MILE Working Group                                          R. Danyliw
Internet-Draft                                                    CERT
Obsoletes: 5070 (if approved)                              P. Stoecker
Intended status: Standards Track                                   RSA
Expires: April 29, 2015                               October 26, 2014

           The Incident Object Description Exchange Format v2
                     draft-ietf-mile-rfc5070-bis-09

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for sharing information commonly exchanged by
   Computer Security Incident Response Teams (CSIRTs) about computer
   security incidents.  This document describes the information model
   for the IODEF and provides an associated data model specified with
   XML Schema.  This document obsoletes RFC 5070.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 29, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
     1.1.  Changes from 5070
     1.2.  Terminology
     1.3.  Notations
     1.4.  About the IODEF Data Model
     1.5.  About the IODEF Implementation
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Bytes
     2.6.  Hexadecimal Bytes
     2.7.  Enumerated Types
     2.8.  Date-Time Strings
     2.9.  Timezone String
     2.10. Port Lists
     2.11. Postal Address
     2.12. Person or Organization
     2.13. Telephone and Fax Numbers
     2.14. Email String
     2.15. Uniform Resource Locator strings
     2.16. Identifiers and Identifier References
   3.  The IODEF Data Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  Common Attributes
       3.3.1.  restriction Attribute
       3.3.2.  observable-id Attribute
     3.4.  IncidentID Class
     3.5.  AlternativeID Class
     3.6.  RelatedActivity Class
     3.7.  ThreatActor Class
     3.8.  Campaign Class
     3.9.  AdditionalData Class
     3.10. Contact Class
       3.10.1.  RegistryHandle Class
       3.10.2.  PostalAddress Class
       3.10.3.  Email Class
       3.10.4.  Telephone and Fax Classes
     3.11. Time Classes
       3.11.1.  StartTime Class
       3.11.2.  EndTime Class
       3.11.3.  DetectTime Class
       3.11.4.  ReportTime Class
       3.11.5.  DateTime
     3.12. Discovery Class
       3.12.1.  DetectionPattern Class
     3.13. Method Class
     3.14. Assessment Class
       3.14.1.  Impact Class
       3.14.2.  BusinessImpact Class
       3.14.3.  TimeImpact Class
       3.14.4.  MonetaryImpact Class
       3.14.5.  Confidence Class
     3.15. History Class
       3.15.1.  HistoryItem Class
     3.16. EventData Class
       3.16.1.  Relating the Incident and EventData Classes
       3.16.2.  Cardinality of EventData
     3.17. Expectation Class
     3.18. Flow Class
     3.19. System Class
     3.20. Node Class
       3.20.1.  Address Class
       3.20.2.  NodeRole Class
       3.20.3.  Counter Class
     3.21. DomainData Class
       3.21.1.  RelatedDNS
       3.21.2.  Nameservers Class
       3.21.3.  DomainContacts Class
     3.22. Service Class
       3.22.1.  ApplicationHeader Class
       3.22.2.  Application Class
     3.23. OperatingSystem Class
     3.24. EmailData Class
     3.25. Record Class
       3.25.1.  RecordData Class
       3.25.2.  RecordPattern Class
       3.25.3.  RecordItem Class
     3.26. WindowsRegistryKeysModified Class
       3.26.1.  Key Class
     3.27. HashData Class
     3.28. IndicatorData Class
     3.29. Indicator Class
       3.29.1.  IndicatorID Class
       3.29.2.  AlternativeIndicatorID Class
       3.29.3.  Observable Class
       3.29.4.  IndicatorExpression Class
       3.29.5.  ObservableReference Class
       3.29.6.  IndicatorReference Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
     4.4.  Incompatibilities with v1
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
     5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
     7.1.  Worm
     7.2.  Reconnaissance
     7.3.  Bot-Net Reporting
     7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
     12.1.  Normative References
     12.2.  Informative References

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a
   bot-network, or sharing watch-lists of known malicious IP addresses
   in a consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).  It
   provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.

   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.
   This structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since the
      resources of security analysts to parse free-form textual
      documents will be reduced;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC 5070.

   o  All of the RFC 5070 errata were implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The following class was added to IODEF-Document: AdditionalData.

   o  The following class was added to Incident: IndicatorData.

   o  The following class was added to Incident and EventData:
      Discovery.

   o  The following classes and attributes were added to the Service
      class: EmailData, DomainData, AssetID, ApplicationHeader,
      @virtual, and @ownership.  Service@ip_protocol was renamed to
      @ip-protocol.
   o  The following classes were added to the Record class: HashData and
      WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following classes were added to Assessment: BusinessImpact and
      MitigatingFactor.

   o  The following classes were added to Node: PostalAddress and
      DomainData.  The following classes were removed from Node:
      NodeName and DateTime.

   o  The following class was added to the Contact class: ContactTitle.

   o  The following class was added to Expectation and HistoryItem:
      DefinedCOA.

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, System@spoofed.

1.2.  Terminology

   The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT,"
   "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.

   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.  The
   term "IODEF document" will be used to refer to specific elements and
   attributes of the IODEF schema.
   The terms "class" and "element" will be used interchangeably to
   reference the corresponding data element in the information model or
   the data model, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for
      on-disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise, widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.  It ensures that there are ample mechanisms for
      extensibility to support organization-specific information, and
      techniques to reference information kept outside of the explicit
      data model.

   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content, while
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security relevant data
      representations being standardized.  Attempts were made to ensure
      they were complementary.  The data model of the Intrusion
      Detection Message Exchange Format [RFC4765] influenced the design
      of the IODEF.

   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [refs.requirements].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.  When possible, native Schema
   data types were adopted, but for more complicated formats, regular
   expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external
   standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.  Integer data
   MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" in
   [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.  Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" in
   [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.  See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   STRING data that represents multi-character attributes in a language
   different than the default encoding of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as an "iodef:MLStringType" in
   the schema.

2.5.  Bytes

   A binary octet is represented by the BYTE data type.  A sequence of
   binary octets is represented by the BYTE[] data type.  These octets
   are encoded using base64.

   The BYTE data type is implemented as an "xs:base64Binary" in
   [W3C.SCHEMA.DTYPES].

2.6.  Hexadecimal Bytes

   A binary octet is represented by the HEXBIN (and HEXBIN[]) data type.
   This octet is encoded as a character tuple consisting of two
   hexadecimal digits.

   The HEXBIN data type is implemented as an "xs:hexBinary" in
   [W3C.SCHEMA.DTYPES].

2.7.  Enumerated Types

   Enumerated types are represented by the ENUM data type, and consist
   of an ordered list of acceptable values.  Each value has a
   representative keyword.  Within the IODEF schema, the enumerated type
   keywords are used as attribute values.

   The ENUM data type is implemented as a series of "xs:NMTOKEN" in the
   schema.

2.8.  Date-Time Strings

   Date-time strings are represented by the DATETIME data type.  Each
   date-time string identifies a particular instant in time.  Ranges are
   not supported.

   Date-time strings are formatted according to a subset of [ISO8601]
   documented in [RFC3339].

   The DATETIME data type is implemented as an "xs:dateTime" in the
   schema.

2.9.  Timezone String

   A timezone offset from UTC is represented by the TIMEZONE data type.
   It is formatted according to the following regular expression:
   "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

   The TIMEZONE data type is implemented as an "xs:string" with a
   regular expression constraint in [W3C.SCHEMA.DTYPES].
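   The following is an added example, not code from the draft, showing
   how the DATETIME and TIMEZONE types of Sections 2.8 and 2.9 can be
   validated outside an XML Schema processor.  The TIMEZONE pattern is
   the draft's own; the DATETIME grammar is an assumption (the RFC 3339
   date-time form with a mandatory "T" separator and a mandatory
   offset).  The point a practitioner most often gets wrong is that an
   xs:pattern facet is implicitly anchored at both ends, so a port of
   the pattern to a general-purpose regex engine must anchor it
   explicitly or trailing garbage will be accepted.

```python
"""Validate IODEF DATETIME and TIMEZONE strings (Sections 2.8 and 2.9).

Added example, not part of the draft.  The TIMEZONE pattern is copied
from Section 2.9; the DATETIME grammar is an assumption: RFC 3339
date-time with a mandatory "T" and a mandatory offset, which is what
xs:dateTime with a required timezone accepts.
"""
import re
from datetime import datetime, timedelta, timezone

TIMEZONE_PATTERN = r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"

# An xs:pattern facet is implicitly anchored at both ends.  Python's
# re.match anchors only the start and re.search neither, so both accept
# trailing garbage; re.fullmatch reproduces the schema semantics.
TIMEZONE_RE = re.compile(TIMEZONE_PATTERN)
DATETIME_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2})T"
    r"(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?)"
    r"(?P<tz>" + TIMEZONE_PATTERN + r")")


def is_timezone(value):
    """Schema-equivalent check: the whole string must match."""
    return TIMEZONE_RE.fullmatch(value) is not None


def is_timezone_unanchored(value):
    """The mistake to avoid: re.match stops after the first alternative
    succeeds, so "Z:junk" or "+05:00junk" are accepted."""
    return TIMEZONE_RE.match(value) is not None


def parse_datetime(value):
    """Parse an IODEF DATETIME into a timezone-aware datetime or raise
    ValueError.  Impossible dates (month 13, Feb 30) and the RFC 3339
    leap second 23:59:60 are rejected by the datetime constructor."""
    m = DATETIME_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"not an IODEF DATETIME: {value!r}")
    year, month, day = (int(x) for x in m["date"].split("-"))
    hour, minute, rest = m["time"].split(":")
    second, _, fraction = rest.partition(".")
    micro = int((fraction + "000000")[:6]) if fraction else 0
    tz = m["tz"]
    if tz == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if tz[0] == "+" else -1
        offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return datetime(year, month, day, int(hour), int(minute), int(second),
                    micro, tzinfo=timezone(offset))


def is_datetime(value):
    try:
        parse_datetime(value)
    except ValueError:
        return False
    return True


def to_utc_iso(value):
    """Normalise to UTC, the form to use when correlating DetectTime,
    StartTime and ReportTime values coming from different reporters."""
    return parse_datetime(value).astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    for sample in ("2014-10-26T14:30:00-05:00", "2014-10-26T14:30:00+15:00"):
        print(sample, "->", to_utc_iso(sample) if is_datetime(sample) else "rejected")
```

   The offset range in the pattern (up to +14:00, at least -09:59 on
   the negative side) comes straight from the draft's regular
   expression; an offset such as +15:00 is rejected even though it is
   syntactically well-formed, which is the behaviour a schema validator
   would also show.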
   The TIMEZONE regular expression is identical to the timezone
   representation implemented in an "xs:dateTime".

2.10.  Port Lists

   A list of network ports is represented by the PORTLIST data type.  A
   PORTLIST consists of a comma-separated list of numbers and ranges
   (N-M means ports N through M, inclusive).  It is formatted according
   to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*".
   For example, "2,5-15,30,32,40-50,55-60".

   The PORTLIST data type is implemented as an "xs:string" with a
   regular expression constraint in the schema.

2.11.  Postal Address

   A postal address is represented by the POSTAL data type.  This data
   type is an ML_STRING whose format is documented in Section 2.23 of
   [RFC4519].  It defines a postal address as a free-form multi-line
   string separated by the "$" character.

   The POSTAL data type is implemented as an "xs:string" in the schema.

2.12.  Person or Organization

   The name of an individual or organization is represented by the NAME
   data type.  This data type is an ML_STRING whose format is documented
   in Section 2.3 of [RFC4519].

   The NAME data type is implemented as an "xs:string" in the schema.

2.13.  Telephone and Fax Numbers

   A telephone or fax number is represented by the PHONE data type.  The
   format of the PHONE data type is documented in Section 2.35 of
   [RFC4519].

   The PHONE data type is implemented as an "xs:string" in the schema.

2.14.  Email String

   An email address is represented by the EMAIL data type.  The format
   of the EMAIL data type is documented in Section 3.4.1 of [RFC5322].

   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" in the schema.

2.16.  Identifiers and Identifier References

   An identifier unique to the Document is represented by the ID data
   type.  A reference to this identifier is represented by the IDREF
   data type.  The acceptable format of ID and IDREF is documented in
   Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

   The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
   in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   will be discussed in detail.  For each class, the semantics will be
   described and the relationship with other classes will be depicted
   with UML.  When necessary, specific comments will be made about the
   corresponding definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

                    Figure 1: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   lang
      Required.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   formatid
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out-of-band.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM lang               |<>--{0..*}--[ RelatedActivity ]
   | ENUM restriction        |<>--{0..1}--[ DetectTime ]
   | STRING observable-id    |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ RecoveryTime ]
   |                         |<>----------[ ReportTime ]
   |                         |<>--{0..1}--[ GenerationTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 2: The Incident Class

   The aggregate classes that constitute Incident are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.

   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   RecoveryTime
      Zero or one.  The time the site recovered from the incident.

   ReportTime
      One.  The time the incident was reported.

   GenerationTime
      One.  The time the content in this Incident class was generated.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.

   Assessment
      One or more.  A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

   EventData
      Zero or more.  Description of the events comprising the incident.

   IndicatorData
      Zero or more.  Description of indicators.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has five attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.17).  This attribute is defined as an
      enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.  The document was sent to convey indicators to watch
          for particular activity.

      5.  other.  The document was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.

   lang
      Optional.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.3.  Common Attributes

   There are a number of recurring attributes used by the data model.
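   The following is an added example, not code from the draft, that
   puts the IODEF-Document and Incident classes of Sections 3.1 and 3.2
   and the restriction attribute defined in Section 3.3.1 to work.  It
   computes the effective disclosure level of any element by walking up
   to the nearest ancestor that sets restriction (with "private" as the
   Incident default), treats the colour names as the synonyms the draft
   declares them to be, and strips from a copy of the document every
   subtree the intended recipient is not cleared for.  The sample
   document is constructed here and is not validated against the
   Section 8 schema; the namespace URI is a placeholder (the draft
   assigns the real one in Section 4.2); and the value "default" is
   resolved through a caller-supplied policy, since the draft leaves it
   to the parties to pre-arrange.  As Section 3.3.1 itself says, the
   attribute carries no technical enforcement: this is the sender's
   own redaction step before transmission, not something the recipient
   is bound by.

```python
"""Effective disclosure level of IODEF content (restriction attribute).

Added example, not part of the draft.  Assumptions: placeholder
namespace URI, a constructed sample document that is not schema
validated, and "default" resolved through a caller-supplied policy.
"""
import copy
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-2.0"   # placeholder, see Section 4.2

# Strictness order of Section 3.3.1, least to most restrictive.
LEVELS = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}
# The colour names are defined as synonyms of the four levels.
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}

# Constructed sample: the Incident is shareable with partners, one child
# relaxes that (Description), two tighten it (Contact, EventData).
SAMPLE_XML = f"""<IODEF-Document version="2.00" lang="en" xmlns="{NS}">
  <Incident purpose="reporting" restriction="partner">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2014-10-26T12:00:00Z</ReportTime>
    <Description restriction="public">Scanning of the web tier.</Description>
    <Assessment><Impact>No compromise observed.</Impact></Assessment>
    <Contact type="organization" role="creator" restriction="red">
      <Email>csirt@example.com</Email>
    </Contact>
    <EventData restriction="need-to-know">
      <Flow><System category="source"><Node>
        <Address category="ipv4-addr">192.0.2.44</Address>
      </Node></System></Flow>
    </EventData>
  </Incident>
</IODEF-Document>"""


def normalize(value, default_policy):
    """Map a restriction value to one of the four canonical levels."""
    value = ALIASES.get(value, value)
    if value == "default":            # pre-arranged between the parties
        value = default_policy
    if value not in LEVELS:
        raise ValueError(f"unknown restriction value {value!r}")
    return value


def local(tag):
    return tag.rsplit("}", 1)[-1]


def element_path(root, *names):
    """Descend from the document root by local element names and return
    the ancestor chain from the first named element down to the last."""
    path, el = [], root
    for name in names:
        el = next(c for c in el if local(c.tag) == name)
        path.append(el)
    return path


def effective_restriction(path, default_policy="private"):
    """Nearest element on the chain (self first) that sets restriction
    wins; if none does, the Incident default of "private" applies."""
    for el in reversed(path):
        value = el.get("restriction")
        if value is not None:
            return normalize(value, default_policy)
    return "private"


def redact(root, clearance, default_policy="private"):
    """Copy the document, dropping every element whose effective
    restriction is stricter than the recipient's clearance.  Returns
    (copy, removed paths).  The caller must still validate the copy:
    dropping a required child such as Contact leaves an invalid
    Incident, and an Incident dropped outright leaves an empty document."""
    root = copy.deepcopy(root)
    limit = LEVELS[normalize(clearance, default_policy)]
    removed = []

    def walk(el, inherited, path):
        for child in list(el):
            value = child.get("restriction")
            level = inherited if value is None else normalize(value, default_policy)
            child_path = f"{path}/{local(child.tag)}"
            if LEVELS[level] > limit:
                el.remove(child)
                removed.append(child_path)
            else:
                walk(child, level, child_path)

    # The draft defines the "private" default only for Incident; the same
    # conservative default is applied to any other top-level child here.
    walk(root, "private", "/" + local(root.tag))
    return root, removed


SAMPLE = ET.fromstring(SAMPLE_XML)

if __name__ == "__main__":
    shared, dropped = redact(SAMPLE, "partner")
    print(ET.tostring(shared, encoding="unicode"))
    print("dropped:", dropped)
```

   Run against the sample, a partner-level recipient receives the
   Incident with its Description and Assessment but without the
   red-marked Contact and the need-to-know EventData, while a
   public-level recipient receives nothing at all, because the Incident
   element itself is partner-only and the public Description cannot
   survive the removal of its parent.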
703 They are documented in this section. 705 3.3.1. restriction Attribute 707 The restriction attribute indicates the disclosure guidelines to 708 which the sender expects the recipient to adhere for the information 709 represented in this class and its children. This guideline provides 710 no security since there are no specified technical means to ensure 711 that the recipient of the document handles the information as the 712 sender requested. 714 The value of this attribute is logically inherited by the children of 715 this class. That is to say, the disclosure rules applied to this 716 class, also apply to its children. 718 It is possible to set a granular disclosure policy, since all of the 719 high-level classes (i.e., children of the Incident class) have a 720 restriction attribute. Therefore, a child can override the 721 guidelines of a parent class, be it to restrict or relax the 722 disclosure rules (e.g., a child has a weaker policy than an ancestor; 723 or an ancestor has a weak policy, and the children selectively apply 724 more rigid controls). The implicit value of the restriction 725 attribute for a class that did not specify one can be found in the 726 closest ancestor that did specify a value. 728 This attribute is defined as an enumerated value with a default value 729 of "private". Note that the default value of the restriction 730 attribute is only defined in the context of the Incident class. In 731 other classes where this attribute is used, no default is specified. 733 1. public. The information can be freely distributed without 734 restriction. 736 2. partner. The information may be shared within a closed community 737 of peers, partners, or affected parties, but cannot be openly 738 published. 740 3. need-to-know. The information may be shared only within the 741 organization with individuals that have a need to know. 743 4. private. The information may not be shared. 745 5. default. 
The information can be shared according to an 746 information disclosure policy pre-arranged by the communicating 747 parties. 749 6. white. Same as 'public'. 751 7. green. Same as 'partner'. 753 8. amber. Same as 'need-to-know'. 755 9. red. Same as 'private'. 757 3.3.2. observable-id Attribute 759 Information included in an incident report may be an observable 760 relevant to an indicator. The observable-id attribute provides a 761 unique identifier in the scope of the document for this observable. 762 This identifier can then used to reference the observable with an 763 ObservableReference class to define an indicator in the IndicatorData 764 class. 766 3.4. IncidentID Class 768 The IncidentID class represents an incident tracking number that is 769 unique in the context of the CSIRT and identifies the activity 770 characterized in an IODEF Document. This identifier would serve as 771 an index into the CSIRT incident handling system. The combination of 772 the name attribute and the string in the element content MUST be a 773 globally unique identifier describing the activity. Documents 774 generated by a given CSIRT MUST NOT reuse the same value unless they 775 are referencing the same incident. 777 +------------------+ 778 | IncidentID | 779 +------------------+ 780 | STRING | 781 | | 782 | STRING name | 783 | STRING instance | 784 | ENUM restriction | 785 +------------------+ 787 Figure 3: The IncidentID Class 789 The IncidentID class has three attributes: 791 name 792 Required. STRING. An identifier describing the CSIRT that 793 created the document. In order to have a globally unique CSIRT 794 name, the fully qualified domain name associated with the CSIRT 795 MUST be used. 797 instance 798 Optional. STRING. An identifier referencing a subset of the 799 named incident. 801 restriction 802 Optional. ENUM. See Section 3.3.1. The default value is 803 "public". 805 3.5. 
AlternativeID Class 807 The AlternativeID class lists the incident tracking numbers used by 808 CSIRTs, other than the one generating the document, to refer to the 809 identical activity described in the IODEF document. A tracking 810 number listed as an AlternativeID references the same incident 811 detected by another CSIRT. The incident tracking numbers of the 812 CSIRT that generated the IODEF document must never be considered an 813 AlternativeID. 815 +------------------+ 816 | AlternativeID | 817 +------------------+ 818 | ENUM restriction |<>--{1..*}--[ IncidentID ] 819 | | 820 +------------------+ 822 Figure 4: The AlternativeID Class 824 The aggregate class that constitutes AlternativeID is: 826 IncidentID 827 One or more. The incident tracking number of another CSIRT. 829 The AlternativeID class has one attribute: 831 restriction 832 Optional. ENUM. This attribute has been defined in Section 3.2. 834 3.6. RelatedActivity Class 836 The RelatedActivity class relates the information described in the 837 rest of the IODEF document to previously observed incidents or 838 activity; and allows attribution to a specific actor or campaign. 840 +------------------+ 841 | RelatedActivity | 842 +------------------+ 843 | ENUM restriction |<>--{0..*}--[ IncidentID ] 844 | |<>--{0..*}--[ URL ] 845 | |<>--{0..*}--[ ThreatActor ] 846 | |<>--{0..*}--[ Campaign ] 847 | |<>--{0..1}--[ Confidence ] 848 | |<>--{0..*}--[ Description ] 849 | |<>--{0..*}--[ AdditionalData ] 850 +------------------+ 852 Figure 5: RelatedActivity Class 854 The aggregate classes that constitutes RelatedActivity are: 856 IncidentID 857 One or more. The incident tracking number of a related incident. 859 URL 860 One or more. URL. A URL to activity related to this incident. 862 ThreatActor 863 One or more. The threat actor to whom the described activity is 864 attributed. 866 Campaign 867 One or more. The campaign of a given threat actor to whom the 868 described activity is attributed. 
870 Confidence 871 Zero or one. An estimate of the confidence in attributing this 872 RelatedActivity to the event described in the document. 874 Description 875 Zero or more. ML_STRING. A description of how these 876 relationships were derived. 878 AdditionalData 879 Zero or more. A mechanism by which to extend the data model. 881 RelatedActivity MUST at least have one instance of IncidentID, URL, 882 ThreatActor, or Campaign. 884 The RelatedActivity class has one attribute: 886 restriction 887 Optional. ENUM. See Section 3.3.1. 889 3.7. ThreatActor Class 891 The ThreatActor class describes a given actor. 893 +------------------+ 894 | Actor | 895 +------------------+ 896 | ENUM restriction |<>--{0..1}--[ ThreatActorID ] 897 | |<>--{0..*}--[ Description ] 898 | |<>--{0..*}--[ AdditionalData ] 899 +------------------+ 901 Figure 6: ThreatActor Class 903 The aggregate classes that constitutes ThreatActor are: 905 ThreatActorID 906 One or more. STRING. An identifier for the ThreatActor. 908 Description 909 One or more. ML_STRING. A description of the ThreatActor. 911 AdditionalData 912 Zero or more. A mechanism by which to extend the data model. 914 ThreatActor MUST have at least one instance of a ThreatActorID or 915 Description. 917 The ThreatActor class has one attribute: 919 restriction 920 Optional. ENUM. See Section 3.3.1. 922 3.8. Campaign Class 924 The Campaign class describes a ... 926 +------------------+ 927 | Campaign | 928 +------------------+ 929 | ENUM restriction |<>--{0..1}--[ CampaignID ] 930 | |<>--{0..*}--[ Description ] 931 | |<>--{0..*}--[ AdditionalData ] 932 +------------------+ 934 Figure 7: Campaign Class 936 The aggregate classes that constitutes Campaign are: 938 CampaignID 939 One or more. STRING. An identifier for the Campaign. 941 Description 942 One or more. ML_STRING. A description of the Campaign. 944 AdditionalData 945 Zero or more. A mechanism by which to extend the data model. 
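The restriction inheritance rule of Section 3.3.1 (closest ancestor with an explicit value wins, the "private" default exists only at the Incident class, TLP colours alias the four primary values) and the "at least one of" rules stated for RelatedActivity, ThreatActor and Campaign, worked through in Python as an added example that is not code from the draft or its schema. The namespace URI and the sample Incident are constructed placeholders; the IncidentID class's own "public" default (Section 3.4) is sidestepped by giving that element an explicit value.

```python
"""Resolve effective 'restriction' values in an IODEF Incident and check the
"at least one of" rules for RelatedActivity, ThreatActor and Campaign.

Added example, not code from the draft.  ASSUMPTIONS: the namespace URI is a
placeholder and the sample document is constructed.
"""
import xml.etree.ElementTree as ET

NS = "urn:example:iodef-placeholder"  # ASSUMPTION: placeholder, not the IODEF namespace

# TLP colour names are defined as aliases of the four primary values.
RESTRICTION_ALIASES = {"white": "public", "green": "partner",
                       "amber": "need-to-know", "red": "private"}
PRIMARY_VALUES = {"public", "partner", "need-to-know", "private", "default"}

# "At least one of" rules from Sections 3.6, 3.7 and 3.8.
CO_OCCURRENCE = {
    "RelatedActivity": ("IncidentID", "URL", "ThreatActor", "Campaign"),
    "ThreatActor": ("ThreatActorID", "Description"),
    "Campaign": ("CampaignID", "Description"),
}

# Constructed sample; identifiers are placeholders.  Incident sets no
# restriction, so its "private" default must apply to it and to the
# unmarked Description; the empty Campaign violates Section 3.8.
SAMPLE = f"""<Incident xmlns="{NS}" purpose="reporting">
  <IncidentID name="csirt.example.com" restriction="public">EXAMPLE-0001</IncidentID>
  <RelatedActivity restriction="amber">
    <ThreatActor>
      <ThreatActorID>ACTOR-PLACEHOLDER</ThreatActorID>
      <Description restriction="red">constructed attribution notes</Description>
    </ThreatActor>
    <Campaign/>
  </RelatedActivity>
  <Description>constructed incident summary</Description>
</Incident>"""


def local_name(tag):
    """Strip the namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def canonical_restriction(value):
    """Map a TLP colour onto its primary value; reject values outside the enumeration."""
    value = RESTRICTION_ALIASES.get(value, value)
    if value not in PRIMARY_VALUES:
        raise ValueError(f"unknown restriction value: {value!r}")
    return value


def effective_restriction(chain):
    """chain: elements from the Incident root down to the element of interest.
    The element's own value wins, then the closest ancestor's; with no explicit
    value anywhere on the path, the Incident-level default 'private' applies."""
    for node in reversed(chain):
        value = node.get("restriction")
        if value is not None:
            return canonical_restriction(value)
    return "private"


def resolve_restrictions(incident):
    """Return {path: effective restriction} for the Incident and every descendant.
    Paths index children by position, e.g. Incident/RelatedActivity[1]."""
    result = {}

    def walk(chain, path):
        result[path] = effective_restriction(chain)
        for i, child in enumerate(chain[-1]):
            walk(chain + [child], f"{path}/{local_name(child.tag)}[{i}]")

    walk([incident], local_name(incident.tag))
    return result


def co_occurrence_violations(incident):
    """Paths of RelatedActivity, ThreatActor and Campaign instances that lack
    every one of the children the text requires at least one of."""
    violations = []

    def walk(elem, path):
        cls = local_name(elem.tag)
        if cls in CO_OCCURRENCE:
            present = {local_name(c.tag) for c in elem}
            if not present & set(CO_OCCURRENCE[cls]):
                violations.append(path)
        for i, child in enumerate(elem):
            walk(child, f"{path}/{local_name(child.tag)}[{i}]")

    walk(incident, local_name(incident.tag))
    return violations


def analyse(xml_text=SAMPLE):
    """Parse an Incident and return (restrictions by path, violation paths)."""
    incident = ET.fromstring(xml_text)
    return resolve_restrictions(incident), co_occurrence_violations(incident)


if __name__ == "__main__":
    restrictions, violations = analyse()
    for path, value in restrictions.items():
        print(f"{value:13} {path}")
    print("co-occurrence violations:", violations)
```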
   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has one attribute:

   restriction
      Optional. ENUM. See Section 3.3.1.

3.9. AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model. For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema. A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning. This information is described in the
   'meaning' attribute. Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.

   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING ext-dtype |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+

                   Figure 8: The AdditionalData Class

   The AdditionalData class has five attributes:

   dtype
      Required. ENUM. The data type of the element content. The
      permitted values for this attribute are shown below. The default
      value is "string".

      1. boolean. The element content is of type BOOLEAN.

      2. byte. The element content is of type BYTE.

      3. bytes. The element content is of type HEXBIN.

      4. character. The element content is of type CHARACTER.

      5. date-time. The element content is of type DATETIME.

      6. ntpstamp. Same as date-time.

      7. integer. The element content is of type INTEGER.

      8. portlist. The element content is of type PORTLIST.

      9. real. The element content is of type REAL.

      10. string. The element content is of type STRING.

      11. file. The element content is a base64 encoded binary file
          encoded as a BYTE[] type.

      12. path. The element content is a file-system path encoded as a
          STRING type.

      13. frame. The element content is a layer-2 frame encoded as a
          HEXBIN type.

      14. packet. The element content is a layer-3 packet encoded as a
          HEXBIN type.

      15. ipv4-packet. The element content is an IPv4 packet encoded
          as a HEXBIN type.

      16. ipv6-packet. The element content is an IPv6 packet encoded
          as a HEXBIN type.

      17. url. The element content is of type URL.

      18. csv. The element content is a comma separated value (CSV)
          list per Section 2 of [RFC4180] encoded as a STRING type.

      19. winreg. The element content is a Windows registry key
          encoded as a STRING type.

      20. xml. The element content is XML. See Section 5.

      21. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-dtype
      Optional. STRING. A means by which to extend the dtype
      attribute. See Section 5.1.

   meaning
      Optional. STRING. A free-form description of the element
      content.

   formatid
      Optional. STRING. An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional. ENUM. See Section 3.3.1.

3.10. Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident. This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data. A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class. As such, multiple points of contact might be
   specified in a single instance of a Contact class. Each child
   Contact class logically inherits contact information from its
   ancestors.

   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName ]
   | STRING ext-role  |<>--{0..1}--[ ContactTitle ]
   | ENUM type        |<>--{0..*}--[ Description ]
   | STRING ext-type  |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction |<>--{0..1}--[ PostalAddress ]
   |                  |<>--{0..*}--[ Email ]
   |                  |<>--{0..*}--[ Telephone ]
   |                  |<>--{0..1}--[ Fax ]
   |                  |<>--{0..1}--[ Timezone ]
   |                  |<>--{0..*}--[ Contact ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                       Figure 9: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one. ML_STRING. The name of the contact. The contact
      may either be an organization or a person. The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or one. ML_STRING. The title for the individual named in
      the ContactName.

   Description
      Zero or more. ML_STRING. A free-form description of this
      contact. In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more. A handle name into the registry of the contact.

   PostalAddress
      Zero or one. The postal address of the contact.

   Email
      Zero or more. The email address of the contact.

   Telephone
      Zero or more. The telephone number of the contact.

   Fax
      Zero or one. The facsimile telephone number of the contact.

   Timezone
      Zero or one. TIMEZONE. The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more. A Contact instance contained within another Contact
      instance inherits the values of the parent(s). This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required. ENUM. Indicates the role the contact fulfills. This
      attribute is defined as an enumerated list:

      1. creator. The entity that generated the document.

      2. reporter. The entity that reported the information.

      3. admin. An administrative contact or business owner for an
         asset or organization.

      4. tech. An entity responsible for the day-to-day management of
         technical issues for an asset or organization.

      5. provider. An external hosting provider for an asset.

      6. zone. An entity with authority over a DNS zone.

      7. user. An end-user of an asset or part of an organization.

      8. billing. An entity responsible for billing issues for an
         asset or organization.

      9. legal. An entity responsible for legal issues related to an
         asset or organization.

      10. irt. An entity responsible for handling security issues for
          an asset or organization.

      11. abuse. An entity responsible for handling abuse originating
          from an asset or organization.

      12. cc. An entity that is to be kept informed about the events
          related to an asset or organization.

      13. cc-irt. A CSIRT or information sharing organization
          coordinating activity related to an asset or organization.

      14. le. A law enforcement entity supporting the investigation of
          activity affecting an asset or organization.

      15. vendor. The vendor that produces an asset.

      16. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-role
      Optional. STRING. A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required. ENUM. Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1. person. The information for this contact references an
         individual.

      2. organization. The information for this contact references an
         organization.

      3. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.10.1. RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database. The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                  Figure 10: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required. ENUM. The database to which the handle belongs. The
      possible values are:

      1. internic. Internet Network Information Center

      2. apnic. Asia Pacific Network Information Center

      3. arin. American Registry for Internet Numbers

      4. lacnic. Latin-American and Caribbean IP Address Registry

      5. ripe. Reseaux IP Europeens

      6. afrinic. African Internet Numbers Registry

      7. local. A database local to the CSIRT

      8. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-registry
      Optional. STRING. A means by which to extend the registry
      attribute. See Section 5.1.

3.10.2. PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | STRING meaning      |
   | ENUM lang           |
   +---------------------+

                  Figure 11: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional. STRING. A free-form description of the element
      content.

   lang
      Optional. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

3.10.3. Email Class

   The Email class specifies an email address formatted according to
   the EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                      Figure 12: The Email Class

   The Email class has one attribute:

   meaning
      Optional. ENUM. A free-form description of the element content.

3.10.4. Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).
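The recursive Contact definition of Section 3.10, in which a complete point of contact is derived by traversing from the root Contact to a leaf Contact and each child inherits the contact data of its ancestors, as an added Python example that is not code from the draft or its schema. The namespace URI and the sample Contact tree are constructed placeholders; the example treats each leaf Contact as one point of contact, accumulates ancestor values ahead of the child's own, and also lists Contact instances carrying no aggregate class, the rule the text says the schema cannot enforce.

```python
"""Derive complete points of contact from nested IODEF Contact classes.

Added example, not code from the draft.  ASSUMPTIONS: placeholder namespace;
constructed sample; each leaf Contact is one point of contact, inheriting the
contact data of every ancestor Contact on its path (ancestor values first).
"""
import xml.etree.ElementTree as ET

NS = "urn:example:iodef-placeholder"  # ASSUMPTION: placeholder, not the IODEF namespace

# Aggregate classes whose values a child Contact inherits from its ancestors.
INHERITED = ("ContactName", "ContactTitle", "Description", "RegistryHandle",
             "PostalAddress", "Email", "Telephone", "Fax", "Timezone")

# Constructed sample: an IRT organization with two people and one Contact
# that carries no aggregate class at all (uses the ext-value role escape).
SAMPLE = f"""<Contact xmlns="{NS}" role="irt" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <Email>csirt@example.com</Email>
  <Telephone>+1-555-0100</Telephone>
  <Timezone>+00:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>A. Analyst</ContactName>
    <Email>analyst@example.com</Email>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>B. Manager</ContactName>
    <Telephone>+1-555-0101</Telephone>
  </Contact>
  <Contact role="ext-value" ext-role="auditor" type="person"/>
</Contact>"""


def local_name(tag):
    """Strip the namespace prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def effective_role(contact):
    """The role attribute, with ext-role substituted when role is the
    'ext-value' escape (Section 5.1)."""
    role = contact.get("role")
    return contact.get("ext-role", role) if role == "ext-value" else role


def points_of_contact(contact, inherited=None):
    """Return one dict per leaf Contact reachable from `contact`; each holds
    the leaf's role/type plus every inherited field gathered along the path."""
    merged = {field: list(values) for field, values in (inherited or {}).items()}
    nested = []
    for child in contact:
        name = local_name(child.tag)
        if name == "Contact":
            nested.append(child)
        elif name in INHERITED:
            merged.setdefault(name, []).append((child.text or "").strip())
    if not nested:  # a leaf: this root-to-leaf traversal is one point of contact
        return [{"role": effective_role(contact), "type": contact.get("type"), **merged}]
    points = []
    for child in nested:
        points.extend(points_of_contact(child, merged))
    return points


def contacts_without_aggregates(contact, path="Contact"):
    """Paths of Contact instances carrying no aggregate class at all."""
    found = [] if len(contact) else [path]
    for i, child in enumerate(contact):
        if local_name(child.tag) == "Contact":
            found.extend(contacts_without_aggregates(child, f"{path}/Contact[{i}]"))
    return found


def analyse(xml_text=SAMPLE):
    """Parse a Contact tree; return (points of contact, empty-Contact paths)."""
    root = ET.fromstring(xml_text)
    return points_of_contact(root), contacts_without_aggregates(root)


if __name__ == "__main__":
    points, empty = analyse()
    for p in points:
        print(p["role"], p["type"], p.get("ContactName"), p.get("Email"), p.get("Telephone"))
    print("Contacts without any aggregate class:", empty)
```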
   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

               Figure 13: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional. ENUM. A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.11. Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+

                      Figure 14: The Time Classes

3.11.1. StartTime Class

   The StartTime class represents the time the incident began.

3.11.2. EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3. DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4. ReportTime Class

   The ReportTime class represents the time the incident was reported.
   This timestamp MUST be the time at which the IODEF document was
   generated.

3.11.5. DateTime

   The DateTime class is a generic representation of a timestamp. Infer
   its semantics from the parent class in which it is aggregated.

3.12. Discovery Class

   The Discovery class describes how an incident was detected.

   +-------------------+
   | Discovery         |
   +-------------------+
   | ENUM source       |<>--{0..*}--[ Description ]
   | STRING ext-source |<>--{0..*}--[ Contact ]
   | ENUM restriction  |<>--{0..*}--[ DetectionPattern ]
   +-------------------+

                     Figure 15: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more. ML_STRING. A free-form text description of how
      this incident was detected.

   Contact
      Zero or more. Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more. Describes an application-specific configuration
      that detected the incident.

   The Discovery class has three attributes:

   source
      Optional. ENUM. Categorizes the techniques used to discover the
      incident. These values are partially derived from Table 3-1 of
      [NIST800.61rev2].

      1. idps. Intrusion Detection or Prevention system.

      2. siem. Security Information and Event Management System.

      3. av. Antivirus or antispam software.

      4. file-integrity. File integrity checking software.

      5. third-party-monitoring. Contracted third-party monitoring
         service.

      6. os-log. Operating system logs.

      7. application-log. Application logs.

      8. device-log. Network device logs.

      9. network-flow. Network flow analysis.

      10. investigation. Manual investigation initiated based on
          timely notification of a new vulnerability or exploit.

      11. internal-notification. A party within the organization
          discovered the activity.

      12. external-notification. A party outside of the organization
          discovered the activity.

      13. unknown. Unknown detection approach.

      14. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-source
      Optional. STRING. A means by which to extend the source
      attribute. See Section 5.1.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.12.1. DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon. This class requires the
   identification of the target application and allows the configuration
   to be described in either free-form or machine readable form.

   +------------------+
   | DetectionPattern |
   +------------------+
   | ENUM restriction |<>----------[ Application ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ DetectionConfiguration ]
   +------------------+

                 Figure 16: The DetectionPattern Class

   The DetectionPattern class is composed of three aggregate classes.

   Application
      One. The application for which the DetectionConfiguration or
      Description is being provided.

   Description
      Zero or more. ML_STRING. A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more. STRING. A machine consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The DetectionPattern class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.13. Method Class

   The Method class describes the tactics, techniques, or procedures
   used by the intruder in the incident. This class consists of both a
   list of references describing the attack method and a free form
   description.

   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ enum:Reference ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 17: The Method Class

   The Method class is composed of three aggregate classes.

   enum:Reference
      Zero or more. A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique per [RFC-ENUM].

   Description
      Zero or more. ML_STRING. A free-form text description of
      techniques, tactics, or procedures used by the intruder.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

3.14. Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ Impact ]
   | ENUM restriction        |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 18: Assessment Class

   The aggregate classes that constitute Assessment are:

   Impact
      Zero or more. Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more. Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more. Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more. Impact of the activity measured with respect to
      financial loss.

   Counter
      Zero or more. A counter with which to summarize the magnitude of
      the activity.

   MitigatingFactor
      Zero or one. ML_STRING. A description of a mitigating factor to
      an impact.

   Confidence
      Zero or one. An estimate of confidence in the assessment.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has three attributes:

   occurrence
      Optional. ENUM. Specifies whether the assessment is describing
      actual or potential outcomes.

      1. actual. This assessment describes activity that has occurred.

      2. potential. This assessment describes potential activity that
         might occur.

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   observable-id
      Optional. ID. See Section 3.3.2.

3.14.1. Impact Class

   The Impact class allows for categorizing and describing the technical
   impact of the incident on the network of an organization.

   This class is based on [RFC4765].

   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+

                        Figure 19: Impact Class

   The element content will be a free-form textual description of the
   impact.

   The Impact class has five attributes:

   lang
      Optional. ENUM. A valid language code per [RFC5646] constrained
      by the definition of "xs:language". The interpretation of this
      code is described in Section 6.

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity

      2. medium. Medium severity

      3. high. High severity

   completion
      Optional. ENUM. An indication whether the described activity was
      successful. The permitted values are shown below. There is no
      default value.

      1. failed. The attempted activity was not successful.

      2. succeeded. The attempted activity succeeded.

   type
      Required. ENUM. Classifies the malicious activity into incident
      categories. The permitted values are shown below. The default
      value is "unknown".

      1. admin. Administrative privileges were attempted.

      2. dos. A denial of service was attempted.

      3. file. An action that impacts the integrity of a file or
         database was attempted.

      4. info-leak. An attempt was made to exfiltrate information.

      5. misconfiguration. An attempt was made to exploit a
         misconfiguration in a system.

      6. policy. Activity violating the site's policy was attempted.

      7. recon. Reconnaissance activity was attempted.

      8. social-engineering. A social engineering attack was
         attempted.

      9. user. User privileges were attempted.

      10. unknown. The classification of this activity is unknown.

      11. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

3.14.2. BusinessImpact Class

   The BusinessImpact class describes and characterizes the degree to
   which the function of the organization was impacted by the Incident.

   The element body describes the impact to the organization as a
   free-form text string. The two attributes characterize the impact.

   +-------------------------+
   | BusinessImpact          |
   +-------------------------+
   | ML_STRING               |
   |                         |
   | ENUM severity           |
   | STRING ext-severity     |
   | ENUM type               |
   | STRING ext-type         |
   +-------------------------+

                    Figure 20: BusinessImpact Class

   The element content will be a free-form textual description of the
   impact to the organization.

   The BusinessImpact class has four attributes:

   severity
      Optional. ENUM. Characterizes the severity of the incident on
      business functions. The permitted values are shown below. They
      were derived from Table 3-2 of [NIST800.61rev2]. The default
      value is "unknown".

      1. none. No effect to the organization's ability to provide all
         services to all users.

      2. low. Minimal effect as the organization can still provide all
         critical services to all users but has lost efficiency.

      3. medium. The organization has lost the ability to provide a
         critical service to a subset of system users.

      4. high. The organization is no longer able to provide some
         critical services to any users.

      5. unknown. The impact is not known.

      6. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-severity
      Optional. STRING. A means by which to extend the severity
      attribute. See Section 5.1.

   type
      Required. ENUM. Characterizes the effect this incident had on
      the business. Classifies the malicious activity into incident
      categories. The permitted values are shown below. There is no
      default value.

      1. breach-proprietary. Sensitive or proprietary information was
         accessed or exfiltrated.

      2. breach-privacy. Personally identifiable information was
         accessed or exfiltrated.

      3. loss-of-integrity. Sensitive or proprietary information was
         changed or deleted.

      4. loss-of-service. Service delivery was disrupted.

      5. loss-financial. Money or services were stolen.

      6. degraded-reputation. The reputation of the organization's
         brand was diminished.

      7. asset-damage. A cyber-physical system was damaged.

      8. asset-manipulation. A cyber-physical system was manipulated.

      9. legal. The incident resulted in legal or regulatory action.

      10. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional. STRING. A means by which to extend the type attribute.
      See Section 5.1.

3.14.3. TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time. It provides a way to convey
   downtime and recovery time.

   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                      Figure 21: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time. The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low. Low severity

      2. medium. Medium severity

      3. high. High severity

   metric
      Required. ENUM. Defines the metric in which the time is
      expressed. The permitted values are shown below. There is no
      default value.

      1. labor. Total staff-time to recover from the activity (e.g.,
         2 employees working 4 hours each would be 8 hours).

      2. elapsed. Elapsed time from the beginning of the recovery to
         its completion (i.e., wall-clock time).

      3. downtime. Duration of time for which some provided service(s)
         was not available.

      4. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-metric
      Optional. STRING. A means by which to extend the metric
      attribute. See Section 5.1.

   duration
      Optional. ENUM. Defines a unit of time that, when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content. The permitted values are
      shown below. The default value is "hour".

      1. second. The unit of the element content is seconds.

      2. minute. The unit of the element content is minutes.

      3. hour. The unit of the element content is hours.

      4. day. The unit of the element content is days.

      5. month. The unit of the element content is months.

      6. quarter. The unit of the element content is quarters.

      7. year. The unit of the element content is years.

      8. ext-value. An escape value used to extend this attribute.
         See Section 5.1.

   ext-duration
      Optional. STRING. A means by which to extend the duration
      attribute. See Section 5.1.

3.14.4. MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization. For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+

                    Figure 22: MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional. ENUM. An estimate of the relative severity of the
      activity. The permitted values are shown below. There is no
      default value.

      1. low.
Low severity 1892 2. medium. Medium severity 1894 3. high. High severity 1896 currency 1897 Optional. STRING. Defines the currency in which the monetary 1898 impact is expressed. The permitted values are defined in "Codes 1899 for the representation of currencies and funds" of [ISO4217]. 1900 There is no default value. 1902 3.14.5. Confidence Class 1904 The Confidence class represents a best estimate of the validity and 1905 accuracy of the described impact (see Section 3.14) of the incident 1906 activity. This estimate can be expressed as a category or a numeric 1907 calculation. 1909 This class if based upon [RFC4765]. 1911 +------------------+ 1912 | Confidence | 1913 +------------------+ 1914 | REAL | 1915 | | 1916 | ENUM rating | 1917 +------------------+ 1919 Figure 23: Confidence Class 1921 The element content expresses a numerical assessment in the 1922 confidence of the data when the value of the rating attribute is 1923 "numeric". Otherwise, this element MUST be empty. 1925 The Confidence class has one attribute. 1927 rating 1928 Required. ENUM. A rating of the analytical validity of the 1929 specified Assessment. The permitted values are shown below. 1930 There is no default value. 1932 1. low. Low confidence in the validity. 1934 2. medium. Medium confidence in the validity. 1936 3. high. High confidence in the validity. 1938 4. numeric. The element content contains a number that conveys 1939 the confidence of the data. The semantics of this number 1940 outside the scope of this specification. 1942 5. unknown. The confidence rating value is not known. 1944 3.15. History Class 1946 The History class is a log of the significant events or actions 1947 performed by the involved parties during the course of handling the 1948 incident. 1950 The level of detail maintained in this log is left up to the 1951 discretion of those handling the incident. 
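   The impact classes of Section 3.14 state several rules only in
   prose: the TimeImpact and MonetaryImpact content must be a positive
   REAL, the duration attribute defaults to "hour", BusinessImpact's
   severity defaults to "unknown", an "ext-value" only makes sense with
   the matching ext-* attribute, and Confidence content MUST be empty
   unless rating is "numeric". The following parser is an added
   example (not code from the draft or from any IODEF implementation)
   that applies those checks to an Assessment fragment. The sample XML
   is constructed for this illustration and omits the IODEF namespace
   for brevity; a real consumer would match namespaced tags.

```python
"""Added example: enforce the prose rules of the IODEF v2 impact classes
(Sections 3.14.2-3.14.5) when consuming an Assessment fragment.
The sample document below is constructed, not taken from the draft."""
import xml.etree.ElementTree as ET

# Enumerations exactly as listed in the draft.
BUSINESS_SEVERITY = {"none", "low", "medium", "high", "unknown", "ext-value"}
BUSINESS_TYPE = {"breach-proprietary", "breach-privacy", "loss-of-integrity",
                 "loss-of-service", "loss-financial", "degraded-reputation",
                 "asset-damage", "asset-manipulation", "legal", "ext-value"}
TIME_METRIC = {"labor", "elapsed", "downtime", "ext-value"}
TIME_DURATION = {"second", "minute", "hour", "day", "month", "quarter",
                 "year", "ext-value"}
THREE_LEVEL = {"low", "medium", "high"}
CONFIDENCE_RATING = {"low", "medium", "high", "numeric", "unknown"}


def _enum(elem, attr, allowed, default=None, required=False):
    """Read an ENUM attribute, apply its default, and require that an
    'ext-value' escape is accompanied by the ext-<attr> extension."""
    value = elem.get(attr, default)
    if value is None:
        if required:
            raise ValueError(f"{elem.tag}: missing required attribute {attr}")
        return None
    if value not in allowed:
        raise ValueError(f"{elem.tag}: {attr}={value!r} is not a permitted value")
    if value == "ext-value" and not elem.get(f"ext-{attr}"):
        raise ValueError(f"{elem.tag}: ext-value requires ext-{attr} (Section 5.1)")
    return value


def _positive_real(elem):
    """Element content of TimeImpact/MonetaryImpact: a positive REAL."""
    try:
        value = float((elem.text or "").strip())
    except ValueError:
        raise ValueError(f"{elem.tag}: content is not a REAL") from None
    if value <= 0:
        raise ValueError(f"{elem.tag}: content must be positive, got {value}")
    return value


def parse_impacts(xml_text):
    """Return one dict per impact/confidence child of an Assessment."""
    root = ET.fromstring(xml_text)
    results = []
    for elem in root:
        tag = elem.tag.split("}")[-1]            # tolerate a namespace prefix
        if tag == "BusinessImpact":
            results.append({
                "class": tag,
                "severity": _enum(elem, "severity", BUSINESS_SEVERITY, default="unknown"),
                "type": _enum(elem, "type", BUSINESS_TYPE, required=True),
                "text": (elem.text or "").strip()})
        elif tag == "TimeImpact":
            results.append({
                "class": tag, "value": _positive_real(elem),
                "severity": _enum(elem, "severity", THREE_LEVEL),
                "metric": _enum(elem, "metric", TIME_METRIC, required=True),
                "duration": _enum(elem, "duration", TIME_DURATION, default="hour")})
        elif tag == "MonetaryImpact":
            results.append({
                "class": tag, "value": _positive_real(elem),
                "severity": _enum(elem, "severity", THREE_LEVEL),
                "currency": elem.get("currency")})
        elif tag == "Confidence":
            rating = _enum(elem, "rating", CONFIDENCE_RATING, required=True)
            text = (elem.text or "").strip()
            if rating == "numeric":
                value = float(text)
            elif text:
                raise ValueError("Confidence content MUST be empty unless rating=numeric")
            else:
                value = None
            results.append({"class": tag, "rating": rating, "value": value})
    return results


def is_rejected(xml_text):
    """True if parse_impacts refuses the fragment (used to check failure cases)."""
    try:
        parse_impacts(xml_text)
    except ValueError:
        return True
    return False


# Constructed sample; the values are illustrative only.
SAMPLE = """<Assessment>
  <BusinessImpact type="loss-of-service">Customer portal unavailable</BusinessImpact>
  <TimeImpact metric="downtime">3.5</TimeImpact>
  <TimeImpact metric="labor" duration="day">2</TimeImpact>
  <MonetaryImpact currency="USD" severity="medium">12500</MonetaryImpact>
  <Confidence rating="high"/>
</Assessment>"""

if __name__ == "__main__":
    for item in parse_impacts(SAMPLE):
        print(item)
```

   Because the schema cannot express "content empty unless
   rating=numeric" or "ext-value needs ext-metric", a consumer that
   relies on schema validation alone will accept fragments that this
   parser rejects.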
                  +------------------+
                  |     History      |
                  +------------------+
                  | ENUM restriction |<>--{1..*}--[ HistoryItem ]
                  |                  |
                  +------------------+

                   Figure 24: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many. Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has one attribute:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

3.15.1.  HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.15) log
   that documents a particular action or event that occurred in the
   course of handling the incident. The details of the entry are a
   free-form description, but each can be categorized with the type
   attribute.

            +-------------------------+
            |       HistoryItem       |
            +-------------------------+
            | ENUM restriction        |<>----------[ DateTime       ]
            | ENUM action             |<>--{0..1}--[ IncidentId     ]
            | STRING ext-action       |<>--{0..1}--[ Contact        ]
            | ID observable-id        |<>--{0..*}--[ Description    ]
            |                         |<>--{0..*}--[ AdditionalData ]
            +-------------------------+

                   Figure 25: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or one. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number. When a single organization is maintaining the
      log, this class can be ignored.

   Contact
      Zero or one. Provides contact information for the person that
      performed the action documented in this class.

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      action or event.

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action. This class MUST be present if the action attribute is set
      to "defined-coa".

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The HistoryItem class has four attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   action
      Required. ENUM. Classifies a performed action or occurrence
      documented in this history log entry. As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is identical
      to the action attribute of the Expectation class. The difference
      is only one of tense. When an action is in this class, it has
      been completed. See Section 3.17.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.16.  EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks. This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of the
   activity on the organization, and any forensic evidence discovered.

            +-------------------------+
            |        EventData        |
            +-------------------------+
            | ENUM restriction        |<>--{0..*}--[ Description    ]
            | ID observable-id        |<>--{0..1}--[ DetectTime     ]
            |                         |<>--{0..1}--[ StartTime      ]
            |                         |<>--{0..1}--[ EndTime        ]
            |                         |<>--{0..1}--[ RecoveryTime   ]
            |                         |<>--{0..1}--[ ReportTime     ]
            |                         |<>--{0..*}--[ Contact        ]
            |                         |<>--{0..*}--[ Discovery      ]
            |                         |<>--{0..1}--[ Assessment     ]
            |                         |<>--{0..*}--[ Method         ]
            |                         |<>--{0..*}--[ Flow           ]
            |                         |<>--{0..*}--[ Expectation    ]
            |                         |<>--{0..1}--[ Record         ]
            |                         |<>--{0..*}--[ EventData      ]
            |                         |<>--{0..*}--[ AdditionalData ]
            +-------------------------+

                  Figure 26: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more. ML_STRING. A free-form textual description of the
      event.

   DetectTime
      Zero or one. The time the event was detected.

   StartTime
      Zero or one. The time the event started.

   EndTime
      Zero or one. The time the event ended.

   RecoveryTime
      Zero or one. The time the site recovered from the event.

   ReportTime
      One. The time the event was reported.

   Contact
      Zero or more. Contact information for the parties involved in the
      event.

   Discovery
      Zero or more. The means by which the event was detected.

   Assessment
      Zero or one. The impact of the event on the target and the
      actions taken.

   Method
      Zero or more. The technique used by the intruder in the event.

   Flow
      Zero or more. A description of the systems or networks involved.

   Expectation
      Zero or more. The expected action to be performed by the
      recipient for the described event.

   Record
      Zero or one. Supportive data (e.g., log files) that provides
      additional information about the event.

   EventData
      Zero or more. EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events. When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual events.

   AdditionalData
      Zero or more. An extension mechanism for data not explicitly
      represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class. This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The EventData class has two attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

   observable-id
      Optional. ID. See Section 3.3.2.

3.16.1.  Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident. In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class. However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident. In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in Incident.

3.16.2.  Cardinality of EventData

   The EventData class can be thought of as a container for the
   properties of an event in an incident. These properties include: the
   hosts involved, impact of the incident activity on the hosts,
   forensic logs, etc. Within an instance of the EventData class, hosts
   (i.e., System class) are grouped around these common properties.

   The recursive definition (or instance property inheritance) of the
   EventData class (the EventData class is aggregated into the EventData
   class) provides a way to relate information without requiring the
   explicit use of unique attribute identifiers in the classes or
   duplicating information. Instead, the relative depth (nesting) of a
   class is used to group (relate) information.

   For example, an EventData class might be used to describe two
   machines involved in an incident. This description can be achieved
   using multiple instances of the Flow class. It happens that there is
   a common technical contact (i.e., Contact class) for these two
   machines, but the impact (i.e., Assessment class) on them is
   different. A depiction of the representation for this situation can
   be found in Figure 27.

            +------------------+
            |     EventData    |
            +------------------+
            |                  |<>----[ Contact ]
            |                  |
            |                  |<>----[ EventData ]<>----[ Flow ]
            |                  |      [           ]<>----[ Assessment ]
            |                  |
            |                  |<>----[ EventData ]<>----[ Flow ]
            |                  |      [           ]<>----[ Assessment ]
            +------------------+

               Figure 27: Recursion in the EventData Class

3.17.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting. The scope of the requested
   action is limited to the purview of the EventData class in which this
   class is aggregated.
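   The recursion described in Section 3.16.2 above means that a
   consumer must resolve nested EventData before acting on it: only
   leaf instances are events, each leaf inherits its ancestors'
   properties, and the "at least one aggregate class" rule is not
   checked by the schema. The following resolver is an added example
   (not code from the draft or from any IODEF implementation) that
   flattens the Figure 27 structure. It treats the {0..1} classes of
   Figure 26 (Assessment, the time classes, Record) as superseded by the
   deepest instance, in the spirit of Section 3.16.1, and accumulates
   the {0..*} classes; that merge policy is this example's choice, not
   something the draft specifies. The sample XML is constructed and
   uses documentation addresses.

```python
"""Added example: flatten recursive IODEF v2 EventData (Section 3.16.2)
into leaf events with inherited properties.  Sample data is constructed."""
import xml.etree.ElementTree as ET

# Classes aggregated with cardinality {0..1} in Figure 26; for these the
# deepest (most specific) instance supersedes an inherited one.  This
# merge policy is an assumption made for the example.
SINGLETON = {"DetectTime", "StartTime", "EndTime", "RecoveryTime",
             "ReportTime", "Assessment", "Record"}


def _local(tag):
    """Strip a namespace prefix from an ElementTree tag."""
    return tag.split("}")[-1]


def _text(elem):
    """All text under an element, whitespace-normalized (for summaries)."""
    return " ".join("".join(elem.itertext()).split())


def leaf_events(event, inherited=None):
    """Yield (leaf_element, effective_properties) for every leaf EventData
    under `event`.  effective_properties maps class name -> [elements],
    combining the ancestors' children with the leaf's own."""
    if len(event) == 0:
        # Stated in prose but not enforced by the schema.
        raise ValueError("EventData MUST contain at least one aggregate class")
    inherited = inherited or {}
    own = {}
    nested = []
    for child in event:
        name = _local(child.tag)
        if name == "EventData":
            nested.append(child)
        else:
            own.setdefault(name, []).append(child)

    merged = dict(inherited)
    for name, elems in own.items():
        if name in SINGLETON:
            merged[name] = elems                      # deeper instance wins
        else:
            merged[name] = inherited.get(name, []) + elems   # accumulate

    if not nested:                                    # a leaf: an actual event
        yield event, merged
    for child in nested:
        yield from leaf_events(child, merged)


def summarize(xml_text):
    """Parse an EventData fragment and return one {class: [text]} per leaf."""
    root = ET.fromstring(xml_text)
    return [{name: [_text(e) for e in elems] for name, elems in props.items()}
            for _leaf, props in leaf_events(root)]


# Constructed sample mirroring Figure 27: one shared Contact, two leaf
# events with their own Flow and Assessment (RFC 5737 addresses).
SAMPLE = """<EventData>
  <Contact role="creator" type="organization"><Email>csirt@example.com</Email></Contact>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment><TimeImpact metric="downtime">4</TimeImpact></Assessment>
  </EventData>
  <EventData>
    <Flow><System category="target"><Node>
      <Address category="ipv4-addr">192.0.2.20</Address></Node></System></Flow>
    <Assessment><TimeImpact metric="downtime">0.5</TimeImpact></Assessment>
  </EventData>
</EventData>"""

if __name__ == "__main__":
    for leaf in summarize(SAMPLE):
        print(leaf)
```

   Every leaf returned carries the parent's Contact alongside its own
   Flow and Assessment, which is the grouping Figure 27 intends; an
   empty EventData at any depth is rejected because the draft requires
   at least one aggregate class there.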
            +-------------------------+
            |       Expectation       |
            +-------------------------+
            | ENUM restriction        |<>--{0..*}--[ Description ]
            | ENUM severity           |<>--{0..*}--[ DefinedCOA  ]
            | ENUM action             |<>--{0..1}--[ StartTime   ]
            | STRING ext-action       |<>--{0..1}--[ EndTime     ]
            | ID observable-id        |<>--{0..1}--[ Contact     ]
            +-------------------------+

                 Figure 28: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or more. ML_STRING. A free-form description of the desired
      action(s).

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action. This class MUST be present if the action attribute is set
      to "defined-coa".

   StartTime
      Zero or one. The time at which the sender would like the action
      performed. A timestamp that is earlier than the ReportTime
      specified in the Incident class denotes that the sender would like
      the action performed as soon as possible. The absence of this
      element indicates no expectations of when the recipient would like
      the action performed.

   EndTime
      Zero or one. The time by which the sender expects the recipient
      to complete the action. If the recipient cannot complete the
      action before EndTime, the recipient MUST NOT carry out the
      action. Because of transit delays, clock drift, and so on, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one. The expected actor for the action.

   The Expectation class has five attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2. The
      default value is "default".

   severity
      Optional. ENUM. Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low. Low priority

      2.  medium. Medium priority

      3.  high. High priority

   action
      Optional. ENUM. Classifies the type of action requested. This
      attribute is an enumerated list with a default value of "other".

      1.  nothing. No action is requested. Do nothing with the
          information.

      2.  contact-source-site. Contact the site(s) identified as the
          source of the activity.

      3.  contact-target-site. Contact the site(s) identified as the
          target of the activity.

      4.  contact-sender. Contact the originator of the document.

      5.  investigate. Investigate the system(s) listed in the event.

      6.  block-host. Block traffic from the machine(s) listed as
          sources in the event.

      7.  block-network. Block traffic from the network(s) listed as
          sources in the event.

      8.  block-port. Block the port listed as sources in the event.

      9.  rate-limit-host. Rate-limit the traffic from the machine(s)
          listed as sources in the event.

      10. rate-limit-network. Rate-limit the traffic from the
          network(s) listed as sources in the event.

      11. rate-limit-port. Rate-limit the port(s) listed as sources in
          the event.

      12. upgrade-software. Upgrade or patch the software or firmware
          on an asset.

      13. rebuild-asset. Reinstall the operating system and
          applications on an asset.

      14. remediate-other. Remediate the activity in a way other than
          by rate limiting or blocking.

      15. status-triage. Conveys receipt and the triaging of an
          incident.

      16. status-new-info. Conveys that new information was received
          for this incident.

      17. watch-and-report. Watch for the described activity and share
          if seen.

      18. defined-coa. Perform a predefined course of action (COA).
          The COA is named in the DefinedCOA class.

      19. other. Perform some custom action described in the
          Description class.

      20. ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-action
      Optional. STRING. A means by which to extend the action
      attribute. See Section 5.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.18.  Flow Class

   The Flow class groups related source and target hosts.

                  +------------------+
                  |       Flow       |
                  +------------------+
                  |                  |<>--{1..*}--[ System ]
                  +------------------+

                    Figure 29: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or more. A host or network involved in an event.

   The Flow class has no attributes.

3.19.  System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute. The value of this category attribute dictates
   the semantics of the aggregated classes in the System class. If the
   category attribute has a value of "source", then the aggregated
   classes denote the machine and service from which the activity is
   originating. With a category attribute value of "target" or
   "intermediary", the machine or service is the one targeted in
   the activity. A value of "sensor" dictates that this System was part
   of an instrumentation to monitor the network.
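   The Expectation class (Section 3.17 above) puts the burden of
   interpreting StartTime and EndTime on the recipient: a StartTime
   earlier than the incident's ReportTime means "as soon as possible",
   a missing StartTime means no timing expectation, an action that can
   no longer complete before EndTime MUST NOT be carried out, and a
   "defined-coa" action without a DefinedCOA is malformed. The
   following triage routine is an added example (not code from the
   draft or from any IODEF implementation) that turns one Expectation
   element into a decision a ticketing or orchestration system could
   act on. It approximates "cannot complete before EndTime" as "EndTime
   has already passed", which is an assumption of this example; the
   sample XML and timestamps are constructed.

```python
"""Added example: decide how to handle an IODEF v2 Expectation
(Section 3.17) on the recipient side.  Sample data is constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# The action enumeration exactly as listed in the draft.
ACTIONS = {"nothing", "contact-source-site", "contact-target-site",
           "contact-sender", "investigate", "block-host", "block-network",
           "block-port", "rate-limit-host", "rate-limit-network",
           "rate-limit-port", "upgrade-software", "rebuild-asset",
           "remediate-other", "status-triage", "status-new-info",
           "watch-and-report", "defined-coa", "other", "ext-value"}
PRIORITY = {"low": 1, "medium": 2, "high": 3}   # severity -> rank; no default


def parse_ts(text):
    """Parse an IODEF DATETIME (ISO 8601); accept a trailing 'Z' for UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def triage_expectation(xml_text, report_time, now):
    """Return a decision dict for one Expectation element.

    report_time: the Incident's ReportTime (timezone-aware datetime).
    now:         the recipient's current time (timezone-aware datetime).
    """
    exp = ET.fromstring(xml_text)
    action = exp.get("action", "other")            # default value is "other"
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "ext-value" and not exp.get("ext-action"):
        raise ValueError("action=ext-value requires ext-action (Section 5.1)")
    coa = exp.findtext("DefinedCOA")
    if action == "defined-coa" and not (coa or "").strip():
        raise ValueError("action=defined-coa requires a DefinedCOA element")
    severity = exp.get("severity")
    if severity is not None and severity not in PRIORITY:
        raise ValueError(f"unknown severity {severity!r}")

    start = exp.findtext("StartTime")
    end = exp.findtext("EndTime")
    start_dt = parse_ts(start) if start else None
    end_dt = parse_ts(end) if end else None

    result = {"action": action, "coa": (coa or "").strip() or None,
              "priority": PRIORITY.get(severity, 0)}
    if end_dt is not None and now > end_dt:
        # The action can no longer complete before EndTime: MUST NOT perform.
        result.update(decision="do-not-perform", reason="EndTime has passed")
    elif start_dt is None:
        result.update(decision="perform", when="no time expectation stated")
    elif start_dt < report_time:
        # StartTime before the incident's ReportTime means "as soon as possible".
        result.update(decision="perform", when="as soon as possible")
    elif now >= start_dt:
        result.update(decision="perform", when="StartTime reached")
    else:
        result.update(decision="defer", until=start_dt.isoformat())
    return result


# Constructed sample: a request to block a listed source within one day.
SAMPLE = """<Expectation action="block-host" severity="high">
  <Description>Block the listed source address at the perimeter</Description>
  <StartTime>2014-10-26T08:00:00Z</StartTime>
  <EndTime>2014-10-27T08:00:00Z</EndTime>
</Expectation>"""

if __name__ == "__main__":
    report = datetime(2014, 10, 26, 9, 0, tzinfo=timezone.utc)
    print(triage_expectation(SAMPLE, report, datetime.now(timezone.utc)))
```

   Because the sender MUST be prepared for the action to complete past
   EndTime anyway (clock drift, transit delay), the recipient's check
   here is a hard stop on starting late work, not a guarantee about
   completion.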
            +---------------------+
            |       System        |
            +---------------------+
            | ENUM restriction    |<>----------[ Node            ]
            | ENUM category       |<>--{0..*}--[ NodeRole        ]
            | STRING ext-category |<>--{0..*}--[ Service         ]
            | STRING interface    |<>--{0..*}--[ OperatingSystem ]
            | ENUM spoofed        |<>--{0..*}--[ Counter         ]
            | ENUM virtual        |<>--{0..*}--[ AssetID         ]
            | ENUM ownership      |<>--{0..*}--[ Description     ]
            | ENUM ext-ownership  |<>--{0..*}--[ AdditionalData  ]
            +---------------------+

                   Figure 30: The System Class

   The aggregate classes that constitute System are:

   Node
      One. A host or network involved in the incident.

   NodeRole
      Zero or more. The intended purpose of the system.

   Service
      Zero or more. A network service running on the system.

   OperatingSystem
      Zero or more. The operating system running on the system.

   Counter
      Zero or more. A counter with which to summarize properties of
      this host or network.

   AssetID
      Zero or more. An asset identifier for the System.

   Description
      Zero or more. ML_STRING. A free-form text description of the
      System.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The System class has eight attributes:

   restriction
      Optional. ENUM. This attribute is defined in Section 3.2.

   category
      Optional. ENUM. Classifies the role the host or network played
      in the incident. The possible values are:

      1.  source. The System was the source of the event.

      2.  target. The System was the target of the event.

      3.  intermediate. The System was an intermediary in the event.

      4.  sensor. The System was a sensor monitoring the event.

      5.  infrastructure. The System was an infrastructure node of
          IODEF document exchange.

      6.  ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional. STRING. A means by which to extend the category
      attribute. See Section 5.1.

   interface
      Optional. STRING. Specifies the interface on which the event(s)
      on this System originated. If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional. ENUM. An indication of confidence in whether this
      System was the true target or attacking host. The permitted
      values for this attribute are shown below. The default value is
      "unknown".

      1.  unknown. The accuracy of the category attribute value is
          unknown.

      2.  yes. The category attribute value is probably incorrect. In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no. The category attribute value is believed to be correct.

   virtual
      Optional. ENUM. Indicates whether this System is a virtual or
      physical device. The default value is "unknown". The possible
      values are:

      1.  yes. The System is a virtual device.

      2.  no. The System is a physical device.

      3.  unknown. It is not known if the System is virtual.

   ownership
      Optional. ENUM. Describes the ownership of this System relative
      to the sender of the IODEF document. The possible values are:

      1.  organization. The System is owned by the organization.

      2.  personal. The System is owned by an employee or affiliate of
          the organization.

      3.  partner. The System is owned by a partner of the
          organization.

      4.  customer. The System is owned by a customer of the
          organization.

      5.  no-relationship. The System is owned by an entity that has no
          known relationship with the organization.

      6.  unknown. The ownership of the System is unknown.

      7.  ext-value. An escape value used to extend this attribute.
          See Section 5.1.

   ext-ownership
      Optional. STRING. A means by which to extend the ownership
      attribute. See Section 5.1.
2495 3.20. Node Class 2497 The Node class names an asset or network. 2499 This class was derived from [RFC4765]. 2501 +---------------+ 2502 | Node | 2503 +---------------+ 2504 | |<>--{0..*}--[ DomainData ] 2505 | |<>--{0..*}--[ Address ] 2506 | |<>--{0..1}--[ PostalAddress ] 2507 | |<>--{0..1}--[ Location ] 2508 | |<>--{0..1}--[ DateTime ] 2509 | |<>--{0..*}--[ Counter ] 2510 +---------------+ 2512 Figure 31: The Node Class 2514 The aggregate classes that constitute Node are: 2516 DomainData 2517 Zero or more. The detailed domain (DNS) information associated 2518 with this Node. If an Address is not provided, at least one 2519 DomainData MUST be specified. 2521 Address 2522 Zero or more. The hardware, network, or application address of 2523 the Node. If a DomainData is not provided, at least one Address 2524 MUST be specified. 2526 PostalAddress 2527 Zero or one. The postal address of the asset. 2529 Location 2530 Zero or one. ML_STRING. A free-from description of the physical 2531 location of the Node. This description may provide a more 2532 detailed description of where in the PostalAddress this Node is 2533 found (e.g., room number, rack number, slot number in a chassis). 2535 Counter 2536 Zero or more. A counter with which to summarizes properties of 2537 this host or network. 2539 The Node class has no attributes. 2541 3.20.1. Address Class 2543 The Address class represents a hardware (layer-2), network (layer-3), 2544 or application (layer-7) address. 2546 This class was derived from [RFC4765]. 2548 +-------------------------+ 2549 | Address | 2550 +-------------------------+ 2551 | ENUM category | 2552 | STRING ext-category | 2553 | STRING vlan-name | 2554 | INTEGER vlan-num | 2555 | ID observable-id | 2556 +-------------------------+ 2558 Figure 32: The Address Class 2560 The Address class has five attributes: 2562 category 2563 Optional. ENUM. The type of address represented. The permitted 2564 values for this attribute are shown below. 
The default value is 2565 "ipv4-addr". 2567 1. asn. Autonomous System Number 2569 2. atm. Asynchronous Transfer Mode (ATM) address 2571 3. e-mail. Electronic mail address (RFC 822) 2573 4. ipv4-addr. IPv4 host address in dotted-decimal notation 2574 (a.b.c.d) 2576 5. ipv4-net. IPv4 network address in dotted-decimal notation, 2577 slash, significant bits (a.b.c.d/nn) 2579 6. ipv4-net-mask. IPv4 network address in dotted-decimal 2580 notation, slash, network mask in dotted-decimal notation 2581 (a.b.c.d/w.x.y.z) 2583 7. ipv6-addr. IPv6 host address 2585 8. ipv6-net. IPv6 network address, slash, significant bits 2587 9. ipv6-net-mask. IPv6 network address, slash, network mask 2589 10. mac. Media Access Control (MAC) address 2591 11. site-uri. A URL or URI for a resource. 2593 12. ext-value. An escape value used to extend this attribute. 2594 See Section 5.1. 2596 ext-category 2597 Optional. STRING. A means by which to extend the category 2598 attribute. See Section 5.1. 2600 vlan-name 2601 Optional. STRING. The name of the Virtual LAN to which the 2602 address belongs. 2604 vlan-num 2605 Optional. STRING. The number of the Virtual LAN to which the 2606 address belongs. 2608 observable-id 2609 Optional. ID. See Section 3.3.2. 2611 3.20.2. NodeRole Class 2613 The NodeRole class describes the function performed by a particular . 2615 +---------------------+ 2616 | NodeRole | 2617 +---------------------+ 2618 | ENUM category | 2619 | STRING ext-category | 2620 | ENUM lang | 2621 +---------------------+ 2623 Figure 33: The NodeRole Class 2625 The NodeRole class has three attributes: 2627 category 2628 Required. ENUM. Functionality provided by a node. 2630 1. client. Client computer 2632 2. client-enterprise. Client computer on the enterprise network 2634 3. client-partner. Client computer on network of a partner 2636 4. client-remote. Client computer remotely connected to the 2637 enterprise network 2639 5. client-kiosk. Client computer is serves as a kiosk 2641 6. 
      client-mobile.  Client is a mobile device
      7.  server-internal.  Server with internal services
      8.  server-public.  Server with public services
      9.  www.  WWW server
      10.  mail.  Mail server
      11.  webmail.  Web mail server
      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM)
      13.  streaming.  Streaming-media server
      14.  voice.  Voice server (e.g., SIP, H.323)
      15.  file.  File server (e.g., SMB, CVS, AFS)
      16.  ftp.  FTP server
      17.  p2p.  Peer-to-peer node
      18.  name.  Name server (e.g., DNS, WINS)
      19.  directory.  Directory server (e.g., LDAP, finger, whois)
      20.  credential.  Credential server (e.g., domain controller,
           Kerberos)
      21.  print.  Print server
      22.  application.  Application server
      23.  database.  Database server
      24.  backup.  Backup server
      25.  dhcp.  DHCP server
      26.  assessment.  Assessment server (e.g., vulnerability scanner,
           end-point assessment)
      27.  source-control.  Source code control server
      28.  config-management.  Configuration management server
      29.  monitoring.  Security monitoring server (e.g., IDS)
      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP)
      31.  infra-firewall.  Firewall
      32.  infra-router.  Router
      33.  infra-switch.  Switch
      34.  camera.  Camera and video system
      35.  proxy.  Proxy server
      36.  remote-access.  Remote access server
      37.  log.  Log server (e.g., syslog)
      38.  virtualization.  Server running virtual machines
      39.  pos.  Point-of-sale device
      40.  scada.  Supervisory control and data acquisition system
      41.  scada-supervisory.  Supervisory system for a SCADA
      42.  sinkhole.  Traffic sinkhole destination
      43.  honeypot.  Honeypot server
      44.  c2.  Malicious command and control server
      45.  malware-distribution.  Server that distributes malware
      46.  drop-server.  Server to which exfiltrated content is
           uploaded
      47.  hop-point.  Intermediary server used to get to a victim
      48.  reflector.  A system used in a reflector attack
      49.  phishing-site.  Site hosting phishing content
      50.  spear-phishing-site.  Site hosting spear-phishing content
      51.  recruiting-site.  Site to recruit
      52.  fraudulent-site.  Fraudulent site
      53.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.

   lang
      Optional.  ENUM.  A valid language code per [RFC5646] constrained
      by the definition of "xs:language".  The interpretation of this
      code is described in Section 6.

3.20.3.  Counter Class

   The Counter class summarizes multiple occurrences of some event, or
   conveys counts or rates on various features (e.g., packets,
   sessions, events).

   The value of the counter is the element content with its units
   represented in the type attribute.  A rate for a given feature can
   be expressed by setting the duration attribute.  The complete
   semantics are entirely context dependent based on the class in
   which the Counter is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                   Figure 34: The Counter Class

   The Counter class has five attributes:

   type
      Required.  ENUM.  Specifies the units of the element content.

      1.  byte.  Count of bytes.
      2.  packet.  Count of packets.
      3.  flow.  Count of network flow records.
      4.  session.  Count of sessions.
      5.  alert.  Count of notifications generated by another system
          (e.g., IDS or SIM).
      6.  message.  Count of messages (e.g., mail messages).
      7.  event.  Count of events.
      8.  host.  Count of hosts.
      9.  site.  Count of sites.
      10.  organization.  Count of organizations.
      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type
      attribute.  See Section 5.1.

   meaning
      Optional.  STRING.  A free-form description of the metric
      represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate
      rather than a count over the entire event.  In that case, this
      attribute specifies the denominator of the rate (where the type
      attribute specifies the numerator).  The possible values of this
      attribute are defined in Section 3.14.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.

3.21.  DomainData Class

   The DomainData class describes a domain name and meta-data
   associated with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
   |                          |<>--{0..*}--[ Nameservers ]
   |                          |<>--{0..1}--[ DomainContacts ]
   |                          |
   +--------------------------+

                  Figure 35: The DomainData Class

   The aggregate classes that constitute DomainData are:

   Name
      One.  ML_STRING.  The domain name of the Node (e.g., fully
      qualified domain name).

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the Name was
      resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name is set to expire.

   RelatedDNS
      Zero or more.  Additional DNS records associated with this
      domain.
   Nameservers
      Zero or more.  The name servers identified for the domain listed
      in Name.

   DomainContacts
      Zero or one.  Contact information for the domain listed in Name
      supplied by the registrar or through a whois query.

   The DomainData class has five attributes:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.

      1.  spoofed.  This domain was spoofed.
      2.  fraudulent.  This domain was operated with fraudulent
          intentions.
      3.  innocent-hacked.  This domain was compromised by a third
          party.
      4.  innocent-hijacked.  This domain was deliberately hijacked.
      5.  unknown.  No categorization for this domain known.
      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain
      at the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].

      1.  reservedDelegation.  The domain is permanently inactive.
      2.  assignedAndActive.  The domain is in a normal state.
      3.  assignedAndInactive.  The domain has an assigned registration
          but the delegation is inactive.
      4.  assignedAndOnHold.  The domain is under dispute.
      5.  revoked.  The domain is in the process of being purged from
          the database.
      6.  transferPending.  The domain is pending a change in
          authority.
      7.  registryLock.  The domain is on hold by the registry.
      8.  registrarLock.  Same as "registryLock".
      9.  other.  The domain has a known status, but it is not one of
          the predefined enumerated values.
      10.  unknown.  The domain has an unknown status.
      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.21.1.  RelatedDNS

   The RelatedDNS class describes additional record types associated
   with a given domain name.  The record type is described in the
   record-type attribute and the value of the record is the element
   content.  ... TODO Issue #39 ...

   +----------------------+
   | RelatedDNS           |
   +----------------------+
   | STRING               |
   |                      |
   | ENUM record-type     |
   | ENUM ext-record-type |
   +----------------------+

                  Figure 36: The RelatedDNS Class

   The RelatedDNS class has two attributes:

   record-type
      Required.  ENUM.  The DNS record type.  ... TODO values need to
      be listed ...

   ext-record-type
      An escape value used to extend this attribute.  See Section 5.1.

3.21.2.  Nameservers Class

   The Nameservers class describes the name servers associated with a
   given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

                 Figure 37: The Nameservers Class

   The aggregate classes that constitute Nameservers are:

   Server
      One.  ML_STRING.  The domain name of the name server.

   Address
      One or more.  The address of the name server.  See
      Section 3.20.1.

3.21.3.  DomainContacts Class

   The DomainContacts class describes the contact information for a
   given domain provided either by the registrar or through a whois
   query.

   This contact information can be explicitly described through a
   Contact class, or a reference can be provided to a domain with
   identical contact information.  Either a single SameDomainContact
   MUST be present or one or many Contact classes.
   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact ]
   +--------------------+

                Figure 38: The DomainContacts Class

   The aggregate classes that constitute DomainContacts are:

   SameDomainContact
      Zero or one.  ML_STRING.  A domain name already cited in this
      document or through a previous exchange that contains the
      identical contact information as the domain name in question.
      The domain contact information associated with this domain
      should be used in lieu of explicit definition with the Contact
      class.

   Contact
      One or more.  Contact information for the domain.  See
      Section 3.10.

3.22.  Service Class

   The Service class describes a network service of a host or network.
   The service is identified by a specific port or list of ports, along
   with the application listening on that port.

   When Service occurs as an aggregate class of a System that is a
   source, then this service is the one from which activity of
   interest is originating.  Conversely, when Service occurs as an
   aggregate class of a System that is a target, then that service is
   the one to which activity of interest is directed.

   This class was derived from [RFC4765].

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ Port ]
   | ID observable-id        |<>--{0..1}--[ Portlist ]
   |                         |<>--{0..1}--[ ProtoCode ]
   |                         |<>--{0..1}--[ ProtoType ]
   |                         |<>--{0..1}--[ ProtoField ]
   |                         |<>--{0..*}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData ]
   |                         |<>--{0..1}--[ Application ]
   +-------------------------+

                   Figure 39: The Service Class

   The aggregate classes that constitute Service are:

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted
      according to Section 2.10.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or more.  An application layer (layer 7) protocol header.
      See Section 3.22.1.

   EmailData
      Zero or one.  Headers associated with an email.  See
      Section 3.24.

   Application
      Zero or one.  The application bound to the specified Port or
      Portlist.  See Section 3.22.2.

   Either a Port or Portlist class MUST be specified for a given
   instance of a Service class.

   When a System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an
   implicit relationship between these Portlists exists.  If N ports
   are listed for a System@category="source", and M ports are listed
   for System@category="target", the number of ports N must be equal
   to M.  Likewise, the ports MUST be listed in an identical sequence
   such that the n-th port in the source corresponds to the n-th port
   of the target.  If N is greater than 1, a given instance of a Flow
   class MUST only have a single instance of a System@category="source"
   and System@category="target".

   The Service class has two attributes:

   ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per
      [IANA.Protocols].

   observable-id
      Optional.  ID.  See Section 3.3.2.
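   The source/target Portlist pairing rules above are easy to get wrong
   when generating a Flow.  The following added example (not part of
   this draft) validates them on a constructed Flow fragment; it assumes
   the PORTLIST syntax of Section 2.10 (comma-separated ports and ranges
   such as "22,80-82") and the "urn:ietf:params:xml:ns:iodef-2.0"
   namespace.

```python
"""Check the implicit source/target port pairing of the Service class
(Section 3.22) for one Flow element.

Added example, not part of the draft.  It assumes the PORTLIST format
of Section 2.10 (comma-separated ports and ranges, e.g. "22,80-82")
and the IODEF v2 namespace "urn:ietf:params:xml:ns:iodef-2.0".
"""
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}


def parse_portlist(text):
    """Expand a PORTLIST such as "22,80-82" into an ordered list of ints."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError("descending range %r" % item)
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range in %r" % text)
    return ports


def service_ports(system):
    """Ports named by a System's Service: Port, else Portlist, else None."""
    service = system.find("iodef:Service", NS)
    if service is None:
        return None
    port = service.find("iodef:Port", NS)
    if port is not None:
        return [int(port.text)]
    plist = service.find("iodef:Portlist", NS)
    if plist is not None:
        return parse_portlist(plist.text)
    return []   # Service present but neither Port nor Portlist


def check_flow(xml_text):
    """Validate one Flow and return (pairs, errors).

    pairs:  (source_port, target_port) tuples implied by the rule that
            the n-th source port corresponds to the n-th target port.
    errors: violations of the MUST rules in Section 3.22.
    """
    flow = ET.fromstring(xml_text)
    errors, pairs = [], []
    src, dst = [], []
    for system in flow.findall("iodef:System", NS):
        ports = service_ports(system)
        if ports is None:
            continue                      # no Service, nothing to check
        if ports == []:
            errors.append("System category=%s: Service has neither Port "
                          "nor Portlist" % system.get("category"))
            continue
        if system.get("category") == "source":
            src.append(ports)
        elif system.get("category") == "target":
            dst.append(ports)
    if not src or not dst:
        return pairs, errors              # no source/target relationship
    n = sum(len(p) for p in src)
    m = sum(len(p) for p in dst)
    if n != m:
        errors.append("source lists %d port(s) but target lists %d" % (n, m))
        return pairs, errors
    if n > 1 and (len(src) > 1 or len(dst) > 1):
        errors.append("%d ports listed but Flow has %d source and %d "
                      "target Systems (only one of each allowed)"
                      % (n, len(src), len(dst)))
        return pairs, errors
    flat_src = [p for lst in src for p in lst]
    flat_dst = [p for lst in dst for p in lst]
    pairs = list(zip(flat_src, flat_dst))
    return pairs, errors


# Constructed sample: three ephemeral source ports paired position by
# position with three well-known target ports.
SAMPLE_FLOW = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Service ip-protocol="6"><Portlist>50001-50003</Portlist></Service>
  </System>
  <System category="target">
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Constructed sample that violates the N == M rule.
MISMATCHED_FLOW = SAMPLE_FLOW.replace("22,80,443", "22,80")

if __name__ == "__main__":
    print(check_flow(SAMPLE_FLOW))       # pairs (50001,22) (50002,80) (50003,443)
    print(check_flow(MISMATCHED_FLOW))   # one error, no pairs
```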
3.22.1.  ApplicationHeader Class

   The ApplicationHeader class allows the representation of arbitrary
   fields from an application layer protocol header and their
   corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   | ANY                      |
   |                          |
   | INTEGER proto            |
   | STRING field             |
   | ENUM dtype               |
   | ID observable-id         |
   +--------------------------+

               Figure 40: The ApplicationHeader Class

   The ApplicationHeader class has four attributes:

   proto
      Required.  INTEGER.  The IANA assigned port number per
      [IANA.Ports] corresponding to the application layer protocol
      whose field will be represented.

   field
      Required.  STRING.  The name of the protocol field whose value
      will be found in the element body.

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.  boolean.  The element content is of type BOOLEAN.
      2.  byte.  The element content is of type BYTE.
      3.  bytes.  The element content is of type HEXBIN.
      4.  character.  The element content is of type CHARACTER.
      5.  date-time.  The element content is of type DATETIME.
      6.  integer.  The element content is of type INTEGER.
      7.  portlist.  The element content is of type PORTLIST.
      8.  real.  The element content is of type REAL.
      9.  string.  The element content is of type STRING.
      10.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.
      11.  path.  The element content is a file-system path encoded as
           a STRING type.
      12.  xml.  The element content is XML.  See Section 5.
      13.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2.  Application Class

   The Application class describes an application running on a System
   providing a Service.

   +--------------------+
   | Application        |
   +--------------------+
   | STRING swid        |<>--{0..1}--[ URL ]
   | STRING configid    |
   | STRING vendor      |
   | STRING family      |
   | STRING name        |
   | STRING version     |
   | STRING patch       |
   +--------------------+

                 Figure 41: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.  An identifier that can be used to reference
      this software, where the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference a
      particular configuration of this software, where the default
      value is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.23.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on
   a System.  The definition is identical to the Application class
   (Section 3.22.2).

3.24.  EmailData Class

   The EmailData class describes headers from an email message.  Common
   headers have dedicated classes, but arbitrary headers can also be
   described.
   +-------------------------+
   | EmailData               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ EmailFrom ]
   |                         |<>--{0..1}--[ EmailSubject ]
   |                         |<>--{0..1}--[ EmailX-Mailer ]
   |                         |<>--{0..*}--[ EmailHeaderField ]
   +-------------------------+

                    Figure 42: EmailData Class

   The aggregate classes that constitute EmailData are:

   EmailFrom
      Zero or one.  The value of the "From:" header field in an email.
      See Section 3.6.2 of [RFC5322].

   EmailSubject
      Zero or one.  The value of the "Subject:" header field in an
      email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an
      email.

   EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the
      email.  See Section 3.22.1.  The attributes of EmailHeaderField
      MUST be set as follows: proto="25" and dtype="string".  The name
      of the email header field MUST be set in the field attribute.

   The EmailData class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the incident.  The source of
   this data will often be the output of monitoring tools.  These logs
   substantiate the activity described in the document.

   +------------------+
   | Record           |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ RecordData ]
   +------------------+

                     Figure 43: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.  Log or audit data generated by a particular type
      of sensor.  Separate instances of the RecordData class SHOULD be
      used for each sensor type.

   The Record class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.25.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor
   (e.g., IDS, firewall log) and provides a way to annotate the output.

   +-------------------+
   | RecordData        |
   +-------------------+
   | ENUM restriction  |<>--{0..1}--[ DateTime ]
   | ID observable-id  |<>--{0..*}--[ Description ]
   |                   |<>--{0..1}--[ Application ]
   |                   |<>--{0..*}--[ RecordPattern ]
   |                   |<>--{0..*}--[ RecordItem ]
   |                   |<>--{0..1}--[ HashData ]
   |                   |<>--{0..*}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                  Figure 44: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.  Timestamp of the RecordItem data.

   Description
      Zero or more.  ML_STRING.  Free-form textual description of the
      provided RecordItem data.  At minimum, this description should
      convey the significance of the provided RecordItem data.

   Application
      Zero or one.  Information about the sensor used to generate the
      RecordItem data.

   RecordPattern
      Zero or more.  A search string to precisely find the relevant
      data in a RecordItem.

   RecordItem
      Zero or more.  Log, audit, or forensic data.

   HashData
      Zero or one.  The file name and hash of a file indicator.

   WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified that are
      indicator(s).

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   The RecordData class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.2.  RecordPattern Class

   The RecordPattern class describes where in the content of the
   RecordItem relevant information can be found.  It provides a way to
   reference subsets of information, identified by a pattern, in a
   large log file, audit trail, or forensic data.

   +-----------------------+
   | RecordPattern         |
   +-----------------------+
   | STRING                |
   |                       |
   | ENUM type             |
   | STRING ext-type       |
   | INTEGER offset        |
   | ENUM offsetunit       |
   | STRING ext-offsetunit |
   | INTEGER instance      |
   +-----------------------+

                Figure 45: The RecordPattern Class

   The specific pattern to search with in the RecordItem is defined in
   the body of the element.  It is further annotated by six
   attributes:

   type
      Required.  ENUM.  Describes the type of pattern being specified
      in the element content.  The default is "regex".

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
          type.
      3.  xpath.  XML Path (XPath) [W3C.XPATH].
      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type
      attribute.  See Section 5.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the
      offsetunit attribute) to seek into the RecordItem data before
      matching the pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".

      1.  line.  Offset is a count of lines.
      2.  byte.  Offset is a count of bytes.
      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.
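   The following added example (not part of this draft) applies a
   RecordPattern's type, offset, offsetunit and instance attributes to
   the content of a RecordItem.  It assumes Python's re module as an
   approximation of POSIX ERE, treats an absent instance as "all
   occurrences", and uses constructed sample log lines.

```python
"""Apply a RecordPattern (Section 3.25.2) to the content of a RecordItem.

Added example, not part of the draft.  Assumptions: Python's re module
stands in for POSIX ERE; instance=None means "apply without limit";
only the "regex" and "binary" pattern types and the "line"/"byte"
offset units are handled.  The sample log lines are constructed.
"""
import re

# Constructed RecordItem content: five syslog-style lines.
SAMPLE_RECORD_ITEM = (
    "Mar  1 10:00:01 host sshd[123]: Accepted publickey for alice\n"
    "Mar  1 10:00:05 host sshd[124]: Failed password for root\n"
    "Mar  1 10:00:09 host sshd[125]: Failed password for root\n"
    "Mar  1 10:00:12 host sshd[126]: Failed password for admin\n"
    "Mar  1 10:00:20 host sshd[127]: Accepted password for bob\n"
)


def _seek(data, offset, offsetunit):
    """Byte position reached by seeking `offset` units into `data`."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    if offsetunit == "byte":
        return min(offset, len(data))
    if offsetunit == "line":
        pos = 0
        for _ in range(offset):
            nl = data.find(b"\n", pos)
            if nl < 0:
                return len(data)        # fewer lines than offset: nothing left
            pos = nl + 1
        return pos
    raise ValueError("unsupported offsetunit %r" % offsetunit)


def apply_record_pattern(record_item, pattern, ptype="regex",
                         offset=0, offsetunit="line", instance=None):
    """Return [(start, end, matched_bytes)] for the pattern's matches.

    record_item: str or bytes content of the RecordItem.
    pattern:     element content of RecordPattern (regex text, or hex
                 digits when ptype is "binary").
    instance:    maximum number of times to apply the pattern, or None
                 for every occurrence after the offset.
    """
    data = record_item.encode() if isinstance(record_item, str) else record_item
    start = _seek(data, offset, offsetunit)
    if ptype == "regex":
        compiled = re.compile(pattern.encode())
    elif ptype == "binary":
        compiled = re.compile(re.escape(bytes.fromhex(pattern)))
    else:
        raise ValueError("unsupported pattern type %r" % ptype)
    matches = []
    for m in compiled.finditer(data, start):
        matches.append((m.start(), m.end(), m.group(0)))
        if instance is not None and len(matches) >= instance:
            break
    return matches


if __name__ == "__main__":
    # Skip the first two lines, then collect every failed login.
    for start, end, hit in apply_record_pattern(
            SAMPLE_RECORD_ITEM, r"Failed password for \w+",
            offset=2, offsetunit="line"):
        print(start, end, hit.decode())
```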
3.25.3.  RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs,
   audit trails, or forensic data to support the conclusions made
   during the course of analyzing the incident.  The class supports
   direct encapsulation of the data and also provides primitives to
   reference data stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.9).

3.26.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on
   them.  This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

          Figure 46: The WindowsRegistryKeysModified Class

   The aggregate class that constitutes the WindowsRegistryKeysModified
   class is:

   Key
      One or many.  The Windows registry key.

   The WindowsRegistryKeysModified class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26.1.  Key Class

   The Key class describes a particular Windows operating system
   registry key name and value pair, and the operation performed on
   it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

                     Figure 47: The Key Class

   The aggregate classes that constitute Key are:

   KeyName
      One.  STRING.  The name of the Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the associated registry key
      encoded as in Microsoft .reg files [KB310516].
   The Key class has three attributes:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.

      1.  add-key.  Registry key added.
      2.  add-value.  Value added to registry key.
      3.  delete-key.  Registry key deleted.
      4.  delete-value.  Value deleted from registry key.
      5.  modify-key.  Registry key modified.
      6.  modify-value.  Value modified for registry key.
      7.  ext-value.  External value.

   ext-registryaction
      Optional.  A means by which to extend the registryaction
      attribute.  See Section 5.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.27.  HashData Class

   The HashData class describes file names and associated hashes and
   signatures.  ... TODO Fix Issue #20 and #25 ...

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM type                |<>--{0..*}--[ FileName ]
   | STRING ext-type          |<>--{0..*}--[ FileSize ]
   | BOOL valid               |<>--{0..*}--[ ds:Signature ]
   | ID observable-id         |<>--{0..*}--[ ds:KeyInfo ]
   |                          |<>--{0..*}--[ ds:Reference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

                   Figure 48: The HashData Class

   The aggregate classes that constitute HashData are:

   FileName
      Zero or more.  ML_STRING.  The name of the file.

   FileSize
      Zero or more.  INTEGER.  The size of the file in bytes.

   ds:Signature
      Zero or more.

   ds:KeyInfo
      Zero or more.

   ds:Reference
      Zero or more.  The algorithm identification and value of a hash
      computed over a file.  This element is defined in [RFC3275].
      Refer to RFC 5901.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The HashData class has four attributes:

   type
      Optional.  ENUM.  The hash type.

      1.  PKI-email-ds.  PKI email digital signature.
      2.  PKI-file-ds.  PKI file digital signature.
      3.  PGP-email-ds.  PGP email digital signature.
      4.  PGP-file-ds.  PGP file digital signature.
      5.  file-hash.  A hash computed over the entire contents of a
          file.
      6.  email-hash.  A hash computed over the headers and body of an
          email message.
      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.
      8.  email-body-hash.  A hash computed over the body of an email
          message.
      9.  email-headers-hash.  A hash computed over all of the email
          headers.
      10.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type
      attribute.  See Section 5.1.

   valid
      Optional.  BOOLEAN.  Indicates if the signature or hash is valid.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.28.  IndicatorData Class

   The IndicatorData class describes the indicators identified from
   analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

                 Figure 49: The IndicatorData Class

   The aggregate class that constitutes IndicatorData is:

   Indicator
      One or more.  An indicator from the incident.

   The IndicatorData class has no attributes.

3.29.  Indicator Class

   The Indicator class describes a cyber indicator.  An indicator
   consists of observable features and phenomena that aid in the
   forensic or proactive detection of malicious activity, and
   associated meta-data.  This indicator can be described outright or
   reference observable features and phenomena described elsewhere in
   the incident information.  Portions of an incident description can
   be composed to define an indicator, as can the indicators
   themselves.
   +--------------------+
   | Indicator          |
   +--------------------+
   | ENUM restriction   |<>----------[ IndicatorID ]
   |                    |<>--{0..1}--[ AlternativeIndicatorID ]
   |                    |<>--{0..*}--[ Description ]
   |                    |<>--{0..1}--[ StartTime ]
   |                    |<>--{0..1}--[ EndTime ]
   |                    |<>--{0..1}--[ Confidence ]
   |                    |<>--{0..*}--[ Contact ]
   |                    |<>--{0..1}--[ Observable ]
   |                    |<>--{0..1}--[ ObservableReference ]
   |                    |<>--{0..1}--[ IndicatorExpression ]
   |                    |<>--{0..1}--[ IndicatorReference ]
   |                    |<>--{0..*}--[ AdditionalData ]
   +--------------------+

                  Figure 50: The Indicator Class

   The aggregate classes that constitute Indicator are:

   IndicatorID
      One.  An identifier for this indicator.  See Section 3.29.1.

   AlternativeIndicatorID
      Zero or one.  An alternative identifier for this indicator.  See
      Section 3.29.2.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of
      the indicator.

   StartTime
      Zero or one.  DATETIME.  A timestamp of the start of the time
      period during which this indicator is valid.

   EndTime
      Zero or one.  DATETIME.  A timestamp of the end of the time
      period during which this indicator is valid.

   Confidence
      Zero or one.  An estimate of the confidence in the quality of
      the indicator.  See Section 3.14.5.

   Contact
      Zero or more.  Contact information for this indicator.  See
      Section 3.10.

   Observable
      Zero or one.  An observable feature or phenomenon of this
      indicator.  See Section 3.29.3.

   ObservableReference
      Zero or one.  A reference to a feature or phenomenon defined
      elsewhere in the document.  See Section 3.29.5.

   IndicatorExpression
      Zero or one.  A composition of observables.  See Section 3.29.4.

   IndicatorReference
      Zero or one.  A reference to an indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The Indicator class MUST have exactly one instance of an Observable,
   IndicatorExpression, ObservableReference, or IndicatorReference
   class.

   The StartTime and EndTime classes can be used to define an interval
   during which the indicator is valid.  If both classes are present,
   the indicator is considered valid only during the described
   interval.  If neither class is provided, the indicator is considered
   valid during any time interval.  If only a StartTime is provided,
   the indicator is valid any time after this timestamp.  If only an
   EndTime is provided, the indicator is valid any time prior to this
   timestamp.

   The Indicator class has one attribute:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

3.29.1.  IndicatorID Class

   The IndicatorID class identifies an indicator with a globally unique
   identifier.  The combination of the name and version attributes and
   the element content form this identifier.  Indicators generated by a
   given CSIRT MUST NOT reuse the same value unless they are
   referencing the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

                 Figure 51: The IndicatorID Class

   The IndicatorID class has two attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the indicator.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.  This format is identical to the IncidentID@name
      attribute in Section 3.4.

   version
      Required.  STRING.  A version number of an indicator.

3.29.2.  AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for
   an indicator.
   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   |                         |
   +-------------------------+

            Figure 52: The AlternativeIndicatorID Class

   The aggregate class that constitutes AlternativeIndicatorID is:

   IndicatorReference
      One or more.  A reference to an indicator.

   The AlternativeIndicatorID class has one attribute:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

3.29.3.  Observable Class

   The Observable class describes a feature or phenomenon that can be
   observed or measured for the purposes of detecting malicious
   behavior.

   +-------------------+
   | Observable        |
   +-------------------+
   |                   |<>--{0..1}--[ Address ]
   |                   |<>--{0..1}--[ DomainData ]
   |                   |<>--{0..1}--[ Service ]
   |                   |<>--{0..1}--[ EmailData ]
   |                   |<>--{0..1}--[ ApplicationHeader ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ HashData ]
   |                   |<>--{0..1}--[ RecordData ]
   |                   |<>--{0..1}--[ EventData ]
   |                   |<>--{0..1}--[ Incident ]
   |                   |<>--{0..*}--[ Expectation ]
   |                   |<>--{0..*}--[ enum:Reference ]
   |                   |<>--{0..1}--[ Assessment ]
   |                   |<>--{0..1}--[ HistoryItem ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                  Figure 53: The Observable Class

   The aggregate classes that constitute Observable are:

   Address
      Zero or one.  An Address observable.  See Section 3.20.1.

   DomainData
      Zero or one.  A DomainData observable.  See Section 3.21.

   Service
      Zero or one.  A Service observable.  See Section 3.22.

   EmailData
      Zero or one.  An EmailData observable.  See Section 3.24.

   ApplicationHeader
      Zero or one.  An ApplicationHeader observable.  See
      Section 3.22.1.

   WindowsRegistryKeysModified
      Zero or one.  A WindowsRegistryKeysModified observable.  See
      Section 3.26.
   HashData
      Zero or one.  A HashData observable.  See Section 3.27.

   RecordData
      Zero or one.  A RecordData observable.  See Section 3.25.1.

   EventData
      Zero or one.  An EventData observable.  See Section 3.16.

   Incident
      Zero or one.  An Incident observable.  See Section 3.2.

   Expectation
      Zero or one.  An Expectation observable.  See Section 3.17.

   enum:Reference
      Zero or one.  A Reference observable.  See [RFC-ENUM].

   Assessment
      Zero or one.  An Assessment observable.  See Section 3.14.

   HistoryItem
      Zero or one.  A HistoryItem observable.  See Section 3.15.1.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The Observable class MUST have exactly one of the possible child
   classes.

   The Observable class has no attributes.

3.29.4.  IndicatorExpression Class

   The IndicatorExpression describes an expression composed of observed
   phenomena or features, or indicators.  Elements of the expression
   can be described directly, reference relevant data from other parts
   of a given IODEF document, or reference previously defined
   indicators.

   All child classes of a given instance of IndicatorExpression form a
   boolean algebraic expression where the operator between them is
   determined by the operator attribute.  Nesting an
   IndicatorExpression in itself is akin to a parenthesis in the
   expression.
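   The following added example (not part of this draft) evaluates such
   a nested expression against what a sensor observed, resolving
   ObservableReference children through the observable-id attribute and
   IndicatorReference children through a caller-supplied table.  It
   assumes "and" as the operator when the attribute is absent and that
   "not" takes exactly one child; the sample document is constructed.

```python
"""Evaluate a nested IndicatorExpression (Section 3.29.4).

Added example, not part of the draft.  Assumptions: operator defaults
to "and" when absent; "not" takes exactly one child (nest an
IndicatorExpression to negate a group); ObservableReference resolves
uid-ref to the element carrying that observable-id in the same
document; IndicatorReference is looked up in a caller-supplied mapping
of previously exchanged indicator ids to booleans.
"""
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}


def _tag(elem):
    """Local element name without the namespace."""
    return elem.tag.split("}", 1)[-1]


def _eval(expr, by_id, observed, indicators):
    op = expr.get("operator", "and")          # assumed default
    values = []
    for child in expr:
        kind = _tag(child)
        if kind == "IndicatorExpression":     # nesting acts as parentheses
            values.append(_eval(child, by_id, observed, indicators))
        elif kind == "Observable":
            inner = list(child)
            if len(inner) != 1:
                raise ValueError("Observable MUST have exactly one child")
            values.append(bool(observed(inner[0])))
        elif kind == "ObservableReference":
            ref = child.get("uid-ref")
            if ref not in by_id:
                raise ValueError("dangling uid-ref %r" % ref)
            values.append(bool(observed(by_id[ref])))
        elif kind == "IndicatorReference":
            ref = child.get("uid-ref") or child.get("euid-ref")
            if ref is None:
                raise ValueError("IndicatorReference needs uid-ref or euid-ref")
            values.append(bool(indicators.get(ref, False)))
        elif kind != "AdditionalData":        # extensions carry no truth value
            raise ValueError("unexpected child %s" % kind)
    if op == "not":
        if len(values) != 1:
            raise ValueError("'not' takes exactly one operand")
        return not values[0]
    if not values:
        raise ValueError("empty IndicatorExpression")
    if op == "and":
        return all(values)
    if op == "or":
        return any(values)
    if op == "xor":
        return sum(values) % 2 == 1
    raise ValueError("unsupported operator %r" % op)


def evaluate_document(xml_text, observations, indicators=None):
    """True if the document's outermost IndicatorExpression holds.

    observations: set of (local tag, value) pairs the sensor saw, e.g.
    ("Address", "192.0.2.5") or ("DomainData", "bad.example").
    """
    root = ET.fromstring(xml_text)
    by_id = {e.get("observable-id"): e for e in root.iter()
             if e.get("observable-id")}

    def observed(elem):
        if _tag(elem) == "DomainData":
            value = elem.findtext("iodef:Name", default="", namespaces=NS)
        else:
            value = elem.text or ""
        return (_tag(elem), value.strip()) in observations

    expr = root.find(".//iodef:IndicatorExpression", NS)
    if expr is None:
        raise ValueError("no IndicatorExpression in document")
    return _eval(expr, by_id, observed, indicators or {})


# Constructed sample: "source address seen AND (fraudulent domain OR
# second address seen) AND NOT a previously shared allow-list indicator".
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <EventData><Flow><System category="source"><Node>
    <Address category="ipv4-addr" observable-id="addr-1">192.0.2.5</Address>
  </Node></System></Flow></EventData>
  <IndicatorData><Indicator>
    <IndicatorID name="csirt.example.com" version="1">ind-1</IndicatorID>
    <IndicatorExpression operator="and">
      <ObservableReference uid-ref="addr-1"/>
      <IndicatorExpression operator="or">
        <Observable><DomainData system-status="fraudulent"
          domain-status="assignedAndActive"><Name>bad.example</Name>
        </DomainData></Observable>
        <Observable><Address category="ipv4-addr">203.0.113.9</Address>
        </Observable>
      </IndicatorExpression>
      <IndicatorExpression operator="not">
        <IndicatorReference euid-ref="allow-list-7"/>
      </IndicatorExpression>
    </IndicatorExpression>
  </Indicator></IndicatorData>
</Incident>"""
```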
   +--------------------------+
   | IndicatorExpression      |
   +--------------------------+
   | ENUM operator            |<>--{0..*}--[ IndicatorExpression ]
   |                          |<>--{0..*}--[ Observable ]
   |                          |<>--{0..*}--[ ObservableReference ]
   |                          |<>--{0..*}--[ IndicatorReference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

               Figure 54: The IndicatorExpression Class

   The aggregate classes that constitute IndicatorExpression are:

   IndicatorExpression
      Zero or more.  An expression composed of other observables or
      indicators.

   Observable
      Zero or more.  A description of an observable.

   ObservableReference
      Zero or more.  A reference to another observable.

   IndicatorReference
      Zero or more.  A reference to another indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   ... TODO Additional text is required to describe the valid
   combinations of classes and how the operator class should be applied
   ...

   The IndicatorExpression class has one attribute:

   operator
      Optional.  ENUM.  The operator to be applied between the child
      elements.

      1.  not.  Negation operator.

      2.  and.  Conjunction operator.

      3.  or.  Disjunction operator.

      4.  xor.  Exclusive disjunction operator.

3.29.5.  ObservableReference Class

   The ObservableReference describes a reference to an observable
   feature or phenomenon described elsewhere in the document.

   This class has no content.

   +-------------------------+
   | ObservableReference     |
   +-------------------------+
   | EMPTY                   |
   |                         |
   | IDREF uid-ref           |
   +-------------------------+

              Figure 55: The ObservableReference Class

   The ObservableReference class has one attribute:

   uid-ref
      Required.  IDREF.  An identifier that serves as a reference to a
      class in the IODEF document.  The referenced class will have this
      identifier set in the observable-id attribute.

3.29.6.  IndicatorReference Class

   The IndicatorReference describes a reference to an indicator.  This
   reference may be to an indicator described in the IODEF document or
   in a previously exchanged IODEF document.

   +--------------------------+
   | IndicatorReference       |
   +--------------------------+
   | EMPTY                    |
   |                          |
   | IDREF uid-ref            |
   | STRING euid-ref          |
   | STRING version           |
   +--------------------------+

              Figure 56: The IndicatorReference Class

   The IndicatorReference class has the following attributes:

   uid-ref
      Optional.  IDREF.  An identifier that serves as a reference to an
      Indicator class in the IODEF document.  The referenced Indicator
      class will have this identifier set in the IndicatorID class.

   euid-ref
      Optional.  STRING.  An identifier that references an IndicatorID
      not in this IODEF document.

   version
      Optional.  STRING.  A version number of an indicator.

   Either the uid-ref or the euid-ref attribute MUST be set.

4.  Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration, and MUST
   specify the XML version used.  If UTF-8 encoding is not used, the
   character encoding MUST also be explicitly specified.  The IODEF
   conforms to all XML data encoding conventions and constraints.

   The XML declaration with no character encoding will read as follows:

   <?xml version="1.0" ?>

   When a character encoding is specified, the XML declaration will read
   like the following:

   <?xml version="1.0" encoding="charset" ?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA), see [RFC2978].
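   The Boolean evaluation that Section 3.29.4 describes, as an added
   example (not code from the draft): it walks an IndicatorExpression
   tree, resolves each ObservableReference uid-ref through observable-id,
   and applies not/and/or/xor.  The sample fragment and the rule that an
   Observable "matches" when one of its Address values was observed are
   constructed; where the draft leaves behaviour open (n-ary xor, a
   missing operator, IndicatorReference) the code states its assumption.

```python
"""Evaluate an IODEF v2 IndicatorExpression (Section 3.29.4).  Added example,
not code from the draft.  Assumptions where the draft is open: nesting acts
as parentheses; 'not' and a missing operator take exactly one operand; n-ary
'xor' is odd parity; IndicatorReference cannot be resolved here."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Set

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
OPS = {"and": all, "or": any, "xor": lambda v: sum(v) % 2 == 1,
       "not": lambda v: not v[0], None: lambda v: v[0]}


def q(local: str) -> str:  # qualify a local name with the IODEF 2.0 namespace
    return f"{{{IODEF_NS}}}{local}"


def evaluate(expr: ET.Element, matches: Callable[[ET.Element], bool],
             index: Dict[str, ET.Element]) -> bool:
    """Recursively evaluate one IndicatorExpression element."""
    values = []
    for child in expr:
        if child.tag == q("IndicatorExpression"):
            values.append(evaluate(child, matches, index))
        elif child.tag == q("Observable"):
            values.append(matches(child))
        elif child.tag == q("ObservableReference"):
            ref = child.get("uid-ref")
            if ref not in index:
                raise ValueError(f"unresolved uid-ref {ref!r}")
            values.append(matches(index[ref]))
        elif child.tag == q("IndicatorReference"):  # may live in another document
            raise ValueError("IndicatorReference resolution not supported")
        elif child.tag != q("AdditionalData"):  # extension data has no truth value
            raise ValueError(f"unexpected child {child.tag!r}")
    op = expr.get("operator")
    if op not in OPS:
        raise ValueError(f"unknown operator {op!r}")
    if op in (None, "not") and len(values) != 1:
        raise ValueError(f"operator {op!r} needs exactly one operand")
    return OPS[op](values)


def evaluate_document(xml_text: str, observed: Set[str]) -> bool:
    """Parse a fragment and evaluate its top-level IndicatorExpression; an
    Observable matches when one of its Address values is in `observed`."""
    root = ET.fromstring(xml_text)
    index: Dict[str, ET.Element] = {}  # observable-id -> Observable
    for obs in root.iter(q("Observable")):
        oid = obs.get("observable-id")
        if oid is not None:
            if oid in index:
                raise ValueError(f"duplicate observable-id {oid!r}")
            index[oid] = obs

    def matches(obs: ET.Element) -> bool:
        addrs = {a.text.strip() for a in obs.iter(q("Address")) if a.text}
        return bool(addrs & observed)

    top = root.find(q("IndicatorExpression"))
    if top is None:
        raise ValueError("no IndicatorExpression found")
    return evaluate(top, matches, index)


# Constructed sample: (scanner OR second scanner) AND NOT allow-listed host.
SAMPLE = f"""<Indicator xmlns="{IODEF_NS}">
  <Observable observable-id="scanner">
    <Address category="ipv4-addr">192.0.2.200</Address>
  </Observable>
  <IndicatorExpression operator="and">
    <IndicatorExpression operator="or">
      <ObservableReference uid-ref="scanner"/>
      <Observable><Address category="ipv4-addr">192.0.2.201</Address></Observable>
    </IndicatorExpression>
    <IndicatorExpression operator="not">
      <Observable><Address category="ipv4-addr">192.0.2.1</Address></Observable>
    </IndicatorExpression>
  </IndicatorExpression>
</Indicator>"""
```

   With observed = {"192.0.2.200"} the sample evaluates to true; adding
   "192.0.2.1" to the observed set flips it to false through the not branch.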
   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe).  These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
   respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
   Each IODEF document MUST include a valid reference to the IODEF
   schema using the "xsi:schemaLocation" attribute.  An example of such
   a declaration would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding
   extensible attribute has been set to "ext-value".

5.2.  Extending Classes

   The classes of the data model can be extended only through the use of
   the AdditionalData and RecordItem classes.  These container classes,
   collectively referred to as the extensible classes, are implemented
   with the iodef:ExtensionType data type in the schema.  They provide
   the ability to have new atomic or XML-encoded data elements in all of
   the top-level classes of the Incident class and a few of the more
   complicated subordinate classes.  As there are multiple instances of
   the extensible classes in the data model, there is discretion on
   where to add a new data element.  It is RECOMMENDED that the
   extension be placed in the class most closely related to the new
   information.

   Extensions using the atomic data types (i.e., all values of the dtype
   attributes other than "xml") MUST:

   1.  Set the element content of the extensible class to the desired
       value, and

   2.  Set the dtype attribute to correspond to the data type of the
       element content.

   The following guidelines exist for extensions using XML:

   1.  The element content of the extensible class MUST be set to the
       desired value and the dtype attribute MUST be set to "xml".

   2.  The extension schema MUST declare a separate namespace.  It is
       RECOMMENDED that these extensions have the prefix "iodef-".  This
       recommendation makes the document easier to read by allowing the
       reader to infer by inspection which namespaces relate to IODEF.

   3.  It is RECOMMENDED that extension schemas follow the naming
       convention of the IODEF data model.  This makes an extended IODEF
       document read like any other IODEF document.  The names of all
       elements are capitalized.  For elements with composed names, a
       capital letter is used for each word.  Attribute names are lower
       case.  Attributes with composed names are separated by a hyphen.

   4.  Parsers that encounter an unrecognized element in a namespace
       that they do support MUST reject the document as a syntax error.

   5.  There are security and performance implications in requiring
       implementations to dynamically download schemas at run time.
       Thus, implementations SHOULD NOT download schemas at runtime,
       unless implementations take appropriate precautions and are
       prepared for potentially significant network, processing, and
       time-out demands.

   6.  Some users of the IODEF may have private schema definitions that
       might not be available on the Internet.  In this situation, if an
       IODEF document leaks out of the private use space, references to
       some of those document schemas may not be resolvable.  This has
       two implications.  First, references to private schemas may never
       resolve.  As such, in addition to the suggestion that
       implementations do not download schemas at runtime mentioned
       above, recipients MUST be prepared for a schema definition in an
       IODEF document never to resolve.

   The following schema and XML document excerpt provide a template for
   an extension schema and its use in the IODEF document.
   This example schema defines a namespace of "iodef-extension1" and a
   single element named "newdata".

   [Extension schema not preserved in this copy; only the fragment
   attributeFormDefault="unqualified" elementFormDefault="qualified"
   survives.]

   The following XML excerpt demonstrates the use of the above schema as
   an extension to the IODEF.

   [XML excerpt not preserved in this copy; the content of the newdata
   element reads: Field that could not be represented elsewhere]

   [Section 7.1 example: the XML markup is not preserved in this copy.
   The surviving element values, in document order, are:]

   189493
   2001-09-13T23:19:24+00:00
   Host sending out Code Red probes
   Example.com CSIRT
   example-com
   contact@csirt.example.com
   192.0.2.200
   57
   192.0.2.16/28
   80
   2001-09-13T18:11:21+02:00
   Web-server logs
   192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
   http://mylogs.example.com/logs/httpd_access
   2001-09-14T08:19:01+00:00
   Notification sent to constituency-contact@192.0.2.200
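   Applying the Section 4.1, 4.2 and 5.2 rules when accepting a document
   such as the one above, as an added example that is not the draft's or
   any implementation's code: it insists on an XML declaration and an
   xsi:schemaLocation naming the IODEF namespace, rejects unknown
   elements in the IODEF namespace (guideline 4), allows foreign
   elements only under AdditionalData or RecordItem with dtype="xml",
   and fetches nothing at run time (guidelines 5 and 6).  The sample
   document, its extension URN and the partial KNOWN_ELEMENTS list are
   constructed assumptions.

```python
"""Acceptance checks for an IODEF v2 document (Sections 4.1, 4.2 and 5.2).
Added example, not code from the draft or any IODEF implementation.
Assumptions: KNOWN_ELEMENTS is a partial list of IODEF class names, enough
for the sample; any DOCTYPE is refused outright; content under an extensible
class with dtype="xml" is left to the extension's own schema."""
import xml.etree.ElementTree as ET
from typing import List

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
KNOWN_ELEMENTS = {
    "IODEF-Document", "Incident", "IncidentID", "ReportTime", "Description",
    "Assessment", "Contact", "EventData", "Flow", "System", "Node", "Address",
    "AdditionalData", "RecordData", "RecordItem", "Indicator", "Observable"}
EXTENSIBLE = {"AdditionalData", "RecordItem"}  # the only extension points (5.2)


def split_tag(tag: str):
    """ElementTree '{ns}local' -> (ns, local); unqualified -> ('', local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)


def check_element(el: ET.Element, errors: List[str]) -> None:
    """Walk the tree, applying the Section 5.2 guidelines to every element."""
    ns, local = split_tag(el.tag)
    if ns != IODEF_NS:  # foreign content is legal only under dtype="xml"
        errors.append(f"foreign element {el.tag!r} outside an extensible class")
        return
    if local not in KNOWN_ELEMENTS:  # guideline 4: reject, do not skip over
        errors.append(f"unrecognized IODEF element {local!r}")
        return
    if local in EXTENSIBLE:
        dtype = el.get("dtype")
        if dtype == "xml":  # guideline 2: the extension needs its own namespace
            for child in el:
                if split_tag(child.tag)[0] == IODEF_NS:
                    errors.append(f"extension child {child.tag!r} reuses IODEF namespace")
        elif len(el):  # atomic dtypes carry text only, never child elements
            errors.append(f"{local} with dtype={dtype!r} must not contain elements")
        return
    for child in el:
        check_element(child, errors)


def validate_iodef(xml_text: str) -> List[str]:
    """Return the reasons to reject the document; an empty list means accepted."""
    if not xml_text.startswith("<?xml"):
        return ["Section 4.1: document must begin with an XML declaration"]
    if "<!DOCTYPE" in xml_text:  # guidelines 5/6: resolve nothing external;
        return ["DOCTYPE declarations are not accepted"]  # no entities either
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if split_tag(root.tag) != (IODEF_NS, "IODEF-Document"):
        return [f"root must be IODEF-Document in {IODEF_NS}, got {root.tag!r}"]
    errors: List[str] = []
    # Section 4.2: xsi:schemaLocation must name the IODEF namespace.  The
    # location half is recorded, never fetched (guideline 5).
    pairs = root.get(f"{{{XSI_NS}}}schemaLocation", "").split()
    if IODEF_NS not in pairs[0::2]:
        errors.append("xsi:schemaLocation missing or does not name the IODEF namespace")
    check_element(root, errors)
    return errors


# Constructed sample: extension URN and prefix are made up; "newdata" and the
# IncidentID value follow the draft's own examples.
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document xmlns="{IODEF_NS}" xmlns:xsi="{XSI_NS}"
    xmlns:iodef-ext1="urn:example:iodef-extension1"
    xsi:schemaLocation="{IODEF_NS} urn:ietf:params:xml:schema:iodef-2.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
    <AdditionalData dtype="xml">
      <iodef-ext1:newdata>Field that could not be represented elsewhere</iodef-ext1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>
"""
```

   validate_iodef(SAMPLE) returns an empty list; inserting an unknown
   element, a DOCTYPE, or a foreign element outside AdditionalData each
   produces a single rejection reason.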
7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

   [XML example not preserved in this copy; the surviving element
   values, in document order, are:]

   59334
   2006-08-02T05:54:02-05:00
   nmap
   http://nmap.toolsite.example.com
   CSIRT for example.com
   contact@csirt.example.com
   +1 412 555 12345
   Joe Smith
   smith@csirt.example.com
   192.0.2.200
   60524,60526,60527,60531
   192.0.2.201
   137-139,445
   192.0.2.240
   192.0.2.64/28
   445
7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

   [XML example not preserved in this copy; the surviving element
   values, in document order, are:]

   908711
   2006-06-08T05:44:53-05:00
   Large bot-net
   GT Bot
   CA-2003-22
   http://www.cert.org/advisories/CA-2003-22.html
   Root compromise via this IE vulnerability to install the GT Bot
   Joe Smith
   jsmith@csirt.example.com
   These hosts are compromised and acting as bots communicating with
   irc.example.com.
   192.0.2.1
   10000
   bot
   192.0.2.3
   250000
   bot
   irc.example.com
   192.0.2.20
   2006-06-08T01:01:03-05:00
   IRC server on #give-me-cmd channel
   Confirm the source and take machines off-line and remediate
7.4.  Watch List

   An example of a CSIRT conveying a watch-list.

   [XML example not preserved in this copy; the surviving element
   values, in document order, are:]

   908711
   2006-08-01T00:00:00-05:00
   Watch-list of known bad IPs or networks
   CSIRT for example.com
   contact@csirt.example.com
   192.0.2.53
   Source of numerous attacks
   192.0.2.16/28
   Source of heavy scanning over past 1-month
   192.0.2.241
   C2 IRC server
8.  The IODEF Schema

   [The XML Schema is not preserved in this copy; only its documentation
   string survives: "Incident Object Description Exchange Format v2.0,
   RFC5070-bis".]

9.  Security Considerations

   The IODEF data model itself does not directly introduce security
   issues.  Rather, it simply defines a representation for incident
   information.  As the data encoded by the IODEF might be considered
   privacy sensitive by the parties exchanging the information or by
   those described by it, care needs to be taken in ensuring the
   appropriate disclosure during both document exchange and subsequent
   processing.  The former must be handled by a messaging format, but
   the latter risk must be addressed by the systems that process, store,
   and archive IODEF documents and information derived from them.

   Executable content could be embedded into the IODEF document directly
   or through an extension.  The IODEF parser should handle this content
   with care to prevent unintentional automated execution.

   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.
   The Real-time Inter-network Defense (RID) protocol [RFC6545] and its
   associated transport binding IODEF/RID over HTTP/TLS [RFC6546]
   provide such security.

   In order to suggest data processing and handling guidelines for the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Authors'
      Addresses" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.
   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006.

   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions", IEEE
              1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC ENUM, November 2014.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
              6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) Files", RFC 4180, October 2005.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com