draft-ietf-mile-rfc5070-bis-13.txt   draft-ietf-mile-rfc5070-bis-14.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) P. Stoecker Obsoletes: 5070 (if approved) P. Stoecker
Intended status: Standards Track RSA Intended status: Standards Track RSA
Expires: December 22, 2015 June 20, 2015 Expires: January 21, 2016 July 20, 2015
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-13 draft-ietf-mile-rfc5070-bis-14
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for sharing information commonly exchanged by data representation for sharing information commonly exchanged by
Computer Security Incident Response Teams (CSIRTs) about computer Computer Security Incident Response Teams (CSIRTs) about computer
security incidents. This document describes the information model security incidents. This document describes the information model
for the IODEF and provides an associated data model specified with for the IODEF and provides an associated data model specified with
XML Schema. XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 22, 2015. This Internet-Draft will expire on January 21, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 47 skipping to change at page 3, line 47
3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 58 3.19. System Class . . . . . . . . . . . . . . . . . . . . . . 58
3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 61 3.20. Node Class . . . . . . . . . . . . . . . . . . . . . . . 61
3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 62 3.20.1. Address Class . . . . . . . . . . . . . . . . . . . 62
3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 63 3.20.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 63
3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 66 3.20.3. Counter Class . . . . . . . . . . . . . . . . . . . 66
3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 68 3.21. DomainData Class . . . . . . . . . . . . . . . . . . . . 68
3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 71 3.21.1. RelatedDNS . . . . . . . . . . . . . . . . . . . . . 71
3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 71 3.21.2. Nameservers Class . . . . . . . . . . . . . . . . . 71
3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 72 3.21.3. DomainContacts Class . . . . . . . . . . . . . . . . 72
3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 73 3.22. Service Class . . . . . . . . . . . . . . . . . . . . . . 73
3.22.1. ApplicationHeader Class . . . . . . . . . . . . . . 75 3.22.1. ServiceName Class . . . . . . . . . . . . . . . . . 74
3.22.2. Application Class . . . . . . . . . . . . . . . . . 76 3.22.2. ApplicationHeader Class . . . . . . . . . . . . . . 75
3.22.3. SoftwareReference Class . . . . . . . . . . . . . . 77 3.22.3. Application Class . . . . . . . . . . . . . . . . . 77
3.22.4. SoftwareReference Class . . . . . . . . . . . . . . 78
3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 79 3.23. OperatingSystem Class . . . . . . . . . . . . . . . . . . 79
3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 79 3.24. EmailData Class . . . . . . . . . . . . . . . . . . . . . 79
3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 80 3.25. Record Class . . . . . . . . . . . . . . . . . . . . . . 80
3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 80 3.25.1. RecordData Class . . . . . . . . . . . . . . . . . . 81
3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 82 3.25.2. RecordPattern Class . . . . . . . . . . . . . . . . 82
3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 83 3.25.3. RecordItem Class . . . . . . . . . . . . . . . . . . 84
3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 84 3.26. WindowsRegistryKeysModified Class . . . . . . . . . . . . 84
3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 84 3.26.1. Key Class . . . . . . . . . . . . . . . . . . . . . 85
3.27. CertificateData Class . . . . . . . . . . . . . . . . . . 85 3.27. CertificateData Class . . . . . . . . . . . . . . . . . . 86
3.27.1. Certificate Class . . . . . . . . . . . . . . . . . 86 3.27.1. Certificate Class . . . . . . . . . . . . . . . . . 86
3.28. FileData Class . . . . . . . . . . . . . . . . . . . . . 87 3.28. FileData Class . . . . . . . . . . . . . . . . . . . . . 87
3.28.1. File Class . . . . . . . . . . . . . . . . . . . . . 87 3.28.1. File Class . . . . . . . . . . . . . . . . . . . . . 88
3.29. HashData Class . . . . . . . . . . . . . . . . . . . . . 89 3.29. HashData Class . . . . . . . . . . . . . . . . . . . . . 89
3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 90 3.29.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 91
3.29.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91 3.29.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 91
3.30. SignatureData Class . . . . . . . . . . . . . . . . . . . 92 3.30. SignatureData Class . . . . . . . . . . . . . . . . . . . 92
3.31. IndicatorData Class . . . . . . . . . . . . . . . . . . . 92 3.31. IndicatorData Class . . . . . . . . . . . . . . . . . . . 92
3.32. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93 3.32. Indicator Class . . . . . . . . . . . . . . . . . . . . . 93
3.32.1. IndicatorID Class . . . . . . . . . . . . . . . . . 95 3.32.1. IndicatorID Class . . . . . . . . . . . . . . . . . 95
3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . . 95 3.32.2. AlternativeIndicatorID Class . . . . . . . . . . . . 96
3.32.3. Observable Class . . . . . . . . . . . . . . . . . . 96 3.32.3. Observable Class . . . . . . . . . . . . . . . . . . 96
3.32.4. IndicatorExpression Class . . . . . . . . . . . . . 101 3.32.4. IndicatorExpression Class . . . . . . . . . . . . . 102
3.32.5. ObservableReference Class . . . . . . . . . . . . . 103 3.32.5. ObservableReference Class . . . . . . . . . . . . . 103
3.32.6. IndicatorReference Class . . . . . . . . . . . . . . 103 3.32.6. IndicatorReference Class . . . . . . . . . . . . . . 104
4. Processing Considerations . . . . . . . . . . . . . . . . . . 104 4. Processing Considerations . . . . . . . . . . . . . . . . . . 105
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 104 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 105
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 104 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 105
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 105 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 106
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 106 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 107
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 107 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 108
5.1. Extending the Enumerated Values of Attributes . . . . . . 107 5.1. Extending the Enumerated Values of Attributes . . . . . . 108
5.1.1. Private Extension of Enumerated Values . . . . . . . 107 5.1.1. Private Extension of Enumerated Values . . . . . . . 108
5.1.2. Public Extension of Enumerated Values . . . . . . . . 108 5.1.2. Public Extension of Enumerated Values . . . . . . . . 109
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 108 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 109
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 110 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 111
6. Internationalization Issues . . . . . . . . . . . . . . . . . 110 6. Internationalization Issues . . . . . . . . . . . . . . . . . 111
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 112 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 113
7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 112 7.1. Worm . . . . . . . . . . . . . . . . . . . . . . . . . . 113
7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 113 7.2. Reconnaissance . . . . . . . . . . . . . . . . . . . . . 114
7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 115 7.3. Bot-Net Reporting . . . . . . . . . . . . . . . . . . . . 116
7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 117 7.4. Watch List . . . . . . . . . . . . . . . . . . . . . . . 118
8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 118 8. The IODEF Schema . . . . . . . . . . . . . . . . . . . . . . 119
9. Security Considerations . . . . . . . . . . . . . . . . . . . 162 9. Security Considerations . . . . . . . . . . . . . . . . . . . 164
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 162 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 164
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 163 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 165
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 163 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 165
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 165 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 167
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 166 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 168
12.1. Normative References . . . . . . . . . . . . . . . . . . 166 12.1. Normative References . . . . . . . . . . . . . . . . . . 168
12.2. Informative References . . . . . . . . . . . . . . . . . 168 12.2. Informative References . . . . . . . . . . . . . . . . . 170
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 171
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 169
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a bot- filter attack traffic, contacting a remote site to take down a bot-
network, or sharing watch-lists of known malicious IP addresses in a network, or sharing watch-lists of known malicious IP addresses in a
consortium. consortium.
skipping to change at page 7, line 15 skipping to change at page 7, line 18
o The following classes were added to Node: PostalAddress and o The following classes were added to Node: PostalAddress and
DomainData. The following classes were removed from Node: Removed DomainData. The following classes were removed from Node: Removed
NodeName and DateTime. NodeName and DateTime.
o The following classes were added to the Contact class: o The following classes were added to the Contact class:
ContactTitle. ContactTitle.
o The following classes were added to Expectation and HistoryItem: o The following classes were added to Expectation and HistoryItem:
DefinedCOA. DefinedCOA.
o The following classes were aded to Service: ServiceName o The following classes were added to Service: ServiceName
o The following classes were added to Reference: ReferenceName o The following classes were added to Reference: ReferenceName
(replaced Name). (replaced Name).
o The following attributes were added to Counter: type and unit. o The following attributes were added to Counter: type and unit.
o Additional enumerated values were added to the following o Additional enumerated values were added to the following
attributes: @restriction, {Expectation, HistoryItem}@action, attributes: @restriction, {Expectation, HistoryItem}@action,
NodeRole@category, Incident@purpose, Contact@role, NodeRole@category, Incident@purpose, Contact@role,
AdditionalData@dtype, System@spoofed. AdditionalData@dtype, System@spoofed.
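Review bot: In the Node bullet, "The following classes were removed from Node: Removed NodeName and DateTime." carries a stray "Removed" after the colon in both revisions. It should read "NodeName and DateTime".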
skipping to change at page 67, line 26 skipping to change at page 67, line 26
| STRING ext-duration | | STRING ext-duration |
+---------------------+ +---------------------+
Figure 36: The Counter Class Figure 36: The Counter Class
The Counter class has seven attribute: The Counter class has seven attribute:
type type
Required. ENUM. Specifies the type of counter specified in the Required. ENUM. Specifies the type of counter specified in the
element content. These values are maintained in the "Counter- element content. These values are maintained in the "Counter-
type" IANA registry per Table 1. The default value is "count". type" IANA registry per Table 1.
1. count. The Counter class value is a counter. 1. count. The Counter class value is a counter.
2. peak. The Counter class value is a peak value. 2. peak. The Counter class value is a peak value.
3. average. The Counter class value is an average. 3. average. The Counter class value is an average.
4. ext-value. An escape value used to extend this attribute. 4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
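Review bot: "The Counter class has seven attribute:" should read "seven attributes". The sentence is identical in both revisions, so the fix is still outstanding in -14.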
skipping to change at page 73, line 24 skipping to change at page 73, line 24
source, then this service is the one from which activity of interest source, then this service is the one from which activity of interest
is originating. Conversely, when Service occurs as an aggregate is originating. Conversely, when Service occurs as an aggregate
class of a System that is a target, then that service is the one to class of a System that is a target, then that service is the one to
which activity of interest is directed. which activity of interest is directed.
This class was derived from [RFC4765]. This class was derived from [RFC4765].
+-------------------------+ +-------------------------+
| Service | | Service |
+-------------------------+ +-------------------------+
+ INTEGER ip-protocol |<>--{0..1}--[ ServiceName ] | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
| ID observable-id |<>--{0..1}--[ Port ] | ID observable-id |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ] | |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ProtoField ]
| |<>--{0..*}--[ ApplicationHeader ] | |<>--{0..*}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+-------------------------+ +-------------------------+
Figure 41: The Service Class Figure 41: The Service Class
The aggregate classes that constitute Service are: The aggregate classes that constitute Service are:
ServiceName ServiceName
Zero or one. STRING. The name of the service per the "Service Zero or one. Identifies the the observed service.
Name" field of the [IANA.Ports] registry.
Port Port
Zero or one. INTEGER. A port number. Zero or one. INTEGER. A port number.
Portlist Portlist
Zero or one. PORTLIST. A list of port numbers formatted Zero or one. PORTLIST. A list of port numbers formatted
according to Section 2.10. according to Section 2.10.
ProtoCode ProtoCode
Zero or one. INTEGER. A transport layer (layer 4) protocol- Zero or one. INTEGER. A transport layer (layer 4) protocol-
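Review bot: The replacement ServiceName description reads "Identifies the the observed service." with a doubled "the". Unlike the ApplicationHeader and Application entries that follow, it also gives no pointer to the section defining the class; adding "See Section 3.22.1." would match them.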
skipping to change at page 74, line 17 skipping to change at page 74, line 15
ProtoType ProtoType
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport layer (layer 4) protocol
specific type field (e.g., ICMP type field). specific type field (e.g., ICMP type field).
ProtoField ProtoField
Zero or one. INTEGER. A transport layer (layer 4) protocol Zero or one. INTEGER. A transport layer (layer 4) protocol
specific flag field (e.g., TCP flag field). specific flag field (e.g., TCP flag field).
ApplicationHeader ApplicationHeader
Zero or more. An application layer (layer 7) protocol header. Zero or more. An application layer (layer 7) protocol header.
See Section 3.22.1. See Section 3.22.2.
EmailData EmailData
Zero or one. Headers associated with an email. See Section 3.24. Zero or one. Headers associated with an email. See Section 3.24.
Application Application
Zero or one. The application bound to the specified Port or Zero or one. The application bound to the specified Port or
Portlist. See Section 3.22.2. Portlist. See Section 3.22.3.
Either a Port or Portlist class MUST be specified for a given Either a Port or Portlist class MUST be specified for a given
instance of a Service class. instance of a Service class.
When a given System classes with category="source" and another with When a given System classes with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
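Review bot: The port-count constraint uses lowercase "must" ("the number of ports in N must be equal to") directly after a sentence that uses "MUST" for the Port/Portlist requirement. If the constraint is normative, it should be capitalized to match. "When a given System classes" also needs number agreement.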
skipping to change at page 75, line 5 skipping to change at page 74, line 48
The Service class has two attributes: The Service class has two attributes:
ip-protocol ip-protocol
Required. INTEGER. The IANA assigned IP protocol number per Required. INTEGER. The IANA assigned IP protocol number per
[IANA.Protocols]. [IANA.Protocols].
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.22.1. ApplicationHeader Class 3.22.1. ServiceName Class
The ServiceName class names an application protocol. It can be
described by referencing an IANA registered protocol, a URL or with
free-form text.
+--------------------+
| ServiceName |
+--------------------+
| |<>--{0..1}--[ IANAService ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
Figure 42: The ServiceName Class
The aggregate classes that constitute ServiceName:
IANAService
Zero or one. The name of the service per the "Service Name" field
of the [IANA.Ports] registry.
URL
Zero or more. URL. A URL describing the service.
Description
Zero or more. ML_STRING. A free-form text description of the
service.
At least one of these classes MUST be present.
The ServiceName class has no attributes.
3.22.2. ApplicationHeader Class
The ApplicationHeader class allows the representation of arbitrary The ApplicationHeader class allows the representation of arbitrary
fields from an application layer protocol header and its fields from an application layer protocol header and its
corresponding value. corresponding value.
+--------------------------+ +--------------------------+
| ApplicationHeader | | ApplicationHeader |
+--------------------------+ +--------------------------+
| ANY | | ANY |
| | | |
| INTEGER proto | | INTEGER proto |
| STRING proto-name | | STRING proto-name |
| STRING field | | STRING field |
| ENUM dtype | | ENUM dtype |
| STRING ext-dtype | | STRING ext-dtype |
| ID observable-id | | ID observable-id |
+--------------------------+ +--------------------------+
Figure 42: The ApplicationHeader Class Figure 43: The ApplicationHeader Class
The ApplicationHeader class has six attributes: The ApplicationHeader class has six attributes:
proto proto
Optional. INTEGER. The IANA assigned port number per the Optional. INTEGER. The IANA assigned port number per the
"Protocol Number" field of the [IANA.Ports] registry corresponding "Protocol Number" field of the [IANA.Ports] registry corresponding
to the application layer protocol whose field will be represented. to the application layer protocol whose field will be represented.
proto-name proto-name
Optional. STRING. The IANA assigned service name per the Optional. STRING. The IANA assigned service name per the
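Review bot: In the new ServiceName section, IANAService is the only aggregate class listed without a data type (URL is typed as URL and Description as ML_STRING), so an implementer cannot tell what the element body holds. State the type, and say how "At least one of these classes MUST be present" is to be checked, since Figure 42 gives all three children a lower bound of zero.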
skipping to change at page 76, line 40 skipping to change at page 77, line 18
ext-dtype ext-dtype
Optional. STRING. A means by which to extend the dtype Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
Either the proto or proto-name attribute MUST be set. If both are Either the proto or proto-name attribute MUST be set. If both are
set, they MUST correspond to the same entry in the registry. set, they MUST correspond to the same entry in the registry.
3.22.2. Application Class 3.22.3. Application Class
The Application class describes a software application. It can be The Application class describes a software application. It can be
described by using formal reference, a URL or with free-form text. described by using formal reference, a URL or with free-form text.
+--------------------+ +--------------------+
| Application | | Application |
+--------------------+ +--------------------+
| |<>--{0..1}--[ SoftwareReference ] | |<>--{0..1}--[ SoftwareReference ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
+--------------------+ +--------------------+
Figure 43: The Application Class Figure 44: The Application Class
The aggregate classes that constitute Application: The aggregate classes that constitute Application:
SoftwareReference SoftwareReference
Zero or one. Reference to a software application. Zero or one. Reference to a software application.
URL URL
Zero or more. URL. A URL associated with the application. Zero or more. URL. A URL associated with the application.
Description Description
Zero or more. ML_STRING. A free-form text description of this Zero or more. ML_STRING. A free-form text description of this
application. application.
At least one of these classes MUST be present. At least one of these classes MUST be present.
The Application class has no attributes. The Application class has no attributes.
3.22.3. SoftwareReference Class 3.22.4. SoftwareReference Class
The Application class describes a software application. It can be The Application class describes a software application. It can be
described by using formal reference, a URL or with free-form text. described by using formal reference, a URL or with free-form text.
+----------------------+ +----------------------+
| SoftwareReference | | SoftwareReference |
+----------------------+ +----------------------+
| ANY | | ANY |
| | | |
| ENUM spec-name | | ENUM spec-name |
| STRING ext-spec-name | | STRING ext-spec-name |
| ENUM dtype | | ENUM dtype |
| STRING enum-dtype | | STRING enum-dtype |
+----------------------+ +----------------------+
Figure 44: The SoftwareReference Class Figure 45: The SoftwareReference Class
The element body of this class varies according to the value of the The element body of this class varies according to the value of the
spec-name attribute. spec-name attribute.
The SoftwareReference class has four attributes: The SoftwareReference class has four attributes:
spec-name spec-name
Required. ENUM. Identifies the format and semantics of the the Required. ENUM. Identifies the format and semantics of the the
element body of this class. Formal standards and specifications element body of this class. Formal standards and specifications
can be referenced as well as free-form description with user- can be referenced as well as free-form description with user-
provided data-types. These values are maintained in the provided data-types. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Table 1 "SoftwareReference-spec-id" IANA registry per Table 1
1. custom. The element content is of the type specified by the 1. custom. The element content is free-form and of the data type
dtype attribute. If this value is selected, then the dtype specified by the dtype attribute. If this value is selected,
attribute MUST be set. then the dtype attribute MUST be set.
2. cpe. The element content describes a Common Platform 2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry [fix me. reference]. Enumeration (CPE) entry [fix me. reference].
3. swid. The element content describes a software identification 3. swid. The element content describes a software identification
(SWID) tag per ISO/IEC 19770-2:2009 [fix me. reference]. (SWID) tag per ISO/IEC 19770-2:2009 [fix me. reference].
4. ext-value. An escape value used to extend this attribute. 4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
ext-spec-name ext-spec-name
Optional. STRING. A means by which to extend the spec-name Optional. STRING. A means by which to extend the spec-name
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
dtype dtype
Required. ENUM. The data type of the element content. The Optional. ENUM. The data type of the element content. The
permitted values for this attribute are shown below. The default permitted values for this attribute are shown below. The default
value is "string". These values are maintained in the value is "string". These values are maintained in the
"SoftwareReference-dtype" IANA registry per Table 1. "SoftwareReference-dtype" IANA registry per Table 1.
1. bytes. The element content is of type HEXBIN. 1. bytes. The element content is of type HEXBIN.
2. integer. The element content is of type INTEGER. 2. integer. The element content is of type INTEGER.
3. real. The element content is of type REAL. 3. real. The element content is of type REAL.
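Review bot: The opening paragraph of 3.22.4 still reads "The Application class describes a software application", which repeats the 3.22.3 text instead of describing SoftwareReference. In the same section the figure lists "STRING enum-dtype" where the ApplicationHeader figure uses ext-dtype for the equivalent attribute, "the the" appears under spec-name, and the cpe and swid entries both still carry "[fix me. reference]".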
skipping to change at page 79, line 9 skipping to change at page 79, line 30
See Section 5.1.1. See Section 5.1.1.
ext-dtype ext-dtype
Optional. STRING. A means by which to extend the dtype Optional. STRING. A means by which to extend the dtype
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.23. OperatingSystem Class 3.23. OperatingSystem Class
The OperatingSystem class describes the operating system running on a The OperatingSystem class describes the operating system running on a
System. The definition is identical to the Application class System. The definition is identical to the Application class
(Section 3.22.2). (Section 3.22.3).
3.24. EmailData Class 3.24. EmailData Class
The EmailData class describes headers from an email message. Common The EmailData class describes headers from an email message. Common
headers have dedicated classes, but arbitrary headers can also be headers have dedicated classes, but arbitrary headers can also be
described. described.
+-------------------------+ +-------------------------+
| EmailData | | EmailData |
+-------------------------+ +-------------------------+
| ID observable-id |<>--{0..1}--[ EmailFrom ] | ID observable-id |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ] | |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ] | |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ] | |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..*}--[ HashData ] | |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ] | |<>--{0..*}--[ SignatureData ]
+-------------------------+ +-------------------------+
Figure 45: EmailData Class Figure 46: EmailData Class
The aggregate class that constitutes EmailData are: The aggregate class that constitutes EmailData are:
EmailFrom EmailFrom
Zero or one. The value of the "From:" header field in an email. Zero or one. The value of the "From:" header field in an email.
See Section 3.6.2 of [RFC5322]. See Section 3.6.2 of [RFC5322].
EmailSubject EmailSubject
Zero or one. The value of the "Subject:" header field in an Zero or one. The value of the "Subject:" header field in an
email. See Section 3.6.4 of [RFC5322]. email. See Section 3.6.4 of [RFC5322].
EmailX-Mailer EmailX-Mailer
Zero or one. The value of the "X-Mailer:" header field in an Zero or one. The value of the "X-Mailer:" header field in an
email. email.
EmailHeaderField EmailHeaderField
Zero or one. The value of an arbitrary header field in the email. Zero or one. The value of an arbitrary header field in the email.
See Section 3.22.1. The attributes of EmailHeaderField MUST be See Section 3.22.2. The attributes of EmailHeaderField MUST be
set as follows: proto="25" or proto-name="smtp", or both can be set as follows: proto="25" or proto-name="smtp", or both can be
set; and dtype="string". The name of the email header field MUST set; and dtype="string". The name of the email header field MUST
be set in the field attribute. be set in the field attribute.
HashData HashData
Zero or One. Hash(es) associated with this email. Zero or One. Hash(es) associated with this email.
SignatureData SignatureData
Zero or One. Signature(s) associated with this email. Zero or One. Signature(s) associated with this email.
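Review bot: The EmailHeaderField, HashData and SignatureData descriptions say "Zero or one" / "Zero or One", but Figure 46 gives all three a cardinality of {0..*}. The text should read "Zero or more" to match the figure. The lead-in "The aggregate class that constitutes EmailData are" also needs number agreement.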
skipping to change at page 80, line 27 skipping to change at page 80, line 49
this data will often be the output of monitoring tools. These logs this data will often be the output of monitoring tools. These logs
substantiate the activity described in the document. substantiate the activity described in the document.
+------------------------+ +------------------------+
| Record | | Record |
+------------------------+ +------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ] | ENUM restriction |<>--{1..*}--[ RecordData ]
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 46: Record Class Figure 47: Record Class
The aggregate class that constitutes Record is: The aggregate class that constitutes Record is:
RecordData RecordData
One or more. Log or audit data generated by a particular type of One or more. Log or audit data generated by a particular type of
sensor. Separate instances of the RecordData class SHOULD be used sensor. Separate instances of the RecordData class SHOULD be used
for each sensor type. for each sensor type.
The Record class has two attributes: The Record class has two attributes:
skipping to change at page 81, line 20 skipping to change at page 81, line 39
| ID observable-id |<>--{0..1}--[ Application ] | ID observable-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ] | |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ] | |<>--{0..*}--[ RecordItem ]
| |<>--{0..*}--[ FileData ] | |<>--{0..*}--[ FileData ]
| |<>--{0..*}--[ CertificateData ] | |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}-- | |<>--{0..*}--
| | [ WindowsRegistryKeysModified ] | | [ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 47: The RecordData Class Figure 48: The RecordData Class
The aggregate classes that constitutes RecordData is: The aggregate classes that constitutes RecordData is:
DateTime DateTime
Zero or one. Timestamp of the RecordItem data. Zero or one. Timestamp of the RecordItem data.
Description Description
Zero or more. ML_STRING. Free-form textual description of the Zero or more. ML_STRING. Free-form textual description of the
provided RecordItem data. At minimum, this description should provided RecordItem data. At minimum, this description should
convey the significance of the provided RecordItem data. convey the significance of the provided RecordItem data.
skipping to change at page 82, line 37 skipping to change at page 83, line 18
| STRING | | STRING |
| | | |
| ENUM type | | ENUM type |
| STRING ext-type | | STRING ext-type |
| INTEGER offset | | INTEGER offset |
| ENUM offsetunit | | ENUM offsetunit |
| STRING ext-offsetunit | | STRING ext-offsetunit |
| INTEGER instance | | INTEGER instance |
+-----------------------+ +-----------------------+
Figure 48: The RecordPattern Class Figure 49: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in The specific pattern to search with in the RecordItem is defined in
the body of the element. It is further annotated by six attributes: the body of the element. It is further annotated by six attributes:
type type
Required. ENUM. Describes the type of pattern being specified in Required. ENUM. Describes the type of pattern being specified in
the element content. The default is "regex". These values are the element content. The default is "regex". These values are
maintained in the "RecordPattern-type" IANA registry per Table 1. maintained in the "RecordPattern-type" IANA registry per Table 1.
1. regex. regular expression as defined by POSIX Extended 1. regex. regular expression as defined by POSIX Extended
Regular Expressions (ERE) in Chaper 9 of [IEEE.POSIX]. Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
2. binary. Binhex encoded binary pattern, per the HEXBIN data 2. binary. Binhex encoded binary pattern, per the HEXBIN data
type. type.
3. xpath. XML Path (XPath) [W3C.XPATH] 3. xpath. XML Path (XPath) [W3C.XPATH]
4. ext-value. An escape value used to extend this attribute. 4. ext-value. An escape value used to extend this attribute.
See Section 5.1.1. See Section 5.1.1.
ext-type ext-type
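Review bot: The type attribute is marked "Required" and in the same sentence given a default of "regex"; an attribute that must always be present cannot fall back to a default, so one of the two statements should go. In item 2, "Binhex encoded" sits next to a reference to the HEXBIN data type; BinHex is the name of a separate file encoding, so if plain hexadecimal is intended the text should say "hex-encoded binary pattern". Item 3 is also missing its closing period.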
skipping to change at page 84, line 17 skipping to change at page 84, line 42
The WindowsRegistryKeysModified class describes Windows operating The WindowsRegistryKeysModified class describes Windows operating
system registry keys and the operations that were performed on them. system registry keys and the operations that were performed on them.
This class was derived from [RFC5901]. This class was derived from [RFC5901].
+-----------------------------+ +-----------------------------+
| WindowsRegistryKeysModified | | WindowsRegistryKeysModified |
+-----------------------------+ +-----------------------------+
| ID observable-id |<>--{1..*}--[ Key ] | ID observable-id |<>--{1..*}--[ Key ]
+-----------------------------+ +-----------------------------+
Figure 49: The WindowsRegistryKeysModified Class Figure 50: The WindowsRegistryKeysModified Class
The aggregate class that constitutes the WindowsRegistryKeysModified The aggregate class that constitutes the WindowsRegistryKeysModified
class is: class is:
Key Key
One or many. The Window registry key. One or many. The Window registry key.
The WindowsRegistryKeysModified class has one attribute: The WindowsRegistryKeysModified class has one attribute:
observable-id observable-id
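Review bot: The Key description still reads "The Window registry key" on both sides of the change; it should be "The Windows registry key". The cardinality is written "One or many" here, while every other class in this section uses "One or more" for {1..*}, so align the wording.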
skipping to change at page 84, line 43 skipping to change at page 85, line 19
registry key name and value pair, and the operation performed on it. registry key name and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id | | ID observable-id |
+---------------------------+ +---------------------------+
Figure 50: The Key Class Figure 51: The Key Class
The aggregate classes that constitutes Key are: The aggregate classes that constitutes Key are:
KeyName KeyName
One. STRING. The name of the Windows operating system registry One. STRING. The name of the Windows operating system registry
key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName]) key (e.g.,[HKEY_LOCAL_MACHINE\Software\Test\KeyName])
KeyValue KeyValue
Zero or one. STRING. The value of the associated registry key Zero or one. STRING. The value of the associated registry key
encoded as in Microsoft .reg files [KB310516]. encoded as in Microsoft .reg files [KB310516].
skipping to change at page 85, line 48 skipping to change at page 86, line 24
The CertificateData class describes X.509 certificates. The CertificateData class describes X.509 certificates.
+------------------------+ +------------------------+
| CertificateData | | CertificateData |
+------------------------+ +------------------------+
| ID observable-id |<>--{1..*}--[ Certificate ] | ID observable-id |<>--{1..*}--[ Certificate ]
| ENUM restriction | | ENUM restriction |
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 51: The CertificateData Class Figure 52: The CertificateData Class
The aggregate classes that constitutes CertificateData are: The aggregate classes that constitutes CertificateData are:
Certificate Certificate
One or more. A certificate. One or more. A certificate.
The CertificateData class has three attributes: The CertificateData class has three attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
skipping to change at page 86, line 32 skipping to change at page 87, line 12
The Certificate class describes a given X.509 certificate or The Certificate class describes a given X.509 certificate or
certificate chain. certificate chain.
+--------------------------+ +--------------------------+
| Certificate | | Certificate |
+--------------------------+ +--------------------------+
| ENUM valid |<>----------[ ds: X509Data ] | ENUM valid |<>----------[ ds: X509Data ]
| ID observable-id | | ID observable-id |
+--------------------------+ +--------------------------+
Figure 52: The Certificate Class Figure 53: The Certificate Class
The aggregate classes that constitutes Certificate are: The aggregate classes that constitutes Certificate are:
ds:X509Data ds:X509Data
One. A given X.509 certificate or chain. See Section 4.4.4 of One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG]. [W3C.XMLSIG].
The Certificate class has one attribute: The Certificate class has one attribute:
valid valid
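Review bot: The sentence "The Certificate class has one attribute:" disagrees with the figure directly above it, which lists two attributes, "ENUM valid" and "ID observable-id". Either the count should be two with observable-id described after valid, or observable-id should be dropped from the figure. The lead-in "The aggregate classes that constitutes Certificate are:" also introduces a single class and needs singular agreement.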
skipping to change at page 87, line 19 skipping to change at page 87, line 48
analysis of an incident. analysis of an incident.
+------------------------+ +------------------------+
| FileData | | FileData |
+------------------------+ +------------------------+
| ID observable-id |<>--{1..*}--[ File ] | ID observable-id |<>--{1..*}--[ File ]
| ENUM restriction | | ENUM restriction |
| STRING ext-restriction | | STRING ext-restriction |
+------------------------+ +------------------------+
Figure 53: The FileData Class Figure 54: The FileData Class
The aggregate class that constitutes FileData is: The aggregate class that constitutes FileData is:
File File
One or more. A description of a file. One or more. A description of a file.
The FileData class has three attributes: The FileData class has three attributes:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
skipping to change at page 88, line 18 skipping to change at page 88, line 35
| ID observable-id |<>--{0..1}--[ FileName ] | ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ] | |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ] | |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ] | |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ] | |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ] | |<>--{0..1}--[ SignatureData ]
| |<>--{0..1}--[ AssociatedSoftware ] | |<>--{0..1}--[ AssociatedSoftware ]
| |<>--{0..*}--[ FileProperties ] | |<>--{0..*}--[ FileProperties ]
+-----------------------+ +-----------------------+
Figure 54: The File Class Figure 55: The File Class
The aggregate classes that constitutes File are: The aggregate classes that constitutes File are:
FileName FileName
Zero or One. STRING. The name of the file. Zero or One. STRING. The name of the file.
FileSize FileSize
Zero or One. INTEGER. The size of the file in bytes. Zero or One. INTEGER. The size of the file in bytes.
FileType FileType
skipping to change at page 88, line 44 skipping to change at page 89, line 13
Zero or more. A URL reference to the file. Zero or more. A URL reference to the file.
HashData HashData
Zero or One. Hash(es) associated with this file. Zero or One. Hash(es) associated with this file.
SignatureData SignatureData
Zero or One. Signature(s) associated with this file. Zero or One. Signature(s) associated with this file.
AssociatedSoftware AssociatedSoftware
Zero or One. The software application or operating system to Zero or One. The software application or operating system to
which this file belongs. See Section 3.22.2 for the definition. which this file belongs. See Section 3.22.3 for the definition.
FileProperties FileProperties
Zero or more. Mechanism by which to extend the data model to Zero or more. Mechanism by which to extend the data model to
describe properties of the file. See Section 3.9. describe properties of the file. See Section 3.9.
The File class has one attribute: The File class has one attribute:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
skipping to change at page 89, line 19 skipping to change at page 89, line 37
object (e.g., file, part of a file, email). object (e.g., file, part of a file, email).
+--------------------------+ +--------------------------+
| HashData | | HashData |
+--------------------------+ +--------------------------+
| ENUM scope |<>--{0..1}--[ HashTarget ] | ENUM scope |<>--{0..1}--[ HashTarget ]
| |<>--{0..*}--[ Hash ] | |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ] | |<>--{0..*}--[ FuzzyHash ]
+--------------------------+ +--------------------------+
Figure 55: The HashData Class Figure 56: The HashData Class
The aggregate classes that constitutes HashData are: The aggregate classes that constitutes HashData are:
HashTarget HashTarget
Zero or One. An identifier that references a a subset of the Zero or One. An identifier that references a a subset of the
object per the @scope attribute. object per the @scope attribute.
Hash Hash
Zero or more. The hash generated on the object. Zero or more. The hash generated on the object.
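Review bot: The HashTarget description keeps the doubled article in "references a a subset of the object" in both versions; drop one "a". The same sentence refers to "the @scope attribute" while the figure labels it "ENUM scope", so it would help to use one notation for attributes throughout.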
skipping to change at page 91, line 14 skipping to change at page 91, line 21
+----------------+ +----------------+
| Hash | | Hash |
+----------------+ +----------------+
| |<>----------[ ds:DigestMethod ] | |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ] | |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ ds:CannonicalizationMethod ] | |<>--{0..1}--[ ds:CannonicalizationMethod ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+----------------+ +----------------+
Figure 56: The Hash Class Figure 57: The Hash Class
The aggregate classes that constitutes Hash are: The aggregate classes that constitutes Hash are:
ds:DigestMethod ds:DigestMethod
One. The hash algorithm used to generate the hash. See One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG] Section 4.3.3.5 of [W3C.XMLSIG]
ds:DigestValue ds:DigestValue
One. The computed hash value. See Section 4.3.3.6 of One. The computed hash value. See Section 4.3.3.6 of
[W3C.XMLSIG]. [W3C.XMLSIG].
ds:CannonicalizationMethod ds:CannonicalizationMethod
Zero or one. The cannonicalization method used for the has. See Zero or one. The canonicalization method used for the has. See
Section 4.3.1 of [W3C.XMLSIG]. Section 4.3.1 of [W3C.XMLSIG].
Application Application
Zero or One. The application used to calculate the hash. Zero or One. The application used to calculate the hash.
The HashData class has no attribute: The HashData class has no attribute:
3.29.2. FuzzyHash Class 3.29.2. FuzzyHash Class
The FuzzyHash class describes a fuzzy hash (in an extensible way) and The FuzzyHash class describes a fuzzy hash (in an extensible way) and
the application used to generate it. the application used to generate it.
+--------------------------+ +--------------------------+
| FuzzyHash | | FuzzyHash |
+--------------------------+ +--------------------------+
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+--------------------------+ +--------------------------+
Figure 57: The FuzzyHash Class Figure 58: The FuzzyHash Class
The aggregate classes that constitutes FuzzyHash are: The aggregate classes that constitutes FuzzyHash are:
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
Application Application
Zero or One. The application used to calculate the hash. Zero or One. The application used to calculate the hash.
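Review bot: The description under ds:CannonicalizationMethod now spells "canonicalization" correctly, but the element name itself is still written "ds:CannonicalizationMethod" in the figure and in the list heading, and the sentence still ends "used for the has" instead of "used for the hash". Since the element is taken from [W3C.XMLSIG], the name should be spelled as that specification spells it, otherwise implementers matching on the name from this text will not find it. The closing line of the Hash section also says "The HashData class has no attribute:", which names the wrong class and contradicts the HashData figure that shows "ENUM scope"; it should read "The Hash class has no attributes."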
skipping to change at page 92, line 23 skipping to change at page 92, line 36
The SignatureData class describes different signatures on an given The SignatureData class describes different signatures on an given
object. object.
+--------------------------+ +--------------------------+
| SignatureData | | SignatureData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ ds:Signature ] | |<>--{1..*}--[ ds:Signature ]
+--------------------------+ +--------------------------+
Figure 58: The SignatureData Class Figure 59: The SignatureData Class
The aggregate classes that constitutes SignatureData are: The aggregate classes that constitutes SignatureData are:
Signature Signature
One or more. An given signature. See Section 4.2 of [W3C.XMLSIG] One or more. An given signature. See Section 4.2 of [W3C.XMLSIG]
The SignatureData class has no attribute: The SignatureData class has no attribute:
3.31. IndicatorData Class 3.31. IndicatorData Class
The IndicatorData class describes the indicators identified from The IndicatorData class describes the indicators identified from
analysis of an incident. analysis of an incident.
+--------------------------+ +--------------------------+
| IndicatorData | | IndicatorData |
+--------------------------+ +--------------------------+
| |<>--{1..*}--[ Indicator ] | |<>--{1..*}--[ Indicator ]
+--------------------------+ +--------------------------+
Figure 59: The IndicatorData Class Figure 60: The IndicatorData Class
The aggregate class that constitutes IndicatorData is: The aggregate class that constitutes IndicatorData is:
Indicator Indicator
One or more. An indicator from the incident. One or more. An indicator from the incident.
The IndicatorData class has no attributes. The IndicatorData class has no attributes.
3.32. Indicator Class 3.32. Indicator Class
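Review bot: The aggregate list for SignatureData names the class "Signature" while the figure shows "ds:Signature"; the list entry should carry the ds: prefix so it is clear the element comes from [W3C.XMLSIG] and not from the IODEF namespace. Both "on an given object" and "An given signature" should read "a given", and "The SignatureData class has no attribute:" should end with a period and use the plural, as the IndicatorData section below does.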
skipping to change at page 93, line 32 skipping to change at page 93, line 47
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ] | |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ] | |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ] | |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ] | |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 60: The Indicator Class Figure 61: The Indicator Class
The aggregate classes that constitute Indicator are: The aggregate classes that constitute Indicator are:
IndicatorID IndicatorID
One. An identifier for this indicator. See Section 3.32.1 One. An identifier for this indicator. See Section 3.32.1
AlternativeIndicatorID AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See Zero or one. An alternative identifier for this indicator. See
Section 3.32.2 Section 3.32.2
skipping to change at page 95, line 24 skipping to change at page 95, line 36
+------------------+ +------------------+
| IndicatorID | | IndicatorID |
+------------------+ +------------------+
| ID | | ID |
| | | |
| STRING name | | STRING name |
| STRING version | | STRING version |
+------------------+ +------------------+
Figure 61: The IndicatorID Class Figure 62: The IndicatorID Class
The IndicatorID class has two attributes: The IndicatorID class has two attributes:
name name
Required. STRING. An identifier describing the CSIRT that Required. STRING. An identifier describing the CSIRT that
created the indicator. In order to have a globally unique CSIRT created the indicator. In order to have a globally unique CSIRT
name, the fully qualified domain name associated with the CSIRT name, the fully qualified domain name associated with the CSIRT
MUST be used. This format is identical to the IncidentID@name MUST be used. This format is identical to the IncidentID@name
attribute in Section 3.4. attribute in Section 3.4.
skipping to change at page 95, line 50 skipping to change at page 96, line 17
The AlternativeIndicatorID class lists alternative identifiers for an The AlternativeIndicatorID class lists alternative identifiers for an
indicator. indicator.
+-------------------------+ +-------------------------+
| AlternativeIndicatorID | | AlternativeIndicatorID |
+-------------------------+ +-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ] | ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| STRING ext-restriction | | STRING ext-restriction |
+-------------------------+ +-------------------------+
Figure 62: The AlternativeIndicatorID Class Figure 63: The AlternativeIndicatorID Class
The aggregate class that constitutes AlternativeIndicatorID is: The aggregate class that constitutes AlternativeIndicatorID is:
IndicatorReference IndicatorReference
One or more. A reference to an indicator. One or more. A reference to an indicator.
The AlternativeIndicatorID class has two attributes: The AlternativeIndicatorID class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
skipping to change at page 96, line 48 skipping to change at page 97, line 28
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..*}--[ Expectation ]
| |<>--{0..*}--[ Reference ] | |<>--{0..*}--[ Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ] | |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +-------------------+
Figure 63: The Observable Class Figure 64: The Observable Class
The aggregate classes that constitute Observable are: The aggregate classes that constitute Observable are:
Address Address
Zero or One. An Address observable. See Section 3.20.1. Zero or One. An Address observable. See Section 3.20.1.
DomainData DomainData
Zero or One. A DomainData observable. See Section 3.21. Zero or One. A DomainData observable. See Section 3.21.
Service Service
Zero or One. A Service observable. See Section 3.22. Zero or One. A Service observable. See Section 3.22.
EmailData EmailData
Zero or One. A EmailData observable. See Section 3.24. Zero or One. A EmailData observable. See Section 3.24.
ApplicationHeader ApplicationHeader
Zero or One. An ApplicationHeader observable. See Zero or One. An ApplicationHeader observable. See
Section 3.22.1. Section 3.22.2.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or One. A WindowsRegistryKeysModified observable. See Zero or One. A WindowsRegistryKeysModified observable. See
Section 3.26. Section 3.26.
FileData FileData
Zero or One. A FileData observable. See Section 3.28. Zero or One. A FileData observable. See Section 3.28.
CertificateData CertificateData
Zero or One. A CertificateData observable. See Section 3.27. Zero or One. A CertificateData observable. See Section 3.27.
skipping to change at page 98, line 37 skipping to change at page 99, line 22
meta-data. meta-data.
+---------------------------+ +---------------------------+
| BulkObservable | | BulkObservable |
+---------------------------+ +---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ] | ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ] | STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 64: The BulkObservable Class Figure 65: The BulkObservable Class
The aggregate classes that constitutes BulkObservable are: The aggregate classes that constitutes BulkObservable are:
BulkObservableFormat BulkObservableFormat
Zero or one. Provides additional meta-data about the observables Zero or one. Provides additional meta-data about the observables
enumerated in the BulkObservableList class. enumerated in the BulkObservableList class.
BulkObservableList BulkObservableList
One. STRING. A list of observables, one per line. Each line is One. STRING. A list of observables, one per line. Each line is
seperated with either a CR or CR-and-LF. The type attribute will separated with either a CR character or CR-and-LF characters. The
specify the which observables will be listed. type attribute will specify the which observables will be listed.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
The BulkObservable class has two attributes: The BulkObservable class has two attributes:
type type
Optional. ENUM. The type of the observable listed in the child Optional. ENUM. The type of the observable listed in the child
ObservableList class. These values are maintained in the ObservableList class. These values are maintained in the
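Review bot: The BulkObservableList separator is defined as "either a CR character or CR-and-LF characters", which leaves a bare LF undefined even though that is the line ending many producers will emit; a consumer that splits only on CR would then treat the whole list as one observable. Suggest either adding LF to the permitted separators or stating explicitly that it is not allowed. The rewritten sentence still contains "will specify the which observables", and the type attribute description refers to the "ObservableList class" where the figure and list call it BulkObservableList.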
skipping to change at page 101, line 24 skipping to change at page 102, line 12
The ObservableFormat class specifies meta-data about the format of an The ObservableFormat class specifies meta-data about the format of an
observable enumerated in a sibling BulkObservableList class. observable enumerated in a sibling BulkObservableList class.
+---------------------------+ +---------------------------+
| BulkObservableFormat | | BulkObservableFormat |
+---------------------------+ +---------------------------+
| |<>--{0..1}--[ Hash ] | |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+---------------------------+ +---------------------------+
Figure 65: The BulkObservableFormat Class Figure 66: The BulkObservableFormat Class
The aggregate classes that constitutes BulkObservableFormat are: The aggregate classes that constitutes BulkObservableFormat are:
Hash Hash
Zero or one. Describes the format of a hash. Zero or one. Describes the format of a hash.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
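Review bot: The opening sentence calls this "The ObservableFormat class" while the figure, the caption and the aggregate lead-in all use BulkObservableFormat; the sentence should use the same name. The Hash entry says only "Describes the format of a hash"; a pointer to the section that defines the Hash class would tell implementers which of its children are expected here.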
skipping to change at page 102, line 15 skipping to change at page 102, line 50
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
Figure 66: The IndicatorExpression Class Figure 67: The IndicatorExpression Class
The aggregate classes that constitute IndicatorExpression are: The aggregate classes that constitute IndicatorExpression are:
IndicatorExpression IndicatorExpression
Zero or more. An expression composed of other observables or Zero or more. An expression composed of other observables or
indicators. indicators.
Observable Observable
Zero or more. A description of an observable. Zero or more. A description of an observable.
skipping to change at page 103, line 20 skipping to change at page 104, line 13
This class has no content. This class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 67: The ObservableReference Class Figure 68: The ObservableReference Class
The ObservableReference class has one attributes: The ObservableReference class has one attributes:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in the observable-id attribute.
3.32.6. IndicatorReference Class 3.32.6. IndicatorReference Class
skipping to change at page 103, line 45 skipping to change at page 104, line 38
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 68: The IndicatorReference Class Figure 69: The IndicatorReference Class
The IndicatorReference class has one attributes: The IndicatorReference class has one attributes:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class. class will have this identifier set in the IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
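Review bot: "The IndicatorReference class has one attributes:" does not match the figure, which lists three attributes (uid-ref, euid-ref and version), and the list that follows already describes more than one. The count should be corrected to three. Because uid-ref and euid-ref are both Optional, the text should also say whether at least one of them must be present, since a reference carrying neither identifies nothing.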
skipping to change at page 110, line 26 skipping to change at page 111, line 26
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</IODEF-Document </IODEF-Document
5.3. Deconflicting Private Extensions 5.3. Deconflicting Private Extensions
Private extensions used in a document can be labeled to attribute Private extensions used in a document can be labeled to attribute
their original specifier using the private-enum-name and private- their original specifier using the private-enum-name and private-
enum-id attributes. This allows a recipient of a document to enum-id attributes. This allows a recipient of a document to
disambiguiate private extensions. Only a single private extension disambiguate private extensions. Only a single private extension can
can be identified in a given IODEF-Document. be identified in a given IODEF-Document.
If a CSIRT has only a single private extension, then only the If a CSIRT has only a single private extension, then only the
private-enum-name attribute needs to be specified. Additional, private-enum-name attribute needs to be specified. Additional,
multiple distinct private extensions or versioning of a single multiple distinct private extensions or versioning of a single
extension can be accomplished by also setting the corresponding extension can be accomplished by also setting the corresponding
private-num-id attribute. private-num-id attribute.
The following XML excerpt demonstrates the specification of a private The following XML excerpt demonstrates the specification of a private
extension from "example.com" with an identifier of "13". extension from "example.com" with an identifier of "13".
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
private-enum-name="example.com" private-enum-name="example.com"
private-enum-id="13" private-enum-id="13"
... ...
</IODEF-Document> </IODEF-Document>
If an unrecognized private extension is encountered in processing,
the recipient MAY reject the entire document as a syntax error.
6. Internationalization Issues 6. Internationalization Issues
Internationalization and localization is of specific concern to the Internationalization and localization is of specific concern to the
IODEF, since it is only through collaboration, often across language IODEF, since it is only through collaboration, often across language
barriers, that certain incidents be resolved and threat information barriers, that certain incidents be resolved and threat information
shared. The IODEF supports this goal by depending on XML constructs, shared. The IODEF supports this goal by depending on XML constructs,
and through explicit design choices in the data model. and through explicit design choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports Since IODEF is implemented as an XML Schema, it implicitly supports
all the different character encodings, such as UTF-8 and UTF-16, all the different character encodings, such as UTF-8 and UTF-16,
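Review bot: The second paragraph of Section 5.3 refers to the "private-num-id attribute", while the first paragraph and the XML excerpt use private-enum-id; the attribute name should be spelled the same in all three places. The first paragraph says only a single private extension can be identified per document, and the next paragraph speaks of "multiple distinct private extensions", so it should be made clear that the id distinguishes extensions across documents, not within one. The added sentence allows a recipient to reject the document on an unrecognized private extension but does not say what a recipient that accepts it should do with the unrecognized values. The closing tag in the preceding example, "</IODEF-Document", is also still missing its ">".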
skipping to change at page 118, line 43 skipping to change at page 119, line 46
</EventData> </EventData>
</Incident> </Incident>
</IODEF-Document> </IODEF-Document>
8. The IODEF Schema 8. The IODEF Schema
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0" <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0" xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
xmlms:xml="http://www.w3c.org/XML/1998/namespace"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="qualified" elementFormDefault="qualified"
attributeFormDefault="unqualified"> attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3c.org/XML/1998/namespace"
schemaLocation="http://www.w3c.org/2001/xml.xsd">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#" <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/ schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/> REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0" <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
schemaLocation="http://www.iana.org/assignments/xml-registry/schema/iodef-enum-1.0.xsd" /> schemaLocation="http://www.iana.org/assignments/xml-registry/schema/iodef-enum-1.0.xsd" />
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3c.org/2001/xml.xsd" />
<xs:annotation> <xs:annotation>
<xs:documentation> <xs:documentation>
Incident Object Description Exchange Format v2.0, RFC5070-bis Incident Object Description Exchange Format v2.0, RFC5070bis
</xs:documentation> </xs:documentation>
</xs:annotation> </xs:annotation>
<!-- <!--
================================================================== ==================================================================
== IODEF-Document class == == IODEF-Document class ==
================================================================== ==================================================================
--> -->
<xs:element name="IODEF-Document"> <xs:element name="IODEF-Document">
<xs:complexType> <xs:complexType>
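Review bot: in the xs:import that carries the corrected namespace http://www.w3.org/XML/1998/namespace, the schemaLocation is still "http://www.w3c.org/2001/xml.xsd", the same w3c.org host that appears in the misspelled xmlms:xml line and the unclosed import this hunk replaces. The namespace URI and the xmldsig import both use www.w3.org, so the location should read http://www.w3.org/2001/xml.xsd. All three imports name remote schemaLocation URLs, so the text around the schema should also tell implementers to validate against locally stored copies instead of letting the parser dereference these URLs while processing an incoming document.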
skipping to change at page 120, line 31 skipping to change at page 121, line 33
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData" <xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History" <xs:element ref="iodef:History"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="purpose" use="required"> <xs:attribute name="purpose" use="required"
<xs:simpleType> type="incident-purpose-type"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-purpose" <xs:attribute name="ext-purpose"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="status"> <xs:attribute name="status" type="incident-status-type"/>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved" />
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-status" <xs:attribute name="ext-status"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" /> <xs:attribute ref="xml:lang" />
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
default="private"/> default="private"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="incident-purpose-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch" />
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="incident-status-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved" />
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!-- <!--
================================================================== ==================================================================
== IncidentID class == == IncidentID class ==
================================================================== ==================================================================
--> -->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/> <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType"> <xs:complexType name="IncidentIDType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="name" <xs:attribute name="name"
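Review bot: the new references type="incident-purpose-type" and type="incident-status-type" on the purpose and status attributes are unprefixed, while every other type reference in the same complexType is written with the prefix (type="iodef:restriction-type"). The unprefixed QNames resolve only because the schema header declares xmlns="urn:ietf:params:xml:ns:iodef-2.0" as the default namespace, so a fragment copied into a schema with a different default namespace stops resolving. Suggest type="iodef:incident-purpose-type" and type="iodef:incident-status-type" for consistency.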
skipping to change at page 122, line 48 skipping to change at page 124, line 4
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== ThreatActor class == == ThreatActor class ==
================================================================== ==================================================================
--> -->
<xs:element name="ThreatActor"> <xs:element name="ThreatActor">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice> <xs:choice>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ThreatActorID" /> <xs:element ref="iodef:ThreatActorID" />
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="1" maxOccurs="unbounded"/> minOccurs="1" maxOccurs="unbounded"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
skipping to change at page 124, line 10 skipping to change at page 125, line 14
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="CampaignID" type="xs:string"/> <xs:element name="CampaignID" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== AdditionalData class == == AdditionalData class ==
================================================================== ==================================================================
--> -->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/> <xs:element name="AdditionalData"
type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
== Contact class == == Contact class ==
================================================================== ==================================================================
--> -->
<xs:element name="Contact"> <xs:element name="Contact">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ContactName" <xs:element ref="iodef:ContactName"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
skipping to change at page 124, line 42 skipping to change at page 125, line 47
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax" <xs:element ref="iodef:Fax"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Timezone" <xs:element ref="iodef:Timezone"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="role" use="required"> <xs:attribute name="role" use="required"
<xs:simpleType> type="contact-role-type"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-role" <xs:attribute name="ext-role"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" use="required"> <xs:attribute name="type" use="required"
<xs:simpleType> type="contact-type-type"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="contact-role-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="zone"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="contact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ContactName" <xs:element name="ContactName"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="ContactTitle" <xs:element name="ContactTitle"
type="iodef:MLStringType"/> type="iodef:MLStringType"/>
<xs:element name="RegistryHandle"> <xs:element name="RegistryHandle">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="registry"> <xs:attribute name="registry"
<xs:simpleType> type="registryhandle-registry-type"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry" <xs:attribute name="ext-registry"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="registryhandle-registry-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="PostalAddress"> <xs:element name="PostalAddress">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
skipping to change at page 127, line 48 skipping to change at page 129, line 9
<xs:element name="HistoryItem"> <xs:element name="HistoryItem">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime"/> <xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" <xs:element ref="iodef:IncidentID"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA" <xs:element ref="iodef:DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" use="required"/> type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
skipping to change at page 128, line 18 skipping to change at page 129, line 26
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="action" <xs:attribute name="action"
type="iodef:action-type" use="required"/> type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action" <xs:attribute name="ext-action"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="DefinedCOA" type="iodef:MLStringType"/>
<!-- <!--
================================================================== ==================================================================
== Expectation class == == Expectation class ==
================================================================== ==================================================================
--> -->
<xs:element name="Expectation"> <xs:element name="Expectation">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DefinedCOA" <xs:element ref="iodef:DefinedCOA"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" <xs:element ref="iodef:StartTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:EndTime" <xs:element ref="iodef:EndTime"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" type="iodef:restriction-type"
skipping to change at page 129, line 21 skipping to change at page 130, line 32
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern" <xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="source" <xs:attribute name="source"
use="optional" default="unknown"> type="discovery-source-type"
<xs:simpleType> use="optional" default="unknown"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-source" <xs:attribute name="ext-source"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="discovery-source-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="DetectionPattern"> <xs:element name="DetectionPattern">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Application"/> <xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration" <xs:element name="DetectionConfiguration"
type="xs:string" type="xs:string"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
skipping to change at page 131, line 26 skipping to change at page 132, line 38
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Assessment class == == Assessment class ==
================================================================== ==================================================================
--> -->
<xs:element name="Assessment"> <xs:element name="Assessment">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="IncidentCategory" <xs:element ref="iodef:IncidentCategory"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:SystemImpact"/> <xs:element ref="iodef:SystemImpact"/>
<xs:element name="BusinessImpact" <xs:element ref="iodef:BusinessImpact"/>
type="iodef:BusinessImpactType" />
<xs:element ref="iodef:TimeImpact"/> <xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/> <xs:element ref="iodef:MonetaryImpact"/>
<xs:element name="IntendedImpact" <xs:element ref="iodef:IntendedImpact"/>
type="iodef:BusinessImpactType"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="MitigatingFactor" <xs:element ref="MitigatingFactor"
type="iodef:MLStringType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/> <xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="occurrence"> <xs:attribute name="occurrence">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/> <xs:enumeration value="actual"/>
<xs:enumeration value="potential"/> <xs:enumeration value="potential"/>
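Review bot: in the Assessment sequence the replacement line reads ref="MitigatingFactor" with no prefix, while the other elements converted in this hunk use ref="iodef:IncidentCategory", ref="iodef:BusinessImpact" and ref="iodef:IntendedImpact". It resolves through the default namespace, but the inconsistency looks like an oversight. Suggest ref="iodef:MitigatingFactor".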
skipping to change at page 132, line 17 skipping to change at page 133, line 24
</xs:attribute> </xs:attribute>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="IncidentCategory" type="iodef:MLStringType"/>
<xs:element name="BusinessImpact"
type="iodef:BusinessImpactType"/>
<xs:element name="IntendedImpact"
type="iodef:BusinessImpactType"/>
<xs:element name="MitigatingFactor"
type="iodef:MLStringType"/>
<xs:element name="SystemImpact"> <xs:element name="SystemImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="completion"> <xs:attribute name="completion">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/> <xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/> <xs:enumeration value="succeeded"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
<xs:attribute name="type" <xs:attribute name="type"
use="optional"> type="systemimpact-type-type"
<xs:simpleType> use="optional"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/>
<xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/>
<xs:enumeration value="availibility-account"/>
<xs:enumeration value="availibility-service"/>
<xs:enumeration value="availibility-system"/>
<xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="systemimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="admin"/>
<xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/>
<xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/>
<xs:enumeration value="availibility-account"/>
<xs:enumeration value="availibility-service"/>
<xs:enumeration value="availibility-system"/>
<xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="BusinessImpactType"> <xs:complexType name="BusinessImpactType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="severity" <xs:attribute name="severity"
use="optional"> type="businessimpact-severity-type"
<xs:simpleType> use="optional"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-severity" <xs:attribute name="ext-severity"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="type" <xs:attribute name="type"
use="optional"> type="businessimpact-type-type"
<xs:simpleType> use="optional"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:simpleType name="businessimpact-severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="businessimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service" />
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="TimeImpact"> <xs:element name="TimeImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="metric" <xs:attribute name="metric" use="required"
use="required"> type="timeimpact-metric-type"/>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="timeimpact-metric-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="MonetaryImpact"> <xs:element name="MonetaryImpact">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType"> <xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" <xs:attribute name="severity"
type="iodef:severity-type"/> type="iodef:severity-type"/>
<xs:attribute name="currency" <xs:attribute name="currency"
type="xs:string"/> type="xs:string"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Confidence"> <xs:element name="Confidence">
<xs:complexType mixed="true"> <xs:complexType mixed="true">
<xs:attribute name="rating" use="required"> <xs:attribute name="rating" use="required"
<xs:simpleType> type="confidence-rating-type"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="confidence-rating-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<!-- <!--
================================================================== ==================================================================
== EventData class == == EventData class ==
================================================================== ==================================================================
--> -->
<xs:element name="EventData"> <xs:element name="EventData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
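Review bot: In the new column, the TimeImpact `metric` attribute and the Confidence `rating` attribute reference their extracted types without a prefix (`type="timeimpact-metric-type"`, `type="confidence-rating-type"`), while the neighbouring TimeImpact attributes use `type="iodef:severity-type"` and `type="iodef:duration-type"`. The unprefixed QNames resolve only if the schema's default namespace is the IODEF target namespace, which this hunk does not show. Writing `iodef:timeimpact-metric-type` and `iodef:confidence-rating-type` would make the references independent of that declaration and consistent with the prefixed ones. The same applies to the other extracted enumeration types later in the diff.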
skipping to change at page 136, line 24 skipping to change at page 137, line 46
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Flow class == == Flow class ==
================================================================== ==================================================================
--> -->
<!-- Added System unbounded for use only when the source or
target watchlist is in use, otherwise only one system entry
is expected.
-->
<xs:element name="Flow"> <xs:element name="Flow">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:System" <xs:element ref="iodef:System"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== System class == == System class ==
================================================================== ==================================================================
--> -->
<xs:element name="System"> <xs:element name="System">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
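Review bot: The comment added above the Flow element states a constraint (more than one System only when a source or target watchlist is in use) that the unchanged `maxOccurs="unbounded"` on `iodef:System` does not enforce, so a schema-valid document can carry any number of System entries in any Flow. The comment also reads as a change note ("Added System unbounded ...") rather than a standing rule. Consider rewording it and stating the constraint in the Flow class text, so implementers know to check it after schema validation.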
skipping to change at page 137, line 16 skipping to change at page 138, line 35
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="category"> <xs:attribute name="category" type="system-category-type"/>
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="interface" <xs:attribute name="interface"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="spoofed" type="yes-no-unknown-type" <xs:attribute name="spoofed" type="yes-no-unknown-type"
default="unknown" /> default="unknown" />
<xs:attribute name="virtual" type="yes-no-unknown-type" <xs:attribute name="virtual" type="yes-no-unknown-type"
use="optional" default="unknown"/> use="optional" default="unknown"/>
<xs:attribute name="ownership"> <xs:attribute name="ownership" type="system-ownership-type"
<xs:simpleType> use="optional" />
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-ownership" <xs:attribute name="ext-ownership"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="system-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="system-ownership-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!-- <!--
================================================================== ==================================================================
== Node class == == Node class ==
================================================================== ==================================================================
--> -->
<xs:element name="Node"> <xs:element name="Node">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:choice maxOccurs="unbounded"> <xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData" minOccurs="0" <xs:element ref="iodef:DomainData" minOccurs="0"
skipping to change at page 138, line 34 skipping to change at page 140, line 6
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter" <xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Address"> <xs:element name="Address">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr"> <xs:attribute name="category"
<xs:simpleType> type="address-category-type"
<xs:restriction base="xs:NMTOKEN"> default="ipv4-addr"/>
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" <xs:attribute name="vlan-name"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="vlan-num" <xs:attribute name="vlan-num"
type="xs:integer"/> type="xs:integer"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="address-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole"> <xs:element name="NodeRole">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="iodef:MLStringType"> <xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required"> <xs:attribute name="category"
<xs:simpleType> type="noderole-category-type"
<xs:restriction base="xs:NMTOKEN"> use="required"/>
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail" />
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category" <xs:attribute name="ext-category"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" />
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="noderole-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail" />
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!-- <!--
================================================================== ==================================================================
== Service Class == == Service Class ==
================================================================== ==================================================================
--> -->
<xs:element name="Service"> <xs:element name="Service">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="ServiceName" <xs:element ref="iodef:ServiceName"
type="xs:string" minOccurs="0"/> minOccurs="0"/>
<xs:choice minOccurs="0"> <xs:choice minOccurs="0">
<xs:element name="Port" <xs:element ref="iodef:Port"/>
type="xs:integer"/> <xs:element ref="iodef:Portlist"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice> </xs:choice>
<xs:element name="ProtoType" <xs:element ref="iodef:ProtoType" minOccurs="0"/>
type="xs:integer" minOccurs="0"/> <xs:element ref="iodef:ProtoCode" minOccurs="0"/>
<xs:element name="ProtoCode" <xs:element ref="iodef:ProtoField" minOccurs="0"/>
type="xs:integer" minOccurs="0"/> <xs:element ref="iodef:ApplicationHeader"
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="EmailData" minOccurs="0"/> <xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="ip-protocol" <xs:attribute name="ip-protocol"
type="xs:integer" use="required"/> type="xs:integer" use="required"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string"> <xs:element name="Port" type="xs:integer"/>
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> <xs:element name="Portlist" type="iodef:PortlistType"/>
</xs:restriction> <xs:element name="ProtoType" type="xs:integer"/>
</xs:simpleType> <xs:element name="ProtoCode" type="xs:integer"/>
<xs:element name="ProtoField" type="xs:integer"/>
<xs:element name="ApplicationHeader"
type="iodef:ApplicationHeaderType"/>
<xs:element name="ServiceName">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IANAService"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="IANAService" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== Counter class == == Counter class ==
================================================================== ==================================================================
--> -->
<xs:element name="Counter"> <xs:element name="Counter">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:double"> <xs:extension base="xs:double">
<xs:attribute name="type" use="required" <xs:attribute name="type"
default="counter"> type="counter-type-type"
<xs:simpleType> use="required"/>
<xs:restriction base="xs:NMTOKEN"> <xs:attribute name="unit"
<xs:enumeration value="counter"/> type="counter-unit-type"
<xs:enumeration value="rate"/> use="required"/>
<xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="unit" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="duration" <xs:attribute name="duration"
type="iodef:duration-type"/> type="iodef:duration-type"/>
<xs:attribute name="ext-duration" <xs:attribute name="ext-duration"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="counter-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="counter"/>
<xs:enumeration value="rate"/>
<xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="counter-unit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!-- <!--
================================================================== ==================================================================
== EmailData class == == EmailData class ==
================================================================== ==================================================================
--> -->
<xs:element name="EmailData"> <xs:element name="EmailData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="EmailFrom" <xs:element ref="iodef:EmailFrom" minOccurs="0"/>
type="iodef:MLStringType" minOccurs="0"/> <xs:element ref="iodef:EmailSubject" minOccurs="0"/>
<xs:element name="EmailSubject" <xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
type="iodef:MLStringType" minOccurs="0"/> <xs:element ref="iodef:EmailHeaderField" minOccurs="0"/>
<xs:element name="EmailX-Mailer" <xs:element ref="iodef:HashData"
type="iodef:MLStringType" minOccurs="0"/> minOccurs="0" />
<xs:element ref="SignatureData"
<xs:element name="EmailHeaderField" minOccurs="0" />
type="iodef:ApplicationHeaderType"
minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0" />
<xs:element ref="SignatureData"
minOccurs="0" />
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="EmailFrom" type="iodef:MLStringType"/>
<xs:element name="EmailSubject" type="iodef:MLStringType"/>
<xs:element name="EmailX-Mailer" type="iodef:MLStringType"/>
<xs:element name="EmailHeaderField"
type="iodef:ApplicationHeaderType"/>
<!-- <!--
================================================================== ==================================================================
== DomainData class - from RFC5901 == == DomainData class - from RFC5901 ==
================================================================== ==================================================================
--> -->
<xs:element name="DomainData"> <xs:element name="DomainData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Name" <xs:element ref="iodef:Name" maxOccurs="1" />
type="xs:string" maxOccurs="1" /> <xs:element ref="iodef:DateDomainWasChecked"
<xs:element name="DateDomainWasChecked"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RegistrationDate" <xs:element ref="iodef:RegistrationDate"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="ExpirationDate" <xs:element ref="iodef:ExpirationDate"
type="xs:dateTime"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
<xs:element name="RelatedDNS" <xs:element ref="iodef:RelatedDNS"
type="iodef:RelatedDNSEntryType"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Nameservers" <xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:DomainContacts" <xs:element ref="iodef:DomainContacts"
minOccurs="0" maxOccurs="1" /> minOccurs="0" maxOccurs="1" />
</xs:sequence> </xs:sequence>
<xs:attribute name="system-status"
<xs:attribute name="system-status"> type="domaindata-system-status-type"/>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-system-status" <xs:attribute name="ext-system-status"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="domain-status"> <xs:attribute name="domain-status"
<xs:simpleType> type="domaindata-domain-status-type"/>
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-domain-status" <xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RelatedDNS" <xs:element name="Name" type="xs:string"/>
type="iodef:RelatedDNSEntryType"/> <xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:complexType name="RelatedDNSEntryType"> <xs:element name="RegistrationDate" type="xs:dateTime"/>
<xs:element name="ExpirationDate" type="xs:dateTime"/>
<xs:simpleType name="domaindata-system-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="domaindata-domain-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RelatedDNS">
<xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="record-type" use="optional"> <xs:attribute name="record-type" use="optional">
<xs:simpleType> <xs:simpleType>
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/> <xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/> <xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/> <xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/> <xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/> <xs:enumeration value="AXFR"/>
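Review bot: In the new EmailData sequence the reference `<xs:element ref="SignatureData" minOccurs="0" />` is still unprefixed, although this revision corrects the same pattern in Service (`ref="EmailData"` became `ref="iodef:EmailData"`) and prefixes every other child of EmailData. It should read `ref="iodef:SignatureData"` if SignatureData is declared in the IODEF namespace. Two smaller points in this hunk: the extracted `domaindata-system-status-type` and `domaindata-domain-status-type` keep `base="xs:string"` where every other enumerated type here uses `xs:NMTOKEN`, so surrounding whitespace in these two attributes is not collapsed before the enumeration check. Also, the old column's PortlistType definition has no counterpart in the new column of this hunk while `Portlist` still references `iodef:PortlistType`, so confirm the type is still defined elsewhere in the schema.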
skipping to change at page 145, line 38 skipping to change at page 147, line 29
<xs:enumeration value="TKEY"/> <xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/> <xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/> <xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/> <xs:enumeration value="TXT"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
</xs:attribute> </xs:attribute>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element>
<xs:element name="Nameservers"> <xs:element name="Nameservers">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="Server" type="xs:string"/> <xs:element ref="iodef:Server"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/> <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Server" type="xs:string"/>
<xs:element name="DomainContacts"> <xs:element name="DomainContacts">
<xs:complexType> <xs:complexType>
<xs:choice> <xs:choice>
<xs:element name="SameDomainContact" <xs:element ref="iodef:SameDomainContact"/>
type="xs:string"/>
<xs:element ref="iodef:Contact" <xs:element ref="iodef:Contact"
maxOccurs="unbounded" minOccurs="1"/> maxOccurs="unbounded" minOccurs="1"/>
</xs:choice> </xs:choice>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="SameDomainContact" type="xs:string"/>
<!-- <!--
================================================================== ==================================================================
== Record class == == Record class ==
================================================================== ==================================================================
--> -->
<xs:element name="Record"> <xs:element name="Record">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:RecordData" <xs:element ref="iodef:RecordData"
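Review bot: RelatedDNS changes from an element of the named type `iodef:RelatedDNSEntryType` to an element with an anonymous complexType (the `</xs:element>` added at the top of this hunk closes it), which removes a type name that extension schemas or generated bindings may reference. Its `record-type` enumeration also stays inline while the other enumerations in this revision are extracted into named simple types. Either keep the named complexType or extract `record-type` for consistency, and record the choice in the change log.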
skipping to change at page 147, line 10 skipping to change at page 149, line 4
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="RecordPattern"> <xs:element name="RecordPattern">
<xs:complexType> <xs:complexType>
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="type" use="required"> <xs:attribute name="type"
<xs:simpleType> type="recordpattern-type-type"
<xs:restriction base="xs:NMTOKEN"> use="required"/>
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="offset" <xs:attribute name="offset"
type="xs:integer" use="optional"/> type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit" <xs:attribute name="offsetunit"
use="optional" default="line"> type="recordpattern-offsetunit-type"
<xs:simpleType> use="optional" default="line"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit" <xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="instance" <xs:attribute name="instance"
type="xs:integer" use="optional"/> type="xs:integer" use="optional"/>
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="recordpattern-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="recordpattern-offsetunit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RecordItem" <xs:element name="RecordItem"
type="iodef:ExtensionType"/> type="iodef:ExtensionType"/>
<!-- <!--
================================================================== ==================================================================
== Class to describe Windows Registry Keys == == Class to describe Windows Registry Keys ==
================================================================== ==================================================================
-->
-->
<xs:element name="WindowsRegistryKeysModified"> <xs:element name="WindowsRegistryKeysModified">
-&gt; <xs:complexType>
<xs:complexType> <xs:sequence>
<xs:sequence> <xs:element ref="iodef:Key"
<xs:element name="Key" maxOccurs="unbounded"> maxOccurs="unbounded"/>
<xs:complexType> </xs:sequence>
<xs:sequence> <xs:attribute name="observable-id"
<xs:element name="KeyName" type="xs:string"/> type="xs:ID" use="optional"/>
<xs:element name="Value" </xs:complexType>
type="xs:string" minOccurs="0"/> </xs:element>
</xs:sequence>
<xs:attribute name="registryaction"> <xs:element name="Key">
<xs:simpleType> <xs:complexType>
<xs:restriction base="xs:NMTOKEN"> <xs:sequence>
<xs:enumeration value="add-key"/> <xs:element ref="iodef:KeyName"/>
<xs:enumeration value="add-value"/> <xs:element ref="iodef:Value" minOccurs="0"/>
<xs:enumeration value="delete-key"/> </xs:sequence>
<xs:enumeration value="delete-value"/> <xs:attribute name="registryaction"
<xs:enumeration value="modify-key"/> type="key-registryaction-type"/>
<xs:enumeration value="modify-value"/> <xs:attribute name="ext-registryaction"
<xs:enumeration value="ext-value"/> type="xs:string" use="optional"/>
</xs:restriction> </xs:complexType>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element> </xs:element>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" type="xs:string"/>
<xs:simpleType name="key-registryaction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!-- <!--
================================================================ ================================================================
== Classes to describe a file == == Classes to describe a file ==
================================================================ ================================================================
--> -->
<xs:element name="FileData"> <xs:element name="FileData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:File" <xs:element ref="iodef:File"
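Review bot: The new `registryaction` attribute on the global `Key` element references `type="key-registryaction-type"` with no `iodef:` prefix, while neighbouring references in the same schema are written `iodef:ExtensionType` and `iodef:restriction-type`. Unless the schema's default namespace is also the IODEF target namespace, that QName will not resolve and the schema will not compile; writing `type="iodef:key-registryaction-type"` removes the dependency. The `recordpattern-type-type` and `recordpattern-offsetunit-type` definitions in this region deserve the same check wherever they are referenced. `KeyName` and `Value` remain plain `xs:string`, so consumers should treat both as untrusted free text when matching or displaying them.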
skipping to change at page 149, line 16 skipping to change at page 151, line 20
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="File"> <xs:element name="File">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="FileName" type="xs:string" <xs:element ref="iodef:FileName" minOccurs="0" />
minOccurs="0" /> <xs:element ref="iodef:FileSize" minOccurs="0" />
<xs:element name="FileSize" type="xs:integer" <xs:element ref="FileType" minOccurs="0" />
minOccurs="0" />
<xs:element name="FileType" type="xs:integer"
minOccurs="0" />
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData" <xs:element ref="iodef:HashData"
minOccurs="0" /> minOccurs="0" />
<xs:element ref="ds:Signature" <xs:element ref="ds:Signature"
minOccurs="0" /> minOccurs="0" />
<xs:element name="Application" <xs:element name="Application"
type="iodef:SoftwareType" minOccurs="0"/> type="iodef:SoftwareType" minOccurs="0"/>
<xs:element ref="iodef:FileProperties" <xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FileProperties" <xs:element name="FileName" type="xs:string"/>
type="iodef:ExtensionType"/> <xs:element name="FileSize" type="xs:integer"/>
<xs:element name="FileType" type="xs:integer"/>
<xs:element name="FileProperties" type="iodef:ExtensionType"/>
<!-- <!--
================================================================ ================================================================
== Classes to describe a hash == == Classes to describe a hash ==
================================================================ ================================================================
--> -->
<xs:element name="HashData"> <xs:element name="HashData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element name="HashTarget" type="iodef:MLStringType" <xs:element ref="iodef:HashTarget" minOccurs="0"/>
minOccurs="0"/>
<xs:element ref="iodef:Hash" <xs:element ref="iodef:Hash"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FuzzyHash" <xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="scope" use="required"> <xs:attribute name="scope"
<xs:simpleType> type="hashdata-scope-type"
<xs:restriction base="xs:NMTOKEN"> use="required"/>
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-scope" <xs:attribute name="ext-scope"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="HashTarget" type="iodef:MLStringType"/>
<xs:simpleType name="hashdata-scope-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Hash"> <xs:element name="Hash">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:DigestMethod" /> <xs:element ref="ds:DigestMethod" />
<xs:element ref="ds:DigestValue" /> <xs:element ref="ds:DigestValue" />
<xs:element ref="ds:CanonicalizationMethod" /> <xs:element ref="ds:CanonicalizationMethod" />
<xs:element ref="iodef:Application" <xs:element ref="iodef:Application"
minOccurs="0"/> minOccurs="0"/>
</xs:sequence> </xs:sequence>
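Review bot: In the `File` sequence the new `<xs:element ref="FileType" minOccurs="0" />` drops the `iodef:` prefix that the two lines above it use for `iodef:FileName` and `iodef:FileSize`; make it `ref="iodef:FileType"` so the reference does not depend on the default namespace. The same applies to `type="hashdata-scope-type"` on the `scope` attribute of `HashData`. Separately, `FileType` is still declared as `xs:integer` in its new global form; if the class description defines it as a textual label such as a media type, an integer cannot carry it, so confirm the type against the prose.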
skipping to change at page 151, line 25 skipping to change at page 153, line 31
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================ ================================================================
== Classes to describe a certficate == == Classes to describe a certficate ==
================================================================ ================================================================
--> -->
<xs:element name="CertificateData"> <xs:element name="CertificateData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Certificate" <xs:element ref="iodef:Certificate"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type"/> type="iodef:restriction-type"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Certificate"> <xs:element name="Certificate">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:X509Data" /> <xs:element ref="ds:X509Data" />
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" <xs:attribute name="observable-id"
type="xs:ID" use="optional"/> type="xs:ID" use="optional"/>
</xs:complexType>
</xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Classes that describe software == == Classes that describe software ==
================================================================== ==================================================================
--> -->
<xs:complexType name="SoftwareType"> <xs:complexType name="SoftwareType">
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:SoftwareReference" <xs:element ref="iodef:SoftwareReference"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded" /> minOccurs="0" maxOccurs="unbounded" />
</xs:sequence> </xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType> </xs:complexType>
<xs:element name="SoftwareReference"> <xs:element name="SoftwareReference">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="spec-name" use="required"> <xs:attribute name="spec-name"
<xs:simpleType> type="softwarereference-spec-name-type"
<xs:restriction base="xs:NMTOKEN"> use="required"/>
<xs:enumeration value="custom"/>
<xs:enumeration value="cpe"/>
<xs:enumeration value="swid"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-spec-name" <xs:attribute name="ext-spec-name"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="dtype" use="required"> <xs:attribute name="dtype"
<xs:simpleType> type="softwarereference-dtype-type"
<xs:restriction base="xs:NMTOKEN"> use="optional"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-dtype" <xs:attribute name="ext-dtype"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Application" <xs:simpleType name="softwarereference-spec-name-type">
type="iodef:SoftwareType"/> <xs:restriction base="xs:NMTOKEN">
<xs:element name="OperatingSystem" <xs:enumeration value="custom"/>
type="iodef:SoftwareType"/> <xs:enumeration value="cpe"/>
<xs:enumeration value="swid"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="softwarereference-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="bytes"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Application" type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
<!-- <!--
================================================================== ==================================================================
== IndicatorData classes == == IndicatorData classes ==
================================================================== ==================================================================
--> -->
<xs:element name="IndicatorData"> <xs:element name="IndicatorData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Indicator" <xs:element ref="iodef:Indicator"
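Review bot: The `dtype` attribute of `SoftwareReference` goes from `use="required"` to `use="optional"`, but the element body is still `xs:any` with `processContents="lax"`, so a receiver has no declared type for the content when the attribute is absent. Either keep it required or state in the class description how the content is interpreted without it. The `swid`, `configid`, `vendor`, `family`, `name`, `version` and `patch` attributes of `SoftwareType` appear on only one side of this change; if they are being dropped, the change log should say so, since instance documents that carry them will stop validating. The two new type references (`softwarereference-spec-name-type`, `softwarereference-dtype-type`) lack the `iodef:` prefix, and the section banner still reads "certficate".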
skipping to change at page 156, line 4 skipping to change at page 157, line 46
<xs:element name="BulkObservable"> <xs:element name="BulkObservable">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:BulkObservableFormat" <xs:element ref="iodef:BulkObservableFormat"
minOccurs="0"/> minOccurs="0"/>
<xs:element name="BulkObservableList" <xs:element name="BulkObservableList"
type="xs:string" minOccurs="0"/> type="xs:string" minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="type" <xs:attribute name="type"
use="required"> type="observable-type-type"
<xs:simpleType> use="required"/>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="fqdn"/>
<xs:enumeration value="doman-name"/>
<xs:enumeration value="domain-to-ipv4"/>
<xs:enumeration value="domain-to-ipv6"/>
<xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type" <xs:attribute name="ext-type"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="observable-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="fqdn"/>
<xs:enumeration value="doman-name"/>
<xs:enumeration value="domain-to-ipv4"/>
<xs:enumeration value="domain-to-ipv6"/>
<xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="BulkObservableFormat"> <xs:element name="BulkObservableFormat">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Hash" <xs:element ref="iodef:Hash"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
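Review bot: The enumeration value `doman-name` is copied unchanged into the new named type `observable-type-type`; it should read `domain-name`, and a refactoring that touches every line of the list is the right place to fix it. The list also has no `ext-value` entry even though `BulkObservable` keeps its `ext-type` attribute, so under this schema the extension attribute can never be selected. The `type="observable-type-type"` reference is unprefixed, unlike the `iodef:` references used for elements in the same block.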
skipping to change at page 157, line 23 skipping to change at page 159, line 16
<xs:element ref="iodef:Observable" <xs:element ref="iodef:Observable"
minOccurs="0" /> minOccurs="0" />
<xs:element ref="iodef:ObservableReference" <xs:element ref="iodef:ObservableReference"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:IndicatorReference" <xs:element ref="iodef:IndicatorReference"
minOccurs="0"/> minOccurs="0"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AlternativeIndicatorID" <xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="operator" use="required"> <xs:attribute name="operator"
<xs:simpleType> type="indicatorexpression-operator-type"
<xs:restriction base="xs:NMTOKEN"> use="required">
<xs:enumeration value="not"/>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute> </xs:attribute>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="indicatorexpression-operator-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="not"/>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ObservableReference"> <xs:element name="ObservableReference">
<xs:complexType> <xs:complexType>
<xs:attribute name="uid-ref" <xs:attribute name="uid-ref"
type="xs:IDREF" use="required"/> type="xs:IDREF" use="required"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="IndicatorReference"> <xs:element name="IndicatorReference">
<xs:complexType> <xs:complexType>
<xs:attribute name="uid-ref" <xs:attribute name="uid-ref"
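Review bot: The rewritten `operator` attribute is left as an open tag ending in `use="required">` and is closed by a separate `</xs:attribute>`, where the other attributes converted to named types in this revision are self-closed with `/>`. It is still well-formed, but it reads like a leftover from removing the inline `xs:simpleType`; end the tag with `use="required"/>` and delete the end tag. `type="indicatorexpression-operator-type"` should also carry the `iodef:` prefix to match the other type references.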
skipping to change at page 158, line 4 skipping to change at page 159, line 48
<xs:element name="IndicatorReference"> <xs:element name="IndicatorReference">
<xs:complexType> <xs:complexType>
<xs:attribute name="uid-ref" <xs:attribute name="uid-ref"
type="xs:IDREF" use="optional"/> type="xs:IDREF" use="optional"/>
<xs:attribute name="euid-ref" <xs:attribute name="euid-ref"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="version" <xs:attribute name="version"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<!-- <!--
================================================================== ==================================================================
== Miscellaneous simple classes == == Miscellaneous simple classes ==
================================================================== ==================================================================
--> -->
<xs:element name="Description" <xs:element name="Description" type="iodef:MLStringType"/>
type="iodef:MLStringType"/> <xs:element name="URL" type="xs:anyURI"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!-- <!--
================================================================== ==================================================================
== Data Types == == IODEF Basic Data Types ==
================================================================== ==================================================================
--> -->
<xs:simpleType name="PositiveFloatType"> <xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float"> <xs:restriction base="xs:float">
<xs:minExclusive value="0"/> <xs:minExclusive value="0"/>
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:complexType name="MLStringType"> <xs:complexType name="MLStringType">
<xs:simpleContent> <xs:simpleContent>
<xs:extension base="xs:string"> <xs:extension base="xs:string">
<xs:attribute name="translation-id" <xs:attribute name="translation-id"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang" /> <xs:attribute ref="xml:lang" />
</xs:extension> </xs:extension>
</xs:simpleContent> </xs:simpleContent>
</xs:complexType> </xs:complexType>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="ExtensionType" mixed="true"> <xs:complexType name="ExtensionType" mixed="true">
<xs:sequence> <xs:sequence>
<xs:any namespace="##any" processContents="lax" <xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="dtype" <xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/> type="iodef:dtype-type" use="required"/>
<xs:attribute name="meaning" <xs:attribute name="meaning"
type="xs:string"/> type="xs:string"/>
<xs:attribute name="formatid" <xs:attribute name="formatid"
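Review bot: The `PortlistType` pattern `\d+(\-\d+)?(,\d+(\-\d+)?)*` constrains only the shape of the string, so a value such as `70000` or a descending range like `90-80` validates. State in the type's description that implementations must check each number against 0-65535 and that a range's start must not exceed its end, or tighten the pattern. In the unchanged context above, `IndicatorReference` makes both `uid-ref` and `euid-ref` optional, so an element with neither attribute validates and references nothing; a sentence requiring one of them would close that gap.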
skipping to change at page 165, line 30 skipping to change at page 167, line 30
| | | | | | | |
| Key-registryaction | Key@registryaction | Section 3.26.1 | | Key-registryaction | Key@registryaction | Section 3.26.1 |
| | | | | | | |
| HashData-scope | HashData@scope | Section 3.29 | | HashData-scope | HashData@scope | Section 3.29 |
| | | | | | | |
| BulkObservable-type | BulkObservable@type | Section | | BulkObservable-type | BulkObservable@type | Section |
| | | 3.32.3.1 | | | | 3.32.3.1 |
| | | | | | | |
| AdditionalData-dtype | iodef:dtype-type | Section 3.9 | | AdditionalData-dtype | iodef:dtype-type | Section 3.9 |
| | | | | | | |
| ApplicationHeader-proto- | iodef:proto-dtype- | Section 3.22.1 | | ApplicationHeader-proto- | iodef:proto-dtype- | Section 3.22.2 |
| dtype | type | | | dtype | type | |
| | | | | | | |
| SoftwareReference-dtype | SoftwareReference | Section 3.22.3 | | SoftwareReference-dtype | SoftwareReference | Section 3.22.4 |
+--------------------------+-----------------------+----------------+ +--------------------------+-----------------------+----------------+
Table 1: IANA Enumerated Value Registries Table 1: IANA Enumerated Value Registries
11. Acknowledgments 11. Acknowledgments
The following groups and individuals, listed alphabetically, The following groups and individuals, listed alphabetically,
contributed substantially to this document and should be recognized contributed substantially to this document and should be recognized
for their efforts. for their efforts.
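Review bot: In the last row of Table 1 the type column reads `SoftwareReference` with no attribute or type name, whereas the other rows name one explicitly (`Key@registryaction`, `HashData@scope`, `BulkObservable@type`, `iodef:dtype-type`); it should identify the `dtype` attribute or its enumerated type. Both changed rows move by one subsection (to Section 3.22.2 and Section 3.22.4), so the new numbers should be checked against the section headings they point to.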
skipping to change at page 166, line 41 skipping to change at page 168, line 41
<http://www.w3.org/TR/xpath20/>. <http://www.w3.org/TR/xpath20/>.
[W3C.XMLSIG] [W3C.XMLSIG]
World Wide Web Consortium, "XML Signature Syntax and World Wide Web Consortium, "XML Signature Syntax and
Processing 2.0", W3C Candidate Recommendation , June 2008, Processing 2.0", W3C Candidate Recommendation , June 2008,
<http://www.w3.org/TR/xmldsig-core/>. <http://www.w3.org/TR/xmldsig-core/>.
[IEEE.POSIX] [IEEE.POSIX]
Institute of Electrical and Electronics Engineers, Institute of Electrical and Electronics Engineers,
"Information Technology - Portable Operating System "Information Technology - Portable Operating System
Interface (POSIX) - Part 1: Base Definitions", IEEE Interface (POSIX) - Part 1: Base Definitions",
1003.1, June 2001. IEEE 1003.1, June 2001.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119, March 1997. Requirement Levels", RFC 2119, March 1997.
[RFC5646] Philips, A. and M. Davis, "Tags for Identifying of [RFC5646] Philips, A. and M. Davis, "Tags for Identifying of
Languages", RFC 5646, September 2009. Languages", RFC 5646, September 2009.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 3986, Resource Identifiers (URI): Generic Syntax", RFC 3986,
January 2005`. January 2005`.
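Review bot: The [RFC3986] entry ends with a stray backtick ("January 2005`.") on both sides of the diff, so this revision re-wraps [IEEE.POSIX] but leaves the typo in place. While the list is being touched, the [RFC5646] entry should be titled "Tags for Identifying Languages" and its first author is spelled Phillips.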
skipping to change at page 168, line 25 skipping to change at page 170, line 25
[refs.requirements] [refs.requirements]
Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
for the Format for Incident Information Exchange (FINE)", for the Format for Incident Information Exchange (FINE)",
Work in Progress, June 2006. Work in Progress, June 2006.
[RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein, [RFC4765] Debar, H., Curry, D., Debar, H., and B. Feinstein,
"Intrusion Detection Message Exchange Format", RFC 4765, "Intrusion Detection Message Exchange Format", RFC 4765,
March 2007. March 2007.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
6545, April 2012. RFC 6545, April 2012.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network [RFC6546] Trammell, B., "Transport of Real-time Inter-network
Defense (RID) Messages over HTTP/TLS", RFC 6546, April Defense (RID) Messages over HTTP/TLS", RFC 6546, April
2012. 2012.
[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document [RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document
Class for Reporting Phishing", RFC 5901, July 2010. Class for Reporting Phishing", RFC 5901, July 2010.
[NIST800.61rev2] [NIST800.61rev2]
Cichonski, P., Millar, T., Grance, T., and K. Scarfone, Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
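Review bot: The [RFC4765] entry lists "Debar, H." twice in its author string ("Debar, H., Curry, D., Debar, H., and B. Feinstein") and this revision carries it forward unchanged; the second occurrence should be dropped. The only change in this region is the re-wrap of [RFC6545].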
 End of changes. 161 change blocks. 
700 lines changed or deleted 778 lines changed or added
