Network Working Group                                            D. Hong
Internet-Draft                                                  J. Jeong
Intended status: Standards Track                                  J. Kim
Expires: September 6, 2018                       Sungkyunkwan University
                                                                S. Hares
                                                                  L. Xia
                                                                  Huawei
                                                             H. Birkholz
                                                          Fraunhofer SIT
                                                           March 5, 2018

     YANG Data Model for Monitoring I2NSF Network Security Functions
              draft-hong-i2nsf-nsf-monitoring-data-model-02

Abstract

   This document proposes a YANG data model for monitoring Network
   Security Functions (NSFs) in the Interface to Network Security
   Functions (I2NSF) system.  If the monitoring of NSFs is performed in
   a comprehensive way, it is possible to detect indications of
   malicious activity, anomalous behavior, or potential signs of
   denial-of-service attacks in a timely manner.  This monitoring
   functionality is based on the monitoring information that is
   generated by NSFs.  Thus, this document describes not only a data
   tree that specifies an information model for monitoring NSFs, but
   also the corresponding YANG data model for monitoring NSFs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 6, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  Terminology
     3.1.  Tree Diagrams
   4.  Information Model Structure
   5.  YANG Data Model
   6.  Acknowledgments
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  draft-hong-i2nsf-nsf-monitoring-data-model-02
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC6020] data model for monitoring
   Network Security Functions (NSFs).  Monitoring here means the
   acquisition of vital information about NSFs via notifications,
   events, records, or counters.  The data model for monitoring
   presented in this document is derived from the information model for
   monitoring NSFs through the NSF-Facing Interface specified in
   [i2nsf-monitoring-im].

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Terminology

   This document uses the terminology described in
   [i2nsf-terminology] and [i2nsf-framework].  In particular, the
   following terms are taken from [i2nsf-monitoring-im]:

   o  Information Model: An information model is a representation of
      concepts of interest to an environment in a form that is
      independent of data repository, data definition language, query
      language, implementation language, and protocol.

   o  Data Model: A data model is a representation of concepts of
      interest to an environment in a form that is dependent on data
      repository, data definition language, query language,
      implementation language, and protocol.

3.1.  Tree Diagrams

   A simplified graphical representation of the data model is used in
   this document.  The meaning of the symbols in these diagrams
   [i2rs-rib-data-model] is as follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node and "*"
      denotes a "list" or "leaf-list".

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

4.  Information Model Structure

   Figure 1 shows an overview of the tree structure of the monitoring
   information, based on [i2nsf-monitoring-im].

   module: ietf-i2nsf-nsf-monitoring-dm
      +--rw counters
         +--rw system-interface
         |  +--rw interface-name?            string
         |  +--rw in-total-traffic-pkts?     uint32
         |  +--rw out-total-traffic-pkts?    uint32
         |  +--rw in-total-traffic-bytes?    uint32
         |  +--rw out-total-traffic-bytes?   uint32
         |  +--rw in-drop-traffic-pkts?      uint32
         |  +--rw out-drop-traffic-pkts?     uint32
         |  +--rw in-drop-traffic-bytes?     uint32
         |  +--rw out-drop-traffic-bytes?    uint32
         |  +--rw total-traffic?             uint32
         |  +--rw in-traffic-ave-rate?       uint32
         |  +--rw in-traffic-peak-rate?      uint32
         |  +--rw in-traffic-ave-speed?      uint32
         |  +--rw in-traffic-peak-speed?     uint32
         |  +--rw out-traffic-ave-rate?      uint32
         |  +--rw out-traffic-peak-rate?     uint32
         |  +--rw out-traffic-ave-speed?     uint32
         |  +--rw out-traffic-peak-speed?    uint32
         +--rw nsf-firewall
         |  +--rw src-ip?                    inet:ipv4-address
         |  +--rw dst-ip?                    inet:ipv4-address
         |  +--rw src-port?                  inet:port-number
         |  +--rw dst-port?                  inet:port-number
         |  +--rw src-zone?                  string
         |  +--rw dst-zone?                  string
         |  +--rw src-region?                string
         |  +--rw dst-region?                string
         |  +--rw policy-id                  uint8
         |  +--rw policy-name                string
         |  +--rw src-user?                  string
         |  +--rw protocol
         |  |  +--rw tcp?                    boolean
         |  |  +--rw udp?                    boolean
         |  |  +--rw icmp?                   boolean
         |  |  +--rw icmpv6?                 boolean
         |  |  +--rw ip?                     boolean
         |  |  +--rw http?                   boolean
         |  |  +--rw ftp?                    boolean
         |  +--rw total-traffic?             uint32
         |  +--rw in-traffic-ave-rate?       uint32
         |  +--rw in-traffic-peak-rate?      uint32
         |  +--rw in-traffic-ave-speed?      uint32
         |  +--rw in-traffic-peak-speed?     uint32
         |  +--rw out-traffic-ave-rate?      uint32
         |  +--rw out-traffic-peak-rate?     uint32
         |  +--rw out-traffic-ave-speed?     uint32
         |  +--rw out-traffic-peak-speed?    uint32
         |  +--rw diretcions
         |     +--rw in-interface?           boolean
         |     +--rw out-interface?          boolean
         +--rw nsf-policy-hits
            +--rw src-ip?                    inet:ipv4-address
            +--rw dst-ip?                    inet:ipv4-address
            +--rw src-port?                  inet:port-number
            +--rw dst-port?                  inet:port-number
            +--rw src-zone?                  string
            +--rw dst-zone?                  string
            +--rw src-region?                string
            +--rw dst-region?                string
            +--rw policy-id                  uint8
            +--rw policy-name                string
            +--rw src-user?                  string
            +--rw protocol
            |  +--rw tcp?                    boolean
            |  +--rw udp?                    boolean
            |  +--rw icmp?                   boolean
            |  +--rw icmpv6?                 boolean
            |  +--rw ip?                     boolean
            |  +--rw http?                   boolean
            |  +--rw ftp?                    boolean
            +--rw total-traffic?             uint32
            +--rw in-traffic-ave-rate?       uint32
            +--rw in-traffic-peak-rate?      uint32
            +--rw in-traffic-ave-speed?      uint32
            +--rw in-traffic-peak-speed?     uint32
            +--rw out-traffic-ave-rate?      uint32
            +--rw out-traffic-peak-rate?     uint32
            +--rw out-traffic-ave-speed?     uint32
            +--rw out-traffic-peak-speed?    uint32
            +--rw hit-times?                 uint32
   notifications:
      +---n system-detection-alarm
      |  +--ro alarm-catagory?         identityref
      |  +--ro usage?                  uint8
      |  +--ro threshold?              uint8
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n system-detection-access-violation
      |  +--ro group                   string
      |  +--ro login-ip-addr           inet:ipv4-address
      |  +--ro authentication?         identityref
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n system-detection-config-change
      |  +--ro group                   string
      |  +--ro login-ip-addr           inet:ipv4-address
      |  +--ro authentication?         identityref
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-detection-flood
      |  +--ro event-message?          string
      |  +--ro src-ip?                 inet:ipv4-address
      |  +--ro dst-ip?                 inet:ipv4-address
      |  +--ro src-port?               inet:port-number
      |  +--ro dst-port?               inet:port-number
      |  +--ro src-zone?               string
      |  +--ro dst-zone?               string
      |  +--ro rule-id                 uint8
      |  +--ro rule-name               string
      |  +--ro profile?                string
      |  +--ro raw-info?               string
      |  +--ro flood-catagory?         identityref
      |  +--ro start-time              yang:date-and-time
      |  +--ro end-time                yang:date-and-time
      |  +--ro attack-rate?            uint32
      |  +--ro attack-speed?           uint32
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-detection-session-table
      |  +--ro current-session?        uint8
      |  +--ro maximum-session?        uint8
      |  +--ro threshold?              uint8
      |  +--ro table-indentifier?      string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-detection-virus
      |  +--ro event-message?          string
      |  +--ro src-ip?                 inet:ipv4-address
      |  +--ro dst-ip?                 inet:ipv4-address
      |  +--ro src-port?               inet:port-number
      |  +--ro dst-port?               inet:port-number
      |  +--ro src-zone?               string
      |  +--ro dst-zone?               string
      |  +--ro rule-id                 uint8
      |  +--ro rule-name               string
      |  +--ro profile?                string
      |  +--ro raw-info?               string
      |  +--ro virus?                  identityref
      |  +--ro virus-name?             string
      |  +--ro file-type?              string
      |  +--ro file-name?              string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-detection-intrusion
      |  +--ro event-message?          string
      |  +--ro src-ip?                 inet:ipv4-address
      |  +--ro dst-ip?                 inet:ipv4-address
      |  +--ro src-port?               inet:port-number
      |  +--ro dst-port?               inet:port-number
      |  +--ro src-zone?               string
      |  +--ro dst-zone?               string
      |  +--ro rule-id                 uint8
      |  +--ro rule-name               string
      |  +--ro profile?                string
      |  +--ro raw-info?               string
      |  +--ro protocol
      |  |  +--ro tcp?                 boolean
      |  |  +--ro udp?                 boolean
      |  |  +--ro icmp?                boolean
      |  |  +--ro icmpv6?              boolean
      |  |  +--ro ip?                  boolean
      |  |  +--ro http?                boolean
      |  |  +--ro ftp?                 boolean
      |  +--ro intrusion?              identityref
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-detection-botnet
      |  +--ro event-message?          string
      |  +--ro src-ip?                 inet:ipv4-address
      |  +--ro dst-ip?                 inet:ipv4-address
      |  +--ro src-port?               inet:port-number
      |  +--ro dst-port?               inet:port-number
      |  +--ro src-zone?               string
      |  +--ro dst-zone?               string
      |  +--ro rule-id                 uint8
      |  +--ro rule-name               string
      |  +--ro profile?                string
      |  +--ro raw-info?               string
      |  +--ro attack-type?            identityref
      |  +--ro protocol
      |  |  +--ro tcp?                 boolean
      |  |  +--ro udp?                 boolean
      |  |  +--ro icmp?                boolean
      |  |  +--ro icmpv6?              boolean
      |  |  +--ro ip?                  boolean
      |  |  +--ro http?                boolean
      |  |  +--ro ftp?                 boolean
      |  +--ro botnet-name?            string
      |  +--ro role?                   string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-detection-web-attack
      |  +--ro event-message?          string
      |  +--ro src-ip?                 inet:ipv4-address
      |  +--ro dst-ip?                 inet:ipv4-address
      |  +--ro src-port?               inet:port-number
      |  +--ro dst-port?               inet:port-number
      |  +--ro src-zone?               string
      |  +--ro dst-zone?               string
      |  +--ro rule-id                 uint8
      |  +--ro rule-name               string
      |  +--ro profile?                string
      |  +--ro raw-info?               string
      |  +--ro web-attack?             identityref
      |  +--ro protocol
      |  |  +--ro tcp?                 boolean
      |  |  +--ro udp?                 boolean
      |  |  +--ro icmp?                boolean
      |  |  +--ro icmpv6?              boolean
      |  |  +--ro ip?                  boolean
      |  |  +--ro http?                boolean
      |  |  +--ro ftp?                 boolean
      |  +--ro request?                identityref
      |  +--ro req-uri?                string
      |  +--ro uri-category?           string
      |  +--ro filter*                 identityref
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n system-log-access-event
      |  +--ro login-ip                inet:ipv4-address
      |  +--ro administrator?          string
      |  +--ro login-mode?             login-mode
      |  +--ro operation-type?         operation-type
      |  +--ro result?                 string
      |  +--ro content?                string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      +---n system-log-res-util-report
      |  +--ro system-status?          string
      |  +--ro cpu-usage?              uint8
      |  +--ro memory-usage?           uint8
      |  +--ro disk-usage?             uint8
      |  +--ro disk-left?              uint8
      |  +--ro session-num?            uint8
      |  +--ro process-num?            uint8
      |  +--ro in-traffic-rate?        uint32
      |  +--ro out-traffic-rate?       uint32
      |  +--ro in-traffic-speed?       uint32
      |  +--ro out-traffic-speed?      uint32
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      +---n system-log-user-activity-event
      |  +--ro user                    string
      |  +--ro group                   string
      |  +--ro login-ip                inet:ipv4-address
      |  +--ro authentication?         identityref
      |  +--ro accese?                 identityref
      |  +--ro online-duration?        string
      |  +--ro logout-duration?        string
      |  +--ro addtional-info?         string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      +---n nsf-log-ddos
      |  +--ro attack-type?            identityref
      |  +--ro attack-ave-rate?        uint32
      |  +--ro attack-ave-speed?       uint32
      |  +--ro attack-pkt-num?         uint32
      |  +--ro attack-src-ip?          inet:ipv4-address
      |  +--ro action?                 log-action
      |  +--ro os?                     string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-log-virus
      |  +--ro attack-type?            identityref
      |  +--ro action?                 log-action
      |  +--ro os?                     string
      |  +--ro time                    yang:date-and-time
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-log-intrusion
      |  +--ro attack-type?            identityref
      |  +--ro action?                 log-action
      |  +--ro time                    yang:date-and-time
      |  +--ro attack-rate?            uint32
      |  +--ro attack-speed?           uint32
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-log-botnet
      |  +--ro attack-type?            identityref
      |  +--ro action?                 log-action
      |  +--ro botnet-pkt-num?         uint8
      |  +--ro os?                     string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-log-dpi
      |  +--ro attack-type?            dpi-type
      |  +--ro src-ip?                 inet:ipv4-address
      |  +--ro dst-ip?                 inet:ipv4-address
      |  +--ro src-port?               inet:port-number
      |  +--ro dst-port?               inet:port-number
      |  +--ro src-zone?               string
      |  +--ro dst-zone?               string
      |  +--ro src-region?             string
      |  +--ro dst-region?             string
      |  +--ro policy-id               uint8
      |  +--ro policy-name             string
      |  +--ro src-user?               string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-log-vuln-scan
      |  +--ro vulnerability-id?       uint8
      |  +--ro victim-ip?              inet:ipv4-address
      |  +--ro protocol
      |  |  +--ro tcp?                 boolean
      |  |  +--ro udp?                 boolean
      |  |  +--ro icmp?                boolean
      |  |  +--ro icmpv6?              boolean
      |  |  +--ro ip?                  boolean
      |  |  +--ro http?                boolean
      |  |  +--ro ftp?                 boolean
      |  +--ro port-num?               inet:port-number
      |  +--ro level?                  severity
      |  +--ro os?                     string
      |  +--ro addtional-info?         string
      |  +--ro vendor-name?            string
      |  +--ro nsf-name?               string
      |  +--ro message                 string
      |  +--ro time-stamp              yang:date-and-time
      |  +--ro severity                severity
      +---n nsf-log-web-attack
         +--ro attack-type?            identityref
         +--ro rsp-code?               string
         +--ro req-clientapp?          string
         +--ro req-cookies?            string
         +--ro req-host?               string
         +--ro raw-info?               string
         +--ro vendor-name?            string
         +--ro nsf-name?               string
         +--ro message                 string
         +--ro time-stamp              yang:date-and-time
         +--ro severity                severity

              Figure 1: Information Model for NSF Monitoring

5.  YANG Data Model

   This section introduces a YANG data model for the information model
   of monitoring information based on [i2nsf-monitoring-im].
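   The following Python script is an added example, not code from this
   draft or from any I2NSF implementation.  It shows how a receiver of
   these notifications (for instance the Security Controller) can check
   an incoming NETCONF notification against the structure in Figure 1
   before acting on it: the notification name must be one the module
   defines, every leaf Figure 1 marks as mandatory (no trailing "?") must
   be present, and typed leaves must carry values of the right kind
   (uint8/uint16/uint32 ranges, IPv4 addresses, yang:date-and-time, the
   severity enumeration, and identityref values drawn from the flood-type
   and alarm-type identities defined in Section 5).  The notification XML
   is constructed for the example; the outer <notification> wrapper uses
   the NETCONF notification namespace from RFC 5277; the identityref
   check assumes the XML prefix on the value is bound to this module's
   namespace and therefore compares the local name only; leaf names
   follow the draft's spelling.

```python
# Added example (not code from the draft): receiver-side checks for I2NSF
# NSF-monitoring notifications.  The XML sample below is constructed for it.
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

NS_MON = "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm"  # module namespace
NS_NOTIF = "urn:ietf:params:xml:ns:netconf:notification:1.0"  # RFC 5277 notification wrapper

# Mandatory leaves per notification: the leaves with no trailing "?" in Figure 1.
COMMON = {"message", "time-stamp", "severity"}      # common-notification-content
NSF_EVENT = COMMON | {"rule-id", "rule-name"}       # i2nsf-nsf-event-type-content
SYS_EVENT = COMMON | {"group", "login-ip-addr"}     # i2nsf-system-event-type-content
MANDATORY = {
    "system-detection-alarm": COMMON, "nsf-detection-session-table": COMMON,
    "system-detection-access-violation": SYS_EVENT, "system-detection-config-change": SYS_EVENT,
    "nsf-detection-flood": NSF_EVENT | {"start-time", "end-time"},
    "nsf-detection-virus": NSF_EVENT, "nsf-detection-intrusion": NSF_EVENT,
    "nsf-detection-botnet": NSF_EVENT, "nsf-detection-web-attack": NSF_EVENT,
    "system-log-access-event": {"login-ip"}, "system-log-res-util-report": set(),
    "system-log-user-activity-event": {"user", "group", "login-ip"},
    "nsf-log-ddos": COMMON, "nsf-log-botnet": COMMON, "nsf-log-vuln-scan": COMMON,
    "nsf-log-virus": COMMON | {"time"}, "nsf-log-intrusion": COMMON | {"time"},
    "nsf-log-dpi": COMMON | {"policy-id", "policy-name"}, "nsf-log-web-attack": COMMON,
}
# Value spaces from the module: the severity enumeration and the identities derived
# from the flood-type and alarm-type bases.
SEVERITIES = {"high", "middle", "low"}
FLOOD_TYPES = {"syn-flood", "ack-flood", "syn-ack-flood", "fin-rst-flood",
               "tcp-con-flood", "udp-flood", "icmp-flood", "https-flood",
               "http-flood", "dns-reply-flood", "dns-query-flood", "sip-flood"}
ALARM_TYPES = {"memory-alarm", "cpu-alarm", "disk-alarm", "hardware-alarm", "interface-alarm"}

def _uint(bits):
    return lambda value: value.isdecimal() and int(value) < 2 ** bits

def _parses(parse):
    # True when parse() accepts the value; used for IPv4 addresses and timestamps.
    def check(value):
        try:
            return parse(value) is not None
        except ValueError:
            return False
    return check

def _identity(identities):
    # identityref values are "prefix:name"; this example assumes the prefix is
    # bound to the module namespace and therefore checks the local name only.
    return lambda value: value.split(":")[-1] in identities

_ipv4 = _parses(ipaddress.IPv4Address)
_date_and_time = _parses(lambda v: datetime.fromisoformat(v.replace("Z", "+00:00")))
LEAF_CHECKS = {
    "rule-id": _uint(8), "policy-id": _uint(8), "usage": _uint(8), "threshold": _uint(8),
    "src-port": _uint(16), "dst-port": _uint(16), "attack-rate": _uint(32),
    "src-ip": _ipv4, "dst-ip": _ipv4, "login-ip": _ipv4, "login-ip-addr": _ipv4,
    "time-stamp": _date_and_time, "start-time": _date_and_time,
    "end-time": _date_and_time, "time": _date_and_time,
    "severity": lambda value: value in SEVERITIES,
    "flood-catagory": _identity(FLOOD_TYPES),  # leaf names spelled as in the draft
    "alarm-catagory": _identity(ALARM_TYPES),
}

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def validate_notification(xml_text):
    """Return a list of problems; an empty list means the notification is acceptable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}notification" % NS_NOTIF:
        return ["root element is not a NETCONF <notification>"]
    bodies = [c for c in root if _local(c.tag) != "eventTime"]
    if len(bodies) != 1 or not bodies[0].tag.startswith("{%s}" % NS_MON):
        return ["expected one event body in the I2NSF monitoring namespace"]
    name = _local(bodies[0].tag)
    if name not in MANDATORY:
        return ["unknown notification %r" % name]
    leaves = {_local(c.tag): (c.text or "").strip() for c in bodies[0]}
    problems = ["%s: mandatory leaf %s is missing" % (name, leaf)
                for leaf in sorted(MANDATORY[name] - leaves.keys())]
    for leaf, value in leaves.items():
        check = LEAF_CHECKS.get(leaf)
        if check is not None and not check(value):
            problems.append("%s: leaf %s has invalid value %r" % (name, leaf, value))
    return problems

# Constructed sample: an nsf-detection-flood notification as an NSF might send it.
SAMPLE_FLOOD = """<notification xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0">
  <eventTime>2018-03-05T10:15:30Z</eventTime>
  <nsf-detection-flood xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm"
      xmlns:mi="urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm">
    <dst-ip>192.0.2.10</dst-ip>
    <rule-id>17</rule-id>
    <rule-name>ddos-protect-web</rule-name>
    <flood-catagory>mi:syn-flood</flood-catagory>
    <start-time>2018-03-05T10:15:00Z</start-time>
    <end-time>2018-03-05T10:15:30Z</end-time>
    <message>SYN flood blocked by rule ddos-protect-web</message>
    <time-stamp>2018-03-05T10:15:30Z</time-stamp>
    <severity>high</severity>
  </nsf-detection-flood>
</notification>"""
# Same notification with a mandatory leaf dropped, an undefined flood type, and a
# severity outside the enumeration; validate_notification() reports all three.
SAMPLE_FLOOD_BAD = (SAMPLE_FLOOD
    .replace("<rule-name>ddos-protect-web</rule-name>", "")
    .replace("mi:syn-flood", "mi:smurf-flood")
    .replace("<severity>high</severity>", "<severity>critical</severity>"))
```

   Calling validate_notification(SAMPLE_FLOOD) returns an empty list,
   while validate_notification(SAMPLE_FLOOD_BAD) returns three
   problems.  The MANDATORY table is read directly off the "?"-less
   leaves in Figure 1, so it covers every notification in the tree and
   not only the flood case; a receiver that trusts NSF output without
   such checks would store a rule-id of 300 or a severity of "critical",
   neither of which the model permits.
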
   <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring-dm@2018-03-05.yang"

   module ietf-i2nsf-nsf-monitoring-dm {
     namespace
       "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm";
     prefix
       monitoring-information;
     import ietf-inet-types {
       prefix inet;
     }
     import ietf-yang-types {
       prefix yang;
     }
     organization
       "IETF I2NSF (Interface to Network Security Functions)
        Working Group";

     contact
       "WG Web:
        WG List:

        WG Chair: Linda Dunbar

        Editor: Dongjin Hong

        Editor: Jaehoon Paul Jeong
       ";

     description
       "This module defines a YANG data model for monitoring NSFs.";

     revision "2018-03-05" {
       description "Third revision";
       reference
         "draft-zhang-i2nsf-info-model-monitoring-05";
     }

     typedef severity {
       type enumeration {
         enum high {
           description
             "high-level";
         }
         enum middle {
           description
             "middle-level";
         }
         enum low {
           description
             "low-level";
         }
       }
       description
         "An indicator representing severity";
     }
     typedef log-action {
       type enumeration {
         enum allow {
           description
             "If action is allow";
         }
         enum alert {
           description
             "If action is alert";
         }
         enum block {
           description
             "If action is block";
         }
         enum discard {
           description
             "If action is discard";
         }
         enum declare {
           description
             "If action is declare";
         }
         enum block-ip {
           description
             "If action is block-ip";
         }
         enum block-service {
           description
             "If action is block-service";
         }
       }
       description
         "The action taken by the NSF that is recorded in a log";
     }
     typedef dpi-type {
       type enumeration {
         enum file-blocking {
           description
             "DPI for blocking file";
         }
         enum data-filtering {
           description
             "DPI for filtering data";
         }
         enum application-behavior-control {
           description
             "DPI for controlling application behavior";
         }
       }
       description
         "The DPI (deep packet inspection) type";
     }
     typedef operation-type {
       type enumeration {
         enum login {
           description
             "Login operation";
         }
         enum logout {
           description
             "Logout operation";
         }
         enum configuration {
           description
             "Configuration operation";
         }
       }
       description
         "An indicator representing operation-type";
     }
     typedef login-mode {
       type enumeration {
         enum root {
           description
             "Root login-mode";
         }
         enum user {
           description
             "User login-mode";
         }
         enum guest {
           description
             "Guest login-mode";
         }
       }
       description
         "An indicator representing login-mode";
     }
     identity authentication-mode {
       description
         "User authentication mode types: e.g., Local Authentication,
          Third-Party Server Authentication,
          Authentication Exemption, or SSO Authentication.";
     }
     identity local-authentication {
       base authentication-mode;
       description
         "Authentication-mode : local authentication.";
     }
     identity third-party-server-authentication {
       base authentication-mode;
       description
         "If authentication-mode is
          third-party-server-authentication";
     }
     identity exemption-authentication {
       base authentication-mode;
       description
         "If authentication-mode is
          exemption-authentication";
     }
     identity sso-authentication {
       base authentication-mode;
       description
         "If authentication-mode is
          sso-authentication";
     }
     identity alarm-type {
       description
         "Base identity for detectable alarm types";
     }
     identity memory-alarm {
       base alarm-type;
       description
         "A memory alarm is raised";
     }
     identity cpu-alarm {
       base alarm-type;
       description
         "A CPU alarm is raised";
     }
     identity disk-alarm {
       base alarm-type;
       description
         "A disk alarm is raised";
     }
     identity hardware-alarm {
       base alarm-type;
       description
         "A hardware alarm is raised";
     }
     identity interface-alarm {
       base alarm-type;
       description
         "An interface alarm is raised";
     }
     identity flood-type {
       description
         "Base identity for detectable flood types";
     }
     identity syn-flood {
       base flood-type;
       description
         "A SYN flood is detected";
     }
     identity ack-flood {
       base flood-type;
       description
         "An ACK flood is detected";
     }
     identity syn-ack-flood {
       base flood-type;
       description
         "A SYN-ACK flood is detected";
     }
     identity fin-rst-flood {
       base flood-type;
       description
         "A FIN-RST flood is detected";
     }
     identity tcp-con-flood {
       base flood-type;
       description
         "A TCP connection flood is detected";
     }
     identity udp-flood {
       base flood-type;
       description
         "A UDP flood is detected";
     }
     identity icmp-flood {
       base flood-type;
       description
         "An ICMP flood is detected";
     }
     identity https-flood {
       base flood-type;
       description
         "An HTTPS flood is detected";
     }
     identity http-flood {
       base flood-type;
       description
         "An HTTP flood is detected";
     }
     identity dns-reply-flood {
       base flood-type;
       description
         "A DNS reply flood is detected";
     }
     identity dns-query-flood {
       base flood-type;
       description
         "A DNS query flood is detected";
     }
     identity sip-flood {
       base flood-type;
       description
         "A SIP flood is detected";
     }
     identity attack-type {
       description
         "The root ID of attack-based notifications
          in the notification taxonomy";
     }
     identity system-attack-type {
       base attack-type;
       description
         "This ID is intended to be used
          in the context of system events";
     }
     identity nsf-attack-type {
       base attack-type;
       description
         "This ID is intended to be used in the context of NSF events";
     }
     identity botnet-attack-type {
       base nsf-attack-type;
       description
         "This is an ID stub limited to indicating
          that this attack type is botnet.
          The usual semantics/taxonomy are missing
          and the name is used.";
     }
     identity virus-type {
       base nsf-attack-type;
       description
         "The type of virus.  Can be multiple types at once.  This attack
          type is associated with a detected system-log virus-attack";
     }
     identity trojan {
       base virus-type;
       description
         "The detected virus type is trojan";
     }
     identity worm {
       base virus-type;
       description
         "The detected virus type is worm";
     }
     identity macro {
       base virus-type;
       description
         "The detected virus type is macro";
     }
     identity intrusion-attack-type {
       base nsf-attack-type;
       description
         "The attack type is associated with
          a detected system-log intrusion";
     }
     identity brute-force {
       base intrusion-attack-type;
       description
         "The intrusion type is brute-force";
     }
     identity buffer-overflow {
       base intrusion-attack-type;
       description
         "The intrusion type is buffer-overflow";
     }
     identity web-attack-type {
       base nsf-attack-type;
       description
         "The attack type associated with
          a detected system-log web-attack";
     }
     identity command-injection {
       base web-attack-type;
       description
         "The detected web attack type is command injection";
     }
     identity xss {
       base web-attack-type;
       description
         "The detected web attack type is XSS";
     }
     identity csrf {
       base web-attack-type;
       description
         "The detected web attack type is CSRF";
     }
     identity ddos-attack-type {
       base nsf-attack-type;
       description
         "The attack type is associated with a detected nsf-log event";
     }

     identity req-method {
       description
         "A set of request types (if applicable).
          For instance, PUT or GET in HTTP";
     }
     identity put-req {
       base req-method;
       description
         "The detected request type is PUT";
     }
     identity get-req {
       base req-method;
       description
         "The detected request type is GET";
     }

     identity filter-type {
       description
         "The type of filter used to detect, for example,
          a web-attack.  Can be applicable to more than
          web-attacks.  Can be more than one type.";
     }
     identity whitelist {
       base filter-type;
       description
         "The applied filter type is whitelist";
     }
     identity blacklist {
       base filter-type;
       description
         "The applied filter type is blacklist";
     }
     identity user-defined {
       base filter-type;
       description
         "The applied filter type is user-defined";
     }
     identity malicious-category {
       base filter-type;
       description
         "The applied filter is malicious category";
     }
     identity unknown-filter {
       base filter-type;
       description
         "The applied filter is unknown";
     }

     identity access-mode {
       description
         "TBD";
     }
     identity ppp {
       base access-mode;
       description
         "Access-mode : ppp";
     }
     identity svn {
       base access-mode;
       description
         "Access-mode : svn";
     }
     identity local {
       base access-mode;
       description
         "Access-mode : local";
     }

     grouping protocol {
       description
         "A set of protocols";
       container protocol {
         description
           "Protocol types:
            TCP, UDP, ICMP, ICMPv6, IP, HTTP, FTP, etc.";
         leaf tcp {
           type boolean;
           description
             "TCP protocol type.";
         }
         leaf udp {
           type boolean;
           description
             "UDP protocol type.";
         }
         leaf icmp {
           type boolean;
           description
             "ICMP protocol type.";
         }
         leaf icmpv6 {
           type boolean;
           description
             "ICMPv6 protocol type.";
         }
         leaf ip {
           type boolean;
           description
             "IP protocol type.";
         }
         leaf http {
           type boolean;
           description
             "HTTP protocol type.";
         }
         leaf ftp {
           type boolean;
           description
             "FTP protocol type.";
         }
       }
     }
     grouping common-notification-content {
       description
         "TBD";
       leaf message {
         type string;
         mandatory true;
         description
           "This is a free-text annotation of
            monitoring notification content";
       }
       leaf time-stamp {
         type yang:date-and-time;
         mandatory true;
         description
           "Indicates the time of message generation";
       }
       leaf severity {
         type severity;
         mandatory true;
         description
           "The severity of the alarm: high, middle, or low
            (see the severity typedef).";
       }
     }
     grouping common-nsf-notification-content {
       description
         "TBD";
       leaf vendor-name {
         type string;
         description
           "The name of the NSF vendor";
       }
       leaf nsf-name {
         type string;
         description
           "The name (or IP) of the NSF
            generating the message";
       }
     }
     grouping i2nsf-system-alarm-type-content {
       description
         "A set of system alarm type contents";
       leaf usage {
         type uint8;
         description
           "Specifies the amount of usage";
       }
       leaf threshold {
         type uint8;
         description
           "The threshold triggering the alarm or the event";
       }
     }
     grouping i2nsf-system-event-type-content {
       description
         "System event metadata associated with system events caused
          by user activity.";
       leaf group {
         type string;
         mandatory true;
         description
           "Group to which a user belongs.";
       }
       leaf login-ip-addr {
         type inet:ipv4-address;
         mandatory true;
         description
           "Login IP address of a user.";
       }
       leaf authentication {
         type identityref {
           base authentication-mode;
         }
         description
           "TBD";
       }
     }

     grouping i2nsf-nsf-event-type-content {
       description
         "A set of common IPv4-related NSF event
          content elements";
       leaf event-message {
         type string;
         description
           "The message for NSF events";
       }
       leaf src-ip {
         type inet:ipv4-address;
         description
           "The source IP address of the packet";
       }
       leaf dst-ip {
         type inet:ipv4-address;
         description
           "The destination IP address of the packet";
       }
       leaf src-port {
         type inet:port-number;
         description
           "The source port of the packet";
       }
       leaf dst-port {
         type inet:port-number;
         description
           "The destination port of the packet";
       }
       leaf src-zone {
         type string;
         description
           "The source security zone of the packet";
       }
       leaf dst-zone {
         type string;
         description
           "The destination security zone of the packet";
       }
       leaf rule-id {
         type uint8;
         mandatory true;
         description
           "The ID of the rule being triggered";
       }
       leaf rule-name {
         type string;
         mandatory true;
         description
           "The name of the rule being triggered";
       }
       leaf profile {
         type string;
         description
           "Security profile that traffic matches.";
       }
       leaf raw-info {
         type string;
         description
           "The information describing the packet
            triggering the event.";
       }
     }
     grouping traffic-rates {
       description
         "A set of traffic rates
          for statistics data";
       leaf total-traffic {
         type uint32;
         description
           "Total traffic";
       }
       leaf in-traffic-ave-rate {
         type uint32;
         description
           "Inbound traffic average rate in pps";
       }
       leaf in-traffic-peak-rate {
         type uint32;
         description
           "Inbound traffic peak rate in pps";
       }
       leaf in-traffic-ave-speed {
         type uint32;
         description
           "Inbound traffic average speed in bps";
       }
       leaf in-traffic-peak-speed {
         type uint32;
         description
           "Inbound traffic peak speed in bps";
       }
       leaf out-traffic-ave-rate {
         type uint32;
         description
           "Outbound traffic average rate in pps";
       }
       leaf out-traffic-peak-rate {
         type uint32;
         description
           "Outbound traffic peak rate in pps";
       }
       leaf out-traffic-ave-speed {
         type uint32;
         description
           "Outbound traffic average speed in bps";
       }
       leaf out-traffic-peak-speed {
         type uint32;
         description
           "Outbound traffic peak speed in bps";
       }
     }
     grouping i2nsf-system-counter-type-content {
       description
         "A set of system counter type contents";
       leaf interface-name {
         type string;
         description
           "Network interface name configured in NSF";
       }
       leaf in-total-traffic-pkts {
         type uint32;
         description
           "Total inbound packets";
       }
       leaf out-total-traffic-pkts {
         type uint32;
         description
           "Total outbound packets";
       }
       leaf in-total-traffic-bytes {
         type uint32;
         description
           "Total inbound bytes";
       }
       leaf out-total-traffic-bytes {
         type uint32;
         description
           "Total outbound bytes";
       }
       leaf in-drop-traffic-pkts {
         type uint32;
         description
           "Total inbound dropped packets";
       }
       leaf out-drop-traffic-pkts {
         type uint32;
         description
           "Total outbound dropped packets";
       }
       leaf in-drop-traffic-bytes {
         type uint32;
         description
           "Total inbound dropped bytes";
       }
       leaf out-drop-traffic-bytes {
         type uint32;
         description
           "Total outbound dropped bytes";
       }
       uses traffic-rates;
     }
     grouping i2nsf-nsf-counters-type-content {
       description
         "A set of NSF counters type contents";
       leaf src-ip {
         type inet:ipv4-address;
         description
           "The source IP address of the packet";
       }
       leaf dst-ip {
         type inet:ipv4-address;
         description
           "The destination IP address of the packet";
       }
       leaf src-port {
         type inet:port-number;
         description
           "The source port of the packet";
       }
       leaf dst-port {
         type inet:port-number;
         description
           "The destination port of the packet";
       }
       leaf src-zone {
         type string;
         description
           "The source security zone of the packet";
       }
       leaf dst-zone {
         type string;
         description
           "The destination security zone of the packet";
       }
       leaf src-region {
         type string;
         description
           "Source region of the traffic";
       }
       leaf dst-region {
         type string;
         description
           "Destination region of the traffic";
       }
       leaf policy-id {
         type uint8;
         description
           "The ID of the policy being triggered";
       }
       leaf policy-name {
         type string;
         description
           "The name of the policy being triggered";
       }
       leaf src-user {
         type string;
         description
           "User who generates traffic";
       }
       uses protocol;
       uses traffic-rates;
     }

     notification system-detection-alarm {
       description
         "TBD";
       leaf alarm-catagory {
         type identityref {
           base alarm-type;
         }
         description
           "TBD";
       }
       uses i2nsf-system-alarm-type-content;
       uses common-notification-content;
     }
     notification system-detection-access-violation {
       description
         "This notification is sent when a security-sensitive
          authentication action fails.";
       uses i2nsf-system-event-type-content;
       uses common-notification-content;
     }
     notification system-detection-config-change {
       description
         "This notification is sent
          when an unauthorized configuration
          change action is detected.";
       uses i2nsf-system-event-type-content;
       uses common-notification-content;
     }
     notification nsf-detection-flood {
       description
         "This notification is sent
          when a specific flood type is detected";
       uses i2nsf-nsf-event-type-content;
       leaf flood-catagory {
         type identityref {
           base flood-type;
1321 } 1322 description 1323 "TBD"; 1324 } 1325 leaf start-time { 1326 type yang:date-and-time; 1327 mandatory true; 1328 description 1329 "The time stamp indicating when the attack started"; 1330 } 1331 leaf end-time { 1332 type yang:date-and-time; 1333 mandatory true; 1334 description 1335 "The time stamp indicating when the attack ended"; 1336 } 1337 leaf attack-rate { 1338 type uint32; 1339 description 1340 "The PPS rate of attack traffic"; 1341 } 1342 leaf attack-speed { 1343 type uint32; 1344 description 1345 "The BPS speed of attack traffic"; 1346 } 1347 uses common-nsf-notification-content; 1348 uses common-notification-content; 1349 } 1350 notification nsf-detection-session-table { 1351 description 1352 "This notification is sent, when an a session table event 1353 is deteced"; 1354 leaf current-session { 1355 type uint8; 1356 description 1357 "The number of concurrent sessions"; 1358 } 1359 leaf maximum-session { 1360 type uint8; 1361 description 1362 "The maximum number of sessions that the session 1363 table can support"; 1364 } 1365 leaf threshold { 1366 type uint8; 1367 description 1368 "The threshold triggering the event"; 1369 } 1370 leaf table-indentifier { 1371 type string; 1372 description 1373 "The number of session table exceeded the threshold"; 1374 } 1375 uses common-nsf-notification-content; 1376 uses common-notification-content; 1377 } 1378 notification nsf-detection-virus { 1379 description 1380 "This notification is sent, when a virus is detected"; 1381 uses i2nsf-nsf-event-type-content; 1382 leaf virus { 1383 type identityref { 1384 base virus-type; 1385 } 1386 description 1387 "TBD"; 1388 } 1389 leaf virus-name { 1390 type string; 1391 description 1392 "The name of the detected virus"; 1393 } 1394 leaf file-type { 1395 type string; 1396 description 1397 "The type of file virus code is found in (if appicable)."; 1398 } 1399 leaf file-name { 1400 type string; 1401 description 1402 "The name of file virus code is found in (if appicable)."; 
1403 } 1404 uses common-nsf-notification-content; 1405 uses common-notification-content; 1406 } 1407 notification nsf-detection-intrusion { 1408 description 1409 "This notification is send, when an intrusion event 1410 is detected."; 1411 uses i2nsf-nsf-event-type-content; 1412 uses protocol; 1413 leaf intrusion { 1414 type identityref { 1415 base intrusion-attack-type; 1416 } 1417 description 1418 "TBD"; 1419 } 1420 uses common-nsf-notification-content; 1421 uses common-notification-content; 1422 } 1423 notification nsf-detection-botnet { 1424 description 1425 "This notification is send, when a botnet event is 1426 detected"; 1427 uses i2nsf-nsf-event-type-content; 1428 leaf attack-type { 1429 type identityref { 1430 base botnet-attack-type; 1431 } 1432 description 1433 "TBD"; 1434 } 1435 uses protocol; 1436 leaf botnet-name { 1437 type string; 1438 description 1439 "The name of the detected botnet"; 1440 } 1441 leaf role { 1442 type string; 1443 description 1444 "The role of the communicating 1445 parties within the botnet"; 1446 } 1447 uses common-nsf-notification-content; 1448 uses common-notification-content; 1449 } 1450 notification nsf-detection-web-attack { 1451 description 1452 "This notification is send, when an attack event is 1453 detected"; 1454 uses i2nsf-nsf-event-type-content; 1455 leaf web-attack { 1456 type identityref { 1457 base web-attack-type; 1458 } 1459 description 1460 "TBD"; 1461 } 1462 uses protocol; 1463 leaf request { 1464 type identityref { 1465 base req-method; 1466 } 1467 description 1468 "TBD"; 1469 } 1470 leaf req-uri { 1471 type string; 1472 description 1473 "Requested URI"; 1474 } 1475 leaf uri-category { 1476 type string; 1477 description 1478 "Matched URI category"; 1479 } 1480 leaf-list filter { 1481 type identityref { 1482 base filter-type; 1483 } 1484 description 1485 "TBD"; 1487 } 1488 uses common-nsf-notification-content; 1489 uses common-notification-content; 1490 } 1491 notification system-log-access-event { 1492 
description 1493 "The notification is send, if there is 1494 a new system log entry about 1495 a system access event"; 1496 leaf login-ip { 1497 type inet:ipv4-address; 1498 mandatory true; 1499 description 1500 "Login IP address of a user"; 1501 } 1502 leaf administrator { 1503 type string; 1504 description 1505 "Administrator that maintains the device"; 1506 } 1507 leaf login-mode { 1508 type login-mode; 1509 description 1510 "Specifies the administrator log-in mode"; 1511 } 1512 leaf operation-type { 1513 type operation-type; 1514 description 1515 "The operation type that the administrator execute"; 1516 } 1517 leaf result { 1518 type string; 1519 description 1520 "Command execution result"; 1521 } 1522 leaf content { 1523 type string; 1524 description 1525 "The Operation performed by an administrator after login"; 1526 } 1527 uses common-nsf-notification-content; 1528 } 1529 notification system-log-res-util-report { 1530 description 1531 "This notification is send, if there is 1532 a new log entry representing ressource 1533 utiliztation updates."; 1534 leaf system-status { 1535 type string; 1536 description 1537 "The current systems 1538 running status"; 1539 } 1540 leaf cpu-usage { 1541 type uint8; 1542 description 1543 "Specifies the relative amount of 1544 cpu usage wrt plattform ressources"; 1545 } 1546 leaf memory-usage { 1547 type uint8; 1548 description 1549 "Specifies the amount of memory usage"; 1550 } 1551 leaf disk-usage { 1552 type uint8; 1553 description 1554 "Specifies the amount of disk usage"; 1555 } 1556 leaf disk-left { 1557 type uint8; 1558 description 1559 "Specifies the amount of disk left"; 1560 } 1561 leaf session-num { 1562 type uint8; 1563 description 1564 "The total number of sessions"; 1565 } 1566 leaf process-num { 1567 type uint8; 1568 description 1569 "The total number of process"; 1570 } 1571 leaf in-traffic-rate { 1572 type uint32; 1573 description 1574 "The total inbound traffic rate in pps"; 1575 } 1576 leaf out-traffic-rate { 
1577 type uint32; 1578 description 1579 "The total outbount traffic rate in pps"; 1580 } 1581 leaf in-traffic-speed { 1582 type uint32; 1583 description 1584 "The total inbound traffic speed in bps"; 1585 } 1586 leaf out-traffic-speed { 1587 type uint32; 1588 description 1589 "The total outbound traffic speed in bps"; 1590 } 1591 uses common-nsf-notification-content; 1592 } 1593 notification system-log-user-activity-event { 1594 description 1595 "This notification is send, if there is 1596 a new user activity log entry"; 1597 leaf user { 1598 type string; 1599 mandatory true; 1600 description 1601 "Name of a user"; 1602 } 1603 leaf group { 1604 type string; 1605 mandatory true; 1606 description 1607 "Group to which a user belongs."; 1608 } 1609 leaf login-ip { 1610 type inet:ipv4-address; 1611 mandatory true; 1612 description 1613 "Login IP address of a user."; 1614 } 1615 leaf authentication { 1616 type identityref { 1617 base authentication-mode; 1618 } 1619 description 1620 "TBD"; 1621 } 1622 leaf accese { 1623 type identityref { 1624 base access-mode; 1625 } 1626 description 1627 "TBD"; 1628 } 1629 leaf online-duration { 1630 type string; 1631 description 1632 "Online duration"; 1633 } 1634 leaf logout-duration { 1635 type string; 1636 description 1637 "Lockout duration"; 1638 } 1639 leaf addtional-info { 1640 type string; 1641 description 1642 "User activities. 
e.g., Successful 1643 User Login, Failed Login attempts, 1644 User Logout, Successful User 1645 Password Change, Failed User 1646 Password Change, User Lockout, 1647 User Unlocking, Unknown"; 1648 } 1649 uses common-nsf-notification-content; 1650 } 1651 notification nsf-log-ddos { 1652 description 1653 "This notification is send, if there is 1654 a new DDoS event log entry in the nsf log"; 1655 leaf attack-type { 1656 type identityref { 1657 base ddos-attack-type; 1658 } 1659 description 1660 "TBD"; 1661 } 1662 leaf attack-ave-rate { 1663 type uint32; 1664 description 1665 "The ave PPS of attack traffic"; 1666 } 1667 leaf attack-ave-speed { 1668 type uint32; 1669 description 1670 "the ave bps of attack traffic"; 1671 } 1672 leaf attack-pkt-num { 1673 type uint32; 1674 description 1675 "the number of attack packets"; 1676 } 1677 leaf attack-src-ip { 1678 type inet:ipv4-address; 1679 description 1680 "The source IP addresses of attack 1681 traffics. If there are a large 1682 amount of IP addresses, then 1683 pick a certain number of resources 1684 according to different rules."; 1685 } 1686 leaf action { 1687 type log-action; 1688 description 1689 "Action type: allow, alert, 1690 block, discard, declare, 1691 block-ip, block-service"; 1692 } 1693 leaf os { 1694 type string; 1695 description 1696 "simple os information"; 1697 } 1698 uses common-nsf-notification-content; 1699 uses common-notification-content; 1700 } 1701 notification nsf-log-virus { 1702 description 1703 "This notification is send, If there is 1704 a new virus event log enry in the nsf log"; 1705 leaf attack-type { 1706 type identityref { 1707 base virus-type; 1708 } 1709 description 1710 "TBD"; 1711 } 1712 leaf action { 1713 type log-action; 1714 description 1715 "Action type: allow, alert, 1716 block, discard, declare, 1717 block-ip, block-service"; 1718 } 1719 leaf os{ 1720 type string; 1721 description 1722 "simple os information"; 1723 } 1724 leaf time { 1725 type yang:date-and-time; 1726 
mandatory true; 1727 description 1728 "Indicate the time when the message is generated"; 1729 } 1730 uses common-nsf-notification-content; 1731 uses common-notification-content; 1732 } 1733 notification nsf-log-intrusion { 1734 description 1735 "This notification is send, if there is 1736 a new intrusion event log entry in the nsf log"; 1737 leaf attack-type { 1738 type identityref { 1739 base intrusion-attack-type; 1740 } 1741 description 1742 "TBD"; 1743 } 1744 leaf action { 1745 type log-action; 1746 description 1747 "Action type: allow, alert, 1748 block, discard, declare, 1749 block-ip, block-service"; 1750 } 1751 leaf time { 1752 type yang:date-and-time; 1753 mandatory true; 1754 description 1755 "Indicate the time when the message is generated"; 1756 } 1757 leaf attack-rate { 1758 type uint32; 1759 description 1760 "The PPS of attack traffic"; 1761 } 1762 leaf attack-speed { 1763 type uint32; 1764 description 1765 "the bps of attack traffic"; 1766 } 1767 uses common-nsf-notification-content; 1768 uses common-notification-content; 1769 } 1770 notification nsf-log-botnet { 1771 description 1772 "This noticiation is send, if there is 1773 a new botnet event log in the nsf log"; 1774 leaf attack-type { 1775 type identityref { 1776 base botnet-attack-type; 1777 } 1778 description 1779 "TBD"; 1780 } 1781 leaf action { 1782 type log-action; 1783 description 1784 "Action type: allow, alert, 1785 block, discard, declare, 1786 block-ip, block-service"; 1787 } 1788 leaf botnet-pkt-num{ 1789 type uint8; 1790 description 1791 "The number of the packets sent to 1792 or from the detected botnet"; 1793 } 1794 leaf os{ 1795 type string; 1796 description 1797 "simple os information"; 1798 } 1799 uses common-nsf-notification-content; 1800 uses common-notification-content; 1801 } 1802 notification nsf-log-dpi { 1803 description 1804 "This notification is send, if there is 1805 a new dpi event in the nsf log"; 1806 leaf attack-type { 1807 type dpi-type; 1808 description 1809 
"The type of the dpi"; 1810 } 1811 leaf src-ip { 1812 type inet:ipv4-address; 1813 description 1814 "The source IP address of the packet"; 1815 } 1816 leaf dst-ip { 1817 type inet:ipv4-address; 1818 description 1819 "The destination IP address of the packet"; 1820 } 1821 leaf src-port { 1822 type inet:port-number; 1823 description 1824 "The source port of the packet"; 1825 } 1826 leaf dst-port { 1827 type inet:port-number; 1828 description 1829 "The destination port of the packet"; 1830 } 1831 leaf src-zone { 1832 type string; 1833 description 1834 "The source security zone of the packet"; 1835 } 1836 leaf dst-zone { 1837 type string; 1838 description 1839 "The destination security zone of the packet"; 1840 } 1841 leaf src-region { 1842 type string; 1843 description 1844 "Source region of the traffic"; 1845 } 1846 leaf dst-region{ 1847 type string; 1848 description 1849 "Destination region of the traffic"; 1850 } 1851 leaf policy-id { 1852 type uint8; 1853 mandatory true; 1854 description 1855 "The ID of the policy being triggered"; 1856 } 1857 leaf policy-name { 1858 type string; 1859 mandatory true; 1860 description 1861 "The name of the policy being triggered"; 1862 } 1863 leaf src-user{ 1864 type string; 1865 description 1866 "User who generates traffic"; 1867 } 1868 uses common-nsf-notification-content; 1869 uses common-notification-content; 1870 } 1871 notification nsf-log-vuln-scan { 1872 description 1873 "This notification is send, if there is 1874 a new vulnerability-scan report in the nsf log"; 1875 leaf vulnerability-id { 1876 type uint8; 1877 description 1878 "The vulnerability id"; 1879 } 1880 leaf victim-ip { 1881 type inet:ipv4-address; 1882 description 1883 "IP address of the victim host which has vulnerabilities"; 1884 } 1885 uses protocol; 1886 leaf port-num { 1887 type inet:port-number; 1888 description 1889 "The port number"; 1890 } 1891 leaf level { 1892 type severity; 1893 description 1894 "The vulnerability severity"; 1895 } 1896 leaf os { 
1897 type string; 1898 description 1899 "simple os information"; 1900 } 1901 leaf addtional-info { 1902 type string; 1903 description 1904 "TBD"; 1905 } 1906 uses common-nsf-notification-content; 1907 uses common-notification-content; 1908 } 1909 notification nsf-log-web-attack { 1910 description 1911 "This notificatio is send, if there is 1912 a new web-attack event in the nsf log"; 1913 leaf attack-type { 1914 type identityref { 1915 base web-attack-type; 1916 } 1917 description 1918 "TBD"; 1920 } 1921 leaf rsp-code { 1922 type string; 1923 description 1924 "Response code"; 1925 } 1926 leaf req-clientapp { 1927 type string; 1928 description 1929 "The client application"; 1930 } 1931 leaf req-cookies { 1932 type string; 1933 description 1934 "Cookies"; 1935 } 1936 leaf req-host { 1937 type string; 1938 description 1939 "The domain name of the requested host"; 1940 } 1941 leaf raw-info { 1942 type string; 1943 description 1944 "The information describing 1945 the packet triggering the event."; 1946 } 1947 uses common-nsf-notification-content; 1948 uses common-notification-content; 1949 } 1950 container counters { 1951 description 1952 "This is probably better covered by an import 1953 as this will not be notifications. 
1954 Counter are not very suitable as telemetry, maybe 1955 via periodic subscriptions, which would still 1956 violate principle of least surprise."; 1957 container system-interface { 1958 description 1959 "The system counter type is interface counter"; 1960 uses i2nsf-system-counter-type-content; 1961 } 1962 container nsf-firewall { 1963 description 1964 "The nsf counter type is firewall counter"; 1965 uses i2nsf-nsf-counters-type-content; 1966 container diretcions { 1967 description 1968 "Inbound or Outbound"; 1969 leaf in-interface { 1970 type boolean; 1971 description 1972 "If the bound is inbound"; 1973 } 1974 leaf out-interface { 1975 type boolean; 1976 description 1977 "If the bound is outbound"; 1978 } 1979 } 1980 } 1981 container nsf-policy-hits { 1982 description 1983 "The counters of policy hit"; 1984 uses i2nsf-nsf-counters-type-content; 1985 leaf hit-times { 1986 type uint32; 1987 description 1988 "The hit times for policy"; 1989 } 1990 } 1991 } 1992 } 1993 1995 Figure 2: Data Model of Monitoring 1997 6. Acknowledgments 1999 This work was supported by Institute for Information & communications 2000 Technology Promotion (IITP) grant funded by the Korea government 2001 (MSIP) (R-20160222-002755, Cloud based Security Intelligence 2002 Technology Development for the Customized Security Service 2003 Provisioning). 2005 This document has greatly benefited from inputs by Daeyoung Hyun. 2007 7. References 2009 7.1. Normative References 2011 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 2012 Requirement Levels", BCP 14, RFC 2119, March 1997. 2014 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the 2015 Network Configuration Protocol (NETCONF)", RFC 6020, 2016 October 2010. 2018 7.2. Informative References 2020 [i2nsf-framework] 2021 Lopez,, D., Lopez,, E., Dunbar, L., Strassner, J., and R. 2022 Kumar, "Framework for Interface to Network Security 2023 Functions", draft-ietf-i2nsf-framework-10 (work in 2024 progress), November 2017. 
   [i2nsf-monitoring-im]
              Xia, L., Zhang, D., Wu, Y., Kumar, R., Lohiya, A., and
              H. Birkholz, "An Information Model for the Monitoring of
              Network Security Functions (NSF)",
              draft-zhang-i2nsf-info-model-monitoring-05 (work in
              progress), October 2017.

   [i2nsf-terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions
              (I2NSF) Terminology", draft-ietf-i2nsf-terminology-05
              (work in progress), October 2017.

   [i2rs-rib-data-model]
              Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini,
              S., and N. Bahadur, "A YANG Data Model for Routing
              Information Base (RIB)", draft-ietf-i2rs-rib-data-model-10
              (work in progress), February 2018.

Appendix A.  draft-hong-i2nsf-nsf-monitoring-data-model-02

   The following changes are made from
   draft-hong-i2nsf-nsf-monitoring-data-model-01:

   1.  The YANG data model is defined in more detail based on the
       information model for monitoring NSFs.

   2.  Some of the descriptions in the YANG data model are revised.

   3.  Typos and grammatical errors are corrected.
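   As an added example that is not part of this draft or its YANG
   module, the script below shows how a security controller consuming
   the nsf-detection-flood notification of Figure 2 could check a
   received NETCONF notification against the mandatory leaves and value
   ranges the model implies before acting on it. The module namespace
   is an assumed placeholder (the namespace statement is not reproduced
   in this section), the severity values are taken from the description
   text of the severity leaf, and the sample event is constructed.

```python
"""Added example: sanity-check an nsf-detection-flood notification
against the mandatory leaves and value ranges of the YANG module."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

# ASSUMED placeholder: the module's real namespace is declared earlier in the draft.
NS = "urn:example:i2nsf-nsf-monitoring"
NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"  # RFC 5277 wrapper

# Mandatory leaves gathered from the groupings nsf-detection-flood uses
# (common-notification-content, i2nsf-nsf-event-type-content) plus the
# notification's own start-time and end-time.
MANDATORY = ("message", "time-stamp", "severity", "rule-id", "rule-name",
             "start-time", "end-time")
# Upper bounds implied by the leaf types: uint8, uint32, inet:port-number.
UINT_MAX = {"rule-id": 255, "attack-rate": 2**32 - 1, "attack-speed": 2**32 - 1,
            "src-port": 65535, "dst-port": 65535}
IPV4_LEAVES = ("src-ip", "dst-ip")
TIME_LEAVES = ("time-stamp", "start-time", "end-time")
# Severity levels as listed in the module's description text (typedef not shown here).
SEVERITIES = {"critical", "high", "middle", "low"}


def _parse_time(text):
    """yang:date-and-time is RFC 3339; fromisoformat wants +00:00 rather than Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def validate_flood_notification(xml_text):
    """Return a list of problems; an empty list means the event is well formed."""
    root = ET.fromstring(xml_text)
    event = root.find(f"{{{NS}}}nsf-detection-flood")
    if event is None:
        return ["no nsf-detection-flood element in notification"]
    # Strip the namespace so leaves can be looked up by their YANG names.
    leaves = {child.tag.split("}")[-1]: (child.text or "").strip() for child in event}
    problems = [f"missing mandatory leaf {n}" for n in MANDATORY if n not in leaves]
    for name, upper in UINT_MAX.items():
        value = leaves.get(name)
        if value is not None and not (value.isdigit() and int(value) <= upper):
            problems.append(f"{name} out of range: {value!r}")
    for name in IPV4_LEAVES:
        if name in leaves:
            try:
                ipaddress.IPv4Address(leaves[name])
            except ValueError:
                problems.append(f"{name} is not an IPv4 address: {leaves[name]!r}")
    if "severity" in leaves and leaves["severity"] not in SEVERITIES:
        problems.append(f"unknown severity {leaves['severity']!r}")
    times = {}
    for name in TIME_LEAVES:
        if name in leaves:
            try:
                times[name] = _parse_time(leaves[name])
            except ValueError:
                problems.append(f"{name} is not a date-and-time: {leaves[name]!r}")
    if "start-time" in times and "end-time" in times and times["end-time"] < times["start-time"]:
        problems.append("end-time precedes start-time")
    return problems


# Constructed sample event (documentation addresses, made-up rule name).
SAMPLE = f"""<notification xmlns="{NOTIF_NS}">
  <eventTime>2018-03-05T10:00:00Z</eventTime>
  <nsf-detection-flood xmlns="{NS}">
    <event-message>SYN flood toward web tier</event-message>
    <src-ip>192.0.2.10</src-ip>
    <dst-ip>198.51.100.20</dst-ip>
    <dst-port>443</dst-port>
    <rule-id>17</rule-id>
    <rule-name>syn-flood-guard</rule-name>
    <start-time>2018-03-05T09:58:30Z</start-time>
    <end-time>2018-03-05T09:59:45Z</end-time>
    <attack-rate>120000</attack-rate>
    <message>Flood mitigated by rate limiting</message>
    <time-stamp>2018-03-05T10:00:00Z</time-stamp>
    <severity>high</severity>
  </nsf-detection-flood>
</notification>"""
```

   Running validate_flood_notification(SAMPLE) returns an empty list;
   dropping a mandatory leaf or setting rule-id above 255 yields a
   problem entry per violation, which is the point at which a controller
   should discard or quarantine the event rather than act on it.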
Authors' Addresses

   Dongjin Hong
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 7630 5473
   EMail: dong.jin@skku.edu

   Jaehoon Paul Jeong
   Department of Software
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 7996
   EMail: pauljeong@skku.edu
   URI:   http://iotlab.skku.edu/people-jaehoon-jeong.php

   Jinyong Tim Kim
   Department of Computer Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

   Phone: +82 10 8273 0930
   EMail: timkim@skku.edu

   Susan Hares
   Huawei
   7453 Hickory Hill
   Saline, MI 48176
   USA

   Phone: +1-734-604-0332
   EMail: shares@ndzh.com

   Liang Xia (Frank)
   Huawei
   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu
   China

   EMail: Frank.xialiang@huawei.com

   Henk Birkholz
   Fraunhofer Institute for Secure Information Technology
   Rheinstrasse 75
   Darmstadt 64295
   Germany

   EMail: henk.birkholz@sit.fraunhofer.de