The Incident Object Description Exchange Format v2
draft-ietf-mile-rfc5070-bis-06
The information below is for an old version of the document.

| Field | Value |
|---|---|
| Type | Older version of an Internet-Draft that was ultimately published as RFC 7970 |
| Authors | Roman Danyliw, Paul Stoecker |
| Last updated | 2014-05-29 (Latest revision 2014-02-13) |
| RFC stream | Internet Engineering Task Force (IETF) |
| Additional resources | Mailing list discussion |
| WG state | WG Document |
| Document shepherd | (None) |
| IESG state | Became RFC 7970 (Proposed Standard) |
| Consensus boilerplate | Unknown |
| Telechat date | (None) |
| Responsible AD | (None) |
| Send notices to | (None) |
draft-ietf-mile-rfc5070-bis-06
Danyliw & Stoecker Expires August 18, 2014 [Page 92] Internet-Draft IODEFv2 February 2014

      "required"/>
    <xs:attribute name="formatid" type="xs:string"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  === Incident class ===
  ==================================================================
-->
<xs:element name="Incident">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:IncidentID"/>
      <xs:element ref="iodef:AlternativeID" minOccurs="0"/>
      <xs:element ref="iodef:RelatedActivity" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:DetectTime" minOccurs="0"/>
      <xs:element ref="iodef:StartTime" minOccurs="0"/>
      <xs:element ref="iodef:EndTime" minOccurs="0"/>
      <xs:element ref="iodef:ReportTime"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Discovery" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Assessment" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
      <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:History" minOccurs="0"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="purpose" use="required">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="traceback"/>
          <xs:enumeration value="mitigation"/>
          <xs:enumeration value="reporting"/>
          <xs:enumeration value="watch"/>
          <xs:enumeration value="other"/>
          <xs:enumeration value="ext-value"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-purpose" type="xs:string" use="optional"/>
    <xs:attribute name="lang" type="xs:language"/>
    <xs:attribute name="restriction" type="iodef:restriction-type" default="private"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == IncidentID class ==
  ==================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="name" type="xs:string" use="required"/>
      <xs:attribute name="instance" type="xs:string" use="optional"/>
      <xs:attribute name="restriction" type="iodef:restriction-type" default="public"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<!--
  ==================================================================
  == ReportID class ==
  ==================================================================
-->
<xs:element name="ReportID">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == AlternativeID class ==
  ==================================================================
-->
<xs:element name="AlternativeID">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == RelatedActivity class ==
  ==================================================================
-->
<xs:element name="RelatedActivity">
  <xs:complexType>
    <xs:sequence>
      <xs:choice maxOccurs="unbounded">
        <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
        <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
        <xs:element ref="iodef:ThreatActor" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Campaign" maxOccurs="unbounded"/>
      </xs:choice>
      <xs:element ref="iodef:Confidence" minOccurs="0"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == ThreatActor class ==
  ==================================================================
-->
<xs:element name="ThreatActor">
  <xs:complexType>
    <xs:sequence>
      <xs:choice>
        <xs:sequence>
          <xs:element ref="iodef:ThreatActorID"/>
          <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:element ref="iodef:Description" minOccurs="1" maxOccurs="unbounded"/>
      </xs:choice>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<xs:element name="ThreatActorID" type="xs:string"/>
<!--
  ==================================================================
  == Campaign class ==
  ==================================================================
-->
<xs:element name="Campaign">
  <xs:complexType>
    <xs:sequence>
      <xs:choice>
        <xs:sequence>
          <xs:element ref="iodef:CampaignID"/>
          <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
        </xs:sequence>
        <xs:element ref="iodef:Description" minOccurs="1" maxOccurs="unbounded"/>
      </xs:choice>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!--
  ==================================================================
  == AdditionalData class ==
  ==================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<!--
  ==================================================================
  == Contact class ==
  ==================================================================
-->
<xs:element name="Contact">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:ContactName" minOccurs="0"/>
      <xs:element ref="iodef:ContactTitle" minOccurs="0"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:RegistryHandle" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
      <xs:element ref="iodef:Email" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Telephone" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Fax" minOccurs="0"/>
      <xs:element ref="iodef:Timezone" minOccurs="0"/>
      <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="role" use="required">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="creator"/>
          <xs:enumeration value="reporter"/>
          <xs:enumeration value="admin"/>
          <xs:enumeration value="tech"/>
          <xs:enumeration value="provider"/>
          <xs:enumeration value="zone"/>
          <xs:enumeration value="user"/>
          <xs:enumeration value="billing"/>
          <xs:enumeration value="legal"/>
          <xs:enumeration value="abuse"/>
          <xs:enumeration value="irt"/>
          <xs:enumeration value="cc"/>
          <xs:enumeration value="cc-irt"/>
          <xs:enumeration value="le"/>
          <xs:enumeration value="vendor"/>
          <xs:enumeration value="ext-value"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-role" type="xs:string" use="optional"/>
    <xs:attribute name="type" use="required">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="person"/>
          <xs:enumeration value="organization"/>
          <xs:enumeration value="ext-value"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-type" type="xs:string" use="optional"/>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<xs:element name="ContactName" type="iodef:MLStringType"/>
<xs:element name="ContactTitle" type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="registry">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="internic"/>
              <xs:enumeration value="apnic"/>
              <xs:enumeration value="arin"/>
              <xs:enumeration value="lacnic"/>
              <xs:enumeration value="ripe"/>
              <xs:enumeration value="afrinic"/>
              <xs:enumeration value="local"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-registry" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="PostalAddress">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="iodef:MLStringType">
        <xs:attribute name="meaning" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="Email" type="iodef:ContactMeansType"/>
<xs:element name="Telephone" type="iodef:ContactMeansType"/>
<xs:element name="Fax" type="iodef:ContactMeansType"/>
<xs:complexType name="ContactMeansType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="meaning" type="xs:string" use="optional"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<!--
  ==================================================================
  == Time-based classes ==
  ==================================================================
-->
<xs:element name="DateTime" type="xs:dateTime"/>
<xs:element name="ReportTime" type="xs:dateTime"/>
<xs:element name="DetectTime" type="xs:dateTime"/>
<xs:element name="StartTime" type="xs:dateTime"/>
<xs:element name="EndTime" type="xs:dateTime"/>
<xs:element name="Timezone" type="iodef:TimezoneType"/>
<xs:simpleType name="TimezoneType">
  <xs:restriction base="xs:string">
    <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
  </xs:restriction>
</xs:simpleType>
<!--
  ==================================================================
  == History class ==
  ==================================================================
-->
<xs:element name="History">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
  </xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:DateTime"/>
      <xs:element ref="iodef:IncidentID" minOccurs="0"/>
      <xs:element ref="iodef:Contact" minOccurs="0"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="DefinedCOA" type="iodef:MLStringType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
    <xs:attribute name="action" type="iodef:action-type" use="required"/>
    <xs:attribute name="ext-action" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Expectation class ==
  ==================================================================
-->
<xs:element name="Expectation">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="DefinedCOA" type="iodef:MLStringType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:StartTime" minOccurs="0"/>
      <xs:element ref="iodef:EndTime" minOccurs="0"/>
      <xs:element ref="iodef:Contact" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
    <xs:attribute name="severity" type="iodef:severity-type"/>
    <xs:attribute name="action" type="iodef:action-type" default="other"/>
    <xs:attribute name="ext-action" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Discovery class ==
  ==================================================================
-->
<xs:element name="Discovery">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:DetectionPattern" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="source" use="optional" default="unknown">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="idps"/>
          <xs:enumeration value="siem"/>
          <xs:enumeration value="av"/>
          <xs:enumeration value="file-integrity"/>
          <xs:enumeration value="third-party-monitoring"/>
          <xs:enumeration value="os-log"/>
          <xs:enumeration value="application-log"/>
          <xs:enumeration value="device-log"/>
          <xs:enumeration value="network-flow"/>
          <xs:enumeration value="investigation"/>
          <xs:enumeration value="internal-notification"/>
          <xs:enumeration value="external-notification"/>
          <xs:enumeration value="unknown"/>
          <xs:enumeration value="ext-value"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-source" type="xs:string" use="optional"/>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<xs:element name="DetectionPattern">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Application"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="DetectionConfiguration" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Method class ==
  ==================================================================
-->
<xs:element name="Method">
  <xs:complexType>
    <xs:sequence>
      <xs:choice maxOccurs="unbounded">
        <xs:element ref="iodef:Reference"/>
        <xs:element ref="iodef:Description"/>
      </xs:choice>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Reference class ==
  ==================================================================
-->
<xs:element name="Reference">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="ReferenceName" type="iodef:MLStringType"/>
      <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
    <!-- Adding in Attack Type -->
    <xs:attribute name="attacktype" type="att-type" use="required">
    </xs:attribute>
    <xs:attribute name="ext-attacktype" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Assessment class ==
  ==================================================================
-->
<xs:element name="Assessment">
  <xs:complexType>
    <xs:sequence>
      <xs:choice maxOccurs="unbounded">
        <xs:element ref="iodef:Impact"/>
        <xs:element ref="iodef:BusinessImpact"/>
        <xs:element ref="iodef:TimeImpact"/>
        <xs:element ref="iodef:MonetaryImpact"/>
      </xs:choice>
      <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Confidence" minOccurs="0"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="occurrence">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="actual"/>
          <xs:enumeration value="potential"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<xs:element name="Impact">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="iodef:MLStringType">
        <xs:attribute name="severity" type="iodef:severity-type"/>
        <xs:attribute name="completion">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="failed"/>
              <xs:enumeration value="succeeded"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="type" use="optional" default="unknown">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="admin"/>
              <xs:enumeration value="dos"/>
              <xs:enumeration value="extortion"/>
              <xs:enumeration value="file"/>
              <xs:enumeration value="info-leak"/>
              <xs:enumeration value="misconfiguration"/>
              <xs:enumeration value="recon"/>
              <xs:enumeration value="policy"/>
              <xs:enumeration value="social-engineering"/>
              <xs:enumeration value="user"/>
              <xs:enumeration value="unknown"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="BusinessImpact">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="iodef:MLStringType">
        <xs:attribute name="severity" use="optional">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="none"/>
              <xs:enumeration value="low"/>
              <xs:enumeration value="medium"/>
              <xs:enumeration value="high"/>
              <xs:enumeration value="unknown"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-severity" type="xs:string" use="optional"/>
        <xs:attribute name="type" use="optional">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="breach-proprietary"/>
              <xs:enumeration value="breach-privacy"/>
              <xs:enumeration value="loss-of-integrity"/>
              <xs:enumeration value="loss-of-service"/>
              <xs:enumeration value="loss-financial"/>
              <xs:enumeration value="degraded-reputation"/>
              <xs:enumeration value="asset-damage"/>
              <xs:enumeration value="asset-manipulation"/>
              <xs:enumeration value="legal"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="TimeImpact">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="iodef:PositiveFloatType">
        <xs:attribute name="severity" type="iodef:severity-type"/>
        <xs:attribute name="metric" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="labor"/>
              <xs:enumeration value="elapsed"/>
              <xs:enumeration value="downtime"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-metric" type="xs:string" use="optional"/>
        <xs:attribute name="duration" type="iodef:duration-type"/>
        <xs:attribute name="ext-duration" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="MonetaryImpact">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="iodef:PositiveFloatType">
        <xs:attribute name="severity" type="iodef:severity-type"/>
        <xs:attribute name="currency" type="xs:string"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="Confidence">
  <xs:complexType mixed="true">
    <xs:attribute name="rating" use="required">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="low"/>
          <xs:enumeration value="medium"/>
          <xs:enumeration value="high"/>
          <xs:enumeration value="numeric"/>
          <xs:enumeration value="unknown"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == EventData class ==
  ==================================================================
-->
<xs:element name="EventData">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:DetectTime" minOccurs="0"/>
      <xs:element ref="iodef:StartTime" minOccurs="0"/>
      <xs:element ref="iodef:EndTime" minOccurs="0"/>
      <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Discovery" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Assessment" minOccurs="0"/>
      <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Flow" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Expectation" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Record" minOccurs="0"/>
      <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Flow class ==
  ==================================================================
-->
<!-- Added System unbounded for use only when the source or target
     watchlist is in use, otherwise only one system entry is expected. -->
<xs:element name="Flow">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:System" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == System class ==
  ==================================================================
-->
<xs:element name="System">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Service" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:OperatingSystem" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element name="AssetID" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="restriction" type="iodef:restriction-type"/>
    <xs:attribute name="category">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="source"/>
          <xs:enumeration value="target"/>
          <!-- CHANGE - adding two new values to cover watchlist groups -->
          <xs:enumeration value="watchlist-source"/>
          <xs:enumeration value="watchlist-target"/>
          <xs:enumeration value="intermediate"/>
          <xs:enumeration value="sensor"/>
          <xs:enumeration value="infrastructure"/>
          <xs:enumeration value="ext-value"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-category" type="xs:string" use="optional"/>
    <xs:attribute name="interface" type="xs:string"/>
    <xs:attribute name="spoofed" type="yes-no-unknown-type" default="unknown"/>
    <xs:attribute name="virtual" type="yes-no-unknown-type" use="optional" default="unknown"/>
    <xs:attribute name="ownership">
      <xs:simpleType>
        <xs:restriction base="xs:NMTOKEN">
          <xs:enumeration value="organization"/>
          <xs:enumeration value="personal"/>
          <xs:enumeration value="partner"/>
          <xs:enumeration value="customer"/>
          <xs:enumeration value="no-relationship"/>
          <xs:enumeration value="unknown"/>
          <xs:enumeration value="ext-value"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-ownership" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Node class ==
  ==================================================================
-->
<xs:element name="Node">
  <xs:complexType>
    <xs:sequence>
      <xs:choice maxOccurs="unbounded">
        <xs:element ref="iodef:DomainData" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Address" minOccurs="0" maxOccurs="unbounded"/>
      </xs:choice>
      <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
      <xs:element ref="iodef:Location" minOccurs="0"/>
      <xs:element ref="iodef:NodeRole" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
<xs:element name="Address">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="category" default="ipv4-addr">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="asn"/>
              <xs:enumeration value="atm"/>
              <xs:enumeration value="e-mail"/>
              <xs:enumeration value="mac"/>
              <xs:enumeration value="ipv4-addr"/>
              <xs:enumeration value="ipv4-net"/>
              <xs:enumeration value="ipv4-net-mask"/>
              <xs:enumeration value="ipv6-addr"/>
              <xs:enumeration value="ipv6-net"/>
              <xs:enumeration value="ipv6-net-mask"/>
              <xs:enumeration value="site-uri"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-category" type="xs:string" use="optional"/>
        <xs:attribute name="vlan-name" type="xs:string"/>
        <xs:attribute name="vlan-num" type="xs:integer"/>
        <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
        <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="iodef:MLStringType">
        <xs:attribute name="category" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="client"/>
              <xs:enumeration value="client-enterprise"/>
              <xs:enumeration value="client-partner"/>
              <xs:enumeration value="client-remote"/>
              <xs:enumeration value="client-kiosk"/>
              <xs:enumeration value="client-mobile"/>
              <xs:enumeration value="server-internal"/>
              <xs:enumeration value="server-public"/>
              <xs:enumeration value="www"/>
              <xs:enumeration value="mail"/>
              <xs:enumeration value="messaging"/>
              <xs:enumeration value="streaming"/>
              <xs:enumeration value="voice"/>
              <xs:enumeration value="file"/>
              <xs:enumeration value="ftp"/>
              <xs:enumeration value="p2p"/>
              <xs:enumeration value="name"/>
              <xs:enumeration value="directory"/>
              <xs:enumeration value="credential"/>
              <xs:enumeration value="print"/>
              <xs:enumeration value="application"/>
              <xs:enumeration value="database"/>
              <xs:enumeration value="backup"/>
              <xs:enumeration value="dhcp"/>
              <xs:enumeration value="infra"/>
              <xs:enumeration value="infra-firewall"/>
              <xs:enumeration value="infra-router"/>
              <xs:enumeration value="infra-switch"/>
              <xs:enumeration value="camera"/>
              <xs:enumeration value="proxy"/>
              <xs:enumeration value="remote-access"/>
              <xs:enumeration value="log"/>
              <xs:enumeration value="virtualization"/>
              <xs:enumeration value="pos"/>
              <xs:enumeration value="scada"/>
              <xs:enumeration value="scada-supervisory"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-category" type="xs:string" use="optional"/>
        <xs:attribute name="attacktype" type="att-type" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Service Class ==
  ==================================================================
-->
<xs:element name="Service">
  <xs:complexType>
    <xs:sequence>
      <xs:choice minOccurs="0">
        <xs:element name="Port" type="xs:integer"/>
        <xs:element name="Portlist" type="iodef:PortlistType"/>
      </xs:choice>
      <xs:element name="ProtoType" type="xs:integer" minOccurs="0"/>
      <xs:element name="ProtoCode" type="xs:integer" minOccurs="0"/>
      <xs:element name="ProtoField" type="xs:integer" minOccurs="0"/>
      <xs:element name="ApplicationHeader" type="iodef:ApplicationHeaderType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:EmailData" minOccurs="0"/>
      <xs:element ref="iodef:Application" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="ip-protocol" type="xs:integer" use="required"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<xs:simpleType name="PortlistType">
  <xs:restriction base="xs:string">
    <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
  </xs:restriction>
</xs:simpleType>
<!--
  ==================================================================
  == Counter class ==
  ==================================================================
-->
<xs:element name="Counter">
  <xs:complexType>
    <xs:simpleContent>
      <xs:extension base="xs:double">
        <xs:attribute name="type" use="required">
          <xs:simpleType>
            <xs:restriction base="xs:NMTOKEN">
              <xs:enumeration value="byte"/>
              <xs:enumeration value="packet"/>
              <xs:enumeration value="flow"/>
              <xs:enumeration value="session"/>
              <xs:enumeration value="event"/>
              <xs:enumeration value="alert"/>
              <xs:enumeration value="message"/>
              <xs:enumeration value="host"/>
              <xs:enumeration value="site"/>
              <xs:enumeration value="organization"/>
              <xs:enumeration value="ext-value"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:attribute>
        <xs:attribute name="ext-type" type="xs:string" use="optional"/>
        <xs:attribute name="meaning" type="xs:string" use="optional"/>
        <xs:attribute name="duration" type="iodef:duration-type"/>
        <xs:attribute name="ext-duration" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == EmailData class ==
  ==================================================================
-->
<xs:element name="EmailData">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="EmailFrom" type="iodef:MLStringType" minOccurs="0"/>
      <xs:element name="EmailSubject" type="iodef:MLStringType" minOccurs="0"/>
      <xs:element name="EmailX-Mailer" type="iodef:MLStringType" minOccurs="0"/>
      <xs:element name="EmailHeaderField" type="iodef:ApplicationHeaderType" minOccurs="0"/>
    </xs:sequence>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == DomainData class - from RFC5901 ==
  ==================================================================
-->
<xs:element name="DomainData">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Name" type="iodef:MLStringType" maxOccurs="1"/>
      <xs:element name="DateDomainWasChecked" type="xs:dateTime" minOccurs="0" maxOccurs="1"/>
      <xs:element name="RegistrationDate" type="xs:dateTime" minOccurs="0" maxOccurs="1"/>
      <xs:element name="ExpirationDate" type="xs:dateTime" minOccurs="0" maxOccurs="1"/>
      <xs:element name="RelatedDNS" type="iodef:RelatedDNSEntryType" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:Nameservers" minOccurs="0" maxOccurs="unbounded"/>
      <xs:element ref="iodef:DomainContacts" minOccurs="0" maxOccurs="1"/>
    </xs:sequence>
    <xs:attribute name="system-status">
      <xs:simpleType>
        <xs:restriction base="xs:string">
          <xs:enumeration value="spoofed"/>
          <xs:enumeration value="fraudulent"/>
          <xs:enumeration value="innocent-hacked"/>
          <xs:enumeration value="innocent-hijacked"/>
          <xs:enumeration value="unknown"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-system-status" type="xs:string" use="optional"/>
    <xs:attribute name="domain-status">
      <xs:simpleType>
        <xs:restriction base="xs:string">
          <xs:enumeration value="reservedDelegation"/>
          <xs:enumeration value="assignedAndActive"/>
          <xs:enumeration value="assignedAndInactive"/>
          <xs:enumeration value="assignedAndOnHold"/>
          <xs:enumeration value="revoked"/>
          <xs:enumeration value="transferPending"/>
          <xs:enumeration value="registryLock"/>
          <xs:enumeration value="registrarLock"/>
          <xs:enumeration value="other"/>
          <xs:enumeration value="unknown"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="ext-domain-status" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-uid" type="xs:string" use="optional"/>
    <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/>
  </xs:complexType>
</xs:element>
<xs:element name="RelatedDNS" type="iodef:RelatedDNSEntryType"/>
<xs:complexType name="RelatedDNSEntryType">
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="record-type" use="optional">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="A"/>
            <xs:enumeration value="AAAA"/>
            <xs:enumeration value="AFSDB"/>
            <xs:enumeration value="APL"/>
            <xs:enumeration value="AXFR"/>
            <xs:enumeration value="CAA"/>
            <xs:enumeration value="CERT"/>
            <xs:enumeration value="CNAME"/>
            <xs:enumeration value="DHCID"/>
            <xs:enumeration value="DLV"/>
            <xs:enumeration value="DNAME"/>
            <xs:enumeration value="DNSKEY"/>
            <xs:enumeration value="DS"/>
            <xs:enumeration value="HIP"/>
            <xs:enumeration value="IXFR"/>
            <xs:enumeration value="IPSECKEY"/>
            <xs:enumeration value="LOC"/>
            <xs:enumeration value="MX"/>
            <xs:enumeration value="NAPTR"/>
            <xs:enumeration value="NS"/>
            <xs:enumeration value="NSEC"/>
            <xs:enumeration value="NSEC3"/>
            <xs:enumeration value="NSEC3PARAM"/>
            <xs:enumeration value="OPT"/>
            <xs:enumeration value="PTR"/>
            <xs:enumeration value="RRSIG"/>
            <xs:enumeration value="RP"/>
            <xs:enumeration value="SIG"/>
            <xs:enumeration value="SOA"/>
            <xs:enumeration value="SPF"/>
            <xs:enumeration value="SRV"/>
            <xs:enumeration value="SSHFP"/>
            <xs:enumeration value="TA"/>
            <xs:enumeration value="TKEY"/>
            <xs:enumeration value="TLSA"/>
            <xs:enumeration value="TSIG"/>
            <xs:enumeration value="TXT"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-record-type" type="xs:string" use="optional"/>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
<xs:element name="Nameservers">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="Server" type="iodef:MLStringType"/>
      <xs:element ref="iodef:Address" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:element>
<xs:element name="DomainContacts">
  <xs:complexType>
    <xs:choice>
      <xs:element name="SameDomainContact" type="iodef:MLStringType"/>
      <xs:element ref="iodef:Contact" maxOccurs="unbounded" minOccurs="1"/>
    </xs:choice>
  </xs:complexType>
</xs:element>
<!--
  ==================================================================
  == Record class ==
  ==================================================================
-->
<xs:element name="Record">
  <xs:complexType>
    <xs:sequence>
      <xs:element ref="iodef:RecordData"
Stoecker Expires August 18, 2014 [Page 117] Internet-Draft IODEFv2 February 2014 maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> </xs:element> <xs:element name="RecordData"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:DateTime" minOccurs="0"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Application" minOccurs="0"/> <xs:element ref="iodef:RecordPattern" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/> <xs:element ref="iodef:HashInformation" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:WindowsRegistryKeysModified" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> <xs:attribute name="indicator-uid" type="xs:string" use="optional"/> <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <xs:element name="RecordPattern"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="regex"/> <xs:enumeration value="binary"/> <xs:enumeration value="xpath"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> Danyliw & Stoecker Expires August 18, 2014 [Page 118] Internet-Draft IODEFv2 February 2014 </xs:attribute> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="offset" type="xs:integer" use="optional"/> <xs:attribute name="offsetunit" use="optional" default="line"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="line"/> <xs:enumeration value="byte"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-offsetunit" type="xs:string" 
use="optional"/> <xs:attribute name="instance" type="xs:integer" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="RecordItem" type="iodef:ExtensionType"/> <!-- ================================================================== == Class to describe Windows Registry Keys == ================================================================== --> <xs:element name="WindowsRegistryKeysModified"> <xs:complexType> <xs:sequence> <xs:element name="Key" maxOccurs="unbounded"> <xs:complexType> <xs:sequence> <!-- Allows for the value to be optional for cases such as, the registry key was deleted --> <xs:element name="KeyName" type="xs:string"/> <xs:element name="Value" type="xs:string" minOccurs="0"/> </xs:sequence> <xs:attribute name="registryaction"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="add-key"/> <xs:enumeration value="add-value"/> <xs:enumeration value="delete-key"/> Danyliw & Stoecker Expires August 18, 2014 [Page 119] Internet-Draft IODEFv2 February 2014 <xs:enumeration value="delete-value"/> <xs:enumeration value="modify-key"/> <xs:enumeration value="modify-value"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-registryaction" type="xs:string" use="optional"/> </xs:complexType> </xs:element> </xs:sequence> <xs:attribute name="indicator-uid" type="xs:string" use="optional"/> <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/> </xs:complexType> </xs:element> <!-- ================================================================== == Classes that describe hash types, file information == == with certificate properties and digital signature info == == provided through the W3C digital signature schema == == so it does not need to be maintained here. 
== ================================================================== --> <xs:element name="HashInformation"> <xs:complexType> <xs:sequence> <xs:element name="FileName" type="iodef:MLStringType" minOccurs="0" maxOccurs="unbounded"/> <xs:element name="FileSize" type="xs:integer" minOccurs="0" maxOccurs="unbounded"/> <!-- CHANGE: Represent file hash information via digsig schema and the Reference class. You may need any of the other classes and in particular the KeyInfo (see RFC3275 sect 4.4.4/4.4.5), which has been added. KeyName, KeyValue, SignatureProperties classes may be useful, so Signature was added, but you can use KeyInfo and Reference directly to avoid some bloat. --> <xs:element ref="ds:Signature" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="ds:KeyInfo" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="ds:Reference" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> Danyliw & Stoecker Expires August 18, 2014 [Page 120] Internet-Draft IODEFv2 February 2014 </xs:sequence> <xs:attribute name="type" use="optional"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="PKI-email-ds"/> <xs:enumeration value="PKI-file-ds"/> <xs:enumeration value="PKI-email-ds-watchlist"/> <xs:enumeration value="PKI-file-ds-watchlist"/> <xs:enumeration value="PGP-email-ds"/> <xs:enumeration value="PGP-file-ds"/> <xs:enumeration value="PGP-email-ds-watchlist"/> <xs:enumeration value="PGP-file-ds-watchlist"/> <xs:enumeration value="file-hash"/> <xs:enumeration value="email-hash"/> <xs:enumeration value="file-hash-watchlist"/> <xs:enumeration value="email-hash-watchlist"/> <!-- QUESTION: Are values needed to differentiate the key information shared when the ds:KeyInfo class is referenced? 
--> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="valid" type="xs:boolean" use="optional" /> <xs:attribute name="indicator-uid" type="xs:string" use="optional"/> <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> </xs:element> <!-- ================================================================== == Classes that describe software == ================================================================== --> <xs:complexType name="SoftwareType"> <xs:sequence> <xs:element ref="iodef:URL" minOccurs="0"/> </xs:sequence> <xs:attribute name="swid" type="xs:string" default="0"/> Danyliw & Stoecker Expires August 18, 2014 [Page 121] Internet-Draft IODEFv2 February 2014 <xs:attribute name="configid" type="xs:string" default="0"/> <xs:attribute name="vendor" type="xs:string"/> <xs:attribute name="family" type="xs:string"/> <xs:attribute name="name" type="xs:string"/> <!-- CHANGE: Should UserAgent or HTTPUserAgent fit in SoftwareTypes? This is typically intended to mean servers, but the category seems more appropriate than others. 
--> <xs:attribute name="user-agent" type="xs:string"/> <xs:attribute name="version" type="xs:string"/> <xs:attribute name="patch" type="xs:string"/> </xs:complexType> <xs:element name="Application" type="iodef:SoftwareType"/> <xs:element name="OperatingSystem" type="iodef:SoftwareType"/> <!-- ================================================================== == Miscellaneous simple classes == ================================================================== --> <xs:element name="Description" type="iodef:MLStringType"/> <xs:element name="URL" type="xs:anyURI"/> <!-- ================================================================== == Data Types == ================================================================== --> <xs:simpleType name="PositiveFloatType"> <xs:restriction base="xs:float"> <xs:minExclusive value="0"/> </xs:restriction> </xs:simpleType> <xs:complexType name="MLStringType"> <xs:simpleContent> <xs:extension base="xs:string"> Danyliw & Stoecker Expires August 18, 2014 [Page 122] Internet-Draft IODEFv2 February 2014 <xs:attribute name="lang" type="xs:language" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> <xs:complexType name="ExtensionType" mixed="true"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="dtype" type="iodef:dtype-type" use="required"/> <xs:attribute name="ext-dtype" type="xs:string" use="optional"/> <xs:attribute name="meaning" type="xs:string"/> <xs:attribute name="formatid" type="xs:string"/> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> <xs:complexType name="ApplicationHeaderType" mixed="true"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="proto" type="xs:integer" use="required"/> <xs:attribute name="field" type="xs:string" use="required"/> <xs:attribute name="dtype" type="iodef:proto-dtype-type" 
use="required"/> <xs:attribute name="indicator-uid" type="xs:string" use="optional"/> <xs:attribute name="indicator-set-id" type="xs:string" use="optional"/> </xs:complexType> <!-- ================================================================== == Global attribute type declarations == ================================================================== --> <xs:simpleType name="yes-no-type"> <xs:restriction base="xs:NMTOKEN"> Danyliw & Stoecker Expires August 18, 2014 [Page 123] Internet-Draft IODEFv2 February 2014 <xs:enumeration value="yes"/> <xs:enumeration value="no"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="yes-no-unknown-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="yes"/> <xs:enumeration value="no"/> <xs:enumeration value="unknown"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="restriction-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="default"/> <xs:enumeration value="public"/> <xs:enumeration value="partner"/> <xs:enumeration value="need-to-know"/> <xs:enumeration value="private"/> <xs:enumeration value="white"/> <xs:enumeration value="green"/> <xs:enumeration value="amber"/> <xs:enumeration value="red"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="severity-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="low"/> <xs:enumeration value="medium"/> <xs:enumeration value="high"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="duration-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="second"/> <xs:enumeration value="minute"/> <xs:enumeration value="hour"/> <xs:enumeration value="day"/> <xs:enumeration value="month"/> <xs:enumeration value="quarter"/> <xs:enumeration value="year"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="action-type"> Danyliw & Stoecker Expires August 18, 2014 [Page 124] Internet-Draft IODEFv2 February 2014 <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="nothing"/> 
<xs:enumeration value="contact-source-site"/> <xs:enumeration value="contact-target-site"/> <xs:enumeration value="contact-sender"/> <xs:enumeration value="investigate"/> <xs:enumeration value="block-host"/> <xs:enumeration value="block-network"/> <xs:enumeration value="block-port"/> <xs:enumeration value="rate-limit-host"/> <xs:enumeration value="rate-limit-network"/> <xs:enumeration value="rate-limit-port"/> <xs:enumeration value="upgrade-software"/> <xs:enumeration value="rebuild-asset"/> <xs:enumeration value="remediate-other"/> <xs:enumeration value="status-triage"/> <xs:enumeration value="status-new-info"/> <xs:enumeration value="watch-and-report"/> <xs:enumeration value="defined-coa"/> <xs:enumeration value="other"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="dtype-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="boolean"/> <xs:enumeration value="byte"/> <xs:enumeration value="bytes"/> <xs:enumeration value="character"/> <xs:enumeration value="date-time"/> <xs:enumeration value="integer"/> <xs:enumeration value="ntpstamp"/> <xs:enumeration value="portlist"/> <xs:enumeration value="real"/> <xs:enumeration value="string"/> <xs:enumeration value="file"/> <xs:enumeration value="path"/> <xs:enumeration value="frame"/> <xs:enumeration value="packet"/> <xs:enumeration value="ipv4-packet"/> <xs:enumeration value="ipv6-packet"/> <xs:enumeration value="url"/> <xs:enumeration value="csv"/> <xs:enumeration value="winreg"/> <xs:enumeration value="xml"/> <xs:enumeration value="ext-value"/> </xs:restriction> Danyliw & Stoecker Expires August 18, 2014 [Page 125] Internet-Draft IODEFv2 February 2014 </xs:simpleType> <xs:simpleType name="proto-dtype-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="boolean"/> <xs:enumeration value="byte"/> <xs:enumeration value="bytes"/> <xs:enumeration value="character"/> <xs:enumeration value="date-time"/> <xs:enumeration value="integer"/> <xs:enumeration 
value="real"/> <xs:enumeration value="string"/> <xs:enumeration value="xml"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> <xs:simpleType name="att-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="c2-server"/> <xs:enumeration value="sink-hole"/> <xs:enumeration value="malware-distribution"/> <xs:enumeration value="phishing"/> <xs:enumeration value="spear-phishing"/> <xs:enumeration value="recruiting"/> <xs:enumeration value="fraudulent-site"/> <xs:enumeration value="dns-spoof"/> <xs:enumeration value="other"/> <xs:enumeration value="unknown"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:schema> 9. Security Considerations The IODEF data model itself does not directly introduce security issues. Rather, it simply defines a representation for incident information. As the data encoded by the IODEF might be considered privacy sensitive by the parties exchanging the information or by those described by it, care needs to be taken in ensuring the appropriate disclosure during both document exchange and subsequent processing. The former must be handled by a messaging format, but the latter risk must be addressed by the systems that process, store, and archive IODEF documents and information derived from them. Danyliw & Stoecker Expires August 18, 2014 [Page 126] Internet-Draft IODEFv2 February 2014 Executable content could be embedded into the IODEF document directly or through an extension. The IODEF parser should handle this content with care to prevent unintentional automated execution. The contents of an IODEF document may include a request for action or an IODEF parser may independently have logic to take certain actions based on information that it finds. For this reason, care must be taken by the parser to properly authenticate the recipient of the document and ascribe an appropriate confidence to the data prior to action. 
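   An added example (not part of the draft or its schema) of the
   recipient-side handling these paragraphs ask for, in Python with only
   the standard library: it refuses DTD constructs before parsing, lists
   ExtensionType payloads whose dtype carries embedded content so they
   can be quarantined rather than acted on, and redacts elements whose
   effective restriction attribute is stricter than the intended
   audience.  Assumed here, not stated by the draft: the IODEF-Document
   root element name, the relative ranking of the restriction-type
   values, that a missing or "default" restriction inherits the
   enclosing element's value (with "private" as the starting point,
   matching the Incident default), and the constructed sample document.

```python
"""Recipient-side handling of IODEF v2 documents (added example)."""
import copy
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-2.0"
ROOT_TAG = "{%s}IODEF-Document" % IODEF_NS  # assumed root element name
# Assumed sensitivity ranking of restriction-type values: the schema only
# enumerates them; how the two label sets line up is our choice.
RESTRICTION_RANK = {"public": 0, "white": 0, "partner": 1, "green": 1,
                    "need-to-know": 2, "amber": 2, "private": 3, "red": 3}
DEFAULT_RESTRICTION = "private"  # the Incident class's schema default
# dtype values whose payload is embedded data (files, packets, registry
# fragments, XML) that a parser must store or hand off, never auto-run.
EMBEDDED_DTYPES = {"file", "xml", "frame", "packet", "ipv4-packet",
                   "ipv6-packet", "winreg", "bytes"}

def parse_iodef(xml_text):
    """Refuse DTD constructs (entity expansion, external references)
    before parsing, then check that the root is an IODEF-Document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD constructs are not accepted in IODEF input")
    root = ET.fromstring(xml_text)
    if root.tag != ROOT_TAG:
        raise ValueError("not an IODEF v2 document: %s" % root.tag)
    return root

def effective_restriction(elem, inherited):
    """Own restriction if set; absence or 'default' inherits the
    enclosing element's value (our reading of the 'default' token)."""
    own = elem.get("restriction")
    if own is None or own == "default":
        return inherited
    if own not in RESTRICTION_RANK:
        raise ValueError("unknown restriction value: %s" % own)
    return own

def embedded_content(root):
    """(local name, dtype) of every element carrying an embedded payload."""
    return [(e.tag.split("}")[-1], e.get("dtype")) for e in root.iter()
            if e.get("dtype") in EMBEDDED_DTYPES]

def redact_for(root, audience):
    """Copy the tree minus every element whose effective restriction is
    stricter than `audience`; also return the dropped local names."""
    limit = RESTRICTION_RANK[audience]
    tree, removed = copy.deepcopy(root), []

    def prune(parent, inherited):
        for child in list(parent):
            level = effective_restriction(child, inherited)
            if RESTRICTION_RANK[level] > limit:
                parent.remove(child)
                removed.append(child.tag.split("}")[-1])
            else:
                prune(child, level)

    prune(tree, DEFAULT_RESTRICTION)  # IODEF-Document is only a container
    return tree, removed

# Constructed sample document; identifiers and values are illustrative.
SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Incident purpose="reporting" restriction="green">
    <IncidentID name="csirt.example.com">EXAMPLE-0001</IncidentID>
    <Contact role="creator" type="organization" restriction="public">
      <ContactName>Example CSIRT</ContactName>
    </Contact>
    <EventData restriction="private">
      <Record><RecordData>
        <RecordItem dtype="file">Zm9v</RecordItem>
      </RecordData></Record>
    </EventData>
  </Incident>
</IODEF-Document>"""

if __name__ == "__main__":
    doc = parse_iodef(SAMPLE)
    print("quarantine:", embedded_content(doc))
    view, dropped = redact_for(doc, "partner")
    print("dropped for partner:", dropped)
    print(ET.tostring(view, encoding="unicode"))
```

   For a "partner" audience the private EventData (and its embedded
   file) is dropped while the green Incident and public Contact survive;
   for a "public" audience the whole Incident goes.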
   The underlying messaging format and protocol used to exchange
   instances of the IODEF MUST provide appropriate guarantees of
   confidentiality, integrity, and authenticity.  The use of a
   standardized security protocol is encouraged.  The Real-time
   Inter-network Defense (RID) protocol [RFC6545] and its associated
   transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such
   security.

   In order to suggest data processing and handling guidelines of the
   encoded information, the IODEF allows a document sender to convey a
   privacy policy using the restriction attribute.  The various
   instances of this attribute allow different data elements of the
   document to be covered by dissimilar policies.  While flexible, it
   must be stressed that this approach only serves as a guideline from
   the sender, as the recipient is free to ignore it.  The issue of
   enforcement is not a technical problem.

10.  IANA Considerations

   This document uses URNs to describe an XML namespace and schema
   conforming to a registry mechanism described in [RFC3688].

   Registration for the IODEF namespace:

   o  URI: urn:ietf:params:xml:ns:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's
      Address" section of this document.

   o  XML: None.  Namespace URIs do not represent an XML specification.

   Registration for the IODEF XML schema:

   o  URI: urn:ietf:params:xml:schema:iodef-2.0

   o  Registrant Contact: See the first author of the "Author's
      Address" section of this document.

   o  XML: See the "IODEF Schema" in Section 8 of this document.

11.  Acknowledgments

   The following groups and individuals, listed alphabetically,
   contributed substantially to this document and should be recognized
   for their efforts.

   o  Kathleen Moriarty, EMC Corporation

   o  Brian Trammell, ETH Zurich

   o  Patrick Cain, Cooper-Cain Group, Inc.

   o  ... TODO many more to add ...

12.  References

12.1.  Normative References

   [W3C.XML]  World Wide Web Consortium, "Extensible Markup Language
              (XML) 1.0 (Second Edition)", W3C Recommendation, October
              2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.

   [W3C.SCHEMA]
              World Wide Web Consortium, "XML Schema Part 1: Structures
              Second Edition", W3C Recommendation, October 2004,
              <http://www.w3.org/TR/xmlschema-1/>.

   [W3C.SCHEMA.DTYPES]
              World Wide Web Consortium, "XML Schema Part 2: Datatypes
              Second Edition", W3C Recommendation, October 2004,
              <http://www.w3.org/TR/xmlschema-2/>.

   [W3C.XMLNS]
              World Wide Web Consortium, "Namespaces in XML", W3C
              Recommendation, January 1999,
              <http://www.w3.org/TR/REC-xml-names/>.

   [W3C.XPATH]
              World Wide Web Consortium, "XML Path Language (XPath)
              2.0", W3C Candidate Recommendation, June 2006,
              <http://www.w3.org/TR/xpath20/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC4646]  Phillips, A. and M. Davis, "Tags for Identifying
              Languages", RFC 4646, September 2006.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifiers (URI): Generic Syntax", RFC 3986,
              January 2005.

   [RFC2978]  Freed, N. and J. Postel, "IANA Charset Registration
              Procedures", RFC 2978, October 2000.

   [RFC4519]  Sciberras, A., "Schema for User Applications", RFC 4519,
              June 2006.

   [RFC5322]  Resnick, P., "Internet Message Format", RFC 5322, October
              2008.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, July 2002.

   [ISO8601]  International Organization for Standardization,
              "International Standard: Data elements and interchange
              formats - Information interchange - Representation of
              dates and times", ISO 8601, Second Edition, December 2000.

   [ISO4217]  International Organization for Standardization,
              "International Standard: Codes for the representation of
              currencies and funds, ISO 4217:2001", ISO 4217:2001,
              August 2001.

   [RFC3688]  Mealling, M., "The IETF XML Registry", RFC 3688, January
              2004.

   [RFC3275]  Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
              Language) XML-Signature Syntax and Processing", RFC 3275,
              March 2002.

   [IANA.Ports]
              Internet Assigned Numbers Authority, "Service Name and
              Transport Protocol Port Number Registry", January 2014,
              <http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt>.

   [IANA.Protocols]
              Internet Assigned Numbers Authority, "Assigned Internet
              Protocol Numbers", January 2014,
              <http://www.iana.org/assignments/protocol-numbers/protocol-numbers.txt>.

12.2.  Informative References

   [RFC5070]  Danyliw, R., Meijer, J., and Y. Demchenko, "Incident
              Object Description Exchange Format", RFC 5070, December
              2007.

   [refs.requirements]
              Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements
              for the Format for Incident Information Exchange (FINE)",
              Work in Progress, June 2006.

   [RFC4765]  Debar, H., Curry, D., and B. Feinstein, "Intrusion
              Detection Message Exchange Format", RFC 4765, March 2007.

   [RFC6545]  Moriarty, K., "Real-time Inter-network Defense (RID)",
              RFC 6545, April 2012.

   [RFC6546]  Trammell, B., "Transport of Real-time Inter-network
              Defense (RID) Messages over HTTP/TLS", RFC 6546, April
              2012.

   [RFC5901]  Cain, P. and D. Jevans, "Extensions to the IODEF-Document
              Class for Reporting Phishing", RFC 5901, July 2010.

   [NIST800.61rev2]
              Cichonski, P., Millar, T., Grance, T., and K. Scarfone,
              "NIST Special Publication 800-61 Revision 2: Computer
              Security Incident Handling Guide", January 2012,
              <http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf>.

   [RFC3982]  Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg)
              Type for the Internet Registry Information Service
              (IRIS)", RFC 3982, January 2005.

   [KB310516]
              Microsoft Corporation, "How to add, modify, or delete
              registry subkeys and values by using a registration
              entries (.reg) file", December 2007.

   [RFC4180]  Shafranovich, Y., "Common Format and MIME Type for
              Comma-Separated Values (CSV) File", RFC 4180, October
              2005.

Authors' Addresses

   Roman Danyliw
   CERT - Software Engineering Institute
   Pittsburgh, PA
   USA

   EMail: rdd@cert.org


   Paul Stoecker
   RSA
   Reston, VA
   USA

   EMail: paul.stoecker@rsa.com