MILE Working Group                                           R. Danyliw
Internet-Draft                                                     CERT
Obsoletes: 5070 (if approved)                               P. Stoecker
Intended status: Standards Track                                    RSA
Expires: February 6, 2015                                August 5, 2014

           The Incident Object Description Exchange Format v2
                     draft-ietf-mile-rfc5070-bis-08

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for sharing information commonly exchanged by
   Computer Security Incident Response Teams (CSIRTs) about computer
   security incidents.  This document describes the information model
   for the IODEF and provides an associated data model specified with
   XML Schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 6, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.
Table of Contents

   1.  Introduction
     1.1.  Changes from 5070
     1.2.  Terminology
     1.3.  Notations
     1.4.  About the IODEF Data Model
     1.5.  About the IODEF Implementation
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Bytes
     2.6.  Hexadecimal Bytes
     2.7.  Enumerated Types
     2.8.  Date-Time Strings
     2.9.  Timezone String
     2.10.  Port Lists
     2.11.  Postal Address
     2.12.  Person or Organization
     2.13.  Telephone and Fax Numbers
     2.14.  Email String
     2.15.  Uniform Resource Locator strings
     2.16.  Identifiers and Identifier References
   3.  The IODEF Data Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  Common Attributes
       3.3.1.  restriction Attribute
       3.3.2.  observable-id Attribute
     3.4.  IncidentID Class
     3.5.  AlternativeID Class
     3.6.  RelatedActivity Class
     3.7.  ThreatActor Class
     3.8.  Campaign Class
     3.9.  AdditionalData Class
     3.10.  Contact Class
       3.10.1.  RegistryHandle Class
       3.10.2.  PostalAddress Class
       3.10.3.  Email Class
       3.10.4.  Telephone and Fax Classes
     3.11.  Time Classes
       3.11.1.  StartTime Class
       3.11.2.  EndTime Class
       3.11.3.  DetectTime Class
       3.11.4.  ReportTime Class
       3.11.5.  DateTime
     3.12.  Discovery Class
       3.12.1.  DetectionPattern Class
     3.13.  Method Class
       3.13.1.  Reference Class
     3.14.  Assessment Class
       3.14.1.  Impact Class
       3.14.2.  BusinessImpact Class
       3.14.3.  TimeImpact Class
       3.14.4.  MonetaryImpact Class
       3.14.5.  Confidence Class
     3.15.  History Class
       3.15.1.  HistoryItem Class
     3.16.  EventData Class
       3.16.1.  Relating the Incident and EventData Classes
       3.16.2.  Cardinality of EventData
     3.17.  Expectation Class
     3.18.  Flow Class
     3.19.  System Class
     3.20.  Node Class
       3.20.1.  Address Class
       3.20.2.  NodeRole Class
       3.20.3.  Counter Class
     3.21.  DomainData Class
       3.21.1.  RelatedDNS
       3.21.2.  Nameservers Class
       3.21.3.  DomainContacts Class
     3.22.  Service Class
       3.22.1.  ApplicationHeader Class
       3.22.2.  Application Class
     3.23.  OperatingSystem Class
     3.24.  EmailData Class
     3.25.  Record Class
       3.25.1.  RecordData Class
       3.25.2.  RecordPattern Class
       3.25.3.  RecordItem Class
     3.26.  WindowsRegistryKeysModified Class
       3.26.1.  Key Class
     3.27.  HashData Class
     3.28.  IndicatorData Class
     3.29.  Indicator Class
       3.29.1.  IndicatorID Class
       3.29.2.  AlternativeIndicatorID Class
       3.29.3.  Observable Class
       3.29.4.  IndicatorExpression Class
       3.29.5.  ObservableReference Class
       3.29.6.  IndicatorReference Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
     4.4.  Incompatibilities with v1
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
     5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
     7.1.  Worm
     7.2.  Reconnaissance
     7.3.  Bot-Net Reporting
     7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10.  IANA Considerations
   11.  Acknowledgments
   12.  References
     12.1.  Normative References
     12.2.  Informative References

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a bot-
   network, or sharing watch-lists of known malicious IP addresses in a
   consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).  It
   provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.

   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.
   This structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since the
      resources of security analysts to parse free-form textual
      documents will be reduced;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 Errata were implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The @indicator-* attributes were added to various classes to
      reference commonly shared indicators.

   o  The following class was added to IODEF-Document: AdditionalData.

   o  The following class was added to Incident: IndicatorData.

   o  The following class was added to Incident and EventData:
      Discovery.
   o  The following classes and attributes were added to the Service
      class: EmailData, DomainData, AssetID, ApplicationHeader,
      @virtual, and @ownership.  Service@ip_protocol was renamed to
      @ip-protocol.

   o  The following classes were added to the Record class: HashData and
      WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following classes were added to Assessment: BusinessImpact and
      MitigatingFactor.

   o  The following classes were added to Node: PostalAddress and
      DomainData.  The following classes were removed from Node:
      NodeName and DateTime.

   o  The following class was added to the Contact class: ContactTitle.

   o  The following class was added to Expectation and HistoryItem:
      DefinedCOA.

   o  (for consideration) The following attribute was added to the
      SoftwareType complexType: user-agent.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, System@spoofed.

1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.
   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.  The
   term "IODEF document" will be used to refer to specific elements and
   attributes of the IODEF schema.  The terms "class" and "element" will
   be used interchangeably to reference either the corresponding data
   element in the information or data models, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for on-
      disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise, widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.  It ensures that there are ample mechanisms for
      extensibility to support organization-specific information, and
      techniques to reference information kept outside of the explicit
      data model.

   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content, while
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security-relevant data
      representations being standardized.
      Attempts were made to ensure they were complementary.  The data
      model of the Intrusion Detection Message Exchange Format [RFC4765]
      influenced the design of the IODEF.

   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [refs.requirements].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.  When possible, native Schema
   data types were adopted, but for more complicated formats, regular
   expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external
   standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.  Integer data
   MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" in
   [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.  Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" in
   [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.
   See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   STRING data that represents multi-character attributes in a language
   different than the default encoding of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as an "iodef:MLStringType" in
   the schema.

2.5.  Bytes

   A binary octet is represented by the BYTE data type.  A sequence of
   binary octets is represented by the BYTE[] data type.  These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" in
   [W3C.SCHEMA.DTYPES].

2.6.  Hexadecimal Bytes

   A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
   This octet is encoded as a character tuple consisting of two
   hexadecimal digits.

   The HEXBIN data type is implemented as an "xs:hexBinary" in
   [W3C.SCHEMA.DTYPES].

2.7.  Enumerated Types

   Enumerated types are represented by the ENUM data type, and consist
   of an ordered list of acceptable values.  Each value has a
   representative keyword.  Within the IODEF schema, the enumerated type
   keywords are used as attribute values.

   The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
   schema.

2.8.  Date-Time Strings

   Date-time strings are represented by the DATETIME data type.  Each
   date-time string identifies a particular instant in time.  Ranges are
   not supported.

   Date-time strings are formatted according to a subset of [ISO8601]
   documented in [RFC3339].

   The DATETIME data type is implemented as an "xs:dateTime" in the
   schema.

2.9.  Timezone String

   A timezone offset from UTC is represented by the TIMEZONE data type.
   It is formatted according to the following regular expression:
   "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
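   The TIMEZONE pattern above, the DATETIME form of Section 2.8, and the
   PORTLIST pattern defined in Section 2.10 are lexical constraints only:
   a string can match the regular expression and still not denote a valid
   offset, a real instant, or a usable set of ports.  The Python below is
   an added illustration of what a receiving implementation has to check
   beyond the regular expressions; it is not code from this draft or from
   any IODEF implementation, and it assumes nothing beyond the Python
   standard library.  The inputs in the test are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Patterns copied from Section 2.9 (TIMEZONE) and Section 2.10 (PORTLIST).
TIMEZONE_RE = re.compile(r"^(?:Z|[\+\-](?:0[0-9]|1[0-4]):[0-5][0-9])$")
PORTLIST_RE = re.compile(r"^\d+(?:\-\d+)?(?:,\d+(?:\-\d+)?)*$")
# RFC 3339 date-time (Section 2.8) whose trailing offset has the same
# lexical form as TIMEZONE; "Z" or "+hh:mm"/"-hh:mm" is mandatory here.
DATETIME_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d+)?"
    r"(Z|[\+\-](?:0[0-9]|1[0-4]):[0-5][0-9])$")


def parse_timezone(text):
    """Return the UTC offset as a timedelta, or None if not a TIMEZONE.

    xs:dateTime additionally limits offsets to -14:00..+14:00, so a value
    such as "+14:30" matches the pattern but is rejected here."""
    if not TIMEZONE_RE.match(text):
        return None
    if text == "Z":
        return timedelta(0)
    sign = -1 if text[0] == "-" else 1
    hours, minutes = int(text[1:3]), int(text[4:6])
    if hours == 14 and minutes != 0:
        return None
    return sign * timedelta(hours=hours, minutes=minutes)


def parse_datetime(text):
    """Parse a DATETIME into an aware datetime, or None if invalid.

    The regex alone accepts impossible dates such as 2014-02-30; building
    a datetime object catches those."""
    m = DATETIME_RE.match(text)
    if not m:
        return None
    offset = parse_timezone(m.group(8))
    if offset is None:
        return None
    frac = m.group(7)
    micro = int((frac[1:7] if frac else "0").ljust(6, "0"))
    try:
        return datetime(*(int(g) for g in m.groups()[:6]), micro,
                        tzinfo=timezone(offset))
    except ValueError:
        return None


def parse_portlist(text):
    """Expand a PORTLIST into a sorted list of ports, or None if invalid.

    The regex neither bounds port numbers nor orders ranges, so "70000"
    and "15-5" both match it and are rejected after the match."""
    if not PORTLIST_RE.match(text):
        return None
    ports = set()
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):
            return None
        ports.update(range(lo, hi + 1))
    return sorted(ports)
```

   The point of the post-match checks is that a schema-valid document is
   not automatically a sane one: a validating parser will pass a
   PORTLIST of "15-5" or a DATETIME of "2014-02-30T00:00:00Z" straight
   into incident-handling logic unless the receiver adds these semantic
   checks itself.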
   The TIMEZONE data type is implemented as an "xs:string" with a
   regular expression constraint in [W3C.SCHEMA.DTYPES].  This regular
   expression matches the lexical form of the timezone portion of an
   "xs:dateTime"; note that "xs:dateTime" additionally restricts the
   offset to the range -14:00 through +14:00, so a value such as
   "+14:30" matches this pattern but is not a valid "xs:dateTime"
   offset.

2.10.  Port Lists

   A list of network ports is represented by the PORTLIST data type.  A
   PORTLIST consists of a comma-separated list of numbers and ranges
   (N-M means ports N through M, inclusive).  It is formatted according
   to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
   For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.

2.11.  Postal Address

   A postal address is represented by the POSTAL data type.  This data
   type is an ML_STRING whose format is documented in Section 2.23 of
   [RFC4519].  It defines a postal address as a free-form multi-line
   string separated by the "$" character.

   The POSTAL data type is implemented as an "xs:string" in the schema.

2.12.  Person or Organization

   The name of an individual or organization is represented by the NAME
   data type.  This data type is an ML_STRING whose format is documented
   in Section 2.3 of [RFC4519].

   The NAME data type is implemented as an "xs:string" in the schema.

2.13.  Telephone and Fax Numbers

   A telephone or fax number is represented by the PHONE data type.  The
   format of the PHONE data type is documented in Section 2.35 of
   [RFC4519].

   The PHONE data type is implemented as an "xs:string" in the schema.

2.14.  Email String

   An email address is represented by the EMAIL data type.  The format
   of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" in the schema.

2.16.  Identifiers and Identifier References

   An identifier unique to the Document is represented by the ID data
   type.  A reference to this identifier is represented by the IDREF
   data type.  The acceptable format of ID and IDREF is documented in
   Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

   The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
   in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   are discussed in detail.  For each class, the semantics are described
   and the relationship with other classes is depicted with UML.  When
   necessary, specific comments are made about the corresponding
   definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top-level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

                      Figure 1: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   lang
      Required.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   formatid
      Optional.  STRING.
      A free-form string to convey processing instructions to the
      recipient of the document.  Its semantics must be negotiated
      out-of-band.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM lang               |<>--{0..*}--[ RelatedActivity ]
   | ENUM restriction        |<>--{0..1}--[ DetectTime ]
   | STRING observable-id    |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>----------[ ReportTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 2: The Incident Class

   The aggregate classes that constitute Incident are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.

   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   ReportTime
      One.  The time the incident was reported.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.

   Assessment
      One or more.
      A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

   EventData
      Zero or more.  Description of the events comprising the incident.

   IndicatorData
      Zero or more.  Description of indicators.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has five attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.17).  This attribute is defined as an
      enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.  The document was sent to convey indicators to watch
          for particular activity.

      5.  other.  The document was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.

   lang
      Optional.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.3.  Common Attributes

   There are a number of recurring attributes used by the data model.
   They are documented in this section.

3.3.1.  restriction Attribute

   The restriction attribute indicates the disclosure guidelines to
   which the sender expects the recipient to adhere for the information
   represented in this class and its children.  This guideline provides
   no security, since there are no specified technical means to ensure
   that the recipient of the document handles the information as the
   sender requested; it is a handling marking, not an access control.

   The value of this attribute is logically inherited by the children of
   this class.  That is to say, the disclosure rules applied to this
   class also apply to its children.

   It is possible to set a granular disclosure policy, since all of the
   high-level classes (i.e., children of the Incident class) have a
   restriction attribute.  Therefore, a child can override the
   guidelines of a parent class, be it to restrict or relax the
   disclosure rules (e.g., a child has a weaker policy than an ancestor;
   or an ancestor has a weak policy, and the children selectively apply
   more rigid controls).  The implicit value of the restriction
   attribute for a class that did not specify one can be found in the
   closest ancestor that did specify a value.

   This attribute is defined as an enumerated value with a default value
   of "private".  Note that the default value of the restriction
   attribute is only defined in the context of the Incident class.  In
   other classes where this attribute is used, no default is specified.

   1.  public.  The information can be freely distributed without
       restriction.

   2.  partner.  The information may be shared within a closed community
       of peers, partners, or affected parties, but cannot be openly
       published.

   3.  need-to-know.  The information may be shared only within the
       organization with individuals that have a need to know.

   4.  private.  The information may not be shared.

   5.  default.  The information can be shared according to an
       information disclosure policy pre-arranged by the communicating
       parties.

   6.  white.  Same as 'public'.

   7.  green.  Same as 'partner'.

   8.  amber.  Same as 'need-to-know'.

   9.  red.  Same as 'private'.

3.3.2.  observable-id Attribute

   Information included in an incident report may be an observable
   relevant to an indicator.  The observable-id attribute provides a
   unique identifier in the scope of the document for this observable.
   This identifier can then be used to reference the observable with an
   ObservableReference class to define an indicator in the IndicatorData
   class.

3.4.  IncidentID Class

   The IncidentID class represents an incident tracking number that is
   unique in the context of the CSIRT and identifies the activity
   characterized in an IODEF Document.  This identifier would serve as
   an index into the CSIRT incident handling system.  The combination of
   the name attribute and the string in the element content MUST be a
   globally unique identifier describing the activity.  Documents
   generated by a given CSIRT MUST NOT reuse the same value unless they
   are referencing the same incident.

   +------------------+
   | IncidentID       |
   +------------------+
   | STRING           |
   |                  |
   | STRING name      |
   | STRING instance  |
   | ENUM restriction |
   +------------------+

                     Figure 3: The IncidentID Class

   The IncidentID class has three attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the document.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.

   instance
      Optional.  STRING.  An identifier referencing a subset of the
      named incident.

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "public".
AlternativeID Class 806 The AlternativeID class lists the incident tracking numbers used by 807 CSIRTs, other than the one generating the document, to refer to the 808 identical activity described in the IODEF document. A tracking 809 number listed as an AlternativeID references the same incident 810 detected by another CSIRT. The incident tracking numbers of the 811 CSIRT that generated the IODEF document must never be considered an 812 AlternativeID. 814 +------------------+ 815 | AlternativeID | 816 +------------------+ 817 | ENUM restriction |<>--{1..*}--[ IncidentID ] 818 | | 819 +------------------+ 821 Figure 4: The AlternativeID Class 823 The aggregate class that constitutes AlternativeID is: 825 IncidentID 826 One or more. The incident tracking number of another CSIRT. 828 The AlternativeID class has one attribute: 830 restriction 831 Optional. ENUM. This attribute has been defined in Section 3.2. 833 3.6. RelatedActivity Class 835 The RelatedActivity class relates the information described in the 836 rest of the IODEF document to previously observed incidents or 837 activity; and allows attribution to a specific actor or campaign. 839 +------------------+ 840 | RelatedActivity | 841 +------------------+ 842 | ENUM restriction |<>--{0..*}--[ IncidentID ] 843 | |<>--{0..*}--[ URL ] 844 | |<>--{0..*}--[ ThreatActor ] 845 | |<>--{0..*}--[ Campaign ] 846 | |<>--{0..1}--[ Confidence ] 847 | |<>--{0..*}--[ Description ] 848 | |<>--{0..*}--[ AdditionalData ] 849 +------------------+ 851 Figure 5: RelatedActivity Class 853 The aggregate classes that constitutes RelatedActivity are: 855 IncidentID 856 One or more. The incident tracking number of a related incident. 858 URL 859 One or more. URL. A URL to activity related to this incident. 861 ThreatActor 862 One or more. The threat actor to whom the described activity is 863 attributed. 865 Campaign 866 One or more. The campaign of a given threat actor to whom the 867 described activity is attributed. 
   Confidence
      Zero or one.  An estimate of the confidence in attributing this
      RelatedActivity to the event described in the document.

   Description
      Zero or more.  ML_STRING.  A description of how these
      relationships were derived.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   RelatedActivity MUST have at least one instance of IncidentID, URL,
   ThreatActor, or Campaign.

   The RelatedActivity class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.7.  ThreatActor Class

   The ThreatActor class describes a given actor.

   +------------------+
   | ThreatActor      |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ ThreatActorID  ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                     Figure 6: ThreatActor Class

   The aggregate classes that constitute ThreatActor are:

   ThreatActorID
      Zero or one.  STRING.  An identifier for the ThreatActor.

   Description
      Zero or more.  ML_STRING.  A description of the ThreatActor.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   ThreatActor MUST have at least one instance of a ThreatActorID or
   Description.

   The ThreatActor class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.8.  Campaign Class

   The Campaign class describes a ...

   +------------------+
   | Campaign         |
   +------------------+
   | ENUM restriction |<>--{0..1}--[ CampaignID     ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 7: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      Zero or one.  STRING.  An identifier for the Campaign.

   Description
      Zero or more.  ML_STRING.  A description of the Campaign.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.
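   Every class defined so far, from Incident down to Campaign, carries
   the restriction attribute of Section 3.3.1, and a consumer has to
   apply the inheritance and override rules of that section before it
   can decide what it may forward.  The following is an added example
   written for this page; it is not part of the IODEF specification or
   of any IODEF implementation.  It walks a parsed IODEF document and
   computes the effective restriction of every element: the element's
   own attribute wins, otherwise the closest ancestor that set one,
   otherwise the class default, which only Incident has.  The colour
   synonyms are folded into the four policy values first.  The IODEF
   namespace URI and the sample document are assumptions made for the
   example.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI

# Section 3.3.1 defines the colour names as synonyms of the policy values.
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}
POLICIES = {"public", "partner", "need-to-know", "private", "default"}

# A default is defined only for the Incident class.
CLASS_DEFAULTS = {"Incident": "private"}


def local_name(tag):
    """'{urn:...}Incident' -> 'Incident'."""
    return tag.rsplit("}", 1)[-1]


def normalise(value):
    """Fold colour synonyms into policy values; reject anything else."""
    value = ALIASES.get(value, value)
    if value not in POLICIES:
        raise ValueError(f"unknown restriction value: {value!r}")
    return value


def effective_restrictions(root):
    """Map each element's path to its effective restriction.

    Precedence: the element's own restriction attribute, else the
    closest ancestor that set one, else the class default (Incident
    only).  Elements that resolve to nothing get None.  Paths carry
    1-based sibling positions so repeated children stay distinct.
    """
    result = {}

    def walk(elem, inherited, path):
        explicit = elem.get("restriction")
        if explicit is not None:
            current = normalise(explicit)
        elif inherited is not None:
            current = inherited
        else:
            current = CLASS_DEFAULTS.get(local_name(elem.tag))
        result[path] = current
        seen = {}
        for child in elem:
            name = local_name(child.tag)
            seen[name] = seen.get(name, 0) + 1
            walk(child, current, f"{path}/{name}[{seen[name]}]")

    walk(root, None, "/" + local_name(root.tag))
    return result


def resolve(xml_text):
    """Parse an IODEF document and resolve every element's restriction."""
    return effective_restrictions(ET.fromstring(xml_text))


def releasable(xml_text, audience):
    """Paths whose content may go to `audience` ('public' or 'partner').

    'partner' also admits 'public'.  'default' is never released here
    because its meaning depends on an out-of-band agreement.
    """
    allowed = {"public"} if audience == "public" else {"public", "partner"}
    return sorted(p for p, v in resolve(xml_text).items() if v in allowed)


# Constructed sample: the Incident relies on the "private" default, the
# Assessment relaxes it with a colour synonym, one Impact under it
# tightens the policy again, and the Contact is marked public.
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">1234</IncidentID>
    <ReportTime>2014-08-05T12:00:00Z</ReportTime>
    <Assessment restriction="green">
      <Impact type="recon"/>
      <Impact type="dos" restriction="need-to-know"/>
    </Assessment>
    <Contact role="creator" type="organization" restriction="white"/>
  </Incident>
</IODEF-Document>"""
```

   Note that Section 3.4 gives the IncidentID class its own default of
   "public", which is not the ancestor-derived value; the example above
   applies only the Section 3.3.1 rule, so a consumer that wants the
   IncidentID default has to decide which of the two statements wins
   for that element.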
   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.9.  AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model.  For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema.  A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning.  This information is described in the
   'meaning' attribute.  Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.

   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING ext-dtype |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

                   Figure 8: The AdditionalData Class

   The AdditionalData class has five attributes:

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.   boolean.  The element content is of type BOOLEAN.

      2.   byte.  The element content is of type BYTE.

      3.   bytes.  The element content is of type HEXBIN.

      4.   character.  The element content is of type CHARACTER.

      5.   date-time.  The element content is of type DATETIME.

      6.   ntpstamp.  Same as date-time.

      7.   integer.  The element content is of type INTEGER.

      8.   portlist.  The element content is of type PORTLIST.

      9.   real.  The element content is of type REAL.

      10.  string.  The element content is of type STRING.

      11.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.

      12.  path.  The element content is a file-system path encoded as
           a STRING type.

      13.  frame.  The element content is a layer-2 frame encoded as a
           HEXBIN type.

      14.  packet.  The element content is a layer-3 packet encoded as
           a HEXBIN type.

      15.  ipv4-packet.  The element content is an IPv4 packet encoded
           as a HEXBIN type.

      16.  ipv6-packet.  The element content is an IPv6 packet encoded
           as a HEXBIN type.

      17.  url.  The element content is of type URL.

      18.  csv.  The element content is a comma separated value (CSV)
           list per Section 2 of [RFC4180] encoded as a STRING type.

      19.  winreg.  The element content is a Windows registry key
           encoded as a STRING type.

      20.  xml.  The element content is XML.  See Section 5.

      21.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   formatid
      Optional.  STRING.  An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.10.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.
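   Before going further into Contact, one consequence of the
   AdditionalData class of Section 3.9 deserves a worked illustration:
   the dtype attribute is the sender's declaration of what the content
   is, and nothing else in the document vouches for it.  A recipient
   that decodes a "file" payload, parses "xml" content, or feeds a
   "portlist" into a firewall rule on the strength of that declaration
   alone is acting on unchecked input from another party.  The
   following added example, written for this page and not part of the
   IODEF specification or of any IODEF implementation, checks the
   content of every AdditionalData element against the declared dtype
   before the document is acted on.  The lexical forms assumed for the
   Section 2 atomic types (HEXBIN, PORTLIST, DATETIME, BYTE, URL), the
   namespace URI, and the sample document are assumptions of the
   example; the checks are syntactic only, so a well-formed hex string
   is not proof of a harmless packet.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI

# Assumed lexical forms for the Section 2 atomic types named by dtype.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")                  # HEXBIN
INT_RE = re.compile(r"^[+-]?\d+$")                             # INTEGER, BYTE
REAL_RE = re.compile(r"^[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?$")
DATETIME_RE = re.compile(                                       # DATETIME
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$")
PORTLIST_RE = re.compile(r"^\d{1,5}(?:-\d{1,5})?(?:,\d{1,5}(?:-\d{1,5})?)*$")
URL_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:\S+$")          # scheme:rest

HEXBIN_TYPES = {"bytes", "frame", "packet", "ipv4-packet", "ipv6-packet"}
FREE_TEXT_TYPES = {"string", "path", "csv", "winreg"}  # nothing to check


def _portlist_ok(text):
    """Comma-separated ports or low-high ranges, each within 0..65535."""
    if not PORTLIST_RE.match(text):
        return False
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        if not 0 <= int(lo) <= int(hi or lo) <= 65535:
            return False
    return True


def _base64_ok(text):
    """Strict base64: rejects stray characters and bad padding."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def _xml_ok(text):
    """Well-formedness only; the payload remains untrusted XML."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False


CHECKS = {
    "boolean": lambda c: c in ("true", "false", "1", "0"),
    "byte": lambda c: INT_RE.match(c) is not None and -128 <= int(c) <= 127,
    "character": lambda c: len(c) == 1,
    "date-time": lambda c: DATETIME_RE.match(c) is not None,
    "ntpstamp": lambda c: DATETIME_RE.match(c) is not None,
    "integer": lambda c: INT_RE.match(c) is not None,
    "real": lambda c: REAL_RE.match(c) is not None,
    "portlist": _portlist_ok,
    "file": _base64_ok,
    "url": lambda c: URL_RE.match(c) is not None,
    "xml": _xml_ok,
}
CHECKS.update({t: (lambda c: HEX_RE.match(c) is not None) for t in HEXBIN_TYPES})
CHECKS.update({t: (lambda c: True) for t in FREE_TEXT_TYPES})


def content_ok(dtype, content, ext_dtype=None):
    """True if `content` is acceptable for the declared dtype.

    "ext-value" is acceptable only when ext-dtype names the extension
    (Section 5.1); its content cannot be checked here.  A dtype outside
    the enumerated list is rejected rather than passed through.
    """
    if dtype == "ext-value":
        return bool(ext_dtype)
    check = CHECKS.get(dtype)
    if check is None:
        return False
    text = content if dtype == "character" else content.strip()
    return check(text)


def check_document(xml_text):
    """(meaning, dtype, ok) for every AdditionalData element."""
    root = ET.fromstring(xml_text)
    results = []
    for el in root.iter(f"{{{IODEF_NS}}}AdditionalData"):
        if len(el):  # dtype="xml" carries child elements, not text
            content = "".join(ET.tostring(c, encoding="unicode") for c in el)
        else:
            content = el.text or ""
        dtype = el.get("dtype", "string")  # "string" is the documented default
        results.append((el.get("meaning"), dtype,
                        content_ok(dtype, content, el.get("ext-dtype"))))
    return results


# Constructed sample: a good and a bad payload for several dtypes.
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">5678</IncidentID>
    <ReportTime>2014-08-05T12:00:00Z</ReportTime>
    <Assessment><Impact type="recon"/></Assessment>
    <Contact role="creator" type="organization"/>
    <AdditionalData dtype="portlist" meaning="scanned">22,80,443,6667-6669</AdditionalData>
    <AdditionalData dtype="portlist" meaning="bad-port">80,70000</AdditionalData>
    <AdditionalData dtype="ipv4-packet" meaning="probe">4500001400010000400100000a0000010a000002</AdditionalData>
    <AdditionalData dtype="ipv4-packet" meaning="not-hex">45 00 zz</AdditionalData>
    <AdditionalData dtype="file" meaning="dropper">aGVsbG8=</AdditionalData>
    <AdditionalData dtype="ext-value" ext-dtype="yara" meaning="sig">rule r {{ condition: true }}</AdditionalData>
    <AdditionalData dtype="xml" meaning="vendor"><n xmlns="http://example.com/ext">hi</n></AdditionalData>
  </Incident>
</IODEF-Document>"""
```

   A consumer would run check_document() on the received document and
   quarantine or drop the elements that fail before any of the payloads
   reach a decoder, a packet parser, or a rule engine.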
   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data.  A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class.  As such, multiple points of contact might be
   specified in a single instance of a Contact class.  Each child
   Contact class logically inherits contact information from its
   ancestors.

   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName    ]
   | STRING ext-role  |<>--{0..1}--[ ContactTitle   ]
   | ENUM type        |<>--{0..*}--[ Description    ]
   | STRING ext-type  |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction |<>--{0..1}--[ PostalAddress  ]
   |                  |<>--{0..*}--[ Email          ]
   |                  |<>--{0..*}--[ Telephone      ]
   |                  |<>--{0..1}--[ Fax            ]
   |                  |<>--{0..1}--[ Timezone       ]
   |                  |<>--{0..*}--[ Contact        ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 9: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or more.  The email address of the contact.

   Telephone
      Zero or more.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list:

      1.   creator.  The entity that generated the document.

      2.   reporter.  The entity that reported the information.

      3.   admin.  An administrative contact or business owner for an
           asset or organization.

      4.   tech.  An entity responsible for the day-to-day management
           of technical issues for an asset or organization.

      5.   provider.  An external hosting provider for an asset.

      6.   zone.  An entity with authority over a DNS zone.

      7.   user.  An end-user of an asset or part of an organization.

      8.   billing.  An entity responsible for billing issues for an
           asset or organization.

      9.   legal.  An entity responsible for legal issues related to an
           asset or organization.

      10.  irt.  An entity responsible for handling security issues for
           an asset or organization.

      11.  abuse.  An entity responsible for handling abuse originating
           from an asset or organization.

      12.  cc.  An entity that is to be kept informed about the events
           related to an asset or organization.

      13.  cc-irt.  A CSIRT or information sharing organization
           coordinating activity related to an asset or organization.

      14.  le.  A law enforcement entity supporting the investigation
           of activity affecting an asset or organization.

      15.  vendor.  The vendor that produces an asset.

      16.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.10.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.  The handle is specified in
   the element content and the registry attribute specifies the
   database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                  Figure 10: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required.  ENUM.  The database to which the handle belongs.  The
      possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin-American and Caribbean IP Address Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Internet Numbers Registry

      7.  local.  A database local to the CSIRT

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.

3.10.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | STRING meaning      |
   | ENUM lang           |
   +---------------------+

                  Figure 11: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   lang
      Optional.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

3.10.3.  Email Class

   The Email class specifies an email address formatted according to
   the EMAIL data type (Section 2.14).

   +----------------+
   | Email          |
   +----------------+
   | EMAIL          |
   |                |
   | STRING meaning |
   +----------------+

                      Figure 12: The Email Class

   The Email class has one attribute:

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

3.10.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).
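   With the child classes of Contact now listed, the root-to-leaf
   traversal described at the start of Section 3.10 can be shown
   concretely.  The following added example is written for this page
   and is not part of the IODEF specification or of any IODEF
   implementation.  It flattens a nested Contact tree into one complete
   point of contact per leaf Contact: the role, type, and restriction
   attributes and the single-valued children (ContactName,
   ContactTitle, PostalAddress, Fax, Timezone) are taken from the
   nearest Contact on the path that sets them, while the multi-valued
   children (Email, Telephone, RegistryHandle, Description) accumulate
   down the path.  How multi-valued children combine is not spelled out
   by the text and is an assumption of this example, as are the
   namespace URI and the sample document.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI
NS = {"iodef": IODEF_NS}

ATTRS = ("role", "type", "restriction")
SINGLE = ("ContactName", "ContactTitle", "PostalAddress", "Fax", "Timezone")
MULTI = ("Email", "Telephone", "RegistryHandle", "Description")


def _tag(name):
    return f"{{{IODEF_NS}}}{name}"


def _own_values(contact):
    """Values set directly on this Contact, ignoring nested Contacts."""
    rec = {a: contact.get(a) for a in ATTRS if contact.get(a) is not None}
    for name in SINGLE:
        el = contact.find(_tag(name))  # direct child only
        if el is not None:
            rec[name] = (el.text or "").strip()
    for name in MULTI:
        rec[name] = [(e.text or "").strip() for e in contact.findall(_tag(name))]
    return rec


def _merge(inherited, own):
    """Child overrides single values; multi-valued lists accumulate."""
    merged = dict(inherited)
    for key, value in own.items():
        if key in MULTI:
            merged[key] = inherited.get(key, []) + value
        else:
            merged[key] = value
    return merged


def flatten_contacts(contact, inherited=None):
    """One merged record per leaf Contact under `contact`."""
    record = _merge(inherited or {}, _own_values(contact))
    children = contact.findall(_tag("Contact"))
    if not children:
        return [record]
    leaves = []
    for child in children:
        leaves.extend(flatten_contacts(child, record))
    return leaves


def points_of_contact(xml_text):
    """All complete points of contact in an IODEF document, in order."""
    root = ET.fromstring(xml_text)
    result = []
    for incident in root.findall("iodef:Incident", NS):
        for top in incident.findall("iodef:Contact", NS):
            result.extend(flatten_contacts(top))
    return result


# Constructed sample: an organization-level Contact with two people
# nested under it, plus a separate creator Contact.
SAMPLE = f"""<IODEF-Document version="2.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">42</IncidentID>
    <ReportTime>2014-08-05T12:00:00Z</ReportTime>
    <Assessment><Impact type="recon"/></Assessment>
    <Contact role="irt" type="organization">
      <ContactName>CSIRT for example.com</ContactName>
      <Email>csirt@example.com</Email>
      <Telephone>+1 555 0100</Telephone>
      <Timezone>+00:00</Timezone>
      <Contact role="tech" type="person">
        <ContactName>Alice Analyst</ContactName>
        <Email>alice@example.com</Email>
      </Contact>
      <Contact role="admin" type="person">
        <ContactName>Bob Manager</ContactName>
        <ContactTitle>Head of Security</ContactTitle>
        <Telephone>+1 555 0101</Telephone>
      </Contact>
    </Contact>
    <Contact role="creator" type="organization">
      <ContactName>Reporting CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>"""
```

   Running points_of_contact(SAMPLE) yields three records: Alice and
   Bob each carry the organization's e-mail, telephone, and timezone in
   addition to their own values, and the creator Contact stands alone.
   A Contact with no children is its own leaf, so a flat document is
   handled the same way.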
   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | STRING meaning     |
   +--------------------+

              Figure 13: The Telephone and Fax Classes

   The Telephone and Fax classes each have one attribute:

   meaning
      Optional.  STRING.  A free-form description of the element
      content (e.g., hours of coverage for a given number).

3.11.  Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+

                     Figure 14: The Time Classes

3.11.1.  StartTime Class

   The StartTime class represents the time the incident began.

3.11.2.  EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3.  DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4.  ReportTime Class

   The ReportTime class represents the time the incident was reported.
   This timestamp MUST be the time at which the IODEF document was
   generated.

3.11.5.  DateTime

   The DateTime class is a generic representation of a timestamp.  Its
   semantics are inferred from the parent class in which it is
   aggregated.

3.12.  Discovery Class

   The Discovery class describes how an incident was detected.
   +-------------------+
   | Discovery         |
   +-------------------+
   | ENUM source       |<>--{0..*}--[ Description      ]
   | STRING ext-source |<>--{0..*}--[ Contact          ]
   | ENUM restriction  |<>--{0..*}--[ DetectionPattern ]
   +-------------------+

                    Figure 15: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how
      this incident was detected.

   Contact
      Zero or more.  Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more.  Describes an application-specific configuration
      that detected the incident.

   The Discovery class has three attributes:

   source
      Optional.  ENUM.  Categorizes the techniques used to discover the
      incident.  These values are partially derived from Table 3-1 of
      [NIST800.61rev2].

      1.   idps.  Intrusion Detection or Prevention system.

      2.   siem.  Security Information and Event Management System.

      3.   av.  Antivirus or antispam software.

      4.   file-integrity.  File integrity checking software.

      5.   third-party-monitoring.  Contracted third-party monitoring
           service.

      6.   os-log.  Operating system logs.

      7.   application-log.  Application logs.

      8.   device-log.  Network device logs.

      9.   network-flow.  Network flow analysis.

      10.  investigation.  Manual investigation initiated based on
           timely notification of a new vulnerability or exploit.

      11.  internal-notification.  A party within the organization
           discovered the activity.

      12.  external-notification.  A party outside of the organization
           discovered the activity.

      13.  unknown.  Unknown detection approach.

      14.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-source
      Optional.  STRING.  A means by which to extend the source
      attribute.  See Section 5.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.12.1.  DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon.  This class requires the
   identification of the target application and allows the configuration
   to be described in either free-form or machine readable form.

   +------------------+
   | DetectionPattern |
   +------------------+
   | ENUM restriction |<>----------[ Application            ]
   |                  |<>--{0..*}--[ Description            ]
   |                  |<>--{0..*}--[ DetectionConfiguration ]
   +------------------+

                 Figure 16: The DetectionPattern Class

   The DetectionPattern class is composed of three aggregate classes.

   Application
      One.  The application for which the DetectionConfiguration or
      Description is being provided.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more.  STRING.  A machine consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The DetectionPattern class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.13.  Method Class

   The Method class describes the tactics, techniques, or procedures
   used by the intruder in the incident.  This class consists of both a
   list of references describing the attack method and a free-form
   description.
   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Reference      ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                     Figure 17: The Method Class

   The Method class is composed of three aggregate classes.

   Reference
      Zero or more.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.

   Description
      Zero or more.  ML_STRING.  A free-form text description of
      techniques, tactics, or procedures used by the intruder.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.13.1.  Reference Class

   The Reference class is a reference to a vulnerability, IDS alert,
   malware sample, advisory, or attack technique.  A reference consists
   of a name, a URL to this reference, and an optional description.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ENUM attacktype         |<>----------[ ReferenceName ]
   | STRING ext-attacktype   |<>--{0..*}--[ URL           ]
   | ID observable-id        |<>--{0..*}--[ Description   ]
   +-------------------------+

                    Figure 18: The Reference Class

   The aggregate classes that constitute Reference are:

   ReferenceName
      One.  ML_STRING.  Name of the reference.

   URL
      Zero or more.  URL.  A URL associated with the reference.

   Description
      Zero or more.  ML_STRING.  A free-form text description of this
      reference.

   The Reference class has three attributes:

   attacktype
      Optional.  ENUM.  TODO.

   ext-attacktype
      Optional.  STRING.  A means by which to extend the attacktype
      attribute.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.  Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ Impact           ]
   | ENUM restriction        |<>--{0..*}--[ BusinessImpact   ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact       ]
   |                         |<>--{0..*}--[ MonetaryImpact   ]
   |                         |<>--{0..*}--[ Counter          ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence       ]
   |                         |<>--{0..*}--[ AdditionalData   ]
   +-------------------------+

                     Figure 19: Assessment Class

   The aggregate classes that constitute Assessment are:

   Impact
      Zero or more.  Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more.  Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more.  Impact of the activity measured with respect to
      financial loss.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.

   MitigatingFactor
      Zero or more.  ML_STRING.  A description of a factor that
      mitigated an impact.

   Confidence
      Zero or one.  An estimate of confidence in the assessment.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one instance of the four impact classes (i.e., Impact,
   BusinessImpact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has three attributes:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has
          occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.1.  Impact Class

   The Impact class allows for categorizing and describing the technical
   impact of the incident on the network of an organization.

   This class is based on [RFC4765].

   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+

                       Figure 20: Impact Class

   The element content will be a free-form textual description of the
   impact.

   The Impact class has five attributes:

   lang
      Optional.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the malicious activity into incident
      categories.  The permitted values are shown below.  The default
      value is "unknown".

      1.   admin.  Administrative privileges were attempted.

      2.   dos.  A denial of service was attempted.

      3.   file.  An action that impacts the integrity of a file or
           database was attempted.

      4.   info-leak.  An attempt was made to exfiltrate information.

      5.   misconfiguration.  An attempt was made to exploit a
           misconfiguration in a system.

      6.   policy.  Activity violating the site's policy was attempted.

      7.   recon.  Reconnaissance activity was attempted.

      8.   social-engineering.  A social engineering attack was
           attempted.

      9.   user.  User privileges were attempted.

      10.  unknown.  The classification of this activity is unknown.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.14.2.  BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   The element body describes the impact to the organization as a free-
   form text string.  The attributes characterize the impact.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                   Figure 21: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   The BusinessImpact class has four attributes:

   severity
      Optional.  ENUM.  Characterizes the severity of the incident on
      business functions.  The permitted values are shown below.  They
      were derived from Table 3-2 of [NIST800.61rev2].  The default
      value is "unknown".

      1.  none.  No effect to the organization's ability to provide all
          services to all users.

      2.  low.  Minimal effect as the organization can still provide
          all critical services to all users but has lost efficiency.

      3.  medium.  The organization has lost the ability to provide a
          critical service to a subset of system users.

      4.  high.  The organization is no longer able to provide some
          critical services to any users.

      5.  unknown.  The impact is not known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-severity
      Optional.  STRING.  A means by which to extend the severity
      attribute.  See Section 5.1.

   type
      Required.  ENUM.  Characterizes the effect this incident had on
      the business.  The permitted values are shown below.  There is no
      default value.

      1.   breach-proprietary.  Sensitive or proprietary information was
           accessed or exfiltrated.

      2.   breach-privacy.  Personally identifiable information was
           accessed or exfiltrated.

      3.   loss-of-integrity.  Sensitive or proprietary information was
           changed or deleted.

      4.   loss-of-service.  Service delivery was disrupted.

      5.   loss-financial.  Money or services were stolen.

      6.   degraded-reputation.  The reputation of the organization's
           brand was diminished.

      7.   asset-damage.  A cyber-physical system was damaged.

      8.   asset-manipulation.  A cyber-physical system was manipulated.

      9.   legal.  The incident resulted in legal or regulatory action.

      10.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.14.3.  TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey
   downtime and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                     Figure 22: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying an amount of time.  The duration and metric attributes
   together give the semantics of the element content.
   The TimeImpact class has five attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity
      2. medium. Medium severity
      3. high. High severity

   metric
      Required. ENUM. Defines the metric in which the time is
      expressed. The permitted values are shown below. There is no
      default value.

      1. labor. Total staff-time to recover from the activity (e.g.,
         2 employees working 4 hours each would be 8 hours).
      2. elapsed. Elapsed time from the beginning of the recovery to
         its completion (i.e., wall-clock time).
      3. downtime. Duration of time for which some provided service(s)
         was not available.
      4. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-metric
      Optional. STRING. A means by which to extend the metric
      attribute. See Section 5.1.

   duration
      Optional. ENUM. Defines a unit of time that, when combined with
      the metric attribute, fully describes a metric of impact that
      will be conveyed in the element content. The permitted values are
      shown below. The default value is "hour".

      1. second. The unit of the element content is seconds.
      2. minute. The unit of the element content is minutes.
      3. hour. The unit of the element content is hours.
      4. day. The unit of the element content is days.
      5. month. The unit of the element content is months.
      6. quarter. The unit of the element content is quarters.
      7. year. The unit of the element content is years.
      8. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-duration
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.

3.14.4. MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization. For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will
   affect future opportunities.

   +------------------+
   |  MonetaryImpact  |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                     Figure 23: MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity
      2. medium. Medium severity
      3. high. High severity

   currency
      Optional. STRING. Defines the currency in which the monetary
      impact is expressed. The permitted values are defined in "Codes
      for the representation of currencies and funds" of [ISO4217].
      There is no default value.

3.14.5. Confidence Class

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section 3.14) of the incident
   activity. This estimate can be expressed as a category or a numeric
   calculation.

   This class is based upon [RFC4765].

   +------------------+
   |    Confidence    |
   +------------------+
   | REAL             |
   |                  |
   | ENUM rating      |
   +------------------+

                       Figure 24: Confidence Class

   The element content expresses a numerical assessment of the
   confidence in the data when the value of the rating attribute is
   "numeric". Otherwise, this element MUST be empty.

   The Confidence class has one attribute:

   rating
      Required. ENUM. A rating of the analytical validity of the
      specified Assessment. The permitted values are shown below.
      There is no default value.

      1. low. Low confidence in the validity.
      2. medium. Medium confidence in the validity.
      3. high. High confidence in the validity.
      4. numeric. The element content contains a number that conveys
         the confidence of the data. The semantics of this number are
         outside the scope of this specification.
      5. unknown. The confidence rating value is not known.

3.15. History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------+
   |     History      |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ HistoryItem ]
   |                  |
   +------------------+

                      Figure 25: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many. Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

3.15.1. HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.15) log
   that documents a particular action or event that occurred in the
   course of handling the incident. The details of the entry are a
   free-form description, but each can be categorized with the type
   attribute.
   +-------------------------+
   |       HistoryItem       |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime ]
   | ENUM action             |<>--{0..1}--[ IncidentId ]
   | STRING ext-action       |<>--{0..1}--[ Contact ]
   | ID observable-id        |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 26: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or one. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number. When a single organization is maintaining the
      log, this class can be ignored.

   Contact
      Zero or one. Provides contact information for the person that
      performed the action documented in this class.

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      action or event.

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action. This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The HistoryItem class has four attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is
      identical to the action attribute of the Expectation class. The
      difference is only one of tense. When an action is in this
      class, it has been completed. See Section 3.17.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.16. EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks. This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of the
   activity on the organization, and any forensic evidence discovered.

   +-------------------------+
   |        EventData        |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..1}--[ DetectTime ]
   |                         |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..*}--[ Contact ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..1}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{0..*}--[ Flow ]
   |                         |<>--{0..*}--[ Expectation ]
   |                         |<>--{0..1}--[ Record ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 27: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      event.

   DetectTime
      Zero or one. The time the event was detected.

   StartTime
      Zero or one. The time the event started.

   EndTime
      Zero or one. The time the event ended.

   Contact
      Zero or more. Contact information for the parties involved in
      the event.

   Discovery
      Zero or more. The means by which the event was detected.

   Assessment
      Zero or one. The impact of the event on the target and the
      actions taken.

   Method
      Zero or more. The technique used by the intruder in the event.

   Flow
      Zero or more. A description of the systems or networks involved.

   Expectation
      Zero or more. The expected action to be performed by the
      recipient for the described event.

   Record
      Zero or one. Supportive data (e.g., log files) that provides
      additional information about the event.

   EventData
      Zero or more. EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events. When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual
      events.

   AdditionalData
      Zero or more. An extension mechanism for data not explicitly
      represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The EventData class has two attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

   observable-id
      Optional. ID. See Section 3.3.2.

3.16.1. Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident. In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class. However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident. In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in Incident.

3.16.2. Cardinality of EventData

   The EventData class can be thought of as a container for the
   properties of an event in an incident. These properties include:
   the hosts involved, impact of the incident activity on the hosts,
   forensic logs, etc. With an instance of the EventData class, hosts
   (i.e., System class) are grouped around these common properties.

   The recursive definition (or instance property inheritance) of the
   EventData class (the EventData class is aggregated into the
   EventData class) provides a way to relate information without
   requiring the explicit use of unique attribute identifiers in the
   classes or duplicating information. Instead, the relative depth
   (nesting) of a class is used to group (relate) information.

   For example, an EventData class might be used to describe two
   machines involved in an incident. This description can be achieved
   using multiple instances of the Flow class. It happens that there
   is a common technical contact (i.e., Contact class) for these two
   machines, but the impact (i.e., Assessment class) on them is
   different. A depiction of the representation for this situation
   can be found in Figure 28.

   +------------------+
   |    EventData     |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+

                Figure 28: Recursion in the EventData Class

3.17. Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting. The scope of the requested
   action is limited to the purview of the EventData class in which
   this class is aggregated.

   +-------------------------+
   |       Expectation       |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | ENUM severity           |<>--{0..*}--[ DefinedCOA ]
   | ENUM action             |<>--{0..1}--[ StartTime ]
   | STRING ext-action       |<>--{0..1}--[ EndTime ]
   | ID observable-id        |<>--{0..1}--[ Contact ]
   +-------------------------+

                    Figure 29: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or more. ML_STRING. A free-form description of the desired
      action(s).

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action. This class MUST be present if the action attribute is set
      to "defined-coa".

   StartTime
      Zero or one. The time at which the sender would like the action
      performed. A timestamp that is earlier than the ReportTime
      specified in the Incident class denotes that the sender would
      like the action performed as soon as possible. The absence of
      this element indicates no expectation of when the recipient
      should perform the action.

   EndTime
      Zero or one. The time by which the sender expects the recipient
      to complete the action. If the recipient cannot complete the
      action before EndTime, the recipient MUST NOT carry out the
      action. Because of transit delays, clock drift, and so on, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one. The expected actor for the action.
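   The situation drawn in Figure 28 (Section 3.16.2) together with the
   StartTime/EndTime rules just described, worked through in Python as an
   added example that is not part of the draft. It assumes the namespace
   URI urn:ietf:params:xml:ns:iodef-2.0, a ContactName child under Contact,
   and that inherited multi-valued classes accumulate while single-valued
   ones are overridden by the more specific instance.

```python
"""Resolve nested EventData (Section 3.16.2) and apply Expectation timing rules
(Section 3.17). Added example; namespace URI, sample layout, merge rule assumed."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "urn:ietf:params:xml:ns:iodef-2.0"  # assumed namespace URI
IODEF = {"iodef": NS}
EVENTDATA_CLASSES = {  # aggregate classes of EventData, Figure 27
    "Description", "DetectTime", "StartTime", "EndTime", "Contact", "Discovery",
    "Assessment", "Method", "Flow", "Expectation", "Record", "EventData",
    "AdditionalData"}
# Cardinality 0..1 in Figure 27: a nested instance replaces the parent's value
SINGLE_VALUED = {"DetectTime", "StartTime", "EndTime", "Assessment", "Record"}

# Constructed sample (Figure 28): one shared Contact and Expectation, two nested
# EventData instances each with their own Flow and Assessment.
SAMPLE = f"""<IODEF-Document xmlns="{NS}">
  <Incident purpose="mitigation">
    <ReportTime>2014-08-05T12:00:00Z</ReportTime>
    <EventData>
      <Contact role="admin" type="person"><ContactName>Ops</ContactName></Contact>
      <Expectation action="block-host">
        <StartTime>2014-08-01T00:00:00Z</StartTime>
        <EndTime>2014-08-06T12:00:00Z</EndTime>
      </Expectation>
      <EventData>
        <Flow><System category="target"><Node><Address>192.0.2.10</Address></Node></System></Flow>
        <Assessment><Impact severity="high" type="dos"/></Assessment>
      </EventData>
      <EventData>
        <Flow><System category="target"><Node><Address>192.0.2.11</Address></Node></System></Flow>
        <Assessment><Impact severity="low" type="recon"/></Assessment>
      </EventData>
    </EventData>
  </Incident>
</IODEF-Document>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # element name without its namespace

def has_aggregate(event):
    """Section 3.16 rule the schema cannot enforce: some aggregate class MUST be present."""
    return any(local(c) in EVENTDATA_CLASSES for c in event)

def resolve_leaves(event, inherited=None):
    """Yield (leaf, props) per leaf EventData; props maps class name to the elements
    in effect after inheritance. Single-valued classes are superseded by the more
    specific instance (Section 3.16.1); multi-valued ones accumulate (assumed)."""
    props, nested = {k: list(v) for k, v in (inherited or {}).items()}, []
    for child in event:
        name = local(child)
        if name == "EventData":
            nested.append(child)
        elif name in SINGLE_VALUED:
            props[name] = [child]
        elif name in EVENTDATA_CLASSES:
            props.setdefault(name, []).append(child)
    if not nested:  # only leaf instances represent actual events
        yield event, props
    for child in nested:
        yield from resolve_leaves(child, props)

def summarize(doc_xml=SAMPLE):
    """One dict per actual event with the values a handler would act on."""
    root = ET.fromstring(doc_xml)
    rows = []
    for ed in root.iterfind("iodef:Incident/iodef:EventData", IODEF):
        if not has_aggregate(ed):
            raise ValueError("EventData without any aggregate class")
        for leaf, props in resolve_leaves(ed):
            addr = leaf.find(".//iodef:Address", IODEF)
            impact = next((a.find("iodef:Impact", IODEF)
                           for a in props.get("Assessment", [])), None)
            rows.append({
                "target": addr.text if addr is not None else None,
                "contacts": [c.findtext("iodef:ContactName", None, IODEF)
                             for c in props.get("Contact", [])],
                "severity": impact.get("severity") if impact is not None else None,
                "actions": [e.get("action") for e in props.get("Expectation", [])],
            })
    return rows

def parse_time(text):
    """ISO 8601 timestamp with a 'Z' suffix, as written in the sample."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def disposition(expectation, report_time, now):
    """Section 3.17: past EndTime the recipient MUST NOT act; a StartTime earlier
    than ReportTime means as soon as possible; no StartTime means no preference."""
    end = expectation.findtext("iodef:EndTime", None, IODEF)
    if end is not None and now > parse_time(end):
        return "expired"
    start = expectation.findtext("iodef:StartTime", None, IODEF)
    if start is None:
        return "unscheduled"
    return "asap" if parse_time(start) < report_time else "scheduled"

def first_expectation_disposition(now_text, doc_xml=SAMPLE):
    """Evaluate the document's first Expectation against its own ReportTime."""
    root = ET.fromstring(doc_xml)
    report = parse_time(root.findtext(".//iodef:ReportTime", None, IODEF))
    return disposition(root.find(".//iodef:Expectation", IODEF), report, parse_time(now_text))
```

   Both leaf events come back with the inherited contact and the block-host
   request, but each keeps its own severity; the same Expectation is "asap"
   an hour after ReportTime and "expired" once EndTime has passed.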
   The Expectation class has five attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

   severity
      Optional. ENUM. Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1. low. Low priority
      2. medium. Medium priority
      3. high. High priority

   action
      Optional. ENUM. Classifies the type of action requested. This
      attribute is an enumerated list with a default value of "other".

      1. nothing. No action is requested. Do nothing with the
         information.
      2. contact-source-site. Contact the site(s) identified as the
         source of the activity.
      3. contact-target-site. Contact the site(s) identified as the
         target of the activity.
      4. contact-sender. Contact the originator of the document.
      5. investigate. Investigate the system(s) listed in the event.
      6. block-host. Block traffic from the machine(s) listed as
         sources in the event.
      7. block-network. Block traffic from the network(s) listed as
         sources in the event.
      8. block-port. Block the port(s) listed as sources in the event.
      9. rate-limit-host. Rate-limit the traffic from the machine(s)
         listed as sources in the event.
      10. rate-limit-network. Rate-limit the traffic from the
          network(s) listed as sources in the event.
      11. rate-limit-port. Rate-limit the port(s) listed as sources in
          the event.
      12. upgrade-software. Upgrade or patch the software or firmware
          on an asset.
      13. rebuild-asset. Reinstall the operating system and
          applications on an asset.
      14. remediate-other. Remediate the activity in a way other than
          by rate limiting or blocking.
      15. status-triage. Conveys receipt and the triaging of an
          incident.
      16. status-new-info. Conveys that new information was received
          for this incident.
      17. watch-and-report. Watch for the described activity and share
          if seen.
      18. defined-coa. Perform a predefined course of action (COA).
          The COA is named in the DefinedCOA class.
      19. other. Perform some custom action described in the
          Description class.
      20. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.18. Flow Class

   The Flow class groups the related source and target hosts.

   +------------------+
   |       Flow       |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                        Figure 30: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or more. A host or network involved in an event.

   The Flow class has no attributes.

3.19. System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute. The value of this category attribute dictates
   the semantics of the aggregated classes in the System class. If the
   category attribute has a value of "source", then the aggregated
   classes denote the machine and service from which the activity is
   originating. With a category attribute value of "target" or
   "intermediary", the machine or service is the one targeted in the
   activity. A value of "sensor" dictates that this System was part of
   an instrumentation to monitor the network.
   +---------------------+
   |       System        |
   +---------------------+
   | ENUM restriction    |<>----------[ Node ]
   | ENUM category       |<>--{0..*}--[ Service ]
   | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
   | STRING interface    |<>--{0..*}--[ Counter ]
   | ENUM spoofed        |<>--{0..*}--[ AssetID ]
   | ENUM virtual        |<>--{0..*}--[ Description ]
   | ENUM ownership      |<>--{0..*}--[ AdditionalData ]
   | ENUM ext-ownership  |
   +---------------------+

                       Figure 31: The System Class

   The aggregate classes that constitute System are:

   Node
      One. A host or network involved in the incident.

   Service
      Zero or more. A network service running on the system.

   OperatingSystem
      Zero or more. The operating system running on the system.

   Counter
      Zero or more. A counter with which to summarize properties of
      this host or network.

   AssetID
      Zero or more. An asset identifier for the System.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      System.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The System class has eight attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   category
      Optional. ENUM. Classifies the role the host or network played
      in the incident. The possible values are:

      1. source. The System was the source of the event.
      2. target. The System was the target of the event.
      3. intermediate. The System was an intermediary in the event.
      4. sensor. The System was a sensor monitoring the event.
      5. infrastructure. The System was an infrastructure node of
         IODEF document exchange.
      6. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   interface
      Optional. STRING. Specifies the interface on which the event(s)
      on this System originated. If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional. ENUM. An indication of confidence in whether this
      System was the true target or attacking host. The permitted
      values for this attribute are shown below. The default value is
      "unknown".

      1. unknown. The accuracy of the category attribute value is
         unknown.
      2. yes. The category attribute value is probably incorrect. In
         the case of a source, the System is likely a decoy; with a
         target, the System was likely not the intended victim.
      3. no. The category attribute value is believed to be correct.

   virtual
      Optional. ENUM. Indicates whether this System is a virtual or
      physical device. The default value is "unknown". The possible
      values are:

      1. yes. The System is a virtual device.
      2. no. The System is a physical device.
      3. unknown. It is not known if the System is virtual.

   ownership
      Optional. ENUM. Describes the ownership of this System relative
      to the sender of the IODEF document. The possible values are:

      1. organization. The System is owned by the organization.
      2. personal. The System is owned by an employee or affiliate of
         the organization.
      3. partner. The System is owned by a partner of the
         organization.
      4. customer. The System is owned by a customer of the
         organization.
      5. no-relationship. The System is owned by an entity that has no
         known relationship with the organization.
      6. unknown. The ownership of the System is unknown.
      7. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-ownership
      Optional. STRING. A means by which to extend the ownership
      attribute. See Section 5.1.

3.20. Node Class

   The Node class names an asset or network.

   This class was derived from [RFC4765].
   +---------------+
   |     Node      |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..1}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ NodeRole ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                        Figure 32: The Node Class

   The aggregate classes that constitute Node are:

   DomainData
      Zero or more. The detailed domain (DNS) information associated
      with this Node. If an Address is not provided, at least one
      DomainData MUST be specified.

   Address
      Zero or more. The hardware, network, or application address of
      the Node. If a DomainData is not provided, at least one Address
      MUST be specified.

   PostalAddress
      Zero or one. The postal address of the asset.

   Location
      Zero or one. ML_STRING. A free-form description of the physical
      location of the Node. This description may provide a more
      detailed description of where in the PostalAddress this Node is
      found (e.g., room number, rack number, slot number in a chassis).

   NodeRole
      Zero or more. The intended purpose of the Node.

   Counter
      Zero or more. A counter with which to summarize properties of
      this host or network.

   The Node class has no attributes.

3.20.1. Address Class

   The Address class represents a hardware (layer-2), network
   (layer-3), or application (layer-7) address.

   This class was derived from [RFC4765].

   +-------------------------+
   |         Address         |
   +-------------------------+
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

                      Figure 33: The Address Class

   The Address class has five attributes:

   category
      Optional. ENUM. The type of address represented. The permitted
      values for this attribute are shown below. The default value is
      "ipv4-addr".

      1. asn. Autonomous System Number
      2. atm. Asynchronous Transfer Mode (ATM) address
      3. e-mail. Electronic mail address (RFC 822)
      4. ipv4-addr. IPv4 host address in dotted-decimal notation
         (a.b.c.d)
      5. ipv4-net. IPv4 network address in dotted-decimal notation,
         slash, significant bits (a.b.c.d/nn)
      6. ipv4-net-mask. IPv4 network address in dotted-decimal
         notation, slash, network mask in dotted-decimal notation
         (a.b.c.d/w.x.y.z)
      7. ipv6-addr. IPv6 host address
      8. ipv6-net. IPv6 network address, slash, significant bits
      9. ipv6-net-mask. IPv6 network address, slash, network mask
      10. mac. Media Access Control (MAC) address
      11. site-uri. A URL or URI for a resource.
      12. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   vlan-name
      Optional. STRING. The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional. INTEGER. The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional. ID. See Section 3.3.2.

3.20.2. NodeRole Class

   The NodeRole class describes the intended function performed by a
   particular host.

   +---------------------+
   |      NodeRole       |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | ENUM lang           |
   +---------------------+

                      Figure 34: The NodeRole Class

   The NodeRole class has three attributes:

   category
      Required. ENUM. Functionality provided by a node.

      1. client. Client computer
      2. client-enterprise. Client computer on the enterprise network
      3. client-partner. Client computer on the network of a partner
      4. client-remote. Client computer remotely connected to the
         enterprise network
      5. client-kiosk. Client computer that serves as a kiosk
      6. client-mobile. Client is a mobile device
      7. server-internal. Server with internal services
      8. server-public. Server with public services
      9. www. WWW server
      10. mail. Mail server
      11. webmail. Web mail server
      12. messaging. Messaging server (e.g., NNTP, IRC, IM)
      13. streaming. Streaming-media server
      14. voice. Voice server (e.g., SIP, H.323)
      15. file. File server (e.g., SMB, CVS, AFS)
      16. ftp. FTP server
      17. p2p. Peer-to-peer node
      18. name. Name server (e.g., DNS, WINS)
      19. directory. Directory server (e.g., LDAP, finger, whois)
      20. credential. Credential server (e.g., domain controller,
          Kerberos)
      21. print. Print server
      22. application. Application server
      23. database. Database server
      24. backup. Backup server
      25. dhcp. DHCP server
      26. infra. Infrastructure server (e.g., router, firewall, DHCP)
      27. infra-firewall. Firewall
      28. infra-router. Router
      29. infra-switch. Switch
      30. camera. Camera server
      31. proxy. Proxy server
      32. remote-access. Remote access server
      33. log. Log server (e.g., syslog)
      34. virtualization. Server running virtual machines
      35. pos. Point-of-sale device
      36. scada. Supervisory control and data acquisition system
      37. scada-supervisory. Supervisory system for a SCADA
      38. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   lang
      Optional. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

3.20.3. Counter Class

   The Counter class summarizes multiple occurrences of some event, or
   conveys counts or rates on various features (e.g., packets,
   sessions, events).
   The value of the counter is the element content with its units represented in the type attribute.  A rate for a given feature can be expressed by setting the duration attribute.  The complete semantics are entirely context dependent based on the class in which the Counter is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                     Figure 35: The Counter Class

   The Counter class has five attributes:

   type
      Required.  ENUM.  Specifies the units of the element content.

      1.  byte.  Count of bytes.

      2.  packet.  Count of packets.

      3.  flow.  Count of network flow records.

      4.  session.  Count of sessions.

      5.  alert.  Count of notifications generated by another system (e.g., IDS or SIM).

      6.  message.  Count of messages (e.g., mail messages).

      7.  event.  Count of events.

      8.  host.  Count of hosts.

      9.  site.  Count of sites.

      10. organization.  Count of organizations.

      11. ext-value.  An escape value used to extend this attribute.  See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.  See Section 5.1.

   meaning
      Optional.  STRING.  A free-form description of the metric represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate rather than a count over the entire event.  In that case, this attribute specifies the denominator of the rate (where the type attribute specifies the numerator).  The possible values of this attribute are defined in Section 3.14.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration attribute.  See Section 5.1.

3.21.  DomainData Class

   The DomainData class describes a domain name and meta-data associated with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   |                          |
   +--------------------------+

                    Figure 36: The DomainData Class

   The aggregate classes that constitute DomainData are:

   Name
      One.  ML_STRING.  The domain name of the Node (e.g., fully qualified domain name).

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the Name was resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in Name was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in Name is set to expire.

   RelatedDNS
      Zero or more.  Additional DNS records associated with this domain.

   Nameservers
      Zero or more.  The name servers identified for the domain listed in Name.

   DomainContacts
      Zero or one.  Contact information for the domain listed in Name supplied by the registrar or through a whois query.

   The DomainData class has five attributes:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent intentions.

      3.  innocent-hacked.  This domain was compromised by a third party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status attribute.  See Section 5.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at the time the document was generated.  These values and their associated descriptions are derived from Section 3.2.2 of [RFC3982].

      1.  reservedDelegation.  The domain is permanently inactive.

      2.  assignedAndActive.  The domain is in a normal state.

      3.  assignedAndInactive.  The domain has an assigned registration but the delegation is inactive.

      4.  assignedAndOnHold.  The domain is under dispute.

      5.  revoked.  The domain is in the process of being purged from the database.

      6.  transferPending.  The domain is pending a change in authority.

      7.  registryLock.  The domain is on hold by the registry.

      8.  registrarLock.  Same as "registryLock".

      9.  other.  The domain has a known status but it is not one of the predefined enumerated values.

      10. unknown.  The domain has an unknown status.

      11. ext-value.  An escape value used to extend this attribute.  See Section 5.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status attribute.  See Section 5.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.21.1.  RelatedDNS

   The RelatedDNS class describes additional record types associated with a given domain name.  The record type is described in the record-type attribute and the value of the record is the element content.  ... TODO Issue #39 ...

   +----------------------+
   | RelatedDNS           |
   +----------------------+
   | STRING               |
   |                      |
   | ENUM record-type     |
   | ENUM ext-record-type |
   +----------------------+

                    Figure 37: The RelatedDNS Class

   The RelatedDNS class has two attributes:

   record-type
      Required.  ENUM.  The DNS record type.  ... TODO values need to be listed ...

   ext-record-type
      An escape value used to extend this attribute.  See Section 5.1.

3.21.2.  Nameservers Class

   The Nameservers class describes the name servers associated with a given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

                   Figure 38: The Nameservers Class

   The aggregate classes that constitute Nameservers are:

   Server
      One.  ML_STRING.  The domain name of the name server.

   Address
      One or more.  The address of the name server.  See Section 3.20.1.

3.21.3.  DomainContacts Class

   The DomainContacts class describes the contact information for a given domain provided either by the registrar or through a whois query.

   This contact information can be explicitly described through a Contact class, or a reference can be provided to a domain with identical contact information.  Either a single SameDomainContact MUST be present or one or many Contact classes.

   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact ]
   +--------------------+

                  Figure 39: The DomainContacts Class

   The aggregate classes that constitute DomainContacts are:

   SameDomainContact
      Zero or one.  ML_STRING.  A domain name already cited in this document or through previous exchange that contains the identical contact information as the domain name in question.  The domain contact information associated with this domain should be used in lieu of explicit definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See Section 3.10.

3.22.  Service Class

   The Service class describes a network service of a host or network.
   The service is identified by a specific port or list of ports, along with the application listening on that port.

   When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating.  Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.

   This class was derived from [RFC4765].

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ Port ]
   | ID observable-id        |<>--{0..1}--[ Portlist ]
   |                         |<>--{0..1}--[ ProtoCode ]
   |                         |<>--{0..1}--[ ProtoType ]
   |                         |<>--{0..1}--[ ProtoField ]
   |                         |<>--{0..*}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData ]
   |                         |<>--{0..1}--[ Application ]
   +-------------------------+

                     Figure 40: The Service Class

   The aggregate classes that constitute Service are:

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted according to Section 2.10.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or more.  An application layer (layer 7) protocol header.  See Section 3.22.1.

   EmailData
      Zero or one.  Headers associated with an email.  See Section 3.24.

   Application
      Zero or one.  The application bound to the specified Port or Portlist.  See Section 3.22.2.

   Either a Port or Portlist class MUST be specified for a given instance of a Service class.
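   The following is an added example, not part of the draft, showing how a consumer of IODEF documents can check the Service rules of this section: the Port-or-Portlist requirement above, and the implicit source/target Portlist correspondence (N equal to M, n-th port paired with n-th port, only one source and one target System when N is greater than 1) described next.  The PORTLIST grammar is not in this excerpt (the draft defers it to its Section 2.10), so the comma-and-range syntax parsed here is an assumption, and all helper names and the sample Flow are this example's own.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"   # namespace registered in Section 4.2


def q(name):
    """Qualify an element name with the IODEF v2 namespace."""
    return "{%s}%s" % (IODEF_NS, name)


def parse_portlist(text):
    """Expand a PORTLIST such as "22,80,8000-8002" into a list of ints.

    Assumption: comma-separated ports and low-high ranges; the draft's own
    grammar (its Section 2.10) is not part of this excerpt.
    """
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            ports.extend(range(low, high + 1))
        else:
            ports.append(int(item))
    return ports


def make_service(ip_protocol, port=None, portlist=None):
    """Create a Service element; ip-protocol is the IANA protocol number (6 = TCP)."""
    svc = ET.Element(q("Service"), {"ip-protocol": str(ip_protocol)})
    if port is not None:
        ET.SubElement(svc, q("Port")).text = str(port)
    if portlist is not None:
        ET.SubElement(svc, q("Portlist")).text = portlist
    return svc


def add_system(flow, category, service):
    """Append a System of the given category carrying one Service to a Flow."""
    system = ET.SubElement(flow, q("System"), {"category": category})
    system.append(service)
    return system


def service_ports(svc):
    """Ports a Service names via Port or Portlist, or None when it has neither."""
    port = svc.find(q("Port"))
    if port is not None:
        return [int(port.text)]
    plist = svc.find(q("Portlist"))
    if plist is not None:
        return parse_portlist(plist.text or "")
    return None


def check_flow(flow):
    """Apply the Section 3.22 port rules to one Flow; return a list of problems."""
    problems = []
    by_cat = {"source": [], "target": []}
    for system in flow.findall(q("System")):
        svc = system.find(q("Service"))
        if svc is None:
            continue
        if svc.get("ip-protocol") is None:
            problems.append("Service is missing the required ip-protocol attribute")
        ports = service_ports(svc)
        if ports is None:
            problems.append("Service must carry either a Port or a Portlist")
            continue
        cat = system.get("category")
        if cat in by_cat:
            by_cat[cat].append(ports)
    # Implicit source/target Portlist relationship: N must equal M.
    for src in by_cat["source"]:
        for dst in by_cat["target"]:
            if len(src) != len(dst):
                problems.append("source lists %d ports but target lists %d"
                                % (len(src), len(dst)))
    # With N > 1 the Flow may hold only one source and one target System.
    if any(len(p) > 1 for p in by_cat["source"] + by_cat["target"]):
        if len(by_cat["source"]) > 1 or len(by_cat["target"]) > 1:
            problems.append("a multi-port Portlist requires exactly one source "
                            "and one target System in the Flow")
    return problems


def port_pairs(flow):
    """Pair the n-th source port with the n-th target port of a well-formed Flow."""
    systems = {s.get("category"): s for s in flow.findall(q("System"))}
    src = service_ports(systems["source"].find(q("Service")))
    dst = service_ports(systems["target"].find(q("Service")))
    return list(zip(src, dst))


def sample_flow(src_ports, dst_ports):
    """Constructed Flow with one TCP source System and one target System."""
    flow = ET.Element(q("Flow"))
    add_system(flow, "source", make_service(6, portlist=src_ports))
    add_system(flow, "target", make_service(6, portlist=dst_ports))
    return flow
```

   Running check_flow over each Flow before acting on a received document catches the mismatched-length Portlists that would otherwise silently mis-pair source and target ports in port_pairs.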
   When a System class with category="source" and another with category="target" are aggregated into a single Flow class, and each of these System classes has a Service and Portlist class, an implicit relationship between these Portlists exists.  If N ports are listed for a System@category="source", and M ports are listed for System@category="target", the number of ports in N must be equal to M.  Likewise, the ports MUST be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target.  If N is greater than 1, a given instance of a Flow class MUST only have a single instance of a System@category="source" and System@category="target".

   The Service class has two attributes:

   ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per [IANA.Protocols].

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.1.  ApplicationHeader Class

   The ApplicationHeader class allows the representation of arbitrary fields from an application layer protocol header and their corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   | ANY                      |
   |                          |
   | INTEGER proto            |
   | STRING field             |
   | ENUM dtype               |
   | ID observable-id         |
   +--------------------------+

                 Figure 41: The ApplicationHeader Class

   The ApplicationHeader class has four attributes:

   proto
      Required.  INTEGER.  The IANA assigned port number per [IANA.Ports] corresponding to the application layer protocol whose field will be represented.

   field
      Required.  STRING.  The name of the protocol field whose value will be found in the element body.

   dtype
      Required.  ENUM.  The data type of the element content.  The permitted values for this attribute are shown below.  The default value is "string".

      1.  boolean.  The element content is of type BOOLEAN.

      2.  byte.  The element content is of type BYTE.

      3.  bytes.  The element content is of type HEXBIN.

      4.  character.  The element content is of type CHARACTER.

      5.  date-time.  The element content is of type DATETIME.

      6.  integer.  The element content is of type INTEGER.

      7.  portlist.  The element content is of type PORTLIST.

      8.  real.  The element content is of type REAL.

      9.  string.  The element content is of type STRING.

      10. file.  The element content is a base64 encoded binary file encoded as a BYTE[] type.

      11. path.  The element content is a file-system path encoded as a STRING type.

      12. xml.  The element content is XML.  See Section 5.

      13. ext-value.  An escape value used to extend this attribute.  See Section 5.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype attribute.  See Section 5.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2.  Application Class

   The Application class describes an application running on a System providing a Service.

   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

                   Figure 42: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.  An identifier that can be used to reference this software, where the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference a particular configuration of this software, where the default value is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.23.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on a System.  The definition is identical to the Application class (Section 3.22.2).

3.24.  EmailData Class

   The EmailData class describes headers from an email message.  Common headers have dedicated classes, but arbitrary headers can also be described.

   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   +-------------------------+

                      Figure 43: EmailData Class

   The aggregate classes that constitute EmailData are:

   EmailFrom
      Zero or one.  The value of the "From:" header field in an email.  See Section 3.6.2 of [RFC5322].

   EmailSubject
      Zero or one.  The value of the "Subject:" header field in an email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an email.

   EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the email.  See Section 3.22.1.  The attributes of EmailHeaderField MUST be set as follows: proto="25" and dtype="string".  The name of the email header field MUST be set in the field attribute.

   The EmailData class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  Record Class

   The Record class is a container class for log and audit data that provides supportive information about the incident.  The source of this data will often be the output of monitoring tools.
   These logs substantiate the activity described in the document.

   +------------------+
   | Record           |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ RecordData ]
   +------------------+

                        Figure 44: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.  Log or audit data generated by a particular type of sensor.  Separate instances of the RecordData class SHOULD be used for each sensor type.

   The Record class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.25.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.

   +--------------------+
   | RecordData         |
   +--------------------+
   | ENUM restriction   |<>--{0..1}--[ DateTime ]
   | ID observable-id   |<>--{0..*}--[ Description ]
   |                    |<>--{0..1}--[ Application ]
   |                    |<>--{0..*}--[ RecordPattern ]
   |                    |<>--{0..*}--[ RecordItem ]
   |                    |<>--{0..1}--[ HashData ]
   |                    |<>--{0..*}--[ WindowsRegistryKeysModified ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

                    Figure 45: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.  Timestamp of the RecordItem data.

   Description
      Zero or more.  ML_STRING.  Free-form textual description of the provided RecordItem data.  At minimum, this description should convey the significance of the provided RecordItem data.

   Application
      Zero or one.  Information about the sensor used to generate the RecordItem data.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant data in a RecordItem.

   RecordItem
      Zero or more.  Log, audit, or forensic data.

   HashData
      Zero or one.  The file name and hash of a file indicator.
   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified and that are indicator(s).

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly represented in the data model.

   The RecordData class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.2.  RecordPattern Class

   The RecordPattern class describes where in the content of the RecordItem relevant information can be found.  It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                  Figure 46: The RecordPattern Class

   The specific pattern to search with in the RecordItem is defined in the body of the element.  It is further annotated by six attributes:

   type
      Required.  ENUM.  Describes the type of pattern being specified in the element content.  The default is "regex".

      1.  regex.  Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

      4.  ext-value.  An escape value used to extend this attribute.  See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.  See Section 5.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  An escape value used to extend this attribute.  See Section 5.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit attribute.  See Section 5.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified pattern.

3.25.3.  RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident.  The class supports both the direct encapsulation of the data and provides primitives to reference data stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.9).

3.26.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating system registry keys and the operations that were performed on them.  This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

            Figure 47: The WindowsRegistryKeysModified Class

   The aggregate class that constitutes the WindowsRegistryKeysModified class is:

   Key
      One or many.  The Windows registry key.

   The WindowsRegistryKeysModified class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26.1.  Key Class

   The Key class describes a particular Windows operating system registry key name and value pair, and the operation performed on it.
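   The following is an added example, not part of the draft, that turns a captured .reg-style listing of registry changes into the WindowsRegistryKeysModified and Key elements of this section, enforcing the registryaction enumeration given for the Key class and the Section 5.1 rule that an ext-registryaction may only accompany registryaction="ext-value".  The KeyName keeps the bracketed form of the draft's own [HKEY_LOCAL_MACHINE\Software\Test\KeyName] example; the listing, the observable-id value and all function names are constructed for the example, and the .reg line syntax assumed is the "name"=data form of Microsoft .reg files.

```python
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
REGISTRY_ACTIONS = ("add-key", "add-value", "delete-key", "delete-value",
                    "modify-key", "modify-value", "ext-value")


def q(name):
    """Qualify an element name with the IODEF v2 namespace."""
    return "{%s}%s" % (IODEF_NS, name)


def make_key(key_name, key_value=None, action=None, ext_action=None):
    """Build one Key element, enforcing the registryaction enum and the
    Section 5.1 rule that an ext-* attribute appears only with "ext-value"."""
    if action is not None and action not in REGISTRY_ACTIONS:
        raise ValueError("unknown registryaction %r" % action)
    if ext_action is not None and action != "ext-value":
        raise ValueError("ext-registryaction requires registryaction='ext-value'")
    if action == "ext-value" and ext_action is None:
        raise ValueError("registryaction='ext-value' requires ext-registryaction")
    attrs = {}
    if action is not None:
        attrs["registryaction"] = action
    if ext_action is not None:
        attrs["ext-registryaction"] = ext_action
    key = ET.Element(q("Key"), attrs)
    ET.SubElement(key, q("KeyName")).text = key_name
    if key_value is not None:
        ET.SubElement(key, q("KeyValue")).text = key_value
    return key


def reg_to_keys(reg_text, action="add-value"):
    """Turn a .reg-style listing into Key elements, one per value line.

    Assumption: [HKEY_...] section headers and "name"=data value lines, as
    in Microsoft .reg files; KeyValue keeps the value line as written.
    """
    keys, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line                      # bracketed key path becomes KeyName
        elif line.startswith('"') and "=" in line and current is not None:
            keys.append(make_key(current, line, action))
    return keys


def make_registry_keys_modified(keys, observable_id=None):
    """Wrap Key elements in WindowsRegistryKeysModified (which needs 1..* Key)."""
    if not keys:
        raise ValueError("WindowsRegistryKeysModified needs at least one Key")
    attrs = {"observable-id": observable_id} if observable_id else {}
    wrkm = ET.Element(q("WindowsRegistryKeysModified"), attrs)
    wrkm.extend(keys)
    return wrkm


def summarize(wrkm):
    """Flatten WindowsRegistryKeysModified into (action, KeyName, KeyValue) tuples."""
    out = []
    for key in wrkm.findall(q("Key")):
        value = key.find(q("KeyValue"))
        out.append((key.get("registryaction"),
                    key.find(q("KeyName")).text,
                    value.text if value is not None else None))
    return out


# Constructed sample listing in .reg syntax; the key path is the draft's own example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Test\KeyName]
"ExampleValue"=dword:00000001
"ExamplePath"="C:\\Example\\tool.exe"
"""


def sample_registry_indicator():
    """Build the WindowsRegistryKeysModified element for SAMPLE_REG."""
    return make_registry_keys_modified(reg_to_keys(SAMPLE_REG), "reg-1")


def key_error(**kwargs):
    """Return the ValueError message make_key raises for kwargs, or None."""
    try:
        make_key("[HKEY_LOCAL_MACHINE\\Software\\Test\\KeyName]", **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

   Setting observable-id on the WindowsRegistryKeysModified element is what lets an Indicator elsewhere in the document point at this block through an ObservableReference.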
   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                       Figure 48: The Key Class

   The aggregate classes that constitute Key are:

   KeyName
      One.  STRING.  The name of the Windows operating system registry key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the associated registry key encoded as in Microsoft .reg files [KB310516].

   The Key class has three attributes:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified for registry key.

      7.  ext-value.  External value.

   ext-registryaction
      Optional.  A means by which to extend the registryaction attribute.  See Section 5.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.27.  HashData Class

   The HashData class describes file names and associated hashes and signatures.  ... TODO Fix Issue #20 and #25 ...

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM type                |<>--{0..*}--[ FileName ]
   | STRING ext-type          |<>--{0..*}--[ FileSize ]
   | BOOL valid               |<>--{0..*}--[ ds:Signature ]
   | ID observable-id         |<>--{0..*}--[ ds:KeyInfo ]
   |                          |<>--{0..*}--[ ds:Reference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                     Figure 49: The HashData Class

   The aggregate classes that constitute HashData are:

   FileName
      Zero or more.  ML_STRING.  The name of the file.

   FileSize
      Zero or more.  INTEGER.  The size of the file in bytes.
   ds:Signature
      Zero or more.

   ds:KeyInfo
      Zero or more.

   ds:Reference
      Zero or more.  The algorithm identification and value of a hash computed over a file.  This element is defined in [RFC3275].  Refer to RFC 5901.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See Section 3.9.

   The HashData class has four attributes:

   type
      Optional.  ENUM.  The hash type.

      1.  PKI-email-ds.  PKI email digital signature.

      2.  PKI-file-ds.  PKI file digital signature.

      3.  PGP-email-ds.  PGP email digital signature.

      4.  PGP-file-ds.  PGP file digital signature.

      5.  file-hash.  A hash computed over the entire contents of a file.

      6.  email-hash.  A hash computed over the headers and body of an email message.

      7.  email-headers-hash.  A hash computed over all of the headers of an email message.

      8.  email-body-hash.  A hash computed over the body of an email message.

      9.  email-headers-hash.  A hash computed over all of the email headers.

      10. ext-value.  An escape value used to extend this attribute.  See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.  See Section 5.1.

   valid
      Optional.  BOOLEAN.  Indicates if the signature or hash is valid.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.28.  IndicatorData Class

   The IndicatorData class describes the indicators identified from analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                   Figure 50: The IndicatorData Class

   The aggregate class that constitutes IndicatorData is:

   Indicator
      One or more.  An indicator from the incident.

   The IndicatorData class has no attributes.

3.29.  Indicator Class

   The Indicator class describes a cyber indicator.
   An indicator consists of observable features and phenomena that aid in the forensic or proactive detection of malicious activity, and associated meta-data.  This indicator can be described outright or reference observable features and phenomena described elsewhere in the incident information.  Portions of an incident description can be composed to define an indicator, as can the indicators themselves.

   +--------------------+
   | Indicator          |
   +--------------------+
   | ENUM restriction   |<>----------[ IndicatorID ]
   |                    |<>--{0..1}--[ AlternativeIndicatorID ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>--{0..1}--[ Confidence ]
   |                    |<>--{0..*}--[ Contact ]
   |                    |<>--{0..1}--[ Observable ]
   |                    |<>--{0..1}--[ ObservableReference ]
   |                    |<>--{0..1}--[ IndicatorExpression ]
   |                    |<>--{0..1}--[ IndicatorReference ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

                    Figure 51: The Indicator Class

   The aggregate classes that constitute Indicator are:

   IndicatorID
      One.  An identifier for this indicator.  See Section 3.29.1.

   AlternativeIndicatorID
      Zero or one.  An alternative identifier for this indicator.  See Section 3.29.2.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the indicator.

   StartTime
      Zero or one.  DATETIME.  A timestamp of the start of the time period during which this indicator is valid.

   EndTime
      Zero or one.  DATETIME.  A timestamp of the end of the time period during which this indicator is valid.

   Confidence
      Zero or one.  An estimate of the confidence in the quality of the indicator.  See Section 3.14.5.

   Contact
      Zero or more.  Contact information for this indicator.  See Section 3.10.

   Observable
      Zero or one.  An observable feature or phenomenon of this indicator.  See Section 3.29.3.
   ObservableReference
      Zero or one.  A reference to a feature or phenomenon defined elsewhere in the document.  See Section 3.29.5.

   IndicatorExpression
      Zero or one.  A composition of observables.  See Section 3.29.4.

   IndicatorReference
      Zero or one.  A reference to an indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See Section 3.9.

   The Indicator class MUST have exactly one instance of an Observable, IndicatorExpression, ObservableReference, or IndicatorReference class.

   The StartTime and EndTime classes can be used to define an interval during which the indicator is valid.  If both classes are present, the indicator is considered valid only during the described interval.  If neither class is provided, the indicator is considered valid during any time interval.  If only a StartTime is provided, the indicator is valid anytime after this timestamp.  If only an EndTime is provided, the indicator is valid anytime prior to this timestamp.

   The Indicator class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.29.1.  IndicatorID Class

   The IndicatorID class identifies an indicator with a globally unique identifier.  The combination of the name and version attributes, and the element content form this identifier.  Indicators generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

                    Figure 52: The IndicatorID Class

   The IndicatorID class has two attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that created the indicator.  In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.
      This format is identical to the IncidentID@name attribute in Section 3.4.

   version
      Required.  STRING.  A version number of an indicator.

3.29.2.  AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for an indicator.

   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   |                         |
   +-------------------------+

               Figure 53: The AlternativeIndicatorID Class

   The aggregate class that constitutes AlternativeIndicatorID is:

   IndicatorReference
      One or more.  A reference to an indicator.

   The AlternativeIndicatorID class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.29.3.  Observable Class

   The Observable class describes a feature or phenomenon that can be observed or measured for the purposes of detecting malicious behavior.

   +-------------------+
   | Observable        |
   +-------------------+
   |                   |<>--{0..1}--[ Address ]
   |                   |<>--{0..1}--[ DomainData ]
   |                   |<>--{0..1}--[ Service ]
   |                   |<>--{0..1}--[ EmailData ]
   |                   |<>--{0..1}--[ ApplicationHeader ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ HashData ]
   |                   |<>--{0..1}--[ RecordData ]
   |                   |<>--{0..1}--[ EventData ]
   |                   |<>--{0..1}--[ Incident ]
   |                   |<>--{0..*}--[ Expectation ]
   |                   |<>--{0..*}--[ Reference ]
   |                   |<>--{0..1}--[ Assessment ]
   |                   |<>--{0..1}--[ HistoryItem ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                    Figure 54: The Observable Class

   The aggregate classes that constitute Observable are:

   Address
      Zero or one.  An Address observable.  See Section 3.20.1.

   DomainData
      Zero or one.  A DomainData observable.  See Section 3.21.

   Service
      Zero or one.  A Service observable.  See Section 3.22.

   EmailData
      Zero or one.  An EmailData observable.  See Section 3.24.

   ApplicationHeader
      Zero or one.  An ApplicationHeader observable.  See Section 3.22.1.

   WindowsRegistryKeysModified
      Zero or one.  A WindowsRegistryKeysModified observable.  See Section 3.26.

   HashData
      Zero or one.  A HashData observable.  See Section 3.27.

   RecordData
      Zero or one.  A RecordData observable.  See Section 3.25.1.

   EventData
      Zero or one.  An EventData observable.  See Section 3.16.

   Incident
      Zero or one.  An Incident observable.  See Section 3.2.

   EventData
      Zero or one.  An EventData observable.  See Section 3.16.

   Expectation
      Zero or one.  An Expectation observable.  See Section 3.17.

   Reference
      Zero or one.  A Reference observable.  See Section 3.13.1.

   Assessment
      Zero or one.  An Assessment observable.  See Section 3.14.

   HistoryItem
      Zero or one.  A HistoryItem observable.  See Section 3.15.1.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See Section 3.9.

   The Observable class MUST have exactly one of the possible child classes.

   The Observable class has no attributes.

3.29.4.  IndicatorExpression Class

   The IndicatorExpression describes an expression composed of observed phenomena or features, or indicators.  Elements of the expression can be described directly, reference relevant data from other parts of a given IODEF document, or reference previously defined indicators.

   All child classes of a given instance of IndicatorExpression form a boolean algebraic expression where the operator between them is determined by the operator attribute.  Nesting an IndicatorExpression in itself is akin to a parenthesis in the expression.
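   The following is an added example, not part of the draft, of a small evaluator for the boolean algebra just described, together with the StartTime/EndTime validity rules of the Indicator class.  Because the draft still marks the operator semantics as a TODO, the evaluator's choices are this example's assumptions: "and", "or" and "xor" fold over all children in document order, "not" takes exactly one child, an absent operator attribute means "and", an Observable is taken to match when the observable-id on its single child class is in a caller-supplied set of matched ids, and an ObservableReference matches when its uid-ref is in that set.  The sample expression, its ids and all function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from functools import reduce

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"


def q(name):
    """Qualify an element name with the IODEF v2 namespace."""
    return "{%s}%s" % (IODEF_NS, name)


def observable_matches(obs, matched_ids):
    """An Observable matches when its child class carries a matched observable-id.

    Observable itself has no attributes; the child (Address, HashData, ...)
    is the element that carries observable-id (Section 3.3.2)."""
    for child in obs:
        oid = child.get("observable-id")
        if oid is not None:
            return oid in matched_ids
    return False


def evaluate(expr, matched_ids, indicator_results=None):
    """Recursively evaluate an IndicatorExpression element to a bool.

    matched_ids: observable-id values seen in the monitored environment.
    indicator_results: truth values for indicators named by IndicatorReference.
    Operator semantics are this example's assumptions (see the lead-in)."""
    indicator_results = indicator_results or {}
    values = []
    for child in expr:
        if child.tag == q("IndicatorExpression"):
            values.append(evaluate(child, matched_ids, indicator_results))
        elif child.tag == q("Observable"):
            values.append(observable_matches(child, matched_ids))
        elif child.tag == q("ObservableReference"):
            values.append(child.get("uid-ref") in matched_ids)
        elif child.tag == q("IndicatorReference"):
            ref = child.get("uid-ref") or child.get("euid-ref")
            values.append(bool(indicator_results.get(ref, False)))
        # AdditionalData contributes no truth value and is skipped
    op = expr.get("operator", "and")
    if op == "not":
        if len(values) != 1:
            raise ValueError("'not' expects exactly one operand, got %d" % len(values))
        return not values[0]
    if not values:
        raise ValueError("IndicatorExpression has no operands")
    if op == "and":
        return all(values)
    if op == "or":
        return any(values)
    if op == "xor":
        return reduce(lambda a, b: a != b, values)
    raise ValueError("unknown operator %r" % op)


def indicator_valid_at(start, end, when):
    """StartTime/EndTime rules of Section 3.29 on ISO 8601 strings (None = absent)."""
    t = datetime.fromisoformat(when)
    if start is not None and t < datetime.fromisoformat(start):
        return False
    if end is not None and t > datetime.fromisoformat(end):
        return False
    return True


# Constructed sample: addr-1 AND (hash-1 OR hash-2) AND NOT benign-1.
SAMPLE_EXPR = """\
<IndicatorExpression xmlns="urn:ietf:params:xml:ns:iodef-2.0" operator="and">
  <ObservableReference uid-ref="addr-1"/>
  <IndicatorExpression operator="or">
    <Observable>
      <HashData observable-id="hash-1" type="file-hash"/>
    </Observable>
    <ObservableReference uid-ref="hash-2"/>
  </IndicatorExpression>
  <IndicatorExpression operator="not">
    <ObservableReference uid-ref="benign-1"/>
  </IndicatorExpression>
</IndicatorExpression>
"""


def evaluate_sample(matched_ids):
    """Evaluate SAMPLE_EXPR against a collection of matched observable-id values."""
    return evaluate(ET.fromstring(SAMPLE_EXPR), set(matched_ids))
```

   The nested "not" expression is the parenthesis the text mentions: it lets an exclusion (a known-benign observable) be composed into an otherwise positive indicator without any extension to the data model.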
   +--------------------------+
   | IndicatorExpression      |
   +--------------------------+
   | ENUM operator            |<>--{0..*}--[ IndicatorExpression ]
   |                          |<>--{0..*}--[ Observable ]
   |                          |<>--{0..*}--[ ObservableReference ]
   |                          |<>--{0..*}--[ IndicatorReference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                Figure 55: The IndicatorExpression Class

   The aggregate classes that constitute IndicatorExpression are:

   IndicatorExpression
      Zero or more.  An expression composed of other observables or indicators.

   Observable
      Zero or more.  A description of an observable.

   ObservableReference
      Zero or more.  A reference to another observable.

   IndicatorReference
      Zero or more.  A reference to another indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See Section 3.9.

   ... TODO Additional text is required to describe the valid combinations of classes and how the operator class should be applied ...

   The IndicatorExpression class has one attribute:

   operator
      Optional.  ENUM.  The operator to be applied between the child elements.

      1.  not.  Negation operator.

      2.  and.  Conjunction operator.

      3.  or.  Disjunction operator.

      4.  xor.  Exclusive disjunction operator.

3.29.5.  ObservableReference Class

   The ObservableReference describes a reference to an observable feature or phenomenon described elsewhere in the document.

   This class has no content.

   +-------------------------+
   | ObservableReference     |
   +-------------------------+
   | EMPTY                   |
   |                         |
   | IDREF uid-ref           |
   +-------------------------+

                Figure 56: The ObservableReference Class

   The ObservableReference class has one attribute:

   uid-ref
      Required.  IDREF.  An identifier that serves as a reference to a class in the IODEF document.
      The referenced class will have this
      identifier set in the observable-id attribute.

3.29.6.  IndicatorReference Class

   The IndicatorReference describes a reference to an indicator.  This
   reference may be to an indicator described in the IODEF document or
   in a previously exchanged IODEF document.

   +--------------------------+
   | IndicatorReference       |
   +--------------------------+
   | EMPTY                    |
   |                          |
   | IDREF uid-ref            |
   | STRING euid-ref          |
   | STRING version           |
   +--------------------------+

                Figure 57: The IndicatorReference Class

   The IndicatorReference class has the following attributes:

   uid-ref
      Optional.  IDREF.  An identifier that serves as a reference to an
      Indicator class in the IODEF document.  The referenced Indicator
      class will have this identifier set in the IndicatorID class.

   euid-ref
      Optional.  STRING.  An identifier that references an IndicatorID
      not in this IODEF document.

   version
      Optional.  STRING.  A version number of an indicator.

   Either the uid-ref or the euid-ref attribute MUST be set.

4.  Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration, and MUST
   specify the XML version used.  If UTF-8 encoding is not used, the
   character encoding MUST also be explicitly specified.  The IODEF
   conforms to all XML data encoding conventions and constraints.

   The XML declaration with no character encoding will read as follows:

      <?xml version="1.0" ?>

   When a character encoding is specified, the XML declaration will read
   like the following:

      <?xml version="1.0" encoding="charset" ?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe).  These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
   respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
   Each IODEF document MUST include a valid reference to the IODEF
   schema using the "xsi:schemaLocation" attribute.  An example of such
   a declaration would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding
   extensible attribute has been set to "ext-value".

5.2.  Extending Classes

   The classes of the data model can be extended only through the use of
   the AdditionalData and RecordItem classes.  These container classes,
   collectively referred to as the extensible classes, are implemented
   with the iodef:ExtensionType data type in the schema.  They provide
   the ability to have new atomic or XML-encoded data elements in all of
   the top-level classes of the Incident class and a few of the more
   complicated subordinate classes.  As there are multiple instances of
   the extensible classes in the data model, there is discretion on
   where to add a new data element.  It is RECOMMENDED that the
   extension be placed in the class most closely related to the new
   information.

   Extensions using the atomic data types (i.e., all values of the dtype
   attribute other than "xml") MUST:

   1.  Set the element content of the extensible class to the desired
       value, and

   2.  Set the dtype attribute to correspond to the data type of the
       element content.

   The following guidelines exist for extensions using XML:

   1.  The element content of the extensible class MUST be set to the
       desired value and the dtype attribute MUST be set to "xml".

   2.
       The extension schema MUST declare a separate namespace.  It is
       RECOMMENDED that these extensions have the prefix "iodef-".  This
       recommendation makes the document easier to read by allowing the
       reader to infer by inspection which namespaces relate to IODEF.

   3.  It is RECOMMENDED that extension schemas follow the naming
       convention of the IODEF data model.  This makes reading an
       extended IODEF document look like any other IODEF document.  The
       names of all elements are capitalized.  For elements with
       composed names, a capital letter is used for each word.
       Attribute names are lower case.  Attributes with composed names
       are separated by a hyphen.

   4.  Parsers that encounter an unrecognized element in a namespace
       that they do support MUST reject the document as a syntax error.

   5.  There are security and performance implications in requiring
       implementations to dynamically download schemas at run time.
       Thus, implementations SHOULD NOT download schemas at runtime,
       unless implementations take appropriate precautions and are
       prepared for potentially significant network, processing, and
       time-out demands.

   6.  Some users of the IODEF may have private schema definitions that
       might not be available on the Internet.  In this situation, if an
       IODEF document leaks out of the private use space, references to
       some of those document schemas may not be resolvable.  This has
       two implications.  First, references to private schemas may never
       resolve.  As such, in addition to the suggestion that
       implementations do not download schemas at runtime mentioned
       above, recipients MUST be prepared for a schema definition in an
       IODEF document never to resolve.

   The following schema and XML document excerpt provide a template for
   an extension schema and its use in the IODEF document.
   This example schema defines a namespace of "iodef-extension1" and a
   single element named "newdata".

      (Extension schema example: the XML markup was not preserved in
      this copy; only the attributes attributeFormDefault="unqualified"
      and elementFormDefault="qualified" survive.)

   The following XML excerpt demonstrates the use of the above schema as
   an extension to the IODEF.

      (IODEF document excerpt: markup not preserved in this copy; the
      extension element carries the text "Field that could not be
      represented elsewhere".)

      (Incident report example: Example.com CSIRT incident 189493,
      "Host sending out Code Red probes", with a web-server log record
      of a "GET /default.ida?XXX..." request from 192.0.2.1 and a
      notification sent to constituency-contact@192.0.2.200; markup not
      preserved in this copy.)
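   The Section 5 extension rules (atomic versus dtype="xml" content, a
   separate namespace for XML extensions, rejection of unrecognized
   elements in a supported namespace, and no schema downloads at
   runtime), as an added example that is not code from the draft.  It
   assumes the root element is IODEF-Document, that the attribute paired
   with dtype="ext-value" is named ext-dtype, that "string" is one of the
   atomic dtype values, and that KNOWN is an abbreviated stand-in for the
   full element vocabulary; both documents and the extension namespace
   are constructed.

```python
"""Check IODEF AdditionalData extensions against the Section 5 rules.

Added example, not code from the draft.  Assumptions: the root element is
IODEF-Document, the attribute paired with dtype="ext-value" is ext-dtype,
"string" is one of the atomic dtype values, and KNOWN is an abbreviated
stand-in for the full IODEF element vocabulary.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
# A real parser lists every element of Section 3 here.
KNOWN = {"{%s}%s" % (IODEF_NS, n)
         for n in ("IODEF-Document", "Incident", "AdditionalData")}


def check_document(xml_text):
    """Return the list of rule violations; an empty list means accept.
    ElementTree never fetches schemas or DTDs, so this runs offline even
    when xsi:schemaLocation points at a schema that will never resolve."""
    problems = []
    for el in ET.fromstring(xml_text).iter():
        ns = el.tag[1:].partition("}")[0] if el.tag.startswith("{") else ""
        if ns == IODEF_NS and el.tag not in KNOWN:
            # Unrecognized element in a namespace we support: reject.
            problems.append("unrecognized IODEF element %s" % el.tag)
        if el.tag == "{%s}AdditionalData" % IODEF_NS:
            problems.extend(check_additional_data(el))
    return problems


def check_additional_data(el):
    """Apply the atomic and XML extension rules to one AdditionalData."""
    dtype = el.get("dtype")
    children = list(el)
    out = []
    if dtype == "xml":
        # XML extension: one child element in its own, non-IODEF namespace.
        if len(children) != 1:
            out.append("dtype=xml needs exactly one child element")
        for c in children:
            if not c.tag.startswith("{") or c.tag.startswith("{%s}" % IODEF_NS):
                out.append("extension %s must use a separate namespace" % c.tag)
    elif dtype != "ext-value":
        # Atomic dtype: the element content itself is the value.
        if children:
            out.append("dtype=%s must not carry child elements" % dtype)
        if not (el.text or "").strip():
            out.append("dtype=%s has empty content" % dtype)
    # Extension attribute only together with dtype="ext-value", and vice versa.
    if (dtype == "ext-value") != (el.get("ext-dtype") is not None):
        out.append("ext-dtype must be set exactly when dtype is ext-value")
    return out


# Constructed documents; the extension namespace and schema URL are made up.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document xmlns="urn:ietf:params:xml:ns:iodef-2.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:iodef-ext1="urn:example:iodef-extension1"
    xsi:schemaLocation="urn:example:iodef-extension1
                        https://private.example/iodef-extension1.xsd">
  <Incident>
    <AdditionalData dtype="xml">
      <iodef-ext1:newdata>Field that could not be represented elsewhere</iodef-ext1:newdata>
    </AdditionalData>
    <AdditionalData dtype="string">constructed atomic value</AdditionalData>
  </Incident>
</IODEF-Document>"""

BAD = """<IODEF-Document xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident>
    <AdditionalData dtype="xml"><newdata>same namespace</newdata></AdditionalData>
    <AdditionalData dtype="string"><nested/></AdditionalData>
    <AdditionalData dtype="string" ext-dtype="custom">x</AdditionalData>
  </Incident>
</IODEF-Document>"""
```

   The GOOD document passes even though its schemaLocation can never be
   fetched; BAD trips the same-namespace rule, the unrecognized-element
   rule, the atomic-content rule and the ext-value pairing rule.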
7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

      (IODEF document: incident 59334 reported by the CSIRT for
      example.com, contact Joe Smith, describing an nmap scan of hosts
      in 192.0.2.0/24 against ports 137-139 and 445; markup not
      preserved in this copy.)
7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

      (IODEF document: incident 908711, "Large bot-net", reported by
      Joe Smith; hosts compromised via the vulnerability in CA-2003-22
      running GT Bot and communicating with the IRC server
      irc.example.com on the #give-me-cmd channel; recommended action
      "Confirm the source and take machines off-line and remediate";
      markup not preserved in this copy.)
7.4.  Watch List

   An example of a CSIRT conveying a watch-list.

      (IODEF document: incident 908711, "Watch-list of known bad IPs or
      networks", from the CSIRT for example.com, listing a host that is
      the source of numerous attacks, a network that is the source of
      heavy scanning over the past month, and a C2 IRC server; markup
      not preserved in this copy.)
8.  The IODEF Schema

      (The XML Schema, "Incident Object Description Exchange Format
      v2.0, RFC5070-bis", was not preserved in this copy.)

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.
   The Real-time Inter-network Defense (RID) protocol [RFC6545] and its
   associated transport binding IODEF/RID over HTTP/TLS [RFC6546]
   provide such security.

   In order to suggest data processing and handling guidelines for the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.
   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1:
              Structures Second Edition", W3C Recommendation, October
              2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006.

   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions", IEEE
              1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.
   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.
   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) Files", RFC 4180, October 2005.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com