view Side-By-Side changes
Network Working GroupJ.J.J. MeijerINTERNET-DRAFTInternet-Draft SURFnet bvExpires in six monthsExpires: September 29, 2003 R. Danyliw CERT Coordination Center Y. DemchenkoTERENA October 2002NLnet Labs March 31, 2003 The IncidentObject Description andData Exchange Format Data Model andExtensible Markup Language (XML) Document Type Definition <draft-ietf-inch-iodef-00.txt>XML Implementation draft-ietf-inch-iodef-01.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed athttp://www.ietf.org/1id-abstracts.htmlhttp:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed athttp://www.ietf.org/shadow.html Distribution of this memo is unlimited.http://www.ietf.org/shadow.html. ThisInternet Draft expires March,Internet-Draft will expire on September 29, 2003. Copyright Notice Copyright (C) The Internet Society(2001).(2003). All Rights Reserved. Abstract The purpose of the IncidentObject Description andData Exchange Format (IODEF) is to definea commondataformatformats fordescribing and exchanging incidentinformation related to computer security incidents typically exchanged between collaborating Computer Security Incident Response Teams (CSIRTs). Thespecific goals and requirements of theIODEFare described in [2]. One ofsatisfies thedesign principlesrequirements specified inthe IODEF is compatibility with the Intrusion Detection Message Exchange Format (IDMEF) [3] developed for intrusion detection systems. For this reason, IODEF is heavily based on the IDMEF and provides upward compatibility with it. Meijer, et al. Expires March 2003 [page 1] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002RFCXXX [1] ThisdocumentInternet-Draft describes a data model for representing commonly exchanged incident informationproduced byexported from incident handling systemsmanaging security incident data, and explains the rationale for using this model.managed by CSIRTs. An implementation of the data model in Meijer, et al. Expires September 29, 2003 [Page 1] Internet-Draft IODEF Data Model and Implementation March 2003 the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided.TABLE OF CONTENTSTable of Contents 1.Conventions Used in This Document................................4 2.Introduction....................................................4 2.1 IODEF Data MOdel Design principles...........................5 2.1.1 Problems Addressed by. . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 About the IODEF Data Model...................5 2.1.2. . . . . . . . . . . . . . . . 4 1.3.1 Issues with Representing Incident DataModel Design Goals ................................6 2.2 Using XML for. . . . . . . . . . 5 1.4 About the IODEF.....................................7 2.3 Relation between IODEF and IDMEF ............................8 3.Implementation . . . . . . . . . . . . . . 6 1.5 Related Work . . . . . . . . . . . . . . . . . . . . . . . 6 2. NotationalConventionsconventions andFormatting Issues ....................8 3.1 UML Conventions used for Data Model Description .............8 3.1.1 Relationships...........................................9 3.1.2 Occurrence Indicators..................................10 3.2 XML Document Type Definitions ..............................11 3.3formatting issues . . . . . . . 8 2.1 IODEF XML Documents..............................................11 3.3.1. . . . . . . . . . . . . . . . . . . 8 2.1.1 The Document Prolog...................................11 3.3.1.1 XML Declaration ..................................11 3.3.1.2 IODEF DTD Formal Public Identifier ...............12 3.3.1.3 IODEF DTD Document Type Declaration ..............12 3.3.2. . . . . . . . . . . . . . . . . . . 8 2.1.2 Character Data Processing inXML andthe IODEF............13 3.3.2.1 Character Entity References.......................13 3.3.2.2 Character Code References.........................14 3.3.2.3 White Space Processing............................14 3.3.3. . . . . . . . . . 9 2.1.3 Languages inXML andthe IODEF............................15 3.3.4 Inheritance and Aggregation ...........................12 3.4. . . . . . . . . . . . . . . . . . 10 2.2 IODEF Data Types............................................15 3.4.1. . . . . . . . . . . . . . . . . . . . . 11 2.2.1 Integers..............................................15 3.4.2. . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2.2 Real Numbers..........................................15 3.4.3. . . . . . . . . . . . . . . . . . . . . . . 11 2.2.3 Characters and Strings................................15 3.4.4. . . . . . . . . . . . . . . . . . 11 2.2.4 Bytes.................................................15 3.4.5. . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.5 Enumerated Types......................................18 3.4.6. . . . . . . . . . . . . . . . . . . . . 12 2.2.6 Date-Time Strings.....................................18 3.4.7. . . . . . . . . . . . . . . . . . . . 12 2.2.7 NTP Timestamps........................................20 3.4.8. . . . . . . . . . . . . . . . . . . . . . 12 2.2.8 Port Lists............................................20 3.4.9 Unique Identifiers ....................................21 3.4.10 Personal names........................................22 3.4.11 Organization name.....................................22 3.4.12. . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.9 Postaladdress........................................22 Meijer, et al. Expires March 2003 [page 2] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 3.4.13Address . . . . . . . . . . . . . . . . . . . . . . 12 2.2.10 Person or Organization . . . . . . . . . . . . . . . . . . 13 2.2.11 Telephone and Faxnumbers.............................22 4. TheNumbers . . . . . . . . . . . . . . . . 13 2.2.12 Email string . . . . . . . . . . . . . . . . . . . . . . . 13 2.2.13 Uniform Resource Identifier strings . . . . . . . . . . . 13 2.2.14 Unique Identifiers . . . . . . . . . . . . . . . . . . . . 13 3. The IODEF Data Modeland XML DTD................................23 4.1 Data Model Overview.........................................23 4.2 The IODEF-Description Class.................................26 4.3 The. . . . . . . . . . . . . . . . . . . 14 3.1 IODEF-Document . . . . . . . . . . . . . . . . . . . . . . 14 3.2 IncidentClass..........................................26 4.4 The CorrelationIncident Class...............................30 4.4.1 The EventList Class....................................31 4.5 The IncidentAlert Class.....................................32 4.6 The Attack Class............................................33 4.6.1 The Source Class.......................................35 4.6.2 The Node Class.........................................38 4.6.2.1 The Address Class.................................39 4.6.2.2 The NodeRole Class................................41 4.6.3 The User Class.........................................43 4.6.3.1 The UserId Class..................................44 4.6.4 The Process Class......................................46 4.6.5 The Service Class......................................47 4.6.5.1 The WebService Class..............................49 4.6.5.2 The SNMPService Class.............................50 4.6.6 The Target Class.......................................51 4.6.7 The FileList Class.....................................53 4.6.7.1 The File Class....................................54 4.6.7.2 The FileAccess Class..............................57 4.6.7.3 The Linkage Class.................................58 4.6.7.4 The Inode Class...................................60 4.6.8 The Description Class..................................62 4.6.9 The DetectTime Class...................................62 4.6.10 Theclass . . . . . . . . . . . . . . . . . . . . . . 14 3.3 IncidentID class . . . . . . . . . . . . . . . . . . . . . 16 3.4 AlternativeID class . . . . . . . . . . . . . . . . . . . 17 3.5 RelatedActivity class . . . . . . . . . . . . . . . . . . 18 3.6 AdditionalData . . . . . . . . . . . . . . . . . . . . . . 19 3.7 IncidentData . . . . . . . . . . . . . . . . . . . . . . . 20 3.8 Contact class . . . . . . . . . . . . . . . . . . . . . . 22 3.8.1 RegistryHandle class . . . . . . . . . . . . . . . . . . . 25 3.9 Time classes . . . . . . . . . . . . . . . . . . . . . . . 26 3.9.1 StartTimeClass...................................62 4.6.10 The. . . . . . . . . . . . . . . . . . . . . . . . 26 3.9.2 EndTimeClass.....................................63 4.7 The Method Class............................................63 4.7.1 The Classification Class...............................64 4.8 The Attacker Class..........................................65 4.8.1 The Contact Class......................................67 4.8.2 The IRTcontact Class...................................68 4.9 The Victim Class............................................69 4.10 The Record Class...........................................70 4.10.1 The RecordData Class..................................71 4.10.2 The CorrRecord Class..................................72 4.10.3 The RecordDesc Class..................................73 4.10.4 The Analyzer Class....................................73 4.10.5 The RecordItem Class..................................75 4.11 The AdditionalData Class...................................76 4.12 The History Class..........................................78 4.12.1 The HistoryItem class.................................79 4.12.2 The. . . . . . . . . . . . . . . . . . . . . . . . . 26 3.9.3 DetectTime . . . . . . . . . . . . . . . . . . . . . . . . 26 3.9.4 ReportTime . . . . . . . . . . . . . . . . . . . . . . . . 27 3.9.5 DateTimeClass....................................80 4.13 The Assessment Class.......................................80 4.13.1 The Impact Class......................................81 4.13.2 The Action Class......................................83 4.13.3 The Confidence Class..................................84. . . . . . . . . . . . . . . . . . . . . . . . . 27 Meijer, et al. Expires September 29, 2003 [Page 2] Internet-Draft IODEF Data Model and Implementation March 2003[page 3] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 4.14 The Authority Class........................................85 4.14.1 The Organization......................................86 5.3.10 Expectation class . . . . . . . . . . . . . . . . . . . . 27 3.11 Method class . . . . . . . . . . . . . . . . . . . . . . . 28 3.11.1 Classification class . . . . . . . . . . . . . . . . . . . 29 3.12 Assessment class . . . . . . . . . . . . . . . . . . . . . 30 3.12.1 Impact class . . . . . . . . . . . . . . . . . . . . . . . 31 3.12.2 TimeImpact class . . . . . . . . . . . . . . . . . . . . . 33 3.12.3 MonetaryImpact class . . . . . . . . . . . . . . . . . . . 34 3.12.4 LifeImpact class . . . . . . . . . . . . . . . . . . . . . 35 3.12.5 Confidence class . . . . . . . . . . . . . . . . . . . . . 36 3.13 History class . . . . . . . . . . . . . . . . . . . . . . 38 3.13.1 HistoryItem class . . . . . . . . . . . . . . . . . . . . 38 3.14 EventData class . . . . . . . . . . . . . . . . . . . . . 40 3.15 Relating the IncidentData and EventData classes . . . . . 42 3.16 Cardinality of EventData . . . . . . . . . . . . . . . . . 43 3.17 System class . . . . . . . . . . . . . . . . . . . . . . . 44 3.18 Node class . . . . . . . . . . . . . . . . . . . . . . . . 46 3.18.1 Address . . . . . . . . . . . . . . . . . . . . . . . . . 48 3.18.2 NodeRole class . . . . . . . . . . . . . . . . . . . . . . 48 3.19 FileList class . . . . . . . . . . . . . . . . . . . . . . 50 3.20 User . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.21 Process . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.22 Service . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.23 Record class . . . . . . . . . . . . . . . . . . . . . . . 50 3.23.1 RecordData class . . . . . . . . . . . . . . . . . . . . . 51 4. Extending the IODEF............................................89 5.1. . . . . . . . . . . . . . . . . . . 55 4.1 Extending theData Model ...................................88 5.2data model . . . . . . . . . . . . . . . . . 55 4.2 Extending the XML DTD......................................88 6. Special. . . . . . . . . . . . . . . . . . 55 5. Processing Considerations.........................................90 6.1. . . . . . . . . . . . . . . . 58 5.1 XML Validity and Well-Formedness...........................90 6.2. . . . . . . . . . . . . 58 5.2 Unrecognized Data and XML Tags......................................91 6.3 Digital Signatures .........................................92. . . . . . . . . . . . . . 58 6. Internationalization issues . . . . . . . . . . . . . . . 60 7. Examples.......................................................92. . . . . . . . . . . . . . . . . . . . . . . . . 61 7.1 Code Red detection notification . . . . . . . . . . . . . 61 7.2 IODEF-Document with XML signature . . . . . . . . . . . . 63 7.3 IODEF-Document encrypted using XML encryption . . . . . . 63 7.4 IODEF-Document encrypted and signed using XML signature & encryption . . . . . . . . . . . . . . . . . . . . . . . 63 8. The IODEF Document Type Definition.............................93. . . . . . . . . . . . 64 9.References ....................................................112 10.SecurityConsiderations ......................................114 11.considerations . . . . . . . . . . . . . . . . . 77 10. IANAConsiderations ..........................................114 12. Acknowledgements .............................................114 13.considerations . . . . . . . . . . . . . . . . . . . 78 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . 79 Normative References . . . . . . . . . . . . . . . . . . . 80 Informative References . . . . . . . . . . . . . . . . . . 82 Authors' Addresses...........................................114 14. Full. . . . . . . . . . . . . . . . . . . . 82 Intellectual Property and CopyrightStatement .....................................115Statements . . . . . . 83 Meijer, et al. Expires September 29, 2003 [Page 3] Internet-Draft IODEF Data Model and Implementation March 2003 1.Conventions Used in This DocumentIntroduction 1.1 Terminology The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described inRFC 2119 [2]. Network and Computer Security relatedRFC2119 [5]. Definitions for some of the common computer security-related terminology used in thisdocuments isdocument can be found in Section 2 ofcommon use, however it contains some specific conventions described in [2] and [4]. 2. Introduction[1]. 1.2 Overview The IncidentObject Description andData Exchange Format (IODEF) is intended to be a standard format for computer security information exchanged by Computer Security Incident Response Teams(CSIRTs) to exchange operational(CSIRTs). The development andstatisticalsubsequent deployment of an incidentinformation among themselves, their constituency, and their collaborators. It can also providedata format that extends beyond a closed communities would improve thebasis foroperational capabilities of thedevelopmentCSIRTs. Assuming widespread adoption ofinteroperable tools and procedures for incident reporting. By usingthe IODEFin their workflow and incident handling system,by the community, an organization can potentially benefit from:+ a single data schema that can represent information from a varietyo the increased ease to collaborate with other CSIRTs, on behalf it its constituency, to resolve incidents; o increased automation in the processing ofsubordinate teams or CSIRTs; + a commonincidentdata format that facilities collaboration among affected members ofdata, since the commitment of securitycommunity (e.g. users, vendors, response teams, law enforcement); Meijer, et al. Expires March 2003 [page 4] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 + the simplificationanalysts to parse free-form textual document will be reduced; o decreased effort inbuilding annormalizing similar data (even when highly structured) from different sources; and o a common format on which to build inter-operable tools for incident handling, such as correlationand statistics systemsystems that processincident reportsdata from differentCSIRTs. The computer security related terminology used in this document is described in [1] and [4]. Specific terminology,sites. Terminology, notation, and conventions of the data model and XML DTD are presented in Sections3 and 4.2. The data model is described in Section5 with examples of its use3, and the implementation considerations are covered in Sections 4 through 6, and 9. Section8. Recognizing the potentially diverse user-base implementing the IODEF,7 provides several examples of IODEF documents for representative incidents. Section6 discusses8 formally specifies theability to extendXML DTD implementation of the data model.2.11.3 About the IODEF Data ModelDesign principlesThe IODEF data model is an object-oriented representation of informationreportedreported, maintained, andmaintainedexchanged by a CSIRT about a Meijer, et al. Expires September 29, 2003 [Page 4] Internet-Draft IODEF Data Model and Implementation March 2003 computer security incident.2.1.1 Problems Addressed by the1.3.1 Issues with Representing Incident DataModelThe IODEF data model addresses several problems in representing incident data:+ Incident datao There isinherently heterogeneous. It may encompass many functional purposes such as a description of intruder behavior orno precise, widely agreed upon definition for an incident. Therefore, the data model does not attempt to imply a definition through its implementation. Rather, a broad understanding is assumed that is flexible enough to encompass most of the CSIRT community. o Incident data is inherently heterogeneous. It may encompass many functional purposes such as a description of intruder behavior or an analysis process correlating related incidents.However, even in a single type of incident, seemingly disparate information from many sources may need to be represented. This representationAn object-oriented model provides extensibility via aggregation and sub-classing while preserving the consistency of the model. If the data model required modification, it isfurther complicated by the factextended with new classes. In implementations thatincidents may consistdo not recognize these extensions, the basic subset ofvaryingthe data model will still be understood. o Incidents have a life-cycle, which causes potentially different information or levels of detail to be present depending on their stage in thelifecycle.cycle. For example, newly reported incidents may only contain a short description of the involved parties. On the other hand, closed incidents can contain a full description complete with the associated evidence and annotation of actions taken by the CSIRT. The data model that represents this information must be flexible to accommodate different needs.An object-oriented model provides extensible via aggregationo Communication andsub-classing while preserving the consistency of the model. If the data model required modification, it is extended with new classes. In implementations that do not recognize these extensions, the basic subset of the data Meijer, et al. Expires March 2003 [page 5] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 model will still be understood. In order to address the various types of incidents, the IODEF data model creates top-level classes for each of the different incident profiles. Just as another other extensionscoordination are central to thedata model, creating new profiles is possible through sub-classing or aggregation based on the core and supportive classes. + From the purviewrole of aCSIRT,CSIRT. As a result of this activity, incident information can originate from a number of sources. Tracking the all the sources of data is key to managing this information. The data model defines support classes that accommodate the differences between incident reporters. This support includes various meta information to represent the reporter's identity as well as prescribe a confidence level to the submitted information.+ Incidentso Incident data may contain sensitive information. Such information should not be exposed to unauthorized parties during collaboration. The data model allows for ahighlygranularlevel oftagging in the individual classes to indication restrictions on the usage of the data. However, it is the role of the incident handling system implementing the data model to honor these labels.2.1.2Meijer, et al. Expires September 29, 2003 [Page 5] Internet-Draft IODEF Data ModelDesign Goals In addition to satisfying the explicit requirements found in RFCXXX [2], the IODEF data model is designed with the following goals: + The data model is content-driven. This design dictates that new representations are introduced only to accommodate new types of data, not semantic differences between incidents. + Since organizations may define an incident in different ways, the data model avoids implicitly relying on a single definition of an incident. Rather, it is designed to be flexible enough to accomodate a range of understandings in what constitutes incident activity. + Where security-related, XML work already exist (e.g., IDMEF [3]), the data model will provide support for them. Meijer, et al. Expires March 2003 [page 6] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 2.2 Using XML forand Implementation March 2003 1.4 About the IODEF Implementation The IODEF implementationis based onuses the Extensible Markup Language(XML).(XML) [2]. XML-basedapplicationsspecifications definetheir ownan XML DTD or Schema and register a specific XML namespace[6].[3]. The IODEF conforms to the IETF-defined procedure for registering an application-specific XML namespace [9].NOTE:For clarity in this document, we will use the terms "XML" and "XML documents" when speaking in the general case about the Extensible Markup Language (XML). The terms "IODEF description", "IODEF markup" and "IODEF document" will be used to refer to specific elements (tags) and attributes of the IODEF DTD. Furthermore, the terms "class" and "subclass" are synonymous to an element in the XML DTD. The implementation of the IODEF in XML has many benefits:+o XML provides all the necessary features to define a specific markup language for describing security incidents. It also defines a standard way to extend this language, either for later revisions ("standard" extensions), or forvendor-specificorganizational-specific use ("non-standard" extensions).+o Software tools for processing XML documents are widely available in commercial and open source forms.+o XML canprovide support for fullaid in implementing internationalization and localization since it is required (and therefore IODEF documents are required) to support both the UTF-8 and UTF-16 encodings of ISO/IEC 10646 (Universal Multiple-Octet Coded Character Set, "UCS") and Unicode. XML also provides support for specifying, on a per-element basis, the language in which the element's content is written, making the IODEF easy to adapt to the local languages in which a CSIRTs operates.+o XML coupled withXSL,XSL [4], a style language, allows IODEF documents to be aggregated, filtered, discarded, and rearranged.+o XML is free (no license, license fees or royalties).2.3 Relationship between the IODEF and the IDMEF1.5 Related Work The IODEF and the IDMEF[3][7] are complementary formats. The latter represents data generated by an intrusion detection system. SuchMeijer, et al. Expires March 2003 [page 7] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002event data is commonly used by a CSIRT as the basis for an incident report or investigation which is represented by the IODEF. Meijer, et al. Expires September 29, 2003 [Page 6] Internet-Draft IODEF Data Model and Implementation March 2003 The IODEF data model makes use of certain classes defined in the IDMEF, although the semantics of some of these classes has changed. Due to their related nature, the data in an IDMEF message can be easily represented in an IODEF document. Through various extension mechanisms, it is possible to include IDMEF messages outright in an IODEF document. Alternatively, the similarity in structure of the data model makes it possible to decompose the key IDMEF data and include it in the corresponding IODEF classes. However, this transformation may not preserve the original semantics of the data.3.Meijer, et al. Expires September 29, 2003 [Page 7] Internet-Draft IODEF Data Model and Implementation March 2003 2. NotationalConventionsconventions andFormatting Issuesformatting issues 2.1 IODEF XML Documents This document uses three notations: the Unified Modeling Language (UML) to describe the data model, an Extensible Markup Language (XML) Document Type Definition (DTD) to define the IODEF syntax, and IODEF XML markup conforming to the specified DTD to represent the incident data. This sectionbriefly introduces these notations,describes the XML notations and conventions used in this memo and explains particular issues related to using them to describe the IODEF data model and syntax. For readers unfamiliar with thesenotations, [3]notations [19] and[10][7] will provide a comprehensive reference.3.1 Unified Modeling Language conventions used for IODEF Data Model description2.1.1 TheIODEF data model is described using the Unified Modeling Language (UML) [10]. UML provides a simple framework to represent entities and their relationships. UML defines entities as classes. In thisDocument Prolog The "prolog" of an XML document,we have identified several classesthat part that precedes anything else, consists of the XML declaration andtheir associated attributes. The symbols used in thisthe documentto represent classes and attributes are shown in Figure 3.1. +-------------+ | Class Name | <----- Name of class +-------------+ | Attribute 1 | <----- Nametype declaration. 2.1.1.1 XML Declaration Every IODEF document starts with an XML declaration. The XML declaration specifies the version offirst attribute | ... | | Attribute N | <----- NameXML being used, and optionally the character encoding being used (see Section 2.1.2). The XML declaration looks like: <?xml version="1.0" ?> IODEF documents exchanged between applications MUST begin with an XML declaration and MUST specify the XML version in use. Specification ofnth attribute +-------------+the encoding in use is REQUIRED if UTF-8 encoding is not used. 2.1.1.2 IODEF DTD Formal Public Identifier The formal public identifier (FPI) for the IODEF Document Type Definition described in this document is: "-//IETF//DTD RFCxxxx IODEF v0.0//EN" NOTE: The "RFCxxxx" text in the FPI value will be replaced with the actual RFC number when this document is published as an RFC. This FPI MUST be used in the document type declaration within an XML document referencing the IODEF DTD defined by this document, as shown in Section 2.1.1.3. Meijer, et al. ExpiresMarchSeptember 29, 2003[page[Page 8]Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Figure 3.1 - Symbols representing classesInternet-Draft IODEF Data Model andattributes Note that the associated attributesImplementation March 2003 2.1.1.3 IODEF DTD Document Type Declaration The document type declaration fora class may not appear in all diagramsan XML document referencing the IODEF DTD will be specified inwhichtheclass is used. 3.1.1 Relationships Thefollowing ways: <!DOCTYPE IODEF-Document PUBLIC "-//IETF//DTD RFCxxxx IODEFmodel uses only twov0.0//EN"> The last component of theUML relationship types: inheritance and aggregation. Inheritance denotes a superclass/subclassdocument typeof relationship where the subclass inherits alldeclaration is theattributes, operations, and relationshipsFPI specified in Section 2.1.1.2. <!DOCTYPE IODEF-Document SYSTEM "/path/to/IODEF-Document.dtd"> The last component of thesuperclass. Subclasses may have additional attributes or operationsdocument type declaration is a URI thatapply onlypoints to a copy of thesubclass, and notDocument Type Definition. 2.1.2 Character Data Processing in the IODEF A document's XML declaration specifies the character encoding to be used in thesuperclass. In thisdocument,inheritanceas follows: <?xml version="1.0" encoding="charset" ?> where "charset" isdenoted bythe/_\ symbol. In Figure 3.2, we are showing that Book and Magazine are two typesname ofPublication. Book inherits alltheattributes of Publication, plus all of its own attributes (thus, it has four attributes in total);character encoding, asdoes Magazine (giving it three attributes in total). +-------------+ | Publication | +-------------+ | publisher | | pubDate | +-------------+ /_\ | +--------+--------+ | | +----------+ +----------+ | Magazine | | Book | +----------+ +----------+ | name | | title | | | | author | +----------+ +----------+ Figure 3.2 - Inheritance relationships Aggregation is a form of association in whichregistered with thewhole is related to its parts. In this case,Internet Assigned Numbers Authority (IANA), see [9]. The XML standard requires that XML processors support theaggregate class contains all of its own attributesUTF-8 andas manyUTF-16 encodings ofthe attributes associated with its parts as requiredISO/IEC 10646 (UCS) andMeijer, et al. Expires March 2003 [page 9] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 specified byUnicode, making all XML applications (and therefore, all IODEF-compliant applications) compatible with these common character encodings. While XML supports other character encodings (e.g., UTF-7, UTF-32), implementers should carefully consider theoccurrence indicators (see Section 3.1.2). In this document,portability implications of using character encodings other than UTF-8 and UTF-16. Consistent with thesymbol <>XML standard, if no encoding isused to indicate aggregation. Itspecified for an IODEF document, UTF-8 isplaced at the end of the association line closest toassumed. IODEF documents encoded in UTF-16 MUST begin with theaggregate (whole) class. In Figure 4.3, we are showing that a Book is made up of pieces called Preface, Chapter, Appendix, Bibliography, and Index. +----------+ | Book | +----------+ 0..1 +--------------+ | title |<>----------| Preface | | author | +--------------+ | | 1..* +--------------+ | |<>----------| Chapter | | | +--------------+ | | 0..* +--------------+ | |<>----------|Byte Order Mark described by ISO/IEC 10646 Annex E and Unicode Appendix| | | +--------------+ | | 0..1 +--------------+ | |<>----------| Bibliography | | | +--------------+ | | +--------------+ | |<>----------| Index | | | +--------------+ +----------+ Figure 3.3 - Aggregation relationships 3.1.2 Occurrence Indicators Occurrence indicators showB (the "ZERO WIDTH NO-BREAK SPACE" character, #xFEFF). 2.1.2.1 Character Entity References Within XML documents, certain characters have special meanings in some contexts. To include thenumberactual character itself in one ofobjects withinthese contexts, aclass that are linked to one another byspecial escape sequence, called anaggregation relationship. They are placed at the end of the association line closestentity reference, must be used. The characters that sometimes need tothe part they refer to. Occurrence indicators, as used in this document, are: n exactly "n" (left blank if n=1) 0..* (in XML, *) zero or more 1..* (in XML, +) one or more 0..1 (in XML, ?) zero or one n..m between "n"be escaped, and"m" inclusive In Figure 3.3, the Book: + may have no Preface or one Preface; + must have at least one Chapter, but may have more;their entity Meijer, et al. Expires September 29, 2003 [Page 9] Internet-Draft IODEF Data Model and Implementation March 2003[page 10] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 + may havereferences, are: Character Entity Reference --------------------------------- & & < < > > " " ' ' Figure 1 It is RECOMMENDED that IODEF-compliant applications use the entity reference form whenever writing these characters in data, to avoid anynumberpossibility ofAppendixes;misinterpretation. 2.1.2.2 Character Code References Any character defined by the ISO/IEC 10646 and+ must have exactly one Index. 3.2 XML Document Type DefinitionsUnicode standards may be included in an XMLDocument Type Definitions (DTDs) are used to declare the syntax or markup fordocument by theIODEF. The different piecesuse ofinformation the XML document will contain are elements, the characteristics of that information are the attributes, and the relationship between the information is the content model. Section 8 of this document contains the complete IODEF DTD. 3.3 XML Documents This section describesanumber of XML document formatting rules; these rules apply to IODEF documents as well. 3.3.1 The Document Prolog The "prolog" of an XML document, that part that precedes anything else, consists ofcharacter reference. A character reference is started with theXML declarationcharacters '&' andthe document type declaration. 3.3.1.1 XML Declaration Every XML document (and therefore every IODEF document) starts'#', and ended withan XML declaration. The XML declaration specifiestheversion of XML being used; it may also specifycharacter ';'. Between these characters, the characterencoding being used. The XML declaration looks like: <?xml version="1.0" ?>code for the character inserted. Ifathe characterencodingcode isspecified, the declaration looks like: <?xml version="1.0" encoding="charset" ?> where "charset"preceded by an 'x' it isthe name of the character encodinginterpreted inuse (see Section 3.3.2). If no encodinghexadecimal (base 16), otherwise, it isspecified, UTF-8interpreted in decimal (base 10). For instance, the ampersand (&) isassumed. IODEF documents being exchanged between Meijer, et al. Expires March 2003 [page 11] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 IODEF-compliant applications MUST begin with an XML declaration,encoded as & or & andMUST specifytheXML versionless-than sign (<) is encoded as < or <. Any one-, two-, or four-byte character specified inuse. Specification oftheencodingISO/IEC 10646 and Unicode standards can be included inuse is RECOMMENDED. IODEF-compliant applications MAY choose to omita document using this technique. 2.1.2.3 White Space Processing All IODEF elements support theXML declaration internally"xml:space" attribute. If "xml:space" is set toconserve space, adding it only when"preserve," themessageIODEF processing application MUST treat all white space in the element's content as significant. If "xml:space" issent to another destination (e.g., a web browser). This practice"default," the application isNOT RECOMMENDED unlessfree to do whatever itcan be accomplished without loss of each message's version and encoding information. 3.3.1.2normally would with white space in the element's content. 2.1.3 Languages in the IODEFDTD Formal Public IdentifierAll IODEF tags support the "xml:lang" attribute thereby allowing each element to identify the language in which its content is. Theformal public identifier (FPI)valid language code for theIODEF Document Type Definition"xml:lang" attribute are described inthis document is: "-//IETF//DTD RFCxxxxRFC 3066 [6]. Meijer, et al. Expires September 29, 2003 [Page 10] Internet-Draft IODEFv0.0//EN" NOTE: The "RFCxxxx" textData Model and Implementation March 2003 IODEF messages SHOULD specify the language in which their contents are encoded. In general, theFPI value willlanguage can bereplacedspecified with theactual RFC number, if this document is published as an RFC. This FPI MUST be used"xml:lang" attribute in thedocument type declaration withintop-level element and letting all other elements "inherit" that definition. If no language is specified in anXML document referencing theIODEFDTD defined by thisdocument,as shown in the following section. 3.3.1.3English SHOULD be assumed. 2.2 IODEFDTD Document Type Declaration The document type declaration for an XML document referencingData Types 2.2.1 Integers Integer attributes are represented by theIODEF DTD will usuallyINTEGER data type. Integer data MUST bespecifiedencoded in Base 10 or Base 16. Base 10 integer encoding uses thefollowing ways: <!DOCTYPE IODEF-Description PUBLIC "-//IETF//DTD RFCxxxx IODEF v0.0//EN"> The last component ofdigits '0' through '9' and an optional sign ('+' or '-'). For example, "123", "-456". Base 16 integer encoding uses thedocument type declarationdigits '0' through '9' and 'a' through 'f' (or their upper case equivalents), and is preceded by theFPI specified incharacters "0x". For example, "0x1a2b". 2.2.2 Real Numbers Real (floating-point) attributes are represented by theprevious section. <!DOCTYPE IODEF-Description SYSTEM "/some/path/to/the/IODEF-Description.dtd"> The last componentREAL data type. Real data MUST be encoded in Base 10. Real encoding is that of thedocument type declaration isPOSIX "strtod" library function: an optional sign ('+' or '-') followed by aURI that points tonon-empty string of decimal digits, optionally containing acopyradix character, then an optional exponent part. An exponent part consists of an 'e' or 'E', followed by an optional sign, followed by one or more decimal digits. For example, "123.45e02", "-567,89e-03". IODEF-compliant applications MUST support both the '.' and ',' radix characters. 2.2.3 Characters and Strings Single-character attributes are represented by the CHARACTER data type. Multi-character attributes of known length are represented by theDocument Type Definition. In orderSTRING data type. Character and string data have no special formatting requirements, other than the need tobe validoccasionally use character references (see Section7.1), an XML document must contain a document type declaration. However, this requirement imposes a significant overhead on an2.1.2.1 and Section 2.1.2.2) to represent special characters. Meijer, et al. ExpiresMarchSeptember 29, 2003[page 12] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 IODEF-compliant application in bandwidth consumption and computation for the DTD may need to be downloaded[Page 11] Internet-Draft IODEF Data Model andparsed before useImplementation March 2003 2.2.4 Bytes Binary data is represented by theXML parser. Implementers MAY decide to have entities who regularly exchange IODEF message agree out-of-band on the particular document type definition they will be using to exchange messages (the standard one as defined here, or one with extensions), and then omit it from IODEF documents. However, the method for negotiating this agreement is outside the scope of this document. NOTE: Care must be taken in negotiating any such agreements, as each entities will have to keep state on this agreed upon document type definition. The management complexity of these negotiations grows more complex as entities make such arrangements with many collaborators. 3.3.2 Character Data Processing in XML and IODEF A document's XML declaration specifies the character encoding to be used in the document, as follows: <?xml version="1.0" encoding="charset" ?> where "charset" is the name of the character encoding, as registered with the Internet Assigned Numbers Authority (IANA), see [11]. The XML standard requires that XML processors support the UTF-8 and UTF-16 encodings of ISO/IEC 10646 (UCS) and Unicode, making all XML applications (and therefore, all IODEF-compliant applications) compatible with these common character encodings. While XML supports other character encodings (e.g., UTF-7, UTF-32), for portability reasons, IODEF documents SHOULD NOT be encoded in character encodings other than UTF-8 and UTF-16. Consistent with the XML standard, if no encoding is specified for an IODEF document, UTF-8 is assumed. Likewise, IODEF documents encoded in UTF-16 MUST begin with the Byte Order Mark described by ISO/IEC 10646 Annex E and Unicode Appendix B (the "ZERO WIDTH NO-BREAK SPACE" character, #xFEFF). 3.3.2.1 Character Entity References Meijer, et al. Expires March 2003 [page 13] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Within XML documents, certain characters have special meanings in some contexts. To include the actual character itself in one of these contexts, a special escape sequence, called an entity reference, must be used. The characters that sometimes need to be escaped, and their entity references, are: Character Entity Reference --------------------------------- & & < < > > " " ' ' It is RECOMMENDED that IODEF-compliant applications use the entity reference form whenever writing these characters in data, to avoid any possibility of misinterpretation. 3.3.2.2 Character Code References Any character defined by the ISO/IEC 10646 and Unicode standards may be included in an XML document by the use of a character reference. A character reference is started with the characters '&' and '#', and ended with the character ';'. Between these characters, the character code for the character inserted. If the character code is preceded by an 'x' it is interpreted in hexadecimal (base 16), otherwise, it is interpreted in decimal (base 10). For instance, the ampersand (&) is encoded as & or & and the less-than sign (<) is encoded as < or <. Any one-, two-, or four-byte character specified in the ISO/IEC 10646 and Unicode standards can be included in a document using this technique. 3.3.2.3 White Space Processing All IODEF elements support the "xml:space" attribute. If "xml:space" is set to "preserve," the IODEF application MUST treat all white space in the element's content as significant. If "xml:space" is "default," the application is free to do whatever it normally would with white space Meijer, et al. Expires March 2003 [page 14] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 in the element's content. 3.3.3 Languages in XML and IODEF All IODEF tags support the "xml:lang" attribute whereby allowing each element to identify the language in which its content is. The valid language code for the "xml:lang" attribute are described in RFC 3066 [12]. IODEF documents SHOULD specify the language in which their contents are encoded. In general, the language can be specified with the "xml:lang" attribute in the top-level element and letting all other elements "inherit" that definition. If no language is specified in an IODEF document, English SHALL be assumed. 3.3.4 Inheritance and Aggregation XML DTDs do not support inheritance as used by the IODEF data model. This limitation does not present a major problem in practice because aggregation relationships can be used instead with little loss of functionality. As a note of interest, XML Schemas, recently approved by the W3C, will provide support for inheritance, stronger data typing and other useful features [7]. Future versions of the IODEF will probably use XML Schemas instead of DTDs. It was recognized that in the initial stage of the design of a new application, an XML DTD was useful since it provides a better human readable format for document and element descriptions. However, with further the development of applications and integration into IH systems a more detailed definition of data types and elements relations as provided by XML Schemas may be required. 3.4 IODEF Data Types XML DTDs do not support data types such as integer, real, string, and so on (more on this later). However, they do require some indication of the type(s) of content that an element will contain. There are several types available, but only two are used in the IODEF: Meijer, et al. Expires March 2003 [page 15] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 PCDATA An XML processor will find only text (parsed character data) in this element, no tags or entity references (see Section 3.2.4). This is the content type for all but one of the elements at the bottom of the IODEF document tree. ANY The element may contain anything -- text, other tags, entity references, etc. This is the content type for the AdditionalData element (see Section 4.2.4.5). In the case where declaring the data is essential, future implementations of the IODEF should use an XML Schema definition instead of currently used XML DTD. There are a variety of attribute content types defined, but only two are used in the IODEF: CDATA An attribute of this type contains character data (text). Tags and entity references (see Section 4.2.4) are not processed. [values] An attribute may also be declared with a list of acceptable values; this functions somewhat like an enumerated type. For example: <!ATTLIST Person gender "unknown | male | female" "unknown" > The gender attribute may have one of three values; if a Person tag appears without a gender attribute, the XML processor will behave as though it did have one, with value "unknown." Within an XML IODEF description, all data will be expressed as "text" (as opposed to "binary"), since XML is a text formatting language. We provide typing information for the attributes of the classes in the data model however, to convey to the reader the type of data the model expects for each attribute. Each data type in the model has specific formatting requirements in an XML IODEF description. These requirements are set forth in Meijer, et al. Expires March 2003 [page 16] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 this section. 3.4.1 Integers Integer attributes are represented by the INTEGER data type. Integer data MUST be encoded in Base 10 or Base 16. Base 10 integer encoding uses the digits '0' through '9' and an optional sign ('+' or '-'). For example, "123", "-456". Base 16 integer encoding uses the digits '0' through '9' and 'a' through 'f' (or their upper case equivalents), and is preceded by the characters "0x". For example, "0x1a2b". 3.4.2 Real Numbers Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10. Real encoding is that of the POSIX "strtod" library function: an optional sign ('+' or '-') followed by a non-empty string of decimal digits, optionally containing a radix character, then an optional exponent part. An exponent part consists of an 'e' or 'E', followed by an optional sign, followed by one or more decimal digits. For example, "123.45e02", "-567,89e-03". IODEF-compliant applications MUST support both the '.' and ',' radix characters. 3.4.3 Characters and Strings Single-character attributes are represented by the CHARACTER data type. Multi-character attributes of known length are represented by the STRING data type. Character and string data have no special formatting requirements, other than the need to occasionally use character references (see Sections 4.3.2.1 and 4.3.2.2) to represent special characters. 3.4.4 Bytes Binary data is represented by the BYTE (and BYTE[]) data type. Binary data MUST be encoded in its entirety using character Meijer, et al. Expires March 2003 [page 17] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 code references (see Section 4.3.2.2). 3.4.5 Enumerated Types Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values. Each value has a rank (number) and a representing keyword. Within an IODEF document, the enumerated type keywords are used as attribute values, and the ranks are ignored. However, those IODEF-compliant applications that choose to represent these values internally in a numeric format MUST use the rank values identified in this memo. 3.4.6 Date-Time Strings Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported. Date-time strings are formatted according to a subset of ISO 8601:2000 [13], as show below. 1. Dates MUST be formatted as follows: YYYY-MM-DD where YYYY is the four- digit year, MM is the two-digit month (01-12), and DD is the two- digit day (01-31). (Section 5.2.1.1, "Complete representation -- Extended format" of [13]) 2. Times MUST be formatted as follows: hh:mm:ss where hh is the two-digit hour (00-24), mm is the two-digit minute (00-59), and ss is the two-digit second (00-60). (Section 5.3.1.1, "Complete representation -- Extended format." of [13]) Note that midnight has two representations, 00:00:00 and 24:00:00. Both representations MUST be supported by IODEF-compliant applications, however, the 00:00:00 representation SHOULD be used whenever possible. Note also that this format accounts for leap seconds. Positive leap seconds are inserted between 23:59:59Z and 24:00:00Z and Meijer, et al. Expires March 2003 [page 18] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 are represented as 23:59:60Z. Negative leap seconds are achieved by the omission of 23:59:59Z. IODEF-compliant applications MUST support leap seconds. 3. Times MAY be formatted to include a decimal fraction of seconds, as follows: hh:mm:ss.ss or hh:mm:ss,ss As many digits as necessary may follow the decimal sign (at least one digit must follow the decimal sign). Decimal fractions of hours and minutes are not supported. (Section 5.3.1.3, "Representation of decimal fractions." of [13]) IODEF-compliant applications MUST support the use of both decimal signs ('.' and ','). Note that the number of digits in the fraction part does not imply anything about accuracy -- i.e., "00.100000", "00,1000" and "00.1" are all equivalent. 4. Times MUST be formatted to include (a) an indication that the time is in Coordinated Universal Time (UTC), or (b) an indication of the difference between the specified time and Coordinated Universal Time. a. Times in UTC MUST be formatted by appending the letter 'Z' to the time string as follows: hh:mm:ssZ hh:mm:ss.ssZ hh:mm:ss,ssZ (Section 5.3.3, "Coordinated Universal Time (UTC) -- Extended format" of [13]) b. If the time is ahead of or equal to UTC, a '+' sign is appended to the time string; if the time is behind UTC, a '-' sign is appended. Following the sign, the number of hours and minutes representing the different from UTC is appended, as follows: hh:mm:ss+hh:mm hh:mm:ss-hh:mm hh:mm:ss.ss+hh:mm hh:mm:ss.ss-hh:mm hh:mm:ss,ss+hh:mm hh:mm:ss,ss-hh:mm Meijer, et al. Expires March 2003 [page 19] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The difference from UTC MUST be specified in both hours and minutes, even if the minutes component is 0. A "difference" of "+00:00" is equivalent to UTC. (Section 5.3.4.2, "Local time and the difference with Coordinated Universal Time -- Extended Format" of [13]) 5. Date-time strings are created by joining the date and time strings with the letter 'T', as shown below: YYYY-MM-DDThh:mm:ssZ YYYY-MM-DDThh:mm:ss.ssZ YYYY-MM-DDThh:mm:ss,ssZ YYYY-MM-DDThh:mm:ss+hh:mm YYYY-MM-DDThh:mm:ss-hh:mm YYYY-MM-DDThh:mm:ss.ss+hh:mm YYYY-MM-DDThh:mm:ss.ss-hh:mm YYYY-MM-DDThh:mm:ss,ss+hh:mm YYYY-MM-DDThh:mm:ss,ss-hh:mm (Section 5.4.1, "Complete representation -- Extended format" of [13]) In summary, IODEF date-time strings MUST adhere to one of the nine templates identified in Paragraph 5, above. 3.4.7 NTP Timestamps NTP timestamps are represented by the NTPSTAMP data type, and are described in detail in [14] and [15]. An NTP timestamp is a 64-bit unsigned fixed-point number. The integer part is in the first 32 bits, and the fraction part is in the last 32 bits. Within IODEF descriptions, NTP timestamps MUST be encoded as two 32-bit hexadecimal values, separated by a period ('.'). For example, "0x12345678.0x87654321". 3.4.8 Port Lists A list of network ports are represented by the PORTLIST data type, and consist of a comma-separated list of numbers (individual integers) and ranges (N-M means ports N through M, inclusive). Any combination of numbers and ranges may be used in a single list. For example, "5-25,37,42,43,53,69-119,123-514". Meijer, et al. Expires March 2003 [page 20] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 3.4.9 Unique Identifiers There are several types of unique identifiers used in this specification. All types are represented by the STRING data type. These identifiers are implemented as attributes in the relevant XML elements, and must have unique values as follows: 1. If specified, the attribute of the Authority class (Section 5.2.6.8) OrganizationID MUST have a value that is globally unique. It may be a combination of the Registry name and unique CSIRT ID in this Registry. FIRST or industry associations normally maintain registries. The default value is "unknown", which indicates that the authority or CISRT does not have unique identifiers. 2. The Incident, Attacker, Evidence, Victim, Source, Target, Node, User, Process, Service, Address, and UserID classes (see correspondent sections) are provided with "ident" attribute, which if specified, MUST have a value that is unique across all IODEF Descriptions created by the particular CSIRT or Authority. The "ident" attribute value MUST be unique for each particular combination of data identifying an object, not for each object. Objects may have more than one ident value associated with them. For example, an identification of a host by name would have one value, while an identification of that host by address would have another value, and an identification of that host by both name and address would have still another value. Furthermore, different analyzers may produce different values for the same information. The "ident" attribute by itself provides a unique identifier only among all the "ident" values created/stored by a particular CSIRT or IHS. But when combined with the unique "OrganizationID" value for the CSIRT, there is no requirement for global uniqueness. The default value is "0", which indicates that the CSIRT/IHS cannot generate unique identifiers. The specification of methods for creating the unique values contained in these attributes is outside the scope of this document. 3.4.10 Personal names Meijer, et al. Expires March 2003 [page 21] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The format for personal names is the same as in LDAP. Personal names will likely be obtained from the different directories used by a CSIRT. The suggested personal name formats are as follows: Name Surname Or Surname, Name It is also possible to use a personal handle from a registry database (e.g., RIPE NCC, InterNIC). In this case, the element's attribute will indicate the type of personal name used and indirectly point to the referenced registry. 3.4.11 Organization names Organization name can be in the form of a full name, short name or identification code retrieved from official Registries. It is possible to use an organization handle (or organization role from a registry (e.g., RIPE NCC, InterNIC). In this case, the element's attribute will indicate the type of organization name. 3.4.12 Postal addresses The format of postal address data is the same as in LDAP Postal addresses will likely be obtained directly from an incident report or from the different directories used by the CSIRT. Building, Street, Zip-code, City, Country Or Post Office Box, Zip-code, City, Country 3.4.13 Telephone and Fax numbers Telephone and fax numbers are expressed in the format recommended by ITU guidelines. + (international code) (local code) (tel. Number) Meijer, et al. Expires March 2003 [page 22] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 4. The IODEF Data Model and XML DTD In this section, the individual components of the IODEF data model are explained in details. UML diagrams of the model are provided to illustrate the relationship between components. Likewise, relevant sections of the XML DTD are presented to describe how the model is translated into XML. 4.1 Data Model Overview The relationship between the principal components of the data model is shown in Figure 5.1 (cardinality and attributes are omitted). IODEF-Description is the top-level container class for all IODEF documents. Recognizing that incidents might require different types of data, sub-classes of this root class called incident descriptions are defined. There are presently two types of descriptions defined: the Incident class to describe an incident and the IncidentAlert class to allow seamless support for IODEF alerts. It is important to note that the data model does not define the events that constitute an incident. The notion of an incident is very site-specific. For example, a port scan may be identified by one CSIRT as a single incident with multiple victims. Another CSIRT might separate this activity as multiple incidents each from a single source to a single victim. Regardless, once the creator of the report has determined a logical grouping of events that constitute an incident, the data model dictates how that description should be formatted. +---------------------+ | IODEF-Description | +---------------------+ /_\ | +--------------------+---------------------+ | | | +-------+--------+ | | IncidentAlert | | +----------------+ | +----------+ +------------+ +----------------+ +----------+ | Incident |<>-| Attack |<>-| Source |<>-| Node | +----------+ +------------+ +----------------+ +----------+ Meijer, et al. Expires March 2003 [page 23] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | | | | | | +----------+ | | | | | |<>-| User | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| Process | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| Service | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| Program | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| os | | | | | +----------------+ +----------+ | | | | +----------------+ +----------+ | | | |<>-| Target |<>-| Node | | | | | +----------------+ +----------+ | | | | | | +----------+ | | | | | |<>-| User | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| Process | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| Service | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| Program | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| os | | | | | | | +----------+ | | | | | | +----------+ | | | | | |<>-| FileList | | | | | +----------------+ +----------+ | | | | +----------------+ | | | |<>-| Description | | | | | +----------------+ | | | | +----------------+ | | | |<>-| DetectTime | | | | | +----------------+ | | | | +----------------+ | | | |<>-| StartTime | | | | | +----------------+ | | | | +----------------+ | | | |<>-| EndTime | | | +------------+ +----------------+ | | +------------+ +----------------+ Meijer, et al. Expires March 2003 [page 24] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | |<>-| Method |<>-| Classification | | | +------------+ +----------------+ | | | | +----------------+ | | | |<>-| Description | | | +------------+ +----------------+ | | +------------+ +----------------+ | |<>-| Attacker |<>-| Contact | | | +------------+ +----------------+ | | | | +----------------+ | | | |<>-| Location | | | | | +----------------+ | | | | +----------------+ | | | |<>-| IRTcontact | | | +------------+ +----------------+ | | +------------+ +----------------+ | |<>-| Victim |<>-| Contact | | | +------------+ +----------------+ | | | | +----------------+ | | | |<>-| Location | | | | | +----------------+ | | | | +----------------+ | | | |<>-| IRTcontact | | | +------------+ +----------------+ | | +------------+ +----------------+ | |<>-| Record |<>-| RecordData | | | +------------+ +----------------+ | | +----------------+ | |<>-| AdditionalData | | | +----------------+ | | +------------+ +----------------+ | |<>-| History |<>-| HistoryItem | | | +------------+ +----------------+ | | +------------+ +----------------+ | |<>-| Assessment |<>-| Impact | | | +------------+ +----------------+ | | | | +----------------+ | | | |<>-| Action | | | | | +----------------+ | | | | +----------------+ | | | |<>-| Convidence | | | +------------+ +----------------+ | | +------------+ +----------------+ | |<>-| Authority |<>-| Organization | | | +------------+ +----------------+ | | | | +----------------+ | | | |<>-| Contact | +----------+ +------------+ +----------------+ Figure 4.1 Data model overview Meijer, et al. Expires March 2003 [page 25] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The individual classes are described in the following sections. 4.2 The IODEF-Description Class IODEF-Description is the root container class of the IODEF data model. There are currently two main types (subclasses) of IODEF- Description: Incident and IncidentAlert. A third Experimental class is also included temporarily for testing. Since DTDs do not support subclassing (see Section 4.3.4), the inheritance relationship between the IODEF-Description and the Incident and IncidentAlert subclasses shown in Figure 5.1 has been replaced with an aggregate relationship. NOTE: The use of aggregation to implement an inheritance relationship is done throughout the data model. The IODEF-Description class is declared in the IODEF DTD as follows: <!ENTITY % attlist.IODEF " version CDATA #FIXED '0.0' "> <!ELEMENT IODEF-Description ( (Incident | IncidentAlert)* )> <!ATTLIST IODEF-Description %attlist.IODEF; > The IODEF-Description class has a single attribute: version The version of the IODEF-Description specification (this document) to which the document conforms. Applications specifying a value for this attribute MUST use the value "0.0". 4.3 The Incident Class For a given incident, the CSIRT will create an instance of the Incident class. The information used to populate this class will come from the reporting infrastructure that the CSIRT already has in place. Thus, direct reports from their constituency, IDS alert messages, or collaboration with other CSIRTS could serve as Meijer, et al. Expires March 2003 [page 26] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 potential input. An Incident description is composed of several aggregate classes, as shown in Figure 4.2. The aggregate classes themselves are described in Sections 4.2.4.1 - 4.2.4.10. +-------------------+ | Incident | +-------------------+ | STRING incidentID | 1..* +----------------+ +-------------+ | ENUM purpose |<>------| Attack |<>-| Source | | ENUM restriction | +----------------+ +-------------+ | | | | +-------------+ | | | |<>-| Target | | | | | +-------------+ | | | | +-------------+ | | | |<>-| Description | | | | | +-------------+ | | | | +-------------+ | | | |<>-| DetectTime | | | | | +-------------+ | | | | +-------------+ | | | |<>-| StartTime | | | | | +-------------+ | | | | +-------------+ | | | |<>-| EndTime | | | +----------------+ +-------------+ | | 0..* +----------------+ | |<>------| Attacker | | | +----------------+ | | 0..* +----------------+ | |<>------| Victim | | | +----------------+ | | 0..* +----------------+ | |<>------| Method | | | +----------------+ | | 0..1 +----------------+ | |<>------| Record | | | +----------------+ | | 0..1 +----------------+ | |<>------| AdditionalData | | | +----------------+ | | 0..1 +----------------+ | |<>------| History | | | +----------------+ | | 0..1 +----------------+ | |<>------| Assessment | | | +----------------+ Meijer, et al. Expires March 2003 [page 27] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | | +----------------+ | |<>------| Authority | +-------------------+ +----------------+ /_\ | | +----------+----------+ | CorrelationIncident | +---------------------+ Figure 4.2 The Incident Class The aggregate classes that constitute Incident are: Attack One or more. The security event(s) that compose the incident. Attacker Zero or more. The system(s) from which the Attack originated. Victim Zero or more. The system(s) at which the Attack was targeted. Method Zero or more. The actions taken by the Attacker in the incident. Evidence Zero or one. Container for the EvidenceData. Authority Exactly one. The CSIRT or authority that created the incident. History Zero or one. A log of the actions taken by the CSIRT(s) in the course of investigating the incident. AdditionalData Zero or more. Additional information about the incident included by CSIRT that cannot be readily expressed in the data model. The Incident class is represented in the XML DTD as follows: <!ENTITY % attvals.purpose " ( unknown | report | handling | communication | statistics | experimental ) Meijer, et al. Expires March 2003 [page 28] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 "> <!ENTITY % attvals.restriction " ( default | public | internal | restricted ) "> <!ELEMENT Incident ( Attack+, Attacker*, Victim*, Method*, Evidence?, CorrelationIncident?, Authority, History?, AdditionalData*)> <!ATTLIST Incident incidentID CDATA '0' purpose %attvals.purpose; 'experimental' restriction %attvals.restriction; 'default' > The Incident class has three attributes: IncidentID Required. A unique identifier for the Incident (see Section 3.4.9). purpose Optional. The purpose of the incident being reported to the CSIRT. Rank Keyword Description ---- ------- ----------- 0 unknown Purpose of the incident is unknown 1 report Incident report 2 handling Incident is being handled 3 communication Incident is being sent to another team 4 statistics Incident was reported for statistical purposes 5 experimental Experimental restriction Optional. Sets a restriction on the usage of the data in element. Rank Keyword Description ---- ------- ----------- 0 default Restriction level is defined by external policy applied to overall CSIRT process 1 public No restriction is applied to element 2 internal Data is for company's (or constituency) internal use 3 restricted Use strictly for Incident managers at CSIRT Meijer, et al. Expires March 2003 [page 29] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 4.4 The CorrelationIncident Class The CorrelationIncident class represents information related to the correlation of current incident. It is intended as a way by which to logically group previously reported incidents as related. The CorrelationIncident class is composed of three aggregate classes, as shown in Figure 4.3. +---------------------+ | CorrelationIncident | +---------------------+ | ENUM restriction | 0..1 +----------------+ | |<>------| IncidentID | | | +----------------+ | | 0..* +----------------+ | |<>------| EvidenceDataID | | | +----------------+ | | 0..* +----------------+ | |<>------| EventList | +---------------------+ +----------------+ Figure 4.3 - The CorrelationIncident Class The aggregate classes that constitute CorrelationIncident are: IncidentID Zero or one. STRING. Identifier of current Incident. If not included into CorrelationIncident class, this value may be derived from the top class Incident attribute. EvidenceDataID Zero or more. Evidence data that are linked to current Incident. EventList One or more. Lists all events which are investigated together, or have another common denominator. This is represented in the XML DTD as follows: <!ELEMENT CorrelationIncident ( IncidentID?, EventList*, EvidenceDataID* )> <!ATTLIST CorrelationIncident Meijer, et al. Expires March 2003 [page 30] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 restriction %attvals.restriction; 'default' > The CorrelationIncident class has one attribute: restriction Optional. Sets a restriction on the usage of the data in element. 4.4.1 The EventList Class The EventList class contains information about events which are treated as correlated with respect to current incident. +---------------------+ | CorrelationIncident | +---------------------+ /_\ | +--------------+ | EventList | +--------------+ 0..1 +----------------+ | |<>----------| IncidentID | | | +----------------+ | | 0..* +----------------+ | |<>----------| EvidenceDataID | | | +----------------+ | | 0..1 +----------------+ | |<>----------| DateTime | | | +----------------+ +--------------+ Figure 4.27 The EventList Class The aggregate classes that constitute EventList are: IncidentID Zero or one. Identification number of the Incident. EvidenceDataID Zero or more. Identification number of the EvidenceData element related to referenced event or IncidentID. DateTime Zero or one. Date and time when the event occured. EventList is represented in the XML DTD as follows: Meijer, et al. Expires March 2003 [page 31] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ELEMENT EventList ( IncidentID?, EvidenceDataID?, DateTime?)> <!ATTLIST EventList ident ID #IMPLIED > The EventList class has one attributes: ident Optional. A unique identifier for the EventList element (see Section 3.4.9). 4.5 IncidentAlert Class The IncidentAlert class is used as a container for IDMEF Alert messages. +-------------------+ | IncidentAlert | +-------------------+ | STRING incidentID | +----------------+ | ENUM purpose |<>------| Authority | | ENUM restriction | +----------------+ | | 0..1 +----------------+ | |<>------| History | | | +----------------+ | | 0..* +----------------+ | |<>------| AdditionalData | +-------------------+ +----------------+ Figure 4.4 The IncidentAlert Class The aggregate classes that constitute IncidentAlert are: Authority Exactly one. The CSIRT or authority that created the incident. History Zero or one. A log of the actions taken by the CSIRT(s) in course of investigating the incident. AdditionalData Zero or more. A container for the IDMEF Alert message. This is represented in the XML DTD as follows: Meijer, et al. Expires March 2003 [page 32] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ELEMENT IncidentAlert ( Authority, History?, AdditionalData*)> <!ATTLIST Incident IncidentID ID #IMPLIED purpose %attvals.purpose; 'unknown' restriction %attvals.restriction; 'default' > The IncidentAlert class has three attributes: IncidentID Optional. A unique identifier for the alert, see Section 3.4.9. purpose Optional. The purpose of the incident being reported to the CSIRT. restriction Optional. Sets a restriction on the usage of the data in element. 4.6. The Attack Class The Attack class contains information about the security events that constitute the incident. +------------------+ 0..* +---------------+ +----------+ | Attack |<>------| Source |<>-| Node | +------------------+ +---------------+ +----------+ | STRING ident | | | +----------+ | | | |<>-| User | | ENUM restriction | | | +----------+ | | | | +----------+ | | | |<>-| process | | | | | +----------+ | | | | +----------+ | | | |<>-| service | | | | | +----------+ | | | | +----------+ | | | |<>-| program | | | | | +----------+ | | | | +----------+ | | | |<>-| os | | | +---------------+ +----------+ | | 0..* +---------------+ +----------+ | |<>------| Target |<>-| Node | | | +---------------+ +----------+ Meijer, et al. Expires March 2003 [page 33] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | | | | +----------+ | | | |<>-| User | | | | | +----------+ | | | | +----------+ | | | |<>-| process | | | | | +----------+ | | | | +----------+ | | | |<>-| service | | | | | +----------+ | | | | +----------+ | | | |<>-| program | | | | | +----------+ | | | | +----------+ | | | |<>-| os | | | | | +----------+ | | | | +----------+ | | | |<>-| FileList | | | +---------------+ +----------+ | | 0..* +---------------+ | |<>------| Description | | | +---------------+ | | 0..1 +---------------+ | |<>------| DetectTime | | | +---------------+ | | 0..1 +---------------+ | |<>------| StartTime | | | +---------------+ | | 0..1 +---------------+ | |<>------| EndTime | +------------------+ +---------------+ Figure 4.6 The Attack Class The aggregate classes that constitute Attack are: Source Zero or more. The source(s) of the event(s) causing the incident. Target Zero or more. The target(s) of the event(s) in the incident. Description Zero or more. A free-form textual description by the CSIRT or report of the incident events. DetectTime Meijer, et al. Expires March 2003 [page 34] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Zero or one. The time when the incident activity was first detected by the reporter. In the case of more than one event, the time the first event was detected. In some circumstances, this time may not be the same as the RegistrationTime used in the History class. StartTime Zero or one. The start time of the incident activity. EndTime Zero or one. The end time of the incident activity. This is represented in the XML DTD as follows: <!ELEMENT Attack ( Source*, Target*, Description*, DetectTime?, StartTime?, EndTime?)> <!ATTLIST Attack %attlist.global; restriction %attvals.restriction; 'default' ident CDATA #IMPLIED > The Attack class has two attributes: ident Optional. A unique identifier for this Attack class (see Section 3.4.9). restriction Optional. Sets a restriction on the usage of the data in element. 4.6.1 The Source Class The Source class contains information about the possible source(s) of the incident event(s). An event may have more than one source (e.g., in a distributed denial of service attack). For the purpose of compatibility, the Source class has been reused from the IDMEF. Hence, the Source class from an IDMEF message can be included unmodified into the IODEF-Description class with the same semantics. Likewise, the data in an IDMEF-originating Source class could be decomposed between the IODEF Source and Attack classes. The definition of the Source class in the IODEF data model is a Meijer, et al. Expires March 2003 [page 35] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 superset of the IDMEF definition. Two new classes have been added: os and program. The Source class is composed of four aggregate classes, as shown in Figure 4.7. +------------------+ | Source | +------------------+ 0..1 +---------+ | STRING ident |<>----------| Node | | ENUM spoofed | +---------+ | STRING interface | 0..1 +---------+ | |<>----------| User | | | +---------+ | | 0..1 +---------+ | |<>----------| Process | | | +---------+ | | 0..1 +---------+ | |<>----------| Service | | | +---------+ | | 0..1 +---------+ | |<>----------| os | | | +---------+ | | 0..1 +---------+ | |<>----------| Program | | | +---------+ +------------------+ Figure 4.7 The Source Class The aggregate classes that constitute Source are: Node Zero or one. Information about the host or device that appears to be causing the events (network address, network name, etc.). User Zero or one. Information about the user that appears to be causing the event(s). Process Zero or one. Information about the process that appears to be causing the event(s). Service Zero or one. Information about the network service involved in the event(s). Meijer, et al. Expires March 2003 [page 36] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 os Zero or one. The operation system running on the Node from which the Attack originated. program Zero or one. The program that caused the Attack, that is running in the Process. This is represented in the XML DTD as follows: <!ENTITY % attvals.yesno " ( unknown | yes | no ) "> <!ELEMENT Source ( Node?, User?, Process?, Service?, os?, program? )> <!ATTLIST Source ident CDATA '0' spoofed %attvals.yesno; 'unknown' interface CDATA #IMPLIED > The Source class has three attributes: ident Optional. A unique identifier for this Source class (see Section 3.4.9). spoofed Optional. An indication of confidence as to whether this is the true Attack source. The permitted values for this attribute are shown below. The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Accuracy of source information unknown 1 yes Source is believed to be a decoy 2 no Source is believed to be "real" interface Optional. Specifies the interface on which the source of the event(s) was detected. 4.6.2 The Node Class Meijer, et al. Expires March 2003 [page 37] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The Node class is used to identify hosts and other network devices (routers, switches, etc.). The Node class is composed of five aggregate classes, as shown in Figure 4.16. +---------------+ | Node | +---------------+ 0..1 +----------+ | STRING ident |<>----------| Location | | ENUM category | +----------+ | | 0..1 +----------+ | |<>----------| name | | | +----------+ | | 0..* +----------+ | |<>----------| Address | | | +----------+ | | 0..1 +----------+ | |<>----------| DateTime | | | +----------+ | | 0..* +----------+ | |<>----------| NodeRole | | | +----------+ +---------------+ Figure 4.16 The Node Class The aggregate classes that constitute Node are: location Zero or one. STRING. The physical location of the equipment. name Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given. Address Zero or more. The network or hardware address of the equipment. Unless a name (above) is provided, at least one address must be specified. DateTime Zero or one. Date and time when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and name are given. Meijer, et al. Expires March 2003 [page 38] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 NodeRole Zero or more. The intended role of the node. This is represented in the XML DTD as follows: <!ENTITY % attvals.nodecat " ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos | nds | nis | nisplus | nt | wfw ) "> <!ELEMENT Node ( location?, (name | Address), Address*, DateTime?, NodeRole* )> <!ATTLIST Node ident CDATA '0' category %attvals.nodecat; 'unknown' > The Node class has two attributes: ident Optional. A unique identifier for the node, see Section 3.4.9. category Optional. The "domain" from which the name information obtained, if relevant. The permitted values for this attribute are shown below. The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Domain unknown or not relevant 1 ads Windows 2000 Advanced Directory Services 2 afs Andrew File System (Transarc) 3 coda Coda Distributed File System 4 dfs Distributed File System (IBM) 5 dns Domain Name System 6 hosts Local hosts file 7 kerberos Kerberos realm 8 nds Novell Directory Services 9 nis Network Information Services (Sun) 10 nisplus Network Information Services Plus (Sun) 11 nt Windows NT domain 12 wfw Windows for Workgroups 4.6.2.1 The Address Class The Address class represents a network, hardware, or application address. Meijer, et al. Expires March 2003 [page 39] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The Address class is composed of two aggregate classes, as shown in Figure 4.17. +------------------+ | Address | +------------------+ +---------+ | STRING ident |<>----------| address | | ENUM category | +---------+ | STRING vlan-name | 0..1 +---------+ | INTEGER vlan-num |<>----------| netmask | | | +---------+ +------------------+ Figure 4.17 The Address Class The aggregate classes that constitute Address are: address Exactly one. STRING. The address whose format is governed by the category attribute. netmask Zero or one. STRING. The network mask for the address, if appropriate. This is represented in the XML DTD as follows: <!ENTITY % attvals.addrcat " ( unknown | atm | e-mail | lotus-notes | mac | sna | vm | ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask | ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask ) "> <!ELEMENT Address ( address, netmask? )> <!ATTLIST Address ident CDATA '0' category %attvals.addrcat; 'unknown' vlan-name CDATA #IMPLIED vlan-num CDATA #IMPLIED > The Address class has four attributes: ident Optional. A unique identifier for the address (see Section 3.4.9). Meijer, et al. Expires March 2003 [page 40] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 category Optional. The type of address represented. The permitted values for this attribute are shown below. The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Address type unknown 1 atm Asynchronous Transfer Mode network address 2 e-mail Electronic mail address (RFC 822) 3 lotus-notes Lotus Notes e-mail address 4 mac Media Access Control (MAC) address 5 sna IBM Shared Network Architecture (SNA) address 6 vm IBM VM ("PROFS") e-mail address 7 ipv4-addr IPv4 host address in dotted-decimal notation (a.b.c.d) 8 ipv4-addr-hex IPv4 host address in hexadecimal notation 9 ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn) 10 ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z) 11 ipv6-addr IPv6 host address 12 ipv6-addr-hex IPv6 host address in hexadecimal notation 13 ipv6-net IPv6 network address, slash, significant bits 14 ipv6-net-mask IPv6 network address, slash, network mask vlan-name Optional. The name of the Virtual LAN to which the address belongs. vlan-num Optional. The number of the Virtual LAN to which the address belongs. 4.6.2.2 The NodeRole Class The NodeRole class is used to represent the intended role of a particular node. Meijer, et al. Expires March 2003 [page 41] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The NodeRole class is composed of a single attribute represented in the XML DTD as follows: <!ENTITY % attvals.noderolecat " ( unknown | client | server-internal | server-public | www | mail | messaging | streaming | voice | file | ftp | p2p | name | directory | credential | print | application | database | infra | log ) "> <!ELEMENT NodeRole ()> <!ATTLIST NodeRole category %attvals.noderolecat; 'unknown' > The NodeRole class has one attribute: category Optional. The intended role this Node is to fulfill. The permitted values for this attribute are shown below. The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Unknown role 1 client Client computer 2 server-internal Server with internal services 3 server-public Server with public services 4 www WWW server 5 mail Mail server 6 messaging Messaging server (e.g. NNTP, IRC, instant) 7 streaming Streaming-media server 8 voice Voice server (e.g. SIP, H.323) 9 file File server (e.g. SMB, CVS, AFS) 10 ftp FTP server 11 p2p Peer-to-peer server (e.g. Napster) 12 name Name server (e.g. DNS, WINS) 13 directory Directory server (e.g. LDAP, finger, whois) 14 credential Credential server (e.g. domain controller, Kerberos) 16 print Print server 17 application Application server 18 database Database server 19 infra Infrastructure server (e.g. router, firewall, DHCP) Meijer, et al. Expires March 2003 [page 42] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 20 log Log server (e.g. syslog) 4.6.3 The User Class The User class describes a user account on a system. It is primarily used as a "container" class for the UserId aggregate class, as shown in Figure 4.18. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. +---------------+ | User | +---------------+ 1..* +--------+ | STRING ident |<>----------| UserId | | ENUM category | +--------+ +---------------+ Figure 4.18 The User Class The aggregate class contained in User is: UserId One or more. The user. This is represented in the XML DTD as follows: <!ENTITY % attvals.usercat " ( unknown | application | os-device ) "> <!ELEMENT User ( UserId+ )> <!ATTLIST User ident CDATA '0' category %attvals.usercat; 'unknown' > The User class has two attributes: ident Optional. A unique identifier for the user (see Section 3.4.9). category Meijer, et al. Expires March 2003 [page 43] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Optional. The type of user represented. The permitted values for this attribute are shown below. The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown User type unknown 1 application An application user 2 os-device An operating system or device user 4.6.3.1 The UserId Class The UserId class describes a specific user account on a system. The UserId class is composed of two aggregate classes, as shown in Figure 4.19. +--------------+ | UserId | +--------------+ 0..1 +--------+ | STRING ident |<>----------| name | | ENUM type | +--------+ | | 0..1 +--------+ | |<>----------| number | | | +--------+ +--------------+ Figure 4.19 The UserId Class The aggregate classes that constitute UserId are: name Zero or one. STRING. A user or group name. number Zero or one. INTEGER. A user or group number. This is represented in the XML DTD as follows: <!ENTITY % attvals.idtype " ( current-user | original-user | target-user | user-privs | current-group | group-privs | other-privs) "> <!ELEMENT UserId ( name | number | (name, number) )> Meijer, et al. Expires March 2003 [page 44] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ATTLIST UserID ident CDATA '0' type %attvals.idtype; 'original-user' > The UserId class has two attributes: ident Optional. A unique identifier for the user id (see Section 3.4.9). type Optional. The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". Rank Keyword Description ---- ------- ----------- 0 current-user The current user id being used by the user or process. On Unix systems, this would be the "real" user id. 1 original-user The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used. 2 target-user The user id the user or process is attempting to become. For example, on Unix systems when the user attempts to use "su," "rlogin," "telnet," etc. 3 user-privs Another user id the user or process has the ability to use. On Unix systems, this would be the "effective" user id. Multiple UserId elements of this type may be used to specify a list of privileges. 4 current-group The current group id (if applicable) being used by the user or process. On Unix systems, this would be the "real" group id. 5 group-privs Another group id the group or process has the ability to use. On Unix systems, this would be the "effective" group id. On BSD-derived Unix Meijer, et al. Expires March 2003 [page 45] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 systems, multiple UserId elements of this type would be used to include all the group ids on the "group list." 6 other-privs Not used in a user, group, or process context, only used in the file context. The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions. 4.6.4 The Process Class The Process class describes a process being executed on a system. The Process class is composed of five aggregate classes, as shown in Figure 4.20. +--------------+ | Process | +--------------+ +------+ | STRING ident |<>----------| name | | | +------+ | | 0..1 +------+ | |<>----------| pid | | | +------+ | | 0..1 +------+ | |<>----------| path | | | +------+ | | 0..* +------+ | |<>----------| arg | | | +------+ | | 0..* +------+ | |<>----------| env | | | +------+ +--------------+ Figure 4.20 The Process Class The aggregate classes that constitute Process are: name Exactly one. STRING. The filename of the program being executed. This is a short name; path and argument information are provided elsewhere. pid Meijer, et al. Expires March 2003 [page 46] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Zero or one. INTEGER. The process identifier of the process. path Zero or one. STRING. The full path of the program being executed. arg Zero or more. STRING. A command-line argument to the program. Multiple arguments mayBYTE (and BYTE[]) data type. Binary data MUST bespecified (they are assumed to have occurredencoded inthe same order theyits entirety using character code references (see ). 2.2.5 Enumerated Types Enumerated types areprovided) with multiple uses of arg. env Zero or more. STRING. An environment string associated withrepresented by theprocess; generallyENUM data type, and consist ofthe format "VARIABLE=value". Multiple environment strings may be specified with multiple usesan ordered list ofenv. This is represented in the XML DTD as follows: <!ELEMENT Process ( name, pid?, path?, arg*, env* )> <!ATTLIST Process ident CDATA '0' > The Process classacceptable values. Each value hasone attribute: ident Optional. A unique identifier for the process (see Section 3.4.9). 4.6.5 The Service Class The Service class describesanetwork service. It can identify services by name, port, and protocol. When Service occurs asrepresentative keyword. Within anaggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" toIODEF document, theNode, Process, and User information also contained in Source. Likewise, when Service occursenumerated type keywords are used asan aggregate class of Target, it is understood thatattribute values 2.2.6 Date-Time Strings Date-time strings are represented by theservice is oneDATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported. Date-time strings are formatted according towhich activitya subset ofinterest is being directed; and that the service is "attached" toISO 8601:2000 [15] documented in RFC 3339 [14]. 2.2.7 NTP Timestamps NTP timestamps are represented by theNode, Process,NTPSTAMP data type, andUser information also containedare described inTarget. Meijer, et al. Expires March 2003 [page 47] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002detail in RFC 1305 [10] and RFC 2030 [11]. An NTP timestamp is a 64-bit unsigned fixed-point number. TheService classinteger part iscomposed of four aggregate classes, as showninFigure 4.21. +--------------+ | Service | +--------------+ 0..1 +----------+ | STRING ident |<>----------| name | | | +----------+ | | 0..1 +----------+ | |<>----------| port | | | +----------+ | | 0..1 +----------+ | |<>----------| portlist | | | +----------+ | | 0..1 +----------+ | |<>----------| protocol | | | +----------+ +--------------+ /_\ | +------------+ | +-------------+ | +-------------+ | SNMPService |--+--| WebService | +-------------+ +-------------+ Figure 4.21 - The Service Class The aggregate classes that constitute Service are: name Zero or one. STRING. The name oftheservice. Whenever possible,first 32 bits, and thename fromfraction part is in theIANAlast 32 bits. IODEF documents MUST encode NTP timestamps as two 32-bit hexadecimal values, separated by a period ('.'). For example, "0x12345678.0x87654321". 2.2.8 Port Lists A list ofwell-knownnetwork portsSHOULD be used. port Zero or one. INTEGER. The port number being used. portlist Zero or one. PORTLIST. Aare represented by the PORTLIST data type, and consist of a comma-separated list ofportnumbersbeing used; see Section 3.4.8 for formatting rules. protocol Zero or one. STRING. The protocol being used. A Service MUST be specified as either (a) a name, (b) a port, (c) a name(individual integers) and ranges (N-M means ports N through M, inclusive). Any combination of numbers and ranges may be used in aport, or (d) a portlist.single list. For example, "5-25,37,42,43,53,69-119,123-514". 2.2.9 Postal Address A postal address is represented by the POSTAL data type. Theprotocolformat of this address data is the documented in Sections 5.17 - 5.19 of RFC 2256 [12]. Meijer, et al. Expires September 29, 2003 [Page 12] Internet-Draft IODEF Data Model and Implementation March 2003[page 48] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 optional2.2.10 Person or Organization The name of an individual or organization is represented by the NAME data type. The format of the NAME data type is documented inall cases, but no other combinations are permitted. Because DTDs do not support subclassing (seeSection4.3.4), the inheritance relationship between Service5.4 of RFC 2256 [12]. 2.2.11 Telephone and Fax Numbers A telephone number is represented by theSNMPService and WebService subclasses shownPHONE data type. The format of the PHONE data type is documented inFigure 5.17 has been replaced with an aggregate relationship. ServiceSection 5.21 of RFC 2256 [12]. 2.2.12 Email string An email address is represented by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 RFC 2822 [13] 2.2.13 Uniform Resource Identifier strings A uniform resource identifier (URI) is represented by theXML DTD as follows: <!ELEMENT Service ( ((name | port | (name, port)) | portlist), protocol?, SNMPService?, WebService? )> <!ATTLIST Service ident CDATA '0' >URI data type. TheService class has one attribute: ident Optional.format of the URI data type is documented in RFC 2396 [8]. 2.2.14 Unique Identifiers A unique identifierforin theservice, see Section 3.4.9. 4.6.5.1context of particular creator of IODEF documents (e.g., a CSIRT) is represented by the UID data type. A globally unique identifier is represented by the GUID data type. TheWebService ClassUID and GUID data types are constructed from alphanumeric strings. Meijer, et al. Expires September 29, 2003 [Page 13] Internet-Draft IODEF Data Model and Implementation March 2003 3. TheWebService class augmentsIODEF Data Model In this section, the individual components of the IODEF data model will be discussed in detail. For each class, theService classsemantics withadditional information related to web traffic.be documented and the relationship between other classes with be presented with an UML diagram. 3.1 IODEF-Document TheWebServiceIODEF-Document class iscomposed of four aggregate classes, as shownthe top level class inFigure 4.22. +-------------+ | Service | +-------------+ /_\ | +-------------+ | WebService | +-------------+ +-------------+ | |<>----------| url | | | +-------------+ | | 0..1 +-------------+ | |<>----------| cgi | | | +-------------+ | | 0..1 +-------------+ | |<>----------| http-method | | | +-------------+ |the IODEF data model and the DTD. All IODEF documents are instances of the IODEF-Documents class. +-----------------+ |0..* +-------------+IODEF-Document ||<>----------| arg+-----------------+ |Meijer, et al. Expires March 2003 [page 49] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002STRING version |<>--{1..*}--[ Incident ] | |+-------------+ +-------------++-----------------+ Figure4.22 The WebService Class2: IODEF-Document class The aggregateclassesclass thatconstitute WebService are: url Exactly one. STRING.constitutes IODEF-Document is: Incident One. TheURL inIncident class contains all therequest. cgi Zero or one. STRING.incident-related information. TheCGI script in the request, without arguments. http-method Zero or one.IODEF-Document class has one attribute: version Required. STRING. TheHTTP method (PUT, GET) used inversion of therequest. arg Zero or more. STRING. The argumentsIODEF specification to which theCGI script. This is represented in the XML DTD as follows: <!ELEMENT WebService ( url, cgi?, http-method?, arg* )> 4.6.5.2 The SNMPService ClassIODEF document conforms. TheSNMPService class augments the Servicevalue of this attribute MUST be 1.0 3.2 Incident classwith additional information relatedEvery incident reported toSNMP traffic. The SNMPService classor handled by a CSIRT iscomposedrepresented by an instance ofthree aggregate classes, as shown in Figure 4.23. +-------------+ | Service | +-------------+ /_\ | +-------------+ | SNMPService | +-------------+ 0..1 +-----------+ | |<>----------| oidthe Incident class. This class provides a standardized representation for commonly exchanged incident data and associates a unique identifier with the described activity. Meijer, et al. Expires September 29, 2003 [Page 14] Internet-Draft IODEF Data Model and Implementation March 2003 +-------------------+ | Incident | +-------------------+ |+-----------+ENUM purpose |<>----------[ IncidentID ] | ENUM restriction |0..1 +-----------+||<>----------| community|<>--{0..1}--[ AlternativeIDs ] | | |+-----------+ Meijer, et al. Expires March 2003 [page 50] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002|<>----------[ IncidentData ] | |0..1 +-----------+||<>----------| command|<>--{0..1}--[ RelatedActivity ] | | |+-----------+ +-------------+|<>--{0..*}--[ AdditionalData ] +-------------------+ Figure4.23 The SNMPService Class3: the Incident class The aggregate classes that constituteSNMPServiceIncident are:oidIncidentID One. The incident tracking number or unique identifier assigned to this incident by the party that generated the document. AlternativeIDs Zero or one.STRING. The object identifierA list of incident tracking numbers used by other CSIRTs to refer to same activity as described in therequest. communitydocument. RelatedActivity Zero or one.STRING.A list of incident tracking numbers referencing related incidents. IncidentData Zero or more. Theobject's community string. commandevent(s) that constitute the incident about which the IODEF-Document conveys information. AdditionalData Zero orone. STRING.more. Extension area for data that cannot be represented anywhere else. Thecommand sent toIncident class has two attributes: purpose Required. ENUM. The purpose of theSNMP server (GET, SET. etc.).IODEF document. This attribute isrepresented in the XML DTDdefined asfollows: <!ELEMENT SNMPService ( oid?, community?, command? )> 4.6.6an enumerated list: 1. handling. TheTarget ClassIODEF-Document was sent for incident-handling purposes; 2. statistics. TheTarget class contains information aboutIODEF-Document was sent to be included in a Meijer, et al. Expires September 29, 2003 [Page 15] Internet-Draft IODEF Data Model and Implementation March 2003 data-repository for statistical purposes; 3. warning. The IODEF-Document was sent as a warning; 4. other. The IODEF-Document was sent for purposes specified in thepossible target(s) ofAdditionalData element. restriction Optional. ENUM. This attribute indicates theincident event(s). An event may have more than one target (e.g., indisclosure guidelines to which thecasesender expects the recipient ofa port sweep). ForthepurposeIODEF-Document to adhere. However, it is the choice ofcompatibility,theTarget class has been reused fromrecipient of theIDMEF. Hence,document to honor this guideline. The value of this attribute is logically inherited by theTarget class from an IDMEF message can be included unmodified intochildren of this class. That is to say, theIODEF-Description class withdisclosure rules applied to this class, also apply to its children. It is possible to set a granular disclosure policy, since many of thesame semantics. Likewise,high-level classes have a restriction attribute. Therefore, a child can override thedata in an IDMEF-originating Source class couldguidelines of a parent class, bedecomposed betweenit to tighten or relax theIODEF Targetdisclosure rules (i.e., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, andAttack classes.the children selectively apply more rigid controls). Thedefinitionimplicit value of theTargetrestriction attribute for a class that did not specify one can be found in theIODEF data modelclosest ancestor that did specify a value. This attribute is defined as an enumerated value with asupersetdefault value of "private". 1. public. There is no restriction level applied to theIDMEF definition. Two new classes have been added: os and program.information; 2. need-to-know. TheTarget class is composed of four aggregate classes, as showninformation may be shared with other parties that are involved inFigure 4.8. Meijer, et al. Expires March 2003 [page 51] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 +------------------+ | Target | +------------------+ 0..1 +----------+ | STRING ident |<>----------| Node | | ENUM spoofed | +----------+ | STRING interface | 0..1 +----------+ | |<>----------| User | | | +----------+ | | 0..1 +----------+ | |<>----------| Process | | | +----------+ | | 0..1 +----------+ | |<>----------| Service | | | +----------+ | | 0..1 +----------+ | |<>----------| FileList | | | +----------+ | | 0..1 +----------+ | |<>----------| os | | | +----------+ | | 0..1 +----------+ | |<>----------| Program | | | +----------+ +------------------+ Figure 4.8the incident (e.g., multiple victim sites can be informed of each other); 3. private. TheTarget Classinformation may not be shared. 4. default. Theaggregate classes that constitute Target are: Node Zero or one. Information about the host or device at which the event(s) (network address, network name, etc.) is being directed. User Zero or one. Information about the user at which the event(s) is being directed. Process Zero or one. Information about the process at which the event(s) is being directed. Service Zero or one. Information aboutinformation can be shared according to an information disclosure policy pre-arranged by thenetwork service involved incommunicating parties. 3.3 IncidentID class The IncidentID class represents theevent(s). FileList Zeroincident tracking number orone. Information about file(s) involved in theMeijer, et al. Expires September 29, 2003 [Page 16] Internet-Draft IODEF Data Model and Implementation March 2003[page 52] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 event(s). os Zero or one. The operation system running on the targeted Node. program Zeroidentifier used by a CSIRT orone. The program running asreporter to uniquely identify (in their organization) theProcess, which was targetedactivity characterized in this IODEF-Document. +------------------+ | IncidentID | +------------------+ | UID | | | | GUID name | +------------------+ Figure 4: theAttack. ThisIncidentID class The element content represents an incident tracking number (UID) that isrepresentedunique in theXML DTD as follows: <!ENTITY % attvals.yesno " ( unknown | yes | no ) "> <!ELEMENT Target ( Node?, User?, Process?, Service?, FileList?, os?, program? )> <!ATTLIST Target ident CDATA '0' decoy %attvals.yesno; 'unknown' interface CDATA #IMPLIED >context of the CSIRT. TheTargetIncidentID class hasthree attributes: ident Optional. A uniqueone attribute: name Required. GUID. An identifier forthis Target class (see Section 3.4.9). spoofed Optional. An indication of confidence as to whether this isthetrue Attack target.CSIRT that created the IODEF-Document. 3.4 AlternativeID class Thepermitted values forAlternativeID class references the incident tracking numbers or unique identifiers used by other entities (e.g., CSIRTs) to refer to activity identical to that characterized in thisattributeIODEF-Document. Thus, tracking numbers listed as an AlternativeID areshown below. The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Accuracy of target information unknown 1 yes Target is believed to bethe same events detected by another CSIRT, but seem from adecoy 2 no Target is believed todifferent perspective. It follows, the incident tracking numbers of the organization that generated the IODEF-Document should never be"real" interface Optional. Specifiesconsidered an AlternativeID. If theinterface on whichincident is not theevent(s) againstidentical activity, but is related (e.g., same methodology or intruder), then its incident tracking number should instead be represented in theTarget were detected. 4.6.7 The FileList ClassRelatedActivity (Section 3.5) class. Meijer, et al. ExpiresMarchSeptember 29, 2003[page 53] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The FileList class describes files[Page 17] Internet-Draft IODEF Data Model andother file-like objects on targets. It is primarily used as a "container"Implementation March 2003 +------------------+ | AlternativeID | +------------------+ | ENUM restriction |<>--{1..*}--[ IncidentID ] | | +------------------+ Figure 5: the AlternativeID class The aggregate classes that constitute AlternativeID are: IncidentID One or more. Unique identifiers assigned by another entity for theFile aggregate class, as shownidentical activity characterized inFigure 5.33. ForthepurposeIODEF-Document. The AlternativeID class has one attribute: restriction Optional. ENUM. This attribute has been defined in Section 3.2. 3.5 RelatedActivity class The RelatedActivity class references the incident tracking numbers or unique identifiers ofcompatibilityincidents that are related to theFileList Class is reused fromone described in theIDMEF. +--------------+ | FileListIODEF document. These references may to local incident tracking numbers, as well as, to those of other CSIRTs. The specifics of how a CSIRT came to believe that two incidents are related is considered out of scope. +------------------+ |+--------------+ 1..* +------+RelatedActivity ||<>----------| File+------------------+ | ENUM restriction |<>--{1..*}--[ IncidentID ] | |+------+ +--------------++------------------+ Figure4.33 The FileList Class6: RelatedActivity class The aggregateclass contained in FileList is: Fileclasses that constitute RelatedActivity are: IncidentID One or more.Information about an individual file, as indicatedUnique identifiers assigned byits "category"the CSIRT. The RelatedActivity class has one attribute: Meijer, et al. Expires September 29, 2003 [Page 18] Internet-Draft IODEF Data Model and"fstype" attributes (see Section 4.8.13.1).Implementation March 2003 restriction Optional. ENUM. Thisis representedattribute has been defined inthe XML DTD as follows: <!ELEMENT FileList ( File+ )> 4.6.7.1 The File ClassSection 3.2. 3.6 AdditionalData TheFileAdditionalData classprovides specificserves as an extension mechanism for informationabout a file or other file-like object that has been created, deleted, or modified on the target. More than one File can be used withinnot otherwise represented in theFileList classdata model. For relatively simple information, atomic data (integers, strings, etc.) types are provided with a mechanism toprovide information about more than one file.annotate their meaning. Thedescriptionclass canprovide eitheralso be used to extend thefile settings priordata model and the DTD to support proprietary extensions by encapsulating entire XML documents conforming to another DTD (e.g., IDMEF). A detailed discussion for extending theevent ordata model and thefile settings atDTD can be found in Section 4. Unlike XML, which is self-describing, atomic data must typically be documented to convey its meaning. This information is described in thetime'meaning' attribute. Since these description are outside the scope of theevent, as specifiedspecification, some additional coordination may be required to ensure that a recipient of a document using the"category" attribute. The File class is composedAdditionalData classes can make sense often aggregate classes, as shown in Figure 4.34. +--------------+ | File | +--------------+ +-------------+ | |<>----------| name | | | +-------------+ Meijer, et al. Expires March 2003 [page 54] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | | +-------------+ | |<>----------| path | | | +-------------+ | | 0..1 +-------------+ | |<>----------| create-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| modify-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| access-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| data-size | | | +-------------+ | | 0..1 +-------------+ | |<>----------| disk-size | | | +-------------+ | | 0..* +-------------+ | |<>----------| FileAccess | | | +-------------+the custom extensions. +------------------+ | AdditionalData |0..* +-------------++------------------+ ||<>----------| LinkageANY | | |+-------------+| ENUM restriction |0..1 +-------------+||<>----------| InodeENUM type | | STRING meaning |+-------------+ +--------------++------------------+ Figure4.34 The File Class The aggregate classes that make up File are: name Exactly one. STRING. The name of the file to which the alert applies, not including the path to the file. path Exactly one. STRING. The full path to the file, including7: thename.AdditionalData class Thepath name should be representedAdditionalData class has three attributes: restriction Optional. ENUM. This attribute has been defined inas "universal" a manner as possible, to facilitate processingSection 3.2. type Required. ENUM. The data type of thealert. For Windows systems, the path should be specified using the Universal Naming Convention (UNC)element content. The permitted values forremote files, and usingthis attribute are shown below. The default value is "string". 1. boolean. The element contains adrive letter for local files (e.g., "C:\boot.ini"). For Unix systems, paths on network file systems should use the name ofboolean value, i.e., themounted resourcestrings "true" or "false" Meijer, et al. Expires September 29, 2003 [Page 19] Internet-Draft IODEF Data Model and Implementation March 2003[page 55] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 instead of the local mount point (e.g., "fileserver:/usr/local/bin/foo").2. byte. Themount point can be provided using the <Linkage> element. create-time Zero or one. DATETIME. Time the file was created. Note that thiselement content is*not* the Unix "st_ctime" file attribute (whicha single 8-bit byte (see Section 2.2.4); 3. character. The element content isnot file creation time).a single character (see Section 2.2.3); 4. date-time. TheUnix "st_ctime" attributeelement content iscontained ina date-time string (see Section 2.2.6); 5. integer. The element content is an integer (see Section 2.2.1); 6. ntpstamp. The element content is a NTP timestamp (see Section 2.2.7); 7. portlist. The element content is a port list (see Section 2.2.8); 8. real. The element content is a real number (see xref target="dt_real_numbers" />); 9. string. The element content is a string (see Section 2.2.3); 10. xml. The element content is XML-tagged data (see Section 4). meaning Optional. STRING. A description of the semantics of the"Inode"custom data in this class.modify-time Zero or one. DATETIME. Time3.7 IncidentData The IncidentData class summarizes thefile was last modified. access-time Zero or one. DATETIME. Timedetails of thefile was last accessed. data-size Zero or one. INTEGER. The sizeincident activity and a CSIRT's handling of thedata,information, as well as, groups the security events that constitute the incident. Many of the aggregated classes of IncidentData are also found inbytes. Typically whatEventData, albeit with different occurrence indicators. However, the semantics of these classes ismeant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corres- ponds to VDL. disk-size Zero or one. INTEGER.quite different. Thephysical space on disk consumed byclasses of IncidentData reflect information relevant across thefile, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value correspondsentire incident, while the classes of EventData provide information only relevant toEOF. FileAccess Zero or more. Access permissions onthefile. Linkage Zerogiven event ormore. Filesystemobjects to which this file is linked (other references fornode being described. The relationship between thefile). Inode Zero or one. Inode information for this file (relevant to Unix). ThisIncidentData and EventData classes isrepresented incomplementary. The latter provides summary information, while theXML DTD as follows: <!ENTITY % attvals.filecat " ( current | original ) "> <!ELEMENT File ( name, path, create-time?, modify-time?, access-time?, data-size?, disk-size?, FileAccess*, Linkage*, Inode? )>former provides more specific details. For example, the overall impact of the incident (represented in IncidentData) might be denial of service, but it might be worth mentioning that there were specific machines (represented in EventData) which also suffered a root compromise. In Meijer, et al. Expires September 29, 2003 [Page 20] Internet-Draft IODEF Data Model and Implementation March 2003[page 56] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ATTLIST File ident CDATA '0' category %attvals.filecat; #REQUIRED fstype CDATA #REQUIRED %attlist.global; > The File class has three attributes: ident Optional. A unique identifier for this file, see Section 3.4.9. category Required. The context for the information being provided. The permitted values are shown below. There is no default value. Rank Keyword Description ---- ------- ----------- 0 current The file information is from after the reported change 1 original The file information is from before the reported change fstype Required. The type of file systemanother example, an organizational contact can be provided in IncidentData class, while more specific contacts for thefile resides on. The name shouldindividual hosts can bespecified using a standard abbreviation, e.g., "ufs", "nfs", "afs", "ntfs", "fat16", "fat32", "pcfs", "joliet", "cdfs", etc. This attribute governs how path names and other attributes are interpreted. 4.6.7.2 The FileAccess Class The FileAccess class representsin theaccess permissions on a file. The representation is intended toEventData class. IncidentData also ensures that certain mandatory information will beusefule across operating systems. The FileAccess class is composed of two aggregate classes, as shownpresent inFigure 4.35. +--------------+the data model. +------------------+ |FileAccessIncidentData |+--------------+ +------------++------------------+ ||<>----------| UserIdENUM restriction |<>--{0..*}--[ Description ] | | |+------------+|<>--{1..*}--[ Assessment ] | |1..* +------------+||<>----------| permission|<>--{0..*}--[ Method ] | | | |<>--{0..1}--[ DetectTime ] | | | |<>--{0..1}--[ StartTime ] | | | |<>--{0..1}--[ EndTime ] | | | |<>----------[ ReportTime ] | | | |<>--{1..*}--[ Contact ] | | |+------------+|<>--{0..*}--[ Expectation ] | | | |<>--{0..1}--[ History ] | | | |<>--{0..*}--[ EventData ] | | | |<>--{0..*}--[ AdditionalData ] +------------------+ Figure 8: the IncidentData class The aggregate classes that constitute IncidentData are: Description Zero or more. STRING. A free-form textual description of the incident activity Assessment One or more. A characterization of the impact the incident activity. Meijer, et al. Expires September 29, 2003 [Page 21] Internet-Draft IODEF Data Model and Implementation March 2003[page 57] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 +--------------+ Figure 4.35Method Zero or more. TheFileAccess Classtechniques (e.g., tools, vulnerabilities) used by the intruder. DetectTime Zero or one. Theaggregate classes that make up FileAccess are: UserId Exactlytime the incident activity was first detected. StartTime Zero or one. Theuser (or group)time the incident activity started. EndTime Zero or one. The time the incident activity ended. ReportTime One. The time the incident activity was reported. Contact One or more. Contact information for the parties involved in the incident. Expectation Zero or more. Expected action to be performed by the recipient of the document. History Zero or one. Documents significant events or actions that occurred during the course of handling the incident. EventData Zero or more. Details on the Data on the (security) events that lead towhich these permissions apply. The value ofthe"type" attribute must be "user-privs", "group-privs", or "other-privs" as appropriate. Other values for "type" MUST NOT be used in this context. permission Oneincident. AdditionalData Zero or more.STRING. Level of access allowed. Recommended values are "noAccess", "read", "write", "execute", "delete", "executeAs", "changePermissions", and "takeOwnership". The "changePermissions" and "takeOwnership" strings represent those concepts in Windows. On Unix, the owner ofAn area to extend thefile always has "changePermissions" access, even if no other access is allowed fordata model with information thatuser. "Full Control" in Windows iscan not be representedby enumerating the permissions it contains.elsewhere. The"executeAs" string represents the set-user-id and set-group-id features in Unix.IncidentData class has one attribute: restriction Optional. ENUM. This attribute isrepresenteddefined inthe XML DTD as follows: <!ELEMENT FileAccess ( UserId, permission+ )> 4.6.7.3 The Linkage ClassSection 3.2. 3.8 Contact class TheLinkageContact classrepresents file system connections between the file describeddescribes contact information for organizations and personnel involved in the<File> elementincident. This class encapsulates naming the involved party, specifying contact information to reach them, andother objectsidentifying their role in thefile system. For example, if the <File> element is a symbolic link or shortcut, thenincident. Meijer, et al. Expires September 29, 2003 [Page 22] Internet-Draft IODEF Data Model and Implementation March 2003 People and organizations are treated interchangeably as contacts; one can be associated with the<Linkage> element should containother using thenamerecursive definition of theobjectclass. The 'type' attribute determines thelink points to. Furthertype of contact informationcan be provided about the object in the <Linkage> element with another <File> element, if appropriate.being provided. TheLinkagerecursive definition of this class (the Contact class iscomposedaggregated into the Contact class) provides a way to relate information without requiring the explicit use ofthree aggregate classes, as shownidentifiers inFigure 4.36. +--------------+the classes. When grouping people into organizations it is RECOMMENDED to nest the persons instances into an organization instance of this class. +------------------+ | Contact | +------------------+ | ENUM restriction |<>--{0..1}--[ name ] | ENUM role | | ENUM type |<>--{0..*}--[ Description ] |Linkage|Meijer, et al. Expires March 2003 [page 58] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 +--------------+ +------+||<>----------| name|<>--{0..*}--[ RegistryHandle ] | | |+------+|<>--{0..1}--[ PostalAddress ] | |+------+||<>----------| path|<>--{0..*}--[ Email ] | | | |<>--{0..*}--[ Telephone ] | |+------+| |<>--{0..1}--[ Fax ] |+------+||<>----------| File| |<>--{0..1}--[ Timezone ] | |+------+ +--------------+| |<>--{0..*}--[ Contact ] +------------------+ Figure4.36 The Linkage Class9: the Contact class The aggregate classes thatmake up Linkageconstitute the Contact class are: nameExactlyZero or one.STRING.NAME. The name of thefile system object not including the path. path Exactly one. STRING. The full path to the file system object, including the name.contact. Thepath name shouldcontact may either berepresented in as "universal"an organization or amanner as possible, to facilitate processing ofperson. The type attribute dictates thealert. File Exactlysemantics (organization or person). Description Zero or one.A <File> element may be used in placeSTRING. Free-form description of the<name> and <path> elements if additional information aboutthis contact. In thefile is to be included. Thecase of a person, this isrepresented inoften theXML DTD as follows: <!ENTITY % attvals.linkcat " ( hard-link | mount-point | reparse-point | shortcut | stream | symbolic-link ) "> <!ELEMENT Linkage ( (name, path) | File )> <!ATTLIST Linkage category %attvals.linkcat; #REQUIRED > The Linkage class has one attribute: category The typeorganizational title ofobject thatthelink describes. The permitted values are shown below. There is no default value.individual. Meijer, et al. Expires September 29, 2003 [Page 23] Internet-Draft IODEF Data Model and Implementation March 2003[page 59] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Rank Keyword Description ---- ------- ----------- 0 hard-linkRegistryHandle Zero or many. The<name> element represents anotherhandle namefor this file. This information mayin a registry. Care must bemore easily obtainable on NTFS file systems than others. 1 mount-point An aliastaken to ensure that a handle is meaningful to the recipient. Intra-organizational handles are of not much use for extra-organizational communication. PostalAddress Zero or one. POSTAL. The postal address of thedirectory specified bycontact formatted according to Section 2.2.9. Email Zero or many. EMAIL. The email address of theparent's <name> and <path> elements. 2 reparse-point Applies onlycontact formatted according toWindows; excludes symbolic links and mount points, which are specific typesSection 2.2.12. Telephone Zero or many. PHONE. The telephone number ofreparse points. 3 shortcutthe contact formatted according to . Fax Zero or one. PHONE. Thefile represented by a Windows "shortcut." A shortcut is distinguished from a symbolic link becausefacsimile telephone number of thedifferencecontact formatted according to . Timezone Zero or one. STRING. The timezone intheir contents,whichmay be of importance tothemanager. 4 streamcontact resides. Contact Zero or many. Recursive definition of Contact, allowing for grouping of data. AnAlternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity thatexample of this isconsideredanextension of the main <File>. 5 symbolic-linkorganization with multiple contact persons. The<name> element representsContact class has three attributes: restriction Optional. ENUM. This attribute is defined in Section 3.2. role Required. ENUM. Indicates thefile to whichrole thelink points. 4.6.7.4 The Inode Class The Inode classContact fulfills. This attribute isused to representdefined as an enumerated list: 1. creator. The entity that generate theadditional information contained inIODEF document. 2. admin. An administrative contact for aUnix file system i-node.host or network. 3. tech. A technical contact for a host or network. 4. irt. TheInode class is composed of six aggregate classes, as shownCSIRT involved inFigure 4.37. +--------------+ | Inode | +--------------+ +----------------+ | |<>----------| change-time | | | +----------------+ | | +----------------+ | |<>----------| number | | | +----------------+ | | +----------------+ | |<>----------| major-device | | | +----------------+ | | +----------------+ | |<>----------| minor-device |handling the incident. 5. cc. An entity that is to be kept informed about the the Meijer, et al. Expires September 29, 2003 [Page 24] Internet-Draft IODEF Data Model and Implementation March 2003[page 60]handling of the incident. type Required. ENUM. Indicates the type of Contact being provided. This attribute is defined as an enumerated list: 1. person. 2. organization. 3.8.1 RegistryHandle class The RegistryHandle class represents a handle to an InternetDraft draft-ietf-inch-iodef-00.txt Apr 2002 | | +----------------+ | | +----------------+ | |<>----------| c-major-device |registry or community-specific database. A handle consists of a name specified in the element content, and the database to which it belongs specified in the type attribute. +------------------+ | RegistryHandle |+----------------++------------------+ | STRING |+----------------+||<>----------| c-minor-device| | ENUM type |+----------------+ +--------------++------------------+ Figure4.37 The Inode Class The aggregate classes that make up Inode are: change-time Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat". number Zero or one. INTEGER.10: Theinode number. major-device Zero or one. INTEGER.RegistryHandle class Themajor device number of the device the file resides on. minor-device Zero or one. INTEGER.RegistryHandle class has one attribute: type Required. ENUM. Theminor device number of the devicedatabase to which thefile resides on. c-major-device Zero or one. INTEGER.handle belongs. Themajor device of the file itself, if itdefault value isa character special device. c-minor-device Zero or one. INTEGER.'local'. Theminor device of the file itself, if it is a character special device. Note that <number>, <major-device>, and <minor-device> must be given together, and the <c-major-device>possible values are: 1. internic. Internet Network Information Center 2. apnic. Asia Pacific Network Information Center 3. arin. American Registry for Internet Numbers 4. lacnic. Regional Latin-American and<c-minor-device> must be given together. This is represented in the XML DTD as follows: <!ELEMENT Inode ( change-time?, (number, major-device, minor-device)?, (c-major-device, c-minor-device)? )>Caribbean IP Address Registry 5. ripe. Reseaux IP Europeens 6. ti. TERNEA Trusted Introducer Meijer, et al. Expires September 29, 2003 [Page 25] Internet-Draft IODEF Data Model and Implementation March 2003[page 61] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 4.6.8 The Description Class7. local. A database local to the CSIRT. 3.9 Time classes TheDescription class is a general-purpose classdata model uses forany natural language free-form text. Using the XML language attribute, it is reasonabledifferent classes toinclude text inrepresent anumber of different languages in different instances of the Description class. For details on declaring language attribute see section 3.3.3. <!ELEMENT Description xml:lang="langcode"> 4.6.9 The DetectTime Class The time when the incident activity was first detected by the reporter. Ittimestamp. Their definition isrepresented in the XML DTD as follows: <!ELEMENT DetectTime (#PCDATA) > <!ATTLIST DetectTime ntpstamp CDATA #REQUIRED >identical, but each is named differently to convey a semantic difference. TheDATETIME format of the <DetectTime>element content of each class isdescribed ina timestamp formated according to the DATETIME data type (see Section3.4.6.2.2.6). +----------------------------------+ | {Start| End| Report| Detect}Time | +----------------------------------+ | DATETIME | | | | NTPSTAMP ntpstamp | +----------------------------------+ Figure 11: the Time classes TheDetectTime class hasTime classes have one attribute: ntpstampRequired.Optional. NTPTIMESTAMP. The NTP timestamp representing thesame date and time astimestamp in the element content. The NTPSTAMP format of this attribute's value is described in Section3.4.7. If2.2.7. The use of thedate and time represented byntpstamp attribute is optional since it is redundant. However, it has been maintained to ensure compatibility with the IDMEF [7]. Representing a timestamp in both the element content and attribute is NOT RECOMMENDED. However, if both are used, their values MUST be identical. 3.9.1 StartTime The StartTime class represents timestamp for the start of an activity. 3.9.2 EndTime The EndTime class represents theNTPtimestampdiffer (should "never" happen),for thevalue inend of an activity. 3.9.3 DetectTime Meijer, et al. Expires September 29, 2003 [Page 26] Internet-Draft IODEF Data Model and Implementation March 2003 The DetectTime class represents theNTPtimestampMUSTof when an activity was first detected. 3.9.4 ReportTime The ReportTime class represents the timestamp of when a detected activity was reported. 3.9.5 DateTime The DateTime class is a generic representation of a timestamp. Its semantics should beused. 4.6.10inferred from the parent class into which it is aggregated. 3.10 Expectation class The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. +------------------+ | Expectation | +------------------+ | ENUM restriction |<>--{1..*}--[ Description ] | ENUM priority | | ENUM category |<>--{0..1}--[ StartTime ] | | | |<>--{0..1}--[ EndTime ] | | | |<>--{0..1}--[ Contact ] +------------------+ Figure 12: the Expectation class The aggregate classes that constitute Expectation are: Description One or many. STRING. A free-form description of the desired action(s). StartTimeClassZero or one. Thestarttimeofat which theincident activity. Itaction should be performed. A timestamp that isrepresentedearlier than the ReportTime specified in theXML DTDIncidentData class denotes that the expectation should be fulfilled asfollows: <!ELEMENT StartTime (#PCDATA) >soon as possible. TheDATETIME formatabsence ofthe <StartTime>this elementcontent isleaves the execution of the expectation to the discretion of the recipient. Meijer, et al. Expires September 29, 2003 [Page 27] Internet-Draft IODEF Data Model and Implementation March 2003[page 62] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 described in Section 3.4.6. 4.6.11 TheEndTimeClassZero or one. Theendtimeofby which theincident activity. Itaction should be completed. If the action isrepresented innot carried out by this time, it should no longer be performed. Contact Zero or one. The expected actor for theXML DTD as follows: <!ELEMENT EndTime (#PCDATA) >action. TheDATETIME format'role' attribute of the<StartTime> element contentContact MUST be set to "actor". The Expectations class has three attributes: restriction Optional. ENUM. This attribute isdescribeddefined in Section3.4.6. 4.7 The3.2. priority Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value. 1. low. Low priority 2. medium. Medium priority 3. high. High priority category Optional. ENUM. Classifies the type of action requested. This attribute is an enumerated list with no default value. 1. nothing. No action is requested. Do nothing with the information. 2. contact-site. Contact the listed site in the recipient's constituency. 3. contact-me. Contact the originator of the document. 4. block. Block or investigate machines listed in the document in the recipient's constituency. 3.11 MethodClassclass The Method class provides information about themethodmethodology used by theAttacker inintruder to perpetrate the events of the incident. This class can reference well-known vulnerability or exploit databases,as well as allowlist the intruder tools used in the attack, and provide for a free-form description of the activity.The Method class is composed of two aggregate classes, as shown in Figure 4.9.Meijer, et al. Expires September 29, 2003 [Page 28] Internet-Draft IODEF Data Model and Implementation March 2003 +------------------+ | Method | +------------------+ |STRING ident | 0..* +----------------+ |ENUM restriction|<>------||<>--{0..*}--[ Classification ] | | |+----------------+ | | 0..* +----------------+ | |<>------||<>--{0..*}--[ Description|] +------------------++----------------+Figure4.913: The MethodClassclass Theaggregate classes that constituteMethodare:class is composed of two aggregate classes. Classification Zero ormore.many. A reference to a well-known vulnerability or exploit databases. Description Zero ormore.many. STRING A free-form text descriptionof the attack. Meijer, et al. Expires March 2003 [page 63] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 This is representedof the methodology used in theXML DTD as follows: <!ELEMENT Method ( Classification*, Description*)> <!ATTLIST Method ident ID #IMPLIED restriction %attvals.restriction; 'default' >incident. The Method class hastwo attributes: ident Optional. A unique identifier for the element (see Section 3.4.9).one attribute: restriction Optional.Sets a restriction on the usage of the dataENUM. This attribute is defined inelement. 4.7.1 TheSection 3.2. 3.11.1 ClassificationClassclass The Classification classprovidesis away toreference to an externalvulnerability, exposure,database of computer vulnerabilities, exposures, orvirus database. The Classification class is composedviruses. A reference consists oftwo aggregate classes, as shownthe database name, the entry inFigure 4.24. +----------------+the database, and the URI to this entry. +------------------+ | Classification |+----------------+ +---------++------------------+ |STRING origin |<>------|ENUM restriction |<>----------[ name ] | ENUM origin | |+---------+ | | +---------+ | |<>------||<>----------[ url| | | +---------+ +----------------+] +------------------+ Figure4.2414: The ClassificationClassclass The aggregate classes that constituteClassification are:Classification: nameExactly one.One. STRING. The name of theVulnerability, Exposure or Virus (from one of the origins listed below) used by Attackerreference tocause Incident. url Exactly one. STRING. A URL at whichthemanager can finddatabase specified in the origin attribute. Meijer, et al. Expires September 29, 2003 [Page 29] Internet-Draft IODEF Data Model and Implementation March 2003[page 64] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002url One. URI. A URL to additional information aboutclassified method. The document pointed to by the URL may include an in-depth description oftheattack, appropriate countermeasures,vulnerability orother information deemed relevantexposure referenced by thevendor. This is represented in the XML DTD as follows: <!ENTITY % attvals.origin " ( unknown | bugtraqid | cve | vendor-specific ) "> <!ELEMENT Classification ( name, url )> <!ATTLIST Classification origin %attvals.origin; 'unknown' >name. The Classification class hasonetwo attribute: restriction Optional. ENUM. This attribute is defined in Section 3.2. origin Required. ENUM. Thesource from which thename of thealert originates.database to which the reference is being made. The permitted valuesfor this attributeare shown below.The default value is "unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Origin of the name is not known 1 bugtraqid The SecurityFocus.com ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/vdb) 2 cve The1. bugtraqid. Bugtraq 2. cve. Common Vulnerabilitiesandor Exposures(CVE) name (http://www.cve.mitre.org/) 3 vendor-specific3. certcc. CERT Coordination Center Vulnerability Catalog 4. vendor. Avendor-specific name (and hence, URL); this canproduct vendor whose name should beused to provide product-specific information 4.8 The Attacker Class The Attacker class augments information foundspecified in theSourcename classwith further details related to the entity(ies)/person(s) identified as5. local. A local database. 6. other. 3.12 Assessment class The Assessment class describes thesource(s)technical and non-technical repercussions of the incident activity.NOTE: Information found inNote: The IODEF definition of theAttackerAssessment classmight be derived based on address and network information found inreuses theSource class. However, particular algorithm or procedure is defined by Incident Handling SystemIDMEF definition (see Section 4.2.4.5 of [7]), but also extends it. Meijer, et al. Expires September 29, 2003 [Page 30] Internet-Draft IODEF Data Model and Implementation March 2003[page 65] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002+------------------+ |AttackerAssessment | +------------------+ |STRING ident | 0..1 +---------------+ |ENUM restriction|<>------| Contact ||<>--{0..*}--[ Impact ] | |+---------------+| |<>--{0..*}--[ TimeImpact ] |0..1 +---------------+||<>------| IRTcontact| |<>--{0..*}--[ MonetaryImpact ] | |+---------------+| |<>--{0..*}--[ LifeImpact ] |0..1 +---------------+||<>------| Location| |<>--{0..1}--[ Confidence ] +------------------++---------------+Figure4.10 The Attacker Class15: Assessment class The aggregate classes that constituteAttackerAssessment are:Contact Zero or one. Contact information for the entity/person identified as an Attacker. LocationImpact Zero orone. Location of Attacker's node or system. This is a general definitionmany. Technical impact oflocation that may depend on network structure or company's geographical distribution. IRTcontact Zero or one. Contact information for the CSIRT or Network Security manager serving the NodeÆs network. Attacker is represented in the XML DTD as follows: <!ELEMENT Attacker ( Contact?, Location?, IRTcontact?)> <!ATTLIST Attacker ident ID #IMPLIED restriction %attvals.restriction; 'default' > The Attacker class has two attributes: ident Optional. A unique identifier fortheAttacker, see Section 4.4.9. restriction Meijer, et al. Expires March 2003 [page 66] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Optional. Sets a restrictionactivity on theusage of the data in element. 4.8.1 The Contact Class The Contact Class contains contact information for a person or role in a CSIRT handling an incident. +--------------+ | Authority | +--------------+ /_\ | +--------------+ | Contact | +--------------+ 0..1 +----------------+ | STRING ident |<>----------| PersonName | | | +----------------+ | | 0..1 +----------------+ | |<>----------| PostalAddress | | | +----------------+ | | 0..1 +----------------+ | |<>----------| ContactHandle | | | +----------------+ +--------------+ Figure 4.29 Contact Class The aggregate classes that constitute Contact class are: PersonNamecomputers and networks. TimeImpact Zero orone. Namemany. Impact of theperson responsible for handling the current incident. ContactHandleactivity measured with respect to time. MonetaryImpact Zero orone. Identification number (or handle) usedmany. Impact of the activity measured with respect torefermoney. LifeImpact Zero or many. Impact of the activity measured with respect topersonal (or role) information in different Registries. PostalAddresshuman life. Confidence Zero or one.Postal AddressAn estimate ofthe person identified by PersonName. Contact is representedconfidence in theXML DTD as follows: Meijer, et al. Expires March 2003 [page 67] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ELEMENT Contact ( PersonName?, ContactHandle?, PersonAddress?)> <!ATTLIST Contact ident ID #IMPLIED >assessment. TheContactAssessment class has one attribute:identrestriction Optional.A unique identifier for the Contact element (seeENUM. This attribute is defined in Section3.4.9). 4.8.2 The IRTcontact Class3.2. 3.12.1 Impact class TheIRTcontactImpact classcontains an IRTcontact handle to a public registry (e.g., RIPE NCC database [18], Trusted Introducer database [19]) that references contact informationallows for classifying as well as providing a description of theCSIRT or network security manager servingtechnical impact due to the incident activity on the computers and networksreferenced inof an organization. Meijer, et al. Expires September 29, 2003 [Page 31] Internet-Draft IODEF Data Model and Implementation March 2003 Attributes allow theAttacker or Victim class. Thisimpact to be classified according to the consequences on the host and the severity of these consequences. The element content isrepresented inused for theXML DTD as follows: <!ENTITY % attvals.originIRT " ( unknowndescription. Note: The IODEF definition of the Impact class reuses the IDMEF definition (see Section 4.2.6.1 of [7]), but also extends it and alters the semantics. +------------------+ |ripenccImpact |ti+------------------+ |arinSTRING |apnic|afnic|local ) "> <!ELEMENT IRTcontact > <!ATTLIST IRTcontact originIRT %attvals.originirt; 'unknown' > IRTcontact| ENUM restriction | | ENUM severity | | ENUM completion | | ENUM type | +------------------+ Figure 16: Impact class The element content may be empty, or contain a free-form description (STRING) of the technical impact. The Impact class hasone attribute: originIRT Required. The registry whichfour attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. severity Optional. ENUM. An estimate of theIRTcontact handle references.relative severity of the activity. The permitted valuesfor this attributeare shown below.The default valueThere is"unknown". Rank Keyword Description ---- ------- ----------- 0 unknown Originno default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity completion Optional. ENUM. An indication of whether thenamecreator of the IODEF document believes the activity was successful. The permitted values are shown below. There is no default value. 1. failed. The attempt was notknown 1 ripencc RIPE NCC database 2 ti Trusted Introducer database of CSIRTs 3 arin ARIN database 4 apnic APNIC database 5 afnic AFNIC database 6 local Name of IRT as it used by Incident object creatorsuccessful 2. succeeded. The attempt succeeded Meijer, et al. Expires September 29, 2003 [Page 32] Internet-Draft IODEF Data Model and Implementation March 2003[page 68] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 4.9type Required. ENUM. TheVictim Classtype of impact in relatively broad categories. TheVictim class augments information foundpermitted values are shown below. The default value is "unknown." 1. admin. Administrative privileges were attempted or obtained 2. dos. A denial of service was attempted or completed 3. file. An action on a file was attempted or completed 4. recon. A reconnaissance probe was attempted or completed 5. user. User privileges were attempted or obtained 6. none. The activity did not have any (technical) impact 7. unknown. The impact of the activity is unknown 8. other. Anything not in one of theTargetabove categories 3.12.2 TimeImpact classwith further details related to the entity(ies)/person(s) identified asThe TimeImpact class describes thetarget(s)non-technical impact of theincident activity. NOTE: Information found in the Victim class might be derived basedactivity onaddress and network information found in the Target class. However, particular algorithm or procedure is defined by Incident Handling System.an organization as a function of time. Different types of time calculations and well as units can be used. +------------------+ |VictimTimeImpact | +------------------+ |STRING ident | 0..1 +---------------+ | ENUM restriction |<>------| Contact | |REAL |+---------------+| |0..1 +---------------+||<>------| IRTcontactENUM restriction | | ENUM severity |+---------------+| ENUM metric |0..1 +---------------+||<>------| LocationENUM units | +------------------++---------------+Figure4.11 The Victim Class17: TimeImpact class Theaggregate classes that constitute Victim are: Contact Zero or one. Contact information forelement content will be a numeric value (REAL) specifying theentity/person identifiedimpact as aVictim. Location Zero or one. Location of VictimÆs node or system. This is a general definitionfunction oflocation that may depend on network structure or companyÆs geographical distribution. IRTcontact Zero or one. Contact information for the CSIRT or Network Security manager serving the NodeÆs network. Victim is represented intime. The attributes represent theXML DTD as follows: <!ELEMENT Victim ( Contact?, Location?, IRTconact?)> <!ATTLIST Victimspecific units and metric. The TimeImpact class has four attributes: Meijer, et al. Expires September 29, 2003 [Page 33] Internet-Draft IODEF Data Model and Implementation March 2003[page 69] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 ident ID #IMPLIEDrestriction%attvals.restriction; 'default' > The Victim class has two attributes: identOptional.A unique identifier for the Victim element, seeENUM. This attribute has been defined in Section4.4.9. restriction3.2. severity Optional.Sets a restriction onENUM. An estimate of theusagerelative severity of thedata in element. 4.10activity. TheRecord Classpermitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity metric Required. ENUM. Defines the metric in which the time is expressed. TheRecord class contains supportive data that provides a recordpermitted values are shown below. There is no default value. 1. labor. Total staff-time to recovery from the activity (e.g., 2 employees working 4 hours each would be 8 hours) 2. elapsed. Elapsed time from the beginning ofincident activity.the recovery to its completion. 3. downtime. Duration of time for which some provided service(s) was not available. units Required. ENUM. Defines the units in which the metric is expressed. The permitted values are shown below. The default value is "hours". 1. seconds. Seconds 2. minutes. Minutes 3. hours. Hours 4. days. Days 3.12.3 MonetaryImpact class ThesourceMonetaryImpact class describes the financial impact ofthisthe activityrecord will be typically data exported from a monitoring tool oron an organization. For example, this impact may consider loss due to theresultscost ofa computer forensics investigation. The record data can consistthe investigation or recovery, diminished productivity ofboth datathe staff, or a tarnished reputation that will affect Meijer, et al. Expires September 29, 2003 [Page 34] Internet-Draft IODEF Data Model andtextual informationImplementation March 2003 future opportunities. +------------------+ |RecordMonetaryImpact | +------------------+ |STRING identREAL | | |0..* +-------------+| ENUM restriction|<>------| RecordData| | ENUM severity | | ENUM metric | | STRING currency | +------------------++-------------+Figure4.12 The Record Class The aggregate18: MonetaryImpact classthat constitutes Record is: RecordData Zero or more. Container for record data related to the current incident. Record is represented inThe element content will be a numeric value (REAL) specifying theXML DTDimpact asfollows: <!ELEMENT Record ( RecordData*)> <!ATTLIST Record ident ID #IMPLIED restriction %attvals.restriction; 'default' > Meijer, et al. Expires March 2003 [page 70] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002a function of money. TheRecordattributes represent the specific currency and metric. The MonetaryImpact class hastwofour attributes: restriction Optional.Sets a restriction onENUM. This attribute has been defined in Section 3.2. severity Optional. ENUM. An estimate of theusagerelative severity of thedataactivity. The permitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity currency Required. ENUM. Defines the currency inelement. ident Optional. A unique identifier forwhich theRecord element, see Section 4.4.9. 4.10.1monetary impact is expressed. TheRecordData Classpermitted values are defined in ISO 4217:2001, Codes for the representation of currencies and funds [18]. There is no default value. 3.12.4 LifeImpact class TheRecordDataLifeImpact classcontains textual (e.g., logfiles, malicious scripts, listdescribes the loss ofchanges if file system, etc.) and binary (e.g., disc images) suportive datahuman life or injury due to an incident. Meijer, et al. Expires September 29, 2003 [Page 35] Internet-Draft IODEF Data Model and Implementation March 2003 +------------------+ |Record | +------------------+ /_\LifeImpact | +------------------+ |RecordDataINTEGER |+------------------+ 0..* +--------------+|STRING ident |<>----------| CorrRecord| | ENUM restriction |+--------------+ | | 0..1 +--------------+ | |<>----------| RecordDesc ||| +--------------+ | | 0..1 +--------------+ | |<>----------| RecordItemENUM severity | | ENUM metric |+--------------++------------------+ Figure4.25 The RecordData Class19: LifeImpact class Theaggregate classes that constitute RecordData are: CorrRecord Zero or more. RecordDataelement content will be a numeric value (INTEGER) specifying the impact as a function of human life. The attributes represent theRecordspecific metric. The LifeImpact classthat contains Record data correlated with current Record data. RecordDesc Zero or one. Descriptionhas three attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. severity Optional. ENUM. An estimate of the relative severity of thesupportive datafoundactivity. The permitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity metric Required. ENUM. Defines the metric in which theRecordItem class. RecordItemLifeImpact is expressed. The permitted values are shown below. There is no default value. 1. Deaths 2. Injuries 3.12.5 Confidence class The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.12) of the incident activity. This estimate can be expressed as a category, or a numeric calculation. Meijer, et al. Expires September 29, 2003 [Page 36] Internet-Draft IODEF Data Model and Implementation March 2003[page 71] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Zero or one. Container for a particular pieceNote: The IODEF definition ofrecord data. This is represented intheXML DTD as follows: <!ENTITY % attvals.restriction " ( defaultConfidence class reuses the IDMEF definition (see Section 4.2.6.3 of [7]), but also extends it and alters the semantics. The Confidence class has been reused from the IDMEF [7], it has been extended and has been altered. +------------------+ |publicConfidence |internal+------------------+ |restricted ) "> <!ELEMENT RecordData ( CorrRecord*, RecordDesc?, RecordItem? )> <!ATTLIST RecordData ident CDATA #IMPLIEDREAL | | | | ENUM restriction%attvals.restriction; #IMPLIED >| | ENUM rating | +------------------+ Figure 20: Confidence class TheRecordDataelement content may be empty if the rating attribute is not set to "numeric". Otherwise, a confidence value (REAL) must be provided. The Confidence class has two attributes:ident Optional. A unique identifier for this RecordData (see Section 3.4.9).restriction Optional.Sets a restriction on the usage of the data in element. 4.10.2 The CorrRecord Class The CorrRecord class references the ID of other related RecordData for correlation.ENUM. Thisis representedattribute has been defined in Section 3.2. rating Required. ENUM. Indicates theXML DTD as follows: <!ELEMENT CorrRecord ( CorrRecordID )> <!ATTLIST CorrRecord IncidentID ID #IMPLIED > The CorrRecord classconfidence the CSIRT hasone attribute: IncidentID Optional. The type of data includedinthe element content.its assessment. The permitted valuesfor this attributeare shown below. The default value is"string"."numeric." 1. low 2. medium 3. high 4. numeric. The CSIRT has provided a probability value indicating its confidence in its assessment. 5. unknown This element SHOULD only be used when the CSIRT can produce meaningful information. When only a rough estimate is possible "low", "medium", or "high" SHOULD be used as the rating value. When a reasonable probability estimate is possible "numeric" SHOULD Meijer, et al. Expires September 29, 2003 [Page 37] Internet-Draft IODEF Data Model and Implementation March 2003[page 72] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 4.10.3be used as the rating value and include a numeric confidence value in the element content. This numeric value is a floating point number between 0.0 and 1.0, inclusive. Different CSIRTs may compute and represent confidence values in different ways. Care should be taken to take proper notice of the exact meaning of the confidence values of different CSIRTs when comparing confidence values. 3.13 History class TheRecordDesc ClassHistory class is a log or diary of the significant events that occurred or actions performed by the involved parties (e.g., initial reporter, investigating CSIRT, or involved system administrators) during the course of handling the incident. TheRecordDesc class contains meta-information about supportive datalevel of detail maintained in this log is left up to theReportItem class. +----------------+ | RecordDesc | +----------------+ 0..1 +----------------+ | |------------| DetectTime | | | +----------------+ | | 0..1 +----------------+ | |<>----------| Analyzer | | | +----------------+ |discretion of those handling the incident. +------------------+ |0..1 +----------------+History ||<>----------| Description+------------------+ | ENUM restriction |<>--{1..*}--[ HistoryItem ] | |+----------------+ +----------------++------------------+ Figure4.2621: TheRecordDesc ClassHistory class Theaggregate classesclass that constituteRecordDescHistory are:DetectTime ZeroHistoryItem One orone. Timestamp of the supportive data. This data MUST be present if it is not already representedmany. Entries in theEvidenceItem class. Analyzer Zero or one. The facility used to gather the supportive data. The analyzer SHOULD define the namehistory log ofthe format, facility, tool, or device used to generate the supportive data if it is not self-describing (e.g. xml). Likewise, the analyzer SHOULD define the Node which detected the supportive data or from which it was extracted if this information is not represented elsewhere. Description Zero or one. Free-form text to make comments onsignificant events orannotateactions performed by thesupportive data.involved parties. The History class has one attribute: restriction Optional. ENUM. This attribute isrepresenteddefined inthe XML DTD as follows: <!ELEMENT RecordDesc ( DetectTime?, Analyzer?, description? )> 4.10.4 The Analyzer Class Meijer, et al. Expires March 2003 [page 73] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The AnalyzerSection 3.2. 3.13.1 HistoryItem classidentifies the facility used to gather the evidence or tool generated Incident Alert. In case when Initial Incident registration is produced from the IDMEF message the Analyzer description may be taken from the IDMEF message where the Analyzer Class is mandatory and only one.Theanalyzer SHOULD define the name of the format, facility, tool, or device used to generate the evidence if itHistoryItem class isnot self-describing (e.g. xml). Likewise, the analyzer SHOULD define the Node which detecteda particular entry in theevidenceHistory (Section 3.13) log that documents a particular significant action orfrom which it was extracted if this information is not represented elsewhere. Forevent that occurred in thepurposecourse ofcompatibility the Analyzer Class is reused fromhandling theIDMEF. The Analyzer class is composedcurrent incident. This details oftwo aggregate classes, as shownthe entry inFigure 4.38. +---------------------+ | Analyzer | +---------------------+ 0..1 +---------+ | STRING analyzerid |<>----------| Node | | STRING manufacturer | +---------+ | STRING modelthis log are a free-form description, but each can also be categorized. Meijer, et al. Expires September 29, 2003 [Page 38] Internet-Draft IODEF Data Model and Implementation March 2003 +------------------+ |0..1 +---------+HistoryItem |STRING version |<>----------| Process+------------------+ | ENUM restriction |<>--{0..1}--[ IncidentID ] |STRING classENUM type |+---------+|STRING ostype|<>----------[ DateTime ] | |STRING osversion|+---------------------+|<>--{1..*}--[ Description ] +------------------+ Figure4.38 The Analyzer Class22: HistoryItem class The aggregate classes thatmake up Analyzerconstitute HistoryItem are:NodeIncidentID Zero orone. Information aboutOne. In history logs created by multiple parties, thehost or device onIncidentID provides a way specify which CSIRT created theanalyzer resides (network address, network name, etc.). Process Zeroparticular entry and reference this organizations local incident tracking number for this activity. When a single organization is maintaining the history log, this class can be ignored. DateTime One. Timestamp of the this entry in the history log (e.g., when the action described in the Description was taken). Description One orone. Information aboutmany. STRING. A free-form textual description of theprocessaction or event to be document in the history log. The HistoryItem class has two attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. type Optional. ENUM. Classifies the type of activity or event being document in this history log entry. The particular details of the entry are a free-form description documented inwhichtheanalyzer is executing. ThisDescription class. Possible values are an enumerated list whose default value isrepresented"other": 1. triaged. The incident data was received and processed by an IHS 2. notification. Notification to an involved party in theXML DTD as follows: <!ELEMENT Analyzer ( Node?, Process? )>incident was sent (e.g., a CSIRT sending a message to the attacking site). Meijer, et al. Expires September 29, 2003 [Page 39] Internet-Draft IODEF Data Model and Implementation March 2003[page 74] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ATTLIST Analyzer analyzerid CDATA '0' manufacturer CDATA #IMPLIED model CDATA #IMPLIED version CDATA #IMPLIED class CDATA #IMPLIED ostype CDATA #IMPLIED osversion CDATA #IMPLIED >3. shared-info. Information about this incident was shared with party not directly involved. 4. received-info. Additional information about the incident was received 5. remediation. TheAnalyzer classincident hasseven attributes: analyzerid Optional. The attributebeen resolved; a short description may betaken from the IDMEF message generated by Analyzer/IDS. For details see [IDMEF]. manufacturer Optional.included. 6. other. 3.14 EventData class Themanufacturer ofEventData class describes theanalyzer software and/or hardware. model Optional. The model name/numberevents of theanalyzer software and/or hardware. version Optional. The version numberincident surrounding a particular set of hosts or networks. This description includes theanalyzer software and/or hardware. class Optional. The classsystems from which the activity originated and those targeted, an assessment ofanalyzer software and/or hardware. ostype Optional. Operating system name. On POSIX systems, this isthevalue returned in utsname.sysnametechniques used by theuname() system call, orintruder, theoutputimpact of the"uname -s" command. osversion Optional. Operating system version. On POSIX systems, this is the value returned in utsname.release by the uname() system call, oractivity on theoutputorganization, a list ofthe "uname -r" command. The "manufacturer", "model", "version",incident handling tasks performed, and"class" attributes' contents are vendor-specific, but may be used together to identify different types of analyzers. 4.10.5 The RecordItem Class The RecordItem class is a container for the arbitraryand any forensic evidence discovered. Meijer, et al. ExpiresMarch 2003 [page 75] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 supportive data. This is represented in the XML DTD as follows: <!ENTITY % attvals.dtype " ( booleanSeptember 29, 2003 [Page 40] Internet-Draft IODEF Data Model and Implementation March 2003 +------------------+ |byteEventData |character+------------------+ |stringENUM restriction |<>--{0..*}--[ Description ] |binary|xml|file|<>--{0..1}--[ Assessment ] |path|url ) "> <!ELEMENT RecordItem ANY > <!ATTLIST RecordItem dtype %attvals.dtype; 'string' >| |<>--{0..*}--[ Method ] | | | |<>--{0..1}--[ DetectTime ] | | | |<>--{0..1}--[ StartTime ] | | | |<>--{0..1}--[ EndTime ] | | | |<>--{0..*}--[ Contact ] | | | |<>--{0..1}--[ History ] | | | |<>--{0..*}--[ System ] | | | |<>--{0..1}--[ Record ] | | | |<>--{0..*}--[ EventData ] | | | |<>--{0..*}--[ AdditionalData ] +------------------+ Figure 23: TheRecordItemEventData classhas one attribute: dtype Required. The type of data included in the element content. The permitted values for this attribute are shown below.Thedefault value is "string". Rank Keywordaggregate classes that constitute EventData are: Description---- ------- ----------- 0 boolean The element contains a boolean value, i.e., the strings "true"Zero or"false" 1 byte The element content is a single 8-bit byte (see Section 3.4.4) 2 character The element content is a single character (see Section 3.4.3) 3 integer The element content is an integer (see Section 3.4.1) 4 string The element content is a string (see Section 3.4.3) 5 binary The element content is base-64 encoded binary data. 6 xml The element content is XML-tagged data (see Section 5.2) 7 file The element contains a namemore. STRING. A free-form textual description offile that may be stored on any media, this information should be necessary for CSIRT 8 path The element content is a path to a file location on IHS system 9 url The element content is a URL tothedata 4.11 The AdditionalData Classevent. System Zero or more. TheAdditionalData class is used to provide information that cannot be representedsystems (nodes, networks) involved in the event as either sources, targets or intermediaries. Method Zero or more. The methods by which the event was staged. Information about tools used and vulnerabilities exploited. Record Zero or one. Support datamodel. AdditionalData can be(e.g., log files) that provides information on the events. Meijer, et al. Expires September 29, 2003 [Page 41] Internet-Draft IODEF Data Model and Implementation March 2003[page 76] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 used to provide atomic data (integers, strings, etc.)StartTime Zero or one. The time the event started. EndTime Zero or one. The time the event ended. DetectTime Zero or one. The time the event was detected. Contact Zero or more. The different parties involved incases where only small amountsthe incident Assessment Zero or one. Indicates the impact ofadditional information needed to be represented. However,theclassincident on the target and the actions taken. AdditionalData Zero or one. Anything that canalsonot beused to extendput in one of the other elements Event Zero or more. Recursive definition of Event, allowing for grouping of datamodelThe EventData class has one attribute: restriction Optional. ENUM. This attribute is defined in Section 3.2. 3.15 Relating the IncidentData and EventData classes At first glance, theDTD to support proprietary IODEF extensions or for encapsulating external XML document such as IDMEF messages. Detailed instructions for extendingduplication in thedata modelaggregate classes of IncidentData and EventData are obvious. However, theDTDsemantics of these classes areprovided in Section 5. The AdditionalData element is declared inquite different. IncidentData provides summary information about theXML DTD as follows: <!ENTITY % attvals.adtype " ( boolean | byte | character | date-time | integer | ntpstamp | portlist | real | string | xml ) "> <!ELEMENT AdditionalData ANY > <!ATTLIST AdditionalData type %attvals.adtype; 'string' local CDATA #IMPLIED > The AdditionalDataentire incident, while EventData provides information about a subset of the incident. For example, note that the Assessment class is aggregated in both classes. Consider a case where IncidentData:Assessment:MonetaryImpact hastwo attributes: type Required. The typebeen assigned a value ofdata includedx. Now, consider a value of y (where y < x) being assigned to a given MonetaryImpact class that is aggregated in theelement content.EventData class. Thepermittedsemantics of these two valuesfor this attribute are shown below. The default valueis"string". Rank Keyword Description ---- ------- ----------- 0 boolean The element contains a boolean value, i.e.,some monetary loss. In thestrings "true" or "false" 1 byte The element contentcase of the figure in the IncidentData class, this loss isa single 8-bit byte (see Section 3.4.4) 2 characterincident-wide. Theelement contentfigure in EventData is asingle character (see Section 3.4.3) 3 date-time The element content issubset of this overall loss, and allows one to associate adate-time string (see Section 3.4.6) 4 integer The element content is an integer (see Section 3.4.1) 5 ntpstamp The element content is an NTP timestamp (see Section 3.4.7) 6 portlist The element content isparticular loss with alistgiven subset ofports (see Section 3.4.8) 7 real The element content is a real number (see Section 3.4.2) 8 string The element content isevents that constitute the incident. It effectively provides astring (see Section 3.4.3) 9 xml The element content is XML-tagged data (see Section 5.2)breakdown (or more specific description) of Meijer, et al. Expires September 29, 2003 [Page 42] Internet-Draft IODEF Data Model and Implementation March 2003[page 77] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 local Optional. A string describingthemeaningoverall loss previously specified in the IncidentData class. 3.16 Cardinality of EventData The recursive definition of this class (the EventData class is aggregated into theelement content if used by CSIRT forEventData class) provides apurpose not described in this document. These values will be vendor/implementation dependent. The method for ensuring that managers understandway to related information without requiring thestring is outsideexplicit use of unique attribute identifiers in thescope of this specification. 4.12classes. TheHistory Classdepth of an element in the XML tree is used to related information. TheHistoryEventData classcontainscan be thought of as alogcontainer describing the properties of an event in an incident. These properties include: thesignificant events that occurred or actions performed byhosts involved, impact of theinvolved parties (e.g., initial reporter, investigating CSIRT, or involved system administrators) duringincident activity on thecoursehosts, forensic logs, etc. One groups (via an instance ofhandlingtheincident. The levelEventData class) hosts (i.e., System class) around these common properties. A child EventData class (and all its siblings) logically "inherits" the aggregated classes ofdetail maintained in this log is left upa parent EventData class. However, the presence of sibling EventData classes (it "never" makes sense to have only one EventData child in an EventData class) means that there are some disjoin properties of thediscretionevent. These children ofthose handlingtheincident. The History class +------------------+ | History | +------------------+ | | 0..* +-------------+ | ENUM restriction |<>------| HistoryItem | +------------------+ +-------------+ Figure 4.15 The History class The aggregateparent EventData classthat constitutes History is: HistoryItem Zero or more. Describesrepresent these differences, while still retaining aparticular event or action relatedway to represent thecurrent incident. History is represented incommon properties (i.e., theXML DTD as follows: <!ELEMENT History ( HistoryData* )> <!ATTLIST History restriction %attvals.restriction; 'default' > The Historyparent-child relationship). For example, an EventData classhas one attribute: restriction Meijer, et al. Expires March 2003 [page 78] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Optional. Sets a restriction on the usagemight be used to describe two machines involved in an incident. This description can be achieved using multiple instances of thedata inSystem class. It happens that theelement 4.12.1 The HistoryItem classtechnical contact (i.e., Contact class) for these two machines is identical, but the impact (i.e., Assessment class) is different. TheHistoryItem class documentsproblem lies in representing two hosts with aparticular significant action orcommon contact, but different impacts without duplicating any information. This eventthat occurred in the course of handlingcan be represent with thecurrent incident. +--------------------+following design represented in Figure 24. Meijer, et al. Expires September 29, 2003 [Page 43] Internet-Draft IODEF Data Model and Implementation March 2003 +------------------+ |HistoryItemEventData |+--------------------++------------------+ |STRING IncidentID|<>----[ Contact ] |0..1 +-------------+|STRING AuthorityID |<>----------| DateTime| |<>----[ EventData ]<>----[ System ] |ENUM restriction|+-------------+[ ]<>----[ Assessment ] | |ENUM type|0..1 +-------------+|<>----[ EventData ]<>----[ System ] ||<>----------| Description|+--------------------+ +-------------+[ ]<>----[ Assessment ] +------------------+ Figure4.xx HistoryItem class The aggregate classes that constitute HistoryItem are: DateTime Zero or one. A timestamp of when the action or event occurred. Description Zero or one. A description of the action or event. HistoryDataItem is represented24: Recursion in theXML DTD as follows: <!ELEMENT HistoryDataItem ( DateTime?, Description?)> <!ATTLIST HistoryDataItem IncidentID PCDATA #IMPLIED AuthorityID PCDATA #REQUIRED restriction %attvals.restriction; #IMPLIED type %attvals.history; #IMPLIED >EventData class 3.17 System class TheHistoryDataItemSystem classhas four attributes: IncidentID Optional. Identifies the incident ID associated with this history entry. AuthorityID Required. Identifies the the entity that made this history Meijer, et al. Expires March 2003 [page 79] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 entry. restriction Optional. Sets a restriction on the usage of the data in element. type Required. Categorizes the type of event or action taken when handling the incident. Rank Keyword Description ---- ------- ----------- 0 unknown An uncategorized history entry 1 triaged This incident has been received and processed by a given incident handling system 2 acked-reporter Acknowledgment of incident information was sent to a reporter 3 notification Based onrepresents theincident data, notification of their involvement was sent to an entity 4 request-info A request for further information from an involved party was made 5 got-info Additional information about this incident was either received or produced 6 remediation The incident has been resolved; a short description may be included 7 shared-info Information about this incident was shared with another party 4.12.2 The DateTime Classtechnical information for a given computer or network involved in the incident. Thesupportivesystems represented by this class are categorized according tomark up date and time information. It is representedthe role they played in theXML DTD as follows: <!ELEMENT DateTime (#PCDATA) >incident via through the category attribute. TheDATETIME formatvalue of this category attribute dictates the<DateTime> element content is describedsemantics of the aggregated classes inSection 3.4.6. 4.13 The Assessment Classthe System class. TheAssessmentmeaning of the Node, User, Process, and Service classis used to providedepend on theCSIRT's assessmentvalue ofan event - its impact, actions taken in response, and confidence. Forthepurposecategory attribute ofcompatibilitytheAssessment ClassSystem class. If the System class category attribute isreused'source', then the described aggregated classes denote the machine, user, process, or service from which the activity is originating. With a category attribute value of 'target' or 'intermediary', then the described machine, user, process, or service is the one targeted in the activity. Meijer, et al. Expires September 29, 2003 [Page 44] Internet-Draft IODEF Data Model and Implementation March 2003[page 80] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 from the IDMEF. The Assessment class is composed of three aggregate classes, as shown in Figure 4.13.+------------------+ |AssessmentSystem | +------------------+0..1 +------------+| ENUM restriction|<>----------| Impact | | | +------------+|<>----------[ Node ] | ENUM category |0..* +------------+||<>----------| ActionSTRING interface |<>--{0..*}--[ User ] | ENUM spoofed | |+------------+|<>--{0..*}--[ Process ] | |0..1 +------------+||<>----------| Confidence|<>--{0..*}--[ Service ] | | |+------------+|<>--{0..1}--[ FileList ] +------------------+ Figure4.13 - The Assessment Class25: the System class The aggregate classes thatmake up Assessmentconstitute System are:ImpactNode One. A host or network involved in the incident activity. User Zero orone.more. TheCSIRT's assessment ofapplication or operating system user running on theimpactspecified host that was involved in the incident. Process Zero or more. The process targeted or the source of theeventattack on thetarget(s). Actionspecified host, Service Zero ormore.one. Theaction(s) taken bynetwork service targeted on theCSIRThost specified inresponse to the event. Confidence A measurement ofNode. FileList Zero or one. Information about theconfidencefiles on theCSIRT hashost involved inits evaluation oftheevent.incident. The System class has four attribute: restriction Optional. ENUM. This attribute isrepresenteddefined in Section 3.2. category Required. ENUM. Classifies theXML DTD as follows: <!ELEMENT Assessment ( Impact?, Action*, Confidence? )> <!ATTLIST Assessment restriction %attvals.restriction; 'default' %attlist.global; > 4.13.1role the System played in the incident activity. TheImpact Classpossible values are: 1. source. TheImpact class is used to provide the CSIRT's assessment ofSystem was theimpactsource of theevent on the target(s). It is represented inattack Meijer, et al. Expires September 29, 2003 [Page 45] Internet-Draft IODEF Data Model and Implementation March 2003[page 81] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 the XML DTD as follows: <!ENTITY % attvals.severity " ( low | medium | high ) "> <!ENTITY % attvals.completion " ( failed | succeeded ) "> <!ENTITY % attvals.impacttype " ( admin | dos | file | recon | user | other ) "> <!ELEMENT Impact (#PCDATA | EMPTY)* > <!ATTLIST Impact severity %attvals.severity; #IMPLIED completion %attvals.completion; #IMPLIED type %attvals.impacttype; 'other' %attlist.global; >2. target. TheImpact class has three attributes: severity An estimate ofSystem was therelative severitytarget of theevent.attack 3. intermediate. Thepermitted values are shown below. There is no default value. Rank Keyword Description ---- ------- ----------- 0 low Low severity 1 medium Medium severity 2 high High severity completion An indication of whetherSystem was an intermediate machine used in theCSIRT believesattack. interface Optional. STRING. Specifies theattempt thatinterface on which theevent describes was successful or not. The permitted values are shown below. There is no default value. Rank Keyword Description ---- ------- ----------- 0 failed The attempt was not successful 1 succeeded The attempt succeeded type The type of attempt represented byevent(s) on this System originated. spoofed Optional. ENUM. An indication of confidence as to whether thisevent, in relatively broad categories.System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is"other." Rank Keyword Description ---- ------- -----------"unknown". 1. unknown. The accuracy of the category information is unknown 2. yes. The category value classifying the host or network as an source or target is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim. 3. no. The category value classifying the host or network as a source or target is believed to be correct. 3.18 Node class The Node class is used to identify a host or network device (e.g., routers, switches). The base definition of the class is reused from the IDMEF specification, see Section 4.2.7.1 of [7]. However, the class has been extended by adding the NodeRole class. Meijer, et al. Expires September 29, 2003 [Page 46] Internet-Draft IODEF Data Model and Implementation March 2003[page 82] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 0 admin Administrative privileges were attempted+---------------+ | Node | +---------------+ | ENUM category |<>--{0..1}--[ Location ] | | | |<>--{0..1}--[ name ] | | | |<>--{0..*}--[ Address ] | | | |<>--{0..1}--[ DateTime ] | | | |<>--{0..*}--[ NodeRole ] +---------------+ Figure 26: The Node class The aggregate classes that constitute Node are: Location Zero orobtained 1 dos A denialone. STRING. The physical location ofservice was attempted or completed 2 file An action on a file was attemptedthe equipment. name Zero orcompleted 3 recon A reconnaissance probe was attemptedone. STRING. The name of the equipment (e.g., fully qualified domain name). This information MUST be provided if no Address information is given. Address Zero orcompleted 4 user User privileges were attemptedmore. The network orobtained 5 other Anything not inhardware address of the equipment. Unless a name is provided, at least oneof the above categories All three attributes are optional. The element itself mayaddress must beempty,specified. DateTime Zero ormay contain a textual descriptionone. A timestamp of when theimpact, ifresolution between theCSIRT is able to provide additional details. 4.13.2 The Action Classname and address was performed. This information SHOULD be provided if both an Address and name are given. NodeRole Zero or more. TheAction class is used to describe any actions taken by the CSIRT owning current Incident Object in courseintended purpose ofits handling or investigating. It is represented intheXML DTD as follows: <!ENTITY % attvals.actioncat " ( block-installed | notification-sent | taken-offline | other ) "> <!ELEMENT Action (#PCDATA | EMPTY)* > <!ATTLIST Action category %attvals.actioncat; 'other' %attlist.global; > Actionequipment. The Node class has one attribute: category Optional. ENUM. Thetype of action taken by CSIRT or automatic Intrusion detection tools.context in which the Address and name classes should be considered, if relevant. The permitted values for this attribute are shown below. The default value is"other." Rank Keyword Description ---- ------- ----------- 0 block-installed A block of some sort was installed to prevent an attack from reaching its destination."unknown". 1. unknown. Domain unknown or not relevant Meijer, et al. Expires September 29, 2003 [Page 47] Internet-Draft IODEF Data Model and Implementation March 2003 2. ads. Windows 2000 Advanced Directory Services 3. afs. Andrew File System (Transarc) 4. coda. Coda Distributed File System 5. dfs. Distributed File System (IBM) 6. dns. Domain Name System 7. hosts. Local hosts file 8. kerberos. Kerberos realm 9. nds. Novell Directory Services 10. nis. Network Information Services (Sun) 11. nisplus. Network Information Services Plus (Sun) 12. nt. Windows NT domain 13. wfw. Windows for Workgroups 3.18.1 Address Theblock could beAddress class represents aport block, address block, etc., or disablingnetwork, hardware, and application address. This class is reused outright from the IDMEF specification, see Section 4.2.7.1.1 of [7]. 3.18.2 NodeRole class The NodeRole class describes (based on auser account. 1 notification-sent A notification message of somepre-defined list) the function performed by a particular host. Meijer, et al. Expires September 29, 2003 [Page 48] Internet-Draft IODEF Data Model and Implementation March 2003[page 83] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 sort was sent out-of-band (via pager, e-mail, etc.). Does not include the transmission of this alert. 2 taken-offline A system, computer, or user was taken offline, as when the computer is shut down or a user is logged off. 3 other Anything not in one of the above categories.+---------------+ | NodeRole | +---------------+ | STRING | | | | ENUM category | +---------------+ Figure 27: The NodeRole class The elementitself may be empty, or may contain a textual description of the action, if the description of the taken actions needs tocontent should beexpressedempty infree language. 4.13.3 The Confidence Class The Confidence class is used to represent the CSIRT's best estimate ofall cases other than when thevalidity of its Incident Assessment. Itcategory attribute isrepresented in the XML DTD as follows: <!ENTITY % attvals.rating " ( low | medium | high | numeric ) "> <!ELEMENT Confidence (#PCDATA | EMPTY)* > <!ATTLIST Confidence rating %attvals.rating; 'numeric' %attlist.global; >set to "other". TheConfidenceNodeRole class has oneattribute: rating The CSIRT's rating of its assessment validity. The permitted values are shown below. The defaultattributes: category Required. Functionality provided by a node. If a value of "other" is"numeric." Rank Keyword Description ---- ------- ----------- 0 low The CSIRT/triage has little confidence in its validity 1 medium The CSIRT/triage has average confidence in its validity 2 high The CSIRT/triage has high confidencespecified, a description SHOULD be provided inits validity 3 numericthe element's content. TheCSIRT/triage has provided a posterior probabilitydefault valueindicating its confidence inis "other". 1. client. Client computer 2. server-internal. Server with internal services 3. server-public. Server with public services 4. www. WWW server 5. mail. Mail server 6. messaging. Messaging server (e.g. NNTP, IRC, IM) 7. streaming. Streaming-media server 8. voice. Voice server (e.g. SIP, H.323) 9. file. File server (e.g. SMB, CVS, AFS) 10. ftp. FTP server 11. p2p. Peer-to-peer node 12. name. Name server (e.g. DNS, WINS) 13. directory. Directory server (e.g. LDAP, finger, whois) 14. credential. Credential server (e.g. domain controller, Kerberos) Meijer, et al. Expires September 29, 2003 [Page 49] Internet-Draft IODEF Data Model and Implementation March 2003[page 84] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 its validity15. print. Print server 16. application. Application server 17. database. Database server 18. infra. Infrastructure server (e.g. router, firewall, DHCP) 19. log. Logserver 20. other. other role not in this list 3.19 FileList class The FileList class describes files and other file-like objects on hosts involved in an incident. Thiselement should be used only whenclass is reused outright from theCSIRT/triage can produce meaningful information. Systems that can output only a rough heuristic should use "low", "medium",IDMEF specification, see Section 4.2.7.5 of [7]. 3.20 User The User class describes an application or"high" as the rating value. In this case,operating system user account involved in an incident. This class is reused outright from theelement content should be omitted. Systems capableIDMEF specification, see Section 4.2.7.2 ofproducing reasonable probability estimates should use "numeric" as the rating value and include[7]. 3.21 Process The Process class describes anumeric confidence value in the element content. This numeric value should reflectrunning program on aposterior probability (the probability that an attack has occurredgiven host involved in an incident. This class is reused outright from thedata seen by the detection system and the model used by the system). ItIDMEF specification, see Section 4.2.7.3 of [7]. 3.22 Service The Service class describes a network service of a host. This class is reused outright from the IDMEF specification, see Section 4.2.7.4 of [7]. 3.23 Record class The Record class groups log or audit data that provides afloating point number between 0.0 and 1.0, inclusive.record of the incident activity. Thenumbersource ofdigits shouldthis data will typically belimited to those representablethe output of monitoring tools (e.g., IDMEF messages generated by an IDS, connection logs from asingle precision floating point value, and may be represented as described in Section 3.4.2. NOTE: It should be noted that different types of Incident handling Systems may compute confidence values in different ways andweb server) thatin many cases, confidence values from different CSIRTs should not be compared (for example, ifwere used to uncover theCSIRTs use different methods of computing or representing confidence, or are of different types or configurations). Caremalicious activity. These logs shouldbe taken when implementing systems that process confidence values (suchprovide evidence asevent correlators) nottomake comparisons or assumptionswhy a reporter to CSIRT believes an incident has occurred. Meijer, et al. Expires September 29, 2003 [Page 50] Internet-Draft IODEF Data Model and Implementation March 2003 +------------------+ | Record | +------------------+ | ENUM restriction |<>--{1..*}--[ RecordData ] +------------------+ Figure 28: Record class The aggregate class thatcannot be supportedconstitutes Record is: RecordData One or more. Log or audit data generated bythe system's knowledgea particular type ofthe environment in which it is working. 4.14sensor. TheAuthority ClassRecord class has one attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. 3.23.1 RecordData class TheAuthorityRecordData classnamesgroups log or audit data from a given sensor (e.g., IDS, firewall log) and providescontact information for the CSIRT who created and is handlinga way to annotate theincident.output. +------------------+ |AuthorityRecordData | +------------------+ |STRING ident | +---------------+ |ENUM restriction|<>------| Organization|<>--{0..1}--[ DateTime ] | | |+---------------+|<>--{0..*}--[ Description ] | |0..1 +---------------+||<>------| Contact|<>--{0..1}--[ Analyzer ] | | | |<>--{1..*}--[ RecordItem ] +------------------++---------------+Figure4.1429: TheAuthority ClassRecordData class The aggregate classes that constitutes RecordData is: DateTime Zero or one. Timestamp information for the RecordItem data. Description Zero or more. STRING. Free-form textual description of the provided RecordItem data. At minimum, this description should Meijer, et al. Expires September 29, 2003 [Page 51] Internet-Draft IODEF Data Model and Implementation March 2003[page 85] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 The aggregate classes that constitute Authority are: Organization Exactly one. Name or organization handlingconvey thecurrent incident. Contactsignificance of the provided RecordItem data. Analyzer Zero or one.Contact information for the Organization handlingInformation about theincident. Authority is represented insensor used to generate theXML DTD as follows: <!ELEMENT Authority ( Organization, Contact? )> <!ATTLIST Authority ident ID #IMPLIED restriction %attvals.restriction; 'default' >RecordItem data. RecordItem One or more. Log, audit, or forensic data. TheAuthorityRecordData class hastwoone attributes:identrestriction Optional.A unique identifier for the Authority element (seeENUM. This attribute has been defined in Section3.4.9). 4.14.13.2. 3.23.1.1 Analyzer class TheOrganization ClassAnalyzer class identifies the sensor (e.g., IDS, firewall, web server) used to generate particular log or audit data. TheOrganizationdefinition of the classdescribes a CSIRT involvedis reused from the IDMEF specification, see Section 4.2.7.3 of [7]. However, inincident handling. This classthis context, the definition of an analyzer is expanded beyond merely an IDS. 3.23.1.2 RecordItem class The RecordItem class provides amandatory subordinate elementway to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing themandatory Authorityincident. This data can be directly encapsulated as part of this document, or can be referenced whereby using this class as merely a pointer to the relevant information. The dtype attribute will dictate the type of log data that will be found in this class.+--------------+ | Authority | +--------------+ /_\ | +--------------+ | Organization | +--------------+ 0..1 +----------------+ | STRING ident |<>----------| OrganizationID | | | +----------------+ | | 0..1 +----------------+ | |<>----------| OrgName | | | +----------------+This class is very similar to the AdditionalData class (Section 3.6) in that it is essentially an extension class that can support proprietary representations of security event data, not all of which is necessarily in XML. Meijer, et al. Expires September 29, 2003 [Page 52] Internet-Draft IODEF Data Model and Implementation March 2003[page 86] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | | 0..1 +----------------+ | |<>----------| PostalAddress | | | +----------------+ | | 0..1 +----------------+ | |<>----------| Email | | | +----------------+ | | 0..1 +----------------+ | |<>----------| Telephone |+------------------+ | RecordItem |+----------------++------------------+ | ANY |0..1 +----------------+||<>----------| Fax| | ENUM type |+----------------+ +--------------++------------------+ Figure4.28 Organization Class30: Theaggregate classes that constitute the OrganizationRecordItem classare: OrganizationID Zero or one.Theidentification number of the Organization.Recorditem class has one attribute: type Required. TheID can be derived from known registries such as RIPE NCC, TI, etc. OrgName Zero or one. Nametype ofthe organization as it useddata included inofficial post address. PostalAddress Zero or one. Postal Address of the organization. Email Zero or one. Email address oftheorganization. Telephone Zero or one. Telephone number ofelement content. The permitted values for this attribute are shown below. The default value is "string". 1. boolean. The element contains a boolean value, i.e., theorganization. Fax Zerostrings "true" orone. Fax"false" 2. byte. The element content is a single 8-bit byte (see Section 2.2.4); 3. character. The element content is a single character (see Section 2.2.3); 4. date-time. The element content is a date-time string (see Section 2.2.6); 5. integer. The element content is an integer (see Section 2.2.1); 6. ntpstamp. The element content is a NTP timestamp (see Section 2.2.7); 7. portlist. The element content is a port list (see Section 2.2.8); 8. real. The element content is a real numberof the organization. At(see xref target="dt_real_numbers" />); 9. string. The element content is aminimum, the Organization class MUST have eitherstring (see Section 2.2.3); 10. file. The element content is a base64 encoded binary file; 11. path. The element content is aan OrgName or OrganizationID. Organizationfilesystem path; 12. url. The element content isrepresented in the XML DTD as follows: <!ELEMENT Organization ( (OrganizationID? | OrgName?), PostalAddress?, Email?, Telephone?, Fax? )>a URL (see Section 2.2.13;) Meijer, et al. Expires September 29, 2003 [Page 53] Internet-Draft IODEF Data Model and Implementation March 2003[page 87] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ATTLIST Organization ident ID #IMPLIED >13. xml. TheOrganization class has one attributes: ident Optional. A unique identifier for the Organizationelement content is XML-tagged data (see Section3.4.9). 5.4). Meijer, et al. Expires September 29, 2003 [Page 54] Internet-Draft IODEF Data Model and Implementation March 2003 4. Extending the IODEF In order to support the changing activity of CSIRTS, the IODEF data model and DTD will need to evolve along with them. To allow new features to be added, both the data model and the DTD can be extended as described in this section. As these extensions mature, they can then be incorporated into future versions of thespecification. 5.1specification or published separately. 4.1 Extending theData Modeldata model There are two mechanisms for extending the IODEF data model: inheritance andaggregation (see Section 3.1.1). +aggregation. o By using inheritance, new subclasses may be derived and given additional attributes or operations not found in the superclass.+o Aggregation allows for entirely new, self-contained classes to be created and associated with a parent class. Of the two extension mechanisms, inheritance is preferred, because it preserves the existing data model and the operations (methods) executed on the classes of the model. There are explicit guidelines for extending the XML DTD (see Section5.2)4.2) which set limits on where extensions to the data model may be made.5.24.2 Extending the XML DTD There are two ways to extend the IODEF XML DTD: 1. The AdditionalDataclass(see Section4.2.4.5) allows3.6) and RecordItem (see Section 3.23.1.2) classes allow implementers to include arbitrary "atomic"data items (integers, strings, etc.) in an Incident or IncidentAlert class.data. (e.g., integers, strings). This approach SHOULD be used whenever possible.Meijer, et al. Expires March 2003 [page 88] Internet Draft draft-ietf-inch-iodef-00.txt Apr 20022. The AdditionalDataclass allowsand RecordItem classes allow implementers to extend the IODEF XML DTD with additionalDTD "modules"DTDs that describe arbitrarily complex data types and relationships.To extendThe following guidelines MUST be followed when extending the IODEF DTD witha newanother DTD"module," these guidelines MUST be followed:in the extension classes: 1. The IODEF description MUST include a document type declaration (see Section3.3.1.3).2.1.1.3); 2. The document type declaration MUST define a parameter entity(see Section 3.2.4)that contains the location of the extension DTD, and then reference Meijer, et al. Expires September 29, 2003 [Page 55] Internet-Draft IODEF Data Model and Implementation March 2003 that entity: <!DOCTYPEIODEF-DescriptionIODEF-Document SYSTEM"/path/to/IODEF-Description.dtd""/path/to/IODEF-Document.dtd" [ <!ENTITY % x-extension SYSTEM "/path/to/extension.dtd">%x-extension;% x-extension; ]> In this example, the "x-extension" parameter entity is defined and then referenced, causing the DTD for the extension to be read by the XML parser. The name of the parameter entity defined for this purpose MUST be a string beginning with "x-"; there are no other restrictions on the name (other than those imposed on all entity names by XML). Multiple extensions may be included by defining multiple entities and referencing them. For example: <!DOCTYPEIODEF-DescriptionIODEF-Document SYSTEM"/path/to/IODEF-Description.dtd""/path/to/IODEF-Document.dtd" [ <!ENTITY % x-extension SYSTEM "/path/to/extension.dtd"> <!ENTITY % x-another SYSTEM "/path/to/another.dtd"> %x-extension; %x-another; ]> 3. Extension DTDs MUST declare all of their elements and attributes in a separate XML namespace. Extension DTDs MUST NOT declare any elements or attributes in the "IODEF" or default namespaces. For example, the "test" extension might be declared as follows:Meijer, et al. Expires March 2003 [page 89] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002<!ELEMENT test:test ( test:a, test:b, test:c )> <!ATTLIST test:test xmlns CDATA #IMPLIED xmlns:test CDATA #IMPLIED > <!ELEMENT test:a (#PCDATA)> <!ATTLIST test:a test:attr CDATA #IMPLIED > <!ELEMENT test:b (#PCDATA)> <!ELEMENT test:c (#PCDATA)> 4. Extensions MUST only be included in the AdditionalData class of the Incident class whose "type" attribute is "xml". For example:<IODEF-DescriptionMeijer, et al. Expires September 29, 2003 [Page 56] Internet-Draft IODEF Data Model and Implementation March 2003 <IODEF-Document version="0.0"> <Incident ident="..."> ... <AdditionalData type="xml"> <test:test xmlns:test="http://www.ietf.org/iodef/test.html" xmlns="http://www.ietf.org/iodef/test.html"> <test:a test:attr="...">...</test:a> <test:b>...</test:b> <test:c>...</test:c> </test:test> </AdditionalData> </Incident></IODEF-Description> 6. Special</IODEF-Document> Meijer, et al. Expires September 29, 2003 [Page 57] Internet-Draft IODEF Data Model and Implementation March 2003 5. Processing Considerations This section discusses some of the special considerations that must be taken into account by implementers of the IODEF.6.15.1 XML Validity and Well-FormednessIt is expected that IODEF-compliant applications will normally not include the IODEF DTD in their communications. Instead, the DTD will be referenced in the document type declaration of the IODEF document rsee Section 3.3.1). SuchThe IODEF documentswillMUST beMeijer, et al. Expires March 2003 [page 90] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 well-formedwell-formed, andvalid as defined in [5]. Other IODEFwhen possible and practical the documentswillSHOULD also bespecifiedvalid. It is expected thatdoIODEF-compliant applications will normally not include thedocument prolog (e.g., entries in an IODEF-format database). SuchIODEFdocumentsDTD in their communications. Instead, the DTD will bewell-formed but not valid. Generally, well-formedness implies that a document has a single element that contains everything else (e.g., "<Book>"), and that all the other elements nest nicely within each other without any overlapping (e.g., a "chapter" does not startreferenced in themiddledocument type declaration section ofanother "chapter"). Validity further implies that not only isthe IODEF documentwell-formed, but it also follows specific rules (contained in the Document Type Definition) about which elements are "legal"(see Section 2.1.1.3. While an XML document SHOULD contain a document type declaration. This requirement imposes a significant overhead on an IODEF-compliant application in bandwidth consumption and computation for thedocument, how those elements nest within other elements,DTD may need to be downloaded andsoparsed before use by the XML parser. Implementers MAY decide to have entities who regularly exchange IODEF message agree out-of-band on(e.g., a "chapter" does not begin inthemiddle of a "title"). Aparticular documentcannottype definition they will bevalid unless it references a DTD. XML processors are requiredusing toparse any well-formed document, validexchange messages (the standard one as defined here, ornot.one with extensions), and then omit it from IODEF documents. Thepurpose of validationmethod for negotiating this agreement isto makeoutside theprocessingscope ofthe document (what's done with the data after it's parsed) easier. Without validation, a document may contain elements in nonsense order, elements "invented" by the author that the processing application doesn't understand, and so on. IODEF documents MUST be well-formed. IODEF documents SHOULDthis document. NOTE: Care must bevalid whenever both possible and practical. 6.2taken in negotiating any such agreements, as each entities will have to keep state on this agreed upon document type definition. The management complexity of these negotiations grows more complex as entities make such arrangements with many collaborators. 5.2 Unrecognized Data and XML Tags On occasion, an IODEF-compliant application may receive a well- formed, orevenwell-formed andvalid,valid IODEF document containing tags or content in the tags thatit doesare notunderstand. Theexpected. These spurious conditions might include: o Unrecognized tagsmay be either: + Recognized as "legitimate" (a valid document), but the application does not knowused in one of thesemantic meaningextension classes (i.e., AdditionalData or RecordItem); o Unrecognized tags outside of theelement's content;extension classes; or+ Not recognized at all.o Well-formed and validate document where element or attribute values to not conform to the expected values identified by an enumerated list; Meijer, et al. Expires September 29, 2003 [Page 58] Internet-Draft IODEF Data Model and Implementation March 2003 IODEF-compliant applications MUST continue to process IODEF documents that contain unknown tags, provided that these documents arewell- formed (see Section 6.1).well-formed. It is up to the individual application to decide how to process(or ignore)any content from the unknowntag(s). Special issue is related to inheritance relation betweentag. Meijer, et al. Expires September 29, 2003 [Page 59] Internet-Draft IODEF Data Model and Implementation March 2003[page 91] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 Incident/Attacker related classes IDMEF6. Internationalization issues Internationalization andIODEF, e.g. IODEF message may be simply wrap up into IDMEF container for the IncidentAlert class. In particular caselocalization is ofrelations between IODEF and IDMEF,specific concern to theIODEF mayIODEF. It is only through collaboration, often across language barriers, that certain incidents betreated as IDMEF extension applying inheritanceresolved. XML already supports different character encodings. This flexibility will allow information encoded in the IODEF toincorporate Alert/IDMEF data structure into Attack Classbe in most written languages. Furthermore, XML also provides the xml:lang attribute through which the type ofIODEF. When Incident description is producedlanguage being used in a given element can be specified. By including this attribute in the %attlist.global entity found in all elements, users ofIDMEF message,the IODEFmaycan usedirectly relateddifferent languages in the same document. The dataclasses from IDMEF. In this context it is recommendedmodel ensures thatIHS understands both format - IODEF and IDMEF. This may be achieved by mapping partthe cardinality ofIDMEF classes (XML tags) relatedthe Description class is always one-to-many with its parent. One of the intents for this design was toAttackallow the same descriptioninto IODEF classes. This isto benot difficult task becauserepeated in another instance ofinitial approach to match IODEF and IDMEF XML namespaces. Otherwise IODEF parser will still be able to parser well- formed IDMEF document and recognize important XML tags, which meaningthe Description class, but in a different language. Parsers of the IODEFis inherited from IDMEF. 6.3 Digital Signatures The joint IETF/W3C XML Signature Working Group is currently workingdocument, could extract only the elements with the relevant language. Supporting different languages allows CSIRTs tospecify XML digital signature processing rules and syntax [16]. XML Signatures provide integrity, message authentication, and/or signer authentication services forlocalize the IODEF. However, it does not aid data interchange if the recipient ofany type, whether located withina document does not understand theXMLunderlying language. In order to ensure thatincludesthesignature or elsewhere. The IODEF requirements [2] recommend thatrecipient can at least crudely approximate the contents of the document, the data model relies on enumerated attributes that are standardized to convey meaning (e.g., %attlist.purpose). Meijer, et al. Expires September 29, 2003 [Page 60] Internet-Draft IODEFshould support content confidentiality, integrity, authenticationData Model andnon- repudiation.Implementation March 2003 7. Examples Theserequirementsexamples provide an idea of what IODEF-Documents can look like. It must beachieved by the inclusion of digital signatures within anstressed that as IODEFdocument. Additional security considerations may be applied to the communications methodsis a data-exchange-format, it does not specify detailed rules on which elements andprotocols used for IODEF documents exchange. Specifications for theattributes to use under all imaginable circumstances. 7.1 Code Red detection notification The following message is a typical example ofdigital signatures within IODEF documents are outside the scope of this document. If such functionalityan incident where one host is infected with a worm. The initial report isneeded,sent in by email, theuse ofsubsequently shown IODEF-Document illustrates the communication between theXML Signature standard is RECOMMENDED. 7. Experimental implementationresponsible CSIRT andexamples Thereits constituent. The constituent isan ongoing effort amongafew European CSIRTscontact for the CSIRT and responsible for coordinating the required actions at his site. From e-citizen@hisdomain.de Date: 13 Sep 2001 23:19:24 -0000 From: e-citizen@hisdomain.de To: cert-for-ourdomain.pl@ourdomain.pl Subject: 10.1.1.2 - Code Red Virus detected Automated message, you don't have to reply toimplement IODEF in their daily incident handling work [17]. The resultsthisproject shouldemail. Your system with the IP number 10.1.1.2 seems to beavailable in late 2001. This section provides examples ofinfected with the Code Red virus. For more information see http://www.incidents.org/react/code_redII.php Please fix the problem or inform a person who is responsible for that machine to do so. >From our web server logs (Port 80): 10.1.1.2 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?XXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Figure 35: Code Red detection notification: initial report <IODEF-Document version="1.0"> <Incident restriction="need-to-know" purpose="handling"> <IncidentID name="CERT-FOR-OUR-DOMAIN.PL">CERT-FOR-OUR-DOMAIN.PL#189</IncidentID> Meijer, et al. Expires September 29, 2003 [Page 61] Internet-Draft IODEFencoded Incident data. TheData Model and Implementation March 2003 <IncidentData> <Description>Host sending out Code Red probes</Description> <ReportTime>2001-09-13T23:19:24+00:00</ReportTime> <Expectation category="other"> <Description>Track and clean host</Description> </Expectation> <Assessment> <Impact severity="low" completion="failed" type="none"></Impact> </Assessment> <Contact role="creator" role="irt" type="organization"> <name>CERT-FOR-OUR-DOMAIN.PL</name> <Email>cert-for-our-domain.pl@ourdomain.pl</Email> </Contact> <Contact role="tech" type="organization"> <name>Constituency-contact for 10.1.1.2</name> <Email>Constituency-contact@10.1.1.2.pl</Email> </Contact> <History> <HistoryItem type="notification"> <IncidentID name="CERT-FOR-OUR-DOMAIN.PL">CERT-FOR-OUR-DOMAIN.PL#189</IncidentID> <Description>Notification sent to Constituency-contact@10.1.1.2.pl</Description> <DateTime>2001-09-14T08:19:01+00:00</DateTime> </HistoryItem> </History> <EventData> <System category="source"> <Node> <Address category="ipv4-addr">10.1.1.2</Address> </Node> </System> <System category="target"> <Service> <port>80</port> </Service> </System> <Record> <RecordData> <DateTime>2001-09-13T18:11:21+02:00</DateTime> <Description>Web-server logs</Description> <RecordItem> 10.1.1.2 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?XXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX </RecordItem> Meijer, et al. Expires September 29, 2003 [Page 62] Internet-Draft IODEF Data Model and Implementation March 2003[page 92] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 examples are provided for illustrative purposes only</RecordData> </Record> </EventData> </IncidentData> </Incident> </IODEF-Document> Figure 36: Code Red detection notification: CSIRT response 7.2 IODEF-Document with XML signature 7.3 IODEF-Document encrypted using XML encryption 7.4 IODEF-Document encrypted anddo not necessarily represent the only (or even the "best") way to encode these particular incidents.signed using XML signature & encryption Meijer, et al. Expires September 29, 2003 [Page 63] Internet-Draft IODEF Data Model and Implementation March 2003 8. The IODEF Document TypeDefinition <?xml version="1.0" encoding="UTF-8"?> <!-- ******************************************************************** ******************************************************************** *** Incident Object Description and Exchange Format XML DTD *** *** Version 00, October 2002 *** *** *** ******************************************************************** ******************************************************************** --> <!-- ==================================================================== === SECTION 1. Imported Names === ==================================================================== --> <!-- | Media type, as per [RFC2045] --> <!ENTITY % ContentType "CDATA"> <!-- | comma-separated list of media types, as per [RFC2045] --> <!ENTITY % ContentTypes "CDATA"> <!-- | Character encoding, as per [RFC2045] --> <!ENTITY % Charset "CDATA"> <!-- | A space separated list of character encodings, as per [RFC2045] --> <!ENTITY % Charsets "CDATA"> <!-- | Language code, as per [RFC1766] --> <!ENTITY % LanguageCode "NMTOKEN"> <!-- | A single character from [ISO10646] --> <!ENTITY % Character "CDATA">Definition <?xml version="1.0" encoding="UTF-8"?> <!--Meijer, et al. Expires******************************************************************** ******************************************************************** *** IncidentData Exchange Format XML DTD *** *** Version 01, March 2003[page 93] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 | Date and time information. ISO date format*** ******************************************************************** ******************************************************************** --><!ENTITY % Datetime "CDATA"><!-- ==================================================================== === SECTION2.1. Attribute list declarations. === ==================================================================== --> <!-- | Attributes of the IODEF element. In general, the fixed value | of this attribute will change each time a new version of | the DTD is released. --> <!ENTITY % attlist.iodef " version CDATA #FIXED'0.05' "> <!-- | Attributes of all elements. These are the "XML" attributes | that every element should have. Space handling, name space, and | language. --> <!ENTITY % attlist.global " xmlns:iodef CDATA #FIXED 'urn:iana:xml:ns:iodef' xmlns CDATA #FIXED 'urn:iana:xml:ns:iodef' xml:space (default | preserve) 'default' xml:lang %LanguageCode; #IMPLIED'0.10' "> <!-- ==================================================================== === SECTION3.2. Attribute value declarations. Enumerated values === === for the many element-specific attribute lists. === ==================================================================== --> <!-- |Values for the Address.category attribute. --> <!ENTITY % attvals.addrcat " ( unknown | atm | e-mail | lotus-notes | mac | sna | vm | ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask | ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask ) "> <!-- | Values for the AdditionalData.type attribute. --> <!ENTITY % attvals.adtype " ( boolean | byte | character | date-time | integer | ntpstamp | portlist | real | string | xml ) Meijer, et al. Expires March 2003 [page 94] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 "> <!-- | Values for the Data.type attribute used in EvidenceItem. --> <!ENTITY % attvals.dtype " ( boolean | byte | character | string | binary | xml | file | path | url ) "> <!-- | Values forDefines purpose of theId.type attribute.Incident --> <!ENTITY %attvals.idtypeattvals.purpose " (current-user | original-user | target-userhandling |user-privsstatistics |current-groupwarning |group-privsother ) "> <!-- |Values for the Impact.completion attribute.Defines restriction on access to an element's content --> <!ENTITY %attvals.completionattvals.restriction " (faileddefault |succeeded ) "> <!--public |Values for the File.category attribute. --> <!ENTITY % attvals.filecat " ( currentneed-to-know |originalprivate ) "> <!-- | Values for theImpact.type attribute.Expectation.category attributes --> <!ENTITY %attvals.impacttypeattvals.expectations " (admin | dosnothing |filecontact-site |reconcontact-me |userblock | other ) Meijer, et al. Expires September 29, 2003 [Page 64] Internet-Draft IODEF Data Model and Implementation March 2003 "> <!-- | Values for theLinkage.categoryAdditionalData.type attribute. --> <!ENTITY %attvals.linkcatattvals.adtype " (hard-linkboolean |mount-pointbyte |reparse-pointcharacter |shortcutdate-time |streaminteger |symbolic-linkntpstamp | portlist | real | string | xml ) "> <!-- | Values for theConfidence.rating attribute.RecordItem.type attribute --> <!ENTITY %attvals.ratingattvals.dtype " (lowboolean |mediumbyte |highcharacter |numericdate-time | integer | ntpstamp | portlist | real | string | file | path | url | xml ) "> <!-- | Values for theImpact.severityHistory.type attribute. -->Meijer, et al. Expires March 2003 [page 95] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002<!ENTITY %attvals.severityattvals.historycat " (lowtriaged |mediumnotification |highshared-info | received-info | remediation | other ) "> <!-- | Values for theNode.categoryAddress.category attribute. --> <!ENTITY %attvals.nodecatattvals.addrcat " ( unknown |adsatm |afse-mail |codalotus-notes |dfsmac |dnssna |kerberosvm |ndsipv4-addr |nisipv4-addr-hex |nisplusipv4-net |ntipv4-net-mask |wfwipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask ) "> <!-- | Values for theNodeRole.categoryId.type attribute. --> <!ENTITY %attvals.noderolecatattvals.idtype " (unknown | client | server-internal | server-public | www | mail | messaging | streaming | voice | file | ftp | p2p | name | directory | credentialcurrent-user |applicationtarget-user |databaseuser-privs |infracurrent-group |loggroup-privs ) "> <!-- | Values for theClassification.originImpact.completion attribute. --> <!ENTITY %attvals.originattvals.completion " (unknown | bugtraqidfailed |cvesucceeded ) "> <!-- |vendor-specificValues for the File.category attribute. --> <!ENTITY % attvals.filecat " Meijer, et al. Expires September 29, 2003 [Page 65] Internet-Draft IODEF Data Model and Implementation March 2003 ( current |irt-localoriginal ) "> <!-- | Values for theIRTcontact.originIRT attributeImpact.type attribute. --> <!ENTITY %attvals.originIRTattvals.impacttype " (unknownnone |ripenccadmin |tidos |arinfile |apnicrecon |afnicuser |localunknown | other ) "> <!-- |Defines purpose ofValues for theIODEF ObjectLinkage.category attribute. --> <!ENTITY %attvals.purposeattvals.linkcat " (unknownhard-link |reportmount-point |handlingreparse-point |communicationshortcut |statisticsstream |experimentalsymbolic-link ) "> <!-- |Defines restriction on access to an element's contentValues for the RegistryHandle.type attribute. --> <!ENTITY %attvals.restrictionattvals.registrytype "(default( internic |publicapnic |internalarin | lacnic | ripe | ti |restrictedlocal ) "> <!-- | Values for theUser.categoryConfidence.rating attribute. --> <!ENTITY %attvals.usercatattvals.rating " (unknownlow |applicationmedium |os-devicehigh | numeric | unknown ) ">Meijer, et al. Expires March 2003 [page 96] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002<!-- | Values foryes/no attributes such as Source.spoofed and | Target.decoy.the Impact.severity attribute. --> <!ENTITY %attvals.yesnoattvals.severity " (unknownlow |yesmedium |nohigh ) "> <!--==================================================================== == Section 4.2 The IODEF-Description class == ==================================================================== --> <!ELEMENT IODEF-Description ((Incident | IncidentAlert)*)> <!ATTLIST IODEF-Description %attlist.iodef; %attlist.global; > <!-- ==================================================================== == Section 4.3 The Incident class == ==================================================================== --> <!ELEMENT Incident (Attack+, Attacker*, Victim*, Method*, Evidence?, CorrelationIncident?, Authority, History?, AdditionalData*)> <!ATTLIST Incident incidentID CDATA #IMPLIED restriction %attvals.restriction; #IMPLIED purpose %attvals.purpose; #REQUIRED %attlist.global; > <!-- ==================================================================== == Section 4.4 The CorrelationIncident class == ==================================================================== --> <!ELEMENT CorrelationIncident (EventList, IncidentID, EvidenceDataID)> <!ATTLIST CorrelationIncident restriction %attvals.restriction; #IMPLIED %attlist.global; > <!-- ==================================================================== == Section 4.4.1 The EventList class == ==================================================================== Meijer, et al. Expires March 2003 [page 97] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 --> <!ELEMENT EventList ((IncidentID?, EvidenceDataID*, datetime?)*)> <!ATTLIST EventList %attlist.global; > <!-- ==================================================================== == Section 4.5 The IncidentAlert class == ==================================================================== --> <!ELEMENT IncidentAlert (History?, Authority, AdditionalData+)> <!ATTLIST IncidentAlert incidentID CDATA #IMPLIED %attlist.global; restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== === Section 4.6 The Attack class === ==================================================================== --> <!ELEMENT Attack (Target*, Source*, Description*, DetectTime?, StartTime?, EndTime?)> <!ATTLIST Attack ident CDATA "0" restriction %attvals.restriction; #IMPLIED %attlist.global; > <!-- ==================================================================== === Section 4.6.1 The Source class === ==================================================================== --> <!-- Elements Target and Source of IODEF are re-used from IDMEF--> <!ELEMENT Source (Node?, User?, Process?, Service?, program?, os?)> <!ATTLIST Source ident CDATA "0" spoofed %attvals.yesno; "unknown" interface CDATA #IMPLIED %attlist.global; > <!-- ==================================================================== === Section 4.6.2 The Node class === ==================================================================== --> Meijer, et al. Expires March 2003 [page 98] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ELEMENT Node (((name | Address), Address*), datetime?, name?, Address*, Location?, NodeRole*)> <!ATTLIST Node ident CDATA "0" category %attvals.nodecat; "unknown" %attlist.global; > <!-- ==================================================================== === Section 4.6.2.1 The Address class === ==================================================================== --> <!ELEMENT Address (address, netmask?)> <!ATTLIST Address ident CDATA "0" category %attvals.addrcat; "unknown" vlan-name CDATA #IMPLIED vlan-num CDATA #IMPLIED %attlist.global; > <!-- ==================================================================== === Section 4.6.2.2 The NodeRole class === ====================================================================| Values for the Node.category attribute. --><!ELEMENT NodeRole EMPTY> <!ATTLIST NodeRole category %attvals.noderolecat; "unknown" ><!ENTITY % attvals.nodecat " ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos | nds | nis | nisplus | nt | wfw ) "> <!--==================================================================== === Section 4.6.3 The User class === ====================================================================| Values for the NodeRole.category attribute. --><!ELEMENT User (UserId+)> <!ATTLIST User ident CDATA "0" category %attvals.usercat; "unknown" %attlist.global; > <!-- ==================================================================== === Section 4.6.3.1 The UserId class === ====================================================================<!ENTITY % attvals.noderolecat " ( client | server-internal | server-public | www | mail | messaging | streaming | voice | file | ftp | p2p | name | directory | credential | print | application | database | Meijer, et al. Expires September 29, 2003 [Page 66] Internet-Draft IODEF Data Model and Implementation March 2003[page 99] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002infra | log | other ) "> <!-- | Values for the Classification.origin attribute. --><!ELEMENT UserId (name<!ENTITY % attvals.origin " ( bugtraqid |numbercve |(name, number))> <!ATTLIST UserId ident CDATA "0" type %attvals.idtype; "original-user" %attlist.global; >certcc | vendor | local | other) "> <!--==================================================================== === Section 4.6.4 The Process class === ====================================================================| Values for the User.category attribute. --><!ELEMENT Process (name, pid?, path?, arg*, env*)> <!ATTLIST Process ident CDATA "0" %attlist.global; ><!ENTITY % attvals.usercat " ( unknown | application | os-device ) "> <!--==================================================================== === Section 4.6.5 The Service Class === ====================================================================| Values for the System.spoofed and System.decoy attributes --><!ELEMENT Service (((name<!ENTITY % attvals.yesno " ( unknown |portyes | no ) "> <!-- | Values for the System.category attribute --> <!ENTITY % attvals.systemcat " ( source |(name, port))target |portlist), protocol?, SNMPService?, WebService?)> <!ATTLIST Service ident CDATA "0" %attlist.global; >intermediate ) "> <!-- ======================================================================= Section 4.6.5.1 The WebService Class ===== Element definitions == ==================================================================== --> <!-- ==================================================================== == IODEF-Document class == ==================================================================== --> <!ELEMENTWebService (url, cgi?, http-method?, arg*)>IODEF-Document (Incident+)> <!ATTLISTWebService %attlist.global;IODEF-Document %attlist.iodef; xmlns:iodef CDATA #FIXED 'urn:iana:xml:ns:iodef' > <!-- ======================================================================= Section 4.6.5.2 The SNMPService Class ===== Incident class == ==================================================================== --> <!ELEMENTSNMPService (oid?, community?, command?)> <!ATTLIST SNMPService %attlist.global;Incident (IncidentID, AlternativeID?, RelatedActivity?, IncidentData, AdditionalData*)> Meijer, et al. Expires September 29, 2003 [Page 67] Internet-Draft IODEF Data Model and Implementation March 2003[page 100] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002<!ATTLIST Incident restriction %attvals.restriction; "private" purpose %attvals.purpose; #REQUIRED > <!-- ======================================================================= Section 4.6.6 The Target== IncidentID class===== ==================================================================== --> <!ELEMENTTarget (Node?, User?, Process?, Service?, program?, os?, FileList?)>IncidentID (#PCDATA)> <!ATTLISTTarget ident CDATA "0" decoy %attvals.yesno; "unknown" interfaceIncidentID name CDATA #IMPLIED%attlist.global;restriction %attvals.restriction; #IMPLIED > <!-- ======================================================================= Section 4.6.7 The FileList== AlternativeID class===== ==================================================================== --><!--Elements FileList with respective subelements of IODEF are re-used from IDMEF--><!ELEMENTFileList (File+)>AlternativeID (IncidentID+)> <!ATTLISTFileList %attlist.global;AlternativeID restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== == RelatedActivity class == ==================================================================== --> <!ELEMENT RelatedActivity (IncidentID+)> <!ATTLIST RelatedActivity restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== ===Section 4.6.7.1 The FileAdditionalData class === ==================================================================== --> <!ELEMENTFile (name, path, create-time?, modify-time?, access-time?, data-size?, disk-size?, FileAccess*, Linkage*, Inode?)>AdditionalData ANY> <!ATTLISTFile ident CDATA "0" category %attvals.filecat;AdditionalData restriction %attvals.restriction; #IMPLIED type %attvals.adtype; #REQUIREDfstypemeaning CDATA#REQUIRED %attlist.global;#IMPLIED > <!-- ==================================================================== ===Section 4.6.7.2 The FileAccessIncidentData class === ==================================================================== --> Meijer, et al. Expires September 29, 2003 [Page 68] Internet-Draft IODEF Data Model and Implementation March 2003[page 101] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002<!ELEMENTFileAccess (UserId, permission+)>IncidentData (Description*, Contact+, ReportTime, DetectTime?, StartTime?, EndTime?, Expectation*, Method*, Assessment+, EventData*, History?, AdditionalData*)> <!ATTLISTFileAccess %attlist.global;IncidentData restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== ===Section 4.6.7.3 The LinkageContact class === === - RegistryHandle === - PostalAddress === - Email === - Telephone === - Fax ==================================================================== --> <!ELEMENTLinkage ((name, path) | File)>Contact (name?, Description*, RegistryHandle*, PostalAddress?, Email*, Telephone*, Fax?, Contact*)> <!ATTLISTLinkage category %attvals.linkcat;Contact role (creator | admin | tech | irt | cc) #REQUIRED type (person | organization) #REQUIRED%attlist.global;restriction %attvals.restriction; #IMPLIED ><!-- ==================================================================== === Section 4.6.7.4 The Inode class === ==================================================================== --><!ELEMENTInode (change-time?, (number, major-device, minor-device)?, (c-major-device, c-minor-device)?)>RegistryHandle (#PCDATA)> <!ATTLIST RegistryHandle type %attvals.registrytype; "local" > <!ELEMENT PostalAddress (#PCDATA)> <!ATTLISTInode %attlist.global;PostalAddress lang NMTOKEN #IMPLIED > <!ELEMENT Email (#PCDATA)> <!ELEMENT Telephone (#PCDATA)> <!ELEMENT Fax (#PCDATA)> <!-- ==================================================================== ===Section 4.6.8 The Description classTime-based classes ======================================================================= --> <!ELEMENT Description ANY> <!ATTLIST Description %attlist.global; > <!-- =======================================================================Section 4.6.9 The- DateTime === - ReportTime === - DetectTimeclass=== - StartTime === - EndTime ==================================================================== --> <!ELEMENTDetectTimeDateTime (#PCDATA)> <!ATTLISTDetectTime ntpstamp CDATA #REQUIRED %attlist.global; >DateTime Meijer, et al. Expires September 29, 2003 [Page 69] Internet-Draft IODEF Data Model and Implementation March 2003[page 102] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002ntpstamp CDATA #IMPLIED > <!ELEMENT ReportTime (#PCDATA)> <!ATTLIST ReportTime ntpstamp CDATA #IMPLIED > <!ELEMENT DetectTime (#PCDATA)> <!ATTLIST DetectTime ntpstamp CDATA #IMPLIED > <!ELEMENT StartTime (#PCDATA)> <!ATTLIST StartTime ntpstamp CDATA #IMPLIED > <!ELEMENT EndTime (#PCDATA)> <!ATTLIST EndTime ntpstamp CDATA #IMPLIED > <!-- ==================================================================== ===Section 4.6.10 The StartTimeHistory class === === - HistoryItem ==================================================================== --> <!ELEMENTStartTime (#PCDATA)>History (HistoryItem+)> <!ATTLISTStartTime %attlist.global;History restriction %attvals.restriction; #IMPLIED > <!ELEMENT HistoryItem (DateTime, IncidentID?, Description+)> <!ATTLIST HistoryItem type %attvals.historycat; #IMPLIED restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== ===Section 4.6.11 The EndTimeExpectation class === ==================================================================== --> <!ELEMENTEndTime (#PCDATA)>Expectation (Description+, Contact?, StartTime?, EndTime?)> <!ATTLISTEndTime %attlist.global;Expectation priority %attvals.severity; #IMPLIED restriction %attvals.restriction; #IMPLIED category %attvals.expectations; #IMPLIED > <!-- ==================================================================== ===Section 4.7 TheMethod class === === - Classification Meijer, et al. Expires September 29, 2003 [Page 70] Internet-Draft IODEF Data Model and Implementation March 2003 ==================================================================== --> <!ELEMENT Method (Classification*, Description*)> <!ATTLIST Method%attlist.global; ident CDATA "0"restriction %attvals.restriction; #IMPLIED ><!-- ==================================================================== === Section 4.7.1 The Classification class === ==================================================================== --><!ELEMENT Classification (name, url)> <!ATTLIST Classification restriction %attvals.restriction; #IMPLIED origin %attvals.origin;"unknown" %attlist.global;"other" > <!-- ==================================================================== ===Section 4.8 The AttackerAssessment class === === - Impact === - TimeImpact === - MonetaryImpact === - LifeImpact === - Confidence ==================================================================== --> <!ELEMENTAttacker (Contact?, Location?, IRTcontact?)> Meijer, et al. Expires March 2003 [page 103] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002Assessment (Impact*, TimeImpact*, MonetaryImpact*, LifeImpact*, Confidence?)> <!ATTLISTAttacker %attlist.global; ident CDATA "0"Assessment restriction %attvals.restriction; #IMPLIEDspoofed %attvals.yesno; "unknown"><!-- ==================================================================== === Section 4.8.1 The Contact class === ==================================================================== --><!ELEMENTContact (PersonName?, PostalAddress?, ContactHandle?)>Impact (#PCDATA)> <!ATTLISTContact %attlist.global;Impact restriction %attvals.restriction; #IMPLIED severity %attvals.severity; #IMPLIED completion %attvals.completion; #IMPLIED type %attvals.impacttype; "unknown" lang NMTOKEN #IMPLIED ><!-- ==================================================================== === Section 4.8.2 The IRTContact class === ==================================================================== --> <!ENTITY % attvals.originIRT " ( unknown | ripencc<!ELEMENT TimeImpact (#PCDATA)> <!ATTLIST TimeImpact restriction %attvals.restriction; #IMPLIED severity %attvals.severity; #IMPLIED unit (labor |tielapsed |arindowntime) #REQUIRED metric (days |apnichours |afnicminutes |local ) "> <!ELEMENT IRTcontact > <!ATTLIST IRTcontact originIRT %attvals.originIRT; 'unknown'seconds) "hours" ><!-- ==================================================================== === Section 4.9 The Victim class === ==================================================================== --><!ELEMENTVictim (Contact?, Location?, IRTcontact?)>MonetaryImpact (#PCDATA)> <!ATTLISTVictimMonetaryImpact restriction %attvals.restriction; #IMPLIED%attlist.global;severity %attvals.severity; #IMPLIED currency CDATA #REQUIRED ><!-- ==================================================================== === Section 4.10 The Record class === ==================================================================== --><!ELEMENTRecord (RecordData)>LifeImpact (#PCDATA)> Meijer, et al. Expires September 29, 2003 [Page 71] Internet-Draft IODEF Data Model and Implementation March 2003[page 104] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002<!ATTLISTRecordLifeImpact restriction %attvals.restriction; #IMPLIED%attlist.global;severity %attvals.severity; #IMPLIED metric (deaths | injuries) #REQUIRED > <!ELEMENT Confidence EMPTY> <!ATTLIST Confidence rating %attvals.rating; #REQUIRED > <!-- ==================================================================== ===Section 4.10.1 The RecordDataEventData class === ==================================================================== --> <!ELEMENTRecordData (CorrRecord*, RecordDesc?, RecordItem?)>EventData (Description*, Contact*, ReportTime?, DetectTime?, StartTime?, EndTime?, Expectation?, System*, Method*, Assessment?, EventData*, History?, Record?, AdditionalData*)> <!ATTLISTRecordData %attlist.global; ident CDATA "0"EventData restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== ===Section 4.10.2 The CorrRecordSystem class === ==================================================================== --> <!ELEMENTCorrRecord (CorrRecordID)>System (Node, User*, Process*, Service*, FileList?)> <!ATTLISTCorrRecord IncidentIDSystem category %attvals.systemcat; #IMPLIED spoofed %attvals.yesno; "unknown" interface CDATA #IMPLIED restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== ===Section 4.10.3 The RecordDescFileList class === === - File === - access-time === - change-time === - create-time === - modify-time === - c-major-device === - c-minor-device === - data-size === - disk-size ==================================================================== --> Meijer, et al. Expires September 29, 2003 [Page 72] Internet-Draft IODEF Data Model and Implementation March 2003 <!ELEMENTRecordDesc (DetectTime?, Analyzer?, Description?)>FileList (File+)> <!ENTITY % attvals.filecat " ( current | original ) "> <!ELEMENT File (name, path, create-time?, modify-time?, access-time?, data-size?, disk-size?, FileAccess*, Linkage*, Inode)> <!ATTLIST File ident CDATA "0" category %attvals.filecat; #REQUIRED fstype CDATA #REQUIRED > <!ELEMENT access-time (#PCDATA)> <!ELEMENT change-time (#PCDATA)> <!ELEMENT create-time (#PCDATA)> <!ELEMENT modify-time (#PCDATA)> <!ELEMENT c-major-device (#PCDATA)> <!ELEMENT c-minor-device (#PCDATA)> <!ELEMENT data-size (#PCDATA)> <!ELEMENT disk-size (#PCDATA)> <!ELEMENT major-device (#PCDATA)> <!ELEMENT minor-device (#PCDATA)> <!ELEMENT Linkage ((name, path) | File)> <!ATTLISTRecordDesc %attlist.global;Linkage category %attvals.linkcat; #REQUIRED > <!ELEMENT FileAccess (UserId, permission+)> <!ELEMENT Inode (change-time?, (number, major-device, minor-device)?, (c-major-device, c-minor-device)?)> <!-- ==================================================================== ===Section 4.10.4 The AnalyzerFileList class === === - NodeRole === - Location === - name ==================================================================== --><!--Element Analyzer of IODEF is re-used from IDMEF--><!ELEMENTAnalyzer (Node?, Process?)>Node (((name | Address), Address*), DateTime?, name?, Address*, Location?, NodeRole*)> <!ATTLIST Node category %attvals.nodecat; "unknown" > <!ELEMENT Address (address, netmask?)> <!ATTLISTAnalyzer analyzeridAddress ident CDATA "0"manufacturer CDATA #IMPLIED modelcategory %attvals.addrcat; "unknown" vlan-name CDATA #IMPLIED Meijer, et al. Expires September 29, 2003 [Page 73] Internet-Draft IODEF Data Model and Implementation March 2003[page 105] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 version CDATA #IMPLIED classvlan-num CDATA #IMPLIEDostype CDATA> <!ELEMENT address (#PCDATA)> <!ELEMENT netmask (#PCDATA)> <!ELEMENT Location (#PCDATA)> <!ATTLIST Location lang NMTOKEN #IMPLIEDosversion CDATA> <!ELEMENT NodeRole (#PCDATA)> <!ATTLIST NodeRole category %attvals.noderolecat; "other" lang NMTOKEN #IMPLIED%attlist.global;> <!-- ==================================================================== ===Section 4.10.5 The RecordItemUser class === === - UserID ==================================================================== --> <!ELEMENTRecordItem ANY>User (UserId+)> <!ATTLISTRecordItem dtype %attvals.dtype; "string"User ident CDATA "0" category %attvals.usercat; "unknown" ><!-- ==================================================================== === Section 4.11 The AdditionalData class === ==================================================================== --><!ELEMENTAdditionalData ANY>UserId (name | number | (name, number))> <!ATTLISTAdditionalData type %attvals.adtype; "string" %ContentType;UserId ident CDATA#IMPLIED %attlist.global;"0" type %attvals.idtype; "original-user" > <!ELEMENT number (#PCDATA)> <!-- ==================================================================== ===Section 4.12 The HistoryProcess class === ==================================================================== --> <!ELEMENTHistory (HistoryData* )>Process (name, pid?, path?, arg*, env*)> <!ATTLISTHistory restriction %attvals.restriction; 'default'Process ident CDATA "0" > <!ELEMENT env (#PCDATA)> <!ELEMENT pid (#PCDATA)> <!-- ==================================================================== ===Section 4.12.1 The HistoryItem classService Class ======================================================================= --> <!ELEMENT HistoryDataItem ( DateTime?, Description?)> <!ATTLIST HistoryDataItem IncidentID PCDATA #IMPLIED AuthorityID PCDATA #REQUIRED=== - port Meijer, et al. Expires September 29, 2003 [Page 74] Internet-Draft IODEF Data Model and Implementation March 2003[page 106] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 restriction %attvals.restriction; #IMPLIED type %attvals.history; #IMPLIED > <!-- ==================================================================== === Section 4.12.2 The DateTime class======================================================================= --> <!ELEMENT DateTime (#PCDATA)> <!ATTLIST DateTime %DateTime; timestamp $DateTime; #IMPLIED %attlist.global; > <!-- ====================================================================- portlist ===Section 4.13 The Assessment class- protocol ======================================================================= --> <!ELEMENT Assessment (Impact?, Action*, Confidence?)> <!ATTLIST Assessment restriction %attvals.restriction; #IMPLIED %attlist.global; > <!-- ====================================================================- SNMPService ===Section 4.13.1 The Impact class- WebService ======================================================================= --> <!ELEMENT Impact EMPTY> <!ATTLIST Impact severity %attvals.severity; #IMPLIED completion %attvals.completion; #IMPLIED type %attvals.impacttype; "other" %attlist.global; > <!-- ====================================================================- url, cgi, arg, http-method ===Section 4.13.2 The Action class- SNMPService === - oid, community, command ==================================================================== --><!ENTITY % attvals.actioncat "( block-installed<!ELEMENT Service (((name |notification-sentport |taken-offline(name, port)) |other ) "> <!ELEMENT Action (#PCDATA)> Meijer, et al. Expires March 2003 [page 107] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002portlist), protocol?, SNMPService?, WebService?)> <!ATTLISTAction %attlist.global;Service ident CDATA "0" > <!ELEMENT port (#PCDATA)> <!ELEMENT portlist (#PCDATA)> <!ELEMENT protocol (#PCDATA)> <!--==================================================================== === Section 4.13.3 The Confidence class === ========================================================================== Web Service ====== --> <!ELEMENTConfidence EMPTY> <!ATTLIST Confidence rating %attvals.rating; "numeric" %attlist.global; >WebService (url, cgi?, http-method?, arg*)> <!ELEMENT cgi (#PCDATA)> <!ELEMENT arg (#PCDATA)> <!ELEMENT http-method (#PCDATA)> <!--==================================================================== === Section 4.14 The Authority class === ========================================================================== SNMPService ====== --> <!ELEMENTAuthority (Organization, Contact*)> <!ATTLIST Authority restriction %attvals.restriction; #IMPLIED %attlist.global; >SNMPService (oid?, community?, command?)> <!ELEMENT oid (#PCDATA)> <!ELEMENT community (#PCDATA)> <!ELEMENT command (#PCDATA)> <!-- ==================================================================== ===Section 4.14.1 The OrganizationRecord class ======================================================================= --> <!ELEMENT Organization (OrganizationID?, OrgName?, PostalAddress?, Email?, Telephone?, Fax?)> <!ATTLIST Organization %attlist.global; > <!-- =======================================================================Simple elements with sub-elements or attributes.- RecordData === - Analyzer === - RecordItem ==================================================================== --> <!ELEMENTContactHandle (#PCDATA)>Record (RecordData+)> <!ATTLISTContactHandle originIRT %attvals.originIRT; #REQUIRED %attlist.global;Record restriction %attvals.restriction; #IMPLIED > <!ELEMENTPersonName (#PCDATA)>RecordData (Description*, DateTime?, Analyzer?, RecordItem?)> <!ATTLISTPersonNameRecordData ident CDATA "0" restriction %attvals.restriction; #IMPLIED Meijer, et al. Expires September 29, 2003 [Page 75] Internet-Draft IODEF Data Model and Implementation March 2003[page 108] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 nametype CDATA #IMPLIED %attlist.global; > <!ELEMENT PostalAddress (#PCDATA)> <!ATTLIST PostalAddress %attlist.global; > <!ELEMENT Email (#PCDATA)> <!ATTLIST Email %attlist.global; > <!ELEMENT Telephone (#PCDATA)> <!ATTLIST Telephone %attlist.global; > <!ELEMENT Fax (#PCDATA)> <!ATTLIST Fax %attlist.global;> <!--ElementDescription may contain arbitrary description in any/local language used by CSIRT (or IODEF object owner). Language should be indicated in the xml:lang attribute of the %attlist.global; UseAnalyzer ofdifferent charsets/encodings for the same language should considered.-->IODEF is re-used from IDMEF--> <!ELEMENTAction (#PCDATA)>Analyzer (Node?, Process?)> <!ATTLISTAction %attlist.global;Analyzer analyzerid CDATA "0" manufacturer CDATA #IMPLIED model CDATA #IMPLIED version CDATA #IMPLIED class CDATA #IMPLIED ostype CDATA #IMPLIED osversion CDATA #IMPLIED > <!ELEMENTDescriptionRecordItem ANY> <!ATTLISTDescription %attlist.global;RecordItem dtype %attvals.dtype; #REQUIRED > <!-- ==================================================================== ===SECTION 10. Simple elements with no sub-elements orMiscellaneous simple classes === === - Description === - name ===attributes.- path === - url ==================================================================== --> <!ELEMENTIncidentID (#PCDATA)>Description ANY> <!ATTLISTIncidentID %attlist.global;Description lang NMTOKEN #IMPLIED > <!ELEMENTattackIDname (#PCDATA)> <!ATTLISTattackID %attlist.global;name lang NMTOKEN #IMPLIED > <!ELEMENTAuthorityIDpath (#PCDATA)> <!ELEMENT url (#PCDATA)> Meijer, et al. Expires September 29, 2003 [Page 76] Internet-Draft IODEF Data Model and Implementation March 2003[page 109] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 <!ATTLIST AuthorityID %attlist.global; > <!ELEMENT MessageID (#PCDATA)> <!ATTLIST MessageID %attlist.global; > <!ELEMENT EvidenceDataID (#PCDATA)> <!ATTLIST EvidenceDataID %attlist.global; > <!ELEMENT CorrEvidenceID (#PCDATA)> <!ATTLIST CorrEvidenceID %attlist.global; > <!ELEMENT OrganizationID (#PCDATA)> <!ATTLIST OrganizationID %attlist.global; > <!ELEMENT access-time (#PCDATA)> <!ATTLIST access-time %attlist.global; > <!ELEMENT change-time (#PCDATA)> <!ATTLIST change-time %attlist.global; > <!ELEMENT create-time (#PCDATA)> <!ATTLIST create-time %attlist.global; > <!ELEMENT modify-time (#PCDATA)> <!ATTLIST modify-time %attlist.global; > <!ELEMENT c-major-device (#PCDATA)> <!ATTLIST c-major-device %attlist.global; > <!ELEMENT c-minor-device (#PCDATA)> <!ATTLIST c-minor-device %attlist.global; > <!ELEMENT data-size (#PCDATA)> <!ATTLIST data-size %attlist.global; > <!ELEMENT disk-size (#PCDATA)> <!ATTLIST disk-size9. Security considerations Due to the sensitive nature of some of the data that might be represented in the IODEF, the integrity, confidentiality, and non-repudiation of these documents in transit SHOULD be ensured. Although this protection can be provided by the transport mechanism, applying this security to an instance of the IODEF itself is RECOMMENDED. However, the specific protective measures applied to an IODEF document (be in through XML or the underlying transport protocol) should be driven by the requirements of the collaborators. The applied protective measures MUST use cryptographic techniques. XML Digital Signatures [16] SHOULD be used for ensuring integrity and non-repudiation, and XML Encryption [17] SHOULD be used to ensure the confidentiality of an IODEF document. Examples using signatures and encryption on an IODEF document can be found in the Examples chapter (Section 7): o IODEF-Document with XML signature (Section 7.2) o IODEF-Document encrypted using XML encryption (Section 7.3) o IODEF-Document encrypted and signed using XML signature & encryption (Section 7.4) Information on the implementation-specifics of applying XML Digital Signatures and XML Encryption to an IODEF-Document can be found in the IODEF Implementation Guide [20]. When using cryptographic techniques the issue of key management (whether symmetric or public key cryptography is used) must be addressed. Overall security measures must be applied to secure the IODEF-Document processing environment. The definition of these measures is outside the scope of this memo. Meijer, et al. ExpiresMarchSeptember 29, 2003[page 110] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 %attlist.global; > <!ELEMENT major-device (#PCDATA)> <!ATTLIST major-device %attlist.global; > <!ELEMENT minor-device (#PCDATA)> <!ATTLIST minor-device %attlist.global; > <!ELEMENT permission (#PCDATA)> <!ATTLIST permission %attlist.global; > <!ELEMENT cgi (#PCDATA)> <!ATTLIST cgi %attlist.global; > <!ELEMENT command (#PCDATA)> <!ATTLIST command %attlist.global; > <!ELEMENT env (#PCDATA)> <!ATTLIST env %attlist.global; > <!ELEMENT netmask (#PCDATA)> <!ATTLIST netmask %attlist.global; > <!ELEMENT community (#PCDATA)> <!ATTLIST community %attlist.global; > <!ELEMENT Location (#PCDATA)> <!ATTLIST Location %attlist.global; > <!ELEMENT http-method (#PCDATA)> <!ATTLIST http-method %attlist.global; > <!ELEMENT name (#PCDATA)> <!ATTLIST name %attlist.global; > <!ELEMENT number (#PCDATA)> <!ATTLIST number %attlist.global; Meijer, et al. Expires[Page 77] Internet-Draft IODEF Data Model and Implementation March 2003[page 111] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 > <!ELEMENT url (#PCDATA)> <!ATTLIST url %attlist.global; > <!ELEMENT os (#PCDATA)> <!ATTLIST os %attlist.global; > <!ELEMENT arg (#PCDATA)> <!ATTLIST arg %attlist.global; > <!ELEMENT oid (#PCDATA)> <!ATTLIST oid %attlist.global; > <!ELEMENT path (#PCDATA)> <!ATTLIST path %attlist.global; > <!ELEMENT pid (#PCDATA)> <!ATTLIST pid %attlist.global; > <!ELEMENT port (#PCDATA)> <!ATTLIST port %attlist.global; > <!ELEMENT portlist (#PCDATA)> <!ATTLIST portlist %attlist.global; > <!ELEMENT program (#PCDATA)> <!ATTLIST program %attlist.global; > <!ELEMENT protocol (#PCDATA)> <!ATTLIST protocol %attlist.global; > <!ELEMENT size (#PCDATA)> <!ATTLIST size %attlist.global; > 9. References10. IANA considerations Meijer, et al. Expires September 29, 2003 [Page 78] Internet-Draft IODEF Data Model and Implementation March 2003[page 112] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 [1] Bradner, S., "Key words for use in RFCs11. Acknowledgments The following groups contributed substantially toIndicate Requirement Levels", BCP 14, RFC 2119, March 1997 [2] Arvidsson, J., Cormack, A., Demchenko, Y., Meijer J. "TERENA'sthis document and should be recognized for their efforts. This document would not exist without their help: o the Incident Object Description and Exchange FormatRequirements", RFC 3067, February 2001 [3] Intrusion Detection Message Exchange Format Extensible Markup Language (XML) Document Type Definition by D. Curry - September 2001 - http://www.ietf.org/internet-drafts/draft-ietf-idwg- idmef-xml-06.txt - work in progress. [4] TaxonomyWorking-Group of theComputer SecurityTERENA task-force (TF-CSIRT) o the eCSIRT.net project Meijer, et al. Expires September 29, 2003 [Page 79] Internet-Draft IODEF Data Model and Implementation March 2003 Normative References [1] Demchenko, Y., Hiroyuki, H. and G. Keeni, "Requirements for Format for Incidentrelated terminology - http://www.terena.nl/task-forces/tf-csirt/i-taxonomy/docs/ i-taxonomy_terms.html [5]Report Exchange", RFC XXX, September 2003. [2] World Wide WebConsortium (W3C),Consortium, "Extensible Markup Language (XML) 1.0 (SecondEdition)," W3C Recommendation,Edition)", , October6, 2000. http://www.w3.org/TR/2000/REC-xml-20001006. [6]2000, <http://www.w3.org/TR/ 2000/REC-xml-20001006>. [3] World Wide WebConsortium (W3C),Consortium, "Namespaces inXML," W3C Recommendation,XML", , January 1999, <http://www.w3.org/TR/REC-xml-names/>. [4] World Wide Web Consortium, "Extensible Stylesheet Language (XSL) Version 1.0", , October 2001, <http://www.w3.org/TR/xsl/ >. [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [6] Alvestrand, H., "Tags for the Identification of Languages", RFC 3066, January14, 1999. http://www.w3.org/TR/1999/ REC-xml-names-19990114. [7] XML Schema Part 0: Primer, W3C Recommendation, 2 May2001.http://www.w3.org/TR/xmlschema-0/[7] Curry, D. and H. Debar, "Intrusion Detection Message Exchange Format", RFC XXX, January 2003. [8] Berners-Lee, T., Fielding,R.T.,R. and L. Masinter, "Uniform Resource Identifiers (URI): GenericSyntax,"Syntax", RFC 2396, August 1998. [9]Mealling, M., "The IANA XML Registry," draft-mealling-iana- xmlns-registry-00.txt, November 17, 2000, work in progress. [10] Rumbaugh, J., Jacobson, I., and G. Booch, "The Unified Modeling Language Reference Model," ISBN 020130998X, Addison-Wesley, 1998. [11]Freed, N., "IANA Charset RegistrationProcedures,"Procedures", BCP19, RFC2278, January 1998.[12] Alvestrand, H., "Tags[10] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation, and Analysis", BCP 2278, March 1992. [11] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 forthe IdentificationIPv4, IPv6 and OSI", RFC 2030, October 1996. [12] Wahl, M., "A Summary ofLanguages,"the X.500(96) User Schema for use with LDAPv3", RFC3066, BCP 47, January 2001.2256, December 1997. [13] Resnick, P., "Internet Message Format", RFC 2822, April 2001. [14] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July 2002. [15] International Organization forStandardization (ISO),Standardization, "International Standard: Data elements and interchange formats - Information Meijer, et al. Expires September 29, 2003 [Page 80] Internet-Draft IODEF Data Model and Implementation March 2003 interchange - Representation of dates andtimes,"times", ISO 8601, Second Edition, December15,2000. [16] Eastlake 3rd, D., Reagle, J. and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002. [17] Imamura, T., Dillaway, B. and E. Simon, "XML Encryption Syntax and Processing, W3C Recommendation", December 2002, <http:// www.w3.org/TR/2002/REC-xmlenc-core-20021210/>. [18] International Organization for Standardization, "International Standard: Codes for the representation of currencies and funds, ISO 4217:2001", ISO 4217:2001, August 2001. Meijer, et al. ExpiresMarchSeptember 29, 2003[page 113] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002 [14] Mills, D., "Network Time Protocol (Version 3) Specification, Implementation,[Page 81] Internet-Draft IODEF Data Model andAnalysis," RFC 1305,Implementation March1992. [15] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI," RFC 2030, October 1996. [16] Eastlake, D., Reagle,2003 Informative References [19] Rumbaugh, J., Jacobson, I. andD. Solo, "XML-Signature Syntax and Processing," draft-ietf-xmldsig-core-11.txt, November 1, 2000, work in progress. [17] Incident Object DescriptionG. Booch, "The Unified Modeling Language Reference Model, ISBN 020130998X, Addison-Wesley", 1998. [20] Helme, A. andExchange Format Working Group - http://www.terena.nl/task-forces/tf-csirt/iodef/ [18] RIPE NCC Database - http://www.ripe.net/ripe/wg/db/ [19] Trusted Introducer Service - http://www.ti.terena.nl/ 10. Security Considerations 11. IANA Considerations 12. Acknowledgements ThisR. Danyliw, "The IODEF Implementation Guide, documentwas built on the work doneto be created by theIncident Object Description and Exchange Format Working-Group of the TERENA task-force TF-CSIRT. 13.INCH WG", 2003. Authors'Addresses:Addresses Jan Meijer SURFnetRadboudburcht 273bv P.O. Box 19035 UtrechtTheNL-3501 DA Netherlands Phone: +31 302 305 305Email:EMail: jan.meijer@surfnet.nlMeijer, et al. Expires March 2003 [page 114] Internet Draft draft-ietf-inch-iodef-00.txt Apr 2002Roman Danyliw CERT Coordination Center 4500 Fifth Ave.PittsburghPittsburgh, PA 15213 USA Phone: +1 412 268 7090Email:EMail: rdd@cert.org Yuri DemchenkoTERENA Singel 468 D 1017 AW Amsterdam TheNLnet Labs NetherlandsPhone: +31 205 304 488 Email: demch@terena.nl 14.EMail: demch@chello.nl Meijer, et al. Expires September 29, 2003 [Page 82] Internet-Draft IODEF Data Model and Implementation March 2003 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Full Copyright Statement Copyright (C) The Internet Society(2002).(2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors orassigns.assignees. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION Meijer, et al. Expires September 29, 2003 [Page 83] Internet-Draft IODEF Data Model and Implementation March 2003 HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULARPURPOSE."PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. Meijer, et al. Expires September 29, 2003 [Page 84] ----