view Side-By-Side changes
NetworkINCH Working Group J. MeijerInternet-DraftDraft-ietf-inch-iodef-03.txt SURFnet bv Expires:March 29, 2004May 10, 2005 R. Danyliw CERT Coordination Center Y. Demchenko NLnet LabsSeptember 29, 2003November 9, 2004 The IncidentDataObject Description Exchange Format Data Model and XML Implementationdraft-ietf-inch-iodef-02.txtdraft-ietf-inch-iodef-03.txt Status of this Memo By submitting this Internet-Draft, I certify that any applicable patent or other IPR claims of which I am aware have been disclosed, or will be disclosed, and any of which I become aware will be disclosed, in accordance with RFC 3668. This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed athttp:// www.ietf.org/ietf/1id-abstracts.txt.http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onMarch 29, 2004. Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved.May 10, 2005. Abstract The purpose of the IncidentDataObject Description Exchange Format (IODEF) is to define a dataformatsrepresentation that provides a framework for sharing informationrelated to computer security incidents typicallycommonly exchangedbetween collaboratingby Computer Security Incident Response Teams(CSIRTs).(CSIRTs) about computer security incidents. The IODEF satisfies the requirements specified in RFCXXX [1] This Internet-Draft describes a data model for representingcommonly exchangedincident Meijer, et al. Expires May 10, 2005 [Page 1] Internet-Draft IODEF Data Model and Implementation November 2004 information exported from incident handling systems managed by CSIRTs. An implementation of the data model inMeijer, et al. Expires March 29, 2004 [Page 1] Internet-Draft IODEF Data Model and Implementation September 2003the Extensible Markup Language (XML) is presented, an XML Document Type Definition is developed, and examples are provided. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 About the IODEF Data Model . . . . . . . . . . . . . . . . 41.3.1 Issues with Representing Incident Data1.4 About the IODEF Implementation . . . . . . . . . . . . . . 51.41.5 About theIODEF ImplementationTransport Protocol . . . . . . . . . . . . . . . 61.51.6 Related Work . . . . . . . . . . . . . . . . . . . . . . . 6 2.Notational conventions and formatting issuesFormatting Issues . . . . . . . . . . . . . . . . . . . . . 8 2.1 IODEF XML Documents . . . . . . . . . . . . . . . . . . . 8 2.1.1 The Document Prolog . . . . . . . . . . . . . . . . .. .8 2.1.2Character DataWhite Space Processingin the IODEF. . . . . . . . . . . . . . . . 9 2.1.3 Languages in the IODEF . . . . . . . . . . . . . . . .. . 109 2.2 IODEF Data Types . . . . . . . . . . . . . . . . . . . . .119 2.2.1 Integers . . . . . . . . . . . . . . . . . . . . . . .. . 1110 2.2.2 Real Numbers . . . . . . . . . . . . . . . . . . . . .. . 1110 2.2.3 Characters and Strings . . . . . . . . . . . . . . . .. . 1110 2.2.4 Bytes . . . . . . . . . . . . . . . . . . . . . . . .. . 1210 2.2.5 Enumerated Types . . . . . . . . . . . . . . . . . . .. . 1210 2.2.6 Date-Time Strings . . . . . . . . . . . . . . . . . .. . 1211 2.2.7NTP TimestampsPort Lists . . . . . . . . . . . . . . . . . . . . . .1211 2.2.8Port Lists . . . .Postal Address . . . . . . . . . . . . . . . . . . . .1211 2.2.9Postal Address . . . . . .Person or Organization . . . . . . . . . . . . . . . .1211 2.2.10Person or Organization . . . . .Telephone and Fax Numbers . . . . . . . . . . . . .1311 2.2.11Telephone and Fax Numbers . . . .Email string . . . . . . . . . . . .13 2.2.12 Email string. . . . . . . . 11 2.2.12 Uniform Resource Identifier strings . . . . . . . . 11 2.2.13 Timezone string . . . . . . .13 2.2.13 Uniform Resource Identifier strings. . . . . . . . . . .1312 2.2.14 Unique Identifiers . . . . . . . . . . . . . . . . .. . . 1312 3. The IODEF Data Model . . . . . . . . . . . . . . . . . . .14. 13 3.1 IODEF-Document class . . . . . . . . . . . . . . . . . . .1413 3.2 Incident class . . . . . . . . . . . . . . . . . . . . . .1413 3.3 IncidentID class . . . . . . . . . . . . . . . . . . . . .1716 3.4 AlternativeID class . . . . . . . . . . . . . . . . . . . 17 3.5 RelatedActivity class . . . . . . . . . . . . . . . . . . 18 3.6 AdditionalData . . . . . . . . . . . . . . . . . . . . . .1918 3.7IncidentData . . . . . . . . . . . . . . . . . . . . . . . 20 3.8Contact class . . . . . . . . . . . . . . . . . . . . . .22 3.8.120 3.7.1 RegistryHandle class . . . . . . . . . . . . . . . . .. . 25 3.922 3.8 Time classes . . . . . . . . . . . . . . . . . . . . . . .26 3.9.123 3.8.1 StartTime . . . . . . . . . . . . . . . . . . . . . .. . 26 3.9.223 3.8.2 EndTime . . . . . . . . . . . . . . . . . . . . . . .. . 26 3.9.323 3.8.3 DetectTime . . . . . . . . . . . . . . . . . . . . . .. . 26 3.9.423 3.8.4 ReportTime . . . . . . . . . . . . . . . . . . . . . .. . 27 3.9.5 DateTime . . . . . . . . . . . . . . . . . . . . . . . . . 2723 Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page 2] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 3.10 Expectation classNovember 2004 3.8.5 DateTime . . . . . . . . . . . . . . . . . . . .27 3.11 Method class. . . 23 3.9 Expectation class . . . . . . . . . . . . . . . . . . . .28 3.11.1 Classification23 3.10 Method class . . . . . . . . . . . . . . . . . . .29 3.12 Assessment class . .. . . 25 3.10.1 Classification class . . . . . . . . . . . . . . . .30 3.12.1 Impact26 3.11 Assessment class . . . . . . . . . . . . . . . . . . . .. . . 31 3.12.2 TimeImpact27 3.11.1 Impact class . . . . . . . . . . . . . . . . . . . .. 33 3.12.3 MonetaryImpact28 3.11.2 TimeImpact class . . . . . . . . . . . . . . . . . .. 34 3.12.4 LifeImpact28 3.11.3 MonetaryImpact class . . . . . . . . . . . . . . . .. . . . . 35 3.12.529 3.11.4 Confidence class . . . . . . . . . . . . . . . . . .. . . 36 3.1330 3.12 History class . . . . . . . . . . . . . . . . . . . . .. 38 3.13.130 3.12.1 HistoryItem class . . . . . . . . . . . . . . . . .. . . 38 3.1431 3.13 EventData class . . . . . . . . . . . . . . . . . . . .. 40 3.1533 3.13.1 Relating theIncidentDataIncident and EventData classes . . . .. 42 3.1634 3.13.2 Cardinality of EventData . . . . . . . . . . . . . . 35 3.14 Flow class . . .43 3.17 System class. . . . . . . . . . . . . . . . . . . . 36 3.15 System class . . . .44 3.18 Node class. . . . . . . . . . . . . . . . . . 36 3.16 Node class . . . . . .46 3.18.1 Address. . . . . . . . . . . . . . . . . 38 3.16.1 Counter class . . . . . . . .48 3.18.2 NodeRole class. . . . . . . . . . . 40 3.16.2 Address . . . . . . . . . . .48 3.19 FileList class. . . . . . . . . . . 40 3.16.3 NodeRole class . . . . . . . . . . .50 3.20 User. . . . . . . . 42 3.17 Process class . . . . . . . . . . . . . . . . . . .50 3.21 Process. . 43 3.18 Service class . . . . . . . . . . . . . . . . . . . . . 43 3.19 Record class . .50 3.22 Service. . . . . . . . . . . . . . . . . . . . 44 3.19.1 RecordData class . . . . .50 3.23 Record class. . . . . . . . . . . . . 45 3.19.2 Analyzer class . . . . . . . . . . . . .50 3.23.1 RecordData class. . . . . . 46 3.19.3 RecordItem class . . . . . . . . . . . . . . .51. . . 46 4. Extending the IODEF . . . . . . . . . . . . . . . . . . .55. 48 4.1 Extending the data model . . . . . . . . . . . . . . . . .5548 4.2 Extending the XML DTD . . . . . . . . . . . . . . . . . .5548 5. Processing Considerations . . . . . . . . . . . . . . . .58 5.1 XML Validity and Well-Formedness. 51 6. Internationalization issues . . . . . . . . . . . .58 5.2 Unrecognized Data and XML Tags . . . . . . . . . . . . . . 58 6. Internationalization issues . . . . . .. . . .. . . . . 6052 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . .61. 53 7.1 Code Red detection notification . . . . . . . . . . . . .6153 7.2 IODEF-Document with XML signature . . . . . . . . . . . .6355 7.3 IODEF-Document encrypted using XML encryption . . . . . .6355 7.4 IODEF-Document encrypted and signed using XML signature & encryption . . . . . . . . . . . . . . . . . . . . . . .6355 8. The IODEF Document Type Definition . . . . . . . . . . . .64. 56 9. Security considerations . . . . . . . . . . . . . . . . .78. 67 10. IANA considerations . . . . . . . . . . . . . . . . . . .79. 68 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . .80. 69 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 70 12.1 Normative References . . . . . . . . . . . . . . . . . . .8170 12.2 Informative References . . . . . . . . . . . . . . . . . .8371 Authors' Addresses . . . . . . . . . . . . . . . . . . . .83. 71 Intellectual Property and Copyright Statements . . . . . .84. 72 Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page 3] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 1. Introduction 1.1 Terminology The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [5]. Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [1]. 1.2 Overview The IncidentDataObject Description Exchange Format (IODEF) isintended to beastandardformat for representing computer security information exchangedbybetween Computer Security Incident Response Teams (CSIRTs). It provides a transport representation conforming to the requirements specified in [1], Requirements for Format for Incident Report Exchange. Thedevelopment and subsequent deploymentoverriding purpose ofan incident data format that extends beyond a closed communities would improvethe IODEF is to expand and enhance the operational capabilities oftheCSIRTs.Assuming widespreadCommunity adoption of the IODEFby the community,provides anorganization can potentially benefit from: o the increased ease to collaborate with other CSIRTs, on behalf it its constituency,improved ability to resolveincidents;incidents by simplifying collaboration and data sharing. This structured format provided by the IODEF allows for: o increased automation intheprocessing of incident data, since thecommitmentresources of security analysts to parse free-form textualdocumentdocuments will be reduced; o decreased effort in normalizing similar data (even when highly structured) from different sources; and o a common format on which to buildinter-operableinteroperable tools for incident handling, such as correlation systems that process data from different sites. Terminology, notation, and conventions of the data model and XML DTD are presented in Sections 2. The data model is described in Section 3, and the implementation considerations are covered in Sections 4 through6, and 9.6. Section 7 provides several examples of IODEFdocuments for representative incidents.documents. Section 8 formally specifies the XML DTD implementation of the data model. Sections 9 and 10 address the security and IANA considerations, respectively. 1.3 About the IODEF Data Model The IODEF data model isan object-orienteda data representationofthat provides a framework for sharing informationreported, maintained, andcommonly exchanged bya CSIRTCSIRTs aboutaMeijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page 4] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 computer securityincident. 1.3.1 Issues with Representing Incident Dataincidents. A number of considerations were made in the design of the data model. o TheIODEFintent of the data modeladdresses several problems in representingis to support the automated processing of incident data. Hence, little consideration was made to ensure human-readability. Despite the still prevalent practice of manual incidentdata:report generation, this model is sufficiently complex that it will be unwieldy to create and process without software. oThereThe data model serves as a transport format. Therefore, its specific representation is not the optimal representation for on-disk storage, long-term archiving, or in-memory processing. o Since there is no precise, widely agreed upon definition for anincident. Therefore,incident, the data model does not attempt toimply a definitiondictate one through its implementation. Rather, a broad understanding is assumed that is flexible enough to encompass most of the CSIRT community. oIncident data is inherently heterogeneous. It may encompass many functional purposes such as a description of intruder behavior orDescribing ananalysis process correlating related incidents. An object-oriented model provides extensibility via aggregation and sub-classing while preserving the consistency of theincident for all definitions would require an incredibly complex data model.IfTherefore, the IODEF data modelrequired modification,only intends to be a framework to convey commonly exchanged incident information. However, itis extended with new classes. In implementationsensures thatdo not recognize these extensions, the basic subsetthere are ample mechanisms for extensibility to support organization-specific information, and techniques to reference information kept outside of the explicit datamodel will still be understood.model. o Incidents have alife-cycle, which causes potentially different information or levels oflife-cycle that dictates the exact type, quantity, and detailtoof the data that will be presentdepending on their stage in the cycle. For example,at a given time (e.g., newly reported incidents may only containa short description of the involved parties. Ontheother hand,most rudimentary details, but closed incidentscanmay contain afull description complete with the associated evidence and annotation of actions taken by the CSIRT.detailed analysis). The data modelthat representsdeals with thisinformation must be flexible to accommodate different needs.situation. o Communication and coordination are central to the role of a CSIRT.As a result of this activity, incident information can originate from a number of sources. Tracking the allHence, tracking thesourcessource of all data iskey to managing this information. The data model defines support classes that accommodate the differences between incident reporters. This support includes various meta informationcentral torepresenthandling thereporter's identity as well as prescribe a confidence level toincident. Therefore, thesubmitted information. o Incidentdatamay contain sensitive information. Suchmodel provides ways to explicitly bind informationshould not be exposedtounauthorized parties during collaboration. The data model allows foragranular taggingsource, and accommodates differences in theindividual classes to indication restrictions on the usage of the data. However, it is the roletypes of parties involved in the incidenthandling system implementing the(e.g., varying levels of confidence in information, different datamodel to honor these labels. Meijer, et al. Expires March 29, 2004 [Page 5] Internet-Draft IODEF Data Model and Implementation September 2003sharing arrangements). 1.4 About the IODEF Implementation The IODEF implementation uses the Extensible Markup Language (XML)[2]. XML-based specifications define[2], specifies an XMLDTD or SchemaDocument Type Definition (DTD), andregister a specific XML namespace [3]. The IODEF conforms to the IETF-defined procedure for registeringregisters an application-specificXMLnamespace[9].[3]. For clarity in this document,we will usethe terms "XML" and "XML documents" Meijer, et al. Expires May 10, 2005 [Page 5] Internet-Draft IODEF Data Model and Implementation November 2004 will be used whenspeaking in the general case aboutreferring to the Extensible Markup Language (XML). The terms "IODEF description", "IODEF markup" and "IODEF document" will be used to refer to specific elements (tags) and attributes of the IODEF DTD.Furthermore,Finally, the terms "class" and "subclass"are synonymous towill be used as synonyms for anelement in theXMLDTD.element. Theimplementation ofchoice to implement the IODEF in XMLhas many benefits:was made because it provides: oXML providesall the necessary features to define and extend a specific markup language for describing securityincidents. It also defines a standard way to extend this language, either for later revisions ("standard" extensions), or for organizational-specific use ("non-standard" extensions).incidents; oSoftware toolsa well understood technique forprocessing XML documents are widely available in commercialsupporting internationalization andopen source forms.localization; oXML cana base of related technologies such as XSL [4], XPATH, and XML-SIG that the aid inimplementing internationalization and localization since it is required (and therefore IODEF documents are required) to support boththeUTF-8manipulation andUTF-16 encodingsuse ofISO/IEC 10646 (Universal Multiple-Octet Coded Character Set, "UCS")the incident data; andUnicode.o a broad community of developers who already understand how to build systems around data exchanged in this format. While XMLalsoprovidessupport for specifying, onaper-element basis, theuseful implementation languagein which the element's contentfor IODEF, this implementation also dictates several limitations. o XML iswritten,a text representation making it inherently inefficient either when binary data must be embedded, or very large volumes of data must be exchanged. o The data model is designed as a transport representation, and the use of XML further reinforces the inefficiency of using the IODEFeasy to adaptfor other purposes. Due to thelocal languages in which a CSIRTs operates. ooverhead of the parser, XMLcoupled with XSL [4], a style language, allows IODEF documents to be aggregated, filtered, discarded,is not an optimal in-memory representation. Furthermore, storing, searching, andrearranged. oretrieving native XML documents isfree (no license, license fees or royalties). 1.5 Related Work The IODEFproblematic on a large scale dictating that this format is also a poor choice as a storage and archive format. 1.5 About theIDMEF [7] are complementary formats.Transport Protocol Currently, there is no transport protocol specified for exchanging IODEF documents. Thelatter represents data generated byworking group has realized that this omission is anintrusion detection system. Such event datainpediment to interoperability, and iscommonlyworking on identifying candidate protocols. It is likely that SOAP will be usedby a CSIRTas thebasis for an incident report or investigation which is represented bymessaging envelope, and HTTP will be theIODEF.underlying transport. 1.6 Related Work The IODEF is only one of several security relevant data Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page 6] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 The IODEF data model makes use of certain classes defined in the IDMEF, althoughNovember 2004 representations being standardized. Specifically, thesemantics of somecomplementary nature ofthese classes has changed. Due to their related nature,thedata in an IDMEF message can be easilyIntrusion Detection Message Exchange Format [7] bears mention given that many incidents represented inan IODEF document. Through various extension mechanisms, it is possible to include IDMEF messages outright in anthe IODEFdocument. Alternatively,may have first been discovered through thesimilarity in structureuse of intrusion detection system output formatted according to the IDMEF. Given this relationship, the IODEF data model makesit possible to decomposeuse of certain classes defined in thekeyIDMEF dataand include it in the corresponding IODEF classes. However, this transformation may not preserve the original semantics of the data.model. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page 7] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 2.Notational conventions and formatting issuesFormatting Issues 2.1 IODEF XML Documents This document uses three notations: the Unified Modeling Language (UML) to describe the data model, anExtensible Markup Language (XML)XML Document Type Definition (DTD) to define the IODEF syntax, and IODEF XML markup conforming to the specified DTD to represent the incident data. This section describes the XML notations and conventions used in thismemodocument and explains particular issues related to using them to describe the IODEF data model and syntax. For readers unfamiliar with these notations[19][17] and [7] will provide a comprehensive reference. 2.1.1 The Document Prolog The "prolog" of an XML document, that part that precedes anything else, consists of the XML declaration and the document type declaration. 2.1.1.1 XML Declaration Every IODEF documentstartsMUST begin with an XMLdeclaration. The XML declaration specifiesdeclaration, and MUST specify theversion ofXMLbeingversion used. If UTF-8 encoded is not used,and optionallythe character encodingbeing used (see Section 2.1.2).MUST also be explicitly specified. The XML declarationlooks like:with no character encoding will read as follows: <?xml version="1.0" ?>IODEF documents exchanged between applications MUST begin with anWhen a character encoding is specified, the XML declarationand MUST specifywill read like theXML version in use. Specificationfollowing: <?xml version="1.0" encoding="charset" ?> where "charset" is the name of the character encodingin use is REQUIREDas registered with the Internet Assigned Numbers Authority (IANA), see [9]. Consistent with the XML standard, ifUTF-8no encoding isnot used.specified for an IODEF document, UTF-8 is assumed. IODEF documents encoded in UTF-16 MUST begin with the Byte Order Mark described by ISO/IEC 10646 Annex E and Unicode Appendix B (the "ZERO WIDTH NO-BREAK SPACE" character, #xFEFF). 2.1.1.2 IODEF DTD Formal Public Identifier The formal public identifier (FPI) for the IODEF Document Type Meijer, et al. Expires May 10, 2005 [Page 8] Internet-Draft IODEF Data Model and Implementation November 2004 Definition described in this document is: "-//IETF//DTD RFCxxxx IODEF v0.0//EN" NOTE: The "RFCxxxx" text in the FPI value will be replaced with the actual RFC number when this document is published as an RFC. This FPI MUST be used in the document type declaration within an XML document referencing the IODEF DTDdefined by this document,as shown in Section 2.1.1.3.Meijer, et al. Expires March 29, 2004 [Page 8] Internet-Draft IODEF Data Model and Implementation September 20032.1.1.3 IODEF DTD Document Type Declaration The document type declaration for an XML document referencing the IODEF DTDwillMUST be specifiedineither by referencing thefollowing ways:FPI (see Section 2.1.1.2) as follows: <!DOCTYPE IODEF-Document PUBLIC "-//IETF//DTD RFCxxxx IODEF v0.0//EN">The last component of the document type declaration is the FPI specified in Section 2.1.1.2. <!DOCTYPE IODEF-Document SYSTEM "/path/to/IODEF-Document.dtd"> The last component of the document type declaration isor by providing a URI thatpoints toreferences a copy of theDocument Type Definition.DTD as follows: <!DOCTYPE IODEF-Document SYSTEM "/path/to/IODEF-Document.dtd"> 2.1.2Character DataWhite Space Processingin theAll IODEFA document's XML declaration specifieselements support thecharacter encoding"xml:space" attribute. If "xml:space" is set tobe used"preserve," the IODEF processing application MUST treat all white space in thedocument,element's content asfollows: <?xml version="1.0" encoding="charset" ?> where "charset"significant. If "xml:space" is set to "default," thenameapplication is free to decide on the handling of thecharacter encoding, as registered withwhitepace. 2.1.3 Languages in theInternet Assigned Numbers Authority (IANA), see [9]. The XML standard requiresIODEF For the IODEF elements thatXML processorssupport free-form text, theUTF-8 and UTF-16 encodings of ISO/IEC 10646 (UCS) and Unicode, making all XML applications (and therefore, all IODEF-compliant applications) compatible with these common character encodings. While XML supports other character encodings (e.g., UTF-7, UTF-32), implementers should carefully consider"xml:lang" attribute can be used to identify theportability implicationslanguage ofusing character encodings other than UTF-8 and UTF-16. Consistent with the XML standard, if no encoding is specifiedits contents. The valid language codes foran IODEF document, UTF-8 is assumed. IODEF documents encoded in UTF-16 MUST begin withtheByte Order Mark"xml:lang" attribute are describedby ISO/IEC 10646 Annex E and Unicode Appendix B (the "ZERO WIDTH NO-BREAK SPACE" character, #xFEFF). 2.1.2.1 Character Entity References Within XML documents, certain characters have special meaningsinsome contexts. To includeRFC 3066 [6]. IODEF messages SHOULD specify theactual character itselflanguage inone of these contexts, a special escape sequence, called an entity reference, mustwhich their contents are encoded. In general, the language can beused. The charactersspecified with the "xml:lang" attribute in the top-level element and letting all other elements "inherit" thatsometimes need todefinition. If no language is specified, English SHOULD beescaped, and their entityassumed. 2.2 IODEF Data Types The IODEF data model defines a number of data types. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page 9] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 references, are: Character Entity Reference --------------------------------- & & < < > > " " ' ' Figure 1 It is RECOMMENDED that IODEF-compliant applications use the entity reference form whenever writing these characters in data, to avoid any possibility of misinterpretation. 2.1.2.2 Character Code References Any character definedNovember 2004 2.2.1 Integers Integer attributes are represented by theISO/IEC 10646 and Unicode standards mayINTEGER data type. Integer data MUST beincludedencoded inan XML document by the use of a character reference. A character reference is started withBase 10 or Base 16. Base 10 integer encoding uses thecharacters '&' and '#', and ended with the character ';'. Between these characters, the character code for the character inserted. If the character code is preceded by an 'x' it is interpreted in hexadecimal (base 16), otherwise, it is interpreted in decimal (base 10). For instance, the ampersand (&) is encoded as & or & and the less-than sign (<) is encoded as < or <. Any one-, two-, or four-byte character specified in the ISO/IEC 10646 and Unicode standards can be included in a document using this technique. 2.1.2.3 White Space Processing All IODEF elements support the "xml:space" attribute. If "xml:space" is set to "preserve," the IODEF processing application MUST treat all white space in the element's content as significant. If "xml:space" is "default," the application is free to do whatever it normally would with white space in the element's content. 2.1.3 Languages in the IODEF All IODEF tags support the "xml:lang" attribute thereby allowing each element to identify the language in which its content is. The valid language code for the "xml:lang" attribute are described in RFC 3066 [6]. Meijer, et al. Expires March 29, 2004 [Page 10] Internet-Draft IODEF Data Model and Implementation September 2003 IODEF messages SHOULD specify the language in which their contents are encoded. In general, the language can be specified with the "xml:lang" attribute in the top-level element and letting all other elements "inherit" that definition. If no language is specified in an IODEF document, English SHOULD be assumed. 2.2 IODEF Data Types 2.2.1 Integers Integer attributes are represented by the INTEGER data type. Integer data MUST be encoded in Base 10 or Base 16. Base 10 integer encoding uses the digits '0' through '9'digits '0' through '9' and an optional sign ('+' or '-'). For example, "123", "-456". Base 16 integer encoding uses the digits '0' through '9' and 'a' through 'f' (or their upper case equivalents), and is preceded by the characters "0x". For example, "0x1a2b". 2.2.2 Real Numbers Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10. Real encoding is that of the POSIX "strtod" library function: an optional sign ('+' or '-') followed by a non-empty string of decimal digits, optionally containing a radix character, then an optional exponent part. An exponent part consists of an 'e' or 'E', followed by an optional sign, followed by one or more decimal digits. For example, "123.45e02", "-567,89e-03". IODEF-compliant applications MUST support both the '.' and ',' radix characters. 2.2.3 Characters and Strings Single-character attributes are represented by the CHARACTER data type. Multi-character attributes of known length are represented by the STRING data type. Character and string data have no special formatting requirements, other than the need to occasionally use character references(see Section 2.1.2.1 and Section 2.1.2.2)to represent special characters.Meijer, et al. Expires March 29, 2004 [Page 11] Internet-Draft IODEF Data Model and Implementation September 20032.2.4 Bytes Binary data is represented by the BYTE (and BYTE[]) data type. Binary data MUST be encoded in its entirety using character code references (see ). 2.2.5 Enumerated Types Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values. Each value has a Meijer, et al. Expires May 10, 2005 [Page 10] Internet-Draft IODEF Data Model and Implementation November 2004 representative keyword. Within an IODEFdocument,DTD, the enumerated type keywords are used as attributevaluesvalues. 2.2.6 Date-Time Strings Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported. Date-time strings are formatted according to a subset of ISO 8601:2000[15][13] documented in RFC 3339[14].[12]. 2.2.7NTP Timestamps NTP timestamps are represented by the NTPSTAMP data type, and are described in detail in RFC 1305 [10] and RFC 2030 [11]. An NTP timestamp is a 64-bit unsigned fixed-point number. The integer part is in the first 32 bits, and the fraction part is in the last 32 bits. IODEF documents MUST encode NTP timestamps as two 32-bit hexadecimal values, separated by a period ('.'). For example, "0x12345678.0x87654321". 2.2.8Port Lists A list of network ports are represented by the PORTLIST data type, and consist of a comma-separated list of numbers (individual integers) and ranges (N-M means ports N through M, inclusive). Any combination of numbers and ranges may be used in a single list. For example, "5-25,37,42,43,53,69-119,123-514".2.2.92.2.8 Postal Address A postal address is represented by the POSTAL data type. The format of this address data isthedocumented in Sections 5.17 - 5.19 of RFC 2256[12]. Meijer, et al. Expires March 29, 2004 [Page 12] Internet-Draft IODEF Data Model and Implementation September 2003 2.2.10[10]. 2.2.9 Person or Organization The name of an individual or organization is represented by the NAME data type. The format of the NAME data type is documented in Section 5.4 of RFC 2256[12]. 2.2.11[10]. 2.2.10 Telephone and Fax Numbers A telephone number is represented by the PHONE data type. The format of the PHONE data type is documented in Section 5.21 of RFC 2256[12]. 2.2.12[10]. 2.2.11 Email string An email address is represented by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 RFC 2822[13] 2.2.13[11] 2.2.12 Uniform Resource Identifier strings A uniform resource identifier (URI) is represented by the URI data type. The format of the URI data type is documented in RFC 2396 [8]. Meijer, et al. Expires May 10, 2005 [Page 11] Internet-Draft IODEF Data Model and Implementation November 2004 2.2.13 Timezone string A timezone is represented by the TIMEZONE data type. Its format is yet to be specified. 2.2.14 Unique Identifiers A unique identifier in the context of particular creator of IODEF documents (e.g., a CSIRT) is represented by the UID data type. A globally unique identifier is represented by the GUID data type. The UID and GUID data types are constructed from alphanumeric strings. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page13]12] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 3. The IODEF Data Model In this section, the individual components of the IODEF data model will be discussed in detail. For each class, the semanticswithwill be documented and the relationshipbetweenwith other classes with bepresenteddepicted withan UML diagram.UML. 3.1 IODEF-Document class The IODEF-Document class is the top level class in the IODEF datamodel and the DTD.model. All IODEF documents areinstancesan instance ofthe IODEF-Documentthis class. +-----------------+ | IODEF-Document | +-----------------+ | STRING version |<>--{1..*}--[ Incident ] | | +-----------------+ Figure2:1: IODEF-Document class The aggregate class that constitutes IODEF-Document is: IncidentOne.One or more. TheIncident class contains all the incident-related information.information related to a single incident. The IODEF-Document class has one attribute: version Required. STRING. Theversion of theIODEF specification version number to which the IODEF document conforms. The value of this attribute MUST be 1.0 3.2 Incident classIn each exchange ofEvery incidentrelated data this datais represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data and associates a CSIRT assigned unique identifier with the described activity. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page14]13] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 +-------------------+ | Incident | +-------------------+ | ENUM purpose |<>----------[ IncidentID ] | ENUM restriction |<>--{0..1}--[ AlternativeID ] | |<>--{0..1}--[ RelatedActivity ] | |<>--{0..*}--[ Description ] | |<>--{1..*}--[ Assessment ] | |<>--{0..*}--[ Method ] | |<>--{0..1}--[AlternativeIDDetectTime ] | |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ EndTime ] | |<>----------[IncidentDataReportTime ] | |<>--{1..*}--[ Contact ] | |<>--{0..*}--[ Expectation ] | |<>--{0..1}--[RelatedActivityHistory ] |||<>--{0..*}--[ EventData ] | |<>--{0..*}--[ AdditionalData ] +-------------------+ Figure3:2: the Incident class The aggregate classes that constitute Incident are: IncidentID One. An incident tracking number assigned to this incident by thepartyCSIRT that generated the IODEF document. AlternativeID Zero or one. A list of incident tracking numbers used by other CSIRTs to refer tosame activity asthe incident described in the document. RelatedActivity Zero or one. A list of incident tracking numbersreferencingof related incidents.IncidentDataDescription Zero or more.The event(s) that constitute the incident about whichSTRING. A free-form textual description of theIODEF-Document conveys information. AdditionalDataincident. Assessment One or more. A characterization of the impact of the incident. Method Zero or more.Extension areaThe techniques used by the intruder in the incident. Meijer, et al. Expires May 10, 2005 [Page 14] Internet-Draft IODEF Data Model and Implementation November 2004 DetectTime Zero or one. The time the incident was first detected. StartTime Zero or one. The time the incident started. EndTime Zero or one. The time the incident ended. ReportTime One. The time the incident was reported. Contact One or more. Contact information fordata that cannotthe parties involved in the incident. Expectation Zero or more. Expected action to berepresented anywhere else.performed by the recipient of the document. History Zero or one. A log of significant events or actions that occurred during the course of handling the incident. EventData Zero or more. Description of the events comprising the incident, AdditionalData Zero or more. Mechanism by which to extend the data model. The Incident class has two attributes: purpose Required. ENUM. The purposeofattribute represents theIODEF-Document.reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.9). This attribute is defined as an enumerated list: 1. handling. TheIODEF-Documentdocument was sent for incident-handling purposes; 2. statistics. TheIODEF-Documentdocument was sent to be included in aMeijer, et al. Expires March 29, 2004 [Page 15] Internet-Draft IODEF Data Model and Implementation September 2003data-repository for statistical purposes; 3. warning. TheIODEF-Documentdocument was sent as a warning; 4. other. TheIODEF-Documentdocument was sent for purposes specified in the Expectation element. Meijer, et al. Expires May 10, 2005 [Page 15] Internet-Draft IODEF Data Model and Implementation November 2004 restriction Optional. ENUM. This attribute indicates the disclosure guidelines to which the sender expects the recipient of the IODEF-Document to adhere.However,Naturally, this provides no real security since it is the choice of the recipient of the document to honor this guideline. The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class, also apply to its children. It is possible to set a granular disclosure policy, since all of the high-level classes (i.e., children of the Incident class) have a restriction attribute. Therefore, a child can override the guidelines of a parent class, be it totightenrestrict or relax the disclosure rules (i.e., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value. This attribute is defined as an enumerated value with a default value of "private".Note:Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute isusedused, no default is specified. 1. public. Thereisare norestriction level applied torestrictions placed in the information; 2. need-to-know. The information may be shared with other parties that are involved in the incident (e.g., multiple victim sites can be informed of each other); 3. private. The information may not be shared. 4. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.Meijer, et al. Expires March 29, 2004 [Page 16] Internet-Draft IODEF Data Model and Implementation September 20033.3 IncidentID class The IncidentID class represents an incident tracking number (UID) that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF-Document. Meijer, et al. Expires May 10, 2005 [Page 16] Internet-Draft IODEF Data Model and Implementation November 2004 +------------------+ | IncidentID | +------------------+ | UID | | | | GUID name | +------------------+ Figure4:3: the IncidentID class The IncidentID class has one attribute: name Required. GUID. An identifier for the CSIRT that created the IODEF-Document.An implementation strategy for the GUID name attribute would be to use global or regional CSIRT registries such as FIRST or the European Trusted Introducer.3.4 AlternativeID class The AlternativeID classreferenceslists the incident tracking numbersor unique identifiersused by otherentities (e.g., CSIRTs)CSIRTs to refer to activityidentical to that characterizeddescribed in thisIODEF-Document.IODEF document. Thus, a trackingnumbersnumber listed as an AlternativeIDarereferences the sameeventsincident detected by anotherCSIRT, but seem from a different perspective. It follows, theCSIRT. The incident tracking numbers of theorganizationCSIRT that generated theIODEF-DocumentIODEF document should never be considered an AlternativeID.If the incident is not the identical activity, but is related (e.g., same methodology or intruder), then its incident tracking number should instead be represented in the RelatedActivity (Section 3.5) class. Meijer, et al. Expires March 29, 2004 [Page 17] Internet-Draft IODEF Data Model and Implementation September 2003+------------------+ | AlternativeID | +------------------+ | ENUM restriction |<>--{1..*}--[ IncidentID ] | | +------------------+ Figure5:4: the AlternativeID class The aggregateclassesclass thatconstituteconstitutes AlternativeIDare:is: IncidentID One or more.Unique identifiers assigned byThe incident tracking number of anotherentity for the identical activity characterized in the IODEF-Document.CSIRT. The AlternativeID class has one attribute: restriction Optional. ENUM. This attribute has been defined in Section 3.2. Meijer, et al. Expires May 10, 2005 [Page 17] Internet-Draft IODEF Data Model and Implementation November 2004 3.5 RelatedActivity class The RelatedActivity classreferenceslists the incident tracking numbersor unique identifiersof incidents that are related to the one described in the IODEF document. These references may be to local incident tracking numbers, as well as, to those of other CSIRTs. The specifics of how a CSIRT came to believe that two incidents are related is considered out of scope. +------------------+ | RelatedActivity | +------------------+ | ENUM restriction |<>--{1..*}--[ IncidentID ] | | +------------------+ Figure6:5: RelatedActivity class The aggregateclassesclass thatconstituteconstitutes RelatedActivityare:is: IncidentID One or more.Unique identifiers assigned by the CSIRT.The incident tracking number of a related incident. The RelatedActivity class has one attribute:Meijer, et al. Expires March 29, 2004 [Page 18] Internet-Draft IODEF Data Model and Implementation September 2003restriction Optional. ENUM. This attribute has been defined in Section 3.2. 3.6 AdditionalData The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data(integers, strings, etc.)types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model and the DTD to support proprietary extensions by encapsulating entire XML documents conforming to another DTD (e.g., IDMEF). A detailed discussion for extending the data model and the DTD can be found in Section 4. Unlike XML, which is self-describing, atomic data musttypicallybe documented to convey its meaning. This information is described in the 'meaning' attribute. Since these description are outside the scope of the specification, some additional coordination may be required to ensure that a recipient of a document using the AdditionalData classes can make sense of the custom extensions. Meijer, et al. Expires May 10, 2005 [Page 18] Internet-Draft IODEF Data Model and Implementation November 2004 +------------------+ | AdditionalData | +------------------+ | ANY | | | | ENUM restriction | | ENUM type | | STRING meaning | +------------------+ Figure7:6: the AdditionalData class The AdditionalData class has three attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. type Required. ENUM. The data type of the element content. The permitted values for this attribute are shown below. The default value is "string". 1. boolean. The element contains a boolean value, i.e., the strings "true" or "false"Meijer, et al. Expires March 29, 2004 [Page 19] Internet-Draft IODEF Data Model and Implementation September 20032. byte. The element content is a single 8-bit byte (see Section 2.2.4); 3. character. The element content is a single character (see Section 2.2.3); 4. date-time. The element content is a date-time string (see Section 2.2.6); 5. integer. The element content is an integer (see Section 2.2.1); 6.ntpstamp. The element content is a NTP timestamp (see Section 2.2.7); 7.portlist. The element content is a port list (see Section2.2.8); 8.2.2.7); 7. real. The element content is a real number (see Section 2.2.2);9.8. string. The element content is a string (see Section 2.2.3);10.9. xml. The element content is XML-tagged data (see Section 4). Meijer, et al. Expires May 10, 2005 [Page 19] Internet-Draft IODEF Data Model and Implementation November 2004 meaning Optional. STRING. A description of the semantics of the custom data in this class. 3.7IncidentDataContact class TheIncidentDataContact classsummarizesdescribes contact information for organizations and personnel involved in thedetailsincident. This class allows for the naming of theincident activity and a CSIRT's handling ofinvolved party, specifying contact information for them, and identifying their role in theinformation,incident. People and organizations are treated interchangeably aswell as, groupscontacts; one can be associated with thesecurity events that constituteother using theincident. Manyrecursive definition of the class (the Contact class is aggregatedclasses of IncidentData are also found in EventData, albeit with different occurrence indicators. However,into thesemantics of these classes is quite different.Contact class). Theclasses of IncidentData reflect information relevant across the entire incident, while'type' attribute disambiguates theclassestype ofEventData providecontact informationonly relevant to the given event or system nodebeingdescribed. The relationship between the IncidentData and EventData classes is complementary. The latter provides summary information, while the formerprovided. This recursive definition providesmore specific details. For example, the overall impact ofa way to relate information without requiring theincident (represented in IncidentData) might be denialexplicit use ofservice, but it might be worth mentioning that there were specific machines (representedidentifiers inEventData) which also suffered a root compromise. In Meijer, et al. Expires March 29, 2004 [Page 20] Internet-Draft IODEF Data Model and Implementation September 2003 anotherthe classes. For example,an organizationalseperate contactcan be provided in IncidentData class, while more specific contactsinformation for two individuals from theindividual hosts can be in the EventData class. IncidentData also ensures that certain mandatory information will be present insame organization would not require duplicating thedata model.organization information. +------------------+ |IncidentDataContact | +------------------+ | ENUM restriction|<>--{0..*}--[ Description|<>--{0..1}--[ name ] || | |<>--{1..*}--[ AssessmentENUM role |<>--{0..*}--[ Description ] || |ENUM type |<>--{0..*}--[MethodRegistryHandle ] || ||<>--{0..1}--[DetectTimePostalAddress ] || | |<>--{0..1}--[ StartTime|<>--{0..*}--[ Email ] || | |<>--{0..1}--[ EndTime|<>--{0..*}--[ Telephone ] || | |<>----------[ ReportTime|<>--{0..1}--[ Fax ] || | |<>--{1..*}--[ Contact|<>--{0..1}--[ Timezone ] || ||<>--{0..*}--[Expectation ] | | | |<>--{0..1}--[ History ] | | | |<>--{0..*}--[ EventData ] | | | |<>--{0..*}--[ AdditionalDataContact ] +------------------+ Figure8:7: theIncidentDataContact class The aggregate classes that constituteIncidentDatathe Contact class are:Descriptionname Zero ormore. STRING. A free-form textual descriptionone. NAME. The name of theincident activity Assessment Onecontact. The contact may either be an organization ormore. A characterization of the impacta person. The type attribute disambiguates theincident activity.semantics. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page21]20] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 MethodNovember 2004 Description Zero ormore. The techniques (e.g., tools, vulnerabilities) used byone. STRING. Free-form description of theintruder. DetectTimethis contact. In the case of a person, this is often the organizational title of the individual. RegistryHandle Zero orone. The time the incident activity was first detected. StartTimemany. A handle name in a registry. PostalAddress Zero or one. POSTAL. Thetimepostal address of theincident activity started. EndTimecontact formatted according to Section 2.2.8. Email Zero orone. The time the incident activity ended. ReportTime One.many. EMAIL. Thetime the incident activity was reported. Contact One or more. Contact information for the parties involved inemail address of theincident. Expectationcontact formatted according to Section 2.2.11. Telephone Zero ormore. Expected action to be performed by the recipientmany. PHONE. The telephone number of thedocument. Historycontact formatted according to Section 2.2.10. Fax Zero or one.Documents significant events or actions that occurred during the coursePHONE. The facsimile telephone number ofhandlingtheincident. EventDatacontact formatted according to Section 2.2.10. Timezone Zero ormore. Details on the Data onone. TIMEZONE. The timezone in which the(security) events that leadcontact resides formatted according tothe incident. AdditionalDataSection 2.2.13. Contact Zero ormore. An area to extendmany. Recursive definition of Contact allowing for thedata model with information that can not be represented elsewhere. The IncidentDatagrouping of information. The Contact class hasone attribute:three attributes: restriction Optional. ENUM. This attribute is defined in Section 3.2.3.8 Contact class The Contact class describes contact information for organizations and personnel involved inrole Required. ENUM. Indicates theincident.role the contact fulfills. Thisclass encapsulates namingattribute is defined as an enumerated list: 1. creator. The entity that generate theinvolved party, specifyingIODEF document. 2. admin. An administrative contactinformation to reach them, and identifying their rolefor a host or network. 3. tech. A technical contact for a host or network. 4. irt. The CSIRT involved in handling the incident. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page22]21] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 People and organizations are treated interchangeably as contacts; one canNovember 2004 5. cc. An entity that is to beassociated with the other usingkept informed about therecursive definitionhandling of theclass. The 'type' attribute determinesincident. type Required. ENUM. Indicates the type of contactinformationbeingprovided. The recursive definition of thisdescribed. This attribute is defined as an enumerated list: 1. person. 2. organization. 3.7.1 RegistryHandle class(the ContactThe RegistryHandle classis aggregated into the Contact class) providesrepresents awayhandle torelate information without requiring the explicit usean Internet registry or community-specific database. A handle consists ofidentifiersa name specified in theclasses. When grouping people into organizations it is RECOMMENDEDelement content, and the database tonestwhich it belongs specified in thepersons instances into an organization instance of this class.type attribute. +------------------+ |ContactRegistryHandle | +------------------+ |ENUM restriction |<>--{0..1}--[ name ]STRING | |ENUM role| | ENUM type|<>--{0..*}--[ Description ] ||| |<>--{0..*}--[+------------------+ Figure 8: The RegistryHandle] | | | |<>--{0..1}--[ PostalAddress ] | | | |<>--{0..*}--[ Email ] | | | |<>--{0..*}--[ Telephone ] | | | |<>--{0..1}--[ Fax ] | | | |<>--{0..1}--[ Timezone ] | | | |<>--{0..*}--[ Contact ] +------------------+ Figure 9: the Contactclass Theaggregate classes that constitute the ContactRegistryHandle classare: name Zero or one. NAME.has one attribute: type Required. ENUM. Thename ofdatabase to which thecontact. The contact may either be an organization or a person.handle belongs. Thetype attribute dictates the semantics (organization or person). Description Zero or one. STRING. Free-form description of the this contact. In the case of a person, thisdefault value isoften the organizational title of'local'. The possible values are: 1. internic. Internet Network Information Center 2. apnic. Asia Pacific Network Information Center 3. arin. American Registry for Internet Numbers 4. lacnic. Regional Latin-American and Caribbean IP Address Registry 5. ripe. Reseaux IP Europeens 6. local. A database local to theindividual.CSIRT. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page23]22] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 RegistryHandle Zero or many.November 2004 3.8 Time classes Thehandle name in a registry. Care must be takendata model uses five different classes toensure thatrepresent ahandletimestamp. Their definition ismeaningfulidentical, but each has a distinct name tothe recipient. Intra-organizational handles are of not much use for extra-organizational communication. PostalAddress Zero or one. POSTAL.convey a difference in semantics. Thepostal addresselement content ofthe contact formattedeach class is a timestamp formated according to the DATETIME data type (see Section2.2.9. Email Zero or many. EMAIL.2.2.6). +----------------------------------+ | {Start| End| Report| Detect}Time | +----------------------------------+ | DATETIME | +----------------------------------+ Figure 9: the Time classes 3.8.1 StartTime Theemail address ofStartTime class represents thecontact formatted according to Section 2.2.12. Telephone Zero or many. PHONE.time the incident began. 3.8.2 EndTime Thetelephone number ofEndTime class represents thecontact formatted according to . Fax Zero or one. PHONE. The facsimile telephone number oftime thecontact formatted according to . Timezone Zero or one. STRING.incident ended. 3.8.3 DetectTime Thetimezone in whichDetectTime class represents thecontact resides. Contact Zero or many. Recursive definition of Contact, allowing for grouping of data. An exampletime the first activity ofthis is an organization with multiple contact persons.the incident was detected. 3.8.4 ReportTime TheContactReportTime classhas three attributes: restriction Optional. ENUM. This attribute is defined in Section 3.2. role Required. ENUM. Indicatesrepresents theroletime theContact fulfills.incident was reported. Thisattribute is defined as an enumerated list: 1. creator. The entity that generatetimestamp SHOULD coincide to the time at which the IODEFdocument. 2. admin. An administrative contact fordocument is generated. 3.8.5 DateTime The DateTime class is ahost or network. 3. tech. A technical contact forgeneric representation of ahost or network. 4. irt. The CSIRT involved in handlingtimestamp. Its semantics should be inferred from theincident. 5. cc. An entity thatparent class into which it is aggregated. 3.9 Expectation class The Expectation class conveys tobe kept informed aboutthe recipient of the IODEF document the actions the sender is requesting. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page24]23] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 handling of the incident. type Required. ENUM. Indicates the type ofNovember 2004 +------------------+ | Expectation | +------------------+ | ENUM restriction |<>--{1..*}--[ Description ] | ENUM priority |<>--{0..1}--[ StartTime ] | ENUM category |<>--{0..1}--[ EndTime ] | |<>--{0..1}--[ Contactbeing provided. This attribute is defined as an enumerated list: 1. person. 2. organization. 3.8.1 RegistryHandle] +------------------+ Figure 10: the Expectation class TheRegistryHandle class represents a handle to an Internet registryaggregate classes that constitute Expectation are: Description One orcommunity-specific database.many. STRING. Ahandle consistsfree-form description ofa namethe desired action(s). StartTime Zero or one. The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this elementcontent, andleaves thedatabaseexecution of the expectation to the discretion of the recipient. EndTime Zero or one. The time by whichit belongs specified inthetype attribute. +------------------+ | RegistryHandle | +------------------+ | STRING | | | | ENUM type | +------------------+ Figure 10:action should be completed. If the action is not carried out by this time, it should no longer be performed. Contact Zero or one. TheRegistryHandle classexpected actor for the action. TheRegistryHandleExpectations class hasone attribute: type Required.three attributes: restriction Optional. ENUM.The database to whichThis attribute is defined in Section 3.2. priority Optional. ENUM. Indicates thehandle belongs. The default valuedesired priority of the action. This attribute is'local'. The possible values are:an enumerated list with no default value. 1.internic. Internet Network Information Centerlow. Low priority 2.apnic. Asia Pacific Network Information Centermedium. Medium priority 3.arin. American Registry for Internet Numbers 4. lacnic. Regional Latin-American and Caribbean IP Address Registry 5. ripe. Reseaux IP Europeens 6. ti. TERNEA Trusted Introducerhigh. High priority Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page25]24] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 7. local. A database local toNovember 2004 category Optional. ENUM. Classifies theCSIRT. 3.9 Time classes The data model uses for different classes to represent a timestamp. Their definitiontype of action requested. This attribute isidentical, but eachan enumerated list with no default value. 1. nothing. No action isnamed differently to convey a semantic difference. The element contentrequested. Do nothing with the information. 2. contact-site. Contact the listed site in the recipient's constituency. 3. contact-me. Contact the originator ofeach class is a timestamp formated according totheDATETIME data type (see Section 2.2.6). +----------------------------------+ | {Start| End| Report| Detect}Time | +----------------------------------+ | DATETIME | | | | NTPSTAMP ntpstamp | +----------------------------------+ Figure 11:document. 4. investigate. Investigate theTime classes The Time classes have one attribute: ntpstamp Optional. NTPTIMESTAMP. The NTP timestamp representingmachine(s) listed in thetimestampdocument. 5. block. Block traffic from the machine(s) listed in theelement content. The NTPSTAMP format of this attribute's value isdocument. 6. other. Perform some custom action described inSection 2.2.7.the Description class. 3.10 Method class Theuse ofMethod class describes thentpstamp attribute is optional since it is redundant. However, it has been maintainedmethodology used by the intruder toensure compatibility withperpetrate theIDMEF [7]. Representing a timestamp in bothevents of theelement content and attribute is NOT RECOMMENDED. However, if both are used, their values MUST be identical. 3.9.1 StartTime The StartTimeincident. This classrepresents timestamp forcan reference well-known vulnerability or exploit databases; the intruder tools used in thestartattack; and provide a free-form description ofanthe activity.3.9.2 EndTime+------------------+ | Method | +------------------+ | ENUM restriction |<>--{0..*}--[ Classification ] | | | |<>--{0..*}--[ Description ] +------------------+ Figure 11: TheEndTimeMethod classrepresents the timestamp for the endThe Method class is composed ofan activity. 3.9.3 DetectTimetwo aggregate classes. Classification Zero or many. A reference to a well-known vulnerability or exploit databases. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page26]25] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 The DetectTime class represents the timestampNovember 2004 Description Zero or many. STRING. A free-form text description ofwhen an activity was first detected. 3.9.4 ReportTime The ReportTime class representsthetimestamp of when a detected activity was reported. 3.9.5 DateTime The DateTime class is a generic representation of a timestamp. Its semantics should be inferred frommethodology used by theparentintruder. The Method classinto which ithas one attribute: restriction Optional. ENUM. This attribute isaggregated. 3.10 Expectationdefined in Section 3.2. 3.10.1 Classification class TheExpectationClassification classconveysis a reference tothe recipientan external database of computer vulnerabilities, exposures, or viruses. A reference consists of theIODEF documentdatabase name, theactionsentry name in thesender is requesting.database, and the URI to this entry. +------------------+ |ExpectationClassification | +------------------+ | ENUM restriction|<>--{1..*}--[ Description|<>----------[ name ] | ENUMpriority | | ENUM category |<>--{0..1}--[ StartTime ] | | | |<>--{0..1}--[ EndTime ] | | |origin |<>--{0..1}--[Contacturl ] +------------------+ Figure 12:the ExpectationThe Classification class The aggregate classes that constituteExpectation are: Description One or many.Classification: name One. STRING.A free-form description ofThe key into thedesired action(s). StartTimedatabase specified in the origin attribute. url Zero orone. The time at which the action should be performed.One. URI. Atimestamp that is earlier thanURL to additional information about theReportTime specified invulnerability or exposure referenced by theIncidentDataname. The Classification classdenotes that the expectation should be fulfilled as soon as possible.has two attribute: restriction Optional. ENUM. This attribute is defined in Section 3.2. origin Required. ENUM. Theabsence of this element leaves the executionname of theexpectationdatabase to which thediscretion of the recipient. Meijer, et al. Expires March 29, 2004reference is being made. The permitted values are shown below. 1. bugtraqid. Bugtraq 2. cve. Mitre Common Vulnerabilities or Exposures Meijer, et al. Expires May 10, 2005 [Page27]26] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 EndTime Zero or one. The time by which the action should be completed. If the action is not carried out by this time, itNovember 2004 3. certcc. CERT Coordination Center Vulnerability Catalog 4. vendor. A product vendor whose name shouldno longer be performed. Contact Zero or one. The expected actor for the action. The 'role' attribute of the Contact MUSTbeset to "actor". The Expectations class has three attributes: restriction Optional. ENUM. This attribute is definedspecified inSection 3.2. priority Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value. 1. low. Low priority 2. medium. Medium priority 3. high. High priority category Optional. ENUM. Classifiesthetype of action requested. This attribute is an enumerated list with no default value. 1. nothing. No actionname class 5. local. A local database. 6. other. A custom database whose URL isrequested. Do nothing with the information. 2. contact-site. Contact the listed sitespecified in therecipient's constituency. 3. contact-me. Contacturl class, and theoriginatorname of thedocument. 4. block. Block or investigate machines listed in the documententry is specified in therecipient's constituency.name class. 3.11MethodAssessment class TheMethodAssessment classprovides information aboutdescribes themethodology used bytechnical and non-technical repercussions of theintruder to perpetrateincident on theeventsCSIRT's constituency. Note: The IODEF definition of theincident. ThisAssessment classcan reference well-known vulnerability or exploit databases, list the intruder tools used inreuses theattack, and provide for a free-form descriptionIDMEF definition (see Section 4.2.4.5 ofthe activity. Meijer, et al. Expires March 29, 2004 [Page 28] Internet-Draft IODEF Data Model and Implementation September 2003[7]), but also extends it. +------------------+ |MethodAssessment | +------------------+ | ENUM restriction |<>--{0..*}--[ClassificationImpact ] |||<>--{0..*}--[ TimeImpact ] | |<>--{0..*}--[DescriptionMonetaryImpact ] | |<>--{0..1}--[ Confidence ] +------------------+ Figure 13:The MethodAssessment class TheMethod class is composed of twoaggregateclasses. Classificationclasses that constitute Assessment are: Impact Zero or many.A reference toTechnical impact of the incident on awell-known vulnerabilitynetwork. TimeImpact Zero orexploit databases. Descriptionmany. Impact of the activity measured with respect to time. MonetaryImpact Zero or many.STRING A free-form text descriptionImpact of themethodology usedactivity measured with respect to financial loss. Confidence Zero or one. An estimate of confidence in theincident.assessment. Meijer, et al. Expires May 10, 2005 [Page 27] Internet-Draft IODEF Data Model and Implementation November 2004 TheMethodAssessment class has one attribute: restriction Optional. ENUM. This attribute is defined in Section 3.2. 3.11.1ClassificationImpact class TheClassificationImpact classis a reference to an external databaseallows for categorizing and describing the technical impact ofcomputer vulnerabilities, exposures, or viruses. A reference consiststhe incident on the network of an organization. Note: The IODEF definition of thedatabase name,Impact class reuses theentry inIDMEF definition (see Section 4.2.6.1 of [7]). 3.11.2 TimeImpact class The TimeImpact class describes thedatabase, andimpact of theURIincident on an organization as a function of time. It provides a way tothis entry.convey down time and recovery time. +------------------+ |ClassificationTimeImpact | +------------------+ | REAL | | | | ENUMrestriction |<>----------[ name ]severity | | ENUMoriginmetric | ||<>----------[ url ]ENUM units | +------------------+ Figure 14:The ClassificationTimeImpact class Theaggregate classes that constitute Classification: name One. STRING. The name of the reference to the database specified in the origin attribute.element content will be a numeric value (REAL) specifying a unit of time. The unit and metric attributes will imply the semantics of the element content. The TimeImpact class has three attributes: severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page29]28] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 url One. URI. A URL to additional information aboutNovember 2004 3. high. High severity metric Required. ENUM. Defines thevulnerability or exposure referenced bymetric in which thename. The Classification class has two attribute: restriction Optional. ENUM. This attributetime isdefined in Section 3.2. origin Required. ENUM.expressed. Thenamepermitted values are shown below. There is no default value. 1. labor. Total staff-time to recovery from the activity (e.g., 2 employees working 4 hours each would be 8 hours) 2. elapsed. Elapsed time from the beginning of thedatabaserecovery to its completion. 3. downtime. Duration of time for which some provided service(s) was not available. units Required. ENUM. Defines thereferenceunits in which the element content isbeing made.expressed. The permitted values are shown below. The default value is "hours". 1.bugtraqid. Bugtraqseconds. Seconds. 2.cve. Common Vulnerabilities or Exposuresminutes. Minutes. 3.certcc. CERT Coordination Center Vulnerability Cataloghours. Hours. 4.vendor. A product vendor whose name should be specified in the name class 5. local. A local database. 6. other. 3.12 Assessmentdays. Days. 3.11.3 MonetaryImpact class TheAssessmentMonetaryImpact class describes thetechnical and non-technical repercussionsfinancial impact of theincident activity. Note: The IODEF definitionactivity on an organization. For example, this impact may consider losses due to the cost of theAssessment class reuses the IDMEF definition (see Section 4.2.4.5investigation or recovery, diminished productivity of[7]), but also extends it.the staff, or a tarnished reputation that will affect future opportunities. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page30]29] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 +------------------+ |AssessmentMonetaryImpact | +------------------+ |ENUM restriction |<>--{0..*}--[ Impact ] | | | |<>--{0..*}--[ TimeImpact ] | |REAL ||<>--{0..*}--[ MonetaryImpact ]| | ||<>--{0..*}--[ LifeImpact ]ENUM severity | | STRING currency ||<>--{0..1}--[ Confidence ]+------------------+ Figure 15:AssessmentMonetaryImpact class Theaggregate classes that constitute Assessment are: Impact Zero or many. Technical impact of the activity on the computers and networks. TimeImpact Zero or many. Impactelement content will be a numeric value (REAL) specifying a unit of currency described in theactivity measured with respect to time.currency attribute. The MonetaryImpactZero or many. Impact of the activity measured with respect to money. LifeImpact Zero or many. Impact of the activity measured with respect to human life. Confidence Zero or one.class has two attributes: severity Optional. ENUM. An estimate ofconfidence intheassessment.relative severity of the activity. TheAssessment class has one attribute: restriction Optional.permitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity currency Required. ENUM.This attributeDefines the currency in which the monetary impact is expressed. The permitted values are defined inSection 3.2. 3.12.1 ImpactISO 4217:2001, Codes for the representation of currencies and funds [16]. There is no default value. 3.11.4 Confidence class TheImpactConfidence classallows for classifying as well as providingrepresents adescriptionbest estimate of thetechnicalvalidity and accuracy of the described impactdue to(see Section 3.11) of the incidentactivity on the computers and networks of an organization. Meijer, et al. Expires March 29, 2004 [Page 31] Internet-Draft IODEF Data Model and Implementation September 2003 Attributes allow the impact toactivity. This estimate can beclassified according to the consequences on the host and the severity of these consequences. The element content is used for the description.expressed as a category, or a numeric calculation. Note: The IODEF definition of theImpactConfidence class reuses the IDMEF definition (see Section4.2.6.14.2.6.3 of[7]), but also extends it[7]). 3.12 History class The History class is a log of the significant events or actions performed by the involved parties during the course of handling the Meijer, et al. Expires May 10, 2005 [Page 30] Internet-Draft IODEF Data Model andaltersImplementation November 2004 incident. The level of detail maintained in this log is left up to thesemantics.discretion of those handling the incident. +------------------+ |ImpactHistory | +------------------+ |STRING | | | |ENUM restriction |<>--{1..*}--[ HistoryItem ] | |ENUM severity | | ENUM completion | | ENUM type |+------------------+ Figure 16:ImpactThe History class Theelement content may be empty,class that constitutes History is: HistoryItem One orcontain a free-form description (STRING)many. Entry in the history log of significant events or actions performed by thetechnical impact.involved parties. TheImpactHistory class hasfour attributes:one attribute: restriction Optional. ENUM. This attributehas beenis defined in Section 3.2.severity Optional. ENUM. An estimate of the relative severity of the activity.3.12.1 HistoryItem class Thepermitted values are shown below. ThereHistoryItem class isno default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity completion Optional. ENUM. An indication of whetheran entry in thecreator ofHistory (Section 3.12) log that documents a particular action or event that occurred in theIODEF document believescourse of handling theactivity was successful.incident. Thepermitted valuesdetails of the entry areshown below. There is no default value. 1. failed. The attempt was not successful 2. succeeded. The attempt succeededa free-form description, but each can be categorized with the type attribute. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page32]31] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 type Required. ENUM. The type of impact in relatively broad categories. The permitted values are shown below. The default value is "unknown." 1. admin. Administrative privileges were attempted or obtained 2. dos. A denial of service was attempted or completed 3. file. An action on a file was attempted or completed 4. recon. A reconnaissance probe was attempted or completed 5. user. User privileges were attempted or obtained 6. none. The activity did not have any (technical) impact 7. unknown. The impact of the activity is unknown 8. other. Anything not in one of the above categories 3.12.2 TimeImpact class The TimeImpact class describes the non-technical impact of the activity on an organization as a function of time. Different types of time calculations and well as units can be used.November 2004 +------------------+ |TimeImpactHistoryItem | +------------------+ |REAL | | | |ENUM restriction| | ENUM severity | | ENUM metric ||<>--{0..1}--[ IncidentID ] | ENUMunitstype |<>----------[ DateTime ] | |<>--{1..*}--[ Description ] +------------------+ Figure 17:TimeImpactHistoryItem class Theelement content will beaggregate classes that constitute HistoryItem are: IncidentID Zero or One. In anumeric value (REAL) specifyinghistory log created by multiple parties, theimpact asIncidentID provides afunction of time. The attributes represent the specific units and metric. The TimeImpact class has four attributes: Meijer, et al. Expires March 29, 2004 [Page 33] Internet-Draft IODEF Data Modelmechanism to specify which CSIRT created a particular entry andImplementation September 2003 restriction Optional. ENUM. This attribute has been defined in Section 3.2. severity Optional. ENUM. An estimate ofreferences this organization's incident tracking number. When a single organization is maintaining therelative severitylog, this class can be ignored. DateTime One. Timestamp of theactivity. The permitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity metric Required. ENUM. Defines the metricthis entry inwhich the time is expressed. The permitted values are shown below. There is no default value. 1. labor. Total staff-time to recovery fromtheactivityhistory log (e.g.,2 employees working 4 hours each would be 8 hours) 2. elapsed. Elapsed time fromwhen thebeginning ofaction described in therecovery to its completion. 3. downtime. Duration of time for which some provided service(s)Description wasnot available. units Required. ENUM. Definestaken). Description One or many. STRING. A free-form textual description of theunitsaction or event. The HistoryItem class has two attributes: restriction Optional. ENUM. This attribute has been defined inwhichSection 3.2. type Optional. ENUM. Classifies themetric is expressed.type of activity or event documented in this history log entry. Thepermittedpossible values areshown below. Thean enumerated list whose default value is"hours"."other": 1.seconds. Seconds 2. minutes. Minutes 3. hours. Hours 4. days. Days 3.12.3 MonetaryImpact classtriaged. TheMonetaryImpact class describes the financial impact of the activity onincident data was received and processed by anorganization. For example, this impact may consider loss dueIHS. 2. notification. Notification to an involved party in thecost ofincident was sent (e.g., a CSIRT sending a message to theinvestigation or recovery, diminished productivity ofattacking site). 3. shared-info. Information about this incident was shared with party not directly involved. 4. received-info. Additional information about thestaff, or a tarnished reputation that will affectincident was Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page34]32] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 future opportunities.November 2004 received. 5. remediation. The incident has been resolved; a short description may be included. 6. other. A custom entry. 3.13 EventData class The EventData class describes the events of the incident surrounding a particular set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered. +------------------+ |MonetaryImpactEventData | +------------------+ |REAL |ENUM restriction |<>--{0..*}--[ Description ] | |<>--{0..1}--[ DetectTime ] | |<>--{0..1}--[ StartTime ] |ENUM restriction|<>--{0..1}--[ EndTime ] | |<>--{0..*}--[ Contact ] |ENUM severity|<>--{0..1}--[ Assessment ] | |<>--{0..*}--[ Method ] |ENUM metric|<>--{0..*}--[ Flow ] | |<>--{0..1}--[ Record ] |STRING currency|<>--{0..*}--[ EventData ] | |<>--{0..*}--[ AdditionalData ] +------------------+ Figure 18:MonetaryImpactThe EventData class Theelement content will be a numeric value (REAL) specifying the impact as a functionaggregate classes that constitute EventData are: Description Zero or more. STRING. A free-form textual description ofmoney.the event. DetectTime Zero or one. Theattributes representtime thespecific currencyevent was detected. StartTime Zero or one. The time the event started. Meijer, et al. Expires May 10, 2005 [Page 33] Internet-Draft IODEF Data Model andmetric.Implementation November 2004 EndTime Zero or one. TheMonetaryImpact class has four attributes: restriction Optional. ENUM. This attribute has been definedtime the event ended. Contact Zero or more. The different parties involved inSection 3.2. severity Optional. ENUM. An estimate oftherelative severityincident Assessment Zero or one. The impact of theactivity. The permitted values are shown below. There is no default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity currency Required. ENUM. Definesincident on thecurrency in whichtarget and themonetary impact is expressed.actions taken. Method Zero or more. Thepermitted values are defined in ISO 4217:2001, Codes formethodology used by therepresentationintruders. Flow Zero or more. A description ofcurrencies and funds [18]. There is no default value. 3.12.4 LifeImpact class The LifeImpact class describestheloss of human lifesystems orinjury due to an incident. Meijer, et al. Expires March 29, 2004 [Page 35] Internet-Draft IODEF Data Model and Implementation September 2003 +------------------+ | LifeImpact | +------------------+ | INTEGER | | | | ENUM restriction | | ENUM severity | | ENUM metric | +------------------+ Figure 19: LifeImpact class The element content will be a numeric value (INTEGER) specifyingnetworks involved. Record Zero or one. Support data (e.g., log files) that provides additional information about theimpact as a functionevent. EventData Zero or more. Recursive definition ofhuman life. The attributes representEventData allowing for thespecific metric.grouping of data AdditionalData Zero or one. An extension mechanism for data not explicitly represented in the data model. TheLifeImpactEventData class hasthree attributes:one attribute: restriction Optional. ENUM. This attributehas beenis defined in Section 3.2.severity Optional. ENUM. An estimate of the relative severity of3.13.1 Relating theactivity. The permitted values are shown below.Incident and EventData classes There isno default value. 1. low. Low severity 2. medium. Medium severity 3. high. High severity metric Required. ENUM. Defines the metricsubstantial overlap inwhichtheLifeImpact is expressed. The permitted valuesIncident and EventData classes. Nevertheless, the semantics of these classes areshown below. There is no default value. 1. Deaths 2. Injuries 3.12.5 Confidence class The Confidencequite different. The Incident classrepresents a best estimate ofprovides summary information about thevalidity and accuracy ofentire incident, while thedescribed impact (see Section 3.12) ofEventData class provides information about theincident activity. This estimate canindividual events comprising the incident. In the most common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, it may also beexpressed as a category, orpossible that the overall summarized information about the incident conflicts with some individual information in an EventData class when there is anumeric calculation.substantial composition of various events in the an incident. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page36]34] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 Note:November 2004 3.13.2 Cardinality of EventData TheIODEF definitionEventData class can be thought of as a container for theConfidence class reusesproperties of an event in an incident. These properties include: theIDMEF definition (see Section 4.2.6.3hosts involved, impact of[7]), but also extends it and altersthesemantics.incident activity on the hosts, forensic logs, etc. With an instance of the EventData class, hosts hosts (i.e., System class) are grouped around these common properties. TheConfidence class has been reused fromrecursive definition of theIDMEF [7], it has been extended and has been altered. +------------------+ | Confidence | +------------------+ | REAL | | | | ENUM restriction | | ENUM rating | +------------------+ Figure 20: ConfidenceEventData classThe element content may be empty if(the EventData class is aggregated into theratingEventData class) provides a way to related information without requiring the explicit use of unique attribute identifiers in the classes or duplicating information. Instead, the relative depth (nesting) of a class isnot setused to"numeric". Otherwise, a confidence value (REAL) must be provided. The Confidence class has two attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. rating Required. ENUM. Indicatesgroup (relate) information. Nested EventData classes imply that while theconfidencechild classes share theCSIRT has in its assessment. The permitted values are shown below. The default valueproperties of the parent, there is"numeric." 1. low 2. medium 3. high 4. numeric. The CSIRT has providedsome properties for which they do not agree. Therefore, in order express these distinct properties, the nesting approach was used. In such aprobability value indicating its confidencescheme, a parent EventData class MUST always have more than one EventData child. For example, an EventData class might be used to describe two machines involved inits assessment. 5. unknownan incident. Thiselement SHOULD onlydescription can beused whenachieved using multiple instances of theCSIRT can produce meaningful information. When onlySystem class. It happens that there is arough estimatecommon technical contact (i.e., Contact class) for these two machines, but the impact (i.e., Assessment class) on them ispossible "low", "medium", or "high" SHOULDdifferent. A depiction of the representation for this situation can beused asfound in Figure 19. +------------------+ | EventData | +------------------+ | |<>----[ Contact ] | | | |<>----[ EventData ]<>----[ System ] | | [ ]<>----[ Assessment ] | | | |<>----[ EventData ]<>----[ System ] | | [ ]<>----[ Assessment ] +------------------+ Figure 19: Recursion in therating value. When a reasonable probability estimate is possible "numeric" SHOULDEventData class Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page37]35] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 be used asNovember 2004 3.14 Flow class The Flow class groups therating valuesource andinclude a numeric confidence valuetarget hosts or networks in an event. +------------------+ | Flow | +------------------+ | |<>--{1..*}--[ System ] +------------------+ Figure 20: theelement content. This numeric value is a floating point number between 0.0 and 1.0, inclusive. Different CSIRTs may compute and represent confidence values in different ways. Care should be taken to take proper notice of the exact meaning ofFlow class The aggregate class that constitutes Flow is: System One or More. A host or network involved in theconfidence values of different CSIRTs when comparing confidence values. 3.13 Historyincident activity. The Flow System class has no attributes. 3.15 System class TheHistorySystem classisrepresents alogcomputer ordiary ofnetwork involved in thesignificant events that occurred or actions performedincident. The systems represented by this class are categorized according to theinvolved parties (e.g., initial reporter, investigating CSIRT, or involved system administrators) duringrole they played in thecourse of handlingincident through theincident.category attribute. Thelevelvalue ofdetail maintained inthislog is left up tocategory attribute dictates thediscretionsemantics ofthose handlingtheincident.aggregated classes in the System class. If the category attribute has a value of 'source', then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of 'target' or 'intermediary', then the machine or service is the one targeted in the activity. Meijer, et al. Expires May 10, 2005 [Page 36] Internet-Draft IODEF Data Model and Implementation November 2004 +------------------+ |HistorySystem | +------------------+ | ENUM restriction|<>--{1..*}--[ HistoryItem|<>----------[ Node ] | ENUM category |<>--{0..*}--[ Service ] | STRING interface |<>--{0..*}--[ Counter ] | ENUM spoofed | +------------------+ Figure 21:The Historythe System class Theclassaggregate classes that constituteHistorySystem are:HistoryItem OneNode One. A host ormany. Entriesnetwork involved in thehistory log of significant eventsincident. Service Zero oractions performed bymore. A network service running on theinvolved parties.system. Counter Zero or more. A counter with which to summarizes properties of this host or network. TheHistorySystem class hasonefour attribute: restriction Optional. ENUM. This attribute is defined in Section 3.2.3.13.1 HistoryItem class The HistoryItem class is a particular entry incategory Required. ENUM. Classifies theHistory (Section 3.13) log that documents a particular significant actionrole the host orevent that occurrednetwork played in thecourseincident. The possible values are: 1. source. The System was the source ofhandlingthecurrent incident. This detailsattack. 2. target. The System was the target of theentryattack. 3. intermediate. The System was an intermediary in the attack. interface Optional. STRING. Specifies the interface on which the event(s) on thislog areSystem originated. If the Node class specifies afree-form description, but each can also be categorized.network rather than a host, this attribute has no meaning. spoofed Optional. ENUM. An indication of confidence as to whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown". Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page38]37] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 +------------------+ | HistoryItem | +------------------+ | ENUM restriction |<>--{0..1}--[ IncidentID ] | ENUM type | | |<>----------[ DateTime ] | | | |<>--{1..*}--[ Description ] +------------------+ Figure 22: HistoryItem classNovember 2004 1. unknown. Theaggregate classes that constitute HistoryItem are: IncidentID Zero or One.accuracy of the category attribute value is unknown 2. yes. The category attribute value is probably incorrect. Inhistory logs created by multiple parties,theIncidentID providescase of away specify which CSIRT createdsource, theparticular entry and reference this organizations local incident tracking number for this activity. When a single organizationSystem ismaintaininglikely a decoy; with a target, thehistory log, this class canSystem was likely not the intended victim. 3. no. The category attribute value is believed to beignored. DateTime One. Timestampcorrect. 3.16 Node class The Node class identifies a host, network device, or network. The base definition of thethis entry inclass is reused from thehistory log (e.g., whenIDMEF specification, see Section 4.2.7.1 of [7]. However, theaction described inclass has been extended by adding theDescription was taken). Description OneNodeRole and DateTime classes. +---------------+ | Node | +---------------+ | ENUM category |<>--{0..1}--[ Location ] | |<>--{0..1}--[ name ] | |<>--{0..*}--[ Address ] | |<>--{0..1}--[ DateTime ] | |<>--{0..*}--[ NodeRole ] | |<>--{0..*}--[ Counter ] +---------------+ Figure 22: The Node class The aggregate classes that constitute Node are: Location Zero ormany.one. STRING. Afree-form textualfree-from description of theaction or event to be document in the history log. The HistoryItem class has two attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. type Optional. ENUM. Classifies the typephysical location ofactivitythe equipment. name Zero orevent being document in this history log entry.one. STRING. Theparticular detailsname of theentry are a free-form description documented in the Description class. Possible values are an enumerated list whose default valueequipment (e.g., fully qualified domain name). This information MUST be provided if no Address information is"other": 1. triaged.given. Address Zero or more. Theincident data was received and processed by an IHS 2. notification. Notification to an involved party inhardware, network, or application address of theincident was sent (e.g.,Node. Unless aCSIRT sending a message to the attacking site).name is provided, at least one address must be specified. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page39]38] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 3. shared-info. Information about this incident was shared with party not directly involved. 4. received-info. Additional information about the incident was received 5. remediation. The incident has been resolved; a short description may be included. 6. other. 3.14 EventData class The EventData class describes the events of the incident surrounding a particular set of hostsNovember 2004 DateTime Zero ornetworks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impactone. A timestamp of when theactivity onresolution between theorganization, a list of incident handling tasks performed, andname andany forensic evidence discovered. Meijer, et al. Expires March 29, 2004 [Page 40] Internet-Draft IODEF Data Modeladdress was performed. This information SHOULD be provided if both an Address andImplementation September 2003 +------------------+ | EventData | +------------------+ | ENUM restriction |<>--{0..*}--[ Description ] | | | |<>--{0..1}--[ Assessment ] | | | |<>--{0..*}--[ Method ] | | | |<>--{0..1}--[ DetectTime ] | | | |<>--{0..1}--[ StartTime ] | | | |<>--{0..1}--[ EndTime ] | | | |<>--{0..*}--[ Contact ] | | | |<>--{0..1}--[ History ] | | | |<>--{0..*}--[ System ] | | | |<>--{0..1}--[ Record ] | | | |<>--{0..*}--[ EventData ] | | | |<>--{0..*}--[ AdditionalData ] +------------------+ Figure 23: The EventData class The aggregate classes that constitute EventData are: Descriptionname are given. NodeRole Zero or more.STRING. A free-form textual descriptionThe intended purpose of theevent. Systemequipment. Counter Zero or more.The systems (nodes, networks) involved in the event as either sources, targets or intermediaries. Method ZeroA counter with which to summarizes properties of this host ormore.network. Themethods byNode class has one attribute: category Optional. ENUM. The context in which theevent was staged. Information about tools usedAddress andvulnerabilities exploited. Record Zeroname classes should be considered, if relevant. The permitted values for this attribute are shown below. The default value is "unknown". 1. unknown. Domain unknown orone. Support data (e.g., log files) that provides information on the events.not relevant 2. ads. Windows 2000 Advanced Directory Services 3. afs. Andrew File System (Transarc) 4. coda. Coda Distributed File System 5. dfs. Distributed File System (IBM) 6. dns. Domain Name System 7. hosts. Local hosts file 8. kerberos. Kerberos realm 9. nds. Novell Directory Services 10. nis. Network Information Services (Sun) 11. nisplus. Network Information Services Plus (Sun) 12. nt. Windows NT domain 13. wfw. Windows for Workgroups Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page41]39] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 StartTime Zero or one.November 2004 3.16.1 Counter class Thetime the event started. EndTime ZeroCounter class summarize multiple occurrences of some event, orone.conveys counts on various features (e.g., packets, sessions, events). Thetimevalue of theevent ended. DetectTime Zero or one. The timecounter is theevent was detected. Contact Zero or more. The different parties involvedelement content, with its units represented in theincident Assessment Zero or one. Indicates the impact of the incidenttype attribute. The complete semantics are entirely context dependant based on thetarget and the actions taken. AdditionalData Zero or one. Anything that can not be putclass inone ofwhich theother elements Event Zero or more. Recursive definition of Event, allowing for grouping of data The EventData class has oneCounter is aggregated. +------------------+ | Counter | +------------------+ | INTEGER | | | | ENUM type | | STRING meaning | +------------------+ Figure 23: the Counter class The Counter class has two attribute:restrictiontype Optional. ENUM.This attribute is defined in Section 3.2. 3.15 Relating the IncidentData and EventData classes At first glance, the duplication in the aggregate classes of IncidentData and EventData are obvious. However,Specifies thesemanticsunits ofthese classes are quite different. IncidentData provides summary information abouttheentire incident, while EventData provides information about a subsetelement contents. 1. packet. Count ofthe incident. For example, note that the Assessment class is aggregated in both classes. Consider a case where IncidentData:Assessment:MonetaryImpact has been assigned a valuepackets. 2. session. Count ofx. Now, consider a valuesessions 3. event. Count ofy (where y < x) being assigned to a given MonetaryImpact class that is aggregated inevents 4. other. User defined count meaning Optional. STRING. Describes theEventData class. Thesemantics ofthese two values is some monetary loss. In the case ofthefigure inelement content if theIncidentData class, this loss is incident-wide. The figure in EventDatatype attribute isa subset of this overall loss, and allows oneset toassociate a particular loss withother. 3.16.2 Address The Address class represents agiven subset of events that constitutehardware (layer-2), network (layer-3), or application (layer-7) address. This class was originally derived from theincident. It effectively provides a breakdown (or more specific description) ofIDMEF specification [7]. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page42]40] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 the overall loss previously specified inNovember 2004 +------------------+ | Address | +------------------+ | ENUM category | | STRING vlan-name | | INTEGER vlan-num | +------------------+ Figure 24: theIncidentData class. 3.16 Cardinality of EventDataAddress class Therecursive definitionAddress class has four attributes: category Required. ENUM. The type of address represented. The permitted values for thisclass (the EventData class is aggregated into the EventData class) provides a way to related information without requiring the explicit use of uniqueattributeidentifiersare shown below. The default value is "ipv4-addr". 1. atm. Asynchronous Transfer Mode (ATM) 2. mac. Media Access Control (MAC) address 3. sna. IBM Shared Network Architecture (SNA) address 4. ipv4-addr. IPv4 host address inthe classes.dotted-decimal notation (a.b.c.d) 5. ipv4-net. IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn) 6. ipv4-net-mask. IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z) 7. ipv6-addr. IPv6 host address 8. ipv6-net. IPv6 network address, slash, significant bits 9. ipv6-net-mask. IPv6 network address, slash, network mask 10. vm. IBM VM ("PROFS") email address 11. e-mail. Electronic mail address (RFC 822) 12. lotus-notes. Lotus Notes e-mail address Meijer, et al. Expires May 10, 2005 [Page 41] Internet-Draft IODEF Data Model and Implementation November 2004 vlan-name Optional. STRING. Thedepthname ofan element intheXML tree is usedVirtual LAN torelated information. The EventData class can be thought of as a container describingwhich thepropertiesaddress belongs. vlan-num Optional. STRING. The number ofan event in an incident. These properties include:thehosts involved, impact ofVirtual LAN to which theincident activityaddress belongs. 3.16.3 NodeRole class The NodeRole class describes (based on a pre-defined list) thehosts, forensic logs, etc. One groups (via an instance of the EventData class) hosts (i.e., System class) around these common properties. A child EventDatafunction performed by a particular host. +---------------+ | NodeRole | +---------------+ | STRING | | | | ENUM category | +---------------+ Figure 25: The NodeRole class(andThe element content should be empty in allits siblings) logically "inherits" the aggregated classes of a parent EventData class. However,cases other than when thepresence of sibling EventData classes (it "never" makes sensecategory attribute is set tohave only"other". The NodeRole class has oneEventData child in an EventData class) means that there are some disjoin propertiesattributes: category Required. Functionality provided by a node. If a value ofthe event. These children of the parent EventData class represent these differences, while still retaining"other" is specified, away to represent the common properties (i.e., the parent-child relationship). For example, an EventData class might be used to describe two machines involved in an incident. ThisdescriptioncanSHOULD beachieved using multiple instances of the System class. It happens that the technical contact (i.e., Contact class) for these two machines is identical, butprovided in theimpact (i.e., Assessment class) is different.element content. Theproblem lies in representing two hostsdefault value is "other". 1. client. Client computer 2. server-internal. Server witha common contact, but different impacts without duplicating any information. This event can be representinternal services 3. server-public. Server withthe following design represented in Figure 24.public services 4. www. WWW server 5. mail. Mail server 6. messaging. Messaging server (e.g. NNTP, IRC, IM) 7. streaming. Streaming-media server Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page43]42] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 +------------------+ | EventData | +------------------+ | |<>----[ Contact ] | | | |<>----[ EventData ]<>----[ System ] | | [ ]<>----[ Assessment ] | | | |<>----[ EventData ]<>----[ System ] | | [ ]<>----[ Assessment ] +------------------+ Figure 24: RecursionNovember 2004 8. voice. Voice server (e.g. SIP, H.323) 9. file. File server (e.g. SMB, CVS, AFS) 10. ftp. FTP server 11. p2p. Peer-to-peer node 12. name. Name server (e.g. DNS, WINS) 13. directory. Directory server (e.g. LDAP, finger, whois) 14. credential. Credential server (e.g. domain controller, Kerberos) 15. print. Print server 16. application. Application server 17. database. Database server 18. infra. Infrastructure server (e.g. router, firewall, DHCP) 19. log. Logserver 20. other. other role not inthe EventData classthis list 3.17SystemProcess class TheSystemProcess classrepresents the technical information fordescribes a running program on a givencomputer or networkhost involved inthean incident.The systems represented by thisThis classare categorized according to the role they played in the incident via throughis reused outright from thecategory attribute. The valueIDMEF specification, see Section 4.2.7.3 ofthis category attribute dictates the semantics[7]. 3.18 Service class The Service class describes a network service ofthe aggregated classes in the System class.a host or network. Themeaningservice is identified by specific port or list of ports, along with theNode, User, Process, andapplication listening on that port. When Service occurs as an aggregate classdepend on the value of the category attributeofthe System class. If thea Systemclass category attributethat is'source',a source, then that thedescribed aggregated classes denote the machine, user, process, orservice is the one from whichtheactivity of interest is originating.With a category attribute valueConversely, when Service occurs as an aggregate class of'target' or 'intermediary',a System that is a target, thenthe described machine, user, process, orthat service is the onetargeted into which activity of interest is being directed. This class was originally derived from theactivity.IDMEF specification, see Section 4.2.7.4 of [7]. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page44]43] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 +------------------+ | System | +------------------+ | ENUM restriction |<>----------[ Node ]November 2004 +--------------------+ |ENUM categoryService | +--------------------+ | STRINGinterface |<>--{0..*}--[ User ] | ENUM spoofed | | |<>--{0..*}--[ Processip_version |<>--{0..1}--[ port ] || | |<>--{0..*}--[ ServiceSTRING ip_protocol |<>--{0..1}--[ portlist ] || ||<>--{0..1}--[FileListApplication ]+------------------++--------------------+ Figure25: the System26: The Service class The aggregate classes that constituteSystemService are:Node One. A host or network involved in the incident activity. Userport Zero ormore. The applicationone. INTEGER. A port number. portlist Zero oroperating system user running on the specified host that was involved in the incident. Processone. PORTLIST. A list of port numbers formatted according to Section 2.2.7. Application Zero or more. Theprocess targeted or the source of the attack onapplication bound to the specifiedhost, Service Zeroport orone.portlist. Thenetwork service targeted on the host specified in Node. FileList ZeroService class must specify either a port orone. Information about the files on the host involved in the incident.portlist. TheSystemService class hasfour attribute: restriction Optional. ENUM. This attribute is defined in Section 3.2. categorytwo attributes: ip_version Required.ENUM. Classifies the role the System played in the incident activity.INTEGER. Thepossible values are: 1. source.IP version number. ip_protocol Required. INTEGER. TheSystem wasIANA protocol number. 3.19 Record class The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools (e.g., IDMEF messages generated by an IDS, connection logs from a web server) that were used to uncover theattackmalicious activity. These logs should provide evidence as to why a CSIRT believes an incident has occurred. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page45]44] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 2. target.November 2004 +------------------+ | Record | +------------------+ | ENUM restriction |<>--{1..*}--[ RecordData ] +------------------+ Figure 27: Record class TheSystem was the targetaggregate class that constitutes Record is: RecordData One or more. Log or audit data generated by a particular type of sensor. Seperate instances of theattack 3. intermediate. The System was an intermediate machineRecordData class SHOULD be usedin the attack. interface Optional. STRING. Specifies the interface on which the event(s) on this System originated. spoofedfor each sensor type. The Record class has one attributes: restriction Optional. ENUM.An indication of confidence as to whether this System was the true target or attacking host. The permitted values for thisThis attributeare shown below. The default value is "unknown". 1. unknown. The accuracy of the category information is unknown 2. yes. The category value classifying the host or network as an source or target is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim. 3. no. The category value classifying the host or network as a source or target is believed to be correct. 3.18 Nodehas been defined in Section 3.2. 3.19.1 RecordData class TheNodeRecordData classis used to identify a hostgroups log ornetwork device (e.g., routers, switches). The base definition of the class is reusedaudit data fromthe IDMEF specification, see Section 4.2.7.1 of [7]. However, the class has been extended by adding the NodeRole class. Meijer, et al. Expires March 29, 2004 [Page 46] Internet-Draft IODEF Data Modela given sensor (e.g., IDS, firewall log) andImplementation September 2003 +---------------+provides a way to annotate the output. +------------------+ |NodeRecordData |+---------------++------------------+ | ENUMcategory |<>--{0..1}--[ Location ] | | |restriction |<>--{0..1}--[nameDateTime ] || ||<>--{0..*}--[AddressDescription ] || ||<>--{0..1}--[DateTimeAnalyzer ] || | |<>--{0..*}--[ NodeRole|<>--{1..*}--[ RecordItem ]+---------------++------------------+ Figure26:28: TheNodeRecordData class The aggregate classes thatconstitute Node are: Locationconstitutes RecordData is: DateTime Zero or one.STRING. The physical locationTimestamp of theequipment. nameRecordItem data. Description Zero orone.more. STRING.The nameFree-form textual description of theequipment (e.g., fully qualified domain name). This information MUST beprovidedif no Address information is given. Address Zero or more. The network or hardware address ofRecordItem data. At minimum, this description should convey theequipment. Unless a name is provided, at least one address must be specified. DateTime Zero or one. A timestampsignificance ofwhen the resolution betweenthename and address was performed. This information SHOULD beprovidedif both an Address and name are given. NodeRole Zero or more. The intended purpose of the equipment. The Node class has one attribute: category Optional. ENUM. The context in which the Address and name classes should be considered, if relevant. The permitted values for this attribute are shown below. The default value is "unknown". 1. unknown. Domain unknown or not relevantRecordItem data. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page47]45] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 2. ads. Windows 2000 Advanced Directory Services 3. afs. Andrew File System (Transarc) 4. coda. Coda Distributed File System 5. dfs. Distributed File System (IBM) 6. dns. Domain Name System 7. hosts. Local hosts file 8. kerberos. Kerberos realm 9. nds. Novell Directory Services 10. nis. Network Information Services (Sun) 11. nisplus. NetworkNovember 2004 Analyzer Zero or one. InformationServices Plus (Sun) 12. nt. Windows NT domain 13. wfw. Windows for Workgroups 3.18.1 Addressabout the sensor used to generate the RecordItem data. RecordItem One or more. Log, audit, or forensic data. TheAddressRecordData classrepresents a network, hardware, and application address.has one attributes: restriction Optional. ENUM. Thisclass is reused outright from the IDMEF specification, seeattribute has been defined in Section4.2.7.1.1 of [7]. 3.18.2 NodeRole3.2. 3.19.2 Analyzer class TheNodeRoleAnalyzer classdescribes (based on a pre-defined list)identifies thefunction performed by asensor (e.g., IDS, firewall, web server) used to generate particularhost.log or audit data. The definition of the class is reused from the IDMEF specification, see Section 4.2.7.3 of [7]. However, in this context, the definition of an analyzer is expanded beyond merely an IDS. 3.19.3 RecordItem class The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. The class supports both the direct encapsulation of the data, as well as, provides primitives to reference data stored elsewhere. The dtype attribute will dictate the type of log data that will be found in this class. This class is very similar to the AdditionalData class (Section 3.6) in that it is an extension mechanism that can support proprietary representations of security event data, not all of which is necessarily in XML. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page48]46] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 +---------------+November 2004 +------------------+ |NodeRoleRecordItem |+---------------++------------------+ |STRINGANY | | | | ENUMcategorytype |+---------------++------------------+ Figure27:29: TheNodeRoleRecordItem class Theelement content should be empty in all cases other than when the category attribute is set to "other". The NodeRoleRecorditem class has oneattributes: categoryattribute: type Required.Functionality provided by a node. If a valueThe type of"other" is specified, a description SHOULD be provideddata included in theelement'selement content. The permitted values for this attribute are shown below. The default value is"other"."string". 1.client. Client computerboolean. The element contains a boolean value, i.e., the strings "true" or "false" 2.server-internal. Server with internal services 3. server-public. Server with public services 4. www. WWW serverbyte. The element content is a single 8-bit byte (see Section 2.2.4); 3. character. The element content is a single character (see Section 2.2.3); 4. date-time. The element content is a date-time string (see Section 2.2.6); 5.mail. Mail serverinteger. The element content is an integer (see Section 2.2.1); 6.messaging. Messaging server (e.g. NNTP, IRC, IM)portlist. The element content is a port list (see Section 2.2.7); 7.streaming. Streaming-media serverreal. The element content is a real number (see Section 2.2.2); 8.voice. Voice server (e.g. SIP, H.323)string. The element content is a string (see Section 2.2.3); 9. file.File server (e.g. SMB, CVS, AFS)The element content is a base64 encoded binary file; 10.ftp. FTP serverpath. The element content is a filesystem path; 11.p2p. Peer-to-peer nodeurl. The element content is a URL (see Section 2.2.12;) 12.name. Name server (e.g. DNS, WINS) 13. directory. Directory server (e.g. LDAP, finger, whois) 14. credential. Credential server (e.g. domain controller, Kerberos)xml. The element content is XML-tagged data (see Section 4). Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page49]47] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 15. print. Print server 16. application. Application server 17. database. Database server 18. infra. Infrastructure server (e.g. router, firewall, DHCP) 19. log. Logserver 20. other. other role not in this list 3.19 FileList class The FileList class describes files and other file-like objects on hosts involved in an incident. This class is reused outright fromNovember 2004 4. Extending theIDMEF specification, see Section 4.2.7.5 of [7]. 3.20 User The User class describes an application or operating system user account involved in an incident. This class is reused outright from the IDMEF specification, see Section 4.2.7.2 of [7]. 3.21 Process The Process class describes a running program on a given host involved in an incident. This class is reused outright from the IDMEF specification, see Section 4.2.7.3 of [7]. 3.22 Service The Service class describes a network service of a host. This class is reused outright from the IDMEF specification, see Section 4.2.7.4 of [7]. 3.23 Record class The Record class groups log or audit data that provides a record of the incident activity. The source of this data will typically be the output of monitoring tools (e.g., IDMEF messages generated by an IDS, connection logs from a web server) that were used to uncover the malicious activity. These logs should provide evidence as to why a reporter to CSIRT believes an incident has occurred. Meijer, et al. Expires March 29, 2004 [Page 50] Internet-Draft IODEF Data Model and Implementation September 2003 +------------------+ | Record | +------------------+ | ENUM restriction |<>--{1..*}--[ RecordData ] +------------------+ Figure 28: Record class The aggregate class that constitutes Record is: RecordData One or more. Log or audit data generated by a particular type of sensor. The Record class has one attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. 3.23.1 RecordData class The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output. +------------------+ | RecordData | +------------------+ | ENUM restriction |<>--{0..1}--[ DateTime ] | | | |<>--{0..*}--[ Description ] | | | |<>--{0..1}--[ Analyzer ] | | | |<>--{1..*}--[ RecordItem ] +------------------+ Figure 29: The RecordData class The aggregate classes that constitutes RecordData is: DateTime Zero or one. Timestamp information for the RecordItem data. Description Zero or more. STRING. Free-form textual description of the provided RecordItem data. At minimum, this description should Meijer, et al. Expires March 29, 2004 [Page 51] Internet-Draft IODEF Data Model and Implementation September 2003 convey the significance of the provided RecordItem data. Analyzer Zero or one. Information about the sensor used to generate the RecordItem data. RecordItem One or more. Log, audit, or forensic data. The RecordData class has one attributes: restriction Optional. ENUM. This attribute has been defined in Section 3.2. 3.23.1.1 Analyzer class The Analyzer class identifies the sensor (e.g., IDS, firewall, web server) used to generate particular log or audit data. The definition of the class is reused from the IDMEF specification, see Section 4.2.7.3 of [7]. However, in this context, the definition of an analyzer is expanded beyond merely an IDS. 3.23.1.2 RecordItem class The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. This data can be directly encapsulated as part of this document, or can be referenced whereby using this class as merely a pointer to the relevant information. The dtype attribute will dictate the type of log data that will be found in this class. This class is very similar to the AdditionalData class (Section 3.6) in that it is essentially an extension class that can support proprietary representations of security event data, not all of which is necessarily in XML. Meijer, et al. Expires March 29, 2004 [Page 52] Internet-Draft IODEF Data Model and Implementation September 2003 +------------------+ | RecordItem | +------------------+ | ANY | | | | ENUM type | +------------------+ Figure 30: The RecordItem class The Recorditem class has one attribute: type Required. The type of data included in the element content. The permitted values for this attribute are shown below. The default value is "string". 1. boolean. The element contains a boolean value, i.e., the strings "true" or "false" 2. byte. The element content is a single 8-bit byte (see Section 2.2.4); 3. character. The element content is a single character (see Section 2.2.3); 4. date-time. The element content is a date-time string (see Section 2.2.6); 5. integer. The element content is an integer (see Section 2.2.1); 6. ntpstamp. The element content is a NTP timestamp (see Section 2.2.7); 7. portlist. The element content is a port list (see Section 2.2.8); 8. real. The element content is a real number (see xref target="dt_real_numbers" />); 9. string. The element content is a string (see Section 2.2.3); 10. file. The element content is a base64 encoded binary file; 11. path. The element content is a filesystem path; 12. url. The element content is a URL (see Section 2.2.13;) Meijer, et al. Expires March 29, 2004 [Page 53] Internet-Draft IODEF Data Model and Implementation September 2003 13. xml. The element content is XML-tagged data (see Section 4). Meijer, et al. Expires March 29, 2004 [Page 54] Internet-Draft IODEF Data Model and Implementation September 2003 4. Extending the IODEF In order to support the changing activityIODEF In order to support the changing activity of CSIRTS, the IODEF data model and DTD will need to evolve along with them. To allow new features to be added, both the data model and the DTD can be extended as described in this section. As these extensions mature, they canthenbe incorporated into future versions of the specification or published separately. 4.1 Extending the data model There are two mechanisms for extending the IODEF data model: inheritance and aggregation. o By using inheritance, new subclasses may be derived and given additional attributes or operations not found in the superclass. o Aggregation allows for entirely new, self-contained classes to be created and associated with a parent class. Of the two extension mechanisms, inheritance is preferred, because it preserves the existing data model and the operations (methods) executed on the classes of the model. There are explicit guidelines for extending the XML DTD (see Section 4.2) which set limits on where extensions to the data model may be made. 4.2 Extending the XML DTD There are two ways to extend the IODEF XML DTD: 1. The AdditionalData (see Section 3.6) and RecordItem (see Section3.23.1.2)3.19.3) classes allow implementers to include arbitrary "atomic" data. (e.g., integers, strings). This approach SHOULD be used whenever possible. 2. The AdditionalData and RecordItem classes also allow implementers to extend the IODEF XML DTD with additional DTDs that describe arbitrarily complex data types and relationships. The following guidelines MUST be followed when extending the IODEF DTD with another DTD in the extension classes: 1. The IODEF description MUST include a document type declaration (see Section 2.1.1.3); 2. The document type declaration MUST define a parameter entity that contains the location of the extension DTD, and then reference Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page55]48] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 that entity: <!DOCTYPE IODEF-Document SYSTEM "/path/to/IODEF-Document.dtd" [ <!ENTITY % x-extension SYSTEM "/path/to/extension.dtd"> % x-extension; ]> In this example, the "x-extension" parameter entity is defined and then referenced, causing the DTD for the extension to be read by the XML parser. The name of the parameter entity defined for this purpose MUST be a string beginning with "x-"; there are no other restrictions on the name (other than those imposed on all entity names by XML). Multiple extensions may be included by defining multiple entities and referencing them. For example: <!DOCTYPE IODEF-Document SYSTEM "/path/to/IODEF-Document.dtd" [ <!ENTITY % x-extension SYSTEM "/path/to/extension.dtd"> <!ENTITY % x-another SYSTEM "/path/to/another.dtd"> %x-extension; %x-another; ]> 3. Extension DTDs MUST declare all of their elements and attributes in a separate XML namespace. Extension DTDs MUST NOT declare any elements or attributes in the "IODEF" or default namespaces. For example, the "test" extension might be declared as follows: <!ELEMENT test:test ( test:a, test:b, test:c )> <!ATTLIST test:test xmlns CDATA #IMPLIED xmlns:test CDATA #IMPLIED > <!ELEMENT test:a (#PCDATA)> <!ATTLIST test:a test:attr CDATA #IMPLIED > <!ELEMENT test:b (#PCDATA)> <!ELEMENT test:c (#PCDATA)> 4. Extensions MUST only be included in the AdditionalDataclass of the Incident classor RecordItem classes whose "type" attribute is "xml". For example: Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page56]49] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 <IODEF-Document version="0.0"> <Incident ident="..."> ... <AdditionalData type="xml"> <test:test xmlns:test="http://www.ietf.org/iodef/test.html" xmlns="http://www.ietf.org/iodef/test.html"> <test:a test:attr="...">...</test:a> <test:b>...</test:b> <test:c>...</test:c> </test:test> </AdditionalData> </Incident> </IODEF-Document> Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page57]50] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 5. Processing ConsiderationsThis section discusses some of the special considerations that must be taken into account by implementers of the IODEF. 5.1 XML Validity and Well-FormednessThe IODEF documents MUST be well-formed, and whenpossible and practical the documentspractical, SHOULD also be valid. It is expected that IODEF-compliant applications will normally not include the IODEF DTD in their communications. Instead, the DTD will be referenced in the document type declaration section of the IODEF document (see Section2.1.1.3. While an XML document SHOULD contain a document type declaration. This requirement imposes a significant overhead on an IODEF-compliant application in bandwidth consumption and computation for the DTD may need to be downloaded and parsed before use by the XML parser. Implementers MAY decide to have entities who regularly exchange IODEF message agree out-of-band on the particular document type definition they will be using to exchange messages (the standard one as defined here, or one with extensions), and then omit it from IODEF documents. The method for negotiating this agreement is outside the scope of this document. NOTE: Care must be taken in negotiating any such agreements, as each entities will have to keep state on this agreed upon document type definition. The management complexity of these negotiations grows more complex as entities make such arrangements with many collaborators. 5.2 Unrecognized Data and XML Tags2.1.1.3). On occasion, an IODEF-compliant application may receive a well- formed, or well-formed and valid IODEF document containing tags or content in the tags that are not expected. These spurious conditions might include: o Unrecognized tags used in one of the extension classes (i.e., AdditionalData or RecordItem); o Unrecognized tags outside of the extension classes; or o Well-formed and validate document where element or attribute values to not conform to the expected values identified by an enumerated list;Meijer, et al. Expires March 29, 2004 [Page 58] Internet-Draft IODEF Data Model and Implementation September 2003IODEF-compliant applications MUST continue to process IODEF documents that contain unknown tags, provided that these documents are well-formed. It is up to the individual application to decide how to process any content from the unknown tag. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page59]51] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 6. Internationalization issues Internationalization and localization is of specific concern to theIODEF. ItIODEF, since it is only throughcollaboration, often across language barriers,collaboration, often across language barriers, that certain incidents be resolved. The IODEF supports this goal by depending on XML constructs, and through explicit design choices in the data model. The IODEF leverages thatcertain incidents be resolved.XMLalreadynatively supports different character encodings. This flexibilitywill allowallows information encoded inthean IODEF document to be in mostwrittenlanguages.Furthermore,In order to disambiguate the explicit language used on a per-element basis, XMLalsoprovides the xml:langattribute through whichattribute. Using thetype of language being used in a given element can be specified. By including thisxml:lang attributein the %attlist.global entity found in all elements, users ofallows the IODEFcanto make usedifferentof multiple languages in the same document. The intent of the data modelensureswas to provide internationalization and localization, but not to the detriment of inter-operability. While IODEF does support different languages, the data model also relies heavily on standardized enumerated attributes that can crudely approximate thecardinalitycontents of theDescription class isdocument. With this approach, a CSIRT should be able to make some sense of an IODEF document it might receive that uses a language unfamiliar to its analysts. Likewise, the data model was designed so that classes where free-text might be used for descriptive purposes always have a one-to-many cardinality with itsparent. Oneparent (i.e., Description class). The primary intent ofthe intents forthis design was to allow the same description to be repeated in another instance of theDescription class,class but in a different language.Parsers of the IODEF document, could extract only the elements with the relevant language. SupportingThis approach allows recipients speaking different languagesallows CSIRTs to localize the IODEF. However, it does not aid data interchange if the recipient of a document does not understand the underlying language. In ordertoensure that the recipient can at least crudely approximate the contents ofreceive the identical document, but allows thedata model relies on enumerated attributes that are standardizedIODEF parser toconvey meaning (e.g., %attlist.purpose).select the appropriate language. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page60]52] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 7. ExamplesThese examples provide an idea of what IODEF-Documents can look like. It must be stressed that as IODEF is a data-exchange-format, it does not specify detailed rules on which elements and attributesThis section provides representative examples of incident data converted touse under all imaginable circumstances.an IODEF document. 7.1 Code Red detection notification The following email message is a typical example of an incident report where one host is infected with a worm. Theinitialoriginal reportissentinbyemail, the subsequently shown IODEF-Document illustrates the communication between the responsible CSIRT and its constituent. The constituentemail isa contact for the CSIRTpresented in Figure 34, andresponsible for coordinatingtherequired actions at his site.corresponding equivalent as an IODEF document is shown below. Frome-citizen@hisdomain.dee-citizen@domain.com Date: 13 Sep 2001 23:19:24 -0000From: e-citizen@hisdomain.deTo:cert-for-ourdomain.pl@ourdomain.plcert-domain@domain.com Subject: 10.1.1.2 - Code Red Virus detected Automated message, you don't have to reply to this email. Your system with the IP number 10.1.1.2 seems to be infected with the Code Red virus. For more information seehttp://www.incidents.org/react/code_redII.phphttp://www.domain.org/react/code_redII.html Please fix the problem or inform a person who is responsible for that machine to do so. >From our web server logs (Port 80): 10.1.1.2 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?XXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Figure35:34: Code Red detection notification: initial report <IODEF-Document version="1.0"> <Incident restriction="need-to-know" purpose="handling"> <IncidentIDname="CERT-FOR-OUR-DOMAIN.PL">CERT-FOR-OUR-DOMAIN.PL#189</IncidentID> Meijer, et al. Expires March 29, 2004 [Page 61] Internet-Draft IODEF Data Model and Implementation September 2003 <IncidentData>name="CERT-DOMAIN.COM">CERT-DOMAIN.COM#189</IncidentID> <Description>Host sending out Code Red probes</Description><ReportTime>2001-09-13T23:19:24+00:00</ReportTime> <Expectation category="other"> <Description>Track and clean host</Description> </Expectation><Assessment> <Impact severity="low" completion="failed" type="none"></Impact> </Assessment> <ReportTime>2001-09-13T23:19:24+00:00</ReportTime> <Contact role="creator" role="irt" type="organization"> Meijer, et al. Expires May 10, 2005 [Page 53] Internet-Draft IODEF Data Model and Implementation November 2004 <name>CERT-FOR-OUR-DOMAIN.PL</name> <Email>cert-for-our-domain.pl@ourdomain.pl</Email> </Contact> <Contact role="tech" type="organization"> <name>Constituency-contact for 10.1.1.2</name> <Email>Constituency-contact@10.1.1.2.pl</Email> </Contact><History> <HistoryItem type="notification"> <IncidentID name="CERT-FOR-OUR-DOMAIN.PL">CERT-FOR-OUR-DOMAIN.PL#189</IncidentID> <Description>Notification sent to Constituency-contact@10.1.1.2.pl</Description> <DateTime>2001-09-14T08:19:01+00:00</DateTime> </HistoryItem> </History><Expectation category="investigate"> <Description>Track and clean host</Description> </Expectation> <EventData> <Flow> <System category="source"> <Node> <Address category="ipv4-addr">10.1.1.2</Address> </Node> </System> <System category="target"><Service><Service ip_version=4" ip_protocol="6"> <port>80</port> </Service> </System> </Flow> <Record> <RecordData> <DateTime>2001-09-13T18:11:21+02:00</DateTime> <Description>Web-server logs</Description> <RecordItem> 10.1.1.2 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?XXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX </RecordItem> </RecordData> </Record> </EventData> <History> <HistoryItem type="notification"> <Description>Notification sent to Constituency-contact@10.1.1.2 </Description> <DateTime>2001-09-14T08:19:01+00:00</DateTime> </HistoryItem> </History> </Incident> </IODEF-Document> Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page62]54] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 </RecordData> </Record> </EventData> </IncidentData> </Incident> </IODEF-Document>November 2004 Figure36:35: Code Red detection notification: CSIRT response 7.2 IODEF-Document with XML signature 7.3 IODEF-Document encrypted using XML encryption 7.4 IODEF-Document encrypted and signed using XML signature & encryption Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page63]55] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 8. The IODEF Document Type Definition <?xml version="1.0" encoding="UTF-8"?> <!-- ******************************************************************** ******************************************************************** ***IncidentDataIncident Object Description Exchange FormatXMLDTD *** *** Version 01,September 2003November 2004 *** ******************************************************************** ******************************************************************** --> <!ENTITY % attlist.iodef " version CDATA #FIXED'0.20''0.30' "> <!-- ==================================================================== == Element definitions == ==================================================================== --> <!-- ==================================================================== == IODEF-Document class == ==================================================================== --> <!ELEMENT IODEF-Document (Incident+)> <!ATTLIST IODEF-Document %attlist.iodef; xmlns:iodef CDATA #FIXED "urn:iana:xml:ns:iodef" > <!-- ==================================================================== == Incident class == ==================================================================== --> <!ELEMENT Incident (IncidentID, AlternativeID?, RelatedActivity?,IncidentData,Description*, Contact+, ReportTime, DetectTime?, StartTime?, EndTime?, Expectation*, Method*, Assessment+, EventData*, History?, AdditionalData*)> <!ATTLIST Incident restriction %attvals.restriction; "private" purpose %attvals.purpose; #REQUIRED > <!-- ==================================================================== == IncidentID class == ==================================================================== --> <!ELEMENT IncidentID (#PCDATA)> <!ATTLIST IncidentID name CDATA #IMPLIED Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page64]56] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== == AlternativeID class == ==================================================================== --> <!ELEMENT AlternativeID (IncidentID+)> <!ATTLIST AlternativeID restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== == RelatedActivity class == ==================================================================== --> <!ELEMENT RelatedActivity (IncidentID+)> <!ATTLIST RelatedActivity restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== === AdditionalData class === ==================================================================== --> <!ELEMENT AdditionalData ANY> <!ATTLIST AdditionalData restriction %attvals.restriction; #IMPLIED type %attvals.dtype; #REQUIRED meaning CDATA #IMPLIED > <!-- ==================================================================== ===IncidentData class === ==================================================================== --> <!ELEMENT IncidentData (Description*, Contact+, ReportTime, DetectTime?, StartTime?, EndTime?, Expectation*, Method*, Assessment+, EventData*, History?, AdditionalData*)> <!ATTLIST IncidentData restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== ===Contact class === === - Name === - RegistryHandle === - PostalAddress === - Email === - TelephoneMeijer, et al. Expires March 29, 2004 [Page 65] Internet-Draft IODEF Data Model and Implementation September 2003=== - Fax === -TimeZoneTimezone === - Contact (recursive) ==================================================================== --> <!ELEMENT Contact (Name?, Description*, RegistryHandle*, PostalAddress?, Email*, Telephone*, Fax?,TimeZone,Timezone, Contact*)> <!ATTLIST Contact contactrole (creator | admin | tech | irt | cc) #REQUIRED contacttype (person | organization) #REQUIRED Meijer, et al. Expires May 10, 2005 [Page 57] Internet-Draft IODEF Data Model and Implementation November 2004 restriction %attvals.restriction; #IMPLIED > <!ELEMENT RegistryHandle (#PCDATA)> <!ATTLIST RegistryHandle type %attvals.registrytype; "local" > <!ELEMENT PostalAddress (#PCDATA)> <!ATTLIST PostalAddress lang NMTOKEN #IMPLIED > <!ELEMENT Email (#PCDATA)> <!ELEMENT Telephone (#PCDATA)> <!ELEMENT Fax (#PCDATA)> <!-- ==================================================================== === Time-based classes === === - DateTime === - ReportTime === - DetectTime === - StartTime === - EndTime ==================================================================== --> <!ELEMENT DateTime(#PCDATA)> <!ATTLIST DateTime ntpstamp CDATA #IMPLIED > <!ELEMENT ReportTime (#PCDATA)> <!ATTLIST ReportTime ntpstamp CDATA #IMPLIED > <!ELEMENT DetectTime (#PCDATA)> <!ATTLIST DetectTime ntpstamp CDATA #IMPLIED > <!ELEMENT StartTime (#PCDATA)> <!ATTLIST StartTime ntpstamp CDATA #IMPLIED > Meijer, et al. Expires March 29, 2004 [Page 66] Internet-Draft IODEF Data Model and Implementation September 2003(#PCDATA)> <!ELEMENTEndTimeReportTime (#PCDATA)> <!ELEMENT DetectTime (#PCDATA)> <!ATTLIST DetectTime <!ELEMENT StartTime (#PCDATA)> <!ELEMENT EndTimentpstamp CDATA #IMPLIED >(#PCDATA)> <!-- ==================================================================== === History class === === - HistoryItem ==================================================================== --> <!ELEMENT History (HistoryItem+)> <!ATTLIST History restriction %attvals.restriction; #IMPLIED > <!ELEMENT HistoryItem (DateTime, IncidentID?, Description+)> <!ATTLIST HistoryItem type %attvals.historycat; #IMPLIED restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== === Expectation class === Meijer, et al. Expires May 10, 2005 [Page 58] Internet-Draft IODEF Data Model and Implementation November 2004 ==================================================================== --> <!ELEMENT Expectation (Description+, Contact?, StartTime?, EndTime?)> <!ATTLIST Expectation priority %attvals.priority; #IMPLIED restriction %attvals.restriction; #IMPLIED category %attvals.expectcat; #IMPLIED > <!-- ==================================================================== === Method class === === - Classification ==================================================================== --> <!ELEMENT Method (Classification*, Description*)> <!ATTLIST Method restriction %attvals.restriction; #IMPLIED > <!ELEMENT Classification (name, url?)> <!ATTLIST Classification restriction %attvals.restriction; #IMPLIED origin %attvals.origin; "other" > <!-- ==================================================================== === Assessment class ===Meijer, et al. Expires March 29, 2004 [Page 67] Internet-Draft IODEF Data Model and Implementation September 2003=== - Impact === - TimeImpact === - MonetaryImpact === - LifeImpact === - Confidence ==================================================================== --> <!ELEMENT Assessment (Impact*, TimeImpact*, MonetaryImpact*, LifeImpact*, Confidence?)> <!ATTLIST Assessment restriction %attvals.restriction; #IMPLIED > <!ELEMENT Impact (#PCDATA)> <!ATTLIST Impactrestriction %attvals.restriction; #IMPLIEDseverity %attvals.severity; #IMPLIED completion %attvals.completion; #IMPLIED type %attvals.impacttype; "unknown" lang NMTOKEN #IMPLIED > <!ELEMENT TimeImpact (#PCDATA)> <!ATTLIST TimeImpactrestriction %attvals.restriction; #IMPLIEDseverity %attvals.severity; #IMPLIED unit (labor | elapsed | downtime) #REQUIRED Meijer, et al. Expires May 10, 2005 [Page 59] Internet-Draft IODEF Data Model and Implementation November 2004 metric (days | hours | minutes | seconds) "hours" > <!ELEMENT MonetaryImpact (#PCDATA)> <!ATTLIST MonetaryImpactrestriction %attvals.restriction; #IMPLIEDseverity %attvals.severity; #IMPLIED currency CDATA #REQUIRED > <!ELEMENT LifeImpact (#PCDATA)> <!ATTLIST LifeImpactrestriction %attvals.restriction; #IMPLIEDseverity %attvals.severity; #IMPLIED metric (deaths | injuries) #REQUIRED > <!ELEMENT Confidence EMPTY> <!ATTLIST Confidence rating %attvals.rating; #REQUIRED > <!-- ==================================================================== === EventData class === ==================================================================== --> <!ELEMENT EventData (Description*,Contact*, ReportTime?,DetectTime?, StartTime?, EndTime?,Expectation?, System*, Method*,Contact*, Assessment?, Method*, Flow*, EventData*,History?,Record?, AdditionalData*)>Meijer, et al. Expires March 29, 2004 [Page 68] Internet-Draft IODEF Data Model and Implementation September 2003<!ATTLIST EventData restriction %attvals.restriction; #IMPLIED > <!-- ==================================================================== === Flow and System class === === Note. Represents merged Source and Target classes ofIDMFIDMEF === (sections 4.2.4.3, 4.2.4.4) ==================================================================== --> <!ELEMENT Flow (System+)> <!ELEMENT System (Node,User*, Process*,Service*,FileList?)>Counter*)> <!ATTLIST System category %attvals.systemcat; #IMPLIED spoofed %attvals.spoofed; "unknown" interface CDATA #IMPLIED restriction %attvals.restriction; #IMPLIED > <!-- ======================================================================= FileList====== Node classIDMEF (4.2.7.5) === === - File === - access-time === - change-time === - create-time===- modify-time === - c-major-device=== -c-minor-deviceAddress === -data-sizeNodeRole === -disk-size ==================================================================== --> <!ELEMENT FileList (File+)> <!ENTITY % attvals.filecat " ( current | original ) "> <!ELEMENT File (name, path, create-time?, modify-time?, access-time?, data-size?, disk-size?, FileAccess*, Linkage*, Inode?)> <!ATTLIST File ident CDATA "0" category %attvals.filecat; #REQUIRED fstype CDATA #REQUIRED > <!ELEMENT access-time (#PCDATA)> <!ELEMENT change-time (#PCDATA)> <!ELEMENT create-time (#PCDATA)> <!ELEMENT modify-time (#PCDATA)> <!ELEMENT c-major-device (#PCDATA)> <!ELEMENT c-minor-device (#PCDATA)> <!ELEMENT data-size (#PCDATA)>Location Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page69]60] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 <!ELEMENT disk-size (#PCDATA)> <!ELEMENT major-device (#PCDATA)> <!ELEMENT minor-device (#PCDATA)> <!ELEMENT Linkage ((name, path) | File)> <!ATTLIST Linkage category %attvals.linkcat; #REQUIRED > <!ELEMENT FileAccess (UserId, permission+)> <!ELEMENT Inode (change-time?, (number, major-device, minor-device)?, (c-major-device, c-minor-device)?)> <!-- ==================================================================== ====== Node class === === - Address === - NodeRole === - LocationNovember 2004 === - name === Note. IODEF Node class is extended IDMEF Node class (4.2.7.1): === <!ELEMENT Node ( location?, (name | Address), Address* )> ==================================================================== --> <!ELEMENT Node (name?, Address*, DateTime?, Location?,NodeRole*)>NodeRole*, Counter*)> <!ATTLIST Node category %attvals.nodecat; "unknown" > <!ELEMENT Address(address, netmask?)>(#PCDATA)> <!ATTLIST Addressident CDATA "0"category %attvals.addrcat;"unknown""ipv4-addr" vlan-name CDATA #IMPLIED vlan-num CDATA #IMPLIED > <!ELEMENTaddress (#PCDATA)> <!ELEMENT netmask (#PCDATA)> <!ELEMENTLocation (#PCDATA)> <!ATTLIST Location lang NMTOKEN #IMPLIED > <!ELEMENT NodeRole (#PCDATA)> <!ATTLIST NodeRole category %attvals.noderolecat; "other" lang NMTOKEN #IMPLIED > <!-- ======================================================================= User class === === - UserID ==================================================================== --> Meijer, et al. Expires March 29, 2004 [Page 70] Internet-Draft IODEF Data Model and Implementation September 2003 <!ELEMENT User (UserId+)> <!ATTLIST User ident CDATA "0" category %attvals.usercat; "unknown" > <!ELEMENT UserId ( (number, name?) | (name, number?))> <!ATTLIST UserId ident CDATA "0" type %attvals.idtype; "original-user" > <!ELEMENT number (#PCDATA)> <!-- ==================================================================== === Process class === === IDMEF (4.2.7.3) === <!ELEMENT Process (name, pid?, path?, arg*, env* )> ======================================================================= Counter class === ==================================================================== --> <!ELEMENTProcess (name, pid?, path?, arg*, env*)>Counter (#PCDATA)> <!ATTLISTProcess identCounter type (packet | session | event | other ) "other" meaning CDATA"0"#IMPLIED ><!ELEMENT env (#PCDATA)> <!ELEMENT pid (#PCDATA)><!-- ==================================================================== === Service Class === === - port === - portlist ===- protocol === - SNMPService === - WebService === - url, cgi, arg, http-method === - SNMPService === - oid, community, command ===IDMEF (4.2.7.4) ==================================================================== --> <!ELEMENT Service(((name?, port),((port | portlist),protocol?, SNMPService?, WebService?)>Application?)> <!ATTLIST Serviceidentip_version CDATA"0" > <!ELEMENT port (#PCDATA)> <!ELEMENT portlist (#PCDATA)> <!ELEMENT protocol (#PCDATA)> <!-- ====== Web Service ====== -->"4" ip_protocol CDATA #REQUIRED Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page71]61] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 <!ELEMENT WebService (url, cgi?, http-method?, arg*)> <!ELEMENT cgi (#PCDATA)> <!ELEMENT arg (#PCDATA)> <!ELEMENT http-method (#PCDATA)> <!-- ====== SNMPService ====== --> <!ELEMENT SNMPService (oid?, community?, command?)>November 2004 > <!ELEMENToidport (#PCDATA)> <!ELEMENTcommunityportlist (#PCDATA)> <!ELEMENTcommand (#PCDATA)>Application (name, url?)> <!ATTLIST Application appid CDATA "0" configid CDATA "0" vendor_name CDATA #IMPLIED version CDATA #IMPLIED > <!-- ==================================================================== === Record class === === - RecordData === - Analyzer === - RecordItem ==================================================================== --> <!ELEMENT Record (RecordData+)> <!ATTLIST Record restriction %attvals.restriction; #IMPLIED > <!ELEMENT RecordData (Description*, DateTime?, Analyzer?, RecordItem+)> <!ATTLIST RecordData ident CDATA "0" restriction %attvals.restriction; #IMPLIED > <!--Element Analyzer of IODEF is re-used from IDMEF (4.2.4.1) --> <!ELEMENT Analyzer (Node?, Process?)> <!ATTLIST Analyzer analyzerid CDATA "0" manufacturer CDATA #IMPLIED model CDATA #IMPLIED version CDATA #IMPLIED class CDATA #IMPLIED ostype CDATA #IMPLIED osversion CDATA #IMPLIED > <!--Element Process of IODEF is re-used from IDMEF (4.2.7.3) --> <!ELEMENT Process (name, pid?, path?, arg*, env*)> <!ATTLIST Process ident CDATA "0" > <!ELEMENT env (#PCDATA)> <!ELEMENT pid (#PCDATA)> Meijer, et al. Expires May 10, 2005 [Page 62] Internet-Draft IODEF Data Model and Implementation November 2004 <!ELEMENT path (#PCDATA)> <!ELEMENT RecordItem ANY> <!ATTLIST RecordItem dtype %attvals.dtype; #REQUIRED > <!-- ==================================================================== === Simple classes containing multilingual content === === - Description === - Contact.NameMeijer, et al. Expires March 29, 2004 [Page 72] Internet-Draft IODEF Data Model and Implementation September 2003==================================================================== --> <!ELEMENT Description ANY> <!ATTLIST Description preserve %attvals.preserve; #IMPLIED transform %attvals.transform; #IMPLIED lang NMTOKEN #IMPLIED > <!ELEMENT Name ANY> <!ATTLIST Name preserve %attvals.preserve; #IMPLIED transform %attvals.transform; #IMPLIED lang NMTOKEN #IMPLIED > <!-- ==================================================================== === Miscellaneous simple classes === === -pathurl === -urlname ==================================================================== --> <!ELEMENT name (#PCDATA)> <!ATTLIST name lang NMTOKEN #IMPLIED > <!ELEMENTpath (#PCDATA)> <!ELEMENTurl (#PCDATA)> <!-- ==================================================================== === Attribute list declarations. === ==================================================================== --> <!-- | Attributes of the IODEF element. In general, the fixed value | of this attribute will change each time a new version of | the DTD is released. --> <!-- Meijer, et al. Expires May 10, 2005 [Page 63] Internet-Draft IODEF Data Model and Implementation November 2004 ==================================================================== === SECTION 2. Attribute value declarations. Enumerated values === === for the many element-specific attribute lists. === ==================================================================== --> <!-- | Defines purpose of the Incident --> <!ENTITY % attvals.purpose " ( handling | statistics | warning | other )Meijer, et al. Expires March 29, 2004 [Page 73] Internet-Draft IODEF Data Model and Implementation September 2003"> <!-- | Defines restriction on access to an element's content --> <!ENTITY % attvals.restriction " ( default | public | need-to-know | private ) "> <!-- | Values for the Expectation.expectcat attributes --> <!ENTITY % attvals.expectcat " ( nothing | contact-site | contact-me | investigate | block | other ) "> <!-- | Values for the AdditionalData.type attribute. --> <!ENTITY % attvals.adtype " ( boolean | byte | character | date-time | integer | ntpstamp | portlist | real | string | xml ) "> <!-- | Values for the RecordItem.type attribute --> <!ENTITY % attvals.dtype " ( boolean | byte | character | date-time | integer | ntpstamp | portlist | real | string | file | path | url | xml ) "> <!-- | Values for the History.type attribute. --> <!ENTITY % attvals.historycat " ( triaged | notification | shared-info | received-info | remediation | other ) "> <!-- | Values for the Address.category attribute. --> Meijer, et al. Expires May 10, 2005 [Page 64] Internet-Draft IODEF Data Model and Implementation November 2004 <!ENTITY % attvals.addrcat " (unknown |atm |e-mail | lotus-notes |mac | sna |vm |ipv4-addr |ipv4-addr-hex |ipv4-net | ipv4-net-mask | ipv6-addr |ipv6-addr-hex |ipv6-net | ipv6-net-mask | asn | vm | e-mail | lotus-notes ) "> <!-- | Values for the Id.type attribute. --> <!ENTITY % attvals.idtype " ( current-user | original-user | target-user | user-privs |Meijer, et al. Expires March 29, 2004 [Page 74] Internet-Draft IODEF Data Model and Implementation September 2003current-group | group-privs ) "> <!-- | Values for theImpact.completion attribute. --> <!ENTITY % attvals.completion " ( failed | succeeded ) "> <!-- | Values for the File.categoryImpact.completion attribute. --> <!ENTITY %attvals.filecatattvals.completion " (currentfailed |originalsucceeded ) "> <!-- | Values for the Impact.type attribute. --> <!ENTITY % attvals.impacttype " ( none | admin | dos | file | recon | user | unknown | other ) "> <!-- | Values for theLinkage.category attribute. --> <!ENTITY % attvals.linkcat " ( hard-link | mount-point | reparse-point | shortcut | stream | symbolic-link ) "> <!-- | Values for theRegistryHandle.type attribute. --> <!ENTITY % attvals.registrytype " ( internic | apnic | arin | lacnic | ripencc |ti |local ) "> <!-- | Values for the Confidence.rating attribute. --> <!ENTITY % attvals.rating " ( low | medium | high | numeric | unknown ) "> <!-- | Values for the Impact.severity attribute. --> <!ENTITY % attvals.severity " ( low | medium | high ) "> <!ENTITY % attvals.priority " ( low | medium | high ) "> Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page75]65] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 ">November 2004 <!-- | Values for the Node.category attribute. --> <!ENTITY % attvals.nodecat " ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos | nds | nis | nisplus | nt | wfw ) "> <!-- | Values for the NodeRole.category attribute. --> <!ENTITY % attvals.noderolecat " ( client | server-internal | server-public | www | mail | messaging | streaming | voice | file | ftp | p2p | name | directory | credential | print | application | database | infra | log | other ) "> <!-- | Values for the Classification.origin attribute. --> <!ENTITY % attvals.origin " ( bugtraqid | cve | certcc | vendor | local | other) "> <!-- | Values for theUser.category attribute. --> <!ENTITY % attvals.usercat " ( unknown | application | os-device ) "> <!-- | Values for theSystem.spoofed attribute --> <!ENTITY % attvals.spoofed " ( unknown | yes | no ) "> <!-- | Values for the System.category attribute --> <!ENTITY % attvals.systemcat " ( source | target | intermediate ) "> <!-- | Values for the MultilingText.preserve and MultilingText.transform attribute --> <!ENTITY % attvals.preserve " ( yes | no ) "> <!ENTITY % attvals.transform "Meijer, et al. Expires March 29, 2004 [Page 76] Internet-Draft IODEF Data Model and Implementation September 2003( none |Base64 | QP | stringprep | zip | URI ) "> <!-- Full Copyright Statement Copyright (C) The Internet Society (2002). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society. -->Base64 | QP | stringprep | zip | URI ) "> Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page77]66] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 9. Security considerations Due to the sensitive nature of some of the data that might be represented in the IODEF, the integrity, confidentiality, and non-repudiation of these documents in transit SHOULD be ensured. Although this protection can be provided by the transport mechanism, applying this security toan instance ofthe IODEF document itself is RECOMMENDED.However, the specific protective measures applied to an IODEF document (be in through XML or the underlying transport protocol) should be driven by the requirements ofWhen used, thecollaborators. Theapplied protective measures MUST use cryptographic techniques. XML Digital Signatures[16][14] SHOULD be used for ensuring integrity and non-repudiation,andwhile XML Encryption[17][15] SHOULD be used to ensure the confidentiality of an IODEF document. Examples using signatures and encryption on an IODEF document can be found inthe Examples chapter (Section 7):Section 7: o IODEF-Document with XML signature (Section 7.2) o IODEF-Document encrypted using XML encryption (Section 7.3) o IODEF-Document encrypted and signed using XML signature & encryption (Section 7.4)InformationAdditional information onthe implementation-specifics ofapplying XML Digital Signatures and XML Encryption to anIODEF-DocumentIODEF document can be found in the IODEF Implementation Guide[20]. When using cryptographic techniques the issue of key management (whether symmetric or public key cryptography is used) must be addressed. Overall security measures must be applied to secure the IODEF-Document processing environment. The definition of these measures is outside the scope of this memo.[18]. Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page78]67] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 10. IANA considerations Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page79]68] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 11. Acknowledgments The following groups contributed substantially to this document and should be recognized for their efforts.This document would not exist without their help:o the Incident Object Description and Exchange Format Working-Group of the TERENA task-force (TF-CSIRT) o the eCSIRT.net project Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page80]69] Internet-Draft IODEF Data Model and ImplementationSeptember 2003November 2004 12. References 12.1 Normative References [1] Demchenko, Y., Hiroyuki, H. and G. Keeni, "Requirements for Format for Incident Report Exchange", RFC XXX,September 2003.November 2004. [2] World Wide Web Consortium, "Extensible Markup Language (XML) 1.0 (Second Edition)", , October 2000,<http://www.w3.org/TR/ 2000/REC-xml-20001006>.<http://www.w3.org/TR/2000/REC-xml-20001006>. [3] World Wide Web Consortium, "Namespaces in XML", , January 1999, <http://www.w3.org/TR/REC-xml-names/>. [4] World Wide Web Consortium, "Extensible Stylesheet Language (XSL) Version 1.0", , October 2001,<http://www.w3.org/TR/xsl/ >.<http://www.w3.org/TR/xsl/>. [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997. [6] Alvestrand, H., "Tags for the Identification of Languages", RFC 3066, January 2001. [7] Curry, D. and H. Debar, "Intrusion Detection Message Exchange Format", RFC XXX,January 2003.July 2004. [8] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 2396, August 1998. [9] Freed, N., "IANA Charset Registration Procedures", BCP 2278, January 1998. [10]Mills, D., "Network Time Protocol (Version 3) Specification, Implementation, and Analysis", BCP 2278, March 1992. [11] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI", RFC 2030, October 1996. [12]Wahl, M., "A Summary of the X.500(96) User Schema for use with LDAPv3", RFC 2256, December 1997.[13][11] Resnick, P., "Internet Message Format", RFC 2822, April 2001.[14][12] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July2002. [15] International Organization for Standardization, "International Standard: Data elements and interchange formats - Information Meijer, et al. Expires March 29, 2004 [Page 81] Internet-Draft IODEF Data Model and Implementation September 2003 interchange - Representation of dates and times", ISO 8601, Second Edition, December 2000. [16] Eastlake 3rd, D., Reagle, J. and D. Solo, "(Extensible Markup Language) XML-Signature Syntax and Processing", RFC 3275, March 2002. [17] Imamura, T., Dillaway, B. and E. Simon, "XML Encryption Syntax and Processing, W3C Recommendation", December 2002, <http:// www.w3.org/TR/2002/REC-xmlenc-core-20021210/>. [18] International Organization for Standardization, "International Standard: Codes for the representation of currencies and funds, ISO 4217:2001", ISO 4217:2001, August 2001. Meijer, et al. Expires March 29, 2004 [Page 82] Internet-Draft IODEF2002. [13] International Organization for Standardization, "International Standard: DataModelelements andImplementation September 2003 Informative References [19] Rumbaugh, J., Jacobson, I.interchange formats - Information interchange - Representation of dates andG. Booch, "The Unified Modeling Language Reference Model, ISBN 020130998X, Addison-Wesley", 1998. [20] Helme, A.times", ISO 8601, Second Edition, December 2000. [14] Eastlake 3rd, D., Reagle, J. andR. Danyliw, "The IODEF Implementation Guide, document to be created by the INCH WG", 2003. Authors' Addresses Jan Meijer SURFnet bv P.O. Box 19035 Utrecht NL-3501 DA Netherlands Phone: +31 302 305 305 EMail: jan.meijer@surfnet.nl Roman Danyliw CERT Coordination Center 4500 Fifth Ave. Pittsburgh, PA 15213 USA Phone: +1 412 268 7090 EMail: rdd@cert.org Yuri Demchenko NLnet Labs Netherlands EMail: demch@chello.nlD. Solo, "(Extensible Markup Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page83]70] Internet-Draft IODEF Data Model and ImplementationSeptember 2003 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publicationNovember 2004 Language) XML-Signature Syntax andany assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information toProcessing", RFC 3275, March 2002. [15] Imamura, T., Dillaway, B. and E. Simon, "XML Encryption Syntax and Processing, W3C Recommendation", December 2002, <http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/>. [16] International Organization for Standardization, "International Standard: Codes for theIETF Executive Director.representation of currencies and funds, ISO 4217:2001", ISO 4217:2001, August 2001. 12.2 Informative References [17] Rumbaugh, J., Jacobson, I. and G. Booch, "The Unified Modeling Language Reference Model, ISBN 020130998X, Addison-Wesley", 1998. [18] Danyliw, R., "The IODEF Implementation Guide", RFC XXX, 2003. Authors' Addresses Jan Meijer SURFnet bv P.O. Box 19035 Utrecht NL-3501 DA Netherlands Phone: +31 302 305 305 EMail: jan.meijer@surfnet.nl Roman Danyliw CERT Coordination Center 4500 Fifth Ave. Pittsburgh, PA 15213 USA Phone: +1 412 268 7090 EMail: rdd@cert.org Yuri Demchenko NLnet Labs Netherlands EMail: demch@chello.nl Meijer, et al. Expires May 10, 2005 [Page 71] Internet-Draft IODEF Data Model and Implementation November 2004 Full Copyright Statement Copyright (C) The Internet Society(2003). All Rights Reserved.(2004). This documentand translations of it may be copied and furnishedis subject toothers, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided thattheabove copyright notice and this paragraph are included on all such copiesrights, licenses andderivative works. However, this document itself may not be modifiedrestrictions contained inany way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations,BCP 78, and except asneeded for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked byset forth therein, theInternet Society or its successors or assignees.authors retain all their rights. This document and the information contained hereinisare provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE REPRESENTS THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCEDISCLAIMSDISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATIONMeijer, et al. Expires March 29, 2004 [Page 84] Internet-Draft IODEF Data Model and Implementation September 2003HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.Acknowledgement Funding for the RFC Editor function is currently provided by the Internet Society.Meijer, et al. ExpiresMarch 29, 2004May 10, 2005 [Page85]72] ----