Protocol Independent (Hardened) Bandwidth
draft-hao-rtgwg-ip-hard-pipes-03
Document history
| Date | Rev. | By | Action |
|---|---|---|---|
| 2017-12-15 | 03 | (System) | Document has expired |
| 2017-06-13 | 03 | Loa Andersson | New version available: draft-hao-rtgwg-ip-hard-pipes-03.txt |
| 2017-06-13 | 03 | (System) | New version approved |
| 2017-06-13 | 03 | (System) | Request for posting confirmation emailed to previous authors: Soh Hock, JiangTao Hao, Gang Gai, Loa Andersson |
| 2017-06-13 | 03 | Loa Andersson | Uploaded new revision |
| 2016-12-18 | 02 | Loa Andersson | New version available: draft-hao-rtgwg-ip-hard-pipes-02.txt |
| 2016-12-18 | 02 | (System) | New version approved |
| 2016-12-18 | 02 | (System) | Request for posting confirmation emailed to previous authors: "Loa Andersson", "Gang Gai", "Soh Hock", "JiangTao Hao" |
| 2016-12-18 | 02 | Loa Andersson | Uploaded new revision |
| 2016-12-16 | 01 | Loa Andersson | New version available: draft-hao-rtgwg-ip-hard-pipes-01.txt |
| 2016-12-16 | 01 | (System) | New version approved |
| 2016-12-16 | 01 | (System) | Request for posting confirmation emailed to previous authors: "Loa Andersson", "Gang Gai", "JiangTao Hao" |
| 2016-12-16 | 01 | Loa Andersson | Uploaded new revision |
| 2016-12-15 | 00 | Loa Andersson | New version available: draft-hao-rtgwg-ip-hard-pipes-00.txt |
| 2016-12-15 | 00 | (System) | New version approved |
| 2016-12-15 | 00 | Loa Andersson | Request for posting confirmation emailed to submitter and authors: "Loa Andersson", "Gang Gai", "Jiangtao Hao" |
| 2016-12-15 | 00 | Loa Andersson | Uploaded new revision |