draft-ietf-mile-rfc5070-bis-12.txt   draft-ietf-mile-rfc5070-bis-13.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: December 20, 2015 June 18, 2015 Expires: December 22, 2015 June 20, 2015
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-12 draft-ietf-mile-rfc5070-bis-13
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for sharing information commonly exchanged by data representation for sharing information commonly exchanged by
Computer Security Incident Response Teams (CSIRTs) about computer Computer Security Incident Response Teams (CSIRTs) about computer
security incidents. This document describes the information model security incidents. This document describes the information model
for the IODEF and provides an associated data model specified with for the IODEF and provides an associated data model specified with
XML Schema. XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 20, 2015. This Internet-Draft will expire on December 22, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 49 skipping to change at page 3, line 49
3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 62 3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 62
3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 63 3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 63
3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 66 3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 66
3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 68 3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 68
3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 71 3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 71
3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 71 3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 71
3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 72 3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 72
3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 73 3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 73
3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 75 3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 75
3.22.2. Application Class . . . . . . . . . . . . . . . . . 76 3.22.2. Application Class . . . . . . . . . . . . . . . . . 76
3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 78 3.22.3. SoftwareReference Class . . . . . . . . . . . . . . 77
3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 78 3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 79
3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 79 3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 79
3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 79 3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 80
3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 81 3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 80
3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 82 3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 82
3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 83 3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 83
3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 83 3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 84
3.27. CertificateData Class . . . . . . . . . . . . . . . . . . 84 3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 84
3.27.1. Certificate Class . . . . . . . . . . . . . . . . . 85 3.27. CertificateData Class . . . . . . . . . . . . . . . . . . 85
3.28. FileData Class . . . . . . . . . . . . . . . . . . . . . 86 3.27.1. Certificate Class . . . . . . . . . . . . . . . . . 86
3.28.1. File Class . . . . . . . . . . . . . . . . . . . . . 86 3.28. FileData Class . . . . . . . . . . . . . . . . . . . . . 87
3.29. HashData Class . . . . . . . . . . . . . . . . . . . . . 88 3.28.1. File Class . . . . . . . . . . . . . . . . . . . . . 87
3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 89 3.29. HashData Class . . . . . . . . . . . . . . . . . . . . . 89
3.29.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 90 3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 90
3.30. SignatureData Class . . . . . . . . . . . . . . . . . . . 91 3.29.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91
3.31. IndicatorData Class . . . . . . . . . . . . . . . . . . . 91 3.30. SignatureData Class . . . . . . . . . . . . . . . . . . . 92
3.32. Indicator Class . . . . . . . . . . . . . . . . . . . . . 92 3.31. IndicatorData Class . . . . . . . . . . . . . . . . . . . 92
3.32.1. IndicatorID Class . . . . . . . . . . . . . . . . . 94 3.32. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93
3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . . 94 3.32.1. IndicatorID Class . . . . . . . . . . . . . . . . . 95
3.32.3. Observable Class . . . . . . . . . . . . . . . . . . 95 3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . . 95
3.32.4. IndicatorExpression Class . . . . . . . . . . . . . 100 3.32.3. Observable Class . . . . . . . . . . . . . . . . . . 96
3.32.5. ObservableReference Class . . . . . . . . . . . . . 102 3.32.4. IndicatorExpression Class . . . . . . . . . . . . . 101
3.32.6. IndicatorReference Class . . . . . . . . . . . . . . 102 3.32.5. ObservableReference Class . . . . . . . . . . . . . 103
4. Processing Considerations . . . . . . . . . . . . . . . . . . 103 3.32.6. IndicatorReference Class . . . . . . . . . . . . . . 103
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 103 4. Processing Considerations . . . . . . . . . . . . . . . . . . 104
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 103 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 104
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 104 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 104
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 105 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 105
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 106 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 106
5.1. Extending the Enumerated Values of Attributes . . . . . . 106 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 107
5.1.1. Private Extension of Enumerated Values . . . . . . . 106 5.1. Extending the Enumerated Values of Attributes . . . . . . 107
5.1.2. Public Extension of Enumerated Values . . . . . . . . 107 5.1.1. Private Extension of Enumerated Values . . . . . . . 107
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 107 5.1.2. Public Extension of Enumerated Values . . . . . . . . 108
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 109 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 108
6. Internationalization Issues . . . . . . . . . . . . . . . . . 109 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 110
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 111 6. Internationalization Issues . . . . . . . . . . . . . . . . . 110
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 111 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 112
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 112 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 112
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 114 7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 113
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 116 7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 115
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 117 7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 117
9. Security Considerations . . . . . . . . . . . . . . . . . . . 160 8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 118
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 160 9. Security Considerations . . . . . . . . . . . . . . . . . . . 162
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 161 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 162
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 161 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 163
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 163 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 163
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 164 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 165
12.1. Normative References . . . . . . . . . . . . . . . . . . 164 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 166
12.2. Informative References . . . . . . . . . . . . . . . . . 166 12.1. Normative References . . . . . . . . . . . . . . . . . . 166
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 167 12.2. Informative References . . . . . . . . . . . . . . . . . 168
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 169
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 17, line 44 skipping to change at page 17, line 44
2. in-progress. The contents of this document are under 2. in-progress. The contents of this document are under
investigation. investigation.
3. forwarded. The document has been forwarded to another party 3. forwarded. The document has been forwarded to another party
for handling. for handling.
4. resolved. The investigation into the activity in this 4. resolved. The investigation into the activity in this
document has concluded. document has concluded.
5. future. The . 5. future. The described activity is suspected to occur in the
future.
6. ext-value. An escape value used to extend this attribute. 6. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
ext-status ext-status
Optional. STRING. A means by which to extend the status Optional. STRING. A means by which to extend the status
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
xml:lang xml:lang
Optional. ENUM. A language identifier per Section 2.12 of Optional. ENUM. A language identifier per Section 2.12 of
skipping to change at page 67, line 46 skipping to change at page 67, line 46
ext-type ext-type
Optional. STRING. A means by which to extend the type attribute. Optional. STRING. A means by which to extend the type attribute.
See Section 5.1.1. See Section 5.1.1.
unit unit
Required. ENUM. Specifies the units of the element content. Required. ENUM. Specifies the units of the element content.
These values are maintained in the "Counter-unit" IANA registry These values are maintained in the "Counter-unit" IANA registry
per Table 1. per Table 1.
1. byte. Bytes. 1. byte. Bytes transferred.
2. mbit. Megabits (Mbits). 2. mbit. Megabits (Mbits) transfered.
3. packet. Packets. 3. packet. Packets.
4. flow. Network flow records. 4. flow. Network flow records.
5. session. Sessions. 5. session. Sessions.
6. alert. Notifications generated by another system (e.g., IDS 6. alert. Notifications generated by another system (e.g., IDS
or SIM). or SIM).
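Review bot: In the Counter unit list, the new description of value 2 (mbit) spells the word as "transfered", while value 1 (byte) in the same change has "transferred"; correct the spelling in value 2. The qualifier was also added only to byte and mbit, so packet, flow and session now read differently from their neighbours; either apply the same wording to every unit it fits or state the direction-neutral meaning once in the attribute description.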
skipping to change at page 75, line 46 skipping to change at page 75, line 46
corresponding to the application layer protocol whose field will corresponding to the application layer protocol whose field will
be represented. be represented.
field field
Required. STRING. The name of the protocol field whose value Required. STRING. The name of the protocol field whose value
will be found in the element body. will be found in the element body.
dtype dtype
Required. ENUM. The data type of the element content. The Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default permitted values for this attribute are shown below. The default
value is "string". value is "string". These values are maintained in the
"ApplicationHeader-proto-dtype" IANA registry per Table 1.
1. boolean. The element content is of type BOOLEAN. 1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE. 2. byte. The element content is of type BYTE.
3. bytes. The element content is of type HEXBIN. 3. bytes. The element content is of type HEXBIN.
4. character. The element content is of type CHARACTER. 4. character. The element content is of type CHARACTER.
5. date-time. The element content is of type DATETIME. 5. date-time. The element content is of type DATETIME.
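Review bot: The sentence added to the dtype attribute names the registry "ApplicationHeader-proto-dtype", but the attribute being described is dtype, and the other registries visible in this diff follow a Class-attribute pattern ("Counter-unit", "RecordPattern-type", "SoftwareReference-dtype"). Check the name against Table 1 and, unless "proto" is intentional, use "ApplicationHeader-dtype" so implementers can find the registry from the attribute name.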
skipping to change at page 76, line 40 skipping to change at page 76, line 42
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
Either the proto or proto-name attribute MUST be set. If both are Either the proto or proto-name attribute MUST be set. If both are
set, they MUST correspond to the same entry in the registry. set, they MUST correspond to the same entry in the registry.
3.22.2. Application Class 3.22.2. Application Class
The Application class describes an application running on a System The Application class describes a software application. It can be
providing a Service. described by using formal reference, a URL or with free-form text.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| STRING swid |<>--{0..1}--[ URL ] | |<>--{0..1}--[ SoftwareReference ]
| STRING configid | | |<>--{0..*}--[ URL ]
| STRING vendor | | |<>--{0..*}--[ Description ]
| STRING family |
| STRING name |
| STRING version |
| STRING patch |
+--------------------+ +--------------------+
Figure 43: The Application Class Figure 43: The Application Class
The aggregate class that constitute Application is: The aggregate classes that constitute Application:
SoftwareReference
Zero or one. Reference to a software application.
URL URL
Zero or one. URL. A URL describing the application. Zero or more. URL. A URL associated with the application.
The Application class has seven attributes: Description
Zero or more. ML_STRING. A free-form text description of this
application.
swid At least one of these classes MUST be present.
Optional. STRING. An identifier that can be used to reference
this software, where the default value is "0".
configid The Application class has no attributes.
Optional. STRING. An identifier that can be used to reference a
particular configuration of this software, where the default value
is "0".
vendor 3.22.3. SoftwareReference Class
Optional. STRING. Vendor name of the software.
family The Application class describes a software application. It can be
Optional. STRING. Family of the software. described by using formal reference, a URL or with free-form text.
name +----------------------+
Optional. STRING. Name of the software. | SoftwareReference |
+----------------------+
| ANY |
| |
| ENUM spec-name |
| STRING ext-spec-name |
| ENUM dtype |
| STRING enum-dtype |
+----------------------+
version Figure 44: The SoftwareReference Class
Optional. STRING. Version of the software.
patch The element body of this class varies according to the value of the
Optional. STRING. Patch or service pack level of the software. spec-name attribute.
The SoftwareReference class has four attributes:
spec-name
Required. ENUM. Identifies the format and semantics of the the
element body of this class. Formal standards and specifications
can be referenced as well as free-form description with user-
provided data-types. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Table 1
1. custom. The element content is of the type specified by the
dtype attribute. If this value is selected, then the dtype
attribute MUST be set.
2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry [fix me. reference].
3. swid. The element content describes a software identification
(SWID) tag per ISO/IEC 19770-2:2009 [fix me. reference].
4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-spec-name
Optional. STRING. A means by which to extend the spec-name
attribute. See Section 5.1.1.
dtype
Required. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the
"SoftwareReference-dtype" IANA registry per Table 1.
1. bytes. The element content is of type HEXBIN.
2. integer. The element content is of type INTEGER.
3. real. The element content is of type REAL.
4. string. The element content is of type STRING.
5. xml. The element content is XML. See Section 5.
6. ext-value. An escape value used to extend this attribute.
See Section 5.1.1.
ext-dtype
Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1.
3.23. OperatingSystem Class 3.23. OperatingSystem Class
The OperatingSystem class describes the operating system running on a The OperatingSystem class describes the operating system running on a
System. The definition is identical to the Application class System. The definition is identical to the Application class
(Section 3.22.2). (Section 3.22.2).
3.24. EmailData Class 3.24. EmailData Class
The EmailData class describes headers from an email message. Common The EmailData class describes headers from an email message. Common
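Review bot: The opening paragraph of the new Section 3.22.3 repeats the Application class description word for word ("The Application class describes a software application. ...") and never says what SoftwareReference is; replace it with a description of the class itself. Several details in the same section do not agree with each other. Figure 44 lists "STRING enum-dtype" while the attribute list defines "ext-dtype". dtype is marked Required with a default of "string", yet the custom value of spec-name says dtype MUST be set only when custom is selected, so either dtype is Optional with that condition or the condition is redundant. The spec-name registry is called "SoftwareReference-spec-id" although the attribute is spec-name. Smaller points in the spec-name text: "the the element body" has a doubled word, the registry sentence has no closing period after "Table 1", and both "[fix me. reference]" placeholders for CPE and SWID need real citations before the draft advances. Finally, Section 3.23 still defines OperatingSystem as identical to Application; confirm that this is still intended now that Application has no attributes and requires at least one of SoftwareReference, URL or Description.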
skipping to change at page 78, line 28 skipping to change at page 79, line 28
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| ID observable-id |<>--{0..1}--[ EmailFrom ] | ID observable-id |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..*}--[ HashData ] | |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ] | |<>--{0..*}--[ SignatureData ]
+-------------------------+ +-------------------------+
Figure 44: EmailData Class Figure 45: EmailData Class
The aggregate class that constitutes EmailData are: The aggregate class that constitutes EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322]. See Section 3.6.2 of [RFC5322].
EmailSubject EmailSubject
Zero or one. The value of the "Subject:" header field in an Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322]. email. See Section 3.6.4 of [RFC5322].
skipping to change at page 79, line 27 skipping to change at page 80, line 27
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------------+ +------------------------+
| Record | | Record |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 45: Record Class Figure 46: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has two attributes: The Record class has two attributes:
skipping to change at page 80, line 20 skipping to change at page 81, line 20
| ID observable-id |<>--{0..1}--[ Application ] | ID observable-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..*}--[ FileData ] | |<>--{0..*}--[ FileData ]
| |<>--{0..*}--[ CertificateData ] | |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}-- | |<>--{0..*}--
| | [ WindowsRegistryKeysModified ] | | [ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 46: The RecordData Class Figure 47: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
skipping to change at page 81, line 37 skipping to change at page 82, line 37
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 47: The RecordPattern Class Figure 48: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". These values are the element content. The default is "regex". These values are
maintained in the "RecordPattern-type" IANA registry per Table 1. maintained in the "RecordPattern-type" IANA registry per Table 1.
1. regex. regular expression as defined by POSIX Extended 1. regex. regular expression as defined by POSIX Extended
skipping to change at page 83, line 17 skipping to change at page 84, line 17
The WindowsRegistryKeysModified class describes Windows operating The WindowsRegistryKeysModified class describes Windows operating
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| ID observable-id |<>--{1..*}--[ Key ] | ID observable-id |<>--{1..*}--[ Key ]
+-----------------------------+ +-----------------------------+
Figure 48: The WindowsRegistryKeysModified Class Figure 49: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the WindowsRegistryKeysModified The aggregate class that constitutes the WindowsRegistryKeysModified
class is: class is:
Key Key
One or many. The Window registry key. One or many. The Window registry key.
The WindowsRegistryKeysModified class has one attribute: The WindowsRegistryKeysModified class has one attribute:
observable-id observable-id
skipping to change at page 83, line 43 skipping to change at page 84, line 43
registry key name and value pair, and the operation performed on it. registry key name and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id | | ID observable-id |
+---------------------------+ +---------------------------+
Figure 49: The Key Class Figure 50: The Key Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
skipping to change at page 84, line 48 skipping to change at page 85, line 48
The CertificateData class describes X.509 certificates. The CertificateData class describes X.509 certificates.
+------------------------+ +------------------------+
| CertificateData | | CertificateData |
+------------------------+ +------------------------+
| ID observable-id |<>--{1..*}--[ Certificate ] | ID observable-id |<>--{1..*}--[ Certificate ]
| ENUM restriction | | ENUM restriction |
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 50: The CertificateData Class Figure 51: The CertificateData Class
The aggregate classes that constitutes CertificateData are: The aggregate classes that constitutes CertificateData are:
Certificate Certificate
One or more. A certificate. One or more. A certificate.
The CertificateData class has three attributes: The CertificateData class has three attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
skipping to change at page 85, line 32 skipping to change at page 86, line 32
The Certificate class describes a given X.509 certificate or The Certificate class describes a given X.509 certificate or
certificate chain. certificate chain.
+--------------------------+ +--------------------------+
| Certificate | | Certificate |
+--------------------------+ +--------------------------+
| ENUM valid |<>----------[ ds: X509Data ] | ENUM valid |<>----------[ ds: X509Data ]
| ID observable-id | | ID observable-id |
+--------------------------+ +--------------------------+
Figure 51: The Certificate Class Figure 52: The Certificate Class
The aggregate classes that constitutes Certificate are: The aggregate classes that constitutes Certificate are:
ds:X509Data ds:X509Data
One. A given X.509 certificate or chain. See Section 4.4.4 of One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG]. [W3C.XMLSIG].
The Certificate class has one attribute: The Certificate class has one attribute:
valid valid
skipping to change at page 86, line 19 skipping to change at page 87, line 19
analysis of an incident. analysis of an incident.
+------------------------+ +------------------------+
| FileData | | FileData |
+------------------------+ +------------------------+
| ID observable-id |<>--{1..*}--[ File ] | ID observable-id |<>--{1..*}--[ File ]
| ENUM restriction | | ENUM restriction |
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 52: The FileData Class Figure 53: The FileData Class
The aggregate class that constitutes FileData is: The aggregate class that constitutes FileData is:
File File
One or more. A description of a file. One or more. A description of a file.
The FileData class has three attributes: The FileData class has three attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
skipping to change at page 87, line 18 skipping to change at page 88, line 18
| ID observable-id |<>--{0..1}--[ FileName ] | ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ] | |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ] | |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ] | |<>--{0..1}--[ SignatureData ]
| |<>--{0..1}--[ AssociatedSoftware ] | |<>--{0..1}--[ AssociatedSoftware ]
| |<>--{0..*}--[ FileProperties ] | |<>--{0..*}--[ FileProperties ]
+-----------------------+ +-----------------------+
Figure 53: The File Class Figure 54: The File Class
The aggregate classes that constitutes File are: The aggregate classes that constitutes File are:
FileName FileName
Zero or One. STRING. The name of the file. Zero or One. STRING. The name of the file.
FileSize FileSize
Zero or One. INTEGER. The size of the file in bytes. Zero or One. INTEGER. The size of the file in bytes.
FileType FileType
skipping to change at page 88, line 19 skipping to change at page 89, line 19
object (e.g., file, part of a file, email). object (e.g., file, part of a file, email).
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM scope |<>--{0..1}--[ HashTarget ] | ENUM scope |<>--{0..1}--[ HashTarget ]
| |<>--{0..*}--[ Hash ] | |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ] | |<>--{0..*}--[ FuzzyHash ]
+--------------------------+ +--------------------------+
Figure 54: The HashData Class Figure 55: The HashData Class
The aggregate classes that constitutes HashData are: The aggregate classes that constitutes HashData are:
HashTarget HashTarget
Zero or One. An identifier that references a a subset of the Zero or One. An identifier that references a a subset of the
object per the @scope attribute. object per the @scope attribute.
Hash Hash
Zero or more. The hash generated on the object. Zero or more. The hash generated on the object.
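Review bot: The HashTarget description in this hunk has a doubled article ("references a a subset"), carried unchanged from -12 into -13. Separately, the diagram gives Hash and FuzzyHash as {0..*} each, so a HashData element holding neither is valid as drawn. If at least one hash is expected, the text should say so. "The aggregate classes that constitutes" should read "constitute" here and in the other class descriptions that share the wording.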
skipping to change at page 90, line 14 skipping to change at page 91, line 14
+----------------+ +----------------+
| Hash | | Hash |
+----------------+ +----------------+
| |<>----------[ ds:DigestMethod ] | |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ] | |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ ds:CannonicalizationMethod ] | |<>--{0..1}--[ ds:CannonicalizationMethod ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+----------------+ +----------------+
Figure 55: The Hash Class Figure 56: The Hash Class
The aggregate classes that constitutes Hash are: The aggregate classes that constitutes Hash are:
ds:DigestMethod ds:DigestMethod
One. The hash algorithm used to generate the hash. See One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG] Section 4.3.3.5 of [W3C.XMLSIG]
ds:DigestValue ds:DigestValue
One. The computed hash value. See Section 4.3.3.6 of One. The computed hash value. See Section 4.3.3.6 of
[W3C.XMLSIG]. [W3C.XMLSIG].
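Review bot: The Hash diagram spells the third aggregate "ds:CannonicalizationMethod". The XML Signature element is ds:CanonicalizationMethod, with one "n", so an implementer copying the name from the figure gets an element that is not in the ds namespace. Both drafts carry the same spelling. The ds:DigestMethod entry is also missing the period after "[W3C.XMLSIG]" that the ds:DigestValue entry has.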
skipping to change at page 90, line 47 skipping to change at page 91, line 47
The FuzzyHash class describes a fuzzy hash (in an extensible way) and The FuzzyHash class describes a fuzzy hash (in an extensible way) and
the application used to generate it. the application used to generate it.
+--------------------------+ +--------------------------+
| FuzzyHash | | FuzzyHash |
+--------------------------+ +--------------------------+
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+--------------------------+ +--------------------------+
Figure 56: The FuzzyHash Class Figure 57: The FuzzyHash Class
The aggregate classes that constitutes FuzzyHash are: The aggregate classes that constitutes FuzzyHash are:
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
Application Application
Zero or One. The application used to calculate the hash. Zero or One. The application used to calculate the hash.
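Review bot: As drawn, FuzzyHash has no aggregate for the hash value itself, only AdditionalData {0..*} and Application {0..1}, so a FuzzyHash containing nothing is valid and carries no hash. If the value is meant to travel in AdditionalData, the multiplicity should be {1..*} and the AdditionalData description should say that it holds the fuzzy hash rather than repeating the generic "Mechanism by which to extend the data model".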
skipping to change at page 91, line 23 skipping to change at page 92, line 23
The SignatureData class describes different signatures on an given The SignatureData class describes different signatures on an given
object. object.
+--------------------------+ +--------------------------+
| SignatureData | | SignatureData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ ds:Signature ] | |<>--{1..*}--[ ds:Signature ]
+--------------------------+ +--------------------------+
Figure 57: The SignatureData Class Figure 58: The SignatureData Class
The aggregate classes that constitutes SignatureData are: The aggregate classes that constitutes SignatureData are:
Signature Signature
One or more. An given signature. See Section 4.2 of [W3C.XMLSIG] One or more. An given signature. See Section 4.2 of [W3C.XMLSIG]
The SignatureData class has no attribute: The SignatureData class has no attribute:
3.31. IndicatorData Class 3.31. IndicatorData Class
The IndicatorData class describes the indicators identified from The IndicatorData class describes the indicators identified from
analysis of an incident. analysis of an incident.
+--------------------------+ +--------------------------+
| IndicatorData | | IndicatorData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ Indicator ] | |<>--{1..*}--[ Indicator ]
+--------------------------+ +--------------------------+
Figure 58: The IndicatorData Class Figure 59: The IndicatorData Class
The aggregate class that constitutes IndicatorData is: The aggregate class that constitutes IndicatorData is:
Indicator Indicator
One or more. An indicator from the incident. One or more. An indicator from the incident.
The IndicatorData class has no attributes. The IndicatorData class has no attributes.
3.32. Indicator Class 3.32. Indicator Class
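Review bot: The SignatureData text has three wording slips that survive into -13: "an given object", "An given signature", and "The SignatureData class has no attribute:" ending in a colon with nothing after it (the IndicatorData text below uses "has no attributes."). The diagram names the aggregate ds:Signature while the list entry is headed "Signature"; use the prefixed name in both places, and close the entry with a period after "[W3C.XMLSIG]".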
skipping to change at page 92, line 32 skipping to change at page 93, line 32
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ] | |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ] | |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ] | |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ] | |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 59: The Indicator Class Figure 60: The Indicator Class
The aggregate classes that constitute Indicator are: The aggregate classes that constitute Indicator are:
IndicatorID IndicatorID
One. An identifier for this indicator. See Section 3.32.1 One. An identifier for this indicator. See Section 3.32.1
AlternativeIndicatorID AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See Zero or one. An alternative identifier for this indicator. See
Section 3.32.2 Section 3.32.2
skipping to change at page 94, line 24 skipping to change at page 95, line 24
+------------------+ +------------------+
| IndicatorID | | IndicatorID |
+------------------+ +------------------+
| ID | | ID |
| | | |
| STRING name | | STRING name |
| STRING version | | STRING version |
+------------------+ +------------------+
Figure 60: The IndicatorID Class Figure 61: The IndicatorID Class
The IndicatorID class has two attributes: The IndicatorID class has two attributes:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the indicator. In order to have a globally unique CSIRT created the indicator. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. This format is identical to the IncidentID@name MUST be used. This format is identical to the IncidentID@name
attribute in Section 3.4. attribute in Section 3.4.
skipping to change at page 94, line 50 skipping to change at page 95, line 50
The AlternativeIndicatorID class lists alternative identifiers for an The AlternativeIndicatorID class lists alternative identifiers for an
indicator. indicator.
+-------------------------+ +-------------------------+
| AlternativeIndicatorID | | AlternativeIndicatorID |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ] | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| STRING ext-restriction | | STRING ext-restriction |
+-------------------------+ +-------------------------+
Figure 61: The AlternativeIndicatorID Class Figure 62: The AlternativeIndicatorID Class
The aggregate class that constitutes AlternativeIndicatorID is: The aggregate class that constitutes AlternativeIndicatorID is:
IndicatorReference IndicatorReference
One or more. A reference to an indicator. One or more. A reference to an indicator.
The AlternativeIndicatorID class has two attributes: The AlternativeIndicatorID class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
skipping to change at page 95, line 36 skipping to change at page 96, line 36
| Observable | | Observable |
+-------------------+ +-------------------+
| |<>--{0..1}--[ Address ] | |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ] | |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ ApplicationHeader ] | |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ] | |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ] | |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ] | |<>--{0..1}--[ CertificateData ]
| |<>--{0..1]--[ RegistryHandle ]
| |<>--{0..1}--[ RecordData ] | |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..*}--[ Reference ] | |<>--{0..*}--[ Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ] | |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 62: The Observable Class Figure 63: The Observable Class
The aggregate classes that constitute Observable are: The aggregate classes that constitute Observable are:
Address Address
Zero or One. An Address observable. See Section 3.20.1. Zero or One. An Address observable. See Section 3.20.1.
DomainData DomainData
Zero or One. A DomainData observable. See Section 3.21. Zero or One. A DomainData observable. See Section 3.21.
Service Service
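Review bot: The RegistryHandle row added to the Observable diagram in -13 closes its multiplicity with a square bracket, "{0..1]", where every other row uses "{0..1}". Fix the bracket so the figure stays consistent and any tooling that reads the multiplicities does not trip on it.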
skipping to change at page 96, line 28 skipping to change at page 97, line 29
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or One. A WindowsRegistryKeysModified observable. See Zero or One. A WindowsRegistryKeysModified observable. See
Section 3.26. Section 3.26.
FileData FileData
Zero or One. A FileData observable. See Section 3.28. Zero or One. A FileData observable. See Section 3.28.
CertificateData CertificateData
Zero or One. A CertificateData observable. See Section 3.27. Zero or One. A CertificateData observable. See Section 3.27.
RegistryHandle
Zero or One. A RegistryHandle observable. See Section 3.10.1.
RecordData RecordData
Zero or One. A RecordData observable. See Section 3.25.1. Zero or One. A RecordData observable. See Section 3.25.1.
EventData EventData
Zero or One. An EventData observable. See Section 3.16. Zero or One. An EventData observable. See Section 3.16.
Incident Incident
Zero or One. An Incident observable. See Section 3.2. Zero or One. An Incident observable. See Section 3.2.
EventData EventData
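Review bot: The entry heading that follows Incident at the end of this hunk reads "EventData" a second time, although EventData is already described two entries earlier and the Observable diagram lists Expectation after Incident. The heading should presumably be Expectation. Worth fixing while this list is being edited to add RegistryHandle.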
skipping to change at page 97, line 32 skipping to change at page 98, line 37
meta-data. meta-data.
+---------------------------+ +---------------------------+
| BulkObservable | | BulkObservable |
+---------------------------+ +---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ] | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ] | STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 63: The BulkObservable Class Figure 64: The BulkObservable Class
The aggregate classes that constitutes BulkObservable are: The aggregate classes that constitutes BulkObservable are:
BulkObservableFormat BulkObservableFormat
Zero or one. Provides additional meta-data about the observables Zero or one. Provides additional meta-data about the observables
enumerated in the BulkObservableList class. enumerated in the BulkObservableList class.
BulkObservableList BulkObservableList
One. STRING. A list of observables, one per line. Each line is One. STRING. A list of observables, one per line. Each line is
seperated with either a CR or CR-and-LF. The type attribute will seperated with either a CR or CR-and-LF. The type attribute will
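Review bot: The BulkObservableList description misspells "separated" as "seperated", and it allows "either a CR or CR-and-LF" as the line separator. A bare LF, which is what most Unix-generated lists contain, is not permitted by that wording. Confirm whether LF was intended instead of CR, since a parser written to the text as it stands will treat an LF-only list as a single line.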
skipping to change at page 100, line 19 skipping to change at page 101, line 24
The ObservableFormat class specifies meta-data about the format of an The ObservableFormat class specifies meta-data about the format of an
observable enumerated in a sibling BulkObservableList class. observable enumerated in a sibling BulkObservableList class.
+---------------------------+ +---------------------------+
| BulkObservableFormat | | BulkObservableFormat |
+---------------------------+ +---------------------------+
| |<>--{0..1}--[ Hash ] | |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 64: The BulkObservableFormat Class Figure 65: The BulkObservableFormat Class
The aggregate classes that constitutes BulkObservableFormat are: The aggregate classes that constitutes BulkObservableFormat are:
Hash Hash
Zero or one. Describes the format of a hash. Zero or one. Describes the format of a hash.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
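Review bot: The opening sentence of this hunk calls the class "ObservableFormat", but the diagram, the figure caption and the following sentence all call it BulkObservableFormat. Use the one name throughout. The Hash entry ("Describes the format of a hash") would also benefit from a section reference, as the AdditionalData entry has.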
skipping to change at page 101, line 15 skipping to change at page 102, line 15
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 65: The IndicatorExpression Class Figure 66: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are: The aggregate classes that constitute IndicatorExpression are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. indicators.
Observable Observable
Zero or more. A description of an observable. Zero or more. A description of an observable.
skipping to change at page 102, line 20 skipping to change at page 103, line 20
This class has no content. This class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 66: The ObservableReference Class Figure 67: The ObservableReference Class
The ObservableReference class has one attributes: The ObservableReference class has one attributes:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in the observable-id attribute.
3.32.6. IndicatorReference Class 3.32.6. IndicatorReference Class
skipping to change at page 102, line 45 skipping to change at page 103, line 45
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 67: The IndicatorReference Class Figure 68: The IndicatorReference Class
The IndicatorReference class has one attributes: The IndicatorReference class has one attributes:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class. class will have this identifier set in the IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
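Review bot: The sentence "The IndicatorReference class has one attributes:" does not match the diagram directly above it, which lists three (uid-ref, euid-ref and version), and the list itself goes on to describe euid-ref. Change the count to three and fix the plural. The same "one attributes" wording appears in the ObservableReference text in the previous hunk.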
skipping to change at page 117, line 39 skipping to change at page 118, line 39
</Flow> </Flow>
<!-- Expectation class recommends that these networks <!-- Expectation class recommends that these networks
be filtered --> be filtered -->
<Expectation action="block-host" /> <Expectation action="block-host" />
</EventData> </EventData>
</Incident> </Incident>
</IODEF-Document> </IODEF-Document>
8. The IODEF Schema 8. The IODEF Schema
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0" xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
xmlms:xml="http://www.w3c.org/XML/1998/namespace" xmlms:xml="http://www.w3c.org/XML/1998/namespace"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="qualified" elementFormDefault="qualified"
attributeFormDefault="unqualified"> attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3c.org/XML/1998/namespace" <xs:import namespace="http://www.w3c.org/XML/1998/namespace"
schemaLocation="http://www.w3c.org/2001/xml.xsd"> schemaLocation="http://www.w3c.org/2001/xml.xsd">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0" <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
schemaLocation="http://www.iana.org/assignments/xml- schemaLocation="http://www.iana.org/assignments/xml-registry/schema/iodef-enum-1.0.xsd" />
registry/schema/iodef-enum-1.0.xsd" /> <xs:annotation>
<xs:annotation> <xs:documentation>
<xs:documentation> Incident Object Description Exchange Format v2.0, RFC5070-bis
Incident Object Description Exchange Format v2.0, RFC5070-bis </xs:documentation>
</xs:documentation> </xs:annotation>
</xs:annotation>
<!--
==================================================================
== IODEF-Document class ==
==================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident"
maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version"
type="xs:string" fixed="2.00"/>
<xs:attribute ref="xml:lang" />
<xs:attribute name="format-id"
type="xs:string" use="optional"/>
<xs:attribute name="private-enum-name"
type="xs:string" use="optional"/>
<xs:attribute name="private-enum-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
=== Incident class ===
==================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID"
minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" <!--
minOccurs="0"/> ==================================================================
<xs:element ref="iodef:StartTime" == IODEF-Document class ==
minOccurs="0"/> ==================================================================
<xs:element ref="iodef:EndTime" -->
minOccurs="0"/> <xs:element name="IODEF-Document">
<xs:element ref="iodef:RecoveryTime" <xs:complexType>
minOccurs="0"/> <xs:sequence>
<xs:element ref="iodef:ReportTime"/> <xs:element ref="iodef:Incident"
<xs:element ref="iodef:GenerationTime" maxOccurs="unbounded"/>
minOccurs="0"/> <xs:element ref="iodef:AdditionalData"
<xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:sequence>
<xs:element ref="iodef:Discovery" <xs:attribute name="version"
minOccurs="0" maxOccurs="unbounded"/> type="xs:string" fixed="2.00"/>
<xs:element ref="iodef:Assessment" <xs:attribute ref="xml:lang" />
maxOccurs="unbounded"/> <xs:attribute name="format-id"
<xs:element ref="iodef:Method" type="xs:string" use="optional"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:attribute name="private-enum-name"
<xs:element ref="iodef:Contact" type="xs:string" use="optional"/>
maxOccurs="unbounded"/> <xs:attribute name="private-enum-id"
<xs:element ref="iodef:EventData" type="xs:string" use="optional"/>
minOccurs="0" maxOccurs="unbounded"/> </xs:complexType>
<xs:element ref="iodef:History" </xs:element>
minOccurs="0"/> <!--
<xs:element ref="iodef:AdditionalData" ==================================================================
minOccurs="0" maxOccurs="unbounded"/> === Incident class ===
</xs:sequence> ==================================================================
<xs:attribute name="purpose" use="required"> -->
<xs:simpleType> <xs:element name="Incident">
<xs:restriction base="xs:NMTOKEN"> <xs:complexType>
<xs:enumeration value="traceback"/> <xs:sequence>
<xs:enumeration value="mitigation"/> <xs:element ref="iodef:IncidentID"/>
<xs:enumeration value="reporting"/> <xs:element ref="iodef:AlternativeID"
<xs:enumeration value="watch" /> minOccurs="0"/>
<xs:enumeration value="other"/> <xs:element ref="iodef:RelatedActivity"
<xs:enumeration value="ext-value"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:restriction> <xs:element ref="iodef:DetectTime"
</xs:simpleType> minOccurs="0"/>
</xs:attribute> <xs:element ref="iodef:StartTime"
<xs:attribute name="ext-purpose" minOccurs="0"/>
type="xs:string" use="optional"/> <xs:element ref="iodef:EndTime"
<xs:attribute name="status"> minOccurs="0"/>
<xs:simpleType> <xs:element ref="iodef:RecoveryTime"
<xs:restriction base="xs:NMTOKEN"> minOccurs="0"/>
<xs:enumeration value="new"/> <xs:element ref="iodef:ReportTime"/>
<xs:enumeration value="in-progress"/> <xs:element ref="iodef:GenerationTime"
<xs:enumeration value="forwarded"/> minOccurs="0"/>
<xs:enumeration value="resolved" /> <xs:element ref="iodef:Description"
<xs:enumeration value="future"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="ext-value"/> <xs:element ref="iodef:Discovery"
</xs:restriction> minOccurs="0" maxOccurs="unbounded"/>
</xs:simpleType> <xs:element ref="iodef:Assessment"
</xs:attribute> maxOccurs="unbounded"/>
<xs:attribute name="ext-status" <xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="status">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved" />
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" />
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="private"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
==================================================================
== IncidentID class ==
==================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" /> <xs:attribute name="restriction"
<xs:attribute name="restriction" type="iodef:restriction-type"
type="iodef:restriction-type" default="public"/>
default="private"/> <xs:attribute name="ext-restriction"
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" </xs:extension>
type="xs:ID" use="optional"/> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<!--
==================================================================
== IncidentID class ==
==================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"
default="public"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!-- <!--
================================================================== ==================================================================
== AlternativeID class == == AlternativeID class ==
================================================================== ==================================================================
--> -->
<xs:element name="AlternativeID"> <xs:element name="AlternativeID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== RelatedActivity class == == RelatedActivity class ==
================================================================== ==================================================================
--> -->
<xs:element name="RelatedActivity"> <xs:element name="RelatedActivity">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor" <xs:element ref="iodef:ThreatActor"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign" <xs:element ref="iodef:Campaign"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Confidence" <xs:element ref="iodef:Confidence"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== ThreatActor class == == ThreatActor class ==
================================================================== ==================================================================
--> -->
<xs:element name="ThreatActor"> <xs:element name="ThreatActor">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:choice>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ThreatActorID" /> <xs:element ref="iodef:ThreatActorID" />
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="ThreatActorID" type="xs:string"/> <xs:element name="ThreatActorID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== Campaign class == == Campaign class ==
================================================================== ==================================================================
--> -->
<xs:element name="Campaign"> <xs:element name="Campaign">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:choice>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:CampaignID"/> <xs:element ref="iodef:CampaignID"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="CampaignID" type="xs:string"/> <xs:element name="CampaignID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== AdditionalData class == == AdditionalData class ==
================================================================== ==================================================================
--> -->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/> <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
== Contact class == == Contact class ==
================================================================== ==================================================================
--> -->
<xs:element name="Contact"> <xs:element name="Contact">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ContactName" <xs:element ref="iodef:ContactName"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ContactTitle" <xs:element ref="iodef:ContactTitle"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle" <xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress" <xs:element ref="iodef:PostalAddress"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Email" <xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone" <xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax" <xs:element ref="iodef:Fax"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Timezone" <xs:element ref="iodef:Timezone"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="role" use="required"> <xs:attribute name="role" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/> <xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/> <xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/> <xs:enumeration value="admin"/>
<xs:enumeration value="tech"/> <xs:enumeration value="tech"/>
<xs:enumeration value="provider"/> <xs:enumeration value="provider"/>
<xs:enumeration value="zone"/> <xs:enumeration value="zone"/>
<xs:enumeration value="user"/> <xs:enumeration value="user"/>
<xs:enumeration value="billing"/> <xs:enumeration value="billing"/>
<xs:enumeration value="legal"/> <xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/> <xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/> <xs:enumeration value="irt"/>
<xs:enumeration value="cc"/> <xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/> <xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/> <xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/> <xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/> <xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/> <xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/> <xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-role" <xs:attribute name="ext-role"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/> <xs:enumeration value="person"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="ContactName" <xs:element name="ContactName"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="ContactTitle" <xs:element name="ContactTitle"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="RegistryHandle"> <xs:element name="RegistryHandle">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="registry"> <xs:attribute name="registry">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/> <xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/> <xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/> <xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/> <xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/> <xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/> <xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/> <xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-registry" <xs:attribute name="ext-registry"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="PostalAddress"> <xs:element name="PostalAddress">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/> <xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/> <xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/> <xs:element name="Fax" type="iodef:ContactMeansType"/>
<xs:complexType name="ContactMeansType"> <xs:complexType name="ContactMeansType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<!-- <!--
================================================================== ==================================================================
== Time-based classes == == Time-based classes ==
================================================================== ==================================================================
--> -->
<xs:element name="DateTime" <xs:element name="DateTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="ReportTime" <xs:element name="ReportTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="DetectTime" <xs:element name="DetectTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="StartTime" <xs:element name="StartTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="EndTime" <xs:element name="EndTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="RecoveryTime" <xs:element name="RecoveryTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="GenerationTime" <xs:element name="GenerationTime"
type="xs:dateTime"/> type="xs:dateTime"/>
<xs:element name="Timezone" <xs:element name="Timezone"
type="iodef:TimezoneType"/> type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType"> <xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/> <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
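Review bot: The TimezoneType pattern accepts offsets that lie outside the range XML Schema allows for a timezone. With `1[0-4]` for the hour and `[0-5][0-9]` for the minutes, values such as +14:59 or -14:30 validate, while an xs:dateTime timezone offset is limited to 14:00 in either direction. Suggest tightening the pattern so that hour 14 only pairs with minutes 00, for example `Z|[\+\-]((0[0-9]|1[0-3]):[0-5][0-9]|14:00)`, or stating in the text that consumers must reject larger offsets themselves.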
<!-- <!--
================================================================== ==================================================================
== History class == == History class ==
================================================================== ==================================================================
--> -->
<xs:element name="History"> <xs:element name="History">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:HistoryItem" <xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="HistoryItem"> <xs:element name="HistoryItem">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime"/> <xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA" <xs:element name="DefinedCOA"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" use="required"/> type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Expectation class == == Expectation class ==
================================================================== ==================================================================
--> -->
<xs:element name="Expectation"> <xs:element name="Expectation">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA" <xs:element name="DefinedCOA"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" default="other"/> type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Discovery class == == Discovery class ==
================================================================== ==================================================================
--> -->
<xs:element name="Discovery"> <xs:element name="Discovery">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern" <xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="source" <xs:attribute name="source"
use="optional" default="unknown"> use="optional" default="unknown">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/> <xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/> <xs:enumeration value="hips"/>
<xs:enumeration value="siem"/> <xs:enumeration value="siem"/>
<xs:enumeration value="av"/> <xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/> <xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/> <xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/> <xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/> <xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/> <xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/> <xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/> <xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/> <xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/> <xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/> <xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/> <xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/> <xs:enumeration value="leo"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
<xs:enumeration value="actor"/> <xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-source" <xs:attribute name="ext-source"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DetectionPattern"> <xs:element name="DetectionPattern">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Application"/> <xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration" <xs:element name="DetectionConfiguration"
type="xs:string" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Method class == == Method class ==
================================================================== ==================================================================
--> -->
<xs:element name="Method"> <xs:element name="Method">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/> <xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/> <xs:element ref="iodef:Description"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Reference class == == Reference class ==
================================================================== ==================================================================
--> -->
<xs:element name="Reference"> <xs:element name="Reference">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="enum:ReferenceName" <xs:element ref="enum:ReferenceName"
minOccurs="0" /> minOccurs="0" />
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Assessment class == == Assessment class ==
================================================================== ==================================================================
--> -->
<xs:element name="Assessment"> <xs:element name="Assessment">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="IncidentCategory" <xs:element name="IncidentCategory"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:SystemImpact"/> <xs:element ref="iodef:SystemImpact"/>
<xs:element name="BusinessImpact" <xs:element name="BusinessImpact"
type="iodef:BusinessImpactType" /> type="iodef:BusinessImpactType" />
<xs:element ref="iodef:TimeImpact"/> <xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/> <xs:element ref="iodef:MonetaryImpact"/>
<xs:element name="IntendedImpact" <xs:element name="IntendedImpact"
type="iodef:BusinessImpactType"/> type="iodef:BusinessImpactType"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="MitigatingFactor" <xs:element name="MitigatingFactor"
type="iodef:MLStringType" type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="occurrence"> <xs:attribute name="occurrence">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/> <xs:enumeration value="actual"/>
<xs:enumeration value="potential"/> <xs:enumeration value="potential"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="SystemImpact"> <xs:element name="SystemImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="completion"> <xs:attribute name="completion">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/> <xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/> <xs:enumeration value="succeeded"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="type" <xs:attribute name="type"
use="optional"> use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/> <xs:enumeration value="admin"/>
<xs:enumeration value="takeover-account"/> <xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/> <xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/> <xs:enumeration value="takeover-system"/>
<xs:enumeration value="cps-manipulation"/> <xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/> <xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/> <xs:enumeration value="availability-data"/>
<xs:enumeration value="availibility-account"/> <xs:enumeration value="availibility-account"/>
<xs:enumeration value="availibility-service"/> <xs:enumeration value="availibility-service"/>
<xs:enumeration value="availibility-system"/> <xs:enumeration value="availibility-system"/>
<xs:enumeration value="damaged-system"/> <xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/> <xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/> <xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/> <xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/> <xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/> <xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/> <xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/> <xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/> <xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/> <xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/> <xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/> <xs:enumeration value="policy"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
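Review bot: In the SystemImpact type enumeration, three values are spelled "availibility-" (availibility-account, availibility-service, availibility-system) while the value directly above them is "availability-data". Both columns carry the same spelling, so -13 keeps it. Enumeration values are matched literally, so an implementation that emits the correctly spelled form fails validation against this schema, and fixing the spelling later changes the wire format. Suggest correcting the three values to "availability-..." before publication.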
<xs:complexType name="BusinessImpactType"> <xs:complexType name="BusinessImpactType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
use="optional"> use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/> <xs:enumeration value="none"/>
<xs:enumeration value="low"/> <xs:enumeration value="low"/>
<xs:enumeration value="medium"/> <xs:enumeration value="medium"/>
<xs:enumeration value="high"/> <xs:enumeration value="high"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-severity" <xs:attribute name="ext-severity"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" <xs:attribute name="type"
use="optional"> use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/> <xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/> <xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/> <xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/> <xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" /> <xs:enumeration value="loss-of-service" />
<xs:enumeration value="theft-financial"/> <xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/> <xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/> <xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/> <xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/> <xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/> <xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/> <xs:enumeration value="extortion"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:element name="TimeImpact"> <xs:element name="TimeImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="metric" <xs:attribute name="metric"
use="required"> use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/> <xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/> <xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/> <xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="MonetaryImpact"> <xs:element name="MonetaryImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="currency" <xs:attribute name="currency"
type="xs:string"/> type="xs:string"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Confidence"> <xs:element name="Confidence">
<xs:complexType mixed="true"> <xs:complexType mixed="true">
<xs:attribute name="rating" use="required"> <xs:attribute name="rating" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/> <xs:enumeration value="low"/>
<xs:enumeration value="medium"/> <xs:enumeration value="medium"/>
<xs:enumeration value="high"/> <xs:enumeration value="high"/>
<xs:enumeration value="numeric"/> <xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== EventData class == == EventData class ==
================================================================== ==================================================================
--> -->
<xs:element name="EventData"> <xs:element name="EventData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" <xs:element ref="iodef:DetectTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" <xs:element ref="iodef:RecoveryTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:ReportTime" <xs:element ref="iodef:ReportTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery" <xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" <xs:element ref="iodef:Assessment"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Method" <xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow" <xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation" <xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record" <xs:element ref="iodef:Record"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="default"/> default="default"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Flow class == == Flow class ==
================================================================== ==================================================================
--> -->
<!-- Added System unbounded for use only when the source or <!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry target watchlist is in use, otherwise only one system entry
is expected. is expected.
--> -->
<xs:element name="Flow"> <xs:element name="Flow">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:System" <xs:element ref="iodef:System"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== System class == == System class ==
================================================================== ==================================================================
--> -->
<xs:element name="System"> <xs:element name="System">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/> <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:NodeRole" <xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Service" <xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem" <xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID" type="xs:string" <xs:element name="AssetID" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="category"> <xs:attribute name="category">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/> <xs:enumeration value="source"/>
<xs:enumeration value="target"/> <xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/> <xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/> <xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/> <xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="interface" <xs:attribute name="interface"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type" <xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" /> default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type" <xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/> use="optional" default="unknown"/>
<xs:attribute name="ownership"> <xs:attribute name="ownership">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="personal"/> <xs:enumeration value="personal"/>
<xs:enumeration value="partner"/> <xs:enumeration value="partner"/>
<xs:enumeration value="customer"/> <xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/> <xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-ownership" <xs:attribute name="ext-ownership"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
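Review bot: In the System element, the `spoofed` and `virtual` attributes reference `type="yes-no-unknown-type"` without the `iodef:` prefix that the other type references in this element carry (`iodef:restriction-type`, for example). The unprefixed name resolves only if the schema's default namespace is the IODEF target namespace, which these lines do not show; writing `type="iodef:yes-no-unknown-type"` removes that dependency. The two declarations also differ in form: `virtual` states `use="optional"` next to its default while `spoofed` does not, and one form should be used for both.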
<!-- <!--
================================================================== ==================================================================
== Node class == == Node class ==
================================================================== ==================================================================
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:Address" <xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:PostalAddress" <xs:element ref="iodef:PostalAddress"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Location" <xs:element ref="iodef:Location"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:NodeRole" <xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Address"> <xs:element name="Address">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr"> <xs:attribute name="category" default="ipv4-addr">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/> <xs:enumeration value="asn"/>
<xs:enumeration value="atm"/> <xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/> <xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/> <xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/> <xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/> <xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" <xs:attribute name="vlan-name"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="vlan-num" <xs:attribute name="vlan-num"
type="xs:integer"/> type="xs:integer"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole"> <xs:element name="NodeRole">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required"> <xs:attribute name="category" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/> <xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/> <xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/> <xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/> <xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/> <xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/> <xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/> <xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/> <xs:enumeration value="server-public"/>
<xs:enumeration value="www"/> <xs:enumeration value="www"/>
<xs:enumeration value="mail"/> <xs:enumeration value="mail"/>
<xs:enumeration value="webmail" /> <xs:enumeration value="webmail" />
<xs:enumeration value="messaging"/> <xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/> <xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/> <xs:enumeration value="voice"/>
<xs:enumeration value="file"/> <xs:enumeration value="file"/>
<xs:enumeration value="ftp"/> <xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/> <xs:enumeration value="p2p"/>
<xs:enumeration value="name"/> <xs:enumeration value="name"/>
<xs:enumeration value="directory"/> <xs:enumeration value="directory"/>
<xs:enumeration value="credential"/> <xs:enumeration value="credential"/>
<xs:enumeration value="print"/> <xs:enumeration value="print"/>
<xs:enumeration value="application"/> <xs:enumeration value="application"/>
<xs:enumeration value="database"/> <xs:enumeration value="database"/>
<xs:enumeration value="backup"/> <xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/> <xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/> <xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/> <xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/> <xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/> <xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/> <xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/> <xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/> <xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/> <xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/> <xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/> <xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/> <xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/> <xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/> <xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/> <xs:enumeration value="pos"/>
<xs:enumeration value="scada"/> <xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/> <xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/> <xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/> <xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/> <xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/> <xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/> <xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/> <xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/> <xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/> <xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/> <xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/> <xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/> <xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/> <xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" /> <xs:attribute ref="xml:lang" />
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Service Class == == Service Class ==
================================================================== ==================================================================
--> -->
<xs:element name="Service"> <xs:element name="Service">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="ServiceName" <xs:element name="ServiceName"
type="xs:string" minOccurs="0"/> type="xs:string" minOccurs="0"/>
<xs:choice minOccurs="0"> <xs:choice minOccurs="0">
<xs:element name="Port" <xs:element name="Port"
type="xs:integer"/> type="xs:integer"/>
<xs:element name="Portlist" <xs:element name="Portlist"
type="iodef:PortlistType"/> type="iodef:PortlistType"/>
</xs:choice> </xs:choice>
<xs:element name="ProtoType" <xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode" <xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField" <xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/> type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader" <xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType" type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="EmailData" minOccurs="0"/> <xs:element ref="EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="ip-protocol" <xs:attribute name="ip-protocol"
type="xs:integer" use="required"/> type="xs:integer" use="required"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="PortlistType"> <xs:simpleType name="PortlistType">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
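Review bot: `Port` in the Service element is a bare `xs:integer`, and the PortlistType pattern `\d+(\-\d+)?(,\d+(\-\d+)?)*` constrains only the shape of the list, so a negative or oversized Port, Portlist entries above 65535, and reversed ranges such as `90-80` all pass schema validation. Suggest a restricted integer type with `minInclusive` and `maxInclusive` for `Port` (and likewise for the required `ip-protocol` attribute), plus a sentence in the text saying that consumers must range-check Portlist entries, since a pattern facet cannot express that bound.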
<!-- <!--
================================================================== ==================================================================
== Counter class == == Counter class ==
================================================================== ==================================================================
--> -->
<xs:element name="Counter"> <xs:element name="Counter">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:double"> <xs:extension base="xs:double">
<xs:attribute name="type" use="required" <xs:attribute name="type" use="required"
default="counter"> default="counter">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="counter"/> <xs:enumeration value="counter"/>
<xs:enumeration value="rate"/> <xs:enumeration value="rate"/>
<xs:enumeration value="average"/> <xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="unit" use="required"> <xs:attribute name="unit" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/> <xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/> <xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/> <xs:enumeration value="packet"/>
<xs:enumeration value="flow"/> <xs:enumeration value="flow"/>
<xs:enumeration value="session"/> <xs:enumeration value="session"/>
<xs:enumeration value="event"/> <xs:enumeration value="event"/>
<xs:enumeration value="alert"/> <xs:enumeration value="alert"/>
<xs:enumeration value="message"/> <xs:enumeration value="message"/>
<xs:enumeration value="host"/> <xs:enumeration value="host"/>
<xs:enumeration value="site"/> <xs:enumeration value="site"/>
<xs:enumeration value="organization"/> <xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration" <xs:attribute name="ext-duration"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
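Review bot: The `type` attribute of Counter is declared with both `use="required"` and `default="counter"`, which XML Schema does not permit: when `default` is present, `use` has to be `optional` or omitted. A conforming schema processor will reject the schema at this declaration. Either drop the default and keep the attribute required, or drop `use="required"`; the declaration is identical in both versions shown, so this revision did not touch it.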
<!-- <!--
================================================================== ==================================================================
== EmailData class == == EmailData class ==
================================================================== ==================================================================
--> -->
<xs:element name="EmailData"> <xs:element name="EmailData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="EmailFrom" <xs:element name="EmailFrom"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailX-Mailer" <xs:element name="EmailX-Mailer"
type="iodef:MLStringType" minOccurs="0"/> type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="EmailHeaderField" <xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType" type="iodef:ApplicationHeaderType"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:HashData" <xs:element ref="iodef:HashData"
minOccurs="0" /> minOccurs="0" />
<xs:element ref="SignatureData" <xs:element ref="SignatureData"
minOccurs="0" /> minOccurs="0" />
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== DomainData class - from RFC5901 == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
--> -->
<xs:element name="DomainData"> <xs:element name="DomainData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Name" <xs:element name="Name"
type="xs:string" maxOccurs="1" /> type="xs:string" maxOccurs="1" />
<xs:element name="DateDomainWasChecked" <xs:element name="DateDomainWasChecked"
type="xs:dateTime" type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RegistrationDate" <xs:element name="RegistrationDate"
type="xs:dateTime" type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="ExpirationDate" <xs:element name="ExpirationDate"
type="xs:dateTime" type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType" type="iodef:RelatedDNSEntryType"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Nameservers" <xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:DomainContacts" <xs:element ref="iodef:DomainContacts"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
</xs:sequence> </xs:sequence>
<xs:attribute name="system-status"> <xs:attribute name="system-status">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/> <xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/> <xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/> <xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/> <xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-system-status" <xs:attribute name="ext-system-status"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="domain-status"> <xs:attribute name="domain-status">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/> <xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/> <xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/> <xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/> <xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/> <xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/> <xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/> <xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/> <xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/> <xs:enumeration value="other"/>
<xs:enumeration value="unknown"/> <xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="ext-value"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="ext-domain-status" <xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RelatedDNS" <xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/> type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType"> <xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="record-type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
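Review bot: The `record-type` enumeration in RelatedDNSEntryType is a closed list: it has no `ext-value` member and no companion `ext-record-type` attribute, unlike the other enumerated attributes in this schema (`category` with `ext-category`, `system-status` with `ext-system-status`). A DNS record type outside this list cannot be expressed without a schema change. Suggest adding `ext-value` and an `ext-record-type` attribute of type `xs:string`, consistent with the rest of the schema.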
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element name="Server" type="xs:string"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element name="SameDomainContact"
type="xs:string"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded" minOccurs="1"/>
</xs:choice>
</xs:complexType>
</xs:element>
<!--
==================================================================
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
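Review bot: In RecordData, `RecordItem` is the only child declared without `minOccurs="0"`, so a record that carries only `FileData`, `WindowsRegistryKeysModified` or `CertificateData` is invalid unless it also includes a RecordItem. If those observables are meant to stand on their own, make RecordItem optional; if a RecordItem is always required, the class description should say so.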
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="record-type" use="optional"> <xs:attribute name="type" use="required">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/> <xs:enumeration value="regex"/>
<xs:enumeration value="AAAA"/> <xs:enumeration value="binary"/>
<xs:enumeration value="AFSDB"/> <xs:enumeration value="xpath"/>
<xs:enumeration value="APL"/> <xs:enumeration value="ext-value"/>
<xs:enumeration value="AXFR"/> </xs:restriction>
<xs:enumeration value="CAA"/> </xs:simpleType>
<xs:enumeration value="CERT"/> </xs:attribute>
<xs:enumeration value="CNAME"/> <xs:attribute name="ext-type"
<xs:enumeration value="DHCID"/> type="xs:string" use="optional"/>
<xs:enumeration value="DLV"/> <xs:attribute name="offset"
<xs:enumeration value="DNAME"/> type="xs:integer" use="optional"/>
<xs:enumeration value="DNSKEY"/> <xs:attribute name="offsetunit"
<xs:enumeration value="DS"/> use="optional" default="line">
<xs:enumeration value="HIP"/> <xs:simpleType>
<xs:enumeration value="IXFR"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="IPSECKEY"/> <xs:enumeration value="line"/>
<xs:enumeration value="LOC"/> <xs:enumeration value="byte"/>
<xs:enumeration value="MX"/> <xs:enumeration value="ext-value"/>
<xs:enumeration value="NAPTR"/> </xs:restriction>
<xs:enumeration value="NS"/> </xs:simpleType>
<xs:enumeration value="NSEC"/> </xs:attribute>
<xs:enumeration value="NSEC3"/> <xs:attribute name="ext-offsetunit"
<xs:enumeration value="NSEC3PARAM"/> type="xs:string" use="optional"/>
<xs:enumeration value="OPT"/> <xs:attribute name="instance"
<xs:enumeration value="PTR"/> type="xs:integer" use="optional"/>
<xs:enumeration value="RRSIG"/> </xs:extension>
<xs:enumeration value="RP"/> </xs:simpleContent>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Nameservers"> <!--
<xs:complexType> ================================================================
<xs:sequence> == Classes to describe a file ==
<xs:element name="Server" type="xs:string"/> ================================================================
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> -->
</xs:sequence>
<xs:element name="FileData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DomainContacts"> <xs:element name="File">
<xs:complexType> <xs:complexType>
<xs:choice> <xs:sequence>
<xs:element name="SameDomainContact" <xs:element name="FileName" type="xs:string"
type="xs:string"/> minOccurs="0" />
<xs:element ref="iodef:Contact" <xs:element name="FileSize" type="xs:integer"
maxOccurs="unbounded" minOccurs="1"/> minOccurs="0" />
</xs:choice> <xs:element name="FileType" type="xs:integer"
minOccurs="0" />
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="ds:Signature"
minOccurs="0" />
<xs:element name="Application"
type="iodef:SoftwareType" minOccurs="0"/>
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <xs:element name="FileProperties"
================================================================== type="iodef:ExtensionType"/>
== Record class ==
==================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern"> <!--
<xs:complexType> ================================================================
<xs:simpleContent> == Classes to describe a hash ==
<xs:extension base="xs:string"> ================================================================
<xs:attribute name="type" use="required"> -->
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
==================================================================
== Class to describe Windows Registry Keys ==
==================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value"
type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
-&gt; <xs:element name="HashData">
<!-- <xs:complexType>
================================================================ <xs:sequence>
== Classes to describe a file == <xs:element name="HashTarget" type="iodef:MLStringType"
================================================================ minOccurs="0"/>
-->
<xs:element name="FileData"> <xs:element ref="iodef:Hash"
<xs:complexType> minOccurs="0" maxOccurs="unbounded"/>
<xs:sequence> <xs:element ref="iodef:FuzzyHash"
<xs:element ref="iodef:File" minOccurs="0" maxOccurs="unbounded"/>
minOccurs="1" maxOccurs="unbounded"/> </xs:sequence>
</xs:sequence> <xs:attribute name="scope" use="required">
<xs:attribute name="observable-id" <xs:simpleType>
type="xs:ID" use="optional"/> <xs:restriction base="xs:NMTOKEN">
<xs:attribute name="restriction" <xs:enumeration value="file-contents"/>
type="iodef:restriction-type"/> <xs:enumeration value="file-pe-section"/>
<xs:attribute name="ext-restriction" <xs:enumeration value="file-pe-iat"/>
type="xs:string" use="optional"/> <xs:enumeration value="file-pe-resource"/>
</xs:complexType> <xs:enumeration value="file-pdf-object"/>
</xs:element> <xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-scope"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="File"> <xs:element name="Hash">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="FileName" type="xs:string" <xs:element ref="ds:DigestMethod" />
minOccurs="0" /> <xs:element ref="ds:DigestValue" />
<xs:element name="FileSize" type="xs:integer" <xs:element ref="ds:CanonicalizationMethod" />
minOccurs="0" /> <xs:element ref="iodef:Application"
<xs:element name="FileType" type="xs:integer" minOccurs="0"/>
minOccurs="0" /> </xs:sequence>
<xs:element ref="iodef:URL" </xs:complexType>
minOccurs="0" maxOccurs="unbounded"/> </xs:element>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="ds:Signature"
minOccurs="0" />
<xs:element name="Application"
type="iodef:SoftwareType" minOccurs="0"/>
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="FileProperties" <xs:element name="FuzzyHash">
type="iodef:ExtensionType"/> <xs:complexType>
<xs:sequence>
<xs:element ref="iodef:AdditionalData" />
<xs:element ref="iodef:Application"
minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!-- <!--
================================================================ ================================================================
== Classes to describe a hash == == Classes to describe a signature ==
================================================================ ================================================================
--> -->
-&gt; <xs:element name="SignatureData">
<xs:element name="HashData"> <xs:complexType>
<xs:complexType> <xs:sequence>
<xs:sequence> <xs:element ref="ds:Signature"
<xs:element name="HashTarget" type="iodef:MLStringType" maxOccurs="unbounded" />
minOccurs="0"/> </xs:sequence>
</xs:complexType>
</xs:element>
<xs:element ref="iodef:Hash" <!--
minOccurs="0" maxOccurs="unbounded"/> ================================================================
<xs:element ref="iodef:FuzzyHash" == Classes to describe a certficate ==
minOccurs="0" maxOccurs="unbounded"/> ================================================================
</xs:sequence> -->
<xs:attribute name="scope" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-scope"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Hash"> <xs:element name="CertificateData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:DigestMethod" /> <xs:element ref="iodef:Certificate"
<xs:element ref="ds:DigestValue" /> maxOccurs="unbounded"/>
<xs:element ref="ds:CanonicalizationMethod" /> </xs:sequence>
<xs:element ref="iodef:Application" <xs:attribute name="observable-id"
minOccurs="0"/> type="xs:ID" use="optional"/>
</xs:sequence> <xs:attribute name="restriction"
</xs:complexType> type="iodef:restriction-type"/>
</xs:element> <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHash"> <xs:element name="Certificate">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:AdditionalData" /> <xs:element ref="ds:X509Data" />
<xs:element ref="iodef:Application" </xs:sequence>
minOccurs="0"/> <xs:attribute name="observable-id"
</xs:sequence> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================ ==================================================================
== Classes to describe a signature == == Classes that describe software ==
================================================================ ==================================================================
--> -->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:SoftwareReference"
minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="SignatureData"> <xs:element name="SoftwareReference">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:Signature" <xs:any namespace="##any" processContents="lax"
maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="spec-name" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="custom"/>
<xs:enumeration value="cpe"/>
<xs:enumeration value="swid"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-spec-name"
type="xs:string" use="optional"/>
<xs:attribute name="dtype" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="bytes"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
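Review bot: the dtype attribute on the new SoftwareReference element carries its own inline enumeration (bytes, integer, real, string, xml, ext-value), while ExtensionType in this same schema declares dtype as type="iodef:dtype-type". Two separate definitions of the same attribute can drift apart in later revisions, so either reference iodef:dtype-type here or document why SoftwareReference needs a narrower list. The child content is also an xs:any wildcard with namespace="##any" and processContents="lax", so content from a namespace with no schema available passes validation unchecked. The element description should say what a consumer is expected to verify for each spec-name value.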
<!-- <xs:element name="Application"
================================================================ type="iodef:SoftwareType"/>
== Classes to describe a certficate == <xs:element name="OperatingSystem"
================================================================ type="iodef:SoftwareType"/>
-->
<xs:element name="CertificateData"> <!--
<xs:complexType> ==================================================================
<xs:sequence> == IndicatorData classes ==
<xs:element ref="iodef:Certificate" ==================================================================
maxOccurs="unbounded"/> -->
</xs:sequence> <xs:element name="IndicatorData">
<xs:attribute name="observable-id" <xs:complexType>
type="xs:ID" use="optional"/> <xs:sequence>
<xs:attribute name="restriction" <xs:element ref="iodef:Indicator"
type="iodef:restriction-type"/> minOccurs="1" maxOccurs="unbounded"/>
<xs:attribute name="ext-restriction" </xs:sequence>
type="xs:string" use="optional"/> </xs:complexType>
</xs:complexType> </xs:element>
</xs:element>
<xs:element name="Certificate"> <xs:element name="Indicator">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:X509Data" /> <xs:element ref="iodef:IndicatorID" />
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0" />
<xs:element ref="iodef:EndTime"
minOccurs="0" />
<xs:element ref="iodef:Confidence"
minOccurs="0" />
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable" />
<xs:element ref="iodef:ObservableReference" />
<xs:element ref="iodef:IndicatorExpression" />
<xs:element ref="iodef:IndicatorReference" />
</xs:choice>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="restriction"
type="xs:ID" use="optional"/> type="iodef:restriction-type"/>
</xs:complexType> <xs:attribute name="ext-restriction"
</xs:element> type="xs:string" use="optional"/>
</xs:complexType>
<!-- </xs:element>
==================================================================
== Classes that describe software ==
==================================================================
-->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<!--
==================================================================
== IndicatorData classes ==
==================================================================
-->
<xs:element name="IndicatorData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Indicator"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Indicator">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID" />
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0" />
<xs:element ref="iodef:EndTime"
minOccurs="0" />
<xs:element ref="iodef:Confidence"
minOccurs="0" />
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable" />
<xs:element ref="iodef:ObservableReference" />
<xs:element ref="iodef:IndicatorExpression" />
<xs:element ref="iodef:IndicatorReference" />
</xs:choice>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorID"> <xs:element name="IndicatorID">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:ID"> <xs:extension base="xs:ID">
<xs:attribute name="name" <xs:attribute name="name"
type="xs:string" use="required"/> type="xs:string" use="required"/>
<xs:attribute name="version" <xs:attribute name="version"
type="xs:string" use="required"/> type="xs:string" use="required"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="AlternativeIndicatorID"> <xs:element name="AlternativeIndicatorID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IndicatorID" <xs:element ref="iodef:IndicatorID"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Observable">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Address"
minOccurs="0"/>
<xs:element ref="iodef:DomainData"
minOccurs="0"/>
<xs:element ref="iodef:EmailData"
minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:FileData"
minOccurs="0"/>
<xs:element ref="iodef:RecordData"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0"/>
<xs:element ref="iodef:Incident"
minOccurs="0"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:BulkObservable"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="BulkObservable"> <xs:element name="Observable">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:BulkObservableFormat" <xs:element ref="iodef:Address"
minOccurs="0"/> minOccurs="0"/>
<xs:element name="BulkObservableList" <xs:element ref="iodef:DomainData"
type="xs:string" minOccurs="0"/> minOccurs="0"/>
</xs:sequence>
<xs:attribute name="type"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="fqdn"/>
<xs:enumeration value="doman-name"/>
<xs:enumeration value="domain-to-ipv4"/>
<xs:enumeration value="domain-to-ipv6"/>
<xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="BulkObservableFormat"> <xs:element ref="iodef:EmailData"
<xs:complexType> minOccurs="0"/>
<xs:sequence> <xs:element name="ApplicationHeader"
<xs:element ref="iodef:Hash" type="iodef:ApplicationHeaderType"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0"/>
</xs:sequence> <xs:element ref="iodef:FileData"
</xs:complexType> minOccurs="0"/>
</xs:element> <xs:element ref="iodef:CertificateData"
minOccurs="0"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0"/>
<xs:element ref="iodef:RecordData"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0"/>
<xs:element ref="iodef:Incident"
minOccurs="0"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:HistoryItem"
minOccurs="0"/>
<xs:element ref="iodef:BulkObservable"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
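Review bot: in the Observable sequence, ref="Reference" is the only element reference written without the iodef: prefix, and that is unchanged between -12 and -13 even though this revision adds CertificateData and RegistryHandle around it. Whether the unprefixed name resolves depends on the default namespace declared on the schema root, which is not visible in this part of the diff. Writing it as ref="iodef:Reference" would match every other reference in the sequence and remove that dependency.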
<xs:element name="IndicatorExpression"> <xs:element name="BulkObservable">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:element ref="iodef:BulkObservableFormat"
<xs:element ref="iodef:IndicatorExpression" minOccurs="0"/>
minOccurs="0"/> <xs:element name="BulkObservableList"
<xs:element ref="iodef:Observable" type="xs:string" minOccurs="0"/>
minOccurs="0" /> </xs:sequence>
<xs:element ref="iodef:ObservableReference" <xs:attribute name="type"
minOccurs="0"/> use="required">
<xs:element ref="iodef:IndicatorReference" <xs:simpleType>
minOccurs="0"/> <xs:restriction base="xs:NMTOKEN">
</xs:choice> <xs:enumeration value="asn"/>
<xs:element ref="iodef:AlternativeIndicatorID" <xs:enumeration value="atm"/>
minOccurs="0" maxOccurs="unbounded"/> <xs:enumeration value="e-mail"/>
</xs:sequence> <xs:enumeration value="ipv4-addr"/>
<xs:attribute name="operator" use="required"> <xs:enumeration value="ipv4-net"/>
<xs:simpleType> <xs:enumeration value="ipv4-net-mask"/>
<xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="not"/> <xs:enumeration value="ipv6-net"/>
<xs:enumeration value="and"/> <xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="or"/> <xs:enumeration value="mac"/>
<xs:enumeration value="xor"/> <xs:enumeration value="site-uri"/>
</xs:restriction> <xs:enumeration value="fqdn"/>
</xs:simpleType> <xs:enumeration value="doman-name"/>
</xs:attribute> <xs:enumeration value="domain-to-ipv4"/>
</xs:complexType> <xs:enumeration value="domain-to-ipv6"/>
</xs:element> <xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
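Review bot: the BulkObservable type enumeration contains the value "doman-name" in both the -12 and -13 text, which reads as a misspelling of "domain-name". Because this is an enumerated token that implementations will match literally, it should be corrected before it is deployed. The same attribute declares ext-type but the enumeration has no "ext-value" member, unlike the RecordPattern type and HashData scope enumerations, so the extension attribute cannot be selected through a schema-valid type value.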
<xs:element name="ObservableReference"> <xs:element name="BulkObservableFormat">
<xs:complexType> <xs:complexType>
<xs:attribute name="uid-ref" <xs:sequence>
type="xs:IDREF" use="required"/> <xs:element ref="iodef:Hash"
</xs:complexType> minOccurs="0"/>
</xs:element> <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="IndicatorReference"> </xs:element>
<xs:complexType>
<xs:attribute name="uid-ref"
type="xs:IDREF" use="optional"/>
<xs:attribute name="euid-ref"
type="xs:string" use="optional"/>
<xs:attribute name="version" <xs:element name="IndicatorExpression">
type="xs:string" use="optional"/> <xs:complexType>
</xs:complexType> <xs:sequence>
</xs:element> <xs:choice>
<!-- <xs:element ref="iodef:IndicatorExpression"
================================================================== minOccurs="0"/>
== Miscellaneous simple classes == <xs:element ref="iodef:Observable"
================================================================== minOccurs="0" />
--> <xs:element ref="iodef:ObservableReference"
<xs:element name="Description" minOccurs="0"/>
type="iodef:MLStringType"/> <xs:element ref="iodef:IndicatorReference"
<xs:element name="URL" minOccurs="0"/>
type="xs:anyURI"/> </xs:choice>
<!-- <xs:element ref="iodef:AlternativeIndicatorID"
================================================================== minOccurs="0" maxOccurs="unbounded"/>
== Data Types == </xs:sequence>
================================================================== <xs:attribute name="operator" use="required">
--> <xs:simpleType>
<xs:simpleType name="PositiveFloatType"> <xs:restriction base="xs:NMTOKEN">
<xs:restriction base="xs:float"> <xs:enumeration value="not"/>
<xs:minExclusive value="0"/> <xs:enumeration value="and"/>
</xs:restriction> <xs:enumeration value="or"/>
</xs:simpleType> <xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:complexType name="MLStringType"> <xs:element name="ObservableReference">
<xs:simpleContent> <xs:complexType>
<xs:extension base="xs:string"> <xs:attribute name="uid-ref"
<xs:attribute name="translation-id" type="xs:IDREF" use="required"/>
type="xs:string" use="optional"/> </xs:complexType>
<xs:attribute ref="xml:lang" /> </xs:element>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ExtensionType" mixed="true"> <xs:element name="IndicatorReference">
<xs:sequence> <xs:complexType>
<xs:any namespace="##any" processContents="lax" <xs:attribute name="uid-ref"
minOccurs="0" maxOccurs="unbounded"/> type="xs:IDREF" use="optional"/>
</xs:sequence> <xs:attribute name="euid-ref"
<xs:attribute name="dtype" type="xs:string" use="optional"/>
type="iodef:dtype-type" use="required"/> <xs:attribute name="version"
<xs:attribute name="meaning" type="xs:string" use="optional"/>
type="xs:string"/> </xs:complexType>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true"> </xs:element>
<xs:sequence> <!--
<xs:any namespace="##any" processContents="lax" ==================================================================
minOccurs="0" maxOccurs="unbounded"/> == Miscellaneous simple classes ==
</xs:sequence> ==================================================================
<xs:attribute name="proto" -->
type="xs:integer" use="optional"/> <xs:element name="Description"
<xs:attribute name="proto-name" type="iodef:MLStringType"/>
type="xs:integer" use="optional"/> <xs:element name="URL"
<xs:attribute name="field" type="xs:anyURI"/>
type="xs:string" use="required"/> <!--
<xs:attribute name="dtype" ==================================================================
type="iodef:proto-dtype-type" == Data Types ==
use="required"/> ==================================================================
<xs:attribute name="observable-id" -->
type="xs:ID" use="optional"/> <xs:simpleType name="PositiveFloatType">
</xs:complexType> <xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<!-- <xs:complexType name="MLStringType">
================================================================== <xs:simpleContent>
== Global attribute type declarations == <xs:extension base="xs:string">
================================================================== <xs:attribute name="translation-id"
--> type="xs:string" use="optional"/>
<xs:simpleType name="yes-no-type"> <xs:attribute ref="xml:lang" />
<xs:restriction base="xs:NMTOKEN"> </xs:extension>
<xs:enumeration value="yes"/> </xs:simpleContent>
<xs:enumeration value="no"/> </xs:complexType>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="yes-no-unknown-type"> <xs:complexType name="ExtensionType" mixed="true">
<xs:restriction base="xs:NMTOKEN"> <xs:sequence>
<xs:enumeration value="yes"/> <xs:any namespace="##any" processContents="lax"
<xs:enumeration value="no"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:enumeration value="unknown"/> </xs:sequence>
</xs:restriction> <xs:attribute name="dtype"
</xs:simpleType> type="iodef:dtype-type" use="required"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
<xs:complexType name="ApplicationHeaderType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="proto"
type="xs:integer" use="optional"/>
<xs:attribute name="proto-name"
type="xs:integer" use="optional"/>
<xs:attribute name="field"
type="xs:string" use="required"/>
<xs:attribute name="dtype"
type="iodef:proto-dtype-type"
use="required"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
<xs:simpleType name="restriction-type"> <!--
<xs:restriction base="xs:NMTOKEN"> ==================================================================
<xs:enumeration value="default"/> == Global attribute type declarations ==
<xs:enumeration value="public"/> ==================================================================
<xs:enumeration value="partner"/> -->
<xs:enumeration value="need-to-know"/> <xs:simpleType name="yes-no-type">
<xs:enumeration value="private"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="white"/> <xs:enumeration value="yes"/>
<xs:enumeration value="green"/> <xs:enumeration value="no"/>
<xs:enumeration value="amber"/> </xs:restriction>
<xs:enumeration value="red"/> </xs:simpleType>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type"> <xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/> <xs:enumeration value="yes"/>
<xs:enumeration value="medium"/> <xs:enumeration value="no"/>
<xs:enumeration value="high"/> <xs:enumeration value="unknown"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type"> <xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/> <xs:enumeration value="default"/>
<xs:enumeration value="contact-source-site"/> <xs:enumeration value="public"/>
<xs:enumeration value="contact-target-site"/> <xs:enumeration value="partner"/>
<xs:enumeration value="contact-sender"/> <xs:enumeration value="need-to-know"/>
<xs:enumeration value="investigate"/> <xs:enumeration value="private"/>
<xs:enumeration value="block-host"/> <xs:enumeration value="white"/>
<xs:enumeration value="block-network"/> <xs:enumeration value="green"/>
<xs:enumeration value="block-port"/> <xs:enumeration value="amber"/>
<xs:enumeration value="rate-limit-host"/> <xs:enumeration value="red"/>
<xs:enumeration value="rate-limit-network"/> <xs:enumeration value="ext-value"/>
<xs:enumeration value="rate-limit-port"/> </xs:restriction>
<xs:enumeration value="redirect-traffic"/> </xs:simpleType>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type"> <xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="low"/>
<xs:enumeration value="byte"/> <xs:enumeration value="medium"/>
<xs:enumeration value="bytes"/> <xs:enumeration value="high"/>
<xs:enumeration value="character"/> </xs:restriction>
<xs:enumeration value="date-time"/> </xs:simpleType>
<xs:enumeration value="integer"/> <xs:simpleType name="duration-type">
<xs:enumeration value="ntpstamp"/> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="portlist"/> <xs:enumeration value="second"/>
<xs:enumeration value="real"/> <xs:enumeration value="minute"/>
<xs:enumeration value="string"/> <xs:enumeration value="hour"/>
<xs:enumeration value="file"/> <xs:enumeration value="day"/>
<xs:enumeration value="path"/> <xs:enumeration value="month"/>
<xs:enumeration value="frame"/> <xs:enumeration value="quarter"/>
<xs:enumeration value="packet"/> <xs:enumeration value="year"/>
<xs:enumeration value="ipv4-packet"/> <xs:enumeration value="ext-value"/>
<xs:enumeration value="ipv6-packet"/> </xs:restriction>
<xs:enumeration value="url"/> </xs:simpleType>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="proto-dtype-type"> <xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/> <xs:enumeration value="nothing"/>
<xs:enumeration value="byte"/> <xs:enumeration value="contact-source-site"/>
<xs:enumeration value="bytes"/> <xs:enumeration value="contact-target-site"/>
<xs:enumeration value="character"/> <xs:enumeration value="contact-sender"/>
<xs:enumeration value="date-time"/> <xs:enumeration value="investigate"/>
<xs:enumeration value="integer"/> <xs:enumeration value="block-host"/>
<xs:enumeration value="real"/> <xs:enumeration value="block-network"/>
<xs:enumeration value="string"/> <xs:enumeration value="block-port"/>
<xs:enumeration value="xml"/> <xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="ext-value"/> <xs:enumeration value="rate-limit-network"/>
</xs:restriction> <xs:enumeration value="rate-limit-port"/>
</xs:simpleType> <xs:enumeration value="redirect-traffic"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema> <xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="proto-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
9. Security Considerations 9. Security Considerations
The IODEF data model itself does not directly introduce security The IODEF data model itself does not directly introduce security
issues. Rather, it simply defines a representation for incident issues. Rather, it simply defines a representation for incident
information. As the data encoded by the IODEF might be considered information. As the data encoded by the IODEF might be considered
privacy sensitive by the parties exchanging the information or by privacy sensitive by the parties exchanging the information or by
those described by it, care needs to be taken in ensuring the those described by it, care needs to be taken in ensuring the
appropriate disclosure during both document exchange and subsequent appropriate disclosure during both document exchange and subsequent
processing. The former must be handled by a messaging format, but processing. The former must be handled by a messaging format, but
the latter risk must be addressed by the systems that process, store, the latter risk must be addressed by the systems that process, store,
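Review bot: in the added ApplicationHeaderType, the proto-name attribute is declared with type="xs:integer", the same type as the numeric proto attribute directly above it. Assuming proto-name is meant to carry a textual protocol name, this looks like a copy-paste slip and should be xs:string (or xs:NMTOKEN); as written, any instance that puts a name in proto-name fails schema validation. Separately, both ExtensionType and ApplicationHeaderType accept xs:any with namespace="##any" and processContents="lax" under mixed="true", so the schema places no constraint on that content; the Security Considerations text that follows would be a good place to state that consumers must treat it as unvalidated input and check it against the declared dtype themselves.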
skipping to change at page 163, line 30 skipping to change at page 165, line 30
| | | | | | | |
| Key-registryaction | Key@registryaction | Section 3.26.1 | | Key-registryaction | Key@registryaction | Section 3.26.1 |
| | | | | | | |
| HashData-scope | HashData@scope | Section 3.29 | | HashData-scope | HashData@scope | Section 3.29 |
| | | | | | | |
| BulkObservable-type | BulkObservable@type | Section | | BulkObservable-type | BulkObservable@type | Section |
| | | 3.32.3.1 | | | | 3.32.3.1 |
| | | | | | | |
| AdditionalData-dtype | iodef:dtype-type | Section 3.9 | | AdditionalData-dtype | iodef:dtype-type | Section 3.9 |
| | | | | | | |
| EmailHeaderField-proto- | iodef:proto-dtype- | Section 3.22.1 | | ApplicationHeader-proto- | iodef:proto-dtype- | Section 3.22.1 |
| dtype | type | | | dtype | type | |
| | | |
| SoftwareReference-dtype | SoftwareReference | Section 3.22.3 |
+--------------------------+-----------------------+----------------+ +--------------------------+-----------------------+----------------+
Table 1: IANA Enumerated Value Registries Table 1: IANA Enumerated Value Registries
11. Acknowledgments 11. Acknowledgments
The following groups and individuals, listed alphabetically, The following groups and individuals, listed alphabetically,
contributed substantially to this document and should be recognized contributed substantially to this document and should be recognized
for their efforts. for their efforts.
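Review bot: in Table 1 the row renamed from EmailHeaderField-proto-dtype to ApplicationHeader-proto-dtype keeps its Section 3.22.1 reference unchanged, and the SoftwareReference-dtype row is dropped with no replacement. Please confirm that Section 3.22.1 is still where the renamed class's dtype attribute is defined, and that SoftwareReference no longer has an enumerated dtype attribute; if it does, its values are left without an IANA registry.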
 End of changes. 131 change blocks. 
2076 lines changed or deleted 2177 lines changed or added
