idnits 2.17.1

draft-ietf-mile-rfc5070-bis-11.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There is 1 instance of too long lines in the document, the longest one
     being 6 characters in excess of 72.

  -- The document has examples using IPv4 documentation addresses according to
     RFC6890, but does not use any IPv6 documentation addresses.  Maybe there
     should be IPv6 examples, too?

  -- The draft header indicates that this document obsoletes RFC5070, but the
     abstract doesn't seem to mention this, which it should.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document seems to lack the recommended RFC 2119 boilerplate, even if
     it appears to use RFC 2119 keywords.

     (The document does seem to have the reference to RFC 2119 which the
     ID-Checklist requires).

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and that
     take significant amounts of text from those RFCs.  If you can contact all
     authors of the source material and they are willing to grant the BCP78
     rights to the IETF Trust, you can and should remove the disclaimer.
     Otherwise, the disclaimer is needed and you can ignore this comment.
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (March 23, 2015) is 3293 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: '0-9' is mentioned on line 5625, but not defined

  == Missing Reference: '0-4' is mentioned on line 5625, but not defined

  == Missing Reference: '0-5' is mentioned on line 5625, but not defined

  -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE.POSIX'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'RFC-ENUM'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO8601'

  -- Possible downref: Non-RFC (?) normative reference: ref. 'ISO4217'

  ** Downref: Normative reference to an Informational RFC: RFC 2781

  -- Obsolete informational reference (is this intentional?): RFC 5070
     (Obsoleted by RFC 7970)

  -- Obsolete informational reference (is this intentional?): RFC 5226
     (Obsoleted by RFC 8126)

     Summary: 2 errors (**), 0 flaws (~~), 6 warnings (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

MILE Working Group                                            R. Danyliw
Internet-Draft                                                      CERT
Obsoletes: 5070 (if approved)                                P. Stoecker
Intended status: Standards Track                                     RSA
Expires: September 24, 2015                               March 23, 2015

          The Incident Object Description Exchange Format v2
                     draft-ietf-mile-rfc5070-bis-11

Abstract

   The Incident Object Description Exchange Format (IODEF) defines a
   data representation for sharing information commonly exchanged by
   Computer Security Incident Response Teams (CSIRTs) about computer
   security incidents.  This document describes the information model
   for the IODEF and provides an associated data model specified with
   XML Schema.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 24, 2015.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
     1.1.  Changes from 5070
     1.2.  Terminology
     1.3.  Notations
     1.4.  About the IODEF Data Model
     1.5.  About the IODEF Implementation
   2.  IODEF Data Types
     2.1.  Integers
     2.2.  Real Numbers
     2.3.  Characters and Strings
     2.4.  Multilingual Strings
     2.5.  Bytes
     2.6.  Hexadecimal Bytes
     2.7.  Enumerated Types
     2.8.  Date-Time Strings
     2.9.  Timezone String
     2.10.  Port Lists
     2.11.  Postal Address
     2.12.  Person or Organization
     2.13.  Telephone and Fax Numbers
     2.14.  Email String
     2.15.  Uniform Resource Locator Strings
     2.16.  Identifiers and Identifier References
   3.  The IODEF Data Model
     3.1.  IODEF-Document Class
     3.2.  Incident Class
     3.3.  Common Attributes
       3.3.1.  restriction Attribute
       3.3.2.  observable-id Attribute
     3.4.  IncidentID Class
     3.5.  AlternativeID Class
     3.6.  RelatedActivity Class
     3.7.  ThreatActor Class
     3.8.  Campaign Class
     3.9.  AdditionalData Class
     3.10.  Contact Class
       3.10.1.  RegistryHandle Class
       3.10.2.  PostalAddress Class
       3.10.3.  Email Class
       3.10.4.  Telephone and Fax Classes
     3.11.  Time Classes
       3.11.1.  StartTime Class
       3.11.2.  EndTime Class
       3.11.3.  DetectTime Class
       3.11.4.  ReportTime Class
       3.11.5.  GenerationTime Class
       3.11.6.  DateTime
     3.12.  Discovery Class
       3.12.1.  DetectionPattern Class
     3.13.  Method Class
       3.13.1.  Reference Class
     3.14.  Assessment Class
       3.14.1.  SystemImpact Class
       3.14.2.  BusinessImpact Class
       3.14.3.  TimeImpact Class
       3.14.4.  MonetaryImpact Class
       3.14.5.  Confidence Class
     3.15.  History Class
       3.15.1.  HistoryItem Class
     3.16.  EventData Class
       3.16.1.  Relating the Incident and EventData Classes
       3.16.2.  Cardinality of EventData
     3.17.  Expectation Class
     3.18.  Flow Class
     3.19.  System Class
     3.20.  Node Class
       3.20.1.  Address Class
       3.20.2.  NodeRole Class
       3.20.3.  Counter Class
     3.21.  DomainData Class
       3.21.1.  RelatedDNS
       3.21.2.  Nameservers Class
       3.21.3.  DomainContacts Class
     3.22.  Service Class
       3.22.1.  ApplicationHeader Class
       3.22.2.  Application Class
     3.23.  OperatingSystem Class
     3.24.  EmailData Class
     3.25.  Record Class
       3.25.1.  RecordData Class
       3.25.2.  RecordPattern Class
       3.25.3.  RecordItem Class
     3.26.  WindowsRegistryKeysModified Class
       3.26.1.  Key Class
     3.27.  CertificateData Class
       3.27.1.  Certificate Class
     3.28.  FileData Class
       3.28.1.  File Class
     3.29.  HashData Class
       3.29.1.  Hash Class
       3.29.2.  FuzzyHash Class
     3.30.  SignatureData Class
     3.31.  IndicatorData Class
     3.32.  Indicator Class
       3.32.1.  IndicatorID Class
       3.32.2.  AlternativeIndicatorID Class
       3.32.3.  Observable Class
       3.32.4.  IndicatorExpression Class
       3.32.5.  ObservableReference Class
       3.32.6.  IndicatorReference Class
   4.  Processing Considerations
     4.1.  Encoding
     4.2.  IODEF Namespace
     4.3.  Validation
     4.4.  Incompatibilities with v1
   5.  Extending the IODEF
     5.1.  Extending the Enumerated Values of Attributes
       5.1.1.  Private Extension of Enumerated Values
       5.1.2.  Public Extension of Enumerated Values
     5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
     7.1.  Worm
     7.2.  Reconnaissance
     7.3.  Bot-Net Reporting
     7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10.  IANA Considerations
     10.1.  Namespace and Schema
     10.2.  Enumerated Value Registries
   11.  Acknowledgments
   12.  References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Introduction

   Organizations require help from other parties to mitigate malicious
   activity targeting their network and to gain insight into potential
   threats.  This coordination might entail working with an ISP to
   filter attack traffic, contacting a remote site to take down a bot-
   network, or sharing watch-lists of known malicious IP addresses in a
   consortium.

   The Incident Object Description Exchange Format (IODEF) is a format
   for representing computer security information commonly exchanged
   between Computer Security Incident Response Teams (CSIRTs).
   It provides an XML representation for conveying:

   o  cyber intelligence to characterize threats;

   o  cyber incident reports to document particular cyber security
      events or relationships between events;

   o  cyber event mitigation to request proactive and reactive
      mitigation approaches to cyber intelligence or incidents; and

   o  cyber information sharing meta-data so that these various classes
      of information can be exchanged among parties.

   The data model encodes information about hosts, networks, and the
   services running on these systems; attack methodology and associated
   forensic evidence; impact of the activity; and limited approaches for
   documenting workflow.

   The overriding purpose of the IODEF is to enhance the operational
   capabilities of CSIRTs.  Community adoption of the IODEF provides an
   improved ability to resolve incidents and convey situational
   awareness by simplifying collaboration and data sharing.  The
   structured format provided by the IODEF allows for:

   o  increased automation in processing of incident data, since fewer
      security-analyst resources will be spent parsing free-form
      textual documents;

   o  decreased effort in normalizing similar data (even when highly
      structured) from different sources; and

   o  a common format on which to build interoperable tools for incident
      handling and subsequent analysis, specifically when data comes
      from multiple constituencies.

   Coordinating with other CSIRTs is not strictly a technical problem.
   There are numerous procedural, trust, and legal considerations that
   might prevent an organization from sharing information.  The IODEF
   does not attempt to address them.  However, operational
   implementations of the IODEF will need to consider this broader
   context.

   Sections 3 and 8 specify the IODEF data model with text and an XML
   schema.  The types used by the data model are covered in Section 2.
   Processing considerations, the handling of extensions, and
   internationalization issues related to the data model are covered in
   Sections 4, 5, and 6, respectively.  Examples are listed in
   Section 7.  Section 1 provides the background for the IODEF, and
   Section 9 documents the security considerations.

1.1.  Changes from 5070

   This document contains changes with respect to its predecessor
   RFC5070.

   o  All of the RFC5070 Errata were implemented.

   o  Imported the xmlns:ds namespace to include digital signature hash
      classes.

   o  The following class was added to IODEF-Document: AdditionalData.

   o  The following class and attribute were added to Incident:
      IndicatorData and @status.

   o  The following class was added to Incident and EventData:
      Discovery.

   o  The following classes and attributes were added to the Service
      class: EmailData, DomainData, AssetID, ApplicationHeader,
      @virtual, and @ownership.  Service@ip_protocol was renamed to
      @ip-protocol.

   o  The following classes were added to the Record class: HashData and
      WindowsRegistryKeysModified.

   o  The following classes were added to the RelatedActivity class:
      ThreatActor, Campaign, Confidence, Description, and
      AdditionalData.

   o  The following classes were added to Assessment: IncidentCategory,
      SystemImpact, BusinessImpact, IntendedImpact, and
      MitigatingFactor.

   o  The following classes were added to Node: PostalAddress and
      DomainData.  The following classes were removed from Node:
      NodeName and DateTime.

   o  The following class was added to the Contact class: ContactTitle.

   o  The following class was added to Expectation and HistoryItem:
      DefinedCOA.

   o  The following class was added to Reference: ReferenceName
      (replacing Name).

   o  Additional enumerated values were added to the following
      attributes: @restriction, {Expectation, HistoryItem}@action,
      NodeRole@category, Incident@purpose, Contact@role,
      AdditionalData@dtype, and System@spoofed.

   o  Added the option for public extension of enumerated attributes
      with an IANA registry, and added @ext-restriction.

   o  Removed the Impact class in favor of using SystemImpact and
      IncidentCategory.

   o  iodef:MLStringType uses xml:lang and @translation-id.

1.2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Definitions for some of the common computer security-related
   terminology used in this document can be found in Section 2 of
   [refs.requirements].

1.3.  Notations

   The normative IODEF data model is specified with the text in
   Section 3 and the XML schema in Section 8.  To help in the
   understanding of the data elements, Section 3 also depicts the
   underlying information model using Unified Modeling Language (UML).
   This abstract presentation of the IODEF is not normative.

   For clarity in this document, the term "XML document" will be used
   when referring generically to any instance of an XML document.  The
   term "IODEF document" will be used to refer to specific elements and
   attributes of the IODEF schema.  The terms "class" and "element" will
   be used interchangeably to reference the corresponding data element
   in the information model or the data model, respectively.

1.4.  About the IODEF Data Model

   The IODEF data model is a data representation that provides a
   framework for sharing information commonly exchanged by CSIRTs about
   computer security incidents.  A number of considerations were made in
   the design of the data model.

   o  The data model serves as a transport format.  Therefore, its
      specific representation is not the optimal representation for on-
      disk storage, long-term archiving, or in-memory processing.

   o  As there is no precise, widely agreed upon definition for an
      incident, the data model does not attempt to dictate one through
      its implementation.  Rather, a broad understanding is assumed in
      the IODEF that is flexible enough to encompass most operators.

   o  Describing an incident for all definitions would require an
      extremely complex data model.  Therefore, the IODEF only intends
      to be a framework to convey commonly exchanged incident
      information.  It ensures that there are ample mechanisms for
      extensibility to support organization-specific information, and
      techniques to reference information kept outside of the explicit
      data model.

   o  The domain of security analysis is not fully standardized and must
      rely on free-form textual descriptions.  The IODEF attempts to
      strike a balance between supporting this free-form content and
      still allowing automated processing of incident information.

   o  The IODEF is only one of several security-relevant data
      representations being standardized.  Attempts were made to ensure
      they were complementary.  The data model of the Intrusion
      Detection Message Exchange Format [RFC4765] influenced the design
      of the IODEF.

   Further discussion of the desirable properties for the IODEF can be
   found in the Requirements for the Format for Incident Information
   Exchange (FINE) [refs.requirements].

1.5.  About the IODEF Implementation

   The IODEF implementation is specified as an Extensible Markup
   Language (XML) [W3C.XML] Schema [W3C.SCHEMA].

   Implementing the IODEF in XML provides numerous advantages.  Its
   extensibility makes it ideal for specifying a data encoding framework
   that supports various character encodings.  Likewise, the abundance
   of related technologies (e.g., XSL, XPath, XML-Signature) makes for
   simplified manipulation.  However, XML is fundamentally a text
   representation, which makes it inherently inefficient when binary
   data must be embedded or large volumes of data must be exchanged.

2.  IODEF Data Types

   The various data elements of the IODEF data model are typed.  This
   section discusses these data types.  When possible, native Schema
   data types were adopted, but for more complicated formats, regular
   expressions (see Appendix F of [W3C.SCHEMA.DTYPES]) or external
   standards were used.

2.1.  Integers

   An integer is represented by the INTEGER data type.  Integer data
   MUST be encoded in Base 10.

   The INTEGER data type is implemented as an "xs:integer" in
   [W3C.SCHEMA.DTYPES].

2.2.  Real Numbers

   Real (floating-point) attributes are represented by the REAL data
   type.  Real data MUST be encoded in Base 10.

   The REAL data type is implemented as an "xs:float" in
   [W3C.SCHEMA.DTYPES].

2.3.  Characters and Strings

   A single character is represented by the CHARACTER data type.  A
   character string is represented by the STRING data type.  Special
   characters must be encoded using entity references.  See Section 4.1.

   The CHARACTER and STRING data types are implemented as an "xs:string"
   in [W3C.SCHEMA.DTYPES].

2.4.  Multilingual Strings

   STRING data that represents a multi-character string in a language
   different from the default language of the document is of the
   ML_STRING data type.

   The ML_STRING data type is implemented as the "iodef:MLStringType"
   type in the schema.  This type extends the "xs:string" to include two
   attributes.  The body of any class that uses this type is the
   multilingual string.

   Multiple instances of a class of this type with the same parent that
   have the same value set in the translation-id attribute are
   considered translations.
The language of a given class of this type 438 is set by the xml:lang attribute. 440 +------------------------+ 441 | iodef:MLStringType | 442 +------------------------+ 443 | ENUM xml:lang | 444 | STRING translation-id | 445 | | 446 +------------------------+ 448 Figure 1: The iodef:MLStringType Type 450 Classes of the iodef:MLStringType type have two attributes: 452 xml:lang 453 Optional. ENUM. A language identifier per Section 2.12 of 454 [W3C.XML] whose values and form are described in [RFC5646]. The 455 interpretation of this code is described in Section 6. 457 translation-id 458 Optional. STRING. An identifier to relate other instances of 459 this class as translations of this text. 461 2.5. Bytes 463 A binary octet is represented by the BYTE data type. A sequence of 464 binary octets is represented by the BYTE[] data type. These octets 465 are encoded using base64. 467 The BYTE data type is implemented as an "xs:base64Binary" in 468 [W3C.SCHEMA.DTYPES]. 470 2.6. Hexadecimal Bytes 472 A binary octet is represented by the HEXBIN (and HEXBIN[]) data type. 473 This octet is encoded as a character tuple consisting of two 474 hexadecimal digits. 476 The HEXBIN data type is implemented as an "xs:hexBinary" in 477 [W3C.SCHEMA.DTYPES]. 479 2.7. Enumerated Types 481 Enumerated types are represented by the ENUM data type, and consist 482 of an ordered list of acceptable values. Each value has a 483 representative keyword. Within the IODEF schema, the enumerated type 484 keywords are used as attribute values. 486 The ENUM data type is implemented as a series of "xs:NMTOKEN" in the 487 schema. 489 2.8. Date-Time Strings 491 Date-time strings are represented by the DATETIME data type. Each 492 date-time string identifies a particular instant in time. Ranges are 493 not supported. 495 Date-time strings are formatted according to a subset of [ISO8601] 496 documented in [RFC3339]. 498 The DATETIME data type is implemented as an "xs:dateTime" in the 499 schema. 501 2.9. 
Timezone String 503 A timezone offset from UTC is represented by the TIMEZONE data type. 504 It is formatted according to the following regular expression: 505 "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]". 507 The TIMEZONE data type is implemented as an "xs:string" with a 508 regular expression constraint in [W3C.SCHEMA.DTYPES]. This regular 509 expression is identical to the timezone representation implemented in 510 an "xs:dateTime". 512 2.10. Port Lists 514 A list of network ports are represented by the PORTLIST data type. A 515 PORTLIST consists of a comma-separated list of numbers and ranges 516 (N-M means ports N through M, inclusive). It is formatted according 517 to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". 518 For example, "2,5-15,30,32,40-50,55-60". 520 The PORTLIST data type is implemented as an "xs:string" with a 521 regular expression constraint in the schema. 523 2.11. Postal Address 525 A postal address is represented by the POSTAL data type. This data 526 type is an ML_STRING whose format is documented in Section 2.23 of 527 [RFC4519]. It defines a postal address as a free-form multi-line 528 string separated by the "$" character. 530 The POSTAL data type is implemented as an "xs:string" in the schema. 532 2.12. Person or Organization 534 The name of an individual or organization is represented by the NAME 535 data type. This data type is an ML_STRING whose format is documented 536 in Section 2.3 of [RFC4519]. 538 The NAME data type is implemented as an "xs:string" in the schema. 540 2.13. Telephone and Fax Numbers 542 A telephone or fax number is represented by the PHONE data type. The 543 format of the PHONE data type is documented in Section 2.35 of 544 [RFC4519]. 546 The PHONE data type is implemented as an "xs:string" in the schema. 548 2.14. Email String 550 An email address is represented by the EMAIL data type. The format 551 of the EMAIL data type is documented in Section 3.4.1 [RFC5322]. 
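   The TIMEZONE (Section 2.9) and PORTLIST (Section 2.10) patterns are
   lexical checks only.  The PORTLIST pattern accepts a descending range
   such as "80-22" and a port above 65535; the TIMEZONE pattern accepts
   "+14:30", which the "xs:dateTime" it is meant to mirror does not,
   since XML Schema limits a dateTime offset to -14:00 through +14:00.
   XML Schema also defines "\d" as "\p{Nd}", so non-ASCII digits pass
   the schema pattern.  The Python below is an added example, not code
   from this draft or from any IODEF implementation: it applies the
   draft's two patterns verbatim and then the semantic checks a consumer
   needs before acting on a value.  The sample inputs are constructed.

```python
import re

# Patterns exactly as given in Sections 2.9 and 2.10 of the draft.  re.ASCII
# confines \d to 0-9; the schema's \d is \p{Nd}, which also matches digits
# such as U+0660..U+0669 that int() would happily convert.
TIMEZONE_RE = re.compile(r"Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]", re.ASCII)
PORTLIST_RE = re.compile(r"\d+(\-\d+)?(,\d+(\-\d+)?)*", re.ASCII)

MAX_PORT = 65535
MAX_OFFSET_MINUTES = 14 * 60   # xs:dateTime bounds the offset to [-14:00, +14:00]


def timezone_offset_minutes(tz: str) -> int:
    """Parse a TIMEZONE string into a signed offset from UTC in minutes.

    Raises ValueError for anything the pattern rejects and for offsets the
    pattern admits but xs:dateTime does not (e.g. "+14:30").
    """
    if not TIMEZONE_RE.fullmatch(tz):
        raise ValueError(f"not a TIMEZONE: {tz!r}")
    if tz == "Z":
        return 0
    sign = -1 if tz[0] == "-" else 1
    hours, minutes = int(tz[1:3]), int(tz[4:6])
    offset = sign * (hours * 60 + minutes)
    if abs(offset) > MAX_OFFSET_MINUTES:
        raise ValueError(f"offset beyond +/-14:00: {tz!r}")
    return offset


def parse_portlist(value: str) -> list[tuple[int, int]]:
    """Parse a PORTLIST into inclusive (low, high) ranges.

    The schema pattern is purely lexical: it accepts "80-22" and "70000".
    Both are rejected here.
    """
    if not PORTLIST_RE.fullmatch(value):
        raise ValueError(f"not a PORTLIST: {value!r}")
    ranges: list[tuple[int, int]] = []
    for item in value.split(","):
        low_s, _, high_s = item.partition("-")
        low = int(low_s)
        high = int(high_s) if high_s else low
        if high > MAX_PORT:
            raise ValueError(f"port above {MAX_PORT} in {item!r}")
        if low > high:
            raise ValueError(f"descending range {item!r}")
        ranges.append((low, high))
    return ranges


def expand_portlist(value: str) -> set[int]:
    """Expand a PORTLIST into the set of individual ports it names."""
    ports: set[int] = set()
    for low, high in parse_portlist(value):
        ports.update(range(low, high + 1))
    return ports


def portlist_contains(value: str, port: int) -> bool:
    """True if `port` falls inside any range of the PORTLIST."""
    return any(low <= port <= high for low, high in parse_portlist(value))


def is_valid_timezone(tz: str) -> bool:
    """Convenience wrapper: pattern plus the xs:dateTime range check."""
    try:
        timezone_offset_minutes(tz)
        return True
    except ValueError:
        return False


def is_valid_portlist(value: str) -> bool:
    """Convenience wrapper: pattern plus the port-range semantics."""
    try:
        parse_portlist(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, including the draft's own PORTLIST example.
    for tz in ("Z", "-05:30", "+14:00", "+14:30", "UTC"):
        print(f"{tz:8} TIMEZONE valid: {is_valid_timezone(tz)}")
    for pl in ("2,5-15,30,32,40-50,55-60", "80-22", "70000", "22,,80"):
        print(f"{pl:26} PORTLIST valid: {is_valid_portlist(pl)}")
```

   A schema validator will pass "80-22" and "70000"; a consumer that
   feeds such a PORTLIST into a firewall rule or a watch-list matcher
   without the second layer of checks will silently match nothing, or
   the wrong thing.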
   The EMAIL data type is implemented as an "xs:string" in the schema.

2.15.  Uniform Resource Locator Strings

   A uniform resource locator (URL) is represented by the URL data type.
   The format of the URL data type is documented in [RFC3986].

   The URL data type is implemented as an "xs:anyURI" in the schema.

2.16.  Identifiers and Identifier References

   An identifier unique to the Document is represented by the ID data
   type.  A reference to this identifier is represented by the IDREF
   data type.  The acceptable format of ID and IDREF is documented in
   Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].

   The ID and IDREF data types are implemented as "xs:ID" and "xs:IDREF"
   in the schema.

3.  The IODEF Data Model

   In this section, the individual components of the IODEF data model
   will be discussed in detail.  For each class, the semantics will be
   described and the relationship with other classes will be depicted
   with UML.  When necessary, specific comments will be made about the
   corresponding definition in the schema in Section 8.

3.1.  IODEF-Document Class

   The IODEF-Document class is the top level class in the IODEF data
   model.  All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM xml:lang   |<>--{0..*}--[ AdditionalData ]
   | STRING formatid |
   +-----------------+

                     Figure 2: IODEF-Document Class

   The aggregate classes that constitute IODEF-Document are:

   Incident
      One or more.  The information related to a single incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The IODEF-Document class has three attributes:

   version
      Required.  STRING.  The IODEF specification version number to
      which this IODEF document conforms.  The value of this attribute
      MUST be "2.00".

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   formatid
      Optional.  STRING.  A free-form string to convey processing
      instructions to the recipient of the document.  Its semantics must
      be negotiated out-of-band.

3.2.  Incident Class

   Every incident is represented by an instance of the Incident class.
   This class provides a standardized representation for commonly
   exchanged incident data.

   +-------------------------+
   | Incident                |
   +-------------------------+
   | ENUM purpose            |<>----------[ IncidentID ]
   | STRING ext-purpose      |<>--{0..1}--[ AlternativeID ]
   | ENUM status             |<>--{0..*}--[ RelatedActivity ]
   | STRING ext-status       |<>--{0..1}--[ DetectTime ]
   | ENUM xml:lang           |<>--{0..1}--[ StartTime ]
   | ENUM restriction        |<>--{0..1}--[ EndTime ]
   | STRING ext-restriction  |<>--{0..1}--[ RecoveryTime ]
   | STRING observable-id    |<>----------[ ReportTime ]
   |                         |<>--{0..1}--[ GenerationTime ]
   |                         |<>--{0..*}--[ Description ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{1..*}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{1..*}--[ Contact ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ IndicatorData ]
   |                         |<>--{0..1}--[ History ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                      Figure 3: The Incident Class

   The aggregate classes that constitute Incident are:

   IncidentID
      One.  An incident tracking number assigned to this incident by the
      CSIRT that generated the IODEF document.

   AlternativeID
      Zero or one.  The incident tracking numbers used by other CSIRTs
      to refer to the incident described in the document.

   RelatedActivity
      Zero or more.  Related activity and attribution of this activity.

   DetectTime
      Zero or one.  The time the incident was first detected.

   StartTime
      Zero or one.  The time the incident started.

   EndTime
      Zero or one.  The time the incident ended.

   RecoveryTime
      Zero or one.  The time the site recovered from the incident.

   ReportTime
      One.  The time the incident was reported.

   GenerationTime
      Zero or one.  The time the content in this Incident class was
      generated.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      incident.

   Discovery
      Zero or more.  The means by which this incident was detected.

   Assessment
      One or more.  A characterization of the impact of the incident.

   Method
      Zero or more.  The techniques used by the intruder in the
      incident.

   Contact
      One or more.  Contact information for the parties involved in the
      incident.

   EventData
      Zero or more.  Description of the events comprising the incident.

   IndicatorData
      Zero or more.  Description of indicators.

   History
      Zero or one.  A log of significant events or actions that occurred
      during the course of handling the incident.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.

   The Incident class has eight attributes:

   purpose
      Required.  ENUM.  The purpose attribute represents the reason why
      the IODEF document was created.  It is closely related to the
      Expectation class (Section 3.17).  These values are maintained in
      the "Incident-purpose" IANA registry per Table 1.  This attribute
      is defined as an enumerated list:

      1.  traceback.  The document was sent for trace-back purposes.

      2.  mitigation.  The document was sent to request aid in
          mitigating the described activity.

      3.  reporting.  The document was sent to comply with reporting
          requirements.

      4.  watch.  The document was sent to convey indicators to watch
          for particular activity.

      5.  other.  The document was sent for purposes specified in the
          Expectation class.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-purpose
      Optional.  STRING.  A means by which to extend the purpose
      attribute.  See Section 5.1.1.

   status
      Optional.  ENUM.  The status attribute conveys the state in a
      workflow where the incident is currently found.  These values are
      maintained in the "Incident-status" IANA registry per Table 1.
      This attribute is defined as an enumerated list:

      1.  new.  The document is newly reported and has not been
          actioned.

      2.  in-progress.  The contents of this document are under
          investigation.

      3.  forwarded.  The document has been forwarded to another party
          for handling.

      4.  resolved.  The investigation into the activity in this
          document has concluded.

      5.  future.  The .

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-status
      Optional.  STRING.  A means by which to extend the status
      attribute.  See Section 5.1.1.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.3.  Common Attributes

   There are a number of recurring attributes used by the data model.
   They are documented in this section.

3.3.1.  restriction Attribute

   The restriction attribute indicates the disclosure guidelines to
   which the sender expects the recipient to adhere for the information
   represented in this class and its children.  This guideline provides
   no security since there are no specified technical means to ensure
   that the recipient of the document handles the information as the
   sender requested.

   The value of this attribute is logically inherited by the children of
   this class.
That is to say, the disclosure rules applied to this 803 class, also apply to its children. 805 It is possible to set a granular disclosure policy, since all of the 806 high-level classes (i.e., children of the Incident class) have a 807 restriction attribute. Therefore, a child can override the 808 guidelines of a parent class, be it to restrict or relax the 809 disclosure rules (e.g., a child has a weaker policy than an ancestor; 810 or an ancestor has a weak policy, and the children selectively apply 811 more rigid controls). The implicit value of the restriction 812 attribute for a class that did not specify one can be found in the 813 closest ancestor that did specify a value. 815 This attribute is defined as an enumerated value with a default value 816 of "private". Note that the default value of the restriction 817 attribute is only defined in the context of the Incident class. In 818 other classes where this attribute is used, no default is specified. 820 These values are maintained in the "Restriction" IANA registry per 821 Table 1. 823 1. public. The information can be freely distributed without 824 restriction. 826 2. partner. The information may be shared within a closed 827 community of peers, partners, or affected parties, but cannot be 828 openly published. 830 3. need-to-know. The information may be shared only within the 831 organization with individuals that have a need to know. 833 4. private. The information may not be shared. 835 5. default. The information can be shared according to an 836 information disclosure policy pre-arranged by the communicating 837 parties. 839 6. white. Same as 'public'. 841 7. green. Same as 'partner'. 843 8. amber. Same as 'need-to-know'. 845 9. red. Same as 'private'. 847 10. ext-value. An escape value used to extend this attribute. See 848 Section 5.1.1. 850 3.3.2. observable-id Attribute 852 Information included in an incident report may be an observable 853 relevant to an indicator. 
The observable-id attribute provides a 854 unique identifier in the scope of the document for this observable. 855 This identifier can then used to reference the observable with an 856 ObservableReference class to define an indicator in the IndicatorData 857 class. 859 3.4. IncidentID Class 861 The IncidentID class represents an incident tracking number that is 862 unique in the context of the CSIRT and identifies the activity 863 characterized in an IODEF Document. This identifier would serve as 864 an index into the CSIRT incident handling system. The combination of 865 the name attribute and the string in the element content MUST be a 866 globally unique identifier describing the activity. Documents 867 generated by a given CSIRT MUST NOT reuse the same value unless they 868 are referencing the same incident. 870 +------------------------+ 871 | IncidentID | 872 +------------------------+ 873 | STRING | 874 | | 875 | STRING name | 876 | STRING instance | 877 | ENUM restriction | 878 | STRING ext-restriction | 879 +------------------------+ 881 Figure 4: The IncidentID Class 883 The IncidentID class has four attributes: 885 name 886 Required. STRING. An identifier describing the CSIRT that 887 created the document. In order to have a globally unique CSIRT 888 name, the fully qualified domain name associated with the CSIRT 889 MUST be used. 891 instance 892 Optional. STRING. An identifier referencing a subset of the 893 named incident. 895 restriction 896 Optional. ENUM. See Section 3.3.1. The default value is 897 "public". 899 ext-restriction 900 Optional. STRING. A means by which to extend the restriction 901 attribute. See Section 5.1.1. 903 3.5. AlternativeID Class 905 The AlternativeID class lists the incident tracking numbers used by 906 CSIRTs, other than the one generating the document, to refer to the 907 identical activity described in the IODEF document. 
A tracking 908 number listed as an AlternativeID references the same incident 909 detected by another CSIRT. The incident tracking numbers of the 910 CSIRT that generated the IODEF document must never be considered an 911 AlternativeID. 913 +------------------------+ 914 | AlternativeID | 915 +------------------------+ 916 | ENUM restriction |<>--{1..*}--[ IncidentID ] 917 | STRING ext-restriction | 918 +------------------------+ 920 Figure 5: The AlternativeID Class 922 The aggregate class that constitutes AlternativeID is: 924 IncidentID 925 One or more. The incident tracking number of another CSIRT. 927 The AlternativeID class has two attributes: 929 restriction 930 Optional. ENUM. See Section 3.3.1. 932 ext-restriction 933 Optional. STRING. A means by which to extend the restriction 934 attribute. See Section 5.1.1. 936 3.6. RelatedActivity Class 938 The RelatedActivity class relates the information described in the 939 rest of the IODEF document to previously observed incidents or 940 activity; and allows attribution to a specific actor or campaign. 942 +------------------------+ 943 | RelatedActivity | 944 +------------------------+ 945 | ENUM restriction |<>--{0..*}--[ IncidentID ] 946 | STRING ext-restriction |<>--{0..*}--[ URL ] 947 | |<>--{0..*}--[ ThreatActor ] 948 | |<>--{0..*}--[ Campaign ] 949 | |<>--{0..1}--[ Confidence ] 950 | |<>--{0..*}--[ Description ] 951 | |<>--{0..*}--[ AdditionalData ] 952 +------------------------+ 954 Figure 6: RelatedActivity Class 956 The aggregate classes that constitutes RelatedActivity are: 958 IncidentID 959 One or more. The incident tracking number of a related incident. 961 URL 962 One or more. URL. A URL to activity related to this incident. 964 ThreatActor 965 One or more. The threat actor to whom the described activity is 966 attributed. 968 Campaign 969 One or more. The campaign of a given threat actor to whom the 970 described activity is attributed. 972 Confidence 973 Zero or one. 
An estimate of the confidence in attributing this 974 RelatedActivity to the event described in the document. 976 Description 977 Zero or more. ML_STRING. A description of how these 978 relationships were derived. 980 AdditionalData 981 Zero or more. A mechanism by which to extend the data model. 983 RelatedActivity MUST at least have one instance of IncidentID, URL, 984 ThreatActor, or Campaign. 986 The RelatedActivity class has two attributes: 988 restriction 989 Optional. ENUM. See Section 3.3.1. 991 ext-restriction 992 Optional. STRING. A means by which to extend the restriction 993 attribute. See Section 5.1.1. 995 3.7. ThreatActor Class 997 The ThreatActor class describes a given actor. 999 +------------------------+ 1000 | Actor | 1001 +------------------------+ 1002 | ENUM restriction |<>--{0..1}--[ ThreatActorID ] 1003 | STRING ext-restriction |<>--{0..*}--[ Description ] 1004 | |<>--{0..*}--[ AdditionalData ] 1005 +------------------------+ 1007 Figure 7: ThreatActor Class 1009 The aggregate classes that constitutes ThreatActor are: 1011 ThreatActorID 1012 One or more. STRING. An identifier for the ThreatActor. 1014 Description 1015 One or more. ML_STRING. A description of the ThreatActor. 1017 AdditionalData 1018 Zero or more. A mechanism by which to extend the data model. 1020 ThreatActor MUST have at least one instance of a ThreatActorID or 1021 Description. 1023 The ThreatActor class has two attributes: 1025 restriction 1026 Optional. ENUM. See Section 3.3.1. 1028 ext-restriction 1029 Optional. STRING. A means by which to extend the restriction 1030 attribute. See Section 5.1.1. 1032 3.8. Campaign Class 1034 The Campaign class describes a campaign of attacks by a threat actor. 
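   As an added illustration of the restriction inheritance rule of
   Section 3.3.1 across the classes above (Incident, RelatedActivity,
   ThreatActor and Campaign all carry a restriction attribute), the
   following Python resolves the effective restriction of every element
   and redacts an Incident before it is forwarded to a recipient cleared
   to a given level.  This is example code, not part of the draft or of
   any IODEF implementation; the sample document is constructed and
   omits the namespace declaration, and the handling of "default" and
   the fail-closed treatment of unknown values are this example's
   assumptions.

```python
"""Resolve the effective 'restriction' of every element in an IODEF Incident
and redact the Incident for a recipient at a given disclosure level.

Added example, not code from the IODEF draft or any IODEF implementation.
It implements the inheritance rule of Section 3.3.1: an element without its
own restriction attribute takes the value of its closest ancestor that has
one, and Incident defaults to "private".  The colour values are folded onto
their textual equivalents; "default", "ext-value" and unknown values fail
closed to "private" unless a pre-arranged policy is supplied (assumption).
"""
import copy
import xml.etree.ElementTree as ET

# Ordering from least to most restrictive.
LEVELS = {"public": 0, "partner": 1, "need-to-know": 2, "private": 3}
ALIASES = {"white": "public", "green": "partner",
           "amber": "need-to-know", "red": "private"}


def canonical(value, default_policy=None):
    """Map a restriction attribute value onto one of the four base values."""
    value = ALIASES.get(value, value)
    if value == "default":
        # "default" means a policy pre-arranged out of band; without one
        # there is no basis to share, so fail closed.
        value = default_policy
    return value if value in LEVELS else "private"


def effective_restrictions(incident, default_policy=None):
    """Return {element: effective restriction} for an Incident subtree."""
    effective = {}

    def walk(elem, inherited):
        own = elem.get("restriction")
        current = canonical(own, default_policy) if own is not None else inherited
        effective[elem] = current
        for child in elem:
            walk(child, current)

    # Section 3.3.1: the default is only defined for Incident and is
    # "private"; the walk overrides it when Incident carries its own value.
    walk(incident, "private")
    return effective


def redact(incident, recipient_level, default_policy=None):
    """Deep-copy the Incident and drop every subtree whose effective
    restriction is stricter than the recipient may receive.
    Returns None when the Incident itself is too restricted to send."""
    clone = copy.deepcopy(incident)
    limit = LEVELS[recipient_level]
    effective = effective_restrictions(clone, default_policy)
    if LEVELS[effective[clone]] > limit:
        return None

    def prune(elem):
        for child in list(elem):
            if LEVELS[effective[child]] > limit:
                # Removing a subtree also removes any descendant that
                # relaxed the policy; such content would need re-packaging.
                elem.remove(child)
            else:
                prune(child)

    prune(clone)
    return clone


# Constructed sample (namespace declaration omitted); identifiers are
# placeholders, not a real incident.
SAMPLE = """<Incident purpose="reporting" restriction="green">
  <IncidentID name="csirt.example.com">ID-0001</IncidentID>
  <Description>Constructed sample incident.</Description>
  <RelatedActivity restriction="private">
    <ThreatActor><ThreatActorID>TA-0001</ThreatActorID></ThreatActor>
    <Campaign><CampaignID>C-0001</CampaignID></Campaign>
  </RelatedActivity>
  <Assessment>
    <SystemImpact restriction="amber" severity="medium">Outage</SystemImpact>
  </Assessment>
  <Contact role="creator" type="organization">
    <Email>csirt@example.com</Email>
  </Contact>
</Incident>"""


def load(xml_text=SAMPLE):
    return ET.fromstring(xml_text)


if __name__ == "__main__":
    inc = load()
    for elem, level in effective_restrictions(inc).items():
        print(f"{elem.tag:<16} {level}")
    print(ET.tostring(redact(inc, "partner"), encoding="unicode"))
```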
   +------------------------+
   | Campaign               |
   +------------------------+
   | ENUM restriction       |<>--{0..1}--[ CampaignID ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                      Figure 8: Campaign Class

   The aggregate classes that constitute Campaign are:

   CampaignID
      One or more.  STRING.  An identifier for the Campaign.

   Description
      One or more.  ML_STRING.  A description of the Campaign.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   Campaign MUST have at least one instance of a CampaignID or
   Description.

   The Campaign class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.9.  AdditionalData Class

   The AdditionalData class serves as an extension mechanism for
   information not otherwise represented in the data model.  For
   relatively simple information, atomic data types (e.g., integers,
   strings) are provided with a mechanism to annotate their meaning.
   The class can also be used to extend the data model (and the
   associated Schema) to support proprietary extensions by encapsulating
   entire XML documents conforming to another Schema.  A detailed
   discussion for extending the data model and the schema can be found
   in Section 5.

   Unlike XML, which is self-describing, atomic data must be documented
   to convey its meaning.  This information is described in the
   'meaning' attribute.  Since these descriptions are outside the scope
   of the specification, some additional coordination may be required to
   ensure that a recipient of a document using the AdditionalData
   classes can make sense of the custom extensions.
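   Because AdditionalData carries arbitrary content whose type is only
   declared by the dtype attribute, a recipient should check that the
   element content actually matches the declared type before handing it
   to a packet decoder, file handler or XML processor.  The following
   Python is an added example of such a check over the dtype values of
   this section; it is not code from the draft or from any IODEF
   implementation.  The dtype names and the default of "string" come
   from this section, while the concrete syntax checks for BOOLEAN,
   BYTE, HEXBIN, DATETIME, PORTLIST and base64 FILE content are
   assumptions modelled on the XML Schema types these data types map to,
   and the sample document is constructed.

```python
"""Validate the element content of IODEF AdditionalData elements against
the declared dtype before handing it to downstream tooling.

Added example, not code from the IODEF draft or any IODEF implementation.
The dtype names and the "string" default come from Section 3.9; the checks
for BOOLEAN, BYTE, HEXBIN, DATETIME, PORTLIST and base64 FILE content are
assumptions modelled on the XML Schema types the draft maps them to.
"""
import base64
import binascii
import re
from datetime import datetime
import xml.etree.ElementTree as ET

HEXBIN_TYPES = {"bytes", "frame", "packet", "ipv4-packet", "ipv6-packet"}
STRING_TYPES = {"string", "path", "csv", "winreg"}
PORTLIST_RE = re.compile(r"^\d{1,5}(-\d{1,5})?(,\d{1,5}(-\d{1,5})?)*$")
REAL_RE = re.compile(r"[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?")
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*:\S+")


def ports_ok(text):
    # PORTLIST (assumed syntax): comma-separated ports or lo-hi ranges.
    if not PORTLIST_RE.match(text):
        return False
    for item in text.split(","):
        lo, _, hi = item.partition("-")
        if not 0 <= int(lo) <= int(hi or lo) <= 65535:
            return False
    return True


def hexbin_ok(text):
    text = "".join(text.split())          # tolerate folded whitespace
    return len(text) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]*", text) is not None


def base64_ok(text):
    try:
        base64.b64decode("".join(text.split()), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def datetime_ok(text):
    try:
        datetime.fromisoformat(text.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


CHECKS = {
    "boolean": lambda t: t in ("true", "false", "1", "0"),
    "byte": lambda t: bool(re.fullmatch(r"[+-]?\d+", t)) and -128 <= int(t) <= 127,
    "character": lambda t: len(t) == 1,
    "integer": lambda t: re.fullmatch(r"[+-]?\d+", t) is not None,
    "real": lambda t: REAL_RE.fullmatch(t) is not None,
    "date-time": datetime_ok,
    "ntpstamp": datetime_ok,              # "Same as date-time" per Section 3.9
    "portlist": ports_ok,
    "file": base64_ok,
    "url": lambda t: URL_RE.fullmatch(t) is not None,
}
CHECKS.update({t: hexbin_ok for t in HEXBIN_TYPES})
CHECKS.update({t: (lambda t: True) for t in STRING_TYPES})


def validate_additional_data(elem):
    """Return (ok, reason) for one AdditionalData element."""
    dtype = elem.get("dtype", "string")   # default value per Section 3.9
    text = (elem.text or "").strip()
    if dtype == "ext-value":
        # The escape value needs ext-dtype to name the real type (Section 5.1.1).
        ok = bool(elem.get("ext-dtype"))
        return ok, "ok" if ok else "ext-value without ext-dtype"
    if dtype == "xml":
        # Section 5: an encapsulated XML document, one child and no loose text.
        ok = len(elem) == 1 and not text
        return ok, "ok" if ok else "xml dtype must wrap exactly one element"
    if len(elem):
        return False, f"dtype {dtype} must not contain child elements"
    if dtype not in CHECKS:
        return False, f"unknown dtype {dtype!r}"
    ok = bool(CHECKS[dtype](text))
    return ok, "ok" if ok else f"content is not a valid {dtype}"


# Constructed sample (namespace declaration omitted); values are placeholders.
SAMPLE = """<Incident purpose="reporting">
  <AdditionalData dtype="integer" meaning="packets-seen">4096</AdditionalData>
  <AdditionalData dtype="portlist" meaning="ports">22,80,1024-2048</AdditionalData>
  <AdditionalData dtype="ipv4-packet" meaning="capture">45000034abcd40004006</AdditionalData>
  <AdditionalData dtype="ipv4-packet" meaning="bad-capture">not hex</AdditionalData>
  <AdditionalData dtype="boolean" meaning="confirmed">maybe</AdditionalData>
  <AdditionalData dtype="ext-value" meaning="custom">x</AdditionalData>
  <AdditionalData meaning="note">dtype omitted, so STRING</AdditionalData>
  <AdditionalData dtype="xml" meaning="ext"><Foo>bar</Foo></AdditionalData>
</Incident>"""


def validate_document(xml_text=SAMPLE):
    """Return [(meaning, ok, reason)] for every AdditionalData element."""
    root = ET.fromstring(xml_text)
    return [(e.get("meaning"), *validate_additional_data(e))
            for e in root.iter("AdditionalData")]
```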
   +------------------------+
   | AdditionalData         |
   +------------------------+
   | ANY                    |
   |                        |
   | ENUM dtype             |
   | STRING ext-dtype       |
   | STRING meaning         |
   | STRING formatid        |
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

                  Figure 9: The AdditionalData Class

   The AdditionalData class has six attributes:

   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".  These values are maintained in the
      "AdditionalData-dtype" IANA registry per Table 1.

      1.  boolean.  The element content is of type BOOLEAN.

      2.  byte.  The element content is of type BYTE.

      3.  bytes.  The element content is of type HEXBIN.

      4.  character.  The element content is of type CHARACTER.

      5.  date-time.  The element content is of type DATETIME.

      6.  ntpstamp.  Same as date-time.

      7.  integer.  The element content is of type INTEGER.

      8.  portlist.  The element content is of type PORTLIST.

      9.  real.  The element content is of type REAL.

      10. string.  The element content is of type STRING.

      11. file.  The element content is a base64 encoded binary file
          encoded as a BYTE[] type.

      12. path.  The element content is a file-system path encoded as a
          STRING type.

      13. frame.  The element content is a layer-2 frame encoded as a
          HEXBIN type.

      14. packet.  The element content is a layer-3 packet encoded as a
          HEXBIN type.

      15. ipv4-packet.  The element content is an IPv4 packet encoded
          as a HEXBIN type.

      16. ipv6-packet.  The element content is an IPv6 packet encoded
          as a HEXBIN type.

      17. url.  The element content is of type URL.

      18. csv.  The element content is a comma separated value (CSV)
          list per Section 2 of [RFC4180] encoded as a STRING type.

      19. winreg.  The element content is a Windows registry key
          encoded as a STRING type.

      20. xml.  The element content is XML.  See Section 5.

      21. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   formatid
      Optional.  STRING.  An identifier referencing the format and
      semantics of the element content.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.10.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data.  A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class.  As such, multiple points of contact might be
   specified in a single instance of a Contact class.  Each child
   Contact class logically inherits contact information from its
   ancestors.
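   The recursive definition above means a consumer must walk each path
   from the root Contact to a leaf to obtain a complete point of
   contact.  The following Python is an added example of that traversal,
   plus a check for the requirement stated later in this section that
   every Contact carry at least one aggregate class, which the schema
   itself cannot enforce.  It is not code from the draft or from any
   IODEF implementation; the precedence rule (a child's own values
   replace the inherited ones for the same class, and the chain of
   ContactName values is kept as a path) and the sample document are
   this example's assumptions.

```python
"""Flatten nested IODEF Contact classes into complete points of contact.

Added example, not code from the IODEF draft or any IODEF implementation.
It applies the rule of Section 3.10 that a Contact nested in another
Contact inherits the contact information of its ancestors, so a complete
point of contact is the path from the root Contact to a leaf Contact.
Assumption: a child's own values for a class (Email, Telephone, Timezone,
...) replace the inherited ones; the chain of ContactName values is kept
as a "path" so the organisation a person belongs to is not lost.
"""
import xml.etree.ElementTree as ET

FIELDS = ("ContactName", "ContactTitle", "Description", "RegistryHandle",
          "PostalAddress", "Email", "Telephone", "Fax", "Timezone")


def own_values(contact):
    """Contact information carried directly by one Contact element."""
    return {f: [c.text.strip() for c in contact.findall(f) if c.text]
            for f in FIELDS if contact.find(f) is not None}


def flatten_contacts(contact, inherited=None):
    """Yield one dict per leaf Contact, merging ancestor information."""
    inherited = inherited or {}
    own = own_values(contact)
    merged = dict(inherited)
    merged.update(own)                       # child values take precedence
    merged["path"] = list(inherited.get("path", [])) + own.get("ContactName", [])
    merged["role"] = contact.get("role")      # role and type are the child's own
    merged["type"] = contact.get("type")
    children = contact.findall("Contact")
    if not children:
        yield merged
    for child in children:
        yield from flatten_contacts(child, merged)


def contacts_without_information(contact):
    """Contacts carrying none of the aggregate classes (a MUST in Section
    3.10 that the schema cannot enforce).  A nested Contact counts."""
    found = [contact] if len(contact) == 0 else []
    for child in contact.findall("Contact"):
        found.extend(contacts_without_information(child))
    return found


# Constructed sample (namespace declaration omitted); names, numbers and
# addresses are placeholders.
SAMPLE = """<Contact role="irt" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress>1 Example Way, Anytown</PostalAddress>
  <Email>csirt@example.com</Email>
  <Telephone>+1-555-0100</Telephone>
  <Timezone>+00:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice Analyst</ContactName>
    <Email>alice@example.com</Email>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>Bob Manager</ContactName>
    <Telephone>+1-555-0101</Telephone>
    <Timezone>-05:00</Timezone>
  </Contact>
</Contact>"""


def points_of_contact(xml_text=SAMPLE):
    return list(flatten_contacts(ET.fromstring(xml_text)))


def empty_contacts(xml_text):
    """Roles of Contacts that violate the at-least-one-aggregate rule."""
    return [c.get("role") for c in contacts_without_information(ET.fromstring(xml_text))]


if __name__ == "__main__":
    for poc in points_of_contact():
        print(" / ".join(poc["path"]), poc["role"], poc.get("Email"), poc.get("Telephone"))
```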
   +------------------------+
   | Contact                |
   +------------------------+
   | ENUM role              |<>--{0..*}--[ ContactName ]
   | STRING ext-role        |<>--{0..*}--[ ContactTitle ]
   | ENUM type              |<>--{0..*}--[ Description ]
   | STRING ext-type        |<>--{0..*}--[ RegistryHandle ]
   | ENUM restriction       |<>--{0..1}--[ PostalAddress ]
   | STRING ext-restriction |<>--{0..*}--[ Email ]
   |                        |<>--{0..*}--[ Telephone ]
   |                        |<>--{0..1}--[ Fax ]
   |                        |<>--{0..1}--[ Timezone ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                     Figure 10: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or more.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   ContactTitle
      Zero or more.  ML_STRING.  The title for the individual named in
      the ContactName.

   Description
      Zero or more.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or more.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or more.  The email address of the contact.

   Telephone
      Zero or more.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

   Contact
      Zero or more.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has six attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list.  These values are
      maintained in the "Contact-role" IANA registry per Table 1.

      1.  creator.  The entity that generates the document.

      2.  reporter.  The entity that reported the information.

      3.  admin.  An administrative contact or business owner for an
          asset or organization.

      4.  tech.  An entity responsible for the day-to-day management of
          technical issues for an asset or organization.

      5.  provider.  An external hosting provider for an asset.

      6.  zone.  An entity with authority over a DNS zone.

      7.  user.  An end-user of an asset or part of an organization.

      8.  billing.  An entity responsible for billing issues for an
          asset or organization.

      9.  legal.  An entity responsible for legal issues related to an
          asset or organization.

      10. irt.  An entity responsible for handling security issues for
          an asset or organization.

      11. abuse.  An entity responsible for handling abuse originating
          from an asset or organization.

      12. cc.  An entity that is to be kept informed about the events
          related to an asset or organization.

      13. cc-irt.  A CSIRT or information sharing organization
          coordinating activity related to an asset or organization.

      14. leo.  A law enforcement organization supporting the
          investigation of activity affecting an asset or organization.

      15. vendor.  The vendor that produces an asset.

      16. vendor-support.  A vendor that provides services.

      17. victim.  A victim in the incident.

      18. victim-notified.  A victim in the incident who has been
          notified.

      19. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list.  These values are
      maintained in the "Contact-type" IANA registry per Table 1.

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.10.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.  The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                 Figure 11: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required.  ENUM.  The database to which the handle belongs.  These
      values are maintained in the "RegistryHandle-registry" IANA
      registry per Table 1.  The possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin-American and Caribbean IP Address Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Internet Numbers Registry

      7.  local.  A database local to the CSIRT

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.1.

3.10.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | STRING meaning      |
   | ENUM xml:lang       |
   +---------------------+

                  Figure 12: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional.  STRING.  A free-form description of the element
      content.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

3.10.3.  Email Class

   The Email class specifies an email address formatted according to
   the EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                      Figure 13: The Email Class

   The Email class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

3.10.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to the PHONE data type
   (Section 2.13).

   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

               Figure 14: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.11.  Time Classes

   The data model uses six different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +-----------------+
   | StartTime       |
   | EndTime         |
   | ReportTime      |
   | DetectTime      |
   | GenerationTime  |
   | DateTime        |
   +-----------------+
   | DATETIME        |
   +-----------------+

                     Figure 15: The Time Classes

3.11.1.  StartTime Class

   The StartTime class represents the time the incident began.

3.11.2.  EndTime Class

   The EndTime class represents the time the incident ended.

3.11.3.  DetectTime Class

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.11.4.  ReportTime Class

   The ReportTime class represents the time the incident was reported.

3.11.5.  GenerationTime Class

   The GenerationTime class represents the time when the IODEF document
   was produced.  This timestamp MUST be the time at which the IODEF
   document was generated.

3.11.6.  DateTime

   The DateTime class is a generic representation of a timestamp.  Infer
   its semantics from the parent class in which it is aggregated.

3.12.  Discovery Class

   The Discovery class describes how an incident was detected.

   +------------------------+
   | Discovery              |
   +------------------------+
   | ENUM source            |<>--{0..*}--[ Description ]
   | STRING ext-source      |<>--{0..*}--[ Contact ]
   | ENUM restriction       |<>--{0..*}--[ DetectionPattern ]
   | STRING ext-restriction |
   +------------------------+

                    Figure 16: The Discovery Class

   The Discovery class is composed of three aggregate classes.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how
      this incident was detected.

   Contact
      Zero or more.  Contact information for the party that discovered
      the incident.

   DetectionPattern
      Zero or more.  Describes an application-specific configuration
      that detected the incident.

   The Discovery class has four attributes:

   source
      Optional.  ENUM.  Categorizes the techniques used to discover the
      incident.  These values are partially derived from Table 3-1 of
      [NIST800.61rev2].  These values are maintained in the "Discovery-
      source" IANA registry per Table 1.

      1.  nidps.  Network Intrusion Detection or Prevention system.

      2.  hips.  Host-based Intrusion Prevention system.

      3.  siem.  Security Information and Event Management System.

      4.  av.  Antivirus or antispam software.

      5.  third-party-monitoring.  Contracted third-party monitoring
          service.

      6.  incident.  The activity was discovered while investigating an
          unrelated incident.

      7.  os-log.  Operating system logs.

      8.  application-log.  Application logs.

      9.  device-log.  Network device logs.

      10. network-flow.  Network flow analysis.

      11. passive-dns.  Passive DNS analysis.

      12. investigation.  Manual investigation initiated based on
          notification of a new vulnerability or exploit.

      13. audit.  Security audit.

      14. internal-notification.  A party within the organization
          reported the activity.

      15. external-notification.  A party outside of the organization
          reported the activity.

      16. leo.  A law enforcement organization notified the victim
          organization.

      17. partner.  A customer or business partner reported the
          activity to the victim organization.

      18. actor.  The threat actor directly or indirectly reported this
          activity to the victim organization.

      19. unknown.  Unknown detection approach.

      20. ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-source
      Optional.  STRING.  A means by which to extend the source
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.12.1.  DetectionPattern Class

   The DetectionPattern class describes a configuration or signature
   that can be used by an IDS/IPS, SIEM, anti-virus, end-point
   protection, network analysis, malware analysis, or host forensics
   tool to identify a particular phenomenon.  This class requires the
   identification of the target application and allows the configuration
   to be described in either free-form or machine readable form.

   +------------------------+
   | DetectionPattern       |
   +------------------------+
   | ENUM restriction       |<>----------[ Application ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ DetectionConfiguration ]
   +------------------------+

                Figure 17: The DetectionPattern Class

   The DetectionPattern class is composed of three aggregate classes.

   Application
      One.  The application for which the DetectionConfiguration or
      Description is being provided.

   Description
      Zero or more.  ML_STRING.  A free-form text description of how to
      use the Application or provided DetectionConfiguration.

   DetectionConfiguration
      Zero or more.  STRING.  A machine consumable configuration to find
      a pattern of activity.

   Either an instance of the Description or DetectionConfiguration class
   MUST be present.

   The DetectionPattern class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.13.  Method Class

   The Method class describes the tactics, techniques, or procedures
   used by the intruder in the incident.  This class consists of both a
   list of references describing the attack method and a free form
   description.

   +------------------------+
   | Method                 |
   +------------------------+
   | ENUM restriction       |<>--{0..*}--[ Reference ]
   | STRING ext-restriction |<>--{0..*}--[ Description ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

                     Figure 18: The Method Class

   The Method class is composed of three aggregate classes.

   enum:Reference
      Zero or more.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.

   Description
      Zero or more.  ML_STRING.  A free-form text description of
      techniques, tactics, or procedures used by the intruder.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.13.1.  Reference Class

   The Reference class is an external reference to relevant information
   such as a vulnerability, IDS alert, malware sample, advisory, or
   attack technique.  A reference consists of a name, a URL to this
   reference, and an optional description.

   +-------------------------+
   | Reference               |
   +-------------------------+
   | ID observable-id        |<>--{0..1}--[ enum:ReferenceName ]
   |                         |<>--{0..*}--[ URL ]
   |                         |<>--{0..*}--[ Description ]
   +-------------------------+

                    Figure 19: The Reference Class

   The aggregate classes that constitute Reference are:

   ReferenceName
      Zero or one.  Reference identifier per [RFC-ENUM].

   URL
      Zero or more.  URL.  A URL associated with the reference.

   Description
      Zero or more.  ML_STRING.  A free-form text description of this
      reference.

   At least one of these classes MUST be present.

   The Reference class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.  Assessment Class

   The Assessment class describes the repercussions of the incident to
   the victim.

   +-------------------------+
   | Assessment              |
   +-------------------------+
   | ENUM occurrence         |<>--{0..*}--[ IncidentCategory ]
   | ENUM restriction        |<>--{0..*}--[ SystemImpact ]
   | STRING ext-restriction  |<>--{0..*}--[ BusinessImpact ]
   | ID observable-id        |<>--{0..*}--[ TimeImpact ]
   |                         |<>--{0..*}--[ MonetaryImpact ]
   |                         |<>--{0..*}--[ IntendedImpact ]
   |                         |<>--{0..*}--[ Counter ]
   |                         |<>--{0..*}--[ MitigatingFactor ]
   |                         |<>--{0..1}--[ Confidence ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                     Figure 20: Assessment Class

   The aggregate classes that constitute Assessment are:

   IncidentCategory
      Zero or more.  ML_STRING.  A free-form text description
      categorizing the type of Incident.

   SystemImpact
      Zero or more.  Technical characterization of the impact of the
      activity on the victim's enterprise.

   BusinessImpact
      Zero or more.  Impact of the activity on the business functions of
      the victim organization.

   TimeImpact
      Zero or more.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or more.  Impact of the activity measured with respect to
      financial loss.

   IntendedImpact
      Zero or more.  Intended impact to the victim by the attacker.
      Identically defined as Section 3.14.2 but describes intent rather
      than the realized impact.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.

   MitigatingFactor
      Zero or one.  ML_STRING.  A description of a mitigating factor on
      an impact.

   Confidence
      Zero or one.  An estimate of confidence in the assessment.

   AdditionalData
      Zero or more.  A mechanism by which to extend the data model.

   At least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has four attributes:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.

      1.  actual.  This assessment describes activity that has occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.14.1.  SystemImpact Class

   The SystemImpact class describes the technical impact of the incident
   to the systems on the network.

   This class is based on [RFC4765].

   +-----------------------+
   | SystemImpact          |
   +-----------------------+
   | ML_STRING             |
   |                       |
   | ENUM xml:lang         |
   | STRING translation-id |
   | ENUM severity         |
   | ENUM completion       |
   | ENUM type             |
   | STRING ext-type       |
   +-----------------------+

                    Figure 21: SystemImpact Class

   The element content will be a free-form textual description of the
   impact.

   The SystemImpact class has six attributes:

   xml:lang
      Optional.  ENUM.  A language identifier.  See Section 6.

   translation-id
      Optional.  STRING.  An identifier to relate other instances of
      this class as translations of this text.  See Section 6.

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.
high. High severity 1871 completion 1872 Optional. ENUM. An indication whether the described activity was 1873 successful. The permitted values are shown below. There is no 1874 default value. 1876 1. failed. The attempted activity was not successful. 1878 2. succeeded. The attempted activity succeeded. 1880 type 1881 Required. ENUM. Classifies the impact. The permitted values are 1882 shown below. The default value is "unknown". These values are 1883 maintained in the "SystemImpact-type" IANA registry per Table 1. 1885 1. takeover-account. Control was taken of a given account 1886 (e.g., a social media account). 1888 2. takeover-service. Control was taken of a given service. 1890 3. takeover-system. Control was taken of a given system. 1892 4. cps-manipulation. A cyber physical system was manipulated. 1894 5. cps-damage. A cyber physical system was damaged. 1896 6. availability-data. Access to particular data was degraded or 1897 denied. 1899 7. availability-account. Access to an account was degraded or 1900 denied. 1902 8. availability-service. Access to a service was degraded or 1903 denied. 1905 9. availability-system. Access to a system was degraded or 1906 denied. 1908 10. damaged-system. Hardware on a system was irreparably 1909 damaged. 1911 11. damaged-data. Data on a system was deleted. 1913 12. breach-proprietary. Sensitive or proprietary information was 1914 accessed or exfiltrated. 1916 13. breach-privacy. Personally identifiable information was 1917 accessed or exfiltrated. 1919 14. breach-credential. Credential information was accessed or 1920 exfiltrated. 1922 15. breach-configuration. System configuration or data inventory 1923 was access or exfiltrated. 1925 16. integrity-data. Data on the system was modified. 1927 17. integrity-configuration. Application or system configuration 1928 was modified. 1930 18. integrity-hardware. Firmware of a hardware component was 1931 modified. 1933 19. traffic-redirection. 
Network traffic on the system was 1934 redirected 1936 20. monitoring-traffic. Network traffic emerging from a host was 1937 monitored. 1939 21. monitoring-host. System activity (e.g., running processes, 1940 keystrokes) were monitored. 1942 22. policy. Activity violated the system owner's acceptable use 1943 policy. 1945 23. unknown. The impact is unknown. 1947 24. ext-value. An escape value used to extend this attribute. 1948 See Section 5.1.1. 1950 ext-type 1951 Optional. STRING. A means by which to extend the type attribute. 1952 See Section 5.1.1. 1954 3.14.2. BusinessImpact Class 1956 The BusinessImpact class describes and characterizes the degree to 1957 which the function of the organization was impacted by the Incident. 1959 The element body describes the impact to the organization as a free- 1960 form text string. The two attributes characterize the impact. 1962 +-------------------------+ 1963 | BusinessImpact | 1964 +-------------------------+ 1965 | ML_STRING | 1966 | | 1967 | ENUM xml:lang | 1968 | STRING translation-id | 1969 | ENUM severity | 1970 | STRING ext-severity | 1971 | ENUM type | 1972 | STRING ext-type | 1973 +-------------------------+ 1975 Figure 22: BusinessImpact Class 1977 The element content will be a free-form textual description of the 1978 impact to the organization. 1980 The BusinessImpact class has four attributes: 1982 xml:lang 1983 Optional. ENUM. A language identifier. See Section 6. 1985 translation-id 1986 Optional. STRING. An identifier to relate other instances of 1987 this class as translations of this text. See Section 6. 1989 severity 1990 Optional. ENUM. Characterizes the severity of the incident on 1991 business functions. The permitted values are shown below. They 1992 were derived from Table 3-2 of [NIST800.61rev2]. The default 1993 value is "unknown". These values are maintained in the 1994 "BusinessImpact-severity" IANA registry per Table 1. 1996 1. none. 
No effect to the organization's ability to provide all 1997 services to all users. 1999 2. low. Minimal effect as the organization can still provide all 2000 critical services to all users but has lost efficiency. 2002 3. medium. The organization has lost the ability to provide a 2003 critical service to a subset of system users. 2005 4. high. The organization is no longer able to provide some 2006 critical services to any users. 2008 5. unknown. The impact is not known. 2010 6. ext-value. An escape value used to extend this attribute. 2011 See Section 5.1.1. 2013 ext-severity 2014 Optional. STRING. A means by which to extend the severity 2015 attribute. See Section 5.1.1. 2017 type 2018 Required. ENUM. Characterizes the effect this incident had on 2019 the business. The permitted values are shown below. There is no 2020 default value. These values are maintained in the 2021 "BusinessImpact-type" IANA registry per Table 1. 2023 1. breach-proprietary. Sensitive or proprietary information was 2024 accessed or exfiltrated. 2026 2. breach-privacy. Personally identifiable information was 2027 accessed or exfiltrated. 2029 3. breach-credential. Credential information was accessed or 2030 exfiltrated. 2032 4. loss-of-integrity. Sensitive or proprietary information was 2033 changed or deleted. 2035 5. loss-of-service. Service delivery was disrupted. 2037 6. theft-financial. Money was stolen. 2039 7. theft-service. Services were misappropriated. 2041 8. degraded-reputation. The reputation of the organization's 2042 brand was diminished. 2044 9. asset-damage. A cyber-physical system was damaged. 2046 10. asset-manipulation. A cyber-physical system was manipulated. 2048 11. legal. The incident resulted in legal or regulatory action. 2050 12. extortion. The incident resulted in actors extorting the 2051 victim organization. 2053 13. ext-value. An escape value used to extend this attribute. 2054 See Section 5.1.1. 2056 ext-type 2057 Optional. STRING. 
A means by which to extend the type attribute. 2058 See Section 5.1.1. 2060 3.14.3. TimeImpact Class 2062 The TimeImpact class describes the impact of the incident on an 2063 organization as a function of time. It provides a way to convey down 2064 time and recovery time. 2066 +---------------------+ 2067 | TimeImpact | 2068 +---------------------+ 2069 | REAL | 2070 | | 2071 | ENUM severity | 2072 | ENUM metric | 2073 | STRING ext-metrics | 2074 | ENUM duration | 2075 | STRING ext-duration | 2076 +---------------------+ 2078 Figure 23: TimeImpact Class 2080 The element content is a positive, floating point (REAL) number 2081 specifying a unit of time. The duration and metric attributes will 2082 imply the semantics of the element content. 2084 The TimeImpact class has five attributes: 2086 severity 2087 Optional. ENUM. An estimate of the relative severity of the 2088 activity. The permitted values are shown below. There is no 2089 default value. 2091 1. low. Low severity 2093 2. medium. Medium severity 2095 3. high. High severity 2097 metric 2098 Required. ENUM. Defines the metric in which the time is 2099 expressed. The permitted values are shown below. There is no 2100 default value. These values are maintained in the "TimeImpact- 2101 metric" IANA registry per Table 1. 2103 1. labor. Total staff-time to recovery from the activity (e.g., 2104 2 employees working 4 hours each would be 8 hours). 2106 2. elapsed. Elapsed time from the beginning of the recovery to 2107 its completion (i.e., wall-clock time). 2109 3. downtime. Duration of time for which some provided service(s) 2110 was not available. 2112 4. ext-value. An escape value used to extend this attribute. 2113 See Section 5.1.1. 2115 ext-metric 2116 Optional. STRING. A means by which to extend the metric 2117 attribute. See Section 5.1.1. 2119 duration 2120 Optional. ENUM. 
Defines a unit of time, that when combined with 2121 the metric attribute, fully describes a metric of impact that will 2122 be conveyed in the element content. The permitted values are 2123 shown below. The default value is "hour". These values are 2124 maintained in the "TimeImpact-duration" IANA registry per Table 1. 2126 1. second. The unit of the element content is seconds. 2128 2. minute. The unit of the element content is minutes. 2130 3. hour. The unit of the element content is hours. 2132 4. day. The unit of the element content is days. 2134 5. month. The unit of the element content is months. 2136 6. quarter. The unit of the element content is quarters. 2138 7. year. The unit of the element content is years. 2140 8. ext-value. An escape value used to extend this attribute. 2141 See Section 5.1.1. 2143 ext-duration 2144 Optional. STRING. A means by which to extend the duration 2145 attribute. See Section 5.1.1. 2147 3.14.4. MonetaryImpact Class 2149 The MonetaryImpact class describes the financial impact of the 2150 activity on an organization. For example, this impact may consider 2151 losses due to the cost of the investigation or recovery, diminished 2152 productivity of the staff, or a tarnished reputation that will affect 2153 future opportunities. 2155 +------------------+ 2156 | MonetaryImpact | 2157 +------------------+ 2158 | REAL | 2159 | | 2160 | ENUM severity | 2161 | STRING currency | 2162 +------------------+ 2164 Figure 24: MonetaryImpact Class 2166 The element content is a positive, floating point number (REAL) 2167 specifying a unit of currency described in the currency attribute. 2169 The MonetaryImpact class has two attributes: 2171 severity 2172 Optional. ENUM. An estimate of the relative severity of the 2173 activity. The permitted values are shown below. There is no 2174 default value. 2176 1. low. Low severity 2178 2. medium. Medium severity 2180 3. high. High severity 2182 currency 2183 Optional. STRING. 
Defines the currency in which the monetary 2184 impact is expressed. The permitted values are defined in "Codes 2185 for the representation of currencies and funds" of [ISO4217]. 2186 There is no default value. 2188 3.14.5. Confidence Class 2190 The Confidence class represents a best estimate of the validity and 2191 accuracy of the described impact (see Section 3.14) of the incident 2192 activity. This estimate can be expressed as a category or a numeric 2193 calculation. 2195 This class if based upon [RFC4765]. 2197 +------------------+ 2198 | Confidence | 2199 +------------------+ 2200 | REAL | 2201 | | 2202 | ENUM rating | 2203 +------------------+ 2205 Figure 25: Confidence Class 2207 The element content expresses a numerical assessment in the 2208 confidence of the data when the value of the rating attribute is 2209 "numeric". Otherwise, this element MUST be empty. 2211 The Confidence class has one attribute. 2213 rating 2214 Required. ENUM. A rating of the analytical validity of the 2215 specified Assessment. The permitted values are shown below. 2216 There is no default value. 2218 1. low. Low confidence in the validity. 2220 2. medium. Medium confidence in the validity. 2222 3. high. High confidence in the validity. 2224 4. numeric. The element content contains a number that conveys 2225 the confidence of the data. The semantics of this number 2226 outside the scope of this specification. 2228 5. unknown. The confidence rating value is not known. 2230 3.15. History Class 2232 The History class is a log of the significant events or actions 2233 performed by the involved parties during the course of handling the 2234 incident. 2236 The level of detail maintained in this log is left up to the 2237 discretion of those handling the incident. 
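   Several of the requirements in Sections 3.12.1 through 3.14.5 above are stated with MUST but cannot be expressed by an XML schema: DetectionPattern, Method and Reference each need at least one of a set of children, an Assessment needs at least one impact class, TimeImpact and MonetaryImpact content must be a positive REAL, and a Confidence element must be empty unless its rating is "numeric". The following checker is an added example and is not code from this draft or the IODEF schema. Element and attribute names follow the draft; the sample documents are constructed. One interpretation is made explicit in a comment: the text names "Impact, TimeImpact, or MonetaryImpact" while the figure shows SystemImpact and BusinessImpact, so any of the four impact classes is accepted.

```python
"""Checks for IODEF v2 constraints the schema cannot express (added example)."""
import xml.etree.ElementTree as ET

# Any of these satisfies "at least one impact class" in an Assessment.  The
# draft's text lists Impact, TimeImpact and MonetaryImpact while its figure
# shows SystemImpact and BusinessImpact; all four are accepted here.
IMPACT_CLASSES = ("SystemImpact", "BusinessImpact", "TimeImpact", "MonetaryImpact")
CONFIDENCE_RATINGS = {"low", "medium", "high", "numeric", "unknown"}

# Classes that require at least one child out of a set (Sections 3.12.1, 3.13, 3.13.1).
ONE_OF_RULES = {
    "DetectionPattern": ("Description", "DetectionConfiguration"),
    "Method": ("Reference", "Description"),
    "Reference": ("ReferenceName", "URL", "Description"),
}


def local(tag):
    """Local name of a tag; real IODEF documents carry a namespace ({uri}Name)."""
    return tag.rsplit("}", 1)[-1]


def kids(elem, *names):
    """Direct children of elem whose local name is one of names."""
    return [c for c in elem if local(c.tag) in names]


def text_of(elem):
    return (elem.text or "").strip()


def positive_real(elem, problems):
    """TimeImpact and MonetaryImpact element content is a positive REAL."""
    try:
        value = float(text_of(elem))
    except ValueError:
        value = -1.0
    if value <= 0:
        problems.append(f"{local(elem.tag)}: element content must be a positive REAL")
        return None
    return value


def check_assessment(assessment):
    """Constraints of Section 3.14 and its impact and Confidence subclasses."""
    problems = []
    if not kids(assessment, *IMPACT_CLASSES):
        problems.append("Assessment: at least one impact class MUST be present")
    for impact in kids(assessment, "SystemImpact", "BusinessImpact"):
        if impact.get("type") is None:          # type is Required on both classes
            problems.append(f"{local(impact.tag)}: type attribute is required")
    for ti in kids(assessment, "TimeImpact"):
        positive_real(ti, problems)
        if ti.get("metric") is None:            # metric Required; duration defaults to "hour"
            problems.append("TimeImpact: metric attribute is required")
    for mi in kids(assessment, "MonetaryImpact"):
        positive_real(mi, problems)
    for conf in kids(assessment, "Confidence"):
        rating = conf.get("rating")
        if rating not in CONFIDENCE_RATINGS:
            problems.append("Confidence: rating attribute is required")
        elif rating == "numeric":
            try:
                float(text_of(conf))
            except ValueError:
                problems.append("Confidence: rating 'numeric' requires numeric element content")
        elif text_of(conf):
            problems.append("Confidence: element content MUST be empty unless rating is 'numeric'")
    return problems


def check_document(xml_text):
    """Return the list of violations found anywhere in the document (empty = passes)."""
    root = ET.fromstring(xml_text)
    problems = []
    for elem in root.iter():
        name = local(elem.tag)
        if name in ONE_OF_RULES and not kids(elem, *ONE_OF_RULES[name]):
            wanted = ", ".join(ONE_OF_RULES[name])
            problems.append(f"{name}: at least one of {wanted} MUST be present")
        if name == "Assessment":
            problems.extend(check_assessment(elem))
    return problems


# Constructed samples: GOOD satisfies every rule, BAD violates three of them.
GOOD = """<EventData>
  <Method><Reference><URL>https://www.example.com/advisory/1</URL></Reference></Method>
  <Assessment occurrence="actual">
    <SystemImpact type="takeover-account" severity="high" completion="succeeded">Webmail account taken over</SystemImpact>
    <TimeImpact metric="downtime">6</TimeImpact>
    <Confidence rating="numeric">0.8</Confidence>
  </Assessment>
</EventData>"""

BAD = """<EventData>
  <Method><Reference/></Method>
  <Assessment>
    <Confidence rating="high">0.9</Confidence>
  </Assessment>
</EventData>"""

if __name__ == "__main__":
    print(check_document(GOOD))   # []
    for problem in check_document(BAD):
        print("-", problem)
```

   Running it on BAD reports the empty Reference, the Assessment without any impact class, and the Confidence that carries content despite a non-numeric rating, in document order.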
   +------------------------+
   | History                |
   +------------------------+
   | ENUM restriction       |<>--{1..*}--[ HistoryItem ]
   | STRING ext-restriction |
   +------------------------+

                    Figure 26: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many. Entry in the history log of significant events or actions performed by the involved parties.

   The History class has two attributes:

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is "default".

   ext-restriction
      Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

3.15.1. HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.15) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form description, but each can be categorized with the type attribute.

   +-------------------------+
   | HistoryItem             |
   +-------------------------+
   | ENUM restriction        |<>----------[ DateTime ]
   | STRING ext-restriction  |<>--{0..1}--[ IncidentId ]
   | ENUM action             |<>--{0..1}--[ Contact ]
   | STRING ext-action       |<>--{0..*}--[ Description ]
   | ID observable-id        |<>--{0..*}--[ DefinedCOA ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                    Figure 27: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the action described in the Description was taken).

   IncidentID
      Zero or One. In a history log created by multiple parties, the IncidentID provides a mechanism to specify which CSIRT created a particular entry and references this organization's incident tracking number. When a single organization is maintaining the log, this class can be ignored.

   Contact
      Zero or One. Provides contact information for the person who performed the action documented in this class.

   Description
      Zero or more. ML_STRING. A free-form textual description of the action or event.

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the sender and recipient of this document that references a course of action. This class MUST be present if the action attribute is set to "defined-coa".

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The HistoryItem class has five attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

   action
      Required. ENUM. Classifies a performed action or occurrence documented in this history log entry. As activity will likely have been instigated either through a previously conveyed expectation or internal investigation, this attribute is identical to the action attribute of the Expectation class. The difference is only one of tense. When an action is in this class, it has been completed. See Section 3.17.

   ext-action
      Optional. STRING. A means by which to extend the action attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.16. EventData Class

   The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.
   +-------------------------+
   | EventData               |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | STRING ext-restriction  |<>--{0..1}--[ DetectTime ]
   | ID observable-id        |<>--{0..1}--[ StartTime ]
   |                         |<>--{0..1}--[ EndTime ]
   |                         |<>--{0..1}--[ RecoveryTime ]
   |                         |<>--{0..1}--[ ReportTime ]
   |                         |<>--{0..*}--[ Contact ]
   |                         |<>--{0..*}--[ Discovery ]
   |                         |<>--{0..1}--[ Assessment ]
   |                         |<>--{0..*}--[ Method ]
   |                         |<>--{0..*}--[ Flow ]
   |                         |<>--{0..*}--[ Expectation ]
   |                         |<>--{0..1}--[ Record ]
   |                         |<>--{0..*}--[ EventData ]
   |                         |<>--{0..*}--[ AdditionalData ]
   +-------------------------+

                   Figure 28: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more. ML_STRING. A free-form textual description of the event.

   DetectTime
      Zero or one. The time the event was detected.

   StartTime
      Zero or one. The time the event started.

   EndTime
      Zero or one. The time the event ended.

   RecoveryTime
      Zero or one. The time the site recovered from the event.

   ReportTime
      One. The time the event was reported.

   Contact
      Zero or more. Contact information for the parties involved in the event.

   Discovery
      Zero or more. The means by which the event was detected.

   Assessment
      Zero or one. The impact of the event on the target and the actions taken.

   Method
      Zero or more. The technique used by the intruder in the event.

   Flow
      Zero or more. A description of the systems or networks involved.

   Expectation
      Zero or more. The expected action to be performed by the recipient for the described event.

   Record
      Zero or one. Supportive data (e.g., log files) that provides additional information about the event.

   EventData
      Zero or more. EventData instances contained within another EventData instance inherit the values of the parent(s); this recursive definition can be used to group common data pertaining to multiple events. When EventData elements are defined recursively, only the leaf instances (those EventData instances not containing other EventData instances) represent actual events.

   AdditionalData
      Zero or more. An extension mechanism for data not explicitly represented in the data model.

   At least one of the aggregate classes MUST be present in an instance of the EventData class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.

   The EventData class has three attributes:

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is "default".

   ext-restriction
      Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.16.1. Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes. Nevertheless, the semantics of these classes are quite different. The Incident class provides summary information about the entire incident, while the EventData class provides information about the individual events comprising the incident. In the most common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, it may also be possible that the overall summarized information about the incident conflicts with some individual information in an EventData class when there is a substantial composition of various events in the incident. In such a case, the interpretation of the more specific EventData MUST supersede the more generic information provided in Incident.

3.16.2. Cardinality of EventData

   The EventData class can be thought of as a container for the properties of an event in an incident. These properties include: the hosts involved, impact of the incident activity on the hosts, forensic logs, etc. With an instance of the EventData class, hosts (i.e., System class) are grouped around these common properties.

   The recursive definition (or instance property inheritance) of the EventData class (the EventData class is aggregated into the EventData class) provides a way to relate information without requiring the explicit use of unique attribute identifiers in the classes or duplicating information. Instead, the relative depth (nesting) of a class is used to group (relate) information.

   For example, an EventData class might be used to describe two machines involved in an incident. This description can be achieved using multiple instances of the Flow class. It happens that there is a common technical contact (i.e., Contact class) for these two machines, but the impact (i.e., Assessment class) on them is different. A depiction of the representation for this situation can be found in Figure 29.

   +------------------+
   | EventData        |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+

               Figure 29: Recursion in the EventData Class

3.17. Expectation Class

   The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to the purview of the EventData class in which this class is aggregated.
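   A consumer of IODEF has to flatten the nesting described in Sections 3.16 and 3.16.2 above before it can act on individual events: only leaf EventData instances are events, and each leaf inherits what its enclosing instances carry. The resolver below is an added example, not code from the draft or the IODEF schema. It also applies the "at least one aggregate class" rule that the draft says the schema cannot enforce. One point is an interpretation made here rather than a statement of the draft: single-valued classes (cardinality 0..1 in Figure 28) in a nested instance supersede the parent's, multi-valued classes accumulate. The sample mirrors Figure 29 and is constructed; Contact, ContactName and Address are used as children defined elsewhere in the draft.

```python
"""Resolve nested IODEF EventData instances to actual events (added example)."""
import xml.etree.ElementTree as ET

# Aggregate classes with cardinality 0..1 in Figure 28: a nested instance's
# value supersedes the parent's.  Everything else accumulates (interpretation).
SINGLE_VALUED = {"DetectTime", "StartTime", "EndTime", "RecoveryTime",
                 "ReportTime", "Assessment", "Record"}


def local(tag):
    """Local name of a tag; real IODEF documents carry a namespace ({uri}Name)."""
    return tag.rsplit("}", 1)[-1]


def first(elem, name):
    """First element in elem's subtree (elem included) with the given local name."""
    for d in elem.iter():
        if local(d.tag) == name:
            return d
    return None


def resolve_events(event_data, inherited=None):
    """Return [(leaf EventData element, effective properties)] for the subtree.

    Properties map a local class name to the list of elements in effect for
    that event, including those inherited from enclosing EventData instances.
    """
    props = {name: list(elems) for name, elems in (inherited or {}).items()}
    own = [c for c in event_data if local(c.tag) != "EventData"]
    nested = [c for c in event_data if local(c.tag) == "EventData"]
    if not own and not nested:
        # Required by Section 3.16 but not expressible in the schema.
        raise ValueError("EventData MUST contain at least one aggregate class")
    for child in own:
        name = local(child.tag)
        if name in SINGLE_VALUED:
            props[name] = [child]               # more specific instance supersedes
        else:
            props.setdefault(name, []).append(child)
    if not nested:                              # a leaf: this is an actual event
        return [(event_data, props)]
    events = []
    for child in nested:
        events.extend(resolve_events(child, props))
    return events


def summarize(xml_text):
    """One dict per actual event, showing values inherited from enclosing instances."""
    root = ET.fromstring(xml_text)
    summary = []
    for _leaf, props in resolve_events(root):
        contacts = [(first(c, "ContactName").text or "").strip()
                    for c in props.get("Contact", []) if first(c, "ContactName") is not None]
        addresses = [(a.text or "").strip()
                     for flow in props.get("Flow", [])
                     for a in flow.iter() if local(a.tag) == "Address"]
        impact = first(props["Assessment"][0], "SystemImpact") if "Assessment" in props else None
        summary.append({
            "contacts": contacts,
            "addresses": addresses,
            "severity": impact.get("severity") if impact is not None else None,
        })
    return summary


# Constructed sample following Figure 29: one shared Contact, two nested
# events with their own Flow and Assessment.
SAMPLE = """<EventData>
  <Contact role="tech" type="organization"><ContactName>CSIRT for example.com</ContactName></Contact>
  <EventData>
    <Flow><System category="target"><Node><Address category="ipv4-addr">192.0.2.10</Address></Node></System></Flow>
    <Assessment><SystemImpact type="takeover-system" severity="high">Host compromised</SystemImpact></Assessment>
  </EventData>
  <EventData>
    <Flow><System category="target"><Node><Address category="ipv4-addr">192.0.2.11</Address></Node></System></Flow>
    <Assessment><SystemImpact type="availability-service" severity="low">Short outage</SystemImpact></Assessment>
  </EventData>
</EventData>"""

if __name__ == "__main__":
    for event in summarize(SAMPLE):
        print(event)
```

   Both leaf events come out with the shared contact attached, while each keeps its own addresses and severity; the outer EventData, which contains nested instances, is not reported as an event.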
   +-------------------------+
   | Expectation             |
   +-------------------------+
   | ENUM restriction        |<>--{0..*}--[ Description ]
   | STRING ext-restriction  |<>--{0..*}--[ DefinedCOA ]
   | ENUM severity           |<>--{0..1}--[ StartTime ]
   | ENUM action             |<>--{0..1}--[ EndTime ]
   | STRING ext-action       |<>--{0..1}--[ Contact ]
   | ID observable-id        |
   |                         |
   +-------------------------+

                  Figure 30: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or more. ML_STRING. A free-form description of the desired action(s).

   DefinedCOA
      Zero or more. ML_STRING. A unique identifier meaningful to the sender and recipient of this document that references a course of action. This class MUST be present if the action attribute is set to "defined-coa".

   StartTime
      Zero or one. The time at which the sender would like the action performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the sender would like the action performed as soon as possible. The absence of this element indicates no expectations of when the recipient would like the action performed.

   EndTime
      Zero or one. The time by which the sender expects the recipient to complete the action. If the recipient cannot complete the action before EndTime, the recipient MUST NOT carry out the action. Because of transit delays, clock drift, and so on, the sender MUST be prepared for the recipient to have carried out the action, even if it completes past EndTime.

   Contact
      Zero or one. The expected actor for the action.

   The Expectation class has six attributes:

   restriction
      Optional. ENUM. See Section 3.3.1. The default value is "default".

   ext-restriction
      Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

   severity
      Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.

      1. low. Low priority
      2. medium. Medium priority
      3. high. High priority

   action
      Optional. ENUM. Classifies the type of action requested. This attribute is an enumerated list with a default value of "other". These values are maintained in the "Expectation-action" IANA registry per Table 1.

      1. nothing. No action is requested. Do nothing with the information.
      2. contact-source-site. Contact the site(s) identified as the source of the activity.
      3. contact-target-site. Contact the site(s) identified as the target of the activity.
      4. contact-sender. Contact the originator of the document.
      5. investigate. Investigate the system(s) listed in the event.
      6. block-host. Block traffic from the machine(s) listed as sources in the event.
      7. block-network. Block traffic from the network(s) listed as sources in the event.
      8. block-port. Block the port(s) listed as sources in the event.
      9. rate-limit-host. Rate-limit the traffic from the machine(s) listed as sources in the event.
      10. rate-limit-network. Rate-limit the traffic from the network(s) listed as sources in the event.
      11. rate-limit-port. Rate-limit the port(s) listed as sources in the event.
      12. redirect-traffic. Redirect traffic from the intended recipient for further analysis.
      13. honeypot. Redirect traffic to a honeypot for further analysis.
      14. upgrade-software. Upgrade or patch the software or firmware on an asset.
      15. rebuild-asset. Reinstall the operating system or applications on an asset.
      16. harden-asset. Change the configuration of an asset (e.g., reduce the number of services or user accounts) to reduce the attack surface.
      17. remediate-other. Remediate the activity in a way other than by rate limiting or blocking.
      18. status-triage. Conveys receipt and the triaging of an incident.
      19. status-new-info. Conveys that new information was received for this incident.
      20. watch-and-report. Watch for the described activity and share if seen.
      21. training. Train users to identify or mitigate a threat.
      22. defined-coa. Perform a predefined course of action (COA). The COA is named in the DefinedCOA class.
      23. other. Perform some custom action described in the Description class.
      24. ext-value. An escape value used to extend this attribute. See Section 5.1.1.

   ext-action
      Optional. STRING. A means by which to extend the action attribute. See Section 5.1.1.

   observable-id
      Optional. ID. See Section 3.3.2.

3.18. Flow Class

   The Flow class groups the related source and target hosts.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+

                     Figure 31: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or More. A host or network involved in an event.

   The Flow class has no attributes.

3.19. System Class

   The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of "target" or "intermediary", the machine or service is the one targeted in the activity. A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.

   +------------------------+
   | System                 |
   +------------------------+
   | ENUM restriction       |<>----------[ Node ]
   | STRING ext-restriction |<>--{0..*}--[ NodeRole ]
   | ENUM category          |<>--{0..*}--[ Service ]
   | STRING ext-category    |<>--{0..*}--[ OperatingSystem ]
   | STRING interface       |<>--{0..*}--[ Counter ]
   | ENUM spoofed           |<>--{0..*}--[ AssetID ]
   | ENUM virtual           |<>--{0..*}--[ Description ]
   | ENUM ownership         |<>--{0..*}--[ AdditionalData ]
   | STRING ext-ownership   |
   |                        |
   +------------------------+

                    Figure 32: The System Class

   The aggregate classes that constitute System are:

   Node
      One. A host or network involved in the incident.

   NodeRole
      Zero or more. The intended purpose of the system.

   Service
      Zero or more. A network service running on the system.

   OperatingSystem
      Zero or more. The operating system running on the system.

   Counter
      Zero or more. A counter with which to summarize properties of this host or network.

   AssetID
      Zero or more. An asset identifier for the System.

   Description
      Zero or more. ML_STRING. A free-form text description of the System.

   AdditionalData
      Zero or more. A mechanism by which to extend the data model.

   The System class has nine attributes:

   restriction
      Optional. ENUM. See Section 3.3.1.

   ext-restriction
      Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.

   category
      Optional. ENUM. Classifies the role the host or network played in the incident. These values are maintained in the "System-category" IANA registry per Table 1. The possible values are:

      1. source. The System was the source of the event.
      2. target. The System was the target of the event.
      3. intermediate. The System was an intermediary in the event.
      4. sensor. The System was a sensor monitoring the event.
      5. infrastructure. The System was an infrastructure node of IODEF document exchange.
      6. ext-value. An escape value used to extend this attribute. See Section 5.1.1.

   ext-category
      Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.

   interface
      Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.

   spoofed
      Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".

      1. unknown. The accuracy of the category attribute value is unknown.
      2. yes. The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
      3. no. The category attribute value is believed to be correct.

   virtual
      Optional. ENUM. Indicates whether this System is a virtual or physical device. The default value is "unknown". The possible values are:

      1. yes. The System is a virtual device.
      2. no. The System is a physical device.
      3. unknown. It is not known if the System is virtual.

   ownership
      Optional. ENUM. Describes the ownership of this System relative to the sender of the IODEF document. These values are maintained in the "System-ownership" IANA registry per Table 1. The possible values are:

      1. organization. The System is owned by the organization.
      2. personal. The System is owned by an employee or affiliate of the organization.
      3. partner. The System is owned by a partner of the organization.
      4. customer. The System is owned by a customer of the organization.
      5. no-relationship. The System is owned by an entity that has no known relationship with the organization.
      6. unknown. The ownership of the System is unknown.
      7. ext-value. An escape value used to extend this attribute. See Section 5.1.1.

   ext-ownership
      Optional. STRING. A means by which to extend the ownership attribute. See Section 5.1.1.

3.20. Node Class

   The Node class names an asset or network.

   This class was derived from [RFC4765].

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..*}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+

                     Figure 33: The Node Class

   The aggregate classes that constitute Node are:

   DomainData
      Zero or more. The detailed domain (DNS) information associated with this Node. If an Address is not provided, at least one DomainData MUST be specified.

   Address
      Zero or more. The hardware, network, or application address of the Node. If a DomainData is not provided, at least one Address MUST be specified.

   PostalAddress
      Zero or one. The postal address of the asset.

   Location
      Zero or more. ML_STRING. A free-form description of the physical location of the Node. This description may provide a more detailed description of where in the PostalAddress this Node is found (e.g., room number, rack number, slot number in a chassis).

   Counter
      Zero or more. A counter with which to summarize properties of this host or network.

   The Node class has no attributes.

3.20.1. Address Class

   The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.

   This class was derived from [RFC4765].
              +-------------------------+
              | Address                 |
              +-------------------------+
              | ENUM category           |
              | STRING ext-category     |
              | STRING vlan-name        |
              | INTEGER vlan-num        |
              | ID observable-id        |
              +-------------------------+

                    Figure 34: The Address Class

   The Address class has five attributes:

   category
      Optional.  ENUM.  The type of address represented.  The permitted
      values for this attribute are shown below.  The default value is
      "ipv4-addr".  These values are maintained in the
      "Address-category" IANA registry per Table 1.

      1.   asn.  Autonomous System Number

      2.   atm.  Asynchronous Transfer Mode (ATM) address

      3.   e-mail.  Electronic mail address (RFC 822)

      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
           (a.b.c.d)

      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
           slash, significant bits (a.b.c.d/nn)

      6.   ipv4-net-mask.  IPv4 network address in dotted-decimal
           notation, slash, network mask in dotted-decimal notation
           (a.b.c.d/w.x.y.z)

      7.   ipv6-addr.  IPv6 host address

      8.   ipv6-net.  IPv6 network address, slash, significant bits

      9.   ipv6-net-mask.  IPv6 network address, slash, network mask

      10.  mac.  Media Access Control (MAC) address

      11.  site-uri.  A URL or URI for a resource.

      12.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   vlan-name
      Optional.  STRING.  The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional.  INTEGER.  The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.20.2.  NodeRole Class

   The NodeRole class describes the function performed by a particular .

                +---------------------+
                | NodeRole            |
                +---------------------+
                | ENUM category       |
                | STRING ext-category |
                | ENUM xml:lang       |
                +---------------------+

                    Figure 35: The NodeRole Class

   The NodeRole class has three attributes:

   category
      Required.  ENUM.  Functionality provided by a node.  These values
      are maintained in the "NodeRole-category" IANA registry per
      Table 1.

      1.   client.  Client computer

      2.   client-enterprise.  Client computer on the enterprise network

      3.   client-partner.  Client computer on the network of a partner

      4.   client-remote.  Client computer remotely connected to the
           enterprise network

      5.   client-kiosk.  Client computer that serves as a kiosk

      6.   client-mobile.  Client is a mobile device

      7.   server-internal.  Server with internal services

      8.   server-public.  Server with public services

      9.   www.  WWW server

      10.  mail.  Mail server

      11.  webmail.  Web mail server

      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM)

      13.  streaming.  Streaming-media server

      14.  voice.  Voice server (e.g., SIP, H.323)

      15.  file.  File server (e.g., SMB, CVS, AFS)

      16.  ftp.  FTP server

      17.  p2p.  Peer-to-peer node

      18.  name.  Name server (e.g., DNS, WINS)

      19.  directory.  Directory server (e.g., LDAP, finger, whois)

      20.  credential.  Credential server (e.g., domain controller,
           Kerberos)

      21.  print.  Print server

      22.  application.  Application server

      23.  database.  Database server

      24.  backup.  Backup server

      25.  dhcp.  DHCP server

      26.  assessment.  Assessment server (e.g., vulnerability scanner,
           end-point assessment)

      27.  source-control.  Source code control server

      28.  config-management.  Configuration management server

      29.  monitoring.  Security monitoring server (e.g., IDS)

      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP)

      31.  infra-firewall.  Firewall

      32.  infra-router.  Router

      33.  infra-switch.  Switch

      34.  camera.  Camera and video system

      35.  proxy.  Proxy server

      36.  remote-access.  Remote access server

      37.  log.  Log server (e.g., syslog)

      38.  virtualization.  Server running virtual machines

      39.  pos.  Point-of-sale device

      40.  scada.  Supervisory control and data acquisition system

      41.  scada-supervisory.  Supervisory system for a SCADA

      42.  sinkhole.  Traffic sinkhole destination

      43.  honeypot.  Honeypot server

      44.  anonymization.  Anonymization server (e.g., Tor node)

      45.  c2.  Malicious command and control server

      46.  malware-distribution.  Server that distributes malware

      47.  drop-server.  Server to which exfiltrated content is
           uploaded.

      48.  hop-point.  Intermediary server used to get to a victim.

      49.  reflector.  A system used in a reflector attack.

      50.  phishing-site.  Site hosting phishing content

      51.  spear-phishing-site.  Site hosting spear-phishing content

      52.  recruiting-site.  Site to recruit

      53.  fraudulent-site.  Fraudulent site.

      54.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   xml:lang
      Optional.  ENUM.  A language identifier per Section 2.12 of
      [W3C.XML] whose values and form are described in [RFC5646].  The
      interpretation of this code is described in Section 6.

3.20.3.  Counter Class

   The Counter class summarizes multiple occurrences of some event, or
   conveys counts or rates on various features (e.g., packets, sessions,
   events).

   The value of the counter is the element content, with its units
   represented in the type attribute.  A rate for a given feature can be
   expressed by setting the duration attribute.  The complete semantics
   are entirely context dependent, based on the class in which the
   Counter is aggregated.
                +---------------------+
                | Counter             |
                +---------------------+
                | REAL                |
                |                     |
                | ENUM type           |
                | STRING ext-type     |
                | STRING meaning      |
                | ENUM duration       |
                | STRING ext-duration |
                +---------------------+

                    Figure 36: The Counter Class

   The Counter class has five attributes:

   type
      Required.  ENUM.  Specifies the units of the element content.
      These values are maintained in the "Counter-type" IANA registry
      per Table 1.

      1.   byte.  Count of bytes.

      2.   packet.  Count of packets.

      3.   flow.  Count of network flow records.

      4.   session.  Count of sessions.

      5.   alert.  Count of notifications generated by another system
           (e.g., IDS or SIM).

      6.   message.  Count of messages (e.g., mail messages).

      7.   event.  Count of events.

      8.   host.  Count of hosts.

      9.   site.  Count of sites.

      10.  organization.  Count of organizations.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form description of the metric
      represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate
      rather than a count over the entire event.  In that case, this
      attribute specifies the denominator of the rate (where the type
      attribute specifies the numerator).  The possible values of this
      attribute are defined in Section 3.14.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.21.  DomainData Class

   The DomainData class describes a domain name and meta-data associated
   with this domain.

           +--------------------------+
           | DomainData               |
           +--------------------------+
           | ENUM system-status       |<>----------[ Name ]
           | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
           | ENUM domain-status       |<>--{0..1}--[ RegistrationDate ]
           | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
           | ID observable-id         |<>--{0..*}--[ RelatedDNS ]
           |                          |<>--{0..*}--[ Nameservers ]
           |                          |<>--{0..1}--[ DomainContacts ]
           |                          |
           +--------------------------+

                   Figure 37: The DomainData Class

   The aggregate classes that constitute DomainData are:

   Name
      One.  STRING.  The domain name of the Node (e.g., fully qualified
      domain name).

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the Name was
      resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name is set to expire.

   RelatedDNS
      Zero or more.  Additional DNS records associated with this domain.

   Nameservers
      Zero or more.  The name servers identified for the domain listed
      in Name.

   DomainContacts
      Zero or one.  Contact information for the domain listed in Name
      supplied by the registrar or through a whois query.

   The DomainData class has five attributes:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.
      These values are maintained in the "DomainData-system-status" IANA
      registry per Table 1.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain is known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at
      the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the
      "DomainData-domain-status" IANA registry per Table 1.

      1.   reservedDelegation.  The domain is permanently inactive.

      2.   assignedAndActive.  The domain is in a normal state.

      3.   assignedAndInactive.  The domain has an assigned registration
           but the delegation is inactive.

      4.   assignedAndOnHold.  The domain is under dispute.

      5.   revoked.  The domain is in the process of being purged from
           the database.

      6.   transferPending.  The domain is pending a change in
           authority.

      7.   registryLock.  The domain is on hold by the registry.

      8.   registrarLock.  Same as "registryLock".

      9.   other.  The domain has a known status, but it is not one of
           the predefined enumerated values.

      10.  unknown.  The domain has an unknown status.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.21.1.  RelatedDNS

   The RelatedDNS class describes additional record types associated
   with a given domain name.  The record type is described in the
   record-type attribute, and the value of the record is the element
   content.  ... TODO Issue #39 ...
                +----------------------+
                | RelatedDNS           |
                +----------------------+
                | STRING               |
                |                      |
                | ENUM record-type     |
                +----------------------+

                   Figure 38: The RelatedDNS Class

   The RelatedDNS class has one attribute:

   record-type
      Required.  ENUM.  The DNS record type.  ... TODO values need to be
      listed ...

3.21.2.  Nameservers Class

   The Nameservers class describes the name servers associated with a
   given domain.

                 +--------------------+
                 | Nameservers        |
                 +--------------------+
                 |                    |<>----------[ Server ]
                 |                    |<>--{1..*}--[ Address ]
                 +--------------------+

                   Figure 39: The Nameservers Class

   The aggregate classes that constitute Nameservers are:

   Server
      One.  STRING.  The domain name of the name server.

   Address
      One or more.  The address of the name server.  See Section 3.20.1.

3.21.3.  DomainContacts Class

   The DomainContacts class describes the contact information for a
   given domain provided either by the registrar or through a whois
   query.

   This contact information can be explicitly described through a
   Contact class, or a reference can be provided to a domain with
   identical contact information.  Either a single SameDomainContact
   MUST be present or one or many Contact classes.

                 +--------------------+
                 | DomainContacts     |
                 +--------------------+
                 |                    |<>--{0..1}--[ SameDomainContact ]
                 |                    |<>--{1..*}--[ Contact ]
                 +--------------------+

                  Figure 40: The DomainContacts Class

   The aggregate classes that constitute DomainContacts are:

   SameDomainContact
      Zero or one.  STRING.  A domain name already cited in this
      document or through a previous exchange that contains the
      identical contact information as the domain name in question.  The
      domain contact information associated with this domain should be
      used in lieu of explicit definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See
      Section 3.10.

3.22.  Service Class

   The Service class describes a network service of a host or network.
   The service is identified by a specific port or list of ports, along
   with the application listening on that port.

   When Service occurs as an aggregate class of a System that is a
   source, then this service is the one from which activity of interest
   is originating.  Conversely, when Service occurs as an aggregate
   class of a System that is a target, then that service is the one to
   which activity of interest is directed.

   This class was derived from [RFC4765].

              +-------------------------+
              | Service                 |
              +-------------------------+
              | INTEGER ip-protocol     |<>--{0..1}--[ Port ]
              | ID observable-id        |<>--{0..1}--[ Portlist ]
              |                         |<>--{0..1}--[ ProtoCode ]
              |                         |<>--{0..1}--[ ProtoType ]
              |                         |<>--{0..1}--[ ProtoField ]
              |                         |<>--{0..*}--[ ApplicationHeader ]
              |                         |<>--{0..1}--[ EmailData ]
              |                         |<>--{0..1}--[ Application ]
              +-------------------------+

                    Figure 41: The Service Class

   The aggregate classes that constitute Service are:

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted
      according to Section 2.10.

   ProtoCode
      Zero or one.  INTEGER.  A transport layer (layer 4)
      protocol-specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4)
      protocol-specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4)
      protocol-specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or more.  An application layer (layer 7) protocol header.
      See Section 3.22.1.

   EmailData
      Zero or one.  Headers associated with an email.  See Section 3.24.

   Application
      Zero or one.  The application bound to the specified Port or
      Portlist.  See Section 3.22.2.

   Either a Port or Portlist class MUST be specified for a given
   instance of a Service class.

   When a System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an implicit
   relationship between these Portlists exists.  If N ports are listed
   for a System@category="source", and M ports are listed for a
   System@category="target", N must be equal to M.  Likewise, the ports
   MUST be listed in an identical sequence such that the n-th port in
   the source corresponds to the n-th port of the target.  If N is
   greater than 1, a given instance of a Flow class MUST only have a
   single instance of a System@category="source" and a single instance
   of a System@category="target".

   The Service class has two attributes:

   ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per
      [IANA.Protocols].

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.1.  ApplicationHeader Class

   The ApplicationHeader class allows the representation of arbitrary
   fields from an application layer protocol header and their
   corresponding values.

             +--------------------------+
             | ApplicationHeader        |
             +--------------------------+
             | ANY                      |
             |                          |
             | INTEGER proto            |
             | STRING field             |
             | ENUM dtype               |
             | STRING ext-dtype         |
             | ID observable-id         |
             +--------------------------+

                Figure 42: The ApplicationHeader Class

   The ApplicationHeader class has five attributes:

   proto
      Required.  INTEGER.  The IANA assigned port number per
      [IANA.Ports] corresponding to the application layer protocol whose
      field will be represented.

   field
      Required.  STRING.  The name of the protocol field whose value
      will be found in the element body.
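   The Portlist correspondence rule of the Service class is easy to get
   wrong when a Flow is generated by a tool and consumed by another: a
   mismatch in list length silently breaks the n-th-source-to-n-th-
   target pairing.  The Python below is an added example, not code from
   the draft or from any IODEF implementation, that checks one Flow for
   the three constraints stated in Section 3.22 (every Service has a
   Port or Portlist; a lone source and target Portlist have equal
   length; a multi-port list only appears with exactly one source and
   one target System) and returns the implied port pairs.  The PORTLIST
   syntax it accepts (comma-separated ports and lo-hi ranges), the
   namespace URI and the two sample Flows are assumptions constructed
   for the example; Section 2.10 defines the real PORTLIST format.

```python
"""Check the Flow/Service Portlist correspondence rule (Section 3.22).

Added example, not code from the draft.  The PORTLIST syntax, the
namespace URI and the sample Flows are assumptions for this example.
"""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:example:iodef-placeholder"  # assumed; not the draft's URI
NS = {"iodef": IODEF_NS}


def expand_portlist(text):
    """Expand '80,443,8000-8002' into [80, 443, 8000, 8001, 8002], order kept."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        start, end = int(lo), (int(hi) if sep else int(lo))
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.extend(range(start, end + 1))
    return ports


def service_ports(service):
    """Ports named by one Service, or None when it has neither Port nor Portlist."""
    port = service.find("iodef:Port", NS)
    if port is not None:
        return [int(port.text)]
    portlist = service.find("iodef:Portlist", NS)
    if portlist is not None:
        return expand_portlist(portlist.text or "")
    return None


def check_flow(flow):
    """Return (problems, pairs) for one Flow element.

    pairs holds (source_port, target_port) tuples and is filled only when
    the Flow has exactly one source and one target port list.
    """
    problems, lists = [], {"source": [], "target": []}
    for system in flow.findall("iodef:System", NS):
        role = system.get("category")
        for service in system.findall("iodef:Service", NS):
            ports = service_ports(service)
            if ports is None:
                problems.append(f"Service in {role} System has neither Port nor Portlist")
            elif role in lists:
                lists[role].append(ports)  # one entry per Service naming ports
    sources, targets = lists["source"], lists["target"]
    if not sources or not targets:
        return problems, []  # nothing to correlate
    if len(sources) == 1 and len(targets) == 1:
        src, dst = sources[0], targets[0]
        if len(src) != len(dst):
            problems.append(f"source lists {len(src)} ports but target lists {len(dst)}")
            return problems, []
        return problems, list(zip(src, dst))  # n-th source <-> n-th target
    if any(len(p) > 1 for p in sources + targets):
        problems.append("multi-port list in a Flow with several source/target Systems")
    return problems, []


def check_flow_text(xml_text):
    """Parse XML_TEXT as a Flow element and run check_flow on it."""
    return check_flow(ET.fromstring(xml_text))


# Constructed samples using documentation addresses.
GOOD_FLOW = f"""<Flow xmlns="{IODEF_NS}">
  <System category="source">
    <Node><Address category="ipv4-addr">203.0.113.7</Address></Node>
    <Service ip-protocol="6"><Portlist>10000-10002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Four source ports against three target ports, plus a Service with no port.
BAD_FLOW = f"""<Flow xmlns="{IODEF_NS}">
  <System category="source">
    <Node><Address category="ipv4-addr">203.0.113.7</Address></Node>
    <Service ip-protocol="6"><Portlist>10000-10003</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.20</Address></Node>
    <Service ip-protocol="6"><Portlist>22,80,443</Portlist></Service>
    <Service ip-protocol="17"></Service>
  </System>
</Flow>"""

if __name__ == "__main__":
    print(check_flow_text(GOOD_FLOW))
    print(check_flow_text(BAD_FLOW))
```

   For GOOD_FLOW the checker returns no problems and the pairs
   (10000, 22), (10001, 80), (10002, 443); for BAD_FLOW it reports the
   Service lacking a Port or Portlist and the 4-versus-3 length mismatch
   and returns no pairs, which is the point at which a consumer should
   stop trusting the Flow's port correlation.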
   dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.   boolean.  The element content is of type BOOLEAN.

      2.   byte.  The element content is of type BYTE.

      3.   bytes.  The element content is of type HEXBIN.

      4.   character.  The element content is of type CHARACTER.

      5.   date-time.  The element content is of type DATETIME.

      6.   integer.  The element content is of type INTEGER.

      7.   portlist.  The element content is of type PORTLIST.

      8.   real.  The element content is of type REAL.

      9.   string.  The element content is of type STRING.

      10.  file.  The element content is a base64 encoded binary file
           encoded as a BYTE[] type.

      11.  path.  The element content is a file-system path encoded as a
           STRING type.

      12.  xml.  The element content is XML.  See Section 5.

      13.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.1.

   ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.22.2.  Application Class

   The Application class describes an application running on a System
   providing a Service.

                 +--------------------+
                 | Application        |
                 +--------------------+
                 | STRING swid        |<>--{0..1}--[ URL ]
                 | STRING configid    |
                 | STRING vendor      |
                 | STRING family      |
                 | STRING name        |
                 | STRING version     |
                 | STRING patch       |
                 +--------------------+

                  Figure 43: The Application Class

   The aggregate class that constitutes Application is:

   URL
      Zero or one.  URL.  A URL describing the application.

   The Application class has seven attributes:

   swid
      Optional.  STRING.  An identifier that can be used to reference
      this software, where the default value is "0".

   configid
      Optional.  STRING.  An identifier that can be used to reference a
      particular configuration of this software, where the default value
      is "0".

   vendor
      Optional.  STRING.  Vendor name of the software.

   family
      Optional.  STRING.  Family of the software.

   name
      Optional.  STRING.  Name of the software.

   version
      Optional.  STRING.  Version of the software.

   patch
      Optional.  STRING.  Patch or service pack level of the software.

3.23.  OperatingSystem Class

   The OperatingSystem class describes the operating system running on a
   System.  The definition is identical to the Application class
   (Section 3.22.2).

3.24.  EmailData Class

   The EmailData class describes headers from an email message.  Common
   headers have dedicated classes, but arbitrary headers can also be
   described.

              +-------------------------+
              | EmailData               |
              +-------------------------+
              | ID observable-id        |<>--{0..1}--[ EmailFrom ]
              |                         |<>--{0..1}--[ EmailSubject ]
              |                         |<>--{0..1}--[ EmailX-Mailer ]
              |                         |<>--{0..*}--[ EmailHeaderField ]
              |                         |<>--{0..*}--[ HashData ]
              |                         |<>--{0..*}--[ SignatureData ]
              +-------------------------+

                     Figure 44: EmailData Class

   The aggregate classes that constitute EmailData are:

   EmailFrom
      Zero or one.  The value of the "From:" header field in an email.
      See Section 3.6.2 of [RFC5322].

   EmailSubject
      Zero or one.  The value of the "Subject:" header field in an
      email.  See Section 3.6.4 of [RFC5322].

   EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an
      email.

   EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the email.
      See Section 3.22.1.  The attributes of EmailHeaderField MUST be
      set as follows: proto="25" and dtype="string".  The name of the
      email header field MUST be set in the field attribute.

   HashData
      Zero or one.  Hash(es) associated with this email.

   SignatureData
      Zero or one.  Signature(s) associated with this email.

   The EmailData class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  Record Class

   The Record class is a container class for log and audit data that
   provides supportive information about the incident.  The source of
   this data will often be the output of monitoring tools.  These logs
   substantiate the activity described in the document.

              +------------------------+
              | Record                 |
              +------------------------+
              | ENUM restriction       |<>--{1..*}--[ RecordData ]
              | STRING ext-restriction |
              +------------------------+

                      Figure 45: Record Class

   The aggregate class that constitutes Record is:

   RecordData
      One or more.  Log or audit data generated by a particular type of
      sensor.  Separate instances of the RecordData class SHOULD be used
      for each sensor type.

   The Record class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.25.1.  RecordData Class

   The RecordData class groups log or audit data from a given sensor
   (e.g., IDS, firewall log) and provides a way to annotate the output.

              +------------------------+
              | RecordData             |
              +------------------------+
              | ENUM restriction       |<>--{0..1}--[ DateTime ]
              | STRING ext-restriction |<>--{0..*}--[ Description ]
              | ID observable-id       |<>--{0..1}--[ Application ]
              |                        |<>--{0..*}--[ RecordPattern ]
              |                        |<>--{0..*}--[ RecordItem ]
              |                        |<>--{0..*}--[ FileData ]
              |                        |<>--{0..*}--[ CertificateData ]
              |                        |<>--{0..*}--
              |                        |     [ WindowsRegistryKeysModified ]
              |                        |<>--{0..*}--[ AdditionalData ]
              +------------------------+

                   Figure 46: The RecordData Class

   The aggregate classes that constitute RecordData are:

   DateTime
      Zero or one.
Timestamp of the RecordItem data. 3674 Description 3675 Zero or more. ML_STRING. Free-form textual description of the 3676 provided RecordItem data. At minimum, this description should 3677 convey the significance of the provided RecordItem data. 3679 Application 3680 Zero or one. Information about the sensor used to generate the 3681 RecordItem data. 3683 RecordPattern 3684 Zero or more. A search string to precisely find the relevant data 3685 in a RecordItem. 3687 RecordItem 3688 Zero or more. Log, audit, or forensic data. 3690 FileData 3691 Zero or one. The file name and hash of a file indicator. 3693 WindowsRegistryKeysModified 3694 Zero or more. The registry keys that were modified that are 3695 indicator(s). 3697 AdditionalData 3698 Zero or more. An extension mechanism for data not explicitly 3699 represented in the data model. 3701 The RecordData class has three attributes: 3703 restriction 3704 Optional. ENUM. See Section 3.3.1. 3706 ext-restriction 3707 Optional. STRING. A means by which to extend the restriction 3708 attribute. See Section 5.1.1. 3710 observable-id 3711 Optional. ID. See Section 3.3.2. 3713 3.25.2. RecordPattern Class 3715 The RecordPattern class describes where in the content of the 3716 RecordItem relevant information can be found. It provides a way to 3717 reference subsets of information, identified by a pattern, in a large 3718 log file, audit trail, or forensic data. 3720 +-----------------------+ 3721 | RecordPattern | 3722 +-----------------------+ 3723 | STRING | 3724 | | 3725 | ENUM type | 3726 | STRING ext-type | 3727 | INTEGER offset | 3728 | ENUM offsetunit | 3729 | STRING ext-offsetunit | 3730 | INTEGER instance | 3731 +-----------------------+ 3733 Figure 47: The RecordPattern Class 3735 The specific pattern to search with in the RecordItem is defined in 3736 the body of the element. It is further annotated by six attributes: 3738 type 3739 Required. ENUM. 
      Describes the type of pattern being specified in the element
      content.  The default is "regex".  These values are maintained in
      the "RecordPattern-type" IANA registry per Table 1.

      1.  regex.  Regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].

      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
          type.

      3.  xpath.  XML Path (XPath) [W3C.XPATH].

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   offset
      Optional.  INTEGER.  Amount of units (determined by the offsetunit
      attribute) to seek into the RecordItem data before matching the
      pattern.

   offsetunit
      Optional.  ENUM.  Describes the units of the offset attribute.
      The default is "line".  These values are maintained in the
      "RecordPattern-offsetunit" IANA registry per Table 1.

      1.  line.  Offset is a count of lines.

      2.  byte.  Offset is a count of bytes.

      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-offsetunit
      Optional.  STRING.  A means by which to extend the offsetunit
      attribute.  See Section 5.1.1.

   instance
      Optional.  INTEGER.  Number of times to apply the specified
      pattern.

3.25.3.  RecordItem Class

   The RecordItem class provides a way to incorporate relevant logs,
   audit trails, or forensic data to support the conclusions made during
   the course of analyzing the incident.  The class supports both the
   direct encapsulation of the data and primitives to reference data
   stored elsewhere.

   This class is identical to the AdditionalData class (Section 3.9).

3.26.  WindowsRegistryKeysModified Class

   The WindowsRegistryKeysModified class describes Windows operating
   system registry keys and the operations that were performed on them.
   This class was derived from [RFC5901].

   +-----------------------------+
   | WindowsRegistryKeysModified |
   +-----------------------------+
   | ID observable-id            |<>--{1..*}--[ Key ]
   +-----------------------------+

   Figure 48: The WindowsRegistryKeysModified Class

   The aggregate class that constitutes the WindowsRegistryKeysModified
   class is:

   Key
      One or many.  The Windows registry key.

   The WindowsRegistryKeysModified class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.26.1.  Key Class

   The Key class describes a particular Windows operating system
   registry key name and value pair, and the operation performed on it.

   +---------------------------+
   | Key                       |
   +---------------------------+
   | ENUM registryaction       |<>----------[ KeyName ]
   | STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
   | ID observable-id          |
   +---------------------------+

   Figure 49: The Key Class

   The aggregate classes that constitute Key are:

   KeyName
      One.  STRING.  The name of the Windows operating system registry
      key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).

   KeyValue
      Zero or one.  STRING.  The value of the associated registry key
      encoded as in Microsoft .reg files [KB310516].

   The Key class has three attributes:

   registryaction
      Optional.  ENUM.  The type of action taken on the registry key.
      These values are maintained in the "Key-registryaction" IANA
      registry per Table 1.

      1.  add-key.  Registry key added.

      2.  add-value.  Value added to registry key.

      3.  delete-key.  Registry key deleted.

      4.  delete-value.  Value deleted from registry key.

      5.  modify-key.  Registry key modified.

      6.  modify-value.  Value modified for registry key.

      7.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-registryaction
      Optional.  STRING.  A means by which to extend the registryaction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.27.  CertificateData Class

   The CertificateData class describes X.509 certificates.

   +------------------------+
   | CertificateData        |
   +------------------------+
   | ID observable-id       |<>--{1..*}--[ Certificate ]
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

   Figure 50: The CertificateData Class

   The aggregate class that constitutes CertificateData is:

   Certificate
      One or more.  A certificate.

   The CertificateData class has three attributes:

   observable-id
      Optional.  ID.  See Section 3.3.2.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.27.1.  Certificate Class

   The Certificate class describes a given X.509 certificate or
   certificate chain.

   +--------------------------+
   | Certificate              |
   +--------------------------+
   | ENUM valid               |<>----------[ ds:X509Data ]
   | ID observable-id         |
   +--------------------------+

   Figure 51: The Certificate Class

   The aggregate class that constitutes Certificate is:

   ds:X509Data
      One.  A given X.509 certificate or chain.  See Section 4.4.4 of
      [W3C.XMLSIG].

   The Certificate class has two attributes:

   valid
      Optional.  Indicates whether a given certificate has a valid
      signature.  An invalid signature may be due to an invalid
      certificate chain, a signature not decoding properly, or the
      certificate contents not matching the hash.

      1.  yes.  The certificate is valid.

      2.  no.  The certificate is not valid.
   observable-id
      Optional.  ID.  See Section 3.3.2.

3.28.  FileData Class

   The FileData class describes files of interest identified during the
   analysis of an incident.

   +------------------------+
   | FileData               |
   +------------------------+
   | ID observable-id       |<>--{1..*}--[ File ]
   | ENUM restriction       |
   | STRING ext-restriction |
   +------------------------+

   Figure 52: The FileData Class

   The aggregate class that constitutes FileData is:

   File
      One or more.  A description of a file.

   The FileData class has three attributes:

   observable-id
      Optional.  ID.  See Section 3.3.2.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.28.1.  File Class

   The File class describes a file and its associated metadata.

   +--------------------------+
   | File                     |
   +--------------------------+
   | ID observable-id         |<>--{0..1}--[ FileName ]
   |                          |<>--{0..1}--[ FileSize ]
   |                          |<>--{0..1}--[ FileType ]
   |                          |<>--{0..*}--[ URL ]
   |                          |<>--{0..1}--[ HashData ]
   |                          |<>--{0..1}--[ SignatureData ]
   |                          |<>--{0..*}--[ FileProperties ]
   +--------------------------+

   Figure 53: The File Class

   The aggregate classes that constitute File are:

   FileName
      Zero or one.  STRING.  The name of the file.

   FileSize
      Zero or one.  INTEGER.  The size of the file in bytes.

   FileType
      Zero or one.  STRING.  The type of file per the IANA Media Types
      Registry [IANA.Media].  Valid values correspond to the text in the
      "Template" column (e.g., "application/pdf").

   URL
      Zero or more.  A reference to the file.

   HashData
      Zero or one.  Hash(es) associated with this file.

   SignatureData
      Zero or one.  Signature(s) associated with this file.

   FileProperties
      Zero or more.  Mechanism by which to extend the data model to
      describe properties of the file.  See Section 3.9.

   The File class has one attribute:

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.29.  HashData Class

   The HashData class describes different types of hashes on a given
   object (e.g., file, part of a file, email).

   +--------------------------+
   | HashData                 |
   +--------------------------+
   | ENUM scope               |<>--{0..1}--[ HashTarget ]
   |                          |<>--{0..*}--[ Hash ]
   |                          |<>--{0..*}--[ FuzzyHash ]
   +--------------------------+

   Figure 54: The HashData Class

   The aggregate classes that constitute HashData are:

   HashTarget
      Zero or one.  An identifier that references a subset of the
      object per the @scope attribute.

   Hash
      Zero or more.  The hash generated on the object.

   FuzzyHash
      Zero or more.  The fuzzy hash of the object.

   A single instance of Hash or FuzzyHash MUST be present.

   The HashData class has one attribute:

   scope
      Required.  ENUM.  Describes the scope of the hash on a type of
      object.  These values are maintained in the "HashData-scope" IANA
      registry per Table 1.

      1.  file-contents.  A hash computed over the entire contents of a
          file.

      2.  file-pe-section.  A hash computed on a given section of a
          Windows Portable Executable (PE) file.  If set to this value,
          the HashTargetId class MUST identify the section being hashed.
          This section is identified by an ordinal number (starting at
          1) corresponding to the order in which the given section
          header was defined in the Section Table of the PE file header.

      3.  file-pe-iat.  A hash computed on the Import Address Table
          (IAT) of a PE file.  As IAT hashes are often tool dependent,
          if this value is set, the HashTargetId class MUST specify the
          tool used to generate the hash.

      4.  file-pe-resource.  A hash computed on a given resource in a PE
          file.  If set to this value, the HashTargetId class MUST
          identify the resource being hashed.  This resource is
          identified by an ordinal number (starting at 1) corresponding
          to the order in which the given resource is declared in the
          Resource Directory of the Data Dictionary in the PE file
          header.

      5.  file-pdf-object.  A hash computed on a given object in a
          Portable Document Format (PDF) file.  If set to this value,
          the HashTargetId class MUST identify the object being hashed.
          This object is identified by its offset in the PDF file.

      6.  email-hash.  A hash computed over the headers and body of an
          email message.

      7.  email-headers-hash.  A hash computed over all of the headers
          of an email message.

      8.  email-body-hash.  A hash computed over the body of an email
          message.

      9.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

   ext-scope
      Optional.  STRING.  A means by which to extend the scope
      attribute.  See Section 5.1.1.

3.29.1.  Hash Class

   The Hash class describes a specific hash value, the algorithm, and
   the application used to generate it.

   +----------------+
   | Hash           |
   +----------------+
   |                |<>----------[ ds:DigestMethod ]
   |                |<>----------[ ds:DigestValue ]
   |                |<>--{0..1}--[ ds:CanonicalizationMethod ]
   |                |<>--{0..1}--[ Application ]
   +----------------+

   Figure 55: The Hash Class

   The aggregate classes that constitute Hash are:

   ds:DigestMethod
      One.  The hash algorithm used to generate the hash.  See
      Section 4.3.3.5 of [W3C.XMLSIG].

   ds:DigestValue
      One.  The computed hash value.  See Section 4.3.3.6 of
      [W3C.XMLSIG].

   ds:CanonicalizationMethod
      Zero or one.  The canonicalization method used for the hash.  See
      Section 4.3.1 of [W3C.XMLSIG].

   Application
      Zero or one.  The application used to calculate the hash.

   The Hash class has no attributes.

3.29.2.  FuzzyHash Class

   The FuzzyHash class describes a fuzzy hash (in an extensible way) and
   the application used to generate it.

   +--------------------------+
   | FuzzyHash                |
   +--------------------------+
   |                          |<>--{0..*}--[ AdditionalData ]
   |                          |<>--{0..1}--[ Application ]
   +--------------------------+

   Figure 56: The FuzzyHash Class

   The aggregate classes that constitute FuzzyHash are:

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   Application
      Zero or one.  The application used to calculate the hash.

   The FuzzyHash class has no attributes.

3.30.  SignatureData Class

   The SignatureData class describes different signatures on a given
   object.

   +--------------------------+
   | SignatureData            |
   +--------------------------+
   |                          |<>--{1..*}--[ ds:Signature ]
   +--------------------------+

   Figure 57: The SignatureData Class

   The aggregate class that constitutes SignatureData is:

   ds:Signature
      One or more.  A given signature.  See Section 4.2 of
      [W3C.XMLSIG].

   The SignatureData class has no attributes.

3.31.  IndicatorData Class

   The IndicatorData class describes the indicators identified from
   analysis of an incident.

   +--------------------------+
   | IndicatorData            |
   +--------------------------+
   |                          |<>--{1..*}--[ Indicator ]
   +--------------------------+

   Figure 58: The IndicatorData Class

   The aggregate class that constitutes IndicatorData is:

   Indicator
      One or more.  An indicator from the incident.

   The IndicatorData class has no attributes.

3.32.  Indicator Class

   The Indicator class describes a cyber indicator.  An indicator
   consists of observable features and phenomena that aid in the
   forensic or proactive detection of malicious activity, and associated
   metadata.  This indicator can be described outright or reference
   observable features and phenomena described elsewhere in the
   incident information.  Portions of an incident description can be
   composed to define an indicator, as can the indicators themselves.

   +------------------------+
   | Indicator              |
   +------------------------+
   | ENUM restriction       |<>----------[ IndicatorID ]
   | STRING ext-restriction |<>--{0..1}--[ AlternativeIndicatorID ]
   |                        |<>--{0..*}--[ Description ]
   |                        |<>--{0..1}--[ StartTime ]
   |                        |<>--{0..1}--[ EndTime ]
   |                        |<>--{0..1}--[ Confidence ]
   |                        |<>--{0..*}--[ Contact ]
   |                        |<>--{0..1}--[ Observable ]
   |                        |<>--{0..1}--[ ObservableReference ]
   |                        |<>--{0..1}--[ IndicatorExpression ]
   |                        |<>--{0..1}--[ IndicatorReference ]
   |                        |<>--{0..*}--[ AdditionalData ]
   +------------------------+

   Figure 59: The Indicator Class

   The aggregate classes that constitute Indicator are:

   IndicatorID
      One.  An identifier for this indicator.  See Section 3.32.1.

   AlternativeIndicatorID
      Zero or one.  An alternative identifier for this indicator.  See
      Section 3.32.2.

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      indicator.

   StartTime
      Zero or one.  DATETIME.  A timestamp of the start of the time
      period during which this indicator is valid.

   EndTime
      Zero or one.  DATETIME.  A timestamp of the end of the time period
      during which this indicator is valid.

   Confidence
      Zero or one.  An estimate of the confidence in the quality of the
      indicator.  See Section 3.14.5.

   Contact
      Zero or more.  Contact information for this indicator.  See
      Section 3.10.

   Observable
      Zero or one.  An observable feature or phenomenon of this
      indicator.  See Section 3.32.3.

   ObservableReference
      Zero or one.  A reference to a feature or phenomenon defined
      elsewhere in the document.  See Section 3.32.5.

   IndicatorExpression
      Zero or one.  A composition of observables.  See Section 3.32.4.

   IndicatorReference
      Zero or one.  A reference to an indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The Indicator class MUST have exactly one instance of an Observable,
   IndicatorExpression, ObservableReference, or IndicatorReference
   class.

   The StartTime and EndTime classes can be used to define an interval
   during which the indicator is valid.  If both classes are present,
   the indicator is considered valid only during the described interval.
   If neither class is provided, the indicator is considered valid
   during any time interval.  If only a StartTime is provided, the
   indicator is valid at any time after this timestamp.  If only an
   EndTime is provided, the indicator is valid at any time prior to this
   timestamp.

   The Indicator class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.32.1.  IndicatorID Class

   The IndicatorID class identifies an indicator with a globally unique
   identifier.  The combination of the name and version attributes and
   the element content form this identifier.  Indicators generated by a
   given CSIRT MUST NOT reuse the same value unless they are referencing
   the same indicator.

   +------------------+
   | IndicatorID      |
   +------------------+
   | ID               |
   |                  |
   | STRING name      |
   | STRING version   |
   +------------------+

   Figure 60: The IndicatorID Class

   The IndicatorID class has two attributes:

   name
      Required.  STRING.  An identifier describing the CSIRT that
      created the indicator.  In order to have a globally unique CSIRT
      name, the fully qualified domain name associated with the CSIRT
      MUST be used.  This format is identical to the IncidentID@name
      attribute in Section 3.4.

   version
      Required.  STRING.  A version number of an indicator.

3.32.2.  AlternativeIndicatorID Class

   The AlternativeIndicatorID class lists alternative identifiers for an
   indicator.

   +-------------------------+
   | AlternativeIndicatorID  |
   +-------------------------+
   | ENUM restriction        |<>--{1..*}--[ IndicatorReference ]
   | STRING ext-restriction  |
   +-------------------------+

   Figure 61: The AlternativeIndicatorID Class

   The aggregate class that constitutes AlternativeIndicatorID is:

   IndicatorReference
      One or more.  A reference to an indicator.

   The AlternativeIndicatorID class has two attributes:

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.32.3.  Observable Class

   The Observable class describes a feature or phenomenon that can be
   observed or measured for the purposes of detecting malicious
   behavior.

   +-------------------+
   | Observable        |
   +-------------------+
   |                   |<>--{0..1}--[ Address ]
   |                   |<>--{0..1}--[ DomainData ]
   |                   |<>--{0..1}--[ Service ]
   |                   |<>--{0..1}--[ EmailData ]
   |                   |<>--{0..1}--[ ApplicationHeader ]
   |                   |<>--{0..1}--[ WindowsRegistryKeysModified ]
   |                   |<>--{0..1}--[ FileData ]
   |                   |<>--{0..1}--[ CertificateData ]
   |                   |<>--{0..1}--[ RecordData ]
   |                   |<>--{0..1}--[ EventData ]
   |                   |<>--{0..1}--[ Incident ]
   |                   |<>--{0..*}--[ Expectation ]
   |                   |<>--{0..*}--[ Reference ]
   |                   |<>--{0..1}--[ Assessment ]
   |                   |<>--{0..1}--[ HistoryItem ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

   Figure 62: The Observable Class

   The aggregate classes that constitute Observable are:

   Address
      Zero or one.  An Address observable.  See Section 3.20.1.

   DomainData
      Zero or one.  A DomainData observable.  See Section 3.21.

   Service
      Zero or one.  A Service observable.  See Section 3.22.

   EmailData
      Zero or one.  An EmailData observable.  See Section 3.24.

   ApplicationHeader
      Zero or one.  An ApplicationHeader observable.  See
      Section 3.22.1.

   WindowsRegistryKeysModified
      Zero or one.  A WindowsRegistryKeysModified observable.  See
      Section 3.26.

   FileData
      Zero or one.  A FileData observable.  See Section 3.28.

   CertificateData
      Zero or one.  A CertificateData observable.  See Section 3.27.

   RecordData
      Zero or one.  A RecordData observable.  See Section 3.25.1.

   EventData
      Zero or one.  An EventData observable.  See Section 3.16.

   Incident
      Zero or one.  An Incident observable.  See Section 3.2.

   Expectation
      Zero or one.  An Expectation observable.  See Section 3.17.

   Reference
      Zero or one.  A Reference observable.  See Section 3.13.1.

   Assessment
      Zero or one.  An Assessment observable.  See Section 3.14.

   HistoryItem
      Zero or one.  A HistoryItem observable.  See Section 3.15.1.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   The Observable class MUST have exactly one of the possible child
   classes.

   The Observable class has no attributes.

3.32.4.  IndicatorExpression Class

   The IndicatorExpression class describes an expression composed of
   observed phenomena or features, or indicators.  Elements of the
   expression can be described directly, reference relevant data from
   other parts of a given IODEF document, or reference previously
   defined indicators.

   All child classes of a given instance of IndicatorExpression form a
   boolean algebraic expression where the operator between them is
   determined by the operator attribute.  Nesting an IndicatorExpression
   in itself is akin to a parenthesis in the expression.

   +--------------------------+
   | IndicatorExpression      |
   +--------------------------+
   | ENUM operator            |<>--{0..*}--[ IndicatorExpression ]
   |                          |<>--{0..*}--[ Observable ]
   |                          |<>--{0..*}--[ ObservableReference ]
   |                          |<>--{0..*}--[ IndicatorReference ]
   |                          |<>--{0..*}--[ AdditionalData ]
   +--------------------------+

   Figure 63: The IndicatorExpression Class

   The aggregate classes that constitute IndicatorExpression are:

   IndicatorExpression
      Zero or more.  An expression composed of other observables or
      indicators.

   Observable
      Zero or more.  A description of an observable.

   ObservableReference
      Zero or more.  A reference to another observable.

   IndicatorReference
      Zero or more.  A reference to another indicator.

   AdditionalData
      Zero or more.  Mechanism by which to extend the data model.  See
      Section 3.9.

   ... TODO Additional text is required to describe the valid
   combinations of classes and how the operator class should be applied
   ...

   The IndicatorExpression class has one attribute:

   operator
      Optional.  ENUM.  The operator to be applied between the child
      elements.

      1.  not.  Negation operator.

      2.  and.  Conjunction operator.

      3.  or.  Disjunction operator.

      4.  xor.  Exclusive disjunction operator.

3.32.5.  ObservableReference Class

   The ObservableReference class describes a reference to an observable
   feature or phenomenon described elsewhere in the document.

   This class has no content.

   +-------------------------+
   | ObservableReference     |
   +-------------------------+
   | EMPTY                   |
   |                         |
   | IDREF uid-ref           |
   +-------------------------+

   Figure 64: The ObservableReference Class

   The ObservableReference class has one attribute:

   uid-ref
      Required.  IDREF.  An identifier that serves as a reference to a
      class in the IODEF document.  The referenced class will have this
      identifier set in the observable-id attribute.

3.32.6.  IndicatorReference Class

   The IndicatorReference class describes a reference to an indicator.
   This reference may be to an indicator described in the IODEF document
   or in a previously exchanged IODEF document.

   +--------------------------+
   | IndicatorReference       |
   +--------------------------+
   | EMPTY                    |
   |                          |
   | IDREF uid-ref            |
   | STRING euid-ref          |
   | STRING version           |
   +--------------------------+

   Figure 65: The IndicatorReference Class

   The IndicatorReference class has three attributes:

   uid-ref
      Optional.  IDREF.  An identifier that serves as a reference to an
      Indicator class in the IODEF document.  The referenced Indicator
      class will have this identifier set in the IndicatorID class.

   euid-ref
      Optional.  STRING.  An identifier that references an IndicatorID
      not in this IODEF document.

   version
      Optional.  STRING.  A version number of an indicator.

   Either the uid-ref or the euid-ref attribute MUST be set.

4.  Processing Considerations

   This section defines additional requirements on creating and parsing
   IODEF documents.

4.1.  Encoding

   Every IODEF document MUST begin with an XML declaration, and MUST
   specify the XML version used.  The character encoding MUST also be
   explicitly specified.  UTF-8 [RFC3629] SHOULD be used unless UTF-16
   [RFC2781] is necessary.  Encodings other than UTF-8 and UTF-16 SHOULD
   NOT be used.  The IODEF conforms to all XML data encoding conventions
   and constraints.
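   As an added example (not part of the draft), the following Python
   checks a document's XML declaration against the rules just stated,
   and escapes the five characters that Section 4.1 requires to be
   escaped in element content.  The sample documents in it are
   constructed; only the MUST/SHOULD rules quoted in the text are
   checked, and well-formedness of the rest of the document is left to
   the XML parser.

```python
"""Check the XML declaration rules of Section 4.1 and escape element
content.  Added example, not from the draft; the documents fed to it
are constructed.  Only the MUST/SHOULD rules quoted in the text are
checked; well-formedness of the remainder is left to the XML parser."""
import re
from xml.sax.saxutils import escape

# A byte-order mark (or the byte pattern of "<" in UTF-16) lets the
# declaration be decoded before the encoding it names is known.
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"),
         (b"\xfe\xff", "utf-16-be"))
_DECL = re.compile(
    r"""^<\?xml\s+version=["']1\.[0-9]["']"""
    r"""(?:\s+encoding=["']([A-Za-z][A-Za-z0-9._-]*)["'])?"""
    r"""(?:\s+standalone=["'](?:yes|no)["'])?\s*\?>""")


def check_declaration(doc: bytes):
    """Return (ok, reason): ok is False when a MUST of Section 4.1 is
    violated; a SHOULD NOT violation keeps ok True but is named in reason."""
    codec = "utf-8"
    for bom, name in _BOMS:
        if doc.startswith(bom):
            doc, codec = doc[len(bom):], name
            break
    else:
        if doc[:2] == b"<\x00":        # UTF-16LE without a BOM
            codec = "utf-16-le"
        elif doc[:2] == b"\x00<":      # UTF-16BE without a BOM
            codec = "utf-16-be"
    head = doc[:256].decode(codec, errors="replace")
    m = _DECL.match(head)
    if not m:
        return False, "document does not begin with an XML declaration naming the version"
    enc = m.group(1)
    if enc is None:
        return False, "character encoding is not explicitly specified"
    if enc.upper() not in ("UTF-8", "UTF-16"):
        return True, f"encoding {enc} SHOULD NOT be used (only UTF-8 or UTF-16)"
    return True, "ok"


def escape_content(text: str) -> str:
    """Escape the five characters that MUST be escaped in element content:
    & < > " and ' become &amp; &lt; &gt; &quot; and &apos;."""
    return escape(text, {'"': "&quot;", "'": "&apos;"})


if __name__ == "__main__":
    print(check_declaration(b'<?xml version="1.0" encoding="UTF-8"?>\n<IODEF-Document/>'))
    print(escape_content('a & b < "c"'))
```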
   The XML declaration with no character encoding will read as follows:

   <?xml version="1.0"?>

   When a character encoding is specified, the XML declaration will read
   like the following:

   <?xml version="1.0" encoding="charset"?>

   Where "charset" is the name of the character encoding as registered
   with the Internet Assigned Numbers Authority (IANA), see [RFC2978].

   The following characters have special meaning in XML and MUST be
   escaped with their entity reference equivalent: "&", "<", ">", "\""
   (double quotation mark), and "'" (apostrophe).  These entity
   references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;"
   respectively.

4.2.  IODEF Namespace

   The IODEF schema declares a namespace of
   "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS].
   Each IODEF document MUST include a valid reference to the IODEF
   schema using the "xsi:schemaLocation" attribute.  An example of such
   a declaration would look as follows:

   A given extension attribute MUST NOT be set unless the corresponding
   extensible attribute has been set to "ext-value".

5.1.2.  Public Extension of Enumerated Values

   Selected enumerated values of the attributes defined in the data
   model can be extended by adding entries to the corresponding IANA
   registry.  Table 1 enumerates these registries.  Section 4.3
   discusses the XML validation implications of these types of
   extensions.

5.2.  Extending Classes

   The classes of the data model can be extended only through the use of
   the AdditionalData and RecordItem classes.  These container classes,
   collectively referred to as the extensible classes, are implemented
   with the iodef:ExtensionType data type in the schema.  They provide
   the ability to have new atomic or XML-encoded data elements in all of
   the top-level classes of the Incident class and a few of the more
   complicated subordinate classes.  As there are multiple instances of
   the extensible classes in the data model, there is discretion on
   where to add a new data element.  It is RECOMMENDED that the
   extension be placed in the class most closely related to the new
   information.

   Extensions using the atomic data types (i.e., all values of the dtype
   attribute other than "xml") MUST:

   1.  Set the element content of the extensible class to the desired
       value, and

   2.  Set the dtype attribute to correspond to the data type of the
       element content.

   The following guidelines exist for extensions using XML:

   1.  The element content of the extensible class MUST be set to the
       desired value and the dtype attribute MUST be set to "xml".

   2.  The extension schema MUST declare a separate namespace.  It is
       RECOMMENDED that these extensions have the prefix "iodef-".  This
       recommendation makes the document easier to read by allowing the
       reader to infer by inspection which namespaces relate to IODEF.

   3.  It is RECOMMENDED that extension schemas follow the naming
       convention of the IODEF data model.  This makes reading an
       extended IODEF document look like any other IODEF document.  The
       names of all elements are capitalized.  For elements with
       composed names, a capital letter is used for each word.
       Attribute names are lower case.  Attributes with composed names
       are separated by a hyphen.

   4.  Parsers that encounter an unrecognized element in a namespace
       that they do support MUST reject the document as a syntax error.

   5.  There are security and performance implications in requiring
       implementations to dynamically download schemas at run time.
       Thus, implementations SHOULD NOT download schemas at runtime,
       unless implementations take appropriate precautions and are
       prepared for potentially significant network, processing, and
       time-out demands.

   6.  Some users of the IODEF may have private schema definitions that
       might not be available on the Internet.  In this situation, if an
       IODEF document leaks out of the private use space, references to
       some of those document schemas may not be resolvable.  This has
       two implications.  First, references to private schemas may never
       resolve.  As such, in addition to the suggestion that
       implementations do not download schemas at runtime mentioned
       above, recipients MUST be prepared for a schema definition in an
       IODEF document never to resolve.

   The following schema and XML document excerpt provide a template for
   an extension schema and its use in the IODEF document.

   This example schema defines a namespace of "iodef-extension1" and a
   single element named "newdata".

   The following XML excerpt demonstrates the use of the above schema as
   an extension to the IODEF.

   While the intent of the data model is to provide internationalization
   and localization, the intent is not to do so to the detriment of
   interoperability.  While the IODEF does support different languages,
   the data model also relies heavily on standardized enumerated
   attributes that can crudely approximate the contents of the document.
   With this approach, a CSIRT should be able to make some sense of an
   IODEF document it receives even if the text-based data elements are
   written in a language unfamiliar to the analyst.

7.  Examples

   This section provides examples of an incident encoded in the IODEF.
   These examples do not necessarily represent the only way to encode a
   particular incident.

7.1.  Worm

   An example of a CSIRT reporting an instance of the Code Red worm.

7.2.  Reconnaissance

   An example of a CSIRT reporting a scanning activity.

7.3.  Bot-Net Reporting

   An example of a CSIRT reporting a bot-network.

7.4.  Watch List

   An example of a CSIRT conveying a watch-list.
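   Complementing the encoded incidents above, the following Python is an
   added example (not from the draft) that evaluates an
   IndicatorExpression per Section 3.32.4: the children are combined by
   the operator attribute, a nested expression acts as parentheses, and
   an ObservableReference is resolved through the observable-id it
   names.  It assumes the XMLDSIG namespace and SHA-256 DigestMethod
   identifier from the W3C specifications, a simplified document
   skeleton that is not claimed to validate against the schema, and that
   a missing operator means "and", "not" negates the conjunction of its
   children, and n-ary "xor" is odd parity.

```python
"""Evaluate an IODEF v2 IndicatorExpression against observed facts.
Added example, not part of the draft.  Implements Section 3.32.4 as
stated: children are joined by @operator, a nested expression acts as
parentheses, an ObservableReference resolves by @uid-ref to the element
with that @observable-id.  Assumed: missing @operator means "and", "not"
negates the conjunction of its children, n-ary "xor" is odd parity."""
import base64
import hashlib
import xml.etree.ElementTree as ET

IODEF = "urn:ietf:params:xml:ns:iodef-2.0"               # Section 4.2
DS = "http://www.w3.org/2000/09/xmldsig#"                 # XMLDSIG namespace
NS = {"iodef": IODEF, "ds": DS}
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"    # DigestMethod id


def b64_sha256(data: bytes) -> str:
    """ds:DigestValue carries the base64 of the raw digest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def local(elem) -> str:
    """Tag name without its namespace."""
    return elem.tag.rsplit("}", 1)[-1]

def class_matches(elem, facts) -> bool:
    """Match one observable class against the facts; only Address and
    FileData/HashData are handled in this example."""
    if local(elem) == "Address":
        return elem.text.strip() in facts["addresses"]
    if local(elem) == "FileData":
        for h in elem.iterfind(".//iodef:Hash", NS):
            method = h.find("ds:DigestMethod", NS).get("Algorithm")
            value = h.find("ds:DigestValue", NS).text.strip()
            if method == SHA256_URI and value in facts["sha256"]:
                return True
    return False

def evaluate(expr, facts, root) -> bool:
    """Recursively evaluate one IndicatorExpression element."""
    results = []
    for child in expr:
        kind = local(child)
        if kind == "IndicatorExpression":      # parenthesised sub-expression
            results.append(evaluate(child, facts, root))
        elif kind == "Observable":             # carries exactly one child class
            results.append(class_matches(next(iter(child)), facts))
        elif kind == "ObservableReference":    # resolve via observable-id
            ref = child.get("uid-ref")
            target = root.find(f".//*[@observable-id='{ref}']")
            if target is None:
                raise ValueError(f"unresolved uid-ref {ref!r}")
            results.append(class_matches(target, facts))
        # IndicatorReference and AdditionalData children are ignored here
    op = expr.get("operator", "and")
    if op == "and":
        return all(results)
    if op == "or":
        return any(results)
    if op == "not":
        return not all(results)
    if op == "xor":
        return sum(results) % 2 == 1
    raise ValueError(f"unknown operator {op!r}")

def indicator_fires(doc_xml: str, addresses, files) -> bool:
    """Evaluate the first Indicator of a document against observed
    addresses and the contents of observed files."""
    root = ET.fromstring(doc_xml)
    facts = {"addresses": set(addresses),
             "sha256": {b64_sha256(f) for f in files}}
    expr = root.find(".//iodef:Indicator/iodef:IndicatorExpression", NS)
    return evaluate(expr, facts, root)


# Constructed sample and a simplified, not schema-validated document meaning
# "source 192.0.2.200 AND (known file OR 192.0.2.201) AND NOT 192.0.2.240".
SAMPLE = b"constructed sample file contents\n"
DOC = f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00" xmlns="{IODEF}" xmlns:ds="{DS}">
 <Incident purpose="reporting">
  <IncidentID name="csirt.example.com">2015-0001</IncidentID>
  <EventData><Flow><System category="source"><Node>
   <Address category="ipv4-addr" observable-id="src-1">192.0.2.200</Address>
  </Node></System></Flow></EventData>
  <IndicatorData><Indicator>
   <IndicatorID name="csirt.example.com" version="1">ind-1</IndicatorID>
   <IndicatorExpression operator="and">
    <ObservableReference uid-ref="src-1"/>
    <IndicatorExpression operator="or">
     <Observable><FileData><File><HashData scope="file-contents"><Hash>
      <ds:DigestMethod Algorithm="{SHA256_URI}"/>
      <ds:DigestValue>{b64_sha256(SAMPLE)}</ds:DigestValue>
     </Hash></HashData></File></FileData></Observable>
     <Observable><Address category="ipv4-addr">192.0.2.201</Address></Observable>
    </IndicatorExpression>
    <IndicatorExpression operator="not">
     <Observable><Address category="ipv4-addr">192.0.2.240</Address></Observable>
    </IndicatorExpression>
   </IndicatorExpression>
  </Indicator></IndicatorData>
 </Incident>
</IODEF-Document>
"""
```

   Calling indicator_fires(DOC, {"192.0.2.200"}, [SAMPLE]) returns True;
   adding "192.0.2.240" to the observed addresses makes the "not"
   sub-expression fail and the indicator no longer fires.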
8.  The IODEF Schema
6336 6337 6338 6339 6340 6341 6342 6344 6346 6348 6350 6351 6352 6354 6356 6361 6362 6363 6364 6366 6368 6370 6373 6375 6377 6378 6380 6381 6383 6388 6389 6390 6391 6393 6396 6399 6403 6406 6408 6410 6412 6413 6414 6415 6416 6417 6418 6419 6420 6421 6422 6423 6424 6426 6427 6428 6429 6430 6431 6432 6433 6434 6435 6436 6437 6438 6439 6440 6441 6442 6443 6445 6447 6448 6450 6452 6453 6454 6455 6456 6457 6458 6459 6460 6461 6462 6463 6464 6465 6466 6467 6468 6469 6470 6471 6472 6473 6474 6475 6476 6477 6478 6479 6480 6481 6482 6483 6484 6485 6486 6487 6488 6489 6490 6491 6492 6493 6494 6495 6496 6497 6498 6500 6501 6503 6504 6505 6506 6507 6508 6509 6510 6512 6513 6514 6515 6517 6519 6520 6521 6523 6528 6529 6530 6531 6533 6534 6536 6538 6539 6540 6541 6542 6543 6545 6548 6550 6552 6554 6556 6558 6560 6562 6563 6565 6567 6569 6570 6572 6573 6574 6575 6576 6577 6578 6579 6580 6581 6582 6583 6584 6585 6586 6588 6590 6592 6593 6594 6595 6596 6597 6598 6599 6600 6602 6604 6605 6606 6607 6608 6610 6615 6616 6617 6618 6619 6620 6621 6622 6624 6625 6626 6627 6628 6629 6630 6631 6632 6633 6634 6635 6636 6637 6638 6640 6641 6642 6643 6645 6646 6648 6654 6655 6656 6657 6659 6660 6662 6664 6666 6667 6669 6670 6671 6672 6674 6676 6678 6680 6682 6684 6686 6687 6689 6690 6691 6694 6700 6701 6702 6703 6705 6707 6709 6710 6711 6712 6713 6714 6715 6716 6717 6718 6719 6720 6721 6722 6723 6724 6725 6727 6728 6730 6731 6732 6733 6734 6735 6736 6738 6740 6741 6743 6744 6745 6746 6747 6749 6750 6751 6753 6759 6760 6761 6762 6764 6765 6766 6768 6774 6775 6776 6777 6779 6780 6782 6784 6786 6787 6789 6790 6791 6792 6793 6794 6796 6797 6799 6804 6805 6806 6808 6809 6811 6813 6815 6817 6819 6821 6823 6824 6826 6829 6834 6835 6836 6837 6839 6840 6841 6843 6844 6845 6846 6847 6849 6851 6853 6855 6857 6859 6860 6861 6862 6863 6864 6865 6866 6868 6870 6871 6873 6874 6875 6876 6877 6879 6881 6882 6883 6884 6885 6886 6887 6888 6890 6891 6893 6895 6896 6898 6899 6900 6901 6903 6905 6907 6910 6912 6914 
6916 6918 6920 6922 6924 6926 6928 6930 6931 6934 6936 6937 6939 6940 6941 6942 6943 6945 6947 6949 6951 6952 6954 6955 6956 6957 6958 6959 6960 6961 6962 6963 6964 6965 6966 6968 6969 6970 6972 6973 6975 6976 6977 6979 6981 6983 6984 6985 6990 6992 6994 6999 7000 7001 7002 7003 7005 7006 7007 7008 7010 7011 7012 7014 7015 7016 7018 7019 7021 7023 7025 7027 7029 7030 7031 7032 7034 7035 7037 7039 7042 7044 7046 7051 7052 7053 7054 7055 7056 7058 7059 7060 7061 7062 7063 7064 7066 7067 7068 7069 7070 7071 7072 7073 7074 7075 7076 7077 7079 7080 7082 7083 7084 7085 7086 7087 7088 7089 7090 7091 7092 7093 7094 7095 7096 7097 7098 7099 7100 7102 7103 7104 7105 7106 7107 7108 7109 7110 7111 7112 7113 7114 7115 7116 7117 7118 7119 7120 7121 7122 7123 7124 7125 7126 7128 7129 7131 7132 7133 7134 7135 7136 7137 7138 7139 7140 7141 7142 7143 7144 7145 7146 7147 7148 7149 7150 7151 7152 7153 7154 7155 7157 7158 7159 7160 7161 7162 7163 7164 7165 7166 7167 7168 7169 7170 7171 7172 9. Security Considerations 7174 The IODEF data model itself does not directly introduce security 7175 issues. Rather, it simply defines a representation for incident 7176 information. As the data encoded by the IODEF might be considered 7177 privacy sensitive by the parties exchanging the information or by 7178 those described by it, care needs to be taken in ensuring the 7179 appropriate disclosure during both document exchange and subsequent 7180 processing. The former must be handled by a messaging format, but 7181 the latter risk must be addressed by the systems that process, store, 7182 and archive IODEF documents and information derived from them. 7184 Executable content could be embedded into the IODEF document directly 7185 or through an extension. The IODEF parser should handle this content 7186 with care to prevent unintentional automated execution. 
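   Recipient-side enforcement of the restriction attribute discussed later
   in this section, as an added example that is not the draft's own code:
   it walks a constructed IODEF 2.0 document with Python's standard-library
   XML parser, lets unmarked elements inherit their nearest ancestor's
   marking, and drops every subtree marked above what the destination
   audience may see, copying or discarding element content without ever
   interpreting it, in keeping with the paragraph above.  The three-level
   ordering of restriction values, the 'private' fallback for unmarked
   top-level elements, and the sample document are assumptions of the
   example.

```python
import copy
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"

# Least to most restrictive.  Only the values carried over from RFC 5070 are
# ranked; the draft's full enumeration is in its Section 3.3.1, so this
# ordering is an assumption of the example, not the registry's.
RESTRICTION_RANK = {"public": 0, "need-to-know": 1, "private": 2}

def rank(value):
    # Unranked markings ('default' defers to a pre-arranged policy; an
    # extension value is unknown here) fail closed: stricter than 'private'.
    return RESTRICTION_RANK.get(value, len(RESTRICTION_RANK))

def localname(tag):
    return tag.rsplit("}", 1)[-1]

def redact_for_audience(document, audience):
    """Return (pruned copy, [(path, marking) removed]) for an audience that
    may see data marked at or below the restriction level `audience`."""
    pruned = copy.deepcopy(document)
    removed = []
    # Assumed fallback for unmarked top-level elements: 'private' (fail closed).
    _prune(pruned, "private", rank(audience), removed, localname(pruned.tag))
    return pruned, removed

def _prune(elem, inherited, limit, removed, path):
    # An element without its own marking inherits its nearest ancestor's.
    current = elem.get("restriction", inherited)
    for child in list(elem):
        marking = child.get("restriction", current)
        child_path = f"{path}/{localname(child.tag)}"
        if rank(marking) > limit:
            elem.remove(child)  # whole subtree goes; content is never parsed
            removed.append((child_path, marking))
        else:
            _prune(child, marking, limit, removed, child_path)

# Constructed sample: shaped like IODEF 2.0, not validated against the schema.
SAMPLE_IODEF = f"""<IODEF-Document version="2.00" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">2015-0042</IncidentID>
    <GenerationTime>2015-03-23T10:00:00Z</GenerationTime>
    <Contact type="organization" role="creator" restriction="public">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <EventData restriction="private">
      <Description>Analyst notes that must stay inside the team.</Description>
    </EventData>
  </Incident>
</IODEF-Document>"""

def demo(audience):
    """Element names that survive for `audience`, plus what was removed."""
    pruned, removed = redact_for_audience(ET.fromstring(SAMPLE_IODEF), audience)
    return [localname(e.tag) for e in pruned.iter()], removed
```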
   The contents of an IODEF document may include a request for action or
   an IODEF parser may independently have logic to take certain actions
   based on information that it finds.  For this reason, care must be
   taken by the parser to properly authenticate the recipient of the
   document and ascribe an appropriate confidence to the data prior to
   action.

   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time
   Inter-network Defense (RID) protocol [RFC6545] and its associated
   transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such
   security.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10. IANA Considerations

   This document registers a namespace, XML schema, and a number of
   registries that map to enumerated values defined in the schema.

10.1. Namespace and Schema

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.
   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's Address"
      section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

10.2. Enumerated Value Registries

   This document creates xx identically structured registries to be
   managed by IANA:

   o  Name of the parent registry: "Incident Object Description Exchange
      Format v2 (IODEF)"

   o  URL of the registry: http://www.iana.org/assignments/iodef2

   o  Namespace format: A registry entry consists of:

      *  Value.  An enumerated value for a given IODEF attribute.

      *  Description.  A short description of the enumerated value.

      *  Reference.  An optional list of URIs to further describe the
         value.

   o  Allocation policy: Expert Review per [RFC5226]

   The registries to be created are named in the table below in the
   "Registry Name" column.  The initial values for the Value and
   Description fields of a given registry are listed in the "IV (Value)"
   and "IV (Description)" columns respectively.  The "IV (Value)" points
   to a given schema attribute or type per Section 8.  Each enumerated
   value in the schema gets a corresponding entry in a given registry.
   The "IV (Description)" points to a section in the text of this
   document.  The initial value of the Reference field of every registry
   entry described below should be this document.
   +------------------------------+--------------------------+------------------+
   | Registry Name                | IV (Value)               | IV (Description) |
   +------------------------------+--------------------------+------------------+
   | Restriction                  | iodef-restriction-type   | Section 3.3.1    |
   | Incident-purpose             | Incident@purpose         | Section 3.2      |
   | Incident-status              | Incident@status          | Section 3.2      |
   | Contact-role                 | Contact@role             | Section 3.10     |
   | Contact-type                 | Contact@type             | Section 3.10     |
   | RegistryHandle-registry      | RegistryHandle@registry  | Section 3.10.1   |
   | Expectation-action           | iodef:action-type        | Section 3.17     |
   | Discovery-source             | Discovery@source         | Section 3.12     |
   | SystemImpact-type            | SystemImpact@type        | Section 3.14.1   |
   | BusinessImpact-severity      | BusinessImpact@severity  | Section 3.14.2   |
   | BusinessImpact-type          | BusinessImpact@type      | Section 3.14.2   |
   | TimeImpact-metrics           | TimeImpact@metric        | Section 3.14.3   |
   | TimeImpact-duration          | iodef:duration-type      | Section 3.14.3   |
   | NodeRole-category            | NodeRole@category        | Section 3.20.2   |
   | System-category              | System@category          | Section 3.19     |
   | System-ownership             | System@ownership         | Section 3.19     |
   | Address-category             | Address@category         | Section 3.20.1   |
   | Counter-type                 | Counter@type             | Section 3.20.3   |
   | DomainData-system-status     | DomainData@system-status | Section 3.21     |
   | DomainData-domain-status     | DomainData@domain-status | Section 3.21     |
   | RelatedDNS-record-type       | RelatedDNS@record-type   | Section 3.21.1   |
   | RecordPattern-type           | RecordPattern@type       | Section 3.25.2   |
   | RecordPattern-offsetunit     | RecordPattern@offsetunit | Section 3.25.2   |
   | Key-registryaction           | Key@registryaction       | Section 3.26.1   |
   | HashData-scope               | HashData@scope           | Section 3.29     |
   | AdditionalData-dtype         | iodef:dtype-type         | Section 3.9      |
   | EmailHeaderField-proto-dtype | iodef:proto-dtype-type   | Section 3.22.1   |
   +------------------------------+--------------------------+------------------+

               Table 1: IANA Enumerated Value Registries

11. Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12. References

12.1. Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006.

   [W3C.XMLSIG]
              World Wide Web Consortium, "XML Signature Syntax and
              Processing 2.0", W3C Candidate Recommendation, June 2008.
   [IEEE.POSIX]
              Institute of Electrical and Electronics Engineers,
              "Information Technology - Portable Operating System
              Interface (POSIX) - Part 1: Base Definitions", IEEE
              1003.1, June 2001.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC5646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 5646, September 2009.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", BCP 19, RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [RFC-ENUM]
              Montville, A. and D. Black, "IODEF Enumeration Reference
              Format", RFC ENUM, January 2015.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", RFC 3629, November 2003.

   [RFC2781]  Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO
              10646", RFC 2781, February 2000.

   [IANA.Media]
              Internet Assigned Numbers Authority, "Media Types", March
              2015.

12.2. Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
              6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for Comma-
              Separated Values (CSV) File", RFC 4180, October 2005.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", RFC 5226, May 2008.
Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com