draft-ietf-mile-rfc5070-bis-11.txt   draft-ietf-mile-rfc5070-bis-12.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: September 24, 2015 March 23, 2015 Expires: December 20, 2015 June 18, 2015
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-11 draft-ietf-mile-rfc5070-bis-12
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for sharing information commonly exchanged by data representation for sharing information commonly exchanged by
Computer Security Incident Response Teams (CSIRTs) about computer Computer Security Incident Response Teams (CSIRTs) about computer
security incidents. This document describes the information model security incidents. This document describes the information model
for the IODEF and provides an associated data model specified with for the IODEF and provides an associated data model specified with
XML Schema. XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 24, 2015. This Internet-Draft will expire on December 20, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 6 1.1. Changes from 5070 . . . . . . . . . . . . . . . . . . . . 6
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 7
1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7 1.3. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 8 1.4. About the IODEF Data Model . . . . . . . . . . . . . . . 8
1.5. About the IODEF Implementation . . . . . . . . . . . . . 8 1.5. About the IODEF Implementation . . . . . . . . . . . . . 9
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 9 2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 9
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 9 2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9 2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9 2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9 2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 10
2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.5. Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 10 2.6. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . . . 11
2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 11 2.7. Enumerated Types . . . . . . . . . . . . . . . . . . . . 11
2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 11 2.8. Date-Time Strings . . . . . . . . . . . . . . . . . . . . 11
2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 11 2.9. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11 2.10. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 12
2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 12 2.11. Postal Address . . . . . . . . . . . . . . . . . . . . . 12
2.12. Person or Organization . . . . . . . . . . . . . . . . . 12 2.12. Person or Organization . . . . . . . . . . . . . . . . . 12
2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 12 2.13. Telephone and Fax Numbers . . . . . . . . . . . . . . . . 12
2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 12 2.14. Email String . . . . . . . . . . . . . . . . . . . . . . 12
2.15. Uniform Resource Locator strings . . . . . . . . . . . . 12 2.15. Uniform Resource Locator strings . . . . . . . . . . . . 12
2.16. Identifiers and Identifier References . . . . . . . . . . 12 2.16. Identifiers and Identifier References . . . . . . . . . . 13
3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 13 3. The IODEF Data Model . . . . . . . . . . . . . . . . . . . . 13
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 13 3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 13
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 14 3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 14
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 17 3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 18
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 17 3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 18
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 18 3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 19
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 19 3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 19
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 20 3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 20
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 20 3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 21
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 22 3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 22
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 22 3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 23
3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 23 3.9. AdditionalData Class . . . . . . . . . . . . . . . . . . 24
3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 26 3.10. Contact Class . . . . . . . . . . . . . . . . . . . . . . 26
3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 29 3.10.1. RegistryHandle Class . . . . . . . . . . . . . . . . 30
3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 30 3.10.2. PostalAddress Class . . . . . . . . . . . . . . . . 31
3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 31 3.10.3. Email Class . . . . . . . . . . . . . . . . . . . . 31
3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 31 3.10.4. Telephone and Fax Classes . . . . . . . . . . . . . 32
3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 32 3.11. Time Classes . . . . . . . . . . . . . . . . . . . . . . 32
3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 32 3.11.1. StartTime Class . . . . . . . . . . . . . . . . . . 33
3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 32 3.11.2. EndTime Class . . . . . . . . . . . . . . . . . . . 33
3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 33 3.11.3. DetectTime Class . . . . . . . . . . . . . . . . . . 33
3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 33 3.11.4. ReportTime Class . . . . . . . . . . . . . . . . . . 33
3.11.5. GenerationTime Class . . . . . . . . . . . . . . . . 33 3.11.5. GenerationTime Class . . . . . . . . . . . . . . . . 33
3.11.6. DateTime . . . . . . . . . . . . . . . . . . . . . . 33 3.11.6. DateTime . . . . . . . . . . . . . . . . . . . . . . 33
3.12. Discovery Class . . . . . . . . . . . . . . . . . . . . . 33 3.12. Discovery Class . . . . . . . . . . . . . . . . . . . . . 33
3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . 35 3.12.1. DetectionPattern Class . . . . . . . . . . . . . . . 35
3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . 36 3.13. Method Class . . . . . . . . . . . . . . . . . . . . . . 36
3.13.1. Reference Class . . . . . . . . . . . . . . . . . . 37 3.13.1. Reference Class . . . . . . . . . . . . . . . . . . 37
3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . 38 3.14. Assessment Class . . . . . . . . . . . . . . . . . . . . 38
3.14.1. SystemImpact Class . . . . . . . . . . . . . . . . . 39 3.14.1. SystemImpact Class . . . . . . . . . . . . . . . . . 39
3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . 42 3.14.2. BusinessImpact Class . . . . . . . . . . . . . . . . 42
3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 44 3.14.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 45
3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 46 3.14.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 47
3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . 47 3.14.5. Confidence Class . . . . . . . . . . . . . . . . . . 47
3.15. History Class . . . . . . . . . . . . . . . . . . . . . . 48 3.15. History Class . . . . . . . . . . . . . . . . . . . . . . 48
3.15.1. HistoryItem Class . . . . . . . . . . . . . . . . . 49 3.15.1. HistoryItem Class . . . . . . . . . . . . . . . . . 49
3.16. EventData Class . . . . . . . . . . . . . . . . . . . . . 51 3.16. EventData Class . . . . . . . . . . . . . . . . . . . . . 51
3.16.1. Relating the Incident and EventData Classes . . . . 53 3.16.1. Relating the Incident and EventData Classes . . . . 53
3.16.2. Cardinality of EventData . . . . . . . . . . . . . . 53 3.16.2. Cardinality of EventData . . . . . . . . . . . . . . 53
3.17. Expectation Class . . . . . . . . . . . . . . . . . . . . 54 3.17. Expectation Class . . . . . . . . . . . . . . . . . . . . 54
3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 57 3.18. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 57
3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 58 3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 58
3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 61 3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 61
3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 62 3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 62
3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 63 3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 63
3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 66 3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 66
3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 68 3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 68
3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 70 3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 71
3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 71 3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 71
3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 71 3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 72
3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 72 3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 73
3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 74 3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 75
3.22.2. Application Class . . . . . . . . . . . . . . . . . 76 3.22.2. Application Class . . . . . . . . . . . . . . . . . 76
3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 77 3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 78
3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 77 3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 78
3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 78 3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 79
3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 78 3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 79
3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 80 3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 81
3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 81 3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 82
3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 82 3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 83
3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 82 3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 83
3.27. CertificateData Class . . . . . . . . . . . . . . . . . . 83 3.27. CertificateData Class . . . . . . . . . . . . . . . . . . 84
3.27.1. Certificate Class . . . . . . . . . . . . . . . . . 84 3.27.1. Certificate Class . . . . . . . . . . . . . . . . . 85
3.28. FileData Class . . . . . . . . . . . . . . . . . . . . . 85 3.28. FileData Class . . . . . . . . . . . . . . . . . . . . . 86
3.28.1. File Class . . . . . . . . . . . . . . . . . . . . . 85 3.28.1. File Class . . . . . . . . . . . . . . . . . . . . . 86
3.29. HashData Class . . . . . . . . . . . . . . . . . . . . . 87 3.29. HashData Class . . . . . . . . . . . . . . . . . . . . . 88
3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 88 3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 89
3.29.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 89 3.29.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 90
3.30. SignatureData Class . . . . . . . . . . . . . . . . . . . 90 3.30. SignatureData Class . . . . . . . . . . . . . . . . . . . 91
3.31. IndicatorData Class . . . . . . . . . . . . . . . . . . . 90 3.31. IndicatorData Class . . . . . . . . . . . . . . . . . . . 91
3.32. Indicator Class . . . . . . . . . . . . . . . . . . . . . 90 3.32. Indicator Class . . . . . . . . . . . . . . . . . . . . . 92
3.32.1. IndicatorID Class . . . . . . . . . . . . . . . . . 92 3.32.1. IndicatorID Class . . . . . . . . . . . . . . . . . 94
3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . . 93 3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . . 94
3.32.3. Observable Class . . . . . . . . . . . . . . . . . . 94 3.32.3. Observable Class . . . . . . . . . . . . . . . . . . 95
3.32.4. IndicatorExpression Class . . . . . . . . . . . . . 96 3.32.4. IndicatorExpression Class . . . . . . . . . . . . . 100
3.32.5. ObservableReference Class . . . . . . . . . . . . . 97 3.32.5. ObservableReference Class . . . . . . . . . . . . . 102
3.32.6. IndicatorReference Class . . . . . . . . . . . . . . 97 3.32.6. IndicatorReference Class . . . . . . . . . . . . . . 102
4. Processing Considerations . . . . . . . . . . . . . . . . . . 98 4. Processing Considerations . . . . . . . . . . . . . . . . . . 103
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 98 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 103
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 99 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 103
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 99 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 104
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 100 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 105
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 101 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 106
5.1. Extending the Enumerated Values of Attributes . . . . . . 101 5.1. Extending the Enumerated Values of Attributes . . . . . . 106
5.1.1. Private Extension of Enumerated Values . . . . . . . 101 5.1.1. Private Extension of Enumerated Values . . . . . . . 106
5.1.2. Public Extension of Enumerated Values . . . . . . . . 102 5.1.2. Public Extension of Enumerated Values . . . . . . . . 107
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 102 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 107
6. Internationalization Issues . . . . . . . . . . . . . . . . . 104 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 109
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 105 6. Internationalization Issues . . . . . . . . . . . . . . . . . 109
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 106 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 107 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 111
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 109 7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 112
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 111 7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 114
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 112 7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 116
9. Security Considerations . . . . . . . . . . . . . . . . . . . 153 8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 117
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 153 9. Security Considerations . . . . . . . . . . . . . . . . . . . 160
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 154 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 160
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 154 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 161
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 156 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 161
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 157 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 163
12.1. Normative References . . . . . . . . . . . . . . . . . . 157 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 164
12.2. Informative References . . . . . . . . . . . . . . . . . 159 12.1. Normative References . . . . . . . . . . . . . . . . . . 164
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 160 12.2. Informative References . . . . . . . . . . . . . . . . . 166
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 167
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 7, line 15 skipping to change at page 7, line 15
o The following classes were added to Node: PostalAddress and o The following classes were added to Node: PostalAddress and
DomainData. The following classes were removed from Node: Removed DomainData. The following classes were removed from Node: Removed
NodeName and DateTime. NodeName and DateTime.
o The following classes were added to the Contact class: o The following classes were added to the Contact class:
ContactTitle. ContactTitle.
o The following classes were added to Expectation and HistoryItem: o The following classes were added to Expectation and HistoryItem:
DefinedCOA. DefinedCOA.
o The following classes were aded to Service: ServiceName
o The following classes were added to Reference: ReferenceName o The following classes were added to Reference: ReferenceName
(replaced Name). (replaced Name).
o The following attributes were added to Counter: type and unit.
o Additional enumerated values were added to the following o Additional enumerated values were added to the following
attributes: @restriction, {Expectation, HistoryItem}@action, attributes: @restriction, {Expectation, HistoryItem}@action,
NodeRole@category, Incident@purpose, Contact@role, NodeRole@category, Incident@purpose, Contact@role,
AdditionalData@dtype, System@spoofed. AdditionalData@dtype, System@spoofed.
o Added option for public extension of enumerated attributes with an o Added option for public extension of enumerated attributes with an
IANA registry and added @ext-restriction. IANA registry and added @ext-restriction.
o Removed Impact class in favor of using SystemImpact and o Removed Impact class in favor of using SystemImpact and
IncidentCategory. IncidentCategory.
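Review bot: The new Service bullet in the -12 column reads "were aded to Service: ServiceName"; "aded" should be "added", and the bullet lacks the terminal period that the neighbouring bullets have. While this list is being edited, the Node bullet's "were removed from Node: Removed NodeName and DateTime" carries a stray "Removed" in both columns and could be cleaned up in the same pass.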
skipping to change at page 9, line 48 skipping to change at page 10, line 7
A single character is represented by the CHARACTER data type. A A single character is represented by the CHARACTER data type. A
character string is represented by the STRING data type. Special character string is represented by the STRING data type. Special
characters must be encoded using entity references. See Section 4.1. characters must be encoded using entity references. See Section 4.1.
The CHARACTER and STRING data types are implement as an "xs:string" The CHARACTER and STRING data types are implement as an "xs:string"
in [W3C.SCHEMA.DTYPES]. in [W3C.SCHEMA.DTYPES].
2.4. Multilingual Strings 2.4. Multilingual Strings
STRING data that represents multi-character string in a language A character string that needs to be represented in a language
different than the default encoding of the document is of the different than the default encoding of the document is of the
ML_STRING data type. ML_STRING data type.
ML_STRING data type is implemented as the "iodef:MLStringType" type ML_STRING data type is implemented as the "iodef:MLStringType" type
in the schema. This type extends the "xs:string" to include two in the schema. This type extends the "xs:string" to include two
attributes. The body of any class that uses this type is the attributes. The body of any class that uses this type is the
multilingual string. multilingual string.
Multiple instances of a class of this type with the same parent that
have the same value set in the translation-id attribute are
considered translations. The language of a given class of this type
is set by the xml:lang attribute.
+------------------------+ +------------------------+
| iodef:MLStringType | | iodef:MLStringType |
+------------------------+ +------------------------+
| ENUM xml:lang | | ENUM xml:lang |
| STRING translation-id | | STRING translation-id |
| | | |
+------------------------+ +------------------------+
Figure 1: The iodef:MLStringType Type Figure 1: The iodef:MLStringType Type
Classes of the iodef:MLStringType type have two attributes: Classes of the iodef:MLStringType type have two attributes:
xml:lang xml:lang
Optional. ENUM. A language identifier per Section 2.12 of Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The [W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
translation-id translation-id
Optional. STRING. An identifier to relate other instances of Optional. STRING. An identifier to relate other instances of
this class as translations of this text. this class with the same parent as translations of this text. The
scope of this identifier is limited to all of the direct, peer
child classes of a given parent class.
Using this class enables representing translation of the same text in
multiple language. Each translation is a distinct instance of this
class with a common parent. This relationship between multiple
classes being translated instances of the same text is indicated by a
common identifier set in the translation-id attribute. The language
of a given class of this type is set by the xml:lang attribute.
2.5. Bytes 2.5. Bytes
A binary octet is represented by the BYTE data type. A sequence of A binary octet is represented by the BYTE data type. A sequence of
binary octets is represented by the BYTE[] data type. These octets binary octets is represented by the BYTE[] data type. These octets
are encoded using base64. are encoded using base64.
The BYTE data type is implemented as an "xs:base64Binary" in The BYTE data type is implemented as an "xs:base64Binary" in
[W3C.SCHEMA.DTYPES]. [W3C.SCHEMA.DTYPES].
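Review bot: The revised translation-id definition gives the scope as "all of the direct, peer child classes of a given parent class", which leaves two cases open: whether sibling elements of different classes that carry the same translation-id count as translations of each other, and how a recipient treats siblings that share both translation-id and xml:lang. Suggest limiting the match to instances of the same class under one parent and stating what happens in the duplicate case. Smaller points: "multiple language" should be "multiple languages", "are implement as" in Section 2.3 should be "are implemented as", and the "Multiple instances of a class of this type ..." paragraph states the same rule as the "Using this class ..." paragraph, so a single revision needs only one of them.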
skipping to change at page 13, line 18 skipping to change at page 13, line 30
will be discussed in detail. For each class, the semantics will be will be discussed in detail. For each class, the semantics will be
described and the relationship with other classes will be depicted described and the relationship with other classes will be depicted
with UML. When necessary, specific comments will be made about with UML. When necessary, specific comments will be made about
corresponding definition in the schema in Section 8 corresponding definition in the schema in Section 8
3.1. IODEF-Document Class 3.1. IODEF-Document Class
The IODEF-Document class is the top level class in the IODEF data The IODEF-Document class is the top level class in the IODEF data
model. All IODEF documents are an instance of this class. model. All IODEF documents are an instance of this class.
+-----------------+ +--------------------------+
| IODEF-Document | | IODEF-Document |
+-----------------+ +--------------------------+
| STRING version |<>--{1..*}--[ Incident ] | STRING version |<>--{1..*}--[ Incident ]
| ENUM xml:lang |<>--{0..*}--[ AdditionalData ] | ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
| STRING formatid | | STRING format-id |
+-----------------+ | STRING private-enum-name |
| STRING private-enum-id |
+--------------------------+
Figure 2: IODEF-Document Class Figure 2: IODEF-Document Class
The aggregate class that constitute IODEF-Document is: The aggregate class that constitute IODEF-Document is:
Incident Incident
One or more. The information related to a single incident. One or more. The information related to a single incident.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
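Review bot: The figure renames the attribute formatid to format-id, which changes the name on the wire, so a producer that still emits formatid no longer matches this class. Suggest recording the rename in the Section 1.1 change list and in Section 4.4 (Incompatibilities with v1), next to the two new private-enum-* attributes. The lead-in "The aggregate class that constitute IODEF-Document is:" introduces two classes and should read "The aggregate classes that constitute IODEF-Document are:".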
skipping to change at page 13, line 49 skipping to change at page 14, line 15
version version
Required. STRING. The IODEF specification version number to Required. STRING. The IODEF specification version number to
which this IODEF document conforms. The value of this attribute which this IODEF document conforms. The value of this attribute
MUST be "2.00" MUST be "2.00"
xml:lang xml:lang
Optional. ENUM. A language identifier per Section 2.12 of Optional. ENUM. A language identifier per Section 2.12 of
[W3C.XML] whose values and form are described in [RFC5646]. The [W3C.XML] whose values and form are described in [RFC5646]. The
interpretation of this code is described in Section 6. interpretation of this code is described in Section 6.
formatid format-id
Optional. STRING. A free-form string to convey processing Optional. STRING. A free-form string to convey processing
instructions to the recipient of the document. Its semantics must instructions to the recipient of the document. Its semantics must
be negotiated out-of-band. be negotiated out-of-band.
private-enum-name
Optional. STRING. A globally unique identifier for the CSIRT
generating the document to deconflict private extensions used in
the Document. The fully qualified domain name associated with the
CSIRT MUST be used as the identifier.
private-enum-id
Optional. STRING. An organizationally unique identifier for an
extension used in the Document. If this attribute is set, the
private-enum-name MUST also be set.
3.2. Incident Class 3.2. Incident Class
Every incident is represented by an instance of the Incident class. Every incident is represented by an instance of the Incident class.
This class provides a standardized representation for commonly This class provides a standardized representation for commonly
exchanged incident data. exchanged incident data.
+-------------------------+ +-------------------------+
| Incident | | Incident |
+-------------------------+ +-------------------------+
| ENUM purpose |<>----------[ IncidentID ] | ENUM purpose |<>----------[ IncidentID ]
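Review bot: The new private-enum-id definition says "If this attribute is set, the private-enum-name MUST also be set", but neither new definition says what a recipient does with a document that breaks that rule; state whether the document is rejected or the private extension is ignored. private-enum-name requires that the CSIRT's fully qualified domain name "MUST be used as the identifier" without giving comparison rules (case, trailing dot, internationalized labels), which a recipient needs in order to decide whether two documents name the same CSIRT. Because the value is supplied by the sender, the text should also say that it is a label for deconflicting extensions and not evidence of who produced the document. Minor: both definitions capitalize "Document" where the rest of the section writes "document", and the version definition's 'MUST be "2.00"' is missing its closing period.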
skipping to change at page 63, line 6 skipping to change at page 63, line 6
1. asn. Autonomous System Number 1. asn. Autonomous System Number
2. atm. Asynchronous Transfer Mode (ATM) address 2. atm. Asynchronous Transfer Mode (ATM) address
3. e-mail. Electronic mail address (RFC 822) 3. e-mail. Electronic mail address (RFC 822)
4. ipv4-addr. IPv4 host address in dotted-decimal notation 4. ipv4-addr. IPv4 host address in dotted-decimal notation
(a.b.c.d) (a.b.c.d)
5. ipv4-net. IPv4 network address in dotted-decimal notation, 5. ipv4-net. IPv4 network address in dotted-decimal notation,
slash, significant bits (a.b.c.d/nn) slash, significant bits (i.e., a.b.c.d/nn)
6. ipv4-net-mask. IPv4 network address in dotted-decimal 6. ipv4-net-mask. IPv4 network address in dotted-decimal
notation, slash, network mask in dotted-decimal notation notation, slash, network mask in dotted-decimal notation
(a.b.c.d/w.x.y.z) (i.e., a.b.c.d/w.x.y.z)
7. ipv6-addr. IPv6 host address 7. ipv6-addr. IPv6 host address
8. ipv6-net. IPv6 network address, slash, significant bits 8. ipv6-net. IPv6 network address, slash, significant bits
9. ipv6-net-mask. IPv6 network address, slash, network mask 9. ipv6-net-mask. IPv6 network address, slash, network mask
10. mac. Media Access Control (MAC) address 10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
11. site-uri. A URL or URI for a resource. 11. site-uri. A URL or URI for a resource.
12. ext-value. An escape value used to extend this attribute. 12. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
ext-category ext-category
Optional. STRING. A means by which to extend the category Optional. STRING. A means by which to extend the category
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
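Review bot: The added "i.e.," in items 5, 6 and 10 presents each pattern as the definition of the format, yet "a:b:c:d:e:f" for mac does not say that the fields are hexadecimal octets, whether leading zeros are required, or whether other separators are accepted. Either give the format normatively or use "e.g.," so the pattern reads as an illustration. The edit is also uneven: item 4 keeps "(a.b.c.d)" without the "i.e.,", and the three ipv6 items still have no pattern at all.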
skipping to change at page 67, line 12 skipping to change at page 67, line 12
are entirely context dependent based on the class in which the are entirely context dependent based on the class in which the
Counter is aggregated. Counter is aggregated.
+---------------------+ +---------------------+
| Counter | | Counter |
+---------------------+ +---------------------+
| REAL | | REAL |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| ENUM unit |
| STRING ext-unit |
| STRING meaning | | STRING meaning |
| ENUM duration | | ENUM duration |
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 36: The Counter Class Figure 36: The Counter Class
The Counter class has five attribute: The Counter class has seven attribute:
type type
Required. ENUM. Specifies the type of counter specified in the
element content. These values are maintained in the "Counter-
type" IANA registry per Table 1. The default value is "count".
1. count. The Counter class value is a counter.
2. peak. The Counter class value is a peak value.
3. average. The Counter class value is an average.
4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
unit
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
These values are maintained in the "Counter-type" IANA registry These values are maintained in the "Counter-unit" IANA registry
per Table 1. per Table 1.
1. byte. Count of bytes. 1. byte. Bytes.
2. packet. Count of packets. 2. mbit. Megabits (Mbits).
3. flow. Count of network flow records. 3. packet. Packets.
4. session. Count of sessions. 4. flow. Network flow records.
5. alert. Count of notifications generated by another system 5. session. Sessions.
(e.g., IDS or SIM).
6. message. Count of messages (e.g., mail messages). 6. alert. Notifications generated by another system (e.g., IDS
or SIM).
7. event. Count of events. 7. message. Messages (e.g., mail messages).
8. host. Count of hosts. 8. event. Events.
9. site. Count of site. 9. host. Hosts.
10. organization. Count of organizations. 10. site. Site.
11. ext-value. An escape value used to extend this attribute. 11. organization. Organizations.
12. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
ext-type ext-unit
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the unit attribute.
See Section 5.1.1. See Section 5.1.1.
meaning meaning
Optional. STRING. A free-form description of the metric Optional. STRING. A free-form description of the metric
represented by the Counter. represented by the Counter.
duration duration
Optional. ENUM. If present, the Counter class represents a rate Optional. ENUM. If present, the Counter class represents a rate.
rather than a count over the entire event. In that case, this This attribute specifies unit of time over which the rate whose
attribute specifies the denominator of the rate (where the type units are specified in the unit attribute is being conveyed. This
attribute is the the denominator of the rate (where the unit
attribute specified the nominator). The possible values of this attribute specified the nominator). The possible values of this
attribute are defined in Section 3.14.3 attribute are defined in Section 3.14.3
ext-duration ext-duration
Optional. STRING. A means by which to extend the duration Optional. STRING. A means by which to extend the duration
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.21. DomainData Class 3.21. DomainData Class
The DomainData class describes a domain name and meta-data associated The DomainData class describes a domain name and meta-data associated
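Review bot: in the new type attribute, "Required. ENUM." is followed by 'The default value is "count"', which leaves it unclear whether a Counter without type is valid; in XML Schema a default is only permitted on an optional attribute, so pick one. In the rewritten duration text, "is the the denominator" has a doubled word, "nominator" should be "numerator", and "specifies unit of time over which the rate whose units are specified in the unit attribute is being conveyed" is hard to parse; something like "specifies the unit of time that forms the denominator of the rate, with the unit attribute giving the numerator" would do. "The Counter class has seven attribute:" should read "attributes".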
skipping to change at page 73, line 8 skipping to change at page 73, line 24
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
| INTEGER ip-protocol |<>--{0..1}--[ Port ] + INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
| ID observable-id |<>--{0..1}--[ Portlist ] | ID observable-id |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..*}--[ ApplicationHeader ] | |<>--{0..*}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 41: The Service Class Figure 41: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
ServiceName
Zero or one. STRING. The name of the service per the "Service
Name" field of the [IANA.Ports] registry.
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
ProtoCode ProtoCode
Zero or one. INTEGER. A transport layer (layer 4) protocol- Zero or one. INTEGER. A transport layer (layer 4) protocol-
specific code field (e.g., ICMP code field). specific code field (e.g., ICMP code field).
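Review bot: the first row of the revised Service figure begins with "+ INTEGER ip-protocol" where the box edge should be "|". On the new ServiceName class, nothing says how it relates to Port when both are present. This revision requires ApplicationHeader's proto and proto-name to "correspond to the same entry in the registry"; the same rule, or a statement of which value takes precedence, is needed here so that a recipient does not act on a port that contradicts the named service.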
skipping to change at page 74, line 41 skipping to change at page 75, line 17
The ApplicationHeader class allows the representation of arbitrary The ApplicationHeader class allows the representation of arbitrary
fields from an application layer protocol header and its fields from an application layer protocol header and its
corresponding value. corresponding value.
+--------------------------+ +--------------------------+
| ApplicationHeader | | ApplicationHeader |
+--------------------------+ +--------------------------+
| ANY | | ANY |
| | | |
| INTEGER proto | | INTEGER proto |
| STRING proto-name |
| STRING field | | STRING field |
| ENUM dtype | | ENUM dtype |
| STRING ext-dtype | | STRING ext-dtype |
| ID observable-id | | ID observable-id |
+--------------------------+ +--------------------------+
Figure 42: The ApplicationHeader Class Figure 42: The ApplicationHeader Class
The ApplicationHeader class has four attributes: The ApplicationHeader class has six attributes:
proto proto
Required. INTEGER. The IANA assigned port number per Optional. INTEGER. The IANA assigned port number per the
[IANA.Ports] corresponding to the application layer protocol whose "Protocol Number" field of the [IANA.Ports] registry corresponding
field will be represented. to the application layer protocol whose field will be represented.
proto-name
Optional. STRING. The IANA assigned service name per the
"Service Name" field of the the [IANA.Ports] registry
corresponding to the application layer protocol whose field will
be represented.
field field
Required. STRING. The name of the protocol field whose value Required. STRING. The name of the protocol field whose value
will be found in the element body. will be found in the element body.
dtype dtype
Required. ENUM. The data type of the element content. The Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default permitted values for this attribute are shown below. The default
value is "string". value is "string".
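Review bot: the revised proto description reads 'The IANA assigned port number per the "Protocol Number" field of the [IANA.Ports] registry', which names two different things; the attribute carries a port number, so the registry field should be "Port Number". Relaxing proto from Required to Optional is only safe together with the rule that one of proto or proto-name is set, so point to that rule from both attribute definitions. In proto-name, "of the the [IANA.Ports] registry" has a doubled word.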
skipping to change at page 76, line 5 skipping to change at page 76, line 35
13. ext-value. An escape value used to extend this attribute. 13. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
ext-dtype ext-dtype
Optional. STRING. A means by which to extend the dtype Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
Either the proto or proto-name attribute MUST be set. If both are
set, they MUST correspond to the same entry in the registry.
3.22.2. Application Class 3.22.2. Application Class
The Application class describes an application running on a System The Application class describes an application running on a System
providing a Service. providing a Service.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | STRING swid |<>--{0..1}--[ URL ]
| STRING configid | | STRING configid |
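Review bot: the added rule "Either the proto or proto-name attribute MUST be set. If both are set, they MUST correspond to the same entry in the registry." does not say what a recipient does with a document that violates it. With both attributes Optional, the constraint cannot be expressed by the attribute declarations alone, so state whether such a document is rejected or which attribute takes precedence. The rule is also placed after observable-id; it would be easier to find directly after the proto-name definition.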
skipping to change at page 77, line 48 skipping to change at page 78, line 47
Zero or one. The value of the "Subject:" header field in an Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322]. email. See Section 3.6.4 of [RFC5322].
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. The value of the "X-Mailer:" header field in an
email. email.
EmailHeaderField EmailHeaderField
Zero or one. The value of an arbitrary header field in the email. Zero or one. The value of an arbitrary header field in the email.
See Section 3.22.1. The attributes of EmailHeaderField MUST be See Section 3.22.1. The attributes of EmailHeaderField MUST be
set as follows: proto="25" and dtype="string". The name of the set as follows: proto="25" or proto-name="smtp", or both can be
email header field MUST be set in the field attribute. set; and dtype="string". The name of the email header field MUST
be set in the field attribute.
HashData HashData
Zero or One. Hash(es) associated with this email. Zero or One. Hash(es) associated with this email.
SignatureData SignatureData
Zero or One. Signature(s) associated with this email. Zero or One. Signature(s) associated with this email.
The EmailData class has one attribute: The EmailData class has one attribute:
observable-id observable-id
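Review bot: in EmailHeaderField, 'MUST be set as follows: proto="25" or proto-name="smtp", or both can be set; and dtype="string"' mixes MUST with "can", so it is unclear which parts are mandatory. Suggest wording along the lines of: at least one of proto="25" and proto-name="smtp" MUST be set, and dtype MUST be "string". The surrounding entries also alternate between "Zero or one" and "Zero or One"; pick one spelling.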
skipping to change at page 86, line 5 skipping to change at page 87, line 5
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.28.1. File Class 3.28.1. File Class
The File class describes a file and its associated meta data. The File class describes a file and its associated meta data.
+--------------------------+ +-----------------------+
| File | | File |
+--------------------------+ +-----------------------+
| ID observable-id |<>--{0..1}--[ FileName ] | ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ] | |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ] | |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ] | |<>--{0..1}--[ SignatureData ]
| |<>--{0..*}--[ FileProperties ] | |<>--{0..1}--[ AssociatedSoftware ]
+--------------------------+ | |<>--{0..*}--[ FileProperties ]
+-----------------------+
Figure 53: The File Class Figure 53: The File Class
The aggregate classes that constitutes File are: The aggregate classes that constitutes File are:
FileName FileName
Zero or One. STRING. The name of the file. Zero or One. STRING. The name of the file.
FileSize FileSize
Zero or One. INTEGER. The size of the file in bytes. Zero or One. INTEGER. The size of the file in bytes.
FileType FileType
Zero or One. STRING. The type of file per the IANA Media Types Zero or One. STRING. The type of file per the IANA Media Types
Registry [IANA.Media]. Valid values correspond to the text in the Registry [IANA.Media]. Valid values correspond to the text in the
"Template" column (e.g., "application/pdf"). "Template" column (e.g., "application/pdf").
URL URL
Zero or more. A reference to the file. Zero or more. A URL reference to the file.
HashData HashData
Zero or One. Hash(es) associated with this file. Zero or One. Hash(es) associated with this file.
SignatureData SignatureData
Zero or One. Signature(s) associated with this file. Zero or One. Signature(s) associated with this file.
AssociatedSoftware
Zero or One. The software application or operating system to
which this file belongs. See Section 3.22.2 for the definition.
FileProperties FileProperties
Zero or more. Mechanism by which to extend the data model to Zero or more. Mechanism by which to extend the data model to
describe properties of the file. See Section 3.9. describe properties of the file. See Section 3.9.
The File class has one attribute: The File class has one attribute:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.29. HashData Class 3.29. HashData Class
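Review bot: the new AssociatedSoftware entry says "See Section 3.22.2 for the definition", but Section 3.22.2 is the Application class, and the entry never states that AssociatedSoftware has that type. Say so explicitly, for example "An instance of the Application class; see Section 3.22.2", so that implementers know which child elements and attributes to expect. The unchanged line "The aggregate classes that constitutes File are:" should read "constitute".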
skipping to change at page 94, line 34 skipping to change at page 95, line 43
| |<>--{0..1}--[ WindowsRegistryKeysModified ] | |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ] | |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ] | |<>--{0..1}--[ CertificateData ]
| |<>--{0..1}--[ RecordData ] | |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..*}--[ Reference ] | |<>--{0..*}--[ Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 62: The Observable Class Figure 62: The Observable Class
The aggregate classes that constitute Observable are: The aggregate classes that constitute Observable are:
Address Address
Zero or One. An Address observable. See Section 3.20.1. Zero or One. An Address observable. See Section 3.20.1.
skipping to change at page 95, line 43 skipping to change at page 96, line 52
Reference Reference
Zero or One. A Reference observable. See Section 3.13.1. Zero or One. A Reference observable. See Section 3.13.1.
Assessment Assessment
Zero or One. An Assessment observable. See Section 3.14. Zero or One. An Assessment observable. See Section 3.14.
HistoryItem HistoryItem
Zero or One. A HistoryItem observable. See Section 3.15.1. Zero or One. A HistoryItem observable. See Section 3.15.1.
BulkObservable
Zero or One. A bulk list of observables. See Section 3.32.3.1.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
The Observable class MUST have exactly one of the possible child The Observable class MUST have exactly one of the possible child
classes. classes.
The Observable class has no attributes. The Observable class has no attributes.
3.32.3.1. BulkObservable Class
The BulkObservable class allows the bulk enumeration of single type
of observables without requiring each one to be encoded individually
in multiple instances of the same class. The type attribute
describes the type observable listed in the child BulkObservableList
class. The BulkObservableFormat class optionally provides additional
meta-data.
+---------------------------+
| BulkObservable |
+---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
Figure 63: The BulkObservable Class
The aggregate classes that constitutes BulkObservable are:
BulkObservableFormat
Zero or one. Provides additional meta-data about the observables
enumerated in the BulkObservableList class.
BulkObservableList
One. STRING. A list of observables, one per line. Each line is
seperated with either a CR or CR-and-LF. The type attribute will
specify the which observables will be listed.
AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9.
The BulkObservable class has two attributes:
type
Optional. ENUM. The type of the observable listed in the child
ObservableList class. These values are maintained in the
"BulkObservable-type" IANA registry per Table 1.
1. asn. Autonomous System Number (per the Address@category
attribute).
2. atm. Asynchronous Transfer Mode (ATM) address (per the
Address@category attribute).
3. e-mail. Electronic mail address (RFC 822) (per the
Address@category attribute).
4. ipv4-addr. IPv4 host address in dotted-decimal notation
(e.g., 192.0.2.1) (per the Address@category attribute).
5. ipv4-net. IPv4 network address in dotted-decimal notation,
slash, significant bits (e.g., 192.0.2.0/24) (per the
Address@category attribute).
6. ipv4-net-mask. IPv4 network address in dotted-decimal
notation, slash, network mask in dotted-decimal notation
(i.e., 192.0.2.0/255.255.255.0) (per the Address@category
attribute).
7. ipv6-addr. IPv6 host address (e.g., 2001:DB8::3) (per the
Address@category attribute).
8. ipv6-net. IPv6 network address, slash, significant bits
(e.g., 2001:DB8::/32) (per the Address@category attribute).
9. ipv6-net-mask. IPv6 network address, slash, network mask
(per the Address@category attribute).
10. mac. Media Access Control (MAC) address (i.e., a:b:c:d:e:f)
(per the Address@category attribute).
11. site-uri. A URL or URI for a resource (per the
Address@category attribute).
12. fqdn. Fully qualified domain name.
13. domain-name. A fully qualified domain name or part of a
name. (e.g., fqdn.example.com, example.com).
14. domain-to-ipv4. A fqdn-to-IPv4 address mapping specified as
a comma separated list (e.g., "fqdn.example.com, 192.0.2.1").
15. domain-to-ipv6. A fqdn-to-IPv6 address mapping specified as
a comma separated list (e.g., "fqdn.example.com,
2001:DB8::3").
16. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a
timestamp (in the DATETIME format) of the resolution (e.g.,
"fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
17. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a
timestamp (in the DATETIME format) of the resolution (e.g.,
"fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
18. ipv4-port. An IPv4 address, port and protocol tuple (e.g.,
192.0.2.1, 80, tcp). The protocol name corresponds to the
"Keyword" column in the [IANA.Protocols] registry.
19. ipv6-port. An IPv6 address, port and protocol tuple (e.g.,
2001:DB8::3, 80, tcp). The protocol name corresponds to the
"Keyword" column in the [IANA.Protocols] registry.
20. windows-reg-key. A Microsoft Windows Registry key.
21. file-hash. A file hash. The format of this hash is
described in the Hashclass that MUST be present in a sibling
BulkObservableFormat class.
22. email-x-mailer. An X-Mailer field from an email.
23. email-subject. An email subject line.
24. http-user-agent. A User Agent field from an HTTP request
header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0)
Gecko/20100101 Firefox/38.0").
25. http-request-uri. The Request URI from an HTTP request
header.
26. mutex. The name of a system mutex.
27. file-path. A file path (e.g., "/tmp/local/file",
"c:\windows\system32\file.sys")
28. user-name. A username.
29. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-type
Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1.
3.32.3.1.1. BulkObservableFormat Class
The ObservableFormat class specifies meta-data about the format of an
observable enumerated in a sibling BulkObservableList class.
+---------------------------+
| BulkObservableFormat |
+---------------------------+
| |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
Figure 64: The BulkObservableFormat Class
The aggregate classes that constitutes BulkObservableFormat are:
Hash
Zero or one. Describes the format of a hash.
AdditionalData
Zero or more. Mechanism by which to extend the data model. See
Section 3.9.
The BulkObservableFormat class has no attributes.
Either Hash or AdditionalData MUST be present.
3.32.4. IndicatorExpression Class 3.32.4. IndicatorExpression Class
The IndicatorExpression describes an expression composed of observed The IndicatorExpression describes an expression composed of observed
phenomenon or features, or indicators. Elements of the expression phenomenon or features, or indicators. Elements of the expression
can be described directly, reference relevant data from other parts can be described directly, reference relevant data from other parts
of a given IODEF document, or reference previously defined of a given IODEF document, or reference previously defined
indicators. indicators.
All child classes of a given instance of IndicatorExpression form a All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is boolean algebraic expression where the operator between them is
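Review bot: in BulkObservableList, "Each line is seperated with either a CR or CR-and-LF" excludes a bare LF; if LF or CR-and-LF was intended, say so, because a consumer that splits on the wrong terminator will merge or drop indicators. The type attribute is "Optional" although the list cannot be interpreted without it, so it should be Required. The tuple types (domain-to-ipv4, ipv4-port and the others) show a space after each comma in their examples without saying whether it is part of the syntax, and the free-text types such as email-subject and http-user-agent have no rule for values that contain a line break. Naming is inconsistent: "ObservableList class", "The ObservableFormat class" and "Hashclass" should be "BulkObservableList", "BulkObservableFormat" and "Hash class". "seperated" and "specify the which" are typos.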
skipping to change at page 96, line 28 skipping to change at page 101, line 15
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 63: The IndicatorExpression Class Figure 65: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are: The aggregate classes that constitute IndicatorExpression are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. indicators.
Observable Observable
Zero or more. A description of an observable. Zero or more. A description of an observable.
skipping to change at page 97, line 5 skipping to change at page 101, line 40
Zero or more. A reference to another indicator. Zero or more. A reference to another indicator.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9 Section 3.9
... TODO Additional text is required to describe the valid ... TODO Additional text is required to describe the valid
combinations of classes and how the operator class should be applied combinations of classes and how the operator class should be applied
... ...
The IndicatorExpression class has one attributes: The IndicatorExpression class has one attribute:
operator operator
Optional. ENUM. The operator to be applied between the child Optional. ENUM. The operator to be applied between the child
elements. elements.
1. not. negation operator. 1. not. negation operator.
2. and. conjunction operator. 2. and. conjunction operator.
3. or. disjunction operator. 3. or. disjunction operator.
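Review bot: operator is declared "Optional. ENUM." with no default, and the "TODO Additional text is required to describe the valid combinations of classes and how the operator class should be applied" placeholder above it is still open. As written, a recipient cannot tell how to combine the children of an IndicatorExpression that omits operator, or what "not" means when there is more than one child. State the default and the permitted number of children per operator before this text is finalized; the TODO also calls operator a class where the figure shows it as an attribute.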
skipping to change at page 97, line 34 skipping to change at page 102, line 20
This class has no content. This class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 64: The ObservableReference Class Figure 66: The ObservableReference Class
The ObservableReference class has one attributes: The ObservableReference class has one attributes:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in the observable-id attribute.
3.32.6. IndicatorReference Class 3.32.6. IndicatorReference Class
skipping to change at page 98, line 15 skipping to change at page 102, line 45
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 65: The IndicatorReference Class Figure 67: The IndicatorReference Class
The IndicatorReference class has one attributes: The IndicatorReference class has one attributes:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class. class will have this identifier set in the IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
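Review bot: "The IndicatorReference class has one attributes:" does not match Figure 67, which lists three (uid-ref, euid-ref, version); it should read "three attributes". Both uid-ref and euid-ref are Optional, so the text should also say whether at least one of them must be set, since a reference carrying neither identifies nothing.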
skipping to change at page 101, line 18 skipping to change at page 105, line 50
IANA registries. All attributes of with a name prefixed by "ext-" IANA registries. All attributes of with a name prefixed by "ext-"
have been removed. have been removed.
o The data previously represented in the Impact class is now in the o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has SystemImpact and IncidentCategory classes. The Impact class has
been removed. been removed.
o The Description class has been redefined to use xml:lang and o The Description class has been redefined to use xml:lang and
@translation-id. IODEF-document also uses xml:lang. @translation-id. IODEF-document also uses xml:lang.
o The semantics of Counter@type in v1 are now represented in
Counter@unit.
o The IODEF-Document@formatid attribute has been renamed to @format-
id.
5. Extending the IODEF 5. Extending the IODEF
In order to support the changing activity of CSIRTS, the IODEF data In order to support the changing activity of CSIRTS, the IODEF data
model will need to evolve along with them. This section discusses model will need to evolve along with them. This section discusses
how new data elements that have no current representation in the data how new data elements that have no current representation in the data
model can be incorporated into the IODEF. These techniques are model can be incorporated into the IODEF. These techniques are
designed so that adding new data will not require a change to the designed so that adding new data will not require a change to the
base IODEF schema. With proven value, well documented extensions can base IODEF schema. With proven value, well documented extensions can
be incorporated into future versions of the specification. However, be incorporated into future versions of the specification. However,
this approach also supports private extensions relevant only to a this approach also supports private extensions relevant only to a
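Review bot: the new bullet "The semantics of Counter@type in v1 are now represented in Counter@unit" omits that Counter@type still exists in v2 with different values (count, peak, average), so a v1 value such as type="byte" is no longer valid there. Say this explicitly so that converters map the v1 type to the v2 unit instead of copying it across. The unchanged line "All attributes of with a name prefixed by" has a stray "of".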
skipping to change at page 104, line 37 skipping to change at page 109, line 21
xsi:schemaLocation="iodef-extension1.xsd"> xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting"> <Incident purpose="reporting">
... ...
<AdditionalData dtype="xml" meaning="xml"> <AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata> <iodef-extension1:newdata>
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</IODEF-Document </IODEF-Document
5.3. Deconflicting Private Extensions
Private extensions used in a document can be labeled to attribute
their original specifier using the private-enum-name and private-
enum-id attributes. This allows a recipient of a document to
disambiguiate private extensions. Only a single private extension
can be identified in a given IODEF-Document.
If a CSIRT has only a single private extension, then only the
private-enum-name attribute needs to be specified. Additional,
multiple distinct private extensions or versioning of a single
extension can be accomplished by also setting the corresponding
private-num-id attribute.
The following XML excerpt demonstrates the specification of a private
extension from "example.com" with an identifier of "13".
<IODEF-Document
version="2.00" lang="en-US"
private-enum-name="example.com"
private-enum-id="13"
...
</IODEF-Document>
6. Internationalization Issues 6. Internationalization Issues
Internationalization and localization is of specific concern to the Internationalization and localization is of specific concern to the
IODEF, since it is only through collaboration, often across language IODEF, since it is only through collaboration, often across language
barriers, that certain incidents be resolved and threat information barriers, that certain incidents be resolved and threat information
shared. The IODEF supports this goal by depending on XML constructs, shared. The IODEF supports this goal by depending on XML constructs,
and through explicit design choices in the data model. and through explicit design choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports Since IODEF is implemented as an XML Schema, it implicitly supports
all the different character encodings, such as UTF-8 and UTF-16, all the different character encodings, such as UTF-8 and UTF-16,
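Review bot: the second paragraph of the new Section 5.3 refers to "private-num-id", while the first paragraph, the example and the schema use "private-enum-id". The statement "Only a single private extension can be identified in a given IODEF-Document" also needs reconciling with "multiple distinct private extensions ... can be accomplished by also setting" the id attribute; if the intent is one extension per document but several per CSIRT, say that. In the example, the IODEF-Document start tag is never closed with ">" before the "..." line, and it uses lang="en-US" where the schema declares xml:lang. "disambiguiate" and "Additional," are typos for "disambiguate" and "Additionally,".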
skipping to change at page 112, line 30 skipping to change at page 117, line 39
</Flow> </Flow>
<!-- Expectation class recommends that these networks <!-- Expectation class recommends that these networks
be filtered --> be filtered -->
<Expectation action="block-host" /> <Expectation action="block-host" />
</EventData> </EventData>
</Incident> </Incident>
</IODEF-Document> </IODEF-Document>
8. The IODEF Schema 8. The IODEF Schema
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0" xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlms:xml="http://www.w3c.org/XML/1998/namespace"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
attributeFormDefault="unqualified"> elementFormDefault="qualified"
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" attributeFormDefault="unqualified">
schemaLocation="http://www.w3.org/TR/2002/ <xs:import namespace="http://www.w3c.org/XML/1998/namespace"
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> schemaLocation="http://www.w3c.org/2001/xml.xsd">
<xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.iana.org/xml-registry/schema/iodef-enum-1.0.xsd" /> schemaLocation="http://www.w3.org/TR/2002/
<xs:annotation> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:documentation> <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
Incident Object Description Exchange Format v2.0, RFC5070-bis schemaLocation="http://www.iana.org/assignments/xml-
</xs:documentation> registry/schema/iodef-enum-1.0.xsd" />
</xs:annotation> <xs:annotation>
<xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis
</xs:documentation>
</xs:annotation>
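Review bot: the `xml` namespace declaration and the `xs:import` for it, both added to the `xs:schema` header in the -12 column, are malformed, so the schema as posted is not well-formed XML. The declaration reads `xmlms:xml="http://www.w3c.org/XML/1998/namespace"`: the attribute name should be `xmlns:xml`, and the `xml` prefix may only be bound to `http://www.w3.org/XML/1998/namespace` (host `www.w3.org`, not `www.w3c.org`). The added `<xs:import namespace="http://www.w3c.org/XML/1998/namespace" schemaLocation="http://www.w3c.org/2001/xml.xsd">` has the same host error in both attributes and ends in `>` rather than `/>`, which leaves the element unclosed. Until these are corrected, the `<xs:attribute ref="xml:lang" />` references added later in this hunk cannot resolve. Separately, the IANA `schemaLocation` value is now wrapped mid-URI (`.../xml-` on one line, `registry/schema/iodef-enum-1.0.xsd` on the next), which puts whitespace inside the URI when the schema is copied out of the draft; the xmldsig `schemaLocation` carries the same wrap in both versions. Suggest keeping each URI on a single line or noting the wrap explicitly, and running the extracted schema through a validator before the next revision.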
<!-- <!--
================================================================== ==================================================================
== IODEF-Document class == == IODEF-Document class ==
================================================================== ==================================================================
--> -->
<xs:element name="IODEF-Document"> <xs:element name="IODEF-Document">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Incident" <xs:element ref="iodef:Incident"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="version" <xs:attribute name="version"
type="xs:string" fixed="2.00"/> type="xs:string" fixed="2.00"/>
<xs:attribute name="formatid" <xs:attribute ref="xml:lang" />
type="xs:string"/> <xs:attribute name="format-id"
</xs:complexType> type="xs:string" use="optional"/>
</xs:element> <xs:attribute name="private-enum-name"
<!-- type="xs:string" use="optional"/>
================================================================== <xs:attribute name="private-enum-id"
=== Incident class === type="xs:string" use="optional"/>
================================================================== </xs:complexType>
--> </xs:element>
<xs:element name="Incident"> <!--
<xs:complexType> ==================================================================
<xs:sequence> === Incident class ===
<xs:element ref="iodef:IncidentID"/> ==================================================================
<xs:element ref="iodef:AlternativeID" -->
minOccurs="0"/> <xs:element name="Incident">
<xs:element ref="iodef:RelatedActivity" <xs:complexType>
minOccurs="0" maxOccurs="unbounded"/> <xs:sequence>
<xs:element ref="iodef:DetectTime" <xs:element ref="iodef:IncidentID"/>
minOccurs="0"/> <xs:element ref="iodef:AlternativeID"
<xs:element ref="iodef:StartTime" minOccurs="0"/>
minOccurs="0"/> <xs:element ref="iodef:RelatedActivity"
<xs:element ref="iodef:EndTime" minOccurs="0" maxOccurs="unbounded"/>
minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" <xs:element ref="iodef:DetectTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/> <xs:element ref="iodef:StartTime"
<xs:element ref="iodef:GenerationTime" minOccurs="0"/>
minOccurs="0"/> <xs:element ref="iodef:EndTime"
<xs:element ref="iodef:Description" minOccurs="0"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:RecoveryTime"
<xs:element ref="iodef:Discovery" minOccurs="0"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Assessment" <xs:element ref="iodef:GenerationTime"
maxOccurs="unbounded"/> minOccurs="0"/>
<xs:element ref="iodef:Method" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Discovery"
maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:Assessment"
minOccurs="0" maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:History" <xs:element ref="iodef:Method"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> <xs:element ref="iodef:EventData"
<xs:attribute name="purpose" use="required"> minOccurs="0" maxOccurs="unbounded"/>
<xs:simpleType> <xs:element ref="iodef:History"
<xs:restriction base="xs:NMTOKEN"> minOccurs="0"/>
<xs:enumeration value="traceback"/> <xs:element ref="iodef:AdditionalData"
<xs:enumeration value="mitigation"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="reporting"/> </xs:sequence>
<xs:enumeration value="watch" /> <xs:attribute name="purpose" use="required">
<xs:enumeration value="other"/> <xs:simpleType>
<xs:enumeration value="ext-value"/> <xs:restriction base="xs:NMTOKEN">
</xs:restriction> <xs:enumeration value="traceback"/>
</xs:simpleType> <xs:enumeration value="mitigation"/>
</xs:attribute> <xs:enumeration value="reporting"/>
<xs:attribute name="ext-purpose" <xs:enumeration value="watch" />
type="xs:string" use="optional"/> <xs:enumeration value="other"/>
<xs:attribute name="status"> <xs:enumeration value="ext-value"/>
<xs:simpleType> </xs:restriction>
<xs:restriction base="xs:NMTOKEN"> </xs:simpleType>
<xs:enumeration value="new"/> </xs:attribute>
<xs:enumeration value="in-progress"/> <xs:attribute name="ext-purpose"
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved" />
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="private"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== IncidentID class ==
==================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="status">
type="iodef:restriction-type" <xs:simpleType>
default="public"/> <xs:restriction base="xs:NMTOKEN">
<xs:attribute name="ext-restriction" <xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved" />
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> <xs:attribute ref="xml:lang" />
</xs:simpleContent> <xs:attribute name="restriction"
</xs:complexType> type="iodef:restriction-type"
default="private"/>
<!-- <xs:attribute name="ext-restriction"
================================================================== type="xs:string" use="optional"/>
== AlternativeID class == <xs:attribute name="observable-id"
================================================================== type="xs:ID" use="optional"/>
--> </xs:complexType>
<xs:element name="AlternativeID"> </xs:element>
<xs:complexType> <!--
<xs:sequence> ==================================================================
<xs:element ref="iodef:IncidentID" == IncidentID class ==
maxOccurs="unbounded"/> ==================================================================
</xs:sequence> -->
<xs:attribute name="restriction" <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
type="iodef:restriction-type"/> <xs:complexType name="IncidentIDType">
<xs:attribute name="ext-restriction" <xs:simpleContent>
type="xs:string" use="optional"/> <xs:extension base="xs:string">
</xs:complexType> <xs:attribute name="name"
</xs:element> type="xs:string" use="required"/>
<!-- <xs:attribute name="instance"
================================================================== type="xs:string" use="optional"/>
== RelatedActivity class == <xs:attribute name="restriction"
================================================================== type="iodef:restriction-type"
--> default="public"/>
<xs:element name="RelatedActivity"> <xs:attribute name="ext-restriction"
<xs:complexType> type="xs:string" use="optional"/>
<xs:sequence> </xs:extension>
<xs:choice maxOccurs="unbounded"> </xs:simpleContent>
<xs:element ref="iodef:IncidentID" </xs:complexType>
maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== ThreatActor class == == AlternativeID class ==
================================================================== ==================================================================
--> -->
<xs:element name="ThreatActor"> <xs:element name="AlternativeID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:element ref="iodef:IncidentID"
<xs:sequence> maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActorID" /> </xs:sequence>
<xs:element ref="iodef:Description" <xs:attribute name="restriction"
minOccurs="0" maxOccurs="unbounded"/> type="iodef:restriction-type"/>
</xs:sequence> <xs:attribute name="ext-restriction"
<xs:element ref="iodef:Description" type="xs:string" use="optional"/>
minOccurs="1" maxOccurs="unbounded"/> </xs:complexType>
</xs:choice> </xs:element>
<xs:element ref="iodef:AdditionalData" <!--
minOccurs="0" maxOccurs="unbounded"/> ==================================================================
</xs:sequence> == RelatedActivity class ==
<xs:attribute name="restriction" ==================================================================
type="iodef:restriction-type"/> -->
<xs:attribute name="ext-restriction" <xs:element name="RelatedActivity">
type="xs:string" use="optional"/> <xs:complexType>
</xs:complexType> <xs:sequence>
</xs:element> <xs:choice maxOccurs="unbounded">
<xs:element name="ThreatActorID" type="xs:string"/> <xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:Confidence"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Campaign class == == ThreatActor class ==
================================================================== ==================================================================
--> -->
<xs:element name="Campaign"> <xs:element name="ThreatActor">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:choice>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:CampaignID"/> <xs:element ref="iodef:ThreatActorID" />
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="CampaignID" type="xs:string"/> <xs:element name="ThreatActorID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== AdditionalData class == == Campaign class ==
================================================================== ==================================================================
--> -->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/> <xs:element name="Campaign">
<!-- <xs:complexType>
================================================================== <xs:sequence>
== Contact class == <xs:choice>
================================================================== <xs:sequence>
--> <xs:element ref="iodef:CampaignID"/>
<xs:element name="Contact"> <xs:element ref="iodef:Description"
<xs:complexType> minOccurs="0" maxOccurs="unbounded"/>
<xs:sequence> </xs:sequence>
<xs:element ref="iodef:ContactName" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
<xs:element ref="iodef:ContactTitle" </xs:choice>
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<xs:element ref="iodef:Description" <!--
minOccurs="0" maxOccurs="unbounded"/> ==================================================================
<xs:element ref="iodef:RegistryHandle" == AdditionalData class ==
minOccurs="0" maxOccurs="unbounded"/> ==================================================================
<xs:element ref="iodef:PostalAddress" -->
minOccurs="0"/> <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<xs:element ref="iodef:Email" <!--
minOccurs="0" maxOccurs="unbounded"/> ==================================================================
<xs:element ref="iodef:Telephone" == Contact class ==
minOccurs="0" maxOccurs="unbounded"/> ==================================================================
<xs:element ref="iodef:Fax" -->
minOccurs="0"/> <xs:element name="Contact">
<xs:element ref="iodef:Timezone" <xs:complexType>
minOccurs="0"/> <xs:sequence>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:ContactName"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:ContactTitle"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> <xs:element ref="iodef:Description"
<xs:attribute name="role" use="required"> minOccurs="0" maxOccurs="unbounded"/>
<xs:simpleType> <xs:element ref="iodef:RegistryHandle"
<xs:restriction base="xs:NMTOKEN"> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="creator"/> <xs:element ref="iodef:PostalAddress"
<xs:enumeration value="reporter"/> minOccurs="0"/>
<xs:enumeration value="admin"/> <xs:element ref="iodef:Email"
<xs:enumeration value="tech"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="provider"/> <xs:element ref="iodef:Telephone"
<xs:enumeration value="zone"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="user"/> <xs:element ref="iodef:Fax"
<xs:enumeration value="billing"/> minOccurs="0"/>
<xs:enumeration value="legal"/> <xs:element ref="iodef:Timezone"
<xs:enumeration value="abuse"/> minOccurs="0"/>
<xs:enumeration value="irt"/> <xs:element ref="iodef:Contact"
<xs:enumeration value="cc"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="cc-irt"/> <xs:element ref="iodef:AdditionalData"
<xs:enumeration value="leo"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="vendor"/> </xs:sequence>
<xs:enumeration value="vendor-services"/> <xs:attribute name="role" use="required">
<xs:enumeration value="victim"/> <xs:simpleType>
<xs:enumeration value="victim-notified"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="ext-value"/> <xs:enumeration value="creator"/>
</xs:restriction> <xs:enumeration value="reporter"/>
</xs:simpleType> <xs:enumeration value="admin"/>
</xs:attribute> <xs:enumeration value="tech"/>
<xs:attribute name="ext-role" <xs:enumeration value="provider"/>
type="xs:string" use="optional"/> <xs:enumeration value="zone"/>
<xs:attribute name="type" use="required"> <xs:enumeration value="user"/>
<xs:simpleType> <xs:enumeration value="billing"/>
<xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="legal"/>
<xs:enumeration value="person"/> <xs:enumeration value="abuse"/>
<xs:enumeration value="organization"/> <xs:enumeration value="irt"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="cc"/>
</xs:restriction> <xs:enumeration value="cc-irt"/>
</xs:simpleType> <xs:enumeration value="leo"/>
</xs:attribute> <xs:enumeration value="vendor"/>
<xs:attribute name="ext-type" <xs:enumeration value="vendor-services"/>
type="xs:string" use="optional"/> <xs:enumeration value="victim"/>
<xs:attribute name="restriction" <xs:enumeration value="victim-notified"/>
type="iodef:restriction-type"/> <xs:enumeration value="ext-value"/>
<xs:attribute name="ext-restriction" </xs:restriction>
type="xs:string" use="optional"/> </xs:simpleType>
</xs:complexType> </xs:attribute>
</xs:element> <xs:attribute name="ext-role"
<xs:element name="ContactName" type="xs:string" use="optional"/>
type="iodef:MLStringType"/> <xs:attribute name="type" use="required">
<xs:element name="ContactTitle" <xs:simpleType>
type="iodef:MLStringType"/> <xs:restriction base="xs:NMTOKEN">
<xs:element name="RegistryHandle"> <xs:enumeration value="person"/>
<xs:complexType> <xs:enumeration value="organization"/>
<xs:simpleContent> <xs:enumeration value="ext-value"/>
<xs:extension base="xs:string"> </xs:restriction>
<xs:attribute name="registry"> </xs:simpleType>
<xs:simpleType> </xs:attribute>
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="ext-type"
<xs:enumeration value="internic"/> type="xs:string" use="optional"/>
<xs:enumeration value="apnic"/> <xs:attribute name="restriction"
<xs:enumeration value="arin"/> type="iodef:restriction-type"/>
<xs:enumeration value="lacnic"/> <xs:attribute name="ext-restriction"
<xs:enumeration value="ripe"/> type="xs:string" use="optional"/>
<xs:enumeration value="afrinic"/> </xs:complexType>
<xs:enumeration value="local"/> </xs:element>
<xs:enumeration value="ext-value"/> <xs:element name="ContactName"
</xs:restriction> type="iodef:MLStringType"/>
</xs:simpleType> <xs:element name="ContactTitle"
</xs:attribute> type="iodef:MLStringType"/>
<xs:attribute name="ext-registry" <xs:element name="RegistryHandle">
type="xs:string" use="optional"/> <xs:complexType>
</xs:extension> <xs:simpleContent>
</xs:simpleContent> <xs:extension base="xs:string">
</xs:complexType> <xs:attribute name="registry">
</xs:element> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="PostalAddress"> <xs:element name="PostalAddress">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/> <xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/> <xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/> <xs:element name="Fax" type="iodef:ContactMeansType"/>
<xs:complexType name="ContactMeansType"> <xs:complexType name="ContactMeansType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<!-- <!--
================================================================== ==================================================================
== Time-based classes == == Time-based classes ==
================================================================== ==================================================================
--> -->
<xs:element name="DateTime" <xs:element name="DateTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="ReportTime" <xs:element name="ReportTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="DetectTime" <xs:element name="DetectTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="StartTime"
type="xs:dateTime"/>
<xs:element name="EndTime"
type="xs:dateTime"/>
<xs:element name="RecoveryTime"
type="xs:dateTime"/>
<xs:element name="GenerationTime"
type="xs:dateTime"/>
<xs:element name="Timezone"
type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== History class ==
==================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Expectation class ==
==================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <xs:element name="StartTime"
================================================================== type="xs:dateTime"/>
== Discovery class == <xs:element name="EndTime"
================================================================== type="xs:dateTime"/>
--> <xs:element name="RecoveryTime"
<xs:element name="Discovery"> type="xs:dateTime"/>
<xs:complexType> <xs:element name="GenerationTime"
<xs:sequence> type="xs:dateTime"/>
<xs:element ref="iodef:Description" <xs:element name="Timezone"
minOccurs="0" maxOccurs="unbounded"/> type="iodef:TimezoneType"/>
<xs:element ref="iodef:Contact" <xs:simpleType name="TimezoneType">
minOccurs="0" maxOccurs="unbounded"/> <xs:restriction base="xs:string">
<xs:element ref="iodef:DetectionPattern" <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:restriction>
</xs:sequence> </xs:simpleType>
<xs:attribute name="source" <!--
use="optional" default="unknown"> ==================================================================
== History class ==
==================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:simpleType> </xs:sequence>
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="restriction"
<xs:enumeration value="nidps"/> type="iodef:restriction-type"/>
<xs:enumeration value="hips"/> <xs:attribute name="ext-restriction"
<xs:enumeration value="siem"/> type="xs:string" use="optional"/>
<xs:enumeration value="av"/> <xs:attribute name="action"
<xs:enumeration value="third-party-monitoring"/> type="iodef:action-type" use="required"/>
<xs:enumeration value="incident"/> <xs:attribute name="ext-action"
<xs:enumeration value="os-log"/> type="xs:string" use="optional"/>
<xs:enumeration value="application-log"/> <xs:attribute name="observable-id"
<xs:enumeration value="device-log"/> type="xs:ID" use="optional"/>
<xs:enumeration value="network-flow"/> </xs:complexType>
<xs:enumeration value="passive-dns"/> </xs:element>
<xs:enumeration value="investigation"/> <!--
<xs:enumeration value="audit"/> ==================================================================
<xs:enumeration value="internal-notification"/> == Expectation class ==
<xs:enumeration value="external-notification"/> ==================================================================
<xs:enumeration value="leo"/> -->
<xs:enumeration value="partner"/> <xs:element name="Expectation">
<xs:enumeration value="actor"/> <xs:complexType>
<xs:enumeration value="unknown"/> <xs:sequence>
<xs:enumeration value="ext-value"/> <xs:element ref="iodef:Description"
</xs:restriction> minOccurs="0" maxOccurs="unbounded"/>
</xs:simpleType> <xs:element name="DefinedCOA"
</xs:attribute> type="iodef:MLStringType"
<xs:attribute name="ext-source" minOccurs="0" maxOccurs="unbounded"/>
type="xs:string" use="optional"/> <xs:element ref="iodef:StartTime"
<xs:attribute name="restriction" minOccurs="0"/>
type="iodef:restriction-type"/> <xs:element ref="iodef:EndTime"
<xs:attribute name="ext-restriction" minOccurs="0"/>
type="xs:string" use="optional"/> <xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="default"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
</xs:complexType> <!--
</xs:element> ==================================================================
== Discovery class ==
==================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:element name="DetectionPattern"> </xs:complexType>
<xs:complexType> </xs:element>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <xs:element name="DetectionPattern">
================================================================== <xs:complexType>
== Method class == <xs:sequence>
================================================================== <xs:element ref="iodef:Application"/>
--> <xs:element ref="iodef:Description"
<xs:element name="Method"> minOccurs="0" maxOccurs="unbounded"/>
<xs:complexType> <xs:element name="DetectionConfiguration"
<xs:sequence> type="xs:string"
<xs:choice maxOccurs="unbounded"> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Reference"/> </xs:sequence>
<xs:element ref="iodef:Description"/> <xs:attribute name="restriction"
</xs:choice> type="iodef:restriction-type"/>
<xs:element ref="iodef:AdditionalData" <xs:attribute name="ext-restriction"
minOccurs="0" maxOccurs="unbounded"/> type="xs:string" use="optional"/>
</xs:sequence> </xs:complexType>
<xs:attribute name="restriction" </xs:element>
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Reference class == == Method class ==
================================================================== ==================================================================
--> -->
<xs:element name="Reference"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="enum:ReferenceName" <xs:choice maxOccurs="unbounded">
minOccurs="0" /> <xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:Description"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:choice>
<xs:element ref="iodef:Description" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="restriction"
type="xs:ID" use="optional"/> type="iodef:restriction-type"/>
</xs:complexType> <xs:attribute name="ext-restriction"
</xs:element> type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ==================================================================
== Assessment class == == Reference class ==
================================================================== ==================================================================
--> -->
<xs:element name="Assessment"> <xs:element name="Reference">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="IncidentCategory" <xs:element ref="enum:ReferenceName"
type="iodef:MLStringType" minOccurs="0" />
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:URL"
<xs:choice maxOccurs="unbounded"> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:SystemImpact"/> <xs:element ref="iodef:Description"
<xs:element name="BusinessImpact" minOccurs="0" maxOccurs="unbounded"/>
type="iodef:BusinessImpactType" /> </xs:sequence>
<xs:element ref="iodef:TimeImpact"/> <xs:attribute name="observable-id"
<xs:element ref="iodef:MonetaryImpact"/> type="xs:ID" use="optional"/>
<xs:element name="IntendedImpact" </xs:complexType>
type="iodef:BusinessImpactType"/> </xs:element>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="MitigatingFactor"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="SystemImpact"> <!--
<xs:complexType> ==================================================================
<xs:simpleContent> == Assessment class ==
<xs:extension base="iodef:MLStringType"> ==================================================================
<xs:attribute name="severity" -->
type="iodef:severity-type"/> <xs:element name="Assessment">
<xs:attribute name="completion"> <xs:complexType>
<xs:simpleType> <xs:sequence>
<xs:restriction base="xs:NMTOKEN"> <xs:element name="IncidentCategory"
<xs:enumeration value="failed"/> type="iodef:MLStringType"
<xs:enumeration value="succeeded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:restriction> <xs:choice maxOccurs="unbounded">
</xs:simpleType> <xs:element ref="iodef:SystemImpact"/>
</xs:attribute> <xs:element name="BusinessImpact"
<xs:attribute name="type" type="iodef:BusinessImpactType" />
use="optional"> <xs:element ref="iodef:TimeImpact"/>
<xs:simpleType> <xs:element ref="iodef:MonetaryImpact"/>
<xs:restriction base="xs:NMTOKEN"> <xs:element name="IntendedImpact"
<xs:enumeration value="admin"/> type="iodef:BusinessImpactType"/>
<xs:enumeration value="takeover-account"/> </xs:choice>
<xs:enumeration value="takeover-service"/> <xs:element ref="iodef:Counter"
<xs:enumeration value="takeover-system"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="cps-manipulation"/> <xs:element name="MitigatingFactor"
<xs:enumeration value="cps-damage"/> type="iodef:MLStringType"
<xs:enumeration value="availability-data"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="availibility-account"/> <xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:enumeration value="availibility-service"/> <xs:element ref="iodef:AdditionalData"
<xs:enumeration value="availibility-system"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="damaged-system"/> </xs:sequence>
<xs:enumeration value="damaged-data"/> <xs:attribute name="occurrence">
<xs:enumeration value="breach-proprietary"/> <xs:simpleType>
<xs:enumeration value="breach-privacy"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-credential"/> <xs:enumeration value="actual"/>
<xs:enumeration value="breach-configuration"/> <xs:enumeration value="potential"/>
<xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
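Review bot: The SystemImpact type enumeration spells three values "availibility-account", "availibility-service" and "availibility-system", next to the correctly spelled "availability-data", and the spelling is the same in both draft versions. Validators match enumeration values literally, so once the schema is finalized every producer and consumer has to carry the typo; suggest correcting all three to "availability-..." now.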
<xs:complexType name="BusinessImpactType">
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:element name="TimeImpact"> </xs:restriction>
<xs:complexType> </xs:simpleType>
<xs:simpleContent> </xs:attribute>
<xs:extension base="iodef:PositiveFloatType"> <xs:attribute name="restriction"
<xs:attribute name="severity" type="iodef:restriction-type"/>
type="iodef:severity-type"/> <xs:attribute name="ext-restriction"
<xs:attribute name="metric" type="xs:string" use="optional"/>
use="required"> <xs:attribute name="observable-id"
<xs:simpleType> type="xs:ID" use="optional"/>
<xs:restriction base="xs:NMTOKEN"> </xs:complexType>
<xs:enumeration value="labor"/> </xs:element>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="duration"
type="iodef:duration-type"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence"> <xs:element name="SystemImpact">
<xs:complexType mixed="true"> <xs:complexType>
<xs:attribute name="rating" use="required"> <xs:simpleContent>
<xs:simpleType> <xs:extension base="iodef:MLStringType">
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="severity"
<xs:enumeration value="low"/> type="iodef:severity-type"/>
<xs:enumeration value="medium"/> <xs:attribute name="completion">
<xs:enumeration value="high"/> <xs:simpleType>
<xs:enumeration value="numeric"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="unknown"/> <xs:enumeration value="failed"/>
</xs:restriction> <xs:enumeration value="succeeded"/>
</xs:simpleType> </xs:restriction>
</xs:attribute> </xs:simpleType>
</xs:complexType> </xs:attribute>
</xs:element> <xs:attribute name="type"
<!-- use="optional">
================================================================== <xs:simpleType>
== EventData class == <xs:restriction base="xs:NMTOKEN">
================================================================== <xs:enumeration value="admin"/>
--> <xs:enumeration value="takeover-account"/>
<xs:element name="EventData"> <xs:enumeration value="takeover-service"/>
<xs:complexType> <xs:enumeration value="takeover-system"/>
<xs:sequence> <xs:enumeration value="cps-manipulation"/>
<xs:element ref="iodef:Description" <xs:enumeration value="cps-damage"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:enumeration value="availability-data"/>
<xs:element ref="iodef:DetectTime" <xs:enumeration value="availibility-account"/>
minOccurs="0"/> <xs:enumeration value="availibility-service"/>
<xs:element ref="iodef:StartTime" <xs:enumeration value="availibility-system"/>
minOccurs="0"/> <xs:enumeration value="damaged-system"/>
<xs:element ref="iodef:EndTime" <xs:enumeration value="damaged-data"/>
minOccurs="0"/> <xs:enumeration value="breach-proprietary"/>
<xs:element ref="iodef:RecoveryTime" <xs:enumeration value="breach-privacy"/>
minOccurs="0"/> <xs:enumeration value="breach-credential"/>
<xs:element ref="iodef:ReportTime" <xs:enumeration value="breach-configuration"/>
minOccurs="0"/> <xs:enumeration value="integrity-data"/>
<xs:element ref="iodef:Contact" <xs:enumeration value="integrity-configuration"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:enumeration value="integrity-hardware"/>
<xs:element ref="iodef:Discovery" <xs:enumeration value="traffic-redirection"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:enumeration value="monitoring-traffic"/>
<xs:element ref="iodef:Assessment" <xs:enumeration value="monitoring-host"/>
minOccurs="0"/> <xs:enumeration value="policy"/>
<xs:element ref="iodef:Method" <xs:enumeration value="ext-value"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:restriction>
<xs:element ref="iodef:Flow" </xs:simpleType>
minOccurs="0" maxOccurs="unbounded"/> </xs:attribute>
<xs:element ref="iodef:Expectation" <xs:attribute name="ext-type"
minOccurs="0" maxOccurs="unbounded"/> type="xs:string" use="optional"/>
<xs:element ref="iodef:Record" </xs:extension>
minOccurs="0"/> </xs:simpleContent>
<xs:element ref="iodef:EventData" </xs:complexType>
minOccurs="0" maxOccurs="unbounded"/> </xs:element>
<xs:element ref="iodef:AdditionalData" <xs:complexType name="BusinessImpactType">
minOccurs="0" maxOccurs="unbounded"/> <xs:simpleContent>
</xs:sequence> <xs:extension base="iodef:MLStringType">
<xs:attribute name="restriction" <xs:attribute name="severity"
type="iodef:restriction-type" use="optional">
default="default"/> <xs:simpleType>
<xs:attribute name="ext-restriction" <xs:restriction base="xs:NMTOKEN">
type="xs:string" use="optional"/> <xs:enumeration value="none"/>
<xs:attribute name="observable-id" <xs:enumeration value="low"/>
type="xs:ID" use="optional"/> <xs:enumeration value="medium"/>
</xs:complexType> <xs:enumeration value="high"/>
</xs:element> <xs:enumeration value="unknown"/>
<!-- <xs:enumeration value="ext-value"/>
================================================================== </xs:restriction>
== Flow class == </xs:simpleType>
================================================================== </xs:attribute>
--> <xs:attribute name="ext-severity"
<!-- Added System unbounded for use only when the source or type="xs:string" use="optional"/>
target watchlist is in use, otherwise only one system entry <xs:attribute name="type"
is expected. use="optional">
--> <xs:simpleType>
<xs:element name="Flow"> <xs:restriction base="xs:NMTOKEN">
<xs:complexType> <xs:enumeration value="breach-proprietary"/>
<xs:sequence> <xs:enumeration value="breach-privacy"/>
<xs:element ref="iodef:System" <xs:enumeration value="breach-credential"/>
maxOccurs="unbounded"/> <xs:enumeration value="loss-of-integrity"/>
</xs:sequence> <xs:enumeration value="loss-of-service" />
</xs:complexType> <xs:enumeration value="theft-financial"/>
</xs:element> <xs:enumeration value="theft-service"/>
<!-- <xs:enumeration value="degraded-reputation"/>
================================================================== <xs:enumeration value="asset-damage"/>
== System class == <xs:enumeration value="asset-manipulation"/>
================================================================== <xs:enumeration value="legal"/>
--> <xs:enumeration value="extortion"/>
<xs:element name="System"> <xs:enumeration value="ext-value"/>
<xs:complexType> </xs:restriction>
<xs:sequence> </xs:simpleType>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/> </xs:attribute>
<xs:element ref="iodef:NodeRole" <xs:attribute name="ext-type"
minOccurs="0" maxOccurs="unbounded" /> type="xs:string" use="optional"/>
<xs:element ref="iodef:Service" </xs:extension>
minOccurs="0" maxOccurs="unbounded"/> </xs:simpleContent>
<xs:element ref="iodef:OperatingSystem" </xs:complexType>
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/>
<xs:attribute name="ownership">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
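Review bot: In the System element, the spoofed and virtual attributes are declared with type="yes-no-unknown-type" and no namespace prefix, while the other type references in this element use iodef: (for example iodef:restriction-type). Unless the schema's default namespace is the IODEF target namespace, the unprefixed QName will not resolve; suggest iodef:yes-no-unknown-type for both, in both versions. The two declarations also differ in that virtual carries use="optional" and spoofed does not; one form should be used for both.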
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location" <xs:element name="TimeImpact">
minOccurs="0" maxOccurs="unbounded"/> <xs:complexType>
<xs:element ref="iodef:NodeRole" <xs:simpleContent>
minOccurs="0" maxOccurs="unbounded"/> <xs:extension base="iodef:PositiveFloatType">
<xs:element ref="iodef:Counter" <xs:attribute name="severity"
minOccurs="0" maxOccurs="unbounded"/> type="iodef:severity-type"/>
</xs:sequence> <xs:attribute name="metric"
</xs:complexType> use="required">
</xs:element> <xs:simpleType>
<xs:element name="Address"> <xs:restriction base="xs:NMTOKEN">
<xs:complexType> <xs:enumeration value="labor"/>
<xs:simpleContent> <xs:enumeration value="elapsed"/>
<xs:extension base="xs:string"> <xs:enumeration value="downtime"/>
<xs:attribute name="category" default="ipv4-addr"> <xs:enumeration value="ext-value"/>
<xs:simpleType> </xs:restriction>
<xs:restriction base="xs:NMTOKEN"> </xs:simpleType>
<xs:enumeration value="asn"/> </xs:attribute>
<xs:enumeration value="atm"/> <xs:attribute name="duration"
<xs:enumeration value="e-mail"/> type="iodef:duration-type"/>
<xs:enumeration value="mac"/> </xs:extension>
<xs:enumeration value="ipv4-addr"/> </xs:simpleContent>
<xs:enumeration value="ipv4-net"/> </xs:complexType>
<xs:enumeration value="ipv4-net-mask"/> </xs:element>
<xs:enumeration value="ipv6-addr"/> <xs:element name="MonetaryImpact">
<xs:enumeration value="ipv6-net"/> <xs:complexType>
<xs:enumeration value="ipv6-net-mask"/> <xs:simpleContent>
<xs:enumeration value="site-uri"/> <xs:extension base="iodef:PositiveFloatType">
<xs:enumeration value="ext-value"/> <xs:attribute name="severity"
</xs:restriction> type="iodef:severity-type"/>
</xs:simpleType> <xs:attribute name="currency"
</xs:attribute> type="xs:string"/>
<xs:attribute name="ext-category" </xs:extension>
type="xs:string" use="optional"/> </xs:simpleContent>
<xs:attribute name="vlan-name" </xs:complexType>
type="xs:string"/> </xs:element>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
==================================================================
== EventData class ==
==================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime"
minOccurs="0"/>
<xs:element ref="iodef:ReportTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element name="NodeRole"> <xs:element ref="iodef:EventData"
<xs:complexType> minOccurs="0" maxOccurs="unbounded"/>
<xs:simpleContent> <xs:element ref="iodef:AdditionalData"
<xs:extension base="iodef:MLStringType"> minOccurs="0" maxOccurs="unbounded"/>
<xs:attribute name="category" use="required"> </xs:sequence>
<xs:simpleType> <xs:attribute name="restriction"
<xs:restriction base="xs:NMTOKEN"> type="iodef:restriction-type"
<xs:enumeration value="client"/> default="default"/>
<xs:enumeration value="client-enterprise"/> <xs:attribute name="ext-restriction"
<xs:enumeration value="client-partner"/> type="xs:string" use="optional"/>
<xs:enumeration value="client-remote"/> <xs:attribute name="observable-id"
<xs:enumeration value="client-kiosk"/> type="xs:ID" use="optional"/>
<xs:enumeration value="client-mobile"/> </xs:complexType>
<xs:enumeration value="server-internal"/> </xs:element>
<xs:enumeration value="server-public"/> <!--
<xs:enumeration value="www"/> ==================================================================
<xs:enumeration value="mail"/> == Flow class ==
<xs:enumeration value="webmail" /> ==================================================================
<xs:enumeration value="messaging"/> -->
<xs:enumeration value="streaming"/> <!-- Added System unbounded for use only when the source or
<xs:enumeration value="voice"/> target watchlist is in use, otherwise only one system entry
<xs:enumeration value="file"/> is expected.
<xs:enumeration value="ftp"/> -->
<xs:enumeration value="p2p"/> <xs:element name="Flow">
<xs:enumeration value="name"/> <xs:complexType>
<xs:enumeration value="directory"/> <xs:sequence>
<xs:enumeration value="credential"/> <xs:element ref="iodef:System"
<xs:enumeration value="print"/> maxOccurs="unbounded"/>
<xs:enumeration value="application"/> </xs:sequence>
<xs:enumeration value="database"/> </xs:complexType>
<xs:enumeration value="backup"/> </xs:element>
<xs:enumeration value="dhcp"/> <!--
<xs:enumeration value="assessment"/> ==================================================================
<xs:enumeration value="source-control"/> == System class ==
<xs:enumeration value="config-management"/> ==================================================================
<xs:enumeration value="monitoring"/> -->
<xs:enumeration value="infra"/> <xs:element name="System">
<xs:enumeration value="infra-firewall"/> <xs:complexType>
<xs:enumeration value="infra-router"/> <xs:sequence>
<xs:enumeration value="infra-switch"/> <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:enumeration value="camera"/> <xs:element ref="iodef:NodeRole"
<xs:enumeration value="proxy"/> minOccurs="0" maxOccurs="unbounded" />
<xs:enumeration value="remote-access"/> <xs:element ref="iodef:Service"
<xs:enumeration value="log"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="virtualization"/> <xs:element ref="iodef:OperatingSystem"
<xs:enumeration value="pos"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="scada"/> <xs:element ref="iodef:Counter"
<xs:enumeration value="scada-supervisory"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!-- <xs:element name="AssetID" type="xs:string"
================================================================== minOccurs="0" maxOccurs="unbounded"/>
== Service Class == <xs:element ref="iodef:Description"
================================================================== minOccurs="0" maxOccurs="unbounded"/>
--> <xs:element ref="iodef:AdditionalData"
<xs:element name="Service"> minOccurs="0" maxOccurs="unbounded"/>
<xs:complexType> </xs:sequence>
<xs:sequence> <xs:attribute name="restriction"
<xs:choice minOccurs="0"> type="iodef:restriction-type"/>
<xs:element name="Port" <xs:attribute name="ext-restriction"
type="xs:integer"/> type="xs:string" use="optional"/>
<xs:element name="Portlist" <xs:attribute name="category">
type="iodef:PortlistType"/> <xs:simpleType>
</xs:choice> <xs:restriction base="xs:NMTOKEN">
<xs:element name="ProtoType" <xs:enumeration value="source"/>
type="xs:integer" minOccurs="0"/> <xs:enumeration value="target"/>
<xs:element name="ProtoCode" <xs:enumeration value="intermediate"/>
type="xs:integer" minOccurs="0"/> <xs:enumeration value="sensor"/>
<xs:element name="ProtoField" <xs:enumeration value="infrastructure"/>
type="xs:integer" minOccurs="0"/> <xs:enumeration value="ext-value"/>
<xs:element name="ApplicationHeader" </xs:restriction>
type="iodef:ApplicationHeaderType" </xs:simpleType>
minOccurs="0" maxOccurs="unbounded"/> </xs:attribute>
<xs:element ref="EmailData" minOccurs="0"/> <xs:attribute name="ext-category"
<xs:element ref="iodef:Application" type="xs:string" use="optional"/>
minOccurs="0"/> <xs:attribute name="interface"
</xs:sequence> type="xs:string"/>
<xs:attribute name="ip-protocol" <xs:attribute name="spoofed" type="yes-no-unknown-type"
type="xs:integer" use="required"/> default="unknown" />
<xs:attribute name="observable-id" <xs:attribute name="virtual" type="yes-no-unknown-type"
type="xs:ID" use="optional"/> use="optional" default="unknown"/>
</xs:complexType> <xs:attribute name="ownership">
</xs:element> <xs:simpleType>
<xs:simpleType name="PortlistType"> <xs:restriction base="xs:NMTOKEN">
<xs:restriction base="xs:string"> <xs:enumeration value="organization"/>
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> <xs:enumeration value="personal"/>
</xs:restriction> <xs:enumeration value="partner"/>
</xs:simpleType> <xs:enumeration value="customer"/>
<!-- <xs:enumeration value="no-relationship"/>
================================================================== <xs:enumeration value="unknown"/>
== Counter class == <xs:enumeration value="ext-value"/>
================================================================== </xs:restriction>
--> </xs:simpleType>
<xs:element name="Counter"> </xs:attribute>
<xs:complexType> <xs:attribute name="ext-ownership"
<xs:simpleContent> type="xs:string" use="optional"/>
<xs:extension base="xs:double"> </xs:complexType>
<xs:attribute name="type" use="required"> </xs:element>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element> <!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!-- <xs:element name="Location" type="iodef:MLStringType"/>
==================================================================
== EmailData class ==
==================================================================
-->
<xs:element name="EmailData">
<xs:complexType>
<xs:sequence>
<xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="SignatureData"
minOccurs="0" />
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <xs:element name="NodeRole">
================================================================== <xs:complexType>
== DomainData class - from RFC5901 == <xs:simpleContent>
================================================================== <xs:extension base="iodef:MLStringType">
--> <xs:attribute name="category" use="required">
<xs:element name="DomainData"> <xs:simpleType>
<xs:complexType> <xs:restriction base="xs:NMTOKEN">
<xs:sequence> <xs:enumeration value="client"/>
<xs:element name="Name" <xs:enumeration value="client-enterprise"/>
type="xs:string" maxOccurs="1" /> <xs:enumeration value="client-partner"/>
<xs:element name="DateDomainWasChecked" <xs:enumeration value="client-remote"/>
type="xs:dateTime" <xs:enumeration value="client-kiosk"/>
minOccurs="0" maxOccurs="1" /> <xs:enumeration value="client-mobile"/>
<xs:element name="RegistrationDate" <xs:enumeration value="server-internal"/>
type="xs:dateTime" <xs:enumeration value="server-public"/>
minOccurs="0" maxOccurs="1" /> <xs:enumeration value="www"/>
<xs:element name="ExpirationDate" <xs:enumeration value="mail"/>
type="xs:dateTime" <xs:enumeration value="webmail" />
minOccurs="0" maxOccurs="1" /> <xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" />
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RelatedDNS" <!--
type="iodef:RelatedDNSEntryType" ==================================================================
minOccurs="0" maxOccurs="unbounded" /> == Service Class ==
<xs:element ref="iodef:Nameservers" ==================================================================
minOccurs="0" maxOccurs="unbounded" /> -->
<xs:element ref="iodef:DomainContacts" <xs:element name="Service">
minOccurs="0" maxOccurs="1" /> <xs:complexType>
</xs:sequence> <xs:sequence>
<xs:element name="ServiceName"
type="xs:string" minOccurs="0"/>
<xs:attribute name="system-status"> <xs:choice minOccurs="0">
<xs:simpleType> <xs:element name="Port"
<xs:restriction base="xs:string"> type="xs:integer"/>
<xs:enumeration value="spoofed"/> <xs:element name="Portlist"
<xs:enumeration value="fraudulent"/> type="iodef:PortlistType"/>
<xs:enumeration value="innocent-hacked"/> </xs:choice>
<xs:enumeration value="innocent-hijacked"/> <xs:element name="ProtoType"
<xs:enumeration value="unknown"/> type="xs:integer" minOccurs="0"/>
<xs:enumeration value="ext-value"/> <xs:element name="ProtoCode"
</xs:restriction> type="xs:integer" minOccurs="0"/>
</xs:simpleType> <xs:element name="ProtoField"
</xs:attribute> type="xs:integer" minOccurs="0"/>
<xs:attribute name="ext-system-status" <xs:element name="ApplicationHeader"
type="xs:string" use="optional"/> type="iodef:ApplicationHeaderType"
<xs:attribute name="domain-status"> minOccurs="0" maxOccurs="unbounded"/>
<xs:simpleType> <xs:element ref="EmailData" minOccurs="0"/>
<xs:restriction base="xs:string"> <xs:element ref="iodef:Application"
<xs:enumeration value="reservedDelegation"/> minOccurs="0"/>
<xs:enumeration value="assignedAndActive"/> </xs:sequence>
<xs:enumeration value="assignedAndInactive"/> <xs:attribute name="ip-protocol"
<xs:enumeration value="assignedAndOnHold"/> type="xs:integer" use="required"/>
<xs:enumeration value="revoked"/> <xs:attribute name="observable-id"
<xs:enumeration value="transferPending"/> type="xs:ID" use="optional"/>
<xs:enumeration value="registryLock"/> </xs:complexType>
<xs:enumeration value="registrarLock"/> </xs:element>
<xs:enumeration value="other"/> <xs:simpleType name="PortlistType">
<xs:enumeration value="unknown"/> <xs:restriction base="xs:string">
<xs:enumeration value="ext-value"/> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> <!--
<xs:attribute name="ext-domain-status" ==================================================================
type="xs:string" use="optional"/> == Counter class ==
<xs:attribute name="observable-id" ==================================================================
type="xs:ID" use="optional"/> -->
</xs:complexType> <xs:element name="Counter">
</xs:element> <xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required"
default="counter">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="counter"/>
<xs:enumeration value="rate"/>
<xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
<xs:element name="RelatedDNS" </xs:simpleType>
type="iodef:RelatedDNSEntryType"/> </xs:attribute>
<xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="record-type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent> <xs:attribute name="unit" use="required">
</xs:complexType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
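Review bot: In the Counter element on the bis-12 side, the type attribute is declared with both use="required" and default="counter", which XML Schema does not allow: when default is present, use has to be optional. A strict validator will reject the schema at this declaration. Either drop default="counter" and keep the attribute required, or change use to optional if the default is meant to apply when the attribute is omitted.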
<xs:element name="Nameservers"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == EmailData class ==
<xs:element name="Server" type="xs:string"/> ==================================================================
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> -->
</xs:sequence> <xs:element name="EmailData">
</xs:complexType> <xs:complexType>
</xs:element> <xs:sequence>
<xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="DomainContacts"> <xs:element name="EmailHeaderField"
<xs:complexType> type="iodef:ApplicationHeaderType"
<xs:choice> minOccurs="0"/>
<xs:element name="SameDomainContact" <xs:element ref="iodef:HashData"
type="xs:string"/> minOccurs="0" />
<xs:element ref="iodef:Contact" <xs:element ref="SignatureData"
maxOccurs="unbounded" minOccurs="1"/> minOccurs="0" />
</xs:choice> </xs:sequence>
</xs:complexType> <xs:attribute name="observable-id"
</xs:element> type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
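Review bot: The SignatureData reference in EmailData is written ref="SignatureData" with no prefix, while the HashData reference directly above it is ref="iodef:HashData"; the Service class has the same pattern with ref="EmailData". The unprefixed form resolves only if the schema's default namespace is the IODEF target namespace, so qualify both as iodef:SignatureData and iodef:EmailData to match the rest of the schema.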
<!-- <!--
================================================================== ==================================================================
== Record class == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
--> -->
<xs:element name="Record"> <xs:element name="DomainData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:RecordData" <xs:element name="Name"
maxOccurs="unbounded"/> type="xs:string" maxOccurs="1" />
</xs:sequence> <xs:element name="DateDomainWasChecked"
<xs:attribute name="restriction" type="xs:dateTime"
type="iodef:restriction-type"/> minOccurs="0" maxOccurs="1" />
<xs:attribute name="ext-restriction" <xs:element name="RegistrationDate"
type="xs:string" use="optional"/> type="xs:dateTime"
</xs:complexType> minOccurs="0" maxOccurs="1" />
</xs:element> <xs:element name="ExpirationDate"
<xs:element name="RecordData"> type="xs:dateTime"
<xs:complexType> minOccurs="0" maxOccurs="1" />
<xs:sequence> <xs:element name="RelatedDNS"
<xs:element ref="iodef:DateTime" type="iodef:RelatedDNSEntryType"
minOccurs="0"/> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Description" <xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:DomainContacts"
minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:element ref="iodef:Application" <xs:attribute name="system-status">
minOccurs="0"/> <xs:simpleType>
<xs:element ref="iodef:RecordPattern" <xs:restriction base="xs:string">
minOccurs="0" maxOccurs="unbounded"/> <xs:enumeration value="spoofed"/>
<xs:element ref="iodef:RecordItem" <xs:enumeration value="fraudulent"/>
maxOccurs="unbounded"/> <xs:enumeration value="innocent-hacked"/>
<xs:element ref="iodef:FileData" <xs:enumeration value="innocent-hijacked"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:enumeration value="unknown"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:enumeration value="ext-value"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:restriction>
<xs:element ref="iodef:CertificateData" </xs:simpleType>
minOccurs="0" maxOccurs="unbounded"/> </xs:attribute>
<xs:element ref="iodef:AdditionalData" <xs:attribute name="ext-system-status"
minOccurs="0" maxOccurs="unbounded"/> type="xs:string" use="optional"/>
</xs:sequence> <xs:attribute name="domain-status">
<xs:attribute name="restriction" <xs:simpleType>
type="iodef:restriction-type"/> <xs:restriction base="xs:string">
<xs:attribute name="ext-restriction" <xs:enumeration value="reservedDelegation"/>
type="xs:string" use="optional"/> <xs:enumeration value="assignedAndActive"/>
<xs:attribute name="observable-id" <xs:enumeration value="assignedAndInactive"/>
type="xs:ID" use="optional"/> <xs:enumeration value="assignedAndOnHold"/>
</xs:complexType> <xs:enumeration value="revoked"/>
</xs:element> <xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern"> <xs:element name="RelatedDNS"
<xs:complexType> type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="type" use="required"> <xs:attribute name="record-type" use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/> <xs:enumeration value="A"/>
<xs:enumeration value="binary"/> <xs:enumeration value="AAAA"/>
<xs:enumeration value="xpath"/> <xs:enumeration value="AFSDB"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="APL"/>
</xs:restriction> <xs:enumeration value="AXFR"/>
</xs:simpleType> <xs:enumeration value="CAA"/>
</xs:attribute> <xs:enumeration value="CERT"/>
<xs:attribute name="ext-type" <xs:enumeration value="CNAME"/>
type="xs:string" use="optional"/> <xs:enumeration value="DHCID"/>
<xs:attribute name="offset" <xs:enumeration value="DLV"/>
type="xs:integer" use="optional"/> <xs:enumeration value="DNAME"/>
<xs:attribute name="offsetunit" <xs:enumeration value="DNSKEY"/>
use="optional" default="line"> <xs:enumeration value="DS"/>
<xs:simpleType> <xs:enumeration value="HIP"/>
<xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="IXFR"/>
<xs:enumeration value="line"/> <xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="byte"/> <xs:enumeration value="LOC"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="MX"/>
</xs:restriction> <xs:enumeration value="NAPTR"/>
</xs:simpleType> <xs:enumeration value="NS"/>
</xs:attribute> <xs:enumeration value="NSEC"/>
<xs:attribute name="ext-offsetunit" <xs:enumeration value="NSEC3"/>
type="xs:string" use="optional"/> <xs:enumeration value="NSEC3PARAM"/>
<xs:attribute name="instance" <xs:enumeration value="OPT"/>
type="xs:integer" use="optional"/> <xs:enumeration value="PTR"/>
</xs:extension> <xs:enumeration value="RRSIG"/>
</xs:simpleContent> <xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <xs:element name="Nameservers">
================================================================ <xs:complexType>
== Classes to describe a file == <xs:sequence>
================================================================ <xs:element name="Server" type="xs:string"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
<xs:element name="FileData"> </xs:sequence>
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="File"> <xs:element name="DomainContacts">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:choice>
<xs:element name="FileName" type="xs:string" <xs:element name="SameDomainContact"
minOccurs="0" /> type="xs:string"/>
<xs:element name="FileSize" type="xs:integer" <xs:element ref="iodef:Contact"
minOccurs="0" /> maxOccurs="unbounded" minOccurs="1"/>
<xs:element name="FileType" type="xs:integer" </xs:choice>
minOccurs="0" />
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="ds:Signature"
minOccurs="0" />
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FileProperties"
type="iodef:ExtensionType"/>
<!--
================================================================
== Classes to describe a hash ==
================================================================
<xs:element name="HashData">
<xs:complexType>
<xs:sequence>
<xs:element name="HashTarget" type="iodef:MLStringType"
minOccurs="0"/>
<xs:element ref="iodef:Hash"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="scope" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-scope"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Hash">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:DigestMethod" />
<xs:element ref="ds:DigestValue" />
<xs:element ref="ds:CanonicalizationMethod" />
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHash"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == Record class ==
<xs:element ref="iodef:AdditionalData" /> ==================================================================
<xs:element ref="iodef:Application" -->
minOccurs="0"/> <xs:element name="Record">
</xs:sequence> <xs:complexType>
</xs:complexType> <xs:sequence>
</xs:element> <xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <xs:element name="RecordPattern">
================================================================ <xs:complexType>
== Classes to describe a signature == <xs:simpleContent>
================================================================ <xs:extension base="xs:string">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="SignatureData"> <!--
<xs:complexType> ================================================================
<xs:sequence> == Classes to describe a file ==
<xs:element ref="ds:Signature" ================================================================
maxOccurs="unbounded" /> -->
</xs:sequence>
</xs:complexType>
</xs:element>
<!-- <xs:element name="FileData">
================================================================ <xs:complexType>
== Classes to describe a certficate == <xs:sequence>
================================================================ <xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="CertificateData"> <xs:element name="File">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Certificate" <xs:element name="FileName" type="xs:string"
maxOccurs="unbounded"/> minOccurs="0" />
</xs:sequence> <xs:element name="FileSize" type="xs:integer"
<xs:attribute name="observable-id" minOccurs="0" />
type="xs:ID" use="optional"/> <xs:element name="FileType" type="xs:integer"
<xs:attribute name="restriction" minOccurs="0" />
type="iodef:restriction-type"/> <xs:element ref="iodef:URL"
<xs:attribute name="ext-restriction" minOccurs="0" maxOccurs="unbounded"/>
type="xs:string" use="optional"/> <xs:element ref="iodef:HashData"
</xs:complexType> minOccurs="0" />
</xs:element> <xs:element ref="ds:Signature"
minOccurs="0" />
<xs:element name="Application"
type="iodef:SoftwareType" minOccurs="0"/>
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
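Review bot: The Application child added to File on the bis-12 side is a local declaration (name="Application" type="iodef:SoftwareType"), whereas Hash, FuzzyHash, Service and RecordData all pull in the global element with ref="iodef:Application". Using ref="iodef:Application" minOccurs="0" here would keep a single definition of the element and match the other classes.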
<xs:element name="Certificate"> <xs:element name="FileProperties"
<xs:complexType> type="iodef:ExtensionType"/>
<xs:sequence>
<xs:element ref="ds:X509Data" />
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================== ================================================================
== Classes that describe software == == Classes to describe a hash ==
================================================================== ================================================================
--> -->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<!-- <xs:element name="HashData">
==================================================================
== IndicatorData classes ==
==================================================================
<xs:element name="IndicatorData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Indicator" <xs:element name="HashTarget" type="iodef:MLStringType"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Indicator"> <xs:element ref="iodef:Hash"
<xs:complexType> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="scope" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-scope"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Hash">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IndicatorID" /> <xs:element ref="ds:DigestMethod" />
<xs:element ref="iodef:AlternativeIndicatorID" <xs:element ref="ds:DigestValue" />
minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="ds:CanonicalizationMethod" />
<xs:element ref="iodef:Description" <xs:element ref="iodef:Application"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0"/>
<xs:element ref="iodef:StartTime" </xs:sequence>
minOccurs="0" /> </xs:complexType>
<xs:element ref="iodef:EndTime" </xs:element>
minOccurs="0" />
<xs:element ref="iodef:Confidence"
minOccurs="0" />
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable" />
<xs:element ref="iodef:ObservableReference" />
<xs:element ref="iodef:IndicatorExpression" />
<xs:element ref="iodef:IndicatorReference" />
</xs:choice>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorID"> <xs:element name="FuzzyHash">
<xs:complexType> <xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:ID">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="version"
type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="AlternativeIndicatorID">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IndicatorID" <xs:element ref="iodef:AdditionalData" />
maxOccurs="unbounded"/> <xs:element ref="iodef:Application"
</xs:sequence> minOccurs="0"/>
<xs:attribute name="restriction" </xs:sequence>
type="iodef:restriction-type"/> </xs:complexType>
<xs:attribute name="ext-restriction" </xs:element>
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Observable"> <!--
<xs:complexType> ================================================================
== Classes to describe a signature ==
================================================================
-->
<xs:element name="SignatureData">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Address" <xs:element ref="ds:Signature"
minOccurs="0"/> maxOccurs="unbounded" />
<xs:element ref="iodef:DomainData" </xs:sequence>
minOccurs="0"/> </xs:complexType>
<xs:element ref="iodef:EmailData" </xs:element>
minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:FileData"
minOccurs="0"/>
<xs:element ref="iodef:RecordData"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0"/>
<xs:element ref="iodef:Incident"
minOccurs="0"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <!--
type="xs:string" use="optional"/> ================================================================
</xs:complexType> == Classes to describe a certficate ==
</xs:element> ================================================================
-->
<xs:element name="IndicatorExpression"> <xs:element name="CertificateData">
<xs:complexType> <xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Certificate"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
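Review bot: The section comment above CertificateData still reads "Classes to describe a certficate" on the bis-12 side; the spelling should be "certificate". The closing "-->" that bis-12 adds to this comment and to the file, hash and signature comments is the right fix, since on the bis-11 side those comments have no terminator before the element declarations that follow.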
<xs:element name="Certificate">
<xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:element ref="ds:X509Data" />
<xs:element ref="iodef:IndicatorExpression"
minOccurs="0"/>
<xs:element ref="iodef:Observable"
minOccurs="0" />
<xs:element ref="iodef:ObservableReference"
minOccurs="0"/>
<xs:element ref="iodef:IndicatorReference"
minOccurs="0"/>
</xs:choice>
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="operator" use="required"> <xs:attribute name="observable-id"
<xs:simpleType> type="xs:ID" use="optional"/>
<xs:restriction base="xs:NMTOKEN"> </xs:complexType>
<xs:enumeration value="not"/> </xs:element>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="ObservableReference"> <!--
<xs:complexType> ==================================================================
<xs:attribute name="uid-ref" == Classes that describe software ==
type="xs:IDREF" use="required"/> ==================================================================
</xs:complexType> -->
</xs:element> <xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<xs:element name="IndicatorReference"> <!--
<xs:complexType> ==================================================================
<xs:attribute name="uid-ref" == IndicatorData classes ==
type="xs:IDREF" use="optional"/> ==================================================================
<xs:attribute name="euid-ref" -->
type="xs:string" use="optional"/> <xs:element name="IndicatorData">
<xs:attribute name="version" <xs:complexType>
type="xs:string" use="optional"/> <xs:sequence>
</xs:complexType> <xs:element ref="iodef:Indicator"
</xs:element> minOccurs="1" maxOccurs="unbounded"/>
<!-- </xs:sequence>
================================================================== </xs:complexType>
== Miscellaneous simple classes == </xs:element>
==================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
==================================================================
== Data Types ==
==================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType"> <xs:element name="Indicator">
<xs:simpleContent> <xs:complexType>
<xs:extension base="xs:string"> <xs:sequence>
<xs:attribute name="translation-id" <xs:element ref="iodef:IndicatorID" />
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0" />
<xs:element ref="iodef:EndTime"
minOccurs="0" />
<xs:element ref="iodef:Confidence"
minOccurs="0" />
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable" />
<xs:element ref="iodef:ObservableReference" />
<xs:element ref="iodef:IndicatorExpression" />
<xs:element ref="iodef:IndicatorReference" />
</xs:choice>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:complexType>
</xs:simpleContent> </xs:element>
</xs:complexType>
<xs:complexType name="ExtensionType" mixed="true"> <xs:element name="IndicatorID">
<xs:sequence> <xs:complexType>
<xs:any namespace="##any" processContents="lax" <xs:simpleContent>
minOccurs="0" maxOccurs="unbounded"/> <xs:extension base="xs:ID">
</xs:sequence> <xs:attribute name="name"
<xs:attribute name="dtype" type="xs:string" use="required"/>
type="iodef:dtype-type" use="required"/> <xs:attribute name="version"
<xs:attribute name="meaning" type="xs:string" use="required"/>
type="xs:string"/> </xs:extension>
<xs:attribute name="formatid" </xs:simpleContent>
type="xs:string"/> </xs:complexType>
<xs:attribute name="restriction" </xs:element>
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="required"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
<!-- <xs:element name="AlternativeIndicatorID">
================================================================== <xs:complexType>
== Global attribute type declarations == <xs:sequence>
================================================================== <xs:element ref="iodef:IndicatorID"
--> maxOccurs="unbounded"/>
<xs:simpleType name="yes-no-type"> </xs:sequence>
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="restriction"
<xs:enumeration value="yes"/> type="iodef:restriction-type"/>
<xs:enumeration value="no"/> <xs:attribute name="ext-restriction"
</xs:restriction> type="xs:string" use="optional"/>
</xs:simpleType> </xs:complexType>
</xs:element>
<xs:element name="Observable">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Address"
minOccurs="0"/>
<xs:element ref="iodef:DomainData"
minOccurs="0"/>
<xs:element ref="iodef:EmailData"
minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:FileData"
minOccurs="0"/>
<xs:element ref="iodef:RecordData"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0"/>
<xs:element ref="iodef:Incident"
minOccurs="0"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:BulkObservable"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="yes-no-unknown-type"> <xs:element name="BulkObservable">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="yes"/> <xs:sequence>
<xs:enumeration value="no"/> <xs:element ref="iodef:BulkObservableFormat"
<xs:enumeration value="unknown"/> minOccurs="0"/>
</xs:restriction> <xs:element name="BulkObservableList"
</xs:simpleType> type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="type"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="fqdn"/>
<xs:enumeration value="doman-name"/>
<xs:enumeration value="domain-to-ipv4"/>
<xs:enumeration value="domain-to-ipv6"/>
<xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="restriction-type"> <xs:element name="BulkObservableFormat">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="default"/> <xs:sequence>
<xs:enumeration value="public"/> <xs:element ref="iodef:Hash"
<xs:enumeration value="partner"/> minOccurs="0"/>
<xs:enumeration value="need-to-know"/> <xs:element ref="iodef:AdditionalData"
<xs:enumeration value="private"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="white"/> </xs:sequence>
<xs:enumeration value="green"/> </xs:complexType>
<xs:enumeration value="amber"/> </xs:element>
<xs:enumeration value="red"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> <xs:element name="IndicatorExpression">
</xs:simpleType> <xs:complexType>
<xs:sequence>
<xs:choice>
<xs:element ref="iodef:IndicatorExpression"
minOccurs="0"/>
<xs:element ref="iodef:Observable"
minOccurs="0" />
<xs:element ref="iodef:ObservableReference"
minOccurs="0"/>
<xs:element ref="iodef:IndicatorReference"
minOccurs="0"/>
</xs:choice>
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="operator" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="not"/>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:simpleType name="severity-type"> <xs:element name="ObservableReference">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="low"/> <xs:attribute name="uid-ref"
<xs:enumeration value="medium"/> type="xs:IDREF" use="required"/>
<xs:enumeration value="high"/> </xs:complexType>
</xs:restriction> </xs:element>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type"> <xs:element name="IndicatorReference">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="nothing"/> <xs:attribute name="uid-ref"
<xs:enumeration value="contact-source-site"/> type="xs:IDREF" use="optional"/>
<xs:enumeration value="contact-target-site"/> <xs:attribute name="euid-ref"
<xs:enumeration value="contact-sender"/> type="xs:string" use="optional"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="redirect-traffic"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction> <xs:attribute name="version"
</xs:simpleType> type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Miscellaneous simple classes ==
==================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
==================================================================
== Data Types ==
==================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type"> <xs:complexType name="MLStringType">
<xs:restriction base="xs:NMTOKEN"> <xs:simpleContent>
<xs:enumeration value="boolean"/> <xs:extension base="xs:string">
<xs:enumeration value="byte"/> <xs:attribute name="translation-id"
<xs:enumeration value="bytes"/> type="xs:string" use="optional"/>
<xs:enumeration value="character"/> <xs:attribute ref="xml:lang" />
<xs:enumeration value="date-time"/> </xs:extension>
<xs:enumeration value="integer"/> </xs:simpleContent>
<xs:enumeration value="ntpstamp"/> </xs:complexType>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/> <xs:complexType name="ExtensionType" mixed="true">
<xs:enumeration value="string"/> <xs:sequence>
<xs:enumeration value="file"/> <xs:any namespace="##any" processContents="lax"
<xs:enumeration value="path"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="frame"/> </xs:sequence>
<xs:enumeration value="packet"/> <xs:attribute name="dtype"
<xs:enumeration value="ipv4-packet"/> type="iodef:dtype-type" use="required"/>
<xs:enumeration value="ipv6-packet"/> <xs:attribute name="meaning"
<xs:enumeration value="url"/> type="xs:string"/>
<xs:enumeration value="csv"/> <xs:attribute name="formatid"
<xs:enumeration value="winreg"/> type="xs:string"/>
<xs:enumeration value="xml"/> <xs:attribute name="restriction"
<xs:enumeration value="ext-value"/> type="iodef:restriction-type"/>
</xs:restriction> <xs:attribute name="ext-restriction"
</xs:simpleType> type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="optional"/>
<xs:attribute name="proto-name"
type="xs:integer" use="optional"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
<!--
==================================================================
== Global attribute type declarations ==
==================================================================
-->
<xs:simpleType name="yes-no-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/>
<xs:enumeration value="public"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/>
<xs:enumeration value="white"/>
<xs:enumeration value="green"/>
<xs:enumeration value="amber"/>
<xs:enumeration value="red"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="redirect-traffic"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
<xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
9. Security Considerations 9. Security Considerations
The IODEF data model itself does not directly introduce security The IODEF data model itself does not directly introduce security
issues. Rather, it simply defines a representation for incident issues. Rather, it simply defines a representation for incident
information. As the data encoded by the IODEF might be considered information. As the data encoded by the IODEF might be considered
privacy sensitive by the parties exchanging the information or by privacy sensitive by the parties exchanging the information or by
those described by it, care needs to be taken in ensuring the those described by it, care needs to be taken in ensuring the
appropriate disclosure during both document exchange and subsequent appropriate disclosure during both document exchange and subsequent
processing. The former must be handled by a messaging format, but processing. The former must be handled by a messaging format, but
the latter risk must be addressed by the systems that process, store, the latter risk must be addressed by the systems that process, store,
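Review bot: In the BulkObservable type enumeration added on the new side, value="doman-name" is misspelled and should read "domain-name"; because Section 10 gives every enumerated schema value its own registry entry, the typo would be carried into the new BulkObservable-type registry. In the new ApplicationHeaderType, proto-name is declared type="xs:integer", which looks copied from proto; a protocol name would normally be an xs:string. Both proto and proto-name are now use="optional" where proto was previously required, so the schema no longer forces a header to identify its protocol at all. If one of the two must be present, state that in the text, since XSD 1.0 cannot express the constraint. In the new Observable element, ref="Reference" is the only reference without the iodef: prefix; confirm that it resolves as intended.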
skipping to change at page 155, line 10 skipping to change at page 162, line 10
The registries to be created are named in the table below in the The registries to be created are named in the table below in the
"Registry Name" column. The initial values for the Value and "Registry Name" column. The initial values for the Value and
Description fields of a given registry are listed in the "IV (Value)" Description fields of a given registry are listed in the "IV (Value)"
and "IV (Description)" columns respectively. The "IV (Value)" points and "IV (Description)" columns respectively. The "IV (Value)" points
to a given schema attribute or type per Section 8. Each enumerated to a given schema attribute or type per Section 8. Each enumerated
value in the schema gets a corresponding entry in a given registry. value in the schema gets a corresponding entry in a given registry.
The "IV (Description)" points to a section in the text of this The "IV (Description)" points to a section in the text of this
document. The initial value of the Reference field of every registry document. The initial value of the Reference field of every registry
entry described below should be this document. entry described below should be this document.
+--------------------------+------------------------+---------------+ +--------------------------+-----------------------+----------------+
| Registry Name | IV (Value) | IV | | Registry Name | IV (Value) | IV |
| | | (Description) | | | | (Description) |
+--------------------------+------------------------+---------------+ +--------------------------+-----------------------+----------------+
| Restriction | iodef-restriction-type | Section 3.3.1 | | Restriction | iodef-restriction- | Section 3.3.1 |
| | | | | | type | |
| Incident-purpose | Incident@purpose | Section 3.2 | | | | |
| | | | | Incident-purpose | Incident@purpose | Section 3.2 |
| Incident-status | Incident@status | Section 3.2 | | | | |
| | | | | Incident-status | Incident@status | Section 3.2 |
| Contact-role | Contact@role | Section 3.10 | | | | |
| | | | | Contact-role | Contact@role | Section 3.10 |
| Contact-type | Contact@type | Section 3.10 | | | | |
| | | | | Contact-type | Contact@type | Section 3.10 |
| RegistryHandle-registry | RegistryHandle@registr | Section | | | | |
| | y | 3.10.1 | | RegistryHandle-registry | RegistryHandle@regist | Section 3.10.1 |
| | | | | | ry | |
| Expectation-action | iodef:action-type | Section 3.17 | | | | |
| | | | | Expectation-action | iodef:action-type | Section 3.17 |
| Discovery-source | Discovery@source | Section 3.12 | | | | |
| | | | | Discovery-source | Discovery@source | Section 3.12 |
| SystemImpact-type | SystemImpact@type | Section | | | | |
| | | 3.14.1 | | SystemImpact-type | SystemImpact@type | Section 3.14.1 |
| | | | | | | |
| BusinessImpact-severity | BusinessImpact@severit | Section | | BusinessImpact-severity | BusinessImpact@severi | Section 3.14.2 |
| | y | 3.14.2 | | | ty | |
| | | | | | | |
| BusinessImpact-type | BusinessImpact@type | Section | | BusinessImpact-type | BusinessImpact@type | Section 3.14.2 |
| | | 3.14.2 | | | | |
| | | | | TimeImpact-metrics | TimeImpact@metric | Section 3.14.3 |
| TimeImpact-metrics | TimeImpact@metric | Section | | | | |
| | | 3.14.3 | | TimeImpact-duration | iodef:duration-type | Section 3.14.3 |
| | | | | | | |
| TimeImpact-duration | iodef:duration-type | Section | | NodeRole-category | NodeRole@category | Section 3.20.2 |
| | | 3.14.3 | | | | |
| | | | | System-category | System@category | Section 3.19 |
| NodeRole-category | NodeRole@category | Section | | | | |
| | | 3.20.2 | | System-ownership | System@ownership | Section 3.19 |
| | | | | | | |
| System-category | System@category | Section 3.19 | | Address-category | Address@category | Section 3.20.1 |
| | | | | | | |
| System-ownership | System@ownership | Section 3.19 | | Counter-type | Counter@type | Section 3.20.3 |
| | | | | | | |
| Address-category | Address@category | Section | | Counter-unit | Counter@unit | Section 3.20.3 |
| | | 3.20.1 | | | | |
| | | | | DomainData-system-status | DomainData@system- | Section 3.21 |
| Counter-type | Counter@type | Section | | | status | |
| | | 3.20.3 | | | | |
| | | | | DomainData-domain-status | DomainData@domain- | Section 3.21 |
| DomainData-system-status | DomainData@system- | Section 3.21 | | | status | |
| | status | | | | | |
| | | | | RelatedDNS-record-type | RelatedDNS@record- | Section 3.21.1 |
| DomainData-domain-status | DomainData@domain- | Section 3.21 | | | type | |
| | status | | | | | |
| | | | | RecordPattern-type | RecordPattern@type | Section 3.25.2 |
| RelatedDNS-record-type | RelatedDNS@record-type | Section | | | | |
| | | 3.21.1 | | RecordPattern-offsetunit | RecordPattern@offsetu | Section 3.25.2 |
| | | | | | nit | |
| RecordPattern-type | RecordPattern@type | Section | | | | |
| | | 3.25.2 | | Key-registryaction | Key@registryaction | Section 3.26.1 |
| | | | | | | |
| RecordPattern-offsetunit | RecordPattern@offsetun | Section | | HashData-scope | HashData@scope | Section 3.29 |
| | it | 3.25.2 | | | | |
| | | | | BulkObservable-type | BulkObservable@type | Section |
| Key-registryaction | Key@registryaction | Section | | | | 3.32.3.1 |
| | | 3.26.1 | | | | |
| | | | | AdditionalData-dtype | iodef:dtype-type | Section 3.9 |
| HashData-scope | HashData@scope | Section 3.29 | | | | |
| | | | | EmailHeaderField-proto- | iodef:proto-dtype- | Section 3.22.1 |
| AdditionalData-dtype | iodef:dtype-type | Section 3.9 | | dtype | type | |
| | | | +--------------------------+-----------------------+----------------+
| EmailHeaderField-proto- | iodef:proto-dtype-type | Section |
| dtype | | 3.22.1 |
+--------------------------+------------------------+---------------+
Table 1: IANA Enumerated Value Registries Table 1: IANA Enumerated Value Registries
11. Acknowledgments 11. Acknowledgments
The following groups and individuals, listed alphabetically, The following groups and individuals, listed alphabetically,
contributed substantially to this document and should be recognized contributed substantially to this document and should be recognized
for their efforts. for their efforts.
o Kathleen Moriarty, EMC Corporation o Kathleen Moriarty, EMC Corporation
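Review bot: The Restriction row gives its IV (Value) as iodef-restriction-type, while the other type-based rows use the prefixed form (iodef:action-type, iodef:duration-type, iodef:dtype-type, iodef:proto-dtype-type); the schema names the type restriction-type, so this cell should read iodef:restriction-type. The narrower Value column in the new table also breaks attribute names mid-token (RegistryHandle@regist / ry, BusinessImpact@severi / ty, RecordPattern@offsetu / nit), which makes them hard to search for. Widening that column by a few characters would keep each name on one line.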
 End of changes. 142 change blocks. 
2076 lines changed or deleted 2438 lines changed or added
