MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
Expires: January 24, 2015                                 July 23, 2014

          The Incident Object Description Exchange Format v2
                     draft-ietf-mile-rfc5070-bis-07

Abstract

The Incident Object Description Exchange Format (IODEF) defines a data representation for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.
Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on January 24, 2015.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

1. Introduction
   1.1. Changes from 5070
   1.2. Terminology
   1.3. Notations
   1.4. About the IODEF Data Model
   1.5. About the IODEF Implementation
2. IODEF Data Types
   2.1. Integers
   2.2. Real Numbers
   2.3. Characters and Strings
   2.4. Multilingual Strings
   2.5. Bytes
   2.6. Hexadecimal Bytes
   2.7. Enumerated Types
   2.8. Date-Time Strings
   2.9. Timezone String
   2.10. Port Lists
   2.11. Postal Address
   2.12. Person or Organization
   2.13. Telephone and Fax Numbers
   2.14. Email String
   2.15. Uniform Resource Locator strings
   2.16. Identifiers and Identifier References
3. The IODEF Data Model
   3.1. IODEF-Document Class
   3.2. Incident Class
   3.3. Common Attributes
      3.3.1. restriction Attribute
      3.3.2. observable-id Attribute
   3.4. IncidentID Class
   3.5. AlternativeID Class
   3.6. RelatedActivity Class
   3.7. ThreatActor Class
   3.8. Campaign Class
   3.9. AdditionalData Class
   3.10. Contact Class
      3.10.1. RegistryHandle Class
      3.10.2. PostalAddress Class
      3.10.3. Email Class
      3.10.4. Telephone and Fax Classes
   3.11. Time Classes
      3.11.1. StartTime Class
      3.11.2. EndTime Class
      3.11.3. DetectTime Class
      3.11.4. ReportTime Class
      3.11.5. DateTime
   3.12. Discovery Class
      3.12.1. DetectionPattern Class
   3.13. Method Class
      3.13.1. Reference Class
   3.14. Assessment Class
      3.14.1. Impact Class
      3.14.2. BusinessImpact Class
      3.14.3. TimeImpact Class
      3.14.4. MonetaryImpact Class
      3.14.5. Confidence Class
   3.15. History Class
      3.15.1. HistoryItem Class
   3.16. EventData Class
      3.16.1. Relating the Incident and EventData Classes
      3.16.2. Cardinality of EventData
   3.17. Expectation Class
   3.18. Flow Class
   3.19. System Class
   3.20. Node Class
      3.20.1. Address Class
      3.20.2. NodeRole Class
      3.20.3. Counter Class
   3.21. DomainData Class
      3.21.1. RelatedDNS
      3.21.2. Nameservers Class
      3.21.3. DomainContacts Class
   3.22. Service Class
      3.22.1. ApplicationHeader Class
      3.22.2. Application Class
   3.23. OperatingSystem Class
   3.24. EmailData Class
   3.25. Record Class
      3.25.1. RecordData Class
      3.25.2. RecordPattern Class
      3.25.3. RecordItem Class
   3.26. WindowsRegistryKeysModified Class
      3.26.1. Key Class
   3.27. HashData Class
   3.28. IndicatorData Class
   3.29. Indicator Class
      3.29.1. IndicatorID Class
      3.29.2. AlternativeIndicatorID Class
      3.29.3. Observable Class
      3.29.4. IndicatorExpression Class
      3.29.5. ObservableReference Class
      3.29.6. IndicatorReference Class
4. Processing Considerations
   4.1. Encoding
   4.2. IODEF Namespace
   4.3. Validation
   4.4. Incompatibilities with v1
5. Extending the IODEF
   5.1. Extending the Enumerated Values of Attributes
   5.2. Extending Classes
6. Internationalization Issues
7. Examples
   7.1. Worm
   7.2. Reconnaissance
   7.3. Bot-Net Reporting
   7.4. Watch List
8. The IODEF Schema
9. Security Considerations
10. IANA Considerations
11. Acknowledgments
12. References
   12.1. Normative References
   12.2. Informative References

1. Introduction

Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a bot-network, or sharing watch-lists of known malicious IP addresses in a consortium.

The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs). It provides an XML representation for conveying:

o cyber intelligence to characterize threats;

o cyber incident reports to document particular cyber security events or relationships between events;

o cyber event mitigation to request proactive and reactive mitigation approaches to cyber intelligence or incidents; and

o cyber information sharing meta-data so that these various classes of information can be exchanged among parties.

The data model encodes information about hosts, networks, and the services running on these systems; attack methodology and associated forensic evidence; impact of the activity; and limited approaches for documenting workflow.

The overriding purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Community adoption of the IODEF provides an improved ability to resolve incidents and convey situational awareness by simplifying collaboration and data sharing.
This structured format provided by the IODEF allows for:

o increased automation in processing of incident data, since the resources of security analysts to parse free-form textual documents will be reduced;

o decreased effort in normalizing similar data (even when highly structured) from different sources; and

o a common format on which to build interoperable tools for incident handling and subsequent analysis, specifically when data comes from multiple constituencies.

Coordinating with other CSIRTs is not strictly a technical problem. There are numerous procedural, trust, and legal considerations that might prevent an organization from sharing information. The IODEF does not attempt to address them. However, operational implementations of the IODEF will need to consider this broader context.

Sections 3 and 8 specify the IODEF data model with text and an XML schema. The types used by the data model are covered in Section 2. Processing considerations, the handling of extensions, and internationalization issues related to the data model are covered in Sections 4, 5, and 6, respectively. Examples are listed in Section 7. Section 1 provides the background for the IODEF, and Section 9 documents the security considerations.

1.1. Changes from 5070

This document contains changes with respect to its predecessor RFC5070.

o All of the RFC5070 Errata was implemented.

o Imported the xmlns:ds namespace to include digital signature hash classes.

o The @indicator-* attributes were added to various classes to reference commonly shared indicators.

o The following classes were added to IODEF-Document: AdditionalData.

o The following class was added to Incident: IndicatorData.

o The following classes were added to Incident and EventData: Discovery.
o The following classes and attributes were added to the Service class: EmailData, DomainData, AssetID, ApplicationHeader, @virtual, and @ownership. Service@ip_protocol was renamed to @ip-protocol.

o The following classes were added to the Record class: FileName and WindowsRegistryKeysModified.

o The following classes were added to the RelatedActivity class: ThreatActor, Campaign, Confidence, Description, and AdditionalData.

o The following classes were added to Assessment: BusinessImpact.

o The following classes were added to Node: PostalAddress and DomainData. The following classes were removed from Node: NodeName and DateTime.

o The following classes were added to the Contact class: ContactTitle.

o The following classes were added to Expectation and HistoryItem: DefinedCOA.

o (for consideration) The following attribute was added to the SoftwareType complexType: user-agent.

o Additional enumerated values were added to the following attributes: @restriction, {Expectation, HistoryItem}@action, NodeRole@category, Incident@purpose, Contact@role, AdditionalData@dtype, System@spoofed.

1.2. Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [refs.requirements].

1.3. Notations

The normative IODEF data model is specified with the text in Section 3 and the XML schema in Section 8. To help in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.
For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to specific elements and attributes of the IODEF schema. The terms "class" and "element" will be used interchangeably to reference either the corresponding data element in the information or data models, respectively.

1.4. About the IODEF Data Model

The IODEF data model is a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents. A number of considerations were made in the design of the data model.

o The data model serves as a transport format. Therefore, its specific representation is not the optimal representation for on-disk storage, long-term archiving, or in-memory processing.

o As there is no precise widely agreed upon definition for an incident, the data model does not attempt to dictate one through its implementation. Rather, a broad understanding is assumed in the IODEF that is flexible enough to encompass most operators.

o Describing an incident for all definitions would require an extremely complex data model. Therefore, the IODEF only intends to be a framework to convey commonly exchanged incident information. It ensures that there are ample mechanisms for extensibility to support organization-specific information, and techniques to reference information kept outside of the explicit data model.

o The domain of security analysis is not fully standardized and must rely on free-form textual descriptions. The IODEF attempts to strike a balance between supporting this free-form content, while still allowing automated processing of incident information.

o The IODEF is only one of several security relevant data representations being standardized.
Attempts were made to ensure they were complementary. The data model of the Intrusion Detection Message Exchange Format [RFC4765] influenced the design of the IODEF.

Further discussion of the desirable properties for the IODEF can be found in the Requirements for the Format for Incident Information Exchange (FINE) [refs.requirements].

1.5. About the IODEF Implementation

The IODEF implementation is specified as an Extensible Markup Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

Implementing the IODEF in XML provides numerous advantages. Its extensibility makes it ideal for specifying a data encoding framework that supports various character encodings. Likewise, the abundance of related technologies (e.g., XSL, XPath, XML-Signature) makes for simplified manipulation. However, XML is fundamentally a text representation, which makes it inherently inefficient when binary data must be embedded or large volumes of data must be exchanged.

2. IODEF Data Types

The various data elements of the IODEF data model are typed. This section discusses these data types. When possible, native Schema data types were adopted, but for more complicated formats, regular expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external standards were used.

2.1. Integers

An integer is represented by the INTEGER data type. Integer data MUST be encoded in Base 10.

The INTEGER data type is implemented as an "xs:integer" in [W3C.SCHEMA.DTYPES].

2.2. Real Numbers

Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10.

The REAL data type is implemented as an "xs:float" in [W3C.SCHEMA.DTYPES].

2.3. Characters and Strings

A single character is represented by the CHARACTER data type. A character string is represented by the STRING data type. Special characters must be encoded using entity references.
See Section 4.1.

The CHARACTER and STRING data types are implemented as an "xs:string" in [W3C.SCHEMA.DTYPES].

2.4. Multilingual Strings

STRING data that represents multi-character attributes in a language different than the default encoding of the document is of the ML_STRING data type.

The ML_STRING data type is implemented as an "iodef:MLStringType" in the schema.

2.5. Bytes

A binary octet is represented by the BYTE data type. A sequence of binary octets is represented by the BYTE[] data type. These octets are encoded using base64.

The BYTE data type is implemented as an "xs:base64Binary" in [W3C.SCHEMA.DTYPES].

2.6. Hexadecimal Bytes

A binary octet is represented by the HEXBIN (and HEXBIN[]) data type. This octet is encoded as a character tuple consisting of two hexadecimal digits.

The HEXBIN data type is implemented as an "xs:hexBinary" in [W3C.SCHEMA.DTYPES].

2.7. Enumerated Types

Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values. Each value has a representative keyword. Within the IODEF schema, the enumerated type keywords are used as attribute values.

The ENUM data type is implemented as a series of "xs:NMTOKEN" in the schema.

2.8. Date-Time Strings

Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported.

Date-time strings are formatted according to a subset of [ISO8601] documented in [RFC3339].

The DATETIME data type is implemented as an "xs:dateTime" in the schema.

2.9. Timezone String

A timezone offset from UTC is represented by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
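As an added example (not code from the draft or its schema), the following Python validators implement the scalar types of Section 2 from the definitions given there: INTEGER and REAL as base-10 literals, BYTE[] as base64, HEXBIN as hex-digit pairs, DATETIME as the RFC 3339 subset with a mandatory offset, TIMEZONE with the exact regular expression above, and the PORTLIST expression of Section 2.10 (which follows), whose regular expression alone does not bound ports to 0-65535 or require N <= M in a range. The `raises_value_error` helper and the bounds checks are additions of this example, not requirements stated by the draft.

```python
"""Validators for IODEF scalar data types (Section 2), written from the
draft's own definitions.  Added example; not code from the draft."""
import base64
import binascii
import re
from datetime import datetime

# Section 2.9: the draft's TIMEZONE regular expression, anchored.
TIMEZONE_RE = re.compile(r"^(Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9])$")
# Section 2.10: the draft's PORTLIST regular expression, anchored.
PORTLIST_RE = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")
# Sections 2.1/2.2: base-10 literals; REAL follows the xs:float lexical form.
INTEGER_RE = re.compile(r"^[+-]?[0-9]+$")
REAL_RE = re.compile(r"^[+-]?(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?$")
# Section 2.6: each octet is a tuple of two hexadecimal digits.
HEXBIN_RE = re.compile(r"^(?:[0-9a-fA-F]{2})*$")
# Section 2.8: RFC 3339 date-time; RFC 3339 makes the time offset mandatory.
DATETIME_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def check_integer(text):
    """INTEGER: optional sign followed by base-10 digits only."""
    return INTEGER_RE.match(text) is not None


def check_real(text):
    """REAL: base-10 decimal with optional exponent (xs:float form)."""
    return REAL_RE.match(text) is not None


def check_timezone(text):
    """TIMEZONE: 'Z' or a signed offset with hours 00-14 and minutes 00-59."""
    return TIMEZONE_RE.match(text) is not None


def decode_hexbin(text):
    """HEXBIN[] -> bytes; odd length or non-hex characters are rejected."""
    if not HEXBIN_RE.match(text):
        raise ValueError("HEXBIN must be pairs of hex digits: %r" % text)
    return bytes.fromhex(text)


def decode_bytes(text):
    """BYTE[] -> bytes; strict base64 (alphabet and padding are checked)."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("BYTE[] is not valid base64: %r" % text) from exc


def parse_datetime(text):
    """DATETIME -> timezone-aware datetime.  The offset is re-checked with
    the TIMEZONE regex, so an offset such as +15:00 is rejected."""
    m = DATETIME_RE.match(text)
    if not m or not check_timezone(m.group(3)):
        raise ValueError("not an RFC 3339 date-time with offset: %r" % text)
    base, frac, tz = m.groups()
    # datetime.fromisoformat() (Python 3.7+) wants 3 or 6 fractional digits.
    frac = "." + frac[1:7].ljust(6, "0") if frac else ""
    return datetime.fromisoformat(base + frac + ("+00:00" if tz == "Z" else tz))


def expand_portlist(text):
    """PORTLIST -> sorted list of individual ports.  The regex accepts
    '80-20' and '70000'; the range checks below are what reject them."""
    if not PORTLIST_RE.match(text):
        raise ValueError("not a PORTLIST: %r" % text)
    ports = set()
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r in %r" % (item, text))
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def raises_value_error(func, *args):
    """True if func(*args) raises ValueError (used to exercise rejections)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The PORTLIST example string is the one given in Section 2.10.
    print(expand_portlist("2,5-15,30,32,40-50,55-60"))
    print(parse_datetime("2014-07-23T10:00:00-05:00").isoformat())
    print(check_timezone("+14:00"), check_timezone("+15:00"))
```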
The TIMEZONE data type is implemented as an "xs:string" with a regular expression constraint in [W3C.SCHEMA.DTYPES]. This regular expression is identical to the timezone representation implemented in an "xs:dateTime".

2.10. Port Lists

A list of network ports is represented by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60".

The PORTLIST data type is implemented as an "xs:string" with a regular expression constraint in the schema.

2.11. Postal Address

A postal address is represented by the POSTAL data type. This data type is an ML_STRING whose format is documented in Section 2.23 of [RFC4519]. It defines a postal address as a free-form multi-line string separated by the "$" character.

The POSTAL data type is implemented as an "xs:string" in the schema.

2.12. Person or Organization

The name of an individual or organization is represented by the NAME data type. This data type is an ML_STRING whose format is documented in Section 2.3 of [RFC4519].

The NAME data type is implemented as an "xs:string" in the schema.

2.13. Telephone and Fax Numbers

A telephone or fax number is represented by the PHONE data type. The format of the PHONE data type is documented in Section 2.35 of [RFC4519].

The PHONE data type is implemented as an "xs:string" in the schema.

2.14. Email String

An email address is represented by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

The EMAIL data type is implemented as an "xs:string" in the schema.

2.15. Uniform Resource Locator strings

A uniform resource locator (URL) is represented by the URL data type.
The format of the URL data type is documented in [RFC3986].

The URL data type is implemented as an "xs:anyURI" in the schema.

2.16. Identifiers and Identifier References

An identifier unique to the Document is represented by the ID data type. A reference to this identifier is represented by the IDREF data type. The acceptable format of ID and IDREF is documented in Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF" in the schema.

3. The IODEF Data Model

In this section, the individual components of the IODEF data model will be discussed in detail. For each class, the semantics will be described and the relationship with other classes will be depicted with UML. When necessary, specific comments will be made about the corresponding definition in the schema in Section 8.

3.1. IODEF-Document Class

The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

               Figure 1: IODEF-Document Class

The aggregate classes that constitute IODEF-Document are:

Incident
   One or more. The information related to a single incident.

AdditionalData
   Zero or more. Mechanism by which to extend the data model. See Section 3.9.

The IODEF-Document class has three attributes:

version
   Required. STRING. The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be "2.00".

lang
   Required. ENUM. A valid language code per [RFC4646] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.

formatid
   Optional. STRING.
   A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out-of-band.

3.2. Incident Class

Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data.

   +-------------------------+
   |        Incident         |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM lang               |<>--{0..*}--[ RelatedActivity ]
   | ENUM restriction        |<>--{0..1}--[ DetectTime ]
   | STRING observable-id    |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>----------[ ReportTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

               Figure 2: The Incident Class

The aggregate classes that constitute Incident are:

IncidentID
   One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document.

AlternativeID
   Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document.

RelatedActivity
   Zero or more. Related activity and attribution of this activity.

DetectTime
   Zero or one. The time the incident was first detected.

StartTime
   Zero or one. The time the incident started.

EndTime
   Zero or one. The time the incident ended.

ReportTime
   One. The time the incident was reported.

Description
   Zero or more. ML_STRING. A free-form textual description of the incident.

Discovery
   Zero or more. The means by which this incident was detected.

Assessment
   One or more. A characterization of the impact of the incident.

Method
   Zero or more. The techniques used by the intruder in the incident.

Contact
   One or more. Contact information for the parties involved in the incident.

EventData
   Zero or more. Description of the events comprising the incident.

IndicatorData
   Zero or more. Description of indicators.

History
   Zero or one. A log of significant events or actions that occurred during the course of handling the incident.

AdditionalData
   Zero or more. Mechanism by which to extend the data model.

The Incident class has four attributes:

purpose
   Required. ENUM. The purpose attribute represents the reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.17). This attribute is defined as an enumerated list:

   1. traceback. The document was sent for trace-back purposes.

   2. mitigation. The document was sent to request aid in mitigating the described activity.

   3. reporting. The document was sent to comply with reporting requirements.

   4. watch. The document was sent to convey indicators to watch for particular activity.

   5. other. The document was sent for purposes specified in the Expectation class.

   6. ext-value. An escape value used to extend this attribute. See Section 5.1.

ext-purpose
   Optional. STRING. A means by which to extend the purpose attribute. See Section 5.1.

lang
   Optional. ENUM. A valid language code per [RFC4646] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.

restriction
   Optional. ENUM. See Section 3.3.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.3. Common Attributes

There are a number of recurring attributes used by the data model. They are documented in this section.

3.3.1. restriction Attribute

The restriction attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no specified technical means to ensure that the recipient of the document handles the information as the sender requested.

The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class also apply to its children.

It is possible to set a granular disclosure policy, since all of the high-level classes (i.e., children of the Incident class) have a restriction attribute. Therefore, a child can override the guidelines of a parent class, be it to restrict or relax the disclosure rules (e.g., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value.

This attribute is defined as an enumerated value with a default value of "private". Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute is used, no default is specified.

1. public. The information can be freely distributed without restriction.

2. partner. The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published.

3. need-to-know. The information may be shared only within the organization with individuals that have a need to know.

4. private. The information may not be shared.

5. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.

6. white. Same as 'public'.

7. green. Same as 'partner'.

8. amber. Same as 'need-to-know'.

9. red. Same as 'private'.

3.3.2. observable-id Attribute

Information included in an incident report may be an observable relevant to an indicator. The observable-id attribute provides a unique identifier in the scope of the document for this observable. This identifier can then be used to reference the observable with an ObservableReference class to define an indicator in the IndicatorData class.

3.4. IncidentID Class

The IncidentID class represents an incident tracking number that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF Document. This identifier would serve as an index into the CSIRT incident handling system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.

   +------------------+
   |    IncidentID    |
   +------------------+
   | STRING           |
   |                  |
   | STRING name      |
   | STRING instance  |
   | ENUM restriction |
   +------------------+

            Figure 3: The IncidentID Class

The IncidentID class has three attributes:

name
   Required. STRING. An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.

instance
   Optional. STRING. An identifier referencing a subset of the named incident.

restriction
   Optional. ENUM. See Section 3.3.1. The default value is "public".

3.5.
AlternativeID Class 805 The AlternativeID class lists the incident tracking numbers used by 806 CSIRTs, other than the one generating the document, to refer to the 807 identical activity described in the IODEF document. A tracking 808 number listed as an AlternativeID references the same incident 809 detected by another CSIRT. The incident tracking numbers of the 810 CSIRT that generated the IODEF document must never be considered an 811 AlternativeID. 813 +------------------+ 814 | AlternativeID | 815 +------------------+ 816 | ENUM restriction |<>--{1..*}--[ IncidentID ] 817 | | 818 +------------------+ 820 Figure 4: The AlternativeID Class 822 The aggregate class that constitutes AlternativeID is: 824 IncidentID 825 One or more. The incident tracking number of another CSIRT. 827 The AlternativeID class has one attribute: 829 restriction 830 Optional. ENUM. This attribute has been defined in Section 3.2. 832 3.6. RelatedActivity Class 834 The RelatedActivity class relates the information described in the 835 rest of the IODEF document to previously observed incidents or 836 activity; and allows attribution to a specific actor or campaign. 838 +------------------+ 839 | RelatedActivity | 840 +------------------+ 841 | ENUM restriction |<>--{0..*}--[ IncidentID ] 842 | |<>--{0..*}--[ URL ] 843 | |<>--{0..*}--[ ThreatActor ] 844 | |<>--{0..*}--[ Campaign ] 845 | |<>--{0..1}--[ Confidence ] 846 | |<>--{0..*}--[ Description ] 847 | |<>--{0..*}--[ AdditionalData ] 848 +------------------+ 850 Figure 5: RelatedActivity Class 852 The aggregate classes that constitutes RelatedActivity are: 854 IncidentID 855 One or more. The incident tracking number of a related incident. 857 URL 858 One or more. URL. A URL to activity related to this incident. 860 ThreatActor 861 One or more. The threat actor to whom the described activity is 862 attributed. 864 Campaign 865 One or more. The campaign of a given threat actor to whom the 866 described activity is attributed. 
   Confidence
      Zero or one.  An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or more.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   RelatedActivity MUST have at least one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.7.  ThreatActor Class

   The ThreatActor class describes a given actor.

   +------------------+
   | ThreatActor      |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ ThreatActorID  ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                     Figure 6: ThreatActor Class

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      One or more.  STRING.  An identifier for the ThreatActor.

   Description
      One or more.  ML_STRING.  A description of the ThreatActor.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.8.  Campaign Class

   The Campaign class describes a ...

   +------------------+
   | Campaign         |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ CampaignID     ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 7: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more.  STRING.  An identifier for the Campaign.

   Description
      One or more.  ML_STRING.  A description of the Campaign.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.
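   RelatedActivity, ThreatActor and Campaign each carry the restriction
   attribute of Section 3.3.1, and its inheritance rule decides what a
   recipient may do with each part of a document.  The following is an
   added example, not part of this draft, that computes the effective
   restriction of every element of a constructed Incident and prunes
   what may not be released to a recipient of a given level; the sample
   document and its values are constructed, and the IODEF XML namespace
   is omitted.

```python
"""Effective 'restriction' of each element in an IODEF Incident (added example).

Section 3.3.1: a class with no restriction attribute takes the value of the
closest ancestor that set one; only Incident has a default ("private"), and
Section 3.4 gives IncidentID its own default ("public").  Colour aliases
white/green/amber/red fold onto the canonical values.  The sample document
is constructed and omits the IODEF XML namespace; local() tolerates one.
"""
import copy
import xml.etree.ElementTree as ET

CANONICAL = ("public", "partner", "need-to-know", "private", "default")
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}
CLASS_DEFAULTS = {"Incident": "private", "IncidentID": "public"}
# Ordering used by share_with(); a larger rank is more restrictive.
RANK = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}

# Constructed sample: a partner-level (green) incident whose attribution
# detail is marked red while the assessment is public.
SAMPLE = """<IODEF-Document>
  <Incident purpose="reporting" restriction="green">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2014-07-23T10:00:00+00:00</ReportTime>
    <RelatedActivity>
      <ThreatActor restriction="red">
        <ThreatActorID>actor-12</ThreatActorID>
      </ThreatActor>
      <Campaign>
        <CampaignID>campaign-7</CampaignID>
      </Campaign>
    </RelatedActivity>
    <Assessment restriction="public">
      <Impact type="recon">Scanning of the DMZ observed</Impact>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""


def local(tag):
    """'{ns}Incident' -> 'Incident'; unchanged when there is no namespace."""
    return tag.rsplit("}", 1)[-1]


def normalize(value):
    """Fold a colour alias onto its canonical value; reject unknown values."""
    value = ALIASES.get(value, value)
    if value not in CANONICAL:
        raise ValueError("unknown restriction value: %r" % (value,))
    return value


def load_incident(xml_text):
    """Return the first Incident element of an IODEF-Document."""
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) == "Incident":
            return elem
    raise ValueError("no Incident element found")


def resolve(elem, inherited):
    """Own value if set, else the class default, else the inherited value."""
    own = elem.get("restriction")
    if own is not None:
        return normalize(own)
    return CLASS_DEFAULTS.get(local(elem.tag), inherited)


def effective_restrictions(incident):
    """Map 'Incident/Child[i]/...' paths to each element's effective value."""
    result = {}

    def walk(elem, inherited, path):
        current = resolve(elem, inherited)
        result[path] = current
        for i, child in enumerate(elem):
            walk(child, current, "%s/%s[%d]" % (path, local(child.tag), i))

    walk(incident, None, local(incident.tag))
    return result


def share_with(incident, recipient_level):
    """Deep copy of incident with every subtree stricter than recipient_level
    removed; None when the Incident itself may not go to that recipient.
    "default" names a pre-arranged policy this code cannot evaluate, so such
    subtrees are withheld as well."""
    allowed = RANK[normalize(recipient_level)]

    def prune(elem, inherited):
        current = resolve(elem, inherited)
        for child in list(elem):
            if not prune(child, current):
                elem.remove(child)
        return current != "default" and RANK[current] <= allowed

    released = copy.deepcopy(incident)
    return released if prune(released, None) else None
```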
   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.9.  AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model.  For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema.  A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning.  This information is described in the
   'meaning' attribute.  Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.

   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING ext-dtype |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

                   Figure 8: The AdditionalData Class

   The AdditionalData class has five attributes:

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.   boolean.  The element content is of type BOOLEAN.

      2.   byte.  The element content is of type BYTE.

      3.   bytes.  The element content is of type HEXBIN.

      4.   character.  The element content is of type CHARACTER.

      5.   date-time.  The element content is of type DATETIME.

      6.   ntpstamp.  Same as date-time.

      7.   integer.  The element content is of type INTEGER.

      8.   portlist.  The element content is of type PORTLIST.

      9.   real.  The element content is of type REAL.

      10.  string.  The element content is of type STRING.

      11.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.

      12.  path.  The element content is a file-system path encoded as
           a STRING type.

      13.  frame.  The element content is a layer-2 frame encoded as a
           HEXBIN type.

      14.  packet.  The element content is a layer-3 packet encoded as
           a HEXBIN type.

      15.  ipv4-packet.  The element content is an IPv4 packet encoded
           as a HEXBIN type.

      16.  ipv6-packet.  The element content is an IPv6 packet encoded
           as a HEXBIN type.

      17.  url.  The element content is of type URL.

      18.  csv.  The element content is a comma separated value (CSV)
           list per Section 2 of [RFC4180] encoded as a STRING type.

      19.  winreg.  The element content is a Windows registry key
           encoded as a STRING type.

      20.  xml.  The element content is XML.  See Section 5.

      21.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   formatid
      Optional.  STRING.  An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.10.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.
   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data.  A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class.  As such, multiple points of contact might be
   specified in a single instance of a Contact class.  Each child
   Contact class logically inherits contact information from its
   ancestors.

   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName    ]
   | STRING ext-role  |<>--{0..1}--[ ContactTitle   ]
   | ENUM type        |<>--{0..*}--[ Description    ]
   | STRING ext-type  |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction |<>--{0..1}--[ PostalAddress  ]
   |                  |<>--{0..*}--[ Email          ]
   |                  |<>--{0..*}--[ Telephone      ]
   |                  |<>--{0..1}--[ Fax            ]
   |                  |<>--{0..1}--[ Timezone       ]
   |                  |<>--{0..*}--[ Contact        ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 9: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or more.  The email address of the contact.

   Telephone
      Zero or more.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list:

      1.   creator.  The entity that generated the document.

      2.   reporter.  The entity that reported the information.

      3.   admin.  An administrative contact or business owner for an
           asset or organization.

      4.   tech.  An entity responsible for the day-to-day management
           of technical issues for an asset or organization.

      5.   provider.  An external hosting provider for an asset.

      6.   zone.  An entity with authority over a DNS zone.

      7.   user.  An end-user of an asset or part of an organization.

      8.   billing.  An entity responsible for billing issues for an
           asset or organization.

      9.   legal.  An entity responsible for legal issues related to an
           asset or organization.

      10.  irt.  An entity responsible for handling security issues for
           an asset or organization.

      11.  abuse.  An entity responsible for handling abuse originating
           from an asset or organization.

      12.  cc.  An entity that is to be kept informed about the events
           related to an asset or organization.

      13.  cc-irt.  A CSIRT or information sharing organization
           coordinating activity related to an asset or organization.

      14.  le.  A law enforcement entity supporting the investigation
           of activity affecting an asset or organization.

      15.  vendor.  The vendor that produces an asset.

      16.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.10.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.  The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                  Figure 10: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required.  ENUM.  The database to which the handle belongs.  The
      possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin-American and Caribbean IP Address Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Internet Numbers Registry

      7.  local.  A database local to the CSIRT

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.

3.10.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | ENUM meaning        |
   | ENUM lang           |
   +---------------------+

                  Figure 11: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

   lang
      Optional.  ENUM.  A valid language code per [RFC4646]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

3.10.3.  Email Class

   The Email class specifies an email address formatted according to
   the EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                      Figure 12: The Email Class

   The Email class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

3.10.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).
   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

               Figure 13: The Telephone and Fax Classes

   The Telephone and Fax classes have one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.11.  Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+

                     Figure 14: The Time Classes

3.11.1.  StartTime Class

   The StartTime class represents the time the incident began.

3.11.2.  EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3.  DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4.  ReportTime Class

   The ReportTime class represents the time the incident was reported.
   This timestamp MUST be the time at which the IODEF document was
   generated.

3.11.5.  DateTime

   The DateTime class is a generic representation of a timestamp.  Infer
   its semantics from the parent class in which it is aggregated.

3.12.  Discovery Class

   The Discovery class describes how an incident was detected.

   +-------------------+
   | Discovery         |
   +-------------------+
   | ENUM source       |<>--{0..*}--[ Description      ]
   | STRING ext-source |<>--{0..*}--[ Contact          ]
   | ENUM restriction  |<>--{0..*}--[ DetectionPattern ]
   +-------------------+

                    Figure 15: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how
      this incident was detected.

   Contact
      Zero or more.  Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more.  Describes an application-specific configuration
      that detected the incident.

   The Discovery class has three attributes:

   source
      Optional.  ENUM.  Categorizes the techniques used to discover the
      incident.  These values are partially derived from Table 3-1 of
      [NIST800.61rev2].

      1.   idps.  Intrusion Detection or Prevention system.

      2.   siem.  Security Information and Event Management System.

      3.   av.  Antivirus or antispam software.

      4.   file-integrity.  File integrity checking software.

      5.   third-party-monitoring.  Contracted third-party monitoring
           service.

      6.   os-log.  Operating system logs.

      7.   application-log.  Application logs.

      8.   device-log.  Network device logs.

      9.   network-flow.  Network flow analysis.

      10.  investigation.  Manual investigation initiated based on
           timely notification of a new vulnerability or exploit.

      11.  internal-notification.  A party within the organization
           discovered the activity.

      12.  external-notification.  A party outside of the organization
           discovered the activity.

      13.  unknown.  Unknown detection approach.

      14.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-source
      Optional.  STRING.  A means by which to extend the source
      attribute.  See Section 5.1.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.12.1.  DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon.  This class requires the
   identification of the target application and allows the configuration
   to be described in either free-form or machine readable form.

   +------------------+
   | DetectionPattern |
   +------------------+
   | ENUM restriction |<>----------[ Application            ]
   |                  |<>--{0..*}--[ Description            ]
   |                  |<>--{0..*}--[ DetectionConfiguration ]
   +------------------+

                 Figure 16: The DetectionPattern Class

   The DetectionPattern class is composed of three aggregate classes.

   Application
      One.  The application for which the DetectionConfiguration or
      Description is being provided.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more.  STRING.  A machine consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The DetectionPattern class has one attribute:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.13.  Method Class

   The Method class describes the tactics, techniques, or procedures
   used by the intruder in the incident.  This class consists of both a
   list of references describing the attack method and a free-form
   description.
   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Reference      ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 17: The Method Class

   The Method class is composed of three aggregate classes.

   Reference
      Zero or more.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.

   Description
      Zero or more.  ML_STRING.  A free-form text description of
      techniques, tactics, or procedures used by the intruder.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.13.1.  Reference Class

   The Reference class is a reference to a vulnerability, IDS alert,
   malware sample, advisory, or attack technique.  A reference consists
   of a name, a URL to this reference, and an optional description.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ENUM attacktype         |<>----------[ ReferenceName ]
   | STRING ext-attacktype   |<>--{0..*}--[ URL           ]
   | ID observable-id        |<>--{0..*}--[ Description   ]
   +-------------------------+

                     Figure 18: The Reference Class

   The aggregate classes that constitute Reference are:

   ReferenceName
      One.  ML_STRING.  Name of the reference.

   URL
      Zero or more.  URL.  A URL associated with the reference.

   Description
      Zero or more.  ML_STRING.  A free-form text description of this
      reference.

   The Reference class has three attributes:

   attacktype
      Optional.  ENUM.  TODO.

   ext-attacktype
      Optional.  STRING.  A mechanism by which to extend the attacktype
      attribute.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.  Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ Impact         ]
   | ENUM restriction        |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact     ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ Counter        ]
   |                         |<>--{0..1}--[ Confidence     ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 19: Assessment Class

   The aggregate classes that constitute Assessment are:

   Impact
      Zero or more.  Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more.  Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more.  Impact of the activity measured with respect to
      financial loss.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.

   Confidence
      Zero or one.  An estimate of confidence in the assessment.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has three attributes:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has
          occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.1.  Impact Class

   The Impact class allows for categorizing and describing the technical
   impact of the incident on the network of an organization.

   This class is based on [RFC4765].

   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+

                       Figure 20: Impact Class

   The element content will be a free-form textual description of the
   impact.

   The Impact class has five attributes:

   lang
      Optional.  ENUM.  A valid language code per [RFC4646]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the malicious activity into incident
      categories.  The permitted values are shown below.  The default
      value is "other".

      1.   admin.  Administrative privileges were attempted.

      2.   dos.  A denial of service was attempted.

      3.   file.  An action that impacts the integrity of a file or
           database was attempted.

      4.   info-leak.  An attempt was made to exfiltrate information.

      5.   misconfiguration.  An attempt was made to exploit a
           misconfiguration in a system.

      6.   policy.  Activity violating the site's policy was attempted.

      7.   recon.  Reconnaissance activity was attempted.

      8.   social-engineering.  A social engineering attack was
           attempted.

      9.   user.  User privileges were attempted.

      10.  unknown.  The classification of this activity is unknown.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.14.2.  BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   The element body describes the impact to the organization as a
   free-form text string.  The two attributes characterize the impact.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                   Figure 21: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   The BusinessImpact class has four attributes:

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide
          all critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  Classifies the malicious activity into incident
      categories.  The permitted values are shown below.  There is no
      default value.

      1.   breach-proprietary.  Sensitive or proprietary information
           was accessed or exfiltrated.

      2.   breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      3.   loss-of-integrity.  Sensitive or proprietary information was
           changed or deleted.

      4.   loss-of-service.  Service delivery was disrupted.

      5.   loss-financial.  Money or services were stolen.

      6.   degraded-reputation.  The reputation of the organization's
           brand was diminished.

      7.   asset-damage.  A cyber-physical system was damaged.

      8.   asset-manipulation.  A cyber-physical system was
           manipulated.

      9.   legal.  Incident resulted in legal or regulatory action.

      10.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.14.3.  TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey
   downtime and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                     Figure 22: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time.  The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.
The permitted values are shown below. There is no 1835 default value. 1837 1. low. Low severity 1839 2. medium. Medium severity 1841 3. high. High severity 1843 metric 1844 Required. ENUM. Defines the metric in which the time is 1845 expressed. The permitted values are shown below. There is no 1846 default value. 1848 1. labor. Total staff-time to recovery from the activity (e.g., 1849 2 employees working 4 hours each would be 8 hours). 1851 2. elapsed. Elapsed time from the beginning of the recovery to 1852 its completion (i.e., wall-clock time). 1854 3. downtime. Duration of time for which some provided service(s) 1855 was not available. 1857 4. ext-value. An escape value used to extend this attribute. 1858 See Section 5.1. 1860 ext-metric 1861 Optional. STRING. A means by which to extend the metric 1862 attribute. See Section 5.1. 1864 duration 1865 Optional. ENUM. Defines a unit of time, that when combined with 1866 the metric attribute, fully describes a metric of impact that will 1867 be conveyed in the element content. The permitted values are 1868 shown below. The default value is "hour". 1870 1. second. The unit of the element content is seconds. 1872 2. minute. The unit of the element content is minutes. 1874 3. hour. The unit of the element content is hours. 1876 4. day. The unit of the element content is days. 1878 5. month. The unit of the element content is months. 1880 6. quarter. The unit of the element content is quarters. 1882 7. year. The unit of the element content is years. 1884 8. ext-value. An escape value used to extend this attribute. 1885 See Section 5.1. 1887 ext-duration 1888 Optional. STRING. A means by which to extend the duration 1889 attribute. See Section 5.1. 1891 3.14.4. MonetaryImpact Class 1893 The MonetaryImpact class describes the financial impact of the 1894 activity on an organization. 
For example, this impact may consider 1895 losses due to the cost of the investigation or recovery, diminished 1896 productivity of the staff, or a tarnished reputation that will affect 1897 future opportunities. 1899 +------------------+ 1900 | MonetaryImpact | 1901 +------------------+ 1902 | REAL | 1903 | | 1904 | ENUM severity | 1905 | STRING currency | 1906 +------------------+ 1908 Figure 23: MonetaryImpact Class 1910 The element content is a positive, floating point number (REAL) 1911 specifying a unit of currency described in the currency attribute. 1913 The MonetaryImpact class has two attributes: 1915 severity 1916 Optional. ENUM. An estimate of the relative severity of the 1917 activity. The permitted values are shown below. There is no 1918 default value. 1920 1. low. Low severity 1922 2. medium. Medium severity 1924 3. high. High severity 1926 currency 1927 Optional. STRING. Defines the currency in which the monetary 1928 impact is expressed. The permitted values are defined in "Codes 1929 for the representation of currencies and funds" of [ISO4217]. 1930 There is no default value. 1932 3.14.5. Confidence Class 1934 The Confidence class represents a best estimate of the validity and 1935 accuracy of the described impact (see Section 3.14) of the incident 1936 activity. This estimate can be expressed as a category or a numeric 1937 calculation. 1939 This class if based upon [RFC4765]. 1941 +------------------+ 1942 | Confidence | 1943 +------------------+ 1944 | REAL | 1945 | | 1946 | ENUM rating | 1947 +------------------+ 1949 Figure 24: Confidence Class 1951 The element content expresses a numerical assessment in the 1952 confidence of the data when the value of the rating attribute is 1953 "numeric". Otherwise, this element MUST be empty. 1955 The Confidence class has one attribute. 1957 rating 1958 Required. ENUM. A rating of the analytical validity of the 1959 specified Assessment. The permitted values are shown below. 
      There is no default value.

      1.  low.  Low confidence in the validity.

      2.  medium.  Medium confidence in the validity.

      3.  high.  High confidence in the validity.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data. The semantics of this number are
          outside the scope of this specification.

      5.  unknown.  The confidence rating value is not known.

3.15.  History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------+
   | History          |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ HistoryItem ]
   |                  |
   +------------------+

                      Figure 25: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many. Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

3.15.1.  HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.15) log
   that documents a particular action or event that occurred in the
   course of handling the incident. The details of the entry are a
   free-form description, but each can be categorized with the action
   attribute.

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime ]
   | ENUM action             |<>--{0..1}--[ IncidentID ]
   | STRING ext-action       |<>--{0..1}--[ Contact ]
   | ID observable-id        |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ DefinedCOA ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 26: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or one. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number. When a single organization is maintaining the
      log, this class can be ignored.

   Contact
      Zero or one. Provides contact information for the person that
      performed the action documented in this class.

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      action or event.

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course
      of action. This class MUST be present if the action attribute is
      set to "defined-coa".

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The HistoryItem class has four attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is
      identical to the action attribute of the Expectation class. The
      difference is only one of tense: when an action is in this
      class, it has been completed. See Section 3.17.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.16.  EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks. This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of
   the activity on the organization, and any forensic evidence
   discovered.

   +-------------------------+
   | EventData               |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..1}--[ DetectTime ]
   |                         |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..*}--[ Contact ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..1}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{0..*}--[ Flow ]
   |                         |<>--{0..*}--[ Expectation ]
   |                         |<>--{0..1}--[ Record ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 27: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      event.

   DetectTime
      Zero or one. The time the event was detected.

   StartTime
      Zero or one. The time the event started.

   EndTime
      Zero or one. The time the event ended.

   Contact
      Zero or more. Contact information for the parties involved in
      the event.

   Discovery
      Zero or more. The means by which the event was detected.

   Assessment
      Zero or one. The impact of the event on the target and the
      actions taken.

   Method
      Zero or more. The technique used by the intruder in the event.

   Flow
      Zero or more. A description of the systems or networks involved.

   Expectation
      Zero or more. The expected action to be performed by the
      recipient for the described event.

   Record
      Zero or one. Supportive data (e.g., log files) that provides
      additional information about the event.

   EventData
      Zero or more. EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events. When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual
      events.

   AdditionalData
      Zero or more. An extension mechanism for data not explicitly
      represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class. This is not enforced in the IODEF schema, as
   there is no simple way to accomplish it; implementations that rely
   on schema validation alone will therefore accept an empty EventData
   and need to check this constraint themselves.

   The EventData class has two attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

   observable-id
      Optional. ID. See Section 3.3.2.

3.16.1.  Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident. In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class. However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident. In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in Incident.

3.16.2.  Cardinality of EventData

   The EventData class can be thought of as a container for the
   properties of an event in an incident. These properties include the
   hosts involved, the impact of the incident activity on the hosts,
   forensic logs, etc. Within an instance of the EventData class, hosts
   (i.e., System class) are grouped around these common properties.

   The recursive definition (or instance property inheritance) of the
   EventData class (the EventData class is aggregated into the
   EventData class) provides a way to relate information without
   requiring the explicit use of unique attribute identifiers in the
   classes or duplicating information. Instead, the relative depth
   (nesting) of a class is used to group (relate) information.

   For example, an EventData class might be used to describe two
   machines involved in an incident. This description can be achieved
   using multiple instances of the Flow class. It happens that there
   is a common technical contact (i.e., Contact class) for these two
   machines, but the impact (i.e., Assessment class) on them is
   different. A depiction of the representation for this situation can
   be found in Figure 28.

   +------------------+
   | EventData        |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+

                Figure 28: Recursion in the EventData Class

3.17.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting. The scope of the requested
   action is limited to the purview of the EventData class in which
   this class is aggregated.

   +-------------------------+
   | Expectation             |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | ENUM severity           |<>--{0..*}--[ DefinedCOA ]
   | ENUM action             |<>--{0..1}--[ StartTime ]
   | STRING ext-action       |<>--{0..1}--[ EndTime ]
   | ID observable-id        |<>--{0..1}--[ Contact ]
   +-------------------------+

                    Figure 29: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or more. ML_STRING. A free-form description of the desired
      action(s).

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course
      of action. This class MUST be present if the action attribute is
      set to "defined-coa".

   StartTime
      Zero or one. The time at which the sender would like the action
      performed. A timestamp that is earlier than the ReportTime
      specified in the Incident class denotes that the sender would
      like the action performed as soon as possible. The absence of
      this element indicates no expectation of when the sender would
      like the action performed.

   EndTime
      Zero or one. The time by which the sender expects the recipient
      to complete the action. If the recipient cannot complete the
      action before EndTime, the recipient MUST NOT carry out the
      action. Because of transit delays, clock drift, and so on, the
      sender MUST be prepared for the recipient to have carried out
      the action, even if it completes past EndTime.

   Contact
      Zero or one. The expected actor for the action.
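   The nesting described in Section 3.16.2 and depicted in Figure 28,
   resolved into its leaf events programmatically. This is an added
   example and not code from this draft or from the IODEF schema. It
   assumes the IODEF v2 namespace URI urn:ietf:params:xml:ns:iodef-2.0
   (not shown on this page) and a constructed sample document; the
   rule that a nested EventData's own attribute overrides the inherited
   one is the example's choice, since the text only says that values
   are inherited.

```python
"""Resolve nested IODEF EventData into leaf events (Section 3.16.2).

Added example; not code from the draft. The namespace URI is assumed.
"""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"   # assumed IODEF v2 namespace URI


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def flatten_event_data(event, inherited=(), attrs=None):
    """Return (attributes, children) for every leaf EventData under `event`.

    Non-EventData children of each ancestor are prepended to the leaf's own
    children, so a Contact given once at the top level applies to every
    leaf. An attribute set on a nested EventData overrides the parent's
    value (this example's choice; the draft only says values are inherited).
    """
    merged_attrs = dict(attrs or {})
    merged_attrs.update(event.attrib)
    own = [c for c in event if local(c.tag) != "EventData"]
    nested = [c for c in event if local(c.tag) == "EventData"]
    merged = list(inherited) + own
    if not nested:                      # leaf: this is an actual event
        return [(merged_attrs, merged)]
    leaves = []
    for child in nested:
        leaves.extend(flatten_event_data(child, merged, merged_attrs))
    return leaves


def leaf_events(xml_text):
    """Summarize each leaf event as (restriction, contact, target, impact)."""
    root = ET.fromstring(xml_text)
    rows = []
    for attrs, children in flatten_event_data(root):
        by_tag = {}
        for child in children:
            by_tag.setdefault(local(child.tag), []).append(child)
        contact = by_tag["Contact"][0].findtext(f"{{{NS}}}ContactName")
        target = by_tag["Flow"][0].find(f".//{{{NS}}}Address").text
        impact = by_tag["Assessment"][0].find(f"{{{NS}}}Impact").get("type")
        rows.append((attrs.get("restriction", "default"), contact, target, impact))
    return rows


# Constructed sample shaped like Figure 28: one shared technical contact and
# two nested EventData instances, each with its own Flow and Assessment.
SAMPLE = f"""<EventData xmlns="{NS}" restriction="need-to-know">
  <Contact role="tech" type="organization"><ContactName>Example NOC</ContactName></Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment><Impact type="dos" severity="high" completion="succeeded"/></Assessment>
  </EventData>
  <EventData restriction="private">
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
    <Assessment><Impact type="recon" severity="low" completion="failed"/></Assessment>
  </EventData>
</EventData>"""

if __name__ == "__main__":
    for row in leaf_events(SAMPLE):
        print(row)
```

   Both leaves resolve to the single shared Contact, while each keeps
   its own Flow and Assessment; the second leaf's restriction="private"
   replaces the inherited "need-to-know", which is the kind of per-event
   difference the nesting is meant to express without repeating the
   common data.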
   The Expectation class has five attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

   severity
      Optional. ENUM. Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   action
      Optional. ENUM. Classifies the type of action requested. This
      attribute is an enumerated list with a default value of "other".

      1.  nothing.  No action is requested. Do nothing with the
          information.

      2.  contact-source-site.  Contact the site(s) identified as the
          source of the activity.

      3.  contact-target-site.  Contact the site(s) identified as the
          target of the activity.

      4.  contact-sender.  Contact the originator of the document.

      5.  investigate.  Investigate the system(s) listed in the event.

      6.  block-host.  Block traffic from the machine(s) listed as
          sources in the event.

      7.  block-network.  Block traffic from the network(s) listed as
          sources in the event.

      8.  block-port.  Block the port(s) listed as sources in the
          event.

      9.  rate-limit-host.  Rate-limit the traffic from the machine(s)
          listed as sources in the event.

      10. rate-limit-network.  Rate-limit the traffic from the
          network(s) listed as sources in the event.

      11. rate-limit-port.  Rate-limit the port(s) listed as sources
          in the event.

      12. upgrade-software.  Upgrade or patch the software or firmware
          on an asset.

      13. rebuild-asset.  Reinstall the operating system and
          applications on an asset.

      14. remediate-other.  Remediate the activity in a way other than
          by rate limiting or blocking.

      15. status-triage.  Conveys receipt and the triaging of an
          incident.

      16. status-new-info.  Conveys that new information was received
          for this incident.

      17. watch-and-report.  Watch for the described activity and
          share if seen.

      18. defined-coa.  Perform a predefined course of action (COA).
          The COA is named in the DefinedCOA class.

      19. other.  Perform some custom action described in the
          Description class.

      20. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.18.  Flow Class

   The Flow class groups related source and target hosts.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                        Figure 30: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or more. A host or network involved in an event.

   The Flow class has no attributes.

3.19.  System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute. The value of this category attribute dictates
   the semantics of the aggregated classes in the System class. If the
   category attribute has a value of "source", then the aggregated
   classes denote the machine and service from which the activity is
   originating. With a category attribute value of "target" or
   "intermediate", the machine or service is the one targeted in the
   activity. A value of "sensor" dictates that this System was part of
   an instrumentation to monitor the network.

   +---------------------+
   | System              |
   +---------------------+
   | ENUM restriction    |<>----------[ Node ]
   | ENUM category       |<>--{0..*}--[ Service ]
   | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
   | STRING interface    |<>--{0..*}--[ Counter ]
   | ENUM spoofed        |<>--{0..*}--[ AssetID ]
   | ENUM virtual        |<>--{0..*}--[ Description ]
   | ENUM ownership      |<>--{0..*}--[ AdditionalData ]
   | STRING ext-ownership|
   +---------------------+

                       Figure 31: The System Class

   The aggregate classes that constitute System are:

   Node
      One. A host or network involved in the incident.

   Service
      Zero or more. A network service running on the system.

   OperatingSystem
      Zero or more. The operating system running on the system.

   Counter
      Zero or more. A counter with which to summarize properties of
      this host or network.

   AssetID
      Zero or more. An asset identifier for the System.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      System.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The System class has eight attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   category
      Optional. ENUM. Classifies the role the host or network played
      in the incident. The possible values are:

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  intermediate.  The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of
          IODEF document exchange.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   interface
      Optional. STRING. Specifies the interface on which the event(s)
      on this System originated. If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional. ENUM. An indication of confidence in whether this
      System was the true target or attacking host. The permitted
      values for this attribute are shown below. The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is probably incorrect. In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional. ENUM. Indicates whether this System is a virtual or
      physical device. The default value is "unknown". The possible
      values are:

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

      3.  unknown.  It is not known if the System is virtual.

   ownership
      Optional. ENUM. Describes the ownership of this System relative
      to the sender of the IODEF document. The possible values are:

      1.  organization.  The System is owned by the organization.

      2.  personal.  The System is owned by an employee or affiliate
          of the organization.

      3.  partner.  The System is owned by a partner of the
          organization.

      4.  customer.  The System is owned by a customer of the
          organization.

      5.  no-relationship.  The System is owned by an entity that has
          no known relationship with the organization.

      6.  unknown.  The ownership of the System is unknown.

      7.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-ownership
      Optional. STRING. A means by which to extend the ownership
      attribute. See Section 5.1.

3.20.  Node Class

   The Node class names an asset or network.

   This class was derived from [RFC4765].
   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..1}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ NodeRole ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                        Figure 32: The Node Class

   The aggregate classes that constitute Node are:

   DomainData
      Zero or more. The detailed domain (DNS) information associated
      with this Node. If an Address is not provided, at least one
      DomainData MUST be specified.

   Address
      Zero or more. The hardware, network, or application address of
      the Node. If a DomainData is not provided, at least one Address
      MUST be specified.

   PostalAddress
      Zero or one. The postal address of the asset.

   Location
      Zero or one. ML_STRING. A free-form description of the physical
      location of the Node. This description may provide a more
      detailed description of where in the PostalAddress this Node is
      found (e.g., room number, rack number, slot number in a chassis).

   NodeRole
      Zero or more. The intended purpose of the Node.

   Counter
      Zero or more. A counter with which to summarize properties of
      this host or network.

   The Node class has no attributes.

3.20.1.  Address Class

   The Address class represents a hardware (layer-2), network
   (layer-3), or application (layer-7) address.

   This class was derived from [RFC4765].

   +-------------------------+
   | Address                 |
   +-------------------------+
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

                      Figure 33: The Address Class

   The Address class has five attributes:

   category
      Optional. ENUM. The type of address represented. The permitted
      values for this attribute are shown below. The default value is
      "ipv4-addr".

      1.  asn.  Autonomous System Number

      2.  atm.  Asynchronous Transfer Mode (ATM) address

      3.  e-mail.  Electronic mail address (RFC 822)

      4.  ipv4-addr.  IPv4 host address in dotted-decimal notation
          (a.b.c.d)

      5.  ipv4-net.  IPv4 network address in dotted-decimal notation,
          slash, significant bits (a.b.c.d/nn)

      6.  ipv4-net-mask.  IPv4 network address in dotted-decimal
          notation, slash, network mask in dotted-decimal notation
          (a.b.c.d/w.x.y.z)

      7.  ipv6-addr.  IPv6 host address

      8.  ipv6-net.  IPv6 network address, slash, significant bits

      9.  ipv6-net-mask.  IPv6 network address, slash, network mask

      10. mac.  Media Access Control (MAC) address

      11. site-uri.  A URL or URI for a resource.

      12. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   vlan-name
      Optional. STRING. The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional. INTEGER. The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional. ID. See Section 3.3.2.

3.20.2.  NodeRole Class

   The NodeRole class describes the intended function performed by a
   particular host.

   +---------------------+
   | NodeRole            |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | ENUM lang           |
   +---------------------+

                      Figure 34: The NodeRole Class

   The NodeRole class has three attributes:

   category
      Required. ENUM. Functionality provided by a node.

      1.  client.  Client computer

      2.  client-enterprise.  Client computer on the enterprise
          network

      3.  client-partner.  Client computer on the network of a partner

      4.  client-remote.  Client computer remotely connected to the
          enterprise network

      5.  client-kiosk.  Client computer that serves as a kiosk

      6.  client-mobile.  Client is a mobile device

      7.  server-internal.  Server with internal services

      8.  server-public.  Server with public services

      9.  www.  WWW server

      10. mail.  Mail server

      11. messaging.  Messaging server (e.g., NNTP, IRC, IM)

      12. streaming.  Streaming-media server

      13. voice.  Voice server (e.g., SIP, H.323)

      14. file.  File server (e.g., SMB, CVS, AFS)

      15. ftp.  FTP server

      16. p2p.  Peer-to-peer node

      17. name.  Name server (e.g., DNS, WINS)

      18. directory.  Directory server (e.g., LDAP, finger, whois)

      19. credential.  Credential server (e.g., domain controller,
          Kerberos)

      20. print.  Print server

      21. application.  Application server

      22. database.  Database server

      23. backup.  Backup server

      24. dhcp.  DHCP server

      25. infra.  Infrastructure server (e.g., router, firewall, DHCP)

      26. infra-firewall.  Firewall

      27. infra-router.  Router

      28. infra-switch.  Switch

      29. camera.  Camera server

      30. proxy.  Proxy server

      31. remote-access.  Remote access server

      32. log.  Log server (e.g., syslog)

      33. virtualization.  Server running virtual machines

      34. pos.  Point-of-sale device

      35. scada.  Supervisory control and data acquisition system

      36. scada-supervisory.  Supervisory system for a SCADA

      37. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   lang
      Optional. ENUM. A valid language code per [RFC4646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

3.20.3.  Counter Class

   The Counter class summarizes multiple occurrences of some event, or
   conveys counts or rates on various features (e.g., packets,
   sessions, events).

   The value of the counter is the element content, with its units
   represented in the type attribute. A rate for a given feature can be
   expressed by setting the duration attribute. The complete semantics
   are entirely context dependent, based on the class in which the
   Counter is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                      Figure 35: The Counter Class

   The Counter class has five attributes:

   type
      Required. ENUM. Specifies the units of the element content.

      1.  byte.  Count of bytes.

      2.  packet.  Count of packets.

      3.  flow.  Count of network flow records.

      4.  session.  Count of sessions.

      5.  alert.  Count of notifications generated by another system
          (e.g., IDS or SIM).

      6.  message.  Count of messages (e.g., mail messages).

      7.  event.  Count of events.

      8.  host.  Count of hosts.

      9.  site.  Count of sites.

      10. organization.  Count of organizations.

      11. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

   meaning
      Optional. STRING. A free-form description of the metric
      represented by the Counter.

   duration
      Optional. ENUM. If present, the Counter class represents a rate
      rather than a count over the entire event. In that case, this
      attribute specifies the denominator of the rate (where the type
      attribute specifies the numerator). The possible values of this
      attribute are defined in Section 3.14.3.

   ext-duration
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.

3.21.  DomainData Class

   The DomainData class describes a domain name and the meta-data
   associated with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   |                          |
   +--------------------------+

                     Figure 36: The DomainData Class

   The aggregate classes that constitute DomainData are:

   Name
      One. ML_STRING. The domain name of the Node (e.g., fully
      qualified domain name).

   DateDomainWasChecked
      Zero or one. DATETIME. A timestamp of when the Name was
      resolved.

   RegistrationDate
      Zero or one. DATETIME. A timestamp of when the domain listed in
      Name was registered.

   ExpirationDate
      Zero or one. DATETIME. A timestamp of when the domain listed in
      Name is set to expire.

   RelatedDNS
      Zero or more. Additional DNS records associated with this
      domain.

   Nameservers
      Zero or more. The name servers identified for the domain listed
      in Name.

   DomainContacts
      Zero or one. Contact information for the domain listed in Name,
      supplied by the registrar or through a whois query.

   The DomainData class has five attributes:

   system-status
      Required. ENUM. Assesses the domain's involvement in the event.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain is known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-system-status
      Optional. STRING. A means by which to extend the system-status
      attribute. See Section 5.1.

   domain-status
      Required. ENUM. Categorizes the registry status of the domain at
      the time the document was generated. These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].

      1.  reservedDelegation.  The domain is permanently inactive.

      2.  assignedAndActive.  The domain is in a normal state.

      3.  assignedAndInactive.  The domain has an assigned
          registration but the delegation is inactive.

      4.  assignedAndOnHold.  The domain is under dispute.

      5.  revoked.  The domain is in the process of being purged from
          the database.

      6.  transferPending.  The domain is pending a change in
          authority.

      7.  registryLock.  The domain is on hold by the registry.

      8.  registrarLock.  Same as "registryLock".

      9.  other.  The domain has a known status, but it is not one of
          the predefined enumerated values.

      10. unknown.  The domain has an unknown status.

      11. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-domain-status
      Optional. STRING. A means by which to extend the domain-status
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.21.1.  RelatedDNS

   The RelatedDNS class describes additional record types associated
   with a given domain name. The record type is described in the
   record-type attribute, and the value of the record is the element
   content. ... TODO Issue #39 ...

   +----------------------+
   | RelatedDNS           |
   +----------------------+
   | STRING               |
   |                      |
   | ENUM record-type     |
   | STRING ext-record-type |
   +----------------------+

                     Figure 37: The RelatedDNS Class

   The RelatedDNS class has two attributes:

   record-type
      Required. ENUM. The DNS record type. ...
TODO values need to be 2947 listed ... 2949 ext-record-type. An escape value used to extend this attribute. 2950 See Section 5.1. 2952 3.21.2. Nameservers Class 2954 The Nameservers class describes the name servers associated with a 2955 given domain. 2957 +--------------------+ 2958 | Nameservers | 2959 +--------------------+ 2960 | |<>----------[ Server ] 2961 | |<>--{1..*}--[ Address ] 2962 +--------------------+ 2964 Figure 38: The Nameservers Class 2966 The aggregate classes that constitute Nameservers are: 2968 Server 2969 One. ML_STRING. The domain name of the name server. 2971 Address 2972 One or more. The address of the name server. See Section 3.20.1. 2974 3.21.3. DomainContacts Class 2976 The DomainContacts class describes the contact information for a 2977 given domain provided either by the registrar or through a whois 2978 query. 2980 This contact information can be explicitly described through a 2981 Contact class or a reference can be provided to a domain with 2982 identical contact information. Either a single SameDomainContact 2983 MUST be present or one or many Contact classes. 2985 +--------------------+ 2986 | DomainContacts | 2987 +--------------------+ 2988 | |<>--{0..1}--[ SameDomainContact ] 2989 | |<>--{1..*}--[ Contact ] 2990 +--------------------+ 2992 Figure 39: The DomainContacts Class 2994 The aggregate classes that constitute DomainContacts are: 2996 SameDomainContact 2997 Zero or one. ML_STRING. A domain name already cited in this 2998 document or through previous exchange that contains the identical 2999 contact information as the domain name in question. The domain 3000 contact information associated with this domain should be used in 3001 lieu of explicit definition with the Contact class. 3003 Contact 3004 One or more. Contact information for the domain. See 3005 Section 3.10. 3007 3.22. Service Class 3009 The Service class describes a network service of a host or network. 
3010 The service is identified by specific port or list of ports, along 3011 with the application listening on that port. 3013 When Service occurs as an aggregate class of a System that is a 3014 source, then this service is the one from which activity of interest 3015 is originating. Conversely, when Service occurs as an aggregate 3016 class of a System that is a target, then that service is the one to 3017 which activity of interest is directed. 3019 This class was derived from [RFC4765]. 3021 +-------------------------+ 3022 | Service | 3023 +-------------------------+ 3024 | INTEGER ip-protocol |<>--{0..1}--[ Port ] 3025 | ID observable-id |<>--{0..1}--[ Portlist ] 3026 | |<>--{0..1}--[ ProtoCode ] 3027 | |<>--{0..1}--[ ProtoType ] 3028 | |<>--{0..1}--[ ProtoField ] 3029 | |<>--{0..*}--[ ApplicationHeader ] 3030 | |<>--{0..1}--[ EmailData ] 3031 | |<>--{0..1}--[ Application ] 3032 +-------------------------+ 3034 Figure 40: The Service Class 3036 The aggregate classes that constitute Service are: 3038 Port 3039 Zero or one. INTEGER. A port number. 3041 Portlist 3042 Zero or one. PORTLIST. A list of port numbers formatted 3043 according to Section 2.10. 3045 ProtoCode 3046 Zero or one. INTEGER. A transport layer (layer 4) protocol- 3047 specific code field (e.g., ICMP code field). 3049 ProtoType 3050 Zero or one. INTEGER. A transport layer (layer 4) protocol 3051 specific type field (e.g., ICMP type field). 3053 ProtoField 3054 Zero or one. INTEGER. A transport layer (layer 4) protocol 3055 specific flag field (e.g., TCP flag field). 3057 ApplicationHeader 3058 Zero or more. An application layer (layer 7) protocol header. 3059 See Section 3.22.1. 3061 EmailData 3062 Zero or one. Headers associated with an email. See Section 3.24. 3064 Application 3065 Zero or one. The application bound to the specified Port or 3066 Portlist. See Section 3.22.2. 3068 Either a Port or Portlist class MUST be specified for a given 3069 instance of a Service class. 
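As an added example (not part of this specification), the following Python checks the Port-or-Portlist requirement above and the source/target Portlist correspondence rule stated in the next paragraph against a constructed Flow. The comma-and-range PORTLIST syntax ("80,443,1024-1030") is assumed from IODEF v1 because Section 2.10 is not reproduced here, and the Node/Address children follow IODEF v1 as well.

```python
"""Validate the Service Port/Portlist rules of Section 3.22 on a Flow element."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    """Qualify an element name with the IODEF v2 namespace."""
    return f"{{{IODEF_NS}}}{name}"


def parse_portlist(text):
    """Expand a PORTLIST into an ordered list of ints, preserving sequence.

    Assumed syntax (IODEF v1): comma-separated ports and hyphenated ranges.
    """
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty PORTLIST item")
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"descending range {item!r}")
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    for p in ports:
        if not 0 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
    return ports


def service_ports(service):
    """Return the ports of one Service; exactly one of Port/Portlist MUST be present."""
    port = service.find(q("Port"))
    portlist = service.find(q("Portlist"))
    if (port is None) == (portlist is None):
        raise ValueError("Service MUST carry exactly one of Port or Portlist")
    if port is not None:
        return [int(port.text.strip())]
    return parse_portlist(portlist.text or "")


def check_flow(flow):
    """Apply the implicit source/target Portlist relationship to one Flow.

    Returns the (source_port, target_port) pairs, or [] when the rule does not
    apply (no Portlist on one side). Raises ValueError on a violation.
    """
    sides = {"source": [], "target": []}
    for system in flow.findall(q("System")):
        service = system.find(q("Service"))
        if service is None:
            continue
        ports = service_ports(service)  # enforces the Port-or-Portlist rule
        category = system.get("category")
        if category in sides and service.find(q("Portlist")) is not None:
            sides[category].append(ports)
    src, dst = sides["source"], sides["target"]
    if not src or not dst:
        return []
    n = len(src[0])
    for ports in src + dst:
        if len(ports) != n:
            raise ValueError(f"source lists {n} ports but another System lists {len(ports)}")
    if n > 1 and (len(src) > 1 or len(dst) > 1):
        raise ValueError("N > 1 requires a single source and a single target System")
    # When N is 1 the text leaves multi-System pairing open; pair the first of each side.
    return list(zip(src[0], dst[0]))


def validate_flow(xml_text):
    """Parse a Flow fragment and return (True, pairs) or (False, reason)."""
    try:
        return True, check_flow(ET.fromstring(xml_text))
    except ValueError as exc:
        return False, str(exc)


# Constructed sample: three source ports paired position-by-position with three targets.
SAMPLE_FLOW = f"""<Flow xmlns="{IODEF_NS}">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip-protocol="6"><Portlist>31337,31338-31339</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">192.0.2.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Constructed violation: N = 2 on the source side, M = 3 on the target side.
BAD_FLOW = SAMPLE_FLOW.replace("31337,31338-31339", "31337,31338")

if __name__ == "__main__":
    print(validate_flow(SAMPLE_FLOW))
    print(validate_flow(BAD_FLOW))
```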
When a System class with category="source" and another with category="target" are aggregated into a single Flow class, and each of these System classes has a Service and Portlist class, an implicit relationship between these Portlists exists. If N ports are listed for a System@category="source", and M ports are listed for System@category="target", the number of ports N must be equal to M. Likewise, the ports MUST be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. If N is greater than 1, a given instance of a Flow class MUST only have a single instance of a System@category="source" and System@category="target".

The Service class has two attributes:

ip-protocol
   Required. INTEGER. The IANA assigned IP protocol number per [IANA.Protocols].

observable-id
   Optional. ID. See Section 3.3.2.

3.22.1. ApplicationHeader Class

The ApplicationHeader class allows the representation of arbitrary fields from an application layer protocol header and their corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   | ANY                      |
   |                          |
   | INTEGER proto            |
   | STRING field             |
   | ENUM dtype               |
   | ID observable-id         |
   +--------------------------+

                Figure 41: The ApplicationHeader Class

The ApplicationHeader class has four attributes:

proto
   Required. INTEGER. The IANA assigned port number per [IANA.Ports] corresponding to the application layer protocol whose field will be represented.

field
   Required. STRING. The name of the protocol field whose value will be found in the element body.

dtype
   Required. ENUM. The data type of the element content. The permitted values for this attribute are shown below. The default value is "string".

   1. boolean. The element content is of type BOOLEAN.
   2. byte. The element content is of type BYTE.
   3. bytes. The element content is of type HEXBIN.
   4. character. The element content is of type CHARACTER.
   5. date-time. The element content is of type DATETIME.
   6. integer. The element content is of type INTEGER.
   7. portlist. The element content is of type PORTLIST.
   8. real. The element content is of type REAL.
   9. string. The element content is of type STRING.
   10. file. The element content is a base64 encoded binary file encoded as a BYTE[] type.
   11. path. The element content is a file-system path encoded as a STRING type.
   12. xml. The element content is XML. See Section 5.
   13. ext-value. An escape value used to extend this attribute. See Section 5.1.

ext-dtype
   Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.22.2. Application Class

The Application class describes an application running on a System providing a Service.

   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

                Figure 42: The Application Class

The aggregate class that constitutes Application is:

URL
   Zero or one. URL. A URL describing the application.

The Application class has seven attributes:

swid
   Optional. STRING. An identifier that can be used to reference this software, where the default value is "0".

configid
   Optional. STRING. An identifier that can be used to reference a particular configuration of this software, where the default value is "0".

vendor
   Optional. STRING. Vendor name of the software.

family
   Optional. STRING. Family of the software.

name
   Optional. STRING. Name of the software.

version
   Optional. STRING. Version of the software.

patch
   Optional. STRING. Patch or service pack level of the software.

3.23. OperatingSystem Class

The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class (Section 3.22.2).

3.24. EmailData Class

The EmailData class describes headers from an email message. Common headers have dedicated classes, but arbitrary headers can also be described.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   +-------------------------+

                Figure 43: EmailData Class

The aggregate classes that constitute EmailData are:

EmailFrom
   Zero or one. The value of the "From:" header field in an email. See Section 3.6.2 of [RFC5322].

EmailSubject
   Zero or one. The value of the "Subject:" header field in an email. See Section 3.6.4 of [RFC5322].

EmailX-Mailer
   Zero or one. The value of the "X-Mailer:" header field in an email.

EmailHeaderField
   Zero or one. The value of an arbitrary header field in the email. See Section 3.22.1. The attributes of EmailHeaderField MUST be set as follows: proto="25" and dtype="string". The name of the email header field MUST be set in the field attribute.

The EmailData class has one attribute:

observable-id
   Optional. ID. See Section 3.3.2.

3.25. Record Class

The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs substantiate the activity described in the document.

   +------------------+
   | Record           |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ RecordData ]
   +------------------+

                Figure 44: Record Class

The aggregate class that constitutes Record is:

RecordData
   One or more. Log or audit data generated by a particular type of sensor. Separate instances of the RecordData class SHOULD be used for each sensor type.

The Record class has one attribute:

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.

3.25.1. RecordData Class

The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.

   +--------------------+
   | RecordData         |
   +--------------------+
   | ENUM restriction   |<>--{0..1}--[ DateTime ]
   | ID observable-id   |<>--{0..*}--[ Description ]
   |                    |<>--{0..1}--[ Application ]
   |                    |<>--{0..*}--[ RecordPattern ]
   |                    |<>--{0..*}--[ RecordItem ]
   |                    |<>--{0..1}--[ HashData ]
   |                    |<>--{0..*}--[ WindowsRegistryKeysModified ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

                Figure 45: The RecordData Class

The aggregate classes that constitute RecordData are:

DateTime
   Zero or one. Timestamp of the RecordItem data.

Description
   Zero or more. ML_STRING. Free-form textual description of the provided RecordItem data. At minimum, this description should convey the significance of the provided RecordItem data.

Application
   Zero or one. Information about the sensor used to generate the RecordItem data.

RecordPattern
   Zero or more. A search string to precisely find the relevant data in a RecordItem.

RecordItem
   Zero or more. Log, audit, or forensic data.

HashData
   Zero or one. The file name and hash of a file indicator.

WindowsRegistryKeysModified
   Zero or more. The registry keys that were modified and that are indicator(s).

AdditionalData
   Zero or more. An extension mechanism for data not explicitly represented in the data model.

The RecordData class has two attributes:

restriction
   Optional. ENUM. See Section 3.3.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.25.2. RecordPattern Class

The RecordPattern class describes where in the content of the RecordItem relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                Figure 46: The RecordPattern Class

The specific pattern to search with in the RecordItem is defined in the body of the element. It is further annotated by six attributes:

type
   Required. ENUM. Describes the type of pattern being specified in the element content. The default is "regex".

   1. regex. Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
   2. binary. Binhex encoded binary pattern, per the HEXBIN data type.
   3. xpath. XML Path (XPath) [W3C.XPATH].
   4. ext-value. An escape value used to extend this attribute. See Section 5.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.

offset
   Optional. INTEGER. Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.

offsetunit
   Optional. ENUM. Describes the units of the offset attribute. The default is "line".

   1. line. Offset is a count of lines.
   2. byte. Offset is a count of bytes.
   3. ext-value. An escape value used to extend this attribute. See Section 5.1.

ext-offsetunit
   Optional. STRING. A means by which to extend the offsetunit attribute. See Section 5.1.

instance
   Optional. INTEGER. Number of times to apply the specified pattern.

3.25.3. RecordItem Class

The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. The class supports both the direct encapsulation of the data and primitives to reference data stored elsewhere.

This class is identical to the AdditionalData class (Section 3.9).

3.26. WindowsRegistryKeysModified Class

The WindowsRegistryKeysModified class describes Windows operating system registry keys and the operations that were performed on them. This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

                Figure 47: The WindowsRegistryKeysModified Class

The aggregate class that constitutes the WindowsRegistryKeysModified class is:

Key
   One or many. The Windows registry key.

The WindowsRegistryKeysModified class has one attribute:

observable-id
   Optional. ID. See Section 3.3.2.

3.26.1. Key Class

The Key class describes a particular Windows operating system registry key name and value pair, and the operation performed on it.
   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                Figure 48: The Key Class

The aggregate classes that constitute Key are:

KeyName
   One. STRING. The name of the Windows operating system registry key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

KeyValue
   Zero or one. STRING. The value of the associated registry key encoded as in Microsoft .reg files [KB310516].

The Key class has three attributes:

registryaction
   Optional. ENUM. The type of action taken on the registry key.

   1. add-key. Registry key added.
   2. add-value. Value added to registry key.
   3. delete-key. Registry key deleted.
   4. delete-value. Value deleted from registry key.
   5. modify-key. Registry key modified.
   6. modify-value. Value modified for registry key.
   7. ext-value. External value.

ext-registryaction
   Optional. A means by which to extend the registryaction attribute. See Section 5.1.

observable-id
   Optional. ID. See Section 3.3.2.

3.27. HashData Class

The HashData class describes file names and associated hashes and signatures. ... TODO Fix Issue #20 and #25 ...

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM type                |<>--{0..*}--[ FileName ]
   | STRING ext-type          |<>--{0..*}--[ FileSize ]
   | BOOL valid               |<>--{0..*}--[ ds:Signature ]
   | ID observable-id         |<>--{0..*}--[ ds:KeyInfo ]
   |                          |<>--{0..*}--[ ds:Reference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                Figure 49: The HashData Class

The aggregate classes that constitute HashData are:

FileName
   Zero or more. ML_STRING. The name of the file.

FileSize
   Zero or more. INTEGER. The size of the file in bytes.

ds:Signature
   Zero or more.

ds:KeyInfo
   Zero or more.

ds:Reference
   Zero or more. The algorithm identification and value of a hash computed over a file. This element is defined in [RFC3275]. Refer to RFC 5901.

AdditionalData
   Zero or more. Mechanism by which to extend the data model. See Section 3.9.

The HashData class has four attributes:

type
   Optional. ENUM. The hash type.

   1. PKI-email-ds. PKI email digital signature.
   2. PKI-file-ds. PKI file digital signature.
   3. PGP-email-ds. PGP email digital signature.
   4. PGP-file-ds. PGP file digital signature.
   5. file-hash. A file hash.
   6. email-hash. An email hash.
   7. ext-value. An escape value used to extend this attribute. See Section 5.1.

ext-type
   Optional. STRING. A means by which to extend the type attribute. See Section 5.1.

valid
   Optional. BOOLEAN. Indicates if the signature or hash is valid.

observable-id
   Optional. ID. See Section 3.3.2.

3.28. IndicatorData Class

The IndicatorData class describes the indicators identified from analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                Figure 50: The IndicatorData Class

The aggregate class that constitutes IndicatorData is:

Indicator
   One or more. An indicator from the incident.

The IndicatorData class has no attributes.

3.29. Indicator Class

The Indicator class describes a cyber indicator. An indicator consists of observable features and phenomena that aid in the forensic or proactive detection of malicious activity, and associated meta-data. This indicator can be described outright or reference observable features and phenomena described elsewhere in the incident information. Portions of an incident description can be composed to define an indicator, as can the indicators themselves.

   +--------------------+
   | Indicator          |
   +--------------------+
   | ENUM restriction   |<>----------[ IndicatorID ]
   |                    |<>--{0..1}--[ AlternativeIndicatorID ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>--{0..1}--[ Confidence ]
   |                    |<>--{0..*}--[ Contact ]
   |                    |<>--{0..1}--[ Observable ]
   |                    |<>--{0..1}--[ ObservableReference ]
   |                    |<>--{0..1}--[ IndicatorExpression ]
   |                    |<>--{0..1}--[ IndicatorReference ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

                Figure 51: The Indicator Class

The aggregate classes that constitute Indicator are:

IndicatorID
   One. An identifier for this indicator. See Section 3.29.1.

AlternativeIndicatorID
   Zero or one. An alternative identifier for this indicator. See Section 3.29.2.

Description
   Zero or more. ML_STRING. A free-form textual description of the indicator.

StartTime
   Zero or one. DATETIME. A timestamp of the start of the time period during which this indicator is valid.

EndTime
   Zero or one. DATETIME. A timestamp of the end of the time period during which this indicator is valid.

Confidence
   Zero or one. An estimate of the confidence in the quality of the indicator. See Section 3.14.5.

Contact
   Zero or more. Contact information for this indicator. See Section 3.10.

Observable
   Zero or one. An observable feature or phenomenon of this indicator. See Section 3.29.3.

ObservableReference
   Zero or one. A reference to a feature or phenomenon defined elsewhere in the document. See Section 3.29.5.

IndicatorExpression
   Zero or one. A composition of observables. See Section 3.29.4.

IndicatorReference
   Zero or one. A reference to an indicator.

AdditionalData
   Zero or more. Mechanism by which to extend the data model. See Section 3.9.

The Indicator class MUST have exactly one instance of an Observable, IndicatorExpression, ObservableReference, or IndicatorReference class.

The StartTime and EndTime classes can be used to define an interval during which the indicator is valid. If both classes are present, the indicator is considered valid only during the described interval. If neither class is provided, the indicator is considered valid during any time interval. If only a StartTime is provided, the indicator is valid any time after this timestamp. If only an EndTime is provided, the indicator is valid any time prior to this timestamp.

The Indicator class has one attribute:

restriction
   Optional. ENUM. See Section 3.3.1.

3.29.1. IndicatorID Class

The IndicatorID class identifies an indicator with a globally unique identifier. The combination of the name and version attributes and the element content forms this identifier. Indicators generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

                Figure 52: The IndicatorID Class

The IndicatorID class has two attributes:

name
   Required. STRING. An identifier describing the CSIRT that created the indicator. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used. This format is identical to the IncidentID@name attribute in Section 3.4.

version
   Required. STRING. A version number of an indicator.

3.29.2. AlternativeIndicatorID Class

The AlternativeIndicatorID class lists alternative identifiers for an indicator.
   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   |                         |
   +-------------------------+

                Figure 53: The AlternativeIndicatorID Class

The aggregate class that constitutes AlternativeIndicatorID is:

IndicatorReference
   One or more. A reference to an indicator.

The AlternativeIndicatorID class has one attribute:

restriction
   Optional. ENUM. This attribute has been defined in Section 3.2.

3.29.3. Observable Class

The Observable class describes a feature or phenomenon that can be observed or measured for the purposes of detecting malicious behavior.

   +-------------------+
   | Observable        |
   +-------------------+
   |                   |<>--{0..1}--[ Address ]
   |                   |<>--{0..1}--[ DomainData ]
   |                   |<>--{0..1}--[ Service ]
   |                   |<>--{0..1}--[ EmailData ]
   |                   |<>--{0..1}--[ ApplicationHeader ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ HashData ]
   |                   |<>--{0..1}--[ RecordData ]
   |                   |<>--{0..1}--[ EventData ]
   |                   |<>--{0..1}--[ Incident ]
   |                   |<>--{0..*}--[ Expectation ]
   |                   |<>--{0..*}--[ Reference ]
   |                   |<>--{0..1}--[ Assessment ]
   |                   |<>--{0..1}--[ HistoryItem ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                Figure 54: The Observable Class

The aggregate classes that constitute Observable are:

Address
   Zero or one. An Address observable. See Section 3.20.1.

DomainData
   Zero or one. A DomainData observable. See Section 3.21.

Service
   Zero or one. A Service observable. See Section 3.22.

EmailData
   Zero or one. An EmailData observable. See Section 3.24.

ApplicationHeader
   Zero or one. An ApplicationHeader observable. See Section 3.22.1.

WindowsRegistryKeysModified
   Zero or one. A WindowsRegistryKeysModified observable. See Section 3.26.

HashData
   Zero or one. A HashData observable. See Section 3.27.

RecordData
   Zero or one. A RecordData observable. See Section 3.25.1.

EventData
   Zero or one. An EventData observable. See Section 3.16.

Incident
   Zero or one. An Incident observable. See Section 3.2.

Expectation
   Zero or one. An Expectation observable. See Section 3.17.

Reference
   Zero or one. A Reference observable. See Section 3.13.1.

Assessment
   Zero or one. An Assessment observable. See Section 3.14.

HistoryItem
   Zero or one. A HistoryItem observable. See Section 3.15.1.

AdditionalData
   Zero or more. Mechanism by which to extend the data model. See Section 3.9.

The Observable class MUST have exactly one of the possible child classes.

The Observable class has no attributes.

3.29.4. IndicatorExpression Class

The IndicatorExpression class describes an expression composed of observed phenomena or features, or indicators. Elements of the expression can be described directly, reference relevant data from other parts of a given IODEF document, or reference previously defined indicators.

All child classes of a given instance of IndicatorExpression form a boolean algebraic expression where the operator between them is determined by the operator attribute. Nesting an IndicatorExpression in itself is akin to a parenthesis in the expression.
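As an added example (not part of this specification), the following Python evaluates an Indicator against what a consumer has already observed: it applies the StartTime/EndTime validity rules of Section 3.29, requires exactly one of the four expression children, and walks a nested IndicatorExpression using the operators enumerated in this section. Because the draft leaves operator semantics to a TODO, the example assumes "not" takes exactly one operand, an absent operator means "and", and an n-ary "xor" is true for an odd number of true operands; the Indicator XML and the DomainData matcher are constructed for the sample.

```python
"""Evaluate an IODEF v2 Indicator (validity interval plus IndicatorExpression)."""
import xml.etree.ElementTree as ET
from datetime import datetime

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
EXPRESSION_CHOICE = ("Observable", "IndicatorExpression", "ObservableReference", "IndicatorReference")


def q(name):
    """Qualify an element name with the IODEF v2 namespace."""
    return f"{{{IODEF_NS}}}{name}"


def local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.split("}")[-1]


def parse_datetime(text):
    """Parse DATETIME content; a trailing 'Z' is mapped to +00:00 for fromisoformat."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def indicator_valid_at(indicator, when):
    """Section 3.29: bounded by StartTime/EndTime when present, otherwise always valid."""
    start = indicator.find(q("StartTime"))
    end = indicator.find(q("EndTime"))
    if start is not None and when < parse_datetime(start.text):
        return False
    if end is not None and when > parse_datetime(end.text):
        return False
    return True


def evaluate_operand(node, observed, matched_ids):
    """Truth value of one expression child, or None for children that carry none."""
    tag = local(node.tag)
    if tag == "IndicatorExpression":
        return evaluate_expression(node, observed, matched_ids)
    if tag == "Observable":
        return observed(node)  # caller-supplied matcher for directly described observables
    if tag == "ObservableReference":
        return node.get("uid-ref") in matched_ids  # resolved via observable-id values already matched
    if tag == "IndicatorReference":
        raise ValueError("IndicatorReference needs an indicator store; not resolved in this example")
    return None  # AdditionalData contributes no truth value


def evaluate_expression(expr, observed, matched_ids):
    """Combine the child truth values with the operator attribute (assumed default: and)."""
    operator = expr.get("operator", "and")
    operands = [v for v in (evaluate_operand(c, observed, matched_ids) for c in expr) if v is not None]
    if operator == "not":
        if len(operands) != 1:
            raise ValueError("'not' takes exactly one operand")
        return not operands[0]
    if not operands:
        raise ValueError("IndicatorExpression without operands")
    if operator == "and":
        return all(operands)
    if operator == "or":
        return any(operands)
    if operator == "xor":
        return sum(operands) % 2 == 1  # assumption: n-ary xor as odd parity
    raise ValueError(f"unknown operator {operator!r}")


def domain_observed(seen_domains):
    """Constructed matcher: an Observable matches when its DomainData/Name was seen."""
    def observed(observable):
        name = observable.find(f"{q('DomainData')}/{q('Name')}")
        return name is not None and (name.text or "").strip() in seen_domains
    return observed


def match_indicator(xml_text, when, matched_ids, seen_domains):
    """True only if the indicator is valid at `when` and its expression holds."""
    indicator = ET.fromstring(xml_text)
    choice = [c for c in indicator if local(c.tag) in EXPRESSION_CHOICE]
    if len(choice) != 1:
        raise ValueError("Indicator MUST have exactly one expression child")
    if not indicator_valid_at(indicator, when):
        return False
    return evaluate_operand(choice[0], domain_observed(seen_domains), matched_ids)


def evaluate_xml_expression(xml_text, matched_ids):
    """Evaluate a stand-alone IndicatorExpression that uses only ObservableReference children."""
    return evaluate_expression(ET.fromstring(xml_text), lambda _o: False, matched_ids)


# Constructed sample: "address addr-1 seen AND NOT the cleaned domain", valid in 2H 2014.
SAMPLE_INDICATOR = f"""<Indicator xmlns="{IODEF_NS}">
  <IndicatorID name="csirt.example.com" version="1">G-2014-07</IndicatorID>
  <StartTime>2014-07-01T00:00:00Z</StartTime>
  <EndTime>2014-12-31T23:59:59Z</EndTime>
  <IndicatorExpression operator="and">
    <ObservableReference uid-ref="addr-1"/>
    <IndicatorExpression operator="not">
      <Observable>
        <DomainData system-status="innocent-hacked" domain-status="assignedAndActive">
          <Name>cleaned.example.org</Name>
        </DomainData>
      </Observable>
    </IndicatorExpression>
  </IndicatorExpression>
</Indicator>"""

XOR_EXPRESSION = f"""<IndicatorExpression xmlns="{IODEF_NS}" operator="xor">
  <ObservableReference uid-ref="a"/><ObservableReference uid-ref="b"/>
</IndicatorExpression>"""
```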
3838 +--------------------------+ 3839 | IndicatorExpression | 3840 +--------------------------+ 3841 | ENUM operator |<>--{0..*}--[ IndicatorExpression ] 3842 | |<>--{0..*}--[ Observable ] 3843 | |<>--{0..*}--[ ObservableReference ] 3844 | |<>--{0..*}--[ IndicatorReference ] 3845 | |<>--{0..*}--[ AdditionalData ] 3846 +--------------------------+ 3848 Figure 55: The IndicatorExpression Class 3850 The aggregate classes that constitute IndicatorExpression are: 3852 IndicatorExpression 3853 Zero or more. An expression composed of other observables or 3854 indicators. 3856 Observable 3857 Zero or more. A description of an observable. 3859 ObservableReference 3860 Zero or more. A reference to another observable. 3862 IndicatorReference 3863 Zero or more. A reference to another indicator. 3865 AdditionalData 3866 Zero or more. Mechanism by which to extend the data model. See 3867 Section 3.9 3869 ... TODO Additional text is required to describe the valid 3870 combinations of classes and how the operator class should be applied 3871 ... 3873 The IndicatorExpression class has one attributes: 3875 operator 3876 Optional. ENUM. The operator to be applied between the child 3877 elements. 3879 1. not. negation operator. 3881 2. and. conjunction operator. 3883 3. or. disjunction operator. 3885 4. xor. exclusive disjunction operator. 3887 3.29.5. ObservableReference Class 3889 The ObservableReference describes a reference to an observable 3890 feature or phenomenon described elsewhere in the document. 3892 This class has no content. 3894 +-------------------------+ 3895 | ObservableReference | 3896 +-------------------------+ 3897 | EMPTY | 3898 | | 3899 | IDREF uid-ref | 3900 +-------------------------+ 3902 Figure 56: The ObservableReference Class 3904 The ObservableReference class has one attributes: 3906 uid-ref 3907 Required. IDREF. An identifier that serves as a reference to a 3908 class in the IODEF document. 
   The referenced class will have this identifier set in the observable-id attribute.

3.29.6. IndicatorReference Class

The IndicatorReference describes a reference to an indicator. This reference may be to an indicator described in the IODEF document or in a previously exchanged IODEF document.

+--------------------------+
| IndicatorReference       |
+--------------------------+
| EMPTY                    |
|                          |
| IDREF uid-ref            |
| STRING euid-ref          |
| STRING version           |
+--------------------------+

Figure 57: The IndicatorReference Class

The IndicatorReference class has three attributes:

uid-ref
   Optional. IDREF. An identifier that serves as a reference to an Indicator class in the IODEF document. The referenced Indicator class will have this identifier set in the IndicatorID class.

euid-ref
   Optional. STRING. An identifier that references an IndicatorID not in this IODEF document.

version
   Optional. STRING. A version number of an indicator.

Either the uid-ref or the euid-ref attribute MUST be set.

4. Processing Considerations

This section defines additional requirements on creating and parsing IODEF documents.

4.1. Encoding

Every IODEF document MUST begin with an XML declaration, and MUST specify the XML version used. If UTF-8 encoding is not used, the character encoding MUST also be explicitly specified. The IODEF conforms to all XML data encoding conventions and constraints.

The XML declaration with no character encoding will read as follows:

   <?xml version="1.0" ?>

When a character encoding is specified, the XML declaration will read like the following:

   <?xml version="1.0" encoding="charset" ?>

Where "charset" is the name of the character encoding as registered with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
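The operator semantics of Section 3.29.4 are still marked TODO above, and Sections 3.29.5 and 3.29.6 state the reference rules as MUSTs without showing them exercised. The following added example (not code from the draft) fixes one reading of the expression semantics and evaluates an Indicator end to end: it performs the Section 4.1 declaration check, resolves ObservableReference against observable-id and IndicatorReference against IndicatorID, treats a nested IndicatorExpression as parentheses, and rejects the cases the draft leaves undefined or forbids. Assumptions, labelled in the code as well: Indicator sits under Incident and its IndicatorID carries the identifier as element text; an absent operator means "and"; "not" takes exactly one operand; n-ary "xor" is parity; the truth value of an external indicator (euid-ref) is supplied by the caller; SAMPLE_DOC is constructed and is not validated against the schema.

```python
"""Evaluate an IODEF v2 IndicatorExpression (Sections 3.29.4 to 3.29.6) against the observables a
sensor matched. Added example, not the draft's code; SAMPLE_DOC is constructed, not schema-validated."""
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
q = lambda local: "{%s}%s" % (IODEF_NS, local)      # Clark-notation name in the IODEF 2.0 namespace
FOLD = {"and": all, "or": any, "xor": lambda v: sum(v) % 2 == 1}   # xor as parity: n-ary reading is an assumption

class IodefError(ValueError):
    """A MUST of the specification is violated."""

def check_declaration(raw):
    """4.1: the document MUST begin with an XML declaration that names the XML version."""
    if not re.match(rb'<\?xml\s+version=["\']', raw):
        raise IodefError("document does not begin with an XML declaration naming the version")

def index_ids(root):
    """IDREF targets: classes carrying observable-id (3.29.5) and each Indicator's expression keyed by its IndicatorID text (3.29.6; assumption)."""
    observables, indicators = {}, {}
    for el in root.iter():
        oid = el.get("observable-id")
        if oid is not None and observables.setdefault(oid, el) is not el:
            raise IodefError("duplicate observable-id %r" % oid)
    for ind in root.iter(q("Indicator")):
        iid, expr = (ind.findtext(q("IndicatorID")) or "").strip(), ind.find(q("IndicatorExpression"))
        if expr is None or indicators.setdefault(iid, expr) is not expr:
            raise IodefError("Indicator %r has no IndicatorExpression or duplicates another" % iid)
    return observables, indicators

def evaluate(expr, ctx, stack):
    """Fold the children of one IndicatorExpression with its operator; nesting acts as parentheses and `stack` rejects reference cycles."""
    observables, indicators, matched, external = ctx
    op = expr.get("operator", "and")                # assumption: an absent operator means conjunction
    if op != "not" and op not in FOLD:
        raise IodefError("unknown operator %r" % op)
    operands = []
    for child in expr:
        if child.tag == q("IndicatorExpression"):
            operands.append(evaluate(child, ctx, stack))
        elif child.tag == q("Observable"):
            if len(child) != 1:                     # 3.29.3: exactly one child class
                raise IodefError("Observable MUST have exactly one child class")
            operands.append(child[0].get("observable-id") in matched)
        elif child.tag == q("ObservableReference"):
            uid = child.get("uid-ref")
            if uid not in observables:
                raise IodefError("ObservableReference uid-ref %r does not resolve" % uid)
            operands.append(uid in matched)
        elif child.tag == q("IndicatorReference"):
            uid, euid = child.get("uid-ref"), child.get("euid-ref")
            if uid is None and euid is None:
                raise IodefError("IndicatorReference MUST set uid-ref or euid-ref")
            if uid is None:                         # previously exchanged indicator: the caller supplies its verdict
                key = (euid, child.get("version"))
                if key not in external:
                    raise IodefError("no verdict for external indicator %r" % (key,))
                operands.append(external[key])
            elif uid not in indicators:
                raise IodefError("IndicatorReference uid-ref %r does not resolve" % uid)
            elif uid in stack:
                raise IodefError("reference cycle through indicator %r" % uid)
            else:
                operands.append(evaluate(indicators[uid], ctx, stack + (uid,)))
        elif child.tag != q("AdditionalData"):      # extension data carries no truth value
            raise IodefError("unexpected child %s in IndicatorExpression" % child.tag)
    if op == "not":
        if len(operands) != 1:                      # other arities are undefined in the draft: reject them
            raise IodefError("'not' takes exactly one operand")
        return not operands[0]
    if not operands:
        raise IodefError("empty IndicatorExpression")
    return FOLD[op](operands)

def evaluate_indicator(raw, indicator_id, matched, external=None):
    """Verdict for the Indicator whose IndicatorID text is indicator_id; `matched` holds the observable-ids the sensor saw, `external` maps (euid-ref, version) to verdicts."""
    check_declaration(raw)
    root = ET.fromstring(raw)                       # stdlib parser: fetches neither external entities nor schemas
    observables, indicators = index_ids(root)
    if indicator_id not in indicators:
        raise IodefError("no Indicator %r in document" % indicator_id)
    ctx = (observables, indicators, frozenset(matched), external or {})
    return evaluate(indicators[indicator_id], ctx, (indicator_id,))

# Constructed sample: ind-2 references ind-1, negates a nested Observable and consults an earlier-exchanged indicator.
SAMPLE_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0"><Incident purpose="reporting">
 <IncidentID name="csirt.example.com">189493</IncidentID>
 <EventData><Flow><System category="source"><Node><Address category="ipv4-addr" observable-id="src">192.0.2.200</Address></Node></System></Flow></EventData>
 <Indicator><IndicatorID name="csirt.example.com" version="1">ind-1</IndicatorID>
  <IndicatorExpression operator="and"><ObservableReference uid-ref="src"/>
   <Observable><Address category="ipv4-addr" observable-id="c2">192.0.2.241</Address></Observable>
  </IndicatorExpression></Indicator>
 <Indicator><IndicatorID name="csirt.example.com" version="1">ind-2</IndicatorID>
  <IndicatorExpression operator="or"><IndicatorReference uid-ref="ind-1"/>
   <IndicatorExpression operator="not"><Observable><Address category="ipv4-net" observable-id="scan">192.0.2.16/28</Address></Observable></IndicatorExpression>
   <IndicatorReference euid-ref="partner-feed:77" version="3"/>
  </IndicatorExpression></Indicator>
</Incident></IODEF-Document>"""
```

With only "src" matched, ind-1 (src and c2) is false, while ind-2 is true because the negated "scan" observable did not match. All operands are evaluated before folding, so a missing verdict for the external indicator is an error rather than being silently short-circuited away, which is the behaviour a detection pipeline wants when a partner feed is unavailable.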
The following characters have special meaning in XML and MUST be escaped with their entity reference equivalent: "&", "<", ">", "\"" (double quotation mark), and "'" (apostrophe). These entity references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;" respectively.

4.2. IODEF Namespace

The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS]. Each IODEF document MUST include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute. An example of such a declaration would look as follows:

[The example declaration and the text between it and the end of Section 5.1 are missing from this copy.]

A given extension attribute MUST NOT be set unless the corresponding extensible attribute has been set to "ext-value".

5.2. Extending Classes

The classes of the data model can be extended only through the use of the AdditionalData and RecordItem classes. These container classes, collectively referred to as the extensible classes, are implemented with the iodef:ExtensionType data type in the schema. They provide the ability to have new atomic or XML-encoded data elements in all of the top-level classes of the Incident class and a few of the more complicated subordinate classes. As there are multiple instances of the extensible classes in the data model, there is discretion on where to add a new data element. It is RECOMMENDED that the extension be placed in the class most closely related to the new information.

Extensions using the atomic data types (i.e., all values of the dtype attribute other than "xml") MUST:

1. Set the element content of the extensible class to the desired value, and

2. Set the dtype attribute to correspond to the data type of the element content.

The following guidelines exist for extensions using XML:

1. The element content of the extensible class MUST be set to the desired value and the dtype attribute MUST be set to "xml".

2.
The extension schema MUST declare a separate namespace. It is RECOMMENDED that these extensions have the prefix "iodef-". This recommendation makes the document easier to read by allowing the reader to infer which namespaces relate to IODEF by inspection.

3. It is RECOMMENDED that extension schemas follow the naming convention of the IODEF data model. This makes reading an extended IODEF document look like any other IODEF document. The names of all elements are capitalized. For elements with composed names, a capital letter is used for each word. Attribute names are lower case. Attributes with composed names are separated by a hyphen.

4. Parsers that encounter an unrecognized element in a namespace that they do support MUST reject the document as a syntax error.

5. There are security and performance implications in requiring implementations to dynamically download schemas at run time. Thus, implementations SHOULD NOT download schemas at runtime, unless they take appropriate precautions and are prepared for potentially significant network, processing, and time-out demands.

6. Some users of the IODEF may have private schema definitions that might not be available on the Internet. In this situation, if an IODEF document leaks out of the private use space, references to some of those document schemas may not be resolvable. The implication is that references to private schemas may never resolve. As such, in addition to the advice above that implementations do not download schemas at runtime, recipients MUST be prepared for a schema definition in an IODEF document never to resolve.

The following schema and XML document excerpt provide a template for an extension schema and its use in the IODEF document.
This example schema defines a namespace of "iodef-extension1" and a single element named "newdata".

[The schema did not survive extraction. The only parts of it that are recoverable are the attributes attributeFormDefault="unqualified" and elementFormDefault="qualified" on its xs:schema element.]

The following XML excerpt demonstrates the use of the above schema as an extension to the IODEF.

[The excerpt did not survive extraction. The only part of it that is recoverable is the content of the newdata element, "Field that could not be represented elsewhere".]

7. Examples

[The XML markup of the examples in this section did not survive extraction; for each example, the element content that is recoverable is listed in document order.]

7.1. Worm

(The heading and introductory sentence of this example did not survive extraction; the title follows the corresponding example of RFC 5070, which this document revises.)

Recoverable content of the example:

   IncidentID: 189493
   ReportTime: 2001-09-13T23:19:24+00:00
   Description: Host sending out Code Red probes
   Contact: Example.com CSIRT, registry handle example-com, contact@csirt.example.com
   Source system: 192.0.2.200, counter 57
   Target system: 192.0.2.16/28, port 80
   Record (2001-09-13T18:11:21+02:00, "Web-server logs"):
      192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   Record URL: http://mylogs.example.com/logs/httpd_access
   History (2001-09-14T08:19:01+00:00): Notification sent to constituency-contact@192.0.2.200
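The rules of Sections 5.1 and 5.2, applied by an added checker (not the draft's code) that a recipient can run on a document shaped like the example in 7.1 before acting on it. It parses with the standard library, which does not fetch the schemas named in xsi:schemaLocation (guidelines 5 and 6), turns each MUST into a rejection (the ext- attribute rule of 5.1, dtype agreeing with the content, a separate namespace for XML extensions, an unrecognized element in a namespace the parser claims to support), and reports the RECOMMENDED conventions (the "iodef-" prefix, capitalized element names) as warnings. The extension namespace iodef-extension1 and its element newdata come from Section 5.2; the namespace urn:example:other, the list of atomic dtype values (taken from IODEF v1), and the sample documents are constructed assumptions.

```python
"""Check an IODEF v2 document against the extension rules of Sections 5.1 and 5.2 before acting on it.
Added example, not the draft's code. xml.etree never fetches the schemas named in xsi:schemaLocation
(guidelines 5 and 6). Sample documents are constructed; the atomic dtype list is an assumption."""
import io
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
EXTENSIBLE = {"AdditionalData", "RecordItem"}        # the extensible classes (iodef:ExtensionType)
ATOMIC = {"boolean", "byte", "character", "date-time", "integer", "portlist", "real", "string", "file",
          "frame", "packet", "ipv4-packet", "ipv6-packet", "path", "sha1-hash", "md5-hash", "url",
          "csv", "winreg"}                            # assumption: the IODEF v1 dtype values other than xml
LEXICAL = {"integer": lambda s: s.lstrip("-").isdigit(), "boolean": lambda s: s in ("true", "false", "1", "0")}
local = lambda tag: tag.rsplit("}", 1)[-1]
ns_of = lambda tag: tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


class ExtensionError(ValueError):
    """A MUST of Section 5 is violated: reject the document as a syntax error."""


def parse_with_prefixes(raw):
    """Parse and keep the declared namespace prefixes, which ElementTree otherwise drops."""
    prefixes, root = {}, None
    for event, payload in ET.iterparse(io.BytesIO(raw), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes.setdefault(payload[1], set()).add(payload[0])
        elif root is None:
            root = payload
    return root, prefixes


def check_ext_attributes(el):
    """5.1: an ext-<name> attribute MUST NOT be set unless <name> is "ext-value"."""
    for name in el.attrib:
        if name.startswith("ext-") and el.get(name[4:]) != "ext-value":
            raise ExtensionError("%s: %s is set but %s is %r" % (local(el.tag), name, name[4:], el.get(name[4:])))


def check_extensible(el, prefixes, supported, warnings):
    """5.2: content and dtype MUST agree; XML extensions MUST live in their own namespace."""
    dtype, text = el.get("dtype"), (el.text or "").strip()
    if dtype == "xml":
        if len(el) == 0:
            raise ExtensionError('%s: dtype="xml" without element content' % local(el.tag))
        for child in el:
            ns, name = ns_of(child.tag), local(child.tag)
            if ns in ("", IODEF_NS):
                raise ExtensionError("%s: extension element does not declare a separate namespace" % name)
            if ns in supported and name not in supported[ns]:                  # guideline 4
                raise ExtensionError("%s: unrecognized element in supported namespace %s" % (name, ns))
            if not any(p.startswith("iodef-") for p in prefixes.get(ns, ())):  # guideline 2, RECOMMENDED
                warnings.append("namespace %s is not bound to an 'iodef-' prefix" % ns)
            if not name[:1].isupper():                                         # guideline 3, RECOMMENDED
                warnings.append("%s: extension element names are capitalized in the IODEF convention" % name)
    elif dtype in ATOMIC:
        if len(el) or not text:
            raise ExtensionError("%s: dtype=%r needs character content and no child elements" % (local(el.tag), dtype))
        if dtype in LEXICAL and not LEXICAL[dtype](text):
            raise ExtensionError("%s: %r is not a valid %s" % (local(el.tag), text, dtype))
    elif dtype != "ext-value":                       # ext-value is covered by check_ext_attributes
        raise ExtensionError("%s: missing or unknown dtype %r" % (local(el.tag), dtype))


def validate_extensions(raw, supported=None):
    """Return the RECOMMENDED-level warnings; raise ExtensionError on any MUST violation."""
    root, prefixes = parse_with_prefixes(raw)
    if root.tag != "{%s}IODEF-Document" % IODEF_NS:
        raise ExtensionError("root element is not IODEF-Document in %s" % IODEF_NS)
    if root.get("{%s}schemaLocation" % XSI_NS) is None:            # 4.2 MUST
        raise ExtensionError("xsi:schemaLocation is missing")
    warnings = []
    for el in root.iter():
        check_ext_attributes(el)
        if ns_of(el.tag) == IODEF_NS and local(el.tag) in EXTENSIBLE:
            check_extensible(el, prefixes, supported or {}, warnings)
    return warnings


def document(body):
    """Constructed minimal IODEF 2.0 document with `body` placed inside its Incident."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0"\n'
            '    xmlns:iodef-extension1="iodef-extension1" xmlns:x="urn:example:other"\n'
            '    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
            '    xsi:schemaLocation="urn:ietf:params:xml:ns:iodef-2.0 urn:ietf:params:xml:schema:iodef-2.0'
            ' iodef-extension1 iodef-extension1.xsd">\n'
            '  <Incident purpose="reporting"><IncidentID name="csirt.example.com">189493</IncidentID>\n'
            '  %s\n  </Incident>\n</IODEF-Document>' % body).encode("utf-8")


SUPPORTED = {"iodef-extension1": {"newdata"}}        # the one extension this parser claims to support
GOOD = document('<AdditionalData dtype="xml"><iodef-extension1:newdata>Field that could not be '
                'represented elsewhere</iodef-extension1:newdata></AdditionalData>'
                '<AdditionalData dtype="integer" meaning="probe-count">57</AdditionalData>')
BAD_EXT_ATTR = document('<AdditionalData dtype="string" ext-dtype="custom">x</AdditionalData>')
BAD_NAMESPACE = document('<AdditionalData dtype="xml"><Description>x</Description></AdditionalData>')
BAD_UNKNOWN = document('<AdditionalData dtype="xml"><iodef-extension1:other/></AdditionalData>')
OTHER_PREFIX = document('<AdditionalData dtype="xml"><x:Marker/></AdditionalData>')
```

Note that the draft's own template element "newdata" trips the guideline 3 warning, since extension element names are expected to be capitalized. Guideline 4 only bites for namespaces the parser declares in `supported`: an unknown element in a namespace it does not claim to understand is passed through, which is what lets a document carrying somebody else's private extension still be processed.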
7.2. Reconnaissance

An example of a CSIRT reporting a scanning activity.

Recoverable content of the example:

   IncidentID: 59334
   ReportTime: 2006-08-02T05:54:02-05:00
   Method: nmap, http://nmap.toolsite.example.com
   Contact: CSIRT for example.com, contact@csirt.example.com, +1 412 555 12345; Joe Smith, smith@csirt.example.com
   Source systems: 192.0.2.200 (ports 60524,60526,60527,60531); 192.0.2.201 (ports 137-139,445)
   Target systems: 192.0.2.240; 192.0.2.64/28 (port 445)
7.3. Bot-Net Reporting

An example of a CSIRT reporting a bot-network.

Recoverable content of the example:

   IncidentID: 908711
   ReportTime: 2006-06-08T05:44:53-05:00
   Description: Large bot-net
   Method: GT Bot; Reference CA-2003-22, http://www.cert.org/advisories/CA-2003-22.html, "Root compromise via this IE vulnerability to install the GT Bot"
   Contact: Joe Smith, jsmith@csirt.example.com
   Description: These hosts are compromised and acting as bots communicating with irc.example.com.
   Source systems: 192.0.2.1 (counter 10000, "bot"); 192.0.2.3 (counter 250000, "bot")
   Intermediate system: irc.example.com, 192.0.2.20, 2006-06-08T01:01:03-05:00, "IRC server on #give-me-cmd channel"
   Expectation: Confirm the source and take machines off-line and remediate
7.4. Watch List

An example of a CSIRT conveying a watch-list.

Recoverable content of the example:

   IncidentID: 908711
   ReportTime: 2006-08-01T00:00:00-05:00
   Description: Watch-list of known bad IPs or networks
   Contact: CSIRT for example.com, contact@csirt.example.com
   Entries:
      192.0.2.53: Source of numerous attacks
      192.0.2.16/28: Source of heavy scanning over past 1-month
      192.0.2.241: C2 IRC server
8. The IODEF Schema

[The XML Schema that makes up this section did not survive extraction. The only text recoverable from it is the schema's documentation string, "Incident Object Description Exchange Format v2.0, RFC5070-bis".]
9. Security Considerations

The IODEF data model itself does not directly introduce security issues. Rather, it simply defines a representation for incident information. As the data encoded by the IODEF might be considered privacy sensitive by the parties exchanging the information or by those described by it, care needs to be taken to ensure appropriate disclosure during both document exchange and subsequent processing. The former must be handled by a messaging format, but the latter risk must be addressed by the systems that process, store, and archive IODEF documents and information derived from them.

Executable content could be embedded into the IODEF document directly or through an extension. The IODEF parser should handle this content with care to prevent unintentional automated execution.

The contents of an IODEF document may include a request for action, or an IODEF parser may independently have logic to take certain actions based on information that it finds. For this reason, care must be taken by the parser to properly authenticate the source of the document and ascribe an appropriate confidence to the data prior to action.

The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged.
The Real-time Inter-network Defense (RID) protocol [RFC6545] and its associated transport binding, IODEF/RID over HTTP/TLS [RFC6546], provide such security.

In order to suggest data processing and handling guidelines for the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies. While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it. The issue of enforcement is not a technical problem.

10. IANA Considerations

This document uses URNs to describe an XML namespace and schema conforming to the registry mechanism described in [RFC3688].

Registration for the IODEF namespace:

o URI: urn:ietf:params:xml:ns:iodef-2.0

o Registrant Contact: See the first author of the "Authors' Addresses" section of this document.

o XML: None. Namespace URIs do not represent an XML specification.

Registration for the IODEF XML schema:

o URI: urn:ietf:params:xml:schema:iodef-2.0

o Registrant Contact: See the first author of the "Authors' Addresses" section of this document.

o XML: See the "IODEF Schema" in Section 8 of this document.

11. Acknowledgments

The following groups and individuals, listed alphabetically, contributed substantially to this document and should be recognized for their efforts.

o Patrick Cain, Cooper-Cain Group, Inc.

o Kathleen Moriarty, EMC Corporation

o Brian Trammell, ETH Zurich

o ... TODO many more to add ...

12. References

12.1. Normative References

[W3C.XML] World Wide Web Consortium, "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C Recommendation, October 2000.
[W3C.SCHEMA] World Wide Web Consortium, "XML Schema Part 1: Structures Second Edition", W3C Recommendation, October 2004.

[W3C.SCHEMA.DTYPES] World Wide Web Consortium, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation, October 2004.

[W3C.XMLNS] World Wide Web Consortium, "Namespaces in XML", W3C Recommendation, January 1999.

[W3C.XPATH] World Wide Web Consortium, "XML Path Language (XPath) 2.0", W3C Candidate Recommendation, June 2006.

[IEEE.POSIX] Institute of Electrical and Electronics Engineers, "Information Technology - Portable Operating System Interface (POSIX) - Part 1: Base Definitions", IEEE 1003.1, June 2001.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC4646] Phillips, A. and M. Davis, "Tags for Identifying Languages", RFC 4646, September 2006.

[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", RFC 3986, January 2005.

[RFC2978] Freed, N. and J. Postel, "IANA Charset Registration Procedures", BCP 19, RFC 2978, October 2000.

[RFC4519] Sciberras, A., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC 4519, June 2006.

[RFC5322] Resnick, P., "Internet Message Format", RFC 5322, October 2008.

[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July 2002.

[ISO8601] International Organization for Standardization, "International Standard: Data elements and interchange formats - Information interchange - Representation of dates and times", ISO 8601, Second Edition, December 2000.

[ISO4217] International Organization for Standardization, "International Standard: Codes for the representation of currencies and funds", ISO 4217:2001, August 2001.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004.

[RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002.

[IANA.Ports] Internet Assigned Numbers Authority, "Service Name and Transport Protocol Port Number Registry", January 2014.

[IANA.Protocols] Internet Assigned Numbers Authority, "Assigned Internet Protocol Numbers", January 2014.

12.2. Informative References

[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, December 2007.

[refs.requirements] Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements for the Format for Incident Information Exchange (FINE)", Work in Progress, June 2006.

[RFC4765] Debar, H., Curry, D., and B. Feinstein, "The Intrusion Detection Message Exchange Format (IDMEF)", RFC 4765, March 2007.

[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, April 2012.

[RFC6546] Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, April 2012.

[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document Class for Reporting Phishing", RFC 5901, July 2010.

[NIST800.61rev2] Cichonski, P., Millar, T., Grance, T., and K. Scarfone, "NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide", January 2012.

[RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg) Type for the Internet Registry Information Service (IRIS)", RFC 3982, January 2005.

[KB310516] Microsoft Corporation, "How to add, modify, or delete registry subkeys and values by using a registration entries (.reg) file", December 2007.
[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, October 2005.

Authors' Addresses

Roman Danyliw
CERT - Software Engineering Institute
Pittsburgh, PA
USA

EMail: rdd@cert.org

Paul Stoecker
RSA
Reston, VA
USA

EMail: paul.stoecker@rsa.com