContactName"
type="iodef:MLStringType"/>
<xs:element name="ContactTitle"
type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="registry">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/>
<xs:complexType name="ContactMeansType"> <!--
==================================================================
== AdditionalData class ==
==================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!--
==================================================================
== Contact class ==
==================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax"
minOccurs="0"/>
<xs:element ref="iodef:Timezone"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="ContactName"
type="iodef:MLStringType"/>
<xs:element name="ContactTitle"
type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="meaning" <xs:attribute name="registry">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<!-- <xs:element name="PostalAddress">
================================================================== <xs:complexType>
== Time-based classes == <xs:simpleContent>
================================================================== <xs:extension base="iodef:MLStringType">
--> <xs:attribute name="meaning"
<xs:element name="DateTime" type="xs:string" use="optional"/>
type="xs:dateTime"/>
<xs:element name="ReportTime"
type="xs:dateTime"/>
<xs:element name="DetectTime"
type="xs:dateTime"/>
<xs:element name="StartTime"
type="xs:dateTime"/>
<xs:element name="EndTime"
type="xs:dateTime"/>
<xs:element name="Timezone"
type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== History class ==
==================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
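Review bot: the restriction attribute is defaulted differently on almost every class in this region, and on most of them not at all. Incident (in the -08 column) has default="private", IncidentIDType has default="public", History, Expectation and, further down, EventData have default="default", while RelatedActivity, Contact, Discovery, Method, Assessment and ReportID declare type="iodef:restriction-type" with no default. A consumer that does not apply schema defaults sees no attribute in every one of these cases, so the disclosure policy it enforces depends on whether it validated against the schema; and where no default is declared, the schema says nothing about the effective restriction of an element that omits the attribute. Suggest one rule for the whole schema, for example default="default" everywhere (inherit from the enclosing element, as History and Expectation already do, with Incident keeping "private" as the root), plus a sentence in the prose stating that an element without the attribute takes the restriction of its parent.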
<!--
==================================================================
== Discovery class ==
==================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="idps"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="file-integrity"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="DetectionPattern">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Method class ==
==================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Reference class ==
==================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element name="ReferenceName"
type="iodef:MLStringType"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type"
use="required">
</xs:attribute>
<xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
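Review bot: the new attacktype attribute on Reference is use="required", while the same attribute on NodeRole later in the schema is use="optional"; unless every Reference is meant to carry an attack type, which makes a Reference consisting only of a ReferenceName and URL invalid, it should be optional here as it is on NodeRole. In both places the type is written type="att-type" without the iodef: prefix that every other type reference in the schema carries (iodef:restriction-type, iodef:MLStringType, iodef:severity-type), so it resolves only if xs:schema declares the IODEF namespace as its default namespace; type="iodef:att-type" removes the dependency. The scratch comment <!-- Adding in Attack Type --> should not survive into the published schema.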
<!--
==================================================================
== Assessment class ==
==================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="BusinessImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="loss-financial"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact"> </xs:extension>
<xs:complexType> </xs:simpleContent>
<xs:simpleContent> </xs:complexType>
<xs:extension base="iodef:PositiveFloatType"> </xs:element>
<xs:attribute name="severity" <xs:element name="Email" type="iodef:ContactMeansType"/>
type="iodef:severity-type"/> <xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:attribute name="metric" <xs:element name="Fax" type="iodef:ContactMeansType"/>
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EventData class ==
==================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="observable-id" <xs:complexType name="ContactMeansType">
type="xs:ID" use="optional"/> <xs:simpleContent>
</xs:complexType> <xs:extension base="xs:string">
</xs:element> <xs:attribute name="meaning"
<!--
==================================================================
== Flow class ==
==================================================================
-->
<!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry
is expected.
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
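Review bot: the comment above Flow ("Added System unbounded for use only when the source or target watchlist is in use, otherwise only one system entry is expected") states a constraint the schema does not enforce: System is simply maxOccurs="unbounded", so any number of System children validates whatever their category. Either the constraint belongs in the document's prose for the Flow class, with the comment reduced to a pointer, or it should be dropped; working notes of this kind should not ship in the normative schema, where a reader will take them as rules.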
<!--
==================================================================
== System class ==
==================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:extension>
</xs:element> </xs:simpleContent>
<!-- </xs:complexType>
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type"
use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Service Class ==
==================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs="0">
<xs:element name="Port"
type="xs:integer"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice>
<xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
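Review bot: `<xs:element ref="EmailData" minOccurs="0"/>` in the Service sequence is the only element reference in this class without the `iodef:` namespace prefix (compare `ref="iodef:Application"` on the next line); unless the schema declares a default namespace equal to its target namespace, that reference will not resolve and the schema will fail to compile. Suggest `<xs:element ref="iodef:EmailData" minOccurs="0"/>`; the same unprefixed line recurs in the new draft's copy of the Service class further down.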
<!--
==================================================================
== Counter class ==
==================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!-- left column (old draft), continued -->
<!--
==================================================================
== EmailData class ==
==================================================================
-->
<xs:element name="EmailData">
<xs:complexType>
<xs:sequence>
<xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== DomainData class - from RFC5901 ==
==================================================================
-->
<xs:element name="DomainData">
<xs:complexType>
<xs:sequence>
<xs:element name="Name"
type="iodef:MLStringType" maxOccurs="1" />
<xs:element name="DateDomainWasChecked"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" />
<xs:element name="RegistrationDate"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" />
<xs:element name="ExpirationDate"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" />
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"
minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:DomainContacts"
minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="system-status">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="record-type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-record-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded" minOccurs="1"/>
</xs:choice>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<!-- Allows for the value to be optional for cases
such as, the registry key was deleted -->
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Classes that describe hash types, file information ==
== with certificate properties and digital signature info ==
== provided through the W3C digital signature schema ==
== so it does not need to be maintained here. ==
==================================================================
-->
<xs:element name="HashData">
<xs:complexType>
<xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer"
minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/>
<xs:enumeration value="PKI-file-ds"/>
<xs:enumeration value="PGP-email-ds"/>
<xs:enumeration value="PGP-file-ds"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-hash"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="valid"
type="xs:boolean" use="optional" />
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Classes that describe software ==
==================================================================
-->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<!--
==================================================================
== IndicatorData classes ==
==================================================================
-->
<xs:element name="IndicatorData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Indicator"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Indicator">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID" />
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0" />
<xs:element ref="iodef:EndTime"
minOccurs="0" />
<xs:element ref="iodef:Confidence"
minOccurs="0" />
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable" />
<xs:element ref="iodef:ObservableReference" />
<xs:element ref="iodef:IndicatorExpression" />
<xs:element ref="iodef:IndicatorReference" />
</xs:choice>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorID" type="iodef:IndicatorIDType"/>
<xs:complexType name="IndicatorIDType">
<xs:simpleContent>
<xs:extension base="xs:id">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="version"
type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!-- right column (new draft) -->
<!--
==================================================================
== Time-based classes ==
==================================================================
-->
<xs:element name="DateTime"
type="xs:dateTime"/>
<xs:element name="ReportTime"
type="xs:dateTime"/>
<xs:element name="DetectTime"
type="xs:dateTime"/>
<xs:element name="StartTime"
type="xs:dateTime"/>
<xs:element name="EndTime"
type="xs:dateTime"/>
<xs:element name="Timezone"
type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== History class ==
==================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Discovery class ==
==================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="idps"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="file-integrity"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="DetectionPattern">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Method class ==
==================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Reference class ==
==================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element name="ReferenceName"
type="iodef:MLStringType"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type"
use="required">
</xs:attribute>
<xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Assessment class ==
==================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="MitigatingFactor"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="BusinessImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="loss-financial"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="metric"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EventData class ==
==================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Flow class ==
==================================================================
-->
<!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry
is expected.
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
==================================================================
== System class ==
==================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail" />
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type"
use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Service Class ==
==================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs="0">
<xs:element name="Port"
type="xs:integer"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice>
<xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Counter class ==
==================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="AlternativeIndicatorID"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == EmailData class ==
<xs:element ref="iodef:IndicatorID" ==================================================================
maxOccurs="unbounded"/> -->
</xs:sequence> <xs:element name="EmailData">
<xs:attribute name="restriction" <xs:complexType>
type="iodef:restriction-type"/> <xs:sequence>
</xs:complexType> <xs:element name="EmailFrom"
</xs:element> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element name="Observable"> </xs:sequence>
<xs:complexType> <xs:attribute name="observable-id"
<xs:sequence> type="xs:ID" use="optional"/>
<xs:element ref="iodef:Address" </xs:complexType>
minOccurs="0"/> </xs:element>
<xs:element ref="iodef:DomainData"
minOccurs="0"/>
<xs:element ref="iodef:EmailData"
minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0"/>
<xs:element ref="iodef:RecordData"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0"/>
<xs:element ref="iodef:Incident"
minOccurs="0"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorExpression"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == DomainData class - from RFC5901 ==
<xs:choice> ==================================================================
<xs:element ref="iodef:IndicatorExpression" -->
minOccurs="0"/> <xs:element name="DomainData">
<xs:element ref="iodef:Observable" <xs:complexType>
minOccurs="0" /> <xs:sequence>
<xs:element ref="iodef:ObservableReference" <xs:element name="Name"
minOccurs="0"/> type="iodef:MLStringType" maxOccurs="1" />
<xs:element ref="iodef:IndicatorReference" <xs:element name="DateDomainWasChecked"
minOccurs="0"/> type="xs:dateTime"
</xs:choice> minOccurs="0" maxOccurs="1" />
<xs:element ref="iodef:AlternativeIndicatorID" <xs:element name="RegistrationDate"
minOccurs="0" maxOccurs="unbounded"/> type="xs:dateTime"
</xs:sequence> minOccurs="0" maxOccurs="1" />
<xs:attribute name="operator" use="required"> <xs:element name="ExpirationDate"
<xs:simpleType> type="xs:dateTime"
<xs:restriction base="xs:NMTOKEN"> minOccurs="0" maxOccurs="1" />
<xs:enumeration value="not"/> <xs:element name="RelatedDNS"
<xs:enumeration value="and"/> type="iodef:RelatedDNSEntryType"
<xs:enumeration value="or"/> minOccurs="0" maxOccurs="unbounded" />
<xs:enumeration value="xor"/> <xs:element ref="iodef:Nameservers"
</xs:restriction> minOccurs="0" maxOccurs="unbounded" />
</xs:simpleType> <xs:element ref="iodef:DomainContacts"
</xs:attribute> minOccurs="0" maxOccurs="1" />
</xs:complexType> </xs:sequence>
</xs:element>
<xs:element name="ObservableReference"> <xs:attribute name="system-status">
<xs:complexType> <xs:simpleType>
<xs:attribute name="uid-ref" <xs:restriction base="xs:string">
type="xs:IDREF" use="required"/> <xs:enumeration value="spoofed"/>
</xs:complexType> <xs:enumeration value="fraudulent"/>
</xs:element> <xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorReference"> <xs:element name="RelatedDNS"
<xs:complexType> type="iodef:RelatedDNSEntryType"/>
<xs:attribute name="uid-ref" <xs:complexType name="RelatedDNSEntryType">
type="xs:IDREF" use="optional"/> <xs:simpleContent>
<xs:attribute name="euid-ref" <xs:extension base="xs:string">
type="xs:string" use="optional"/> <xs:attribute name="record-type" use="optional">
<xs:attribute name="version" <xs:simpleType>
type="xs:string" use="optional"/> <xs:restriction base="xs:NMTOKEN">
</xs:complexType> <xs:enumeration value="A"/>
</xs:element> <xs:enumeration value="AAAA"/>
<!-- ================================================================== <xs:enumeration value="AFSDB"/>
== Miscellaneous simple classes == <xs:enumeration value="APL"/>
================================================================== <xs:enumeration value="AXFR"/>
--> <xs:enumeration value="CAA"/>
<xs:element name="Description" <xs:enumeration value="CERT"/>
type="iodef:MLStringType"/> <xs:enumeration value="CNAME"/>
<xs:element name="URL" <xs:enumeration value="DHCID"/>
type="xs:anyURI"/> <xs:enumeration value="DLV"/>
<!-- <xs:enumeration value="DNAME"/>
================================================================== <xs:enumeration value="DNSKEY"/>
== Data Types == <xs:enumeration value="DS"/>
================================================================== <xs:enumeration value="HIP"/>
--> <xs:enumeration value="IXFR"/>
<xs:simpleType name="PositiveFloatType"> <xs:enumeration value="IPSECKEY"/>
<xs:restriction base="xs:float"> <xs:enumeration value="LOC"/>
<xs:minExclusive value="0"/> <xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-record-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:restriction> <xs:element name="Nameservers">
</xs:simpleType> <xs:complexType>
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="MLStringType"> <xs:element name="DomainContacts">
<xs:simpleContent> <xs:complexType>
<xs:extension base="xs:string"> <xs:choice>
<xs:attribute name="lang" <xs:element name="SameDomainContact"
type="xs:language" use="optional"/> type="iodef:MLStringType"/>
</xs:extension> <xs:element ref="iodef:Contact"
</xs:simpleContent> maxOccurs="unbounded" minOccurs="1"/>
</xs:complexType> </xs:choice>
</xs:complexType>
</xs:element>
<xs:complexType name="ExtensionType" mixed="true"> <!--
==================================================================
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:element ref="iodef:RecordData"
minOccurs="0" maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:complexType name="ApplicationHeaderType" mixed="true"> <xs:element name="RecordData">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:element ref="iodef:DateTime"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="proto" <xs:attribute name="restriction"
type="xs:integer" use="required"/> type="iodef:restriction-type"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element>
<!-- <xs:element name="RecordPattern">
================================================================== <xs:complexType>
== Global attribute type declarations == <xs:simpleContent>
================================================================== <xs:extension base="xs:string">
--> <xs:attribute name="type" use="required">
<xs:simpleType name="yes-no-type"> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/> <xs:enumeration value="regex"/>
<xs:enumeration value="no"/> <xs:enumeration value="binary"/>
</xs:restriction> <xs:enumeration value="xpath"/>
</xs:simpleType> <xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<!-- Allows for the value to be optional for cases
such as, the registry key was deleted -->
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
<xs:simpleType name="yes-no-unknown-type"> </xs:sequence>
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="registryaction">
<xs:enumeration value="yes"/> <xs:simpleType>
<xs:enumeration value="no"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="unknown"/> <xs:enumeration value="add-key"/>
</xs:restriction> <xs:enumeration value="add-value"/>
</xs:simpleType> <xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="restriction-type"> <!--
<xs:restriction base="xs:NMTOKEN"> ==================================================================
<xs:enumeration value="default"/> == Classes that describe hash types, file information ==
<xs:enumeration value="public"/> == with certificate properties and digital signature info ==
<xs:enumeration value="partner"/> == provided through the W3C digital signature schema ==
<xs:enumeration value="need-to-know"/> == so it does not need to be maintained here. ==
<xs:enumeration value="private"/> ==================================================================
<xs:enumeration value="white"/> -->
<xs:enumeration value="green"/> <xs:element name="HashData">
<xs:enumeration value="amber"/> <xs:complexType>
<xs:enumeration value="red"/> <xs:sequence>
</xs:restriction> <xs:element name="FileName" type="iodef:MLStringType"
</xs:simpleType> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="FileSize" type="xs:integer"
minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/>
<xs:enumeration value="PKI-file-ds"/>
<xs:enumeration value="PGP-email-ds"/>
<xs:enumeration value="PGP-file-ds"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="valid"
type="xs:boolean" use="optional" />
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="severity-type"> <!--
<xs:restriction base="xs:NMTOKEN"> ==================================================================
<xs:enumeration value="low"/> == Classes that describe software ==
<xs:enumeration value="medium"/> ==================================================================
<xs:enumeration value="high"/> -->
</xs:restriction> <xs:complexType name="SoftwareType">
</xs:simpleType> <xs:sequence>
<xs:simpleType name="duration-type"> <xs:element ref="iodef:URL"
<xs:restriction base="xs:NMTOKEN"> minOccurs="0"/>
<xs:enumeration value="second"/> </xs:sequence>
<xs:enumeration value="minute"/> <xs:attribute name="swid"
<xs:enumeration value="hour"/> type="xs:string" default="0"/>
<xs:enumeration value="day"/> <xs:attribute name="configid"
<xs:enumeration value="month"/> type="xs:string" default="0"/>
<xs:enumeration value="quarter"/> <xs:attribute name="vendor"
<xs:enumeration value="year"/> type="xs:string"/>
<xs:enumeration value="ext-value"/> <xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
</xs:restriction> <!--
</xs:simpleType> ==================================================================
== IndicatorData classes ==
==================================================================
-->
<xs:element name="IndicatorData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Indicator"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:simpleType name="action-type"> <xs:element name="Indicator">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="nothing"/> <xs:sequence>
<xs:enumeration value="contact-source-site"/> <xs:element ref="iodef:IndicatorID" />
<xs:enumeration value="contact-target-site"/> <xs:element ref="iodef:AlternativeIndicatorID"
<xs:enumeration value="contact-sender"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="investigate"/> <xs:element ref="iodef:Description"
<xs:enumeration value="block-host"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="block-network"/> <xs:element ref="iodef:StartTime"
<xs:enumeration value="block-port"/> minOccurs="0" />
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type"> <xs:element ref="iodef:EndTime"
<xs:restriction base="xs:NMTOKEN"> minOccurs="0" />
<xs:enumeration value="boolean"/> <xs:element ref="iodef:Confidence"
<xs:enumeration value="byte"/> minOccurs="0" />
<xs:enumeration value="bytes"/> <xs:element ref="iodef:Contact"
<xs:enumeration value="character"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="date-time"/> <xs:choice>
<xs:enumeration value="integer"/> <xs:element ref="iodef:Observable" />
<xs:enumeration value="ntpstamp"/> <xs:element ref="iodef:ObservableReference" />
<xs:enumeration value="portlist"/> <xs:element ref="iodef:IndicatorExpression" />
<xs:enumeration value="real"/> <xs:element ref="iodef:IndicatorReference" />
<xs:enumeration value="string"/> </xs:choice>
<xs:enumeration value="file"/> </xs:sequence>
<xs:enumeration value="path"/> <xs:attribute name="restriction"
<xs:enumeration value="frame"/> type="iodef:restriction-type"/>
<xs:enumeration value="packet"/> </xs:complexType>
<xs:enumeration value="ipv4-packet"/> </xs:element>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="proto-dtype-type"> <xs:element name="IndicatorID">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:ID">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="version"
type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="AlternativeIndicatorID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="Observable">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Address"
minOccurs="0"/>
<xs:element ref="iodef:DomainData"
minOccurs="0"/>
<xs:element ref="iodef:EmailData"
minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0"/>
<xs:element ref="iodef:RecordData"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0"/>
<xs:element ref="iodef:Incident"
minOccurs="0"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorExpression">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:element ref="iodef:IndicatorExpression"
minOccurs="0"/>
<xs:element ref="iodef:Observable"
minOccurs="0" />
<xs:element ref="iodef:ObservableReference"
minOccurs="0"/>
<xs:element ref="iodef:IndicatorReference"
minOccurs="0"/>
</xs:choice>
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="operator" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="not"/>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="ObservableReference">
<xs:complexType>
<xs:attribute name="uid-ref"
type="xs:IDREF" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorReference">
<xs:complexType>
<xs:attribute name="uid-ref"
type="xs:IDREF" use="optional"/>
<xs:attribute name="euid-ref"
type="xs:string" use="optional"/>
<xs:attribute name="version"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Miscellaneous simple classes ==
==================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
==================================================================
== Data Types ==
==================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="lang"
type="xs:language" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ExtensionType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="required"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
<!--
==================================================================
== Global attribute type declarations ==
==================================================================
-->
<xs:simpleType name="yes-no-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/>
<xs:enumeration value="public"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/>
<xs:enumeration value="white"/>
<xs:enumeration value="green"/>
<xs:enumeration value="amber"/>
<xs:enumeration value="red"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="c2-server"/>
<xs:enumeration value="byte"/> <xs:enumeration value="sink-hole"/>
<xs:enumeration value="bytes"/> <xs:enumeration value="malware-distribution"/>
<xs:enumeration value="character"/> <xs:enumeration value="phishing"/>
<xs:enumeration value="date-time"/> <xs:enumeration value="spear-phishing"/>
<xs:enumeration value="integer"/> <xs:enumeration value="recruiting"/>
<xs:enumeration value="real"/> <xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="string"/> <xs:enumeration value="dns-spoof"/>
<xs:enumeration value="xml"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:schema>
<xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="c2-server"/>
<xs:enumeration value="sink-hole"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
9. Security Considerations

The IODEF data model itself does not directly introduce security
issues. Rather, it simply defines a representation for incident
information. As the data encoded by the IODEF might be considered
privacy sensitive by the parties exchanging the information or by
those described by it, care needs to be taken in ensuring the
appropriate disclosure during both document exchange and subsequent
processing. The former must be handled by a messaging format, but
skipping to change at page 135, line 12 (draft-07) / page 138, line 14 (draft-08)
[IEEE.POSIX]
           Institute of Electrical and Electronics Engineers,
           "Information Technology - Portable Operating System
           Interface (POSIX) - Part 1: Base Definitions", IEEE
           1003.1, June 2001.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.

draft-07:  [RFC4646]  Phillips, A. and M. Davis, "Tags for Identifying
           Languages", RFC 4646, September 2006.
draft-08:  [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
           Languages", BCP 47, RFC 5646, September 2009.

[RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
           Resource Identifiers (URI): Generic Syntax", RFC 3986,
           January 2005.

[RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
           Procedures", BCP 19, RFC 2978, October 2000.

[RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
           June 2006.
skipping to change at page 136, line 11 (draft-07) / page 139, line 13 (draft-08)
           March 2002.

[IANA.Ports]
           Internet Assigned Numbers Authority, "Service Name and
           Transport Protocol Port Number Registry", January 2014,
           <http://www.iana.org/assignments/service-names-port-
           numbers/service-names-port-numbers.txt>.

[IANA.Protocols]
           Internet Assigned Numbers Authority, "Assigned Internet
           Protocol Numbers", January 2014,
           <http://www.iana.org/assignments/protocol-numbers/
           protocol-numbers.txt>.
12.2. Informative References

[RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
           Object Description Exchange Format", RFC 5070, December
           2007.

[refs.requirements]
           Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
           for the Format for Incident Information Exchange (FINE)",

skipping to change at page 136, line 42 (draft-07) / page 139, line 45 (draft-08)

[RFC6546]  Trammell, B., "Transport of Real-time Inter-network
           Defense (RID) Messages over HTTP/TLS", RFC 6546, April
           2012.

[RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
           Class for Reporting Phishing", RFC 5901, July 2010.

[NIST800.61rev2]
           Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
           "NIST Special Publication 800-61 Revision 2: Computer
           Security Incident Handling Guide", January 2012,
           <http://csrc.nist.gov/publications/nistpubs/800-61rev2/
           SP800-61rev2.pdf>.

[RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
           Type for the Internet Registry Information Service
           (IRIS)", RFC 3982, January 2005.

[KB310516]
           Microsoft Corporation, "How to add, modify, or delete
           registry subkeys and values by using a registration
           entries (.reg) file", December 2007.
End of changes. 154 change blocks. 1846 lines changed or deleted, 1863 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/