| Extended Incident Handling Working Group | R. Danyliw |
| Internet-Draft | CERT |
| Obsoletes: 5070 (if approved) | P. W. Stoecker |
| Intended status: Informational | RSA |
| Expires: November 07, 2013 | May 06, 2013 |
The Incident Object Description Exchange Format
draft-ietf-mile-rfc5070-bis-00
The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.
The IETF has been notified of intellectual property rights claimed in regard to some or all of the specification contained in this document. For more information consult the online list of claimed rights.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 07, 2013.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a bot-network, or sharing watch-lists of known malicious IP addresses in a consortium.
The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs). It provides an XML representation for conveying incident information across administrative domains between parties that have an operational responsibility of remediation or a watch-and-warning over a defined constituency. The data model encodes information about hosts, networks, and the services running on these systems; attack methodology and associated forensic evidence; impact of the activity; and limited approaches for documenting workflow.
The overriding purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Community adoption of the IODEF provides an improved ability to resolve incidents and convey situational awareness by simplifying collaboration and data sharing. This structured format provided by the IODEF allows for:
Coordinating with other CSIRTs is not strictly a technical problem. There are numerous procedural, trust, and legal considerations that might prevent an organization from sharing information. The IODEF does not attempt to address them. However, operational implementations of the IODEF will need to consider this broader context.
Sections 3 and 8 specify the IODEF data model with text and an XML schema. The types used by the data model are covered in Section 2. Processing considerations, the handling of extensions, and internationalization issues related to the data model are covered in Sections 4, 5, and 6, respectively. Examples are listed in Section 7. Section 1 provides the background for the IODEF, and Section 9 documents the security considerations.
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [refs.rfc2119].
Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [refs.requirements].
The normative IODEF data model is specified with the text in Section 3 and the XML schema in Section 8. To help in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.
For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to specific elements and attributes of the IODEF schema. The terms "class" and "element" will be used interchangeably to reference either the corresponding data element in the information or data models, respectively.
The IODEF data model is a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents. A number of considerations were made in the design of the data model.
Further discussion of the desirable properties for the IODEF can be found in the Requirements for the Format for Incident Information Exchange (FINE) [refs.requirements].
The IODEF implementation is specified as an Extensible Markup Language (XML) [refs.xml] Schema [refs.schema] in Section 8.
Implementing the IODEF in XML provides numerous advantages. Its extensibility makes it ideal for specifying a data encoding framework that supports various character encodings. Likewise, the abundance of related technologies (e.g., XSL, XPath, XML-Signature) makes for simplified manipulation. However, XML is fundamentally a text representation, which makes it inherently inefficient when binary data must be embedded or large volumes of data must be exchanged.
The various data elements of the IODEF data model are typed. This section discusses these data types. When possible, native Schema data types were adopted, but for more complicated formats, regular expressions (see Appendix F of [refs.schemadtypes]) or external standards were used.
An integer is represented by the INTEGER data type. Integer data MUST be encoded in Base 10.
The INTEGER data type is implemented as an "xs:integer" [refs.schemadtypes] in the schema.
Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10.
The REAL data type is implemented as an "xs:float" [refs.schemadtypes] in the schema.
A single character is represented by the CHARACTER data type. A character string is represented by the STRING data type. Special characters must be encoded using entity references. See Section 4.1.
The CHARACTER and STRING data types are implement as an "xs:string" [refs.schemadtypes] in the schema.
STRING data that represents multi-character attributes in a language different than the default encoding of the document is of the ML_STRING data type.
The ML_STRING data type is implemented as an "iodef:MLStringType" in the schema.
A binary octet is represented by the BYTE data type. A sequence of binary octets is represented by the BYTE[] data type. These octets are encoded using base64.
The BYTE data type is implemented as an "xs:base64Binary" [refs.schemadtypes] in the schema.
A binary octet is represented by the HEXBIN (and HEXBIN[]) data type. This octet is encoded as a character tuple consisting of two hexadecimal digits.
The HEXBIN data type is implemented as an "xs:hexBinary" [refs.schemadtypes] in the schema.
Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values. Each value has a representative keyword. Within the IODEF schema, the enumerated type keywords are used as attribute values.
The ENUM data type is implemented as a series of "xs:NMTOKEN" in the schema.
Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported.
Date-time strings are formatted according to a subset of ISO 8601:2000 [refs.iso8601] documented in RFC 3339 [refs.rfc3339].
The DATETIME data type is implemented as an "xs:dateTime" [refs.schemadtypes] in the schema.
A timezone offset from UTC is represented by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
The TIMEZONE data type is implemented as an "xs:string" with a regular expression constraint in the schema. This regular expression is identical to the timezone representation implemented in an "xs:dateTime".
A list of network ports are represented by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60".
The PORTLIST data type is implemented as an "xs:string" with a regular expression constraint in the schema.
A postal address is represented by the POSTAL data type. This data type is an ML_STRING whose format is documented in Section 2.23 of RFC 4519 [refs.rfc4519]. It defines a postal address as a free-form multi-line string separated by the "$" character.
The POSTAL data type is implemented as an "xs:string" in the schema.
The name of an individual or organization is represented by the NAME data type. This data type is an ML_STRING whose format is documented in Section 2.3 of RFC 4519 [refs.rfc4519].
The NAME data type is implemented as an "xs:string" in the schema.
A telephone or fax number is represented by the PHONE data type. The format of the PHONE data type is documented in Section 2.35 of RFC 4519 [refs.rfc4519].
The PHONE data type is implemented as an "xs:string" in the schema.
An email address is represented by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 RFC 2822 [refs.rfc2822]
The EMAIL data type is implemented as an "xs:string" in the schema.
A uniform resource locator (URL) is represented by the URL data type. The format of the URL data type is documented in RFC 2396 [refs.url].
The URL data type is implemented as an "xs:anyURI" in the schema.
In this section, the individual components of the IODEF data model will be discussed in detail. For each class, the semantics will be described and the relationship with other classes will be depicted with UML. When necessary, specific comments will be made about corresponding definition in the schema in Section 8
The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class.
+-----------------+
| IODEF-Document |
+-----------------+
| STRING version |<>--{1..*}--[ Incident ]
| ENUM lang |
| STRING formatid |
+-----------------+
Figure 1: IODEF-Document Class
The aggregate class that constitute IODEF-Document is:
The IODEF-Document class has three attributes:
Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data.
+--------------------+
| Incident |
+--------------------+
| ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM lang |<>--{0..1}--[ RelatedActivity ]
| ENUM restriction |<>--{0..1}--[ DetectTime ]
| |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>----------[ ReportTime ]
| |<>--{0..*}--[ Description ]
| |<>--{1..*}--[ Assessment ]
| |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ]
| |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------+
Figure 2: The Incident Class
The aggregate classes that constitute Incident are:
The Incident class has five attributes:
The IncidentID class represents an incident tracking number that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF Document. This identifier would serve as an index into the CSIRT incident handling system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.
+------------------+ | IncidentID | +------------------+ | STRING | | | | STRING name | | STRING instance | | ENUM restriction | +------------------+
Figure 3: The IncidentID Class
The IncidentID class has three attributes:
The AlternativeID class lists the incident tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by another CSIRT. The incident tracking numbers of the CSIRT that generated the IODEF document should never be considered an AlternativeID.
+------------------+
| AlternativeID |
+------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ]
| |
+------------------+
Figure 4: The AlternativeID Class
The aggregate class that constitutes AlternativeID is:
The AlternativeID class has one attribute:
The RelatedActivity class lists either incident tracking numbers of incidents or URLs (not both) that refer to activity related to the one described in the IODEF document. These references may be to local incident tracking numbers or to those of other CSIRTs.
The specifics of how a CSIRT comes to believe that two incidents are related are considered out of scope.
+------------------+
| RelatedActivity |
+------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ]
| |<>--{1..*}--[ URL ]
+------------------+
Figure 5: RelatedActivity Class
The aggregate classes that constitutes RelatedActivity are:
The RelatedActivity class has one attribute:
The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5.
Unlike XML, which is self-describing, atomic data must be documented to convey its meaning. This information is described in the 'meaning' attribute. Since these description are outside the scope of the specification, some additional coordination may be required to ensure that a recipient of a document using the AdditionalData classes can make sense of the custom extensions.
+------------------+ | AdditionalData | +------------------+ | ANY | | | | ENUM dtype | | STRING ext-dtype | | STRING meaning | | STRING formatid | | ENUM restriction | +------------------+
Figure 6: The AdditionalData Class
The AdditionalData class has five attributes:
The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident.
People and organizations are treated interchangeably as contacts; one can be associated with the other using the recursive definition of the class (the Contact class is aggregated into the Contact class). The 'type' attribute disambiguates the type of contact information being provided.
The inheriting definition of Contact provides a way to relate information without requiring the explicit use of identifiers in the classes or duplication of data. A complete point of contact is derived by a particular traversal from the root Contact class to the leaf Contact class. As such, multiple points of contact might be specified in a single instance of a Contact class. Each child Contact class logically inherits contact information from its ancestors.
+------------------+
| Contact |
+------------------+
| ENUM role |<>--{0..1}--[ ContactName ]
| STRING ext-role |<>--{0..*}--[ Description ]
| ENUM type |<>--{0..*}--[ RegistryHandle ]
| STRING ext-type |<>--{0..1}--[ PostalAddress ]
| ENUM restriction |<>--{0..*}--[ Email ]
| |<>--{0..*}--[ Telephone ]
| |<>--{0..1}--[ Fax ]
| |<>--{0..1}--[ Timezone ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ AdditionalData ]
+------------------+
Figure 7: The Contact Class
The aggregate classes that constitute the Contact class are:
At least one of the aggregate classes MUST be present in an instance of the Contact class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.
The Contact class has five attributes:
The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the type attribute specifies the database.
+---------------------+ | RegistryHandle | +---------------------+ | STRING | | | | ENUM registry | | STRING ext-registry | +---------------------+
Figure 8: The RegistryHandle Class
The RegistryHandle class has two attributes:
The PostalAddress class specifies a postal address formatted according to the POSTAL data type [dt_postal_address].
+---------------------+ | PostalAddress | +---------------------+ | POSTAL | | | | ENUM meaning | | ENUM lang | +---------------------+
Figure 9: The PostalAddress Class
The PostalAddress class has two attributes:
The Email class specifies an email address formatted according to EMAIL data type [dt_email].
+--------------+ | Email | +--------------+ | EMAIL | | | | ENUM meaning | +--------------+
Figure 10: The Email Class
The Email class has one attribute:
The Telephone and Fax classes specify a voice or fax telephone number respectively, and are formatted according to PHONE data type [dt_phone].
+--------------------+
| {Telephone | Fax } |
+--------------------+
| PHONE |
| |
| ENUM meaning |
+--------------------+
Figure 11: The Telephone and Fax Classes
The Telephone class has one attribute:
The data model uses five different classes to represent a timestamp. Their definition is identical, but each has a distinct name to convey a difference in semantics.
The element content of each class is a timestamp formatted according to the DATETIME data type (see Section 2.8).
+----------------------------------+
| {Start| End| Report| Detect}Time |
+----------------------------------+
| DATETIME |
+----------------------------------+
Figure 12: The Time Classes
The StartTime class represents the time the incident began.
The EndTime class represents the time the incident ended.
The DetectTime class represents the time the first activity of the incident was detected.
The ReportTime class represents the time the incident was reported. This timestamp SHOULD coincide to the time at which the IODEF document is generated.
The DateTime class is a generic representation of a timestamp. Its semantics should be inferred from the parent class in which it is aggregated.
+------------------+
| Method |
+------------------+
| ENUM restriction |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------+
Figure 13: The Method Class
The Method class describes the methodology used by the intruder to perpetrate the events of the incident. This class consists of a list of references describing the attack method and a free form description of the technique.
The Method class is composed of three aggregate classes.
Either an instance of the Reference or Description class MUST be present.
The Method class has one attribute:
+------------------+
| Reference |
+------------------+
| |<>----------[ ReferenceName ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+------------------+
Figure 14: The Reference Class
The Reference class is a reference to a vulnerability, IDS alert, malware sample, advisory, or attack technique. A reference consists of a name, a URL to this reference, and an optional description.
The aggregate classes that constitute Reference:
The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT's constituency.
This class was derived from the IDMEF[refs.IDMEF].
+------------------+
| Assessment |
+------------------+
| ENUM occurrence |<>--{0..*}--[ Impact ]
| ENUM restriction |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ Counter ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ]
+------------------+
Figure 15: Assessment Class
The aggregate classes that constitute Assessment are:
A least one instance of the possible three impact classes (i.e., Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has four attributes:
The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization.
This class is based on the IDMEF [refs.IDMEF].
+------------------+ | Impact | +------------------+ | ML_STRING | | | | ENUM lang | | ENUM severity | | ENUM completion | | ENUM type | | STRING ext-type | +------------------+
Figure 16: Impact Class
The element content will be a free-form textual description of the impact.
The Impact class has five attributes:
The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time.
+---------------------+
| TimeImpact |
+---------------------+
| REAL |
| |
| ENUM severity |
| ENUM metric |
| STRING ext-metric |
| ENUM duration |
| STRING ext-duration |
+---------------------+
Figure 17: TimeImpact Class
The element content is a positive, floating point (REAL) number specifying a unit of time. The duration and metric attributes will imply the semantics of the element content.
The TimeImpact class has five attributes:
The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished productivity of the staff, or a tarnished reputation that will affect future opportunities.
+------------------+
| MonetaryImpact |
+------------------+
| REAL |
| |
| ENUM severity |
| STRING currency |
+------------------+
Figure 18: MonetaryImpact Class
The element content is a positive, floating point number (REAL) specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes:
The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.10) of the incident activity. This estimate can be expressed as a category or a numeric calculation.
This class if based upon the IDMEF [refs.IDMEF]).
+------------------+
| Confidence |
+------------------+
| REAL |
| |
| ENUM rating |
+------------------+
Figure 19: Confidence Class
The element content expresses a numerical assessment in the confidence of the data when the value of the rating attribute is "numeric". Otherwise, this element should be empty.
The Confidence class has one attribute.
The History class is a log of the significant events or actions performed by the involved parties during the course of handling the incident.
The level of detail maintained in this log is left up to the discretion of those handling the incident.
+------------------+
| History |
+------------------+
| ENUM restriction |<>--{1..*}--[ HistoryItem ]
| |
+------------------+
Figure 20: The History Class
The class that constitutes History is:
The History class has one attribute:
The HistoryItem class is an entry in the History [History] log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form description, but each can be categorized with the type attribute.
+-------------------+
| HistoryItem |
+-------------------+
| ENUM restriction |<>----------[ DateTime ]
| ENUM action |<>--{0..1}--[ IncidentId ]
| STRING ext-action |<>--{0..1}--[ Contact ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------+
Figure 21: HistoryItem Class
The aggregate classes that constitute HistoryItem are:
The HistoryItem class has five attributes:
The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.
+------------------+
| EventData |
+------------------+
| ENUM restriction |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ DetectTime ]
| |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ]
+------------------+
Figure 22: The EventData Class
The aggregate classes that constitute EventData are:
At least one of the aggregate classes MUST be present in an instance of the EventData class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.
The EventData class has two attributes:
There is substantial overlap in the Incident and EventData classes. Nevertheless, the semantics of these classes are quite different. The Incident class provides summary information about the entire incident, while the EventData class provides information about the individual events comprising the incident. In the most common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, it may also be possible that the overall summarized information about the incident conflicts with some individual information in an EventData class when there is a substantial composition of various events in the incident. In such a case, the interpretation of the more specific EventData MUST supersede the more generic information provided in IncidentData.
The EventData class can be thought of as a container for the properties of an event in an incident. These properties include: the hosts involved, impact of the incident activity on the hosts, forensic logs, etc. With an instance of the EventData class, hosts (i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the EventData class (the EventData class is aggregated into the EventData class) provides a way to related information without requiring the explicit use of unique attribute identifiers in the classes or duplicating information. Instead, the relative depth (nesting) of a class is used to group (relate) information.
For example, an EventData class might be used to describe two machines involved in an incident. This description can be achieved using multiple instances of the Flow class. It happens that there is a common technical contact (i.e., Contact class) for these two machines, but the impact (i.e., Assessment class) on them is different. A depiction of the representation for this situation can be found in Figure 23.
+------------------+ | EventData | +------------------+ | |<>----[ Contact ] | | | |<>----[ EventData ]<>----[ Flow ] | | [ ]<>----[ Assessment ] | | | |<>----[ EventData ]<>----[ Flow ] | | [ ]<>----[ Assessment ] +------------------+
Figure 23: Recursion in the EventData Class
+-------------------+
| Expectation |
+-------------------+
| ENUM restriction |<>--{0..*}--[ Description ]
| ENUM severity |<>--{0..1}--[ StartTime ]
| ENUM action |<>--{0..1}--[ EndTime ]
| STRING ext-action |<>--{0..1}--[ Contact ]
+-------------------+
Figure 24: The Expectation Class
The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to purview of the EventData class in which this class is aggregated.
The aggregate classes that constitute Expectation are:
The Expectations class has six attributes:
The Flow class groups related the source and target hosts.
+------------------+
| Flow |
+------------------+
| |<>--{1..*}--[ System ]
+------------------+
Figure 25: The Flow Class
The aggregate class that constitutes Flow is:
The Flow System class has no attributes.
+---------------------+
| System |
+---------------------+
| ENUM restriction |<>----------[ Node ]
| ENUM category |<>--{0..*}--[ Service ]
| STRING ext-category |<>--{0..*}--[ OperatingSystem ]
| STRING interface |<>--{0..*}--[ Counter ]
| ENUM spoofed |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------+
Figure 26: The System Class
The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of "target" or "intermediary", then the machine or service is the one targeted in the activity. A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.
The aggregate classes that constitute System are:
The System class has six attributes:
The Node class names a system (e.g., PC, router) or network.
This class was derived from the IDMEF [refs.IDMEF].
+---------------+
| Node |
+---------------+
| |<>--{0..*}--[ NodeName ]
| |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ Location ]
| |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ Counter ]
+---------------+
Figure 27: The Node Class
The aggregate classes that constitute Node are:
The Counter class summarize multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events).
The value of the counter is the element content with its units represented in the type attribute. A rate for a given feature can be expressed by setting the duration attribute. The complete semantics are entirely context dependant based on the class in which the Counter is aggregated.
+---------------------+ | Counter | +---------------------+ | REAL | | | | ENUM type | | STRING ext-type | | STRING meaning | | ENUM duration | | STRING ext-duration | +---------------------+
Figure 28: The Counter Class
The Counter class has three attribute:
The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.
This class was derived from the IDMEF [refs.IDMEF].
+---------------------+ | Address | +---------------------+ | ENUM category | | STRING ext-category | | STRING vlan-name | | INTEGER vlan-num | +---------------------+
Figure 29: The Address Class
The Address class has five attributes:
The NodeRole class describes the intended function performed by a particular host.
+---------------------+
| NodeRole |
+---------------------+
| ENUM category |
| STRING ext-category |
| ENUM lang |
+---------------------+
Figure 30: The NodeRole Class
The NodeRole class has three attributes:
The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port.
When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating. Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.
This class was derived from the IDMEF [refs.IDMEF].
+---------------------+
| Service |
+---------------------+
| INTEGER ip_protocol |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ]
| |<>--{0..1}--[ Application ]
+---------------------+
Figure 31: The Service Class
The aggregate classes that constitute Service are:
Either a Port or Portlist class MUST be specified for a given instance of a Service class.
For a given source, System@type="source", a corresponding target, System@type="target", maybe defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n-ports are listed for a source, n-ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many, the exact order in which the System classes are enumerated in the Flow class is significant.
The Service class has three attributes:
The Application class describes an application running on a System providing a Service.
+--------------------+
| Application |
+--------------------+
| STRING swid |<>--{0..1}--[ URL ]
| STRING configid |
| STRING vendor |
| STRING family |
| STRING name |
| STRING version |
| STRING patch |
+--------------------+
Figure 32: The Application Class
The aggregate class that constitute Application is:
The Application class has seven attributes:
The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class [Application].
The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs should substantiate the activity described in the document.
+------------------+
| Record |
+------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ]
+------------------+
Figure 33: Record Class
The aggregate class that constitutes Record is:
The Record class has one attribute:
The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.
+------------------+
| RecordData |
+------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ]
| |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ]
| |<>--{0..1}--[ HashInformation ]
| |<>--{0..*}--[ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ AdditionalData ]
+------------------+
Figure 34: The RecordData Class
The aggregate classes that constitutes RecordData is:
The RecordData class has three attribute:
The RecordPattern class describes where in the content of the RecordItem relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.
+-----------------------+ | RecordPattern | +-----------------------+ | STRING | | | | ENUM type | | STRING ext-type | | INTEGER offset | | ENUM offsetunit | | STRING ext-offsetunit | | INTEGER instance | +-----------------------+
Figure 35: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in the body of the element. It is further annotated by four attributes:
The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. The class supports both the direct encapsulation of the data, as well as, provides primitives to reference data stored elsewhere.
This class is identical to AdditionalData class [AdditionalData].
The Registry Key Modified class represents operating system regsitry keys that have been modified as part and may constitue an indicator of compromise.
+-----------------------+ | Regsitry Key Modified | +-----------------------+ | |<>----------[ Key ] +-----------------------+
Figure 36: The Registry Key Modified Class
The aggregate class that constitutes the Registry Key Modified class is:
The Key class shows name and value pairs representing an operating system registry key and its value. The key and value are encoded as in Microsoft .reg files.
+--------------------------+
| Key |
+--------------------------+
| ENUM regsitryaction |<>--{0..*}--[ KeyName ]
| STRING ext-category |<>--{0..*}--[ Value ]
| ENUM type |
| STRING ext-type |
| STRING indicator-uid |
| STRING inidicator-set-id |
+--------------------------+
Figure 37: The Key Class
The aggregate classes that constitutes Key are:
The Key class has six attributes:
This class are the hash and signature details that are needed for providing context for indicators.
+--------------------------+
| HashSigDetails |
+--------------------------+
| ENUM type |<>--{0..*}--[ FileName ]
| STRING ext-category |<>--{0..*}--[ FileSize ]
| BOOL valid |<>--{0..*}--[ds:Signature]
| STRING indicator-uid |<>--{0..*}--[ds:KeyInfo]
| STRING inidicator-set-id |<>--{0..*}--[ds:Reference]
+--------------------------+
Figure 38: The Hash Sig Details Class
The aggregate classes that constitute HashSigDetails are:
The HashSigDetails class has five attributes:
This section defines additional requirements on creating and parsing IODEF documents.
Every IODEF document MUST begin with an XML declaration, and MUST specify the XML version used. If UTF-8 encoding is not used, the character encoding MUST also be explicitly specified. The IODEF conforms to all XML data encoding conventions and constraints.
The XML declaration with no character encoding will read as follows:
<?xml version="1.0" ?>
When a character encoding is specified, the XML declaration will read like the following:
<?xml version="1.0" encoding="charset" ?>
Where "charset" is the name of the character encoding as registered with the Internet Assigned Numbers Authority (IANA), see [refs.iana].
The following characters have special meaning in XML and MUST be escaped with their entity reference equivalent: "&", "<", ">", "\"" (double quotation mark), and "'" (apostrophe). These entity references are "&", "<", ">", """, and "'" respectively.
<IODEF-Document version="1.00" lang="en-US" xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0" xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-1.0"
The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-1.0" and registers it per [refs.xmlns]. Each IODEF document SHOULD include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute. An example of such a declaration would look as follows:
The IODEF documents MUST be well-formed XML and SHOULD be validated against the schema described in Section 8. However, mere conformance to the schema is not sufficient for a semantically valid IODEF document. There is additional specification in the text of Section 3 that cannot be readily encoded in the schema and it must also be considered by an IODEF parser. The following is a list of discrepancies in what is more strictly specified in the normative text (Section 3), but not enforced in the IODEF schema:
In order to support the changing activity of CSIRTS, the IODEF data model will need to evolve along with them. This section discusses how new data elements that have no current representation in the data model can be incorporated into the IODEF. These techniques are designed so that adding new data will not require a change to the IODEF schema. With proven value, well documented extensions can be incorporated into future versions of the specification. However, this approach also supports private extensions relevant only to a closed consortium.
The data model supports a means by which to add new enumerated values to an attribute. For each attribute that supports this extension technique, there is a corresponding attribute in the same element whose name is identical, less a prefix of "ext-". This special attribute is referred to as the extension attribute, and the attribute being extended is referred to as an extensible attribute. For example, an extensible attribute named "foo" will have a corresponding extension attribute named "ext-foo". An element may have many extensible, and therefore many extension, attributes.
In addition to a corresponding extension attribute, each extensible attribute has "ext-value" as one its possible values. This particular value serves as an escape sequence and has no valid meaning.
<Impact type="ext-value" ext-type="new-attack-type">
In order to add a new enumerated value to an extensible attribute, the value of this attribute MUST be set to "ext-value", and the new desired value MUST be set in the corresponding extension attribute. For example, an extended instance of the type attribute of the Impact class would look as follows:
A given extension attribute MUST NOT be set unless the corresponding extensible attribute has been set to "ext-value".
The classes of the data model can be extended only through the use of the AdditionalData and RecordItem classes. These container classes, collectively referred to as the extensible classes, are implemented with the iodef:ExtensionType data type in the schema. They provide the ability to have new atomic or XML-encoded data elements in all of the top-level classes of the Incident class and a few of the more complicated subordinate classes. As there are multiple instances of the extensible classes in the data model, there is discretion on where to add a new data element. It is RECOMMENDED that the extension be placed in the most closely related class to the new information.
Extensions using the atomic data types (i.e., all values of the dtype attributes other than "xml") MUST:
The following guidelines exist for extensions using XML:
The following schema and XML document excerpt provide a template for an extension schema and its use in the IODEF document.
<xs:schema
targetNamespace="iodef-extension1.xsd"
xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
attributeFormDefault="unqualified"
elementFormDefault="qualified">
<xs:import
namespace="urn:ietf:params:xml:ns:iodef-1.0"
schemaLocation=" urn:ietf:params:xml:schema:iodef-1.0"/>
<xs:element name="newdata" type="xs:string" />
</xs:schema>
This example schema defines a namespace of "iodef-extension1" and a single element named "newdata".
<IODEF-Document
version="1.00" lang="en-US"
xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef=" urn:ietf:params:xml:ns:iodef-1.0"
xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting">
...
<AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata>
Field that could not be represented elsewhere
</iodef-extension1:newdata>
</AdditionalData>
</IODEF-Document
The following XML excerpt demonstrates the use of the above schema as an extension to the IODEF.
Internationalization and localization is of specific concern to the IODEF, since it is only through collaboration, often across language barriers, that certain incidents be resolved. The IODEF supports this goal by depending on XML constructs, and through explicit design choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports all the different character encodings, such as UTF-8 and UTF-16, possible with XML. Additionally, each IODEF document MUST specify the language in which their contents are encoded. The language can be specified with the attribute "xml:lang" (per Section 2.12 of [refs.xml]) in the top-level element (i.e., IODEF-Document@lang) and letting all other elements inherit that definition. All IODEF classes with a free-form text definition (i.e., all those defined of type iodef:MLStringType) can also specify a language different from the rest of the document. The valid language codes for the "xml:lang" attribute are described in RFC 4646 [refs.rfc4646].
The data model supports multiple translations of free-form text. In the places where free-text is used for descriptive purposes, the given class always has a one-to-many cardinality to its parent (e.g., Description class). The intent is to allow the identical text to be encoded in different instances of the same class, but each being in a different language. This approach allows an IODEF document author to send recipients speaking different languages an identical document. The IODEF parser SHOULD extract the appropriate language relevant to the recipient.
While the intent of the data model is to provide internationalization and localization, the intent is not to do so at the detriment of interoperability. While the IODEF does support different languages, the data model also relies heavily on standardized enumerated attributes that can crudely approximate the contents of the document. With this approach, a CSIRT should be able to make some sense of an IODEF document it receives even if the text based data elements are written in a language unfamiliar to the analyst.
This section provides examples of an incident encoded in the IODEF. These examples do not necessarily represent the only way to encode a particular incident.
An example of a CSIRT reporting an instance of the Code Red worm.
<?xml version="1.0" encoding="UTF-8"?>
<!-- This example demonstrates a report for a very
old worm (Code Red) -->
<IODEF-Document version="1.00" lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
<Incident purpose="reporting">
<IncidentID name="csirt.example.com">189493</IncidentID>
<ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
<Description>Host sending out Code Red probes</Description>
<!-- An administrative privilege was attempted, but failed -->
<Assessment>
<Impact completion="failed" type="admin"/>
</Assessment>
<Contact role="creator" type="organization">
<ContactName>Example.com CSIRT</ContactName>
<RegistryHandle registry="arin">example-com</RegistryHandle>
<Email>contact@csirt.example.com</Email>
</Contact>
<EventData>
<Flow>
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.200</Address>
<Counter type="event">57</Counter>
</Node>
</System>
<System category="target">
<Node>
<Address category="ipv4-net">192.0.2.16/28</Address>
</Node>
<Service ip_protocol="6">
<Port>80</Port>
</Service>
</System>
</Flow>
<Expectation action="block-host" />
<!-- <RecordItem> has an excerpt from a log -->
<Record>
<RecordData>
<DateTime>2001-09-13T18:11:21+02:00</DateTime>
<Description>Web-server logs</Description>
<RecordItem dtype="string">
192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
</RecordItem>
<!-- Additional logs -->
<RecordItem dtype="url">
http://mylogs.example.com/logs/httpd_access</RecordItem>
</RecordData>
</Record>
</EventData>
<History>
<!-- Contact was previously made with the source network owner -->
<HistoryItem action="contact-source-site">
<DateTime>2001-09-14T08:19:01+00:00</DateTime>
<Description>Notification sent to
constituency-contact@192.0.2.200</Description>
</HistoryItem>
</History>
</Incident>
</IODEF-Document>
An example of a CSIRT reporting a scanning activity.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example describes reconnaissance activity: one-to-one and
one-to-many scanning -->
<IODEF-Document version="1.00" lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
<Incident purpose="reporting">
<IncidentID name="csirt.example.com">59334</IncidentID>
<ReportTime>2006-08-02T05:54:02-05:00</ReportTime>
<Assessment>
<Impact type="recon" completion="succeeded" />
</Assessment>
<Method>
<!-- Reference to the scanning tool "nmap" -->
<Reference>
<ReferenceName>nmap</ReferenceName>
<URL>http://nmap.toolsite.example.com</URL>
</Reference>
</Method>
<!-- Organizational contact and that for staff in that
organization -->
<Contact role="creator" type="organization">
<ContactName>CSIRT for example.com</ContactName>
<Email>contact@csirt.example.com</Email>
<Telephone>+1 412 555 12345</Telephone>
<!-- Since this <Contact> is nested, Joe Smith is part of the
CSIRT for example.com -->
<Contact role="tech" type="person" restriction="need-to-know">
<ContactName>Joe Smith</ContactName>
<Email>smith@csirt.example.com</Email>
</Contact>
</Contact>
<EventData>
<!-- Scanning activity as follows:
192.0.2.1:60524 >> 192.0.2.3:137
192.0.2.1:60526 >> 192.0.2.3:138
192.0.2.1:60527 >> 192.0.2.3:139
192.0.2.1:60531 >> 192.0.2.3:445
-->
<Flow>
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.200</Address>
</Node>
<Service ip_protocol="6">
<Portlist>60524,60526,60527,60531</Portlist>
</Service>
</System>
<System category="target">
<Node>
<Address category="ipv4-addr">192.0.2.201</Address>
</Node>
<Service ip_protocol="6">
<Portlist>137-139,445</Portlist>
</Service>
</System>
</Flow>
<!-- Scanning activity as follows:
192.0.2.2 >> 192.0.2.3/28:445 -->
<Flow>
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.240</Address>
</Node>
</System>
<System category="target">
<Node>
<Address category="ipv4-net">192.0.2.64/28</Address>
</Node>
<Service ip_protocol="6">
<Port>445</Port>
</Service>
</System>
</Flow>
</EventData>
</Incident>
</IODEF-Document>
An example of a CSIRT reporting a bot-network.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example describes a compromise and subsequent installation
of bots -->
<IODEF-Document version="1.00" lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
<Incident purpose="mitigation">
<IncidentID name="csirt.example.com">908711</IncidentID>
<ReportTime>2006-06-08T05:44:53-05:00</ReportTime>
<Description>Large bot-net</Description>
<Assessment>
<Impact type="dos" severity="high" completion="succeeded" />
</Assessment>
<Method>
<!-- References a given piece of malware, "GT Bot" -->
<Reference>
<ReferenceName>GT Bot</ReferenceName>
</Reference>
<!-- References the vulnerability used to compromise the
machines -->
<Reference>
<ReferenceName>CA-2003-22</ReferenceName>
<URL>http://www.cert.org/advisories/CA-2003-22.html</URL>
<Description>Root compromise via this IE vulnerability to
install the GT Bot</Description>
</Reference>
</Method>
<!-- A member of the CSIRT that is coordinating this
incident -->
<Contact type="person" role="irt">
<ContactName>Joe Smith</ContactName>
<Email>jsmith@csirt.example.com</Email>
</Contact>
<EventData>
<Description>These hosts are compromised and acting as bots
communicating with irc.example.com.</Description>
<Flow>
<!-- bot running on 192.0.2.1 and sending DoS traffic at
10,000 bytes/second -->
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.1</Address>
</Node>
<Counter type="byte" duration="second">10000</Counter>
<Description>bot</Description>
</System>
<!-- a second bot on 192.0.2.3 -->
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.3</Address>
</Node>
<Counter type="byte" duration="second">250000</Counter>
<Description>bot</Description>
</System>
<!-- Command-and-control IRC server for these bots-->
<System category="intermediate">
<Node>
<NodeName>irc.example.com</NodeName>
<Address category="ipv4-addr">192.0.2.20</Address>
<DateTime>2006-06-08T01:01:03-05:00</DateTime>
</Node>
<Description>IRC server on #give-me-cmd channel</Description>
</System>
</Flow>
<!-- Request to take these machines offline -->
<Expectation action="investigate">
<Description>Confirm the source and take machines off-line and
remediate</Description>
</Expectation>
</EventData>
</Incident>
</IODEF-Document>
An example of a CSIRT conveying a watch-list.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example demonstrates a trivial IP watch-list -->
<!-- @formatid is set to "watch-list-043" to demonstrate how additional
semantics about this document could be conveyed assuming both
parties understood it-->
<IODEF-Document version="1.00" lang="en" formatid="watch-list-043"
xmlns="urn:ietf:params:xml:ns:iodef-1.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
<Incident purpose="reporting" restriction="private">
<IncidentID name="csirt.example.com">908711</IncidentID>
<ReportTime>2006-08-01T00:00:00-05:00</ReportTime>
<Description>Watch-list of known bad IPs or networks</Description>
<Assessment>
<Impact type="admin" completion="succeeded" />
<Impact type="recon" completion="succeeded" />
</Assessment>
<Contact type="organization" role="creator">
<ContactName>CSIRT for example.com</ContactName>
<Email>contact@csirt.example.com</Email>
</Contact>
<!-- Separate <EventData> used to convey different <Expectation> -->
<EventData>
<Flow>
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.53</Address>
</Node>
<Description>Source of numerous attacks</Description>
</System>
</Flow>
<!-- Expectation class indicating that sender of list would like
to be notified if activity from the host is seen -->
<Expectation action="contact-sender" />
</EventData>
<EventData>
<Flow>
<System category="source">
<Node>
<Address category="ipv4-net">192.0.2.16/28</Address>
</Node>
<Description>
Source of heavy scanning over past 1-month
</Description>
</System>
</Flow>
<Flow>
<System category="source">
<Node>
<Address category="ipv4-addr">192.0.2.241</Address>
</Node>
<Description>C2 IRC server</Description>
</System>
</Flow>
<!-- Expectation class recommends that these networks
be filtered -->
<Expectation action="block-host" />
</EventData>
</Incident>
</IODEF-Document>
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-1.40"
xmlns="urn:ietf:params:xml:ns:iodef-1.40"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.40"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:annotation>
<xs:documentation>
Incident Object Description Exchange Format v1.11, RFC5070-bis
</xs:documentation>
</xs:annotation>
<!-- CHANGE: See above addition of xmlns:ds and import of same
namespace. This is to use the digital signature hash inclusion
of a file by referencing the existing standard as was done in
RFC5901, RFC3275 is the reference, see RFC5901 section 5.9.5.2
-->
<!--
====================================================================
=== List of changes ===
====================================================================
CHANGE - new indicator values in the schema
The purpose of the proposed changes is to include commonly shared
indicators in the base IODEF schema. This class will contain
indicators from the list below that are not represented elsewhere
in the schema. IODEF extensions or embedded schemas via the SCI
classes will be required to include additional data types.
A table could be maintained through IANA to extend or change this
class in between IODEF revisions.
RFC5901 provides a method to include an entire email, the following
included indicators are ones commonly used when you do not need the
entire email
The following are in the Service Class:
Email address
Email subject
X-Mailer
The following are in the Record class:
File Name
File Hash - 5.9.5.2 - using ds:reference
WindowsRegistryKey - using method from RFC5901
The following are now in the Node class as a proposed location.
URL
HTTPUserAgent is included as a SoftwareType
HTTP User Agent String
The following are already represented elsewhere in the schema (Node):
IP address
Network CIDR / ASN
Host Name
Domain Name (additional options for RFC5901 were not included in
this revision - can include point-in-time dig info)
-->
<!--
====================================================================
== IODEF-Document class ==
====================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version"
type="xs:string" fixed="1.00"/>
<xs:attribute name="lang"
type="xs:language" use="required"/>
<xs:attribute name="formatid"
type="xs:string"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Incident class ===
====================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:choice>
<xs:element ref="iodef:IncidentID"/>
<!-- CHANGE - the incidentID can still be used,
but when you have a set of indictaors or include
a watch list, a ReportID may be preferred. If
this is agreed upon, do we make them both unique
so the same key can be used in databases? This
should not be used as your index value unless you
are the issueing entity. -->
<xs:element ref="iodef:ReportID"/>
</xs:choice>
<xs:element ref="iodef:AlternativeID"
minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:ReportTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:History"
minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="lang"
type="xs:language"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="private"/>
<!-- CHANGE - adding an attribute to mark sets of indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
== IncidentID class ==
====================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name"
type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="public"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
====================================================================
== ReportID class ==
====================================================================
-->
<xs:element name="ReportID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
== AlternativeID class ==
====================================================================
-->
<xs:element name="AlternativeID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
== RelatedActivity class ==
====================================================================
-->
<xs:element name="RelatedActivity">
<xs:complexType>
<xs:choice>
<xs:element ref="iodef:IncidentID"
maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
maxOccurs="unbounded"/>
</xs:choice>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== AdditionalData class ===
====================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!--
====================================================================
=== Contact class ===
====================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress"
minOccurs="0"/>
<xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Fax"
minOccurs="0"/>
<xs:element ref="iodef:Timezone"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!-- CHANGE - UML states the type disambiguates the type of Name
person or organization. Do we want this added to the schema? -->
<xs:element name="ContactName"
type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="registry">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/>
<xs:complexType name="ContactMeansType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
====================================================================
=== Time-based classes ===
====================================================================
-->
<xs:element name="DateTime"
type="xs:dateTime"/>
<xs:element name="ReportTime"
type="xs:dateTime"/>
<xs:element name="DetectTime"
type="xs:dateTime"/>
<xs:element name="StartTime"
type="xs:dateTime"/>
<xs:element name="EndTime"
type="xs:dateTime"/>
<xs:element name="Timezone"
type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<!--
====================================================================
=== History class ===
====================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="default"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- CHANGE: Including an indicator set ID that may be used
to detail changes int he history class as it relates to
indicators or sets.
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Expectation class ===
====================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="default"/>
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<!-- CHANGE - adding indicator set id to connect the reference
to the appropriate set of indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Method class ===
====================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Reference"/>
<xs:element ref="iodef:Description"/>
</xs:choice>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Reference class ===
====================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element name="ReferenceName"
type="iodef:MLStringType"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<!-- CHANGE: Do we want an indicator_set_id here to connect
data in the reference class to specific indicators?
is there a better way to do this?
Should the indicator_uid be used to mark data so that
you have a way to limit who you share that data with
in products?
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- Adding in Attack Type -->
<xs:attribute name="attacktype" type="att-type" use="optional"/>
<xs:attribute name="ext-attacktype"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Assessment class ===
====================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:Impact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<!-- CHANGE: Including an indicator set ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations.
May need separate confidence ratings for different indicators.
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Impact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="completion">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type"
use="optional" default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<!-- CHANGE question: do we wnt to allow multiple values
to be selected in case it is a combination? -->
<xs:enumeration value="admin"/>
<xs:enumeration value="dos"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="file"/>
<xs:enumeration value="info-leak"/>
<xs:enumeration value="misconfiguration"/>
<xs:enumeration value="recon"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="social-engineering"/>
<xs:enumeration value="user"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="metric"
use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity"
type="iodef:severity-type"/>
<xs:attribute name="currency"
type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType mixed="true">
<xs:attribute name="rating" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== EventData class ===
====================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime"
minOccurs="0"/>
<xs:element ref="iodef:StartTime"
minOccurs="0"/>
<xs:element ref="iodef:EndTime"
minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record"
minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="default"/>
<!-- CHANGE - adding an attribute to mark sets of indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Flow class ===
====================================================================
-->
<!-- Added System unbounded for use only when the source or target watchlist is in use, otherwise only one system entry is expected. -->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== System class ===
====================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<xs:attribute name="interface"
type="xs:string"/>
<xs:attribute name="category">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<!-- CHANGE - adding two new values to cover watchlist groups -->
<xs:enumeration value="watchlist-source"/>
<xs:enumeration value="watchlist-target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<!-- CHANGE - adding an attribute to mark sets of indicators -->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="spoofed"
default="unknown">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="unknown"/>
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Node class ===
====================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element name="NodeName"
type="iodef:MLStringType" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
<!-- Proposed CHANGE: include a URI indicator.
Common complaint that URIs were only in the
IODEF schema as references and not part of the
incident or included indicators.
Included right now as an address type, below is a
second option for how to add it.
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
-->
</xs:choice>
<xs:element ref="iodef:Location"
minOccurs="0"/>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category" default="ipv4-addr">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<!-- CHANGE - added uri type for site url/uris -->
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name"
type="xs:string"/>
<xs:attribute name="vlan-num"
type="xs:integer"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:MLStringType">
<xs:attribute name="category" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="log"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="attacktype" type="att-type" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== Service Class ===
====================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:choice minOccurs="0">
<xs:element name="Port"
type="xs:integer"/>
<xs:element name="Portlist"
type="iodef:PortlistType"/>
</xs:choice>
<xs:element name="ProtoType"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoCode"
type="xs:integer" minOccurs="0"/>
<xs:element name="ProtoField"
type="xs:integer" minOccurs="0"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<!-- CHANGE - email from address indicator, may be better as a sub class?
CHANGED to a sub-class
Would only make sense with the service set to email ports
or none at all here or a new class. -->
<xs:element name="EmailInfo" type="EmailDetails" minOccurs="0"/>
<!-- CHANGE - added DomainData class and subclasses from RFC5901 -->
<xs:element ref="iodef:DomainData" minOccurs="0"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="ip_protocol"
type="xs:integer" use="required"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- CHANGE: Including an indicator set ID that may be used
to detail changes int he history class as it relates to
indicators or sets.
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<!--
====================================================================
=== Counter class ===
====================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:double">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration"
type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<!--
====================================================================
=== EMailDetails class ===
====================================================================
-->
<!-- CHANGE: added the email details in a subclass for use when you
do not need all of the email details provided in the RFC5901 or ARF
extensions. No extension mechanism here, is it needed?
Possible to create an IANA table to extend this class if needed
in the future outside of schema edit cycles -->
<xs:complexType name="EmailDetails">
<xs:sequence>
<!-- Email is the From email -->
<xs:element ref="Email" minOccurs="0"/>
<xs:element name="EmailSubject"
type="iodef:MLStringType" minOccurs="0"/>
<xs:element name="X-Mailer"
type="iodef:MLStringType" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
</xs:complexType>
<!--
====================================================================
=== DomainData class - from RFC5901 ===
====================================================================
-->
<xs:element name="DomainData">
<xs:complexType id="DomainData.type">
<xs:sequence>
<xs:element maxOccurs="1"
name="Name" type="iodef:MLStringType"/>
<xs:element maxOccurs="1" minOccurs="0"
name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:element maxOccurs="1" minOccurs="0" name="RegistrationDate"
type="xs:dateTime"/>
<xs:element maxOccurs="1" minOccurs="0" name="ExpirationDate"
type="xs:dateTime"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/>
<xs:element maxOccurs="unbounded" minOccurs="0"
name="Nameservers">
<xs:complexType id="Nameservers.type">
<xs:sequence>
<xs:element name="Server" type="iodef:MLStringType"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:choice id="DomainContacts" maxOccurs="1" minOccurs="0">
<xs:element name="SameDomainContact"
type="iodef:MLStringType"/>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="iodef:Contact"/>
</xs:sequence>
</xs:choice>
</xs:sequence>
<xs:attribute name="SystemStatus">
<xs:simpleType id="SystemStatus.type">
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="DomainStatus">
<xs:simpleType id="DomainStatus.type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="RelatedDNS"
type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="RecordType" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="A"/>
<xs:enumeration value="AAAA"/>
<xs:enumeration value="AFSDB"/>
<xs:enumeration value="APL"/>
<xs:enumeration value="AXFR"/>
<xs:enumeration value="CAA"/>
<xs:enumeration value="CERT"/>
<xs:enumeration value="CNAME"/>
<xs:enumeration value="DHCID"/>
<xs:enumeration value="DLV"/>
<xs:enumeration value="DNAME"/>
<xs:enumeration value="DNSKEY"/>
<xs:enumeration value="DS"/>
<xs:enumeration value="HIP"/>
<xs:enumeration value="IXFR"/>
<xs:enumeration value="IPSECKEY"/>
<xs:enumeration value="LOC"/>
<xs:enumeration value="MX"/>
<xs:enumeration value="NAPTR"/>
<xs:enumeration value="NS"/>
<xs:enumeration value="NSEC"/>
<xs:enumeration value="NSEC3"/>
<xs:enumeration value="NSEC3PARAM"/>
<xs:enumeration value="OPT"/>
<xs:enumeration value="PTR"/>
<xs:enumeration value="RRSIG"/>
<xs:enumeration value="RP"/>
<xs:enumeration value="SIG"/>
<xs:enumeration value="SOA"/>
<xs:enumeration value="SPF"/>
<xs:enumeration value="SRV"/>
<xs:enumeration value="SSHFP"/>
<xs:enumeration value="TA"/>
<xs:enumeration value="TKEY"/>
<xs:enumeration value="TLSA"/>
<xs:enumeration value="TSIG"/>
<xs:enumeration value="TXT"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
====================================================================
=== Record class ===
====================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData"
maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"
minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application"
minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<!-- Added a minOccurs of 0 since you can just have HashInformation now -->
<xs:element ref="iodef:RecordItem" minOccurs="0"
maxOccurs="unbounded"/>
<!-- CHANGE: Class to represent file and hash or digital signature
information -->
<xs:element name="HashInformation" type="HashSigDetails"
minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Windows Registry Key Modifications:
Here, we include the classes from iodef-phish, to
prevent the need to pull in the full schema.
Ensure reference to RFC5901 Section 5.9.7 remains
included in UML description.
-->
<xs:element name="WindowsRegistryKeysModified" type="RegistryKeyModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
<!-- CHANGE: Including a unique ID for an indicator.
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for sets of indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type" use="required">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
use="optional" default="line">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="RecordItem"
type="iodef:ExtensionType"/>
<!--
====================================================================
=== Class to describe Windows Registry Keys ===
====================================================================
-->
<xs:complexType name="RegistryKeyModified">
<xs:sequence>
<xs:element name="Key" maxOccurs="unbounded">
<xs:complexType>
<xs:sequence>
<!-- Allows for the value to be optional for cases such as,
the registry key was deleted -->
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add_key"/>
<xs:enumeration value="add_value"/>
<xs:enumeration value="delete_key"/>
<xs:enumeration value="delete_value"/>
<xs:enumeration value="modify_key"/>
<xs:enumeration value="modify_value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<!-- CHANGE: Including the ability to set the grouping as a watchlist. -->
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="watchlist"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<!-- CHANGE: Including a unique ID for indicators, may be
used to connect indicators in different representations
-->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<!-- CHANGE: Including an indicator set ID that may be used
to detail changes in the history class as it relates to
indicators or sets.
-->
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- CHANGE: Should this be broken out as another class
for WindowsRegistryKeyModified and add attributes
for indicator_ID and action - add_value, removes_value, etc.
as is demonstrated?
-->
<!--
====================================================================
=== Classes that describe hash types, file information ===
=== with certificate properties and digital signature info ===
=== provided through the W3C digital signature schema ===
=== so it does not need to be maintained here. ===
====================================================================
-->
<xs:complexType name="HashSigDetails">
<xs:sequence>
<xs:element name="FileName"
type="iodef:MLStringType" minOccurs="0" maxOccurs="unbounded"/>
<!-- QUESTION: For FileSize, need to specify the unit this is provided in
assume kb? -->
<xs:element name="FileSize"
type="xs:integer" minOccurs="0" maxOccurs="unbounded"/>
<!-- CHANGE: Represent file hash information via digsig schema
and the Reference class. You may need any of the other classes
and in particular the KeyInfo (see RFC3275 sect 4.4.4 and 4.4.5),
which has been added. KeyName, KeyValue, SignatureProperties
classes may be useful, so Signature was added, but you can use
KeyInfo and Reference directly to avoid some bloat. -->
<xs:element ref="ds:Signature" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:KeyInfo" minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="ds:Reference" minOccurs="0" maxOccurs="unbounded"/>
<!-- QUESTION: Do we want an AdditionalData here? -->
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<!-- W3C digsig should be used to denote PGP or PKI -->
<xs:enumeration value="PKI_email_ds"/>
<xs:enumeration value="PKI_file_ds"/>
<xs:enumeration value="PKI_email_ds_watchlist"/>
<xs:enumeration value="PKI_file_ds_watchlist"/>
<xs:enumeration value="PGP_email_ds"/>
<xs:enumeration value="PGP_file_ds"/>
<xs:enumeration value="PGP_email_ds_watchlist"/>
<xs:enumeration value="PGP_file_ds_watchlist"/>
<!-- hash of the file or email and not a digital signature hash -->
<xs:enumeration value="file_hash"/>
<xs:enumeration value="email_hash"/>
<xs:enumeration value="file_hash_watchlist"/>
<xs:enumeration value="email_hash_watchlist"/>
<!-- QUESTION: Are values needed to differentiate the key information
shared when the ds:KeyInfo class is referenced? -->
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<!-- Adding a boolean yes/no, 0/1option to indicate if the
signature or hash is valid -->
<xs:attribute name="valid" type="xs:boolean" use="optional"></xs:attribute>
<!-- Indicator-uid and indicator-set-id to connect to the related
file or email indicators outside of this class -->
<xs:attribute name="indicator-uid"
type="xs:string" use="optional"/>
<xs:attribute name="indicator-set-id"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
<!--
====================================================================
=== Classes that describe software ===
====================================================================
-->
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:URL"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="swid"
type="xs:string" default="0"/>
<xs:attribute name="configid"
type="xs:string" default="0"/>
<xs:attribute name="vendor"
type="xs:string"/>
<xs:attribute name="family"
type="xs:string"/>
<xs:attribute name="name"
type="xs:string"/>
<!-- CHANGE: Should UserAgent or HTTPUserAgent fit in
SoftwareTypes? This is typically intended to mean
servers, but the category seems more appropriate
than others.
-->
<xs:attribute name="user-agent"
type="xs:string"/>
<xs:attribute name="version"
type="xs:string"/>
<xs:attribute name="patch"
type="xs:string"/>
</xs:complexType>
<xs:element name="Application"
type="iodef:SoftwareType"/>
<xs:element name="OperatingSystem"
type="iodef:SoftwareType"/>
<!--
====================================================================
=== Miscellaneous simple classes ===
====================================================================
-->
<xs:element name="Description"
type="iodef:MLStringType"/>
<xs:element name="URL"
type="xs:anyURI"/>
<!--
====================================================================
=== Data Types ===
====================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="lang"
type="xs:language" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:complexType name="ExtensionType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string"/>
<xs:attribute name="formatid"
type="xs:string"/>
<xs:attribute name="restriction"
type="iodef:restriction-type"/>
</xs:complexType>
<!--
====================================================================
=== Global attribute type declarations ===
====================================================================
-->
<xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/>
<xs:enumeration value="public"/>
<xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="att-type">
<xs:restriction base="xs:NMTOKEN">
<!-- CHANGE - added two values per July IETF discussion
adding command and control server and sink hole
bringing forward the 'FraudType' from RFC5901
-->
<xs:enumeration value="c2-server"/>
<xs:enumeration value="sink-hole"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="phishing"/>
<xs:enumeration value="spear-phishing"/>
<xs:enumeration value="recruiting"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="dns-spoof"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
The IODEF data model itself does not directly introduce security issues. Rather, it simply defines a representation for incident information. As the data encoded by the IODEF might be considered privacy sensitive by the parties exchanging the information or by those described by it, care needs to be taken in ensuring the appropriate disclosure during both document exchange and subsequent processing. The former must be handled by a messaging format, but the latter risk must be addressed by the systems that process, store, and archive IODEF documents and information derived from them.
The contents of an IODEF document may include a request for action or an IODEF parser may independently have logic to take certain actions based on information that it finds. For this reason, care must be taken by the parser to properly authenticate the recipient of the document and ascribe an appropriate confidence to the data prior to action.
The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The Real-time Inter-network Defense (RID) protocol [refs.rid] and its associated transport binding IODEF/RID over SOAP [refs.ridsoap] provide such security.
In order to suggest data processing and handling guidelines of the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies. While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it. The issue of enforcement is not a technical problem.
This document uses URNs to describe an XML namespace and schema conforming to a registry mechanism described in [refs.rfc3688]
Registration for the IODEF namespace:
Registration for the IODEF XML schema:
The following groups and individuals, listed alphabetically, contributed substantially to this document and should be recognized for their efforts.
| [1] | Keeni, G. M., Demchenko, Y. and R. Danyliw, "Requirements for the Format for Incident Information Exchange (FINE)", Work in Progress, June 2006. |
| [2] | Debar, H., Curry, D., Debar, H. and B. Feinstein, "Intrusion Detection Message Exchange Format", RFC 4765, March 2007. |
| [3] | Moriarty, K., "Real-time Inter-network Defense", Work in Progress, April 2007. |
| [4] | Moriarty, K. and B. Trammell, "IODEF/RID over SOAP", Work in Progress, April 2007. |
| [5] | Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) File ", RFC 4180, October 2005. |