MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
Expires: April 23, 2014                                October 20, 2013

          The Incident Object Description Exchange Format v2
                     draft-ietf-mile-rfc5070-bis-02

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation that provides a framework for sharing information
   commonly exchanged by Computer Security Incident Response Teams
   (CSIRTs) about computer security incidents.  This document describes
   the information model for the IODEF and provides an associated data
   model specified with XML Schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 23, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
     1.1.  Changes from 5070
     1.2.  Terminology
     1.3.  Notations
     1.4.  About the IODEF Data Model
     1.5.  About the IODEF Implementation
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Bytes
     2.6.  Hexadecimal Bytes
     2.7.  Enumerated Types
     2.8.  Date-Time Strings
     2.9.  Timezone String
     2.10.  Port Lists
     2.11.  Postal Address
     2.12.  Person or Organization
     2.13.  Telephone and Fax Numbers
     2.14.  Email String
     2.15.  Uniform Resource Locator strings
   3.  The IODEF Data Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  IncidentID Class
     3.4.  AlternativeID Class
     3.5.  RelatedActivity Class
     3.6.  ThreatActor Class
     3.7.  Campaign Class
     3.8.  AdditionalData Class
     3.9.  Contact Class
       3.9.1.  RegistryHandle Class
       3.9.2.  PostalAddress Class
       3.9.3.  Email Class
       3.9.4.  Telephone and Fax Classes
     3.10.  Time Classes
       3.10.1.  StartTime
       3.10.2.  EndTime
       3.10.3.  DetectTime
       3.10.4.  ReportTime
       3.10.5.  DateTime
     3.11.  Method Class
       3.11.1.  Reference Class
     3.12.  Assessment Class
       3.12.1.  Impact Class
       3.12.2.  TimeImpact Class
       3.12.3.  MonetaryImpact Class
       3.12.4.  Confidence Class
     3.13.  History Class
       3.13.1.  HistoryItem Class
     3.14.  EventData Class
       3.14.1.  Relating the Incident and EventData Classes
       3.14.2.  Cardinality of EventData
     3.15.  Expectation Class
     3.16.  Flow Class
     3.17.  System Class
     3.18.  Node Class
       3.18.1.  Counter Class
       3.18.2.  Address Class
       3.18.3.  NodeRole Class
     3.19.  Service Class
       3.19.1.  Application Class
     3.20.  OperatingSystem Class
     3.21.  Record Class
       3.21.1.  RecordData Class
       3.21.2.  RecordPattern Class
       3.21.3.  RecordItem Class
     3.22.  RegistryKeyModified Class
       3.22.1.  Key Class
     3.23.  HashInformation Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
     5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
     7.1.  Worm
     7.2.  Reconnaissance
     7.3.  Bot-Net Reporting
     7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10.  IANA Considerations
   11.  Acknowledgments
   12.  References
     12.1.  Normative References
     12.2.  Informative References

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a bot-
   network, or sharing watch-lists of known malicious IP addresses in a
   consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).
   It provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.

   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.  This
   structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since the
      resources of security analysts to parse free-form textual
      documents will be reduced;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 errata were implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The attributes @indicator-uid and @indicator-set-id were added to
      various classes to reference commonly shared indicators.

   o  The following classes and attributes were added to the Service
      class: Email, EmailSubject, X-Mailer, DomainData, AssetID,
      @virtual, and @ownership.

   o  The following classes were added to the Record class: FileName,
      ds:Reference, and WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following class was added to the Contact class:
      ContactTitle.

   o  (for consideration) The following class was added to the Node
      class: URL.

   o  (for consideration) The following attribute was added to the
      SoftwareType complexType: user-agent.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose.

1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in RFC2119 [6].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of [16].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.

   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.  The
   term "IODEF document" will be used to refer to specific elements and
   attributes of the IODEF schema.  The terms "class" and "element" will
   be used interchangeably to reference either the corresponding data
   element in the information or data models, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for on-
      disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise, widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.  It ensures that there are ample mechanisms for
      extensibility to support organization-specific information, and
      techniques to reference information kept outside of the explicit
      data model.
   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content, while
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security relevant data
      representations being standardized.  Attempts were made to ensure
      they were complementary.  The data model of the Intrusion
      Detection Message Exchange Format [17] influenced the design of
      the IODEF.

   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [16].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [1] Schema [2] in Section 8.

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.  When possible, native Schema
   data types were adopted, but for more complicated formats, regular
   expressions (see Appendix F of [3]) or external standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.  Integer data
   MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" [3] in the
   schema.

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.
   Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" [3] in the schema.

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.  See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   [3] in the schema.

2.4.  Multilingual Strings

   STRING data that represents multi-character attributes in a language
   different than the default encoding of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as an "iodef:MLStringType" in
   the schema.

2.5.  Bytes

   A binary octet is represented by the BYTE data type.  A sequence of
   binary octets is represented by the BYTE[] data type.  These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" [3] in the
   schema.

2.6.  Hexadecimal Bytes

   A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
   This octet is encoded as a character tuple consisting of two
   hexadecimal digits.

   The HEXBIN data type is implemented as an "xs:hexBinary" [3] in the
   schema.

2.7.  Enumerated Types

   Enumerated types are represented by the ENUM data type, and consist
   of an ordered list of acceptable values.  Each value has a
   representative keyword.  Within the IODEF schema, the enumerated type
   keywords are used as attribute values.

   The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
   schema.

2.8.  Date-Time Strings

   Date-time strings are represented by the DATETIME data type.  Each
   date-time string identifies a particular instant in time; ranges are
   not supported.

   Date-time strings are formatted according to a subset of ISO
   8601:2000 [13] documented in RFC 3339 [12].
   The DATETIME data type is implemented as an "xs:dateTime" [3] in the
   schema.

2.9.  Timezone String

   A timezone offset from UTC is represented by the TIMEZONE data type.
   It is formatted according to the following regular expression:
   "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.  This regular expression
   is identical to the timezone representation implemented in an
   "xs:dateTime".

2.10.  Port Lists

   A list of network ports is represented by the PORTLIST data type.  A
   PORTLIST consists of a comma-separated list of numbers and ranges
   (N-M means ports N through M, inclusive).  It is formatted according
   to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
   For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.

2.11.  Postal Address

   A postal address is represented by the POSTAL data type.  This data
   type is an ML_STRING whose format is documented in Section 2.23 of
   RFC 4519 [10].  It defines a postal address as a free-form multi-line
   string separated by the "$" character.

   The POSTAL data type is implemented as an "xs:string" in the schema.

2.12.  Person or Organization

   The name of an individual or organization is represented by the NAME
   data type.  This data type is an ML_STRING whose format is documented
   in Section 2.3 of RFC 4519 [10].

   The NAME data type is implemented as an "xs:string" in the schema.

2.13.  Telephone and Fax Numbers

   A telephone or fax number is represented by the PHONE data type.  The
   format of the PHONE data type is documented in Section 2.35 of RFC
   4519 [10].

   The PHONE data type is implemented as an "xs:string" in the schema.

2.14.  Email String

   An email address is represented by the EMAIL data type.
   The format of the EMAIL data type is documented in Section 3.4.1 of
   RFC 2822 [11].

   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in RFC 2396 [8].

   The URL data type is implemented as an "xs:anyURI" in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   will be discussed in detail.  For each class, the semantics will be
   described and the relationship with other classes will be depicted
   with UML.  When necessary, specific comments will be made about the
   corresponding definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top-level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |
   | STRING formatid |
   +-----------------+

                     Figure 1: IODEF-Document Class

   The aggregate class that constitutes IODEF-Document is:

   Incident
      One or more.  The information related to a single incident.

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   lang
      Required.  ENUM.  A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

   formatid
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out-of-band.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.

   +--------------------+
   | Incident           |
   +--------------------+
   | ENUM purpose       |<>----------[ IncidentID ]
   | STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
   | ENUM lang          |<>--{0..*}--[ RelatedActivity ]
   | ENUM restriction   |<>--{0..1}--[ DetectTime ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>----------[ ReportTime ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{1..*}--[ Assessment ]
   |                    |<>--{0..*}--[ Method ]
   |                    |<>--{1..*}--[ Contact ]
   |                    |<>--{0..*}--[ EventData ]
   |                    |<>--{0..1}--[ History ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

                      Figure 2: The Incident Class

   The aggregate classes that constitute Incident are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.

   RelatedActivity
      Zero or many.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   ReportTime
      One.  The time the incident was reported.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Assessment
      One or more.  A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

   EventData
      Zero or more.  Description of the events comprising the incident.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has five attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.15).  This attribute is defined as an
      enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.  The document was sent to convey indicators to watch
          for particular activity.

      5.  other.  The document was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.

   lang
      Optional.  ENUM.  A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

   restriction
      Optional.  ENUM.  This attribute indicates the disclosure
      guidelines to which the sender expects the recipient to adhere for
      the information represented in this class and its children.  This
      guideline provides no security since there are no specified
      technical means to ensure that the recipient of the document
      handles the information as the sender requested.

      The value of this attribute is logically inherited by the children
      of this class.  That is to say, the disclosure rules applied to
      this class also apply to its children.
639 It is possible to set a granular disclosure policy, since all of 640 the high-level classes (i.e., children of the Incident class) have 641 a restriction attribute. Therefore, a child can override the 642 guidelines of a parent class, be it to restrict or relax the 643 disclosure rules (e.g., a child has a weaker policy than an 644 ancestor; or an ancestor has a weak policy, and the children 645 selectively apply more rigid controls). The implicit value of the 646 restriction attribute for a class that did not specify one can be 647 found in the closest ancestor that did specify a value. 649 This attribute is defined as an enumerated value with a default 650 value of "private". Note that the default value of the 651 restriction attribute is only defined in the context of the 652 Incident class. In other classes where this attribute is used, no 653 default is specified. 655 1. public. The information can be freely distributed without 656 restriction. 658 2. partner. The information may be shared within a closed 659 community of peers, partners, or affected parties, but cannot 660 be openly published. 662 3. need-to-know. The information may be shared only within the 663 organization with individuals that have a need to know. 665 4. private. The information may not be shared. 667 5. default. The information can be shared according to an 668 information disclosure policy pre-arranged by the 669 communicating parties. 671 6. white. Same as 'public'. 673 7. green. Same as 'partner'. 675 8. amber. Same as 'need-to-know'. 677 9. red. Same as 'private'. 679 indicator-set-id 680 Optional. STRING. The indicator set ID is used to group related 681 indicators. 683 3.3. IncidentID Class 685 The IncidentID class represents an incident tracking number that is 686 unique in the context of the CSIRT and identifies the activity 687 characterized in an IODEF Document. This identifier would serve as 688 an index into the CSIRT incident handling system. 
   The combination of the name attribute and the string in the element
   content MUST be a globally unique identifier describing the activity.
   Documents generated by a given CSIRT MUST NOT reuse the same value
   unless they are referencing the same incident.

      +------------------+
      | IncidentID       |
      +------------------+
      | STRING           |
      |                  |
      | STRING name      |
      | STRING instance  |
      | ENUM restriction |
      +------------------+

                    Figure 3: The IncidentID Class

   The IncidentID class has three attributes:

   name
      Required. STRING. An identifier describing the CSIRT that
      created the document. In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.

   instance
      Optional. STRING. An identifier referencing a subset of the
      named incident.

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.
      The default value is "public".

3.4. AlternativeID Class

   The AlternativeID class lists the incident tracking numbers used by
   CSIRTs, other than the one generating the document, to refer to the
   identical activity described in the IODEF document. A tracking
   number listed as an AlternativeID references the same incident
   detected by another CSIRT. The incident tracking numbers of the
   CSIRT that generated the IODEF document must never be considered an
   AlternativeID.

      +------------------+
      | AlternativeID    |
      +------------------+
      | ENUM restriction |<>--{1..*}--[ IncidentID ]
      |                  |
      +------------------+

                   Figure 4: The AlternativeID Class

   The aggregate class that constitutes AlternativeID is:

   IncidentID
      One or more. The incident tracking number of another CSIRT.

   The AlternativeID class has one attribute:

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

3.5. RelatedActivity Class

   The RelatedActivity class relates the information described in the
   rest of the IODEF document to previously observed incidents or
   activity, and allows attribution to a specific actor or campaign.

      +------------------+
      | RelatedActivity  |
      +------------------+
      | ENUM restriction |<>--{0..*}--[ IncidentID ]
      |                  |<>--{0..*}--[ URL ]
      |                  |<>--{0..*}--[ ThreatActor ]
      |                  |<>--{0..*}--[ Campaign ]
      |                  |<>--{0..1}--[ Confidence ]
      |                  |<>--{0..*}--[ Description ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+

                   Figure 5: RelatedActivity Class

   The aggregate classes that constitute RelatedActivity are:

   IncidentID
      One or more. The incident tracking number of a related incident.

   URL
      One or more. URL. A URL to activity related to this incident.

   ThreatActor
      One or more. The threat actor to whom the described activity is
      attributed.

   Campaign
      One or more. The campaign of a given threat actor to whom the
      described activity is attributed.

   Confidence
      Zero or one. An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or many. ML_STRING. A description of how these
      relationships were derived.

   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   RelatedActivity MUST at least have one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has one attribute:

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

3.6. ThreatActor Class

   The ThreatActor class describes a given actor.
      +------------------+
      | ThreatActor      |
      +------------------+
      | ENUM restriction |<>--{0..1}--[ ThreatActorID ]
      |                  |<>--{0..*}--[ Description ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+

                    Figure 6: ThreatActor Class

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      One or more. STRING. An identifier for the ThreatActor.

   Description
      One or more. ML_STRING. A description of the ThreatActor.

   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has one attribute:

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

3.7. Campaign Class

   The Campaign class describes a ...

      +------------------+
      | Campaign         |
      +------------------+
      | ENUM restriction |<>--{0..1}--[ CampaignID ]
      |                  |<>--{0..*}--[ Description ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+

                     Figure 7: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more. STRING. An identifier for the Campaign.

   Description
      One or more. ML_STRING. A description of the Campaign.

   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

3.8. AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model. For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema (e.g., IDMEF). A
   detailed discussion for extending the data model and the schema can
   be found in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning. This information is described in the
   'meaning' attribute. Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.

      +------------------+
      | AdditionalData   |
      +------------------+
      | ANY              |
      |                  |
      | ENUM dtype       |
      | STRING ext-dtype |
      | STRING meaning   |
      | STRING formatid  |
      | ENUM restriction |
      +------------------+

                 Figure 8: The AdditionalData Class

   The AdditionalData class has five attributes:

   dtype
      Required. ENUM. The data type of the element content. The
      permitted values for this attribute are shown below. The default
      value is "string".

      1. boolean. The element content is of type BOOLEAN.

      2. byte. The element content is of type BYTE.

      3. character. The element content is of type CHARACTER.

      4. date-time. The element content is of type DATETIME.

      5. integer. The element content is of type INTEGER.

      6. portlist. The element content is of type PORTLIST.

      7. real. The element content is of type REAL.

      8. string. The element content is of type STRING.

      9. file. The element content is a base64 encoded binary file
         encoded as a BYTE[] type.

      10. frame. The element content is a layer-2 frame encoded as a
          HEXBIN type.

      11. packet. The element content is a layer-3 packet encoded as a
          HEXBIN type.

      12. ipv4-packet. The element content is an IPv4 packet encoded
          as a HEXBIN type.
      13. ipv6-packet. The element content is an IPv6 packet encoded
          as a HEXBIN type.

      14. path. The element content is a file-system path encoded as a
          STRING type.

      15. url. The element content is of type URL.

      16. csv. The element content is a comma-separated value (CSV)
          list per Section 2 of [20] encoded as a STRING type.

      17. winreg. The element content is a Windows registry key
          encoded as a STRING type.

      18. xml. The element content is XML (see Section 5).

      19. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-dtype
      Optional. STRING. A means by which to extend the dtype
      attribute. See Section 5.1.

   meaning
      Optional. STRING. A free-form description of the element
      content.

   formatid
      Optional. STRING. An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

3.9. Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident. This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data. A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class. As such, multiple points of contact might be
   specified in a single instance of a Contact class.
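   The dtype values of the AdditionalData class (Section 3.8) decide how
   a consumer must interpret the element content. The following decoder
   is an added example and not code from the draft: it dispatches on
   dtype, decodes base64 "file" and HEXBIN frame/packet content to
   bytes, parses PORTLIST content as comma-separated ports and N-M
   ranges (the IODEF PORTLIST data type), and refuses an "ext-value"
   that carries no ext-dtype. The sample document and its "meaning"
   labels are constructed.

```python
"""Decode the element content of IODEF AdditionalData elements by their dtype.

Added example, not code from the draft. It covers the dtype values listed in
Section 3.8: the atomic types, base64 'file' content, HEXBIN frame/packet
content, CSV lists, timestamps and PORTLIST values (comma-separated ports and
N-M ranges, the IODEF PORTLIST data type). 'xml' content comes back as the
embedded child elements and 'ext-value' requires ext-dtype. The sample
document, its 'meaning' labels and its values are constructed.
"""
import base64
import csv
from datetime import datetime
import xml.etree.ElementTree as ET


def local(tag):
    return tag.rsplit("}", 1)[-1]


def parse_bool(text):
    t = text.strip().lower()
    if t in ("true", "1"):
        return True
    if t in ("false", "0"):
        return False
    raise ValueError(f"not a BOOLEAN: {text!r}")


def parse_byte(text):
    n = int(text)
    if not -128 <= n <= 127:                       # xs:byte range
        raise ValueError(f"not a BYTE: {text!r}")
    return n


def parse_datetime(text):
    # DATETIME is an ISO 8601 timestamp with a zone; a 'Z' suffix is accepted.
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def parse_portlist(text):
    """'6667-6669,8080' -> [(6667, 6669), (8080, 8080)]."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, dash, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if dash else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port or range: {item!r}")
        ports.append((lo_n, hi_n))
    return ports


def parse_csv(text):
    # One record per line; indentation left by pretty-printed XML is dropped.
    return list(csv.reader(ln.strip() for ln in text.strip().splitlines()))


def parse_hexbin(text):
    return bytes.fromhex("".join(text.split()))


DECODERS = {
    "boolean": parse_bool,
    "byte": parse_byte,
    "character": lambda t: t,
    "date-time": parse_datetime,
    "integer": lambda t: int(t.strip()),
    "portlist": parse_portlist,
    "real": lambda t: float(t.strip()),
    "string": lambda t: t,
    "file": lambda t: base64.b64decode("".join(t.split()), validate=True),
    "path": lambda t: t.strip(),
    "url": lambda t: t.strip(),
    "csv": parse_csv,
    "winreg": lambda t: t.strip(),
}
for _hexbin_type in ("frame", "packet", "ipv4-packet", "ipv6-packet"):
    DECODERS[_hexbin_type] = parse_hexbin


def decode(elem):
    """Return (meaning, decoded value) for one AdditionalData element."""
    dtype = elem.get("dtype", "string")            # 'string' is the default
    meaning = elem.get("meaning")
    if dtype == "xml":
        return meaning, list(elem)                  # embedded foreign XML
    if dtype == "ext-value":
        ext = elem.get("ext-dtype")
        if not ext:
            raise ValueError("dtype='ext-value' requires ext-dtype")
        return meaning, (ext, elem.text or "")      # opaque to this decoder
    if dtype not in DECODERS:
        raise ValueError(f"unknown dtype: {dtype!r}")
    return meaning, DECODERS[dtype](elem.text or "")


def decode_all(xml_text):
    """Decode every AdditionalData in a document into {meaning: value}."""
    root = ET.fromstring(xml_text)
    return dict(decode(e) for e in root.iter() if local(e.tag) == "AdditionalData")


# Constructed sample; addresses are documentation values, the bytes are invented.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-1.0" purpose="reporting">
  <AdditionalData dtype="boolean" meaning="credentials-reset">true</AdditionalData>
  <AdditionalData dtype="portlist" meaning="ports-scanned">6667-6669,8080</AdditionalData>
  <AdditionalData dtype="integer" meaning="hosts-affected">12</AdditionalData>
  <AdditionalData dtype="date-time" meaning="first-seen">2013-10-20T12:00:00Z</AdditionalData>
  <AdditionalData dtype="file" meaning="sample-header">TVqQAA==</AdditionalData>
  <AdditionalData dtype="frame" meaning="beacon">ffffffffffff0050560000c00800</AdditionalData>
  <AdditionalData dtype="csv" meaning="targets">192.0.2.10,tcp,445
    198.51.100.7,tcp,445</AdditionalData>
  <AdditionalData dtype="ext-value" ext-dtype="x-yara" meaning="rule">rule r {}</AdditionalData>
</Incident>"""
```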
   Each child Contact class logically inherits contact information from
   its ancestors.

      +------------------+
      | Contact          |
      +------------------+
      | ENUM role        |<>--{0..1}--[ ContactName ]
      | STRING ext-role  |<>--{0..1}--[ ContactTitle ]
      | ENUM type        |<>--{0..*}--[ Description ]
      | STRING ext-type  |<>--{0..*}--[ RegistryHandle ]
      | ENUM restriction |<>--{0..1}--[ PostalAddress ]
      |                  |<>--{0..*}--[ Email ]
      |                  |<>--{0..*}--[ Telephone ]
      |                  |<>--{0..1}--[ Fax ]
      |                  |<>--{0..1}--[ Timezone ]
      |                  |<>--{0..*}--[ Contact ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+

                    Figure 9: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one. ML_STRING. The name of the contact. The contact
      may either be an organization or a person. The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one. ML_STRING. The title for the individual named in
      the ContactName.

   Description
      Zero or many. ML_STRING. A free-form description of this
      contact. In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or many. A handle name into the registry of the contact.

   PostalAddress
      Zero or one. The postal address of the contact.

   Email
      Zero or many. The email address of the contact.

   Telephone
      Zero or many. The telephone number of the contact.

   Fax
      Zero or one. The facsimile telephone number of the contact.

   Timezone
      Zero or one. TIMEZONE. The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or many. A Contact instance contained within another Contact
      instance inherits the values of the parent(s). This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required. ENUM. Indicates the role the contact fulfills. This
      attribute is defined as an enumerated list:

      1. creator. The entity that generates the document.

      2. admin. An administrative contact for a host or network.

      3. tech. A technical contact for a host or network.

      4. irt. The CSIRT involved in handling the incident.

      5. cc. An entity that is to be kept informed about the handling
         of the incident.

      6. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-role
      Optional. STRING. A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required. ENUM. Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1. person. The information for this contact references an
         individual.

      2. organization. The information for this contact references an
         organization.

      3. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.9.1. RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database. The handle is specified in
   the element content and the type attribute specifies the database.
      +---------------------+
      | RegistryHandle      |
      +---------------------+
      | STRING              |
      |                     |
      | ENUM registry       |
      | STRING ext-registry |
      +---------------------+

                 Figure 10: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required. ENUM. The database to which the handle belongs. The
      possible values are:

      1. internic. Internet Network Information Center

      2. apnic. Asia Pacific Network Information Center

      3. arin. American Registry for Internet Numbers

      4. lacnic. Latin-American and Caribbean IP Address Registry

      5. ripe. Reseaux IP Europeens

      6. afrinic. African Internet Numbers Registry

      7. local. A database local to the CSIRT

      8. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-registry
      Optional. STRING. A means by which to extend the registry
      attribute. See Section 5.1.

3.9.2. PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

      +---------------------+
      | PostalAddress       |
      +---------------------+
      | POSTAL              |
      |                     |
      | ENUM meaning        |
      | ENUM lang           |
      +---------------------+

                 Figure 11: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional. ENUM. A free-form description of the element content.

   lang
      Optional. ENUM. A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language". The
      interpretation of this code is described in Section 6.

3.9.3. Email Class

   The Email class specifies an email address formatted according to
   the EMAIL data type (Section 2.14).

      +--------------+
      | Email        |
      +--------------+
      | EMAIL        |
      |              |
      | ENUM meaning |
      +--------------+

                     Figure 12: The Email Class

   The Email class has one attribute:

   meaning
      Optional. ENUM. A free-form description of the element content.

3.9.4. Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).

      +--------------------+
      | {Telephone | Fax } |
      +--------------------+
      | PHONE              |
      |                    |
      | ENUM meaning       |
      +--------------------+

              Figure 13: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional. ENUM. A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.10. Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

      +----------------------------------+
      | {Start| End| Report| Detect}Time |
      +----------------------------------+
      | DATETIME                         |
      +----------------------------------+

                    Figure 14: The Time Classes

3.10.1. StartTime

   The StartTime class represents the time the incident began.

3.10.2. EndTime

   The EndTime class represents the time the incident ended.

3.10.3. DetectTime

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.10.4. ReportTime

   The ReportTime class represents the time the incident was reported.
   This timestamp MUST be the time at which the IODEF document was
   generated.

3.10.5. DateTime

   The DateTime class is a generic representation of a timestamp. Infer
   its semantics from the parent class in which it is aggregated.

3.11. Method Class

   The Method class describes the methodology used by the intruder to
   perpetrate the events of the incident.
   This class consists of a list of references describing the attack
   method and a free-form description of the technique.

      +------------------+
      | Method           |
      +------------------+
      | ENUM restriction |<>--{0..*}--[ Reference ]
      |                  |<>--{0..*}--[ Description ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+

                    Figure 15: The Method Class

   The Method class is composed of three aggregate classes.

   Reference
      Zero or many. A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.

   Description
      Zero or many. ML_STRING. A free-form text description of the
      methodology used by the intruder.

   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.11.1. Reference Class

   The Reference class is a reference to a vulnerability, IDS alert,
   malware sample, advisory, or attack technique. A reference consists
   of a name, a URL to this reference, and an optional description.

      +------------------+
      | Reference        |
      +------------------+
      |                  |<>----------[ ReferenceName ]
      |                  |<>--{0..*}--[ URL ]
      |                  |<>--{0..*}--[ Description ]
      +------------------+

                   Figure 16: The Reference Class

   The aggregate classes that constitute Reference:

   ReferenceName
      One. ML_STRING. Name of the reference.

   URL
      Zero or many. URL. A URL associated with the reference.

   Description
      Zero or many. ML_STRING. A free-form text description of this
      reference.

   The Reference class has four attributes:

   indicator-uid
      Optional. STRING. A unique identifier for an Indicator.

   indicator-set-id
      Optional. STRING. The indicator set ID is used to group
      related indicators.
   attacktype
      Optional. ENUM. A unique identifier for an Indicator.

   ext-attacktype
      Optional. STRING. A mechanism by which to extend the
      Attack Type.

3.12. Assessment Class

   The Assessment class describes the technical and non-technical
   repercussions of the incident on the CSIRT's constituency.

   This class was derived from the IDMEF [17].

      +------------------+
      | Assessment       |
      +------------------+
      | ENUM occurrence  |<>--{0..*}--[ Impact ]
      | ENUM restriction |<>--{0..*}--[ TimeImpact ]
      |                  |<>--{0..*}--[ MonetaryImpact ]
      |                  |<>--{0..*}--[ Counter ]
      |                  |<>--{0..1}--[ Confidence ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+

                    Figure 17: Assessment Class

   The aggregate classes that constitute Assessment are:

   Impact
      Zero or many. Technical impact of the incident on a network.

   TimeImpact
      Zero or many. Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or many. Impact of the activity measured with respect to
      financial loss.

   Counter
      Zero or more. A counter with which to summarize the magnitude of
      the activity.

   Confidence
      Zero or one. An estimate of confidence in the assessment.

   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has four attributes:

   occurrence
      Optional. ENUM. Specifies whether the assessment is describing
      actual or potential outcomes.

      1. actual. This assessment describes activity that has occurred.

      2. potential. This assessment describes potential activity that
         might occur.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   indicator-uid
      Optional. STRING. A unique identifier for an Indicator.
   indicator-set-id
      Optional. STRING. The indicator set ID is used to group related
      indicators.

3.12.1. Impact Class

   The Impact class allows for categorizing and describing the technical
   impact of the incident on the network of an organization.

   This class is based on the IDMEF [17].

      +------------------+
      | Impact           |
      +------------------+
      | ML_STRING        |
      |                  |
      | ENUM lang        |
      | ENUM severity    |
      | ENUM completion  |
      | ENUM type        |
      | STRING ext-type  |
      +------------------+

                      Figure 18: Impact Class

   The element content will be a free-form textual description of the
   impact.

   The Impact class has five attributes:

   lang
      Optional. ENUM. A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language". The
      interpretation of this code is described in Section 6.

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity

      2. medium. Medium severity

      3. high. High severity

   completion
      Optional. ENUM. An indication whether the described activity was
      successful. The permitted values are shown below. There is no
      default value.

      1. failed. The attempted activity was not successful.

      2. succeeded. The attempted activity succeeded.

   type
      Required. ENUM. Classifies the malicious activity into incident
      categories. The permitted values are shown below. The default
      value is "other".

      1. admin. Administrative privileges were attempted.

      2. dos. A denial of service was attempted.

      3. file. An action that impacts the integrity of a file or
         database was attempted.

      4. info-leak. An attempt was made to exfiltrate information.

      5. misconfiguration. An attempt was made to exploit a
         misconfiguration in a system.

      6. policy. Activity violating a site's policy was attempted.

      7. recon. Reconnaissance activity was attempted.

      8. social-engineering. A social engineering attack was
         attempted.

      9. user. User privileges were attempted.

      10. unknown. The classification of this activity is unknown.

      11. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

3.12.2. TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time. It provides a way to convey
   downtime and recovery time.

      +---------------------+
      | TimeImpact          |
      +---------------------+
      | REAL                |
      |                     |
      | ENUM severity       |
      | ENUM metric         |
      | STRING ext-metric   |
      | ENUM duration       |
      | STRING ext-duration |
      +---------------------+

                    Figure 19: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time. The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity

      2. medium. Medium severity

      3. high. High severity

   metric
      Required. ENUM. Defines the metric in which the time is
      expressed. The permitted values are shown below. There is no
      default value.

      1. labor. Total staff-time to recover from the activity (e.g.,
         2 employees working 4 hours each would be 8 hours).

      2. elapsed. Elapsed time from the beginning of the recovery to
         its completion (i.e., wall-clock time).

      3. downtime. Duration of time for which some provided service(s)
         was not available.

      4. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-metric
      Optional. STRING. A means by which to extend the metric
      attribute. See Section 5.1.

   duration
      Optional. ENUM. Defines a unit of time that, when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content. The permitted values are
      shown below. The default value is "hour".

      1. second. The unit of the element content is seconds.

      2. minute. The unit of the element content is minutes.

      3. hour. The unit of the element content is hours.

      4. day. The unit of the element content is days.

      5. month. The unit of the element content is months.

      6. quarter. The unit of the element content is quarters.

      7. year. The unit of the element content is years.

      8. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-duration
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.

3.12.3. MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization. For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

      +------------------+
      | MonetaryImpact   |
      +------------------+
      | REAL             |
      |                  |
      | ENUM severity    |
      | STRING currency  |
      +------------------+

                  Figure 20: MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity

      2. medium. Medium severity

      3. high. High severity

   currency
      Optional. STRING. Defines the currency in which the monetary
      impact is expressed. The permitted values are defined in ISO
      4217:2001, Codes for the representation of currencies and funds
      [14]. There is no default value.

3.12.4. Confidence Class

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section 3.12) of the incident
   activity. This estimate can be expressed as a category or a numeric
   calculation.

   This class is based upon the IDMEF [17].

      +------------------+
      | Confidence       |
      +------------------+
      | REAL             |
      |                  |
      | ENUM rating      |
      +------------------+

                    Figure 21: Confidence Class

   The element content expresses a numerical assessment in the
   confidence of the data when the value of the rating attribute is
   "numeric". Otherwise, this element MUST be empty.

   The Confidence class has one attribute.

   rating
      Required. ENUM. A rating of the analytical validity of the
      specified Assessment. The permitted values are shown below.
      There is no default value.

      1. low. Low confidence in the validity.

      2. medium. Medium confidence in the validity.

      3. high. High confidence in the validity.

      4. numeric. The element content contains a number that conveys
         the confidence of the data. The semantics of this number are
         outside the scope of this specification.

      5. unknown. The confidence rating value is not known.

3.13. History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.
      +------------------+
      | History          |
      +------------------+
      | ENUM restriction |<>--{1..*}--[ HistoryItem ]
      |                  |
      +------------------+

                    Figure 22: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many. Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

3.13.1. HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.13) log
   that documents a particular action or event that occurred in the
   course of handling the incident. The details of the entry are a
   free-form description, but each can be categorized with the type
   attribute.

      +-------------------+
      | HistoryItem       |
      +-------------------+
      | ENUM restriction  |<>----------[ DateTime ]
      | ENUM action       |<>--{0..1}--[ IncidentID ]
      | STRING ext-action |<>--{0..1}--[ Contact ]
      |                   |<>--{0..*}--[ Description ]
      |                   |<>--{0..*}--[ AdditionalData ]
      +-------------------+

                    Figure 23: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or one. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number. When a single organization is maintaining the
      log, this class can be ignored.

   Contact
      Zero or one. Provides contact information for the person that
      performed the action documented in this class.

   Description
      Zero or many. ML_STRING. A free-form textual description of the
      action or event.
   AdditionalData
      Zero or many. A mechanism by which to extend the data model.

   The HistoryItem class has five attributes:

   restriction
      Optional. ENUM. This attribute has been defined in Section 3.2.

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is identical
      to the category attribute of the Expectation class. The
      difference is only one of tense. When an action is in this class,
      it has been completed. See Section 3.15.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   indicator-uid
      Optional. STRING. A unique identifier for an Indicator.

   indicator-set-id
      Optional. STRING. The indicator set ID is used to group related
      indicators.

3.14. EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks. This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of the
   activity on the organization, and any forensic evidence discovered.
   +------------------+
   | EventData        |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Description ]
   |                  |<>--{0..1}--[ DetectTime ]
   |                  |<>--{0..1}--[ StartTime ]
   |                  |<>--{0..1}--[ EndTime ]
   |                  |<>--{0..*}--[ Contact ]
   |                  |<>--{0..1}--[ Assessment ]
   |                  |<>--{0..*}--[ Method ]
   |                  |<>--{0..*}--[ Flow ]
   |                  |<>--{0..*}--[ Expectation ]
   |                  |<>--{0..1}--[ Record ]
   |                  |<>--{0..*}--[ EventData ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                       Figure 24: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      event.

   DetectTime
      Zero or one.  The time the event was detected.

   StartTime
      Zero or one.  The time the event started.

   EndTime
      Zero or one.  The time the event ended.

   Contact
      Zero or more.  Contact information for the parties involved in the
      event.

   Assessment
      Zero or one.  The impact of the event on the target and the
      actions taken.

   Method
      Zero or more.  The technique used by the intruder in the event.

   Flow
      Zero or more.  A description of the systems or networks involved.

   Expectation
      Zero or more.  The expected action to be performed by the
      recipient for the described event.

   Record
      Zero or one.  Supportive data (e.g., log files) that provides
      additional information about the event.

   EventData
      Zero or more.  EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events.  When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual events.

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The EventData class has two attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.  The
      default value is "default".

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

3.14.1.  Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident.  In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class.  However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident.  In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in IncidentData.

3.14.2.  Cardinality of EventData

   The EventData class can be thought of as a container for the
   properties of an event in an incident.  These properties include the
   hosts involved, the impact of the incident activity on the hosts,
   forensic logs, etc.  Within an instance of the EventData class, hosts
   (i.e., System class) are grouped around these common properties.
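   The inheritance rule for nested EventData instances, shown as an
   added Python example that is not code from the draft: it walks a
   constructed nested fragment and resolves the leaf instances, which
   are the only ones that represent actual events.  The draft only says
   that nested instances "inherit the values of the parent(s)", so the
   merge policy used here (a 0..1 element such as Assessment is
   overridden by the deepest instance, a 0..* element such as Contact
   or Flow accumulates) is an assumption of this example.

```python
"""Resolve leaf EventData instances of a nested IODEF EventData tree.

Added example; not code from draft-ietf-mile-rfc5070-bis.  The override
policy (singletons overridden by the deepest instance, repeatable
elements accumulated) is an assumption, not something the draft states.
"""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-1.0"
EVENT_DATA = f"{{{NS}}}EventData"

# Cardinalities taken from Figure 24 of the draft.
SINGLETON = {"DetectTime", "StartTime", "EndTime", "Assessment", "Record"}
REPEATED = {"Description", "Contact", "Method", "Flow", "Expectation",
            "AdditionalData"}

# Constructed sample (not from the draft): one parent EventData carrying a
# shared DetectTime, Contact and a default Assessment; two leaf EventData,
# the first overriding the Assessment, the second inheriting it.
SAMPLE = f"""<EventData xmlns="{NS}">
  <DetectTime>2013-10-20T09:00:00Z</DetectTime>
  <Contact role="tech" type="person">
    <ContactName>Constructed Admin</ContactName>
  </Contact>
  <Assessment><Impact severity="medium" completion="succeeded"/></Assessment>
  <EventData>
    <Flow><System category="source"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment><Impact severity="high" completion="succeeded"/></Assessment>
  </EventData>
  <EventData>
    <Flow><System category="source"><Node>
      <Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
  </EventData>
</EventData>"""


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def resolve_events(event_data, inherited=None):
    """Return one dict per leaf EventData, merged with its ancestors' values."""
    merged = dict(inherited or {})   # copy: siblings must not see each other
    children = []
    for el in event_data:
        name = local(el.tag)
        if el.tag == EVENT_DATA:
            children.append(el)
        elif name in SINGLETON:
            merged[name] = el                                  # deepest wins
        elif name in REPEATED:
            merged[name] = list(merged.get(name, [])) + [el]   # accumulate
    if not children:
        return [merged]          # leaf: this is an actual event
    events = []
    for child in children:
        events.extend(resolve_events(child, merged))
    return events


def summarize(xml_text):
    """Plain-data view of every resolved event: who to contact, which hosts,
    what severity, and when it was detected."""
    root = ET.fromstring(xml_text)
    out = []
    for ev in resolve_events(root):
        contacts = [c.findtext(f"{{{NS}}}ContactName")
                    for c in ev.get("Contact", [])]
        addrs = [a.text for f in ev.get("Flow", [])
                 for a in f.iter(f"{{{NS}}}Address")]
        assessment = ev.get("Assessment")
        impact = assessment.find(f"{{{NS}}}Impact") if assessment is not None else None
        detect = ev.get("DetectTime")
        out.append({
            "contacts": contacts,
            "addresses": addrs,
            "severity": impact.get("severity") if impact is not None else None,
            "detect": detect.text if detect is not None else None,
        })
    return out


if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(event)
```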
   The recursive definition (or instance property inheritance) of the
   EventData class (the EventData class is aggregated into the EventData
   class) provides a way to relate information without requiring the
   explicit use of unique attribute identifiers in the classes or
   duplicating information.  Instead, the relative depth (nesting) of a
   class is used to group (relate) information.

   For example, an EventData class might be used to describe two
   machines involved in an incident.  This description can be achieved
   using multiple instances of the Flow class.  It happens that there is
   a common technical contact (i.e., Contact class) for these two
   machines, but the impact (i.e., Assessment class) on them is
   different.  A depiction of the representation for this situation can
   be found in Figure 25.

   +------------------+
   | EventData        |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+

                Figure 25: Recursion in the EventData Class

3.15.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting.  The scope of the requested
   action is limited to the purview of the EventData class in which this
   class is aggregated.

   +-------------------+
   | Expectation       |
   +-------------------+
   | ENUM restriction  |<>--{0..*}--[ Description ]
   | ENUM severity     |<>--{0..1}--[ StartTime ]
   | ENUM action       |<>--{0..1}--[ EndTime ]
   | STRING ext-action |<>--{0..1}--[ Contact ]
   +-------------------+

                      Figure 26: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or many.  ML_STRING.  A free-form description of the desired
      action(s).

   StartTime
      Zero or one.  The time at which the sender would like the action
      performed.  A timestamp that is earlier than the ReportTime
      specified in the Incident class denotes that the sender would like
      the action performed as soon as possible.  The absence of this
      element indicates no expectation of when the recipient should
      perform the action.

   EndTime
      Zero or one.  The time by which the sender expects the recipient
      to complete the action.  If the recipient cannot complete the
      action before EndTime, the recipient MUST NOT carry out the
      action.  Because of transit delays, clock drift, and so on, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one.  The expected actor for the action.

   The Expectation class has six attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.  The
      default value is "default".

   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   action
      Optional.  ENUM.  Classifies the type of action requested.  This
      attribute is an enumerated list with a default value of "other".

      1.   nothing.  No action is requested.  Do nothing with the
           information.

      2.   contact-source-site.  Contact the site(s) identified as the
           source of the activity.

      3.   contact-target-site.  Contact the site(s) identified as the
           target of the activity.

      4.   contact-sender.  Contact the originator of the document.

      5.   investigate.  Investigate the system(s) listed in the event.

      6.   block-host.  Block traffic from the machine(s) listed as
           sources in the event.

      7.   block-network.  Block traffic from the network(s) listed as
           sources in the event.

      8.   block-port.  Block the port listed as sources in the event.

      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
           listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) listed as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  remediate-other.  Remediate the activity in a way other than
           by rate limiting or blocking.

      13.  status-triage.  Conveys receipt and the triaging of an
           incident.

      14.  status-new-info.  Conveys that new information was received
           for this incident.

      15.  watch-and-report.  Watch for the described activity and share
           if seen.

      16.  other.  Perform some custom action described in the
           Description class.

      17.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.

   indicator-uid
      Optional.  STRING.  A unique identifier for an Indicator.

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

3.16.  Flow Class

   The Flow class groups the related source and target hosts.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                          Figure 27: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or more.  A host or network involved in an event.

   The Flow class has no attributes.

3.17.  System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute.
   The value of this category attribute dictates the semantics of the
   aggregated classes in the System class.  If the category attribute
   has a value of "source", then the aggregated classes denote the
   machine and service from which the activity is originating.  With a
   category attribute value of "target" or "intermediary", the machine
   or service is the one targeted in the activity.  A value of "sensor"
   dictates that this System was part of an instrumentation to monitor
   the network.

   +---------------------+
   | System              |
   +---------------------+
   | ENUM restriction    |<>----------[ Node ]
   | ENUM category       |<>--{0..*}--[ Service ]
   | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
   | STRING interface    |<>--{0..*}--[ Counter ]
   | ENUM spoofed        |<>--{0..*}--[ AssetID ]
   | ENUM virtual        |<>--{0..*}--[ Description ]
   | ENUM ownership      |<>--{0..*}--[ AdditionalData ]
   | ENUM ext-ownership  |
   +---------------------+

                         Figure 28: The System Class

   The aggregate classes that constitute System are:

   Node
      One.  A host or network involved in the incident.

   Service
      Zero or more.  A network service running on the system.

   OperatingSystem
      Zero or more.  The operating system running on the system.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

   AssetID
      Zero or more.  An asset identifier for the System.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   The System class has eight attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

   category
      Optional.  ENUM.  Classifies the role the host or network played
      in the incident.  The possible values are:

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  watchlist-source.  The source of the event was on a watchlist.

      4.  watchlist-target.  The target of the event was on a watchlist.

      5.  intermediate.  The System was an intermediary in the event.

      6.  sensor.  The System was a sensor monitoring the event.

      7.  infrastructure.  The System was an infrastructure node of
          IODEF document exchange.

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is probably incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional.  ENUM.  Indicates whether this System is a virtual or
      physical device.  The default value is "no".  The possible values
      are:

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

   ownership
      Optional.  ENUM.  Describes the ownership of this System relative
      to the sender of the IODEF document.  The possible values are:

      1.  organization.  The System is owned by the organization.

      2.  personal.  The System is owned by an employee or affiliate of
          the organization.

      3.  partner.  The System is owned by a partner of the
          organization.

      4.  customer.  The System is owned by a customer of the
          organization.

      5.  no-relationship.  The System is owned by an entity that has no
          known relationship with the organization.

      6.  unknown.  The ownership of the System is unknown.

      7.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-ownership
      Optional.  STRING.  A means by which to extend the ownership
      attribute.  See Section 5.1.

3.18.  Node Class

   The Node class names an asset or network.

   This class was derived from the IDMEF [17].

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ NodeName ]
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ NodeRole ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                          Figure 29: The Node Class

   The aggregate classes that constitute Node are:

   NodeName
      Zero or more.  ML_STRING.  The name of the Node (e.g., fully
      qualified domain name).  This information MUST be provided if no
      Address information is given.

   DomainData
      Zero or more.  The DomainData class and subclasses from RFC 5901.

   Address
      Zero or more.  The hardware, network, or application address of
      the Node.  If a NodeName is not provided, at least one Address
      MUST be specified.

   Location
      Zero or one.  ML_STRING.  A free-form description of the physical
      location of the equipment.

   DateTime
      Zero or one.  A timestamp of when the resolution between the name
      and address was performed.  This information MAY be provided if
      both an Address and NodeName are specified.

   NodeRole
      Zero or more.  The intended purpose of the Node.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

3.18.1.  Counter Class

   The Counter class summarizes multiple occurrences of some event, or
   conveys counts or rates on various features (e.g., packets, sessions,
   events).

   The value of the counter is the element content, with its units
   represented in the type attribute.  A rate for a given feature can be
   expressed by setting the duration attribute.  The complete semantics
   are entirely context dependent, based on the class in which the
   Counter is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                        Figure 30: The Counter Class

   The Counter class has three attributes:

   type
      Required.  ENUM.  Specifies the units of the element content.

      1.   byte.  Count of bytes.

      2.   packet.  Count of packets.

      3.   flow.  Count of flows (e.g., NetFlow records).

      4.   session.  Count of sessions.

      5.   alert.  Count of notifications generated by another system
           (e.g., IDS or SIM).

      6.   message.  Count of messages (e.g., mail messages).

      7.   event.  Count of events.

      8.   host.  Count of hosts.

      9.   site.  Count of sites.

      10.  organization.  Count of organizations.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate
      rather than a count over the entire event.  In that case, this
      attribute specifies the denominator of the rate (where the type
      attribute specifies the numerator).  The possible values of this
      attribute are defined in Section 3.12.2.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.

3.18.2.  Address Class

   The Address class represents a hardware (layer-2), network (layer-3),
   or application (layer-7) address.

   This class was derived from the IDMEF [17].

   +---------------------+
   | Address             |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | STRING vlan-name    |
   | INTEGER vlan-num    |
   +---------------------+

                        Figure 31: The Address Class

   The Address class has five attributes:

   category
      Optional.  ENUM.  The type of address represented.  The permitted
      values for this attribute are shown below.  The default value is
      "ipv4-addr".

      1.   asn.  Autonomous System Number

      2.   atm.  Asynchronous Transfer Mode (ATM) address

      3.   e-mail.  Electronic mail address (RFC 822)

      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
           (a.b.c.d)

      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
           slash, significant bits (a.b.c.d/nn)

      6.   ipv4-net-mask.  IPv4 network address in dotted-decimal
           notation, slash, network mask in dotted-decimal notation
           (a.b.c.d/w.x.y.z)

      7.   ipv6-addr.  IPv6 host address

      8.   ipv6-net.  IPv6 network address, slash, significant bits

      9.   ipv6-net-mask.  IPv6 network address, slash, network mask

      10.  mac.  Media Access Control (MAC) address

      11.  site-uri.  A URL or URI for a site.

      12.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.

   vlan-name
      Optional.  STRING.  The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional.  STRING.  The number of the Virtual LAN to which the
      address belongs.

   indicator-uid
      Optional.  STRING.  A unique identifier for an Indicator.

3.18.3.  NodeRole Class

   The NodeRole class describes the intended function performed by a
   particular host.

   +---------------------+
   | NodeRole            |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | ENUM lang           |
   +---------------------+

                        Figure 32: The NodeRole Class

   The NodeRole class has three attributes:

   category
      Required.  ENUM.  Functionality provided by a node.

      1.   client.  Client computer

      2.   client-enterprise.  Client computer on the enterprise network

      3.   client-partner.  Client computer on the network of a partner

      4.   client-remote.  Client computer remotely connected to the
           enterprise network

      5.   client-kiosk.  Client computer that serves as a kiosk

      6.   client-mobile.  Client is a mobile device

      7.   server-internal.  Server with internal services

      8.   server-public.  Server with public services

      9.   www.  WWW server

      10.  mail.  Mail server

      11.  messaging.  Messaging server (e.g., NNTP, IRC, IM)

      12.  streaming.  Streaming-media server

      13.  voice.  Voice server (e.g., SIP, H.323)

      14.  file.  File server (e.g., SMB, CVS, AFS)

      15.  ftp.  FTP server

      16.  p2p.  Peer-to-peer node

      17.  name.  Name server (e.g., DNS, WINS)

      18.  directory.  Directory server (e.g., LDAP, finger, whois)

      19.  credential.  Credential server (e.g., domain controller,
           Kerberos)

      20.  print.  Print server

      21.  application.  Application server

      22.  database.  Database server

      23.  backup.  Backup server

      24.  dhcp.  DHCP server

      25.  infra.  Infrastructure server (e.g., router, firewall, DHCP)

      26.  infra-firewall.  Firewall

      27.  infra-router.  Router

      28.  infra-switch.  Switch

      29.  camera.  Camera server

      30.  proxy.  Proxy server

      31.  remote-access.  Remote access server

      32.  log.  Log server (e.g., syslog)

      33.  virtualization.  Server running virtual machines

      34.  pos.  Point-of-sale device

      35.  scada.  Supervisory control and data acquisition system

      36.  scada-supervisory.  Supervisory system for a SCADA

      37.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.

   lang
      Optional.  ENUM.  A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

3.19.  Service Class

   The Service class describes a network service of a host or network.
   The service is identified by a specific port or list of ports, along
   with the application listening on that port.

   When Service occurs as an aggregate class of a System that is a
   source, then this service is the one from which activity of interest
   is originating.  Conversely, when Service occurs as an aggregate
   class of a System that is a target, then that service is the one to
   which activity of interest is directed.

   This class was derived from the IDMEF [17].

   +---------------------+
   | Service             |
   +---------------------+
   | INTEGER ip_protocol |<>--{0..1}--[ Port ]
   |                     |<>--{0..1}--[ Portlist ]
   |                     |<>--{0..1}--[ ProtoCode ]
   |                     |<>--{0..1}--[ ProtoType ]
   |                     |<>--{0..1}--[ ProtoField ]
   |                     |<>--{0..1}--[ Application ]
   +---------------------+

                        Figure 33: The Service Class

   The aggregate classes that constitute Service are:

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted
      according to Section 2.10.

   ProtoCode
      Zero or one.  INTEGER.  A layer-4 protocol-specific code field
      (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A layer-4 protocol-specific type field
      (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A layer-4 protocol-specific flag field
      (e.g., TCP flag field).

   Application
      Zero or one.  The application bound to the specified Port or
      Portlist.

   Either a Port or Portlist class MUST be specified for a given
   instance of a Service class.

   When a System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an implicit
   relationship between these Portlists exists.  If N ports are listed
   for a System@category="source", and M ports are listed for
   System@category="target", the number of ports in N must be equal to
   M.  Likewise, the ports MUST be listed in an identical sequence such
   that the n-th port in the source corresponds to the n-th port of the
   target.  If N is greater than 1, a given instance of a Flow class
   MUST only have a single instance of a System@category="source" and
   System@category="target".

   The Service class has three attributes:

   ip_protocol
      Required.  INTEGER.  The IANA protocol number.

   indicator-uid
      Optional.  STRING.  A unique identifier for an Indicator.

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

3.19.1.  Application Class

   The Application class describes an application running on a System
   providing a Service.

   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

                      Figure 34: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.  An identifier that can be used to reference
      this software, where the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference a
      particular configuration of this software, where the default value
      is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.20.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on a
   System.  The definition is identical to the Application class
   (Section 3.19.1).

3.21.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the incident.  The source of
   this data will often be the output of monitoring tools.  These logs
   substantiate the activity described in the document.

   +------------------+
   | Record           |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ RecordData ]
   +------------------+

                          Figure 35: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.  Log or audit data generated by a particular type of
      sensor.  Separate instances of the RecordData class SHOULD be used
      for each sensor type.

   The Record class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.21.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor
   (e.g., IDS, firewall log) and provides a way to annotate the output.
   +------------------+
   | RecordData       |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ DateTime ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..1}--[ Application ]
   |                  |<>--{0..*}--[ RecordPattern ]
   |                  |<>--{0..*}--[ RecordItem ]
   |                  |<>--{0..1}--[ HashInformation ]
   |                  |<>--{0..*}--[ WindowsRegistryKeysModified ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                       Figure 36: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.  Timestamp of the RecordItem data.

   Description
      Zero or more.  ML_STRING.  Free-form textual description of the
      provided RecordItem data.  At minimum, this description should
      convey the significance of the provided RecordItem data.

   Application
      Zero or one.  Information about the sensor used to generate the
      RecordItem data.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant data
      in a RecordItem.

   RecordItem
      Zero or more.  Log, audit, or forensic data.

   HashInformation
      Zero or one.  The file name and hash of a file indicator.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified and that are
      indicator(s).

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   The RecordData class has three attributes:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

   indicator-uid
      Optional.  STRING.  A unique identifier for an Indicator.

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

3.21.2.  RecordPattern Class

   The RecordPattern class describes where in the content of the
   RecordItem relevant information can be found.
   It provides a way to reference subsets of information, identified by
   a pattern, in a large log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                     Figure 37: The RecordPattern Class

   The specific pattern to search for in the RecordItem is defined in
   the body of the element.  It is further annotated by four attributes:

   type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".

      1.  regex.  Regular expression, per Appendix F of [3].

      2.  binary.  Binhex-encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [5]

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.

3.21.3.  RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs,
   audit trails, or forensic data to support the conclusions made during
   the course of analyzing the incident.
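   The offset, offsetunit and instance semantics of RecordPattern
   (Section 3.21.2), applied to RecordItem content, as an added Python
   example that is not part of the draft.  The log lines are constructed
   for the example; reading "instance" as the number of matches to
   return, and using Python's re module in place of the XML Schema
   regular-expression dialect the draft references, are assumptions of
   this example.

```python
"""Apply a RecordPattern (type, offset, offsetunit, instance) to RecordItem bytes.

Added example; not code from draft-ietf-mile-rfc5070-bis.  Only the "regex"
and "binary" pattern types are handled; "xpath" and "ext-value" are not.
"""
import binascii
import re

# Constructed RecordItem content (not from the draft): syslog-style sshd
# lines using RFC 5737 documentation addresses.  Line 1 is 86 bytes long.
RECORD_ITEM = (
    b"Jan 10 10:00:01 gw sshd[411]: Failed password for root from 192.0.2.10 port 5222 ssh2\n"
    b"Jan 10 10:00:05 gw sshd[412]: Accepted publickey for ops from 198.51.100.7 port 5223 ssh2\n"
    b"Jan 10 10:00:09 gw sshd[413]: Failed password for admin from 192.0.2.10 port 5224 ssh2\n"
    b"Jan 10 10:00:12 gw sshd[414]: Failed password for root from 192.0.2.10 port 5225 ssh2\n"
)


def seek_offset(data, offset, offsetunit):
    """Byte position at which matching starts, per offset/offsetunit."""
    if offset <= 0:
        return 0
    if offsetunit == "byte":
        return min(offset, len(data))
    if offsetunit == "line":
        pos = 0
        for _ in range(offset):
            nl = data.find(b"\n", pos)
            if nl < 0:                 # fewer lines than the offset: nothing left
                return len(data)
            pos = nl + 1
        return pos
    # "ext-value" would require ext-offsetunit; not handled in this example
    raise ValueError(f"unsupported offsetunit {offsetunit!r}")


def compile_pattern(pattern, type_):
    """Turn the element content into a compiled bytes pattern."""
    if type_ == "regex":
        return re.compile(pattern.encode("utf-8"), re.MULTILINE)
    if type_ == "binary":
        # HEXBIN element content: the hex string is the literal byte sequence to find
        return re.compile(re.escape(binascii.unhexlify(pattern)))
    raise ValueError(f"unsupported pattern type {type_!r}")


def apply_record_pattern(data, pattern, type_="regex", offset=0,
                         offsetunit="line", instance=None):
    """Return (start, end, matched_bytes) tuples for the pattern in RecordItem data.

    Defaults follow the draft: type "regex", offsetunit "line".  "instance"
    (assumption) caps the number of matches returned; None means all.
    """
    start = seek_offset(data, offset, offsetunit)
    needle = compile_pattern(pattern, type_)
    hits = []
    for m in needle.finditer(data, start):
        hits.append((m.start(), m.end(), m.group(0)))
        if instance is not None and len(hits) >= instance:
            break
    return hits


def matching_lines(data, hits):
    """Whole log lines containing the hits, for presentation to an analyst."""
    lines = []
    for start, _end, _match in hits:
        line_start = data.rfind(b"\n", 0, start) + 1
        line_end = data.find(b"\n", start)
        if line_end < 0:
            line_end = len(data)
        lines.append(data[line_start:line_end].decode("utf-8", "replace"))
    return lines


if __name__ == "__main__":
    # Skip the first line, then report every failed password from 192.0.2.10.
    hits = apply_record_pattern(
        RECORD_ITEM, r"Failed password for \S+ from 192\.0\.2\.10", offset=1)
    for line in matching_lines(RECORD_ITEM, hits):
        print(line)
```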
   The class supports both the direct encapsulation of the data and
   primitives to reference data stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.8).

3.22.  RegistryKeyModified Class

   The RegistryKeyModified class represents operating system registry
   keys that have been modified and may constitute an indicator of
   compromise.

   +-----------------------+
   | RegistryKeyModified   |
   +-----------------------+
   |                       |<>----------[ Key ]
   +-----------------------+

                  Figure 38: The RegistryKeyModified Class

   The aggregate class that constitutes the RegistryKeyModified class
   is:

   Key
      One.  The Windows Registry Key.

3.22.1.  Key Class

   The Key class shows name and value pairs representing an operating
   system registry key and its value.  The key and value are encoded as
   in Microsoft .reg files.

   +--------------------------+
   | Key                      |
   +--------------------------+
   | ENUM registryaction      |<>--{0..*}--[ KeyName ]
   | STRING ext-category      |<>--{0..*}--[ Value ]
   | ENUM type                |
   | STRING ext-type          |
   | STRING indicator-uid     |
   | STRING indicator-set-id  |
   +--------------------------+

                 Figure 39: The Registry Key Modified Class

   The aggregate classes that constitute Key are:

   KeyName
      Zero or more.  The name of the registry key.

   Value
      Zero or more.  The value of the registry key.

   The Key class has six attributes:

   registryaction
      Optional.  ENUM.  The type of action.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified for registry key.

      7.  ext-value.  External value.

   ext-category
      Optional.  Extension category.

   type
      Optional.  Type.

      1.  watchlist.  Registry key information that is provided in a
          watchlist.

      2.  ext-value.  Registry key information from an external source.

   indicator-uid
      Optional.  STRING.  A unique identifier for an Indicator.

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

3.23.  HashInformation Class

   This class holds the hash and signature details that are needed to
   provide context for indicators.

   +--------------------------+
   | HashInformation          |
   +--------------------------+
   | ENUM type                |<>--{0..*}--[ FileName ]
   | STRING ext-category      |<>--{0..*}--[ FileSize ]
   | BOOL valid               |<>--{0..*}--[ ds:Signature ]
   | STRING indicator-uid     |<>--{0..*}--[ ds:KeyInfo ]
   | STRING indicator-set-id  |<>--{0..*}--[ ds:Reference ]
   +--------------------------+

                   Figure 40: The Hash Sig Details Class

   The aggregate classes that constitute HashInformation are:

   FileName
      Zero or more.  ML_STRING.  The name of the file.

   FileSize
      Zero or more.  INTEGER.  The size of the file in bytes.

   ds:Signature
      Zero or more.

   ds:KeyInfo
      Zero or more.

   ds:Reference
      Zero or more.  The algorithm identification and value of a hash
      computed over the malware executable.  This entire element is
      imported from [RFC3275].  Refer to RFC 5901.

   The HashInformation class has five attributes:

   type
      Optional.  ENUM.  The hash type.

      1.   PKI-email-ds.  PKI email digital signature.

      2.   PKI-file-ds.  PKI file digital signature.

      3.   PKI-email-ds_watchlist.  Watchlist of PKI email digital
           signatures.

      4.   PKI-file-ds_watchlist.  Watchlist of PKI file digital
           signatures.

      5.   PGP-email-ds.  PGP email digital signature.

      6.   PGP-file-ds.  PGP file digital signature.

      7.   PGP-email-ds-watchlist.  Watchlist of PGP email digital
           signatures.

      8.   PGP-file-ds-watchlist.  Watchlist of PGP file digital
           signatures.

      9.   file-hash.  A file hash.

      10.  email-hash.  An email hash.

      11.  file-hash-watchlist.  Watchlist of file hashes.

      12.  email-hash-watchlist.  Watchlist of email hashes.

      13.  ext-value.  Extension value.

   indicator-uid
      Optional.  STRING.  A unique identifier for an Indicator.

   indicator-set-id
      Optional.  STRING.  The indicator set ID is used to group related
      indicators.

4.  Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration, and MUST
   specify the XML version used.  If UTF-8 encoding is not used, the
   character encoding MUST also be explicitly specified.  The IODEF
   conforms to all XML data encoding conventions and constraints.

   The XML declaration with no character encoding will read as follows:

   <?xml version="1.0" ?>

   When a character encoding is specified, the XML declaration will read
   like the following:

   <?xml version="1.0" encoding="charset" ?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA), see [9].

   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe).  These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
   respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4].  Each
   IODEF document MUST include a valid reference to the IODEF schema
   using the "xsi:schemaLocation" attribute.  An example of such a
   declaration would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding
   extensible attribute has been set to "ext-value".

5.2.
Extending Classes

   The classes of the data model can be extended only through the use of
   the AdditionalData and RecordItem classes.  These container classes,
   collectively referred to as the extensible classes, are implemented
   with the iodef:ExtensionType data type in the schema.  They provide
   the ability to have new atomic or XML-encoded data elements in all of
   the top-level classes of the Incident class and a few of the more
   complicated subordinate classes.  As there are multiple instances of
   the extensible classes in the data model, there is discretion on
   where to add a new data element.  It is RECOMMENDED that the
   extension be placed in the class most closely related to the new
   information.

   Extensions using the atomic data types (i.e., all values of the dtype
   attribute other than "xml") MUST:

   1.  Set the element content of the extensible class to the desired
       value, and

   2.  Set the dtype attribute to correspond to the data type of the
       element content.

   The following guidelines exist for extensions using XML:

   1.  The element content of the extensible class MUST be set to the
       desired value and the dtype attribute MUST be set to "xml".

   2.  The extension schema MUST declare a separate namespace.  It is
       RECOMMENDED that these extensions have the prefix "iodef-".  This
       recommendation makes the document easier to read by allowing the
       reader to infer which namespaces relate to IODEF by inspection.

   3.  It is RECOMMENDED that extension schemas follow the naming
       convention of the IODEF data model.  This makes reading an
       extended IODEF document look like any other IODEF document.  The
       names of all elements are capitalized.  For elements with
       composed names, a capital letter is used for each word.
       Attribute names are lower case.  Attributes with composed names
       are separated by a hyphen.

   4.  Parsers that encounter an unrecognized element in a namespace
       that they do support MUST reject the document as a syntax error.

   5.  There are security and performance implications in requiring
       implementations to dynamically download schemas at run time.
       Thus, implementations SHOULD NOT download schemas at runtime,
       unless implementations take appropriate precautions and are
       prepared for potentially significant network, processing, and
       time-out demands.

   6.  Some users of the IODEF may have private schema definitions that
       might not be available on the Internet.  In this situation, if an
       IODEF document leaks out of the private use space, references to
       some of those document schemas may not be resolvable, so
       references to private schemas may never resolve.  In addition to
       the recommendation above that implementations not download
       schemas at runtime, recipients MUST be prepared for a schema
       definition in an IODEF document never to resolve.

   The following schema and XML document excerpt provide a template for
   an extension schema and its use in the IODEF document.

   This example schema defines a namespace of "iodef-extension1" and a
   single element named "newdata".

      (The schema text did not survive extraction; of it, only the
      declarations attributeFormDefault="unqualified" and
      elementFormDefault="qualified" remain.)

   The following XML excerpt demonstrates the use of the above schema as
   an extension to the IODEF.

      (The excerpt did not survive extraction; of it, only the content
      of the extension element, "Field that could not be represented
      elsewhere", remains.)

   (The text between this point and the first example of Section 7,
   including that example's heading, did not survive extraction.  The
   example's XML markup is also lost; its data values are:)

      Incident 189493, reported 2001-09-13T23:19:24+00:00: "Host
      sending out Code Red probes".  Reporting contact: Example.com
      CSIRT (example-com), contact@csirt.example.com.
      Source: 192.0.2.200 (count 57).  Target: 192.0.2.16/28, port 80.
      Entry dated 2001-09-13T18:11:21+02:00 from the web-server logs:

         192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

      Full logs at http://mylogs.example.com/logs/httpd_access.
      On 2001-09-14T08:19:01+00:00: "Notification sent to
      constituency-contact@192.0.2.200".

7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

   (The XML of this example did not survive extraction; its data values
   are:)

      Incident 59334, reported 2006-08-02T05:54:02-05:00.  Tool: nmap,
      http://nmap.toolsite.example.com.  Contacts: CSIRT for
      example.com, contact@csirt.example.com, +1 412 555 12345; Joe
      Smith, smith@csirt.example.com.
      Sources: 192.0.2.200 (ports 60524,60526,60527,60531);
      192.0.2.201 (ports 137-139,445).
      Targets: 192.0.2.240; 192.0.2.64/28 (port 445).

7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

   (The XML of this example did not survive extraction; its data values
   are:)

      Incident 908711, reported 2006-06-08T05:44:53-05:00: "Large
      bot-net".  Method: GT Bot; reference CA-2003-22,
      http://www.cert.org/advisories/CA-2003-22.html, "Root compromise
      via this IE vulnerability to install the GT Bot".  Contact: Joe
      Smith, jsmith@csirt.example.com.  "These hosts are compromised and
      acting as bots communicating with irc.example.com."
      Sources: 192.0.2.1 (count 10000, "bot"); 192.0.2.3 (count
      250000, "bot").
      irc.example.com (192.0.2.20), seen 2006-06-08T01:01:03-05:00:
      "IRC server on #give-me-cmd channel".
      Requested action: "Confirm the source and take machines off-line
      and remediate".

7.4.  Watch List

   An example of a CSIRT conveying a watch-list.

   (The XML of this example did not survive extraction; its data values
   are:)

      Incident 908711, reported 2006-08-01T00:00:00-05:00: "Watch-list
      of known bad IPs or networks".  Contact: CSIRT for example.com,
      contact@csirt.example.com.
      192.0.2.53: "Source of numerous attacks".
      192.0.2.16/28: "Source of heavy scanning over past 1-month".
      192.0.2.241: "C2 IRC server".
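   The following Python program is added here as an illustration and is
   not part of the draft.  It walks a receiver through the rules above
   applied to a document like those in this section: it parses without
   dereferencing xsi:schemaLocation, a DTD or any external entity
   (Section 5.2, items 5 and 6), rejects unknown elements in the IODEF
   namespace and misuse of the extensible classes and ext- attributes
   (Sections 5 and 5.2), and then enforces the sender's restriction
   attribute before the document is stored or forwarded, which is the
   recipient-side handling the Security Considerations (Section 9)
   leave open.  The sample document is constructed from the values of
   the Section 7.3 example and the Section 5.2 extension template.  The
   set of known element names, the schema URL, the disclosure levels
   "public" < "need-to-know" < "private" and the reading of "default" as
   a policy pre-arranged between sender and recipient are assumptions;
   the namespace is the iodef-1.0 one of Section 4.2 (Section 10
   registers iodef-2.0; only the constant changes).

```python
"""IODEF receiver pipeline: parse safely, apply Sections 4.1/5/5.2, honour
the restriction attribute (Section 9).  Added example, not the draft's code."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"   # Section 4.2 (Section 10 registers iodef-2.0)
EXT_NS = "iodef-extension1"                      # extension namespace from the Section 5.2 template
# Assumed subset of the data model; a real receiver derives this from the schema.
KNOWN_IODEF = {"IODEF-Document", "Incident", "IncidentID", "ReportTime", "Description",
               "Contact", "ContactName", "Email", "AdditionalData"}
# restriction levels, least to most restrictive (assumed from the IODEF data model).
LEVELS = {"public": 0, "need-to-know": 1, "private": 2}

# Constructed sample: values from the Section 7.3 example plus the Section 5.2
# extension element.  xsi:schemaLocation names an assumed URL that is never fetched.
SAMPLE = f'''<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document lang="en" xmlns="{IODEF_NS}" xmlns:iodef-ext1="{EXT_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="{IODEF_NS} https://schema.example.com/iodef.xsd">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-06-08T05:44:53-05:00</ReportTime>
    <Description>Large bot-net &amp; C2 on &lt;irc.example.com&gt;</Description>
    <Contact role="creator" type="person" restriction="private">
      <ContactName>Joe Smith</ContactName>
      <Email>jsmith@csirt.example.com</Email>
    </Contact>
    <AdditionalData dtype="xml" restriction="default">
      <iodef-ext1:newdata>Field that could not be represented elsewhere</iodef-ext1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>
'''


def _refuse_doctype(*_):
    raise ValueError("DOCTYPE is not permitted")   # IODEF needs no DTD; a DTD is attack surface


def parse(xml_data):
    """Parse with DTD, external-entity and schema resolution refused (Section 5.2,
    items 5 and 6).  Raises ValueError for malformed or disallowed input."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    guard = xml.parsers.expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _refuse_doctype
    guard.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    guard.ExternalEntityRefHandler = lambda *_: 0   # returning 0 refuses the reference
    try:
        guard.Parse(xml_data, True)
    except xml.parsers.expat.ExpatError as err:
        raise ValueError(f"malformed XML: {err}") from None
    return ET.fromstring(xml_data)   # no DOCTYPE got past the guard, so nothing expands here


def check(root):
    """Return the list of rule violations; an empty list means the document passed."""
    problems = []
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns == IODEF_NS and local not in KNOWN_IODEF:   # Section 5.2, item 4
            problems.append(f"{local}: unknown element in the IODEF namespace")
        for name, value in el.attrib.items():           # Section 5: ext-X <=> X="ext-value"
            if name.startswith("ext-") and el.get(name[4:]) != "ext-value":
                problems.append(f"{local}: {name} set but {name[4:]} is not ext-value")
            elif value == "ext-value" and f"ext-{name}" not in el.attrib:
                problems.append(f"{local}: {name}=ext-value without ext-{name}")
        if ns == IODEF_NS and local in ("AdditionalData", "RecordItem"):   # Section 5.2
            children = list(el)
            if el.get("dtype") == "xml":
                if not children:
                    problems.append(f"{local}: dtype=xml without element content")
                problems += [f"{local}: XML extension must use its own namespace"
                             for c in children if c.tag.startswith("{" + IODEF_NS + "}")]
            elif children:
                problems.append(f"{local}: element content requires dtype=xml")
    return problems


def redact(root, max_level, default_policy="private"):
    """Drop every element whose effective restriction is stricter than max_level.
    Unmarked elements inherit their parent's level; an unmarked Incident, an
    unknown value and (unless told otherwise) "default" count as private."""
    limit = LEVELS[max_level]

    def walk(parent, inherited):
        for child in list(parent):
            level = child.get("restriction", inherited)
            if level == "default":
                level = default_policy
            if LEVELS.get(level, LEVELS["private"]) > limit:   # unknown value: fail closed
                parent.remove(child)
            else:
                walk(child, level)

    walk(root, "private")
    return root


def local_names(root):
    """Local names of all elements in document order."""
    return [el.tag.rpartition("}")[2] for el in root.iter()]


if __name__ == "__main__":
    doc = parse(SAMPLE)
    print("violations:", check(doc))
    print(local_names(redact(doc, "need-to-know", default_policy="need-to-know")))
```

   The up-front expat pass is what makes the later xml.etree parse safe:
   with no DOCTYPE there are no entities to expand and nothing to fetch,
   and xsi:schemaLocation is simply carried as an attribute.  A
   production receiver would typically reach for a purpose-built
   hardened parser such as defusedxml and a full schema validation
   against a locally stored copy of the schema; the checks in check()
   are the subset the draft states in prose.  redact() is deliberately
   conservative: a restriction value it has never seen, and "default"
   when no bilateral policy is supplied, both remove the element.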
8.  The IODEF Schema

   (The XML Schema did not survive extraction.  Of it, only its
   documentation string remains: "Incident Object Description Exchange
   Format v2.0, RFC5070-bis".)

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.
   The former must be handled by a messaging format, but the latter risk
   must be addressed by the systems that process, store, and archive
   IODEF documents and information derived from them.

   The contents of an IODEF document may include a request for action,
   or an IODEF parser may independently have logic to take certain
   actions based on information that it finds.  For this reason, care
   must be taken by the parser to properly authenticate the origin of
   the document and ascribe an appropriate confidence to the data prior
   to taking any action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time
   Inter-network Defense (RID) protocol [18] and its associated
   transport binding IODEF/RID over SOAP [19] provide such security.

   In order to suggest data processing and handling guidelines for the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document uses URNs to describe an XML namespace and schema
   conforming to the registry mechanism described in [15].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.
   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

11.  Acknowledgments

   The following groups and individuals contributed substantially to
   this document and should be recognized for their efforts.

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  The eCSIRT.net Project

   o  The Incident Object Description and Exchange Format Working-Group
      of the TERENA task-force (TF-CSIRT)

   o  Glenn Mansfield Keeni, Cyber Solutions, Inc.

   o  Hiroyuki Kido, NARA Institute of Science and Technology

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Jan Meijer, SURFnet bv

   o  Yuri Demchenko, University of Amsterdam

12.  References

12.1.  Normative References

   [1]   World Wide Web Consortium, "Extensible Markup Language (XML)
         1.0 (Second Edition)", W3C Recommendation, October 2000.

   [2]   World Wide Web Consortium, "XML Schema Part 1: Structures
         Second Edition", W3C Recommendation, October 2004.

   [3]   World Wide Web Consortium, "XML Schema Part 2: Datatypes
         Second Edition", W3C Recommendation, October 2004.

   [4]   World Wide Web Consortium, "Namespaces in XML", W3C
         Recommendation, January 1999.

   [5]   World Wide Web Consortium, "XML Path Language (XPath) 2.0",
         W3C Candidate Recommendation, June 2006.

   [6]   Bradner, S., "Key words for use in RFCs to Indicate
         Requirement Levels", BCP 14, RFC 2119, March 1997.

   [7]   Phillips, A. and M. Davis, "Tags for Identifying Languages",
         BCP 47, RFC 4646, September 2006.

   [8]   Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
         Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
         January 2005.

   [9]   Freed, N. and J. Postel, "IANA Charset Registration
         Procedures", BCP 19, RFC 2978, October 2000.

   [10]  Sciberras, A., "Schema for User Applications", RFC 4519,
         June 2006.

   [11]  Resnick, P., "Internet Message Format", RFC 2822, April 2001.

   [12]  Klyne, G. and C. Newman, "Date and Time on the Internet:
         Timestamps", RFC 3339, July 2002.

   [13]  International Organization for Standardization, "International
         Standard: Data elements and interchange formats - Information
         interchange - Representation of dates and times", ISO 8601,
         Second Edition, December 2000.

   [14]  International Organization for Standardization, "International
         Standard: Codes for the representation of currencies and
         funds", ISO 4217:2001, August 2001.

   [15]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
         January 2004.

12.2.  Informative References

   [16]  Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements for
         the Format for Incident Information Exchange (FINE)", Work in
         Progress, June 2006.

   [17]  Debar, H., Curry, D., and B. Feinstein, "The Intrusion
         Detection Message Exchange Format (IDMEF)", RFC 4765, March
         2007.

   [18]  Moriarty, K., "Real-time Inter-network Defense", Work in
         Progress, April 2007.

   [19]  Moriarty, K. and B. Trammell, "IODEF/RID over SOAP", Work in
         Progress, April 2007.

   [20]  Shafranovich, Y., "Common Format and MIME Type for
         Comma-Separated Values (CSV) Files", RFC 4180, October 2005.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com