draft-ietf-mile-rfc5070-bis-09.txt   draft-ietf-mile-rfc5070-bis-10.txt 
MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
Expires: [-April 29, 2015-] {+May 13, 2015+}      [-October 26, 2014-] {+November 9, 2014+}

The Incident Object Description Exchange Format v2
[-draft-ietf-mile-rfc5070-bis-09-] {+draft-ietf-mile-rfc5070-bis-10+}

Abstract

The Incident Object Description Exchange Format (IODEF) defines a data representation for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.

skipping to change at page 1, line 36

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on [-April 29, 2015.-] {+May 13, 2015.+}

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents

skipping to change at page 2, line 27

than English.

Table of Contents
1. Introduction
   1.1. Changes from 5070
   1.2. Terminology
   1.3. Notations
   1.4. About the IODEF Data Model
   1.5. About the IODEF Implementation
2. IODEF Data Types
   2.1. Integers
   2.2. Real Numbers
   2.3. Characters and Strings
   2.4. Multilingual Strings
   2.5. Bytes
   2.6. Hexadecimal Bytes
   2.7. Enumerated Types
   2.8. Date-Time Strings
   2.9. Timezone String
   2.10. Port Lists
   2.11. Postal Address
   2.12. Person or Organization
   2.13. Telephone and Fax Numbers
   2.14. Email String
   2.15. Uniform Resource Locator strings
   2.16. Identifiers and Identifier References
3. The IODEF Data Model
   3.1. IODEF-Document Class
   3.2. Incident Class
   3.3. Common Attributes
      3.3.1. restriction Attribute
      3.3.2. observable-id Attribute
   3.4. IncidentID Class
   3.5. AlternativeID Class
   3.6. RelatedActivity Class
   3.7. ThreatActor Class
   3.8. Campaign Class
   3.9. AdditionalData Class
   3.10. Contact Class
      3.10.1. RegistryHandle Class
      3.10.2. PostalAddress Class
      3.10.3. Email Class
      3.10.4. Telephone and Fax Classes
   3.11. Time Classes
      3.11.1. StartTime Class
      3.11.2. EndTime Class
      3.11.3. DetectTime Class
      3.11.4. ReportTime Class
      3.11.5. DateTime
   3.12. Discovery Class
      3.12.1. DetectionPattern Class
   3.13. Method Class
   3.14. Assessment Class
      3.14.1. [-Impact-] {+SystemImpact+} Class
      3.14.2. BusinessImpact Class
      3.14.3. TimeImpact Class
      3.14.4. MonetaryImpact Class
      3.14.5. Confidence Class
   3.15. History Class
      3.15.1. HistoryItem Class
   3.16. EventData Class
      3.16.1. Relating the Incident and EventData Classes
      3.16.2. Cardinality of EventData
   3.17. Expectation Class
   3.18. Flow Class
   3.19. System Class
   3.20. Node Class
      3.20.1. Address Class
      3.20.2. NodeRole Class
      3.20.3. Counter Class
   3.21. DomainData Class
      3.21.1. RelatedDNS
      3.21.2. Nameservers Class
      3.21.3. DomainContacts Class
   3.22. Service Class
      3.22.1. ApplicationHeader Class
      3.22.2. Application Class
   3.23. OperatingSystem Class
   3.24. EmailData Class
   3.25. Record Class
      3.25.1. RecordData Class
      3.25.2. RecordPattern Class
      3.25.3. RecordItem Class
   3.26. WindowsRegistryKeysModified Class
      3.26.1. Key Class
   {+3.27. CertificateData Class+}
      {+3.27.1. Certificate Class+}
   {+3.28. FileData Class+}
      {+3.28.1. File Class+}
   [-3.27.-] {+3.29.+} HashData Class
      {+3.29.1. Hash Class+}
      {+3.29.2. FuzzyHash Class+}
   {+3.30. SignatureData Class+}
   [-3.28.-] {+3.31.+} IndicatorData Class
   [-3.29.-] {+3.32.+} Indicator Class
      [-3.29.1.-] {+3.32.1.+} IndicatorID Class
      [-3.29.2.-] {+3.32.2.+} AlternativeIndicatorID Class
      [-3.29.3.-] {+3.32.3.+} Observable Class
      [-3.29.4.-] {+3.32.4.+} IndicatorExpression Class
      [-3.29.5.-] {+3.32.5.+} ObservableReference Class
      [-3.29.6.-] {+3.32.6.+} IndicatorReference Class
4. Processing Considerations
   4.1. Encoding
   4.2. IODEF Namespace
   4.3. Validation
   4.4. Incompatibilities with v1
5. Extending the IODEF
   5.1. Extending the Enumerated Values of Attributes
   5.2. Extending Classes
6. Internationalization Issues
7. Examples
   7.1. Worm
   7.2. Reconnaissance
   7.3. Bot-Net Reporting
   7.4. Watch List
8. The IODEF Schema
9. Security Considerations
10. IANA Considerations
   {+10.1. Namespace and Schema+}
   {+10.2. Enumerated Value Registries+}
11. Acknowledgments
12. References
   12.1. Normative References
   12.2. Informative References
1. Introduction

Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a bot-network, or sharing watch-lists of known malicious IP addresses in a consortium.
skipping to change at page 6, line [-34-] {+42+}

class: EmailData, DomainData, AssetID, ApplicationHeader @virtual, and @ownership. Service@ip_protocol was renamed to @ip-protocol.

o The following classes were added to the Record class: HashData and WindowsRegistryKeysModified.

o The following classes were added to the RelatedActivity class: ThreatActor, Campaign, Confidence, Description, and AdditionalData.

o The following classes were added to Assessment: [-BusinessImpact and MitigatingFactor.-] {+IncidentCategory, SystemImpact, BusinessImpact, IntendedImpact and MitigatingFactor.+}

o The following classes were added to Node: PostalAddress and DomainData. The following classes were removed from Node: NodeName and DateTime.

o The following class was added to the Contact class: ContactTitle.

o The following class was added to Expectation and HistoryItem: DefinedCOA.

o Additional enumerated values were added to the following attributes: @restriction, {Expectation, HistoryItem}@action, NodeRole@category, Incident@purpose, Contact@role, AdditionalData@dtype, System@spoofed.

{+o Removed all "ext-" attributes in favor of using an IANA registry for extending attributes.+}

{+o Removed Impact class in favor of using SystemImpact and IncidentCategory.+}
1.2. Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [refs.requirements].
skipping to change at page 13, line [-15-] {+28+}

3.2. Incident Class

Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID      ]
   [-| STRING ext-purpose      |-]
   | ENUM lang               |<>--{0..1}--[ AlternativeID   ]
   | ENUM restriction        |<>--{0..*}--[ RelatedActivity ]
   | STRING observable-id    |<>--{0..1}--[ DetectTime      ]
   |                         |<>--{0..1}--[ StartTime       ]
   |                         |<>--{0..1}--[ EndTime         ]
   |                         |<>--{0..1}--[ RecoveryTime    ]
   |                         |<>----------[ ReportTime      ]
   |                         |<>--{0..1}--[ GenerationTime  ]
   |                         |<>--{0..*}--[ Description     ]
   |                         |<>--{0..*}--[ Discovery       ]
   |                         |<>--{1..*}--[ Assessment      ]
   |                         |<>--{0..*}--[ Method          ]
   |                         |<>--{1..*}--[ Contact         ]
   |                         |<>--{0..*}--[ EventData       ]
skipping to change at [-page 14, line 49-] {+page 15, line 15+}

IndicatorData
   Zero or more. Description of indicators.

History
   Zero or one. A log of significant events or actions that occurred during the course of handling the incident.

AdditionalData
   Zero or more. Mechanism by which to extend the data model.

The Incident class has [-four-] {+three+} attributes:

purpose
   Required. ENUM. The purpose attribute represents the reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.17). {+These values are maintained in the "Incident-purpose" IANA registry per Table 1.+} This attribute is defined as an enumerated list:

   1. traceback. The document was sent for trace-back purposes.
   2. mitigation. The document was sent to request aid in mitigating the described activity.
   3. reporting. The document was sent to comply with reporting requirements.
   4. watch. The document was sent to convey indicators to watch for particular activity.
   5. other. The document was sent for purposes specified in the Expectation class.
   [-6. ext-value. An escape value used to extend this attribute. See Section 5.1.-]

[-ext-purpose
   Optional. STRING. A means by which to extend the purpose attribute. See Section 5.1.-]

lang
   Optional. ENUM. A valid language code per [RFC5646] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.

restriction
   Optional. ENUM. See Section 3.3.1.

observable-id
   Optional. ID. See Section 3.3.2.
skipping to change at page 16, line [-26-] {+38+}

or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value.

This attribute is defined as an enumerated value with a default value of "private". Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute is used, no default is specified. {+These values are maintained in the "Restriction" IANA registry per Table 1.+}

   1. public. The information can be freely distributed without restriction.
   2. partner. The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published.
   3. need-to-know. The information may be shared only within the organization with individuals that have a need to know.
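The ancestor-inheritance rule for restriction, as an added example that is not part of the draft: a standard-library Python resolver that computes the effective restriction of each element (closest ancestor that sets one, "private" only when an Incident is reached without any value) and prunes a document down to what a given audience may receive. The IODEF document, its identifiers and its values are constructed for illustration, and the namespace is omitted.

```python
"""Effective 'restriction' resolution for IODEF v2 elements.

Added example, not code from the draft: a class without its own
restriction attribute inherits the value of its closest ancestor that
sets one, and the default "private" is defined only on Incident.
The document below is constructed for illustration (namespace omitted).
"""
import xml.etree.ElementTree as ET

SAMPLE_IODEF = """\
<IODEF-Document version="2.00">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">2014-0001</IncidentID>
    <ReportTime>2014-11-09T12:00:00Z</ReportTime>
    <Assessment><Description>Constructed sample</Description></Assessment>
    <Contact role="creator" type="organization" restriction="public">
      <ContactName>Example CSIRT</ContactName>
      <Email restriction="partner"><EmailTo>csirt@example.com</EmailTo></Email>
    </Contact>
    <AdditionalData dtype="string" meaning="note">internal only</AdditionalData>
  </Incident>
  <Incident purpose="watch">
    <IncidentID name="csirt.example.com">2014-0002</IncidentID>
    <ReportTime>2014-11-09T12:05:00Z</ReportTime>
    <Assessment restriction="partner"><Description>For partners</Description></Assessment>
    <Contact role="creator" type="organization" restriction="public">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>
"""

INCIDENT_DEFAULT = "private"  # the draft defines a default only for Incident


def local_name(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def load(xml_text):
    """Parse and build a child -> parent map (ElementTree has no parent links)."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    return root, parents


def effective_restriction(elem, parents):
    """Walk toward the root and return the first explicit restriction.

    Reaching an Incident with nothing set on the path yields the Incident
    default "private"; outside any Incident no default exists, so None.
    """
    node = elem
    while node is not None:
        value = node.get("restriction")
        if value is not None:
            return value
        if local_name(node.tag) == "Incident":
            return INCIDENT_DEFAULT
        node = parents.get(node)
    return None


def prune_for_release(xml_text, allowed):
    """Remove every element whose effective restriction is not in `allowed`.

    A restricted ancestor takes its whole subtree with it, even when a
    descendant is marked more permissively (Incident 2's public Contact
    goes with its private Incident); elements with no defined restriction
    are kept.  Returns the pruned root element.
    """
    root, parents = load(xml_text)
    for elem in list(root.iter()):      # snapshot: the tree is mutated below
        value = effective_restriction(elem, parents)
        parent = parents.get(elem)
        if parent is not None and value is not None and value not in allowed:
            parent.remove(elem)
    return root


if __name__ == "__main__":
    root, parents = load(SAMPLE_IODEF)
    for elem in root.iter():
        print("%-16s %s" % (local_name(elem.tag), effective_restriction(elem, parents)))
    kept = prune_for_release(SAMPLE_IODEF, {"public", "partner", "need-to-know"})
    print(ET.tostring(kept, encoding="unicode"))
```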
skipping to change at page 21, line [-33-] {+47+}

of the specification, some additional coordination may be required to ensure that a recipient of a document using the AdditionalData classes can make sense of the custom extensions.

   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   [-| STRING ext-dtype |-]
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

   Figure 8: The AdditionalData Class

The AdditionalData class has [-five-] {+four+} attributes:

dtype
   Required. ENUM. The data type of the element content. The permitted values for this attribute are shown below. The default value is "string". {+These values are maintained in the "AdditionalData-dtype" IANA registry per Table 1.+}

   1. boolean. The element content is of type BOOLEAN.
   2. byte. The element content is of type BYTE.
   3. bytes. The element content is of type HEXBIN.
   4. character. The element content is of type CHARACTER.
   5. date-time. The element content is of type DATETIME.

skipping to change at [-page 22, line 47-] {+page 23, line 13+}

   17. url. The element content is of type URL.
   18. csv. The element content is a comma-separated value (CSV) list per Section 2 of [RFC4180] encoded as a STRING type.
   19. winreg. The element content is a Windows registry key encoded as a STRING type.
   20. xml. The element content is XML. See Section 5.
   [-21. ext-value. An escape value used to extend this attribute. See Section 5.1.-]

[-ext-dtype
   Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.-]

meaning
   Optional. STRING. A free-form description of the element content.

formatid
   Optional. STRING. An identifier referencing the format and semantics of the element content.

restriction
   Optional. ENUM. See Section 3.3.1.
skipping to change at page 24, line 9

derived by a particular traversal from the root Contact class to the leaf Contact class. As such, multiple points of contact might be specified in a single instance of a Contact class. Each child Contact class logically inherits contact information from its ancestors.

   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName    ]
   [-| STRING ext-role  |-]
   | ENUM type        |<>--{0..1}--[ ContactTitle   ]
   [-| STRING ext-type  |-]
   | ENUM restriction |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ RegistryHandle ]
   |                  |<>--{0..1}--[ PostalAddress  ]
   |                  |<>--{0..*}--[ Email          ]
   |                  |<>--{0..*}--[ Telephone      ]
   |                  |<>--{0..1}--[ Fax            ]
   |                  |<>--{0..1}--[ Timezone       ]
   |                  |<>--{0..*}--[ Contact        ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

   Figure 9: The Contact Class

skipping to change at page 25, line 23

points of contact and is especially useful when listing multiple contacts at the same organization.

AdditionalData
   Zero or more. A mechanism by which to extend the data model.

At least one of the aggregate classes MUST be present in an instance of the Contact class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.

The Contact class has [-five-] {+three+} attributes:

role
   Required. ENUM. Indicates the role the contact fulfills. This attribute is defined as an enumerated [-list:-] {+list. These values are+}
maintained in the "Contact-role" IANA registry per Table 1.
1. creator. The entity that generate the document. 1. creator. The entity that generate the document.
2. reporter. The entity that reported the information. 2. reporter. The entity that reported the information.
3. admin. An administrative contact or business owner for an 3. admin. An administrative contact or business owner for an
asset or organization. asset or organization.
4. tech. An entity responsible for the day-to-day management of 4. tech. An entity responsible for the day-to-day management of
technical issues for an asset or organization. technical issues for an asset or organization.
skipping to change at page 26, line 14 skipping to change at page 26, line 17
11. abuse. An entity responsible for handling abuse originating 11. abuse. An entity responsible for handling abuse originating
from an asset or organization. from an asset or organization.
12. cc. An entity that is to be kept informed about the events 12. cc. An entity that is to be kept informed about the events
related to an asset or organization. related to an asset or organization.
13. cc-irt. A CSIRT or information sharing organization 13. cc-irt. A CSIRT or information sharing organization
coordinating activity related to an asset or organization. coordinating activity related to an asset or organization.
14. le. A law enforcement entity supporting the investigation of 14. leo. A law enforcement organization supporting the
activity affecting an asset or organization. investigation of activity affecting an asset or organization.
15. vendor. The vendor that produces an asset. 15. vendor. The vendor that produces an asset.
16. ext-value. An escape value used to extend this attribute. 16. vendor-support. A vendor that provides services.
See Section 5.1.
ext-role 17. victim. A victim in the incident.
Optional. STRING. A means by which to extend the role attribute.
See Section 5.1. 18. victim-notified. A victim in the incident who has been
notified.
type type
Required. ENUM. Indicates the type of contact being described. Required. ENUM. Indicates the type of contact being described.
This attribute is defined as an enumerated list: This attribute is defined as an enumerated list. These values are
maintained in the "Contact-type" IANA registry per Table 1.
1. person. The information for this contact references an 1. person. The information for this contact references an
individual. individual.
2. organization. The information for this contact references an 2. organization. The information for this contact references an
organization. organization.
3. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
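   The inheritance rule for nested Contact classes, and the MUST on
   aggregate presence that the text says the schema cannot express, are
   both things a consumer has to check itself. The following is an added
   example in Python (not code from the draft or from any IODEF
   implementation): it parses a constructed Contact subtree, flags
   missing aggregate children and role/type values outside the -10
   enumerations, and resolves each leaf Contact's Email and Telephone by
   walking up through its ancestors. The namespace URI, the sample XML
   and the helper names are assumptions of this example; the role set
   holds only the values visible on this page (items 5-10 of the list
   are elided above), so complete it from the full draft before relying
   on it.

```python
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace; the draft text above does not state it.
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Contact-role values visible in the -10 text above (items 5-10 of the
# list are elided on this page; complete this set from the full draft).
CONTACT_ROLE = {
    "creator", "reporter", "admin", "tech", "abuse", "cc", "cc-irt",
    "leo", "vendor", "vendor-support", "victim", "victim-notified",
}
CONTACT_TYPE = {"person", "organization"}
# Aggregate classes of Contact (Figure 9); at least one MUST be present.
AGGREGATES = {
    "ContactName", "ContactTitle", "Description", "RegistryHandle",
    "PostalAddress", "Email", "Telephone", "Fax", "Timezone",
    "Contact", "AdditionalData",
}


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def check_contact(elem, path="Contact"):
    """Return rule violations for elem and every Contact nested in it."""
    problems = []
    role, ctype = elem.get("role"), elem.get("type")
    if role not in CONTACT_ROLE:
        problems.append(f"{path}: role {role!r} not in Contact-role registry")
    if ctype not in CONTACT_TYPE:
        problems.append(f"{path}: type {ctype!r} not in Contact-type registry")
    if not any(_local(c.tag) in AGGREGATES for c in elem):
        problems.append(f"{path}: no aggregate class present (at least one MUST be)")
    nested = [c for c in elem if _local(c.tag) == "Contact"]
    for i, child in enumerate(nested):
        problems.extend(check_contact(child, f"{path}/Contact[{i}]"))
    return problems


def leaf_contacts(elem, inherited=None):
    """Yield (role, name, emails, phones) for each leaf Contact, with
    Email and Telephone inherited from every ancestor Contact."""
    inherited = inherited or {"Email": [], "Telephone": []}
    own = {k: inherited[k] + [c.text.strip() for c in elem
                              if _local(c.tag) == k and c.text]
           for k in inherited}
    nested = [c for c in elem if _local(c.tag) == "Contact"]
    if not nested:
        name = next((c.text for c in elem if _local(c.tag) == "ContactName"), None)
        yield (elem.get("role"), name, own["Email"], own["Telephone"])
    for child in nested:
        yield from leaf_contacts(child, own)


# Constructed sample: a CSIRT organisation contact with two nested
# personal contacts. The second still uses the -09 value "le" and has
# no aggregate child, so it violates two rules.
SAMPLE = f"""<Contact xmlns="{NS}" role="cc-irt" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <Email>csirt@example.com</Email>
  <Telephone>+1-555-0100</Telephone>
  <Contact role="tech" type="person">
    <ContactName>Alice Analyst</ContactName>
    <Email>alice@example.com</Email>
  </Contact>
  <Contact role="le" type="person"></Contact>
</Contact>"""


def run(xml_text=SAMPLE):
    """Parse xml_text and return (violations, resolved leaf contacts)."""
    root = ET.fromstring(xml_text)
    return check_contact(root), list(leaf_contacts(root))


if __name__ == "__main__":
    violations, leaves = run()
    for v in violations:
        print("VIOLATION:", v)
    for role, name, emails, phones in leaves:
        print(f"LEAF role={role} name={name} emails={emails} phones={phones}")
```

   Run as a script this reports the two violations on the second nested
   Contact and prints both leaf contacts with the CSIRT's Email and
   Telephone inherited. A schema-validating parser would catch "le"
   only if the schema still enumerates the values; it never catches the
   missing aggregate, which is why a check like this belongs in any
   IODEF consumer.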
3.10.1. RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database. The handle is specified in
   the element content and the type attribute specifies the database.

   -09:

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

   -10:

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   +---------------------+

                  Figure 10: The RegistryHandle Class

   -09: The RegistryHandle class has two attributes:
   -10: The RegistryHandle class has one attribute:

   registry
      Required. ENUM. The database to which the handle belongs.
      -10 adds: These values are maintained in the
      "RegistryHandle-registry" IANA registry per Table 1.
      The possible values are:

      1. internic. Internet Network Information Center
      2. apnic. Asia Pacific Network Information Center
      3. arin. American Registry for Internet Numbers
      4. lacnic. Latin-American and Caribbean IP Address Registry
      5. ripe. Reseaux IP Europeens
      6. afrinic. African Internet Numbers Registry
      7. local. A database local to the CSIRT
      8. (-09 only) ext-value. An escape value used to extend this
         attribute. See Section 5.1.

   ext-registry (-09 only)
      Optional. STRING. A means by which to extend the registry
      attribute. See Section 5.1.

3.10.2. PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |

skipping to change at page 30, line 24 (-09) / line 13 (-10)

   its semantics from the parent class in which it is aggregated.

3.12. Discovery Class

   The Discovery class describes how an incident was detected.

   -09:

   +-------------------+
   | Discovery         |
   +-------------------+
   | ENUM source       |<>--{0..*}--[ Description ]
   | STRING ext-source |<>--{0..*}--[ Contact ]
   | ENUM restriction  |<>--{0..*}--[ DetectionPattern ]
   +-------------------+

   -10:

   +-------------------+
   | Discovery         |
   +-------------------+
   | ENUM source       |<>--{0..*}--[ Description ]
   | ENUM restriction  |<>--{0..*}--[ Contact ]
   |                   |<>--{0..*}--[ DetectionPattern ]
   +-------------------+

                    Figure 15: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more. ML_STRING. A free-form text description of how
      this incident was detected.

   Contact
      Zero or more. Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more. Describes an application-specific configuration
      that detected the incident.

   -09: The Discovery class has three attributes:
   -10: The Discovery class has two attributes:

   source
      Optional. ENUM. Categorizes the techniques used to discover the
      incident. These values are partially derived from Table 3-1 of
      [NIST800.61rev2].
      -10 adds: These values are maintained in the "Discovery-source"
      IANA registry per Table 1.

      -09:

      1. idps. Intrusion Detection or Prevention system.
      2. siem. Security Information and Event Management System.
      3. av. Antivirus or antispam software.
      4. file-integrity. File integrity checking software.
      5. third-party-monitoring. Contracted third-party monitoring
         service.
      6. os-log. Operating system logs.
      7. application-log. Application logs.
      8. device-log. Network device logs.
      9. network-flow. Network flow analysis.
      10. investigation. Manual investigation initiated based on
          timely notification of a new vulnerability or exploit.
      11. internal-notification. A party within the organization
          discovered the activity.
      12. external-notification. A party outside of the organization
          discovered the activity.
      13. unknown. Unknown detection approach.
      14. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-source (-09 only)
      Optional. STRING. A means by which to extend the source
      attribute. See Section 5.1.

      -10:

      1. nidps. Network Intrusion Detection or Prevention system.
      2. hips. Host-based Intrusion Prevention system.
      3. siem. Security Information and Event Management System.
      4. av. Antivirus or antispam software.
      5. third-party-monitoring. Contracted third-party monitoring
         service.
      6. incident. The activity was discovered while investigating an
         unrelated incident.
      7. os-log. Operating system logs.
      8. application-log. Application logs.
      9. device-log. Network device logs.
      10. network-flow. Network flow analysis.
      11. passive-dns. Passive DNS analysis.
      12. investigation. Manual investigation initiated based on
          notification of a new vulnerability or exploit.
      13. audit. Security audit.
      14. internal-notification. A party within the organization
          reported the activity.
      15. external-notification. A party outside of the organization
          reported the activity.
      16. leo. A law enforcement organization notified the victim
          organization.
      17. partner. A customer or business partner reported the
          activity to the victim organization.
      18. actor. The threat actor directly or indirectly reported this
          activity to the victim organization.
      19. unknown. Unknown detection approach.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.
3.12.1. DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon. This class requires the

skipping to change at page 33, line 34 (both)

      Optional. ENUM. This attribute is defined in Section 3.2.

3.14. Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   -09:

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ Impact ]
   | ENUM restriction        |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

   -10:

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | ID observable-id        |<>--{0..*}--[ BusinessImpact ]
   |                         |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 18: Assessment Class

   The aggregate classes that constitute Assessment are:

   IncidentCategory (-10 only)
      Zero or more. ML_STRING. A free-form text description
      categorizing the type of Incident.

   SystemImpact (-10; named Impact in -09)
      Zero or more. Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more. Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more. Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more. Impact of the activity measured with respect to
      financial loss.

   IntendedImpact (-10 only)
      Zero or more. Intended impact to the victim by the attacker.
      Identically defined as Section 3.14.2 but describes intent rather
      than the realized impact.

   Counter
      Zero or more. A counter with which to summarize the magnitude of
      the activity.

   MitigatingFactor
      Zero or one. ML_STRING. A description of a mitigating factor of an
      impact.

   Confidence
      Zero or one. An estimate of confidence in the assessment.

skipping to change at page 35, line 5 (-09) / line 11 (-10)

      2. potential. This assessment describes potential activity that
         might occur.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   observable-id
      Optional. ID. See Section 3.3.2.

3.14.1. SystemImpact Class (-10; titled "Impact Class" in -09)

   -09: The Impact class allows for categorizing and describing the
   technical impact of the incident on the network of an organization.

   -10: The SystemImpact class describes the technical impact of the
   incident to the systems on the network.

   This class is based on [RFC4765].

   -09:

   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+

   -10:

   +------------------+
   | SystemImpact     |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   +------------------+

   -09: Figure 19: Impact Class
   -10: Figure 19: SystemImpact Class

   The element content will be a free-form textual description of the
   impact.

   -09: The Impact class has five attributes:
   -10: The SystemImpact class has four attributes:

   lang
      Optional. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

skipping to change at page 36, line 10 (-09) / line 15 (-10)

   completion
      Optional. ENUM. An indication whether the described activity was
      successful. The permitted values are shown below. There is no
      default value.

      1. failed. The attempted activity was not successful.

      2. succeeded. The attempted activity succeeded.

   type
      -09: Required. ENUM. Classifies the malicious activity into
      incident categories. The permitted values are shown below. The
      default value is "unknown".

      -10: Required. ENUM. Classifies the impact. The permitted values
      are shown below. The default value is "unknown". These values are
      maintained in the "SystemImpact-type" IANA registry per Table 1.

      -09:

      1. admin. Administrative privileges were attempted.
      2. dos. A denial of service was attempted.
      3. file. An action that impacts the integrity of a file or
         database was attempted.
      4. info-leak. An attempt was made to exfiltrate information.
      5. misconfiguration. An attempt was made to exploit a
         misconfiguration in a system.
      6. policy. Activity violating site's policy was attempted.
      7. recon. Reconnaissance activity was attempted.
      8. social-engineering. A social engineering attack was
         attempted.
      9. user. User privileges were attempted.
      10. unknown. The classification of this activity is unknown.
      11. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-type (-09 only)
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

      -10:

      1. takeover-account. Control was taken of a given account
         (e.g., a social media account).
      2. takeover-service. Control was taken of a given service.
      3. takeover-system. Control was taken of a given system.
      4. cps-manipulation. A cyber physical system was manipulated.
      5. cps-damage. A cyber physical system was damaged.
      6. availability-data. Access to particular data was degraded or
         denied.
      7. availability-account. Access to an account was degraded or
         denied.
      8. availability-service. Access to a service was degraded or
         denied.
      9. availability-system. Access to a system was degraded or
         denied.
      10. damaged-system. Hardware on a system was irreparably
          damaged.
      11. damaged-data. Data on a system was deleted.
      12. breach-proprietary. Sensitive or proprietary information was
          accessed or exfiltrated.
      13. breach-privacy. Personally identifiable information was
          accessed or exfiltrated.
      14. breach-credential. Credential information was accessed or
          exfiltrated.
      15. breach-configuration. System configuration or data inventory
          was accessed or exfiltrated.
      16. integrity-data. Data on the system was modified.
      17. integrity-configuration. Application or system configuration
          was modified.
      18. integrity-hardware. Firmware of a hardware component was
          modified.
      19. traffic-redirection. Network traffic on the system was
          redirected.
      20. monitoring-traffic. Network traffic emerging from a host was
          monitored.
      21. monitoring-host. System activity (e.g., running processes,
          keystrokes) was monitored.
      22. policy. Activity violated the system owner's acceptable use
          policy.
      23. unknown. The impact is unknown.

3.14.2. BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.
   The element body describes the impact to the organization as a free-
   form text string. The two attributes characterize the impact.

   -09:

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

   -10:

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | ENUM type               |
   +-------------------------+

                  Figure 20: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   -09: The BusinessImpact class has four attributes:
   -10: The BusinessImpact class has two attributes:

   severity
      Optional. ENUM. Characterizes the severity of the incident on
      business functions. The permitted values are shown below. They
      were derived from Table 3-2 of [NIST800.61rev2]. The default
      value is "unknown".
      -10 adds: These values are maintained in the
      "BusinessImpact-severity" IANA registry per Table 1.

      1. none. No effect to the organization's ability to provide all
         services to all users.
      2. low. Minimal effect as the organization can still provide all
         critical services to all users but has lost efficiency.
      3. medium. The organization has lost the ability to provide a
         critical service to a subset of system users.
      4. high. The organization is no longer able to provide some
         critical services to any users.
      5. unknown. The impact is not known.
      6. (-09 only) ext-value. An escape value used to extend this
         attribute. See Section 5.1.

   ext-severity (-09 only)
      Optional. STRING. A means by which to extend the severity
      attribute. See Section 5.1.

   type
      -09: Required. ENUM. Characterizes the effect this incident had
      on the business. Classifies the malicious activity into incident
      categories. The permitted values are shown below. There is no
      default value.

      -10: Required. ENUM. Characterizes the effect this incident had
      on the business. The permitted values are shown below. There is
      no default value. These values are maintained in the
      "BusinessImpact-type" IANA registry per Table 1.

      -09:

      1. breach-proprietary. Sensitive or proprietary information was
         accessed or exfiltrated.
      2. breach-privacy. Personally identifiable information was
         accessed or exfiltrated.
      3. loss-of-integrity. Sensitive or proprietary information was
         changed or deleted.
      4. loss-of-service. Service delivery was disrupted.
      5. loss-financial. Money or services were stolen.
      6. degraded-reputation. The reputation of the organization's
         brand was diminished.
      7. asset-damage. A cyber-physical system was damaged.
      8. asset-manipulation. A cyber-physical system was manipulated.
      9. legal. Incident resulted in legal or regulatory action.
      10. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-type (-09 only)
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

      -10:

      1. breach-proprietary. Sensitive or proprietary information was
         accessed or exfiltrated.
      2. breach-privacy. Personally identifiable information was
         accessed or exfiltrated.
      3. breach-credential. Credential information was accessed or
         exfiltrated.
      4. loss-of-integrity. Sensitive or proprietary information was
         changed or deleted.
      5. loss-of-service. Service delivery was disrupted.
      6. theft-financial. Money was stolen.
      7. theft-service. Services were misappropriated.
      8. degraded-reputation. The reputation of the organization's
         brand was diminished.
      9. asset-damage. A cyber-physical system was damaged.
      10. asset-manipulation. A cyber-physical system was manipulated.
      11. legal. The incident resulted in legal or regulatory action.
      12. extortion. The incident resulted in actors extorting the
          victim organization.

3.14.3. TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time. It provides a way to convey down
   time and recovery time.

   -09:

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

   -10:

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | ENUM duration       |
   +---------------------+

                    Figure 21: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time. The duration and metric attributes will
   imply the semantics of the element content.

   -09: The TimeImpact class has five attributes:
   -10: The TimeImpact class has three attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity
      2. medium. Medium severity
      3. high. High severity

   metric
      Required. ENUM. Defines the metric in which the time is
      expressed. The permitted values are shown below. There is no
      default value.
      -10 adds: These values are maintained in the "TimeImpact-metric"
      IANA registry per Table 1.

      1. labor. Total staff-time to recover from the activity (e.g.,
         2 employees working 4 hours each would be 8 hours).
      2. elapsed. Elapsed time from the beginning of the recovery to
         its completion (i.e., wall-clock time).
      3. downtime. Duration of time for which some provided service(s)
         was not available.
      4. (-09 only) ext-value. An escape value used to extend this
         attribute. See Section 5.1.

   ext-metric (-09 only)
      Optional. STRING. A means by which to extend the metric
      attribute. See Section 5.1.

   duration
      Optional. ENUM. Defines a unit of time, that when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content. The permitted values are
      shown below. The default value is "hour".
      -10 adds: These values are maintained in the "TimeImpact-duration"
      IANA registry per Table 1.

      1. second. The unit of the element content is seconds.
      2. minute. The unit of the element content is minutes.
      3. hour. The unit of the element content is hours.
      4. day. The unit of the element content is days.
      5. month. The unit of the element content is months.
      6. quarter. The unit of the element content is quarters.
      7. year. The unit of the element content is years.
      8. (-09 only) ext-value. An escape value used to extend this
         attribute. See Section 5.1.

   ext-duration (-09 only)
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.
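   Much of the meaning of the impact classes above sits in attribute
   defaults ("unknown" for SystemImpact type and BusinessImpact
   severity, "hour" for TimeImpact duration) and in the metric/duration
   pair that scales a TimeImpact's content. The following added Python
   example (not code from the draft or from any IODEF implementation)
   flattens a constructed -10-style Assessment into a summary: it
   applies those defaults, validates the enumerated attributes against
   the -10 value lists, treats IntendedImpact as BusinessImpact-shaped
   per its definition, and totals every TimeImpact in hours per metric.
   The namespace URI, the sample document, the dict layout and the
   hours-per-month/quarter/year conversions are assumptions of the
   example.

```python
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace; the draft text above does not state it.
NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Enumerations as listed in the -10 text above.
SYSTEM_IMPACT_TYPE = {
    "takeover-account", "takeover-service", "takeover-system",
    "cps-manipulation", "cps-damage", "availability-data",
    "availability-account", "availability-service", "availability-system",
    "damaged-system", "damaged-data", "breach-proprietary", "breach-privacy",
    "breach-credential", "breach-configuration", "integrity-data",
    "integrity-configuration", "integrity-hardware", "traffic-redirection",
    "monitoring-traffic", "monitoring-host", "policy", "unknown",
}
BUSINESS_IMPACT_SEVERITY = {"none", "low", "medium", "high", "unknown"}
BUSINESS_IMPACT_TYPE = {
    "breach-proprietary", "breach-privacy", "breach-credential",
    "loss-of-integrity", "loss-of-service", "theft-financial",
    "theft-service", "degraded-reputation", "asset-damage",
    "asset-manipulation", "legal", "extortion",
}
TIME_METRIC = {"labor", "elapsed", "downtime"}
# Hours per TimeImpact duration unit. second..day are exact; month,
# quarter and year use 30/91/365-day approximations (an assumption).
HOURS_PER = {"second": 1 / 3600, "minute": 1 / 60, "hour": 1.0, "day": 24.0,
             "month": 720.0, "quarter": 2184.0, "year": 8760.0}


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def summarize(assessment):
    """Flatten one Assessment element into a dict. Defaults are applied
    here because ElementTree, unlike a schema-validating parser, does
    not fill in XSD default attribute values."""
    out = {"category": [], "system": [], "intended": [], "business": [],
           "time_hours": {}, "problems": []}
    for el in assessment:
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name == "IncidentCategory":
            out["category"].append(text)
        elif name == "SystemImpact":
            t = el.get("type", "unknown")            # default is "unknown"
            if t not in SYSTEM_IMPACT_TYPE:
                out["problems"].append(
                    f"{name}: type {t!r} not in SystemImpact-type registry")
            out["system"].append((t, el.get("completion")))
        elif name in ("BusinessImpact", "IntendedImpact"):
            # IntendedImpact is defined identically to BusinessImpact
            # (Section 3.14.2); only intent vs. realized impact differs.
            sev = el.get("severity", "unknown")      # default is "unknown"
            t = el.get("type")                       # required, no default
            if sev not in BUSINESS_IMPACT_SEVERITY:
                out["problems"].append(
                    f"{name}: severity {sev!r} not in BusinessImpact-severity registry")
            if t not in BUSINESS_IMPACT_TYPE:
                out["problems"].append(
                    f"{name}: type {t!r} not in BusinessImpact-type registry")
            key = "business" if name == "BusinessImpact" else "intended"
            out[key].append((t, sev))
        elif name == "TimeImpact":
            metric = el.get("metric")                # required, no default
            unit = el.get("duration", "hour")        # default is "hour"
            try:
                value = float(text)
            except ValueError:
                value = -1.0                         # REAL must be positive
            if metric not in TIME_METRIC or unit not in HOURS_PER or value < 0:
                out["problems"].append(
                    f"TimeImpact: rejected metric={metric!r} duration={unit!r} content={text!r}")
                continue
            hours = out["time_hours"].get(metric, 0.0)
            out["time_hours"][metric] = hours + value * HOURS_PER[unit]
    return out


# Constructed sample in the -10 layout. The second SystemImpact omits
# type (so it defaults to "unknown"); the BusinessImpact still uses the
# -09 value "loss-financial", which -10 replaced with "theft-financial".
SAMPLE = f"""<Assessment xmlns="{NS}">
  <IncidentCategory>Credential theft via phishing</IncidentCategory>
  <SystemImpact type="breach-credential" completion="succeeded">
    Mail credentials captured</SystemImpact>
  <SystemImpact completion="failed">Lateral movement blocked</SystemImpact>
  <IntendedImpact type="theft-financial" severity="high">
    Attacker sought to redirect supplier payments</IntendedImpact>
  <BusinessImpact type="loss-financial">Wire transfer delayed</BusinessImpact>
  <TimeImpact metric="labor" duration="day">2</TimeImpact>
  <TimeImpact metric="labor">6</TimeImpact>
  <TimeImpact metric="downtime" duration="minute">90</TimeImpact>
</Assessment>"""


def summarize_sample(xml_text=SAMPLE):
    """Parse xml_text and return its summary dict."""
    return summarize(ET.fromstring(xml_text))


if __name__ == "__main__":
    for key, value in summarize_sample().items():
        print(f"{key}: {value}")
```

   For the sample this yields 54 labor hours (2 days plus 6 default-unit
   hours), 1.5 hours of downtime, the untyped SystemImpact reported as
   "unknown", and one problem for the stale "loss-financial" value. A
   receiver that exchanges documents across the -09/-10 boundary will
   see exactly this kind of mismatch, since the ext-value escape no
   longer exists in -10 and values now come from the IANA registries.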
3.14.4. MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization. For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   | MonetaryImpact   |

skipping to change at page 43, line 39 (both)

   that documents a particular action or event that occurred in the
   course of handling the incident. The details of the entry are a
   free-form description, but each can be categorized with the action
   attribute.

   -09:

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime ]
   | ENUM action             |<>--{0..1}--[ IncidentId ]
   | STRING ext-action       |<>--{0..1}--[ Contact ]
   | ID observable-id        |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

   -10:

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime ]
   | ENUM action             |<>--{0..1}--[ IncidentId ]
   | ID observable-id        |<>--{0..1}--[ Contact ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                    Figure 25: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

skipping to change at page 44, line 27 (both)

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action. This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   -09: The HistoryItem class has four attributes:
   -10: The HistoryItem class has three attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is identical
      to the action attribute of the Expectation class. The difference
      is only one of tense. When an action is in this class, it has
      been completed. See Section 3.17.

   ext-action (-09 only)
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.16. EventData Class

   The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered. activity on the organization, and any forensic evidence discovered.
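Review bot: the DefinedCOA aggregate described in this hunk ("Zero or more. ML_STRING ... This class MUST be present if the action attribute is set to 'defined-coa'") does not appear in Figure 25 above, whose right-hand column lists only DateTime, IncidentId, Contact, Description and AdditionalData. Either add a `{0..*}--[ DefinedCOA ]` row to the HistoryItem figure or drop the paragraph, and check that the XML Schema agrees with whichever is chosen. The revised count "three attributes" (restriction, action, observable-id) is consistent with the removal of ext-action.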
skipping to change at page 48, line 32 skipping to change at page 48, line 32
the actions the sender is requesting. The scope of the requested the actions the sender is requesting. The scope of the requested
action is limited to purview of the EventData class in which this action is limited to purview of the EventData class in which this
class is aggregated. class is aggregated.
+-------------------------+ +-------------------------+
| Expectation | | Expectation |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..*}--[ DefinedCOA ] | ENUM severity |<>--{0..*}--[ DefinedCOA ]
| ENUM action |<>--{0..1}--[ StartTime ] | ENUM action |<>--{0..1}--[ StartTime ]
| STRING ext-action |<>--{0..1}--[ EndTime ] | ID observable-id |<>--{0..1}--[ EndTime ]
| ID observable-id |<>--{0..1}--[ Contact ] | |<>--{0..1}--[ Contact ]
+-------------------------+ +-------------------------+
Figure 28: The Expectation Class Figure 28: The Expectation Class
The aggregate classes that constitute Expectation are: The aggregate classes that constitute Expectation are:
Description Description
Zero or more. ML_STRING. A free-form description of the desired Zero or more. ML_STRING. A free-form description of the desired
action(s). action(s).
skipping to change at page 49, line 20 skipping to change at page 49, line 20
Zero or one. The time by which the sender expects the recipient Zero or one. The time by which the sender expects the recipient
to complete the action. If the recipient cannot complete the to complete the action. If the recipient cannot complete the
action before EndTime, the recipient MUST NOT carry out the action before EndTime, the recipient MUST NOT carry out the
action. Because of transit delays, clock drift, and so on, the action. Because of transit delays, clock drift, and so on, the
sender MUST be prepared for the recipient to have carried out the sender MUST be prepared for the recipient to have carried out the
action, even if it completes past EndTime. action, even if it completes past EndTime.
Contact Contact
Zero or one. The expected actor for the action. Zero or one. The expected actor for the action.
The Expectations class has five attributes: The Expectations class has four attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. The Optional. ENUM. This attribute is defined in Section 3.2. The
default value is "default". default value is "default".
severity severity
Optional. ENUM. Indicates the desired priority of the action. Optional. ENUM. Indicates the desired priority of the action.
This attribute is an enumerated list with no default value, and This attribute is an enumerated list with no default value, and
the semantics of these relative measures are context dependent. the semantics of these relative measures are context dependent.
1. low. Low priority 1. low. Low priority
2. medium. Medium priority 2. medium. Medium priority
3. high. High priority 3. high. High priority
action action
Optional. ENUM. Classifies the type of action requested. This Optional. ENUM. Classifies the type of action requested. This
attribute is an enumerated list with a default value of "other". attribute is an enumerated list with a default value of "other".
These values are maintained in the "Expectation-action" IANA
registry per Table 1.
1. nothing. No action is requested. Do nothing with the 1. nothing. No action is requested. Do nothing with the
information. information.
2. contact-source-site. Contact the site(s) identified as the 2. contact-source-site. Contact the site(s) identified as the
source of the activity. source of the activity.
3. contact-target-site. Contact the site(s) identified as the 3. contact-target-site. Contact the site(s) identified as the
target of the activity. target of the activity.
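Review bot: "The Expectations class has four attributes" should read "The Expectation class"; the count itself (restriction, severity, action, observable-id) matches the new figure. The restriction attribute is said here to be "defined in Section 3.2", while HistoryItem above cites Section 3.3.1 for the same attribute and System below again says Section 3.2; since observable-id is consistently cited as Section 3.3.2, 3.3.1 looks like the intended reference and the two "Section 3.2" pointers look stale. Since ext-value and ext-action are being removed from this class, the new sentence about the "Expectation-action" IANA registry is also the natural place to say that "other" plus a Description is now the only way to convey an action the registry does not yet name.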
skipping to change at page 50, line 24 skipping to change at page 50, line 26
9. rate-limit-host. Rate-limit the traffic from the machine(s) 9. rate-limit-host. Rate-limit the traffic from the machine(s)
listed as sources in the event. listed as sources in the event.
10. rate-limit-network. Rate-limit the traffic from the 10. rate-limit-network. Rate-limit the traffic from the
network(s) lists as sources in the event. network(s) lists as sources in the event.
11. rate-limit-port. Rate-limit the port(s) listed as sources in 11. rate-limit-port. Rate-limit the port(s) listed as sources in
the event. the event.
12. upgrade-software. Upgrade or patch the software or firmware 12. redirect-traffic. Redirect traffic from intended recipient
for further analysis.
13. honeypot. Redirect traffic to a honeypot for further
analysis.
14. upgrade-software. Upgrade or patch the software or firmware
on an asset. on an asset.
13. rebuild-asset. Reinstall the operating system and 15. rebuild-asset. Reinstall the operating system or
applications on an asset. applications on an asset.
14. remediate-other. Remediate the activity in a way other than 16. harden-asset. Change the configuration an asset (e.g.,
reduce the number of services or user accounts) to reduce the
attack surface.
17. remediate-other. Remediate the activity in a way other than
by rate limiting or blocking. by rate limiting or blocking.
15. status-triage. Conveys receipts and the triaging of an 18. status-triage. Conveys receipts and the triaging of an
incident. incident.
16. status-new-info. Conveys that new information was received 19. status-new-info. Conveys that new information was received
for this incident. for this incident.
17. watch-and-report. Watch for the described activity and share 20. watch-and-report. Watch for the described activity and share
if seen. if seen.
18. defined-coa. Perform a predefined course of action (COA). 21. training. Train user to identify or mitigate a threat.
22. defined-coa. Perform a predefined course of action (COA).
The COA is named in the DefinedCOA class. The COA is named in the DefinedCOA class.
19. other. Perform some custom action described in the 23. other. Perform some custom action described in the
Description class. Description class.
20. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-action
Optional. STRING. A means by which to extend the action
attribute. See Section 5.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.18. Flow Class 3.18. Flow Class
The Flow class groups related the source and target hosts. The Flow class groups related the source and target hosts.
+------------------+ +------------------+
| Flow | | Flow |
+------------------+ +------------------+
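Review bot: several wording defects in the renumbered action list. Item 10, "network(s) lists as sources", should be "listed as sources"; item 12, "Redirect traffic from intended recipient for further analysis", reads better as "Redirect traffic away from its intended recipient for further analysis" and should say how it differs from item 13 ("honeypot"), which is also a redirection; item 16, "Change the configuration an asset", is missing "of"; item 18, "Conveys receipts and the triaging of an incident", should be "receipt". In Section 3.18, "The Flow class groups related the source and target hosts" is garbled; suggest "The Flow class groups the related source and target hosts".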
skipping to change at page 52, line 10 skipping to change at page 52, line 10
originating. With a category attribute value of "target" or originating. With a category attribute value of "target" or
"intermediary", then the machine or service is the one targeted in "intermediary", then the machine or service is the one targeted in
the activity. A value of "sensor" dictates that this System was part the activity. A value of "sensor" dictates that this System was part
of an instrumentation to monitor the network. of an instrumentation to monitor the network.
+---------------------+ +---------------------+
| System | | System |
+---------------------+ +---------------------+
| ENUM restriction |<>----------[ Node ] | ENUM restriction |<>----------[ Node ]
| ENUM category |<>--{0..*}--[ NodeRole ] | ENUM category |<>--{0..*}--[ NodeRole ]
| STRING ext-category |<>--{0..*}--[ Service ] | STRING interface |<>--{0..*}--[ Service ]
| STRING interface |<>--{0..*}--[ OperatingSystem ] | ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
| ENUM spoofed |<>--{0..*}--[ Counter ] | ENUM virtual |<>--{0..*}--[ Counter ]
| ENUM virtual |<>--{0..*}--[ AssetID ] | ENUM ownership |<>--{0..*}--[ AssetID ]
| ENUM ownership |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| ENUM ext-ownership |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------+ +---------------------+
Figure 30: The System Class Figure 30: The System Class
The aggregate classes that constitute System are: The aggregate classes that constitute System are:
Node Node
One. A host or network involved in the incident. One. A host or network involved in the incident.
NodeRole NodeRole
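Review bot: the category prose in this hunk says "With a category attribute value of 'target' or 'intermediary'", but the enumerated value in the attribute list below is "intermediate". Pick one spelling; the enum token is what will be carried in the new "System-category" IANA registry, so the prose should follow the token. With ext-category and ext-ownership dropped, the "six attributes" count below (restriction, category, interface, spoofed, virtual, ownership) is correct.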
skipping to change at page 52, line 48 skipping to change at page 52, line 48
AssetID AssetID
Zero or more. An asset identifier for the System. Zero or more. An asset identifier for the System.
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
System. System.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
The System class has eight attributes: The System class has six attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. This attribute is defined in Section 3.2.
category category
Optional. ENUM. Classifies the role the host or network played Optional. ENUM. Classifies the role the host or network played
in the incident. The possible values are: in the incident. These values are maintained in the "System-
category" IANA registry per Table 1. The possible values are:
1. source. The System was the source of the event. 1. source. The System was the source of the event.
2. target. The System was the target of the event. 2. target. The System was the target of the event.
3. intermediate. The System was an intermediary in the event. 3. intermediate. The System was an intermediary in the event.
4. sensor. The System was a sensor monitoring the event. 4. sensor. The System was a sensor monitoring the event.
5. infrastructure. The System was an infrastructure node of 5. infrastructure. The System was an infrastructure node of
IODEF document exchange. IODEF document exchange.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-category
Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.
interface interface
Optional. STRING. Specifies the interface on which the event(s) Optional. STRING. Specifies the interface on which the event(s)
on this System originated. If the Node class specifies a network on this System originated. If the Node class specifies a network
rather than a host, this attribute has no meaning. rather than a host, this attribute has no meaning.
spoofed spoofed
Optional. ENUM. An indication of confidence in whether this Optional. ENUM. An indication of confidence in whether this
System was the true target or attacking host. The permitted System was the true target or attacking host. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"unknown". "unknown".
skipping to change at page 54, line 11 skipping to change at page 54, line 5
values are: values are:
1. yes. The System is a virtual device. 1. yes. The System is a virtual device.
2. no. The System is a physical device. 2. no. The System is a physical device.
3. unknown. It is not known if the System is virtual. 3. unknown. It is not known if the System is virtual.
ownership ownership
Optional. ENUM. Describes the ownership of this System relative Optional. ENUM. Describes the ownership of this System relative
to the sender of the IODEF document. The possible values are: to the sender of the IODEF document. These values are maintained
in the "System-ownership" IANA registry per Table 1. The possible
values are:
1. organization. The System is owned by the organization. 1. organization. The System is owned by the organization.
2. personal. The System is owned by employee or affiliate of the 2. personal. The System is owned by employee or affiliate of the
organization. organization.
3. partner. The System is owned by a partner of the 3. partner. The System is owned by a partner of the
organization. organization.
4. customer. The System is owned by a customer of the 4. customer. The System is owned by a customer of the
organization. organization.
5. no-relationship. The System is owned by an entity that has no 5. no-relationship. The System is owned by an entity that has no
known relationship with the organization. known relationship with the organization.
6. unknown. The ownership of the System is unknown. 6. unknown. The ownership of the System is unknown.
7. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-ownership
Optional. STRING. A means by which to extend the ownership
attribute. See Section 5.1.
3.20. Node Class 3.20. Node Class
The Node class names an asset or network. The Node class names an asset or network.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+---------------+ +---------------+
| Node | | Node |
+---------------+ +---------------+
| |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ DomainData ]
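Review bot: ownership value 2, "The System is owned by employee or affiliate of the organization", is missing an article ("by an employee or affiliate"). Otherwise the "System-ownership" registry sentence follows the same pattern as the category attribute, which is the right approach.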
skipping to change at page 56, line 9 skipping to change at page 55, line 34
The Address class represents a hardware (layer-2), network (layer-3), The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address. or application (layer-7) address.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Address | | Address |
+-------------------------+ +-------------------------+
| ENUM category | | ENUM category |
| STRING ext-category |
| STRING vlan-name | | STRING vlan-name |
| INTEGER vlan-num | | INTEGER vlan-num |
| ID observable-id | | ID observable-id |
+-------------------------+ +-------------------------+
Figure 32: The Address Class Figure 32: The Address Class
The Address class has five attributes: The Address class has four attributes:
category category
Optional. ENUM. The type of address represented. The permitted Optional. ENUM. The type of address represented. The permitted
values for this attribute are shown below. The default value is values for this attribute are shown below. The default value is
"ipv4-addr". "ipv4-addr". These values are maintained in the "Address-
category" IANA registry per Table 1.
1. asn. Autonomous System Number 1. asn. Autonomous System Number
2. atm. Asynchronous Transfer Mode (ATM) address 2. atm. Asynchronous Transfer Mode (ATM) address
3. e-mail. Electronic mail address (RFC 822) 3. e-mail. Electronic mail address (RFC 822)
4. ipv4-addr. IPv4 host address in dotted-decimal notation 4. ipv4-addr. IPv4 host address in dotted-decimal notation
(a.b.c.d) (a.b.c.d)
5. ipv4-net. IPv4 network address in dotted-decimal notation, 5. ipv4-net. IPv4 network address in dotted-decimal notation,
slash, significant bits (a.b.c.d/nn) slash, significant bits (a.b.c.d/nn)
6. ipv4-net-mask. IPv4 network address in dotted-decimal 6. ipv4-net-mask. IPv4 network address in dotted-decimal
notation, slash, network mask in dotted-decimal notation notation, slash, network mask in dotted-decimal notation
skipping to change at page 56, line 50 skipping to change at page 56, line 26
7. ipv6-addr. IPv6 host address 7. ipv6-addr. IPv6 host address
8. ipv6-net. IPv6 network address, slash, significant bits 8. ipv6-net. IPv6 network address, slash, significant bits
9. ipv6-net-mask. IPv6 network address, slash, network mask 9. ipv6-net-mask. IPv6 network address, slash, network mask
10. mac. Media Access Control (MAC) address 10. mac. Media Access Control (MAC) address
11. site-uri. A URL or URI for a resource. 11. site-uri. A URL or URI for a resource.
12. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-category
Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.
vlan-name vlan-name
Optional. STRING. The name of the Virtual LAN to which the Optional. STRING. The name of the Virtual LAN to which the
address belongs. address belongs.
vlan-num vlan-num
Optional. STRING. The number of the Virtual LAN to which the Optional. STRING. The number of the Virtual LAN to which the
address belongs. address belongs.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.20.2. NodeRole Class 3.20.2. NodeRole Class
The NodeRole class describes the function performed by a particular . The NodeRole class describes the function performed by a particular .
+---------------------+ +---------------------+
| NodeRole | | NodeRole |
+---------------------+ +---------------------+
| ENUM category | | ENUM category |
| STRING ext-category |
| ENUM lang | | ENUM lang |
+---------------------+ +---------------------+
Figure 33: The NodeRole Class Figure 33: The NodeRole Class
The NodeRole class has three attributes: The NodeRole class has two attributes:
category category
Required. ENUM. Functionality provided by a node. Required. ENUM. Functionality provided by a node. These values
are maintained in the "NodeRole-category" IANA registry per
Table 1.
1. client. Client computer 1. client. Client computer
2. client-enterprise. Client computer on the enterprise network 2. client-enterprise. Client computer on the enterprise network
3. client-partner. Client computer on network of a partner 3. client-partner. Client computer on network of a partner
4. client-remote. Client computer remotely connected to the 4. client-remote. Client computer remotely connected to the
enterprise network enterprise network
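Review bot: vlan-num is typed INTEGER in Figure 32 but described as "Optional. STRING." in the attribute list; the figure and the text must agree, and INTEGER (the figure's choice) fits a VLAN number, so the text should change and the schema should be checked for the same mismatch. In Section 3.20.2, "describes the function performed by a particular ." has lost its noun; "a particular Node" is meant. The new "two attributes" count (category, lang) is consistent with dropping ext-category.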
skipping to change at page 59, line 30 skipping to change at page 58, line 49
39. pos. Point-of-sale device 39. pos. Point-of-sale device
40. scada. Supervisory control and data acquisition system 40. scada. Supervisory control and data acquisition system
41. scada-supervisory. Supervisory system for a SCADA 41. scada-supervisory. Supervisory system for a SCADA
42. sinkhole. Traffic sinkhole destination 42. sinkhole. Traffic sinkhole destination
43. honeypot. Honeypot server 43. honeypot. Honeypot server
44. c2. Malicious command and control server 44. anonymization. Anonymization server (e.g., Tor node)
45. malware-distribution. Server that distributes malware 45. c2. Malicious command and control server
46. malware-distribution. Server that distributes malware
46. drop-server. Server to which exfiltrated content is 47. drop-server. Server to which exfiltrated content is
uploaded. uploaded.
47. hop-point. Intermediary server used to get to a victim. 48. hop-point. Intermediary server used to get to a victim.
48. reflector. A system used in a reflector attacker.
49. phishing-site. Site hosting phishing content
50. spear-phishing-site. Site hosting spear-phishing content 49. reflector. A system used in a reflector attacker.
51. recruiting-site. Site to recruit 50. phishing-site. Site hosting phishing content
52. fraudulent-site. Fraudulent site. 51. spear-phishing-site. Site hosting spear-phishing content
53. ext-value. An escape value used to extend this attribute. 52. recruiting-site. Site to recruit
See Section 5.1.
ext-category 53. fraudulent-site. Fraudulent site.
Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.
lang lang
Optional. ENUM. A valid language code per [RFC5646] constrained Optional. ENUM. A valid language code per [RFC5646] constrained
by the definition of "xs:language". The interpretation of this by the definition of "xs:language". The interpretation of this
code is described in Section 6. code is described in Section 6.
3.20.3. Counter Class 3.20.3. Counter Class
The Counter class summarize multiple occurrences of some event, or The Counter class summarize multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions, conveys counts or rates on various features (e.g., packets, sessions,
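Review bot: in the renumbered NodeRole list, item 49 "A system used in a reflector attacker" should be "reflector attack"; item 52 "Site to recruit" needs to say what is being recruited for before it is usable as a classification; item 53 "Fraudulent site." is the only entry with a trailing period. The first sentence of 3.20.3, "The Counter class summarize multiple occurrences", should be "summarizes".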
skipping to change at page 60, line 32 skipping to change at page 59, line 44
expressed by setting the duration attribute. The complete semantics expressed by setting the duration attribute. The complete semantics
are entirely context dependent based on the class in which the are entirely context dependent based on the class in which the
Counter is aggregated. Counter is aggregated.
+---------------------+ +---------------------+
| Counter | | Counter |
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type |
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration |
+---------------------+ +---------------------+
Figure 34: The Counter Class Figure 34: The Counter Class
The Counter class has five attribute: The Counter class has three attribute:
type type
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
These values are maintained in the "Counter-type" IANA registry
per Table 1.
1. byte. Count of bytes. 1. byte. Count of bytes.
2. packet. Count of packets. 2. packet. Count of packets.
3. flow. Count of network flow records. 3. flow. Count of network flow records.
4. session. Count of sessions. 4. session. Count of sessions.
5. alert. Count of notifications generated by another system 5. alert. Count of notifications generated by another system
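Review bot: "The Counter class has three attribute" should be "attributes"; the count (type, meaning, duration) matches the new figure now that ext-type and ext-duration are gone.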
skipping to change at page 61, line 18 skipping to change at page 60, line 31
6. message. Count of messages (e.g., mail messages). 6. message. Count of messages (e.g., mail messages).
7. event. Count of events. 7. event. Count of events.
8. host. Count of hosts. 8. host. Count of hosts.
9. site. Count of site. 9. site. Count of site.
10. organization. Count of organizations. 10. organization. Count of organizations.
11. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
meaning meaning
Optional. STRING. A free-form description of the metric Optional. STRING. A free-form description of the metric
represented by the Counter. represented by the Counter.
duration duration
Optional. ENUM. If present, the Counter class represents a rate Optional. ENUM. If present, the Counter class represents a rate
rather than a count over the entire event. In that case, this rather than a count over the entire event. In that case, this
attribute specifies the denominator of the rate (where the type attribute specifies the denominator of the rate (where the type
attribute specified the nominator). The possible values of this attribute specified the nominator). The possible values of this
attribute are defined in Section 3.14.3 attribute are defined in Section 3.14.3
ext-duration
Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.
3.21. DomainData Class 3.21. DomainData Class
The DomainData class describes a domain name and meta-data associated The DomainData class describes a domain name and meta-data associated
with this domain. with this domain.
+--------------------------+ +--------------------------+
| DomainData | | DomainData |
+--------------------------+ +--------------------------+
| ENUM system-status |<>----------[ Name ] | ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] | ENUM domain-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] | ID observable-id |<>--{0..1}--[ ExpirationDate ]
| ID observable-id |<>--{0..*}--[ RelatedDNS ] | |<>--{0..*}--[ RelatedDNS ]
| |<>--{0..*}--[ Nameservers ] | |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ] | |<>--{0..1}--[ DomainContacts ]
| | | |
+--------------------------+ +--------------------------+
Figure 35: The DomainData Class Figure 35: The DomainData Class
The aggregate classes that constitute DomainData are: The aggregate classes that constitute DomainData are:
Name Name
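Review bot: in the new Figure 35 the attribute column lists "ENUM domain-status" twice (second and third rows); the duplicate should be removed so the figure shows exactly system-status, domain-status and observable-id. In the Counter text earlier in this hunk, "the type attribute specified the nominator" should be "numerator", and type value 9 "Count of site" should be "Count of sites".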
skipping to change at page 62, line 49 skipping to change at page 61, line 49
Zero or more. Additional DNS records associated with this domain. Zero or more. Additional DNS records associated with this domain.
Nameservers Nameservers
Zero or more. The name servers identified for the domain listed Zero or more. The name servers identified for the domain listed
in Name. in Name.
DomainContacts DomainContacts
Zero or one. Contact information for the domain listed in Name Zero or one. Contact information for the domain listed in Name
supplied by the registrar or through a whois query. supplied by the registrar or through a whois query.
The DomainData class has five attribute: The DomainData class has four attribute:
system-status system-status
Required. ENUM. Assesses the domain's involvement in the event. Required. ENUM. Assesses the domain's involvement in the event.
These values are maintained in the "DomainData-system-status" IANA
registry per Table 1.
1. spoofed. This domain was spoofed. 1. spoofed. This domain was spoofed.
2. fraudulent. This domain was operated with fraudulent 2. fraudulent. This domain was operated with fraudulent
intentions. intentions.
3. innocent-hacked. This domain was compromised by a third 3. innocent-hacked. This domain was compromised by a third
party. party.
4. innocent-hijacked. This domain was deliberately hijacked. 4. innocent-hijacked. This domain was deliberately hijacked.
5. unknown. No categorization for this domain known. 5. unknown. No categorization for this domain known.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-system-status
Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.
domain-status domain-status
Required. ENUM. Categorizes the registry status of the domain at Required. ENUM. Categorizes the registry status of the domain at
the time the document was generated. These values and their the time the document was generated. These values and their
associated descriptions are derived from Section 3.2.2 of associated descriptions are derived from Section 3.2.2 of
[RFC3982]. [RFC3982]. These values are maintained in the "DomainData-domain-
status" IANA registry per Table 1.
1. reservedDelegation. The domain is permanently inactive. 1. reservedDelegation. The domain is permanently inactive.
2. assignedAndActive. The domain is in a normal state. 2. assignedAndActive. The domain is in a normal state.
3. assignedAndInactive. The domain has an assigned registration 3. assignedAndInactive. The domain has an assigned registration
but the delegation is inactive. but the delegation is inactive.
4. assignedAndOnHold. The domain is under dispute. 4. assignedAndOnHold. The domain is under dispute.
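Review bot: "The DomainData class has four attribute" is wrong for the new text: after removing ext-system-status and ext-domain-status only system-status, domain-status and observable-id remain, so it should read "three attributes". This count should be cross-checked against the schema rather than hand-maintained, as the same slip appears in the figure above.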
skipping to change at page 64, line 5 skipping to change at page 62, line 51
7. registryLock. The domain is on hold by the registry. 7. registryLock. The domain is on hold by the registry.
8. registrarLock. Same as "registryLock". 8. registrarLock. Same as "registryLock".
9. other. The domain has a known status but it is not one of 9. other. The domain has a known status but it is not one of
the redefined enumerated values. the redefined enumerated values.
10. unknown. The domain has an unknown status. 10. unknown. The domain has an unknown status.
11. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-domain-status
Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.21.1. RelatedDNS 3.21.1. RelatedDNS
The RelatedDNS class describes additional record types associated The RelatedDNS class describes additional record types associated
with a given domain name. The record type is described in the with a given domain name. The record type is described in the
record-type attribute and the value of the record is the element record-type attribute and the value of the record is the element
content. ... TODO Issue #39 ... content. ... TODO Issue #39 ...
+----------------------+ +----------------------+
| RelatedDNS | | RelatedDNS |
+----------------------+ +----------------------+
| STRING | | STRING |
| | | |
| ENUM record-type | | ENUM record-type |
| ENUM ext-record-type |
+----------------------+ +----------------------+
Figure 36: The RelatedDNS Class Figure 36: The RelatedDNS Class
The RelatedDNS class has two attribute: The RelatedDNS class has one attribute:
record-type record-type
Required. ENUM. The DNS record type. ... TODO values need to be Required. ENUM. The DNS record type. ... TODO values need to be
listed ... listed ...
ext-record-type. An escape value used to extend this attribute.
See Section 5.1.
3.21.2. Nameservers Class 3.21.2. Nameservers Class
The Nameservers class describes the name servers associated with a The Nameservers class describes the name servers associated with a
given domain. given domain.
+--------------------+ +--------------------+
| Nameservers | | Nameservers |
+--------------------+ +--------------------+
| |<>----------[ Server ] | |<>----------[ Server ]
| |<>--{1..*}--[ Address ] | |<>--{1..*}--[ Address ]
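Review bot: domain-status value 9, "not one of the redefined enumerated values", should be "predefined". Section 3.21.1 still carries two open items ("... TODO Issue #39 ..." in the class description and "... TODO values need to be listed ..." under record-type); the record-type enumeration has to be filled in before this can progress, because with ext-record-type removed there is no escape value left to fall back on. "The RelatedDNS class has one attribute" is correct for the new version.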
skipping to change at page 69, line 13 skipping to change at page 67, line 43
9. string. The element content is of type STRING. 9. string. The element content is of type STRING.
10. file. The element content is a base64 encoded binary file 10. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type. encoded as a BYTE[] type.
11. path. The element content is a file-system path encoded as a 11. path. The element content is a file-system path encoded as a
STRING type. STRING type.
12. xml. The element content is XML. See Section 5. 12. xml. The element content is XML. See Section 5.
13. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.22.2. Application Class 3.22.2. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
skipping to change at page 70, line 44 skipping to change at page 69, line 24
headers have dedicated classes, but arbitrary headers can also be headers have dedicated classes, but arbitrary headers can also be
described. described.
+-------------------------+ +-------------------------+
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| ID observable-id |<>--{0..1}--[ EmailFrom ] | ID observable-id |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ]
+-------------------------+ +-------------------------+
Figure 42: EmailData Class Figure 42: EmailData Class
The aggregate classes that constitute EmailData are: The aggregate classes that constitute EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322]. See Section 3.6.2 of [RFC5322].
skipping to change at page 71, line 19 skipping to change at page 69, line 50
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. The value of the "X-Mailer:" header field in an
email. email.
EmailHeaderField EmailHeaderField
Zero or one. The value of an arbitrary header field in the email. Zero or one. The value of an arbitrary header field in the email.
See Section 3.22.1. The attributes of EmailHeaderField MUST be See Section 3.22.1. The attributes of EmailHeaderField MUST be
set as follows: proto="25" and dtype="string". The name of the set as follows: proto="25" and dtype="string". The name of the
email header field MUST be set in the field attribute. email header field MUST be set in the field attribute.
HashData
Zero or One. Hash(es) associated with this email.
SignatureData
Zero or One. Signature(s) associated with this email.
The EmailData class has one attribute: The EmailData class has one attribute:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
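The mapping this section prescribes, worked through in code as an added example (not part of the draft or of any IODEF implementation): the From:, Subject: and X-Mailer: headers of a message go to their dedicated child classes, and every other header becomes an EmailHeaderField carrying exactly proto="25", dtype="string" and the header name in the field attribute. The namespace URI and the element prefix are assumptions, since the excerpt does not state them; the sample message is constructed.

```python
import email
from email import policy
import xml.etree.ElementTree as ET

# Assumed namespace for the IODEF v2 schema; the excerpt does not state it.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Header fields that the draft gives dedicated (zero-or-one) child classes.
DEDICATED = {"from": "EmailFrom", "subject": "EmailSubject", "x-mailer": "EmailX-Mailer"}


def _q(name):
    """Qualify an element name with the assumed IODEF namespace."""
    return f"{{{IODEF_NS}}}{name}"


def email_data_from_message(raw, observable_id=None):
    """Map the headers of a raw RFC 5322 message onto an IODEF EmailData element.

    From:, Subject: and X-Mailer: go to their dedicated classes; every other
    header becomes an EmailHeaderField with the attribute values the draft
    mandates: proto="25", dtype="string", field=<header name>.  A repeated
    dedicated header keeps only its first occurrence because those classes
    are zero-or-one.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    attrs = {"observable-id": observable_id} if observable_id else {}
    email_data = ET.Element(_q("EmailData"), attrs)
    seen = set()
    for name, value in msg.items():
        cls = DEDICATED.get(name.lower())
        if cls is None:
            field = ET.SubElement(email_data, _q("EmailHeaderField"),
                                  {"proto": "25", "dtype": "string", "field": name})
            field.text = str(value)
        elif cls not in seen:
            seen.add(cls)
            ET.SubElement(email_data, _q(cls)).text = str(value)
    return email_data


def header_fields(email_data):
    """Return (field, value) pairs of the EmailHeaderField children, in document order."""
    return [(e.get("field"), e.text) for e in email_data.findall(_q("EmailHeaderField"))]


def check_header_field_attributes(email_data):
    """True when every EmailHeaderField carries proto="25", dtype="string" and a field name."""
    return all(e.get("proto") == "25" and e.get("dtype") == "string" and e.get("field")
               for e in email_data.findall(_q("EmailHeaderField")))


# Constructed sample message; not a real capture.
SAMPLE_MESSAGE = (
    b"Received: from mx.example.net by mail.example.com\r\n"
    b"From: sender@example.com\r\n"
    b"Subject: Invoice\r\n"
    b"X-Mailer: ConstructedMailer 1.0\r\n"
    b"Reply-To: other@example.org\r\n"
    b"\r\n"
    b"Please see the attached file.\r\n"
)

if __name__ == "__main__":
    ET.register_namespace("iodef", IODEF_NS)
    print(ET.tostring(email_data_from_message(SAMPLE_MESSAGE, "obs-1"), encoding="unicode"))
```

Running the module prints the EmailData fragment for the constructed message; check_header_field_attributes is the consistency check a receiving CSIRT would apply before trusting the arbitrary-header entries.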
3.25. Record Class 3.25. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
skipping to change at page 72, line 18 skipping to change at page 71, line 13
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+-------------------+ +-------------------+
| RecordData | | RecordData |
+-------------------+ +-------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| ID observable-id |<>--{0..*}--[ Description ] | ID observable-id |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashData ] | |<>--{0..*}--[ FileData ]
| |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 44: The RecordData Class Figure 44: The RecordData Class
The aggregate classes that constitute RecordData are: The aggregate classes that constitute RecordData are:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
skipping to change at page 72, line 45 skipping to change at page 71, line 41
Zero or one. Information about the sensor used to generate the Zero or one. Information about the sensor used to generate the
RecordItem data. RecordItem data.
RecordPattern RecordPattern
Zero or more. A search string to precisely find the relevant data Zero or more. A search string to precisely find the relevant data
in a RecordItem. in a RecordItem.
RecordItem RecordItem
Zero or more. Log, audit, or forensic data. Zero or more. Log, audit, or forensic data.
HashData FileData
Zero or one. The file name and hash of a file indicator. Zero or one. The file name and hash of a file indicator.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or more. The registry keys that were modified that are Zero or more. The registry keys that were modified that are
indicator(s). indicator(s).
AdditionalData AdditionalData
Zero or more. An extension mechanism for data not explicitly Zero or more. An extension mechanism for data not explicitly
represented in the data model. represented in the data model.
skipping to change at page 73, line 28 skipping to change at page 72, line 24
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 45: The RecordPattern Class Figure 45: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by four attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". the element content. The default is "regex". These values are
maintained in the "RecordPattern-type" IANA registry per Table 1.
1. regex. Regular expression as defined by POSIX Extended 1. regex. Regular expression as defined by POSIX Extended
Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX]. Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex encoded binary pattern, per the HEXBIN data
type. type.
3. xpath. XML Path (XPath) [W3C.XPATH]. 3. xpath. XML Path (XPath) [W3C.XPATH].
4. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
offset offset
Optional. INTEGER. Amount of units (determined by the offsetunit Optional. INTEGER. Amount of units (determined by the offsetunit
attribute) to seek into the RecordItem data before matching the attribute) to seek into the RecordItem data before matching the
pattern. pattern.
offsetunit offsetunit
Optional. ENUM. Describes the units of the offset attribute. Optional. ENUM. Describes the units of the offset attribute.
The default is "line". The default is "line". These values are maintained in the
"RecordPattern-offsetunit" IANA registry per Table 1.
1. line. Offset is a count of lines. 1. line. Offset is a count of lines.
2. byte. Offset is a count of bytes. 2. byte. Offset is a count of bytes.
3. ext-value. An escape value used to extend this attribute.
See Section 5.1.
ext-offsetunit
Optional. STRING. A means by which to extend the offsetunit
attribute. See Section 5.1.
instance instance
Optional. INTEGER. Number of times to apply the specified Optional. INTEGER. Number of times to apply the specified
pattern. pattern.
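The RecordPattern attributes described above, applied to a RecordItem in code. This is an added example, not code from the draft: it seeks offset units (lines or bytes) into the record data, matches a "regex" or "binary" (hex-encoded) pattern, and treats instance as the number of matches to report, which is how this example reads the "number of times to apply the pattern" wording. The namespace URI is an assumption, Python's re module stands in for POSIX ERE (the two dialects are close but not identical), and the firewall log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumed namespace for the IODEF v2 schema; the excerpt does not state it.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


def _q(name):
    return f"{{{IODEF_NS}}}{name}"


def apply_record_pattern(record_item, pattern, ptype="regex", offset=0,
                         offsetunit="line", instance=None):
    """Apply one RecordPattern to the text of one RecordItem.

    offset/offsetunit skip that many lines or bytes before matching.
    instance is read as the maximum number of matches to report; None means all.
    type "regex" uses Python's re module (close to, not identical with, POSIX ERE)
    and returns group 1 when the pattern has a group, else the whole match.
    type "binary" is a hex-encoded byte string and returns byte offsets into the
    data that remains after the offset has been applied.
    """
    if offsetunit == "line":
        data = "".join(record_item.splitlines(keepends=True)[offset:])
    elif offsetunit == "byte":
        data = record_item.encode("utf-8")[offset:].decode("utf-8", errors="replace")
    else:
        raise ValueError(f"unsupported offsetunit {offsetunit!r}")

    if ptype == "regex":
        hits = [m.group(1) if m.groups() else m.group(0) for m in re.finditer(pattern, data)]
    elif ptype == "binary":
        needle, blob, hits, start = bytes.fromhex(pattern), data.encode("utf-8"), [], 0
        while (pos := blob.find(needle, start)) != -1:
            hits.append(pos)
            start = pos + 1
    else:
        raise ValueError(f"unsupported pattern type {ptype!r}")

    return hits if instance is None else hits[:instance]


def build_record_data(record_item, patterns):
    """Serialize one RecordItem plus RecordPattern elements given as dicts of attributes and 'pattern'."""
    record_data = ET.Element(_q("RecordData"))
    for spec in patterns:
        attrs = {k: str(v) for k, v in spec.items() if k != "pattern"}
        ET.SubElement(record_data, _q("RecordPattern"), attrs).text = spec["pattern"]
    ET.SubElement(record_data, _q("RecordItem"), {"dtype": "string"}).text = record_item
    return ET.tostring(record_data, encoding="unicode")


def evaluate_record_data(xml_text):
    """Parse a RecordData fragment and apply each RecordPattern to its RecordItem with the draft's defaults."""
    record_data = ET.fromstring(xml_text)
    item = record_data.find(_q("RecordItem")).text
    results = []
    for rp in record_data.findall(_q("RecordPattern")):
        inst = rp.get("instance")
        results.append(apply_record_pattern(
            item, rp.text,
            ptype=rp.get("type", "regex"),            # default "regex"
            offset=int(rp.get("offset", "0")),
            offsetunit=rp.get("offsetunit", "line"),  # default "line"
            instance=None if inst is None else int(inst)))
    return results


# Constructed firewall log; not a real capture.
SAMPLE_LOG = (
    "2014-11-09T10:00:01Z fw DROP src=203.0.113.5 dst=192.0.2.10 dpt=22\n"
    "2014-11-09T10:00:02Z fw ACCEPT src=198.51.100.7 dst=192.0.2.10 dpt=443\n"
    "2014-11-09T10:00:03Z fw DROP src=203.0.113.5 dst=192.0.2.11 dpt=22\n"
    "2014-11-09T10:00:04Z fw DROP src=203.0.113.9 dst=192.0.2.12 dpt=3389\n"
)

SAMPLE_PATTERNS = [
    {"pattern": r"DROP src=([0-9.]+)", "offset": 1, "offsetunit": "line"},
    {"pattern": "32303134", "type": "binary", "instance": 2},   # hex for "2014"
]

if __name__ == "__main__":
    print(evaluate_record_data(build_record_data(SAMPLE_LOG, SAMPLE_PATTERNS)))
```

The round trip through build_record_data and evaluate_record_data is the useful part: a consumer that receives a RecordData element can re-run the sender's patterns over the embedded RecordItem and confirm that the referenced subsets actually exist before acting on them.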
3.25.3. RecordItem Class 3.25.3. RecordItem Class
The RecordItem class provides a way to incorporate relevant logs, The RecordItem class provides a way to incorporate relevant logs,
audit trails, or forensic data to support the conclusions made during audit trails, or forensic data to support the conclusions made during
the course of analyzing the incident. The class supports the the course of analyzing the incident. The class supports the
direct encapsulation of the data and also provides primitives to direct encapsulation of the data and also provides primitives to
skipping to change at page 75, line 33 skipping to change at page 74, line 14
3.26.1. Key Class 3.26.1. Key Class
The Key class describes a particular Windows operating system The Key class describes a particular Windows operating system
registry key name and value pair, and the operation performed on it. registry key name and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | ID observable-id |<>--{0..1}--[ KeyValue ]
| ID observable-id |
+---------------------------+ +---------------------------+
Figure 47: The Key Class Figure 47: The Key Class
The aggregate classes that constitute Key are: The aggregate classes that constitute Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]). key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
The Key class has three attributes: The Key class has two attributes:
registryaction registryaction
Optional. ENUM. The type of action taken on the registry key. Optional. ENUM. The type of action taken on the registry key.
These values are maintained in the "Key-registryaction" IANA
registry per Table 1.
1. add-key. Registry key added. 1. add-key. Registry key added.
2. add-value. Value added to registry key. 2. add-value. Value added to registry key.
3. delete-key. Registry key deleted. 3. delete-key. Registry key deleted.
4. delete-value. Value deleted from registry key. 4. delete-value. Value deleted from registry key.
5. modify-key. Registry key modified. 5. modify-key. Registry key modified.
6. modify-value. Value modified for registry key. 6. modify-value. Value modified for registry key.
7. ext-value. External value. observable-id
Optional. ID. See Section 3.3.2.
ext-registryaction 3.27. CertificateData Class
Optional. A means by which to extend the registryaction
attribute. See Section 5.1. The CertificateData class describes X.509 certificates.
+----------------------+
| CertificateData |
+----------------------+
| ID observable-id |<>--{1..*}--[ Certificate ]
| ENUM restriction |
+----------------------+
Figure 48: The CertificateData Class
The aggregate classes that constitute CertificateData are:
Certificate
One or more. A certificate.
The CertificateData class has two attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.27. HashData Class restriction
Optional. ENUM. See Section 3.3.1.
The HashData class describes file names and associated hashes and 3.27.1. Certificate Class
signatures. ... TODO Fix Issue #20 and #25 ...
The Certificate class describes a given X.509 certificate or
certificate chain.
+--------------------------+ +--------------------------+
| HashData | | Certificate |
+--------------------------+ +--------------------------+
| ENUM type |<>--{0..*}--[ FileName ] | ENUM valid |<>----------[ ds:X509Data ]
| STRING ext-type |<>--{0..*}--[ FileSize ] | ID observable-id |
| BOOL valid |<>--{0..*}--[ ds:Signature ]
| ID observable-id |<>--{0..*}--[ ds:KeyInfo ]
| |<>--{0..*}--[ ds:Reference ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 48: The HashData Class Figure 49: The Certificate Class
The aggregate classes that constitute HashData are: The aggregate classes that constitute Certificate are:
FileName ds:X509Data
Zero or more. ML_STRING. The name of the file. One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG].
FileSize The Certificate class has one attribute:
Zero or more. INTEGER. The size of the file in bytes.
ds:Signature valid
Zero or more. Optional. Indicates whether a given certificate has a valid
signature. An invalid signature may be due to an invalid
certificate chain, a signature not decoding properly, or the
certificate contents not matching the hash.
ds:KeyInfo 1. yes. The certificate is valid.
Zero or more.
ds:Reference 2. no. The certificate is not valid.
Zero or more. The algorithm identification and value of a hash
computed over a file. This element is defined in [RFC3275].
Refer to RFC 5901.
AdditionalData observable-id
Zero or more. Mechanism by which to extend the data model. See Optional. ID. See Section 3.3.2.
Section 3.9
The HashData class has four attributes: 3.28. FileData Class
type The FileData class describes files of interest identified during the
Optional. ENUM. The Hash Type. analysis of an incident.
1. PKI-email-ds. PKI email digital signature. +----------------------+
| FileData |
+----------------------+
| ID observable-id |<>--{1..*}--[ File ]
| ENUM restriction |
+----------------------+
2. PKI-file-ds. PKI file digital signature. Figure 50: The FileData Class
3. PGP-email-ds. PGP email digital signature. The aggregate class that constitutes FileData is:
4. PGP-file-ds. PGP file digital signature. File
One or more. A description of a file.
5. file-hash. A hash computed over the entire contents of a The FileData class has two attributes:
file.
6. email-hash. A hash computed over the headers and body of an observable-id
email message. Optional. ID. See Section 3.3.2.
7. email-headers-hash. A hash computed over all of the headers restriction
of an email message. Optional. ENUM. See Section 3.3.1.
8. email-body-hash. A hash computed over the body of an email 3.28.1. File Class
message.
9. email-headers-hash. A hash computed over all of the email The File class describes a file and its associated metadata.
headers.
10. ext-value. An escape value used to extend this attribute. +--------------------------+
See Section 5.1. | File |
+--------------------------+
| ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ]
| |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ]
| |<>--{0..*}--[ FileProperties ]
+--------------------------+
ext-type Figure 51: The File Class
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.
valid The aggregate classes that constitute File are:
Optional. BOOLEAN. Indicates if the signature or hash is valid.
FileName
Zero or One. ML_STRING. The name of the file.
FileSize
Zero or One. INTEGER. The size of the file in bytes.
URL
Zero or more. A reference to the file.
HashData
Zero or One. Hash(es) associated with this file.
SignatureData
Zero or One. Signature(s) associated with this file.
FileProperties
Zero or more. Mechanism by which to extend the data model to
describe properties of the file. See Section 3.9.
The File class has one attribute:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.28. IndicatorData Class 3.29. HashData Class
The HashData class describes different types of hashes on a given
object (e.g., file, part of a file, email).
+--------------------------+
| HashData |
+--------------------------+
| ENUM scope |<>--{0..1}--[ HashTarget ]
| |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ]
+--------------------------+
Figure 52: The HashData Class
The aggregate classes that constitute HashData are:
HashTarget
Zero or One. An identifier that references a subset of the
object per the @scope attribute.
Hash
Zero or more. The hash generated on the object.
FuzzyHash
Zero or more. The fuzzy hash of the object.
A single instance of Hash or FuzzyHash MUST be present.
The HashData class has one attribute:
scope
Required. ENUM. Describes the scope of the hash on a type of
object. These values are maintained in the "HashData-scope" IANA
registry per Table 1.
1. file-contents. A hash computed over the entire contents of a
file.
2. file-pe-section. A hash computed on a given section of a
Windows Portable Executable (PE) file. If set to this value,
the HashTargetId class MUST identify the section being hashed.
This section is identified by an ordinal number (starting at
1) corresponding to the order in which the given section
header was defined in the Section Table of the PE file header.
3. file-pe-iat. A hash computed on the Import Address
Table (IAT) of a PE file. As IAT hashes are often tool
dependent, if this value is set, the HashTargetId class MUST
specify the tool used to generate the hash.
4. file-pe-resource. A hash computed on a given resource in a PE
file. If set to this value, the HashTargetId class MUST
identify the resource being hashed. This resource is
identified by an ordinal number (starting at 1) corresponding
to the order in which the given resource is declared in the
Resource Directory of the Data Dictionary in the PE file
header.
5. file-pdf-object. A hash computed on a given object in a
Portable Document Format (PDF) file. If set to this value,
the HashTargetId class MUST identify the object being hashed.
This object is identified by its offset in the PDF file.
6. email-hash. A hash computed over the headers and body of an
email message.
7. email-headers-hash. A hash computed over all of the headers
of an email message.
8. email-body-hash. A hash computed over the body of an email
message.
3.29.1. Hash Class
The Hash class describes a specific hash value, algorithm, and an
application used to generate it.
+-----------------------+
| Hash |
+-----------------------+
| |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ Application ]
+-----------------------+
Figure 53: The Hash Class
The aggregate classes that constitute Hash are:
ds:DigestMethod
One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG]
ds:DigestValue
One. The computed hash value. See Section 4.3.3.6 of
[W3C.XMLSIG].
Application
Zero or One. The application used to calculate the hash.
The Hash class has no attributes.
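The HashData @scope values and the Hash class above, carried through in code as an added example (not code from the draft or from an IODEF implementation). It selects the bytes a scope covers (whole file, whole message, headers only or body only), emits a HashData element whose Hash children use XML Signature ds:DigestMethod and ds:DigestValue, and verifies a received fragment by recomputing every digest. The IODEF namespace URI is an assumption; the ds: namespace and the SHA-1 and SHA-256 algorithm URIs are the XML Signature and XML Encryption identifiers. The PE and PDF scopes, which need a HashTarget, are deliberately rejected rather than guessed at. The sample message is constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumed IODEF v2 namespace (not stated in the excerpt); ds: is XML Signature.
IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# DigestMethod algorithm URIs this example understands.
DIGEST_URIS = {
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
}
URI_TO_ALGO = {uri: algo for algo, uri in DIGEST_URIS.items()}


def _q(ns, name):
    return f"{{{ns}}}{name}"


def scoped_bytes(obj, scope):
    """Select the bytes that a HashData @scope value covers.

    Email scopes split the message at the first blank line, as RFC 5322 does.
    The PE and PDF scopes need a HashTarget to pick the section, resource or
    object and are not handled here.
    """
    if scope in ("file-contents", "email-hash"):
        return obj
    if scope in ("email-headers-hash", "email-body-hash"):
        headers, sep, body = obj.partition(b"\r\n\r\n")
        if not sep:
            headers, sep, body = obj.partition(b"\n\n")
        return headers if scope == "email-headers-hash" else body
    raise ValueError(f"scope {scope!r} requires a HashTarget and is not supported here")


def build_hash_data(obj, scope, algos=("sha256",)):
    """Emit a HashData element with one Hash child per requested algorithm."""
    hash_data = ET.Element(_q(IODEF_NS, "HashData"), {"scope": scope})
    data = scoped_bytes(obj, scope)
    for algo in algos:
        digest = hashlib.new(algo, data).digest()
        h = ET.SubElement(hash_data, _q(IODEF_NS, "Hash"))
        ET.SubElement(h, _q(DS_NS, "DigestMethod"), {"Algorithm": DIGEST_URIS[algo]})
        ET.SubElement(h, _q(DS_NS, "DigestValue")).text = base64.b64encode(digest).decode("ascii")
    return ET.tostring(hash_data, encoding="unicode")


def verify_hash_data(xml_text, obj):
    """Recompute every Hash in a received HashData fragment over obj.

    Returns False when the scope is unsupported, when no Hash is present (the
    draft requires at least one Hash or FuzzyHash), when an algorithm URI is
    unknown, or when any digest differs.  Comparison is constant-time.
    """
    hash_data = ET.fromstring(xml_text)
    try:
        data = scoped_bytes(obj, hash_data.get("scope"))
    except ValueError:
        return False
    hashes = hash_data.findall(_q(IODEF_NS, "Hash"))
    if not hashes:
        return False
    for h in hashes:
        algo = URI_TO_ALGO.get(h.find(_q(DS_NS, "DigestMethod")).get("Algorithm"))
        if algo is None:
            return False
        expected = base64.b64decode(h.find(_q(DS_NS, "DigestValue")).text)
        if not hmac.compare_digest(hashlib.new(algo, data).digest(), expected):
            return False
    return True


# Constructed sample message; not a real capture.
SAMPLE_EMAIL = (b"From: sender@example.com\r\nSubject: Invoice\r\n\r\n"
                b"Please see the attached file.\r\n")

if __name__ == "__main__":
    fragment = build_hash_data(SAMPLE_EMAIL, "email-body-hash")
    print(fragment)
    print(verify_hash_data(fragment, SAMPLE_EMAIL))
```

An email-body-hash fragment still verifies after the Subject: line changes but fails once a single byte of the body differs, which is the property that makes the scoped hashes usable as indicators across re-sent or re-headered copies of the same message.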
3.29.2. FuzzyHash Class
The FuzzyHash class describes a fuzzy hash (in an extensible way) and
the application used to generate it.
+--------------------------+
| FuzzyHash |
+--------------------------+
| |<>--{0..*}--[ AdditionalData ]
| |<>--{0..1}--[ Application ]
+--------------------------+
Figure 54: The FuzzyHash Class
The aggregate classes that constitute FuzzyHash are:
AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9.
Application
Zero or One. The application used to calculate the hash.
The FuzzyHash class has no attributes.
3.30. SignatureData Class
The SignatureData class describes different signatures on a given
object.
+--------------------------+
| SignatureData |
+--------------------------+
| |<>--{1..*}--[ ds:Signature ]
+--------------------------+
Figure 55: The SignatureData Class
The aggregate classes that constitute SignatureData are:
Signature
One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
The SignatureData class has no attributes.
3.31. IndicatorData Class
The IndicatorData class describes the indicators identified from The IndicatorData class describes the indicators identified from
analysis of an incident. analysis of an incident.
+--------------------------+ +--------------------------+
| IndicatorData | | IndicatorData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ Indicator ] | |<>--{1..*}--[ Indicator ]
+--------------------------+ +--------------------------+
Figure 49: The IndicatorData Class Figure 56: The IndicatorData Class
The aggregate class that constitutes IndicatorData is: The aggregate class that constitutes IndicatorData is:
Indicator Indicator
One or more. An indicator from the incident. One or more. An indicator from the incident.
The IndicatorData class has no attributes. The IndicatorData class has no attributes.
3.29. Indicator Class 3.32. Indicator Class
The Indicator class describes a cyber indicator. An indicator The Indicator class describes a cyber indicator. An indicator
consists of observable features and phenomena that aid in the consists of observable features and phenomena that aid in the
forensic or proactive detection of malicious activity, and associated forensic or proactive detection of malicious activity, and associated
meta-data. This indicator can be described outright or reference meta-data. This indicator can be described outright or reference
observable features and phenomena described elsewhere in the observable features and phenomena described elsewhere in the
incident information. Portions of an incident description can be incident information. Portions of an incident description can be
composed to define an indicator, as can the indicators themselves. composed to define an indicator, as can the indicators themselves.
+--------------------+ +--------------------+
skipping to change at page 79, line 22 skipping to change at page 81, line 52
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ] | |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ] | |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ] | |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ] | |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------+ +--------------------+
Figure 50: The Indicator Class Figure 57: The Indicator Class
The aggregate classes that constitute Indicator are: The aggregate classes that constitute Indicator are:
IndicatorID IndicatorID
One. An identifier for this indicator. See Section 3.29.1. One. An identifier for this indicator. See Section 3.32.1.
AlternativeIndicatorID AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See Zero or one. An alternative identifier for this indicator. See
Section 3.29.2. Section 3.32.2.
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
indicator. indicator.
StartTime StartTime
Zero or one. DATETIME. A timestamp of the start of the time Zero or one. DATETIME. A timestamp of the start of the time
period during which this indicator is valid. period during which this indicator is valid.
EndTime EndTime
skipping to change at page 80, line 7 skipping to change at page 82, line 36
Confidence Confidence
Zero or one. An estimate of the confidence in the quality of the Zero or one. An estimate of the confidence in the quality of the
indicator. See Section 3.14.5. indicator. See Section 3.14.5.
Contact Contact
Zero or more. Contact information for this indicator. See Zero or more. Contact information for this indicator. See
Section 3.10. Section 3.10.
Observable Observable
Zero or one. An observable feature or phenomenon of this Zero or one. An observable feature or phenomenon of this
indicator. See Section 3.29.3. indicator. See Section 3.32.3.
ObservableReference ObservableReference
Zero or one. A reference to a feature or phenomenon defined Zero or one. A reference to a feature or phenomenon defined
elsewhere in the document. See Section 3.29.5. elsewhere in the document. See Section 3.32.5.
IndicatorExpression IndicatorExpression
Zero or one. A composition of observables. See Section 3.29.4. Zero or one. A composition of observables. See Section 3.32.4.
IndicatorReference IndicatorReference
Zero or one. A reference to an indicator. Zero or one. A reference to an indicator.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
The Indicator class MUST have exactly one instance of an Observable, The Indicator class MUST have exactly one instance of an Observable,
IndicatorExpression, ObservableReference, or IndicatorReference IndicatorExpression, ObservableReference, or IndicatorReference
skipping to change at page 80, line 40 skipping to change at page 83, line 22
If neither class is provided, the indicator is considered valid If neither class is provided, the indicator is considered valid
during any time interval. If only a StartTime is provided, the during any time interval. If only a StartTime is provided, the
indicator is valid anytime after this timestamp. If only an EndTime indicator is valid anytime after this timestamp. If only an EndTime
is provided, the indicator is valid anytime prior to this timestamp. is provided, the indicator is valid anytime prior to this timestamp.
The Indicator class has one attribute: The Indicator class has one attribute:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
3.29.1. IndicatorID Class 3.32.1. IndicatorID Class
The IndicatorID class identifies an indicator with a globally unique The IndicatorID class identifies an indicator with a globally unique
identifier. The combination of the name and version attributes, and identifier. The combination of the name and version attributes, and
the element content form this identifier. Indicators generated by the element content form this identifier. Indicators generated by
given CSIRT MUST NOT reuse the same value unless they are referencing given CSIRT MUST NOT reuse the same value unless they are referencing
the same indicator. the same indicator.
+------------------+ +------------------+
| IndicatorID | | IndicatorID |
+------------------+ +------------------+
| ID | | ID |
| | | |
| STRING name | | STRING name |
| STRING version | | STRING version |
+------------------+ +------------------+
Figure 51: The IndicatorID Class Figure 58: The IndicatorID Class
The IndicatorID class has two attributes: The IndicatorID class has two attributes:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the indicator. In order to have a globally unique CSIRT created the indicator. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. This format is identical to the IncidentID@name MUST be used. This format is identical to the IncidentID@name
attribute in Section 3.4. attribute in Section 3.4.
version version
Required. STRING. A version number of an indicator. Required. STRING. A version number of an indicator.
3.29.2. AlternativeIndicatorID Class 3.32.2. AlternativeIndicatorID Class
The AlternativeIndicatorID class lists alternative identifiers for an The AlternativeIndicatorID class lists alternative identifiers for an
indicator. indicator.
+-------------------------+ +-------------------------+
| AlternativeIndicatorID | | AlternativeIndicatorID |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ] | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| | | |
+-------------------------+ +-------------------------+
Figure 52: The AlternativeIndicatorID Class Figure 59: The AlternativeIndicatorID Class
The aggregate class that constitutes AlternativeIndicatorID is: The aggregate class that constitutes AlternativeIndicatorID is:
IndicatorReference IndicatorReference
One or more. A reference to an indicator. One or more. A reference to an indicator.
The AlternativeIndicatorID class has one attribute: The AlternativeIndicatorID class has one attribute:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. This attribute has been defined in Section 3.2.
3.29.3. Observable Class 3.32.3. Observable Class
The Observable class describes a feature and phenomenon that can be The Observable class describes a feature and phenomenon that can be
observed or measured for the purposes of detecting malicious observed or measured for the purposes of detecting malicious
behavior. behavior.
+-------------------+ +-------------------+
| Observable | | Observable |
+-------------------+ +-------------------+
| |<>--{0..1}--[ Address ] | |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ] | |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ ApplicationHeader ] | |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ] | |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ]
| |<>--{0..1}--[ RecordData ] | |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..*}--[ enum:Reference ] | |<>--{0..*}--[ enum:Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 53: The Observable Class Figure 60: The Observable Class
The aggregate classes that constitute Observable are: The aggregate classes that constitute Observable are:
Address Address
Zero or One. An Address observable. See Section 3.20.1. Zero or One. An Address observable. See Section 3.20.1.
DomainData DomainData
Zero or One. A DomainData observable. See Section 3.21. Zero or One. A DomainData observable. See Section 3.21.
Service Service
skipping to change at page 83, line 7 skipping to change at page 85, line 50
Zero or One. An EmailData observable. See Section 3.24. Zero or One. An EmailData observable. See Section 3.24.
ApplicationHeader ApplicationHeader
Zero or One. An ApplicationHeader observable. See Zero or One. An ApplicationHeader observable. See
Section 3.22.1. Section 3.22.1.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or One. A WindowsRegistryKeysModified observable. See Zero or One. A WindowsRegistryKeysModified observable. See
Section 3.26. Section 3.26.
HashData FileData
Zero or One. A HashData observable. See Section 3.27. Zero or One. A FileData observable. See Section 3.28.
CertificateData
Zero or One. A CertificateData observable. See Section 3.27.
RecordData RecordData
Zero or One. A RecordData observable. See Section 3.25.1. Zero or One. A RecordData observable. See Section 3.25.1.
EventData EventData
Zero or One. An EventData observable. See Section 3.16. Zero or One. An EventData observable. See Section 3.16.
Incident Incident
Zero or One. An Incident observable. See Section 3.2. Zero or One. An Incident observable. See Section 3.2.
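Review bot: the order of the two new aggregate entries does not match their section numbers; in both Figure 60 and the list, FileData (Section 3.28) is placed before CertificateData (Section 3.27), so either swap the two entries or renumber the sections so a reader following the figure top to bottom meets the sections in order. Also, "Zero or One. A EmailData observable." should read "An EmailData observable." (carried over from -09).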
skipping to change at page 83, line 43 skipping to change at page 86, line 41
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
The Observable class MUST have exactly one of the possible child The Observable class MUST have exactly one of the possible child
classes. classes.
The Observable class has no attributes. The Observable class has no attributes.
3.29.4. IndicatorExpression Class 3.32.4. IndicatorExpression Class
The IndicatorExpression describes an expression composed of observed The IndicatorExpression describes an expression composed of observed
phenomenon or features, or indicators. Elements of the expression phenomenon or features, or indicators. Elements of the expression
can be described directly, reference relevant data from other parts can be described directly, reference relevant data from other parts
of a given IODEF document, or reference previously defined of a given IODEF document, or reference previously defined
indicators. indicators.
All child classes of a given instance of IndicatorExpression form a All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is boolean algebraic expression where the operator between them is
determined by the operator attribute. Nesting an IndicatorExpression determined by the operator attribute. Nesting an IndicatorExpression
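Review bot: the constraint "The Observable class MUST have exactly one of the possible child classes." conflicts with the multiplicities in Figure 60, where Expectation, enum:Reference and AdditionalData are all shown as {0..*}; either restate the rule as "exactly one of the observable child classes, plus zero or more AdditionalData" (and reduce Expectation and Reference to {0..1}), or change the figure so that every child is {0..1}. Minor: in the IndicatorExpression text, "observed phenomenon or features, or indicators" should be "observed phenomena or features, or indicators".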
skipping to change at page 84, line 20 skipping to change at page 87, line 15
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 54: The IndicatorExpression Class Figure 61: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are: The aggregate classes that constitute IndicatorExpression are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. indicators.
Observable Observable
Zero or more. A description of an observable. Zero or more. A description of an observable.
skipping to change at page 85, line 11 skipping to change at page 88, line 5
elements. elements.
1. not. negation operator. 1. not. negation operator.
2. and. conjunction operator. 2. and. conjunction operator.
3. or. disjunction operator. 3. or. disjunction operator.
4. xor. exclusive disjunction operator. 4. xor. exclusive disjunction operator.
3.29.5. ObservableReference Class 3.32.5. ObservableReference Class
The ObservableReference describes a reference to an observable The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document. feature or phenomenon described elsewhere in the document.
This class has no content. This class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 55: The ObservableReference Class Figure 62: The ObservableReference Class
The ObservableReference class has one attributes: The ObservableReference class has one attributes:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in the observable-id attribute.
3.29.6. IndicatorReference Class 3.32.6. IndicatorReference Class
The IndicatorReference describes a reference to an indicator. This The IndicatorReference describes a reference to an indicator. This
reference may be to an indicator described in the IODEF document or reference may be to an indicator described in the IODEF document or
in a previously exchanged IODEF document. in a previously exchanged IODEF document.
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 56: The IndicatorReference Class Figure 63: The IndicatorReference Class
The IndicatorReference class has one attributes: The IndicatorReference class has one attributes:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class. class will have this identifier set in the IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
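Review bot: IndicatorReference is declared EMPTY and both uid-ref and euid-ref are Optional, so an IndicatorReference element with no attributes at all is schema-valid yet references nothing; the text should state that exactly one of uid-ref or euid-ref MUST be present (and that version only applies with euid-ref, if that is the intent). Two counting errors in the same hunk: "The ObservableReference class has one attributes:" should be "one attribute", and "The IndicatorReference class has one attributes:" lists three (uid-ref, euid-ref, version), so it should say "three attributes".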
skipping to change at page 88, line 18 skipping to change at page 91, line 12
o The Address@type attribute determines the format of the element o The Address@type attribute determines the format of the element
content. content.
o The attributes AdditionalData@dtype and RecordItem@dtype derived o The attributes AdditionalData@dtype and RecordItem@dtype derived
from iodef:ExtensionType determine the semantics and formatting of from iodef:ExtensionType determine the semantics and formatting of
the element content. the element content.
o Symmetry in the enumerated ports of a Portlist class is required o Symmetry in the enumerated ports of a Portlist class is required
between sources and targets. See Section 3.22. between sources and targets. See Section 3.22.
o The enumerated values present in this document are a static list
that will be incomplete over time as select attributes can be
extended by a corresponded IANA registry. See Table 1. Hence,
the schema to validate a given document MUST be dynamically
generated from these registry values.
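Review bot: the new bullet places a normative MUST on generating the validation schema dynamically from the IANA registry, but it does not say where an implementation obtains the registry contents, how often it must refresh them, or what a validator does with a document that carries a value it has not yet learned (reject, or accept and flag); without that, two conforming implementations can disagree on whether the same document is valid. Wording: "corresponded IANA registry" should be "corresponding IANA registry".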
4.4. Incompatibilities with v1 4.4. Incompatibilities with v1
Version 2 of the IODEF data model makes a number of changes to Version 2 of the IODEF data model makes a number of changes to
[RFC5070]. Largely, these changes were additive in nature -- classes [RFC5070]. Largely, these changes were additive in nature -- classes
and enumerated values were added. The following is a list of and enumerated values were added. The following is a list of
incompatibilities where the data model has changed between versions: incompatibilities where the data model has changed between versions:
o The IODEF-Document@version attribute is set to "2.0". o The IODEF-Document@version attribute is set to "2.0".
o The Service@ip_protocol attribute was renamed to @ip-protocol. o The Service@ip_protocol attribute was renamed to @ip-protocol.
skipping to change at page 88, line 39 skipping to change at page 91, line 39
o The Node/NodeName class was removed in favor of representing o The Node/NodeName class was removed in favor of representing
domain names with Node/DomainData/Name class. The Node/DataTime domain names with Node/DomainData/Name class. The Node/DataTime
class was also removed so that the Node/DomainData/ class was also removed so that the Node/DomainData/
DateDomainWasChecked class can represent the time at which the DateDomainWasChecked class can represent the time at which the
name to address resolution occurred. name to address resolution occurred.
o The Node/NodeRole class was moved to System/NodeRole. o The Node/NodeRole class was moved to System/NodeRole.
o The Reference class is now defined by [RFC-ENUM]. o The Reference class is now defined by [RFC-ENUM].
o Extending enumerated values is now handled through collection of
IANA registries. All attributes of with a name prefixed by "ext-"
have been removed.
o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has
been removed.
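Review bot: the two new incompatibility bullets need grammatical cleanup: "handled through collection of IANA registries" should be "handled through a collection of IANA registries", and "All attributes of with a name prefixed by "ext-"" should be "All attributes with a name prefixed by "ext-"". Also, since the list is meant to enumerate every non-additive change, it should mention that the "ext-value" enumeration token itself is gone from every extensible attribute, not only the ext-* attributes. Pre-existing in both columns: "The Node/DataTime class" is presumably "The Node/DateTime class".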
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the changing activity of CSIRTS, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
IODEF schema. With proven value, well documented extensions can be IODEF schema. With proven value, well documented extensions can be
incorporated into future versions of the specification. However, incorporated into future versions of the specification. However,
this approach also supports private extensions relevant only to a this approach also supports private extensions relevant only to a
closed consortium. closed consortium.
5.1. Extending the Enumerated Values of Attributes 5.1. Extending the Enumerated Values of Attributes
The data model supports a means by which to add new enumerated values Select enumerated value of the attributes defined in the data model
to an attribute. For each attribute that supports this extension can be extended by adding entries to the corresponding IANA registry.
technique, there is a corresponding attribute in the same element See Table 1.
whose name is identical, less a prefix of "ext-". This special
attribute is referred to as the extension attribute, and the
attribute being extended is referred to as an extensible attribute.
For example, an extensible attribute named "foo" will have a
corresponding extension attribute named "ext-foo". An element may
have many extensible, and therefore many extension, attributes.
In addition to a corresponding extension attribute, each extensible
attribute has "ext-value" as one its possible values. This
particular value serves as an escape sequence and has no valid
meaning.
In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute.
For example, an extended instance of the type attribute of the Impact
class would look as follows:
<Impact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value".
5.2. Extending Classes 5.2. Extending Classes
The classes of the data model can be extended only through the use of The classes of the data model can be extended only through the use of
the AdditionalData and RecordItem classes. These container classes, the AdditionalData and RecordItem classes. These container classes,
collectively referred to as the extensible classes, are implemented collectively referred to as the extensible classes, are implemented
with the iodef:ExtensionType data type in the schema. They provide with the iodef:ExtensionType data type in the schema. They provide
the ability to have new atomic or XML-encoded data elements in all of the ability to have new atomic or XML-encoded data elements in all of
the top-level classes of the Incident class and a few of the more the top-level classes of the Incident class and a few of the more
complicated subordinate classes. As there are multiple instances of complicated subordinate classes. As there are multiple instances of
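Review bot: the replacement text for Section 5.1, "Select enumerated value of the attributes defined in the data model can be extended by adding entries to the corresponding IANA registry.", should read "Selected enumerated values of the attributes defined in the data model can be extended ...". It would also help to say explicitly that the "ext-value" escape and the "ext-" attributes of [RFC5070] are no longer available, since Section 5.2 immediately afterwards still calls AdditionalData and RecordItem "the extensible classes" and a reader of v1 may expect the old attribute mechanism to survive alongside them.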
skipping to change at page 101, line 9 skipping to change at page 103, line 37
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="purpose" use="required"> <xs:attribute name="purpose" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/> <xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/> <xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/> <xs:enumeration value="reporting"/>
<xs:enumeration value="watch" /> <xs:enumeration value="watch" />
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="lang" <xs:attribute name="lang"
type="xs:language"/> type="xs:language"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" default="private"/> type="iodef:restriction-type" default="private"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
skipping to change at page 104, line 49 skipping to change at page 107, line 26
<xs:enumeration value="tech"/> <xs:enumeration value="tech"/>
<xs:enumeration value="provider"/> <xs:enumeration value="provider"/>
<xs:enumeration value="zone"/> <xs:enumeration value="zone"/>
<xs:enumeration value="user"/> <xs:enumeration value="user"/>
<xs:enumeration value="billing"/> <xs:enumeration value="billing"/>
<xs:enumeration value="legal"/> <xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/> <xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/> <xs:enumeration value="irt"/>
<xs:enumeration value="cc"/> <xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/> <xs:enumeration value="cc-irt"/>
<xs:enumeration value="le"/> <xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/> <xs:enumeration value="vendor"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/> <xs:enumeration value="person"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="ContactName" <xs:element name="ContactName"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="ContactTitle" <xs:element name="ContactTitle"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="RegistryHandle"> <xs:element name="RegistryHandle">
<xs:complexType> <xs:complexType>
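Review bot: renaming the Contact@role enumeration value "le" to "leo" is not an additive change, so it should be listed in Section 4.4 alongside the other renames (the ip_protocol to ip-protocol rename is already there); a v1 document with role="le" no longer validates against this schema. The additions "vendor-services", "victim" and "victim-notified" are fine as registry entries, but check that they also appear in the corresponding IANA registry table referenced in Section 5.1.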
skipping to change at page 105, line 43 skipping to change at page 108, line 16
<xs:attribute name="registry"> <xs:attribute name="registry">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/> <xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/> <xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/> <xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/> <xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/> <xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/> <xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/> <xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="PostalAddress"> <xs:element name="PostalAddress">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
skipping to change at page 106, line 44 skipping to change at page 109, line 16
<xs:element name="ReportTime" <xs:element name="ReportTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="DetectTime" <xs:element name="DetectTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="StartTime" <xs:element name="StartTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="EndTime" <xs:element name="EndTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="RecoveryTime" <xs:element name="RecoveryTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="GenerationTime"
type="xs:dateTime"/>
<xs:element name="Timezone" <xs:element name="Timezone"
type="iodef:TimezoneType"/> type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType"> <xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/> <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<!-- <!--
================================================================== ==================================================================
== History class == == History class ==
skipping to change at page 107, line 39 skipping to change at page 110, line 13
<xs:element name="DefinedCOA" <xs:element name="DefinedCOA"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" use="required"/> type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Expectation class == == Expectation class ==
================================================================== ==================================================================
--> -->
<xs:element name="Expectation"> <xs:element name="Expectation">
skipping to change at page 108, line 24 skipping to change at page 110, line 44
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" default="other"/> type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Discovery class == == Discovery class ==
================================================================== ==================================================================
--> -->
skipping to change at page 108, line 50 skipping to change at page 111, line 20
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern" <xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="source" <xs:attribute name="source"
use="optional" default="unknown"> use="optional" default="unknown">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="idps"/> <xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/> <xs:enumeration value="siem"/>
<xs:enumeration value="av"/> <xs:enumeration value="av"/>
<xs:enumeration value="file-integrity"/>
<xs:enumeration value="third-party-monitoring"/> <xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/> <xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/> <xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/> <xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/> <xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/> <xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/> <xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/> <xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DetectionPattern"> <xs:element name="DetectionPattern">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Application"/> <xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
skipping to change at page 110, line 22 skipping to change at page 112, line 42
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Assessment class == == Assessment class ==
================================================================== ==================================================================
--> -->
<xs:element name="Assessment"> <xs:element name="Assessment">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="IncidentCategory"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/> <xs:element ref="iodef:SystemImpact"/>
<xs:element ref="iodef:BusinessImpact"/> <xs:element name="BusinessImpact"
type="iodef:BusinessImpactType/>
<xs:element ref="iodef:TimeImpact"/> <xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/> <xs:element ref="iodef:MonetaryImpact"/>
<xs:element name="IntendedImpact"
type="iodef:BusinessImpactType/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="MitigatingFactor" <xs:element name="MitigatingFactor"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
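Review bot: the two new local element declarations in Assessment are malformed XML and will make the whole schema fail to parse: `type="iodef:BusinessImpactType/>` is missing the closing quote on the type attribute, on both the BusinessImpact and the IntendedImpact lines. Both should read `type="iodef:BusinessImpactType"/>`. Separately, Section 4.4 says the data previously in Impact now lives in SystemImpact and IncidentCategory, but IncidentCategory is declared here as a plain iodef:MLStringType, so the former Impact@type values (admin, dos, extortion, file, info-leak, ...) have no enumerated home in the schema; if IncidentCategory is meant to be registry-controlled per Section 5.1, say so in its class description.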
skipping to change at page 110, line 51 skipping to change at page 113, line 29
<xs:enumeration value="potential"/> <xs:enumeration value="potential"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Impact"> <xs:element name="SystemImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="completion"> <xs:attribute name="completion">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/> <xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/> <xs:enumeration value="succeeded"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="type" <xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="BusinessImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional"> use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/>
<xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/>
<xs:enumeration value="availibility-account"/>
<xs:enumeration value="availibility-service"/>
<xs:enumeration value="availibility-system"/>
<xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/> <xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-privacy"/>
<xs:enumeration value="loss-of-integrity"/> <xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-service" /> <xs:enumeration value="breach-configuration"/>
<xs:enumeration value="loss-financial"/> <xs:enumeration value="integrity-data"/>
<xs:enumeration value="degraded-reputation"/> <xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="asset-damage"/> <xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="asset-manipulation"/> <xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="legal"/> <xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:complexType name="BusinessImpactType">
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="TimeImpact"> <xs:element name="TimeImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="metric" <xs:attribute name="metric"
use="required"> use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/> <xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/> <xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/> <xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="MonetaryImpact"> <xs:element name="MonetaryImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
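Review bot: the new BusinessImpactType defines its own inline severity enumeration (none, low, medium, high, unknown) on its `severity` attribute, while TimeImpact and MonetaryImpact in the same region reference the shared `iodef:severity-type`; if the two value sets are meant to be identical, declare it as `type="iodef:severity-type"` here too so the schema has one definition to maintain. Separately, the right column removes `ext-value` from the enumeration and drops the `ext-type` attribute, and BusinessImpactType's `type` attribute has no extension point either; if dropping the ext-* mechanism is the intended direction for the schema, say so in the change log, because a reader comparing against the left column will otherwise take it for an omission.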
skipping to change at page 115, line 18 skipping to change at page 117, line 45
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== System class == == System class ==
================================================================== ==================================================================
--> -->
<xs:element name="System"> <xs:element name="System">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/> <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element name="NodeRole"> <xs:element ref="iodef:NodeRole"
<xs:complexType> minOccurs="0" maxOccurs="unbounded" />
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail" />
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element ref="iodef:Service" <xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem" <xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string" <xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
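Review bot: the replacement `<xs:element ref="iodef:NodeRole" minOccurs="0" maxOccurs="unbounded" />` does more than hoist the inline definition to a global element: the inline `<xs:element name="NodeRole">` it replaces carried no occurrence constraints, so a System previously required exactly one NodeRole and now accepts zero or more. That is a compatibility-relevant change to the System class and should be described explicitly rather than left implicit in the refactoring.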
skipping to change at page 117, line 16 skipping to change at page 118, line 22
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="category"> <xs:attribute name="category">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/> <xs:enumeration value="source"/>
<xs:enumeration value="target"/> <xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/> <xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/> <xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface" <xs:attribute name="interface"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type" <xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" /> default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type" <xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/> use="optional" default="unknown"/>
<xs:attribute name="ownership"> <xs:attribute name="ownership">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="personal"/> <xs:enumeration value="personal"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
<xs:enumeration value="customer"/> <xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/> <xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Node class == == Node class ==
================================================================== ==================================================================
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
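Review bot: `spoofed` and `virtual` are declared with `type="yes-no-unknown-type"` in both columns, without the `iodef:` prefix that every other type reference in this region carries (for example `type="iodef:restriction-type"` a few lines above). Unless the schema header declares the IODEF namespace as the default namespace, an unprefixed QName resolves to no namespace and the attribute type will not be found; since this hunk already touches the surrounding attribute declarations, make them `iodef:yes-no-unknown-type` for consistency.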
skipping to change at page 118, line 39 skipping to change at page 119, line 40
<xs:enumeration value="atm"/> <xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/> <xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/> <xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/> <xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/> <xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" <xs:attribute name="vlan-name"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="vlan-num" <xs:attribute name="vlan-num"
type="xs:integer"/> type="xs:integer"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail" />
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Service Class == == Service Class ==
================================================================== ==================================================================
--> -->
<xs:element name="Service"> <xs:element name="Service">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice minOccurs="0"> <xs:choice minOccurs="0">
<xs:element name="Port" <xs:element name="Port"
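Review bot: the new global NodeRole declaration is not a verbatim move of the definition removed from System: it adds `anonymization` to the category enumeration and, like the other enumerations in this revision, drops `ext-value` and the `ext-category` attribute. Make sure the prose definition list for NodeRole@category gains an entry for `anonymization`, and mention the new value in the change log so the difference from the former inline definition is visible to readers of the diff rather than buried in a block that looks like a pure relocation.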
skipping to change at page 120, line 20 skipping to change at page 122, line 40
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="packet"/> <xs:enumeration value="packet"/>
<xs:enumeration value="flow"/> <xs:enumeration value="flow"/>
<xs:enumeration value="session"/> <xs:enumeration value="session"/>
<xs:enumeration value="event"/> <xs:enumeration value="event"/>
<xs:enumeration value="alert"/> <xs:enumeration value="alert"/>
<xs:enumeration value="message"/> <xs:enumeration value="message"/>
<xs:enumeration value="host"/> <xs:enumeration value="host"/>
<xs:enumeration value="site"/> <xs:enumeration value="site"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== EmailData class == == EmailData class ==
================================================================== ==================================================================
--> -->
skipping to change at page 121, line 6 skipping to change at page 123, line 22
<xs:sequence> <xs:sequence>
<xs:element name="EmailFrom" <xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer" <xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField" <xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType" type="iodef:ApplicationHeaderType"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="SignatureData"
minOccurs="0" />
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== DomainData class - from RFC5901 == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
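Review bot: `<xs:element ref="SignatureData" minOccurs="0" />` is missing the `iodef:` namespace prefix that the sibling `<xs:element ref="iodef:HashData" minOccurs="0" />` and every other `ref` on this page use; SignatureData is declared in this schema, so the reference should read `ref="iodef:SignatureData"` or it will not resolve under the namespace conventions the rest of the schema follows. Also note that the HashData referenced here now carries a required `scope` attribute whose enumeration mixes file and email scopes, so the EmailData prose should state which scope values are meaningful under it.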
skipping to change at page 121, line 51 skipping to change at page 124, line 22
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/> <xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/> <xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/> <xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/> <xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status"> <xs:attribute name="domain-status">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/> <xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/> <xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/> <xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/> <xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/> <xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/> <xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/> <xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/> <xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/> type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType"> <xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
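Review bot: `system-status` and `domain-status` restrict `xs:string` rather than the `xs:NMTOKEN` base that every other enumerated attribute on this page uses; since the hunk already edits these two attribute declarations (removing `ext-system-status` and `ext-domain-status`), switching the base to `xs:NMTOKEN` would make whitespace handling uniform across the schema's enumerations. The listed values validate either way, so this is a consistency point rather than a validation bug.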
skipping to change at page 123, line 25 skipping to change at page 125, line 40
<xs:enumeration value="SIG"/> <xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/> <xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/> <xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/> <xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/> <xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/> <xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/> <xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/> <xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/> <xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/> <xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-record-type"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:element name="Nameservers"> <xs:element name="Nameservers">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/> <xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DomainContacts"> <xs:element name="DomainContacts">
<xs:complexType> <xs:complexType>
<xs:choice> <xs:choice>
<xs:element name="SameDomainContact" <xs:element name="SameDomainContact"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
skipping to change at page 124, line 36 skipping to change at page 126, line 48
<xs:element ref="iodef:DateTime" <xs:element ref="iodef:DateTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RecordPattern" <xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem" <xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData" <xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordPattern"> <xs:element name="RecordPattern">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/> <xs:enumeration value="regex"/>
<xs:enumeration value="binary"/> <xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/> <xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset" <xs:attribute name="offset"
type="xs:integer" use="optional"/> type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit" <xs:attribute name="offsetunit"
use="optional" default="line"> use="optional" default="line">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/> <xs:enumeration value="line"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance" <xs:attribute name="instance"
type="xs:integer" use="optional"/> type="xs:integer" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordItem" <xs:element name="RecordItem"
type="iodef:ExtensionType"/> type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
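Review bot: replacing `<xs:element ref="iodef:HashData"` with `<xs:element ref="iodef:FileData"` in RecordData is a breaking change, not a rename: a hash is now reachable only as RecordData/FileData/File/HashData, and the new HashData requires a `scope` attribute, so a draft-09 document carrying RecordData/HashData directly no longer validates. State the incompatibility and the migration path in the change log. The added `<xs:element ref="iodef:CertificateData"` reference is fine, but while this hunk is open, RecordPattern's `offset` and `instance` remain `xs:integer`, which admits negative values; `xs:nonNegativeInteger` would express the intended domain.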
skipping to change at page 126, line 16 skipping to change at page 128, line 25
</xs:sequence> </xs:sequence>
<xs:attribute name="registryaction"> <xs:attribute name="registryaction">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/> <xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/> <xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/> <xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/> <xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/> <xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/> <xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ================================================================
== Classes that describe hash types, file information == == Classes to describe a file ==
== with certificate properties and digital signature info == ================================================================
== provided through the W3C digital signature schema == -->
== so it does not need to be maintained here. ==
================================================================== <xs:element name="FileData">
--> <xs:complexType>
<xs:element name="HashData"> <xs:sequence>
<xs:complexType> <xs:element ref="iodef:File"
<xs:sequence> minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="File">
<xs:complexType>
<xs:sequence>
<xs:element name="FileName" type="iodef:MLStringType" <xs:element name="FileName" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" />
<xs:element name="FileSize" type="xs:integer" <xs:element name="FileSize" type="xs:integer"
minOccurs="0" />
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="ds:Signature" <xs:element ref="ds:Signature"
minOccurs="0" />
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo" </xs:sequence>
minOccurs="0" maxOccurs="unbounded"/> <xs:attribute name="observable-id"
<xs:element ref="ds:Reference" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="FileProperties"
type="iodef:ExtensionType"/>
<!--
================================================================
== Classes to describe a hash ==
================================================================
-->
<xs:element name="HashData">
<xs:complexType>
<xs:sequence>
<xs:element name="HashTarget" type="iodef:MLStringType"
minOccurs="0"/>
<xs:element ref="iodef:Hash"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="type" use="optional"> <xs:attribute name="scope" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="PKI-email-ds"/> <xs:enumeration value="file-contents"/>
<xs:enumeration value="PKI-file-ds"/> <xs:enumeration value="file-pe-section"/>
<xs:enumeration value="PGP-email-ds"/> <xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="PGP-file-ds"/> <xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-hash"/> <xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/> <xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/> <xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/> <xs:enumeration value="email-body-hash"/>
<!-- QUESTION: Are values needed to differentiate the
key information shared when the ds:KeyInfo class
is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" </xs:complexType>
type="xs:string" use="optional"/> </xs:element>
<xs:attribute name="valid"
type="xs:boolean" use="optional" /> <xs:element name="Hash">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:DigestMethod" />
<xs:element ref="ds:DigestValue" />
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHash">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:AdditionalData" />
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
================================================================
== Classes to describe a signature ==
================================================================
-->
<xs:element name="SignatureData">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:Signature"
maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
================================================================
== Classes to describe a certficate ==
================================================================
-->
<xs:element name="CertificateData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Certificate"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Certificate">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:X509Data" />
</xs:sequence>
<xs:attribute name="virtual" type="yes-no-type"
use="optional" />
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Classes that describe software == == Classes that describe software ==
================================================================== ==================================================================
--> -->
<xs:complexType name="SoftwareType"> <xs:complexType name="SoftwareType">
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0"/> minOccurs="0"/>
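Review bot: the new HashData makes `scope` required but lets a single enumeration carry both file scopes (`file-contents`, `file-pe-section` and so on) and email scopes (`email-hash`, `email-headers-hash`, `email-body-hash`), while HashData itself is referenced from both File and EmailData; nothing in the schema stops `scope="email-body-hash"` under File or `scope="file-pe-iat"` under EmailData, so either split the type by parent or add a MUST in the prose. Three smaller points in the same region: FileData, File, CertificateData and Certificate all carry `observable-id`, but HashData and SignatureData do not, so a hash or signature cannot be referenced as an observable on its own; FuzzyHash carries its value only inside a required AdditionalData, so the prose must say which `dtype` and `formatid` identify the fuzzy-hash algorithm; and the comment header reads `== Classes to describe a certficate ==` (missing the second `i`). The `virtual` attribute on Certificate also uses the unprefixed `yes-no-type`, the same prefix issue as System's `spoofed` and `virtual`.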
skipping to change at page 129, line 50 skipping to change at page 133, line 49
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:DomainData" <xs:element ref="iodef:DomainData"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EmailData" <xs:element ref="iodef:EmailData"
minOccurs="0"/> minOccurs="0"/>
<xs:element name="ApplicationHeader" <xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType" type="iodef:ApplicationHeaderType"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:HashData" <xs:element ref="iodef:FileData"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RecordData" <xs:element ref="iodef:RecordData"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:EventData"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Incident" <xs:element ref="iodef:Incident"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Expectation" <xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="enum:Reference" <xs:element ref="enum:Reference"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" <xs:element ref="iodef:Assessment"
minOccurs="0"/> minOccurs="0"/>
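Review bot: the child element reference here changes from iodef:HashData to iodef:FileData, but the IANA table in Section 10.2 still registers "HashData-scope" against HashData@scope with a pointer to Section 3.29. If HashData has been renamed or folded into FileData, the registry name, attribute pointer and section reference need the same change; if both elements still exist, the table should say which one the registry covers, and FileData may need its own entry.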
skipping to change at page 132, line 4 skipping to change at page 135, line 49
</xs:simpleType> </xs:simpleType>
<xs:complexType name="MLStringType"> <xs:complexType name="MLStringType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="lang" <xs:attribute name="lang"
type="xs:language" use="optional"/> type="xs:language" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:complexType name="ExtensionType" mixed="true"> <xs:complexType name="ExtensionType" mixed="true">
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="dtype" <xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/> type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="formatid" <xs:attribute name="formatid"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
</xs:complexType> </xs:complexType>
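Review bot: the new optional ext-dtype attribute pairs with the "ext-value" enumeration added to dtype-type, but nothing in the schema ties the two together: a document can carry dtype="ext-value" with no ext-dtype, or an ext-dtype next to a regular dtype. XSD 1.0 cannot express that co-occurrence constraint, so the prose for AdditionalData (Section 3.9 per Table 1) should state that ext-dtype MUST be present when, and only when, dtype is "ext-value", and implementers should be told that a validator has to check this outside schema validation.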
<xs:complexType name="ApplicationHeaderType" mixed="true"> <xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence> <xs:sequence>
skipping to change at page 133, line 39 skipping to change at page 137, line 34
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="duration-type"> <xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/> <xs:enumeration value="second"/>
<xs:enumeration value="minute"/> <xs:enumeration value="minute"/>
<xs:enumeration value="hour"/> <xs:enumeration value="hour"/>
<xs:enumeration value="day"/> <xs:enumeration value="day"/>
<xs:enumeration value="month"/> <xs:enumeration value="month"/>
<xs:enumeration value="quarter"/> <xs:enumeration value="quarter"/>
<xs:enumeration value="year"/> <xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="action-type"> <xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/> <xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/> <xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/> <xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/> <xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/> <xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/> <xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/> <xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/> <xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/> <xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/> <xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/> <xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="redirect-traffic"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/> <xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/> <xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/> <xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/> <xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/> <xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/> <xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/> <xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
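Review bot: duration-type and action-type gain an "ext-value" enumeration here (dtype-type and proto-dtype-type get the same addition), and action-type also gains redirect-traffic, honeypot and harden-asset. The "ext-value" escape only works if each attribute typed with one of these enumerations has a companion ext-* string attribute, as ExtensionType gets with ext-dtype in this revision; the elements whose attributes use duration-type and action-type (TimeImpact and Expectation per Table 1) are outside this block, so confirm they carry the matching ext-* attributes. action-type now also contains both "other" and "ext-value"; the Expectation text should say when each applies, since "other" without further qualification conveys nothing a recipient can act on.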
<xs:simpleType name="dtype-type"> <xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/> <xs:enumeration value="bytes"/>
<xs:enumeration value="character"/> <xs:enumeration value="character"/>
<xs:enumeration value="date-time"/> <xs:enumeration value="date-time"/>
skipping to change at page 134, line 42 skipping to change at page 138, line 38
<xs:enumeration value="file"/> <xs:enumeration value="file"/>
<xs:enumeration value="path"/> <xs:enumeration value="path"/>
<xs:enumeration value="frame"/> <xs:enumeration value="frame"/>
<xs:enumeration value="packet"/> <xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/> <xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/> <xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/> <xs:enumeration value="url"/>
<xs:enumeration value="csv"/> <xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/> <xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/> <xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="proto-dtype-type"> <xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/> <xs:enumeration value="bytes"/>
<xs:enumeration value="character"/> <xs:enumeration value="character"/>
<xs:enumeration value="date-time"/> <xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/> <xs:enumeration value="integer"/>
<xs:enumeration value="real"/> <xs:enumeration value="real"/>
<xs:enumeration value="string"/> <xs:enumeration value="string"/>
<xs:enumeration value="xml"/> <xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="c2-server"/>
<xs:enumeration value="sink-hole"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema> </xs:schema>
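Review bot: the new att-type enumeration (c2-server, sink-hole, malware-distribution, ...) has no row in the Section 10.2 registry table, although that section states that each enumerated value in the schema gets a corresponding registry entry; either add an att-type registry with its schema type and section pointer, or state why it is excluded. Nothing in this schema fragment shows which attribute uses att-type, so the element that declares it should also be checked for the companion ext-* attribute that the "ext-value" entry implies.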
9. Security Considerations 9. Security Considerations
The IODEF data model itself does not directly introduce security The IODEF data model itself does not directly introduce security
issues. Rather, it simply defines a representation for incident issues. Rather, it simply defines a representation for incident
information. As the data encoded by the IODEF might be considered information. As the data encoded by the IODEF might be considered
privacy sensitive by the parties exchanging the information or by privacy sensitive by the parties exchanging the information or by
those described by it, care needs to be taken in ensuring the those described by it, care needs to be taken in ensuring the
appropriate disclosure during both document exchange and subsequent appropriate disclosure during both document exchange and subsequent
skipping to change at page 136, line 23 skipping to change at page 139, line 50
encoded information, the IODEF allows a document sender to convey a encoded information, the IODEF allows a document sender to convey a
privacy policy using the restriction attribute. The various privacy policy using the restriction attribute. The various
instances of this attribute allow different data elements of the instances of this attribute allow different data elements of the
document to be covered by dissimilar policies. While flexible, it document to be covered by dissimilar policies. While flexible, it
must be stressed that this approach only serves as a guideline from must be stressed that this approach only serves as a guideline from
the sender, as the recipient is free to ignore it. The issue of the sender, as the recipient is free to ignore it. The issue of
enforcement is not a technical problem. enforcement is not a technical problem.
10. IANA Considerations 10. IANA Considerations
This document registers a namespace, XML schema, and a number of
registries that map to enumerated values defined in the schema.
10.1. Namespace and Schema
This document uses URNs to describe an XML namespace and schema This document uses URNs to describe an XML namespace and schema
conforming to a registry mechanism described in [RFC3688] conforming to a registry mechanism described in [RFC3688]
Registration for the IODEF namespace: Registration for the IODEF namespace:
o URI: urn:ietf:params:xml:ns:iodef-2.0 o URI: urn:ietf:params:xml:ns:iodef-2.0
o Registrant Contact: See the first author of the "Author's Address" o Registrant Contact: See the first author of the "Author's Address"
section of this document. section of this document.
skipping to change at page 136, line 44 skipping to change at page 140, line 28
Registration for the IODEF XML schema: Registration for the IODEF XML schema:
o URI: urn:ietf:params:xml:schema:iodef-2.0 o URI: urn:ietf:params:xml:schema:iodef-2.0
o Registrant Contact: See the first author of the "Author's Address" o Registrant Contact: See the first author of the "Author's Address"
section of this document. section of this document.
o XML: See the "IODEF Schema" in Section 8 of this document. o XML: See the "IODEF Schema" in Section 8 of this document.
10.2. Enumerated Value Registries
This document creates xx identically structured registries to be
managed by IANA:
o Name of the parent registry: "Incident Object Description Exchange
Format v2 (IODEF)"
o URL of the registry: http://www.iana.org/assignments/iodef2
o Namespace format: A registry entry consists of:
* Value. An enumerated value for a given IODEF attribute.
* Description. A short description of the enumerated value.
* Reference. An optional list of URIs to further describe the
value.
o Allocation policy: Expert Review per [RFC5226]
The registries to be created are named in the table below in the
"Registry Name" column. The initial values for the Value and
Description fields of a given registry are listed in the "IV (Value)"
and "IV (Description)" columns respectively. The "IV (Value)" points
to a given schema attribute or type per Section 8. Each enumerated
value in the schema gets a corresponding entry in a given registry.
The "IV (Description)" points to a section in the text of this
document. The initial value of the Reference field of every registry
entry described below should be this document.
+--------------------------+------------------------+---------------+
| Registry Name | IV (Value) | IV |
| | | (Description) |
+--------------------------+------------------------+---------------+
| Restriction | iodef-restriction-type | Section 3.3.1 |
| | | |
| Incident-purpose | Incident@purpose | Section 3.2 |
| | | |
| Contact-role | Contact@role | Section 3.10 |
| | | |
| Contact-type | Contact@type | Section 3.10 |
| | | |
| RegistryHandle-registry | RegistryHandle@registr | Section |
| | y | 3.10.1 |
| | | |
| Expectation-action | iodef:action-type | Section 3.17 |
| | | |
| Discovery-source | Discovery@source | Section 3.12 |
| | | |
| SystemImpact-type | SystemImpact@type | Section |
| | | 3.14.1 |
| | | |
| BusinessImpact-severity | BusinessImpact@severit | Section |
| | y | 3.14.2 |
| | | |
| BusinessImpact-type | BusinessImpact@type | Section |
| | | 3.14.2 |
| | | |
| TimeImpact-metrics | TimeImpact@metric | Section |
| | | 3.14.3 |
| | | |
| TimeImpact-duration | iodef:duration-type | Section |
| | | 3.14.3 |
| | | |
| NodeRole-category | NodeRole@category | Section |
| | | 3.20.2 |
| | | |
| System-category | System@category | Section 3.19 |
| | | |
| System-ownership | System@ownership | Section 3.19 |
| | | |
| Address-category | Address@category | Section |
| | | 3.20.1 |
| | | |
| Counter-type | Counter@type | Section |
| | | 3.20.3 |
| | | |
| DomainData-system-status | DomainData@system- | Section 3.21 |
| | status | |
| | | |
| DomainData-domain-status | DomainData@domain- | Section 3.21 |
| | status | |
| | | |
| RelatedDNS-record-type | RelatedDNS@record-type | Section |
| | | 3.21.1 |
| | | |
| RecordPattern-type | RecordPattern@type | Section |
| | | 3.25.2 |
| | | |
| RecordPattern-offsetunit | RecordPattern@offsetun | Section |
| | it | 3.25.2 |
| | | |
| Key-registryaction | Key@registryaction | Section |
| | | 3.26.1 |
| | | |
| HashData-scope | HashData@scope | Section 3.29 |
| | | |
| AdditionalData-dtype | iodef:dtype-type | Section 3.9 |
| | | |
| EmailHeaderField-proto- | iodef:proto-dtype-type | Section |
| dtype | | 3.22.1 |
+--------------------------+------------------------+---------------+
Table 1: IANA Enumerated Value Registries
11. Acknowledgments 11. Acknowledgments
The following groups and individuals, listed alphabetically, The following groups and individuals, listed alphabetically,
contributed substantially to this document and should be recognized contributed substantially to this document and should be recognized
for their efforts. for their efforts.
o Kathleen Moriarty, EMC Corporation o Kathleen Moriarty, EMC Corporation
o Brian Trammell, ETH Zurich o Brian Trammell, ETH Zurich
o Patrick Cain, Cooper-Cain Group, Inc. o Patrick Cain, Cooper-Cain Group, Inc.
o ... TODO many more to add ... o ... TODO many more to add ...
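Review bot: "This document creates xx identically structured registries" still carries the placeholder count; Table 1 lists 26 registries. The first row's IV (Value) reads "iodef-restriction-type" while the schema in Section 8 names the type iodef:restriction-type, and the other schema-typed rows (iodef:action-type, iodef:duration-type, iodef:dtype-type, iodef:proto-dtype-type) use the colon form, so the hyphen is a typo. "Expert Review per [RFC5226]" should be accompanied by guidance for the designated expert (for example, that a proposed value is not a synonym of an existing one and that its description is precise enough for a recipient to act on), which RFC 5226 asks documents using that policy to supply; the section should also say whether the "ext-value" entries present in each enumeration are registered as values or reserved as the extension marker, since registering them would defeat their purpose.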
12. References 12. References
12.1. Normative References 12.1. Normative References
[W3C.XML] World Wide Web Consortium, "Extensible Markup Language [W3C.XML] World Wide Web Consortium, "Extensible Markup Language
(XML) 1.0 (Second Edition)", W3C Recommendation , October (XML) 1.0 (Second Edition)", W3C Recommendation , October
skipping to change at page 137, line 36 skipping to change at page 143, line 33
[W3C.XMLNS] [W3C.XMLNS]
World Wide Web Consortium, "Namespaces in XML", W3C World Wide Web Consortium, "Namespaces in XML", W3C
Recommendation , January 1999, Recommendation , January 1999,
<http://www.w3.org/TR/REC-xml-names/>. <http://www.w3.org/TR/REC-xml-names/>.
[W3C.XPATH] [W3C.XPATH]
World Wide Web Consortium, "XML Path Language (XPath) World Wide Web Consortium, "XML Path Language (XPath)
2.0", W3C Candidate Recommendation , June 2006, 2.0", W3C Candidate Recommendation , June 2006,
<http://www.w3.org/TR/xpath20/>. <http://www.w3.org/TR/xpath20/>.
[W3C.XMLSIG]
World Wide Web Consortium, "XML Signature Syntax and
Processing 2.0", W3C Candidate Recommendation , June 2008,
<http://www.w3.org/TR/xmldsig-core/>.
[IEEE.POSIX] [IEEE.POSIX]
Institute of Electrical and Electronics Engineers, Institute of Electrical and Electronics Engineers,
"Information Technology - Portable Operating System "Information Technology - Portable Operating System
Interface (POSIX) - Part 1: Base Definitions", IEEE Interface (POSIX) - Part 1: Base Definitions", IEEE
1003.1, June 2001. 1003.1, June 2001.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
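Review bot: the added [W3C.XMLSIG] entry is internally inconsistent: the title says "2.0" and the status "Candidate Recommendation", but the URL http://www.w3.org/TR/xmldsig-core/ is the core "XML Signature Syntax and Processing (Second Edition)" specification, which W3C published as a Recommendation in June 2008; the 2.0 work is a separate document. Since the schema only needs ds:X509Data, which the Second Edition defines, citing that edition with its correct title and status is the simplest fix, and the entry should then be referenced from the Certificate element's description rather than only listed here.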
[RFC5646] Philips, A. and M. Davis, "Tags for Identifying of [RFC5646] Philips, A. and M. Davis, "Tags for Identifying of
skipping to change at page 140, line 5 skipping to change at page 145, line 49
(IRIS)", RFC 3982, January 2005. (IRIS)", RFC 3982, January 2005.
[KB310516] [KB310516]
Microsoft Corporation, "How to add, modify, or delete Microsoft Corporation, "How to add, modify, or delete
registry subkeys and values by using a registration registry subkeys and values by using a registration
entries (.reg) file", December 2007. entries (.reg) file", December 2007.
[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma- [RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-
Separated Values (CSV) File", RFC 4180, October 2005. Separated Values (CSV) File", RFC 4180, October 2005.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", RFC 5226, May 2008.
Authors' Addresses Authors' Addresses
Roman Danyliw Roman Danyliw
CERT - Software Engineering Institute CERT - Software Engineering Institute
Pittsburgh, PA Pittsburgh, PA
USA USA
EMail: rdd@cert.org EMail: rdd@cert.org
Paul Stoecker Paul Stoecker
 End of changes. 312 change blocks. 
717 lines changed or deleted 1041 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/