draft-ietf-mile-rfc5070-bis-10.txt vs. draft-ietf-mile-rfc5070-bis-11.txt
(Text common to both drafts is shown once; where the drafts differ, the
variants are marked [-10] and [-11].)

MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
Expires: May 13, 2015 [-10] / September 24, 2015 [-11]
                                November 9, 2014 [-10] / March 23, 2015 [-11]

           The Incident Object Description Exchange Format v2
   draft-ietf-mile-rfc5070-bis-10 [-10] / draft-ietf-mile-rfc5070-bis-11 [-11]
Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for sharing information commonly exchanged by
   Computer Security Incident Response Teams (CSIRTs) about computer
   security incidents. This document describes the information model
   for the IODEF and provides an associated data model specified with
   XML Schema.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on May 13, 2015 [-10] / September 24,
   2015 [-11].
Copyright Notice

   Copyright (c) 2014 [-10] / 2015 [-11] IETF Trust and the persons
   identified as the document authors. All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

   (Page numbers omitted. Entries marked "section added in -11" do not
   appear in the -10 table of contents.)

   1.  Introduction
     1.1.  Changes from 5070
     1.2.  Terminology
     1.3.  Notations
     1.4.  About the IODEF Data Model
     1.5.  About the IODEF Implementation
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Bytes
     2.6.  Hexadecimal Bytes
     2.7.  Enumerated Types
     2.8.  Date-Time Strings
     2.9.  Timezone String
     2.10. Port Lists
     2.11. Postal Address
     2.12. Person or Organization
     2.13. Telephone and Fax Numbers
     2.14. Email String
     2.15. Uniform Resource Locator strings
     2.16. Identifiers and Identifier References
   3.  The IODEF Data Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  Common Attributes
       3.3.1.  restriction Attribute
       3.3.2.  observable-id Attribute
     3.4.  IncidentID Class
     3.5.  AlternativeID Class
     3.6.  RelatedActivity Class
     3.7.  ThreatActor Class
     3.8.  Campaign Class
     3.9.  AdditionalData Class
     3.10. Contact Class
       3.10.1. RegistryHandle Class
       3.10.2. PostalAddress Class
       3.10.3. Email Class
       3.10.4. Telephone and Fax Classes
     3.11. Time Classes
       3.11.1. StartTime Class
       3.11.2. EndTime Class
       3.11.3. DetectTime Class
       3.11.4. ReportTime Class
       3.11.5. GenerationTime Class (section added in -11)
       3.11.6. DateTime (3.11.5 in -10)
     3.12. Discovery Class
       3.12.1. DetectionPattern Class
     3.13. Method Class
       3.13.1. Reference Class (section added in -11)
     3.14. Assessment Class
       3.14.1. SystemImpact Class
       3.14.2. BusinessImpact Class
       3.14.3. TimeImpact Class
       3.14.4. MonetaryImpact Class
       3.14.5. Confidence Class
     3.15. History Class
       3.15.1. HistoryItem Class
     3.16. EventData Class
       3.16.1. Relating the Incident and EventData Classes
       3.16.2. Cardinality of EventData
     3.17. Expectation Class
     3.18. Flow Class
     3.19. System Class
     3.20. Node Class
       3.20.1. Address Class
       3.20.2. NodeRole Class
       3.20.3. Counter Class
     3.21. DomainData Class
       3.21.1. RelatedDNS
       3.21.2. Nameservers Class
       3.21.3. DomainContacts Class
     3.22. Service Class
       3.22.1. ApplicationHeader Class
       3.22.2. Application Class
     3.23. OperatingSystem Class
     3.24. EmailData Class
     3.25. Record Class
       3.25.1. RecordData Class
       3.25.2. RecordPattern Class
       3.25.3. RecordItem Class
     3.26. WindowsRegistryKeysModified Class
       3.26.1. Key Class
     3.27. CertificateData Class
       3.27.1. Certificate Class
     3.28. FileData Class
       3.28.1. File Class
     3.29. HashData Class
       3.29.1. Hash Class
       3.29.2. FuzzyHash Class
     3.30. SignatureData Class
     3.31. IndicatorData Class
     3.32. Indicator Class
       3.32.1. IndicatorID Class
       3.32.2. AlternativeIndicatorID Class
       3.32.3. Observable Class
       3.32.4. IndicatorExpression Class
       3.32.5. ObservableReference Class
       3.32.6. IndicatorReference Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
     4.4.  Incompatibilities with v1
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
       5.1.1.  Private Extension of Enumerated Values (section added in -11)
       5.1.2.  Public Extension of Enumerated Values (section added in -11)
     5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
     7.1.  Worm
     7.2.  Reconnaissance
     7.3.  Bot-Net Reporting
     7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10. IANA Considerations
     10.1. Namespace and Schema
     10.2. Enumerated Value Registries
   11. Acknowledgments
   12. References
     12.1. Normative References
     12.2. Informative References
   Authors' Addresses
1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats. This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a bot-
   network, or sharing watch-lists of known malicious IP addresses in a
   consortium.
   RFC5070.

   o  All of the RFC5070 Errata were implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The following classes were added to IODEF-Document:
      AdditionalData.

   o  [-10] The following class was added to Incident: IndicatorData.
      [-11] The following class and attribute were added to Incident:
      IndicatorData and @status.

   o  The following classes were added to Incident and EventData:
      Discovery.

   o  The following classes and attributes were added to the Service
      class: EmailData, DomainData, AssetID, ApplicationHeader @virtual,
      and @ownership. Service@ip_protocol was renamed to @ip-protocol.

   o  The following classes were added to the Record class: HashData and
      WindowsRegistryKeysModified.
   o  The following classes were added to Node: PostalAddress and
      DomainData. The following classes were removed from Node:
      NodeName and DateTime.

   o  The following class was added to the Contact class: ContactTitle.

   o  The following class was added to Expectation and HistoryItem:
      DefinedCOA.

   o  [-11 only] The following class was added to Reference:
      ReferenceName (replaced Name).

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, System@spoofed.

   o  [-10] Removed all "ext-" attributes in favor of using an IANA
      registry for extending attributes.
      [-11] Added an option for public extension of enumerated
      attributes through an IANA registry and added @ext-restriction.

   o  Removed the Impact class in favor of using SystemImpact and
      IncidentCategory.

   o  [-11 only] iodef:MLStringType uses xml:lang and @translation-id.
1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].
   A single character is represented by the CHARACTER data type. A
   character string is represented by the STRING data type. Special
   characters must be encoded using entity references. See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].
2.4.  Multilingual Strings

   [-10] STRING data that represents multi-character attributes in a
   language different from the default encoding of the document is of
   the ML_STRING data type. The ML_STRING data type is implemented as an
   "iodef:MLStringType" in the schema.

   [-11] STRING data that represents a multi-character string in a
   language different from the default encoding of the document is of
   the ML_STRING data type.

   The ML_STRING data type is implemented as the "iodef:MLStringType"
   type in the schema. This type extends "xs:string" to include two
   attributes. The body of any class that uses this type is the
   multilingual string.

   Multiple instances of a class of this type with the same parent that
   have the same value set in the translation-id attribute are
   considered translations. The language of a given class of this type
   is set by the xml:lang attribute.

   +------------------------+
   |   iodef:MLStringType   |
   +------------------------+
   | ENUM xml:lang          |
   | STRING translation-id  |
   |                        |
   +------------------------+

                  Figure 1: The iodef:MLStringType Type

   Classes of the iodef:MLStringType type have two attributes:

   xml:lang
      Optional. ENUM. A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646]. The
      interpretation of this code is described in Section 6.

   translation-id
      Optional. STRING. An identifier to relate other instances of
      this class as translations of this text.
2.5.  Bytes

   A binary octet is represented by the BYTE data type. A sequence of
   binary octets is represented by the BYTE[] data type. These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" in
   [W3C.SCHEMA.DTYPES].
3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model. All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM xml:lang   |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

         Figure 2: IODEF-Document Class [-11] (Figure 1 in -10)

   In -10 the second attribute in the figure is "ENUM lang"; -11 renames
   it to xml:lang.
   The aggregate classes that constitute IODEF-Document are:
   Incident
      One or more. The information related to a single incident.

   AdditionalData
      Zero or more. Mechanism by which to extend the data model. See
      Section 3.9.

   The IODEF-Document class has three attributes:

   version
      Required. STRING. The IODEF specification version number to
      which this IODEF document conforms. The value of this attribute
      MUST be "2.00".

   [-10] lang
      Required. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

   [-11] xml:lang
      Optional. ENUM. A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646]. The
      interpretation of this code is described in Section 6.

   formatid
      Optional. STRING. A free-form string to convey processing
      instructions to the recipient of the document. Its semantics must
      be negotiated out-of-band.
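   The following Python is an added example and is not part of either
   draft or of any IODEF implementation. It parses a small IODEF v2
   document constructed for this purpose and applies the rules stated
   in Sections 2.4, 3.1 and 3.2: the root must be IODEF-Document with
   version "2.00"; Description elements carry xml:lang and
   translation-id, and siblings sharing a translation-id are
   translations of one text; the children of Incident must respect the
   cardinalities of the Incident figure in Section 3.2. The namespace
   URI, the sample document's content (which is not validated against
   the schema) and the element-count checks are assumptions of this
   example; Section 4.2 is normative for the namespace and Section 4.3
   for validation.

```python
"""Structural checks for an IODEF v2 document (added example, not draft text).

Assumptions not taken from the draft: the namespace URI below, the constructed
SAMPLE document, and reading xml:lang inheritance as XML Section 2.12 defines it.
"""
import xml.etree.ElementTree as ET
from collections import Counter

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumption; draft Section 4.2 is normative
XML_NS = "http://www.w3.org/XML/1998/namespace"  # namespace of the xml:lang attribute
XML_LANG = f"{{{XML_NS}}}lang"

# Children of Incident with (min, max) occurrences from the Section 3.2 figure;
# None means unbounded. GenerationTime is {0..1} in -11 (exactly one in -10).
INCIDENT_CARDINALITY = {
    "IncidentID": (1, 1),       "AlternativeID": (0, 1),   "RelatedActivity": (0, None),
    "DetectTime": (0, 1),       "StartTime": (0, 1),       "EndTime": (0, 1),
    "RecoveryTime": (0, 1),     "ReportTime": (1, 1),      "GenerationTime": (0, 1),
    "Description": (0, None),   "Discovery": (0, None),    "Assessment": (1, None),
    "Method": (0, None),        "Contact": (1, None),      "EventData": (0, None),
    "IndicatorData": (0, None), "History": (0, 1),         "AdditionalData": (0, None),
}

# Constructed sample document; element content is illustrative, not schema-validated.
SAMPLE = f"""<IODEF-Document version="2.00" xml:lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2015-03-23T10:00:00+00:00</ReportTime>
    <Description xml:lang="en" translation-id="d1">Host scanned from a single source.</Description>
    <Description xml:lang="de" translation-id="d1">Host von einer einzelnen Quelle gescannt.</Description>
    <Description>Second note without a translation.</Description>
    <Assessment><Confidence rating="high"/></Assessment>
    <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
  </Incident>
</IODEF-Document>"""


def local(tag: str) -> str:
    """'{ns}Incident' -> 'Incident'."""
    return tag.rsplit("}", 1)[-1]


def parse_document(xml_text: str) -> ET.Element:
    """Return the IODEF-Document root; Section 3.1 says version MUST be "2.00".

    xml.etree keeps this example self-contained; documents received from other
    CSIRTs are untrusted input and belong behind a hardened parser (e.g. defusedxml)."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "IODEF-Document":
        raise ValueError(f"unexpected root element {root.tag!r}")
    if root.get("version") != "2.00":
        raise ValueError(f"unsupported IODEF version {root.get('version')!r}")
    return root


def check_incident_cardinality(incident: ET.Element) -> list:
    """List every child-count violation of one Incident as a readable string."""
    counts = Counter(local(child.tag) for child in incident)
    problems = []
    for name, (lo, hi) in INCIDENT_CARDINALITY.items():
        n = counts[name]
        if n < lo or (hi is not None and n > hi):
            problems.append(f"{name}: {n} present, {lo}..{'*' if hi is None else hi} allowed")
    problems += [f"{name}: not a child of Incident" for name in counts if name not in INCIDENT_CARDINALITY]
    return problems


def multilingual_strings(parent: ET.Element, name: str, inherited_lang) -> list:
    """Group `name` children per Section 2.4: siblings with the same translation-id
    form one {lang: text} mapping; an element without one is its own entry.
    A missing xml:lang takes the value inherited from the ancestors."""
    groups, order = {}, []
    for i, el in enumerate(parent.findall(f"{{{IODEF_NS}}}{name}")):
        key = el.get("translation-id") or f"untranslated-{i}"
        if key not in groups:
            groups[key] = {}
            order.append(key)
        groups[key][el.get(XML_LANG, inherited_lang)] = (el.text or "").strip()
    return [groups[k] for k in order]


def summarize(xml_text: str) -> dict:
    """Run all checks and report on the document's first Incident."""
    root = parse_document(xml_text)
    incident = root.find(f"{{{IODEF_NS}}}Incident")
    if incident is None:
        raise ValueError("IODEF-Document MUST contain at least one Incident")
    lang = incident.get(XML_LANG, root.get(XML_LANG))  # xml:lang inherits root -> Incident -> child
    return {
        "version": root.get("version"),
        "violations": check_incident_cardinality(incident),
        "descriptions": multilingual_strings(incident, "Description", lang),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2, ensure_ascii=False))
```

   The cardinality check is deliberately separate from XML Schema
   validation: it gives a human-readable reason for rejecting a report
   (for example a missing ReportTime) where a schema validator only
   reports a position, and it does not need the schema from Section 8
   to run.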
3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.

   +-------------------------+
   |        Incident         |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM status             |<>--{0..*}--[ RelatedActivity ]
   | STRING ext-status       |<>--{0..1}--[ DetectTime ]
   | ENUM xml:lang           |<>--{0..1}--[ StartTime ]
   | ENUM restriction        |<>--{0..1}--[ EndTime ]
   | STRING ext-restriction  |<>--{0..1}--[ RecoveryTime ]
   | STRING observable-id    |<>----------[ ReportTime ]
   |                         |<>--{0..1}--[ GenerationTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

          Figure 3: The Incident Class [-11] (Figure 2 in -10)

   In -10 the attribute column reads ENUM purpose, ENUM lang, ENUM
   restriction and STRING observable-id; -11 renames lang to xml:lang
   and adds STRING ext-purpose, ENUM status, STRING ext-status and
   STRING ext-restriction. The aggregate classes and their
   cardinalities are the same in both drafts.

   The aggregate classes that constitute Incident are:

   IncidentID
      One. An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one. The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.
skipping to change at page 14, line 30 skipping to change at page 15, line 16
EndTime EndTime
Zero or one. The time the incident ended. Zero or one. The time the incident ended.
RecoveryTime RecoveryTime
Zero or one. The time the site recovered from the incident. Zero or one. The time the site recovered from the incident.
ReportTime ReportTime
One. The time the incident was reported. One. The time the incident was reported.
GenerationTime GenerationTime
One. The time the content in this Incident class was generated. Zero or one. The time the content in this Incident class was
generated.
Description Description
Zero or more. ML_STRING. A free-form textual description of the Zero or more. ML_STRING. A free-form textual description of the
incident. incident.
Discovery Discovery
Zero or more. The means by which this incident was detected. Zero or more. The means by which this incident was detected.
Assessment Assessment
One or more. A characterization of the impact of the incident. One or more. A characterization of the impact of the incident.
skipping to change at page 15, line 15 skipping to change at page 15, line 50
IndicatorData IndicatorData
Zero or more. Description of indicators. Zero or more. Description of indicators.
History History
Zero or one. A log of significant events or actions that occurred Zero or one. A log of significant events or actions that occurred
during the course of handling the incident. during the course of handling the incident.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. Zero or more. Mechanism by which to extend the data model.
The Incident class has three attributes: The Incident class has eight attributes:
purpose purpose
Required. ENUM. The purpose attribute represents the reason why Required. ENUM. The purpose attribute represents the reason why
the IODEF document was created. It is closely related to the the IODEF document was created. It is closely related to the
Expectation class (Section 3.17). These values are maintained in Expectation class (Section 3.17). These values are maintained in
the "Incident-purpose" IANA registry per Table 1. This attribute the "Incident-purpose" IANA registry per Table 1. This attribute
is defined as an enumerated list: is defined as an enumerated list:
1. traceback. The document was sent for trace-back purposes. 1. traceback. The document was sent for trace-back purposes.
skipping to change at page 15, line 38 skipping to change at page 16, line 26
3. reporting. The document was sent to comply with reporting 3. reporting. The document was sent to comply with reporting
requirements. requirements.
4. watch. The document was sent to convey indicators to watch 4. watch. The document was sent to convey indicators to watch
for particular activity. for particular activity.
5. other. The document was sent for purposes specified in the 5. other. The document was sent for purposes specified in the
Expectation class. Expectation class.
lang 6. ext-value. An escape value used to extend this attribute.
Optional. ENUM. A valid language code per [RFC5646] constrained See Section 5.1.1.
by the definition of "xs:language". The interpretation of this
code is described in Section 6. ext-purpose
Optional. STRING. A means by which to extend the purpose
attribute. See Section 5.1.1.
status
Optional. ENUM. The status attribute conveys the state in a
workflow where the incident is currently found. These values are
maintained in the "Incident-status" IANA registry per Table 1.
This attribute is defined as an enumerated list:
1. new. The document is newly reported and has not been
actioned.
2. in-progress. The contents of this document are under
investigation.
3. forwarded. The document has been forwarded to another party
for handling.
4. resolved. The investigation into the activity in this
document has concluded.
5. future. The .
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-status
Optional. STRING. A means by which to extend the status
attribute. See Section 5.1.1.
xml:lang
Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.3. Common Attributes 3.3. Common Attributes
There are a number of recurring attributes used by the data model. There are a number of recurring attributes used by the data model.
They are documented in this section. They are documented in this section.
3.3.1. restriction Attribute 3.3.1. restriction Attribute
skipping to change at page 16, line 41 skipping to change at page 18, line 15
closest ancestor that did specify a value. closest ancestor that did specify a value.
This attribute is defined as an enumerated value with a default value This attribute is defined as an enumerated value with a default value
of "private". Note that the default value of the restriction of "private". Note that the default value of the restriction
attribute is only defined in the context of the Incident class. In attribute is only defined in the context of the Incident class. In
other classes where this attribute is used, no default is specified. other classes where this attribute is used, no default is specified.
These values are maintained in the "Restriction" IANA registry per These values are maintained in the "Restriction" IANA registry per
Table 1. Table 1.
1. public. The information can be freely distributed without 1. public. The information can be freely distributed without
restriction. restriction.
2. partner. The information may be shared within a closed community 2. partner. The information may be shared within a closed
of peers, partners, or affected parties, but cannot be openly community of peers, partners, or affected parties, but cannot be
published. openly published.
3. need-to-know. The information may be shared only within the 3. need-to-know. The information may be shared only within the
organization with individuals that have a need to know. organization with individuals that have a need to know.
4. private. The information may not be shared. 4. private. The information may not be shared.
5. default. The information can be shared according to an 5. default. The information can be shared according to an
information disclosure policy pre-arranged by the communicating information disclosure policy pre-arranged by the communicating
parties. parties.
6. white. Same as 'public'. 6. white. Same as 'public'.
7. green. Same as 'partner'. 7. green. Same as 'partner'.
8. amber. Same as 'need-to-know'. 8. amber. Same as 'need-to-know'.
9. red. Same as 'private'. 9. red. Same as 'private'.
10. ext-value. An escape value used to extend this attribute. See
Section 5.1.1.
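The inheritance rule above is easy to get wrong when a document is forwarded: the forwarding CSIRT has to resolve each element's effective restriction from the closest ancestor that set one, honour the TLP colour aliases, apply the Incident-only default of "private", and treat "default" and "ext-value" as values that only the parties' pre-arranged policy can interpret. The following Python is an added example, not code from this draft or from any IODEF implementation. It resolves effective restrictions over an Incident and redacts the document for a given audience; the sample Incident is constructed for illustration and the namespace URI is an assumption taken from the IODEF v2 schema.

```python
"""Resolve the effective IODEF restriction of every element and redact an
Incident before forwarding it to a given audience (added example)."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed IODEF v2 namespace

# Base levels ordered from least to most restrictive (Section 3.3.1); the
# TLP colour names are aliases of those four levels.
_LEVEL = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}
_ALIAS = {"white": "public", "green": "partner",
          "amber": "need-to-know", "red": "private"}

# Constructed sample: restriction set at several depths, one TLP alias and
# one "default" value that only a pre-arranged policy can interpret.
SAMPLE = f"""<Incident xmlns="{IODEF_NS}" purpose="reporting" restriction="partner">
  <IncidentID name="csirt.example.com">INC-2015-0042</IncidentID>
  <ReportTime>2015-03-23T10:02:00+00:00</ReportTime>
  <Description>inherits 'partner' from Incident</Description>
  <Description restriction="default">shared per the bilateral agreement</Description>
  <Assessment restriction="need-to-know">
    <AdditionalData dtype="string" meaning="analyst note">internal only</AdditionalData>
  </Assessment>
  <Contact role="creator" type="organization" restriction="white">
    <ContactName>Example CSIRT</ContactName>
    <Contact role="reporter" type="person" restriction="red">
      <Email>analyst@csirt.example.com</Email>
    </Contact>
  </Contact>
</Incident>"""


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def normalize(value):
    """Map a TLP alias to its base level; other values pass through."""
    return _ALIAS.get(value, value)


def effective_restriction(elem, inherited=None):
    """Yield (element, effective restriction) over elem's subtree.

    An element uses its own attribute if set, otherwise the value of the
    closest ancestor that set one.  Only Incident has a default
    ("private"); elsewhere an unset value with no ancestor resolves to None.
    """
    own = elem.get("restriction")
    if own is not None:
        level = normalize(own)
    elif inherited is None and local(elem.tag) == "Incident":
        level = "private"
    else:
        level = inherited
    yield elem, level
    for child in elem:
        yield from effective_restriction(child, level)


def restriction_report(xml_text):
    """List (local tag, effective restriction) in document order."""
    root = ET.fromstring(xml_text)
    return [(local(e.tag), lvl) for e, lvl in effective_restriction(root)]


def releasable(level, audience, policy=None):
    """True if content at `level` may be given to `audience`.

    `policy` maps the values the spec leaves to bilateral agreement
    ("default", "ext-value") to a base level.  Anything still unknown is
    withheld: silent release is the wrong failure mode for a CSIRT.
    """
    level = normalize((policy or {}).get(level, level))
    audience = normalize(audience)
    if level not in _LEVEL or audience not in _LEVEL:
        return False
    return _LEVEL[level] <= _LEVEL[audience]


def redact(xml_text, audience, policy=None):
    """Return the Incident with every non-releasable subtree removed, or
    None when the Incident itself may not be shared with the audience."""
    root = ET.fromstring(xml_text)
    parent_of = {c: p for p in root.iter() for c in p}
    resolved = list(effective_restriction(root))  # snapshot before mutating
    if not releasable(resolved[0][1], audience, policy):
        return None
    for elem, level in resolved[1:]:
        if not releasable(level, audience, policy):
            parent_of[elem].remove(elem)
    return root


def child_tags(elem):
    """Local tag names of elem's direct children."""
    return [local(c.tag) for c in elem]


def find_child(elem, name):
    """First direct child of elem with the given local tag name."""
    return next((c for c in elem if local(c.tag) == name), None)


if __name__ == "__main__":
    for tag, level in restriction_report(SAMPLE):
        print(f"{tag:15s} {level}")
    print("for a partner:", child_tags(redact(SAMPLE, "green")))
```

Redacting on a per-subtree basis is what the inheritance rule implies: an Assessment marked need-to-know takes its AdditionalData with it, and a TLP:RED nested Contact disappears from a TLP:WHITE parent. The "default" Description survives only when the caller supplies the agreed mapping through `policy`.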
3.3.2. observable-id Attribute 3.3.2. observable-id Attribute
Information included in an incident report may be an observable Information included in an incident report may be an observable
relevant to an indicator. The observable-id attribute provides a relevant to an indicator. The observable-id attribute provides a
unique identifier in the scope of the document for this observable. unique identifier in the scope of the document for this observable.
This identifier can then be used to reference the observable with an This identifier can then be used to reference the observable with an
ObservableReference class to define an indicator in the IndicatorData ObservableReference class to define an indicator in the IndicatorData
class. class.
skipping to change at page 17, line 37 skipping to change at page 19, line 16
The IncidentID class represents an incident tracking number that is The IncidentID class represents an incident tracking number that is
unique in the context of the CSIRT and identifies the activity unique in the context of the CSIRT and identifies the activity
characterized in an IODEF Document. This identifier would serve as characterized in an IODEF Document. This identifier would serve as
an index into the CSIRT incident handling system. The combination of an index into the CSIRT incident handling system. The combination of
the name attribute and the string in the element content MUST be a the name attribute and the string in the element content MUST be a
globally unique identifier describing the activity. Documents globally unique identifier describing the activity. Documents
generated by a given CSIRT MUST NOT reuse the same value unless they generated by a given CSIRT MUST NOT reuse the same value unless they
are referencing the same incident. are referencing the same incident.
+------------------+ +------------------------+
| IncidentID | | IncidentID |
+------------------+ +------------------------+
| STRING | | STRING |
| | | |
| STRING name | | STRING name |
| STRING instance | | STRING instance |
| ENUM restriction | | ENUM restriction |
+------------------+ | STRING ext-restriction |
+------------------------+
Figure 3: The IncidentID Class Figure 4: The IncidentID Class
The IncidentID class has three attributes: The IncidentID class has four attributes:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the document. In order to have a globally unique CSIRT created the document. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. MUST be used.
instance instance
Optional. STRING. An identifier referencing a subset of the Optional. STRING. An identifier referencing a subset of the
named incident. named incident.
restriction restriction
Optional. ENUM. See Section 3.3.1. The default value is Optional. ENUM. See Section 3.3.1. The default value is
"public". "public".
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.5. AlternativeID Class 3.5. AlternativeID Class
The AlternativeID class lists the incident tracking numbers used by The AlternativeID class lists the incident tracking numbers used by
CSIRTs, other than the one generating the document, to refer to the CSIRTs, other than the one generating the document, to refer to the
identical activity described in the IODEF document. A tracking identical activity described in the IODEF document. A tracking
number listed as an AlternativeID references the same incident number listed as an AlternativeID references the same incident
detected by another CSIRT. The incident tracking numbers of the detected by another CSIRT. The incident tracking numbers of the
CSIRT that generated the IODEF document must never be considered an CSIRT that generated the IODEF document must never be considered an
AlternativeID. AlternativeID.
+------------------+ +------------------------+
| AlternativeID | | AlternativeID |
+------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ] | ENUM restriction |<>--{1..*}--[ IncidentID ]
| | | STRING ext-restriction |
+------------------+ +------------------------+
Figure 4: The AlternativeID Class Figure 5: The AlternativeID Class
The aggregate class that constitutes AlternativeID is: The aggregate class that constitutes AlternativeID is:
IncidentID IncidentID
One or more. The incident tracking number of another CSIRT. One or more. The incident tracking number of another CSIRT.
The AlternativeID class has one attribute: The AlternativeID class has two attributes:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.6. RelatedActivity Class 3.6. RelatedActivity Class
The RelatedActivity class relates the information described in the The RelatedActivity class relates the information described in the
rest of the IODEF document to previously observed incidents or rest of the IODEF document to previously observed incidents or
activity, and allows attribution to a specific actor or campaign. activity, and allows attribution to a specific actor or campaign.
+------------------+ +------------------------+
| RelatedActivity | | RelatedActivity |
+------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ] | ENUM restriction |<>--{0..*}--[ IncidentID ]
| |<>--{0..*}--[ URL ] | STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ] | |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ] | |<>--{0..*}--[ Campaign ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------------+
Figure 5: RelatedActivity Class Figure 6: RelatedActivity Class
The aggregate classes that constitute RelatedActivity are: The aggregate classes that constitute RelatedActivity are:
IncidentID IncidentID
One or more. The incident tracking number of a related incident. One or more. The incident tracking number of a related incident.
URL URL
One or more. URL. A URL to activity related to this incident. One or more. URL. A URL to activity related to this incident.
ThreatActor ThreatActor
skipping to change at page 19, line 49 skipping to change at page 21, line 49
Description Description
Zero or more. ML_STRING. A description of how these Zero or more. ML_STRING. A description of how these
relationships were derived. relationships were derived.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
RelatedActivity MUST at least have one instance of IncidentID, URL, RelatedActivity MUST at least have one instance of IncidentID, URL,
ThreatActor, or Campaign. ThreatActor, or Campaign.
The RelatedActivity class has one attribute: The RelatedActivity class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.7. ThreatActor Class 3.7. ThreatActor Class
The ThreatActor class describes a given actor. The ThreatActor class describes a given actor.
+------------------+ +------------------------+
| Actor | | Actor |
+------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ ThreatActorID ] | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
| |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------------+
Figure 6: ThreatActor Class Figure 7: ThreatActor Class
The aggregate classes that constitute ThreatActor are: The aggregate classes that constitute ThreatActor are:
ThreatActorID ThreatActorID
One or more. STRING. An identifier for the ThreatActor. One or more. STRING. An identifier for the ThreatActor.
Description Description
One or more. ML_STRING. A description of the ThreatActor. One or more. ML_STRING. A description of the ThreatActor.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
ThreatActor MUST have at least one instance of a ThreatActorID or ThreatActor MUST have at least one instance of a ThreatActorID or
Description. Description.
The ThreatActor class has one attribute: The ThreatActor class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.8. Campaign Class 3.8. Campaign Class
The Campaign class describes a ... The Campaign class describes a campaign of attacks by a threat actor.
+------------------+ +------------------------+
| Campaign | | Campaign |
+------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ CampaignID ] | ENUM restriction |<>--{0..1}--[ CampaignID ]
| |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------------+
Figure 7: Campaign Class Figure 8: Campaign Class
The aggregate classes that constitute Campaign are: The aggregate classes that constitute Campaign are:
CampaignID CampaignID
One or more. STRING. An identifier for the Campaign. One or more. STRING. An identifier for the Campaign.
Description Description
One or more. ML_STRING. A description of the Campaign. One or more. ML_STRING. A description of the Campaign.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
Campaign MUST have at least one instance of a CampaignID or Campaign MUST have at least one instance of a CampaignID or
Description. Description.
The Campaign class has one attribute: The Campaign class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
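Several of the rules in Sections 3.2 and 3.6 through 3.8 live in prose rather than in the schema: Incident needs exactly one IncidentID and ReportTime and at least one Assessment and Contact; RelatedActivity, ThreatActor and Campaign each MUST carry at least one of a short list of children; and the enumerated attributes take only registered values, with "ext-value" as the escape. The following Python is an added example, not code from this draft or from any IODEF implementation, that checks those rules over a parsed document. The two sample Incidents are constructed, and the requirement that an "ext-value" escape be paired with the matching ext-* attribute is an assumption about the Section 5.1.1 convention rather than something this excerpt states.

```python
"""Check IODEF cardinality and enumeration rules that a schema validator
alone will not enforce (added example; samples are constructed)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Enumerations from Section 3.2 ("ext-value" is the registry escape).
PURPOSE = {"traceback", "mitigation", "reporting", "watch", "other", "ext-value"}
STATUS = {"new", "in-progress", "forwarded", "resolved", "future", "ext-value"}

# Child cardinalities drawn from the Incident and AlternativeID descriptions.
EXACTLY_ONE = {"Incident": ["IncidentID", "ReportTime"]}
AT_LEAST_ONE = {"Incident": ["Assessment", "Contact"],
                "AlternativeID": ["IncidentID"]}
AT_MOST_ONE = {"Incident": ["AlternativeID", "DetectTime", "StartTime", "EndTime",
                            "RecoveryTime", "GenerationTime", "History"]}
# "MUST have at least one of" rules stated in prose only (Sections 3.6-3.8).
ANY_OF = {"RelatedActivity": ["IncidentID", "URL", "ThreatActor", "Campaign"],
          "ThreatActor": ["ThreatActorID", "Description"],
          "Campaign": ["CampaignID", "Description"]}

GOOD = """<Incident purpose="reporting" status="new" restriction="partner">
  <IncidentID name="csirt.example.com">INC-2015-0042</IncidentID>
  <ReportTime>2015-03-23T10:02:00+00:00</ReportTime>
  <RelatedActivity>
    <ThreatActor><ThreatActorID>actor-17</ThreatActorID></ThreatActor>
    <Campaign><Description>constructed campaign description</Description></Campaign>
  </RelatedActivity>
  <Assessment/>
  <Contact role="creator" type="organization"><ContactName>Example CSIRT</ContactName></Contact>
</Incident>"""

# Four defects: no Contact, ext-value without ext-purpose, IncidentID
# without its name, Campaign with neither CampaignID nor Description.
BAD = """<Incident purpose="ext-value" status="in-progress">
  <IncidentID>INC-0001</IncidentID>
  <RelatedActivity><Campaign restriction="partner"/></RelatedActivity>
  <ReportTime>2015-03-23T10:02:00+00:00</ReportTime>
  <Assessment/>
</Incident>"""


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def check_enum(elem, attr, allowed, required):
    """Validate one enumerated attribute.  Assumption: the "ext-value"
    escape must be paired with an ext-<attr> naming the extension."""
    name, value = local(elem.tag), elem.get(attr)
    if value is None:
        return [f"{name}: required attribute '{attr}' missing"] if required else []
    if value not in allowed:
        return [f"{name}: '{attr}' value {value!r} is not a registered value"]
    if value == "ext-value" and not elem.get("ext-" + attr):
        return [f"{name}: '{attr}=ext-value' needs ext-{attr} to name the extension"]
    return []


def validate(xml_text):
    """Return a list of problems, empty when the document passes."""
    errors = []
    for elem in ET.fromstring(xml_text).iter():
        name = local(elem.tag)
        counts = Counter(local(c.tag) for c in elem)
        for child in EXACTLY_ONE.get(name, []):
            if counts[child] != 1:
                errors.append(f"{name}: exactly one {child} required, found {counts[child]}")
        for child in AT_LEAST_ONE.get(name, []):
            if counts[child] == 0:
                errors.append(f"{name}: at least one {child} required")
        for child in AT_MOST_ONE.get(name, []):
            if counts[child] > 1:
                errors.append(f"{name}: at most one {child} allowed, found {counts[child]}")
        if name in ANY_OF and not any(counts[c] for c in ANY_OF[name]):
            errors.append(f"{name}: needs at least one of {', '.join(ANY_OF[name])}")
        if name == "Incident":
            errors += check_enum(elem, "purpose", PURPOSE, required=True)
            errors += check_enum(elem, "status", STATUS, required=False)
        if name == "IncidentID" and not elem.get("name"):
            errors.append("IncidentID: required 'name' attribute (CSIRT FQDN) missing")
    return errors


if __name__ == "__main__":
    print("GOOD:", validate(GOOD) or "no problems")
    print("BAD :", *validate(BAD), sep="\n  ")
```

Running this before a document leaves the CSIRT catches the cases the schema cannot express, and the problem list is in document order because `iter()` walks the tree depth-first.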
3.9. AdditionalData Class 3.9. AdditionalData Class
The AdditionalData class serves as an extension mechanism for The AdditionalData class serves as an extension mechanism for
information not otherwise represented in the data model. For information not otherwise represented in the data model. For
relatively simple information, atomic data types (e.g., integers, relatively simple information, atomic data types (e.g., integers,
strings) are provided with a mechanism to annotate their meaning. strings) are provided with a mechanism to annotate their meaning.
The class can also be used to extend the data model (and the The class can also be used to extend the data model (and the
associated Schema) to support proprietary extensions by encapsulating associated Schema) to support proprietary extensions by encapsulating
entire XML documents conforming to another Schema. A detailed entire XML documents conforming to another Schema. A detailed
discussion for extending the data model and the schema can be found discussion for extending the data model and the schema can be found
in Section 5. in Section 5.
Unlike XML, which is self-describing, atomic data must be documented Unlike XML, which is self-describing, atomic data must be documented
to convey its meaning. This information is described in the to convey its meaning. This information is described in the
'meaning' attribute. Since these descriptions are outside the scope 'meaning' attribute. Since these descriptions are outside the scope
of the specification, some additional coordination may be required to of the specification, some additional coordination may be required to
ensure that a recipient of a document using the AdditionalData ensure that a recipient of a document using the AdditionalData
classes can make sense of the custom extensions. classes can make sense of the custom extensions.
+------------------+ +------------------------+
| AdditionalData | | AdditionalData |
+------------------+ +------------------------+
| ANY | | ANY |
| | | |
| ENUM dtype | | ENUM dtype |
| STRING meaning | | STRING ext-dtype |
| STRING formatid | | STRING meaning |
| ENUM restriction | | STRING formatid |
+------------------+ | ENUM restriction |
| STRING ext-restriction |
+------------------------+
Figure 8: The AdditionalData Class Figure 9: The AdditionalData Class
The AdditionalData class has four attributes: The AdditionalData class has six attributes:
dtype dtype
Required. ENUM. The data type of the element content. The Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the value is "string". These values are maintained in the
"AdditionalData-dtype" IANA registry per Table 1. "AdditionalData-dtype" IANA registry per Table 1.
1. boolean. The element content is of type BOOLEAN. 1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE. 2. byte. The element content is of type BYTE.
skipping to change at page 23, line 13 skipping to change at page 25, line 33
17. url. The element content is of type URL. 17. url. The element content is of type URL.
18. csv. The element content is a comma separated value (CSV) 18. csv. The element content is a comma separated value (CSV)
list per Section 2 of [RFC4180] encoded as a STRING type. list per Section 2 of [RFC4180] encoded as a STRING type.
19. winreg. The element content is a Windows registry key 19. winreg. The element content is a Windows registry key
encoded as a STRING type. encoded as a STRING type.
20. xml. The element content is XML. See Section 5. 20. xml. The element content is XML. See Section 5.
21. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
meaning meaning
Optional. STRING. A free-form description of the element Optional. STRING. A free-form description of the element
content. content.
formatid formatid
Optional. STRING. An identifier referencing the format and Optional. STRING. An identifier referencing the format and
semantics of the element content. semantics of the element content.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
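Because AdditionalData carries atomic content whose type is known only from the dtype attribute, a consumer has to dispatch on dtype before trusting the value: integers and booleans need parsing, csv content is RFC 4180 records, encapsulated "xml" content is a foreign document to be validated against its own schema, and "ext-value" content stays opaque until the ext-dtype name is agreed between the parties. The following Python is an added example, not code from this draft or from any IODEF implementation; the Incident it decodes is constructed and covers the dtype values visible in the list above plus the default "string".

```python
"""Decode AdditionalData elements according to their dtype (added example;
the Incident below is constructed)."""
import csv
import io
import xml.etree.ElementTree as ET

SAMPLE = """<Incident purpose="reporting">
  <IncidentID name="csirt.example.com">INC-2015-0042</IncidentID>
  <AdditionalData dtype="integer" meaning="affected-hosts">12</AdditionalData>
  <AdditionalData dtype="boolean" meaning="contained">true</AdditionalData>
  <AdditionalData dtype="csv" meaning="blocked-ports">22,80,443</AdditionalData>
  <AdditionalData meaning="ticket">TKT-7</AdditionalData>
  <AdditionalData dtype="xml" meaning="vendor-record" formatid="urn:example:vendor-record">
    <v:Record xmlns:v="urn:example:vendor"><v:Id>A-9</v:Id></v:Record>
  </AdditionalData>
  <AdditionalData dtype="ext-value" ext-dtype="hexdump" meaning="raw">00 ff</AdditionalData>
  <AdditionalData dtype="integer" meaning="broken">twelve</AdditionalData>
</Incident>"""


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def decode(elem):
    """Convert one AdditionalData element to a Python value by dtype.

    Handled: the default "string", "boolean", "integer", "csv" (RFC 4180
    records), "xml" (encapsulated foreign elements, returned as-is for the
    caller to validate against their own schema) and the "ext-value"
    escape, which must name its type in ext-dtype.
    """
    dtype = elem.get("dtype", "string")        # default per Section 3.9
    text = (elem.text or "").strip()
    if dtype == "string":
        value = text
    elif dtype == "boolean":
        if text not in {"true", "false", "1", "0"}:   # xs:boolean forms
            raise ValueError(f"bad boolean {text!r}")
        value = text in {"true", "1"}
    elif dtype == "integer":
        value = int(text)                      # ValueError on junk
    elif dtype == "csv":
        value = list(csv.reader(io.StringIO(text)))
    elif dtype == "xml":
        value = list(elem)                     # namespaced child elements
    elif dtype == "ext-value":
        ext = elem.get("ext-dtype")
        if not ext:
            raise ValueError("dtype=ext-value without ext-dtype")
        dtype, value = "ext-value:" + ext, text  # opaque until agreed bilaterally
    else:
        raise ValueError(f"dtype {dtype!r} not handled here")
    return {"dtype": dtype, "meaning": elem.get("meaning"),
            "formatid": elem.get("formatid"), "value": value}


def collect(xml_text):
    """Decode every AdditionalData in a document.

    Returns (records keyed by meaning, list of error strings) so that one
    malformed element does not hide the rest of the report.
    """
    records, errors = {}, []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "AdditionalData":
            continue
        try:
            rec = decode(elem)
            records[rec["meaning"]] = rec
        except ValueError as exc:
            errors.append(f"{elem.get('meaning')}: {exc}")
    return records, errors


if __name__ == "__main__":
    recs, errs = collect(SAMPLE)
    for meaning, rec in recs.items():
        print(f"{meaning:15s} {rec['dtype']:18s} {rec['value']!r}")
    print("errors:", errs)
```

The formatid attribute is passed through untouched: it tells the consumer which agreed format the content follows, but interpreting it is coordination between the parties, as the text above notes.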
3.10. Contact Class 3.10. Contact Class
The Contact class describes contact information for organizations and The Contact class describes contact information for organizations and
personnel involved in the incident. This class allows for the naming personnel involved in the incident. This class allows for the naming
of the involved party, specifying contact information for them, and of the involved party, specifying contact information for them, and
identifying their role in the incident. identifying their role in the incident.
People and organizations are treated interchangeably as contacts; one People and organizations are treated interchangeably as contacts; one
can be associated with the other using the recursive definition of can be associated with the other using the recursive definition of
the class (the Contact class is aggregated into the Contact class). the class (the Contact class is aggregated into the Contact class).
skipping to change at page 24, line 5 skipping to change at page 26, line 29
The inheriting definition of Contact provides a way to relate The inheriting definition of Contact provides a way to relate
information without requiring the explicit use of identifiers in the information without requiring the explicit use of identifiers in the
classes or duplication of data. A complete point of contact is classes or duplication of data. A complete point of contact is
derived by a particular traversal from the root Contact class to the derived by a particular traversal from the root Contact class to the
leaf Contact class. As such, multiple points of contact might be leaf Contact class. As such, multiple points of contact might be
specified in a single instance of a Contact class. Each child specified in a single instance of a Contact class. Each child
Contact class logically inherits contact information from its Contact class logically inherits contact information from its
ancestors. ancestors.
+------------------+ +------------------------+
| Contact | | Contact |
+------------------+ +------------------------+
| ENUM role |<>--{0..1}--[ ContactName ] | ENUM role |<>--{0..*}--[ ContactName ]
| ENUM type |<>--{0..1}--[ ContactTitle ] | STRING ext-role |<>--{0..*}--[ ContactTitle ]
| ENUM restriction |<>--{0..*}--[ Description ] | ENUM type |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ RegistryHandle ] | STRING ext-type |<>--{0..*}--[ RegistryHandle ]
| |<>--{0..1}--[ PostalAddress ] | ENUM restriction |<>--{0..1}--[ PostalAddress ]
| |<>--{0..*}--[ Email ] | STRING ext-restriction |<>--{0..*}--[ Email ]
| |<>--{0..*}--[ Telephone ] | |<>--{0..*}--[ Telephone ]
| |<>--{0..1}--[ Fax ] | |<>--{0..1}--[ Fax ]
| |<>--{0..1}--[ Timezone ] | |<>--{0..1}--[ Timezone ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------------+
Figure 9: The Contact Class Figure 10: The Contact Class
The aggregate classes that constitute the Contact class are: The aggregate classes that constitute the Contact class are:
ContactName ContactName
Zero or one. ML_STRING. The name of the contact. The contact Zero or more. ML_STRING. The name of the contact. The contact
may either be an organization or a person. The type attribute may either be an organization or a person. The type attribute
disambiguates the semantics. disambiguates the semantics.
ContactTitle ContactTitle
Zero or one. ML_STRING. The title for the individual named in Zero or more. ML_STRING. The title for the individual named in
the ContactName. the ContactName.
Description Description
Zero or more. ML_STRING. A free-form description of this Zero or more. ML_STRING. A free-form description of this
contact. In the case of a person, this is often the contact. In the case of a person, this is often the
organizational title of the individual. organizational title of the individual.
RegistryHandle RegistryHandle
Zero or more. A handle name into the registry of the contact. Zero or more. A handle name into the registry of the contact.
skipping to change at page 25, line 23 skipping to change at page 27, line 50
points of contact and is especially useful when listing multiple points of contact and is especially useful when listing multiple
contacts at the same organization. contacts at the same organization.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
At least one of the aggregate classes MUST be present in an instance At least one of the aggregate classes MUST be present in an instance
of the Contact class. This is not enforced in the IODEF schema as of the Contact class. This is not enforced in the IODEF schema as
there is no simple way to accomplish it. there is no simple way to accomplish it.
The Contact class has three attributes: The Contact class has six attributes:
role role
Required. ENUM. Indicates the role the contact fulfills. This Required. ENUM. Indicates the role the contact fulfills. This
attribute is defined as an enumerated list. These values are attribute is defined as an enumerated list. These values are
maintained in the "Contact-role" IANA registry per Table 1. maintained in the "Contact-role" IANA registry per Table 1.
1. creator. The entity that generated the document. 1. creator. The entity that generated the document.
2. reporter. The entity that reported the information. 2. reporter. The entity that reported the information.
skipping to change at page 26, line 29 skipping to change at page 29, line 8
15. vendor. The vendor that produces an asset. 15. vendor. The vendor that produces an asset.
16. vendor-support. A vendor that provides services. 16. vendor-support. A vendor that provides services.
17. victim. A victim in the incident. 17. victim. A victim in the incident.
18. victim-notified. A victim in the incident who has been 18. victim-notified. A victim in the incident who has been
notified. notified.
19. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-role
Optional. STRING. A means by which to extend the role attribute.
See Section 5.1.1.
type type
Required. ENUM. Indicates the type of contact being described. Required. ENUM. Indicates the type of contact being described.
This attribute is defined as an enumerated list. These values are This attribute is defined as an enumerated list. These values are
maintained in the "Contact-type" IANA registry per Table 1. maintained in the "Contact-type" IANA registry per Table 1.
1. person. The information for this contact references an 1. person. The information for this contact references an
individual. individual.
2. organization. The information for this contact references an 2. organization. The information for this contact references an
organization. organization.
3. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
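The recursive Contact definition means a consumer cannot read one Contact element in isolation: a complete point of contact is the traversal from the root Contact to a leaf, with each child inheriting whatever it does not set itself (organization, postal address, time zone, restriction). The following Python is an added example, not code from this draft or from any IODEF implementation, that flattens a nested Contact tree into one merged record per leaf and reports Contacts that violate the "at least one aggregate class" rule stated above. The Contact tree is constructed; the field names used for the merged record are the class names from Figure 10.

```python
"""Flatten nested IODEF Contact classes into complete points of contact
by ancestor inheritance (added example; the Contact tree is constructed)."""
import xml.etree.ElementTree as ET

SAMPLE = """<Contact role="creator" type="organization" restriction="partner">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress>1 Example Street, Springfield</PostalAddress>
  <Timezone>+01:00</Timezone>
  <Email>csirt@example.com</Email>
  <Contact role="reporter" type="person">
    <ContactName>Alice Analyst</ContactName>
    <Email>alice@example.com</Email>
  </Contact>
  <Contact role="victim" type="person" restriction="need-to-know">
    <ContactName>Bob Operator</ContactName>
  </Contact>
  <Contact role="victim-notified" type="person"/>
</Contact>"""

SINGLE = ("PostalAddress", "Timezone", "Fax")              # {0..1} children
MULTI = ("ContactName", "ContactTitle", "Description",
         "RegistryHandle", "Email", "Telephone")           # {0..*} children


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def own_fields(elem):
    """The information a single Contact element carries itself."""
    rec = {"role": elem.get("role"), "type": elem.get("type"),
           "restriction": elem.get("restriction")}
    for tag in SINGLE:
        node = next((c for c in elem if local(c.tag) == tag), None)
        rec[tag] = (node.text or "").strip() if node is not None else None
    for tag in MULTI:
        rec[tag] = [(c.text or "").strip() for c in elem if local(c.tag) == tag]
    if rec["type"] == "organization" and rec["ContactName"]:
        rec["organization"] = rec["ContactName"][0]   # nearest organization on the path
    return rec


def inherit(parent, own):
    """A child keeps what it sets and takes the rest from its ancestors."""
    merged = dict(parent or {})
    for key, value in own.items():
        if value not in (None, []) or key not in merged:
            merged[key] = value
    return merged


def flatten(elem, inherited=None, problems=None):
    """Return one merged record per leaf Contact under elem; Contacts that
    carry nothing at all are reported in `problems` and skipped."""
    problems = [] if problems is None else problems
    if len(elem) == 0:
        problems.append(f"{elem.get('role')}: Contact carries no information")
        return []
    merged = inherit(inherited, own_fields(elem))
    children = [c for c in elem if local(c.tag) == "Contact"]
    if not children:
        return [merged]
    records = []
    for child in children:
        records.extend(flatten(child, merged, problems))
    return records


def points_of_contact(xml_text):
    """Parse a Contact tree and return (records, problems)."""
    problems = []
    records = flatten(ET.fromstring(xml_text), None, problems)
    return records, problems


if __name__ == "__main__":
    recs, probs = points_of_contact(SAMPLE)
    for rec in recs:
        print(rec["role"], rec["ContactName"], rec["organization"], rec["Email"])
    print("problems:", probs)
```

Inheritance applies to the restriction attribute as well (Section 3.3.1), so the reporter record carries "partner" from the organization while the victim keeps its own "need-to-know".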
3.10.1. RegistryHandle Class 3.10.1. RegistryHandle Class
The RegistryHandle class represents a handle into an Internet The RegistryHandle class represents a handle into an Internet
registry or community-specific database. The handle is specified in registry or community-specific database. The handle is specified in
the element content and the type attribute specifies the database. the element content and the type attribute specifies the database.
+---------------------+ +---------------------+
| RegistryHandle | | RegistryHandle |
+---------------------+ +---------------------+
| STRING | | STRING |
| | | |
| ENUM registry | | ENUM registry |
| STRING ext-registry |
+---------------------+ +---------------------+
Figure 10: The RegistryHandle Class Figure 11: The RegistryHandle Class
The RegistryHandle class has one attribute: The RegistryHandle class has two attributes:
registry registry
Required. ENUM. The database to which the handle belongs. These Required. ENUM. The database to which the handle belongs. These
values are maintained in the "RegistryHandle-registry" IANA values are maintained in the "RegistryHandle-registry" IANA
registry per Table 1. The possible values are: registry per Table 1. The possible values are:
1. internic. Internet Network Information Center 1. internic. Internet Network Information Center
2. apnic. Asia Pacific Network Information Center 2. apnic. Asia Pacific Network Information Center
3. arin. American Registry for Internet Numbers 3. arin. American Registry for Internet Numbers
4. lacnic. Latin-American and Caribbean IP Address Registry 4. lacnic. Latin-American and Caribbean IP Address Registry
5. ripe. Reseaux IP Europeens 5. ripe. Reseaux IP Europeens
6. afrinic. African Internet Numbers Registry 6. afrinic. African Internet Numbers Registry
7. local. A database local to the CSIRT 7. local. A database local to the CSIRT
8. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-registry
Optional. STRING. A means by which to extend the registry
attribute. See Section 5.1.1.
3.10.2. PostalAddress Class 3.10.2. PostalAddress Class
The PostalAddress class specifies a postal address formatted The PostalAddress class specifies a postal address formatted
according to the POSTAL data type (Section 2.11). according to the POSTAL data type (Section 2.11).
+---------------------+ +---------------------+
| PostalAddress | | PostalAddress |
+---------------------+ +---------------------+
| POSTAL | | POSTAL |
| | | |
| STRING meaning | | STRING meaning |
| ENUM lang | | ENUM xml:lang |
+---------------------+ +---------------------+
Figure 11: The PostalAddress Class Figure 12: The PostalAddress Class
The PostalAddress class has two attributes: The PostalAddress class has two attributes:
meaning meaning
Optional. STRING. A free-form description of the element Optional. STRING. A free-form description of the element
content. content.
lang xml:lang
Optional. ENUM. A valid language code per [RFC5646] constrained Optional. ENUM. A language identifier per Section 2.12 of
by the definition of "xs:language". The interpretation of this [W3C.XML] whose values and form are described in [RFC5646]. The
code is described in Section 6. interpretation of this code is described in Section 6.
3.10.3. Email Class 3.10.3. Email Class
The Email class specifies an email address formatted according to The Email class specifies an email address formatted according to
EMAIL data type (Section 2.14). EMAIL data type (Section 2.14).
+--------------+ +--------------+
| Email | | Email |
+--------------+ +--------------+
| EMAIL | | EMAIL |
| | | |
| ENUM meaning | | ENUM meaning |
+--------------+ +--------------+
Figure 12: The Email Class Figure 13: The Email Class
The Email class has one attribute: The Email class has one attribute:
meaning meaning
Optional. ENUM. A free-form description of the element content. Optional. ENUM. A free-form description of the element content.
3.10.4. Telephone and Fax Classes 3.10.4. Telephone and Fax Classes
The Telephone and Fax classes specify a voice or fax telephone number The Telephone and Fax classes specify a voice or fax telephone number
respectively, and are formatted according to PHONE data type respectively, and are formatted according to PHONE data type
(Section 2.13). (Section 2.13).
+--------------------+ +--------------------+
| {Telephone | Fax } | | {Telephone | Fax } |
+--------------------+ +--------------------+
| PHONE | | PHONE |
| | | |
| ENUM meaning | | ENUM meaning |
+--------------------+ +--------------------+
Figure 13: The Telephone and Fax Classes Figure 14: The Telephone and Fax Classes
The Telephone class has one attribute: The Telephone class has one attribute:
meaning meaning
Optional. ENUM. A free-form description of the element content Optional. ENUM. A free-form description of the element content
(e.g., hours of coverage for a given number). (e.g., hours of coverage for a given number).
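Review bot: The "meaning" attribute is typed ENUM in the Email figure ("| ENUM meaning |") and in the Telephone/Fax figure, yet both descriptions call it "A free-form description of the element content", which is the wording used for the STRING-typed "meaning" of PostalAddress ("| STRING meaning |"). Either change the type to STRING in the Email and Telephone/Fax figures and attribute lists, or enumerate the permitted values. In the same hunk, "The Telephone class has one attribute:" should read "The Telephone and Fax classes each have one attribute:" since the figure and heading cover both classes.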
3.11. Time Classes 3.11. Time Classes
The data model uses five different classes to represent a timestamp. The data model uses six different classes to represent a timestamp.
Their definition is identical, but each has a distinct name to convey Their definition is identical, but each has a distinct name to convey
a difference in semantics. a difference in semantics.
The element content of each class is a timestamp formatted according The element content of each class is a timestamp formatted according
to the DATETIME data type (see Section 2.8). to the DATETIME data type (see Section 2.8).
+----------------------------------+ +-----------------+
| {Start| End| Report| Detect}Time | | StartTime |
+----------------------------------+ | EndTime |
| DATETIME | | ReportTime |
+----------------------------------+ | DetectTime |
| GenerationTime |
| DateTime |
+-----------------+
| DATETIME |
+-----------------+
Figure 14: The Time Classes Figure 15: The Time Classes
3.11.1. StartTime Class 3.11.1. StartTime Class
The StartTime class represents the time the incident began. The StartTime class represents the time the incident began.
3.11.2. EndTime Class 3.11.2. EndTime Class
The EndTime class represents the time the incident ended. The EndTime class represents the time the incident ended.
3.11.3. DetectTime Class 3.11.3. DetectTime Class
The DetectTime class represents the time the first activity of the The DetectTime class represents the time the first activity of the
incident was detected. incident was detected.
3.11.4. ReportTime Class 3.11.4. ReportTime Class
The ReportTime class represents the time the incident was reported. The ReportTime class represents the time the incident was reported.
This timestamp MUST be the time at which the IODEF document was
generated.
3.11.5. DateTime 3.11.5. GenerationTime Class
The GenerationTime class represents the time when the IODEF document
was produced. This timestamp MUST be the time at which the IODEF
document was generated.
3.11.6. DateTime
The DateTime class is a generic representation of a timestamp. Infer The DateTime class is a generic representation of a timestamp. Infer
its semantics from the parent class in which it is aggregated. its semantics from the parent class in which it is aggregated.
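Review bot: With the "MUST be the time at which the IODEF document was generated" sentence moved from ReportTime to the new GenerationTime class, ReportTime is now defined only as "the time the incident was reported", which no longer says how it differs from GenerationTime (reported to whom, by whom); a sentence stating that distinction would prevent implementers from populating both with the document creation time. Also, the heading "3.11.6. DateTime" lacks the "Class" suffix used by its siblings ("3.11.5. GenerationTime Class"), and the sentence "The data model uses six different classes" should be checked against the figure, which does list six names.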
3.12. Discovery Class 3.12. Discovery Class
The Discovery class describes how an incident was detected. The Discovery class describes how an incident was detected.
+-------------------+ +------------------------+
| Discovery | | Discovery |
+-------------------+ +------------------------+
| ENUM source |<>--{0..*}--[ Description ] | ENUM source |<>--{0..*}--[ Description ]
| ENUM restriction |<>--{0..*}--[ Contact ] | STRING ext-source |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ DetectionPattern ] | ENUM restriction |<>--{0..*}--[ DetectionPattern ]
+-------------------+ | STRING ext-restriction |
+------------------------+
Figure 15: The Discovery Class Figure 16: The Discovery Class
The Discovery class is composed of three aggregate classes. The Discovery class is composed of three aggregate classes.
Description Description
Zero or more. ML_STRING. A free-form text description of how Zero or more. ML_STRING. A free-form text description of how
this incident was detected. this incident was detected.
Contact Contact
Zero or more. Contact information for the party that discovered Zero or more. Contact information for the party that discovered
the incident. the incident.
DetectionPattern DetectionPattern
Zero or more. Describes an application-specific configuration Zero or more. Describes an application-specific configuration
that detected the incident. that detected the incident.
The Discovery class has two attribute: The Discovery class has four attribute:
source source
Optional. ENUM. Categorizes the techniques used to discover the Optional. ENUM. Categorizes the techniques used to discover the
incident. These values are partially derived from Table 3-1 of incident. These values are partially derived from Table 3-1 of
[NIST800.61rev2]. These values are maintained in the "Discovery- [NIST800.61rev2]. These values are maintained in the "Discovery-
source" IANA registry per Table 1. source" IANA registry per Table 1.
1. nidps. Network Intrusion Detection or Prevention system. 1. nidps. Network Intrusion Detection or Prevention system.
2. hips. Host-based Intrusion Prevention system. 2. hips. Host-based Intrusion Prevention system.
skipping to change at page 31, line 40 skipping to change at page 35, line 10
organization. organization.
17. partner. A customer or business partner reported the 17. partner. A customer or business partner reported the
activity to the victim organization. activity to the victim organization.
18. actor. The threat actor directly or indirectly reported this 18. actor. The threat actor directly or indirectly reported this
activity to the victim organization. activity to the victim organization.
19. unknown. Unknown detection approach. 19. unknown. Unknown detection approach.
20. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-source
Optional. STRING. A means by which to extend the source
attribute. See Section 5.1.1.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
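Review bot: "The Discovery class has four attribute:" should read "four attributes:" (the count itself is right: source, ext-source, restriction, ext-restriction). The change of the restriction reference from "Section 3.2" to "Section 3.3.1" is consistent with the same edit made to DetectionPattern, Method, Assessment and History in this revision.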
3.12.1. DetectionPattern Class 3.12.1. DetectionPattern Class
The DetectionPattern class describes a configuration or signature The DetectionPattern class describes a configuration or signature
that can be used by an IDS/IPS, SIEM, anti-virus, end-point that can be used by an IDS/IPS, SIEM, anti-virus, end-point
protection, network analysis, malware analysis, or host forensics protection, network analysis, malware analysis, or host forensics
tool to identify a particular phenomenon. This class requires the tool to identify a particular phenomenon. This class requires the
identification of the target application and allows the configuration identification of the target application and allows the configuration
to be describes in either free-form or machine readable form. to be describes in either free-form or machine readable form.
+------------------+ +------------------------+
| DetectionPattern | | DetectionPattern |
+------------------+ +------------------------+
| ENUM restriction |<>----------[ Application ] | ENUM restriction |<>----------[ Application ]
| |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ DetectionConfiguration ] | |<>--{0..*}--[ DetectionConfiguration ]
+------------------+ +------------------------+
Figure 16: The DetectionPattern Class Figure 17: The DetectionPattern Class
The DetectionPattern class is composed of three aggregate classes. The DetectionPattern class is composed of three aggregate classes.
Application Application
. One. The application for which the DetectionConfiguration or . One. The application for which the DetectionConfiguration or
Description is being provided. Description is being provided.
Description Description
Zero or more. ML_STRING. A free-form text description of how to Zero or more. ML_STRING. A free-form text description of how to
use the Application or provided DetectionConfiguration. use the Application or provided DetectionConfiguration.
DetectionConfiguration DetectionConfiguration
Zero or more. STRING. A machine consumable configuration to find Zero or more. STRING. A machine consumable configuration to find
a pattern of activity. a pattern of activity.
Either an instance of the Description or DetectionConfiguration class Either an instance of the Description or DetectionConfiguration class
MUST be present. MUST be present.
The Method class has one attribute: The DetectionPattern class has two attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
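Review bot: Two wording defects survive in this hunk: "allows the configuration to be describes in either free-form or machine readable form" should read "to be described in either free-form or machine-readable form", and the Application entry begins with a stray ". " before "One.". The old column's "The Method class has one attribute:" was correctly replaced by "The DetectionPattern class has two attributes:", so that copy-paste error is resolved here.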
3.13. Method Class 3.13. Method Class
The Method class describes the tactics, techniques, or procedures The Method class describes the tactics, techniques, or procedures
used by the intruder in the incident. This class consists of both a used by the intruder in the incident. This class consists of both a
list of references describing the attack method and a free form list of references describing the attack method and a free form
description. description.
+------------------+ +------------------------+
| Method | | Method |
+------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ enum:Reference ] | ENUM restriction |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------+ +------------------------+
Figure 17: The Method Class Figure 18: The Method Class
The Method class is composed of three aggregate classes. The Method class is composed of three aggregate classes.
enum:Reference enum:Reference
Zero or more. A reference to a vulnerability, malware sample, Zero or more. A reference to a vulnerability, malware sample,
advisory, or analysis of an attack technique per [RFC-ENUM]. advisory, or analysis of an attack technique.
Description Description
Zero or more. ML_STRING. A free-form text description of Zero or more. ML_STRING. A free-form text description of
techniques, tactics, or procedures used by the intruder. techniques, tactics, or procedures used by the intruder.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
Either an instance of the Reference or Description class MUST be Either an instance of the Reference or Description class MUST be
present. present.
The Method class has one attribute: The Method class has two attributes:
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.13.1. Reference Class
The Reference class is an external reference to relevant information
such a vulnerability, IDS alert, malware sample, advisory, or attack
technique. A reference consists of a name, a URL to this reference,
and an optional description.
+-------------------------+
| Reference |
+-------------------------+
| ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+-------------------------+
Figure 19: The Reference Class
The aggregate classes that constitute Reference:
ReferenceName
Zero or one. Reference identifier per [RFC-ENUM].
URL
Zero or more. URL. A URL associated with the reference.
Description
Zero or more. ML_STRING. A free-form text description of this
reference.
At least one of these classes MUST be present.
The Reference class has one attribute.
observable-id
Optional. ID. See Section 3.3.2.
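Review bot: The Method figure drops the namespace prefix ("[ Reference ]" replaces "[ enum:Reference ]") and the text drops "per [RFC-ENUM]", but the aggregate-class list still reads "enum:Reference" in both columns; the new Reference class figure likewise shows "[ enum:ReferenceName ]" while its list says "ReferenceName" with "per [RFC-ENUM]". Pick one convention for the enum namespace and apply it to the figures, the lists and the [RFC-ENUM] citations. Minor: "relevant information such a vulnerability" should be "such as a vulnerability", and "The Reference class has one attribute." should end with a colon like the other attribute lead-ins.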
3.14. Assessment Class 3.14. Assessment Class
The Assessment class describes the repercussions of the incident to The Assessment class describes the repercussions of the incident to
the victim. the victim.
+-------------------------+ +-------------------------+
| Assessment | | Assessment |
+-------------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ IncidentCategory ] | ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
| ENUM restriction |<>--{0..*}--[ SystemImpact ] | ENUM restriction |<>--{0..*}--[ SystemImpact ]
| ID observable-id |<>--{0..*}--[ BusinessImpact ] | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
| |<>--{0..*}--[ TimeImpact ] | ID observable-id |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ] | |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ IntendedImpact ] | |<>--{0..*}--[ IntendedImpact ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
| |<>--{0..*}--[ MitigatingFactor ] | |<>--{0..*}--[ MitigatingFactor ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 18: Assessment Class Figure 20: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
IncidentCategory IncidentCategory
Zero or more. ML_STRING. A free-form text description Zero or more. ML_STRING. A free-form text description
categorizing the type of Incident. categorizing the type of Incident.
SystemImpact SystemImpact
Zero or more. Technical characterization of the impact of the Zero or more. Technical characterization of the impact of the
activity on the victim's enterprise. activity on the victim's enterprise.
skipping to change at page 34, line 43 skipping to change at page 39, line 22
Confidence Confidence
Zero or one. An estimate of confidence in the assessment. Zero or one. An estimate of confidence in the assessment.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
A least one instance of the possible three impact classes (i.e., A least one instance of the possible three impact classes (i.e.,
Impact, TimeImpact, or MonetaryImpact) MUST be present. Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has three attributes: The Assessment class has four attributes:
occurrence occurrence
Optional. ENUM. Specifies whether the assessment is describing Optional. ENUM. Specifies whether the assessment is describing
actual or potential outcomes. actual or potential outcomes.
1. actual. This assessment describes activity that has occurred. 1. actual. This assessment describes activity that has occurred.
2. potential. This assessment describes potential activity that 2. potential. This assessment describes potential activity that
might occur. might occur.
restriction restriction
Optional. ENUM. This attribute is defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
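Review bot: "A least one instance of the possible three impact classes (i.e., Impact, TimeImpact, or MonetaryImpact) MUST be present." is stale as well as misspelled: "A least" should be "At least", and "Impact" is not one of the aggregates in the figure, which shows SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact and IntendedImpact. Restate the constraint in terms of the classes actually listed so that validators and the schema agree on which elements satisfy it.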
3.14.1. SystemImpact Class 3.14.1. SystemImpact Class
The SystemImpact class describes the technical impact of the incident The SystemImpact class describes the technical impact of the incident
to the systems on the network. to the systems on the network.
This class is based on [RFC4765]. This class is based on [RFC4765].
+------------------+ +-----------------------+
| SystemImpact | | SystemImpact |
+------------------+ +-----------------------+
| ML_STRING | | ML_STRING |
| | | |
| ENUM lang | | ENUM xml:lang |
| ENUM severity | | STRING translation-id |
| ENUM completion | | ENUM severity |
| ENUM type | | ENUM completion |
+------------------+ | ENUM type |
| STRING ext-type |
+-----------------------+
Figure 19: SystemImpact Class Figure 21: SystemImpact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact. impact.
The SystemImpact class has four attributes: The SystemImpact class has six attributes:
lang xml:lang
Optional. ENUM. A valid language code per [RFC5646] constrained Optional. ENUM. A language identifier. See Section 6.
by the definition of "xs:language". The interpretation of this
code is described in Section 6. translation-id
Optional. STRING. An identifier to relate other instances of
this class as translations of this text. See Section 6.
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
1. low. Low severity 1. low. Low severity
2. medium. Medium severity 2. medium. Medium severity
skipping to change at page 37, line 33 skipping to change at page 42, line 22
monitored. monitored.
21. monitoring-host. System activity (e.g., running processes, 21. monitoring-host. System activity (e.g., running processes,
keystrokes) were monitored. keystrokes) were monitored.
22. policy. Activity violated the system owner's acceptable use 22. policy. Activity violated the system owner's acceptable use
policy. policy.
23. unknown. The impact is unknown. 23. unknown. The impact is unknown.
24. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
3.14.2. BusinessImpact Class 3.14.2. BusinessImpact Class
The BusinessImpact class describes and characterizes the degree to The BusinessImpact class describes and characterizes the degree to
which the function of the organization was impacted by the Incident. which the function of the organization was impacted by the Incident.
The element body describes the impact to the organization as a free- The element body describes the impact to the organization as a free-
form text string. The two attributes characterize the impact. form text string. The two attributes characterize the impact.
+-------------------------+ +-------------------------+
| BusinessImpact | | BusinessImpact |
+-------------------------+ +-------------------------+
| ML_STRING | | ML_STRING |
| | | |
| ENUM xml:lang |
| STRING translation-id |
| ENUM severity | | ENUM severity |
| STRING ext-severity |
| ENUM type | | ENUM type |
| STRING ext-type |
+-------------------------+ +-------------------------+
Figure 20: BusinessImpact Class Figure 22: BusinessImpact Class
The element content will be a free-form textual description of the The element content will be a free-form textual description of the
impact to the organization. impact to the organization.
The BusinessImpact class has two attributes: The BusinessImpact class has four attributes:
xml:lang
Optional. ENUM. A language identifier. See Section 6.
translation-id
Optional. STRING. An identifier to relate other instances of
this class as translations of this text. See Section 6.
severity severity
Optional. ENUM. Characterizes the severity of the incident on Optional. ENUM. Characterizes the severity of the incident on
business functions. The permitted values are shown below. They business functions. The permitted values are shown below. They
were derived from Table 3-2 of [NIST800.61rev2]. The default were derived from Table 3-2 of [NIST800.61rev2]. The default
value is "unknown". These values are maintained in the value is "unknown". These values are maintained in the
"BusinessImpact-severity" IANA registry per Table 1. "BusinessImpact-severity" IANA registry per Table 1.
1. none. No effect to the organization's ability to provide all 1. none. No effect to the organization's ability to provide all
services to all users. services to all users.
skipping to change at page 38, line 31 skipping to change at page 43, line 38
critical services to all users but has lost efficiency. critical services to all users but has lost efficiency.
3. medium. The organization has lost the ability to provide a 3. medium. The organization has lost the ability to provide a
critical service to a subset of system users. critical service to a subset of system users.
4. high. The organization is no longer able to provide some 4. high. The organization is no longer able to provide some
critical services to any users. critical services to any users.
5. unknown. The impact is not known. 5. unknown. The impact is not known.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-severity
Optional. STRING. A means by which to extend the severity
attribute. See Section 5.1.1.
type type
Required. ENUM. Characterizes the effect this incident had on Required. ENUM. Characterizes the effect this incident had on
the business. The permitted values are shown below. There is no the business. The permitted values are shown below. There is no
default value. These values are maintained in the default value. These values are maintained in the
"BusinessImpact-type" IANA registry per Table 1. "BusinessImpact-type" IANA registry per Table 1.
1. breach-proprietary. Sensitive or proprietary information was 1. breach-proprietary. Sensitive or proprietary information was
accessed or exfiltrated. accessed or exfiltrated.
2. breach-privacy. Personally identifiable information was 2. breach-privacy. Personally identifiable information was
skipping to change at page 39, line 19 skipping to change at page 44, line 32
9. asset-damage. A cyber-physical system was damaged. 9. asset-damage. A cyber-physical system was damaged.
10. asset-manipulation. A cyber-physical system was manipulated. 10. asset-manipulation. A cyber-physical system was manipulated.
11. legal. The incident resulted in legal or regulatory action. 11. legal. The incident resulted in legal or regulatory action.
12. extortion. The incident resulted in actors extorting the 12. extortion. The incident resulted in actors extorting the
victim organization. victim organization.
13. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
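Review bot: "The BusinessImpact class has four attributes:" does not match the hunk, which defines six (xml:lang, translation-id, severity, ext-severity, type, ext-type) and whose figure lists the same six. The introductory sentence "The two attributes characterize the impact." is also left over from the earlier two-attribute definition and should be updated or dropped.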
3.14.3. TimeImpact Class 3.14.3. TimeImpact Class
The TimeImpact class describes the impact of the incident on an The TimeImpact class describes the impact of the incident on an
organization as a function of time. It provides a way to convey down organization as a function of time. It provides a way to convey down
time and recovery time. time and recovery time.
+---------------------+ +---------------------+
| TimeImpact | | TimeImpact |
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| ENUM metric | | ENUM metric |
| STRING ext-metrics |
| ENUM duration | | ENUM duration |
| STRING ext-duration |
+---------------------+ +---------------------+
Figure 21: TimeImpact Class Figure 23: TimeImpact Class
The element content is a positive, floating point (REAL) number The element content is a positive, floating point (REAL) number
specifying a unit of time. The duration and metric attributes will specifying a unit of time. The duration and metric attributes will
imply the semantics of the element content. imply the semantics of the element content.
The TimeImpact class has three attributes: The TimeImpact class has five attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
1. low. Low severity 1. low. Low severity
2. medium. Medium severity 2. medium. Medium severity
3. high. High severity 3. high. High severity
metric metric
Required. ENUM. Defines the metric in which the time is Required. ENUM. Defines the metric in which the time is
expressed. The permitted values are shown below. There is no expressed. The permitted values are shown below. There is no
default value. These values are maintained in the "TimeImpact- default value. These values are maintained in the "TimeImpact-
metric" IANA registry per Table 1. metric" IANA registry per Table 1.
1. labor. Total staff-time to recovery from the activity (e.g., 1. labor. Total staff-time to recovery from the activity (e.g.,
2 employees working 4 hours each would be 8 hours). 2 employees working 4 hours each would be 8 hours).
skipping to change at page 40, line 21 skipping to change at page 45, line 51
1. labor. Total staff-time to recovery from the activity (e.g., 1. labor. Total staff-time to recovery from the activity (e.g.,
2 employees working 4 hours each would be 8 hours). 2 employees working 4 hours each would be 8 hours).
2. elapsed. Elapsed time from the beginning of the recovery to 2. elapsed. Elapsed time from the beginning of the recovery to
its completion (i.e., wall-clock time). its completion (i.e., wall-clock time).
3. downtime. Duration of time for which some provided service(s) 3. downtime. Duration of time for which some provided service(s)
was not available. was not available.
4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-metric
Optional. STRING. A means by which to extend the metric
attribute. See Section 5.1.1.
duration duration
Optional. ENUM. Defines a unit of time, that when combined with Optional. ENUM. Defines a unit of time, that when combined with
the metric attribute, fully describes a metric of impact that will the metric attribute, fully describes a metric of impact that will
be conveyed in the element content. The permitted values are be conveyed in the element content. The permitted values are
shown below. The default value is "hour". These values are shown below. The default value is "hour". These values are
maintained in the "TimeImpact-duration" IANA registry per Table 1. maintained in the "TimeImpact-duration" IANA registry per Table 1.
1. second. The unit of the element content is seconds. 1. second. The unit of the element content is seconds.
2. minute. The unit of the element content is minutes. 2. minute. The unit of the element content is minutes.
skipping to change at page 40, line 42 skipping to change at page 46, line 30
3. hour. The unit of the element content is hours. 3. hour. The unit of the element content is hours.
4. day. The unit of the element content is days. 4. day. The unit of the element content is days.
5. month. The unit of the element content is months. 5. month. The unit of the element content is months.
6. quarter. The unit of the element content is quarters. 6. quarter. The unit of the element content is quarters.
7. year. The unit of the element content is years. 7. year. The unit of the element content is years.
8. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-duration
Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.1.
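Review bot: The TimeImpact figure names the extension attribute "STRING ext-metrics" while the attribute list defines "ext-metric"; the figure should use the singular to match the definition and the other ext-* names. Also, "Total staff-time to recovery from the activity" should read "to recover from the activity".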
3.14.4. MonetaryImpact Class 3.14.4. MonetaryImpact Class
The MonetaryImpact class describes the financial impact of the The MonetaryImpact class describes the financial impact of the
activity on an organization. For example, this impact may consider activity on an organization. For example, this impact may consider
losses due to the cost of the investigation or recovery, diminished losses due to the cost of the investigation or recovery, diminished
productivity of the staff, or a tarnished reputation that will affect productivity of the staff, or a tarnished reputation that will affect
future opportunities. future opportunities.
+------------------+ +------------------+
| MonetaryImpact | | MonetaryImpact |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM severity | | ENUM severity |
| STRING currency | | STRING currency |
+------------------+ +------------------+
Figure 22: MonetaryImpact Class Figure 24: MonetaryImpact Class
The element content is a positive, floating point number (REAL) The element content is a positive, floating point number (REAL)
specifying a unit of currency described in the currency attribute. specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes: The MonetaryImpact class has two attributes:
severity severity
Optional. ENUM. An estimate of the relative severity of the Optional. ENUM. An estimate of the relative severity of the
activity. The permitted values are shown below. There is no activity. The permitted values are shown below. There is no
default value. default value.
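Review bot: "a positive, floating point number (REAL) specifying a unit of currency described in the currency attribute" conflates the amount with its unit; the element content is an amount, and the currency attribute supplies the unit, so "specifying an amount in the currency identified by the currency attribute" would be clearer. The TimeImpact text has the same "specifying a unit of time" phrasing.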
skipping to change at page 42, line 13 skipping to change at page 48, line 13
This class if based upon [RFC4765]. This class if based upon [RFC4765].
+------------------+ +------------------+
| Confidence | | Confidence |
+------------------+ +------------------+
| REAL | | REAL |
| | | |
| ENUM rating | | ENUM rating |
+------------------+ +------------------+
Figure 23: Confidence Class Figure 25: Confidence Class
The element content expresses a numerical assessment in the The element content expresses a numerical assessment in the
confidence of the data when the value of the rating attribute is confidence of the data when the value of the rating attribute is
"numeric". Otherwise, this element MUST be empty. "numeric". Otherwise, this element MUST be empty.
The Confidence class has one attribute. The Confidence class has one attribute.
rating rating
Required. ENUM. A rating of the analytical validity of the Required. ENUM. A rating of the analytical validity of the
specified Assessment. The permitted values are shown below. specified Assessment. The permitted values are shown below.
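Review bot: "This class if based upon [RFC4765]." should read "This class is based upon [RFC4765]." (the SystemImpact section uses "This class is based on [RFC4765]."). "The Confidence class has one attribute." should end with a colon to match the other attribute lead-ins.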
skipping to change at page 43, line 5 skipping to change at page 49, line 5
3.15. History Class

The History class is a log of the significant events or actions
performed by the involved parties during the course of handling the
incident.

The level of detail maintained in this log is left up to the
discretion of those handling the incident.

+------------------------+
| History                |
+------------------------+
| ENUM restriction       |<>--{1..*}--[ HistoryItem ]
| STRING ext-restriction |
+------------------------+

Figure 26: The History Class

The class that constitutes History is:

HistoryItem
   One or many. Entry in the history log of significant events or
   actions performed by the involved parties.

The History class has two attributes:

restriction
   Optional. ENUM. See Section 3.3.1. The default value is
   "default".

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.
3.15.1. HistoryItem Class

The HistoryItem class is an entry in the History (Section 3.15) log
that documents a particular action or event that occurred in the
course of handling the incident. The details of the entry are a
free-form description, but each can be categorized with the action
attribute.

+-------------------------+
| HistoryItem             |
+-------------------------+
| ENUM restriction        |<>----------[ DateTime ]
| STRING ext-restriction  |<>--{0..1}--[ IncidentID ]
| ENUM action             |<>--{0..1}--[ Contact ]
| STRING ext-action       |<>--{0..*}--[ Description ]
| ID observable-id        |<>--{0..*}--[ DefinedCOA ]
|                         |<>--{0..*}--[ AdditionalData ]
+-------------------------+

Figure 27: HistoryItem Class

The aggregate classes that constitute HistoryItem are:

DateTime
   One. Timestamp of this entry in the history log (e.g., when the
   action described in the Description was taken).

IncidentID
   Zero or One. In a history log created by multiple parties, the
   IncidentID provides a mechanism to specify which CSIRT created a

skipping to change at page 50, line 33
DefinedCOA
   Zero or more. ML_STRING. A unique identifier meaningful to the
   sender and recipient of this document that references a course of
   action. This class MUST be present if the action attribute is set
   to "defined-coa".

AdditionalData
   Zero or more. A mechanism by which to extend the data model.

The HistoryItem class has five attributes:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

action
   Required. ENUM. Classifies a performed action or occurrence
   documented in this history log entry. As activity will likely
   have been instigated either through a previously conveyed
   expectation or internal investigation, this attribute is identical
   to the action attribute of the Expectation class. The difference
   is only one of tense. When an action is in this class, it has
   been completed. See Section 3.17.

ext-action
   Optional. STRING. A means by which to extend the action
   attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
3.16. EventData Class

The EventData class describes a particular event of the incident for
a given set of hosts or networks. This description includes the
systems from which the activity originated and those targeted, an
assessment of the techniques used by the intruder, the impact of the
activity on the organization, and any forensic evidence discovered.

+-------------------------+
| EventData               |
+-------------------------+
| ENUM restriction        |<>--{0..*}--[ Description ]
| STRING ext-restriction  |<>--{0..1}--[ DetectTime ]
| ID observable-id        |<>--{0..1}--[ StartTime ]
|                         |<>--{0..1}--[ EndTime ]
|                         |<>--{0..1}--[ RecoveryTime ]
|                         |<>--{0..1}--[ ReportTime ]
|                         |<>--{0..*}--[ Contact ]
|                         |<>--{0..*}--[ Discovery ]
|                         |<>--{0..1}--[ Assessment ]
|                         |<>--{0..*}--[ Method ]
|                         |<>--{0..*}--[ Flow ]
|                         |<>--{0..*}--[ Expectation ]
|                         |<>--{0..1}--[ Record ]
|                         |<>--{0..*}--[ EventData ]
|                         |<>--{0..*}--[ AdditionalData ]
+-------------------------+

Figure 28: The EventData Class

The aggregate classes that constitute EventData are:

Description
   Zero or more. ML_STRING. A free-form textual description of the
   event.

DetectTime
   Zero or one. The time the event was detected.

skipping to change at page 53, line 9
not containing other EventData instances) represent actual events.

AdditionalData
   Zero or more. An extension mechanism for data not explicitly
   represented in the data model.

At least one of the aggregate classes MUST be present in an instance
of the EventData class. This is not enforced in the IODEF schema as
there is no simple way to accomplish it.

The EventData class has three attributes:

restriction
   Optional. ENUM. See Section 3.3.1. The default value is
   "default".

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
3.16.1. Relating the Incident and EventData Classes

There is substantial overlap in the Incident and EventData classes.
Nevertheless, the semantics of these classes are quite different.
The Incident class provides summary information about the entire
incident, while the EventData class provides information about the

skipping to change at page 54, line 11

explicit use of unique attribute identifiers in the classes or
duplicating information. Instead, the relative depth (nesting) of a
class is used to group (relate) information.

For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can
be found in Figure 29.

+------------------+
| EventData        |
+------------------+
|                  |<>----[ Contact ]
|                  |
|                  |<>----[ EventData ]<>----[ Flow ]
|                  |      [           ]<>----[ Assessment ]
|                  |
|                  |<>----[ EventData ]<>----[ Flow ]
|                  |      [           ]<>----[ Assessment ]
+------------------+

Figure 29: Recursion in the EventData Class
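The nesting rule above is easy to state and easy to get wrong in a consumer, because the shared Contact is never repeated on the leaves. The following is an added example, not text or code from the draft and not IODEF project code: it builds the structure of Figure 29 as a constructed document and, for each leaf EventData (one that aggregates no further EventData, which is what the draft calls an actual event), resolves the Contact inherited from the enclosing level together with the leaf's own Assessment. The namespace URI, identifiers and MonetaryImpact figures in the sample are assumptions for illustration; matching on local names keeps the walker indifferent to the namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring Figure 29: the outer EventData carries the
# shared technical Contact; each nested EventData carries one Flow and its
# own Assessment.  Namespace URI and impact figures are assumptions.
SAMPLE = """<IODEF-Document version="2.00"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
 <Incident purpose="reporting">
  <IncidentID name="csirt.example.com">189493</IncidentID>
  <ReportTime>2015-03-23T10:00:00+00:00</ReportTime>
  <EventData>
   <Contact type="organization" role="tech">
    <ContactName>NOC</ContactName>
   </Contact>
   <EventData>
    <Flow><System category="target"><Node>
     <Address category="ipv4-addr">192.0.2.10</Address>
    </Node></System></Flow>
    <Assessment>
     <MonetaryImpact severity="high" currency="USD">12000</MonetaryImpact>
    </Assessment>
   </EventData>
   <EventData>
    <Flow><System category="target"><Node>
     <Address category="ipv4-addr">192.0.2.11</Address>
    </Node></System></Flow>
    <Assessment>
     <MonetaryImpact severity="low" currency="USD">300</MonetaryImpact>
    </Assessment>
   </EventData>
  </EventData>
 </Incident>
</IODEF-Document>"""


def _local(tag):
    """Strip the namespace part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def resolve_events(root):
    """Return one record per leaf EventData.

    Context is inherited by nesting: every Contact met on the way down
    applies to the leaves beneath it, while the Assessment is read from
    the leaf itself."""
    records = []

    def walk(event, inherited_contacts):
        contacts = inherited_contacts + [
            cn.text.strip()
            for c in _children(event, "Contact")
            for cn in _children(c, "ContactName")
        ]
        nested = _children(event, "EventData")
        if nested:  # not a leaf: only pass context downward
            for inner in nested:
                walk(inner, contacts)
            return
        addresses = [
            a.text.strip()
            for f in _children(event, "Flow")
            for s in _children(f, "System")
            for n in _children(s, "Node")
            for a in _children(n, "Address")
        ]
        impacts = [
            (mi.get("severity"), mi.get("currency"), float(mi.text))
            for asm in _children(event, "Assessment")
            for mi in _children(asm, "MonetaryImpact")
        ]
        records.append({"addresses": addresses,
                        "contacts": contacts,
                        "impacts": impacts})

    for incident in _children(root, "Incident"):
        for event in _children(incident, "EventData"):
            walk(event, [])
    return records


def resolve_events_from_string(xml_text):
    return resolve_events(ET.fromstring(xml_text))


if __name__ == "__main__":
    for rec in resolve_events_from_string(SAMPLE):
        print(rec)
```

Both leaves come back with the NOC contact and their own severity; a consumer that only reads each EventData in isolation would see no contact at all on either machine.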
3.17. Expectation Class

The Expectation class conveys to the recipient of the IODEF document
the actions the sender is requesting. The scope of the requested
action is limited to the purview of the EventData class in which this
class is aggregated.

+-------------------------+
| Expectation             |
+-------------------------+
| ENUM restriction        |<>--{0..*}--[ Description ]
| STRING ext-restriction  |<>--{0..*}--[ DefinedCOA ]
| ENUM severity           |<>--{0..1}--[ StartTime ]
| ENUM action             |<>--{0..1}--[ EndTime ]
| STRING ext-action       |<>--{0..1}--[ Contact ]
| ID observable-id        |
|                         |
+-------------------------+

Figure 30: The Expectation Class

The aggregate classes that constitute Expectation are:

Description
   Zero or more. ML_STRING. A free-form description of the desired
   action(s).

DefinedCOA
   Zero or more. ML_STRING. A unique identifier meaningful to the
   sender and recipient of this document that references a course of

skipping to change at page 55, line 30
   Zero or one. The time by which the sender expects the recipient
   to complete the action. If the recipient cannot complete the
   action before EndTime, the recipient MUST NOT carry out the
   action. Because of transit delays, clock drift, and so on, the
   sender MUST be prepared for the recipient to have carried out the
   action, even if it completes past EndTime.

Contact
   Zero or one. The expected actor for the action.
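The EndTime rule has two halves, one for each side of the exchange: the recipient must refuse a request it can only complete after EndTime, and the sender must still accept a completion report that arrives late. Here is an added example (not from the draft, not IODEF project code) that implements both halves against a constructed Expectation. The action value "other" and the Description are per the list below; the timestamps are assumptions, and treating StartTime as "not before" is this example's reading, since the draft's StartTime text is not reproduced on this page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed Expectation as it would appear inside an EventData.
# Timestamps are assumptions; IODEF timestamps carry a UTC offset.
SAMPLE = """<Expectation action="other" severity="high">
  <Description>Null-route the listed target addresses at your border.</Description>
  <StartTime>2015-03-23T10:00:00+00:00</StartTime>
  <EndTime>2015-03-23T18:00:00+00:00</EndTime>
</Expectation>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _time_child(expectation, name):
    """Return the named DateTime child as a tz-aware datetime, or None."""
    for child in expectation:
        if _local(child.tag) == name and child.text:
            value = datetime.fromisoformat(child.text.strip())
            if value.tzinfo is None:  # refuse naive timestamps: they cannot be compared safely
                raise ValueError(f"{name} lacks a UTC offset")
            return value
    return None


def recipient_decision(expectation, now):
    """Recipient side: may the requested action be carried out at `now`?

    Returns (act, reason).  Past EndTime the answer is always no."""
    start = _time_child(expectation, "StartTime")
    end = _time_child(expectation, "EndTime")
    if end is not None and now > end:
        return False, "past EndTime; MUST NOT carry out the action"
    if start is not None and now < start:
        return False, "before StartTime"  # this example's reading of StartTime
    return True, "within the requested window"


def sender_classification(expectation, completed_at):
    """Sender side: a completion reported after EndTime (clock drift,
    transit delay) is still a completion, not a protocol error."""
    end = _time_child(expectation, "EndTime")
    if end is None or completed_at <= end:
        return "completed"
    return "completed-late"


def parse_expectation(xml_text):
    return ET.fromstring(xml_text)


def decide(xml_text, now_iso):
    """Convenience wrapper: decision for the Expectation in xml_text at now_iso."""
    return recipient_decision(parse_expectation(xml_text),
                              datetime.fromisoformat(now_iso))


def classify(xml_text, completed_iso):
    """Convenience wrapper: how the sender should record a completion time."""
    return sender_classification(parse_expectation(xml_text),
                                 datetime.fromisoformat(completed_iso))


if __name__ == "__main__":
    now = datetime(2015, 3, 23, 12, 0, tzinfo=timezone.utc).isoformat()
    print(decide(SAMPLE, now))
    print(classify(SAMPLE, "2015-03-23T19:00:00+00:00"))
```

Note that the boundary is inclusive: a recipient acting exactly at EndTime has not gone past it, and a naive timestamp (no offset) is rejected outright rather than silently compared as local time.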
The Expectation class has six attributes:

restriction
   Optional. ENUM. See Section 3.3.1. The default value is
   "default".

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

severity
   Optional. ENUM. Indicates the desired priority of the action.
   This attribute is an enumerated list with no default value, and
   the semantics of these relative measures are context dependent.

   1. low. Low priority
   2. medium. Medium priority

skipping to change at page 57, line 29

   if seen.

   21. training. Train user to identify or mitigate a threat.
   22. defined-coa. Perform a predefined course of action (COA).
       The COA is named in the DefinedCOA class.
   23. other. Perform some custom action described in the
       Description class.
   24. ext-value. An escape value used to extend this attribute.
       See Section 5.1.1.

ext-action
   Optional. STRING. A means by which to extend the action
   attribute. See Section 5.1.1.

observable-id
   Optional. ID. See Section 3.3.2.
3.18. Flow Class

The Flow class groups the related source and target hosts.

+------------------+
| Flow             |
+------------------+
|                  |<>--{1..*}--[ System ]
+------------------+

Figure 31: The Flow Class

The aggregate class that constitutes Flow is:

System
   One or More. A host or network involved in an event.

The Flow class has no attributes.
3.19. System Class

skipping to change at page 58, line 24

according to the role they played in the incident through the
category attribute. The value of this category attribute dictates
the semantics of the aggregated classes in the System class. If the
category attribute has a value of "source", then the aggregated
classes denote the machine and service from which the activity is
originating. With a category attribute value of "target" or
"intermediate", then the machine or service is the one targeted in
the activity. A value of "sensor" dictates that this System was part
of an instrumentation to monitor the network.

+------------------------+
| System                 |
+------------------------+
| ENUM restriction       |<>----------[ Node ]
| STRING ext-restriction |<>--{0..*}--[ NodeRole ]
| ENUM category          |<>--{0..*}--[ Service ]
| STRING ext-category    |<>--{0..*}--[ OperatingSystem ]
| STRING interface       |<>--{0..*}--[ Counter ]
| ENUM spoofed           |<>--{0..*}--[ AssetID ]
| ENUM virtual           |<>--{0..*}--[ Description ]
| ENUM ownership         |<>--{0..*}--[ AdditionalData ]
| STRING ext-ownership   |
|                        |
+------------------------+

Figure 32: The System Class

The aggregate classes that constitute System are:

Node
   One. A host or network involved in the incident.

NodeRole
   Zero or more. The intended purpose of the system.

Service

skipping to change at page 59, line 20

AssetID
   Zero or more. An asset identifier for the System.

Description
   Zero or more. ML_STRING. A free-form text description of the
   System.

AdditionalData
   Zero or more. A mechanism by which to extend the data model.

The System class has nine attributes:

restriction
   Optional. ENUM. See Section 3.3.1.

ext-restriction
   Optional. STRING. A means by which to extend the restriction
   attribute. See Section 5.1.1.

category
   Optional. ENUM. Classifies the role the host or network played
   in the incident. These values are maintained in the "System-
   category" IANA registry per Table 1. The possible values are:

   1. source. The System was the source of the event.
   2. target. The System was the target of the event.
   3. intermediate. The System was an intermediary in the event.
   4. sensor. The System was a sensor monitoring the event.
   5. infrastructure. The System was an infrastructure node of
      IODEF document exchange.
   6. ext-value. An escape value used to extend this attribute.
      See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category
   attribute. See Section 5.1.1.

interface
   Optional. STRING. Specifies the interface on which the event(s)
   on this System originated. If the Node class specifies a network
   rather than a host, this attribute has no meaning.

spoofed
   Optional. ENUM. An indication of confidence in whether this
   System was the true target or attacking host. The permitted
   values for this attribute are shown below. The default value is
   "unknown".

skipping to change at page 61, line 10

      organization.
   4. customer. The System is owned by a customer of the
      organization.
   5. no-relationship. The System is owned by an entity that has no
      known relationship with the organization.
   6. unknown. The ownership of the System is unknown.
   7. ext-value. An escape value used to extend this attribute.
      See Section 5.1.1.

ext-ownership
   Optional. STRING. A means by which to extend the ownership
   attribute. See Section 5.1.1.
3.20. Node Class

The Node class names an asset or network.

This class was derived from [RFC4765].

+---------------+
| Node          |
+---------------+
|               |<>--{0..*}--[ DomainData ]
|               |<>--{0..*}--[ Address ]
|               |<>--{0..1}--[ PostalAddress ]
|               |<>--{0..*}--[ Location ]
|               |<>--{0..1}--[ DateTime ]
|               |<>--{0..*}--[ Counter ]
+---------------+

Figure 33: The Node Class

The aggregate classes that constitute Node are:

DomainData
   Zero or more. The detailed domain (DNS) information associated
   with this Node. If an Address is not provided, at least one
   DomainData MUST be specified.

Address
   Zero or more. The hardware, network, or application address of
   the Node. If a DomainData is not provided, at least one Address
   MUST be specified.

PostalAddress
   Zero or one. The postal address of the asset.

Location
   Zero or more. ML_STRING. A free-form description of the physical
   location of the Node. This description may provide a more
   detailed description of where in the PostalAddress this Node is
   found (e.g., room number, rack number, slot number in a chassis).

Counter
   Zero or more. A counter with which to summarize properties of
   this host or network.

The Node class has no attributes.
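Several of the MUSTs in this data model are co-occurrence rules that XML Schema cannot express, so a schema-valid document can still violate them: an EventData must aggregate at least one class (Section 3.16), a HistoryItem or Expectation whose action is "defined-coa" must carry a DefinedCOA (Sections 3.15.1 and 3.17), a Node must carry an Address or a DomainData (this section), and an enumerated attribute set to "ext-value" must be paired with its ext-* twin (the Section 5.1.1 convention, which this page only references). The checker below is an added example, not the draft's schema and not IODEF project code; it walks a constructed document that breaks each rule once and reports every violation with its element path. The namespace URI and identifiers in the sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed document that violates each rule exactly once.  The
# namespace URI and identifiers are assumptions for illustration.
SAMPLE = """<IODEF-Document version="2.00"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
 <Incident purpose="reporting">
  <IncidentID name="csirt.example.com">189493</IncidentID>
  <ReportTime>2015-03-23T10:00:00+00:00</ReportTime>
  <History>
   <HistoryItem action="defined-coa">
    <DateTime>2015-03-23T10:05:00+00:00</DateTime>
   </HistoryItem>
  </History>
  <EventData>
   <Flow>
    <System category="ext-value">
     <Node><Location>rack 7, slot 3</Location></Node>
    </System>
   </Flow>
  </EventData>
  <EventData/>
 </Incident>
</IODEF-Document>"""

# Classes an EventData may aggregate (Figure 28); at least one is required.
EVENTDATA_CHILDREN = {
    "Description", "DetectTime", "StartTime", "EndTime", "RecoveryTime",
    "ReportTime", "Contact", "Discovery", "Assessment", "Method", "Flow",
    "Expectation", "Record", "EventData", "AdditionalData",
}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _has_child(el, name):
    return any(_local(c.tag) == name for c in el)


def check_document(root):
    """Return (path, message) pairs, in document order, for constraints
    the XML Schema cannot express."""
    problems = []

    def visit(el, path):
        name = _local(el.tag)
        path = f"{path}/{name}"
        # Extension convention (Section 5.1.1): "ext-value" in an enumerated
        # attribute must be accompanied by the matching ext-<attribute>.
        for attr, value in el.attrib.items():
            if value == "ext-value" and f"ext-{attr}" not in el.attrib:
                problems.append((path, f'{attr}="ext-value" without ext-{attr}'))
        if name == "EventData":
            if not any(_local(c.tag) in EVENTDATA_CHILDREN for c in el):
                problems.append((path, "EventData aggregates no class"))
        elif name in ("HistoryItem", "Expectation"):
            if el.get("action") == "defined-coa" and not _has_child(el, "DefinedCOA"):
                problems.append((path, 'action="defined-coa" without DefinedCOA'))
        elif name == "Node":
            if not (_has_child(el, "Address") or _has_child(el, "DomainData")):
                problems.append((path, "Node has neither Address nor DomainData"))
        for child in el:
            visit(child, path)

    visit(root, "")
    return problems


def check_string(xml_text):
    return check_document(ET.fromstring(xml_text))


if __name__ == "__main__":
    for path, msg in check_string(SAMPLE):
        print(f"{path}: {msg}")
```

Run this after schema validation, not instead of it; the schema still catches wrong cardinalities and unknown elements, and this pass only adds the rules the schema leaves to prose.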
skipping to change at page 62, line 26

The Address class represents a hardware (layer-2), network (layer-3),
or application (layer-7) address.

This class was derived from [RFC4765].

+-------------------------+
| Address                 |
+-------------------------+
| ENUM category           |
| STRING ext-category     |
| STRING vlan-name        |
| INTEGER vlan-num        |
| ID observable-id        |
+-------------------------+

Figure 34: The Address Class

The Address class has five attributes:

category
   Optional. ENUM. The type of address represented. The permitted
   values for this attribute are shown below. The default value is
   "ipv4-addr". These values are maintained in the "Address-
   category" IANA registry per Table 1.

   1. asn. Autonomous System Number
   2. atm. Asynchronous Transfer Mode (ATM) address

skipping to change at page 63, line 22

   7. ipv6-addr. IPv6 host address
   8. ipv6-net. IPv6 network address, slash, significant bits
   9. ipv6-net-mask. IPv6 network address, slash, network mask
   10. mac. Media Access Control (MAC) address
   11. site-uri. A URL or URI for a resource.
   12. ext-value. An escape value used to extend this attribute.
       See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category
   attribute. See Section 5.1.1.

vlan-name
   Optional. STRING. The name of the Virtual LAN to which the
   address belongs.

vlan-num
   Optional. INTEGER. The number of the Virtual LAN to which the
   address belongs.

observable-id
   Optional. ID. See Section 3.3.2.
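The category attribute decides how the element content must be parsed: "ipv4-net" and "ipv6-net" carry a prefix length after the slash, while "ipv4-net-mask" and "ipv6-net-mask" carry a full network mask, and a missing category means "ipv4-addr". A consumer that feeds the raw content to an address library without looking at the category will mis-parse the mask forms (Python's ipaddress accepts dotted IPv4 masks but not colon-hex IPv6 masks, for instance). The following is an added example, not from the draft and not IODEF project code, that normalizes each Address of a Node by category, rejects non-contiguous masks, and matches an observed IP against the result. The sample Node, its namespace URI and the "AS"-prefixed ASN form are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed Node fragment exercising the address categories listed above.
# The first Address omits category and so defaults to "ipv4-addr".
SAMPLE = """<Node xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Address>192.0.2.10</Address>
  <Address category="ipv4-net">198.51.100.17/28</Address>
  <Address category="ipv4-net-mask">203.0.113.0/255.255.255.0</Address>
  <Address category="ipv6-addr">2001:db8::1</Address>
  <Address category="ipv6-net-mask">2001:db8::/ffff:ffff:ffff:ffff::</Address>
  <Address category="asn">AS64496</Address>
  <Address category="site-uri">https://phish.example/login</Address>
</Node>"""

_VERSION = {"ipv4-addr": 4, "ipv4-net": 4, "ipv4-net-mask": 4,
            "ipv6-addr": 6, "ipv6-net": 6, "ipv6-net-mask": 6}


def mask_prefix(mask, version):
    """Prefix length of a contiguous network mask, or None if the mask is
    not contiguous or not of the given IP version."""
    m = ipaddress.ip_address(mask)
    if m.version != version:
        return None
    bits = m.max_prefixlen
    prefix = bin(int(m)).count("1")
    contiguous = ((1 << bits) - 1) & ~((1 << (bits - prefix)) - 1)
    return prefix if int(m) == contiguous else None


def normalize(category, value):
    """Map an Address element's (category, content) to a comparable object."""
    value = value.strip()
    if category in ("ipv4-addr", "ipv6-addr"):
        obj = ipaddress.ip_address(value)
    elif category in ("ipv4-net", "ipv6-net"):
        if "/" not in value:
            raise ValueError(f"{category} requires address/prefix, got {value}")
        obj = ipaddress.ip_network(value, strict=False)
    elif category in ("ipv4-net-mask", "ipv6-net-mask"):
        addr, _, mask = value.partition("/")
        prefix = mask_prefix(mask, _VERSION[category])
        if prefix is None:
            raise ValueError(f"bad mask in {value}")
        obj = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    elif category == "asn":
        # Accept both "64496" and "AS64496" (assumption, not from the draft).
        if value.upper().startswith("AS"):
            value = value[2:]
        return int(value)
    else:
        return value  # mac, site-uri, e-mail, ...: kept as the literal string
    if obj.version != _VERSION[category]:
        raise ValueError(f"{value} is not IPv{_VERSION[category]} as {category} claims")
    return obj


def node_addresses(node):
    """(category, normalized value) for every Address child of a Node."""
    out = []
    for el in node:
        if el.tag.rsplit("}", 1)[-1] == "Address":
            cat = el.get("category", "ipv4-addr")  # draft default
            out.append((cat, normalize(cat, el.text or "")))
    return out


def node_addresses_from_string(xml_text):
    return node_addresses(ET.fromstring(xml_text))


def matches_from_string(xml_text, observed_ip):
    """Does any network-layer Address of the Node cover observed_ip?"""
    ip = ipaddress.ip_address(observed_ip)
    for _, obj in node_addresses_from_string(xml_text):
        if isinstance(obj, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ip.version == obj.version and ip in obj:
                return True
        elif isinstance(obj, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
            if obj == ip:
                return True
    return False


if __name__ == "__main__":
    for cat, obj in node_addresses_from_string(SAMPLE):
        print(f"{cat:14} -> {obj!r}")
```

strict=False normalizes "198.51.100.17/28" to the containing network 198.51.100.16/28 rather than raising; if you would rather treat host bits in a "-net" address as a sender error, pass strict=True and catch the ValueError.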
3.20.2. NodeRole Class

The NodeRole class describes the function performed by a particular
Node.

+---------------------+
| NodeRole            |
+---------------------+
| ENUM category       |
| STRING ext-category |
| ENUM xml:lang       |
+---------------------+

Figure 35: The NodeRole Class

The NodeRole class has three attributes:

category
   Required. ENUM. Functionality provided by a node. These values
   are maintained in the "NodeRole-category" IANA registry per
   Table 1.

   1. client. Client computer
   2. client-enterprise. Client computer on the enterprise network

skipping to change at page 66, line 23

   49. reflector. A system used in a reflector attack.
   50. phishing-site. Site hosting phishing content
   51. spear-phishing-site. Site hosting spear-phishing content
   52. recruiting-site. Site to recruit
   53. fraudulent-site. Fraudulent site.
   54. ext-value. An escape value used to extend this attribute.
       See Section 5.1.1.

ext-category
   Optional. STRING. A means by which to extend the category
   attribute. See Section 5.1.1.

xml:lang
   Optional. ENUM. A language identifier per Section 2.12 of
   [W3C.XML] whose values and form are described in [RFC5646]. The
   interpretation of this code is described in Section 6.
3.20.3. Counter Class

The Counter class summarizes multiple occurrences of some event, or
conveys counts or rates on various features (e.g., packets, sessions,
events).

The value of the counter is the element content with its units
represented in the type attribute. A rate for a given feature can be
expressed by setting the duration attribute. The complete semantics
are entirely context dependent based on the class in which the
Counter is aggregated.

+---------------------+
| Counter             |
+---------------------+
| REAL                |
|                     |
| ENUM type           |
| STRING ext-type     |
| STRING meaning      |
| ENUM duration       |
| STRING ext-duration |
+---------------------+

Figure 36: The Counter Class

The Counter class has five attributes:

type
   Required. ENUM. Specifies the units of the element content.
   These values are maintained in the "Counter-type" IANA registry
   per Table 1.

   1. byte. Count of bytes.
   2. packet. Count of packets.

skipping to change at page 67, line 47

   6. message. Count of messages (e.g., mail messages).
   7. event. Count of events.
   8. host. Count of hosts.
   9. site. Count of sites.
   10. organization. Count of organizations.
   11. ext-value. An escape value used to extend this attribute.
       See Section 5.1.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute.
   See Section 5.1.1.

meaning
   Optional. STRING. A free-form description of the metric
   represented by the Counter.

duration
   Optional. ENUM. If present, the Counter class represents a rate
   rather than a count over the entire event. In that case, this
   attribute specifies the denominator of the rate (where the type
   attribute specifies the numerator). The possible values of this
   attribute are defined in Section 3.14.3.

ext-duration
   Optional. STRING. A means by which to extend the duration
   attribute. See Section 5.1.1.
3.21. DomainData Class 3.21. DomainData Class
The DomainData class describes a domain name and meta-data associated The DomainData class describes a domain name and meta-data associated
with this domain. with this domain.
+--------------------------+ +--------------------------+
| DomainData | | DomainData |
+--------------------------+ +--------------------------+
| ENUM system-status |<>----------[ Name ] | ENUM system-status |<>----------[ Name ]
| ENUM domain-status |<>--{0..1}--[ DateDomainWasChecked ] | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| ID observable-id |<>--{0..1}--[ ExpirationDate ] | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| |<>--{0..*}--[ RelatedDNS ] | ID observable-id |<>--{0..*}--[ RelatedDNS ]
| |<>--{0..*}--[ Nameservers ] | |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ] | |<>--{0..1}--[ DomainContacts ]
| | | |
+--------------------------+ +--------------------------+
Figure 35: The DomainData Class Figure 37: The DomainData Class
The aggregate classes that constitute DomainData are: The aggregate classes that constitute DomainData are:
Name Name
One. ML_STRING. The domain name of the Node (e.g., fully One. STRING. The domain name of the Node (e.g., fully qualified
qualified domain name). domain name).
DateDomainWasChecked DateDomainWasChecked
Zero or one. DATETIME. A timestamp of when the Name was Zero or one. DATETIME. A timestamp of when the Name was
resolved. resolved.
RegistrationDate RegistrationDate
Zero or one. DATETIME. A timestamp of when domain listed in Name Zero or one. DATETIME. A timestamp of when domain listed in Name
was registered. was registered.
ExpirationDate ExpirationDate
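Review bot: The duration attribute text says the type attribute "specified the nominator" of the rate, which should be "numerator" (and present tense, "specifies", to match the rest of the sentence); in the same hunk the type value "site. Count of site." should be "Count of sites." for consistency with the other entries, and "A timestamp of when domain listed in Name was registered." is missing "the" before "domain".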
skipping to change at page 61, line 49 skipping to change at page 69, line 20
Zero or more. Additional DNS records associated with this domain. Zero or more. Additional DNS records associated with this domain.
Nameservers Nameservers
Zero or more. The name servers identified for the domain listed Zero or more. The name servers identified for the domain listed
in Name. in Name.
DomainContacts DomainContacts
Zero or one. Contact information for the domain listed in Name Zero or one. Contact information for the domain listed in Name
supplied by the registrar or through a whois query. supplied by the registrar or through a whois query.
The DomainData class has four attribute: The DomainData class has five attribute:
system-status system-status
Required. ENUM. Assesses the domain's involvement in the event. Required. ENUM. Assesses the domain's involvement in the event.
These values are maintained in the "DomainData-system-status" IANA These values are maintained in the "DomainData-system-status" IANA
registry per Table 1. registry per Table 1.
1. spoofed. This domain was spoofed. 1. spoofed. This domain was spoofed.
2. fraudulent. This domain was operated with fraudulent 2. fraudulent. This domain was operated with fraudulent
intentions. intentions.
3. innocent-hacked. This domain was compromised by a third 3. innocent-hacked. This domain was compromised by a third
party. party.
4. innocent-hijacked. This domain was deliberately hijacked. 4. innocent-hijacked. This domain was deliberately hijacked.
5. unknown. No categorization for this domain known. 5. unknown. No categorization for this domain known.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-system-status
Optional. STRING. A means by which to extend the system-status
attribute. See Section 5.1.1.
domain-status domain-status
Required. ENUM. Categorizes the registry status of the domain at Required. ENUM. Categorizes the registry status of the domain at
the time the document was generated. These values and their the time the document was generated. These values and their
associated descriptions are derived from Section 3.2.2 of associated descriptions are derived from Section 3.2.2 of
[RFC3982]. These values are maintained in the "DomainData-domain- [RFC3982]. These values are maintained in the "DomainData-domain-
status" IANA registry per Table 1. status" IANA registry per Table 1.
1. reservedDelegation. The domain is permanently inactive. 1. reservedDelegation. The domain is permanently inactive.
2. assignedAndActive. The domain is in a normal state. 2. assignedAndActive. The domain is in a normal state.
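Review bot: "The DomainData class has five attribute:" should read "five attributes"; the count matches the attributes listed in this revision (system-status, ext-system-status, domain-status, ext-domain-status, observable-id). The RelatedDNS entry ("Zero or more. Additional DNS records associated with this domain.") is the only aggregate in this list without a cross-reference to its class definition (Section 3.21.1), unlike the Address reference under Nameservers; add one for consistency.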
skipping to change at page 62, line 51 skipping to change at page 70, line 29
7. registryLock. The domain is on hold by the registry. 7. registryLock. The domain is on hold by the registry.
8. registrarLock. Same as "registryLock". 8. registrarLock. Same as "registryLock".
9. other. The domain has a known status but it is not one of 9. other. The domain has a known status but it is not one of
the redefined enumerated values. the redefined enumerated values.
10. unknown. The domain has an unknown status. 10. unknown. The domain has an unknown status.
11. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-domain-status
Optional. STRING. A means by which to extend the domain-status
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.21.1. RelatedDNS 3.21.1. RelatedDNS
The RelatedDNS class describes additional record types associated The RelatedDNS class describes additional record types associated
with a given domain name. The record type is described in the with a given domain name. The record type is described in the
record-type attribute and the value of the record is the element record-type attribute and the value of the record is the element
content. ... TODO Issue #39 ... content. ... TODO Issue #39 ...
+----------------------+ +----------------------+
| RelatedDNS | | RelatedDNS |
+----------------------+ +----------------------+
| STRING | | STRING |
| | | |
| ENUM record-type | | ENUM record-type |
+----------------------+ +----------------------+
Figure 36: The RelatedDNS Class Figure 38: The RelatedDNS Class
The RelatedDNS class has one attribute: The RelatedDNS class has one attribute:
record-type record-type
Required. ENUM. The DNS record type. ... TODO values need to be Required. ENUM. The DNS record type. ... TODO values need to be
listed ... listed ...
3.21.2. Nameservers Class 3.21.2. Nameservers Class
The Nameservers class describes the name servers associated with a The Nameservers class describes the name servers associated with a
given domain. given domain.
+--------------------+ +--------------------+
| Nameservers | | Nameservers |
+--------------------+ +--------------------+
| |<>----------[ Server ] | |<>----------[ Server ]
| |<>--{1..*}--[ Address ] | |<>--{1..*}--[ Address ]
+--------------------+ +--------------------+
Figure 37: The Nameservers Class Figure 39: The Nameservers Class
The aggregate classes that constitute Nameservers are: The aggregate classes that constitute Nameservers are:
Server Server
One. ML_STRING. The domain name of the name server. One. STRING. The domain name of the name server.
Address Address
One or more. The address of the name server. See Section 3.20.1. One or more. The address of the name server. See Section 3.20.1.
3.21.3. DomainContacts Class 3.21.3. DomainContacts Class
The DomainContacts class describes the contact information for a The DomainContacts class describes the contact information for a
given domain provided either by the registrar or through a whois given domain provided either by the registrar or through a whois
query. query.
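Review bot: Two editorial TODOs remain in the normative text of this revision ("... TODO Issue #39 ..." in the RelatedDNS description and "... TODO values need to be listed ..." under record-type), so the RelatedDNS record-type ENUM has no defined value set; note also that record-type is the one ENUM in this hunk that did not receive the ext-value escape and ext-* companion attribute that every other enumerated attribute gained in -11, which should be resolved when the value list is filled in. Minor: "not one of the redefined enumerated values" under domain-status should read "predefined".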
skipping to change at page 64, line 23 skipping to change at page 72, line 12
identical contact information. Either a single SameDomainContact identical contact information. Either a single SameDomainContact
MUST be present or one or many Contact classes. MUST be present or one or many Contact classes.
+--------------------+ +--------------------+
| DomainContacts | | DomainContacts |
+--------------------+ +--------------------+
| |<>--{0..1}--[ SameDomainContact ] | |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ] | |<>--{1..*}--[ Contact ]
+--------------------+ +--------------------+
Figure 38: The DomainContacts Class Figure 40: The DomainContacts Class
The aggregate classes that constitute DomainContacts are: The aggregate classes that constitute DomainContacts are:
SameDomainContact SameDomainContact
Zero or one. ML_STRING. A domain name already cited in this Zero or one. STRING. A domain name already cited in this
document or through previous exchange that contains the identical document or through previous exchange that contains the identical
contact information as the domain name in question. The domain contact information as the domain name in question. The domain
contact information associated with this domain should be used in contact information associated with this domain should be used in
lieu of explicit definition with the Contact class. lieu of explicit definition with the Contact class.
Contact Contact
One or more. Contact information for the domain. See One or more. Contact information for the domain. See
Section 3.10. Section 3.10.
3.22. Service Class 3.22. Service Class
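Review bot: The cardinality in the DomainContacts figure contradicts the prose in both columns: the text says "Either a single SameDomainContact MUST be present or one or many Contact classes", but the figure and the Contact entry make Contact mandatory ({1..*} / "One or more"), so a document that uses only SameDomainContact cannot satisfy the figure; either Contact should be {0..*} with the either/or constraint stated as a rule, or the prose should require both. Separately, SameDomainContact changed from ML_STRING to STRING in -11 without a note; a domain name is not free text, so the change looks right, but the rationale belongs in the change log.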
skipping to change at page 65, line 18 skipping to change at page 73, line 18
| INTEGER ip-protocol |<>--{0..1}--[ Port ] | INTEGER ip-protocol |<>--{0..1}--[ Port ]
| ID observable-id |<>--{0..1}--[ Portlist ] | ID observable-id |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..*}--[ ApplicationHeader ] | |<>--{0..*}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 39: The Service Class Figure 41: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
skipping to change at page 66, line 43 skipping to change at page 74, line 43
corresponding value. corresponding value.
+--------------------------+ +--------------------------+
| ApplicationHeader | | ApplicationHeader |
+--------------------------+ +--------------------------+
| ANY | | ANY |
| | | |
| INTEGER proto | | INTEGER proto |
| STRING field | | STRING field |
| ENUM dtype | | ENUM dtype |
| STRING ext-dtype |
| ID observable-id | | ID observable-id |
+--------------------------+ +--------------------------+
Figure 40: The ApplicationHeader Class Figure 42: The ApplicationHeader Class
The ApplicationHeader class has four attributes: The ApplicationHeader class has four attributes:
proto proto
Required. INTEGER. The IANA assigned port number per Required. INTEGER. The IANA assigned port number per
[IANA.Ports] corresponding to the application layer protocol whose [IANA.Ports] corresponding to the application layer protocol whose
field will be represented. field will be represented.
field field
Required. STRING. The name of the protocol field whose value Required. STRING. The name of the protocol field whose value
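Review bot: The attribute count for ApplicationHeader was not updated with the figure: the new column still says "The ApplicationHeader class has four attributes:" while the figure in the same column now shows five (proto, field, dtype, ext-dtype, observable-id). Also, proto is described as "The IANA assigned port number per [IANA.Ports] corresponding to the application layer protocol", which identifies a protocol only indirectly; if the intent is the protocol itself, consider saying that the port number is used as a proxy for the protocol identifier.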
skipping to change at page 67, line 43 skipping to change at page 75, line 43
9. string. The element content is of type STRING. 9. string. The element content is of type STRING.
10. file. The element content is a base64 encoded binary file 10. file. The element content is a base64 encoded binary file
encoded as a BYTE[] type. encoded as a BYTE[] type.
11. path. The element content is a file-system path encoded as a 11. path. The element content is a file-system path encoded as a
STRING type. STRING type.
12. xml. The element content is XML. See Section 5. 12. xml. The element content is XML. See Section 5.
13. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.22.2. Application Class 3.22.2. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
| STRING configid | | STRING configid |
| STRING vendor | | STRING vendor |
| STRING family | | STRING family |
| STRING name | | STRING name |
| STRING version | | STRING version |
| STRING patch | | STRING patch |
+--------------------+ +--------------------+
Figure 41: The Application Class Figure 43: The Application Class
The aggregate class that constitute Application is: The aggregate class that constitute Application is:
URL URL
Zero or one. URL. A URL describing the application. Zero or one. URL. A URL describing the application.
The Application class has seven attributes: The Application class has seven attributes:
swid swid
Optional. STRING. An identifier that can be used to reference Optional. STRING. An identifier that can be used to reference
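Review bot: "The aggregate class that constitute Application is:" should read "constitutes". The dtype value "file. The element content is a base64 encoded binary file encoded as a BYTE[] type." says "encoded" twice; "a binary file, base64 encoded as a BYTE[] type" reads more cleanly.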
skipping to change at page 69, line 28 skipping to change at page 77, line 29
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| ID observable-id |<>--{0..1}--[ EmailFrom ] | ID observable-id |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..*}--[ HashData ] | |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ] | |<>--{0..*}--[ SignatureData ]
+-------------------------+ +-------------------------+
Figure 42: EmailData Class Figure 44: EmailData Class
The aggregate class that constitutes EmailData are: The aggregate class that constitutes EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322]. See Section 3.6.2 of [RFC5322].
EmailSubject EmailSubject
Zero or one. The value of the "Subject:" header field in an Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322]. email. See Section 3.6.4 of [RFC5322].
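Review bot: "The aggregate class that constitutes EmailData are:" mixes singular and plural; since six aggregate classes follow, it should read "The aggregate classes that constitute EmailData are:".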
skipping to change at page 70, line 20 skipping to change at page 78, line 21
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.25. Record Class 3.25. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
provides supportive information about the incident. The source of provides supportive information about the incident. The source of
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------+ +------------------------+
| Record | | Record |
+------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
+------------------+ | STRING ext-restriction |
+------------------------+
Figure 43: Record Class Figure 45: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has one attribute: The Record class has two attributes:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.25.1. RecordData Class 3.25.1. RecordData Class
The RecordData class groups log or audit data from a given sensor The RecordData class groups log or audit data from a given sensor
(e.g., IDS, firewall log) and provides a way to annotate the output. (e.g., IDS, firewall log) and provides a way to annotate the output.
+-------------------+ +------------------------+
| RecordData | | RecordData |
+-------------------+ +------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ] | ENUM restriction |<>--{0..1}--[ DateTime ]
| ID observable-id |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ Application ] | ID observable-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..*}--[ FileData ] | |<>--{0..*}--[ FileData ]
| |<>--{0..*}--[ CertificateData ] | |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ] | |<>--{0..*}--
| |<>--{0..*}--[ AdditionalData ]+-------------------+ | | [ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 44: The RecordData Class Figure 46: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
skipping to change at page 71, line 52 skipping to change at page 80, line 5
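Review bot: "The aggregate classes that constitutes RecordData is:" should read "The aggregate classes that constitute RecordData are:" (several aggregates follow). In the RecordData figure, the new column wraps the WindowsRegistryKeysModified line so that "|<>--{0..*}--" and "[ WindowsRegistryKeysModified ]" sit on separate rows; widening the box or the same row keeps the figure machine-readable like the others. The Record class change of the restriction reference from Section 3.2 to Section 3.3.1 is correct and consistent with the other restriction attributes in this revision.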
Zero or one. The file name and hash of a file indicator. Zero or one. The file name and hash of a file indicator.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or more. The registry keys that were modified that are Zero or more. The registry keys that were modified that are
indicator(s). indicator(s).
AdditionalData AdditionalData
Zero or more. An extension mechanism for data not explicitly Zero or more. An extension mechanism for data not explicitly
represented in the data model. represented in the data model.
The RecordData class has two attribute: The RecordData class has three attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.25.2. RecordPattern Class 3.25.2. RecordPattern Class
The RecordPattern class describes where in the content of the The RecordPattern class describes where in the content of the
RecordItem relevant information can be found. It provides a way to RecordItem relevant information can be found. It provides a way to
reference subsets of information, identified by a pattern, in a large reference subsets of information, identified by a pattern, in a large
log file, audit trail, or forensic data. log file, audit trail, or forensic data.
+-----------------------+ +-----------------------+
| RecordPattern | | RecordPattern |
+-----------------------+ +-----------------------+
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 45: The RecordPattern Class Figure 47: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by four attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". These values are the element content. The default is "regex". These values are
maintained in the "RecordPattern-type" IANA registry per Table 1. maintained in the "RecordPattern-type" IANA registry per Table 1.
1. regex. regular expression as defined by POSIX Extended 1. regex. regular expression as defined by POSIX Extended
Regular Expressions (ERE) in Chaper 9 of [IEEE.POSIX]. Regular Expressions (ERE) in Chaper 9 of [IEEE.POSIX].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex encoded binary pattern, per the HEXBIN data
type. type.
3. xpath. XML Path (XPath) [W3C.XPATH] 3. xpath. XML Path (XPath) [W3C.XPATH]
4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
offset offset
Optional. INTEGER. Amount of units (determined by the offsetunit Optional. INTEGER. Amount of units (determined by the offsetunit
attribute) to seek into the RecordItem data before matching the attribute) to seek into the RecordItem data before matching the
pattern. pattern.
offsetunit offsetunit
Optional. ENUM. Describes the units of the offset attribute. Optional. ENUM. Describes the units of the offset attribute.
The default is "line". These values are maintained in the The default is "line". These values are maintained in the
"RecordPattern-offsetunit" IANA registry per Table 1. "RecordPattern-offsetunit" IANA registry per Table 1.
1. line. Offset is a count of lines. 1. line. Offset is a count of lines.
2. byte. Offset is a count of bytes. 2. byte. Offset is a count of bytes.
3. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-offsetunit
Optional. STRING. A means by which to extend the offsetunit
attribute. See Section 5.1.1.
instance instance
Optional. INTEGER. Number of types to apply the specified Optional. INTEGER. Number of types to apply the specified
pattern. pattern.
3.25.3. RecordItem Class 3.25.3. RecordItem Class
The RecordItem class provides a way to incorporate relevant logs, The RecordItem class provides a way to incorporate relevant logs,
audit trails, or forensic data to support the conclusions made during audit trails, or forensic data to support the conclusions made during
the course of analyzing the incident. The class supports both the the course of analyzing the incident. The class supports both the
direct encapsulation of the data, as well as, provides primitives to direct encapsulation of the data, as well as, provides primitives to
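Review bot: Under the RecordPattern instance attribute, "Number of types to apply the specified pattern." should be "Number of times", and even then the semantics are ambiguous: it is not stated whether instance selects the n-th match of the pattern or a count of repeated applications, which matters for any consumer that extracts the referenced subset of a RecordItem; one sentence settling this would help. Minor: "Chaper 9 of [IEEE.POSIX]" should read "Chapter 9". The six-attribute count in the new column matches the figure (type, ext-type, offset, offsetunit, ext-offsetunit, instance).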
skipping to change at page 73, line 38 skipping to change at page 82, line 17
The WindowsRegistryKeysModified class describes Windows operating The WindowsRegistryKeysModified class describes Windows operating
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| ID observable-id |<>--{1..*}--[ Key ] | ID observable-id |<>--{1..*}--[ Key ]
+-----------------------------+ +-----------------------------+
Figure 46: The WindowsRegistryKeysModified Class Figure 48: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the WindowsRegistryKeysModified The aggregate class that constitutes the WindowsRegistryKeysModified
class is: class is:
Key Key
One or many. The Window registry key. One or many. The Window registry key.
The WindowsRegistryKeysModified class has one attribute: The WindowsRegistryKeysModified class has one attribute:
observable-id observable-id
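Review bot: The Key entry reads "One or many. The Window registry key."; the cardinality phrase used everywhere else in the document is "One or more" (matching {1..*} in the figure), and "Window" should be "Windows".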
skipping to change at page 74, line 14 skipping to change at page 82, line 39
3.26.1. Key Class 3.26.1. Key Class
The Key class describes a particular Windows operating system The Key class describes a particular Windows operating system
registry key name and value pair, and the operation performed on it. registry key name and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| ID observable-id |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id |
+---------------------------+ +---------------------------+
Figure 47: The Key Class Figure 49: The Key Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
The Key class has two attributes: The Key class has three attributes:
registryaction registryaction
Optional. ENUM. The type of action taken on the registry key. Optional. ENUM. The type of action taken on the registry key.
These values are maintained in the "Key-registryaction" IANA These values are maintained in the "Key-registryaction" IANA
registry per Table 1. registry per Table 1.
1. add-key. Registry key added. 1. add-key. Registry key added.
2. add-value. Value added to registry key. 2. add-value. Value added to registry key.
3. delete-key. Registry key deleted. 3. delete-key. Registry key deleted.
4. delete-value. Value deleted from registry key. 4. delete-value. Value deleted from registry key.
5. modify-key. Registry key modified. 5. modify-key. Registry key modified.
6. modify-value. Value modified for registry key. 6. modify-value. Value modified for registry key.
7. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-registryaction
Optional. STRING. A means by which to extend the registryaction
attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.27. CertificateData Class 3.27. CertificateData Class
The CertificateData class describes X.509 certificates. The CertificateData class describes X.509 certificates.
+----------------------+ +------------------------+
| CertificateData | | CertificateData |
+----------------------+ +------------------------+
| ID observable-id |<>--{1..*}--[ Certificate ] | ID observable-id |<>--{1..*}--[ Certificate ]
| ENUM restriction | | ENUM restriction |
+----------------------+ | STRING ext-restriction |
+------------------------+
Figure 48: The CertificateData Class Figure 50: The CertificateData Class
The aggregate classes that constitutes CertificateData are: The aggregate classes that constitutes CertificateData are:
Certificate Certificate
One or more. A certificate. One or more. A certificate.
The CertificateData class has two attribute: The CertificateData class has three attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.27.1. Certificate Class 3.27.1. Certificate Class
The Certificate class describes a given X.509 certificate or The Certificate class describes a given X.509 certificate or
certificate chain. certificate chain.
+--------------------------+ +--------------------------+
| Certificate | | Certificate |
+--------------------------+ +--------------------------+
| ENUM valid |<>----------[ ds: X509Data ] | ENUM valid |<>----------[ ds: X509Data ]
| ID observable-id | | ID observable-id |
+--------------------------+ +--------------------------+
Figure 49: The Certificate Class Figure 51: The Certificate Class
The aggregate classes that constitutes Certificate are: The aggregate classes that constitutes Certificate are:
ds:X509Data ds:X509Data
One. A given X.509 certificate or chain. See Section 4.4.4 of One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG]. [W3C.XMLSIG].
The Certificate class has one attribute: The Certificate class has one attribute:
valid valid
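Review bot: The Certificate class attribute count is wrong in both columns: "The Certificate class has one attribute:" while the figure lists both valid and observable-id, so it should say "two attributes". Grammar in the same hunk: "The aggregate classes that constitutes Key are:", "...that constitutes CertificateData are:" and "...that constitutes Certificate are:" should all use "constitute" (and "class ... is" where only one aggregate follows, as for ds:X509Data). Also add a space in "(e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])".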
skipping to change at page 76, line 23 skipping to change at page 85, line 11
2. no. The certificate is not valid. 2. no. The certificate is not valid.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.28. FileData Class 3.28. FileData Class
The FileData class describes files of interest identified during the The FileData class describes files of interest identified during the
analysis of an incident. analysis of an incident.
+----------------------+ +------------------------+
| FileData | | FileData |
+----------------------+ +------------------------+
| ID observable-id |<>--{1..*}--[ File ] | ID observable-id |<>--{1..*}--[ File ]
| ENUM restriction | | ENUM restriction |
+----------------------+ | STRING ext-restriction |
+------------------------+
Figure 50: The FileData Class Figure 52: The FileData Class
The aggregate class that constitutes FileData is: The aggregate class that constitutes FileData is:
File File
One or more. A description of a file. One or more. A description of a file.
The FileData class has two attribute: The FileData class has three attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.28.1. File Class 3.28.1. File Class
The File class describes a file and its associated meta data. The File class describes a file and its associated meta data.
+--------------------------+ +--------------------------+
| File | | File |
+--------------------------+ +--------------------------+
| ID observable-id |<>--{0..1}--[ FileName ] | ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ] | |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ] | |<>--{0..1}--[ SignatureData ]
| |<>--{0..*}--[ FileProperties ] | |<>--{0..*}--[ FileProperties ]
+--------------------------+ +--------------------------+
Figure 51: The File Class Figure 53: The File Class
The aggregate classes that constitute File are: The aggregate classes that constitute File are:
FileName FileName
Zero or One. ML_STRING. The name of the file. Zero or One. STRING. The name of the file.
FileSize FileSize
Zero or One. INTEGER. The size of the file in bytes. Zero or One. INTEGER. The size of the file in bytes.
FileType
Zero or One. STRING. The type of file per the IANA Media Types
Registry [IANA.Media]. Valid values correspond to the text in the
"Template" column (e.g., "application/pdf").
URL URL
Zero or more. A reference to the file. Zero or more. A reference to the file.
HashData HashData
Zero or One. Hash(es) associated with this file. Zero or One. Hash(es) associated with this file.
SignatureData SignatureData
Zero or One. Signature(s) associated with this file. Zero or One. Signature(s) associated with this file.
FileProperties FileProperties
skipping to change at page 78, line 13 skipping to change at page 87, line 18
object (e.g., file, part of a file, email). object (e.g., file, part of a file, email).
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM scope |<>--{0..1}--[ HashTarget ] | ENUM scope |<>--{0..1}--[ HashTarget ]
| |<>--{0..*}--[ Hash ] | |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ] | |<>--{0..*}--[ FuzzyHash ]
+--------------------------+ +--------------------------+
Figure 52: The HashData Class Figure 54: The HashData Class
The aggregate classes that constitute HashData are: The aggregate classes that constitute HashData are:
HashTarget HashTarget
Zero or One. An identifier that references a subset of the Zero or One. An identifier that references a subset of the
object per the @scope attribute. object per the @scope attribute.
Hash Hash
Zero or more. The hash generated on the object. Zero or more. The hash generated on the object.
skipping to change at page 79, line 24 skipping to change at page 88, line 29
6. email-hash. A hash computed over the headers and body of an 6. email-hash. A hash computed over the headers and body of an
email message. email message.
7. email-headers-hash. A hash computed over all of the headers 7. email-headers-hash. A hash computed over all of the headers
of an email message. of an email message.
8. email-body-hash. A hash computed over the body of an email 8. email-body-hash. A hash computed over the body of an email
message. message.
9. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-scope
Optional. STRING. A means by which to extend the scope
attribute. See Section 5.1.1.
3.29.1. Hash Class 3.29.1. Hash Class
The Hash class describes a specific hash value, algorithm, and an The Hash class describes a specific hash value, algorithm, and an
application used to generate it. application used to generate it.
+-----------------------+ +----------------+
| Hash | | Hash |
+-----------------------+ +----------------+
| |<>----------[ ds:DigestMethod ] | |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ] | |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ ds:CanonicalizationMethod ]
+-----------------------+ | |<>--{0..1}--[ Application ]
+----------------+
Figure 53: The Hash Class Figure 55: The Hash Class
The aggregate classes that constitute Hash are: The aggregate classes that constitute Hash are:
ds:DigestMethod ds:DigestMethod
One. The hash algorithm used to generate the hash. See One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG] Section 4.3.3.5 of [W3C.XMLSIG]
ds:DigestValue ds:DigestValue
One. The computed hash value. See Section 4.3.3.6 of One. The computed hash value. See Section 4.3.3.6 of
[W3C.XMLSIG]. [W3C.XMLSIG].
ds:CanonicalizationMethod
Zero or one. The canonicalization method used for the hash. See
Section 4.3.1 of [W3C.XMLSIG].
Application Application
Zero or One. The application used to calculate the hash. Zero or One. The application used to calculate the hash.
The Hash class has no attributes. The Hash class has no attributes.
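As an added example (not part of the draft), the following Python verifies a collected file against the Hash entries of a HashData block: it maps ds:DigestMethod/@Algorithm URIs from XML Signature and XML Encryption to hashlib, base64-decodes ds:DigestValue as Section 4.3.3.6 of [W3C.XMLSIG] requires, and reports unsupported algorithms instead of skipping them. The IODEF namespace urn:ietf:params:xml:ns:iodef-2.0, the sample file bytes and the HashData document are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed IODEF v2 namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"    # XML Signature namespace

# ds:DigestMethod/@Algorithm URIs (XML Signature / XML Encryption) mapped to
# hashlib constructors. Any URI not listed here is reported as unsupported.
DIGEST_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": hashlib.sha1,
    "http://www.w3.org/2001/04/xmlenc#sha256": hashlib.sha256,
    "http://www.w3.org/2001/04/xmlenc#sha512": hashlib.sha512,
}

# Constructed sample file content, standing in for a file collected during analysis.
SAMPLE_FILE = b"MZ\x90\x00 constructed sample file body\n"


def b64_digest(ctor, data):
    """Encode a digest the way ds:DigestValue carries it: base64 text."""
    return base64.b64encode(ctor(data).digest()).decode("ascii")


# Constructed HashData: two Hash entries that can be verified for SAMPLE_FILE
# and one whose algorithm URI is unknown to this verifier.
SAMPLE_HASHDATA = f"""
<HashData xmlns="{IODEF_NS}" xmlns:ds="{DS_NS}">
  <Hash>
    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
    <ds:DigestValue>{b64_digest(hashlib.sha256, SAMPLE_FILE)}</ds:DigestValue>
  </Hash>
  <Hash>
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <ds:DigestValue>{b64_digest(hashlib.sha1, SAMPLE_FILE)}</ds:DigestValue>
  </Hash>
  <Hash>
    <ds:DigestMethod Algorithm="urn:example:unknown-digest"/>
    <ds:DigestValue>AAAA</ds:DigestValue>
  </Hash>
</HashData>
"""


def verify_file_hashes(hashdata_xml, file_bytes):
    """Compare file_bytes with every Hash in a HashData element.

    Returns a list of (algorithm_uri, result) in document order, where
    result is "match", "mismatch", "unsupported" or "malformed".
    Unsupported algorithms are reported rather than dropped: a consumer
    that silently skipped them could record an unverified file as clean.
    ds:CanonicalizationMethod matters for XML content only; the digest
    here is taken over the raw file bytes, so it is not consulted.
    """
    root = ET.fromstring(hashdata_xml)
    results = []
    for hash_el in root.findall(f"{{{IODEF_NS}}}Hash"):
        method = hash_el.find(f"{{{DS_NS}}}DigestMethod")
        value = hash_el.find(f"{{{DS_NS}}}DigestValue")
        if method is None or value is None or not method.get("Algorithm"):
            results.append((None, "malformed"))
            continue
        algo_uri = method.get("Algorithm")
        ctor = DIGEST_ALGORITHMS.get(algo_uri)
        if ctor is None:
            results.append((algo_uri, "unsupported"))
            continue
        # ds:DigestValue is base64; XML whitespace may surround or break up
        # the encoded text, so strip it before decoding.
        try:
            expected = base64.b64decode("".join((value.text or "").split()), validate=True)
        except ValueError:
            results.append((algo_uri, "malformed"))
            continue
        actual = ctor(file_bytes).digest()
        # compare_digest returns False on length mismatch, so a truncated
        # DigestValue is a mismatch rather than an exception.
        ok = hmac.compare_digest(expected, actual)
        results.append((algo_uri, "match" if ok else "mismatch"))
    return results
```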
3.29.2. FuzzyHash Class 3.29.2. FuzzyHash Class
The FuzzyHash class describes a fuzzy hash (in an extensible way) and The FuzzyHash class describes a fuzzy hash (in an extensible way) and
the application used to generate it. the application used to generate it.
+--------------------------+ +--------------------------+
| FuzzyHash | | FuzzyHash |
+--------------------------+ +--------------------------+
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+--------------------------+ +--------------------------+
Figure 54: The FuzzyHash Class Figure 56: The FuzzyHash Class
The aggregate classes that constitute FuzzyHash are: The aggregate classes that constitute FuzzyHash are:
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
Application Application
Zero or One. The application used to calculate the hash. Zero or One. The application used to calculate the hash.
skipping to change at page 80, line 43 skipping to change at page 90, line 16
The SignatureData class describes different signatures on a given The SignatureData class describes different signatures on a given
object. object.
+--------------------------+ +--------------------------+
| SignatureData | | SignatureData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ ds:Signature ] | |<>--{1..*}--[ ds:Signature ]
+--------------------------+ +--------------------------+
Figure 55: The SignatureData Class Figure 57: The SignatureData Class
The aggregate classes that constitute SignatureData are: The aggregate classes that constitute SignatureData are:
Signature Signature
One or more. A given signature. See Section 4.2 of [W3C.XMLSIG]. One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
The SignatureData class has no attributes. The SignatureData class has no attributes.
3.31. IndicatorData Class 3.31. IndicatorData Class
The IndicatorData class describes the indicators identified from The IndicatorData class describes the indicators identified from
analysis of an incident. analysis of an incident.
+--------------------------+ +--------------------------+
| IndicatorData | | IndicatorData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ Indicator ] | |<>--{1..*}--[ Indicator ]
+--------------------------+ +--------------------------+
Figure 56: The IndicatorData Class Figure 58: The IndicatorData Class
The aggregate class that constitutes IndicatorData is: The aggregate class that constitutes IndicatorData is:
Indicator Indicator
One or more. An indicator from the incident. One or more. An indicator from the incident.
The IndicatorData class has no attributes. The IndicatorData class has no attributes.
3.32. Indicator Class 3.32. Indicator Class
The Indicator class describes a cyber indicator. An indicator The Indicator class describes a cyber indicator. An indicator
consists of observable features and phenomena that aid in the consists of observable features and phenomena that aid in the
forensic or proactive detection of malicious activity, and associated forensic or proactive detection of malicious activity, and associated
meta-data. This indicator can be described outright or reference meta-data. This indicator can be described outright or reference
observable features and phenomena described elsewhere in the observable features and phenomena described elsewhere in the
incident information. Portions of an incident description can be incident information. Portions of an incident description can be
composed to define an indicator, as can the indicators themselves. composed to define an indicator, as can the indicators themselves.
+--------------------+ +------------------------+
| Indicator | | Indicator |
+--------------------+ +------------------------+
| ENUM restriction |<>----------[ IndicatorID ] | ENUM restriction |<>----------[ IndicatorID ]
| |<>--{0..1}--[ AlternativeIndicatorID ] | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ] | |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ] | |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ] | |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ] | |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------+ +------------------------+
Figure 57: The Indicator Class Figure 59: The Indicator Class
The aggregate classes that constitute Indicator are: The aggregate classes that constitute Indicator are:
IndicatorID IndicatorID
One. An identifier for this indicator. See Section 3.32.1 One. An identifier for this indicator. See Section 3.32.1
AlternativeIndicatorID AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See Zero or one. An alternative identifier for this indicator. See
Section 3.32.2 Section 3.32.2
skipping to change at page 83, line 17 skipping to change at page 92, line 37
class. class.
The StartTime and EndTime classes can be used to define an interval The StartTime and EndTime classes can be used to define an interval
during which the indicator is valid. If both classes are present, during which the indicator is valid. If both classes are present,
the indicator is considered valid only during the described interval. the indicator is considered valid only during the described interval.
If neither class is provided, the indicator is considered valid If neither class is provided, the indicator is considered valid
during any time interval. If only a StartTime is provided, the during any time interval. If only a StartTime is provided, the
indicator is valid anytime after this timestamp. If only an EndTime indicator is valid anytime after this timestamp. If only an EndTime
is provided, the indicator is valid anytime prior to this timestamp. is provided, the indicator is valid anytime prior to this timestamp.
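The four validity cases above (neither bound, both, StartTime only, EndTime only), as an added example that is not part of the draft: a Python check that decides whether an Indicator applies at a given instant. The namespace urn:ietf:params:xml:ns:iodef-2.0, the ISO 8601 form of the DATETIME content, and the constructed Indicator (placeholder IndicatorID) are assumptions of this example.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed IODEF v2 namespace

# Instant at which the constructed indicators are evaluated.
CHECK_TIME = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)


def parse_iodef_datetime(text):
    """Parse DATETIME content. A timestamp without a timezone is rejected,
    because comparing it with the recipient's clock would be ambiguous."""
    dt = datetime.fromisoformat(text.strip().replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {text!r} has no timezone")
    return dt


def child_text(el, name):
    """Text of the first IODEF child element `name`, or None if absent/empty."""
    child = el.find(f"{{{IODEF_NS}}}{name}")
    if child is None or not (child.text or "").strip():
        return None
    return child.text


def indicator_valid_at(indicator_xml, at):
    """True if the Indicator is valid at the tz-aware datetime `at`.

    Neither bound: always valid. StartTime only: valid at or after it.
    EndTime only: valid at or before it. Both: valid inside the interval.
    """
    root = ET.fromstring(indicator_xml)
    start_txt = child_text(root, "StartTime")
    end_txt = child_text(root, "EndTime")
    start = parse_iodef_datetime(start_txt) if start_txt else None
    end = parse_iodef_datetime(end_txt) if end_txt else None
    if start is not None and end is not None and end < start:
        # The draft does not define an inverted interval; this example
        # refuses it rather than treating it as "never valid" or "always valid".
        raise ValueError("EndTime precedes StartTime")
    if start is not None and at < start:
        return False
    if end is not None and at > end:
        return False
    return True


def make_indicator(start=None, end=None):
    """Constructed Indicator with optional StartTime/EndTime children."""
    parts = [
        f'<Indicator xmlns="{IODEF_NS}">',
        '<IndicatorID name="csirt.example.com" version="1">indicator-1</IndicatorID>',
    ]
    if start:
        parts.append(f"<StartTime>{start}</StartTime>")
    if end:
        parts.append(f"<EndTime>{end}</EndTime>")
    parts.append("</Indicator>")
    return "".join(parts)
```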
The Indicator class has one attribute: The Indicator class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.32.1. IndicatorID Class 3.32.1. IndicatorID Class
The IndicatorID class identifies an indicator with a globally unique The IndicatorID class identifies an indicator with a globally unique
identifier. The combination of the name and version attributes, and identifier. The combination of the name and version attributes, and
the element content form this identifier. Indicators generated by the element content form this identifier. Indicators generated by
a given CSIRT MUST NOT reuse the same value unless they are referencing a given CSIRT MUST NOT reuse the same value unless they are referencing
the same indicator. the same indicator.
+------------------+ +------------------+
| IndicatorID | | IndicatorID |
+------------------+ +------------------+
| ID | | ID |
| | | |
| STRING name | | STRING name |
| STRING version | | STRING version |
+------------------+ +------------------+
Figure 58: The IndicatorID Class Figure 60: The IndicatorID Class
The IndicatorID class has two attributes: The IndicatorID class has two attributes:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the indicator. In order to have a globally unique CSIRT created the indicator. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. This format is identical to the IncidentID@name MUST be used. This format is identical to the IncidentID@name
attribute in Section 3.4. attribute in Section 3.4.
skipping to change at page 84, line 14 skipping to change at page 93, line 39
3.32.2. AlternativeIndicatorID Class 3.32.2. AlternativeIndicatorID Class
The AlternativeIndicatorID class lists alternative identifiers for an The AlternativeIndicatorID class lists alternative identifiers for an
indicator. indicator.
+-------------------------+ +-------------------------+
| AlternativeIndicatorID | | AlternativeIndicatorID |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ] | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| | | STRING ext-restriction |
+-------------------------+ +-------------------------+
Figure 59: The AlternativeIndicatorID Class Figure 61: The AlternativeIndicatorID Class
The aggregate class that constitutes AlternativeIndicatorID is: The aggregate class that constitutes AlternativeIndicatorID is:
IndicatorReference IndicatorReference
One or more. A reference to an indicator. One or more. A reference to an indicator.
The AlternativeIndicatorID class has one attribute: The AlternativeIndicatorID class has two attributes:
restriction restriction
Optional. ENUM. This attribute has been defined in Section 3.2. Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.32.3. Observable Class 3.32.3. Observable Class
The Observable class describes a feature and phenomenon that can be The Observable class describes a feature and phenomenon that can be
observed or measured for the purposes of detecting malicious observed or measured for the purposes of detecting malicious
behavior. behavior.
+-------------------+ +-------------------+
| Observable | | Observable |
+-------------------+ +-------------------+
skipping to change at page 85, line 20 skipping to change at page 94, line 31
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ ApplicationHeader ] | |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ] | |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ] | |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ] | |<>--{0..1}--[ CertificateData ]
| |<>--{0..1}--[ RecordData ] | |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..*}--[ enum:Reference ] | |<>--{0..*}--[ Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 60: The Observable Class Figure 62: The Observable Class
The aggregate classes that constitute Observable are: The aggregate classes that constitute Observable are:
Address Address
Zero or One. An Address observable. See Section 3.20.1. Zero or One. An Address observable. See Section 3.20.1.
DomainData DomainData
Zero or One. A DomainData observable. See Section 3.21. Zero or One. A DomainData observable. See Section 3.21.
Service Service
skipping to change at page 86, line 23 skipping to change at page 95, line 34
Incident Incident
Zero or One. An Incident observable. See Section 3.2. Zero or One. An Incident observable. See Section 3.2.
EventData EventData
Zero or One. An EventData observable. See Section 3.16. Zero or One. An EventData observable. See Section 3.16.
Expectation Expectation
Zero or One. An Expectation observable. See Section 3.17. Zero or One. An Expectation observable. See Section 3.17.
enum:Reference Reference
Zero or One. A Reference observable. See [RFC-ENUM]. Zero or One. A Reference observable. See Section 3.13.1.
Assessment Assessment
Zero or One. An Assessment observable. See Section 3.14. Zero or One. An Assessment observable. See Section 3.14.
HistoryItem HistoryItem
Zero or One. A HistoryItem observable. See Section 3.15.1. Zero or One. A HistoryItem observable. See Section 3.15.1.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
skipping to change at page 87, line 15 skipping to change at page 96, line 28
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 61: The IndicatorExpression Class Figure 63: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are: The aggregate classes that constitute IndicatorExpression are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. indicators.
Observable Observable
Zero or more. A description of an observable. Zero or more. A description of an observable.
skipping to change at page 88, line 20 skipping to change at page 97, line 34
This class has no content. This class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 62: The ObservableReference Class Figure 64: The ObservableReference Class
The ObservableReference class has one attribute: The ObservableReference class has one attribute:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in the observable-id attribute.
3.32.6. IndicatorReference Class 3.32.6. IndicatorReference Class
skipping to change at page 88, line 45 skipping to change at page 98, line 15
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 63: The IndicatorReference Class Figure 65: The IndicatorReference Class
The IndicatorReference class has the following attributes: The IndicatorReference class has the following attributes:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class. class will have this identifier set in the IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
skipping to change at page 89, line 22 skipping to change at page 98, line 41
Either the uid-ref or the euid-ref attribute MUST be set. Either the uid-ref or the euid-ref attribute MUST be set.
4. Processing Considerations 4. Processing Considerations
This section defines additional requirements on creating and parsing This section defines additional requirements on creating and parsing
IODEF documents. IODEF documents.
4.1. Encoding 4.1. Encoding
Every IODEF document MUST begin with an XML declaration, and MUST Every IODEF document MUST begin with an XML declaration, and MUST
specify the XML version used. If UTF-8 encoding is not used, the specify the XML version used. The character encoding MUST also be
character encoding MUST also be explicitly specified. The IODEF explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16
conforms to all XML data encoding conventions and constraints. [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD
NOT be used. The IODEF conforms to all XML data encoding conventions
and constraints.
The XML declaration with no character encoding will read as follows: The XML declaration with no character encoding will read as follows:
<?xml version="1.0" ?> <?xml version="1.0" ?>
When a character encoding is specified, the XML declaration will read When a character encoding is specified, the XML declaration will read
like the following: like the following:
<?xml version="1.0" encoding="charset" ?> <?xml version="1.0" encoding="charset" ?>
skipping to change at page 90, line 27 skipping to change at page 99, line 46
in the schema and it must also be considered by an IODEF parser. The in the schema and it must also be considered by an IODEF parser. The
following is a list of discrepancies in what is more strictly following is a list of discrepancies in what is more strictly
specified in the normative text (Section 3), but not enforced in the specified in the normative text (Section 3), but not enforced in the
IODEF schema: IODEF schema:
o The elements or attributes that are defined as POSTAL, NAME, o The elements or attributes that are defined as POSTAL, NAME,
PHONE, and EMAIL data-types are implemented as "xs:string", but PHONE, and EMAIL data-types are implemented as "xs:string", but
more rigid formatting requirements are specified in the text. more rigid formatting requirements are specified in the text.
o The IODEF-Document@lang and MLStringType@lang attributes are o The IODEF-Document@lang and MLStringType@lang attributes are
declared as an "xs:language" that constrains values with a regular declared as an "xml:language" that constrains values with a
expression. However, the value of this attribute still needs to regular expression. However, the value of this attribute still
be validated against the list of possible enumerated values needs to be validated against the list of possible enumerated
defined in [RFC5646]. values defined in [RFC5646].
o The MonetaryImpact@currency attribute is declared as an o The MonetaryImpact@currency attribute is declared as an
"xs:string", but the list of valid values is defined in [ISO4217]. "xs:string", but the list of valid values is defined in [ISO4217].
o All of the aggregated classes Contact and EventData are optional o All of the aggregated classes Contact and EventData are optional
in the schema, but at least one of these aggregated classes MUST in the schema, but at least one of these aggregated classes MUST
be present. be present.
o There are multiple conventions that can be used to categorize a o There are multiple conventions that can be used to categorize a
system using the NodeRole class or to specify software with the system using the NodeRole class or to specify software with the
skipping to change at page 91, line 47 skipping to change at page 101, line 15
o The Reference class is now defined by [RFC-ENUM]. o The Reference class is now defined by [RFC-ENUM].
o Extending enumerated values is now handled through collection of o Extending enumerated values is now handled through collection of
IANA registries. All attributes with a name prefixed by "ext-" IANA registries. All attributes with a name prefixed by "ext-"
have been removed. have been removed.
o The data previously represented in the Impact class is now in the o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has SystemImpact and IncidentCategory classes. The Impact class has
been removed. been removed.
o The Description class has been redefined to use xml:lang and
@translation-id. IODEF-document also uses xml:lang.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTs, the IODEF data In order to support the changing activity of CSIRTs, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
IODEF schema. With proven value, well documented extensions can be base IODEF schema. With proven value, well documented extensions can
incorporated into future versions of the specification. However, be incorporated into future versions of the specification. However,
this approach also supports private extensions relevant only to a this approach also supports private extensions relevant only to a
closed consortium. closed consortium.
5.1. Extending the Enumerated Values of Attributes 5.1. Extending the Enumerated Values of Attributes
Enumerated values of select attributes can be extended for private
use through specially marked attributes with the "ext-" prefix.
Likewise, each extensible attribute has a corresponding IANA registry
to which public extensions can be added.
5.1.1. Private Extension of Enumerated Values
The data model supports a means by which to add new enumerated values
to an attribute without public registration. For each attribute that
supports this extension technique, there is a corresponding attribute
in the same element whose name is identical but with a prefix of
"ext-". This special attribute is referred to as the extension
attribute, and the attribute being extended is referred to as an
extensible attribute. For example, an extensible attribute named
"foo" will have a corresponding extension attribute named "ext-foo".
An element may have many extensible, and therefore many extension,
attributes.
In addition to a corresponding extension attribute, each extensible
attribute has "ext-value" as one of its possible enumerated values.
This particular value serves as an escape sequence to the implementor
to signal that the extension attribute value should be read.
Otherwise, this value has no valid meaning.
In order to add a new enumerated value to an extensible attribute,
the value of this attribute MUST be set to "ext-value", and the new
desired value MUST be set in the corresponding extension attribute.
For example, an extended instance of the type attribute of the
SystemImpact class would look as follows:
<SystemImpact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding
extensible attribute has been set to "ext-value".
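The two rules of Section 5.1.1, checked in both directions, as an added example that is not part of the draft: every attribute set to "ext-value" must be accompanied by its "ext-" counterpart on the same element, and an "ext-" attribute may appear only when the attribute it extends is "ext-value". The constructed sample reuses the draft's SystemImpact instance; the wrapping Assessment element, the namespace urn:ietf:params:xml:ns:iodef-2.0 and the stand-in value "some-registered-value" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

EXT_PREFIX = "ext-"        # extension attributes: ext-<name>
ESCAPE_VALUE = "ext-value"  # escape value of every extensible attribute

# The draft's own example of a correctly extended attribute.
SAMPLE_GOOD = '<SystemImpact type="ext-value" ext-type="new-attack-type"/>'

# Constructed document: one correct instance and two violations, one per rule.
# "some-registered-value" is a placeholder standing in for a registered
# enumeration value, not a value defined by the draft.
SAMPLE_DOC = """
<Assessment xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <SystemImpact type="ext-value" ext-type="new-attack-type"/>
  <SystemImpact type="ext-value"/>
  <SystemImpact type="some-registered-value" ext-type="stray-extension"/>
</Assessment>
"""


def local_name(tag):
    """Strip an ElementTree "{namespace}" prefix for readable messages."""
    return tag.split("}")[-1]


def check_extension_attributes(xml_text):
    """Return a list of violation messages; an empty list means the
    "ext-" convention holds for every element in the document.

    Rule 1: <name>="ext-value" requires ext-<name> on the same element.
    Rule 2: ext-<name> may only be set when <name>="ext-value".
    Namespaced attributes such as xml:lang never start with "ext-" after
    ElementTree's "{ns}" expansion, so they are not mistaken for extensions.
    """
    root = ET.fromstring(xml_text)
    violations = []
    for el in root.iter():
        attrs = el.attrib
        tag = local_name(el.tag)
        for name, value in attrs.items():
            if value == ESCAPE_VALUE and EXT_PREFIX + name not in attrs:
                violations.append(
                    f"{tag}@{name} is '{ESCAPE_VALUE}' but @{EXT_PREFIX}{name} is missing")
            if name.startswith(EXT_PREFIX) and name != ESCAPE_VALUE:
                base = name[len(EXT_PREFIX):]
                if attrs.get(base) != ESCAPE_VALUE:
                    violations.append(
                        f"{tag}@{name} is set but @{base} is not '{ESCAPE_VALUE}'")
    return violations
```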
5.1.2. Public Extension of Enumerated Values
Select enumerated values of the attributes defined in the data model Select enumerated values of the attributes defined in the data model
can be extended by adding entries to the corresponding IANA registry. can be extended by adding entries to the corresponding IANA registry.
See Table 1. Table 1 enumerates these registries. Section 4.3 discusses the XML
Validation implications of these types of extensions.
5.2. Extending Classes 5.2. Extending Classes
The classes of the data model can be extended only through the use of The classes of the data model can be extended only through the use of
the AdditionalData and RecordItem classes. These container classes, the AdditionalData and RecordItem classes. These container classes,
collectively referred to as the extensible classes, are implemented collectively referred to as the extensible classes, are implemented
with the iodef:ExtensionType data type in the schema. They provide with the iodef:ExtensionType data type in the schema. They provide
the ability to have new atomic or XML-encoded data elements in all of the ability to have new atomic or XML-encoded data elements in all of
the top-level classes of the Incident class and a few of the more the top-level classes of the Incident class and a few of the more
complicated subordinate classes. As there are multiple instances of complicated subordinate classes. As there are multiple instances of
skipping to change at page 94, line 25 skipping to change at page 104, line 41
<iodef-extension1:newdata> <iodef-extension1:newdata>
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</IODEF-Document> </IODEF-Document>
6. Internationalization Issues 6. Internationalization Issues
Internationalization and localization are of specific concern to the Internationalization and localization are of specific concern to the
IODEF, since it is only through collaboration, often across language IODEF, since it is only through collaboration, often across language
barriers, that certain incidents can be resolved. The IODEF supports barriers, that certain incidents can be resolved and threat information
this goal by depending on XML constructs, and through explicit design shared. The IODEF supports this goal by depending on XML constructs,
choices in the data model. and through explicit design choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports Since IODEF is implemented as an XML Schema, it implicitly supports
all the different character encodings, such as UTF-8 and UTF-16, all the different character encodings, such as UTF-8 and UTF-16,
possible with XML. Additionally, each IODEF document MUST specify possible with XML. Additionally, each IODEF document MUST specify
the language in which its contents are encoded. The language can the language in which its contents are encoded. The language can
be specified with the attribute "xml:lang" (per Section 2.12 of be specified with the attribute "xml:lang" (per Section 2.12 of
[W3C.XML]) in the top-level element (i.e., IODEF-Document@lang) and [W3C.XML]) in the top-level element (i.e., IODEF-Document) and
letting all other elements inherit that definition. All IODEF letting all other elements inherit that definition. All IODEF
classes with a free-form text definition (i.e., all those defined of classes with a free-form text definition (i.e., all those defined of
type iodef:MLStringType) can also specify a language different from type iodef:MLStringType) can also specify a language different from
the rest of the document. The valid language codes for the the rest of the document. The valid language codes for the
"xml:lang" attribute are described in [RFC5646]. "xml:lang" attribute are described in [RFC5646].
The data model supports multiple translations of free-form text. In The data model supports multiple translations of free-form text. For
the places where free-text is used for descriptive purposes, the classes where free-text is used for descriptive purposes (e.g.,
given class always has a one-to-many cardinality to its parent (e.g., classes of the iodef:MLStringType type such as the Description
Description class). The intent is to allow the identical text to be class), the given class always has a one-to-many cardinality to its
encoded in different instances of the same class, but each being in a parent. The intent is to allow the identical text to be encoded in
different language. This approach allows an IODEF document author to different instances of the same class, but each being in a different
send recipients speaking different languages an identical document. language. This approach allows an IODEF document author to send
The IODEF parser SHOULD extract the appropriate language relevant to recipients speaking different languages an identical document. The
the recipient. IODEF parser SHOULD extract the appropriate language relevant to the
recipient.
Related instances of a given iodef:MLStringType class that are
translations of each other are identified by a common identifier set
in the translation-id attribute. The example below shows three
instances of a Description class expressed in three difference
languages. The relationship between these three instances of the
Description class is conveyed by the common value of "1" in the
translation-id attribute.
<IODEF-Document version="2.00" xml:lang="en" ...
<Incident purpose="reporting">
...
<Description translation-id="1"
xml:lang="en">English</Description>
<Description translation-id="1"
xml:lang="de">Englisch</Description>
<Description translation-id="1"
xml:lang="fr">Anglais</Description>
While the intent of the data model is to provide internationalization While the intent of the data model is to provide internationalization
and localization, the intent is not to do so at the detriment of and localization, the intent is not to do so at the detriment of
interoperability. While the IODEF does support different languages, interoperability. While the IODEF does support different languages,
the data model also relies heavily on standardized enumerated the data model also relies heavily on standardized enumerated
attributes that can crudely approximate the contents of the document. attributes that can crudely approximate the contents of the document.
With this approach, a CSIRT should be able to make some sense of an With this approach, a CSIRT should be able to make some sense of an
IODEF document it receives even if the text based data elements are IODEF document it receives even if the text based data elements are
written in a language unfamiliar to the analyst. written in a language unfamiliar to the analyst.
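As an added example (not code from the draft or the MILE working group), the recipient-side selection rule of Section 6 in Python's standard-library ElementTree: each Description's effective xml:lang is resolved by inheritance from IODEF-Document, sibling instances are grouped by translation-id, and the recipient's language is chosen with a fallback to the document's default; a MUST check for the top-level xml:lang and a duplicate-language check per translation-id are included. The sample document is constructed and trimmed to the relevant elements; its namespace URI is the one registered for IODEF v2 and is an assumption, not something shown on this page.

```python
"""Pick the Description translation a recipient should see from an IODEF v2
document, following the xml:lang / translation-id rules of Section 6."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# xml: is predeclared in XML, so ElementTree keys xml:lang by the XML namespace.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample modelled on the Section 6 example; trimmed to the elements
# relevant here, so it is not a complete, schema-valid Incident.  The namespace
# URI is the one registered for IODEF v2 (an assumption, not shown on this page).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting">
    <Description translation-id="1" xml:lang="en">English</Description>
    <Description translation-id="1" xml:lang="de">Englisch</Description>
    <Description translation-id="1" xml:lang="fr">Anglais</Description>
    <Description translation-id="2">Inherits the document language</Description>
  </Incident>
</IODEF-Document>
"""


def local_name(tag):
    """'{urn:...}Description' -> 'Description', so the namespace can be ignored."""
    return tag.rsplit("}", 1)[-1]


def parent_map(root):
    """ElementTree keeps no parent pointers; build the child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def effective_lang(elem, parents):
    """Nearest ancestor-or-self xml:lang, lower-cased (RFC 5646 tags are case-insensitive)."""
    node = elem
    while node is not None:
        lang = node.get(XML_LANG)
        if lang:
            return lang.lower()
        node = parents.get(node)
    return None


def translation_groups(root, name="Description"):
    """Group sibling <name> elements sharing a translation-id, in document order:
    {(parent, translation-id): {lang: text}}; no translation-id -> own group."""
    parents = parent_map(root)
    groups = defaultdict(dict)
    for elem in root.iter():
        if local_name(elem.tag) != name:
            continue
        tid = elem.get("translation-id")
        key = (parents.get(elem), tid if tid is not None else elem)
        groups[key][effective_lang(elem, parents)] = (elem.text or "").strip()
    return groups


def language_problems(xml_text):
    """Section 6 checks: the document MUST carry a top-level xml:lang, and one
    translation-id must not hold two Description instances in one language."""
    root = ET.fromstring(xml_text)
    problems = []
    if not root.get(XML_LANG):
        problems.append("IODEF-Document lacks xml:lang")
    parents = parent_map(root)
    seen = defaultdict(set)
    for elem in root.iter():
        tid = elem.get("translation-id")
        if local_name(elem.tag) != "Description" or tid is None:
            continue
        lang = effective_lang(elem, parents)
        if lang in seen[parents.get(elem), tid]:
            problems.append(f"translation-id {tid} has two Description instances in {lang}")
        seen[parents.get(elem), tid].add(lang)
    return problems


def pick_translation(versions, preferred, document_lang):
    """Exact tag first, then the same primary subtag (de-CH -> de), then the
    document's default language, else the first instance present."""
    preferred = preferred.lower()
    if preferred in versions:
        return versions[preferred]
    primary = preferred.split("-")[0]
    for lang, text in versions.items():
        if lang and lang.split("-")[0] == primary:
            return text
    if document_lang in versions:
        return versions[document_lang]
    return next(iter(versions.values()))


def descriptions_for(xml_text, recipient_lang):
    """One Description per translation group, localised for recipient_lang;
    documents that break the Section 6 rules are rejected."""
    problems = language_problems(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    root = ET.fromstring(xml_text)
    doc_lang = root.get(XML_LANG).lower()
    return [pick_translation(v, recipient_lang, doc_lang)
            for v in translation_groups(root).values()]
```

The second Description carries no xml:lang of its own, so it takes the document's "en" by inheritance and is returned unchanged for every recipient.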
skipping to change at page 102, line 31 skipping to change at page 113, line 17
<xs:element name="IODEF-Document"> <xs:element name="IODEF-Document">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Incident" <xs:element ref="iodef:Incident"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="version" <xs:attribute name="version"
type="xs:string" fixed="2.00"/> type="xs:string" fixed="2.00"/>
<xs:attribute name="lang"
type="xs:language" use="required"/>
<xs:attribute name="formatid" <xs:attribute name="formatid"
type="xs:string"/> type="xs:string"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
=== Incident class === === Incident class ===
================================================================== ==================================================================
--> -->
<xs:element name="Incident"> <xs:element name="Incident">
skipping to change at page 103, line 37 skipping to change at page 114, line 22
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="purpose" use="required"> <xs:attribute name="purpose" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/> <xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/> <xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/> <xs:enumeration value="reporting"/>
<xs:enumeration value="watch" /> <xs:enumeration value="watch" />
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="lang" <xs:attribute name="ext-purpose"
type="xs:language"/> type="xs:string" use="optional"/>
<xs:attribute name="status">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved" />
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" default="private"/> type="iodef:restriction-type"
default="private"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== IncidentID class == == IncidentID class ==
================================================================== ==================================================================
--> -->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/> <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType"> <xs:complexType name="IncidentIDType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="name" <xs:attribute name="name"
type="xs:string" use="required"/> type="xs:string" use="required"/>
<xs:attribute name="instance" <xs:attribute name="instance"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
skipping to change at page 104, line 17 skipping to change at page 115, line 19
<xs:complexType name="IncidentIDType"> <xs:complexType name="IncidentIDType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="name" <xs:attribute name="name"
type="xs:string" use="required"/> type="xs:string" use="required"/>
<xs:attribute name="instance" <xs:attribute name="instance"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="public"/> default="public"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<!-- <!--
================================================================== ==================================================================
== AlternativeID class == == AlternativeID class ==
================================================================== ==================================================================
--> -->
<xs:element name="AlternativeID"> <xs:element name="AlternativeID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== RelatedActivity class == == RelatedActivity class ==
================================================================== ==================================================================
--> -->
<xs:element name="RelatedActivity"> <xs:element name="RelatedActivity">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
skipping to change at page 105, line 15 skipping to change at page 116, line 21
</xs:choice> </xs:choice>
<xs:element ref="iodef:Confidence" <xs:element ref="iodef:Confidence"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== ThreatActor class == == ThreatActor class ==
================================================================== ==================================================================
--> -->
<xs:element name="ThreatActor"> <xs:element name="ThreatActor">
<xs:complexType> <xs:complexType>
skipping to change at page 105, line 40 skipping to change at page 116, line 48
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="ThreatActorID" type="xs:string"/> <xs:element name="ThreatActorID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== Campaign class == == Campaign class ==
================================================================== ==================================================================
--> -->
<xs:element name="Campaign"> <xs:element name="Campaign">
skipping to change at page 106, line 17 skipping to change at page 117, line 28
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="CampaignID" type="xs:string"/> <xs:element name="CampaignID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== AdditionalData class == == AdditionalData class ==
================================================================== ==================================================================
--> -->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/> <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
== Contact class == == Contact class ==
================================================================== ==================================================================
--> -->
<xs:element name="Contact"> <xs:element name="Contact">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ContactName" <xs:element ref="iodef:ContactName"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ContactTitle" <xs:element ref="iodef:ContactTitle"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle" <xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress" <xs:element ref="iodef:PostalAddress"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Email" <xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone" <xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
skipping to change at page 107, line 31 skipping to change at page 118, line 45
<xs:enumeration value="legal"/> <xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/> <xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/> <xs:enumeration value="irt"/>
<xs:enumeration value="cc"/> <xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/> <xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/> <xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/> <xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/> <xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/> <xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/> <xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/> <xs:enumeration value="person"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="ContactName" <xs:element name="ContactName"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="ContactTitle" <xs:element name="ContactTitle"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="RegistryHandle"> <xs:element name="RegistryHandle">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="registry"> <xs:attribute name="registry">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/> <xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/> <xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/> <xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/> <xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/> <xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/> <xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/> <xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="PostalAddress"> <xs:element name="PostalAddress">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning" <xs:attribute name="meaning"
skipping to change at page 109, line 39 skipping to change at page 121, line 15
--> -->
<xs:element name="History"> <xs:element name="History">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:HistoryItem" <xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="HistoryItem"> <xs:element name="HistoryItem">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime"/> <xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA" <xs:element name="DefinedCOA"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" use="required"/> type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Expectation class == == Expectation class ==
================================================================== ==================================================================
--> -->
<xs:element name="Expectation"> <xs:element name="Expectation">
skipping to change at page 110, line 40 skipping to change at page 122, line 22
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" default="other"/> type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Discovery class == == Discovery class ==
================================================================== ==================================================================
--> -->
skipping to change at page 111, line 39 skipping to change at page 123, line 26
<xs:enumeration value="network-flow"/> <xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/> <xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/> <xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/> <xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/> <xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/> <xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/> <xs:enumeration value="leo"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
<xs:enumeration value="actor"/> <xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DetectionPattern"> <xs:element name="DetectionPattern">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Application"/> <xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration" <xs:element name="DetectionConfiguration"
type="xs:string" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Method class == == Method class ==
================================================================== ==================================================================
--> -->
<xs:element name="Method"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="enum:Reference"/> <xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/> <xs:element ref="iodef:Description"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Reference class ==
==================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element ref="enum:ReferenceName"
minOccurs="0" />
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Assessment class == == Assessment class ==
================================================================== ==================================================================
--> -->
<xs:element name="Assessment"> <xs:element name="Assessment">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="IncidentCategory" <xs:element name="IncidentCategory"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:SystemImpact"/> <xs:element ref="iodef:SystemImpact"/>
<xs:element name="BusinessImpact" <xs:element name="BusinessImpact"
type="iodef:BusinessImpactType/> type="iodef:BusinessImpactType" />
<xs:element ref="iodef:TimeImpact"/> <xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/> <xs:element ref="iodef:MonetaryImpact"/>
<xs:element name="IntendedImpact" <xs:element name="IntendedImpact"
type="iodef:BusinessImpactType/> type="iodef:BusinessImpactType"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="MitigatingFactor" <xs:element name="MitigatingFactor"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="occurrence"> <xs:attribute name="occurrence">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/> <xs:enumeration value="actual"/>
<xs:enumeration value="potential"/> <xs:enumeration value="potential"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="SystemImpact"> <xs:element name="SystemImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="completion"> <xs:attribute name="completion">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/> <xs:enumeration value="failed"/>
skipping to change at page 114, line 22 skipping to change at page 126, line 41
<xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/> <xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/> <xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/> <xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/> <xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/> <xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/> <xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/> <xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/> <xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/> <xs:enumeration value="policy"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:complexType name="BusinessImpactType"> <xs:complexType name="BusinessImpactType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
use="optional"> use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/> <xs:enumeration value="none"/>
<xs:enumeration value="low"/> <xs:enumeration value="low"/>
<xs:enumeration value="medium"/> <xs:enumeration value="medium"/>
<xs:enumeration value="high"/> <xs:enumeration value="high"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type" <xs:attribute name="type"
use="optional"> use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/> <xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/> <xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/> <xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" /> <xs:enumeration value="loss-of-service" />
<xs:enumeration value="theft-financial"/> <xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/> <xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/> <xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/> <xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/> <xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/> <xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/> <xs:enumeration value="extortion"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:element name="TimeImpact"> <xs:element name="TimeImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="metric" <xs:attribute name="metric"
use="required"> use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/> <xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/> <xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/> <xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="MonetaryImpact"> <xs:element name="MonetaryImpact">
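Review bot: dropping the ext-value enumeration together with the matching ext-type and ext-severity attributes on Impact type, BusinessImpactType severity and type, and TimeImpact metric closes those lists, so any -10 document that used an ext-* escape will no longer validate against -11; if the removal is intended, the data-model text and examples that describe ext-* for these classes need the same change, and the change log should say so. Independently, TimeImpact severity is typed iodef:severity-type while BusinessImpactType severity re-declares the identical none/low/medium/high/unknown list inline; reusing iodef:severity-type there keeps the two from drifting apart.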
skipping to change at page 117, line 15 skipping to change at page 129, line 44
<xs:element ref="iodef:Record" <xs:element ref="iodef:Record"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Flow class == == Flow class ==
================================================================== ==================================================================
--> -->
<!-- Added System unbounded for use only when the source or <!-- Added System unbounded for use only when the source or
skipping to change at page 118, line 14 skipping to change at page 130, line 45
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string" <xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="category"> <xs:attribute name="category">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/> <xs:enumeration value="source"/>
<xs:enumeration value="target"/> <xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/> <xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/> <xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface" <xs:attribute name="interface"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type" <xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" /> default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type" <xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/> use="optional" default="unknown"/>
<xs:attribute name="ownership"> <xs:attribute name="ownership">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="personal"/> <xs:enumeration value="personal"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
<xs:enumeration value="customer"/> <xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/> <xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Node class == == Node class ==
================================================================== ==================================================================
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
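Review bot: the spoofed and virtual attributes on System reference type="yes-no-unknown-type" with no iodef: prefix, while restriction on the same element uses iodef:restriction-type; an unprefixed QName resolves to no namespace unless the IODEF namespace is also declared as the default namespace, and the schema will fail to compile if it is not. Suggest type="iodef:yes-no-unknown-type" on both. The ext-value, ext-restriction, ext-category and ext-ownership removals close the category and ownership lists here as in the Impact classes.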
skipping to change at page 119, line 13 skipping to change at page 132, line 4
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Address" <xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:PostalAddress" <xs:element ref="iodef:PostalAddress"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Location" <xs:element ref="iodef:Location"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:NodeRole" <xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Address"> <xs:element name="Address">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
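Review bot: inside the xs:choice with maxOccurs="unbounded", the minOccurs="0" maxOccurs="unbounded" on DomainData and Address are redundant (the choice already repeats) and, because each branch may then match nothing, they make the choice satisfiable by a Node with neither element; if a Node is meant to carry at least one Address or DomainData, remove the inner occurrence constraints so the schema enforces it. The new maxOccurs="unbounded" on Location is fine but needs the matching "zero or more" wording in the Node class description.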
skipping to change at page 119, line 40 skipping to change at page 132, line 32
<xs:enumeration value="atm"/> <xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/> <xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/> <xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/> <xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/> <xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" <xs:attribute name="vlan-name"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="vlan-num" <xs:attribute name="vlan-num"
type="xs:integer"/> type="xs:integer"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole"> <xs:element name="NodeRole">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required"> <xs:attribute name="category" use="required">
<xs:simpleType> <xs:simpleType>
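Review bot: vlan-num is xs:integer, which admits negative and arbitrarily large values; an 802.1Q VLAN ID is a 12-bit field (1 to 4094), so a restriction with minInclusive and maxInclusive, or at minimum xs:nonNegativeInteger, would let the schema reject malformed input rather than leaving it to the consumer. The removal of ext-value and ext-category closes the category list to the address types enumerated here.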
skipping to change at page 121, line 20 skipping to change at page 134, line 14
<xs:enumeration value="anonymization"/> <xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/> <xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/> <xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/> <xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/> <xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/> <xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/> <xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/> <xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/> <xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/> <xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Service Class == == Service Class ==
================================================================== ==================================================================
--> -->
skipping to change at page 122, line 40 skipping to change at page 135, line 37
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="packet"/> <xs:enumeration value="packet"/>
<xs:enumeration value="flow"/> <xs:enumeration value="flow"/>
<xs:enumeration value="session"/> <xs:enumeration value="session"/>
<xs:enumeration value="event"/> <xs:enumeration value="event"/>
<xs:enumeration value="alert"/> <xs:enumeration value="alert"/>
<xs:enumeration value="message"/> <xs:enumeration value="message"/>
<xs:enumeration value="host"/> <xs:enumeration value="host"/>
<xs:enumeration value="site"/> <xs:enumeration value="site"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== EmailData class == == EmailData class ==
================================================================== ==================================================================
--> -->
<xs:element name="EmailData"> <xs:element name="EmailData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
skipping to change at page 123, line 41 skipping to change at page 136, line 43
<!-- <!--
================================================================== ==================================================================
== DomainData class - from RFC5901 == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
--> -->
<xs:element name="DomainData"> <xs:element name="DomainData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Name" <xs:element name="Name"
type="iodef:MLStringType" maxOccurs="1" /> type="xs:string" maxOccurs="1" />
<xs:element name="DateDomainWasChecked" <xs:element name="DateDomainWasChecked"
type="xs:dateTime" type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RegistrationDate" <xs:element name="RegistrationDate"
type="xs:dateTime" type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="ExpirationDate" <xs:element name="ExpirationDate"
type="xs:dateTime" type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType" type="iodef:RelatedDNSEntryType"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Nameservers" <xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:DomainContacts" <xs:element ref="iodef:DomainContacts"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
</xs:sequence> </xs:sequence>
<xs:attribute name="system-status"> <xs:attribute name="system-status">
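Review bot: Name changes from iodef:MLStringType to xs:string, which drops the lang attribute MLStringType carries; a domain name is not natural-language text, so the simplification is reasonable, but the DomainData class description must say STRING rather than ML_STRING, and the change should be listed in the change log together with the identical change to Server in Nameservers and SameDomainContact in DomainContacts below.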
skipping to change at page 124, line 19 skipping to change at page 137, line 22
</xs:sequence> </xs:sequence>
<xs:attribute name="system-status"> <xs:attribute name="system-status">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/> <xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/> <xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/> <xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/> <xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status"> <xs:attribute name="domain-status">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/> <xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/> <xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/> <xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/> <xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/> <xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/> <xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/> <xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/> <xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/> type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType"> <xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
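Review bot: system-status and domain-status restrict xs:string, whereas every other enumerated attribute in this schema restricts xs:NMTOKEN; NMTOKEN also collapses surrounding whitespace before the enumeration check, so a value such as " spoofed" matches under NMTOKEN and fails under string. Suggest xs:NMTOKEN for both for consistency. Removing ext-value with ext-system-status and ext-domain-status closes both lists, as with the other classes.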
skipping to change at page 125, line 44 skipping to change at page 139, line 4
<xs:enumeration value="SSHFP"/> <xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/> <xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/> <xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/> <xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/> <xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/> <xs:enumeration value="TXT"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:element name="Nameservers"> <xs:element name="Nameservers">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/> <xs:element name="Server" type="xs:string"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DomainContacts"> <xs:element name="DomainContacts">
<xs:complexType> <xs:complexType>
<xs:choice> <xs:choice>
<xs:element name="SameDomainContact" <xs:element name="SameDomainContact"
type="iodef:MLStringType"/> type="xs:string"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
maxOccurs="unbounded" minOccurs="1"/> maxOccurs="unbounded" minOccurs="1"/>
</xs:choice> </xs:choice>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Record class == == Record class ==
================================================================== ==================================================================
--> -->
<xs:element name="Record"> <xs:element name="Record">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:RecordData" <xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordData"> <xs:element name="RecordData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime" <xs:element ref="iodef:DateTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RecordPattern" <xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem" <xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData" <xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
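Review bot: the record-type enumeration in RelatedDNSEntryType (SSHFP through TXT) has no ext-value escape in either version, so an RR type registered after publication cannot be expressed; allowing the TYPEnnn form from RFC 3597 as a pattern alternative would cover new types without a schema revision. Server in Nameservers and SameDomainContact in DomainContacts move from iodef:MLStringType to xs:string in step with DomainData Name; the class descriptions should reflect that.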
skipping to change at page 127, line 4 skipping to change at page 140, line 15
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RecordPattern" <xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem" <xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData" <xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData" <xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordPattern"> <xs:element name="RecordPattern">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/> <xs:enumeration value="regex"/>
<xs:enumeration value="binary"/> <xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/> <xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset" <xs:attribute name="offset"
type="xs:integer" use="optional"/> type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit" <xs:attribute name="offsetunit"
use="optional" default="line"> use="optional" default="line">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/> <xs:enumeration value="line"/>
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance" <xs:attribute name="instance"
type="xs:integer" use="optional"/> type="xs:integer" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordItem" <xs:element name="RecordItem"
type="iodef:ExtensionType"/> type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
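Review bot: offset and instance on RecordPattern are xs:integer, which admits negative values; a position within a log record and an occurrence count are never negative, so xs:nonNegativeInteger (and xs:positiveInteger for instance, if the first match is numbered 1) would let the schema reject them. After ext-value and ext-offsetunit are removed, offsetunit keeps default="line", which remains valid since "line" is still in the closed list; the ext-type removal on type likewise closes the regex/binary/xpath list.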
skipping to change at page 128, line 25 s