draft-ietf-mile-rfc5070-bis-14.txt   draft-ietf-mile-rfc5070-bis-15.txt 
MILE Working Group                                         R. Danyliw
Internet-Draft                                                   CERT
Obsoletes: 5070 (if approved)                             P. Stoecker
Intended status: Standards Track                                  RSA
[-14] Expires: January 21, 2016                         July 20, 2015
[-15] Expires: April 18, 2016                        October 16, 2015

           The Incident Object Description Exchange Format v2
[-14]               draft-ietf-mile-rfc5070-bis-14
[-15]               draft-ietf-mile-rfc5070-bis-15
Abstract

The Incident Object Description Exchange Format (IODEF) defines a
data representation for sharing information commonly exchanged by
Computer Security Incident Response Teams (CSIRTs) about computer
security incidents. This document describes the information model
for the IODEF and provides an associated data model specified with
XML Schema.
skipping to change at page 1, line 36

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

[-14] This Internet-Draft will expire on January 21, 2016.
[-15] This Internet-Draft will expire on April 18, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

skipping to change at page 2, line 24

outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents

1. Introduction
  1.1. Changes from 5070
  1.2. Terminology
  1.3. Notations
  1.4. About the IODEF Data Model
  1.5. About the IODEF Implementation
2. IODEF Data Types
  2.1. Integers
  2.2. Real Numbers
  2.3. Characters and Strings
  2.4. Multilingual Strings
  2.5. Bytes
  2.6. Hexadecimal Bytes
  2.7. Enumerated Types
  2.8. Date-Time Strings
  2.9. Timezone String
  2.10. Port Lists
  2.11. Postal Address
  2.12. Person or Organization
  2.13. Telephone and Fax Numbers
  2.14. Email String
  2.15. Uniform Resource Locator strings
  2.16. Identifiers and Identifier References
3. The IODEF Data Model
  3.1. IODEF-Document Class
  3.2. Incident Class
  3.3. Common Attributes
    3.3.1. restriction Attribute
    3.3.2. observable-id Attribute
  3.4. IncidentID Class
  3.5. AlternativeID Class
  3.6. RelatedActivity Class

skipping to change at page 3, line 25

    3.11.2. EndTime Class
    3.11.3. DetectTime Class
    3.11.4. ReportTime Class
    3.11.5. GenerationTime Class
    3.11.6. DateTime
  3.12. Discovery Class
    3.12.1. DetectionPattern Class
  3.13. Method Class
    3.13.1. Reference Class
  3.14. Assessment Class
    3.14.1. SystemImpact Class
    3.14.2. BusinessImpact Class
    3.14.3. TimeImpact Class
    3.14.4. MonetaryImpact Class
    3.14.5. Confidence Class
  3.15. History Class
    3.15.1. HistoryItem Class
  3.16. EventData Class
    3.16.1. Relating the Incident and EventData Classes
    3.16.2. Cardinality of EventData
  3.17. Expectation Class
  3.18. Flow Class
  3.19. System Class
  3.20. Node Class
    3.20.1. Address Class

skipping to change at page 4, line 22

    3.27.1. Certificate Class
  3.28. FileData Class
    3.28.1. File Class
  3.29. HashData Class
    3.29.1. Hash Class
    3.29.2. FuzzyHash Class
  3.30. SignatureData Class
  3.31. IndicatorData Class
  3.32. Indicator Class
    3.32.1. IndicatorID Class
    3.32.2. AlternativeIndicatorID Class
    3.32.3. Observable Class
    3.32.4. IndicatorExpression Class
[-15]    3.32.5. Expressions with IndicatorExpression
[-14]    3.32.5. ObservableReference Class
[-15]    3.32.6. ObservableReference Class
[-14]    3.32.6. IndicatorReference Class
[-15]    3.32.7. IndicatorReference Class
4. Processing Considerations
  4.1. Encoding
  4.2. IODEF Namespace
  4.3. Validation
  4.4. Incompatibilities with v1
5. Extending the IODEF
  5.1. Extending the Enumerated Values of Attributes
    5.1.1. Private Extension of Enumerated Values
    5.1.2. Public Extension of Enumerated Values
  5.2. Extending Classes
  5.3. Deconflicting Private Extensions
6. Internationalization Issues
7. Examples
[-14]  7.1. Worm
[-15]  7.1. Minimal Example
[-14]  7.2. Reconnaissance
[-15]  7.2. Indicators from a Campaign
[-14]  7.3. Bot-Net Reporting
[-15]  7.3. Incident Report
[-14]  7.4. Watch List
8. The IODEF Schema
9. Security Considerations
10. IANA Considerations
  10.1. Namespace and Schema
  10.2. Enumerated Value Registries
11. Acknowledgments
12. References
  12.1. Normative References
  12.2. Informative References
Authors' Addresses
1. Introduction

Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a
bot-network, or sharing watch-lists of known malicious IP addresses
in a consortium.
skipping to change at page 6, line 41

o Imported the xmlns:ds namespace to include digital signature hash
  classes.

o The following classes were added to IODEF-Document:
  AdditionalData.

o The following class and attribute were added to Incident:
  IndicatorData and @status.

[-14] o The following classes were added to Incident and EventData:
        Discovery.
[-15] o The following classes were added to Incident and EventData:
        GenerationTime and Discovery.

o The following classes and attributes were added to the Service
  class: EmailData, DomainData, AssetID, ApplicationHeader @virtual,
  and @ownership. Service@ip_protocol was renamed to @ip-protocol.

o The following classes were added to the Record class: HashData and
  WindowsRegistryKeysModified.

o The following classes were added to the RelatedActivity class:
  ThreatActor, Campaign, Confidence, Description, and

skipping to change at page 7, line 38

  AdditionalData@dtype, System@spoofed.

o Added option for public extension of enumerated attributes with an
  IANA registry and added @ext-restriction.

o Removed Impact class in favor of using SystemImpact and
  IncidentCategory.

o iodef:MLStringType uses xml:lang and @translation-id.

[-15] o Incident/ReportTime and Assessment are no longer mandatory.

[-15] o Incident/GenerationTime is mandatory.
1.2. Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
"SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].

Definitions for some of the common computer security-related
terminology used in this document can be found in Section 2 of
[refs.requirements].
[-14] skipping to change at page 9, line 48
[-15] skipping to change at page 10, line 11

The REAL data type is implemented as an "xs:float" in
[W3C.SCHEMA.DTYPES].

2.3. Characters and Strings

A single character is represented by the CHARACTER data type. A
character string is represented by the STRING data type. Special
characters must be encoded using entity references. See Section 4.1.

[-14] The CHARACTER and STRING data types are implement as an "xs:string"
[-15] The CHARACTER and STRING data types are implemented as an "xs:string"
in [W3C.SCHEMA.DTYPES].

2.4. Multilingual Strings

A character string that needs to be represented in a language
different from the default encoding of the document is of the
ML_STRING data type.

The ML_STRING data type is implemented as the "iodef:MLStringType" type
in the schema. This type extends the "xs:string" to include two
skipping to change at page 15, line 15

+-------------------------+
| Incident                |
+-------------------------+
| ENUM purpose            |<>----------[ IncidentID      ]
| STRING ext-purpose      |<>--{0..1}--[ AlternativeID   ]
| ENUM status             |<>--{0..*}--[ RelatedActivity ]
| STRING ext-status       |<>--{0..1}--[ DetectTime      ]
| ENUM xml:lang           |<>--{0..1}--[ StartTime       ]
| ENUM restriction        |<>--{0..1}--[ EndTime         ]
| STRING ext-restriction  |<>--{0..1}--[ RecoveryTime    ]
[-14] | STRING observable-id    |<>----------[ ReportTime      ]
[-15] | STRING observable-id    |<>--{0..1}--[ ReportTime      ]
[-14] |                         |<>--{0..1}--[ GenerationTime  ]
[-15] |                         |<>----------[ GenerationTime  ]
|                         |<>--{0..*}--[ Description     ]
|                         |<>--{0..*}--[ Discovery       ]
[-14] |                         |<>--{1..*}--[ Assessment      ]
[-15] |                         |<>--{0..*}--[ Assessment      ]
|                         |<>--{0..*}--[ Method          ]
|                         |<>--{1..*}--[ Contact         ]
|                         |<>--{0..*}--[ EventData       ]
|                         |<>--{0..*}--[ IndicatorData   ]
|                         |<>--{0..1}--[ History         ]
|                         |<>--{0..*}--[ AdditionalData  ]
+-------------------------+

Figure 3: The Incident Class
skipping to change at page 16, line 7

StartTime
  Zero or one. The time the incident started.

EndTime
  Zero or one. The time the incident ended.

RecoveryTime
  Zero or one. The time the site recovered from the incident.

ReportTime
[-14]  One. The time the incident was reported.
[-15]  Zero or one. The time the incident was reported.

GenerationTime
[-14]  Zero or one. The time the content in this Incident class was
       generated.
[-15]  One. The time the content in this Incident class was generated.

Description
  Zero or more. ML_STRING. A free-form textual description of the
  incident.

Discovery
  Zero or more. The means by which this incident was detected.

Assessment
[-14]  One or more. A characterization of the impact of the incident.
[-15]  Zero or more. A characterization of the impact of the incident.

Method
  Zero or more. The techniques used by the intruder in the
  incident.

Contact
  One or more. Contact information for the parties involved in the
  incident.

EventData
skipping to change at page 17, line 44

  2. in-progress. The contents of this document are under
     investigation.

  3. forwarded. The document has been forwarded to another party
     for handling.

  4. resolved. The investigation into the activity in this
     document has concluded.

[-14]  5. future. The described activity is suspected to occur in the
          future.
[-15]  5. future. The described activity has not yet been detected.

  6. ext-value. An escape value used to extend this attribute.
     See Section 5.1.1.

ext-status
  Optional. STRING. A means by which to extend the status
  attribute. See Section 5.1.1.

xml:lang
  Optional. ENUM. A language identifier per Section 2.12 of
skipping to change at page 19, line 40

  9. red. Same as 'private'.

  10. ext-value. An escape value used to extend this attribute. See
      Section 5.1.1.

3.3.2. observable-id Attribute

Information included in an incident report may be an observable
relevant to an indicator. The observable-id attribute provides a
unique identifier in the scope of the document for this observable.
[-14] This identifier can then used to reference the observable with an
[-15] This identifier can then be used to reference the observable with an
ObservableReference class to define an indicator in the IndicatorData
class.

3.4. IncidentID Class

The IncidentID class represents an incident tracking number that is
unique in the context of the CSIRT and identifies the activity
characterized in an IODEF Document. This identifier would serve as
an index into the CSIRT incident handling system. The combination of
the name attribute and the string in the element content MUST be a
skipping to change at page 22, line 44

ext-restriction
  Optional. STRING. A means by which to extend the restriction
  attribute. See Section 5.1.1.

3.7. ThreatActor Class

The ThreatActor class describes a given actor.

+------------------------+
[-14] | Actor                  |
[-15] | ThreatActor            |
+------------------------+
| ENUM restriction       |<>--{0..1}--[ ThreatActorID  ]
| STRING ext-restriction |<>--{0..*}--[ Description    ]
|                        |<>--{0..*}--[ AdditionalData ]
+------------------------+

Figure 7: ThreatActor Class

The aggregate classes that constitute ThreatActor are:
skipping to change at page 36, line 6

| ENUM restriction       |<>----------[ Application            ]
| STRING ext-restriction |<>--{0..*}--[ Description            ]
|                        |<>--{0..*}--[ DetectionConfiguration ]
+------------------------+

Figure 17: The DetectionPattern Class

The DetectionPattern class is composed of three aggregate classes.

Application
[-14]  . One. The application for which the DetectionConfiguration or
       Description is being provided.
[-15]  One. The application for which the DetectionConfiguration or
       Description is being provided.

Description
  Zero or more. ML_STRING. A free-form text description of how to
  use the Application or provided DetectionConfiguration.

DetectionConfiguration
  Zero or more. STRING. A machine consumable configuration to find
  a pattern of activity.

skipping to change at page 36, line 31

restriction
  Optional. ENUM. See Section 3.3.1.

ext-restriction
  Optional. STRING. A means by which to extend the restriction
  attribute. See Section 5.1.1.
3.13. Method Class 3.13. Method Class
The Method class describes the tactics, techniques, or procedures The Method class describes the tactics, techniques, procedures or
used by the intruder in the incident. This class consists of both a underlying issue used by the intruder in the incident. This class
list of references describing the attack method and a free form consists of both a list of references describing the attack methods
description. and weaknesses and a free form description.
+------------------------+ +------------------------+
| Method | | Method |
+------------------------+ +------------------------+
| ENUM restriction |<>--{0..*}--[ Reference ] | ENUM restriction |<>--{0..*}--[ Reference ]
| STRING ext-restriction |<>--{0..*}--[ Description ] | STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ sci:AttackPattern ]
| |<>--{0..*}--[ sci:Vulnerability ]
| |<>--{0..*}--[ sci:Weakness ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 18: The Method Class Figure 18: The Method Class
The Method class is composed of three aggregate classes. The Method class is composed of six aggregate classes.
enum:Reference enum:Reference
Zero or more. A reference to a vulnerability, malware sample, Zero or more. A reference to a vulnerability, malware sample,
advisory, or analysis of an attack technique. advisory, or analysis of an attack technique.
Description Description
Zero or more. ML_STRING. A free-form text description of Zero or more. ML_STRING. A free-form text description of
techniques, tactics, or procedures used by the intruder. techniques, tactics, or procedures used by the intruder.
sci:AttackPattern
Zero or more. A reference to an pattern of attack or exploitation
per [RFC-SCI]
sci:Vulnerability
Zero or more. A reference to a vulnerability per [RFC-SCI]
sci:Weakness
Zero or more. A reference to the exploited weakness per [RFC-SCI]
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
Either an instance of the Reference or Description class MUST be An instance of one of these child MUST be present.
present.
The Method class has two attributes: The Method class has two attributes:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
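Review bot: the new presence rule "An instance of one of these child MUST be present." is both ungrammatical (child classes) and a semantic loosening: the old text required a Reference or a Description, while the new wording is satisfied by an AdditionalData element alone, which carries no method information. If the intent is to admit the new sci: children, suggest "At least one instance of Reference, Description, sci:AttackPattern, sci:Vulnerability, or sci:Weakness MUST be present." and keep the schema constraint in step. Also in this hunk: "A reference to an pattern of attack" should read "a pattern", and the three new sci: entries lack the terminating period the surrounding entries have.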
skipping to change at page 38, line 26 skipping to change at page 38, line 40
| Assessment | | Assessment |
+-------------------------+ +-------------------------+
| ENUM occurrence |<>--{0..*}--[ IncidentCategory ] | ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
| ENUM restriction |<>--{0..*}--[ SystemImpact ] | ENUM restriction |<>--{0..*}--[ SystemImpact ]
| STRING ext-restriction |<>--{0..*}--[ BusinessImpact ] | STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
| ID observable-id |<>--{0..*}--[ TimeImpact ] | ID observable-id |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ] | |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ IntendedImpact ] | |<>--{0..*}--[ IntendedImpact ]
| |<>--{0..*}--[ Counter ] | |<>--{0..*}--[ Counter ]
| |<>--{0..*}--[ MitigatingFactor ] | |<>--{0..*}--[ MitigatingFactor ]
| |<>--{0..*}--[ Cause ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------------+ +-------------------------+
Figure 20: Assessment Class Figure 20: Assessment Class
The aggregate classes that constitute Assessment are: The aggregate classes that constitute Assessment are:
IncidentCategory IncidentCategory
Zero or more. ML_STRING. A free-form text description Zero or more. ML_STRING. A free-form text description
skipping to change at page 39, line 15 skipping to change at page 39, line 31
IntendedImpact IntendedImpact
Zero or more. Intended impact to the victim by the attacker. Zero or more. Intended impact to the victim by the attacker.
Identically defined as Section 3.14.2 but describes intent rather Identically defined as Section 3.14.2 but describes intent rather
than the realized impact. than the realized impact.
Counter Counter
Zero or more. A counter with which to summarize the magnitude of Zero or more. A counter with which to summarize the magnitude of
the activity. the activity.
MitigatingFactor MitigatingFactor
Zero or one. ML_STRING. A description of a mitigating factor an Zero or more. ML_STRING. A description of a mitigating factor an
impact. impact.
Cause
Zero or more. ML_STRING. A description of the underlying cause
of the impact.
Confidence Confidence
Zero or one. An estimate of confidence in the assessment. Zero or one. An estimate of confidence in the assessment.
AdditionalData AdditionalData
Zero or more. A mechanism by which to extend the data model. Zero or more. A mechanism by which to extend the data model.
A least one instance of the possible three impact classes (i.e., A least one instance of the possible three impact classes (i.e.,
Impact, TimeImpact, or MonetaryImpact) MUST be present. Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has four attributes: The Assessment class has four attributes:
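Review bot: the cardinality sentence "A least one instance of the possible three impact classes (i.e., Impact, TimeImpact, or MonetaryImpact) MUST be present." still names the Impact class, which the changes list in this same draft says has been removed in favor of SystemImpact and IncidentCategory, and Figure 20 lists SystemImpact, BusinessImpact, TimeImpact and MonetaryImpact; the rule should name the classes that exist in the figure, and "A least" should be "At least". MitigatingFactor's description "A description of a mitigating factor an impact" is also missing a word ("a mitigating factor to an impact"), and its cardinality change to "Zero or more" should be reflected in the figure's {0..*} (it is) and in the schema.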
skipping to change at page 53, line 40 skipping to change at page 53, line 40
general description provided in the Incident class. However, it may general description provided in the Incident class. However, it may
also be possible that the overall summarized information about the also be possible that the overall summarized information about the
incident conflicts with some individual information in an EventData incident conflicts with some individual information in an EventData
class when there is a substantial composition of various events in class when there is a substantial composition of various events in
the incident. In such a case, the interpretation of the more the incident. In such a case, the interpretation of the more
specific EventData MUST supersede the more generic information specific EventData MUST supersede the more generic information
provided in Incident. provided in Incident.
3.16.2. Cardinality of EventData 3.16.2. Cardinality of EventData
The EventData class can be thought of as a container for the The EventData class is container for the properties of an event in an
properties of an event in an incident. These properties include: the incident. These properties include: the hosts involved, impact of
hosts involved, impact of the incident activity on the hosts, the incident activity on the hosts, forensic logs, etc. With an
forensic logs, etc. With an instance of the EventData class, hosts instance of the EventData class, hosts are grouped around these
(i.e., System class) are grouped around these common properties. common properties.
The recursive definition (or instance property inheritance) of the The recursive definition of the EventData class (the EventData class
EventData class (the EventData class is aggregated into the EventData is aggregated into the EventData class) provides a way to relate
class) provides a way to relate information without requiring the information without requiring the explicit use of unique attribute
explicit use of unique attribute identifiers in the classes or identifiers in the classes or duplicating information. Instead, the
duplicating information. Instead, the relative depth (nesting) of a relative depth (nesting) of a class is used to group (relate)
class is used to group (relate) information. information.
For example, an EventData class might be used to describe two For example, an EventData class might be used to describe two
machines involved in an incident. This description can be achieved machines involved in an incident. This description can be achieved
using multiple instances of the Flow class. It happens that there is using multiple instances of the Flow class. It happens that there is
a common technical contact (i.e., Contact class) for these two a common technical contact (i.e., Contact class) for these two
machines, but the impact (i.e., Assessment class) on them is machines, but the impact (i.e., Assessment class) on them is
different. A depiction of the representation for this situation can different. A depiction of the representation for this situation can
be found in Figure 29. be found in Figure 29.
+------------------+ +------------------+
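Review bot: the rewritten opening sentence "The EventData class is container for the properties of an event in an incident." has lost its article and should read "is a container". Dropping "(i.e., System class)" after "hosts" also removes the only pointer from that word to the class that represents hosts; consider keeping the parenthetical.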
skipping to change at page 62, line 4 skipping to change at page 62, line 4
Address Address
Zero or more. The hardware, network, or application address of Zero or more. The hardware, network, or application address of
the Node. If a DomainData is not provided, at least one Address the Node. If a DomainData is not provided, at least one Address
MUST be specified. MUST be specified.
PostalAddress PostalAddress
Zero or one. The postal address of the asset. Zero or one. The postal address of the asset.
Location Location
Zero or more. ML_STRING. A free-from description of the physical Zero or more. ML_STRING. A free-form description of the physical
location of the Node. This description may provide a more location of the Node. This description may provide a more
detailed description of where in the PostalAddress this Node is detailed description of where in the PostalAddress this Node is
found (e.g., room number, rack number, slot number in a chassis). found (e.g., room number, rack number, slot number in a chassis).
Counter Counter
Zero or more. A counter with which to summarizes properties of Zero or more. A counter with which to summarizes properties of
this host or network. this host or network.
The Node class has no attributes. The Node class has no attributes.
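Review bot: Counter's description "A counter with which to summarizes properties of this host or network." should read "summarize"; the free-from/free-form correction in Location is good.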
skipping to change at page 72, line 48 skipping to change at page 72, line 48
+--------------------+ +--------------------+
Figure 40: The DomainContacts Class Figure 40: The DomainContacts Class
The aggregate classes that constitute DomainContacts are: The aggregate classes that constitute DomainContacts are:
SameDomainContact SameDomainContact
Zero or one. STRING. A domain name already cited in this Zero or one. STRING. A domain name already cited in this
document or through previous exchange that contains the identical document or through previous exchange that contains the identical
contact information as the domain name in question. The domain contact information as the domain name in question. The domain
contact information associated with this domain should be used in contact information associated with this domain should be used
lieu of explicit definition with the Contact class. instead of an explicit definition with the Contact class.
Contact Contact
One or more. Contact information for the domain. See One or more. Contact information for the domain. See
Section 3.10. Section 3.10.
3.22. Service Class 3.22. Service Class
The Service class describes a network service of a host or network. The Service class describes a network service of a host or network.
The service is identified by specific port or list of ports, along The service is identified by specific port or list of ports, along
with the application listening on that port. with the application listening on that port.
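Review bot: in the Service class introduction, "identified by specific port or list of ports" is missing its articles; suggest "identified by a specific port or a list of ports, along with the application listening on that port".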
skipping to change at page 78, line 29 skipping to change at page 78, line 29
+----------------------+ +----------------------+
Figure 45: The SoftwareReference Class Figure 45: The SoftwareReference Class
The element body of this class varies according to the value of the The element body of this class varies according to the value of the
spec-name attribute. spec-name attribute.
The SoftwareReference class has four attributes: The SoftwareReference class has four attributes:
spec-name spec-name
Required. ENUM. Identifies the format and semantics of the the Required. ENUM. Identifies the format and semantics of the
element body of this class. Formal standards and specifications element body of this class. Formal standards and specifications
can be referenced as well as free-form description with user- can be referenced as well as free-form description with user-
provided data-types. These values are maintained in the provided data-types. These values are maintained in the
"SoftwareReference-spec-id" IANA registry per Table 1 "SoftwareReference-spec-id" IANA registry per Table 1
1. custom. The element content is free-form and of the data type 1. custom. The element content is free-form and of the data type
specified by the dtype attribute. If this value is selected, specified by the dtype attribute. If this value is selected,
then the dtype attribute MUST be set. then the dtype attribute MUST be set.
2. cpe. The element content describes a Common Platform 2. cpe. The element content describes a Common Platform
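Review bot: the spec-name attribute is said to draw its values from the "SoftwareReference-spec-id" IANA registry, a registry name that does not match the attribute name; confirm that Table 1 uses the same name, or rename one of them. The sentence "...IANA registry per Table 1" also lacks its terminating period.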
skipping to change at page 87, line 8 skipping to change at page 87, line 8
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.27.1. Certificate Class 3.27.1. Certificate Class
The Certificate class describes a given X.509 certificate or The Certificate class describes a given X.509 certificate or
certificate chain. certificate chain.
+--------------------------+ +--------------------------+
| Certificate | | Certificate |
+--------------------------+ +--------------------------+
| ENUM valid |<>----------[ ds: X509Data ] | ID observable-id |<>----------[ ds: X509Data ]
| ID observable-id | | |<>--{0..*}--[ Description ]
+--------------------------+ +--------------------------+
Figure 53: The Certificate Class Figure 53: The Certificate Class
The aggregate classes that constitutes Certificate are: The aggregate classes that constitutes Certificate are:
ds:X509Data ds:X509Data
One. A given X.509 certificate or chain. See Section 4.4.4 of One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG]. [W3C.XMLSIG].
The Certificate class has one attribute: Description
Zero or more. ML_STRING. Free-form textual description
valid explaining the context of this certificate.
Optional. Indicates whether a given certificate has a valid
signature. An invalid signature may be due to an invalid
certificate chain, a signature not decoding properly, or a
certificate contents not matching the hash.
1. yes. The certificate is valid.
2. no. The certificate is not valid. The Certificate class has one attribute:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.28. FileData Class 3.28. FileData Class
The FileData class describes files of interest identified during the The FileData class describes files of interest identified during the
analysis of an incident. analysis of an incident.
+------------------------+ +------------------------+
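Review bot: the valid attribute and its yes/no enumeration are removed from the Certificate class without any replacement, so a reporter can no longer state in a machine-readable way whether the certificate's signature verified against its chain; if that is intentional it belongs in the changes list, otherwise a replacement attribute is needed rather than relying on the new free-form Description. Also, "The aggregate classes that constitutes Certificate are:" should read "constitute".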
skipping to change at page 94, line 35 skipping to change at page 94, line 23
Contact Contact
Zero or more. Contact information for this indicator. See Zero or more. Contact information for this indicator. See
Section 3.10. Section 3.10.
Observable Observable
Zero or one. An observable feature or phenomenon of this Zero or one. An observable feature or phenomenon of this
indicator. See Section 3.32.3. indicator. See Section 3.32.3.
ObservableReference ObservableReference
Zero or one. A reference to a feature or phenomenon defined Zero or one. A reference to a feature or phenomenon defined
elsewhere in the document. See Section 3.32.5. elsewhere in the document. See Section 3.32.6.
IndicatorExpression IndicatorExpression
Zero or one. A composition of observables. See Section 3.32.4. Zero or one. A composition of observables. See Section 3.32.4.
IndicatorReference IndicatorReference
Zero or one. A reference to an indicator. Zero or one. A reference to an indicator.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9 Section 3.9
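Review bot: the ObservableReference pointer was correctly moved to Section 3.32.6 to follow the renumbering, but the neighbouring IndicatorReference entry ("Zero or one. A reference to an indicator.") still carries no section reference; add "See Section 3.32.7." The AdditionalData entry also lacks the period after "Section 3.9".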
skipping to change at page 99, line 32 skipping to change at page 98, line 47
Figure 65: The BulkObservable Class Figure 65: The BulkObservable Class
The aggregate classes that constitutes BulkObservable are: The aggregate classes that constitutes BulkObservable are:
BulkObservableFormat BulkObservableFormat
Zero or one. Provides additional meta-data about the observables Zero or one. Provides additional meta-data about the observables
enumerated in the BulkObservableList class. enumerated in the BulkObservableList class.
BulkObservableList BulkObservableList
One. STRING. A list of observables, one per line. Each line is One. STRING. A list of observables, one per line. Each line is
separated with either a CR character or CR-and-LF characters. The separated with either a LF character or CR-and-LF characters. The
type attribute will specify the which observables will be listed. type attribute will specify the which observables will be listed.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9. Section 3.9.
The BulkObservable class has two attributes: The BulkObservable class has two attributes:
type type
Optional. ENUM. The type of the observable listed in the child Optional. ENUM. The type of the observable listed in the child
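Review bot: "The type attribute will specify the which observables will be listed." has a stray "the"; suggest "The type attribute specifies which observables are listed." The switch from CR to LF as the line separator is the right one, but say whether a trailing line terminator after the last observable is permitted, since a consumer splitting on LF would otherwise emit an empty final entry.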
skipping to change at page 102, line 37 skipping to change at page 101, line 49
3.32.4. IndicatorExpression Class 3.32.4. IndicatorExpression Class
The IndicatorExpression describes an expression composed of observed The IndicatorExpression describes an expression composed of observed
phenomenon or features, or indicators. Elements of the expression phenomenon or features, or indicators. Elements of the expression
can be described directly, reference relevant data from other parts can be described directly, reference relevant data from other parts
of a given IODEF document, or reference previously defined of a given IODEF document, or reference previously defined
indicators. indicators.
All child classes of a given instance of IndicatorExpression form a All child classes of a given instance of IndicatorExpression form a
boolean algebraic expression where the operator between them is boolean algebraic expression where the operator between them is
determined by the operator attribute. Nesting an IndicatorExpression determined by the operator attribute.
in itself is akin to a parenthesis in the expression.
+--------------------------+ +--------------------------+
| IndicatorExpression | | IndicatorExpression |
+--------------------------+ +--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ] | ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| |<>--{0..*}--[ Observable ] | |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ] | |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ] | |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+--------------------------+ +--------------------------+
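Review bot: "an expression composed of observed phenomenon or features, or indicators" should use the plural "phenomena". Moving the parenthesis sentence out of this paragraph is fine provided the new Section 3.32.5 carries it, which it does.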
skipping to change at page 103, line 22 skipping to change at page 102, line 36
ObservableReference ObservableReference
Zero or more. A reference to another observable. Zero or more. A reference to another observable.
IndicatorReference IndicatorReference
Zero or more. A reference to another indicator. Zero or more. A reference to another indicator.
AdditionalData AdditionalData
Zero or more. Mechanism by which to extend the data model. See Zero or more. Mechanism by which to extend the data model. See
Section 3.9 Section 3.9
... TODO Additional text is required to describe the valid
combinations of classes and how the operator class should be applied
...
The IndicatorExpression class has one attribute: The IndicatorExpression class has one attribute:
operator operator
Optional. ENUM. The operator to be applied between the child Optional. ENUM. The operator to be applied between the child
elements. elements. The default value is "and". These values are
maintained in the "IndicatorExpression-operator" IANA registry per
Table 1.
1. not. negation operator. 1. not. negation operator.
2. and. conjunction operator. 2. and. conjunction operator.
3. or. disjunction operator. 3. or. disjunction operator.
4. xor. exclusive disjunction operator. 4. xor. exclusive disjunction operator.
3.32.5. ObservableReference Class 3.32.5. Expressions with IndicatorExpression
Boolean algebraic expressions can be used specify relationships
between observables and indicator. These expressions are constructed
through the use of the operator attribute and parent-child
relationships in IndicatorExpressions. These expressions should be
parsed as follows:
1. The operator specified by the operator attribute is applied
between each of the child elements of the immediate parent
IndicatorExpression element. If no operator attribute is
specified, it should be assumed to be an AND.
2. A nested IndicatorExpression element with a parent
IndicatorExpression is the equivalent of a parentheses in the
expression.
The following four examples illustrate these parsing rules:
1 : <IndicatorExpression>
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: (O1 AND O2)
Figure 68: Nested elements in an IndicatorExpression without an
operator attribute specified
1 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: (O1 OR O2)
Figure 69: Nested elements in an IndicatorExpression with an operator
attribute specified
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
2 [O3]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: ((O1 OR O2) OR O3)
Figure 70: Nested elements with a recursive IndicatorExpression with
an operator attribute specified
1 : <IndicatorExpression operator="not">
2 : <IndicatorExpression operator="and">
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
4 : </IndicatorExpression>
Equivalent expression: (NOT (O1 AND O2))
Figure 71: A recursive IndicatorExpression with an operator attribute
specified
Invalid algebriac expressions while valid XML, MUST not be specified.
3.32.6. ObservableReference Class
The ObservableReference describes a reference to an observable The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document. feature or phenomenon described elsewhere in the document.
This class has no content. This class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 68: The ObservableReference Class Figure 72: The ObservableReference Class
The ObservableReference class has one attributes: The ObservableReference class has one attribute:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in the observable-id attribute. identifier set in the observable-id attribute.
3.32.6. IndicatorReference Class 3.32.7. IndicatorReference Class
The IndicatorReference describes a reference to an indicator. This The IndicatorReference describes a reference to an indicator. This
reference may be to an indicator described in the IODEF document or reference may be to an indicator described in the IODEF document or
in a previously exchanged IODEF document. in a previously exchanged IODEF document.
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY | | EMPTY |
| | | |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 69: The IndicatorReference Class Figure 73: The IndicatorReference Class
The IndicatorReference class has one attributes: The IndicatorReference class has one attribute:
uid-ref uid-ref
Optional. IDREF. An identifier that serves as a reference to an Optional. IDREF. An identifier that serves as a reference to an
Indicator class in the IODEF document. The referenced Indicator Indicator class in the IODEF document. The referenced Indicator
class will have this identifier set in the IndicatorID class. class will have this identifier set in the IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
not in this IODEF document. not in this IODEF document.
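Review bot: the parsing rules in new Section 3.32.5 define the operator as applied "between each of the child elements", which leaves "not" undefined whenever an IndicatorExpression with operator="not" has more than one child (Figure 71 only shows the single-child case); specify either that "not" is valid only with exactly one child element or that it negates the conjunction of all children, and state it in the operator attribute definition as well. Further points in this hunk: "can be used specify relationships between observables and indicator" should read "can be used to specify relationships between observables and indicators", and "the equivalent of a parentheses" should be "the equivalent of parentheses"; the line numbers in Figures 70 and 71 run 1, 2, 2, 3, 4, 2, 4 and 1, 2, 2, 3, 4, 4 instead of counting lines; the closing sentence "Invalid algebriac expressions while valid XML, MUST not be specified." has a typo (algebraic), needs "MUST NOT" in the RFC 2119 form, and does not say what makes an expression invalid, so tie it to the rule above (for example an operator with no children, or "not" with several); and the IndicatorReference class is said to have "one attribute" while Figure 73 lists uid-ref, euid-ref and version.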
skipping to change at page 107, line 32 skipping to change at page 108, line 19
o The Node/NodeName class was removed in favor of representing o The Node/NodeName class was removed in favor of representing
domain names with Node/DomainData/Name class. The Node/DataTime domain names with Node/DomainData/Name class. The Node/DataTime
class was also removed so that the Node/DomainData/ class was also removed so that the Node/DomainData/
DateDomainWasChecked class can represent the time at which the DateDomainWasChecked class can represent the time at which the
name to address resolution occurred. name to address resolution occurred.
o The Node/NodeRole class was moved to System/NodeRole. o The Node/NodeRole class was moved to System/NodeRole.
o The Reference class is now defined by [RFC-ENUM]. o The Reference class is now defined by [RFC-ENUM].
o Extending enumerated values is now handled through collection of o Attributes with enumerated values can now also be extended with
IANA registries. All attributes of with a name prefixed by "ext-" IANA registries.
have been removed.
o The data previously represented in the Impact class is now in the o The data previously represented in the Impact class is now in the
SystemImpact and IncidentCategory classes. The Impact class has SystemImpact and IncidentCategory classes. The Impact class has
been removed. been removed.
o The Description class has been redefined to use xml:lang and o The Description class has been redefined to use xml:lang and
@translation-id. IODEF-document also uses xml:lang. @translation-id. IODEF-document also uses xml:lang.
o The semantics of Counter@type in v1 are now represented in o The semantics of Counter@type in v1 are now represented in
Counter@unit. Counter@unit.
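Review bot: "The Node/DataTime class was also removed" looks like a typo for Node/DateTime, the element name used elsewhere in this document (for example <DateTime> inside RecordData and HistoryItem in the Section 7 examples). The rewritten bullet on enumerated values, "Attributes with enumerated values can now also be extended with IANA registries.", is consistent with the ext-restriction attributes that are still present in the class definitions above, whereas the old bullet claimed all "ext-" attributes had been removed; good correction.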
skipping to change at page 111, line 14 skipping to change at page 111, line 38
<IODEF-Document <IODEF-Document
version="2.00" lang="en-US" version="2.00" lang="en-US"
xmlns="urn:ietf:params:xml:ns:iodef-1.0" xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef=" urn:ietf:params:xml:ns:iodef-1.0" xmlns:iodef=" urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef-extension1="iodef-extension1.xsd" xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd"> xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting"> <Incident purpose="reporting">
... ...
<AdditionalData dtype="xml" meaning="xml"> <AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata> <iodef-extension1:newdata>
Field that could not be represented elsewhere Field that could not be represented elsewhere
</iodef-extension1:newdata> </iodef-extension1:newdata>
</AdditionalData> </AdditionalData>
</Incident>
</IODEF-Document </IODEF-Document
5.3. Deconflicting Private Extensions 5.3. Deconflicting Private Extensions
Private extensions used in a document can be labeled to attribute Private extensions used in a document can be labeled to attribute
their original specifier using the private-enum-name and private- their original specifier using the private-enum-name and private-
enum-id attributes. This allows a recipient of a document to enum-id attributes. This allows a recipient of a document to
disambiguate private extensions. Only a single private extension can disambiguate private extensions. Only a single private extension can
be identified in a given IODEF-Document. be identified in a given IODEF-Document.
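Review bot: the added </Incident> balances the example, but the closing "</IODEF-Document" still lacks its ">", and the snippet declares xmlns="urn:ietf:params:xml:ns:iodef-1.0" with version="2.00" and a plain lang attribute, whereas the Section 7 examples use the iodef-2.0 namespace and xml:lang and the changes list says IODEF-Document uses xml:lang. The leading space inside xmlns:iodef=" urn:ietf:params:xml:ns:iodef-1.0" also makes that prefix bind to a different namespace name than the default namespace. Update the snippet to match Section 7.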
skipping to change at page 113, line 12 skipping to change at page 113, line 38
and localization, the intent is not to do so at the detriment of and localization, the intent is not to do so at the detriment of
interoperability. While the IODEF does support different languages, interoperability. While the IODEF does support different languages,
the data model also relies heavily on standardized enumerated the data model also relies heavily on standardized enumerated
attributes that can crudely approximate the contents of the document. attributes that can crudely approximate the contents of the document.
With this approach, a CSIRT should be able to make some sense of an With this approach, a CSIRT should be able to make some sense of an
IODEF document it receives even if the text based data elements are IODEF document it receives even if the text based data elements are
written in a language unfamiliar to the analyst. written in a language unfamiliar to the analyst.
7. Examples 7. Examples
This section provides examples of an incident encoded in the IODEF. This section provides examples of IODEF documents. These examples do
These examples do not necessarily represent the only way to encode a not necessarily represent the only way to encode particular
particular incident. information.
7.1. Worm 7.1. Minimal Example
An example of a CSIRT reporting an instance of the Code Red worm. A document containing only the mandatory elements and attributes.
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!-- This example demonstrates a report for a very <!-- Minimum IODEF document -->
old worm (Code Red) --> <IODEF-Document version="2.00" xml:lang="en"
<IODEF-Document version="2.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns="urn:ietf:params:xml:ns:iodef-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation=
xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"> "http://www.iana.org/assignments/xmlregistry/schema/
<Incident purpose="reporting"> iodef-2.0.xsd">
<IncidentID name="csirt.example.com">189493</IncidentID> <Incident purpose="reporting" restriction="private">
<ReportTime>2001-09-13T23:19:24+00:00</ReportTime> <IncidentID name="csirt.example.com">492382</IncidentID>
draft-ietf-mile-rfc5070-bis-14.txt:

        <Description>Host sending out Code Red probes</Description>
        <!-- An administrative privilege was attempted, but failed -->
        <Assessment>
          <Impact completion="failed" type="admin"/>
        </Assessment>
        <Contact role="creator" type="organization">
          <ContactName>Example.com CSIRT</ContactName>
          <RegistryHandle registry="arin">example-com</RegistryHandle>
          <Email>contact@csirt.example.com</Email>
        </Contact>
        <EventData>
          <Flow>
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.200</Address>
                <Counter type="event">57</Counter>
              </Node>
            </System>
            <System category="target">
              <Node>
                <Address category="ipv4-net">192.0.2.16/28</Address>
              </Node>
              <Service ip_protocol="6">
                <Port>80</Port>
              </Service>
            </System>
          </Flow>
          <Expectation action="block-host" />
          <!-- <RecordItem> has an excerpt from a log -->
          <Record>
            <RecordData>
              <DateTime>2001-09-13T18:11:21+02:00</DateTime>
              <Description>Web-server logs</Description>
              <RecordItem dtype="string">
              192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
              XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
              </RecordItem>
              <!-- Additional logs -->
              <RecordItem dtype="url">
              http://mylogs.example.com/logs/httpd_access</RecordItem>
            </RecordData>
          </Record>
        </EventData>
        <History>
          <!-- Contact was previously made with the source network
               owner -->
          <HistoryItem action="contact-source-site">
            <DateTime>2001-09-14T08:19:01+00:00</DateTime>
            <Description>Notification sent to
              constituency-contact@192.0.2.200</Description>
          </HistoryItem>
        </History>
      </Incident>
    </IODEF-Document>

7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- This example describes reconnaissance activity: one-to-one
         and one-to-many scanning -->
    <IODEF-Document version="2.00" lang="en"
        xmlns="urn:ietf:params:xml:ns:iodef-1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
      <Incident purpose="reporting">
        <IncidentID name="csirt.example.com">59334</IncidentID>
        <ReportTime>2006-08-02T05:54:02-05:00</ReportTime>
        <Assessment>
          <Impact type="recon" completion="succeeded" />
        </Assessment>
        <Method>
          <!-- Reference to the scanning tool "nmap" -->
          <Reference>
            <ReferenceName>nmap</ReferenceName>
            <URL>http://nmap.toolsite.example.com</URL>
          </Reference>
        </Method>
        <!-- Organizational contact and that for staff in that
             organization -->
        <Contact role="creator" type="organization">
          <ContactName>CSIRT for example.com</ContactName>
          <Email>contact@csirt.example.com</Email>
          <Telephone>+1 412 555 12345</Telephone>
          <!-- Since this <Contact> is nested, Joe Smith is part of
               the CSIRT for example.com -->
          <Contact role="tech" type="person" restriction="need-to-know">
            <ContactName>Joe Smith</ContactName>
            <Email>smith@csirt.example.com</Email>
          </Contact>
        </Contact>
        <EventData>
          <!-- Scanning activity as follows:
               192.0.2.1:60524 >> 192.0.2.3:137
               192.0.2.1:60526 >> 192.0.2.3:138
               192.0.2.1:60527 >> 192.0.2.3:139
               192.0.2.1:60531 >> 192.0.2.3:445
          -->
          <Flow>
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.200</Address>
              </Node>
              <Service ip_protocol="6">
                <Portlist>60524,60526,60527,60531</Portlist>
              </Service>
            </System>
            <System category="target">
              <Node>
                <Address category="ipv4-addr">192.0.2.201</Address>
              </Node>
              <Service ip_protocol="6">
                <Portlist>137-139,445</Portlist>
              </Service>
            </System>
          </Flow>
          <!-- Scanning activity as follows:
               192.0.2.2 >> 192.0.2.3/28:445 -->
          <Flow>
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.240</Address>
              </Node>
            </System>
            <System category="target">
              <Node>
                <Address category="ipv4-net">192.0.2.64/28</Address>
              </Node>
              <Service ip_protocol="6">
                <Port>445</Port>
              </Service>
            </System>
          </Flow>
        </EventData>
      </Incident>
    </IODEF-Document>

7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- This example describes a compromise and subsequent installation
         of bots -->
    <IODEF-Document version="2.00" lang="en"
        xmlns="urn:ietf:params:xml:ns:iodef-1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
      <Incident purpose="mitigation">
        <IncidentID name="csirt.example.com">908711</IncidentID>
        <ReportTime>2006-06-08T05:44:53-05:00</ReportTime>
        <Description>Large bot-net</Description>
        <Assessment>
          <Impact type="dos" severity="high" completion="succeeded" />
        </Assessment>
        <Method>
          <!-- References a given piece of malware, "GT Bot" -->
          <Reference>
            <ReferenceName>GT Bot</ReferenceName>
          </Reference>
          <!-- References the vulnerability used to compromise the
               machines -->
          <Reference>
            <ReferenceName>CA-2003-22</ReferenceName>
            <URL>http://www.cert.org/advisories/CA-2003-22.html</URL>
            <Description>Root compromise via this IE vulnerability to
              install the GT Bot</Description>
          </Reference>
        </Method>
        <!-- A member of the CSIRT that is coordinating this
             incident -->
        <Contact type="person" role="irt">
          <ContactName>Joe Smith</ContactName>
          <Email>jsmith@csirt.example.com</Email>
        </Contact>
        <EventData>
          <Description>These hosts are compromised and acting as bots
            communicating with irc.example.com.</Description>
          <Flow>
            <!-- bot running on 192.0.2.1 and sending DoS traffic at
                 10,000 bytes/second -->
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.1</Address>
              </Node>
              <Counter type="byte" duration="second">10000</Counter>
              <Description>bot</Description>
            </System>
            <!-- a second bot on 192.0.2.3 -->
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.3</Address>
              </Node>
              <Counter type="byte" duration="second">250000</Counter>
              <Description>bot</Description>
            </System>
            <!-- Command-and-control IRC server for these bots-->
            <System category="intermediate">
              <Node>
                <NodeName>irc.example.com</NodeName>
                <Address category="ipv4-addr">192.0.2.20</Address>
                <DateTime>2006-06-08T01:01:03-05:00</DateTime>
              </Node>
              <Description>
                IRC server on #give-me-cmd channel
              </Description>
            </System>
          </Flow>
          <!-- Request to take these machines offline -->
          <Expectation action="investigate">
            <Description>
              Confirm the source and take machines off-line and
              remediate
            </Description>
          </Expectation>
        </EventData>
      </Incident>
    </IODEF-Document>

7.4.  Watch List

   An example of a CSIRT conveying a watch-list.

    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- This example demonstrates a trivial IP watch-list -->
    <!-- @formatid is set to "watch-list-043" to demonstrate how
         additional semantics about this document could be conveyed
         assuming both parties understood it-->
    <IODEF-Document version="2.00" lang="en" formatid="watch-list-043"
        xmlns="urn:ietf:params:xml:ns:iodef-1.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
      <Incident purpose="reporting" restriction="private">
        <IncidentID name="csirt.example.com">908711</IncidentID>
        <ReportTime>2006-08-01T00:00:00-05:00</ReportTime>
        <Description>
          Watch-list of known bad IPs or networks
        </Description>
        <Assessment>
          <Impact type="admin" completion="succeeded" />
          <Impact type="recon" completion="succeeded" />
        </Assessment>
        <Contact type="organization" role="creator">
          <ContactName>CSIRT for example.com</ContactName>
          <Email>contact@csirt.example.com</Email>
        </Contact>
        <!-- Separate <EventData> is used to convey
             different <Expectation> -->
        <EventData>
          <Flow>
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.53</Address>
              </Node>
              <Description>Source of numerous attacks</Description>
            </System>
          </Flow>
          <!-- Expectation class indicating that sender of list would
               like to be notified if activity from the host is seen -->
          <Expectation action="contact-sender" />
        </EventData>
        <EventData>
          <Flow>
            <System category="source">
              <Node>
                <Address category="ipv4-net">192.0.2.16/28</Address>
              </Node>
              <Description>
                Source of heavy scanning over past 1-month
              </Description>
            </System>
          </Flow>
          <Flow>
            <System category="source">
              <Node>
                <Address category="ipv4-addr">192.0.2.241</Address>
              </Node>
              <Description>C2 IRC server</Description>
            </System>
          </Flow>
          <!-- Expectation class recommends that these networks
               be filtered -->
          <Expectation action="block-host" />
        </EventData>
      </Incident>
    </IODEF-Document>

draft-ietf-mile-rfc5070-bis-15.txt:

        <GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
        <Contact type="organization" role="creator">
          <Email>contact@csirt.example.com</Email>
        </Contact>
        <!-- Add more fields to make the document useful -->
      </Incident>
    </IODEF-Document>

7.2.  Indicators from a Campaign

   An example of C2 domains from a given campaign.

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- A list of C2 domains associated with a campaign -->
    <IODEF-Document version="2.00" xml:lang="en"
        xmlns="urn:ietf:params:xml:ns:iodef-2.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation=
        "http://www.iana.org/assignments/xml-registry/schema/
        iodef-2.0.xsd">
      <Incident purpose="watch" restriction="green">
        <IncidentID name="csirt.example.com">897923</IncidentID>
        <RelatedActivity>
          <ThreatActor>
            <ThreatActorID>
              TA-12-AGGRESSIVE-BUTTERFLY
            </ThreatActorID>
            <Description>Aggressive Butterfly</Description>
          </ThreatActor>
          <Campaign>
            <CampaignID>C-2015-59405</CampaignID>
            <Description>Orange Giraffe</Description>
          </Campaign>
        </RelatedActivity>
        <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
        <Description>Summarizes the Indicators of Compromise
          for the Orange Giraffe campaign of the Aggressive
          Butterfly crime gang.
        </Description>
        <Assessment>
          <BusinessImpact type="breach-proprietary"/>
        </Assessment>
        <Contact type="organization" role="creator">
          <ContactName>CSIRT for example.com</ContactName>
          <Email>contact@csirt.example.com</Email>
        </Contact>
        <IndicatorData>
          <Indicator>
            <IndicatorID name="csirt.example.com" version="1">
              G90823490
            </IndicatorID>
            <Description>C2 domains</Description>
            <StartTime>2014-12-02T11:18:00-05:00</StartTime>
            <Observable>
              <BulkObservable type="fqdn">
                <BulkObservableList>
                  kj290023j09r34.example.com
                  09ijk23jfj0k8.example.net
                  klknjwfjiowjefr923.example.org
                  oimireik79msd.example.org
                </BulkObservableList>
              </BulkObservable>
            </Observable>
          </Indicator>
        </IndicatorData>
      </Incident>
    </IODEF-Document>

7.3.  Incident Report

   An example of an incident report.

   ... TODO ...
8.  The IODEF Schema

draft-ietf-mile-rfc5070-bis-14.txt:

   <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     elementFormDefault="qualified"
     attributeFormDefault="unqualified">
     <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
       schemaLocation="http://www.w3.org/TR/2002/
       REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
     <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
       schemaLocation="http://www.iana.org/assignments/xml-registry/schema/iodef-enum-1.0.xsd" />
     <xs:import namespace="http://www.w3.org/XML/1998/namespace"
       schemaLocation="http://www.w3c.org/2001/xml.xsd" />
     <xs:annotation>
       <xs:documentation>
         Incident Object Description Exchange Format v2.0, RFC5070bis
       </xs:documentation>
     </xs:annotation>
     <!--
     ==================================================================

draft-ietf-mile-rfc5070-bis-15.txt:

   <xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
     xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
     xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     elementFormDefault="qualified"
     attributeFormDefault="unqualified">
     <xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
       schemaLocation="http://www.w3.org/TR/2002/
       REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
     <xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
       schemaLocation="http://www.iana.org/assignments/
       xml-registry/schema/iodef-enum-1.0.xsd" />
     <xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0"
       schemaLocation="http://www.iana.org/assignments/
       xml-registry/schema/iodef-sci-1.0.xsd" />
     <xs:import namespace="http://www.w3.org/XML/1998/namespace"
       schemaLocation="http://www.w3c.org/2001/xml.xsd" />
     <xs:annotation>
       <xs:documentation>
         Incident Object Description Exchange Format v2.0, RFC5070bis
       </xs:documentation>
     </xs:annotation>
     <!--
     ==================================================================
skipping to change at page 121, line 13 (bis-14) / page 117, line 19 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

           <xs:element ref="iodef:RelatedActivity"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:DetectTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:StartTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:EndTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:RecoveryTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:ReportTime"/>
           <xs:element ref="iodef:GenerationTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:Description"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Discovery"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Assessment"
                       maxOccurs="unbounded"/>
           <xs:element ref="iodef:Method"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Contact"
                       maxOccurs="unbounded"/>
           <xs:element ref="iodef:EventData"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:History"
                       minOccurs="0"/>
           <xs:element ref="iodef:AdditionalData"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="purpose" use="required"
                       type="incident-purpose-type"/>
         <xs:attribute name="ext-purpose"
                       type="xs:string" use="optional"/>
         <xs:attribute name="status" type="incident-status-type"/>

draft-ietf-mile-rfc5070-bis-15.txt:

           <xs:element ref="iodef:RelatedActivity"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:DetectTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:StartTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:EndTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:RecoveryTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:ReportTime"
                       minOccurs="0"/>
           <xs:element ref="iodef:GenerationTime"/>
           <xs:element ref="iodef:Description"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Discovery"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Assessment"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Method"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Contact"
                       maxOccurs="unbounded"/>
           <xs:element ref="iodef:EventData"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:IndicatorData"
                       minOccurs="0" />
           <xs:element ref="iodef:History"
                       minOccurs="0"/>
           <xs:element ref="iodef:AdditionalData"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="purpose" use="required"
                       type="incident-purpose-type"/>
         <xs:attribute name="ext-purpose"
                       type="xs:string" use="optional"/>
         <xs:attribute name="status" type="incident-status-type"/>
skipping to change at page 131, line 44 (bis-14) / page 128, line 4 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

     </xs:element>
     <!--
     ==================================================================
     == Method class                                                 ==
     ==================================================================
     -->
     <xs:element name="Method">
       <xs:complexType>
         <xs:sequence>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:Reference"/>
             <xs:element ref="iodef:Description"/>
           </xs:choice>
           <xs:element ref="iodef:AdditionalData"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction"
                       type="iodef:restriction-type"/>
         <xs:attribute name="ext-restriction"
                       type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>

draft-ietf-mile-rfc5070-bis-15.txt:

     </xs:element>
     <!--
     ==================================================================
     == Method class                                                 ==
     ==================================================================
     -->
     <xs:element name="Method">
       <xs:complexType>
         <xs:sequence>
           <xs:element ref="iodef:Reference"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Description"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="sci:AttackPattern"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="sci:Vulnerability"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="sci:Weakness"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:AdditionalData"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="restriction"
                       type="iodef:restriction-type"/>
         <xs:attribute name="ext-restriction"
                       type="xs:string" use="optional"/>
       </xs:complexType>
     </xs:element>
skipping to change at page 132, line 49 (bis-14) / page 129, line 15 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:SystemImpact"/>
             <xs:element ref="iodef:BusinessImpact"/>
             <xs:element ref="iodef:TimeImpact"/>
             <xs:element ref="iodef:MonetaryImpact"/>
             <xs:element ref="iodef:IntendedImpact"/>
           </xs:choice>
           <xs:element ref="iodef:Counter"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="MitigatingFactor"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Confidence" minOccurs="0"/>
           <xs:element ref="iodef:AdditionalData"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="occurrence">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="actual"/>
               <xs:enumeration value="potential"/>

draft-ietf-mile-rfc5070-bis-15.txt:

                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:choice maxOccurs="unbounded">
             <xs:element ref="iodef:SystemImpact"/>
             <xs:element ref="iodef:BusinessImpact"/>
             <xs:element ref="iodef:TimeImpact"/>
             <xs:element ref="iodef:MonetaryImpact"/>
             <xs:element ref="iodef:IntendedImpact"/>
           </xs:choice>
           <xs:element ref="iodef:Counter"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:MitigatingFactor"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Cause"
                       minOccurs="0" maxOccurs="unbounded"/>
           <xs:element ref="iodef:Confidence" minOccurs="0"/>
           <xs:element ref="iodef:AdditionalData"
                       minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
         <xs:attribute name="occurrence">
           <xs:simpleType>
             <xs:restriction base="xs:NMTOKEN">
               <xs:enumeration value="actual"/>
               <xs:enumeration value="potential"/>
skipping to change at page 133, line 31 (bis-14) / page 129, line 47 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

       </xs:complexType>
     </xs:element>
     <xs:element name="IncidentCategory" type="iodef:MLStringType"/>
     <xs:element name="BusinessImpact"
                 type="iodef:BusinessImpactType"/>
     <xs:element name="IntendedImpact"
                 type="iodef:BusinessImpactType"/>
     <xs:element name="MitigatingFactor"
                 type="iodef:MLStringType"/>
     <xs:element name="SystemImpact">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:MLStringType">
             <xs:attribute name="severity"
                           type="iodef:severity-type"/>
             <xs:attribute name="completion">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="failed"/>

draft-ietf-mile-rfc5070-bis-15.txt:

       </xs:complexType>
     </xs:element>
     <xs:element name="IncidentCategory" type="iodef:MLStringType"/>
     <xs:element name="BusinessImpact"
                 type="iodef:BusinessImpactType"/>
     <xs:element name="IntendedImpact"
                 type="iodef:BusinessImpactType"/>
     <xs:element name="MitigatingFactor"
                 type="iodef:MLStringType"/>
     <xs:element name="Cause"
                 type="iodef:MLStringType"/>
     <xs:element name="SystemImpact">
       <xs:complexType>
         <xs:simpleContent>
           <xs:extension base="iodef:MLStringType">
             <xs:attribute name="severity"
                           type="iodef:severity-type"/>
             <xs:attribute name="completion">
               <xs:simpleType>
                 <xs:restriction base="xs:NMTOKEN">
                   <xs:enumeration value="failed"/>
skipping to change at page 134, line 18 (bis-14) / page 130, line 34 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

     <xs:simpleType name="systemimpact-type-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="admin"/>
         <xs:enumeration value="takeover-account"/>
         <xs:enumeration value="takeover-service"/>
         <xs:enumeration value="takeover-system"/>
         <xs:enumeration value="cps-manipulation"/>
         <xs:enumeration value="cps-damage"/>
         <xs:enumeration value="availability-data"/>
         <xs:enumeration value="availibility-account"/>
         <xs:enumeration value="availibility-service"/>
         <xs:enumeration value="availibility-system"/>
         <xs:enumeration value="damaged-system"/>
         <xs:enumeration value="damaged-data"/>
         <xs:enumeration value="breach-proprietary"/>
         <xs:enumeration value="breach-privacy"/>
         <xs:enumeration value="breach-credential"/>
         <xs:enumeration value="breach-configuration"/>
         <xs:enumeration value="integrity-data"/>
         <xs:enumeration value="integrity-configuration"/>
         <xs:enumeration value="integrity-hardware"/>
         <xs:enumeration value="traffic-redirection"/>

draft-ietf-mile-rfc5070-bis-15.txt (the three misspelled "availibility-*" values are corrected):

     <xs:simpleType name="systemimpact-type-type">
       <xs:restriction base="xs:NMTOKEN">
         <xs:enumeration value="admin"/>
         <xs:enumeration value="takeover-account"/>
         <xs:enumeration value="takeover-service"/>
         <xs:enumeration value="takeover-system"/>
         <xs:enumeration value="cps-manipulation"/>
         <xs:enumeration value="cps-damage"/>
         <xs:enumeration value="availability-data"/>
         <xs:enumeration value="availability-account"/>
         <xs:enumeration value="availability-service"/>
         <xs:enumeration value="availability-system"/>
         <xs:enumeration value="damaged-system"/>
         <xs:enumeration value="damaged-data"/>
         <xs:enumeration value="breach-proprietary"/>
         <xs:enumeration value="breach-privacy"/>
         <xs:enumeration value="breach-credential"/>
         <xs:enumeration value="breach-configuration"/>
         <xs:enumeration value="integrity-data"/>
         <xs:enumeration value="integrity-configuration"/>
         <xs:enumeration value="integrity-hardware"/>
         <xs:enumeration value="traffic-redirection"/>
skipping to change at page 153, line 49 (bis-14) / page 150, line 19 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

                     type="iodef:restriction-type"/>
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="Certificate">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="ds:X509Data" />
       </xs:sequence>
       <xs:attribute name="observable-id"
                     type="xs:ID" use="optional"/>
     </xs:complexType>
   </xs:element>
   <!--
   ==================================================================
   == Classes that describe software                               ==
   ==================================================================
   -->
   <xs:complexType name="SoftwareType">
     <xs:sequence>

draft-ietf-mile-rfc5070-bis-15.txt:

                     type="iodef:restriction-type"/>
       <xs:attribute name="ext-restriction"
                     type="xs:string" use="optional"/>
     </xs:complexType>
   </xs:element>
   <xs:element name="Certificate">
     <xs:complexType>
       <xs:sequence>
         <xs:element ref="ds:X509Data" />
         <xs:element ref="iodef:Description"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="observable-id"
                     type="xs:ID" use="optional"/>
     </xs:complexType>
   </xs:element>
   <!--
   ==================================================================
   == Classes that describe software                               ==
   ==================================================================
   -->
   <xs:complexType name="SoftwareType">
     <xs:sequence>
skipping to change at page 159, line 18 (bis-14) / page 155, line 38 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

           <xs:element ref="iodef:ObservableReference"
                       minOccurs="0"/>
           <xs:element ref="iodef:IndicatorReference"
                       minOccurs="0"/>
         </xs:choice>
         <xs:element ref="iodef:AlternativeIndicatorID"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="operator"
                     type="indicatorexpression-operator-type"
                     use="required">
       </xs:attribute>
     </xs:complexType>
   </xs:element>
   <xs:simpleType name="indicatorexpression-operator-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="not"/>
       <xs:enumeration value="and"/>
       <xs:enumeration value="or"/>
       <xs:enumeration value="xor"/>

draft-ietf-mile-rfc5070-bis-15.txt:

           <xs:element ref="iodef:ObservableReference"
                       minOccurs="0"/>
           <xs:element ref="iodef:IndicatorReference"
                       minOccurs="0"/>
         </xs:choice>
         <xs:element ref="iodef:AlternativeIndicatorID"
                     minOccurs="0" maxOccurs="unbounded"/>
       </xs:sequence>
       <xs:attribute name="operator"
                     type="indicatorexpression-operator-type"
                     use="optional"
                     default="and">
       </xs:attribute>
     </xs:complexType>
   </xs:element>
   <xs:simpleType name="indicatorexpression-operator-type">
     <xs:restriction base="xs:NMTOKEN">
       <xs:enumeration value="not"/>
       <xs:enumeration value="and"/>
       <xs:enumeration value="or"/>
       <xs:enumeration value="xor"/>
skipping to change at page 164, line 17 (bis-14) / page 160, line 37 (bis-15)

draft-ietf-mile-rfc5070-bis-14.txt:

   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

draft-ietf-mile-rfc5070-bis-15.txt (the parser requirement becomes a normative MUST):

   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser MUST handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.
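The following is an added example and not text or code from the draft. It shows one way a receiving CSIRT tool could act on the points above: it ingests the bis-15 "Indicators from a Campaign" document from Section 7.2 (embedded below, abridged to the elements used) with only the Python standard library, refuses any document that carries a DTD or entity declaration so that the parser cannot be driven into entity expansion or external-entity fetches, enforces the bis-15 Incident rule that GenerationTime is required, extracts the BulkObservable values, and applies Expectation actions only when the transport has authenticated the sender and the action is on a local allow-list. The allow-list AUTO_ALLOWED_ACTIONS, the function names and the IodefError class are this example's own assumptions, not part of the specification.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
NS = {"iodef": IODEF_NS}

# Local policy (an assumption of this example, not from the draft): the
# Expectation actions a receiver will apply without a human in the loop.
AUTO_ALLOWED_ACTIONS = frozenset({"contact-sender", "investigate"})

# Sample input: the Section 7.2 document, abridged (xsi attributes,
# Description, Assessment and StartTime dropped).
CAMPAIGN_DOC = """<IODEF-Document version="2.00" xml:lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="watch" restriction="green">
    <IncidentID name="csirt.example.com">897923</IncidentID>
    <RelatedActivity>
      <ThreatActor>
        <ThreatActorID>TA-12-AGGRESSIVE-BUTTERFLY</ThreatActorID>
        <Description>Aggressive Butterfly</Description>
      </ThreatActor>
      <Campaign>
        <CampaignID>C-2015-59405</CampaignID>
        <Description>Orange Giraffe</Description>
      </Campaign>
    </RelatedActivity>
    <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
    <Contact type="organization" role="creator">
      <ContactName>CSIRT for example.com</ContactName>
      <Email>contact@csirt.example.com</Email>
    </Contact>
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">G90823490</IndicatorID>
        <Description>C2 domains</Description>
        <Observable>
          <BulkObservable type="fqdn">
            <BulkObservableList>
              kj290023j09r34.example.com
              09ijk23jfj0k8.example.net
              klknjwfjiowjefr923.example.org
              oimireik79msd.example.org
            </BulkObservableList>
          </BulkObservable>
        </Observable>
      </Indicator>
    </IndicatorData>
  </Incident>
</IODEF-Document>"""


class IodefError(ValueError):
    """Raised for documents this ingester refuses to process."""


def parse_iodef(text):
    """Parse an IODEF 2.0 document string and return its root element.

    IODEF never needs a DTD, and a DTD is the vehicle for entity-expansion
    and external-entity (XXE) attacks, so it is rejected before parsing.
    """
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise IodefError("DTD or entity declarations are not accepted")
    root = ET.fromstring(text)
    if root.tag != f"{{{IODEF_NS}}}IODEF-Document":
        raise IodefError("root element is not an IODEF 2.0 IODEF-Document")
    if root.get("version") != "2.00":
        raise IodefError(f"unsupported IODEF version {root.get('version')!r}")
    return root


def rejects(text):
    """True if parse_iodef() refuses the document."""
    try:
        parse_iodef(text)
    except (IodefError, ET.ParseError):
        return True
    return False


def incident_summary(root):
    """Fields a triage pipeline keys on, taken from the first Incident."""
    inc = root.find("iodef:Incident", NS)
    if inc is None:
        raise IodefError("document has no Incident")
    gen = inc.find("iodef:GenerationTime", NS)
    if gen is None:  # required by the bis-15 Incident schema
        raise IodefError("Incident lacks the required GenerationTime")
    iid = inc.find("iodef:IncidentID", NS)
    return {
        "id": f"{iid.get('name')}:{iid.text.strip()}",
        "purpose": inc.get("purpose"),
        "restriction": inc.get("restriction", "private"),  # draft default
        "generated": gen.text.strip(),
        "campaigns": [c.text.strip() for c in
                      inc.iterfind(".//iodef:Campaign/iodef:CampaignID", NS)],
        "expectations": [e.get("action") for e in
                         inc.iterfind(".//iodef:Expectation", NS)],
    }


def indicators(root):
    """(indicator id, observable type, values) per BulkObservable.

    A BulkObservableList carries one observable per line, so its text is
    split on whitespace.
    """
    found = []
    for ind in root.iterfind(".//iodef:IndicatorData/iodef:Indicator", NS):
        iid = ind.find("iodef:IndicatorID", NS)
        ident = (iid.get("name"), iid.text.strip(), iid.get("version"))
        for bulk in ind.iterfind(".//iodef:BulkObservable", NS):
            lst = bulk.find("iodef:BulkObservableList", NS)
            found.append((ident, bulk.get("type"), (lst.text or "").split()))
    return found


def auto_actions(summary, sender_authenticated):
    """Expectation actions safe to apply unattended: only from an
    authenticated sender, and only those on the local allow-list."""
    if not sender_authenticated:
        return []
    return [a for a in summary["expectations"] if a in AUTO_ALLOWED_ACTIONS]
```

Running `indicators(parse_iodef(CAMPAIGN_DOC))` yields the four C2 FQDNs tagged with the IndicatorID tuple, and `auto_actions(...)` returns an empty list for any document whose sender was not authenticated, which is the gate the third paragraph above asks for. The DTD check is deliberately a string test applied before the XML parser runs, since the standard-library parser would otherwise expand internal entities; a document whose comment merely mentions "<!DOCTYPE" is also refused, which is the safe side of that trade-off.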
The underlying messaging format and protocol used to exchange The underlying messaging format and protocol used to exchange
skipping to change at page 166, line 10 (bis-14) / page 162, line 28 (bis-15)

   The registries to be created are named in the table below in the
   "Registry Name" column.  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Description)" columns respectively.  The "IV (Value)" points
   to a given schema attribute or type per Section 8.  Each enumerated
   value in the schema gets a corresponding entry in a given registry.
   The "IV (Description)" points to a section in the text of this
   document.  The initial value of the Reference field of every registry
   entry described below should be this document.

draft-ietf-mile-rfc5070-bis-14.txt:

   +--------------------------------+--------------------------------+------------------+
   | Registry Name                  | IV (Value)                     | IV (Description) |
   +--------------------------------+--------------------------------+------------------+
   | Restriction                    | iodef-restriction-type         | Section 3.3.1    |
   | Incident-purpose               | Incident@purpose               | Section 3.2      |
   | Incident-status                | Incident@status                | Section 3.2      |
   | Contact-role                   | Contact@role                   | Section 3.10     |
   | Contact-type                   | Contact@type                   | Section 3.10     |
   | RegistryHandle-registry        | RegistryHandle@registry        | Section 3.10.1   |
   | Expectation-action             | iodef:action-type              | Section 3.17     |
   | Discovery-source               | Discovery@source               | Section 3.12     |
   | SystemImpact-type              | SystemImpact@type              | Section 3.14.1   |
   | BusinessImpact-severity        | BusinessImpact@severity        | Section 3.14.2   |
   | BusinessImpact-type            | BusinessImpact@type            | Section 3.14.2   |
   | TimeImpact-metrics             | TimeImpact@metric              | Section 3.14.3   |
   | TimeImpact-duration            | iodef:duration-type            | Section 3.14.3   |
   | NodeRole-category              | NodeRole@category              | Section 3.20.2   |
   | System-category                | System@category                | Section 3.19     |
   | System-ownership               | System@ownership               | Section 3.19     |
   | Address-category               | Address@category               | Section 3.20.1   |
   | Counter-type                   | Counter@type                   | Section 3.20.3   |
   | Counter-unit                   | Counter@unit                   | Section 3.20.3   |
   | DomainData-system-status       | DomainData@system-status       | Section 3.21     |
   | DomainData-domain-status       | DomainData@domain-status       | Section 3.21     |
   | RelatedDNS-record-type         | RelatedDNS@record-type         | Section 3.21.1   |
   | RecordPattern-type             | RecordPattern@type             | Section 3.25.2   |
   | RecordPattern-offsetunit       | RecordPattern@offsetunit       | Section 3.25.2   |
   | Key-registryaction             | Key@registryaction             | Section 3.26.1   |
   | HashData-scope                 | HashData@scope                 | Section 3.29     |
   | BulkObservable-type            | BulkObservable@type            | Section 3.32.3.1 |
   | AdditionalData-dtype           | iodef:dtype-type               | Section 3.9      |
   | ApplicationHeader-proto-dtype  | iodef:proto-dtype-type         | Section 3.22.2   |
   | SoftwareReference-dtype        | SoftwareReference              | Section 3.22.4   |
   +--------------------------------+--------------------------------+------------------+

draft-ietf-mile-rfc5070-bis-15.txt (adds the IndicatorExpression-operator registry):

   +--------------------------------+--------------------------------+------------------+
   | Registry Name                  | IV (Value)                     | IV (Description) |
   +--------------------------------+--------------------------------+------------------+
   | Restriction                    | iodef-restriction-type         | Section 3.3.1    |
   | Incident-purpose               | Incident@purpose               | Section 3.2      |
   | Incident-status                | Incident@status                | Section 3.2      |
   | Contact-role                   | Contact@role                   | Section 3.10     |
   | Contact-type                   | Contact@type                   | Section 3.10     |
   | RegistryHandle-registry        | RegistryHandle@registry        | Section 3.10.1   |
   | Expectation-action             | iodef:action-type              | Section 3.17     |
   | Discovery-source               | Discovery@source               | Section 3.12     |
   | SystemImpact-type              | SystemImpact@type              | Section 3.14.1   |
   | BusinessImpact-severity        | BusinessImpact@severity        | Section 3.14.2   |
   | BusinessImpact-type            | BusinessImpact@type            | Section 3.14.2   |
   | TimeImpact-metrics             | TimeImpact@metric              | Section 3.14.3   |
   | TimeImpact-duration            | iodef:duration-type            | Section 3.14.3   |
   | NodeRole-category              | NodeRole@category              | Section 3.20.2   |
   | System-category                | System@category                | Section 3.19     |
   | System-ownership               | System@ownership               | Section 3.19     |
   | Address-category               | Address@category               | Section 3.20.1   |
   | Counter-type                   | Counter@type                   | Section 3.20.3   |
   | Counter-unit                   | Counter@unit                   | Section 3.20.3   |
   | DomainData-system-status       | DomainData@system-status       | Section 3.21     |
   | DomainData-domain-status       | DomainData@domain-status       | Section 3.21     |
   | RelatedDNS-record-type         | RelatedDNS@record-type         | Section 3.21.1   |
   | RecordPattern-type             | RecordPattern@type             | Section 3.25.2   |
   | RecordPattern-offsetunit       | RecordPattern@offsetunit       | Section 3.25.2   |
   | Key-registryaction             | Key@registryaction             | Section 3.26.1   |
   | HashData-scope                 | HashData@scope                 | Section 3.29     |
   | BulkObservable-type            | BulkObservable@type            | Section 3.32.3.1 |
   | IndicatorExpression-operator   | IndicatorExpression@operator   | Section 3.32.4   |
   | AdditionalData-dtype           | iodef:dtype-type               | Section 3.9      |
   | ApplicationHeader-proto-dtype  | iodef:proto-dtype-type         | Section 3.22.2   |
   | SoftwareReference-dtype        | SoftwareReference              | Section 3.22.4   |
   +--------------------------------+--------------------------------+------------------+

                 Table 1: IANA Enumerated Value Registries
11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

draft-ietf-mile-rfc5070-bis-14.txt:

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

draft-ietf-mile-rfc5070-bis-15.txt:

   ... TODO ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]
skipping to change at page 169, line 21 (bis-14) / page 165, line 47 (bis-15)

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC ENUM, January 2015.

   The following entry appears only in draft-ietf-mile-rfc5070-bis-15,
   which imports the iodef-sci-1.0 namespace in Section 8.  The draft
   cites it as "RFC 5901"; the IODEF SCI extension by these authors is
   RFC 7203 (RFC 5901 is the IODEF phishing extension):

   [RFC-SCI]  Takahashi, T., Landfield, K., and Y. Kadobayashi, "An
              Incident Object Description Exchange Format (IODEF)
              Extension for Structured Cybersecurity Information",
              RFC 7203, April 2014.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.
End of changes. 86 change blocks. 494 lines changed or deleted, 381 lines changed or added.

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/