draft-ietf-mile-rfc5070-bis-17.txt   draft-ietf-mile-rfc5070-bis-18.txt 
MILE Working Group R. Danyliw MILE Working Group R. Danyliw
Internet-Draft CERT Internet-Draft CERT
Obsoletes: 5070 (if approved) March 20, 2016 Obsoletes: 5070 (if approved) March 21, 2016
Intended status: Standards Track Intended status: Standards Track
Expires: September 21, 2016 Expires: September 22, 2016
The Incident Object Description Exchange Format v2 The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-17 draft-ietf-mile-rfc5070-bis-18
Abstract Abstract
The Incident Object Description Exchange Format (IODEF) defines a The Incident Object Description Exchange Format (IODEF) defines a
data representation for security incident reports and cyber data representation for security incident reports and cyber
indicators commonly exchanged by operational security teams for indicators commonly exchanged by operational security teams for
mitigation and watch and warning. This document describes the mitigation and watch and warning. This document describes the
information model for the IODEF and provides an associated data model information model for the IODEF and provides an associated data model
specified with XML Schema. specified with XML Schema.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 21, 2016. This Internet-Draft will expire on September 22, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 4, line 19 skipping to change at page 4, line 19
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 95 3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 95
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 95 3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 95
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 96 3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 96
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 102 3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 102
3.29.5. Expressions with IndicatorExpression . . . . . . . . 103 3.29.5. Expressions with IndicatorExpression . . . . . . . . 103
3.29.6. ObservableReference Class . . . . . . . . . . . . . 105 3.29.6. ObservableReference Class . . . . . . . . . . . . . 105
3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 105 3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 105
3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 106 3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 106
4. Processing Considerations . . . . . . . . . . . . . . . . . . 107 4. Processing Considerations . . . . . . . . . . . . . . . . . . 107
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 107 4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 107
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 107 4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 108
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 108 4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 108
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 108 4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 108
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 109 5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 109
5.1. Extending the Enumerated Values of Attributes . . . . . . 109 5.1. Extending the Enumerated Values of Attributes . . . . . . 109
5.1.1. Private Extension of Enumerated Values . . . . . . . 109 5.1.1. Private Extension of Enumerated Values . . . . . . . 110
5.1.2. Public Extension of Enumerated Values . . . . . . . . 110 5.1.2. Public Extension of Enumerated Values . . . . . . . . 110
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 110 5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 110
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 112 5.3. Deconflicting Private Extensions . . . . . . . . . . . . 112
6. Internationalization Issues . . . . . . . . . . . . . . . . . 113 6. Internationalization Issues . . . . . . . . . . . . . . . . . 113
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 114 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 114
7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 114 7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 114
7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 115 7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 115
8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 116 8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 116
9. Security Considerations . . . . . . . . . . . . . . . . . . . 155 9. Security Considerations . . . . . . . . . . . . . . . . . . . 156
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 156 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 156
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 156 10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 156
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 156 10.2. Enumerated Value Registries . . . . . . . . . . . . . . 157
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 159 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 159
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 159 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 160
12.1. Normative References . . . . . . . . . . . . . . . . . . 159 12.1. Normative References . . . . . . . . . . . . . . . . . . 160
12.2. Informative References . . . . . . . . . . . . . . . . . 161 12.2. Informative References . . . . . . . . . . . . . . . . . 162
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 162 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 163
1. Introduction 1. Introduction
Organizations require help from other parties to mitigate malicious Organizations require help from other parties to mitigate malicious
activity targeting their network and to gain insight into potential activity targeting their network and to gain insight into potential
threats. This coordination might entail working with an ISP to threats. This coordination might entail working with an ISP to
filter attack traffic, contacting a remote site to take down a filter attack traffic, contacting a remote site to take down a
botnet, or sharing watch-lists of known malicious indicators in a botnet, or sharing watch-lists of known malicious indicators in a
consortium. consortium.
skipping to change at page 10, line 52 skipping to change at page 10, line 52
model by the URL data type. The format of the URL data type is model by the URL data type. The format of the URL data type is
documented in [RFC3986]. documented in [RFC3986].
The URL data type is implemented as a "xs:anyURI" type per The URL data type is implemented as a "xs:anyURI" type per
Section 3.2.17 of [W3C.SCHEMA.DTYPES]. Section 3.2.17 of [W3C.SCHEMA.DTYPES].
2.14. Identifiers and Identifier References 2.14. Identifiers and Identifier References
An identifier unique to the IODEF document is represented in the An identifier unique to the IODEF document is represented in the
information model by the ID data type. A reference to this information model by the ID data type. A reference to this
identifier is represented by the IDREF data type. The acceptable identifier is represented by the IDREF data type.
format of ID and IDREF is documented in Section 3.3.8 and 3.3.9 of
[W3C.SCHEMA.DTYPES].
The ID and IDREF data types are implemented in the model as "xs:ID" The ID and IDREF data types are implemented in the model as "xs:ID"
and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of
[W3C.SCHEMA.DTYPES]. [W3C.SCHEMA.DTYPES].
2.15. Software 2.15. Software
A particular version of software is represented in the information A particular version of software is represented in the information
model by the SOFTWARE data type. This software can be described by model by the SOFTWARE data type. This software can be described by
using a reference, a URL or with free-form text. using a reference, a URL or with free-form text.
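Review bot: removing the sentence "The acceptable format of ID and IDREF is documented in Section 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES]" from the first paragraph of Section 2.14 loses nothing, because the second paragraph still cites Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES] for the xs:ID and xs:IDREF implementation; the -17 text stated the same pointer twice. The kept paragraph is now the only place the format is specified, so it should stay next to the implementation note rather than being moved later.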
skipping to change at page 12, line 13 skipping to change at page 12, line 13
software. software.
+----------------------+ +----------------------+
| SoftwareReference | | SoftwareReference |
+----------------------+ +----------------------+
| xs:any | | xs:any |
| | | |
| ENUM spec-name | | ENUM spec-name |
| STRING ext-spec-name | | STRING ext-spec-name |
| ENUM dtype | | ENUM dtype |
| STRING enum-dtype | | STRING ext-dtype |
+----------------------+ +----------------------+
Figure 3: The SoftwareReference Class Figure 3: The SoftwareReference Class
The element content varies according to the value of the spec-name The element content varies according to the value of the spec-name
attribute. It is defined in the data model as "xs:any" per attribute. It is defined in the data model as "xs:any" per
[W3C.SCHEMA]. [W3C.SCHEMA].
The attributes of the SoftwareReference class are: The attributes of the SoftwareReference class are:
skipping to change at page 12, line 39 skipping to change at page 12, line 39
"SoftwareReference-spec-id" IANA registry per Section 10.2 "SoftwareReference-spec-id" IANA registry per Section 10.2
1. custom. The element content is free-form and of the data type 1. custom. The element content is free-form and of the data type
specified by the dtype attribute. If this value is selected, specified by the dtype attribute. If this value is selected,
then the dtype attribute MUST be set. then the dtype attribute MUST be set.
2. cpe. The element content describes a Common Platform 2. cpe. The element content describes a Common Platform
Enumeration (CPE) entry. Enumeration (CPE) entry.
3. swid. The element content describes a software identification 3. swid. The element content describes a software identification
(SWID) tag per ISO/IEC 19770-2:2009. (SWID) tag per [ISO19770].
4. ext-value. A value used to indicate that this attribute is 4. ext-value. A value used to indicate that this attribute is
extended and the actual value is provided using the extended and the actual value is provided using the
corresponding ext-* attribute. See Section 5.1.1. corresponding ext-* attribute. See Section 5.1.1.
ext-spec-name ext-spec-name
Optional. STRING. A means by which to extend the spec-name Optional. STRING. A means by which to extend the spec-name
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
dtype dtype
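Review bot: the last attribute in Figure 3 is renamed from "STRING enum-dtype" to "STRING ext-dtype", which matches the ext-* naming already used by ext-spec-name, but the attribute descriptions that follow the figure (the "dtype" entry begins at the end of this hunk) and the SoftwareReference type in the XML Schema (Section 8) must use "ext-dtype" as well, or the figure and the definition will disagree. The swid entry now cites [ISO19770] instead of the inline "ISO/IEC 19770-2:2009"; a matching [ISO19770] entry has to be added to Section 12, and since the edition is no longer stated in the text, that entry should identify the 2009 edition explicitly.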
skipping to change at page 76, line 7 skipping to change at page 76, line 7
Zero or one. A protocol header. See Section 3.20.2. Zero or one. A protocol header. See Section 3.20.2.
EmailData EmailData
Zero or one. Headers associated with an email message. See Zero or one. Headers associated with an email message. See
Section 3.21. Section 3.21.
Application Application
Zero or one. SOFTWARE. The application acting as either the Zero or one. SOFTWARE. The application acting as either the
client or server for the service. client or server for the service.
Either a Port or Portlist class MUST be specified for a given At least one of these classes MUST be present.
instance of a Service class.
When a given System classes with category="source" and another with When a given System classes with category="source" and another with
category="target" are aggregated into a single Flow class, and each category="target" are aggregated into a single Flow class, and each
of these System classes has a Service and Portlist class, an implicit of these System classes has a Service and Portlist class, an implicit
relationship between these Portlists exists. If N ports are listed relationship between these Portlists exists. If N ports are listed
for a System@category="source", and M ports are listed for for a System@category="source", and M ports are listed for
System@category="target", the number of ports in N must be equal to System@category="target", the number of ports in N must be equal to
M. Likewise, the ports MUST be listed in an identical sequence such M. Likewise, the ports MUST be listed in an identical sequence such
that the n-th port in the source corresponds to the n-th port of the that the n-th port in the source corresponds to the n-th port of the
target. If N is greater than 1, a given instance of a Flow class target. If N is greater than 1, a given instance of a Flow class
MUST only have a single instance of a System@category="source" and MUST only have a single instance of a System@category="source" and
System@category="target". System@category="target".
The attributes of the Service class are: The attributes of the Service class are:
ip-protocol ip-protocol
Required. INTEGER. The IANA assigned IP protocol number per Optional. INTEGER. The IANA assigned IP protocol number per
[IANA.Protocols]. [IANA.Protocols] The attribute MUST be set if a Port, Portlist,
ProtoCode, ProtoType, ProtoField class is present.
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.20.1. ServiceName Class 3.20.1. ServiceName Class
The ServiceName class identifies an application protocol. It can be The ServiceName class identifies an application protocol. It can be
described by referencing an IANA registered protocol, a URL or with described by referencing an IANA registered protocol, a URL or with
free-form text. free-form text.
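Review bot: "At least one of these classes MUST be present." has an unclear antecedent; it replaces the explicit "Either a Port or Portlist class MUST be specified for a given instance of a Service class", and "these classes" can only be resolved by reading back to the aggregate list above this hunk (ApplicationHeader, EmailData and Application are the visible tail of it). Name the classes, as the RecordData text in this revision does ("At least one of the following classes MUST be present: ..."). In the ip-protocol entry, the new sentence is missing a period after "[IANA.Protocols]" and an "or" before "ProtoField", i.e. "The attribute MUST be set if a Port, Portlist, ProtoCode, ProtoType, or ProtoField class is present." The unchanged paragraph "When a given System classes with category="source" ..." should read "When a given System class".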
skipping to change at page 79, line 7 skipping to change at page 79, line 7
EmailHeaders EmailHeaders
Zero or one. STRING. The headers of an email message. Zero or one. STRING. The headers of an email message.
EmailBody EmailBody
Zero or one. STRING. The body of an email message. Zero or one. STRING. The body of an email message.
EmailMessage EmailMessage
Zero or one. STRING. The headers and body of an email message. Zero or one. STRING. The headers and body of an email message.
HashData HashData
Zero or One. Hash(es) associated with this email message. See Zero or more. Hash(es) associated with this email message. See
Section 3.26. Section 3.26.
SignatureData SignatureData
Zero or One. Signature(s) associated with this email message. Zero or more. Signature(s) associated with this email message.
See Section 3.27. See Section 3.27.
The attribute of the EmailData class is: The attribute of the EmailData class is:
observable-id observable-id
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.22. Record Class 3.22. Record Class
The Record class is a container class for log and audit data that The Record class is a container class for log and audit data that
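Review bot: HashData and SignatureData under EmailData change from "Zero or One" to "Zero or more"; this is a cardinality change, not only a capitalisation fix, so the EmailData type in the XML Schema (Section 8) needs maxOccurs="unbounded" on both elements to match, and the Figure for the EmailData class (outside this hunk) must show {0..*} rather than {0..1}. The existing wording "Hash(es)" and "Signature(s)" already implied more than one, so the prose is now self-consistent.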
skipping to change at page 81, line 21 skipping to change at page 81, line 21
incident. See Section 3.23. incident. See Section 3.23.
CertificateData CertificateData
Zero or more. The certificates that were involved in the Zero or more. The certificates that were involved in the
incident. See Section 3.24. incident. See Section 3.24.
AdditionalData AdditionalData
Zero or more. EXTENSION. An extension mechanism for data not Zero or more. EXTENSION. An extension mechanism for data not
explicitly represented in the data model. explicitly represented in the data model.
At least one of the following classes MUST be present: RecordItem,
URL, FileData, WindowsRegistryKeysModified, CertificateData or
AdditionalData.
The attributes of the RecordData class are: The attributes of the RecordData class are:
restriction restriction
Optional. ENUM. See Section 3.3.1. Optional. ENUM. See Section 3.3.1.
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
observable-id observable-id
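Review bot: the new constraint "At least one of the following classes MUST be present: RecordItem, URL, FileData, WindowsRegistryKeysModified, CertificateData or AdditionalData." includes AdditionalData, so a RecordData carrying only extension content satisfies it; state whether that is intended. It should also say whether the schema enforces this or whether it is a prose-only requirement, because the "Zero or more" cardinality on each listed class (FileData, WindowsRegistryKeysModified, CertificateData and AdditionalData are all "Zero or more" in this hunk) otherwise permits an empty RecordData that validates against the schema but violates the MUST.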
skipping to change at page 84, line 13 skipping to change at page 84, line 13
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.23.1. Key Class 3.23.1. Key Class
The Key class describes a Windows operating system registry key name The Key class describes a Windows operating system registry key name
and value pair, and the operation performed on it. and value pair, and the operation performed on it.
+---------------------------+ +---------------------------+
| Key | | Key |
+---------------------------+ +---------------------------+
| ENUM registryaction |<>----------[ KeyName ] | ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ] | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id | | ID observable-id |
+---------------------------+ +---------------------------+
Figure 49: The Key Class Figure 49: The Key Class
The aggregate classes of the Key class are: The aggregate classes of the Key class are:
KeyName KeyName
One. STRING. The name of a Windows operating system registry key One. STRING. The name of a Windows operating system registry key
skipping to change at page 86, line 8 skipping to change at page 86, line 8
Optional. ID. See Section 3.3.2. Optional. ID. See Section 3.3.2.
3.24.1. Certificate Class 3.24.1. Certificate Class
The Certificate class describes a given X.509 certificate or The Certificate class describes a given X.509 certificate or
certificate chain. certificate chain.
+--------------------------+ +--------------------------+
| Certificate | | Certificate |
+--------------------------+ +--------------------------+
| ID observable-id |<>----------[ ds: X509Data ] | ID observable-id |<>----------[ ds:X509Data ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
+--------------------------+ +--------------------------+
Figure 51: The Certificate Class Figure 51: The Certificate Class
The aggregate classes of the Certificate class are: The aggregate classes of the Certificate class are:
ds:X509Data ds:X509Data
One. A given X.509 certificate or chain. See Section 4.4.4 of One. A given X.509 certificate or chain. See Section 4.4.4 of
[W3C.XMLSIG]. [W3C.XMLSIG].
skipping to change at page 88, line 48 skipping to change at page 88, line 48
Zero or One. STRING. An identifier that references a subset of Zero or One. STRING. An identifier that references a subset of
the object being hashed. The semantics of this identifier are the object being hashed. The semantics of this identifier are
specified by the scope attribute. specified by the scope attribute.
Hash Hash
Zero or more. The hash of an object. See Section 3.26.1. Zero or more. The hash of an object. See Section 3.26.1.
FuzzyHash FuzzyHash
Zero or more. The fuzzy hash of an object. See Section 3.26.2. Zero or more. The fuzzy hash of an object. See Section 3.26.2.
A single instance of Hash or FuzzyHash MUST be present. At least one instance of either Hash or FuzzyHash MUST be present.
The attribute of the HashData class is: The attribute of the HashData class is:
scope scope
Required. ENUM. Describes on which part of the object the hash Required. ENUM. Describes on which part of the object the hash
should be applied. These values are maintained in the "HashData- should be applied. These values are maintained in the "HashData-
scope" IANA registry per Section 10.2. scope" IANA registry per Section 10.2.
1. file-contents. A hash computed over the entire contents of a 1. file-contents. A hash computed over the entire contents of a
file. file.
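Review bot: "At least one instance of either Hash or FuzzyHash MUST be present." fixes the conflict between the old "A single instance of Hash or FuzzyHash MUST be present." and the "Zero or more" cardinality on both Hash and FuzzyHash, but "either ... or" can still be read as exclusive. If a HashData may carry both a Hash and a FuzzyHash, which "Zero or more" on each suggests, write "At least one Hash or FuzzyHash class MUST be present." Nit: the first entry in this hunk still reads "Zero or One" where the rest of this revision normalises to "Zero or one".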
skipping to change at page 90, line 18 skipping to change at page 90, line 18
The Hash class describes a cryptographic hash value; the algorithm The Hash class describes a cryptographic hash value; the algorithm
and application used to generate it; and the canonicalization method and application used to generate it; and the canonicalization method
applied to the object being hashed. applied to the object being hashed.
+----------------+ +----------------+
| Hash | | Hash |
+----------------+ +----------------+
| |<>----------[ ds:DigestMethod ] | |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ] | |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ ds:CanonicalizationMethod ] | |<>--{0..1}--[ ds:CanonicalizationMethod ]
| |<>--{0..1}--[ Application ] | |<>--{0..1}--[ Application ]
+----------------+ +----------------+
Figure 55: The Hash Class Figure 55: The Hash Class
The aggregate classes of the Hash class are: The aggregate classes of the Hash class are:
ds:DigestMethod ds:DigestMethod
One. The hash algorithm used to generate the hash. See One. The hash algorithm used to generate the hash. See
Section 4.3.3.5 of [W3C.XMLSIG] Section 4.3.3.5 of [W3C.XMLSIG]
skipping to change at page 91, line 21 skipping to change at page 91, line 21
+--------------------------+ +--------------------------+
Figure 56: The FuzzyHash Class Figure 56: The FuzzyHash Class
The aggregate classes of the FuzzyHash class are: The aggregate classes of the FuzzyHash class are:
FuzzyHashValue FuzzyHashValue
One or more. EXTENSION. The computed fuzzy hash value. One or more. EXTENSION. The computed fuzzy hash value.
Application Application
Zero or One. SOFTWARE. The application used to calculate the Zero or one. SOFTWARE. The application used to calculate the
hash. hash.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The FuzzyData class has no attributes. The FuzzyData class has no attributes.
3.27. SignatureData Class 3.27. SignatureData Class
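Review bot: the closing sentence "The FuzzyData class has no attributes." names a class that does not exist in this section; the section describes the FuzzyHash class (Figure 56), so it should read "The FuzzyHash class has no attributes." This error is present in both -17 and -18. The "Zero or One" to "Zero or one" change on Application is fine.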
skipping to change at page 93, line 9 skipping to change at page 93, line 9
consists of observable features and phenomenon that aid in the consists of observable features and phenomenon that aid in the
forensic or proactive detection of malicious activity; and associated forensic or proactive detection of malicious activity; and associated
meta-data. An indicator can be described outright; by referencing or meta-data. An indicator can be described outright; by referencing or
composing previously defined indicators; or by referencing composing previously defined indicators; or by referencing
observables described in the incident report found in this document. observables described in the incident report found in this document.
+------------------------+ +------------------------+
| Indicator | | Indicator |
+------------------------+ +------------------------+
| ENUM restriction |<>----------[ IndicatorID ] | ENUM restriction |<>----------[ IndicatorID ]
| STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ] | STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ] | |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ] | |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ] | |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ] | |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ] | |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ] | |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ] | |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ NodeRole ] | |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ AttackPhase ] | |<>--{0..*}--[ AttackPhase ]
| |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+------------------------+ +------------------------+
Figure 59: The Indicator Class Figure 59: The Indicator Class
The aggregate classes of the Indicator class are: The aggregate classes of the Indicator class are:
IndicatorID IndicatorID
One. An identifier for this indicator. See Section 3.29.1 One. An identifier for this indicator. See Section 3.29.1
AlternativeIndicatorID AlternativeIndicatorID
Zero or one. An alternative identifier for this indicator. See Zero or more. An alternative identifier for this indicator. See
Section 3.29.2 Section 3.29.2
Description Description
Zero or more. ML_STRING. A free-form text description of the Zero or more. ML_STRING. A free-form text description of the
indicator. indicator.
StartTime StartTime
Zero or one. DATETIME. A timestamp of the start of the time Zero or one. DATETIME. A timestamp of the start of the time
period during which this indicator is valid. period during which this indicator is valid.
skipping to change at page 94, line 22 skipping to change at page 94, line 22
Zero or one. A reference to an observable feature or phenomenon Zero or one. A reference to an observable feature or phenomenon
defined elsewhere in the document. See Section 3.29.6. defined elsewhere in the document. See Section 3.29.6.
IndicatorExpression IndicatorExpression
Zero or one. A composition of observables. See Section 3.29.4. Zero or one. A composition of observables. See Section 3.29.4.
IndicatorReference IndicatorReference
Zero or one. A reference to an indicator. See Section 3.29.7. Zero or one. A reference to an indicator. See Section 3.29.7.
NodeRole NodeRole
Zero or many. The role of the system in the attack should this Zero or more. The role of the system in the attack should this
indicator be matched to it. See Section 3.18.2. indicator be matched to it. See Section 3.18.2.
AttackPhase AttackPhase
Zero or many. The phase in an attack lifecycle during which this Zero or more. The phase in an attack lifecycle during which this
indicator might be seen. See Section 3.29.8. indicator might be seen. See Section 3.29.8.
Reference
Zero or more. A reference to additional information relevant to
this indicator. See Section 3.11.1.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The Indicator class MUST have exactly one instance of an Observable, The Indicator class MUST have exactly one instance of an Observable,
IndicatorExpression, ObservableReference, or IndicatorReference IndicatorExpression, ObservableReference, or IndicatorReference
class. class.
The StartTime and EndTime classes can be used to define an interval The StartTime and EndTime classes can be used to define an interval
during which the indicator is valid. If both classes are present, during which the indicator is valid. If both classes are present,
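Review bot: Reference is added to the Indicator figure (Figure 59) and to the aggregate list with cardinality {0..*} / "Zero or more", and AlternativeIndicatorID moves from {0..1} to {0..*}; both need matching changes in the Indicator type in the XML Schema (Section 8), a new Reference element and maxOccurs="unbounded" on AlternativeIndicatorID, otherwise the information model and data model diverge. The rule "The Indicator class MUST have exactly one instance of an Observable, IndicatorExpression, ObservableReference, or IndicatorReference class." is unaffected by these additions. Nit: the IndicatorID and AlternativeIndicatorID entries end "See Section 3.29.1" and "See Section 3.29.2" without a period, unlike every other entry in the list.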
skipping to change at page 97, line 5 skipping to change at page 97, line 5
ext-restriction ext-restriction
Optional. STRING. A means by which to extend the restriction Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1. attribute. See Section 5.1.1.
3.29.3. Observable Class 3.29.3. Observable Class
The Observable class describes a feature and phenomenon that can be The Observable class describes a feature and phenomenon that can be
observed or measured for the purposes of detecting malicious observed or measured for the purposes of detecting malicious
behavior. behavior.
+-------------------+ +------------------------+
| Observable | | Observable |
+-------------------+ +------------------------+
| |<>--{0..1}--[ Address ] | ENUM restriction |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ] | STRING ext-restriction |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Service ] | |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ] | |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ] | |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ] | |<>--{0..1}--[ CertificateData ]
| |<>--{0..1]--[ RegistryHandle ] | |<>--{0..1]--[ RegistryHandle ]
| |<>--{0..1}--[ RecordData ] | |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ] | |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ] | |<>--{0..1}--[ Incident ]
| |<>--{0..*}--[ Expectation ] | |<>--{0..1}--[ Expectation ]
| |<>--{0..*}--[ Reference ] | |<>--{0..1}--[ Reference ]
| |<>--{0..1}--[ Assessment ] | |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ HistoryItem ] | |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ] | |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ] | |<>--{0..*}--[ AdditionalData ]
+-------------------+ +------------------------+
Figure 62: The Observable Class Figure 62: The Observable Class
The aggregate classes of the Observable class are: The aggregate classes of the Observable class are:
Address Address
Zero or One. An Address observable. See Section 3.18.1. Zero or one. An Address observable. See Section 3.18.1.
DomainData DomainData
Zero or One. A DomainData observable. See Section 3.19. Zero or one. A DomainData observable. See Section 3.19.
Service Service
Zero or One. A Service observable. See Section 3.20. Zero or one. A Service observable. See Section 3.20.
EmailData EmailData
Zero or One. A EmailData observable. See Section 3.21. Zero or one. A EmailData observable. See Section 3.21.
WindowsRegistryKeysModified WindowsRegistryKeysModified
Zero or One. A WindowsRegistryKeysModified observable. See Zero or one. A WindowsRegistryKeysModified observable. See
Section 3.23. Section 3.23.
FileData FileData
Zero or One. A FileData observable. See Section 3.25. Zero or one. A FileData observable. See Section 3.25.
CertificateData CertificateData
Zero or One. A CertificateData observable. See Section 3.24. Zero or one. A CertificateData observable. See Section 3.24.
RegistryHandle RegistryHandle
Zero or One. A RegistryHandle observable. See Section 3.9.1. Zero or one. A RegistryHandle observable. See Section 3.9.1.
RecordData RecordData
Zero or One. A RecordData observable. See Section 3.22.1. Zero or one. A RecordData observable. See Section 3.22.1.
EventData EventData
Zero or One. An EventData observable. See Section 3.14. Zero or one. An EventData observable. See Section 3.14.
Incident Incident
Zero or One. An Incident observable. See Section 3.2. Zero or one. An Incident observable. See Section 3.2.
EventData EventData
Zero or One. An EventData observable. See Section 3.14. Zero or one. An EventData observable. See Section 3.14.
Expectation Expectation
Zero or One. An Expectation observable. See Section 3.15. Zero or one. An Expectation observable. See Section 3.15.
Reference Reference
Zero or One. A Reference observable. See Section 3.11.1. Zero or one. A Reference observable. See Section 3.11.1.
Assessment Assessment
Zero or One. An Assessment observable. See Section 3.12. Zero or one. An Assessment observable. See Section 3.12.
HistoryItem HistoryItem
Zero or One. A HistoryItem observable. See Section 3.13.1. Zero or one. A HistoryItem observable. See Section 3.13.1.
BulkObservable BulkObservable
Zero or One. A bulk list of observables. See Section 3.29.3.1. Zero or one. A bulk list of observables. See Section 3.29.3.1.
AdditionalData AdditionalData
Zero or more. EXTENSION. Mechanism by which to extend the data Zero or more. EXTENSION. Mechanism by which to extend the data
model. model.
The Observable class MUST have exactly one of the possible child The Observable class MUST have exactly one of the possible child
classes. classes.
The Observable class has no attributes. The attributes of the Observable class are:
restriction
Optional. ENUM. See Section 3.3.1.
ext-restriction
Optional. STRING. A means by which to extend the restriction
attribute. See Section 5.1.1.
3.29.3.1. BulkObservable Class 3.29.3.1. BulkObservable Class
The BulkObservable class allows the enumeration of a single type of The BulkObservable class allows the enumeration of a single type of
observables without requiring each one to be encoded individually in observables without requiring each one to be encoded individually in
multiple instances of the same class. multiple instances of the same class.
The type attribute describes the type of observable listed in the The type attribute describes the type of observable listed in the
child BulkObservableList class. The BulkObservableFormat class child BulkObservableList class. The BulkObservableFormat class
optionally provides additional meta-data. optionally provides additional meta-data.
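Review bot: the aggregate list of the Observable class still carries EventData twice (once after RecordData, again after Incident) on both sides of the diff; drop the second entry. The new sentence "The Observable class MUST have exactly one of the possible child classes" also sits directly beside AdditionalData described as "Zero or more", so the text should say whether several AdditionalData children still satisfy the one-child rule or whether AdditionalData is meant to become "Zero or one". Minor: "A EmailData observable" should read "An EmailData observable".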
skipping to change at page 105, line 10 skipping to change at page 105, line 24
Figure 69: A recursive IndicatorExpression with an operator attribute Figure 69: A recursive IndicatorExpression with an operator attribute
specified specified
Invalid algebraic expressions while valid XML, MUST not be specified. Invalid algebraic expressions while valid XML, MUST not be specified.
3.29.6. ObservableReference Class 3.29.6. ObservableReference Class
The ObservableReference describes a reference to an observable The ObservableReference describes a reference to an observable
feature or phenomenon described elsewhere in the document. feature or phenomenon described elsewhere in the document.
This class has no content. The ObservableReference class has no content.
+-------------------------+ +-------------------------+
| ObservableReference | | ObservableReference |
+-------------------------+ +-------------------------+
| EMPTY |
| |
| IDREF uid-ref | | IDREF uid-ref |
+-------------------------+ +-------------------------+
Figure 70: The ObservableReference Class Figure 70: The ObservableReference Class
The ObservableReference class has no content. The ObservableReference class has no content.
The attribute of the ObservableReference class is: The attribute of the ObservableReference class is:
uid-ref uid-ref
Required. IDREF. An identifier that serves as a reference to a Required. IDREF. An identifier that serves as a reference to a
class in the IODEF document. The referenced class will have this class in the IODEF document. The referenced class will have this
identifier set in its observable-id attribute. identifier set in its observable-id attribute.
3.29.7. IndicatorReference Class 3.29.7. IndicatorReference Class
The IndicatorReference describes a reference to an indicator. This The IndicatorReference describes a reference to an indicator. This
reference may be to an indicator described in this IODEF document or reference may be to an indicator described in this IODEF document or
in a previously exchanged IODEF document. in a previously exchanged IODEF document.
The IndicatorReference class has no content.
+--------------------------+ +--------------------------+
| IndicatorReference | | IndicatorReference |
+--------------------------+ +--------------------------+
| EMPTY |
| |
| IDREF uid-ref | | IDREF uid-ref |
| STRING euid-ref | | STRING euid-ref |
| STRING version | | STRING version |
+--------------------------+ +--------------------------+
Figure 71: The IndicatorReference Class Figure 71: The IndicatorReference Class
The IndicatorReference class has no content.
The attributes of the IndicatorReference class are: The attributes of the IndicatorReference class are:
uid-ref uid-ref
Optional. IDREF. An identifier that references an Indicator Optional. IDREF. An identifier that references an Indicator
class in the IODEF document. The referenced Indicator class will class in the IODEF document. The referenced Indicator class will
have this identifier set in its IndicatorID class. have this identifier set in its IndicatorID class.
euid-ref euid-ref
Optional. STRING. An identifier that references an IndicatorID Optional. STRING. An identifier that references an IndicatorID
not in this IODEF document. not in this IODEF document.
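Review bot: the new revision states "The ObservableReference class has no content." both before Figure 70 and again immediately after it, and does the same for IndicatorReference around Figure 71; keep one occurrence of each. In "Invalid algebraic expressions while valid XML, MUST not be specified." the RFC 2119 keyword should be written "MUST NOT", and the clause reads better as "Invalid algebraic expressions, while valid XML, MUST NOT be specified."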
skipping to change at page 137, line 27 skipping to change at page 137, line 47
</xs:simpleType> </xs:simpleType>
<!-- <!--
=================================================================== ===================================================================
== Service Class == == Service Class ==
=================================================================== ===================================================================
--> -->
<xs:element name="Service"> <xs:element name="Service">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:ServiceName" minOccurs="0"/> <xs:element ref="iodef:ServiceName" minOccurs="0"/>
<xs:choice minOccurs="0"> <xs:element ref="iodef:Port" minOccurs="0"/>
<xs:element ref="iodef:Port"/> <xs:element ref="iodef:Portlist" minOccurs="0"/>
<xs:element ref="iodef:Portlist"/>
</xs:choice>
<xs:element ref="iodef:ProtoType" minOccurs="0"/> <xs:element ref="iodef:ProtoType" minOccurs="0"/>
<xs:element ref="iodef:ProtoCode" minOccurs="0"/> <xs:element ref="iodef:ProtoCode" minOccurs="0"/>
<xs:element ref="iodef:ProtoField" minOccurs="0"/> <xs:element ref="iodef:ProtoField" minOccurs="0"/>
<xs:element ref="iodef:ApplicationHeader" minOccurs="0"/> <xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/> <xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="ip-protocol" <xs:attribute name="ip-protocol"
type="xs:integer" use="required"/> type="xs:integer" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Port" type="xs:integer"/> <xs:element name="Port" type="xs:integer"/>
<xs:element name="Portlist" type="iodef:PortlistType"/> <xs:element name="Portlist" type="iodef:PortlistType"/>
<xs:element name="ProtoType" type="xs:integer"/> <xs:element name="ProtoType" type="xs:integer"/>
<xs:element name="ProtoCode" type="xs:integer"/> <xs:element name="ProtoCode" type="xs:integer"/>
<xs:element name="ProtoField" type="xs:integer"/> <xs:element name="ProtoField" type="xs:integer"/>
<xs:element name="ApplicationHeader"> <xs:element name="ApplicationHeader">
<xs:complexType> <xs:complexType>
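Review bot: replacing the xs:choice around Port and Portlist with two independent optional elements means a Service may now carry both a Port and a Portlist, which the previous schema ruled out. If the two are still meant to be mutually exclusive, keep the wrapper: <xs:choice minOccurs="0"> <xs:element ref="iodef:Port"/> <xs:element ref="iodef:Portlist"/> </xs:choice>; if both are now allowed together, the Service class description should say how they combine. Relaxing ip-protocol from use="required" to use="optional" is a separate compatibility change and deserves its own entry in the change log.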
skipping to change at page 138, line 13 skipping to change at page 138, line 31
<xs:element ref="iodef:ApplicationHeaderField" <xs:element ref="iodef:ApplicationHeaderField"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="ApplicationHeaderField" <xs:element name="ApplicationHeaderField"
type="iodef:ExtensionType"/> type="iodef:ExtensionType"/>
<xs:element name="ServiceName"> <xs:element name="ServiceName">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IANAService"/> <xs:element ref="iodef:IANAService"
minOccurs="0"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="IANAService" type="xs:string"/> <xs:element name="IANAService" type="xs:string"/>
<xs:element name="Application" type="iodef:SoftwareType"/> <xs:element name="Application" type="iodef:SoftwareType"/>
<!-- <!--
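Review bot: with IANAService now minOccurs="0", every child of ServiceName is optional and an empty <ServiceName/> element validates. If at least one of IANAService, URL or Description is required, the ServiceName class description needs to state that, since the sequence can no longer enforce it.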
skipping to change at page 139, line 43 skipping to change at page 140, line 14
<xs:element ref="iodef:EmailTo" <xs:element ref="iodef:EmailTo"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailFrom" minOccurs="0"/> <xs:element ref="iodef:EmailFrom" minOccurs="0"/>
<xs:element ref="iodef:EmailSubject" minOccurs="0"/> <xs:element ref="iodef:EmailSubject" minOccurs="0"/>
<xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/> <xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
<xs:element ref="iodef:EmailHeaderField" <xs:element ref="iodef:EmailHeaderField"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailHeaders" minOccurs="0"/> <xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
<xs:element ref="iodef:EmailBody" minOccurs="0"/> <xs:element ref="iodef:EmailBody" minOccurs="0"/>
<xs:element ref="iodef:EmailMessage" minOccurs="0"/> <xs:element ref="iodef:EmailMessage" minOccurs="0"/>
<xs:element ref="iodef:HashData" minOccurs="0"/> <xs:element ref="iodef:HashData"
<xs:element ref="SignatureData" minOccurs="0"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="SignatureData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="EmailTo" type="xs:string"/> <xs:element name="EmailTo" type="xs:string"/>
<xs:element name="EmailFrom" type="xs:string"/> <xs:element name="EmailFrom" type="xs:string"/>
<xs:element name="EmailSubject" type="xs:string"/> <xs:element name="EmailSubject" type="xs:string"/>
<xs:element name="EmailX-Mailer" type="xs:string"/> <xs:element name="EmailX-Mailer" type="xs:string"/>
<xs:element name="EmailHeaderField" type="iodef:ExtensionType"/> <xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
<xs:element name="EmailHeaders" type="xs:string"/> <xs:element name="EmailHeaders" type="xs:string"/>
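Review bot: <xs:element ref="SignatureData" ...> in the EmailData sequence is untouched by this revision and still lacks the iodef: prefix that every other ref in the sequence uses (compare ref="iodef:HashData" just above it). An unprefixed QName resolves against the schema's default namespace, so this reference only works if that default namespace happens to be the IODEF target namespace; change it to <xs:element ref="iodef:SignatureData" minOccurs="0" maxOccurs="unbounded"/>.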
skipping to change at page 142, line 21 skipping to change at page 142, line 42
</xs:element> </xs:element>
<xs:element name="RecordData"> <xs:element name="RecordData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:DateTime" minOccurs="0"/> <xs:element ref="iodef:DateTime" minOccurs="0"/>
<xs:element ref="iodef:Description" <xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:RecordPattern" <xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/> <xs:element ref="iodef:RecordItem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData" <xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData" <xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
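Review bot: making RecordItem minOccurs="0" leaves RecordData with no required child at all, so <RecordData/> now validates. If a RecordData must carry at least one of RecordItem, RecordPattern, FileData or the other children, say so in the class description, because the sequence no longer enforces it.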
skipping to change at page 144, line 4 skipping to change at page 144, line 26
<xs:element name="Key"> <xs:element name="Key">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:KeyName"/> <xs:element ref="iodef:KeyName"/>
<xs:element ref="iodef:Value" minOccurs="0"/> <xs:element ref="iodef:Value" minOccurs="0"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="registryaction" <xs:attribute name="registryaction"
type="key-registryaction-type"/> type="key-registryaction-type"/>
<xs:attribute name="ext-registryaction" <xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="KeyName" type="xs:string"/> <xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" type="xs:string"/> <xs:element name="Value" type="xs:string"/>
<xs:simpleType name="key-registryaction-type"> <xs:simpleType name="key-registryaction-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/> <xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/> <xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/> <xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/> <xs:enumeration value="delete-value"/>
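Review bot: type="key-registryaction-type" on the registryaction attribute is unprefixed, unlike iodef:restriction-type elsewhere in the schema; like an unprefixed ref it only resolves when the default namespace is the target namespace. Use type="iodef:key-registryaction-type" and, for consistency with ext-registryaction, add use="optional". The observable-id attribute added to Key matches the other observable classes.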
skipping to change at page 145, line 4 skipping to change at page 145, line 28
<xs:element ref="FileType" minOccurs="0"/> <xs:element ref="FileType" minOccurs="0"/>
<xs:element ref="iodef:URL" <xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData" minOccurs="0"/> <xs:element ref="iodef:HashData" minOccurs="0"/>
<xs:element ref="iodef:SignatureData" minOccurs="0"/> <xs:element ref="iodef:SignatureData" minOccurs="0"/>
<xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/> <xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
<xs:element ref="iodef:FileProperties" <xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/> <xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FileName" type="xs:string"/> <xs:element name="FileName" type="xs:string"/>
<xs:element name="FileSize" type="xs:integer"/> <xs:element name="FileSize" type="xs:integer"/>
<xs:element name="FileType" type="xs:integer"/> <xs:element name="FileType" type="xs:string"/>
<xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/> <xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
<xs:element name="FileProperties" type="iodef:ExtensionType"/> <xs:element name="FileProperties" type="iodef:ExtensionType"/>
<!-- <!--
==================================================================== ====================================================================
== HashData Class == == HashData Class ==
==================================================================== ====================================================================
--> -->
<xs:element name="HashData"> <xs:element name="HashData">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
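Review bot: <xs:element ref="FileType" minOccurs="0"/> at the top of the FileData sequence lacks the iodef: prefix that URL, HashData, SignatureData and the other refs in the same sequence carry; change it to ref="iodef:FileType". Changing FileType from xs:integer to xs:string is a wire-format change and should be flagged as such for implementers of the earlier draft.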
skipping to change at page 146, line 4 skipping to change at page 146, line 28
</xs:restriction> </xs:restriction>
</xs:simpleType> </xs:simpleType>
<xs:element name="Hash"> <xs:element name="Hash">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="ds:DigestMethod"/> <xs:element ref="ds:DigestMethod"/>
<xs:element ref="ds:DigestValue"/> <xs:element ref="ds:DigestValue"/>
<xs:element ref="ds:CanonicalizationMethod" <xs:element ref="ds:CanonicalizationMethod"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FuzzyHash"> <xs:element name="FuzzyHash">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:FuzzHashValue" <xs:element ref="iodef:FuzzyHashValue"
maxOccurs="unbounded"/> maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/> <xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
<!-- <!--
=================================================================== ===================================================================
== SignatureData Class == == SignatureData Class ==
=================================================================== ===================================================================
skipping to change at page 147, line 46 skipping to change at page 148, line 22
<xs:choice> <xs:choice>
<xs:element ref="iodef:Observable"/> <xs:element ref="iodef:Observable"/>
<xs:element ref="iodef:ObservableReference"/> <xs:element ref="iodef:ObservableReference"/>
<xs:element ref="iodef:IndicatorExpression"/> <xs:element ref="iodef:IndicatorExpression"/>
<xs:element ref="iodef:IndicatorReference"/> <xs:element ref="iodef:IndicatorReference"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:NodeRole" <xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AttackPhase" <xs:element ref="iodef:AttackPhase"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="IndicatorID"> <xs:element name="IndicatorID">
skipping to change at page 148, line 27 skipping to change at page 149, line 4
</xs:element> </xs:element>
<xs:element name="AlternativeIndicatorID"> <xs:element name="AlternativeIndicatorID">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/> <xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="Observable"> <xs:element name="Observable">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:choice>
<xs:element ref="iodef:Address" minOccurs="0"/> <xs:element ref="iodef:Address" minOccurs="0"/>
<xs:element ref="iodef:DomainData" minOccurs="0"/> <xs:element ref="iodef:DomainData" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/> <xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Service" minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified" <xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/> minOccurs="0"/>
<xs:element ref="iodef:FileData" minOccurs="0"/> <xs:element ref="iodef:FileData" minOccurs="0"/>
<xs:element ref="iodef:CertificateData" minOccurs="0"/> <xs:element ref="iodef:CertificateData" minOccurs="0"/>
<xs:element ref="iodef:RegistryHandle" minOccurs="0"/> <xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
<xs:element ref="iodef:RecordData" minOccurs="0"/> <xs:element ref="iodef:RecordData" minOccurs="0"/>
<xs:element ref="iodef:EventData" minOccurs="0"/> <xs:element ref="iodef:EventData" minOccurs="0"/>
<xs:element ref="iodef:Incident" minOccurs="0"/> <xs:element ref="iodef:Incident" minOccurs="0"/>
<xs:element ref="iodef:Expectation" minOccurs="0" <xs:element ref="iodef:Expectation" minOccurs="0"/>
maxOccurs="unbounded"/> <xs:element ref="iodef:Reference" minOccurs="0"/>
<xs:element ref="Reference" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/> <xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:HistoryItem" minOccurs="0"/> <xs:element ref="iodef:HistoryItem" minOccurs="0"/>
<xs:element ref="iodef:BulkObservable" minOccurs="0"/> <xs:element ref="iodef:BulkObservable" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" minOccurs="0"/> <xs:element ref="iodef:AdditionalData"
</xs:sequence> minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:attribute name="restriction" <xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/> type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction" <xs:attribute name="ext-restriction"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="BulkObservable"> <xs:element name="BulkObservable">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/> <xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
<xs:element name="BulkObservableList" <xs:element name="BulkObservableList"/>
type="xs:string" minOccurs="0"/> <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="type" <xs:attribute name="type"
type="bulkobservable-type-type" use="required"/> type="bulkobservable-type-type" use="required"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="bulkobservable-type-type"> <xs:simpleType name="bulkobservable-type-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/> <xs:enumeration value="asn"/>
<xs:enumeration value="atm"/> <xs:enumeration value="atm"/>
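Review bot: switching Observable from xs:sequence to xs:choice moves toward the "exactly one child" rule, but every particle in the choice still carries minOccurs="0", and in XML Schema a choice whose selected particle may occur zero times accepts empty content, so <Observable/> still validates; drop minOccurs="0" from each element inside the choice. AdditionalData inside the choice with maxOccurs="unbounded" also lets a single Observable hold several AdditionalData children and nothing else, which needs reconciling with the prose. In BulkObservable, <xs:element name="BulkObservableList"/> declares a new local element of type xs:anyType instead of referencing the global xs:string element this revision adds after BulkObservableFormat; it should read <xs:element ref="iodef:BulkObservableList"/>. type="bulkobservable-type-type" also needs the iodef: prefix, as with key-registryaction-type.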
skipping to change at page 150, line 15 skipping to change at page 150, line 40
</xs:simpleType> </xs:simpleType>
<xs:element name="BulkObservableFormat"> <xs:element name="BulkObservableFormat">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence>
<xs:element ref="iodef:Hash" minOccurs="0"/> <xs:element ref="iodef:Hash" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData" <xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/> minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:element name="BulkObservableList" type="xs:string"/>
<xs:element name="IndicatorExpression"> <xs:element name="IndicatorExpression">
<xs:complexType> <xs:complexType>
<xs:sequence> <xs:sequence maxOccurs="unbounded">
<xs:choice> <xs:choice>
<xs:element ref="iodef:IndicatorExpression" minOccurs="0"/> <xs:element ref="iodef:IndicatorExpression"/>
<xs:element ref="iodef:Observable" minOccurs="0"/> <xs:element ref="iodef:Observable"/>
<xs:element ref="iodef:ObservableReference" minOccurs="0"/> <xs:element ref="iodef:ObservableReference"/>
<xs:element ref="iodef:IndicatorReference" minOccurs="0"/> <xs:element ref="iodef:IndicatorReference"/>
</xs:choice> </xs:choice>
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence> </xs:sequence>
<xs:attribute name="operator" <xs:attribute name="operator"
type="indicatorexpression-operator-type" type="indicatorexpression-operator-type"
use="optional" default="and"/> use="optional" default="and"/>
<xs:attribute name="ext-operator" <xs:attribute name="ext-operator"
type="xs:string" use="optional"/> type="xs:string" use="optional"/>
</xs:complexType> </xs:complexType>
</xs:element> </xs:element>
<xs:simpleType name="indicatorexpression-operator-type"> <xs:simpleType name="indicatorexpression-operator-type">
<xs:restriction base="xs:NMTOKEN"> <xs:restriction base="xs:NMTOKEN">
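Review bot: the new <xs:sequence maxOccurs="unbounded"> around a choice of required elements means an IndicatorExpression now needs at least one operand and can no longer carry AlternativeIndicatorID; the IndicatorExpression class description and Figure 69 should be checked against that, since the earlier text allowed all children to be absent.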
skipping to change at page 161, line 41 skipping to change at page 162, line 22
10646", RFC 3629, November 2003. 10646", RFC 3629, November 2003.
[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO [RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
10646", RFC 2781, February 2000. 10646", RFC 2781, February 2000.
[IANA.Media] [IANA.Media]
Internet Assigned Numbers Authority, "Media Types", March Internet Assigned Numbers Authority, "Media Types", March
2015, <http://www.iana.org/assignments/media-types/ 2015, <http://www.iana.org/assignments/media-types/
media-types.xhtml>. media-types.xhtml>.
[ISO19770]
International Organization for Standardization,
"Information technology -- Software asset management --
Part 2: Software identification tag, ISO/IEC
19770-2:2015", ISO 19770-2:2015, October 2015.
12.2. Informative References 12.2. Informative References
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
Object Description Exchange Format", RFC 5070, December Object Description Exchange Format", RFC 5070, December
2007. 2007.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", [RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)",
RFC 6545, April 2012. RFC 6545, April 2012.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network [RFC6546] Trammell, B., "Transport of Real-time Inter-network
 End of changes. 75 change blocks. 
110 lines changed or deleted 129 lines changed or added

This html diff was produced by rfcdiff 1.44. The latest version is available from http://tools.ietf.org/tools/rfcdiff/