Protocol Independent (Hardened) Bandwidth
draft-hao-rtgwg-ip-hard-pipes-03

Internet-Draft                  IODEFv2                      June 2015

      5.  session.  Sessions.

      6.  alert.  Notifications generated by another system (e.g., IDS
          or SIM).

      7.  message.  Messages (e.g., mail messages).

      8.  event.  Events.

      9.  host.  Hosts.

      10.  site.  Site.

      11.  organization.  Organizations.

      12.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

  ext-unit
      Optional.  STRING.  A means by which to extend the unit attribute.
      See Section 5.1.1.

  meaning
      Optional.  STRING.  A free-form description of the metric
      represented by the Counter.

  duration
      Optional.  ENUM.  If present, the Counter class represents a rate.
      This attribute specifies unit of time over which the rate whose
      units are specified in the unit attribute is being conveyed.  This
      attribute is the the denominator of the rate (where the unit
      attribute specified the nominator).  The possible values of this
      attribute are defined in Section 3.14.3

  ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.21.  DomainData Class

  The DomainData class describes a domain name and meta-data associated
  with this domain.

Danyliw & Stoecker      Expires December 20, 2015              [Page 68]
Internet-Draft                  IODEFv2                      June 2015

  +--------------------------+
  | DomainData              |
  +--------------------------+
  | ENUM system-status      |<>----------[ Name                ]
  | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
  | ENUM domain-status      |<>--{0..1}--[ RegistrationDate    ]
  | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate      ]
  | ID observable-id        |<>--{0..*}--[ RelatedDNS          ]
  |                          |<>--{0..*}--[ Nameservers          ]
  |                          |<>--{0..1}--[ DomainContacts      ]
  |                          |
  +--------------------------+

                      Figure 37: The DomainData Class

  The aggregate classes that constitute DomainData are:

  Name
      One.  STRING.  The domain name of the Node (e.g., fully qualified
      domain name).

  DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the Name was
      resolved.

  RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when domain listed in Name
      was registered.

  ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      Name is set to expire.

  RelatedDNS
      Zero or more.  Additional DNS records associated with this domain.

  Nameservers
      Zero or more.  The name servers identified for the domain listed
      in Name.

  DomainContacts
      Zero or one.  Contact information for the domain listed in Name
      supplied by the registrar or through a whois query.

  The DomainData class has five attribute:

  system-status

Danyliw & Stoecker      Expires December 20, 2015              [Page 69]
Internet-Draft                  IODEFv2                      June 2015

      Required.  ENUM.  Assesses the domain's involvement in the event.
      These values are maintained in the "DomainData-system-status&New version available: draft-hao-rtgwg-ip-hard-pipes-03.txt

New version available: quot; IANA
      registry per Table 1.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain known.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

  ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.1.

  domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at
      the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the "DomainData-domain-
      status" IANA registry per Table 1.

      1.  reservedDelegation.  The domain is permanently inactive.

      2.  assignedAndActive.  The domain is in a normal state.

      3.  assignedAndInactive.  The domain has an assigned registration
          but the delegation is inactive.

      4.  assignedAndOnHold.  The domain is under dispute.

      5.  revoked.  The domain is in the process of being purged from
          the database.

      6.  transferPending.  The domain is pending a change in
          authority.

      7.  registryLock.  The domain is on hold by the registry.

      8.  registrarLock.  Same as "registryLock".

Danyliw & Stoecker      Expires December 20, 2015              [Page 70]
Internet-Draft                  IODEFv2                      June 2015

      9.  other.  The domain has a known status but it is not one of
          the redefined enumerated values.

      10.  unknown.  The domain has an unknown status.

      11.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

  ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.1.

  observable-id
      Optional.  ID.  See Section 3.3.2.

3.21.1.  RelatedDNS

  The RelatedDNS class describes additional record types associated
  with a given domain name.  The record type is described in the
  record-type attribute and the value of the record is the element
  content. ... TODO Issue #39 ...

  +----------------------+
  | RelatedDNS          |
  +----------------------+
  | STRING              |
  |                      |
  | ENUM record-type    |
  +----------------------+

                      Figure 38: The RelatedDNS Class

  The RelatedDNS class has one attribute:

  record-type
      Required.  ENUM.  The DNS record type.  ... TODO values need to be
      listed ...

3.21.2.  Nameservers Class

  The Nameservers class describes the name servers associated with a
  given domain.

Danyliw & Stoecker      Expires December 20, 2015              [Page 71]
Internet-Draft                  IODEFv2                      June 2015

  +--------------------+
  | Nameservers        |
  +--------------------+
  |                    |<>----------[ Server  ]
  |                    |<>--{1..*}--[ Address ]
  +--------------------+

                    Figure 39: The Nameservers Class

  The aggregate classes that constitute Nameservers are:

  Server
      One.  STRING.  The domain name of the name server.

  Address
      One or more.  The address of the name server.  See Section 3.20.1.

3.21.3.  DomainContacts Class

  The DomainContacts class describes the contact information for a
  given domain provided either by the registrar or through a whois
  query.

  This contact information can be explicitly described through a
  Contact class or a reference can be provided to a domain with
  identical contact information.  Either a single SameDomainContact
  MUST be present or one or many Contact classes.

  +--------------------+
  | DomainContacts    |
  +--------------------+
  |                    |<>--{0..1}--[ SameDomainContact ]
  |                    |<>--{1..*}--[ Contact ]
  +--------------------+

                    Figure 40: The DomainContacts Class

  The aggregate classes that constitute DomainContacts are:

  SameDomainContact
      Zero or one.  STRING.  A domain name already cited in this
      document or through previous exchange that contains the identical
      contact information as the domain name in question.  The domain
      contact information associated with this domain should be used in
      lieu of explicit definition with the Contact class.

  Contact

Danyliw & Stoecker      Expires December 20, 2015              [Page 72]
Internet-Draft                  IODEFv2                      June 2015

      One or more.  Contact information for the domain.  See
      Section 3.10.

3.22.  Service Class

  The Service class describes a network service of a host or network.
  The service is identified by specific port or list of ports, along
  with the application listening on that port.

  When Service occurs as an aggregate class of a System that is a
  source, then this service is the one from which activity of interest
  is originating.  Conversely, when Service occurs as an aggregate
  class of a System that is a target, then that service is the one to
  which activity of interest is directed.

  This class was derived from [RFC4765].

  +-------------------------+
  | Service                |
  +-------------------------+
  + INTEGER ip-protocol    |<>--{0..1}--[ ServiceName      ]
  | ID observable-id        |<>--{0..1}--[ Port              ]
  |                        |<>--{0..1}--[ Portlist          ]
  |                        |<>--{0..1}--[ ProtoCode        ]
  |                        |<>--{0..1}--[ ProtoType        ]
  |                        |<>--{0..1}--[ ProtoField        ]
  |                        |<>--{0..*}--[ ApplicationHeader ]
  |                        |<>--{0..1}--[ EmailData        ]
  |                        |<>--{0..1}--[ Application      ]
  +-------------------------+

                      Figure 41: The Service Class

  The aggregate classes that constitute Service are:

  ServiceName
      Zero or one.  STRING.  The name of the service per the "Service
      Name" field of the [IANA.Ports] registry.

  Port
      Zero or one.  INTEGER.  A port number.

  Portlist
      Zero or one.  PORTLIST.  A list of port numbers formatted
      according to Section 2.10.

  ProtoCode

Danyliw & Stoecker      Expires December 20, 2015              [Page 73]
Internet-Draft                  IODEFv2                      June 2015

      Zero or one.  INTEGER.  A transport layer (layer 4) protocol-
      specific code field (e.g., ICMP code field).

  ProtoType
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol
      specific type field (e.g., ICMP type field).

  ProtoField
      Zero or one.  INTEGER.  A transport layer (layer 4) protocol
      specific flag field (e.g., TCP flag field).

  ApplicationHeader
      Zero or more.  An application layer (layer 7) protocol header.
      See Section 3.22.1.

  EmailData
      Zero or one.  Headers associated with an email.  See Section 3.24.

  Application
      Zero or one.  The application bound to the specified Port or
      Portlist.  See Section 3.22.2.

  Either a Port or Portlist class MUST be specified for a given
  instance of a Service class.

  When a given System classes with category="source" and another with
  category="target" are aggregated into a single Flow class, and each
  of these System classes has a Service and Portlist class, an implicit
  relationship between these Portlists exists.  If N ports are listed
  for a System@category="sourcegt;
            <xs:element ref="iodef:Application"/>
            <xs:element ref="iodef:Description"
                        minOccurs="0" maxOccurs="unbounded"/>
            <xs:element name="DetectionConfiguration"
                        type="xs:string"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="restriction"
                        type="iodef:restriction-type"/>
          <xs:attribute name="ext-restriction"
                        type="xs:string" use="optional"/>
        </xs:complexType>
      </xs:element>

    <!--
      ==================================================================
      ==  Method class                                                ==
      ==================================================================
    -->
      <xs:element name="Method">
        <xs:complexType>
          <xs:sequence>
            <xs:choice maxOccurs="unbounded">
              <xs:element ref="iodef:Reference"/>
              <xs:element ref="iodef:Description"/>
            </xs:choice>
            <xs:element ref="iodef:AdditionalData"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="restriction"
                        type="iodef:restriction-type"/>
          <xs:attribute name="ext-restriction"
                        type="xs:string" use="optional"/>
        </xs:complexType>
      </xs:element>

    <!--
      ==================================================================
      ==  Reference class                                            ==
      ==================================================================
    -->
      <xs:element name="Reference">

Danyliw & Stoecker      Expires December 20, 2015            [Page 129]
Internet-Draft                  IODEFv2                      June 2015

        <xs:complexType>
          <xs:sequence>
            <xs:element ref="enum:ReferenceName"
                        minOccurs="0" />
            <xs:element ref="iodef:URL"
                        minOccurs="0" maxOccurs="unbounded"/", and M ports are listed for
  System@category="target", the number of ports in N must be equal to
  M.  Likewise, the ports MUST be listed in an identical sequence such
  that the n-th port in the source corresponds to the n-th port of the
  target.  If N is greater than 1, a given instance of a Flow class
  MUST only have a single instance of a System@category="source" and
  System@category="target".

  The Service class has two attributes:

  ip-protocol
      Required.  INTEGER.  The IANA assigned IP protocol number per
      [IANA.Protocols].

  observable-id
      Optional.  ID.  See Section 3.3.2.

Danyliw & Stoecker      Expires December 20, 2015              [Page 74]
Internet-Draft                  IODEFv2                      June 2015

3.22.1.  ApplicationHeader Class

  The ApplicationHeader class allows the representation of arbitrary
  fields from an application layer protocol header and its
  corresponding value.

  +--------------------------+
  | ApplicationHeader        |
  +--------------------------+
  | ANY                      |
  |                          |
  | INTEGER proto            |
  | STRING proto-name        |
  | STRING field            |
  | ENUM dtype              |
  | STRING ext-dtype        |
  | ID observable-id        |
  +--------------------------+

                  Figure 42: The ApplicationHeader Class

  The ApplicationHeader class has six attributes:

  proto
      Optional.  INTEGER.  The IANA assigned port number per the
      "Protocol Number" field of the [IANA.Ports] registry corresponding
      to the application layer protocol whose field will be represented.

  proto-name
      Optional.  STRING.  The IANA assigned service name per the
      "Service Name" field of the the [IANA.Ports] registry
      corresponding to the application layer protocol whose field will
      be represented.

  field
      Required.  STRING.  The name of the protocol field whose value
      will be found in the element body.

  dtype
      Required.  ENUM.  The data type of the element content.  The
      permitted values for this attribute are shown below.  The default
      value is "string".

      1.  boolean.  The element content is of type BOOLEAN.

      2.  byte.  The element content is of type BYTE.

      3.  bytes.  The element content is of type HEXBIN.

Danyliw & Stoecker      Expires December 20, 2015              [Page 75]
Internet-Draft                  IODEFv2                      June 2015

      4.  character.  The element content is of type CHARACTER.

      5.  date-time.  The element content is of type DATETIME.

      6.  integer.  The element content is of type INTEGER.

      7.  portlist.  The element content is of type PORTLIST.

      8.  real.  The element content is of type REAL.

      9.  string.  The element content is of type STRING.

      10.  file.  The element content is a base64 encoded binary file
          encoded as a BYTE[] type.

      11.  path.  The element content is a file-system path encoded as a
          STRING type.

      12.  xml.  The element content is XML.  See Section 5.

      13.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.1.

  ext-dtype
      Optional.  STRING.  A means by which to extend the dtype
      attribute.  See Section 5.1.1.

  observable-id
      Optional.  ID.  See Section 3.3.2.

  Either the proto or proto-name attribute MUST be set.  If both are
  set, they MUST correspond to the same entry in the registry.

3.22.2.  Application Class

  The Application class describes an application running on a System
  providing a Service.

Danyliw & Stoecker      Expires December 20, 2015              [Page 76]
Internet-Draft                  IODEFv2                      June 2015

  +--------------------+
  | Application        |
  +--------------------+
  | STRING swid        |<>--{0..1}--[ URL        ]
  | STRING configid    |
  | STRING vendor      |
  | STRING family      |
  | STRING name        |
  | STRING version    |
  | STRING patch      |
  +--------------------+

                    Figure 43: The Application Class

  The aggregate class that constitute Application is:

  URL
      Zero or one.  URL.  A URL describing the application.

  The Application class has seven attributes:

  swid
      Optional.  STRING.  An identifier that can be used to reference
      this software, where the default value is "0".

  configid
      Optional.  STRING.  An identifier that can be used to reference a
      particular configuration of this software, where the default value
      is "0".

  vendor
      Optional.  STRING.  Vendor name of the software.

  family
      Optional.  STRING.  Family of the software.

  name
      Optional.  STRING.  Name of the software.

  version
      Optional.  STRING.  Version of the software.

  patch
      Optional.  STRING.  Patch or service pack level of the software.

Danyliw & Stoecker      Expires December 20, 2015              [Page 77]
Internet-Draft                  IODEFv2                      June 2015

3.23.  OperatingSystem Class

  The OperatingSystem class describes the operating system running on a
  System.  The definition is identical to the Application class
  (Section 3.22.2).

3.24.  EmailData Class

  The EmailData class describes headers from an email message.  Common
  headers have dedicated classes, but arbitrary headers can also be
  described.

  +-------------------------+
  | EmailData              |
  +-------------------------+
  | ID observable-id        |<>--{0..1}--[ EmailFrom        ]
  |                        |<>--{0..1}--[ EmailSubject    ]
  |                        |<>--{0..1}--[ EmailX-Mailer    ]
  |                        |<>--{0..*}--[ EmailHeaderField ]
  |                        |<>--{0..*}--[ HashData        ]
  |                        |<>--{0..*}--[ SignatureData    ]
  +-------------------------+

                        Figure 44: EmailData Class

  The aggregate class that constitutes EmailData are:

  EmailFrom
      Zero or one.  The value of the "From:" header field in an email.
      See Section 3.6.2 of [RFC5322].

  EmailSubject
      Zero or one.  The value of the "Subject:" header field in an
      email.  See Section 3.6.4 of [RFC5322].

  EmailX-Mailer
      Zero or one.  The value of the "X-Mailer:" header field in an
      email.

  EmailHeaderField
      Zero or one.  The value of an arbitrary header field in the email.
      See Section 3.22.1.  The attributes of EmailHeaderField MUST be
      set as follows: proto="25" or proto-name="smtp", or both can be
      set; and dtype="string".  The name of the email header field MUST
      be set in the field attribute.

  HashData
      Zero or One.  Hash(es) associated with this email.

Danyliw & Stoecker      Expires December 20, 2015              [Page 78]
Internet-Draft                  IODEFv2                      June 2015

  SignatureData
      Zero or One.  Signature(s) associated with this email.

  The EmailData class has one attribute:

  observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.  Record Class

  The Record class is a container class for log and audit data that
  provides supportive information about the incident.  The source of
  this data will often be the output of monitoring tools.  These logs
  substantiate the activity described in the document.

  +------------------------+
  | Record                |
  +------------------------+
  | ENUM restriction      |<>--{1..*}--[ RecordData ]
  | STRING ext-restriction |
  +------------------------+

                          Figure 45: Record Class

  The aggregate class that constitutes Record is:

  RecordData
      One or more.  Log or audit data generated by a particular type of
      sensor.  Separate instances of the RecordData class SHOULD be used
      for each sensor type.

  The Record class has two attributes:

  restriction
      Optional.  ENUM.  See Section 3.3.1.

  ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

3.25.1.  RecordData Class

  The RecordData class groups log or audit data from a given sensor
  (e.g., IDS, firewall log) and provides a way to annotate the output.

Danyliw & Stoecker      Expires December 20, 2015              [Page 79]
Internet-Draft                  IODEFv2                      June 2015

  +------------------------+
  | RecordData            |
  +------------------------+
  | ENUM restriction      |<>--{0..1}--[ DateTime              ]
  | STRING ext-restriction |<>--{0..*}--[ Description            ]
  | ID observable-id      |<>--{0..1}--[ Application            ]
  |                        |<>--{0..*}--[ RecordPattern          ]
  |                        |<>--{0..*}--[ RecordItem            ]
  |                        |<>--{0..*}--[ FileData              ]
  |                        |<>--{0..*}--[ CertificateData        ]
  |                        |<>--{0..*}--
  |                        |      [ WindowsRegistryKeysModified ]
  |                        |<>--{0..*}--[ AdditionalData        ]
  +------------------------+

                      Figure 46: The RecordData Class

  The aggregate classes that constitutes RecordData is:

  DateTime
      Zero or one.  Timestamp of the RecordItem data.

  Description
      Zero or more.  ML_STRING.  Free-form textual description of the
      provided RecordItem data.  At minimum, this description should
      convey the significance of the provided RecordItem data.

  Application
      Zero or one.  Information about the sensor used to generate the
      RecordItem data.

  RecordPattern
      Zero or more.  A search string to precisely find the relevant data
      in a RecordItem.

  RecordItem
      Zero or more.  Log, audit, or forensic data.

  FileData
      Zero or one.  The file name and hash of a file indicator.

  WindowsRegistryKeysModified
      Zero or more.  The registry keys that were modified that are
      indicator(s).

  AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

Danyliw & Stoecker      Expires December 20, 2015              [Page 80]
>
            <xs:element ref="iodef:Description"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="observable-id"
                        type="xs:ID" use="optional"/>
        </xs:complexType>
      </xs:element>

    <!--
      ==================================================================
      ==  Assessment class                                            ==
      ==================================================================
    -->
      <xs:element name="Assessment">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="IncidentCategory"
                        type="iodef:MLStringType"
                        minOccurs="0" maxOccurs="unbounded"/>
            <xs:choice maxOccurs="unbounded">
              <xs:element ref="iodef:SystemImpact"/>
              <xs:element name="BusinessImpact"
                          type="iodef:BusinessImpactType" />
              <xs:element ref="iodef:TimeImpact"/>
              <xs:element ref="iodef:MonetaryImpact"/>
              <xs:element name="IntendedImpact"
                          type="iodef:BusinessImpactType"/>
            </xs:choice>
            <xs:element ref="iodef:Counter"
                        minOccurs="0" maxOccurs="unbounded"/>
            <xs:element name="MitigatingFactor"
                        type="iodef:MLStringType"
                        minOccurs="0" maxOccurs="unbounded"/>
            <xs:element ref="iodef:Confidence" minOccurs="0"/>
            <xs:element ref="iodef:AdditionalData"
                        minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
          <xs:attribute name="occurrence">
            <xs:simpleType>
              <xs:restriction base="xs:NMTOKEN">
                <xs:enumeration value="actual"/>
                <xs:enumeration value="potential"/>

Danyliw & Stoecker      Expires December 20, 2015            [Page 130]
Internet-Draft                  IODEFv2                      June 2015

              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="restriction"
                        type="iodef:restriction-type"/>
          <xs:attribute name="ext-restriction"
                        type="xs:string" use="optional"/>
          <xs:attribute name=Internet-Draft                  IODEFv2                      June 2015

  The RecordData class has three attributes:

  restriction
      Optional.  ENUM.  See Section 3.3.1.

  ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

  observable-id
      Optional.  ID.  See Section 3.3.2.

3.25.2.  RecordPattern Class

  The RecordPattern class describes where in the content of the
  RecordItem relevant information can be found.  It provides a way to
  reference subsets of information, identified by a pattern, in a large
  log file, audit trail, or forensic data.

  +-----------------------+
  | RecordPattern        |
  +-----------------------+
  | STRING                |
  |                      |
  | ENUM type            |
  | STRING ext-type      |
  | INTEGER offset        |
  | ENUM offsetunit      |
  | STRING ext-offsetunit |
  | INTEGER instance      |
  +-----------------------+

                    Figure 47: The RecordPattern Class

  The specific pattern to search with in the RecordItem is defined in
  the body of the element.  It is further annotated by six attributes:

  type
      Required.  ENUM.  Describes the type of pattern being specified in
      the element content.  The default is "regex".  These values are
      maintained in the "RecordPattern-type" IANA registry per Table 1.

      1.  regex.  regular expression as defined by POSIX Extended
          Regular Expressions (ERE) in Chaper 9 of [IEEE.POSIX].

      2.  binary.  Binhex encoded binary pattern, per the HEXBIN data
          type.

draft-hao-rtgwg-ip-hard-pipes-02.txt