YANG Data Model for Monitoring I2NSF Network Security Functions
draft-hong-i2nsf-nsf-monitoring-data-model-04
The information below is for an old version of the document.
Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
---|---|---|---|
Authors | Dongjin Hong , Jaehoon Paul Jeong , Jinyong Tim Kim , Susan Hares , Liang Xia , Henk Birkholz | ||
Last updated | 2018-07-02 | ||
Replaced by | draft-ietf-i2nsf-nsf-monitoring-data-model, draft-ietf-i2nsf-nsf-monitoring-data-model | ||
RFC stream | (None) | ||
Formats | |||
Additional resources | |||
Stream | Stream state | (No stream defined) | |
Consensus boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | I-D Exists | |
Telechat date | (None) | ||
Responsible AD | (None) | ||
Send notices to | (None) |
draft-hong-i2nsf-nsf-monitoring-data-model-04
Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 | +--ro virus-name? string | +--ro file-type? string | +--ro file-name? string | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-intrusion | +--ro src-ip? inet:ipv4-address | +--ro dst-ip? inet:ipv4-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro protocol? identityref | +--ro app? string | +--ro sub-attack-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-botnet | +--ro src-ip? inet:ipv4-address | +--ro dst-ip? inet:ipv4-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro attack-type? identityref | +--ro protocol? identityref | +--ro botnet-name? string | +--ro role? string | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string Hong, et al. Expires January 3, 2019 [Page 7] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 | +--ro module-name? string | +--ro severity? severity +---n nsf-detection-web-attack | +--ro src-ip? inet:ipv4-address | +--ro dst-ip? inet:ipv4-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro rule-id uint8 | +--ro rule-name string | +--ro profile? string | +--ro raw-info? string | +--ro sub-attack-type? identityref | +--ro request-method? identityref | +--ro req-uri? string | +--ro uri-category? string | +--ro filtering-type* identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n system-access-log | +--ro login-ip inet:ipv4-address | +--ro administrator? string | +--ro login-mode? login-mode | +--ro operation-type? operation-type | +--ro result? string | +--ro content? string | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref +---n system-res-util-log | +--ro system-status? string | +--ro cpu-usage? uint8 | +--ro memory-usage? uint8 | +--ro disk-usage? uint8 | +--ro disk-left? uint8 | +--ro session-num? uint8 | +--ro process-num? uint8 | +--ro in-traffic-rate? uint32 | +--ro out-traffic-rate? uint32 | +--ro in-traffic-speed? uint32 | +--ro out-traffic-speed? uint32 | +--ro acquisition-method? identityref | +--ro emission-type? identityref Hong, et al. Expires January 3, 2019 [Page 8] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 | +--ro dampening-type? identityref +---n system-user-activity-log | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro user string | +--ro group string | +--ro login-ip-addr inet:ipv4-address | +--ro authentication? identityref | +--ro access? identityref | +--ro online-duration? string | +--ro logout-duration? string | +--ro addtional-info? string +---n nsf-log-ddos | +--ro attack-type? identityref | +--ro attack-ave-rate? uint32 | +--ro attack-ave-speed? uint32 | +--ro attack-pkt-num? uint32 | +--ro attack-src-ip? inet:ipv4-address | +--ro action? log-action | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-virus | +--ro attack-type? identityref | +--ro action? log-action | +--ro os? string | +--ro time yang:date-and-time | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-intrusion | +--ro attack-type? identityref | +--ro action? log-action | +--ro time yang:date-and-time | +--ro attack-rate? uint32 Hong, et al. Expires January 3, 2019 [Page 9] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 | +--ro attack-speed? uint32 | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-botnet | +--ro attack-type? identityref | +--ro action? log-action | +--ro botnet-pkt-num? uint8 | +--ro os? string | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-dpi | +--ro attack-type? dpi-type | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro src-ip? inet:ipv4-address | +--ro dst-ip? inet:ipv4-address | +--ro src-port? inet:port-number | +--ro dst-port? inet:port-number | +--ro src-zone? string | +--ro dst-zone? string | +--ro src-region? string | +--ro dst-region? string | +--ro policy-id? uint8 | +--ro policy-name? string | +--ro src-user? string | +--ro protocol? identityref | +--ro app? string | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity Hong, et al. Expires January 3, 2019 [Page 10] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 +---n nsf-log-vuln-scan | +--ro vulnerability-id? uint8 | +--ro victim-ip? inet:ipv4-address | +--ro protocol? identityref | +--ro port-num? inet:port-number | +--ro level? severity | +--ro os? string | +--ro vulnerability-info? string | +--ro fix-suggestion? string | +--ro service? string | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro dampening-type? identityref | +--ro message? string | +--ro time-stamp? yang:date-and-time | +--ro vendor-name? string | +--ro nsf-name? string | +--ro module-name? string | +--ro severity? severity +---n nsf-log-web-attack +--ro attack-type? identityref +--ro rsp-code? string +--ro req-clientapp? string +--ro req-cookies? string +--ro req-host? string +--ro raw-info? string +--ro acquisition-method? identityref +--ro emission-type? identityref +--ro dampening-type? identityref +--ro message? string +--ro time-stamp? yang:date-and-time +--ro vendor-name? string +--ro nsf-name? string +--ro module-name? string +--ro severity? severity Figure 1: Information Model for NSF Monitoring 5. YANG Data Model This section introduces a YANG data model for the information model of monitoring inforamtion based on [i2nsf-monitoring-im]. <CODE BEGINS> file "ietf-i2nsf-nsf-monitoring-dm@2018-07-02.yang" module ietf-i2nsf-nsf-monitoring-dm { yang-version 1.1; Hong, et al. Expires January 3, 2019 [Page 11] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 namespace "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring-dm"; prefix monitoring-information; import ietf-inet-types{ prefix inet; } import ietf-yang-types { prefix yang; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact "WG Web: <http://tools.ietf.org/wg/i2nsf> WG List: <mailto:i2nsf@ietf.org> WG Chair: Linda Dunbar <mailto:Linda.duhbar@huawei.com> Editor: Dongjin Hong <mailto:dong.jin@skku.edu> Editor: Jaehoon Paul Jeong <mailto:pauljeong@skku.edu>"; description "This module defines a YANG data module for monitoring NSFs."; revision "2018-07-02" { description "Fifth revision"; reference "draft-zhang-i2nsf-info-model-monitoring-06"; } typedef severity { type enumeration { enum high { description "high-level"; } enum middle { description "middle-level"; } enum low { description "low-level"; Hong, et al. Expires January 3, 2019 [Page 12] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 } } description "An indicator representing severity"; } typedef log-action { type enumeration { enum allow { description "If action is allow"; } enum alert { description "If action is alert"; } enum block { description "If action is block"; } enum discard { description "If action is discard"; } enum declare { description "If action is declare"; } enum block-ip { description "If action is block-ip"; } enum block-service{ description "If action is block-service"; } } description "This is used for protocol"; } typedef dpi-type{ type enumeration { enum file-blocking{ description "DPI for blocking file"; } enum data-filtering{ description "DPI for filtering data"; Hong, et al. Expires January 3, 2019 [Page 13] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 } enum application-behavior-control{ description "DPI for controlling application behavior"; } } description "This is used for dpi type"; } typedef operation-type{ type enumeration { enum login{ description "Login operation"; } enum logout{ description "Logout operation"; } enum configuration{ description "Configuration operation"; } } description "An indicator representing operation-type"; } typedef login-mode{ type enumeration { enum root{ description "Root login-mode"; } enum user{ description "User login-mode"; } enum guest{ description "Guest login-mode"; } } description "An indicater representing login-mode"; } identity characteristics { description Hong, et al. Expires January 3, 2019 [Page 14] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "Base identity for monitoring information characteristics"; } identity acquisition-method { base characteristics; description "The type of acquisition-method. Can be multiple types at once."; } identity subscription { base acquisition-method; description "The acquisition-method type is subscription"; } identity query { base acquisition-method; description "The acquisition-method type is query"; } identity emission-type { base characteristics; description "The type of emission-type."; } identity periodical { base emission-type; description "The emission-type type is periodical."; } identity on-change { base emission-type; description "The emission-type type is on-change."; } identity dampening-type { base characteristics; description "The type of dampening-type."; } identity no-dampening { base dampening-type; description "The dampening-type is no-dampening."; } identity on-repetition { base dampening-type; description "The dampening-type is on-repetition."; } Hong, et al. Expires January 3, 2019 [Page 15] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 identity none { base dampening-type; description "The dampening-type is none."; } identity authentication-mode { description "User authentication mode types: e.g., Local Authentication, Third-Party Server Authentication, Authentication Exemption, or SSO Authentication."; } identity local-authentication { base authentication-mode; description "Authentication-mode : local authentication."; } identity third-party-server-authentication { base authentication-mode; description "If authentication-mode is third-part-server-authentication"; } identity exemption-authentication { base authentication-mode; description "If authentication-mode is exemption-authentication"; } identity sso-authentication { base authentication-mode; description "If authentication-mode is sso-authentication"; } identity alarm-type { description "Base identity for detectable alarm types"; } identity MEM-USAGE-ALARM { base alarm-type; description "A memory alarm is alerted"; } identity CPU-USAGE-ALARM { base alarm-type; description Hong, et al. Expires January 3, 2019 [Page 16] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "A cpu alarm is alerted"; } identity DISK-USAGE-ALARM { base alarm-type; description "A disk alarm is alerted"; } identity HW-FAILURE-ALARM { base alarm-type; description "A hardware alarm is alerted"; } identity IFNET-STATE-ALARM { base alarm-type; description "An interface alarm is alerted"; } identity event-type { description "Base identity for detectable event types"; } identity ACCESS-DENIED { base event-type; description "The system event is access-denied."; } identity CONFIG-CHANGE { base event-type; description "The system event is config-change."; } identity flood-type { description "Base identity for detectable flood types"; } identity syn-flood { base flood-type; description "A SYN flood is detected"; } identity ack-flood { base flood-type; description "An ACK flood is detected"; } identity syn-ack-flood { base flood-type; Hong, et al. Expires January 3, 2019 [Page 17] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 description "An SYN-ACK flood is detected"; } identity fin-rst-flood { base flood-type; description "A FIN-RST flood is detected"; } identity tcp-con-flood { base flood-type; description "A TCP connection flood is detected"; } identity udp-flood { base flood-type; description "A UDP flood is detected"; } identity icmp-flood { base flood-type; description "An ICMP flood is detected"; } identity https-flood { base flood-type; description "A HTTPS flood is detected"; } identity http-flood { base flood-type; description "A HTTP flood is detected"; } identity dns-reply-flood { base flood-type; description "A DNS reply flood is detected"; } identity dns-query-flood { base flood-type; description "A DNS query flood is detected"; } identity sip-flood { base flood-type; description "A SIP flood is detected"; } Hong, et al. Expires January 3, 2019 [Page 18] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 identity nsf-event-name { description "Base identity for detectable nsf event types"; } identity SEC-EVENT-DDOS { base nsf-event-name; description "The nsf event is sec-event-ddos."; } identity SESSION-USAGE-HIGH { base nsf-event-name; description "The nsf event is session-usage-high"; } identity SEC-EVENT-VIRUS { base nsf-event-name; description "The nsf event is sec-event-virus"; } identity SEC-EVENT-INTRUSION { base nsf-event-name; description "The nsf event is sec-event-intrusion"; } identity SEC-EVENT-BOTNET { base nsf-event-name; description "The nsf event is sec-event-botnet"; } identity SEC-EVENT-WEBATTACK { base nsf-event-name; description "The nsf event is sec-event-webattack"; } identity attack-type { description "The root ID of attack based notification in the notification taxonomy"; } identity system-attack-type { base attack-type; description "This ID is intended to be used in the context of system events"; } identity nsf-attack-type { base attack-type; description Hong, et al. Expires January 3, 2019 [Page 19] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "This ID is intended to be used in the context of nsf event"; } identity botnet-attack-type { base nsf-attack-type; description "This is a ID stub limited to indicating that this attack type is botnet. The usual semantic and taxonomy is missing and name is used."; } identity virus-type { base nsf-attack-type; description "The type of virus. Can be multiple types at once. This attack type is associated with a detected system-log virus-attack"; } identity trojan { base virus-type; description "The detected virus type is trojan"; } identity worm { base virus-type; description "The detected virus type is worm"; } identity macro { base virus-type; description "The detected virus type is macro"; } identity intrusion-attack-type { base nsf-attack-type; description "The attack type is associatied with a detectedsystem-log intrusion"; } identity brute-force { base intrusion-attack-type; description "The intrusion type is brute-force"; } identity buffer-overflow { base intrusion-attack-type; description "The intrusion type is buffer-overflow"; } identity web-attack-type { Hong, et al. Expires January 3, 2019 [Page 20] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 base nsf-attack-type; description "The attack type associated with a detected system-log web-attack"; } identity command-injection { base web-attack-type; description "The detected web attack type is command injection"; } identity xss { base web-attack-type; description "The detected web attack type is XSS"; } identity csrf { base web-attack-type; description "The detected web attack type is CSRF"; } identity ddos-attack-type { base nsf-attack-type; description "The attack type is associated with a detected nsf-log event"; } identity req-method { description "A set of request types (if applicable). For instance, PUT or GET in HTTP"; } identity put-req { base req-method; description "The detected request type is PUT"; } identity get-req { base req-method; description "The detected request type is GET"; } identity filter-type { description "The type of filter used to detect, for example, a web-attack. Can be applicable to more than web-attacks. Can be more than one type."; } Hong, et al. Expires January 3, 2019 [Page 21] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 identity whitelist { base filter-type; description "The applied filter type is whitelist"; } identity blacklist { base filter-type; description "The applied filter type is blacklist"; } identity user-defined { base filter-type; description "The applied filter type is user-defined"; } identity balicious-category { base filter-type; description "The applied filter is balicious category"; } identity unknown-filter { base filter-type; description "The applied filter is unknown"; } identity access-mode { description "Base identity for detectable access mode."; } identity ppp { base access-mode; description "Access-mode : ppp"; } identity svn { base access-mode; description "Access-mode : svn"; } identity local { base access-mode; description "Access-mode : local"; } identity protocol-type { description Hong, et al. Expires January 3, 2019 [Page 22] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "An identity used to enable type choices in leafs and leaflists wrt protocol metadata."; } identity tcp { base ipv4; base ipv6; description "TCP protocol type."; } identity udp { base ipv4; base ipv6; description "UDP protocol type."; } identity icmp { base ipv4; base ipv6; description "General ICMP protocol type."; } identity icmpv4 { base ipv4; description "ICMPv4 protocol type."; } identity icmpv6 { base ipv6; description "ICMPv6 protocol type."; } identity ip { base protocol-type; description "General IP protocol type."; } identity ipv4 { base ip; description "IPv4 protocol type."; } identity ipv6 { base ip; description "IPv6 protocol type."; } identity http { base tcp; Hong, et al. Expires January 3, 2019 [Page 23] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 description "HTPP protocol type."; } identity ftp { base tcp; description "FTP protocol type."; } grouping common-monitoring-data { description "The data set of common monitoring"; leaf message { type string; description "This is a freetext annotation of monitoring notification content"; } leaf time-stamp { type yang:date-and-time; description "Indicates the time of message generation"; } leaf vendor-name { type string; description "The name of the NSF vendor"; } leaf nsf-name { type string; description "The name (or IP) of the NSF generating the message"; } leaf module-name { type string; description "The module name outputting the message"; } leaf severity { type severity; description "The severity of the alarm such asvcritical, high, middle, low."; } } grouping characteristics{ description "A set of monitoring information characteristics"; Hong, et al. Expires January 3, 2019 [Page 24] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 leaf acquisition-method { type identityref { base acquisition-method; } description "The acquisition-method for characteristics"; } leaf emission-type { type identityref { base emission-type; } description "The emission-type for characteristics"; } leaf dampening-type { type identityref { base dampening-type; } description "The dampening-type for characteristics"; } } grouping i2nsf-system-alarm-type-content { description "A set of system alarm type contents"; leaf usage { type uint8; description "specifies the amount of usage"; } leaf threshold { type uint8; description "The threshold triggering the alarm or the event"; } } grouping i2nsf-system-event-type-content { description "System event metadata associated with system events caused by user activity."; leaf user { type string; mandatory true; description "Name of a user"; } leaf group { type string; Hong, et al. Expires January 3, 2019 [Page 25] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 mandatory true; description "Group to which a user belongs."; } leaf login-ip-addr { type inet:ipv4-address; mandatory true; description "Login IP address of a user."; } leaf authentication { type identityref { base authentication-mode; } description "The authentication-mode for authentication"; } } grouping i2nsf-nsf-event-type-content-extend { description "A set of common IPv4-related NSF event content elements"; leaf src-ip { type inet:ipv4-address; description "The source IP address of the packet"; } leaf dst-ip { type inet:ipv4-address; description "The destination IP address of the packet"; } leaf src-port { type inet:port-number; description "The source port of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; } leaf src-zone { type string; description "The source security zone of the packet"; } leaf dst-zone { Hong, et al. Expires January 3, 2019 [Page 26] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 type string; description "The destination security zone of the packet"; } leaf rule-id { type uint8; mandatory true; description "The ID of the rule being triggered"; } leaf rule-name { type string; mandatory true; description "The name of the rule being triggered"; } leaf profile { type string; description "Security profile that traffic matches."; } leaf raw-info { type string; description "The information describing the packet triggering the event."; } } grouping i2nsf-nsf-event-type-content { description "A set of common IPv4-related NSF event content elements"; leaf dst-ip { type inet:ipv4-address; description "The destination IP address of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; } leaf rule-id { type uint8; mandatory true; description "The ID of the rule being triggered"; } Hong, et al. Expires January 3, 2019 [Page 27] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 leaf rule-name { type string; mandatory true; description "The name of the rule being triggered"; } leaf profile { type string; description "Security profile that traffic matches."; } leaf raw-info { type string; description "The information describing the packet triggering the event."; } } grouping traffic-rates { description "A set of traffic rates for statistics data"; leaf total-traffic { type uint32; description "Total traffic"; } leaf in-traffic-ave-rate { type uint32; description "Inbound traffic average rate in pps"; } leaf in-traffic-peak-rate { type uint32; description "Inbound traffic peak rate in pps"; } leaf in-traffic-ave-speed { type uint32; description "Inbound traffic average speed in bps"; } leaf in-traffic-peak-speed { type uint32; description "Inbound traffic peak speed in bps"; } leaf out-traffic-ave-rate { Hong, et al. Expires January 3, 2019 [Page 28] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 type uint32; description "Outbound traffic average rate in pps"; } leaf out-traffic-peak-rate { type uint32; description "Outbound traffic peak rate in pps"; } leaf out-traffic-ave-speed { type uint32; description "Outbound traffic average speed in bps"; } leaf out-traffic-peak-speed { type uint32; description "Outbound traffic peak speed in bps"; } } grouping i2nsf-system-counter-type-content{ description "A set of system counter type contents"; leaf interface-name { type string; description "Network interface name configured in NSF"; } leaf in-total-traffic-pkts { type uint32; description "Total inbound packets"; } leaf out-total-traffic-pkts { type uint32; description "Total outbound packets"; } leaf in-total-traffic-bytes { type uint32; description "Total inbound bytes"; } leaf out-total-traffic-bytes { type uint32; description "Total outbound bytes"; } Hong, et al. Expires January 3, 2019 [Page 29] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 leaf in-drop-traffic-pkts { type uint32; description "Total inbound drop packets"; } leaf out-drop-traffic-pkts { type uint32; description "Total outbound drop packets"; } leaf in-drop-traffic-bytes { type uint32; description "Total inbound drop bytes"; } leaf out-drop-traffic-bytes { type uint32; description "Total outbound drop bytes"; } uses traffic-rates; } grouping i2nsf-nsf-counters-type-content{ description "A set of nsf counters type contents"; leaf src-ip { type inet:ipv4-address; description "The source IP address of the packet"; } leaf dst-ip { type inet:ipv4-address; description "The destination IP address of the packet"; } leaf src-port { type inet:port-number; description "The source port of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; } leaf src-zone { type string; description Hong, et al. Expires January 3, 2019 [Page 30] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "The source security zone of the packet"; } leaf dst-zone { type string; description "The destination security zone of the packet"; } leaf src-region { type string; description "Source region of the traffic"; } leaf dst-region{ type string; description "Destination region of the traffic"; } leaf policy-id { type uint8; description "The ID of the policy being triggered"; } leaf policy-name { type string; description "The name of the policy being triggered"; } leaf src-user{ type string; description "User who generates traffic"; } leaf protocol { type identityref { base protocol-type; } description "Protocol type of traffic"; } leaf app { type string; description "Application type of traffic"; } } notification system-detection-alarm { description Hong, et al. Expires January 3, 2019 [Page 31] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "This notification is sent, when a system alarm is detected."; leaf alarm-catagory { type identityref { base alarm-type; } description "The alarm catagory for system-detection-alarm notification"; } uses characteristics; uses i2nsf-system-alarm-type-content; uses common-monitoring-data; } notification system-detection-event { description "This notification is sent, when a security-sensitive authentication action fails."; leaf event-catagory { type identityref { base event-type; } description "The event catagory for system-detection-event"; } uses characteristics; uses i2nsf-system-event-type-content; uses common-monitoring-data; } notification nsf-detection-flood { description "This notification is sent, when a specific flood type is detected"; leaf event-name { type identityref { base SEC-EVENT-DDOS; } description "The event name for nsf-detection-flood"; } uses i2nsf-nsf-event-type-content; leaf sub-attack-type { type identityref { base flood-type; } description "Any one of Syn flood, ACK flood, SYN-ACK flood, FIN/RST flood, TCP Connection flood, UDP flood, Hong, et al. Expires January 3, 2019 [Page 32] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 Icmp flood, HTTPS flood, HTTP flood, DNS query flood, DNS reply flood, SIP flood, and etc."; } leaf start-time { type yang:date-and-time; mandatory true; description "The time stamp indicating when the attack started"; } leaf end-time { type yang:date-and-time; mandatory true; description "The time stamp indicating when the attack ended"; } leaf attack-rate { type uint32; description "The PPS rate of attack traffic"; } leaf attack-speed { type uint32; description "The BPS speed of attack traffic"; } uses common-monitoring-data; } notification nsf-detection-session-table { description "This notification is sent, when an a session table event is deteced"; leaf current-session { type uint8; description "The number of concurrent sessions"; } leaf maximum-session { type uint8; description "The maximum number of sessions that the session table can support"; } leaf threshold { type uint8; description "The threshold triggering the event"; } uses common-monitoring-data; Hong, et al. Expires January 3, 2019 [Page 33] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 } notification nsf-detection-virus { description "This notification is sent, when a virus is detected"; uses i2nsf-nsf-event-type-content-extend; leaf virus { type identityref { base virus-type; } description "The virus type for nsf-detection-virus notification"; } leaf virus-name { type string; description "The name of the detected virus"; } leaf file-type { type string; description "The type of file virus code is found in (if appicable)."; } leaf file-name { type string; description "The name of file virus code is found in (if appicable)."; } uses common-monitoring-data; } notification nsf-detection-intrusion { description "This notification is send, when an intrusion event is detected."; uses i2nsf-nsf-event-type-content-extend; leaf protocol { type identityref { base protocol-type; } description "The protocol type for nsf-detection-intrusion notification"; } leaf app { type string; description "The employed application layer protocol"; } leaf sub-attack-type { Hong, et al. Expires January 3, 2019 [Page 34] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 type identityref { base intrusion-attack-type; } description "The sub attack type for intrusion attack"; } uses common-monitoring-data; } notification nsf-detection-botnet { description "This notification is send, when a botnet event is detected"; uses i2nsf-nsf-event-type-content-extend; leaf attack-type { type identityref { base botnet-attack-type; } description "The attack type for botnet attack"; } leaf protocol { type identityref { base protocol-type; } description "The protocol type for nsf-detection-botnet notification"; } leaf botnet-name { type string; description "The name of the detected botnet"; } leaf role { type string; description "The role of the communicating parties within the botnet"; } uses common-monitoring-data; } notification nsf-detection-web-attack { description "This notification is send, when an attack event is detected"; uses i2nsf-nsf-event-type-content-extend; leaf sub-attack-type { type identityref { base web-attack-type; Hong, et al. Expires January 3, 2019 [Page 35] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 } description "Concret web attack type, e.g., sql injection, command injection, XSS, CSRF"; } leaf request-method { type identityref { base req-method; } description "The method of requirement. For instance, PUT or GET in HTTP"; } leaf req-uri { type string; description "Requested URI"; } leaf uri-category { type string; description "Matched URI category"; } leaf-list filtering-type { type identityref { base filter-type; } description "URL filtering type, e.g., Blacklist, Whitelist, User-Defined, Predefined, Malicious Category, Unknown"; } uses common-monitoring-data; } notification system-access-log { description "The notification is send, if there is a new system log entry about a system access event"; leaf login-ip { type inet:ipv4-address; mandatory true; description "Login IP address of a user"; } leaf administrator { type string; description Hong, et al. Expires January 3, 2019 [Page 36] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "Administrator that maintains the device"; } leaf login-mode { type login-mode; description "Specifies the administrator log-in mode"; } leaf operation-type { type operation-type; description "The operation type that the administrator execute"; } leaf result { type string; description "Command execution result"; } leaf content { type string; description "The Operation performed by an administrator after login"; } uses characteristics; } notification system-res-util-log { description "This notification is send, if there is a new log entry representing ressource utiliztation updates."; leaf system-status { type string; description "The current systems running status"; } leaf cpu-usage { type uint8; description "Specifies the relative amount of cpu usage wrt plattform ressources"; } leaf memory-usage { type uint8; description "Specifies the amount of memory usage"; } leaf disk-usage { type uint8; Hong, et al. Expires January 3, 2019 [Page 37] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 description "Specifies the amount of disk usage"; } leaf disk-left { type uint8; description "Specifies the amount of disk left"; } leaf session-num { type uint8; description "The total number of sessions"; } leaf process-num { type uint8; description "The total number of process"; } leaf in-traffic-rate { type uint32; description "The total inbound traffic rate in pps"; } leaf out-traffic-rate { type uint32; description "The total outbount traffic rate in pps"; } leaf in-traffic-speed { type uint32; description "The total inbound traffic speed in bps"; } leaf out-traffic-speed { type uint32; description "The total outbound traffic speed in bps"; } uses characteristics; } notification system-user-activity-log { description "This notification is send, if there is a new user activity log entry"; uses characteristics; uses i2nsf-system-event-type-content; leaf access { type identityref { Hong, et al. Expires January 3, 2019 [Page 38] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 base access-mode; } description "The access type for system-user-activity-log notification"; } leaf online-duration { type string; description "Online duration"; } leaf logout-duration { type string; description "Lockout duration"; } leaf addtional-info { type string; description "User activities. e.g., Successful User Login, Failed Login attempts, User Logout, Successful User Password Change, Failed User Password Change, User Lockout, User Unlocking, Unknown"; } } notification nsf-log-ddos { description "This notification is send, if there is a new DDoS event log entry in the nsf log"; leaf attack-type { type identityref { base ddos-attack-type; } description "The ddos attack type for nsf-log-ddos notification"; } leaf attack-ave-rate { type uint32; description "The ave PPS of attack traffic"; } leaf attack-ave-speed { type uint32; description "the ave bps of attack traffic"; } Hong, et al. Expires January 3, 2019 [Page 39] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 leaf attack-pkt-num { type uint32; description "the number of attack packets"; } leaf attack-src-ip { type inet:ipv4-address; description "The source IP addresses of attack traffics. If there are a large amount of IP addresses, then pick a certain number of resources according to different rules."; } leaf action { type log-action; description "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-virus { description "This notification is send, If there is a new virus event log enry in the nsf log"; leaf attack-type { type identityref { base virus-type; } description "The virus type for nsf-log-virus notification"; } leaf action { type log-action; description "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } leaf os{ type string; description "simple os information"; } leaf time { Hong, et al. Expires January 3, 2019 [Page 40] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 type yang:date-and-time; mandatory true; description "Indicate the time when the message is generated"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-intrusion { description "This notification is send, if there is a new intrusion event log entry in the nsf log"; leaf attack-type { type identityref { base intrusion-attack-type; } description "The intrusion attack type for nsf-log-intrusion notification"; } leaf action { type log-action; description "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } leaf time { type yang:date-and-time; mandatory true; description "Indicate the time when the message is generated"; } leaf attack-rate { type uint32; description "The PPS of attack traffic"; } leaf attack-speed { type uint32; description "The bps of attack traffic"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-botnet { description Hong, et al. Expires January 3, 2019 [Page 41] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 "This noticiation is send, if there is a new botnet event log in the nsf log"; leaf attack-type { type identityref { base botnet-attack-type; } description "The botnet attack type for nsf-log-botnet notification"; } leaf action { type log-action; description "Action type: allow, alert, block, discard, declare, block-ip, block-service"; } leaf botnet-pkt-num{ type uint8; description "The number of the packets sent to or from the detected botnet"; } leaf os{ type string; description "simple os information"; } uses characteristics; uses common-monitoring-data; } notification nsf-log-dpi { description "This notification is send, if there is a new dpi event in the nsf log"; leaf attack-type { type dpi-type; description "The type of the dpi"; } uses characteristics; uses i2nsf-nsf-counters-type-content; uses common-monitoring-data; } notification nsf-log-vuln-scan { description "This notification is send, if there is a new vulnerability-scan report in the nsf log"; Hong, et al. Expires January 3, 2019 [Page 42] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 leaf vulnerability-id { type uint8; description "The vulnerability id"; } leaf victim-ip { type inet:ipv4-address; description "IP address of the victim host which has vulnerabilities"; } leaf protocol { type identityref { base protocol-type; } description "The protocol type for nsf-log-vuln-scan notification"; } leaf port-num { type inet:port-number; description "The port number"; } leaf level { type severity; description "The vulnerability severity"; } leaf os { type string; description "simple os information"; } leaf vulnerability-info { type string; description "The information about the vulnerability"; } leaf fix-suggestion { type string; description "The fix suggestion to the vulnerability"; } leaf service { type string; description "The service which has vulnerabillity in the victim host"; } Hong, et al. Expires January 3, 2019 [Page 43] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 uses characteristics; uses common-monitoring-data; } notification nsf-log-web-attack { description "This notificatio is send, if there is a new web-attack event in the nsf log"; leaf attack-type { type identityref { base web-attack-type; } description "The web attack type for nsf-log-web-attack notification"; } leaf rsp-code { type string; description "Response code"; } leaf req-clientapp { type string; description "The client application"; } leaf req-cookies { type string; description "Cookies"; } leaf req-host { type string; description "The domain name of the requested host"; } leaf raw-info { type string; description "The information describing the packet triggering the event."; } uses characteristics; uses common-monitoring-data; } container counters { description "This is probably better covered by an import as this will not be notifications. Hong, et al. Expires January 3, 2019 [Page 44] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 Counter are not very suitable as telemetry, maybe via periodic subscriptions, which would still violate principle of least surprise."; container system-interface { description "The system counter type is interface counter"; uses characteristics; uses i2nsf-system-counter-type-content; uses common-monitoring-data; } container nsf-firewall { description "The nsf counter type is firewall counter"; uses characteristics; uses i2nsf-nsf-counters-type-content; uses traffic-rates; } container nsf-policy-hits { description "The counters of policy hit"; uses characteristics; uses i2nsf-nsf-counters-type-content; uses common-monitoring-data; leaf hit-times { type uint32; description "The hit times for policy"; } } } } <CODE ENDS> Figure 2: Data Model of Monitoring 6. Acknowledgments This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This document has greatly benefited from inputs by Daeyoung Hyun. Hong, et al. Expires January 3, 2019 [Page 45] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 7. References 7.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010. 7.2. Informative References [i2nsf-framework] Lopez,, D., Lopez,, E., Dunbar, L., Strassner, J., and R. Kumar, "Framework for Interface to Network Security Functions", RFC 8329, February 2018. [i2nsf-monitoring-im] Xia,, L., Zhang,, D., Wu, Y., Kumar, R., Lohiya, A., and H. Birkholz, "An Information Model for the Monitoring of Network Security Functions (NSF)", draft-zhang-i2nsf-info- model-monitoring-06 (work in progress), May 2018. [i2nsf-terminology] Hares,, S., Strassner,, J., Lopez,, D., Xia,, L., and H. Birkholz,, "Interface to Network Security Functions (I2NSF) Terminology", draft-ietf-i2nsf-terminology-05 (work in progress), July 2018. [i2rs-rib-data-model] Wang, L., Chen, M., Dass, A., Ananthakrishnan, H., Kini, S., and N. Bahadur, "A YANG Data Model for Routing Information Base (RIB)", draft-ietf-i2rs-rib-data-model-10 (work in progress), February 2018. Hong, et al. Expires January 3, 2019 [Page 46] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 Appendix A. Changes from draft-hong-i2nsf-nsf-monitoring-data-model-03 The following changes are made from draft-hong-i2nsf-nsf-monitoring- data-model-03: 1. The YANG data model has been reorganized in detail by synchronizing with the latest info model. 2. The YANG data model has been reorganized by a partial implementation based on ConfD. Authors' Addresses Dongjin Hong Department of Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 10 7630 5473 EMail: dong.jin@skku.edu Jaehoon Paul Jeong Department of Software Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 Fax: +82 31 290 7996 EMail: pauljeong@skku.edu URI: http://iotlab.skku.edu/people-jaehoon-jeong.php Jinyong Tim Kim Department of Computer Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea Phone: +82 10 8273 0930 EMail: timkim@skku.edu Hong, et al. Expires January 3, 2019 [Page 47] Internet-Draft I2NSF NSF Monitoring YANG Data Model July 2018 Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com Liang Xia (Frank) Huawei 101 Software Avenue, Yuhuatai District Nanjing, Jiangsu China EMail: Frank.xialiang@huawei.com Henk Birkholz Fraunhofer Institute for Secure Information Technology Rheinstrasse 75 Darmstadt 64295 Germany EMail: henk.birkholz@sit.fraunhofer.de Hong, et al. Expires January 3, 2019 [Page 48]