Internet Engineering Task Force (IETF) R. Danyliw
Request for Comments: 7970 CERT
Obsoletes: 5070, 6685 November 2016
Category: Standards Track
ISSN: 2070-1721
Internet Engineering Task Force (IETF) R. Danyliw
Request for Comments: 7970 CERT
Obsoletes: 5070, 6685 November 2016
Category: Standards Track
ISSN: 2070-1721
The Incident Object Description Exchange Format Version 2
事件对象描述交换格式版本2
Abstract
摘要
The Incident Object Description Exchange Format (IODEF) defines a data representation for security incident reports and indicators commonly exchanged by operational security teams for mitigation and watch and warning. This document describes an updated information model for the IODEF and provides an associated data model specified with the XML schema. This new information and data model obsoletes RFCs 5070 and 6685.
事件对象描述交换格式(IODEF)定义了安全事件报告和指标的数据表示形式,这些报告和指标通常由运营安全团队交换,用于缓解、监视和警告。本文档描述了IODEF的更新信息模型,并提供了用XML模式指定的关联数据模型。这种新的信息和数据模型淘汰了RFC5070和6685。
Status of This Memo
关于下段备忘
This is an Internet Standards Track document.
这是一份互联网标准跟踪文件。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。有关互联网标准的更多信息,请参见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7970.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7970.
Copyright Notice
版权公告
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2016 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
This document may contain material from IETF Documents or IETF Contributions published or made publicly available before November 10, 2008. The person(s) controlling the copyright in some of this material may not have granted the IETF Trust the right to allow modifications of such material outside the IETF Standards Process. Without obtaining an adequate license from the person(s) controlling the copyright in such materials, this document may not be modified outside the IETF Standards Process, and derivative works of it may not be created outside the IETF Standards Process, except to format it for publication as an RFC or to translate it into languages other than English.
本文件可能包含2008年11月10日之前发布或公开的IETF文件或IETF贡献中的材料。控制某些材料版权的人员可能未授予IETF信托允许在IETF标准流程之外修改此类材料的权利。在未从控制此类材料版权的人员处获得充分许可的情况下,不得在IETF标准流程之外修改本文件,也不得在IETF标准流程之外创建其衍生作品,除了将其格式化以RFC形式发布或将其翻译成英语以外的其他语言。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 7
1.4. Changes from RFC 5070 . . . . . . . . . . . . . . . . . . 7
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 9
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10
2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10
2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 11
2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 11
2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11
2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11
2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 12
2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 12
2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12
2.13. Uniform Resource Locator Strings . . . . . . . . . . . . 12
2.14. Identifiers and Identifier References . . . . . . . . . . 12
2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 13
2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 14
2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 15
3. The IODEF Information Model . . . . . . . . . . . . . . . . . 18
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 18
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 20
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 23
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 23
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 25
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 25
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 26
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 27
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 28
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 29
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 30
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 34
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 35
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 36
3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 37
3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 38
3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 40
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 41
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 42
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. About the IODEF Data Model . . . . . . . . . . . . . . . 7
1.4. Changes from RFC 5070 . . . . . . . . . . . . . . . . . . 7
2. IODEF Data Types . . . . . . . . . . . . . . . . . . . . . . 9
2.1. Integers . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2. Real Numbers . . . . . . . . . . . . . . . . . . . . . . 9
2.3. Characters and Strings . . . . . . . . . . . . . . . . . 9
2.4. Multilingual Strings . . . . . . . . . . . . . . . . . . 9
2.5. Binary Strings . . . . . . . . . . . . . . . . . . . . . 10
2.5.1. Base64 Bytes . . . . . . . . . . . . . . . . . . . . 10
2.5.2. Hexadecimal Bytes . . . . . . . . . . . . . . . . . . 11
2.6. Enumerated Types . . . . . . . . . . . . . . . . . . . . 11
2.7. Date-Time String . . . . . . . . . . . . . . . . . . . . 11
2.8. Timezone String . . . . . . . . . . . . . . . . . . . . . 11
2.9. Port Lists . . . . . . . . . . . . . . . . . . . . . . . 11
2.10. Postal Address . . . . . . . . . . . . . . . . . . . . . 12
2.11. Telephone Number . . . . . . . . . . . . . . . . . . . . 12
2.12. Email String . . . . . . . . . . . . . . . . . . . . . . 12
2.13. Uniform Resource Locator Strings . . . . . . . . . . . . 12
2.14. Identifiers and Identifier References . . . . . . . . . . 12
2.15. Software . . . . . . . . . . . . . . . . . . . . . . . . 13
2.15.1. SoftwareReference Class . . . . . . . . . . . . . . 14
2.16. Extension . . . . . . . . . . . . . . . . . . . . . . . . 15
3. The IODEF Information Model . . . . . . . . . . . . . . . . . 18
3.1. IODEF-Document Class . . . . . . . . . . . . . . . . . . 18
3.2. Incident Class . . . . . . . . . . . . . . . . . . . . . 20
3.3. Common Attributes . . . . . . . . . . . . . . . . . . . . 23
3.3.1. restriction Attribute . . . . . . . . . . . . . . . . 23
3.3.2. observable-id Attribute . . . . . . . . . . . . . . . 25
3.4. IncidentID Class . . . . . . . . . . . . . . . . . . . . 25
3.5. AlternativeID Class . . . . . . . . . . . . . . . . . . . 26
3.6. RelatedActivity Class . . . . . . . . . . . . . . . . . . 27
3.7. ThreatActor Class . . . . . . . . . . . . . . . . . . . . 28
3.8. Campaign Class . . . . . . . . . . . . . . . . . . . . . 29
3.9. Contact Class . . . . . . . . . . . . . . . . . . . . . . 30
3.9.1. RegistryHandle Class . . . . . . . . . . . . . . . . 34
3.9.2. PostalAddress Class . . . . . . . . . . . . . . . . . 35
3.9.3. Email Class . . . . . . . . . . . . . . . . . . . . . 36
3.9.4. Telephone Class . . . . . . . . . . . . . . . . . . . 37
3.10. Discovery Class . . . . . . . . . . . . . . . . . . . . . 38
3.10.1. DetectionPattern Class . . . . . . . . . . . . . . . 40
3.11. Method Class . . . . . . . . . . . . . . . . . . . . . . 41
3.11.1. Reference Class . . . . . . . . . . . . . . . . . . 42
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 43
3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 45
3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 48
3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 50
3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 52
3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 53
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 54
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 54
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 57
3.14.1. Relating the Incident and EventData Classes . . . . 59
3.14.2. Recursive Definition of EventData . . . . . . . . . 59
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 60
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 63
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 64
3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 67
3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 68
3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 69
3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 73
3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 75
3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 77
3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 78
3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 79
3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 80
3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 81
3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 82
3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 83
3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 84
3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 85
3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 87
3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 88
3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 89
3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 90
3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 90
3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 91
3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 92
3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 94
3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 95
3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 95
3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 96
3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 96
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 99
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 100
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 101
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 106
3.29.5. Expressions with IndicatorExpression . . . . . . . . 108
3.29.6. ObservableReference Class . . . . . . . . . . . . . 110
3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 110
3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 111
3.12. Assessment Class . . . . . . . . . . . . . . . . . . . . 43
3.12.1. SystemImpact Class . . . . . . . . . . . . . . . . . 45
3.12.2. BusinessImpact Class . . . . . . . . . . . . . . . . 48
3.12.3. TimeImpact Class . . . . . . . . . . . . . . . . . . 50
3.12.4. MonetaryImpact Class . . . . . . . . . . . . . . . . 52
3.12.5. Confidence Class . . . . . . . . . . . . . . . . . . 53
3.13. History Class . . . . . . . . . . . . . . . . . . . . . . 54
3.13.1. HistoryItem Class . . . . . . . . . . . . . . . . . 54
3.14. EventData Class . . . . . . . . . . . . . . . . . . . . . 57
3.14.1. Relating the Incident and EventData Classes . . . . 59
3.14.2. Recursive Definition of EventData . . . . . . . . . 59
3.15. Expectation Class . . . . . . . . . . . . . . . . . . . . 60
3.16. Flow Class . . . . . . . . . . . . . . . . . . . . . . . 63
3.17. System Class . . . . . . . . . . . . . . . . . . . . . . 64
3.18. Node Class . . . . . . . . . . . . . . . . . . . . . . . 67
3.18.1. Address Class . . . . . . . . . . . . . . . . . . . 68
3.18.2. NodeRole Class . . . . . . . . . . . . . . . . . . . 69
3.18.3. Counter Class . . . . . . . . . . . . . . . . . . . 73
3.19. DomainData Class . . . . . . . . . . . . . . . . . . . . 75
3.19.1. Nameservers Class . . . . . . . . . . . . . . . . . 77
3.19.2. DomainContacts Class . . . . . . . . . . . . . . . . 78
3.20. Service Class . . . . . . . . . . . . . . . . . . . . . . 79
3.20.1. ServiceName Class . . . . . . . . . . . . . . . . . 80
3.20.2. ApplicationHeader Class . . . . . . . . . . . . . . 81
3.21. EmailData Class . . . . . . . . . . . . . . . . . . . . . 82
3.22. Record Class . . . . . . . . . . . . . . . . . . . . . . 83
3.22.1. RecordData Class . . . . . . . . . . . . . . . . . . 84
3.22.2. RecordPattern Class . . . . . . . . . . . . . . . . 85
3.23. WindowsRegistryKeysModified Class . . . . . . . . . . . . 87
3.23.1. Key Class . . . . . . . . . . . . . . . . . . . . . 88
3.24. CertificateData Class . . . . . . . . . . . . . . . . . . 89
3.24.1. Certificate Class . . . . . . . . . . . . . . . . . 90
3.25. FileData Class . . . . . . . . . . . . . . . . . . . . . 90
3.25.1. File Class . . . . . . . . . . . . . . . . . . . . . 91
3.26. HashData Class . . . . . . . . . . . . . . . . . . . . . 92
3.26.1. Hash Class . . . . . . . . . . . . . . . . . . . . . 94
3.26.2. FuzzyHash Class . . . . . . . . . . . . . . . . . . 95
3.27. SignatureData Class . . . . . . . . . . . . . . . . . . . 95
3.28. IndicatorData Class . . . . . . . . . . . . . . . . . . . 96
3.29. Indicator Class . . . . . . . . . . . . . . . . . . . . . 96
3.29.1. IndicatorID Class . . . . . . . . . . . . . . . . . 99
3.29.2. AlternativeIndicatorID Class . . . . . . . . . . . . 100
3.29.3. Observable Class . . . . . . . . . . . . . . . . . . 101
3.29.4. IndicatorExpression Class . . . . . . . . . . . . . 106
3.29.5. Expressions with IndicatorExpression . . . . . . . . 108
3.29.6. ObservableReference Class . . . . . . . . . . . . . 110
3.29.7. IndicatorReference Class . . . . . . . . . . . . . . 110
3.29.8. AttackPhase Class . . . . . . . . . . . . . . . . . 111
4. Processing Considerations . . . . . . . . . . . . . . . . . . 112
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 112
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 112
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 112
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 113
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 114
5.1. Extending the Enumerated Values of Attributes . . . . . . 114
5.1.1. Private Extension of Enumerated Values . . . . . . . 114
5.1.2. Public Extension of Enumerated Values . . . . . . . . 115
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 115
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 117
6. Internationalization Issues . . . . . . . . . . . . . . . . . 118
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 119
7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 119
7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 120
8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 121
9. Security Considerations . . . . . . . . . . . . . . . . . . . 161
9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 161
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 162
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 163
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 163
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 163
10.3. Expert Review of IODEF-Related XML Registry Entries . . 166
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 167
11.1. Normative References . . . . . . . . . . . . . . . . . . 167
11.2. Informative References . . . . . . . . . . . . . . . . . 170
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 171
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 172
4. Processing Considerations . . . . . . . . . . . . . . . . . . 112
4.1. Encoding . . . . . . . . . . . . . . . . . . . . . . . . 112
4.2. IODEF Namespace . . . . . . . . . . . . . . . . . . . . . 112
4.3. Validation . . . . . . . . . . . . . . . . . . . . . . . 112
4.4. Incompatibilities with v1 . . . . . . . . . . . . . . . . 113
5. Extending the IODEF . . . . . . . . . . . . . . . . . . . . . 114
5.1. Extending the Enumerated Values of Attributes . . . . . . 114
5.1.1. Private Extension of Enumerated Values . . . . . . . 114
5.1.2. Public Extension of Enumerated Values . . . . . . . . 115
5.2. Extending Classes . . . . . . . . . . . . . . . . . . . . 115
5.3. Deconflicting Private Extensions . . . . . . . . . . . . 117
6. Internationalization Issues . . . . . . . . . . . . . . . . . 118
7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 119
7.1. Minimal Example . . . . . . . . . . . . . . . . . . . . . 119
7.2. Indicators from a Campaign . . . . . . . . . . . . . . . 120
8. The IODEF Data Model (XML Schema) . . . . . . . . . . . . . . 121
9. Security Considerations . . . . . . . . . . . . . . . . . . . 161
9.1. Security . . . . . . . . . . . . . . . . . . . . . . . . 161
9.2. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 162
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 163
10.1. Namespace and Schema . . . . . . . . . . . . . . . . . . 163
10.2. Enumerated Value Registries . . . . . . . . . . . . . . 163
10.3. Expert Review of IODEF-Related XML Registry Entries . . 166
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 167
11.1. Normative References . . . . . . . . . . . . . . . . . . 167
11.2. Informative References . . . . . . . . . . . . . . . . . 170
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 171
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 172
Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a botnet, or sharing watch lists of known malicious indicators in a consortium.
组织需要其他各方的帮助,以减轻针对其网络的恶意活动,并深入了解潜在威胁。这种协调可能需要与ISP合作过滤攻击流量,联系远程站点关闭僵尸网络,或者在一个联盟中共享已知恶意指示器的监视列表。
The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs) or other operational security teams. It provides an XML representation for conveying:
事件对象描述交换格式(IODEF)是一种表示计算机安全事件响应团队(CSIRT)或其他操作安全团队之间通常交换的计算机安全信息的格式。它提供了一种XML表示,用于传达:
o indicators to characterize a threat;
o 确定威胁特征的指标;
o security incident reports to document attacks against an organization;
o 安全事件报告,记录对组织的攻击;
o response activity taken or that could be taken in response to an incident; and
o 针对事件采取或可能采取的响应活动;和
o metadata so that these various classes of information can be exchanged among parties.
o 元数据,以便这些不同类别的信息可以在各方之间交换。
The purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Adoption of the IODEF will improve the ability of a CSIRT to resolve security incidents; understand threats; and coordinate response activities and proactive mitigations by simplifying collaboration and data sharing with its partners. This structured format provided by the IODEF allows for:
IODEF的目的是增强CSIRT的作战能力。采用IODEF将提高CSIRT解决安全事件的能力;了解威胁;通过简化与合作伙伴的协作和数据共享,协调应对活动和主动缓解措施。IODEF提供的这种结构化格式允许:
o machine-to-machine exchange of incident and indicator data;
o 事件和指示器数据的机器间交换;
o automated processing of this data whereby allowing more rapid execution of appropriate courses of action; and
o 自动处理这些数据,从而允许更快速地执行适当的行动方案;和
o the development of an ecosystem of interoperable tools enabling security operations.
o 开发可互操作工具的生态系统,以实现安全操作。
Sharing and coordinating with other organizations is not strictly a technical problem. There are numerous procedural, cultural, legal, and trust-related barriers to overcome. The IODEF does not attempt to address them directly. However, operational implementations of the IODEF will need to consider these challenges.
与其他组织共享和协调并非严格意义上的技术问题。有许多程序、文化、法律和与信任相关的障碍需要克服。IODEF不会尝试直接解决这些问题。然而,IODEF的操作实现将需要考虑这些挑战。
Section 1 provides the background for the IODEF. Sections 3 and 8 specify the IODEF information and data model, respectively. The data types used in this document are described in Section 2. Processing considerations, extending the specification, internationalization, and security issues are covered in Sections 4, 5, 6, and 9, respectively. Examples are listed in Section 7.
第1节提供了IODEF的背景。第3节和第8节分别规定了IODEF信息和数据模型。第2节介绍了本文件中使用的数据类型。第4、5、6和9节分别介绍了处理注意事项、扩展规范、国际化和安全问题。第7节列出了示例。
The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
The IODEF is specified as an Extensible Markup Language (XML) [W3C.XML] schema [W3C.SCHEMA]. The normative IODEF data model is found in the XML schema in Section 8. To aid in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.
IODEF被指定为可扩展标记语言(XML)[W3C.XML]模式[W3C.schema]。在第8节的XML模式中可以找到标准的IODEF数据模型。为了帮助理解数据元素,第3节还使用统一建模语言(UML)描述了底层信息模型。IODEF的这一抽象表述不规范。
For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to an XML document conforming to the IODEF specification. The terms "schema" will be used to refer to Section 8 of this document. The terms "data model" and "schema" will be used interchangeably. The terms "class" and "element" will be used to reference either the corresponding data element in the UML-based information or XML schema-based data models, respectively.
为清楚起见,在本文档中,当泛指XML文档的任何实例时,将使用术语“XML文档”。术语“IODEF文档”将用于指符合IODEF规范的XML文档。术语“模式”将用于指代本文件第8节。术语“数据模型”和“模式”将互换使用。术语“类”和“元素”将分别用于引用基于UML的信息或基于XML模式的数据模型中的相应数据元素。
A number of considerations were made in the design of the IODEF data model.
在设计IODEF数据模型时考虑了许多因素。
o The data model found in this document is an evolution of the one previously specified in [RFC5070]. New fields were added to represent additional information. [RFC5070] was developed primarily to represent incident reports. This document builds upon it by adding support for indicators and revising it to reflect the current challenges faced by CSIRTs. An attempt was made to preserve backward compatibility, but this was not possible in all cases. See Section 4.4. This document obsoletes [RFC5070].
o 本文件中的数据模型是[RFC5070]中先前规定的数据模型的演变。添加了新字段以表示其他信息。[RFC5070]主要用于表示事故报告。本文件在此基础上增加了对指标的支持,并对其进行了修订,以反映CSIRT当前面临的挑战。曾试图保持向后兼容性,但并非在所有情况下都能做到这一点。见第4.4节。本文件废除了[RFC5070]。
o The IODEF is a transport format. Therefore, the data model may not be the optimal archival or in-memory processing format.
o IODEF是一种传输格式。因此,数据模型可能不是最佳的存档或内存处理格式。
o The IODEF is intended to be a framework to convey only commonly exchanged information. It ensures that there are mechanisms for extensibility to support organization-specific information and techniques to reference information kept outside of the data model.
o IODEF旨在作为一个框架,仅传达通常交换的信息。它确保存在支持特定于组织的信息的可扩展性机制和引用数据模型之外的信息的技术。
o Not all commonly exchanged information has a well-defined format or taxonomy. The IODEF attempts to strike a balance between enforcing sufficient structure to allow automated processing and supporting free-form content that enables maximum flexibility.
o 并非所有通常交换的信息都有定义良好的格式或分类。IODEF试图在强制执行足够的结构以允许自动处理和支持自由格式内容以实现最大灵活性之间取得平衡。
o The IODEF fits into a broader ecosystem of standards and conventions. An attempt was made to harmonize the data model with this context.
o IODEF符合更广泛的标准和公约生态系统。试图使数据模型与此上下文相协调。
A detailed list of additions made to the data model in [RFC5070] are enumerated in this section. See Section 4.4 for a list of incompatible changes.
本节列举了[RFC5070]中对数据模型所做添加的详细列表。有关不兼容更改的列表,请参见第4.4节。
o Updated the data types (Section 2) to improve internationalization, clarify ambiguity, and ensure consistency in extensions.
o 更新了数据类型(第2节),以改进国际化、澄清歧义并确保扩展的一致性。
o Added the observable-id attribute (Section 3.3.2) and IndicatorData class (Section 3.28) to represent indicators.
o 添加了可观察id属性(第3.3.2节)和IndicatorData类(第3.28节)以表示指标。
o Added the private-enum-name and private-enum-id attributes to the IODEF-Document class (Section 3.1) to disambiguate private extensions.
o 将私有枚举名称和私有枚举id属性添加到IODEF文档类(第3.1节)以消除私有扩展的歧义。
o Updated the Incident class (Section 3.2) to represent additional timing and workflow information.
o 更新了事件类别(第3.2节),以表示其他时间和工作流信息。
o Added the ThreatActor (Section 3.7) and Campaign (Section 3.8) classes to represent attack attribution information.
o 添加了ThreatActor(第3.7节)和Campaign(第3.8节)类来表示攻击归因信息。
o Updated the Contact class (Section 3.9) and its children to improve internationalization and represent additional information about an entity.
o 更新了Contact类(第3.9节)及其子类,以改进国际化并表示有关实体的附加信息。
o Updated the Method class (Section 3.11) to improve extensibility through externally referenced resources.
o 更新了方法类(第3.11节),以通过外部引用资源提高可扩展性。
o Added the Discovery class (Section 3.10) to describe how an incident was discovered.
o 增加了发现类(第3.10节)来描述事件是如何发现的。
o Updated the Assessment class (Section 3.12) to enable more descriptive characterizations of the impact of an incident.
o 更新了评估等级(第3.12节),以便对事件的影响进行更具描述性的描述。
o Updated the HistoryItem (Section 3.13.1) and Expectation (Section 3.15) classes to support a reference to a course of action.
o 更新了HistoryItem(第3.13.1节)和Expection(第3.15节)课程,以支持对行动方案的引用。
o Updated the EventData class (Section 3.14) with additional metadata added to the Incident class.
o 更新了EventData类(第3.14节),并向事件类添加了其他元数据。
o Updated the System class (Section 3.17) with additional metadata.
o 使用附加元数据更新了系统类(第3.17节)。
o Updated the Counter class (Section 3.18.3) to support additional rate metrics.
o 更新了计数器类(第3.18.3节),以支持其他费率指标。
o Added DomainData (Section 3.19), EmailData (Section 3.21), WindowsRegistryKeysModified (Section 3.23), CertificateData (Section 3.24), and FileData (Section 3.25) classes to improve the description of an incident and support this data as indicators.
o 添加了DomainData(第3.19节)、EmailData(第3.21节)、WindowsRegistryKeysModified(第3.23节)、CertificateData(第3.24节)和FileData(第3.25节)类,以改进对事件的描述,并支持将此数据作为指标。
o Added the SignatureData (Section 3.27) and HashData (Section 3.26) classes to represent digital signatures and hashes.
o 添加了SignatureData(第3.27节)和HashData(第3.26节)类来表示数字签名和哈希。
o Added support for public enumerated attribute extensions using IANA registries (Section 5.1.2).
o 增加了对使用IANA注册表的公共枚举属性扩展的支持(第5.1.2节)。
o Updated numerous enumerated attributes for completeness.
o 更新了大量枚举属性以确保完整性。
The IODEF uses a number of simple and complex types. This section describes these data types.
IODEF使用了许多简单和复杂的类型。本节介绍这些数据类型。
An integer is represented in the information model by the INTEGER data type. Integer data MUST be encoded in Base 10.
在信息模型中,整数由整数数据类型表示。整数数据必须以10为基数进行编码。
The INTEGER data type is implemented in the data model as an "xs:integer" type per Section 3.3.13 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.3.13节,整数数据类型在数据模型中实现为“xs:INTEGER”类型。
A real (floating-point) number is represented in the information model by the REAL data type. Real data MUST be encoded in Base 10.
在信息模型中,实数(浮点)由实数数据类型表示。实际数据必须以10为基数进行编码。
The REAL data type is implemented in the data model as an "xs:float" type per Section 3.2.4 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.4节,实际数据类型在数据模型中实现为“xs:float”类型。
A single character is represented in the information model by the CHARACTER data type. A string is represented by the STRING data type. Special characters MUST be encoded using entity references. See Section 4.1.
单个字符在信息模型中由字符数据类型表示。字符串由字符串数据类型表示。特殊字符必须使用实体引用进行编码。见第4.1节。
The CHARACTER and STRING data types are implemented in the data model as an "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.1节,字符和字符串数据类型在数据模型中实现为“xs:STRING”类型。
A string that needs to be represented in a human-readable language different than the default encoding of the document is represented in the information model by the ML_STRING data type.
需要以不同于文档默认编码的人类可读语言表示的字符串在信息模型中由ML_字符串数据类型表示。
The ML_STRING data type is implemented in the data model as the "iodef:MLStringType" type. This type extends the "xs:string" to include two attributes.
ML_字符串数据类型在数据模型中实现为“iodef:MLStringType”类型。此类型扩展了“xs:string”以包含两个属性。
+------------------------+
| iodef:MLStringType |
+------------------------+
| xs:string |
| |
| ENUM xml:lang |
| STRING translation-id |
+------------------------+
+------------------------+
| iodef:MLStringType |
+------------------------+
| xs:string |
| |
| ENUM xml:lang |
| STRING translation-id |
+------------------------+
Figure 1: The iodef:MLStringType Type
图1:iodef:MLStringType类型
The content of the class is a character string of type "xs:string" whose language MAY be specified by the xml:lang attribute.
类的内容是“xs:string”类型的字符串,其语言可以由xml:lang属性指定。
The attributes of the iodef:MLStringType type are:
iodef:MLStringType类型的属性为:
xml:lang Optional. ENUM. A language identifier per Section 2.12 of [W3C.XML] whose values and format are described in [RFC5646]. The interpretation of this code is described in Section 6.
xml:lang可选。枚举。[W3C.XML]第2.12节规定的语言标识符,其值和格式如[RFC5646]所述。本规范的解释见第6节。
translation-id Optional. STRING. An identifier to relate other instances of this class with the same parent as translations of this text. The scope of this identifier is limited to all of the direct, peer child classes of a given parent class.
翻译id可选。一串一个标识符,用于将此类的其他实例与此文本的翻译相同的父类相关联。此标识符的范围仅限于给定父类的所有直接对等子类。
Using this class enables representing translations of the same text in multiple languages. Each translation is a distinct instance of this class with a common parent. A group of classes each with a translated instance of text is related by setting a common identifier in the translation-id attribute. The language of a given class is set by the xml:lang attribute. See Section 6 for more details on representing translations of free-form text.
使用此类可以用多种语言表示同一文本的翻译。每个翻译都是此类的一个独特实例,具有一个公共父类。通过在translation id属性中设置公共标识符,将一组类(每个类都有一个已翻译的文本实例)关联起来。给定类的语言由xml:lang属性设置。有关表示自由格式文本翻译的更多详细信息,请参见第6节。
Binary octets can be represented with two encodings.
二进制八位字节可以用两种编码表示。
A binary octet encoded with base64 is represented in the information model by the BYTE data type. A sequence of these octets is of the BYTE[] data type.
在信息模型中,用base64编码的二进制八位字节由字节数据类型表示。这些八位字节的序列是BYTE[]数据类型。
The BYTE and BYTE[] data types are implemented in the data model as an "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].
The BYTE and BYTE[] data types are implemented in the data model as an "xs:base64Binary" type per Section 3.2.16 of [W3C.SCHEMA.DTYPES].translate error, please retry
A binary octet encoded as a character tuple consistent of two hexadecimal digits is represented in the information model by the HEXBIN data type. A sequence of these octets is of the HEXBIN[] data type.
在信息模型中,编码为两个十六进制数字一致的字符元组的二进制八位字节由HEXBIN数据类型表示。这些八位字节的序列属于HEXBIN[]数据类型。
The HEXBIN and HEXBIN[] data types are implemented in the data model as an "xs:hexBinary" type per Section 3.2.15 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.15节,HEXBIN和HEXBIN[]数据类型在数据模型中实现为“xs:hexBinary”类型。
An enumerated type is represented in the information model by the ENUM data type. It is an ordered list of acceptable string values. Each value has a representative keyword. Within the data model, the enumerated type keywords are used as attribute values.
枚举类型在信息模型中由枚举数据类型表示。它是可接受字符串值的有序列表。每个值都有一个代表性的关键字。在数据模型中,枚举类型关键字用作属性值。
The ENUM data type is implemented in the data model as values of an "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.3.4节,枚举数据类型在数据模型中作为“xs:NMTOKEN”类型的值实现。
A date-time string that describes a particular instant in time is represented in the information model by the DATETIME data type. Ranges are not supported.
描述特定时间瞬间的日期时间字符串在信息模型中由DATETIME数据类型表示。不支持范围。
The DATETIME data type is implemented in the data model as an "xs:dateTime" type per Section 3.2.7 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.7节,DATETIME数据类型在数据模型中实现为“xs:DATETIME”类型。
A timezone offset from UTC is represented in the information model by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".
与UTC的时区偏移在信息模型中由时区数据类型表示。它根据以下正则表达式进行格式化:“Z |[\+\-](0[0-9]| 1[0-4]):[0-5][0-9]”。
The TIMEZONE data type is implemented in the data model as an "iodef:TimezoneType" type.
时区数据类型在数据模型中实现为“iodef:TimezoneType”类型。
A list of network ports is represented in the information model by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60".
网络端口列表在信息模型中由PORTLIST数据类型表示。端口列表由逗号分隔的数字和范围列表组成(N-M表示端口N到M,包括在内)。它根据以下正则表达式进行格式化:“\d+(\-\d+)(,\d+(\-\d+)?*”。例如,“2,5-15,30,32,40-50,55-60”。
The PORTLIST data type is implemented in the data model as an "iodef:PortlistType" type.
PORTLIST数据类型在数据模型中作为“iodef:PortlistType”类型实现。
A postal address is represented in the information model by the POSTAL data type. The format of the POSTAL data type is documented in Section 2.23 of [RFC4519] as a free-form multi-line string separated by the "$" character.
在信息模型中,邮政地址由邮政数据类型表示。[RFC4519]第2.23节将邮政数据类型的格式记录为自由格式的多行字符串,由“$”字符分隔。
The POSTAL data type is implemented in the data model as an "iodef:MLStringType" type.
邮政数据类型在数据模型中实现为“iodef:MLStringType”类型。
A telephone number is represented in the information model by the PHONE data type. The format of the PHONE data type is documented in [E.164].
在信息模型中,电话号码由电话数据类型表示。电话数据类型的格式记录在[E.164]中。
The PHONE data type is implemented in the data model as an "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.1节,电话数据类型在数据模型中实现为“xs:string”类型。
An email address is represented in the information model by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of [RFC5322] and Section 3.3 of [RFC6531].
电子邮件地址在信息模型中由电子邮件数据类型表示。电子邮件数据类型的格式记录在[RFC5322]的第3.4.1节和[RFC6531]的第3.3节中。
The EMAIL data type is implemented in the data model as an "xs:string" type per Section 3.2.1 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.1节,电子邮件数据类型在数据模型中实现为“xs:string”类型。
A uniform resource locator (URL) is represented in the information model by the URL data type. The format of the URL data type is documented in [RFC3986].
统一资源定位器(URL)在信息模型中由URL数据类型表示。URL数据类型的格式记录在[RFC3986]中。
The URL data type is implemented as an "xs:anyURI" type per Section 3.2.17 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.2.17节,URL数据类型被实现为“xs:anyURI”类型。
An identifier unique to the IODEF document is represented in the information model by the ID data type. A reference to this identifier is represented by the IDREF data type.
IODEF文档的唯一标识符在信息模型中由ID数据类型表示。对该标识符的引用由IDREF数据类型表示。
The ID and IDREF data types are implemented in the model as "xs:ID" and "xs:IDREF" types per Sections 3.3.8 and 3.3.9 of [W3C.SCHEMA.DTYPES].
根据[W3C.SCHEMA.DTYPES]第3.3.8节和第3.3.9节,ID和IDREF数据类型在模型中实现为“xs:ID”和“xs:IDREF”类型。
A particular version of software is represented in the information model by the SOFTWARE data type. This software can be described by using a reference, a URL, or with free-form text.
在信息模型中,软件的特定版本由软件数据类型表示。可以使用引用、URL或自由格式文本来描述此软件。
The SOFTWARE data type is implemented in the data model as the "iodef:SoftwareType" type.
软件数据类型在数据模型中实现为“iodef:SoftwareType”类型。
+--------------------+
| iodef:SoftwareType |
+--------------------+
| |<>--{0..1}--[ SoftwareReference ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
+--------------------+
| iodef:SoftwareType |
+--------------------+
| |<>--{0..1}--[ SoftwareReference ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
Figure 2: The SoftwareType Type
图2:SoftwareType类型
The aggregate classes of the SoftwareType type are:
SoftwareType类型的聚合类包括:
SoftwareReference Zero or one. Reference to a software application. See Section 2.15.1.
软件参考零或一。对软件应用程序的引用。见第2.15.1节。
URL Zero or more. URL. A URL to a resource describing the software.
URL为零或更多。网址。描述软件的资源的URL。
Description Zero or more. ML_STRING. A free-form text description of the software.
说明零或更多。ML_字符串。软件的自由格式文本描述。
At least one of these classes MUST be present.
这些类中必须至少有一个存在。
The iodef:SoftwareType type has no attributes.
iodef:SoftwareType类型没有属性。
The SoftwareReference class is a reference to a particular version of software.
SoftwareReference类是对特定版本软件的引用。
+----------------------+
| SoftwareReference |
+----------------------+
| xs:any |
| |
| ENUM spec-name |
| STRING ext-spec-name |
| ENUM dtype |
| STRING ext-dtype |
+----------------------+
+----------------------+
| SoftwareReference |
+----------------------+
| xs:any |
| |
| ENUM spec-name |
| STRING ext-spec-name |
| ENUM dtype |
| STRING ext-dtype |
+----------------------+
Figure 3: The SoftwareReference Class
图3:SoftwareReference类
The element content varies according to the value of the spec-name attribute. It is defined in the data model as "xs:any" per [W3C.SCHEMA].
元素内容根据等级库名称属性的值而变化。它在数据模型中根据[W3C.SCHEMA]定义为“xs:any”。
The attributes of the SoftwareReference class are:
SoftwareReference类的属性包括:
spec-name Required. ENUM. Identifies the format and semantics of the element body of this class. Formal standards and specifications can be referenced as well as a free-form text description with a user-provided data type. These values are maintained in the "SoftwareReference-spec-id" IANA registry per Section 10.2
需要规格名称。枚举。标识此类的元素体的格式和语义。可以引用正式的标准和规范,也可以使用用户提供的数据类型引用自由格式的文本描述。根据第10.2节,这些值保存在“SoftwareReference spec id”IANA注册表中
1. custom. The element content is free-form and of the data type specified by the dtype attribute. If this value is selected, then the dtype attribute MUST be set.
1. 风俗元素内容是自由格式的,并且是由dtype属性指定的数据类型。如果选择此值,则必须设置dtype属性。
2. cpe. The element content describes a Common Platform Enumeration (CPE) entry per [NIST.CPE].
2. cpe。元素内容根据[NIST.CPE]描述了公共平台枚举(CPE)条目。
3. swid. The element content describes a software identification (SWID) tag per [ISO19770].
3. 斯威德。元素内容根据[ISO19770]描述了软件标识(SWID)标签。
4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
4. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-spec-name Optional. STRING. A means by which to extend the spec-name attribute. See Section 5.1.1.
外部规范名称可选。一串扩展等级库名称属性的方法。见第5.1.1节。
dtype Optional. ENUM. The data type of the element content. The permitted values for this attribute are shown below. The default value is "string". These values are maintained in the "SoftwareReference-dtype" IANA registry per Section 10.2.
数据类型可选。枚举。元素内容的数据类型。此属性的允许值如下所示。默认值为“字符串”。根据第10.2节,这些值保存在“软件参考数据类型”IANA注册表中。
1. bytes. The element content is of type HEXBIN.
1. 字节。元素内容为HEXBIN类型。
2. integer. The element content is of type INTEGER.
2. 整数元素内容的类型为整数。
3. real. The element content is of type REAL.
3. 真实的元素内容的类型为REAL。
4. string. The element content is of type STRING.
4. 一串元素内容的类型为字符串。
5. xml. The element content is XML. See Section 5.2.
5. xml。元素内容是XML。见第5.2节。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-dtype Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.1.
ext数据类型可选。一串扩展数据类型属性的方法。见第5.1.1节。
Information not otherwise represented in the IODEF can be added using the EXTENSION data type. This data type is a generic extension mechanism.
可以使用扩展数据类型添加IODEF中未以其他方式表示的信息。此数据类型是一种通用扩展机制。
The EXTENSION data type is implemented in the data model as the "iodef:ExtensionType" type.
扩展数据类型在数据模型中实现为“iodef:ExtensionType”类型。
The data type of an EXTENSION is described by the dtype attribute. For simple information, atomic data types (e.g., integers, strings) are supported. Their semantics are further described by the meaning and formatid attributes. Encapsulating XML documents conforming to another schema is also supported. A detailed discussion of extending the schema can be found in Section 5. Additional coordination may be required to ensure that a recipient of a document using this type can parse and process it.
扩展的数据类型由dtype属性描述。对于简单信息,支持原子数据类型(例如整数、字符串)。语义由语义和formatid属性进一步描述。还支持封装符合另一模式的XML文档。关于扩展模式的详细讨论见第5节。可能需要额外的协调,以确保使用此类型的文档的收件人能够解析和处理它。
+------------------------+
| iodef:ExtensionType |
+------------------------+
| xs:any |
| |
| STRING name |
| ENUM dtype |
| STRING ext-dtype |
| STRING meaning |
| STRING formatid |
| ENUM restriction |
| STRING ext-restriction |
| ID observable-id |
+------------------------+
+------------------------+
| iodef:ExtensionType |
+------------------------+
| xs:any |
| |
| STRING name |
| ENUM dtype |
| STRING ext-dtype |
| STRING meaning |
| STRING formatid |
| ENUM restriction |
| STRING ext-restriction |
| ID observable-id |
+------------------------+
Figure 4: The iodef:ExtensionType Type
图4:iodef:ExtensionType类型
The element content of this type is the extension being added to the data model. This content is defined in the data model as "xs:any" per [W3C.SCHEMA].
此类型的元素内容是添加到数据模型的扩展。此内容在数据模型中根据[W3C.SCHEMA]定义为“xs:any”。
The attributes of the iodef:ExtensionType type are:
iodef:ExtensionType类型的属性为:
name Optional. STRING. A free-form name of the field or data element.
名称可选。一串字段或数据元素的自由格式名称。
dtype Required. ENUM. The data type of the element content. The default value is "string". These values are maintained in the "ExtensionType-dtype" IANA registry per Section 10.2.
需要数据类型。枚举。元素内容的数据类型。默认值为“字符串”。根据第10.2节,这些值保存在“ExtensionType dtype”IANA注册表中。
1. boolean. The element content is of type BOOLEAN.
1. 布尔型。元素内容为布尔类型。
2. byte. The element content is of type BYTE.
2. 字节元素内容的类型为BYTE。
3. bytes. The element content is of type HEXBIN.
3. 字节。元素内容为HEXBIN类型。
4. character. The element content is of type CHARACTER.
4. 性格元素内容为字符类型。
5. date-time. The element content is of type DATETIME.
5. 日期时间。元素内容的类型为DATETIME。
6. ntpstamp. Same as date-time.
6. NTP放大器。和日期时间一样。
7. integer. The element content is of type INTEGER.
7. 整数元素内容的类型为整数。
8. portlist. The element content is of type PORTLIST.
8. 端口列表。元素内容的类型为PORTLIST。
9. real. The element content is of type REAL.
9. 真实的元素内容的类型为REAL。
10. string. The element content is of type STRING.
10. 一串元素内容的类型为字符串。
11. file. The element content is a base64-encoded binary file encoded as a BYTE[] type.
11. 文件元素内容是一个base64编码的二进制文件,编码为BYTE[]类型。
12. path. The element content is a file-system path encoded as a STRING type.
12. 路径元素内容是编码为字符串类型的文件系统路径。
13. frame. The element content is a Layer 2 frame encoded as a HEXBIN type.
13. 框架元素内容是编码为HEXBIN类型的第2层帧。
14. packet. The element content is a Layer 3 packet encoded as a HEXBIN type.
14. 小包裹元素内容是编码为HEXBIN类型的第3层数据包。
15. ipv4-packet. The element content is an IPv4 packet encoded as a HEXBIN type.
15. ipv4数据包。元素内容是编码为HEXBIN类型的IPv4数据包。
16. ipv6-packet. The element content is an IPv6 packet encoded as a HEXBIN type.
16. ipv6数据包。元素内容是编码为HEXBIN类型的IPv6数据包。
17. url. The element content is of type URL.
17. 网址。元素内容的类型为URL。
18. csv. The element content is a comma-separated value (CSV) list per Section 2 of [RFC4180] encoded as a STRING type.
18. csv。元素内容是[RFC4180]第2节规定的逗号分隔值(CSV)列表,编码为字符串类型。
19. winreg. The element content is a Microsoft Windows registry key encoded as a STRING type.
19. 温瑞格。元素内容是编码为字符串类型的Microsoft Windows注册表项。
20. xml. The element content is XML. See Section 5.2.
20. xml。元素内容是XML。见第5.2节。
21. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
21. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-dtype Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.1.
ext数据类型可选。一串扩展数据类型属性的方法。见第5.1.1节。
meaning Optional. STRING. A free-form text description of the element content.
意思是可选的。一串元素内容的自由格式文本描述。
formatid Optional. STRING. An identifier referencing the format or semantics of the element content.
formatid是可选的。一串引用元素内容的格式或语义的标识符。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The specifics of the IODEF information model are discussed in this section. Each class and its relationships with the other classes is described. When necessary, clarifications are made about translating this information model to the schema in Section 8.
本节将讨论IODEF信息模型的细节。描述了每个类及其与其他类的关系。必要时,将在第8节中说明如何将此信息模型转换为模式。
The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class.
IODEF文档类是IODEF数据模型中的顶级类。所有IODEF文档都是此类的实例。
+--------------------------+
| IODEF-Document |
+--------------------------+
| STRING version |<>--{1..*}--[ Incident ]
| ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
| STRING format-id |
| STRING private-enum-name |
| STRING private-enum-id |
+--------------------------+
+--------------------------+
| IODEF-Document |
+--------------------------+
| STRING version |<>--{1..*}--[ Incident ]
| ENUM xml:lang |<>--{0..*}--[ AdditionalData ]
| STRING format-id |
| STRING private-enum-name |
| STRING private-enum-id |
+--------------------------+
Figure 5: The IODEF-Document Class
图5:IODEF文档类
The aggregate classes of the IODEF-Document class are:
IODEF文档类的聚合类包括:
Incident One or more. The information related to a single incident. See Section 3.2.
一个或多个事件。与单一事件相关的信息。见第3.2节。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The attributes of the IODEF-Document class are:
IODEF文档类的属性包括:
version Required. STRING. The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be "2.00".
版本要求。一串本IODEF文件所遵循的IODEF规范版本号。此属性的值必须为“2.00”。
xml:lang Optional. ENUM. A language identifier per Section 2.12 of [W3C.XML] whose values and form are described in [RFC5646]. The interpretation of this code is described in Section 6.
xml:lang可选。枚举。[W3C.XML]第2.12节规定的语言标识符,其值和形式如[RFC5646]所述。本规范的解释见第6节。
format-id Optional. STRING. A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out of band.
格式id可选。一串一种自由格式的字符串,用于向文档收件人传递处理指令。它的语义必须在带外协商。
private-enum-name Optional. STRING. A globally unique identifier for the CSIRT generating the document to deconflict private extensions used in the document. The fully qualified domain name (FQDN) associated with the CSIRT MUST be used as the identifier. See Section 5.3.
私有枚举名称可选。一串生成文档以消除文档中使用的私有扩展冲突的CSIRT的全局唯一标识符。必须将与CSIRT关联的完全限定域名(FQDN)用作标识符。见第5.3节。
private-enum-id Optional. STRING. An organizationally unique identifier for an extension used in the document. If this attribute is set, the private-enum-name MUST also be set. See Section 5.3.
私有枚举id是可选的。一串文档中使用的扩展的组织唯一标识符。如果设置了此属性,则还必须设置私有枚举名称。见第5.3节。
The Incident class describes commonly exchanged information when reporting or sharing derived analysis from security incidents.
事件类描述了在报告或共享从安全事件派生的分析时通常交换的信息。
+-------------------------+
| Incident |
+-------------------------+
| ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM status |<>--{0..*}--[ RelatedActivity ]
| STRING ext-status |<>--{0..1}--[ DetectTime ]
| ENUM xml:lang |<>--{0..1}--[ StartTime ]
| ENUM restriction |<>--{0..1}--[ EndTime ]
| STRING ext-restriction |<>--{0..1}--{ RecoveryTime ]
| ID observable-id |<>--{0..1}--[ ReportTime ]
| |<>----------[ GenerationTime ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*} [ Discovery ]
| |<>--{0..*}--[ Assessment ]
| |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ]
| |<>--{0..1}--[ IndicatorData ]
| |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
+-------------------------+
| Incident |
+-------------------------+
| ENUM purpose |<>----------[ IncidentID ]
| STRING ext-purpose |<>--{0..1}--[ AlternativeID ]
| ENUM status |<>--{0..*}--[ RelatedActivity ]
| STRING ext-status |<>--{0..1}--[ DetectTime ]
| ENUM xml:lang |<>--{0..1}--[ StartTime ]
| ENUM restriction |<>--{0..1}--[ EndTime ]
| STRING ext-restriction |<>--{0..1}--{ RecoveryTime ]
| ID observable-id |<>--{0..1}--[ ReportTime ]
| |<>----------[ GenerationTime ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*} [ Discovery ]
| |<>--{0..*}--[ Assessment ]
| |<>--{0..*}--[ Method ]
| |<>--{1..*}--[ Contact ]
| |<>--{0..*}--[ EventData ]
| |<>--{0..1}--[ IndicatorData ]
| |<>--{0..1}--[ History ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
Figure 6: The Incident Class
图6:事件类
The aggregate classes of the Incident class are:
事件类别的聚合类别为:
IncidentID One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document. See Section 3.4.
包括一个。由生成IODEF文档的CSIRT分配给此事件的事件跟踪号。见第3.4节。
AlternativeID Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document. See Section 3.5.
或者是零或者一。其他CSIRT用于引用文档中描述的事件的事件跟踪号。见第3.5节。
RelatedActivity Zero or more. Related activity and attribution of this activity. See Section 3.6.
相关活动为零或更多。相关活动和该活动的归属。见第3.6节。
DetectTime Zero or one. DATETIME. The time the incident was first detected.
检测时间为零或一。日期时间。事件首次被发现的时间。
StartTime Zero or one. DATETIME. The time the incident started.
开始计时零或一。日期时间。事件开始的时间。
EndTime Zero or one. DATETIME. The time the incident ended.
结束时间0或1。日期时间。事件结束的时间。
RecoveryTime Zero or one. DATETIME. The time the site recovered from the incident.
恢复时间为0或1。日期时间。现场从事件中恢复的时间。
ReportTime Zero or one. DATETIME. The time the incident was reported.
报告时间为零或一。日期时间。事件被报道的时间。
GenerationTime One. DATETIME. The time the content in this Incident class was generated.
第一代。日期时间。生成此事件类中的内容的时间。
Description Zero or more. ML_STRING. A free-form text description of the incident.
说明零或更多。ML_字符串。事件的自由文本描述。
Discovery Zero or more. The means by which this incident was detected. See Section 3.10.
发现零或更多。检测此事件的方法。见第3.10节。
Assessment Zero or more. A characterization of the impact of the incident. See Section 3.12.
评估为零或更多。对事件影响的描述。见第3.12节。
Method Zero or more. The techniques used by the threat actor in the incident. See Section 3.11.
方法0或更多。事件中威胁行为人使用的技术。见第3.11节。
Contact One or more. Contact information for the parties involved in the incident. See Section 3.9.
联系一个或多个。事件相关方的联系信息。见第3.9节。
EventData Zero or more. Description of the events comprising the incident. See Section 3.14.
EventData为零或更多。对构成事件的事件的描述。见第3.14节。
IndicatorData Zero or one. Indicators from the analysis of an incident. See Section 3.28.
指示器数据0或1。事件分析的指标。见第3.28节。
History Zero or one. A log of significant events or actions that occurred during the course of handling the incident. See Section 3.13.
历史是零还是一。事件处理过程中发生的重大事件或行动的日志。见第3.13节。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The attributes of the Incident class are:
事件类的属性包括:
purpose Required. ENUM. The purpose attribute describes the rationale for documenting the information in this class. It is closely related to the Expectation class (Section 3.15). These values are maintained in the "Incident-purpose" IANA registry per Section 10.2. This attribute is defined as an enumerated list:
所需的目的。枚举。“目的”属性描述了记录此类信息的基本原理。它与期望等级密切相关(第3.15节)。根据第10.2节,这些值保存在“事故目的”IANA注册表中。此属性定义为枚举列表:
1. traceback. The incident was sent for trace-back purposes.
1. 追踪。该事件被发送用于追溯目的。
2. mitigation. The incident was sent to request aid in mitigating the described activity.
2. 缓解。事件被发送至请求协助缓解所述活动。
3. reporting. The incident was sent to comply with reporting requirements.
3. 报告。事件被发送以符合报告要求。
4. watch. The incident was sent to convey indicators that should be monitored.
4. 看这一事件是为了传达应加以监测的指标。
5. other. The incident was sent for purposes specified in the Expectation class.
5. 另外事件是为Expectation类中指定的目的发送的。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-purpose Optional. STRING. A means by which to extend the purpose attribute. See Section 5.1.1.
ext用途可选。一串扩展目的属性的方法。见第5.1.1节。
status Optional. ENUM. The status attribute conveys the state in a workflow where the incident is currently found. These values are maintained in the "Incident-status" IANA registry per Section 10.2. This attribute is defined as an enumerated list:
状态可选。枚举。“状态”属性表示当前发现事件的工作流中的状态。根据第10.2节,这些值保存在“事件状态”IANA注册表中。此属性定义为枚举列表:
1. new. The incident is newly reported, and no action has been taken.
1. 刚出现的这起事件是新报道的,尚未采取任何行动。
2. in-progress. The incident is under investigation.
2. 正在进行中。事件正在调查中。
3. forwarded. The incident has been forwarded to another party for handling.
3. 转发。事件已转交另一方处理。
4. resolved. The investigation into the activity in this incident has concluded.
4. 断然的。对这起事件中的活动的调查已经结束。
5. future. The described activity has not yet been detected.
5. 将来尚未检测到所述活动。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-status Optional. STRING. A means by which to extend the status attribute. See Section 5.1.1.
外部状态可选。一串扩展状态属性的方法。见第5.1.1节。
xml:lang Optional. ENUM. A language identifier per Section 2.12 of [W3C.XML] whose values and form are described in [RFC5646]. The interpretation of this code is described in Section 6.
xml:lang可选。枚举。[W3C.XML]第2.12节规定的语言标识符,其值和形式如[RFC5646]所述。本规范的解释见第6节。
restriction Optional. ENUM. See Section 3.3.1. The default value is "private".
限制是可选的。枚举。见第3.3.1节。默认值为“private”。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
There are a number of recurring attributes used in the information model. They are documented in this section.
信息模型中使用了许多重复属性。本节对其进行了记录。
The restriction attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no technical means to ensure that the recipient of the document handles the information as the sender requested.
“限制”属性表示发件人希望收件人遵守此类及其子类中表示的信息的披露准则。本指南不提供任何安全性,因为没有技术手段来确保文档收件人按照发件人的要求处理信息。
The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class also apply to its children.
该属性的值由此类的子级逻辑继承。也就是说,适用于该类的披露规则也适用于其子类。
It is possible to set a granular disclosure policy, since all of the high-level classes (i.e., children of the Incident class) have a restriction attribute. Therefore, a child can override the guidelines of a parent class, be it to restrict or relax the disclosure rules (e.g., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value.
可以设置粒度披露策略,因为所有高级类(即事件类的子类)都有一个限制属性。因此,子类可以覆盖父类的指导原则,以限制或放宽披露规则(例如,子类的策略弱于祖先类;或者祖先类的策略弱,子类选择性地应用更严格的控制)。未指定值的类的限制属性的隐式值可以在指定值的最近祖先中找到。
This attribute is defined as an enumerated value with a default value of "private". Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute is used, no default is specified.
此属性定义为默认值为“private”的枚举值。请注意,限制属性的默认值仅在事件类的上下文中定义。在使用此属性的其他类中,未指定默认值。
These values are maintained in the "Restriction" IANA registry per Section 10.2.
根据第10.2节,这些值保存在“限制”IANA注册表中。
1. public. The information can be freely distributed without restriction.
1. 平民的这些信息可以不受限制地自由分发。
2. partner. The information may be shared within a closed community of peers, partners, or affected parties, but cannot be openly published.
2. 配偶信息可以在由同行、合作伙伴或受影响方组成的封闭社区内共享,但不能公开发布。
3. need-to-know. The information may be shared only within the organization with individuals that have a need to know.
3. 我需要知道。信息只能在组织内部与需要了解的个人共享。
4. private. The information may not be shared.
4. 私有的这些信息可能无法共享。
5. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.
5. 违约可以根据通信方预先安排的信息披露策略共享信息。
6. white. Same as 'public'.
6. 白色与“公共”相同。
7. green. Same as 'partner'.
7. 绿色与“合作伙伴”相同。
8. amber. Same as 'need-to-know'.
8. 琥珀色与“需要知道”相同。
9. red. Same as 'private'.
9. 红色与“私人”相同。
10. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
10. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
The observable-id attribute tags information in the document as an observable so that it can be referenced later in the description of an indicator. The value of this attribute is a unique identifier in the scope of the document. It is used by the ObservableReference class to enumerate observables when defining an indicator with the IndicatorData class.
可观测id属性将文档中的信息标记为可观测信息,以便稍后在指标描述中引用。此属性的值是文档范围内的唯一标识符。ObserverReference类在使用IndicatorData类定义指标时使用它来枚举可观察项。
The IncidentID class represents a tracking number that is unique in the context of the CSIRT. It serves as an identifier for an incident or a document identifier when sharing indicators. This identifier would serve as an index into a CSIRT's incident handling or knowledge management system.
IncidentID类表示在CSIRT上下文中唯一的跟踪号。它用作事件的标识符或共享指标时的文档标识符。该标识符可作为CSIRT事件处理或知识管理系统的索引。
The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.
元素内容中的name属性和字符串的组合必须是描述活动的全局唯一标识符。给定CSIRT生成的文档不得重用相同的值,除非它们引用相同的事件。
+------------------------+
| IncidentID |
+------------------------+
| STRING |
| |
| STRING name |
| STRING instance |
| ENUM restriction |
| STRING ext-restriction |
+------------------------+
+------------------------+
| IncidentID |
+------------------------+
| STRING |
| |
| STRING name |
| STRING instance |
| ENUM restriction |
| STRING ext-restriction |
+------------------------+
Figure 7: The IncidentID Class
图7:包含的类别
The content of the class is an incident identifier of type STRING.
类的内容是字符串类型的事件标识符。
The attributes of the IncidentID class are:
IncidentID类的属性包括:
name Required. STRING. An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.
需要名称。一串描述创建文档的CSIRT的标识符。为了拥有全局唯一的CSIRT名称,必须使用与CSIRT关联的完全限定域名。
instance Optional. STRING. An identifier referencing a subset of the named incident.
实例可选。一串引用命名事件子集的标识符。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The AlternativeID class lists the tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described in the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by another CSIRT. The tracking numbers of the CSIRT that generated the IODEF document must never be considered an AlternativeID.
AlternativeID类列出CSIRT使用的跟踪号,而不是生成文档的跟踪号,以引用IODEF文档中描述的相同活动。列为备用ID的跟踪号引用另一个CSIRT检测到的相同事件。生成IODEF文档的CSIRT的跟踪号决不能被视为备选ID。
+------------------------+
| AlternativeID |
+------------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ]
| STRING ext-restriction |
+------------------------+
+------------------------+
| AlternativeID |
+------------------------+
| ENUM restriction |<>--{1..*}--[ IncidentID ]
| STRING ext-restriction |
+------------------------+
Figure 8: The AlternativeID Class
图8:AlternativeID类
The aggregate class of the AlternativeID class is:
AlternativeID类的聚合类为:
IncidentID One or more. The tracking number of another CSIRT. See Section 3.4.
包含一个或多个。另一个CSIRT的跟踪号。见第3.4节。
The attributes of the AlternativeID class are:
AlternativeID类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The RelatedActivity class relates the information described in the rest of the document to previously observed incidents or activity and allows attribution to a specific actor or campaign.
RelatedActivity类将文档其余部分中描述的信息与以前观察到的事件或活动相关联,并允许将其归因于特定的参与者或活动。
+------------------------+
| RelatedActivity |
+------------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ]
| STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ]
| |<>--{0..*}--[ IndicatorID ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| RelatedActivity |
+------------------------+
| ENUM restriction |<>--{0..*}--[ IncidentID ]
| STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ ThreatActor ]
| |<>--{0..*}--[ Campaign ]
| |<>--{0..*}--[ IndicatorID ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 9: The RelatedActivity Class
图9:RelatedActivity类
The aggregate classes of the RelatedActivity class are:
RelatedActivity类的聚合类为:
IncidentID Zero or more. The tracking number of a related incident. See Section 3.4.
包括零或更多。相关事件的跟踪编号。见第3.4节。
URL Zero or more. URL. A URL to activity related to this incident.
URL为零或更多。网址。指向与此事件相关的活动的URL。
ThreatActor Zero or more. The threat actor to whom the incident activity is attributed. See Section 3.7.
威胁因子为零或更多。事件活动归因于的威胁参与者。见第3.7节。
Campaign Zero or more. The campaign of a given threat actor to whom the described activity is attributed. See Section 3.8.
活动零或更多。所述活动的特定威胁行为人的活动。见第3.8节。
IndicatorID Zero or more. A reference to a related indicator. See Section 3.4.
指示零或更多。对相关指标的引用。见第3.4节。
Confidence Zero or one. An estimate of the confidence in attributing this RelatedActivity to the events described in the document. See Section 3.12.5.
信心0或1。将此相关活动归因于文件中所述事件的置信度估计。见第3.12.5节。
Description Zero or more. ML_STRING. A description of how these relationships were derived.
说明零或更多。ML_字符串。这些关系是如何派生的描述。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The RelatedActivity class MUST have at least one instance of any of the following child classes: IncidentID, URL, ThreatActor, Campaign, Description, or AdditionalData.
RelatedActivity类必须至少具有以下任何子类的一个实例:IncidentID、URL、ThreatActor、Campaign、Description或AdditionalData。
The attributes of the RelatedActivity class are:
RelatedActivity类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The ThreatActor class describes a threat actor.
ThreatActor类描述威胁参与者。
+------------------------+
| ThreatActor |
+------------------------+
| ENUM restriction |<>--{0..*}--[ ThreatActorID ]
| STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| ThreatActor |
+------------------------+
| ENUM restriction |<>--{0..*}--[ ThreatActorID ]
| STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 10: The ThreatActor Class
图10:ThreatActor类
The aggregate classes of the ThreatActor class are:
ThreatActor类的聚合类为:
ThreatActorID Zero or more. STRING. An identifier for the threat actor.
ThreatActorID为零或更多。一串威胁参与者的标识符。
URL Zero or more. URL. A URL to a reference describing the threat actor.
URL为零或更多。网址。描述威胁参与者的引用的URL。
Description Zero or more. ML_STRING. A description of the threat actor.
说明零或更多。ML_字符串。对威胁行为人的描述。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The ThreatActor class MUST have at least one instance of a child class.
ThreatActor类必须至少有一个子类的实例。
The attributes of the ThreatActor class are:
ThreatActor类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The Campaign class describes a campaign of attacks by a threat actor.
Campaign类描述威胁参与者的攻击活动。
+------------------------+
| Campaign |
+------------------------+
| ENUM restriction |<>--{0..*}--[ CampaignID ]
| STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| Campaign |
+------------------------+
| ENUM restriction |<>--{0..*}--[ CampaignID ]
| STRING ext-restriction |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 11: The Campaign Class
图11:Campaign类
The aggregate classes of the Campaign class are:
活动类的聚合类为:
CampaignID Zero or more. STRING. An identifier for the campaign.
活动ID为零或更多。一串活动的标识符。
URL Zero or more. URL. A URL to a reference describing the campaign.
URL为零或更多。网址。描述活动的引用的URL。
Description Zero or more. ML_STRING. A description of the campaign.
说明零或更多。ML_字符串。对竞选活动的描述。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The Campaign class MUST have at least one instance of a child class.
活动类必须至少有一个子类的实例。
The attributes of the Campaign class are:
Campaign类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident.
Contact类描述了参与事件的组织和人员的联系信息。此类允许命名相关方,指定他们的联系信息,并确定他们在事件中的角色。
People and organizations are treated interchangeably as contacts; one can be associated with the other using the recursive definition of the class (the Contact class is aggregated into the Contact class). The type attribute disambiguates the type of contact information being provided.
人们和组织可以互换地被视为联系人;一个可以使用类的递归定义与另一个相关联(Contact类聚合到Contact类中)。type属性消除了所提供联系信息类型的歧义。
The recursive definition of Contact provides a way to relate information without requiring the explicit use of identifiers or duplication of data. A complete point of contact is derived by a particular traversal from the root Contact class to the leaf Contact class. Each child Contact class logically inherits contact information from its ancestors.
联系人的递归定义提供了一种关联信息的方法,无需明确使用标识符或重复数据。通过从根接触类到叶接触类的特定遍历,可以导出完整的接触点。每个子联系人类从逻辑上继承其祖先的联系人信息。
+------------------------+
| Contact |
+------------------------+
| ENUM role |<>--{0..*}--[ ContactName ]
| STRING ext-role |<>--{0..*}--[ ContactTitle ]
| ENUM type |<>--{0..*}--[ Description ]
| STRING ext-type |<>--{0..*}--[ RegistryHandle ]
| ENUM restriction |<>--{0..*}--[ PostalAddress ]
| STRING ext-restriction |<>--{0..*}--[ Email ]
| |<>--{0..*}--[ Telephone ]
| |<>--{0..1}--[ Timezone ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| Contact |
+------------------------+
| ENUM role |<>--{0..*}--[ ContactName ]
| STRING ext-role |<>--{0..*}--[ ContactTitle ]
| ENUM type |<>--{0..*}--[ Description ]
| STRING ext-type |<>--{0..*}--[ RegistryHandle ]
| ENUM restriction |<>--{0..*}--[ PostalAddress ]
| STRING ext-restriction |<>--{0..*}--[ Email ]
| |<>--{0..*}--[ Telephone ]
| |<>--{0..1}--[ Timezone ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 12: The Contact Class
图12:Contact类
The aggregate classes of the Contact class are:
Contact类别的聚合类别为:
ContactName Zero or more. ML_STRING. The name of the contact. The contact may either be an organization or a person. The type attribute disambiguates the semantics.
ContactName为零或更多。ML_字符串。联系人的姓名。联系人可以是组织或个人。type属性消除了语义的歧义。
ContactTitle Zero or more. ML_STRING. The title for the individual named in the ContactName.
ContactTitle零或更多。ML_字符串。ContactName中指定的个人的标题。
Description Zero or more. ML_STRING. A free-form text description of the contact.
说明零或更多。ML_字符串。联系人的自由格式文本描述。
RegistryHandle Zero or more. A handle name into the registry of the contact. See Section 3.9.1.
注册表句柄为零或更多。联系人注册表中的句柄名称。见第3.9.1节。
PostalAddress Zero or more. The postal address of the contact. See Section 3.9.2.
邮资为零或更多。联系人的邮政地址。见第3.9.2节。
Email Zero or more. The email address of the contact. See Section 3.9.3.
零封或多封电子邮件。联系人的电子邮件地址。见第3.9.3节。
Telephone Zero or more. The telephone number of the contact. See Section 3.9.4.
电话零或更多。联系人的电话号码。见第3.9.4节。
Timezone Zero or one. TIMEZONE. The timezone in which the contact resides.
时区0或1。时区。联系人所在的时区。
Contact Zero or more. A recursive definition of the Contact class. This definition can be used to group common data pertaining to multiple points of contact and is especially useful when listing multiple contacts at the same organization.
联系零或更多。Contact类的递归定义。此定义可用于对与多个联系人相关的公共数据进行分组,在列出同一组织中的多个联系人时尤其有用。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
At least one of the aggregate classes MUST be present in an instance of the Contact class.
Contact类的实例中必须至少存在一个聚合类。
The attributes of the Contact class are:
Contact类的属性包括:
role Required. ENUM. Indicates the role the contact fulfills. These values are maintained in the "Contact-role" IANA registry per Section 10.2.
角色要求。枚举。指示联系人履行的角色。根据第10.2节,这些值保存在“联系人角色”IANA注册表中。
1. creator. The entity that generates the document.
1. 造物主。生成文档的实体。
2. reporter. The entity that reported the information.
2. 记者报告信息的实体。
3. admin. An administrative contact or business owner for an asset or organization.
3. 管理资产或组织的管理联系人或业务所有者。
4. tech. An entity responsible for the day-to-day management of technical issues for an asset or organization.
4. 技术。负责资产或组织技术问题日常管理的实体。
5. provider. An external hosting provider for an asset.
5. 供应商。资产的外部托管提供程序。
6. user. An end-user of an asset or part of an organization.
6. 使用者资产或组织部分的最终用户。
7. billing. An entity responsible for billing issues for an asset or organization.
7. 演员表负责资产或组织账单问题的实体。
8. legal. An entity responsible for legal issues related to an asset or organization.
8. 合法的负责与资产或组织相关的法律问题的实体。
9. irt. An entity responsible for handling security issues for an asset or organization.
9. irt。负责处理资产或组织安全问题的实体。
10. abuse. An entity responsible for handling abuse originating from an asset or organization.
10. 滥用负责处理源自资产或组织的滥用行为的实体。
11. cc. An entity that is to be kept informed about the events related to an asset or organization.
11. 复写的副本。与资产或组织相关的事件将被告知的实体。
12. cc-irt. A CSIRT or information-sharing organization coordinating activity related to an asset or organization.
12. cc irt。协调资产或组织相关活动的CSIRT或信息共享组织。
13. leo. A law enforcement organization supporting the investigation of activity affecting an asset or organization.
13. 狮子座。支持调查影响资产或组织的活动的执法组织。
14. vendor. The vendor that produces an asset.
14. 小贩生产资产的供应商。
15. vendor-support. A vendor that provides services.
15. 供应商支持。提供服务的供应商。
16. victim. A victim in the incident.
16. 受害者事件中的受害者。
17. victim-notified. A victim in the incident who has been notified.
17. 已通知受害者。事件中已被通知的受害者。
18. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
18. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-role Optional. STRING. A means by which to extend the role attribute. See Section 5.1.1.
ext角色可选。一串扩展角色属性的方法。见第5.1.1节。
type Required. ENUM. Indicates the type of contact being described. This attribute is defined as an enumerated list. These values are maintained in the "Contact-type" IANA registry per Section 10.2.
所需类型。枚举。指示正在描述的触点类型。此属性定义为枚举列表。根据第10.2节,这些值保存在“联系人类型”IANA注册表中。
1. person. The information for this contact references an individual.
1. 人此联系人的信息引用个人。
2. organization. The information for this contact references an organization.
2. 组织此联系人的信息引用了一个组织。
3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
3. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The RegistryHandle class represents a handle into an Internet registry or community-specific database.
RegistryHandle类表示Internet注册表或社区特定数据库的句柄。
+---------------------+
| RegistryHandle |
+---------------------+
| STRING |
| |
| ENUM registry |
| STRING ext-registry |
+---------------------+
+---------------------+
| RegistryHandle |
+---------------------+
| STRING |
| |
| ENUM registry |
| STRING ext-registry |
+---------------------+
Figure 13: The RegistryHandle Class
图13:RegistryHandle类
The content of the class is a handle into a registry of type STRING.
类的内容是字符串类型注册表的句柄。
The attributes of the RegistryHandle class are:
RegistryHandle类的属性包括:
registry Required. ENUM. The database to which the handle belongs. These values are maintained in the "RegistryHandle-registry" IANA registry per Section 10.2. The possible values are:
需要注册。枚举。句柄所属的数据库。根据第10.2节,这些值保存在“RegistryHandle注册表”IANA注册表中。可能的值为:
1. internic. Internet Network Information Center
1. 国际。互联网信息中心
2. apnic. Asia Pacific Network Information Center
2. 呼吸暂停。亚太网络信息中心
3. arin. American Registry for Internet Numbers
3. 阿林。注册中心
4. lacnic. Latin American and Caribbean Internet Addresses Registry
4. 拉尼克。拉丁美洲和加勒比因特网地址登记处
5. ripe. Reseaux IP Europeens
5. 成熟的欧洲研究
6. afrinic. African Network Information Center
6. 非洲的。非洲网络信息中心
7. local. A database local to the CSIRT
7. 地方的CSIRT的本地数据库
8. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
8. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-registry Optional. STRING. A means by which to extend the registry attribute. See Section 5.1.1.
ext注册表可选。一串扩展注册表属性的方法。见第5.1.1节。
The PostalAddress class specifies a postal address and associated annotation.
PostalAddress类指定邮政地址和关联的批注。
+--------------------+
| PostalAddress |
+--------------------+
| ENUM type |<>----------[ PAddress ]
| STRING ext-type |<>--{0..*}--[ Description ]
+--------------------+
+--------------------+
| PostalAddress |
+--------------------+
| ENUM type |<>----------[ PAddress ]
| STRING ext-type |<>--{0..*}--[ Description ]
+--------------------+
Figure 14: The PostalAddress Class
图14:PostalAddress类
The aggregate classes of the PostalAddress class are:
邮资类别的合计类别为:
PAddress One. POSTAL. A postal address.
一号围裙。邮政。邮政地址。
Description Zero or more. ML_STRING. A free-form text description of the address.
说明零或更多。ML_字符串。地址的自由格式文本描述。
The attributes of the PostalAddress class are:
PostLadAddress类的属性包括:
type Optional. ENUM. Categorizes the type of address described in the PAddress class. These values are maintained in the "PostalAddress-type" IANA registry per Section 10.2.
类型可选。枚举。对PAddress类中描述的地址类型进行分类。根据第10.2节,这些值保存在“PostalAddress类型”IANA注册表中。
1. street. An address describing a physical location.
1. 大街描述物理位置的地址。
2. mailing. An address to which correspondence should be sent.
2. 邮寄。通信应该发送到的地址。
3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
3. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
The Email class specifies an email address and associated annotation.
电子邮件类指定电子邮件地址和关联的批注。
+--------------------+
| Email |
+--------------------+
| ENUM type |<>----------[ EmailTo ]
| STRING ext-type |<>--{0..*}--[ Description ]
+--------------------+
+--------------------+
| Email |
+--------------------+
| ENUM type |<>----------[ EmailTo ]
| STRING ext-type |<>--{0..*}--[ Description ]
+--------------------+
Figure 15: The Email Class
图15:Email类
The aggregate classes of the Email class are:
电子邮件类的聚合类为:
EmailTo One. EMAIL. An email address.
给一个发电子邮件。电子邮件电子邮件地址。
Description Zero or more. ML_STRING. A free-form text description of the email address.
说明零或更多。ML_字符串。电子邮件地址的自由格式文本描述。
The attributes of the Email class are:
电子邮件类的属性包括:
type Optional. ENUM. Categorizes the type of email address described in the EmailTo class. These values are maintained in the "Email-type" IANA registry per Section 10.2.
类型可选。枚举。对EmailTo类中描述的电子邮件地址类型进行分类。根据第10.2节,这些值保存在“电子邮件类型”IANA注册表中。
1. direct. An email address of an individual.
1. 直接的个人的电子邮件地址。
2. hotline. An email address regularly monitored for operational purposes.
2. 热线电话为操作目的而定期监控的电子邮件地址。
3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
3. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
The Telephone class describes a telephone number and associated annotation.
电话类描述电话号码和相关注释。
+--------------------+
| Telephone |
+--------------------+
| ENUM type |<>----------[ TelephoneNumber ]
| STRING ext-type |<>--{0..*}--[ Description ]
+--------------------+
+--------------------+
| Telephone |
+--------------------+
| ENUM type |<>----------[ TelephoneNumber ]
| STRING ext-type |<>--{0..*}--[ Description ]
+--------------------+
Figure 16: The Telephone Class
图16:电话类
The aggregate classes of the Telephone class are:
电话类的聚合类为:
TelephoneNumber One. PHONE. A telephone number.
一号电话。电话电话号码。
Description Zero or more. ML_STRING. A free-form text description of the phone number.
说明零或更多。ML_字符串。电话号码的自由格式文本说明。
The attributes of the Telephone class are:
电话类的属性包括:
type Optional. ENUM. Categorizes the type of telephone number described in the TelephoneNumber class. These values are maintained in the "Telephone-type" IANA registry per Section 10.2.
类型可选。枚举。对电话号码类中描述的电话号码类型进行分类。根据第10.2节,这些值保存在“电话类型”IANA注册表中。
1. wired. A number of a wire-line (land-line) phone.
1. 有线。有线(陆地线)电话的号码。
2. mobile. A number of a mobile phone.
2. 可移动的移动电话的号码。
3. fax. A number to a fax machine.
3. 传真传真机的号码。
4. hotline. A number to a regularly monitored operational hotline.
4. 热线电话定期监控运营热线的号码。
5. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
5. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
The Discovery class describes how an incident was detected.
发现类描述如何检测事件。
+------------------------+
| Discovery |
+------------------------+
| ENUM source |<>--{0..*}--[ Description ]
| STRING ext-source |<>--{0..*}--[ Contact ]
| ENUM restriction |<>--{0..*}--[ DetectionPattern ]
| STRING ext-restriction |
+------------------------+
+------------------------+
| Discovery |
+------------------------+
| ENUM source |<>--{0..*}--[ Description ]
| STRING ext-source |<>--{0..*}--[ Contact ]
| ENUM restriction |<>--{0..*}--[ DetectionPattern ]
| STRING ext-restriction |
+------------------------+
Figure 17: The Discovery Class
图17:发现类
The aggregate classes of the Discovery class are:
发现类的聚合类包括:
Description Zero or more. ML_STRING. A free-form text description of how this incident was detected.
说明零或更多。ML_字符串。关于如何检测此事件的自由格式文本描述。
Contact Zero or more. Contact information for the party that discovered the incident. See Section 3.9.
联系零或更多。事件发现方的联系信息。见第3.9节。
DetectionPattern Zero or more. Describes an application-specific configuration that detected the incident. See Section 3.10.1.
检测模式为零或更多。描述检测到事件的特定于应用程序的配置。见第3.10.1节。
The attributes of the Discovery class are:
发现类的属性包括:
source Optional. ENUM. Categorizes the techniques used to discover the incident. These values are partially derived from Table 3-1 of [NIST800.61rev2]. These values are maintained in the "Discovery-source" IANA registry per Section 10.2.
源可选。枚举。对用于发现事件的技术进行分类。这些值部分源自[NIST800.61rev2]的表3-1。根据第10.2节,这些值保存在“发现源”IANA注册表中。
1. nidps. Network Intrusion Detection or Prevention System.
1. nidps。网络入侵检测或预防系统。
2. hips. Host-based Intrusion Prevention System.
2. 臀部。基于主机的入侵防御系统。
3. siem. Security Information and Event Management System.
3. 暹罗。安全信息和事件管理系统。
4. av. Antivirus or antispam software.
4. av。防病毒或反垃圾邮件软件。
5. third-party-monitoring. Contracted third-party monitoring service.
5. 第三方监测。签约的第三方监控服务。
6. incident. The activity was discovered while investigating an unrelated incident.
6. 发生的事情该活动是在调查一个无关事件时发现的。
7. os-log. Operating system logs.
7. 操作系统日志。操作系统日志。
8. application-log. Application logs.
8. 应用程序日志。应用程序日志。
9. device-log. Network device logs.
9. 设备日志。网络设备日志。
10. network-flow. Network flow analysis.
10. 网络流量。网络流分析。
11. passive-dns. Passive DNS analysis.
11. 被动dns。被动DNS分析。
12. investigation. Manual investigation initiated based on notification of a new vulnerability or exploit.
12. 调查根据新漏洞或漏洞的通知启动手动调查。
13. audit. Security audit.
13. 审计安全审计。
14. internal-notification. A party within the organization reported the activity.
14. 内部通知。该组织内的一个缔约方报告了该活动。
15. external-notification. A party outside of the organization reported the activity.
15. 外部通知。该组织以外的一方报告了该活动。
16. leo. A law enforcement organization notified the victim organization.
16. 狮子座。一个执法组织通知了受害者组织。
17. partner. A customer or business partner reported the activity to the victim organization.
17. 配偶客户或业务合作伙伴向受害组织报告了该活动。
18. actor. The threat actor directly or indirectly reported this activity to the victim organization.
18. 演员威胁行为人直接或间接向受害者组织报告了这一活动。
19. unknown. Unknown detection approach.
19. 未知的未知检测方法。
20. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
20. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-source Optional. STRING. A means by which to extend the source attribute. See Section 5.1.1.
ext源代码可选。一串扩展源属性的方法。见第5.1.1节。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The DetectionPattern class describes a configuration or signature that can be used by an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS), SIEM, antivirus, endpoint protection, network analysis, malware analysis, or host forensics tool to identify a particular phenomenon. This class requires the identification of the target application and allows the configuration to be described in either free form or machine-readable form.
DetectionPattern类描述入侵检测系统(IDS)/入侵预防系统(IPS)、SIEM、防病毒、端点保护、网络分析、恶意软件分析或主机取证工具可用于识别特定现象的配置或签名。此类需要识别目标应用程序,并允许以自由形式或机器可读形式描述配置。
+------------------------+
| DetectionPattern |
+------------------------+
| ENUM restriction |<>----------[ Application ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..*}--[ DetectionConfiguration ]
+------------------------+
+------------------------+
| DetectionPattern |
+------------------------+
| ENUM restriction |<>----------[ Application ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..*}--[ DetectionConfiguration ]
+------------------------+
Figure 18: The DetectionPattern Class
图18:DetectionPattern类
The aggregate classes of the DetectionPattern class are:
DetectionPattern类的聚合类为:
Application One. SOFTWARE. The application for which the DetectionConfiguration or Description is being provided.
应用程序一。软件为其提供检测配置或描述的应用程序。
Description Zero or more. ML_STRING. A free-form text description of how to use the information provided in the Application or DetectionConfiguration classes.
说明零或更多。ML_字符串。关于如何使用Application或DetectionConfiguration类中提供的信息的自由格式文本说明。
DetectionConfiguration Zero or more. STRING. A machine-consumable configuration to find a pattern of activity.
检测配置为零或更多。一串用于查找活动模式的机器耗材配置。
An instance of either the Description or DetectionConfiguration class MUST be present.
必须存在Description或DetectionConfiguration类的实例。
The attributes of the DetectionPattern class are:
DetectionPattern类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Method class describes the tactics, techniques, procedures, or weakness used by the threat actor in an incident. This class consists of both a list of references describing the attack methods and weaknesses and a free-form text description.
Method类描述威胁参与者在事件中使用的战术、技术、过程或弱点。此类由描述攻击方法和弱点的引用列表和自由格式的文本描述组成。
+------------------------+
| Method |
+------------------------+
| ENUM restriction |<>--{0..*}--[ Reference ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ sci:AttackPattern ]
| |<>--{0..*}--[ sci:Vulnerability ]
| |<>--{0..*}--[ sci:Weakness ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| Method |
+------------------------+
| ENUM restriction |<>--{0..*}--[ Reference ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ sci:AttackPattern ]
| |<>--{0..*}--[ sci:Vulnerability ]
| |<>--{0..*}--[ sci:Weakness ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 19: The Method Class
图19:方法类
The aggregate classes of the Method class are:
方法类的聚合类为:
Reference Zero or more. A reference to a vulnerability, malware sample, advisory, or analysis of an attack technique. See Section 3.11.1.
参考零或更多。对攻击技术的漏洞、恶意软件样本、建议或分析的引用。见第3.11.1节。
Description Zero or more. ML_STRING. A free-form text description of techniques, tactics, or procedures used by the threat actor.
说明零或更多。ML_字符串。威胁行为人使用的技术、战术或程序的自由形式文本描述。
sci:AttackPattern Zero or more. A reference to a pattern of attack or exploitation per [RFC7203].
sci:攻击模式为零或更多。根据[RFC7203]对攻击或利用模式的引用。
sci:Vulnerability Zero or more. A reference to a vulnerability per [RFC7203].
sci:漏洞为零或更多。根据[RFC7203]对漏洞的引用。
sci:Weakness Zero or more. A reference to the exploited weakness per [RFC7203].
sci:弱点为零或更多。根据[RFC7203]对被利用弱点的引用。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
An instance of one of these children MUST be present.
必须存在其中一个孩子的实例。
The attributes of the Method class are:
方法类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The Reference class is an external reference to relevant information such as a vulnerability, IDS alert, malware sample, advisory, or attack technique.
Reference类是对相关信息的外部引用,如漏洞、IDS警报、恶意软件样本、建议或攻击技术。
+-------------------------+
| Reference |
+-------------------------+
| ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+-------------------------+
+-------------------------+
| Reference |
+-------------------------+
| ID observable-id |<>--{0..1}--[ enum:ReferenceName ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+-------------------------+
Figure 20: The Reference Class
图20:参考类
The aggregate classes of the Reference class are:
参考类的聚合类为:
enum:ReferenceName Zero or one. Reference identifier per [RFC7495].
枚举:引用名称为零或一。参考标识符符合[RFC7495]。
URL Zero or more. URL. A URL to a reference.
URL为零或更多。网址。指向引用的URL。
Description Zero or more. ML_STRING. A free-form text description of this reference.
说明零或更多。ML_字符串。此引用的自由格式文本描述。
At least one of these classes MUST be present.
这些类中必须至少有一个存在。
The attribute of the Reference class is:
引用类的属性是:
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Assessment class describes the repercussions of the incident to the victim.
评估课程描述了事件对受害者的影响。
+-------------------------+
| Assessment |
+-------------------------+
| ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
| ENUM restriction |<>--{0..*}--[ SystemImpact ]
| STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
| ID observable-id |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ IntendedImpact ]
| |<>--{0..*}--[ Counter ]
| |<>--{0..*}--[ MitigatingFactor ]
| |<>--{0..*}--[ Cause ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
+-------------------------+
| Assessment |
+-------------------------+
| ENUM occurrence |<>--{0..*}--[ IncidentCategory ]
| ENUM restriction |<>--{0..*}--[ SystemImpact ]
| STRING ext-restriction |<>--{0..*}--[ BusinessImpact ]
| ID observable-id |<>--{0..*}--[ TimeImpact ]
| |<>--{0..*}--[ MonetaryImpact ]
| |<>--{0..*}--[ IntendedImpact ]
| |<>--{0..*}--[ Counter ]
| |<>--{0..*}--[ MitigatingFactor ]
| |<>--{0..*}--[ Cause ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
Figure 21: The Assessment Class
图21:评估类
The aggregate classes of the Assessment class are:
评估类别的合计类别为:
IncidentCategory Zero or more. ML_STRING. A free-form text description categorizing the type of incident.
意外类别零或更多。ML_字符串。对事件类型进行分类的自由格式文本描述。
SystemImpact Zero or more. A technical characterization of the impact of the incident activity on the victim's enterprise. See Section 3.12.1.
系统影响为零或更多。事件活动对受害者企业影响的技术特征。见第3.12.1节。
BusinessImpact Zero or more. Impact of the incident activity on the business functions of the victim organization. See Section 3.12.2.
业务影响为零或更多。事件活动对受害者组织业务职能的影响。见第3.12.2节。
TimeImpact Zero or more. A characterization of the victim organization due to the incident activity as a function of time. See Section 3.12.3.
时间影响为零或更多。事件活动导致的受害者组织的特征,作为时间的函数。见第3.12.3节。
MonetaryImpact Zero or more. The financial loss due to the incident activity. See Section 3.12.4.
货币影响为零或更多。事件活动造成的财务损失。见第3.12.4节。
IntendedImpact Zero or more. The intended outcome to the victim sought by the threat actor. Defined identically to the BusinessImpact defined in Section 3.12.2 but describes intent rather than the realized impact.
预期影响为零或更多。威胁行为人向被害人寻求的预期结果。定义与第3.12.2节中定义的业务影响相同,但描述的是意图而非已实现的影响。
Counter Zero or more. A counter with which to summarize the magnitude of the activity. See Section 3.18.3.
计数器为零或更多。一种计数器,用于汇总活动的大小。见第3.18.3节。
MitigatingFactor Zero or more. ML_STRING. A description of a mitigating factor relative to the impact on the victim organization.
缓解因子为零或更多。ML_字符串。与对受害者组织的影响相关的缓解因素说明。
Cause Zero or more. ML_STRING. A description of an underlying cause of the impact.
导致零或更多。ML_字符串。对影响的根本原因的描述。
Confidence Zero or one. An estimate of confidence in the impact assessment. See Section 3.12.5.
信心0或1。对影响评估的信心估计。见第3.12.5节。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
At least one instance of the possible five impact classes (i.e., SystemImpact, BusinessImpact, TimeImpact, MonetaryImpact, or IntendedImpact) MUST be present.
可能的五种影响类别(即系统影响、业务影响、时间影响、货币影响或预期影响)必须至少存在一个实例。
The attributes of the Assessment class are:
评估类的属性包括:
occurrence Optional. ENUM. Specifies whether the assessment is describing actual or potential outcomes.
事件发生是可选的。枚举。指定评估是描述实际结果还是潜在结果。
1. actual. This assessment describes activity that has occurred.
1. 真实的此评估描述了已发生的活动。
2. potential. This assessment describes potential activity that might occur.
2. 潜在的此评估描述了可能发生的潜在活动。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The SystemImpact class describes the technical impact of the incident to the systems on the network.
SystemImpact类描述了事件对网络系统的技术影响。
+-----------------------+
| SystemImpact |
+-----------------------+
| ENUM severity |<>--{0..*}--[ Description ]
| ENUM completion |
| ENUM type |
| STRING ext-type |
+-----------------------+
+-----------------------+
| SystemImpact |
+-----------------------+
| ENUM severity |<>--{0..*}--[ Description ]
| ENUM completion |
| ENUM type |
| STRING ext-type |
+-----------------------+
Figure 22: The SystemImpact Class
图22:SystemImpact类
The aggregate class of the SystemImpact class is:
SystemImpact类别的聚合类别为:
Description Zero or more. ML_STRING. A free-form text description of the impact to the system.
说明零或更多。ML_字符串。对系统影响的自由格式文本描述。
The attributes of the SystemImpact class are:
SystemImpact类的属性包括:
severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
严重性可选。枚举。对活动相对严重性的估计。允许值如下所示。没有默认值。
1. low. Low severity
1. 低的低严重性
2. medium. Medium severity
2. 中等的中等严重程度
3. high. High severity
3. 高的高严重性
completion Optional. ENUM. An indication whether the described activity was successful. The permitted values are shown below. There is no default value.
完成可选。枚举。指示所述活动是否成功。允许值如下所示。没有默认值。
1. failed. The attempted activity was not successful.
1. 失败。尝试的活动未成功。
2. succeeded. The attempted activity succeeded.
2. 成功。尝试的活动成功。
type Required. ENUM. Classifies the impact. The permitted values are shown below. The default value is "unknown". These values are maintained in the "SystemImpact-type" IANA registry per Section 10.2.
所需类型。枚举。对影响进行分类。允许值如下所示。默认值为“未知”。根据第10.2节,这些值保存在“系统影响类型”IANA注册表中。
1. takeover-account. Control was taken of a given account.
1. 接管账户。对给定的帐户进行控制。
2. takeover-service. Control was taken of a given service.
2. 接管服务。对给定服务进行了控制。
3. takeover-system. Control was taken of a given system.
3. 接管制度。对给定系统进行控制。
4. cps-manipulation. A cyber-physical system was manipulated.
4. cps操作。操纵了一个网络物理系统。
5. cps-damage. A cyber-physical system was damaged.
5. cps损坏。一个网络物理系统遭到破坏。
6. availability-data. Access to particular data was degraded or denied.
6. 可用性数据。对特定数据的访问被降级或拒绝。
7. availability-account. Access to an account was degraded or denied.
7. 可用性帐户。对帐户的访问被降级或拒绝。
8. availability-service. Access to a service was degraded or denied.
8. 可用性服务。对服务的访问被降级或拒绝。
9. availability-system. Access to a system was degraded or denied.
9. 可用性系统。对系统的访问被降级或拒绝。
10. damaged-system. Hardware on a system was irreparably damaged.
10. 系统损坏。系统上的硬件遭到了无法修复的损坏。
11. damaged-data. Data on a system was deleted.
11. 损坏的数据。已删除系统上的数据。
12. breach-proprietary. Sensitive or proprietary information was accessed or exfiltrated.
12. 违反所有权。敏感或专有信息被访问或过滤。
13. breach-privacy. Personally identifiable information was accessed or exfiltrated.
13. 侵犯隐私。已访问或过滤个人身份信息。
14. breach-credential. Credential information was accessed or exfiltrated.
14. 违反凭证。已访问或过滤凭据信息。
15. breach-configuration. System configuration or data inventory was access or exfiltrated.
15. 破坏配置。系统配置或数据清单已被访问或过滤。
16. integrity-data. Data on the system was modified.
16. 完整性数据。修改了系统上的数据。
17. integrity-configuration. Application or system configuration was modified.
17. 完整性配置。已修改应用程序或系统配置。
18. integrity-hardware. Firmware of a hardware component was modified.
18. 完整性硬件。硬件组件的固件已修改。
19. traffic-redirection. Network traffic on the system was redirected
19. 流量重定向。系统上的网络流量已重定向
20. monitoring-traffic. Network traffic emerging from a host or enclave was monitored.
20. 监控流量。对从主机或飞地出现的网络流量进行了监控。
21. monitoring-host. System activity (e.g., running processes, keystrokes) were monitored.
21. 监控主机。监控系统活动(例如,运行过程、击键)。
22. policy. Activity violated the system owner's acceptable use policy.
22. 政策活动违反了系统所有者的可接受使用策略。
23. unknown. The impact is unknown.
23. 未知的影响不得而知。
24. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
24. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
The BusinessImpact class describes and characterizes the degree to which the function of the organization was impacted by the incident.
BusinessImpact类描述和描述了事件对组织职能的影响程度。
+-------------------------+
| BusinessImpact |
+-------------------------+
| ENUM severity |<>--{0..*}--[ Description ]
| STRING ext-severity |
| ENUM type |
| STRING ext-type |
+-------------------------+
+-------------------------+
| BusinessImpact |
+-------------------------+
| ENUM severity |<>--{0..*}--[ Description ]
| STRING ext-severity |
| ENUM type |
| STRING ext-type |
+-------------------------+
Figure 23: The BusinessImpact Class
图23:BusinessImpact类
The aggregate class of the BusinessImpact class is:
BusinessImpact类的聚合类为:
Description Zero or more. ML_STRING. A free-form text description of the impact to the organization.
说明零或更多。ML_字符串。对组织影响的自由形式文本描述。
The attributes of the BusinessImpact class are:
BusinessImpact类的属性包括:
severity Optional. ENUM. Characterizes the severity of the incident on business functions. The permitted values are shown below. They were derived from Table 3-2 of [NIST800.61rev2]. The default value is "unknown". These values are maintained in the "BusinessImpact-severity" IANA registry per Section 10.2.
严重性可选。枚举。描述业务职能部门事件的严重性。允许值如下所示。它们来源于[NIST800.61rev2]的表3-2。默认值为“未知”。根据第10.2节,这些值保存在“BusinessImpact severity”IANA注册表中。
1. none. No effect to the organization's ability to provide all services to all users.
1. 没有一个不影响组织向所有用户提供所有服务的能力。
2. low. Minimal effect as the organization can still provide all critical services to all users but has lost efficiency.
2. 低的影响最小,因为该组织仍然可以向所有用户提供所有关键服务,但已失去效率。
3. medium. The organization has lost the ability to provide a critical service to a subset of system users.
3. 中等的组织已失去向系统用户子集提供关键服务的能力。
4. high. The organization is no longer able to provide some critical services to any users.
4. 高的该组织不再能够向任何用户提供某些关键服务。
5. unknown. The impact is not known.
5. 未知的影响不得而知。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-severity Optional. STRING. A means by which to extend the severity attribute. See Section 5.1.1.
外部严重性可选。一串扩展严重性属性的方法。见第5.1.1节。
type Required. ENUM. Characterizes the effect this incident had on the business. The permitted values are shown below. The default value is "unknown". These values are maintained in the "BusinessImpact-type" IANA registry per Section 10.2.
所需类型。枚举。描述了该事件对业务的影响。允许值如下所示。默认值为“未知”。根据第10.2节,这些值保存在“BusinessImpact type”IANA注册表中。
1. breach-proprietary. Sensitive or proprietary information was accessed or exfiltrated.
1. 违反所有权。敏感或专有信息被访问或过滤。
2. breach-privacy. Personally identifiable information was accessed or exfiltrated.
2. 侵犯隐私。已访问或过滤个人身份信息。
3. breach-credential. Credential information was accessed or exfiltrated.
3. 违反凭证。已访问或过滤凭据信息。
4. loss-of-integrity. Sensitive or proprietary information was changed or deleted.
4. 诚信缺失。敏感或专有信息已更改或删除。
5. loss-of-service. Service delivery was disrupted.
5. 失去服务。服务中断。
6. theft-financial. Money was stolen.
6. 金融盗窃。钱被偷了。
7. theft-service. Services were misappropriated.
7. 盗窃服务。服务被挪用。
8. degraded-reputation. The reputation of the organization's brand was diminished.
8. 名誉受损。该组织品牌的声誉降低了。
9. asset-damage. A cyber-physical system was damaged.
9. 资产损失。一个网络物理系统遭到破坏。
10. asset-manipulation. A cyber-physical system was manipulated.
10. 资产操纵。操纵了一个网络物理系统。
11. legal. The incident resulted in legal or regulatory action.
11. 合法的该事件导致了法律或监管行动。
12. extortion. The incident resulted in actors extorting the victim organization.
12. 勒索。这一事件导致演员勒索受害者组织。
13. unknown. The impact is unknown.
13. 未知的影响不得而知。
14. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
14. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time.
TimeImpact类将事件对组织的影响描述为时间的函数。它提供了一种传递停机时间和恢复时间的方法。
+---------------------+
| TimeImpact |
+---------------------+
| REAL |
| |
| ENUM severity |
| ENUM metric |
| STRING ext-metric |
| ENUM duration |
| STRING ext-duration |
+---------------------+
+---------------------+
| TimeImpact |
+---------------------+
| REAL |
| |
| ENUM severity |
| ENUM metric |
| STRING ext-metric |
| ENUM duration |
| STRING ext-duration |
+---------------------+
Figure 24: The TimeImpact Class
图24:TimeImpact类
The content of the class is of type REAL and specifies an amount of time. The duration attribute provides units for this content, and the metric attribute explains what this content is measuring.
类的内容是REAL类型,并指定了时间量。“持续时间”属性提供此内容的单位,“度量”属性解释此内容所测量的内容。
The attributes of the TimeImpact class are:
TimeImpact类的属性包括:
severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
严重性可选。枚举。对活动相对严重性的估计。允许值如下所示。没有默认值。
1. low. Low severity
1. 低的低严重性
2. medium. Medium severity
2. 中等的中等严重程度
3. high. High severity
3. 高的高严重性
metric Required. ENUM. Defines the meaning of the value in the element content. These values are maintained in the "TimeImpact-metric" IANA registry per Section 10.2.
公制要求。枚举。定义元素内容中值的含义。根据第10.2节,这些值保存在“时间影响度量”IANA注册表中。
1. labor. Total staff time to recovery from the activity (e.g., 2 employees working 4 hours each would be 8 hours).
1. 劳动员工从活动中恢复所需的总时间(例如,2名员工每人工作4小时将为8小时)。
2. elapsed. Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time).
2. 逝去。从恢复开始到恢复完成所用的时间(即挂钟时间)。
3. downtime. Duration of time for which some provided service(s) was not available.
3. 停工期某些提供的服务不可用的持续时间。
4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
4. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-metric Optional. STRING. A means by which to extend the metric attribute. See Section 5.1.1.
ext公制可选。一串扩展度量属性的方法。见第5.1.1节。
duration Optional. ENUM. Defines the unit of time for the value in the element content. The default value is "hour". These values are maintained in the "TimeImpact-duration" IANA registry per Section 10.2.
持续时间可选。枚举。定义元素内容中值的时间单位。默认值为“小时”。根据第10.2节,这些值保存在“时间影响持续时间”IANA注册表中。
1. second. The unit of the element content is seconds.
1. 第二元素内容的单位是秒。
2. minute. The unit of the element content is minutes.
2. 分钟元素内容的单位是分钟。
3. hour. The unit of the element content is hours.
3. 小时元素含量的单位为小时。
4. day. The unit of the element content is days.
4. 白天元素内容的单位为天。
5. month. The unit of the element content is months.
5. 月元素含量的单位为月。
6. quarter. The unit of the element content is quarters.
6. 一刻钟元素内容的单位是四分之一。
7. year. The unit of the element content is years.
7. 年元素含量的单位为年。
8. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
8. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-duration Optional. STRING. A means by which to extend the duration attribute. See Section 5.1.1.
ext持续时间可选。一串扩展持续时间属性的方法。见第5.1.1节。
The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished productivity of the staff, or a tarnished reputation that will affect future opportunities.
MonetaryImpact类描述活动对组织的财务影响。例如,这种影响可以考虑由于调查或恢复的成本、员工生产力的降低或影响未来机会的玷污声誉而造成的损失。
+------------------+
| MonetaryImpact |
+------------------+
| REAL |
| |
| ENUM severity |
| STRING currency |
+------------------+
+------------------+
| MonetaryImpact |
+------------------+
| REAL |
| |
| ENUM severity |
| STRING currency |
+------------------+
Figure 25: The MonetaryImpact Class
图25:货币影响类别
The content of the class is of type REAL and specifies a quantity of money. The currency attribute defines the currency of this value.
该类的内容是REAL类型,并指定货币数量。“货币”属性定义此值的货币。
The attributes of the MonetaryImpact class are:
MonetaryImpact类的属性包括:
severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
严重性可选。枚举。对活动相对严重性的估计。允许值如下所示。没有默认值。
1. low. Low severity
1. 低的低严重性
2. medium. Medium severity
2. 中等的中等严重程度
3. high. High severity
3. 高的高严重性
currency Optional. STRING. Defines the currency in which the value in the element content is expressed. The permitted values are defined in "Codes for the representation of currencies" [ISO4217]. There is no default value.
货币可选。一串定义表示元素内容中值的货币。允许值在“货币表示代码”[ISO4217]中定义。没有默认值。
The Confidence class represents an estimate of the validity and accuracy of data expressed in the document. This estimate can be expressed as a category or a numeric calculation.
置信度等级表示对文件中表示的数据的有效性和准确性的估计。该估算可以表示为类别或数值计算。
+-------------------+
| Confidence |
+-------------------+
| REAL |
| |
| ENUM rating |
| STRING ext-rating |
+-------------------+
+-------------------+
| Confidence |
+-------------------+
| REAL |
| |
| ENUM rating |
| STRING ext-rating |
+-------------------+
Figure 26: The Confidence Class
图26:置信度等级
The content of the class is of type REAL and specifies a numerical assessment in the confidence of the data when the value of the rating attribute is "numeric". Otherwise, this element MUST be empty.
该类的内容为REAL类型,当评级属性的值为“数值”时,指定数据置信度的数值评估。否则,此元素必须为空。
The attributes of the Confidence class are:
置信度等级的属性包括:
rating Required. ENUM. A qualitative assessment of confidence. These values are maintained in the "Confidence-rating" IANA registry per Section 10.2
评级要求。枚举。对信心的定性评估。根据第10.2节,这些值保存在“置信度评级”IANA注册表中
1. low. Low confidence.
1. 低的信心不足。
2. medium. Medium confidence.
2. 中等的中等自信。
3. high. High confidence.
3. 高的高度自信。
4. numeric. The element content contains a number that conveys the confidence of the data. The semantics of this number is outside the scope of this specification.
4. 数字的。元素内容包含一个表示数据可信度的数字。此数字的语义不在本规范的范围内。
5. unknown. The confidence rating value is not known.
5. 未知的置信度评级值未知。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-rating Optional. STRING. A means by which to extend the rating attribute. See Section 5.1.1.
外部评级可选。一串扩展分级属性的方法。见第5.1.1节。
The History class is a log of the significant events or actions performed by the involved parties during the course of handling the incident.
历史记录类是有关各方在处理事件过程中执行的重大事件或行动的日志。
The level of detail maintained in this log is left up to the discretion of those handling the incident.
本日志中维护的详细程度由事件处理人员自行决定。
+------------------------+
| History |
+------------------------+
| ENUM restriction |<>--{1..*}--[ HistoryItem ]
| STRING ext-restriction |
+------------------------+
+------------------------+
| History |
+------------------------+
| ENUM restriction |<>--{1..*}--[ HistoryItem ]
| STRING ext-restriction |
+------------------------+
Figure 27: The History Class
图27:历史课
The aggregate classes of the History class are:
历史类的聚合类包括:
HistoryItem One or more. An entry in the history log of significant events or actions performed by the involved parties. See Section 3.13.1.
一个或多个历史项目。相关方执行的重大事件或行动的历史记录。见第3.13.1节。
The attributes of the History class are:
历史类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The HistoryItem class is an entry in the History (Section 3.13) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form text description, but each can be categorized with the type attribute.
HistoryItem类是历史记录(第3.13节)日志中的一个条目,用于记录在处理事件过程中发生的特定操作或事件。条目的详细信息是一个自由格式的文本描述,但每个条目都可以使用type属性进行分类。
+-------------------------+
| HistoryItem |
+-------------------------+
| ENUM action |<>----------[ DateTime ]
| STRING ext-action |<>--{0..1}--[ IncidentID ]
| ENUM restriction |<>--{0..1}--[ Contact ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..*}--[ DefinedCOA ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
+-------------------------+
| HistoryItem |
+-------------------------+
| ENUM action |<>----------[ DateTime ]
| STRING ext-action |<>--{0..1}--[ IncidentID ]
| ENUM restriction |<>--{0..1}--[ Contact ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..*}--[ DefinedCOA ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
Figure 28: The HistoryItem Class
图28:HistoryItem类
The aggregate classes of the HistoryItem class are:
HistoryItem类的聚合类为:
DateTime One. DATETIME. A timestamp of this entry in the history log.
日期时间一号。日期时间。历史记录日志中此项的时间戳。
IncidentID Zero or one. In a history log created by multiple parties, the IncidentID provides a mechanism to specify which CSIRT created a particular entry and references this organization's tracking number. When a single organization is maintaining the log, this class can be ignored. See Section 3.4.
包括零或一。在多方创建的历史记录日志中,IncidentID提供了一种机制来指定哪个CSIRT创建了特定条目并引用了该组织的跟踪号。当单个组织维护日志时,可以忽略此类。见第3.4节。
Contact Zero or one. Provides contact information for the entity that performed the action documented in this class. See Section 3.9.
联系零或一。提供执行此类中记录的操作的实体的联系信息。见第3.9节。
Description Zero or more. ML_STRING. A free-form text description of the action or event.
说明零或更多。ML_字符串。对动作或事件的自由形式文本描述。
DefinedCOA Zero or more. STRING. An identifier meaningful to the sender and recipient of this document that references a course of action (COA). This class MUST be present if the action attribute is set to "defined-coa".
定义COA为零或更多。一串对本文件的发送者和接收者有意义的标识符,参考行动方案(COA)。如果action属性设置为“defined coa”,则此类必须存在。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The attributes of the HistoryItem class are:
HistoryItem类的属性包括:
action Required. ENUM. Classifies a performed action or occurrence documented in this history log entry. As activity will likely have been instigated either through a previously conveyed expectation or through an internal investigation, this attribute is identical to the action attribute of the Expectation class. The difference is only one of tense. When an action is in this class, it has been completed. See Section 3.15.
需要采取的行动。枚举。对记录在此历史记录条目中的已执行操作或事件进行分类。由于活动可能是通过先前传递的期望或通过内部调查发起的,因此此属性与期望类的action属性相同。区别只在于时态的不同。当某个操作在此类中时,该操作已完成。见第3.15节。
ext-action Optional. STRING. A means by which to extend the action attribute. See Section 5.1.1.
ext操作可选。一串扩展action属性的方法。见第5.1.1节。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The EventData class is a container class to organize data about events that occurred during an incident.
EventData类是一个容器类,用于组织有关事件期间发生的事件的数据。
+-------------------------+
| EventData |
+-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ]
| STRING ext-restriction |<>--{0..1}--[ DetectTime ]
| ID observable-id |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ RecoveryTime ]
| |<>--{0..1}--[ ReportTime ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ Discovery ]
| |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
+-------------------------+
| EventData |
+-------------------------+
| ENUM restriction |<>--{0..*}--[ Description ]
| STRING ext-restriction |<>--{0..1}--[ DetectTime ]
| ID observable-id |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ RecoveryTime ]
| |<>--{0..1}--[ ReportTime ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..*}--[ Discovery ]
| |<>--{0..1}--[ Assessment ]
| |<>--{0..*}--[ Method ]
| |<>--{0..*}--[ Flow ]
| |<>--{0..*}--[ Expectation ]
| |<>--{0..1}--[ Record ]
| |<>--{0..*}--[ EventData ]
| |<>--{0..*}--[ AdditionalData ]
+-------------------------+
Figure 29: The EventData Class
图29:EventData类
The aggregate classes of the EventData class are:
EventData类的聚合类包括:
Description Zero or more. ML_STRING. A free-form text description of the event.
说明零或更多。ML_字符串。事件的自由格式文本描述。
DetectTime Zero or one. DATETIME. The time the event was detected.
检测时间为零或一。日期时间。检测到事件的时间。
StartTime Zero or one. DATETIME. The time the event started.
开始计时零或一。日期时间。事件开始的时间。
EndTime Zero or one. DATETIME. The time the event ended.
结束时间0或1。日期时间。事件结束的时间。
RecoveryTime Zero or one. DATETIME. The time the site recovered from the event.
恢复时间为0或1。日期时间。站点从事件中恢复的时间。
ReportTime Zero or one. DATETIME. The time the event was reported.
报告时间为零或一。日期时间。事件报告的时间。
Contact Zero or more. Contact information for the parties involved in the event. See Section 3.9.
联系零或更多。事件相关方的联系信息。见第3.9节。
Discovery Zero or more. The means by which the event was detected. See Section 3.10.
发现零或更多。检测事件的方法。见第3.10节。
Assessment Zero or one. The impact of the event on the victim and the actions taken. See Section 3.12.
评估零或一。事件对受害者的影响和采取的行动。见第3.12节。
Method Zero or more. The technique used by the threat actor in the event. See Section 3.11.
方法0或更多。威胁行为人在事件中使用的技术。见第3.11节。
Flow Zero or more. A description of the systems or networks involved. See Section 3.16.
流量为零或更多。对所涉及的系统或网络的描述。见第3.16节。
Expectation Zero or more. The expected action to be performed by the recipient for the described event. See Section 3.15.
期望值为零或更多。收件人对所述事件执行的预期操作。见第3.15节。
Record Zero or one. Supportive data (e.g., log files) that provides additional information about the event. See Section 3.22.
记录0或1。提供事件附加信息的支持性数据(如日志文件)。见第3.22节。
EventData Zero or more. A recursive definition of the EventData class. See Section 3.14.2 for an explanation on using this class.
EventData为零或更多。EventData类的递归定义。有关使用该类的说明,请参见第3.14.2节。
AdditionalData Zero or more. EXTENSION. An extension mechanism for data not explicitly represented in the data model.
附加数据为零或更多。扩大数据模型中未显式表示的数据的扩展机制。
At least one of the aggregate classes MUST be present in an instance of the EventData class.
EventData类的实例中必须至少存在一个聚合类。
The attributes of the EventData class are:
EventData类的属性包括:
restriction Optional. ENUM. See Section 3.3.1. The default value is "default".
限制是可选的。枚举。见第3.3.1节。默认值为“default”。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
There is substantial overlap in the child classes aggregated in the Incident and EventData classes. Nevertheless, the semantics of these classes are quite different. The Incident class provides summary information about the entire incident, while the EventData class provides information about the individual events comprising the incident. In the common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, in the case where the summarized information in the Incident class conflicts with the detailed information in an EventData class, the more specific EventData class MUST supersede the more generic information provided in the Incident class.
Incident和EventData类中聚合的子类存在大量重叠。然而,这些类的语义是完全不同的。事件类提供有关整个事件的摘要信息,而EventData类提供有关构成事件的各个事件的信息。在常见情况下,EventData类将为Incident类中提供的一般描述提供更具体的信息。但是,如果事件类中的摘要信息与EventData类中的详细信息冲突,则更具体的EventData类必须取代事件类中提供的更一般的信息。
The EventData class is a container for the properties of an event in an incident. These properties include: the hosts involved, impact of the incident activity on the hosts, forensic logs, etc. The recursive definition of EventData allows for the grouping of related information with common properties. This approach eliminates the need for explicit identifiers to relate information or duplicate it. Instead, the relative depth (nesting) of a class is used to group (relate) information.
EventData类是事件中事件属性的容器。这些属性包括:涉及的主机、事件活动对主机的影响、取证日志等。EventData的递归定义允许使用公共属性对相关信息进行分组。这种方法不需要显式标识符来关联或复制信息。相反,类的相对深度(嵌套)用于分组(关联)信息。
For example, consider a case where two hosts experience different impacts during an incident. However, these two hosts have common contact information. A depiction of how this situation would be represented can be found in Figure 30. EventData (2) and (3) group each of the two hosts with their unique impact. EventData (1) describes the common Contact class these two hosts share.
例如,考虑两个主机在事件中经历不同的影响的情况。但是,这两个主机有共同的联系信息。图30中描述了这种情况的表现形式。EventData(2)和(3)根据两个主机各自的独特影响对它们进行分组。EventData(1)描述这两个主机共享的公共联系人类。
+------------------+
| EventData (1) |
+------------------+
| |<>----[ Contact ]
| |
| |<>----[ EventData (2) ]<>----[ Flow ]
| | [ ]<>----[ Assessment ]
| |
| |<>----[ EventData (3) ]<>----[ Flow ]
| | [ ]<>----[ Assessment ]
+------------------+
+------------------+
| EventData (1) |
+------------------+
| |<>----[ Contact ]
| |
| |<>----[ EventData (2) ]<>----[ Flow ]
| | [ ]<>----[ Assessment ]
| |
| |<>----[ EventData (3) ]<>----[ Flow ]
| | [ ]<>----[ Assessment ]
+------------------+
Figure 30: Recursion in the EventData Class
图30:EventData类中的递归
The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting.
Expectation类将发送方请求的操作传递给IODEF文档的接收方。
+-------------------------+
| Expectation |
+-------------------------+
| ENUM action |<>--{0..*}--[ Description ]
| STRING ext-action |<>--{0..*}--[ DefinedCOA ]
| ENUM severity |<>--{0..1}--[ StartTime ]
| ENUM restriction |<>--{0..1}--[ EndTime ]
| STRING ext-restriction |<>--{0..1}--[ Contact ]
| ID observable-id |
+-------------------------+
+-------------------------+
| Expectation |
+-------------------------+
| ENUM action |<>--{0..*}--[ Description ]
| STRING ext-action |<>--{0..*}--[ DefinedCOA ]
| ENUM severity |<>--{0..1}--[ StartTime ]
| ENUM restriction |<>--{0..1}--[ EndTime ]
| STRING ext-restriction |<>--{0..1}--[ Contact ]
| ID observable-id |
+-------------------------+
Figure 31: The Expectation Class
图31:期望类
The aggregate classes of the Expectation class are:
期望类的聚合类为:
Description Zero or more. ML_STRING. A free-form text description of the desired action(s).
说明零或更多。ML_字符串。所需操作的自由格式文本描述。
DefinedCOA Zero or more. STRING. A unique identifier meaningful to the sender and recipient of this document that references a course of action. This class MUST be present if the action attribute is set to "defined-coa".
定义COA为零或更多。一串对本文档的发件人和收件人有意义的唯一标识符,该标识符引用了一个操作过程。如果action属性设置为“defined coa”,则此类必须存在。
StartTime Zero or one. DATETIME. The time at which the sender would like the action performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the sender would like the action performed as soon as possible. The absence of this element indicates no expectations of when the recipient would like the action performed.
开始计时零或一。日期时间。发送方希望执行操作的时间。早于事件类中指定的ReportTime的时间戳表示发送方希望尽快执行操作。如果没有此元素,则表示收件人不希望在何时执行操作。
EndTime Zero or one. DATETIME. The time by which the sender expects the recipient to complete the action. If the recipient cannot complete the action before EndTime, the recipient MUST NOT carry out the action. Because of transit delays and clock drift, the sender MUST be prepared for the recipient to have carried out the action, even if it completes past EndTime.
结束时间0或1。日期时间。发件人希望收件人完成操作的时间。如果收件人无法在EndTime之前完成操作,则收件人不得执行该操作。由于传输延迟和时钟漂移,发送方必须为接收方执行操作做好准备,即使它在结束时间之后完成。
Contact Zero or one. The entity expected to perform the action. See Section 3.9.
联系零或一。预期执行操作的实体。见第3.9节。
The attributes of the Expectation class are:
Expectation类的属性包括:
action Optional. ENUM. Classifies the type of action requested. The default value of "other". These values are maintained in the "Expectation-action" IANA registry per Section 10.2.
操作可选。枚举。对请求的操作类型进行分类。“其他”的默认值。根据第10.2节,这些值保存在“预期行动”IANA注册表中。
1. nothing. No action is requested. Do nothing with the information.
1. 没有什么不要求采取任何行动。不要处理这些信息。
2. contact-source-site. Contact the site(s) identified as the source of the activity.
2. 联系源站点。联系确定为活动来源的站点。
3. contact-target-site. Contact the site(s) identified as the target of the activity.
3. 联系目标站点。联系确定为活动目标的站点。
4. contact-sender. Contact the originator of the document.
4. 联系寄件人。联系文件的发起人。
5. investigate. Investigate the system(s) listed in the event.
5. 侦查调查事件中列出的系统。
6. block-host. Block traffic from the machine(s) listed as sources in the event.
6. 阻止主机。阻止来自事件中列为源的计算机的通信。
7. block-network. Block traffic from the network(s) lists as sources in the event.
7. 块网络。阻止来自事件中作为源的网络列表的流量。
8. block-port. Block the port listed as sources in the event.
8. 阻塞端口。阻止事件中列为源的端口。
9. rate-limit-host. Rate-limit the traffic from the machine(s) listed as sources in the event.
9. 速率限制主机。速率限制事件中作为源列出的计算机的通信量。
10. rate-limit-network. Rate-limit the traffic from the network(s) lists as sources in the event.
10. 速率限制网络。速率限制事件中作为源的网络列表中的流量。
11. rate-limit-port. Rate-limit the port(s) listed as sources in the event.
11. 速率限制端口。速率限制事件中列为源的端口。
12. redirect-traffic. Redirect traffic from the intended recipient for further analysis.
12. 重定向流量。重定向来自预期收件人的通信量以进行进一步分析。
13. honeypot. Redirect traffic from systems listed in the event to a honeypot for further analysis.
13. 蜜罐。将事件中列出的系统的流量重定向到蜜罐以进行进一步分析。
14. upgrade-software. Upgrade or patch the software or firmware on an asset listed in the event.
14. 升级软件。升级或修补事件中列出的资产上的软件或固件。
15. rebuild-asset. Reinstall the operating system or applications on an asset listed in the event.
15. 重建资产。在事件中列出的资产上重新安装操作系统或应用程序。
16. harden-asset. Change the configuration of an asset listed in the event to reduce the attack surface.
16. 硬化资产。更改事件中列出的资产的配置以减少攻击面。
17. remediate-other. Remediate the activity in a way other than by rate-limiting or blocking.
17. 纠正其他错误。以速率限制或阻塞以外的方式修正活动。
18. status-triage. Confirm receipt and begin triaging the incident.
18. 身份分类。确认收到并开始对事件进行分类。
19. status-new-info. Notify the sender when new information is received for this incident.
19. 状态新信息。收到此事件的新信息时通知发件人。
20. watch-and-report. Watch for the described activity or indicators, and notify the sender when seen.
20. 观察并报告。注意所描述的活动或指示器,并在看到时通知发件人。
21. training. Train user to identify or mitigate the described threat.
21. 训练培训用户识别或缓解所述威胁。
22. defined-coa. Perform a predefined course of action (COA). The COA is named in the DefinedCOA class.
22. 定义coa。执行预定义的行动方案(COA)。COA在DefinedCOA类中命名。
23. other. Perform a custom action described in the Description class.
23. 另外执行描述类中描述的自定义操作。
24. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
24. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-action Optional. STRING. A means by which to extend the action attribute. See Section 5.1.1.
ext操作可选。一串扩展action属性的方法。见第5.1.1节。
severity Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.
严重性可选。枚举。指示所需的操作优先级。该属性是一个枚举列表,没有默认值,这些相对度量的语义依赖于上下文。
1. low. Low priority
1. 低的低优先级
2. medium. Medium priority
2. 中等的中等优先级
3. high. High priority
3. 高的高优先级
restriction Optional. ENUM. See Section 3.3.1. The default value is "default".
限制是可选的。枚举。见第3.3.1节。默认值为“default”。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Flow class describes the systems and networks involved in the incident and the relationships between them.
Flow类描述事件中涉及的系统和网络以及它们之间的关系。
+------------------+
| Flow |
+------------------+
| |<>--{1..*}--[ System ]
+------------------+
+------------------+
| Flow |
+------------------+
| |<>--{1..*}--[ System ]
+------------------+
Figure 32: The Flow Class
图32:流类
The aggregate class of the Flow class is:
Flow类别的聚合类别为:
System One or More. A host or network involved in an event. See Section 3.17.
一个或多个系统。与事件有关的主机或网络。见第3.17节。
The Flow class has no attributes.
流类没有属性。
The System class describes a system or network involved in an event.
System类描述事件中涉及的系统或网络。
+------------------------+
| System |
+------------------------+
| ENUM category |<>----------[ Node ]
| STRING ext-category |<>--{0..*}--[ NodeRole ]
| STRING interface |<>--{0..*}--[ Service ]
| ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
| ENUM virtual |<>--{0..*}--[ Counter ]
| ENUM ownership |<>--{0..*}--[ AssetID ]
| STRING ext-ownership |<>--{0..*}--[ Description ]
| ENUM restriction |<>--{0..*}--[ AdditionalData ]
| STRING ext-restriction |
| ID observable-id |
+------------------------+
+------------------------+
| System |
+------------------------+
| ENUM category |<>----------[ Node ]
| STRING ext-category |<>--{0..*}--[ NodeRole ]
| STRING interface |<>--{0..*}--[ Service ]
| ENUM spoofed |<>--{0..*}--[ OperatingSystem ]
| ENUM virtual |<>--{0..*}--[ Counter ]
| ENUM ownership |<>--{0..*}--[ AssetID ]
| STRING ext-ownership |<>--{0..*}--[ Description ]
| ENUM restriction |<>--{0..*}--[ AdditionalData ]
| STRING ext-restriction |
| ID observable-id |
+------------------------+
Figure 33: The System Class
图33:系统类
The aggregate classes of the System class are:
系统类的聚合类为:
Node One. A host or network involved in the incident. See Section 3.18.
节点一。事件中涉及的主机或网络。见第3.18节。
NodeRole Zero or more. The intended purpose of the system. See Section 3.18.2.
节点数为零或更多。系统的预期用途。见第3.18.2节。
Service Zero or more. A network service running on the system. See Section 3.20.
服务零或更多。在系统上运行的网络服务。见第3.20节。
OperatingSystem Zero or more. SOFTWARE. The operating system running on the system.
操作系统零或更多。软件在系统上运行的操作系统。
Counter Zero or more. A counter with which to summarize properties of this host or network. See Section 3.18.3.
计数器为零或更多。用于汇总此主机或网络属性的计数器。见第3.18.3节。
AssetID Zero or more. STRING. An asset identifier for the System.
AssetID为零或更多。一串系统的资产标识符。
Description Zero or more. ML_STRING. A free-form text description of the System.
说明零或更多。ML_字符串。系统的自由格式文本描述。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The attributes of the System class are:
系统类的属性包括:
category Optional. ENUM. Classifies the role the host or network played in the incident. These values are maintained in the "System-category" IANA registry per Section 10.2.
类别可选。枚举。对主机或网络在事件中扮演的角色进行分类。根据第10.2节,这些值保存在“系统类别”IANA注册表中。
1. source. The System was the source of the event.
1. 来源系统是事件的根源。
2. target. The System was the target of the event.
2. 目标该系统是事件的目标。
3. intermediate. The System was an intermediary in the event.
3. 中间的该系统是这一事件的中间人。
4. sensor. The System was a sensor monitoring the event.
4. 传感器该系统是监控事件的传感器。
5. infrastructure. The System was an infrastructure node of the IODEF document exchange.
5. 基础设施该系统是IODEF文档交换的基础结构节点。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-category Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.
外部类别可选。一串扩展类别属性的方法。见第5.1.1节。
interface Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.
接口可选。一串指定此系统上的事件起源于的接口。如果节点类指定的是网络而不是主机,则此属性没有任何意义。
spoofed Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".
欺骗可选。枚举。表明对该系统是真正的目标还是攻击主机有信心。此属性的允许值如下所示。默认值为“未知”。
1. unknown. The accuracy of the category attribute value is unknown.
1. 未知的类别属性值的准确性未知。
2. yes. The category attribute value is likely incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
2. 对类别属性值可能不正确。在源的情况下,系统可能是诱饵;有了目标,系统很可能不是预期的受害者。
3. no. The category attribute value is believed to be correct.
3. 否。类别属性值被认为是正确的。
virtual Optional. ENUM. Indicates whether this System is a virtual or physical device. The default value is "unknown".
虚拟可选。枚举。指示此系统是虚拟设备还是物理设备。默认值为“未知”。
1. yes. The System is a virtual device.
1. 对该系统是一个虚拟设备。
2. no. The System is a physical device.
2. 不是。该系统是一个物理设备。
3. unknown. It is not known if the System is virtual.
3. 未知的不知道系统是否是虚拟的。
ownership Optional. ENUM. Describes the ownership of this System relative to the victim in the incident. These values are maintained in the "System-ownership" IANA registry per Section 10.2.
所有权是可选的。枚举。描述此系统相对于事件中受害者的所有权。根据第10.2节,这些值保存在“系统所有权”IANA注册表中。
1. organization. Corporate or enterprise owned.
1. 组织公司或企业拥有的。
2. personal. Personally owned by an employee or affiliate of the corporation or enterprise.
2. 个人的由公司或企业的雇员或附属公司个人拥有。
3. partner. Owned by a partner of the corporation or enterprise.
3. 配偶由公司或企业的合伙人拥有。
4. customer. Owned by a customer of the corporation or enterprise.
4. 顾客由公司或企业的客户拥有。
5. no-relationship. Owned by an entity that has no known relationship with the victim organization.
5. 没有关系。由与受害者组织没有已知关系的实体拥有。
6. unknown. Ownership is unknown.
6. 未知的所有权不明。
7. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
7. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-ownership Optional. STRING. A means by which to extend the ownership attribute. See Section 5.1.1.
ext所有权是可选的。一串扩展“所有权”属性的方法。见第5.1.1节。
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Node class identifies a system, asset, or network and its location.
节点类标识系统、资产或网络及其位置。
+---------------+
| Node |
+---------------+
| |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ PostalAddress ]
| |<>--{0..*}--[ Location ]
| |<>--{0..*}--[ Counter ]
+---------------+
+---------------+
| Node |
+---------------+
| |<>--{0..*}--[ DomainData ]
| |<>--{0..*}--[ Address ]
| |<>--{0..1}--[ PostalAddress ]
| |<>--{0..*}--[ Location ]
| |<>--{0..*}--[ Counter ]
+---------------+
Figure 34: The Node Class
图34:节点类
The aggregate classes of the Node class are:
节点类的聚合类包括:
DomainData Zero or more. The domain (DNS) information associated with this node. If an Address is not provided, at least one DomainData MUST be specified. See Section 3.19.
域数据为零或更多。与此节点关联的域(DNS)信息。如果未提供地址,则必须至少指定一个DomainData。见第3.19节。
Address Zero or more. The hardware, network, or application address of the node. If a DomainData is not provided, at least one Address MUST be specified. See Section 3.18.1.
地址为零或更多。节点的硬件、网络或应用程序地址。如果未提供DomainData,则必须至少指定一个地址。见第3.18.1节。
PostalAddress Zero or one. POSTAL. The postal address of the node.
邮资是零还是一。邮政。节点的邮政地址。
Location Zero or more. ML_STRING. A free-form text description of the physical location of the node. This description may provide a more detailed description of where at the address specified by the PostalAddress class this node is found (e.g., room number, rack number, or slot number in a chassis).
位置零或更多。ML_字符串。节点物理位置的自由格式文本描述。此描述可提供更详细的描述,说明在PostLaddress类指定的地址中找到此节点的位置(例如,机箱中的房间号、机架号或插槽号)。
Counter Zero or more. A counter with which to summarize properties of this host or network. See Section 3.18.3.
计数器为零或更多。用于汇总此主机或网络属性的计数器。见第3.18.3节。
The Node class has no attributes.
节点类没有属性。
The Address class represents a hardware (Layer 2), network (Layer 3), or application (Layer 7) address.
Address类表示硬件(第2层)、网络(第3层)或应用程序(第7层)地址。
+-------------------------+
| Address |
+-------------------------+
| STRING |
| |
| ENUM category |
| STRING ext-category |
| STRING vlan-name |
| INTEGER vlan-num |
| ID observable-id |
+-------------------------+
+-------------------------+
| Address |
+-------------------------+
| STRING |
| |
| ENUM category |
| STRING ext-category |
| STRING vlan-name |
| INTEGER vlan-num |
| ID observable-id |
+-------------------------+
Figure 35: The Address Class
图35:Address类
The content of the class is an address of type STRING whose semantics are determined by the category attribute.
类的内容是字符串类型的地址,其语义由category属性确定。
The attributes of the Address class are:
Address类的属性包括:
category Required. ENUM. The type of address represented. The default value is "ipv6-addr". These values are maintained in the "Address-category" IANA registry per Section 10.2.
类别要求。枚举。表示的地址类型。默认值为“ipv6地址”。根据第10.2节,这些值保存在“地址类别”IANA注册表中。
1. asn. Autonomous System Number.
1. asn。自治系统编号。
2. atm. Asynchronous Transfer Mode (ATM) address.
2. 自动取款机。异步传输模式(ATM)地址。
3. e-mail. Email address, per the EMAIL data type.
3. 电子邮件电子邮件地址,根据电子邮件数据类型。
4. ipv4-addr. IPv4 host address in dotted-decimal notation (i.e., a.b.c.d).
4. ipv4地址。点十进制表示法(即a.b.c.d)的IPv4主机地址。
5. ipv4-net. IPv4 network address in dotted-decimal notation, slash, significant bits (i.e., a.b.c.d/nn).
5. ipv4网络。IPv4网络地址,采用点十进制表示法、斜杠、有效位(即a.b.c.d/nn)。
6. ipv4-net-masked. A sanitized IPv4 address with significant bits per "ipv4-net" but with the character 'x' replacing any digit(s) in the address or prefix.
6. ipv4网络屏蔽。经过净化的IPv4地址,每个“IPv4网络”具有有效位,但地址或前缀中的任何数字都由字符“x”替换。
7. ipv4-net-mask. IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (i.e., a.b.c.d/w.x.y.z).
7. ipv4网络掩码。点十进制表示法中的IPv4网络地址、斜杠、点十进制表示法中的网络掩码(即a.b.c.d/w.x.y.z)。
8. ipv6-addr. IPv6 host address per Section 4 of [RFC5952].
8. ipv6地址。[RFC5952]第4节规定的IPv6主机地址。
9. ipv6-net. IPv6 network address, slash, prefix per Section 2.3 of [RFC4291].
9. ipv6网络。根据[RFC4291]第2.3节,IPv6网络地址、斜杠和前缀。
10. ipv6-net-masked. A sanitized IPv6 address and prefix per "ipv6-net" but with the character 'x' replacing any hexadecimal digit(s) in the address or digit(s) in the prefix.
10. ipv6网络屏蔽。每个“IPv6网络”的净化IPv6地址和前缀,但用字符“x”替换地址中的任何十六进制数字或前缀中的数字。
11. mac. Media Access Control (MAC) address (i.e., aa:bb:cc:dd:ee:ff).
11. 雨衣。媒体访问控制(MAC)地址(即aa:bb:cc:dd:ee:ff)。
12. site-uri. A URL or URI for a resource, per the URL data type.
12. 站点uri。每个URL数据类型的资源的URL或URI。
13. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
13. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-category Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.
外部类别可选。一串扩展类别属性的方法。见第5.1.1节。
vlan-name Optional. STRING. The name of the Virtual LAN to which the address belongs.
vlan名称可选。一串地址所属的虚拟LAN的名称。
vlan-num Optional. INTEGER. The number of the Virtual LAN to which the address belongs.
vlan num可选。整数地址所属的虚拟LAN的编号。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The NodeRole class describes the function performed by or role of a particular system, asset, or network.
NodeRole类描述由特定系统、资产或网络执行的功能或角色。
+-----------------------+
| NodeRole |
+-----------------------+
| ENUM category |<>--{0..*}--[ Description ]
| STRING ext-category |
+-----------------------+
+-----------------------+
| NodeRole |
+-----------------------+
| ENUM category |<>--{0..*}--[ Description ]
| STRING ext-category |
+-----------------------+
Figure 36: The NodeRole Class
图36:NodeRole类
The aggregate class of the NodeRole class is:
NodeRole类的聚合类为:
Description Zero or more. ML_STRING. A free-form text description of the role of the system.
说明零或更多。ML_字符串。系统角色的自由格式文本描述。
The attributes of the NodeRole class are:
NodeRole类的属性包括:
category Required. ENUM. Function or role of a node. These values are maintained in the "NodeRole-category" IANA registry per Section 10.2.
类别要求。枚举。节点的功能或角色。根据第10.2节,这些值保存在“NodeRole类别”IANA注册表中。
1. client. Client computer.
1. 客户客户端计算机。
2. client-enterprise. Client computer on the enterprise network.
2. 客户企业。企业网络上的客户端计算机。
3. client-partner. Client computer on network of a partner.
3. 客户伙伴。合作伙伴网络上的客户端计算机。
4. client-remote. Client computer remotely connected to the enterprise network.
4. 远程客户端。远程连接到企业网络的客户端计算机。
5. client-kiosk. Client computer serving as a kiosk.
5. 客户端信息亭。用作信息亭的客户端计算机。
6. client-mobile. Mobile device.
6. 客户端移动。移动设备。
7. server-internal. Server with internal services.
7. 服务器内部。具有内部服务的服务器。
8. server-public. Server with public services.
8. 服务器是公共的。提供公共服务的服务器。
9. www. WWW server.
9. www.www服务器。
10. mail. Mail server.
10. 邮政邮件服务器。
11. webmail. Web mail server.
11. 网络邮件。网络邮件服务器。
12. messaging. Messaging server (e.g., NNTP, IRC, IM).
12. 信息。消息服务器(如NNTP、IRC、IM)。
13. streaming. Streaming-media server.
13. 流动。流媒体服务器。
14. voice. Voice server (e.g., SIP, H.323).
14. 嗓音语音服务器(如SIP、H.323)。
15. file. File server.
15. 文件文件服务器。
16. ftp. FTP server.
16. ftp。FTP服务器。
17. p2p. Peer-to-peer node.
17. p2p。对等节点。
18. name. Name server (e.g., DNS, WINS).
18. 名称名称服务器(例如DNS、WINS)。
19. directory. Directory server (e.g., LDAP, finger, whois).
19. 目录目录服务器(例如LDAP、finger、whois)。
20. credential. Credential server (e.g., domain controller, Kerberos).
20. 资质凭据服务器(例如,域控制器、Kerberos)。
21. print. Print server.
21. 打印打印服务器。
22. application. Application server.
22. 应用应用服务器。
23. database. Database server.
23. 数据库数据库服务器。
24. backup. Backup server.
24. 备份备份服务器。
25. dhcp. DHCP server.
25. dhcp。DHCP服务器。
26. assessment. Assessment server (e.g., vulnerability scanner, endpoint assessment).
26. 看法评估服务器(例如,漏洞扫描程序、端点评估)。
27. source-control. Source code control server.
27. 源头控制。源代码控制服务器。
28. config-management. Configuration management server.
28. 配置管理。配置管理服务器。
29. monitoring. Security monitoring server (e.g., IDS).
29. 监测。安全监控服务器(如IDS)。
30. infra. Infrastructure server (e.g., router, firewall, DHCP).
30. infra。基础结构服务器(如路由器、防火墙、DHCP)。
31. infra-firewall. Firewall.
31. 红外线防火墙。防火墙。
32. infra-router. Router.
32. 红外线路由器。路由器。
33. infra-switch. Switch.
33. 红外线开关。转换
34. camera. Camera and video system.
34. 照相机摄像机和视频系统。
35. proxy. Proxy server.
35. 代理代理服务器。
36. remote-access. Remote access server.
36. 远程访问。远程访问服务器。
37. log. Log server (e.g., syslog).
37. 日志日志服务器(例如,syslog)。
38. virtualization. Server running virtual machines.
38. 虚拟化。运行虚拟机的服务器。
39. pos. Point-of-sale device.
39. pos.销售点设备。
40. scada. Supervisory control and data acquisition (SCADA) system.
40. scada。监控和数据采集(SCADA)系统。
41. scada-supervisory. Supervisory system for a SCADA.
41. scada监控系统。SCADA的监控系统。
42. sinkhole. Traffic sinkhole destination.
42. 天坑。交通陷坑目的地。
43. honeypot. Honeypot server.
43. 蜜罐。蜜罐服务器。
44. anonymization. Anonymization server (e.g., Tor node).
44. 匿名化。匿名服务器(例如,Tor节点)。
45. c2-server. Malicious command and control server.
45. 指挥控制服务器。恶意命令和控制服务器。
46. malware-distribution. Server that distributes malware
46. 恶意软件分发。分发恶意软件的服务器
47. drop-server. Server to which exfiltrated content is uploaded.
47. 删除服务器。导出内容上载到的服务器。
48. hop-point. Intermediary server used to get to a victim.
48. 跳点。用于访问受害者的中间服务器。
49. reflector. A system used in a reflector attack.
49. 反射器。用于反射器攻击的系统。
50. phishing-site. Site hosting phishing content.
50. 钓鱼网站。网站托管钓鱼内容。
51. spear-phishing-site. Site hosting spear-phishing content.
51. 鱼叉钓鱼网站。网站托管鱼叉钓鱼内容。
52. recruiting-site. Site to recruit.
52. 招聘网站。网站招聘。
53. fraudulent-site. Fraudulent site.
53. 欺诈网站。欺诈网站。
54. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
54. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-category Optional. STRING. A means by which to extend the category attribute. See Section 5.1.1.
外部类别可选。一串扩展类别属性的方法。见第5.1.1节。
The Counter class summarizes multiple occurrences of an event or conveys counts or rates of various features.
计数器类汇总事件的多次出现,或传递各种特征的计数或速率。
The complete semantics of this class are context dependent based on the class in which it is aggregated.
这个类的完整语义是基于聚合它的类的上下文相关的。
+---------------------+
| Counter |
+---------------------+
| REAL |
| |
| ENUM type |
| STRING ext-type |
| ENUM unit |
| STRING ext-unit |
| STRING meaning |
| ENUM duration |
| STRING ext-duration |
+---------------------+
+---------------------+
| Counter |
+---------------------+
| REAL |
| |
| ENUM type |
| STRING ext-type |
| ENUM unit |
| STRING ext-unit |
| STRING meaning |
| ENUM duration |
| STRING ext-duration |
+---------------------+
Figure 37: The Counter Class
图37:计数器类
The content of the class is a value of type REAL whose meaning and units are determined by the type and duration attributes, respectively. If the duration attribute is present, the element content is a rate. Otherwise, it is a simple counter.
类的内容是REAL类型的值,其含义和单位分别由type和duration属性确定。如果存在duration属性,则元素内容为速率。否则,它就是一个简单的计数器。
The attributes of the Counter class are:
计数器类的属性包括:
type Required. ENUM. Specifies the type of counter specified in the element content. These values are maintained in the "Counter-type" IANA registry per Section 10.2.
所需类型。枚举。指定元素内容中指定的计数器类型。根据第10.2节,这些值保存在“计数器类型”IANA注册表中。
1. count. The Counter class value is a counter.
1. 计数计数器类值是计数器。
2. peak. The Counter class value is a peak value.
2. 峰计数器类值是峰值。
3. average. The Counter class value is an average.
3. 平均的计数器类值是平均值。
4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
4. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
unit Required. ENUM. Specifies the units of the element content. These values are maintained in the "Counter-unit" IANA registry per Section 10.2.
单位要求。枚举。指定元素内容的单位。根据第10.2节,这些值保存在“计数器单元”IANA注册表中。
1. byte. Bytes transferred.
1. 字节传输的字节数。
2. mbit. Megabits (Mbits) transferred.
2. mbit。传输的兆位(Mbits)。
3. packet. Packets.
3. 小包裹小包。
4. flow. Network flow records.
4. 流网络流量记录。
5. session. Sessions.
5. 一场会议。
6. alert. Notifications generated by another system (e.g., IDS or SIEM system).
6. 警觉的由其他系统(如IDS或SIEM系统)生成的通知。
7. message. Messages (e.g., mail messages).
7. 消息消息(例如,邮件消息)。
8. event. Events.
8. 事件事件。
9. host. Hosts.
9. 主办主持人。
10. site. Site.
10. 地点地点
11. organization. Organizations.
11. 组织组织。
12. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
12. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-unit Optional. STRING. A means by which to extend the unit attribute. See Section 5.1.1.
外部单元可选。一串扩展单位属性的方法。见第5.1.1节。
meaning Optional. STRING. A free-form text description of the metric represented by the Counter.
意思是可选的。一串计数器表示的度量的自由格式文本描述。
duration Optional. ENUM. If present, the Counter class represents a rate. This attribute specifies a unit of time over which the rate whose units are specified in the unit attribute is being conveyed. This attribute is the denominator of the rate (where the unit attribute specified the nominator). The possible values of this attribute are defined in the duration attribute of Section 3.12.3
持续时间可选。枚举。如果存在,计数器类表示一个速率。此属性指定一个时间单位,在该时间单位内,传输单位在“单位”属性中指定的速率。该属性是汇率的分母(其中单位属性指定了提名人)。该属性的可能值在第3.12.3节的持续时间属性中定义
ext-duration Optional. STRING. A means by which to extend the duration attribute. See Section 5.1.1.
ext持续时间可选。一串扩展持续时间属性的方法。见第5.1.1节。
The DomainData class describes a domain name and metadata associated with this domain.
DomainData类描述与此域关联的域名和元数据。
+--------------------------+
| DomainData |
+--------------------------+
| ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| ID observable-id |<>--{0..*}--[ RelatedDNS ]
| |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ]
+--------------------------+
+--------------------------+
| DomainData |
+--------------------------+
| ENUM system-status |<>----------[ Name ]
| STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
| ENUM domain-status |<>--{0..1}--[ RegistrationDate ]
| STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ]
| ID observable-id |<>--{0..*}--[ RelatedDNS ]
| |<>--{0..*}--[ Nameservers ]
| |<>--{0..1}--[ DomainContacts ]
+--------------------------+
Figure 38: The DomainData Class
图38:DomainData类
The aggregate classes of the DomainData class are:
The aggregate classes of the DomainData class are:translate error, please retry
Name One. STRING. The domain name of a system.
举一个例子。一串系统的域名。
DateDomainWasChecked Zero or one. DATETIME. A timestamp of when the domain listed in the Name class was resolved.
DateDomain被检查为零或一。日期时间。解析Name类中列出的域的时间戳。
RegistrationDate Zero or one. DATETIME. A timestamp of when domain listed in the Name class was registered.
注册日期为零或一。日期时间。注册Name类中列出的域的时间戳。
ExpirationDate Zero or one. DATETIME. A timestamp of when the domain listed in the Name class is set to expire.
到期日期为零或一。日期时间。Name类中列出的域设置为过期时的时间戳。
RelatedDNS Zero or more. EXTENSION. Additional DNS records associated with this domain.
相关DNS为零或更多。扩大与此域关联的其他DNS记录。
Nameservers Zero or more. The nameservers identified for the domain listed in the Name class. See Section 3.19.1.
名称服务器为零或更多。为名称类中列出的域标识的名称服务器。见第3.19.1节。
DomainContacts Zero or one. Contact information for the domain listed in the Name class supplied by the registrar or through a whois query.
域联系人为零或一。注册商提供的名称类中列出的域的联系信息或通过whois查询提供的域的联系信息。
The attributes of the DomainData class are:
DomainData类的属性包括:
system-status Required. ENUM. Assesses the domain's involvement in the event. These values are maintained in the "DomainData-system-status" IANA registry per Section 10.2.
需要系统状态。枚举。评估域名参与事件的情况。根据第10.2节,这些值保存在“DomainData system status”IANA注册表中。
1. spoofed. This domain was spoofed.
1. 欺骗。此域已被欺骗。
2. fraudulent. This domain was operated with fraudulent intentions.
2. 欺骗的该域名的运营带有欺诈意图。
3. innocent-hacked. This domain was compromised by a third party.
3. 无辜的黑客。此域已被第三方入侵。
4. innocent-hijacked. This domain was deliberately hijacked.
4. 无辜者被劫持。这个域名被蓄意劫持。
5. unknown. No categorization for this domain known.
5. 未知的此域的分类未知。
6. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
6. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-system-status Optional. STRING. A means by which to extend the system-status attribute. See Section 5.1.1.
外部系统状态可选。一串扩展系统状态属性的方法。见第5.1.1节。
domain-status Required. ENUM. Categorizes the registry status of the domain at the time the document was generated. These values and their associated descriptions are derived from Section 3.2.2 of [RFC3982]. These values are maintained in the "DomainData-domain-status" IANA registry per Section 10.2.
需要域状态。枚举。对生成文档时域的注册表状态进行分类。这些值及其相关说明源自[RFC3982]第3.2.2节。根据第10.2节,这些值保存在“DomainData domain status”IANA注册表中。
1. reservedDelegation. The domain is permanently inactive.
1. 保留公使权。该域永久不活动。
2. assignedAndActive. The domain is in a normal state.
2. 指定的和活动的。域处于正常状态。
3. assignedAndInactive. The domain has an assigned registration, but the delegation is inactive.
3. 指定指示词。域已分配注册,但委派处于非活动状态。
4. assignedAndOnHold. The domain is in dispute.
4. 分配给安多霍尔德。域名有争议。
5. revoked. The domain is in the process of being purged from the database.
5. 撤销的。域正在从数据库中清除。
6. transferPending. The domain is pending a change in authority.
6. 转让待定。域正在等待权限更改。
7. registryLock. The domain is on hold by the registry.
7. 注册锁。该域被注册表保留。
8. registrarLock. Same as "registryLock".
8. 注册锁。与“registryLock”相同。
9. other. The domain has a known status, but it is not one of the redefined enumerated values.
9. 另外域具有已知状态,但它不是重新定义的枚举值之一。
10. unknown. The domain has an unknown status.
10. 未知的域的状态未知。
11. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
11. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-domain-status Optional. STRING. A means by which to extend the domain-status attribute. See Section 5.1.1.
外部域状态可选。一串扩展域状态属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Nameservers class describes the nameservers associated with a given domain.
Nameservers类描述与给定域关联的名称服务器。
+--------------------+
| Nameservers |
+--------------------+
| |<>----------[ Server ]
| |<>--{1..*}--[ Address ]
+--------------------+
+--------------------+
| Nameservers |
+--------------------+
| |<>----------[ Server ]
| |<>--{1..*}--[ Address ]
+--------------------+
Figure 39: The Nameservers Class
图39:名称服务器类
The aggregate classes of the Nameservers class are:
NameServer类的聚合类包括:
Server One. STRING. The domain name of the nameserver.
一号服务器。一串名称服务器的域名。
Address One or more. The address of the nameserver. The value of the category attribute MUST be either "ipv4-addr" or "ipv6-addr". See Section 3.18.1.
解决一个或多个问题。名称服务器的地址。类别属性的值必须是“ipv4地址”或“ipv6地址”。见第3.18.1节。
The Nameservers class has no attributes.
Nameservers类没有属性。
The DomainContacts class describes the contact information for a given domain provided either by the registrar or through a whois query.
DomainContacts类描述由注册者或通过whois查询提供的给定域的联系信息。
This contact information can be explicitly described through a Contact class, or a reference can be provided to a domain with identical contact information. Either a single SameDomainContact or one or more Contact classes MUST be present.
可以通过contact类显式描述此联系人信息,也可以向具有相同联系人信息的域提供引用。必须存在单个SameDomainContact或一个或多个Contact类。
+--------------------+
| DomainContacts |
+--------------------+
| |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ]
+--------------------+
+--------------------+
| DomainContacts |
+--------------------+
| |<>--{0..1}--[ SameDomainContact ]
| |<>--{1..*}--[ Contact ]
+--------------------+
Figure 40: The DomainContacts Class
图40:DomainContacts类
The aggregate classes of the DomainContacts class are:
DomainContacts类的聚合类为:
SameDomainContact Zero or one. STRING. A domain name already cited in this document or through previous exchange that contains the identical contact information as the domain name in question. The domain contact information associated with this domain should be used instead of an explicit definition with the Contact class.
Samedomain联系零或一。一串本文档中或通过先前交换引用的域名,包含与所述域名相同的联系信息。应使用与此域关联的域联系人信息,而不是联系人类的显式定义。
Contact One or more. Contact information for the domain. See Section 3.9.
联系一个或多个。域的联系信息。见第3.9节。
The DomainContacts class has no attributes.
DomainContacts类没有属性。
The Service class describes a network service. The service is described by a protocol, port, protocol header field, and application providing or using the service.
服务类描述网络服务。服务由协议、端口、协议头字段和提供或使用服务的应用程序描述。
+-------------------------+
| Service |
+-------------------------+
| INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
| ID observable-id |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ]
| |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ]
+-------------------------+
+-------------------------+
| Service |
+-------------------------+
| INTEGER ip-protocol |<>--{0..1}--[ ServiceName ]
| ID observable-id |<>--{0..1}--[ Port ]
| |<>--{0..1}--[ Portlist ]
| |<>--{0..1}--[ ProtoCode ]
| |<>--{0..1}--[ ProtoType ]
| |<>--{0..1}--[ ProtoField ]
| |<>--{0..1}--[ ApplicationHeader ]
| |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ Application ]
+-------------------------+
Figure 41: The Service Class
图41:服务类
The aggregate classes of the Service class are:
服务类的聚合类为:
ServiceName Zero or one. A protocol name.
ServiceName为零或一。协议名。
Port Zero or one. INTEGER. A port number.
端口0或1。整数端口号。
Portlist Zero or one. PORTLIST. A list of port numbers.
端口列表0或1。端口列表。端口号列表。
ProtoCode Zero or one. INTEGER. A transport-layer (Layer 4) protocol-specific code field (e.g., ICMP code field).
原码为0或1。整数传输层(第4层)协议特定的代码字段(例如,ICMP代码字段)。
ProtoType Zero or one. INTEGER. A transport-layer (Layer 4) protocol-specific type field (e.g., ICMP type field).
原型零或一。整数传输层(第4层)协议特定类型字段(例如,ICMP类型字段)。
ProtoField Zero or one. INTEGER. A transport-layer (Layer 4) protocol-specific flag field (e.g., TCP flag field).
原野0或1。整数传输层(第4层)协议特定的标志字段(例如,TCP标志字段)。
ApplicationHeader Zero or one. A protocol header. See Section 3.20.2.
应用程序标头为零或一。协议头。见第3.20.2节。
EmailData Zero or one. Headers associated with an email message. See Section 3.21.
电子邮件数据零或一。与电子邮件关联的标题。见第3.21节。
Application Zero or one. SOFTWARE. The application acting as either the client or the server for the service.
应用程序0或1。软件充当服务的客户端或服务器的应用程序。
At least one of these classes MUST be present.
这些类中必须至少有一个存在。
When a given System class with category="source" and another with category="target" are aggregated into a single Flow class, and each of these System classes has a Service and Portlist class, an implicit relationship between these Portlists exists. If N ports are listed for a System@category="source", and M ports are listed for System@category="target", the number of ports in N must be equal to M. Likewise, the ports MUST be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. If N is greater than 1, a given instance of a Flow class MUST only have a single instance of a System@category="source" and System@category="target".
当一个具有category=“source”的给定系统类和另一个具有category=“target”的系统类聚合到一个流类中,并且这些系统类中的每个都有一个服务和端口列表类时,这些端口列表之间存在隐式关系。如果为一个端口列出了N个端口System@category=“源”和M个端口为System@category=“target”,N中的端口数必须等于M。同样,端口必须以相同的顺序列出,以便源中的第N个端口对应于目标的第N个端口。如果N大于1,则流类的给定实例必须只有流类的单个实例System@category=“来源”和System@category=“目标”。
The attributes of the Service class are:
服务类的属性包括:
ip-protocol Optional. INTEGER. The IANA-assigned IP protocol number per [IANA.Protocols]. The attribute MUST be set if a Port, Portlist, ProtoCode, ProtoType, or ProtoField class is present.
ip协议可选。整数IANA根据[IANA.Protocols]分配的IP协议编号。如果存在Port、Portlist、ProtoCode、ProtoType或ProtoField类,则必须设置该属性。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The ServiceName class identifies an application protocol. It can be described by referencing an IANA-registered protocol, by referencing a URL, or with free-form text.
ServiceName类标识应用程序协议。它可以通过引用IANA注册的协议、URL或自由格式的文本来描述。
+--------------------+
| ServiceName |
+--------------------+
| |<>--{0..1}--[ IANAService ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
+--------------------+
| ServiceName |
+--------------------+
| |<>--{0..1}--[ IANAService ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
+--------------------+
Figure 42: The ServiceName Class
图42:ServiceName类
The aggregate classes of the ServiceName class are:
ServiceName类的聚合类包括:
IANAService Zero or one. STRING. The name of the service per the "Service Name" field of the registry [IANA.Ports].
IANAService零或一。一串根据注册表[IANA.Ports]的“服务名称”字段显示的服务名称。
URL Zero or more. URL. A URL to a resource describing the service.
URL为零或更多。网址。描述服务的资源的URL。
Description Zero or more. ML_STRING. A free-form text description of the service.
说明零或更多。ML_字符串。服务的自由格式文本描述。
At least one of these classes MUST be present.
这些类中必须至少有一个存在。
The ServiceName class has no attributes.
ServiceName类没有属性。
The ApplicationHeader class describes arbitrary fields from a protocol header and its corresponding value.
ApplicationHeader类描述协议头及其相应值中的任意字段。
+--------------------------+
| ApplicationHeader |
+--------------------------+
| |<>--{1..*}--[ ApplicationHeaderField ]
+--------------------------+
+--------------------------+
| ApplicationHeader |
+--------------------------+
| |<>--{1..*}--[ ApplicationHeaderField ]
+--------------------------+
Figure 43: The ApplicationHeader Class
图43:ApplicationHeader类
The aggregate class of the ApplicationHeader class is:
ApplicationHeader类的聚合类为:
ApplicationHeaderField One or more. EXTENSION. A field name and value in a protocol header. The name attribute MUST be set to the field name. The field value MUST be set in the element content.
ApplicationHeaderField一个或多个。扩大协议头中的字段名和值。name属性必须设置为字段名。必须在元素内容中设置字段值。
The ApplicationHeader class has no attributes.
ApplicationHeader类没有属性。
The EmailData class describes headers from an email message and cryptographic hashes and signatures applied to it.
EmailData类描述电子邮件消息的标题以及应用于其的加密哈希和签名。
+-------------------------+
| EmailData |
+-------------------------+
| ID observable-id |<>--{0..*}--[ EmailTo ]
| |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..1}--[ EmailHeaders ]
| |<>--{0..1}--[ EmailBody ]
| |<>--{0..1}--[ EmailMessage ]
| |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ]
+-------------------------+
+-------------------------+
| EmailData |
+-------------------------+
| ID observable-id |<>--{0..*}--[ EmailTo ]
| |<>--{0..1}--[ EmailFrom ]
| |<>--{0..1}--[ EmailSubject ]
| |<>--{0..1}--[ EmailX-Mailer ]
| |<>--{0..*}--[ EmailHeaderField ]
| |<>--{0..1}--[ EmailHeaders ]
| |<>--{0..1}--[ EmailBody ]
| |<>--{0..1}--[ EmailMessage ]
| |<>--{0..*}--[ HashData ]
| |<>--{0..*}--[ SignatureData ]
+-------------------------+
Figure 44: EmailData Class
图44:EmailData类
The aggregate classes of the EmailData class are:
EmailData类的聚合类包括:
EmailTo Zero or more. EMAIL. The value of the "To:" header field (Section 3.6.3 of [RFC5322]) in an email.
电子邮件发送到零或更多。电子邮件电子邮件中“收件人:”标题字段(RFC5322的第3.6.3节)的值。
EmailFrom Zero or one. EMAIL. The value of the "From:" header field (Section 3.6.2 of [RFC5322]) in an email.
从零到一发电子邮件。电子邮件电子邮件中“发件人:”标题字段(RFC5322的第3.6.2节)的值。
EmailSubject Zero or one. STRING. The value of the "Subject:" header field in an email. See Section 3.6.5 of [RFC5322].
电子邮件主题0或1。一串电子邮件中“主题:”标题字段的值。见[RFC5322]第3.6.5节。
EmailX-Mailer Zero or one. STRING. The value of the "X-Mailer:" header field in an email.
EmailX-Mailer零或一。一串电子邮件中“X-Mailer:”标题字段的值。
EmailHeaderField Zero or more. EXTENSION. The header name and value of an arbitrary header field of the email message. The name attribute MUST be set to the header name. The header value MUST be set in the element body. The dtype attribute MUST be set to "string".
EmailHeaderField零或更多。扩大电子邮件任意标题字段的标题名称和值。“名称”属性必须设置为标题名称。必须在元素主体中设置标题值。数据类型属性必须设置为“字符串”。
EmailHeaders Zero or one. STRING. The headers of an email message.
电子邮件头零或一。一串电子邮件的标题。
EmailBody Zero or one. STRING. The body of an email message.
电子邮件正文0或1。一串电子邮件的正文。
EmailMessage Zero or one. STRING. The headers and body of an email message.
电子邮件0或1。一串电子邮件的标题和正文。
HashData Zero or more. Hash(es) associated with this email message. See Section 3.26.
哈希数据为零或更多。与此电子邮件关联的哈希。见第3.26节。
SignatureData Zero or more. Signature(s) associated with this email message. See Section 3.27.
签名数据为零或更多。与此电子邮件关联的签名。见第3.27节。
The attribute of the EmailData class is:
EmailData类的属性是:
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Record class is a container class for log and audit data that provides supportive information about the events in an incident. The source of this data will often be the output of monitoring tools. These logs substantiate the activity described in the document.
Record类是日志和审核数据的容器类,它提供有关事件中事件的支持性信息。这些数据的来源通常是监控工具的输出。这些日志证实了文件中描述的活动。
+------------------------+
| Record |
+------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ]
| STRING ext-restriction |
+------------------------+
+------------------------+
| Record |
+------------------------+
| ENUM restriction |<>--{1..*}--[ RecordData ]
| STRING ext-restriction |
+------------------------+
Figure 45: The Record Class
图45:记录类
The aggregate classes of the Record class are:
记录类的聚合类为:
RecordData One or more. Log or audit data generated by a particular tool. Separate instances of the RecordData class SHOULD be used for each type of log. See Section 3.22.1.
记录一个或多个数据。由特定工具生成的日志或审核数据。对于每种类型的日志,应使用RecordData类的单独实例。见第3.22.1节。
The attributes of the Record class are:
记录类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The RecordData class describes or references log or audit data from a given type of tool and provides a means to annotate the output.
RecordData类描述或引用来自给定类型工具的日志或审核数据,并提供对输出进行注释的方法。
+------------------------+
| RecordData |
+------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ FileData ]
| |<>--{0..*}--
| | [ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| RecordData |
+------------------------+
| ENUM restriction |<>--{0..1}--[ DateTime ]
| STRING ext-restriction |<>--{0..*}--[ Description ]
| ID observable-id |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ RecordPattern ]
| |<>--{0..*}--[ RecordItem ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ FileData ]
| |<>--{0..*}--
| | [ WindowsRegistryKeysModified ]
| |<>--{0..*}--[ CertificateData ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 46: The RecordData Class
图46:RecordData类
The aggregate classes of the RecordData class are:
RecordData类的聚合类包括:
DateTime Zero or one. DATETIME. A timestamp of the data found in the RecordItem or URL classes.
日期时间0或1。日期时间。在RecordItem或URL类中找到的数据的时间戳。
Description Zero or more. ML_STRING. A free-form text description of the data provided in the RecordItem or URL classes.
说明零或更多。ML_字符串。RecordItem或URL类中提供的数据的自由格式文本描述。
Application Zero or one. SOFTWARE. Identifies the tool used to generate the data in the RecordItem or URL classes.
应用程序0或1。软件标识用于在RecordItem或URL类中生成数据的工具。
RecordPattern Zero or more. A search string to precisely find the relevant data in the RecordItem or URL classes. See Section 3.22.2.
记录模式为零或更多。用于在RecordItem或URL类中精确查找相关数据的搜索字符串。见第3.22.2节。
RecordItem Zero or more. EXTENSION. Log, audit, or forensic data to support the conclusions made during the course of analyzing the incident.
记录项为零或更多。扩大记录、审计或法医数据,以支持在分析事件过程中得出的结论。
URL Zero or more. URL. A URL reference to a log or audit data.
URL为零或更多。网址。日志或审核数据的URL引用。
FileData Zero or one. The files involved in the incident. See Section 3.25.
文件数据为零或一。事件涉及的档案。见第3.25节。
WindowsRegistryKeysModified Zero or more. The registry keys that were involved in the incident. See Section 3.23.
WindowsRegistryKeysModified为零或更多。事件中涉及的注册表项。见第3.23节。
CertificateData Zero or more. The certificates that were involved in the incident. See Section 3.24.
认证数据为零或更多。与事件有关的证书。见第3.24节。
AdditionalData Zero or more. EXTENSION. An extension mechanism for data not explicitly represented in the data model.
附加数据为零或更多。扩大数据模型中未显式表示的数据的扩展机制。
At least one of the following classes MUST be present: RecordItem, URL, FileData, WindowsRegistryKeysModified, CertificateData, or AdditionalData.
必须至少存在以下类别之一:RecordItem、URL、FileData、WindowsRegistryKeysModified、CertificateData或AdditionalData。
The attributes of the RecordData class are:
RecordData类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The RecordPattern class describes where in the log data provided or referenced in the RecordData class relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.
RecordPattern类描述了在RecordData类中提供或引用的日志数据中可以找到相关信息的位置。它提供了一种在大型日志文件、审计跟踪或取证数据中引用由模式标识的信息子集的方法。
+-----------------------+
| RecordPattern |
+-----------------------+
| STRING |
| |
| ENUM type |
| STRING ext-type |
| INTEGER offset |
| ENUM offsetunit |
| STRING ext-offsetunit |
| INTEGER instance |
+-----------------------+
+-----------------------+
| RecordPattern |
+-----------------------+
| STRING |
| |
| ENUM type |
| STRING ext-type |
| INTEGER offset |
| ENUM offsetunit |
| STRING ext-offsetunit |
| INTEGER instance |
+-----------------------+
Figure 47: The RecordPattern Class
图47:RecordPattern类
The content of the class is of type STRING and specifies a search pattern.
类的内容为STRING类型,并指定搜索模式。
The attributes of the RecordPattern class are:
RecordPattern类的属性包括:
type Required. ENUM. Describes the type of pattern being specified in the element content. The default is "regex". These values are maintained in the "RecordPattern-type" IANA registry per Section 10.2.
所需类型。枚举。描述元素内容中指定的模式类型。默认值为“regex”。根据第10.2节,这些值保存在“RecordPattern type”IANA注册表中。
1. regex. Regular expression as defined by POSIX Extended Regular Expressions (ERE) in Chapter 9 of [IEEE.POSIX].
1. 正则表达式。[IEEE.POSIX]第9章中POSIX扩展正则表达式(ERE)定义的正则表达式。
2. binary. Binhex-encoded binary pattern, per the HEXBIN data type.
2. 二进制的Binhex编码的二进制模式,根据HEXBIN数据类型。
3. xpath. XML Path (XPath) [W3C.XPATH].
3. xpath。XML路径(XPath)[W3C.XPath]。
4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
4. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
offset Optional. INTEGER. Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.
偏移量可选。整数匹配模式之前要查找记录项数据的单位数(由offsetunit属性确定)。
offsetunit Optional. ENUM. Describes the units of the offset attribute. The default is "line". These values are maintained in the "RecordPattern-offsetunit" IANA registry per Section 10.2.
抵销单位可选。枚举。描述“偏移”属性的单位。默认值为“行”。根据第10.2节,这些值保存在“RecordPattern offsetunit”IANA注册表中。
1. line. Offset is a count of lines.
1. 线偏移量是行数。
2. byte. Offset is a count of bytes.
2. 字节偏移量是字节数。
3. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
3. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-offsetunit Optional. STRING. A means by which to extend the offsetunit attribute. See Section 5.1.1.
ext offsetunit可选。一串扩展offsetunit属性的方法。见第5.1.1节。
instance Optional. INTEGER. Number of times to apply the specified pattern.
实例可选。整数应用指定图案的次数。
The WindowsRegistryKeysModified class describes Windows operating system registry keys and the operations that were performed on them. This class was derived from [RFC5901].
WindowsRegistryKeysModified类描述Windows操作系统注册表项以及对其执行的操作。该类派生自[RFC5901]。
+-----------------------------+
| WindowsRegistryKeysModified |
+-----------------------------+
| ID observable-id |<>--{1..*}--[ Key ]
+-----------------------------+
+-----------------------------+
| WindowsRegistryKeysModified |
+-----------------------------+
| ID observable-id |<>--{1..*}--[ Key ]
+-----------------------------+
Figure 48: The WindowsRegistryKeysModified Class
图48:WindowsRegistryKeysModified类
The aggregate classes of the WindowsRegistryKeysModified class are:
WindowsRegistryKeysModified类的聚合类为:
Key One or more. The Windows registry key. See Section 3.23.1.
键入一个或多个。Windows注册表项。见第3.23.1节。
The attribute of the WindowsRegistryKeysModified class is:
WindowsRegistryKeysModified类的属性为:
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Key class describes a Windows operating system registry key name and value pair, as well as the operation performed on it.
Key类描述Windows操作系统注册表项名称和值对,以及对其执行的操作。
+---------------------------+
| Key |
+---------------------------+
| ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id |
+---------------------------+
+---------------------------+
| Key |
+---------------------------+
| ENUM registryaction |<>----------[ KeyName ]
| STRING ext-registryaction |<>--{0..1}--[ KeyValue ]
| ID observable-id |
+---------------------------+
Figure 49: The Key Class
图49:关键类
The aggregate classes of the Key class are:
密钥类的聚合类为:
KeyName One. STRING. The name of a Windows operating system registry key (e.g., [HKEY_LOCAL_MACHINE\Software\Test\KeyName]).
关键字1。一串Windows操作系统注册表项的名称(例如,[HKEY\U LOCAL\U MACHINE\Software\Test\KeyName])。
KeyValue Zero or one. STRING. The value of the registry key identified in the KeyName class encoded per the .reg file format [KB310516].
键值为0或1。一串按照.reg文件格式[KB310516]编码的KeyName类中标识的注册表项的值。
The attributes of the Key class are:
密钥类的属性包括:
registryaction Optional. ENUM. The type of action taken on the registry key. These values are maintained in the "Key-registryaction" IANA registry per Section 10.2.
注册表操作可选。枚举。对注册表项执行的操作类型。根据第10.2节,这些值保存在“Key registryaction”IANA注册表中。
1. add-key. Registry key added.
1. 添加密钥。添加了注册表项。
2. add-value. Value added to a registry key.
2. 增加价值。添加到注册表项的值。
3. delete-key. Registry key deleted.
3. 删除键。注册表项已删除。
4. delete-value. Value deleted from a registry key.
4. 删除值。从注册表项中删除的值。
5. modify-key. Registry key modified.
5. 修改键。注册表项已修改。
6. modify-value. Value modified in a registry key.
6. 修改值。在注册表项中修改的值。
7. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
7. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-registryaction Optional. STRING. A means by which to extend the registryaction attribute. See Section 5.1.1.
ext registryaction可选。一串扩展registryaction属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The CertificateData class describes X.509 certificates.
CertificateData类描述X.509证书。
+------------------------+
| CertificateData |
+------------------------+
| ENUM restriction |<>--{1..*}--[ Certificate ]
| STRING ext-restriction |
| ID observable-id |
+------------------------+
+------------------------+
| CertificateData |
+------------------------+
| ENUM restriction |<>--{1..*}--[ Certificate ]
| STRING ext-restriction |
| ID observable-id |
+------------------------+
Figure 50: The CertificateData Class
图50:CertificateData类
The aggregate classes of the CertificateData class are:
CertificateData类别的合计类别为:
Certificate One or more. A description of an X.509 certificate or certificate chain. See Section 3.24.1.
一个或多个证书。X.509证书或证书链的说明。见第3.24.1节。
The attributes of the CertificateData class are:
CertificateData类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The Certificate class describes a given X.509 certificate or certificate chain.
Certificate类描述给定的X.509证书或证书链。
+--------------------------+
| Certificate |
+--------------------------+
| ID observable-id |<>----------[ ds:X509Data ]
| |<>--{0..*}--[ Description ]
+--------------------------+
+--------------------------+
| Certificate |
+--------------------------+
| ID observable-id |<>----------[ ds:X509Data ]
| |<>--{0..*}--[ Description ]
+--------------------------+
Figure 51: The Certificate Class
图51:证书类
The aggregate classes of the Certificate class are:
证书类的聚合类为:
ds:X509Data One. A given X.509 certificate or chain. See Section 4.4.4 of [W3C.XMLSIG].
ds:X509数据一。给定的X.509证书或链。参见[W3C.XMLSIG]第4.4.4节。
Description Zero or more. ML_STRING. A free-form text description explaining the context of this certificate.
说明零或更多。ML_字符串。解释本证书上下文的自由格式文本说明。
The attributes of the Certificate class are:
证书类的属性包括:
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The FileData class describes a file or set of files.
FileData类描述一个文件或一组文件。
+------------------------+
| FileData |
+------------------------+
| ENUM restriction |<>--{1..*}--[ File ]
| STRING ext-restriction |
| ID observable-id |
+------------------------+
+------------------------+
| FileData |
+------------------------+
| ENUM restriction |<>--{1..*}--[ File ]
| STRING ext-restriction |
| ID observable-id |
+------------------------+
Figure 52: The FileData Class
图52:FileData类
The aggregate classes of the FileData class are:
FileData类的聚合类包括:
File One or more. A description of a file. See Section 3.25.1.
提交一个或多个文件。对文件的描述。见第3.25.1节。
The attributes of the FileData class are:
FileData类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The File class describes a file; its associated metadata; and cryptographic hashes and signatures applied to it.
File类描述一个文件;其相关元数据;以及应用于它的加密散列和签名。
+-----------------------+
| File |
+-----------------------+
| ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ]
| |<>--{0..1}--[ AssociatedSoftware ]
| |<>--{0..*}--[ FileProperties ]
+-----------------------+
+-----------------------+
| File |
+-----------------------+
| ID observable-id |<>--{0..1}--[ FileName ]
| |<>--{0..1}--[ FileSize ]
| |<>--{0..1}--[ FileType ]
| |<>--{0..*}--[ URL ]
| |<>--{0..1}--[ HashData ]
| |<>--{0..1}--[ SignatureData ]
| |<>--{0..1}--[ AssociatedSoftware ]
| |<>--{0..*}--[ FileProperties ]
+-----------------------+
Figure 53: The File Class
图53:文件类
The aggregate classes of the File class are:
文件类的聚合类包括:
FileName Zero or one. STRING. The name of the file.
文件名为零或一。一串文件名。
FileSize Zero or one. INTEGER. The size of the file in bytes.
文件大小为零或一。整数文件的大小(以字节为单位)。
FileType Zero or one. STRING. The type of file per the IANA "Media Types" registry [IANA.Media]. Valid values correspond to the text in the "Template" column (e.g., "application/pdf").
文件类型为零或一。一串IANA“媒体类型”注册表[IANA.Media]中的文件类型。有效值对应于“模板”列中的文本(例如,“应用程序/pdf”)。
URL Zero or more. URL. A URL reference to the file.
URL为零或更多。网址。文件的URL引用。
HashData Zero or one. Hash(es) associated with this file. See Section 3.26.
哈希数据为0或1。与此文件关联的哈希。见第3.26节。
SignatureData Zero or one. Signature(s) associated with this file. See Section 3.27.
签名为零或一。与此文件关联的签名。见第3.27节。
AssociatedSoftware Zero or one. SOFTWARE. The software application or operating system to which this file belongs or by which it can be processed.
关联软件0或1。软件此文件所属或可用于处理此文件的软件应用程序或操作系统。
FileProperties Zero or more. EXTENSION. Mechanism by which to extend the data model to describe properties of the file.
文件属性为零或更多。扩大扩展数据模型以描述文件属性的机制。
The attributes of the File class are:
文件类的属性包括:
observable-id Optional. ID. See Section 3.3.2.
可观察id可选。ID.见第3.3.2节。
The HashData class describes different types of hashes on a given object (e.g., file, part of a file, email).
HashData类描述给定对象(例如,文件、文件的一部分、电子邮件)上不同类型的哈希。
+--------------------------+
| HashData |
+--------------------------+
| ENUM scope |<>--{0..1}--[ HashTargetID ]
| |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ]
+--------------------------+
+--------------------------+
| HashData |
+--------------------------+
| ENUM scope |<>--{0..1}--[ HashTargetID ]
| |<>--{0..*}--[ Hash ]
| |<>--{0..*}--[ FuzzyHash ]
+--------------------------+
Figure 54: The HashData Class
图54:HashData类
The aggregate classes of the HashData class are:
HashData类的聚合类包括:
HashTargetID Zero or one. STRING. An identifier that references a subset of the object being hashed. The semantics of this identifier are specified by the scope attribute.
HashTargetID为0或1。一串引用正在散列的对象子集的标识符。此标识符的语义由scope属性指定。
Hash Zero or more. The hash of an object. See Section 3.26.1.
散列为零或更多。对象的散列。见第3.26.1节。
FuzzyHash Zero or more. The fuzzy hash of an object. See Section 3.26.2.
模糊值为零或更多。对象的模糊散列。见第3.26.2节。
At least one instance of either Hash or FuzzyHash MUST be present.
必须至少存在哈希或FuzzyHash的一个实例。
The attribute of the HashData class is:
HashData类的属性是:
scope Required. ENUM. Describes on which part of the object the hash should be applied. These values are maintained in the "HashData-scope" IANA registry per Section 10.2.
所需范围。枚举。描述应在对象的哪个部分应用哈希。根据第10.2节,这些值保存在“HashData范围”IANA注册表中。
1. file-contents. A hash computed over the entire contents of a file.
1. 文件内容。对文件的全部内容进行计算的散列。
2. file-pe-section. A hash computed on a given section of a Windows Portable Executable (PE) file. If set to this value, the HashTargetID class MUST identify the section being hashed. A section is identified by an ordinal number (starting at 1) corresponding to the order in which the given section header was defined in the Section Table of the PE file header.
2. 文件pe部分。在Windows可移植可执行文件(PE)的给定部分上计算的哈希值。如果设置为该值,HashTargetID类必须标识要散列的节。节由序号(从1开始)标识,序号对应于PE文件头的节表中定义给定节头的顺序。
3. file-pe-iat. A hash computed on the Import Address Table (IAT) of a PE file. As IAT hashes are often tool dependent, if this value is set, the Application class of either the Hash or FuzzyHash classes MUST specify the tool used to generate the hash.
3. 文件pe iat。在PE文件的导入地址表(IAT)上计算的哈希。由于IAT哈希通常依赖于工具,如果设置了此值,则哈希或FuzzyHash类的应用程序类必须指定用于生成哈希的工具。
4. file-pe-resource. A hash computed on a given resource in a PE file. If set to this value, the HashTargetID class MUST identify the resource being hashed. A resource is identified by an ordinal number (starting at 1) corresponding to the order in which the given resource is declared in the Resource Directory of the Data Dictionary in the PE file header.
4. 文件pe资源。对PE文件中给定资源计算的哈希。如果设置为该值,HashTargetID类必须标识正在散列的资源。资源由序号(从1开始)标识,该序号对应于PE文件头中数据字典的资源目录中声明给定资源的顺序。
5. file-pdf-object. A hash computed on a given object in a Portable Document Format (PDF) file. If set to this value, the HashTargetID class MUST identify the object being hashed. This object is identified by its offset in the PDF file.
5. 文件pdf对象。在可移植文档格式(PDF)文件中对给定对象计算的哈希。如果设置为该值,HashTargetID类必须标识要散列的对象。此对象由其在PDF文件中的偏移量标识。
6. email-hash. A hash computed over the headers and body of an email message.
6. 电子邮件散列。在电子邮件的标题和正文上计算的哈希。
7. email-headers-hash. A hash computed over all of the headers of an email message.
7. 电子邮件标题散列。在电子邮件的所有标题上计算的哈希。
8. email-body-hash. A hash computed over the body of an email message.
8. 电子邮件正文散列。在电子邮件正文上计算的哈希。
9. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
9. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-scope Optional. STRING. A means by which to extend the scope attribute. See Section 5.1.1.
外部作用域可选。一串扩展scope属性的方法。见第5.1.1节。
The Hash class describes a cryptographic hash value; the algorithm and application used to generate it; and the canonicalization method applied to the object being hashed.
哈希类描述加密哈希值;用于生成它的算法和应用程序;以及应用于被散列对象的规范化方法。
+----------------+
| Hash |
+----------------+
| |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ ds:CanonicalizationMethod ]
| |<>--{0..1}--[ Application ]
+----------------+
+----------------+
| Hash |
+----------------+
| |<>----------[ ds:DigestMethod ]
| |<>----------[ ds:DigestValue ]
| |<>--{0..1}--[ ds:CanonicalizationMethod ]
| |<>--{0..1}--[ Application ]
+----------------+
Figure 55: The Hash Class
图55:散列类
The aggregate classes of the Hash class are:
哈希类的聚合类是:
ds:DigestMethod One. The hash algorithm used to generate the hash. See Section 4.3.3.5 of [W3C.XMLSIG].
ds:方法一。用于生成哈希的哈希算法。参见[W3C.XMLSIG]第4.3.3.5节。
ds:DigestValue One. The computed hash value. See Section 4.3.3.6 of [W3C.XMLSIG].
ds:DigestValue一。计算出的哈希值。参见[W3C.XMLSIG]第4.3.3.6节。
ds:CanonicalizationMethod Zero or one. The canonicalization method used on the object being hashed. See Section 4.3.1 of [W3C.XMLSIG].
ds:规范化方法0或1。对正在散列的对象使用的规范化方法。参见[W3C.XMLSIG]第4.3.1节。
Application Zero or one. SOFTWARE. The application used to calculate the hash.
应用程序0或1。软件用于计算散列的应用程序。
The HashData class has no attributes.
HashData类没有属性。
The FuzzyHash class describes a fuzzy hash and the application used to generate it.
FuzzyHash类描述了一个模糊散列以及用于生成它的应用程序。
+--------------------------+
| FuzzyHash |
+--------------------------+
| |<>--{1..*}--[ FuzzyHashValue ]
| |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+
+--------------------------+
| FuzzyHash |
+--------------------------+
| |<>--{1..*}--[ FuzzyHashValue ]
| |<>--{0..1}--[ Application ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+
Figure 56: The FuzzyHash Class
图56:FuzzyHash类
The aggregate classes of the FuzzyHash class are:
FuzzyHash类的骨料类别为:
FuzzyHashValue One or more. EXTENSION. The computed fuzzy hash value.
模糊值是一个或多个值。扩大计算出的模糊散列值。
Application Zero or one. SOFTWARE. The application used to calculate the hash.
应用程序0或1。软件用于计算散列的应用程序。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The FuzzyData class has no attributes.
FuzzyData类没有属性。
The SignatureData class describes different types of digital signatures on an object.
SignatureData类描述对象上不同类型的数字签名。
+--------------------------+
| SignatureData |
+--------------------------+
| |<>--{1..*}--[ ds:Signature ]
+--------------------------+
+--------------------------+
| SignatureData |
+--------------------------+
| |<>--{1..*}--[ ds:Signature ]
+--------------------------+
Figure 57: The SignatureData Class
图57:SignatureData类
The aggregate class of the SignatureData class is:
SignatureData类的聚合类为:
Signature One or more. A given signature. See Section 4.2 of [W3C.XMLSIG].
一个或多个签名。一个给定的签名。参见[W3C.XMLSIG]第4.2节。
The SignatureData class has no attributes.
SignatureData类没有属性。
The IndicatorData class describes indicators and metadata associated with them.
IndicatorData类描述了与之相关的指标和元数据。
+--------------------------+
| IndicatorData |
+--------------------------+
| |<>--{1..*}--[ Indicator ]
+--------------------------+
+--------------------------+
| IndicatorData |
+--------------------------+
| |<>--{1..*}--[ Indicator ]
+--------------------------+
Figure 58: The IndicatorData Class
图58:IndicatorData类
The aggregate class of the IndicatorData class is:
IndicatorData类的聚合类为:
Indicator One or more. A description of an indicator. See Section 3.29.
一个或多个指示器。对指示器的描述。见第3.29节。
The IndicatorData class has no attributes.
IndicatorData类没有属性。
The Indicator class describes an indicator. An indicator consists of observable features and phenomenon that aid in the forensic or proactive detection of malicious activity and associated metadata. An indicator can be described outright by referencing or composing previously defined indicators or by referencing observables described in the incident report found in this document.
Indicator类描述一个指示器。指标由可观察的特征和现象组成,有助于对恶意活动和相关元数据进行法医或主动检测。指标可以通过引用或组合先前定义的指标,或通过引用本文件中事件报告中描述的可观察指标来直接描述。
+------------------------+
| Indicator |
+------------------------+
| ENUM restriction |<>----------[ IndicatorID ]
| STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ AttackPhase ]
| |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| Indicator |
+------------------------+
| ENUM restriction |<>----------[ IndicatorID ]
| STRING ext-restriction |<>--{0..*}--[ AlternativeIndicatorID ]
| |<>--{0..*}--[ Description ]
| |<>--{0..1}--[ StartTime ]
| |<>--{0..1}--[ EndTime ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ Contact ]
| |<>--{0..1}--[ Observable ]
| |<>--{0..1}--[ ObservableReference ]
| |<>--{0..1}--[ IndicatorExpression ]
| |<>--{0..1}--[ IndicatorReference ]
| |<>--{0..*}--[ NodeRole ]
| |<>--{0..*}--[ AttackPhase ]
| |<>--{0..*}--[ Reference ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 59: The Indicator Class
图59:指标类
The aggregate classes of the Indicator class are:
指标类的聚合类为:
IndicatorID One. An identifier for this indicator. See Section 3.29.1.
指示的一个。此指示器的标识符。见第3.29.1节。
AlternativeIndicatorID Zero or more. An alternative identifier for this indicator. See Section 3.29.2.
交替指示零或更多。此指示器的替代标识符。见第3.29.2节。
Description Zero or more. ML_STRING. A free-form text description of the indicator.
说明零或更多。ML_字符串。指示器的自由格式文本描述。
StartTime Zero or one. DATETIME. A timestamp of the start of the time period during which this indicator is valid.
开始计时零或一。日期时间。此指示器有效的时间段开始的时间戳。
EndTime Zero or one. DATETIME. A timestamp of the end of the time period during which this indicator is valid.
结束时间0或1。日期时间。此指示器有效期间结束的时间戳。
Confidence Zero or one. An estimate of the confidence in the quality of the indicator. See Section 3.12.5.
信心0或1。对指标质量的置信度的估计。见第3.12.5节。
Contact Zero or more. Contact information for this indicator. See Section 3.9.
联系零或更多。此指示器的联系信息。见第3.9节。
Observable Zero or one. An observable feature or phenomenon of this indicator. See Section 3.29.3.
可观察到的零或一。该指示器的可观察特征或现象。见第3.29.3节。
ObservableReference Zero or one. A reference to an observable feature or phenomenon defined elsewhere in the document. See Section 3.29.6.
可观测参考零或一。对文件中其他地方定义的可观察特征或现象的引用。见第3.29.6节。
IndicatorExpression Zero or one. A composition of observables. See Section 3.29.4.
指示灯压力为零或一。可见物的组合。见第3.29.4节。
IndicatorReference Zero or one. A reference to an indicator. See Section 3.29.7.
指示灯参考零或一。对指示器的引用。见第3.29.7节。
NodeRole Zero or more. The role of the system in the attack should this indicator be matched to it. See Section 3.18.2.
节点数为零或更多。如果此指示器与系统匹配,则系统在攻击中的角色。见第3.18.2节。
AttackPhase Zero or more. The phase in an attack life cycle during which this indicator might be seen. See Section 3.29.8.
攻击相位为零或更多。攻击生命周期中可以看到此指示器的阶段。见第3.29.8节。
Reference Zero or more. A reference to additional information relevant to this indicator. See Section 3.11.1.
参考零或更多。参考与该指标相关的其他信息。见第3.11.1节。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The Indicator class MUST have exactly one instance of an Observable, IndicatorExpression, ObservableReference, or IndicatorReference class.
Indicator类必须正好有一个Observable、IndicatorExpression、ObservableReference或IndicatorReference类的实例。
The StartTime and EndTime classes can be used to define an interval during which the indicator is valid. If both classes are present, the indicator is consider valid only during the described interval. If neither class is provided, the indicator is considered valid during any time interval. If only a StartTime is provided, the indicator is valid anytime after this timestamp. If only an EndTime is provided, the indicator is valid anytime prior to this timestamp.
StartTime和EndTime类可用于定义指示器有效的时间间隔。如果两个类都存在,则指示符仅在所述间隔期间被认为是有效的。如果未提供任何类别,则该指示器在任何时间间隔内均视为有效。如果只提供开始时间,则该指示器在此时间戳之后的任何时间都有效。如果仅提供EndTime,则该指示器在此时间戳之前的任何时间都有效。
The attributes of the Indicator class are:
The attributes of the Indicator class are:translate error, please retry
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The IndicatorID class identifies an indicator with a globally unique identifier. The combination of the name and version attributes and the element content form this identifier. Indicators generated by given CSIRT MUST NOT reuse the same value unless they are referencing the same indicator.
IndicatorID类使用全局唯一标识符标识指示器。名称和版本属性以及元素内容的组合构成了该标识符。给定CSIRT生成的指标不得重用相同的值,除非它们引用相同的指标。
+------------------+
| IndicatorID |
+------------------+
| ID |
| |
| STRING name |
| STRING version |
+------------------+
+------------------+
| IndicatorID |
+------------------+
| ID |
| |
| STRING name |
| STRING version |
+------------------+
Figure 60: The IndicatorID Class
图60:指示符类
The content of the class is of type ID and specifies an identifier for an indicator.
该类的内容为ID类型,并为指示符指定标识符。
The attributes of the IndicatorID class are:
指示类的属性包括:
name Required. STRING. An identifier describing the CSIRT that created the indicator. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used. This format is identical to the IncidentID@name attribute in Section 3.4.
需要名称。一串描述创建指示器的CSIRT的标识符。为了拥有全局唯一的CSIRT名称,必须使用与CSIRT关联的完全限定域名。此格式与IncidentID@name第3.4节中的属性。
version Required. STRING. A version number of an indicator.
版本要求。一串指示器的版本号。
The AlternativeIndicatorID class lists alternative identifiers for an indicator.
AlternativeIndicatorID类列出指示器的可选标识符。
+-------------------------+
| AlternativeIndicatorID |
+-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| STRING ext-restriction |
+-------------------------+
+-------------------------+
| AlternativeIndicatorID |
+-------------------------+
| ENUM restriction |<>--{1..*}--[ IndicatorReference ]
| STRING ext-restriction |
+-------------------------+
Figure 61: The AlternativeIndicatorID Class
图61:可选指示符类
The aggregate class of the AlternativeIndicatorID class is:
替代指示类别的合计类别为:
IndicatorReference One or more. A reference to an indicator. See Section 3.29.7.
指示符号引用一个或多个。对指示器的引用。见第3.29.7节。
The attributes of the AlternativeIndicatorID class are:
AlternativeIndicator类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The Observable class describes a feature and phenomenon that can be observed or measured for the purposes of detecting malicious behavior.
Observable类描述了可观察或测量的特征和现象,用于检测恶意行为。
+------------------------+
| Observable |
+------------------------+
| ENUM restriction |<>--{0..1}--[ System ]
| STRING ext-restriction |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ]
| |<>--{0..1]--[ RegistryHandle ]
| |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ]
| |<>--{0..1}--[ Expectation ]
| |<>--{0..1}--[ Reference ]
| |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ DetectionPattern ]
| |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| Observable |
+------------------------+
| ENUM restriction |<>--{0..1}--[ System ]
| STRING ext-restriction |<>--{0..1}--[ Address ]
| |<>--{0..1}--[ DomainData ]
| |<>--{0..1}--[ Service ]
| |<>--{0..1}--[ EmailData ]
| |<>--{0..1}--[ WindowsRegistryKeysModified ]
| |<>--{0..1}--[ FileData ]
| |<>--{0..1}--[ CertificateData ]
| |<>--{0..1]--[ RegistryHandle ]
| |<>--{0..1}--[ RecordData ]
| |<>--{0..1}--[ EventData ]
| |<>--{0..1}--[ Incident ]
| |<>--{0..1}--[ Expectation ]
| |<>--{0..1}--[ Reference ]
| |<>--{0..1}--[ Assessment ]
| |<>--{0..1}--[ DetectionPattern ]
| |<>--{0..1}--[ HistoryItem ]
| |<>--{0..1}--[ BulkObservable ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 62: The Observable Class
图62:可观察类
The aggregate classes of the Observable class are:
可观察类别的聚合类别为:
System Zero or one. A System observable. See Section 3.17.
系统0或1。可观察的系统。见第3.17节。
Address Zero or one. An Address observable. See Section 3.18.1.
地址为零或一。可观察到的地址。见第3.18.1节。
DomainData Zero or one. A DomainData observable. See Section 3.19.
域数据为零或一。一个可观察的领域。见第3.19节。
Service Zero or one. A Service observable. See Section 3.20.
服务零或一。可观察到的服务。见第3.20节。
EmailData Zero or one. An EmailData observable. See Section 3.21.
电子邮件数据零或一。可观察到的数据。见第3.21节。
WindowsRegistryKeysModified Zero or one. A WindowsRegistryKeysModified observable. See Section 3.23.
WindowsRegistryKeys修改为零或一。WindowsRegistryKeysModified可观察。见第3.23节。
FileData Zero or one. A FileData observable. See Section 3.25.
文件数据为零或一。可观察到的文件数据。见第3.25节。
CertificateData Zero or one. A CertificateData observable. See Section 3.24.
认证数据为零或一。可观察到的数据。见第3.24节。
RegistryHandle Zero or one. A RegistryHandle observable. See Section 3.9.1.
注册表句柄为零或一。可观察到的注册表句柄。见第3.9.1节。
RecordData Zero or one. A RecordData observable. See Section 3.22.1.
记录数据0或1。可观察到的记录数据。见第3.22.1节。
EventData Zero or one. An EventData observable. See Section 3.14.
事件数据为零或一。可观察到的事件数据。见第3.14节。
Incident Zero or one. An Incident observable. See Section 3.2.
事件零或一。可观察到的事件。见第3.2节。
Expectation Zero or one. An Expectation observable. See Section 3.15.
期望值为零或一。可以观察到的期望。见第3.15节。
Reference Zero or one. A Reference observable. See Section 3.11.1.
参考零或一。可观察到的参考。见第3.11.1节。
Assessment Zero or one. An Assessment observable. See Section 3.12.
评估零或一。可观察到的评估。见第3.12节。
DetectionPattern Zero or one. A DetectionPattern observable. See Section 3.10.1.
检测模式为0或1。可观察到的探测模式。见第3.10.1节。
HistoryItem Zero or one. A HistoryItem observable. See Section 3.13.1.
历史项目0或1。可以观察到的历史事件。见第3.13.1节。
BulkObservable Zero or one. A bulk list of observables. See Section 3.29.3.1.
可观测的零或一。大量的可观测数据。见第3.29.3.1节。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The Observable class MUST have exactly one of the possible child classes.
可观察类必须正好有一个可能的子类。
The attributes of the Observable class are:
可观察类的属性包括:
restriction Optional. ENUM. See Section 3.3.1.
限制是可选的。枚举。见第3.3.1节。
ext-restriction Optional. STRING. A means by which to extend the restriction attribute. See Section 5.1.1.
外部限制可选。一串扩展限制属性的方法。见第5.1.1节。
The BulkObservable class allows the enumeration of a single type of observable without requiring each one to be encoded individually in multiple instances of the same class.
BulkObservable类允许枚举单个类型的observable,而无需在同一类的多个实例中单独编码每个类型。
The type attribute describes the type of observable listed in the child BulkObservableList class. The BulkObservableFormat class optionally provides additional metadata.
type属性描述子BulkObservableList类中列出的可观察对象的类型。BulkObserverFormat类可以选择提供额外的元数据。
+---------------------------+
| BulkObservable |
+---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
+---------------------------+
| BulkObservable |
+---------------------------+
| ENUM type |<>--{0..1}--[ BulkObservableFormat ]
| STRING ext-type |<>----------[ BulkObservableList ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
Figure 63: The BulkObservable Class
图63:可观察类
The aggregate classes of the BulkObservable class are:
可观察类别的聚合类别为:
BulkObservableFormat Zero or one. Provides additional metadata about the observables enumerated in the BulkObservableList class. See Section 3.29.3.1.1.
以0或1的形式显示。提供有关BulkObservableList类中枚举的可观察对象的附加元数据。见第3.29.3.1.1节。
BulkObservableList One. STRING. A list of observables, one per line. Each line is separated with either a LF character or CR and LF characters. The type attribute specifies which observables will be listed.
第一个。一串一个可观察的列表,每行一个。每行用LF字符或CR和LF字符分隔。type属性指定将列出哪些观察值。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The attributes of the BulkObservable class are:
BulkObservable类的属性包括:
type Optional. ENUM. The type of the observable listed in the child ObservableList class. These values are maintained in the "BulkObservable-type" IANA registry per Section 10.2.
类型可选。枚举。子ObservableList类中列出的可观察对象的类型。根据第10.2节,这些值保存在“可观测类型”IANA注册表中。
1. asn. Autonomous System Number (per the Address@category attribute).
1. asn。自主系统编号(根据Address@category属性)。
2. atm. Asynchronous Transfer Mode (ATM) address (per the Address@category attribute).
2. 自动取款机。异步传输模式(ATM)地址(根据Address@category属性)。
3. e-mail. Email address (per the Address@category attribute).
3. 电子邮件电邮地址(按Address@category属性)。
4. ipv4-addr. IPv4 host address in dotted-decimal notation, e.g., 192.0.2.1 (per the Address@category attribute).
4. ipv4地址。点十进制表示法的IPv4主机地址,例如192.0.2.1(根据Address@category属性)。
5. ipv4-net. IPv4 network address in dotted-decimal notation, slash, significant bits, e.g., 192.0.2.0/24 (per the Address@category attribute).
5. ipv4网络。点十进制表示法、斜杠、有效位的IPv4网络地址,例如192.0.2.0/24(按Address@category属性)。
6. ipv4-net-mask. IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation, i.e., 192.0.2.0/255.255.255.0 (per the Address@category attribute).
6. ipv4网络掩码。点十进制表示法中的IPv4网络地址、斜杠、点十进制表示法中的网络掩码,即192.0.2.0/255.255.255.0(根据Address@category属性)。
7. ipv6-addr. IPv6 host address, e.g., 2001:DB8::3 (per the Address@category attribute).
7. ipv6地址。IPv6主机地址,例如,2001:DB8::3(根据Address@category属性)。
8. ipv6-net. IPv6 network address, slash, significant bits, e.g., 2001:DB8::/32 (per the Address@category attribute).
8. ipv6网络。IPv6网络地址、斜杠、有效位,例如2001:DB8::/32(根据Address@category属性)。
9. ipv6-net-mask. IPv6 network address, slash, network mask (per the Address@category attribute).
9. ipv6网络掩码。IPv6网络地址、斜杠、网络掩码(根据Address@category属性)。
10. mac. Media Access Control (MAC) address, i.e., a:b:c:d:e:f (per the Address@category attribute).
10. 雨衣。媒体访问控制(MAC)地址,即a:b:c:d:e:f(根据Address@category属性)。
11. site-uri. A URL or URI for a resource (per the Address@category attribute).
11. 站点uri。资源的URL或URI(根据Address@category属性)。
12. domain-name. A fully qualified domain name or part of a name (e.g., fqdn.example.com, example.com).
12. 域名。完全限定的域名或名称的一部分(例如,fqdn.example.com,example.com)。
13. domain-to-ipv4. A mapping of FQDN to IPv4 address specified as a comma-separated list (e.g., "fqdn.example.com, 192.0.2.1").
13. 域到ipv4。FQDN到指定为逗号分隔列表的IPv4地址的映射(例如,“FQDN.example.com,192.0.2.1”)。
14. domain-to-ipv6. A mapping of FQDN to IPv6 address specified as a comma-separated list (e.g., "fqdn.example.com, 2001:DB8::3").
14. 域到ipv6。FQDN到指定为逗号分隔列表的IPv6地址的映射(例如,“FQDN.example.com,2001:DB8::3”)。
15. domain-to-ipv4-timestamp. Same as domain-to-ipv4 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 192.0.2.1, 2015-06-11T00:38:31-06:00").
15. 域到ipv4的时间戳。与域到ipv4相同,但具有解析的时间戳(日期时间格式)(例如,“fqdn.example.com,192.0.2.112015-06-11T00:38:31-06:00”)。
16. domain-to-ipv6-timestamp. Same as domain-to-ipv6 but with a timestamp (in the DATETIME format) of the resolution (e.g., "fqdn.example.com, 2001:DB8::3, 2015-06-11T00:38:31-06:00").
16. 域到ipv6的时间戳。与域到ipv6相同,但具有解析的时间戳(日期时间格式)(例如,“fqdn.example.com,2001:DB8::32015-06-11T00:38:31-06:00”)。
17. ipv4-port. An IPv4 address, port, and protocol tuple (e.g., 192.0.2.1, 80, TCP). The protocol name corresponds to the "Keyword" column in the "Assigned Internet Protocol Numbers" registry [IANA.Protocols].
17. ipv4端口。IPv4地址、端口和协议元组(例如192.0.2.1、80、TCP)。协议名称对应于“分配的Internet协议编号”注册表[IANA.Protocols]中的“关键字”列。
18. ipv6-port. An IPv6 address, port, and protocol tuple (e.g., 2001:DB8::3, 80, TCP). The protocol name corresponds to the "Keyword" column in the "Assigned Internet Protocol Numbers" registry [IANA.Protocols].
18. ipv6端口。IPv6地址、端口和协议元组(例如,2001:DB8::3、80、TCP)。协议名称对应于“分配的Internet协议编号”注册表[IANA.Protocols]中的“关键字”列。
19. windows-reg-key. A Microsoft Windows registry key.
19. windows注册表项。Microsoft Windows注册表项。
20. file-hash. A file hash. The format of this hash is described in the Hash class that MUST be present in a sibling BulkObservableFormat class.
20. 文件散列。文件散列。此哈希的格式在哈希类中描述,该哈希类必须存在于同级BulkObserverFormat类中。
21. email-x-mailer. An X-Mailer field from an email.
21. email-x-mailer。电子邮件中的X-Mailer字段。
22. email-subject. An email subject line.
22. 电子邮件主题。电子邮件主题行。
23. http-user-agent. A User Agent field from an HTTP request header (e.g., "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0").
23. http用户代理。HTTP请求头中的用户代理字段(例如,“Mozilla/5.0(Windows NT 6.3;WOW64;rv:38.0)Gecko/20100101 Firefox/38.0”)。
24. http-request-uri. The Request URI from an HTTP request header.
24. http请求uri。来自HTTP请求头的请求URI。
25. mutex. The name of a system mutex (mutual exclusion lock).
25. 互斥。系统互斥锁(互斥锁)的名称。
26. file-path. A file path (e.g., "/tmp/local/file", "c:\windows\system32\file.sys").
26. 文件路径。文件路径(例如“/tmp/local/file”、“c:\windows\system32\file.sys”)。
27. user-name. A username.
27. 用户名。用户名。
28. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
28. 外部值。一个值,用于指示此属性已扩展,并使用相应的ext-*属性提供实际值。见第5.1.1节。
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.1.
ext类型可选。一串扩展类型属性的方法。见第5.1.1节。
The ObservableFormat class specifies metadata about the format of an observable enumerated in a sibling BulkObservableList class.
ObserverFormat类指定有关在同级BulkObserverBelist类中枚举的可观测数据格式的元数据。
+---------------------------+
| BulkObservableFormat |
+---------------------------+
| |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
+---------------------------+
| BulkObservableFormat |
+---------------------------+
| |<>--{0..1}--[ Hash ]
| |<>--{0..*}--[ AdditionalData ]
+---------------------------+
Figure 64: The BulkObservableFormat Class
图64:BulkObserverFormat类
The aggregate classes of the BulkObservableFormat class are:
BulkObservableFormat类别的聚合类别为:
Hash Zero or one. Describes the format of a hash. See Section 3.26.1.
散列0或1。描述哈希的格式。见第3.26.1节。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The BulkObservableFormat class has no attributes.
BulkObserverFormat类没有属性。
Either Hash or AdditionalData MUST be present.
必须存在哈希或附加数据。
The IndicatorExpression describes an expression composed of observed phenomenon, features, or indicators. Elements of the expression can be described directly, reference relevant data from other parts of a given IODEF document, or reference previously defined indicators.
指示符表达式描述由观察到的现象、特征或指示符组成的表达式。表达式的元素可以直接描述,可以引用给定IODEF文档其他部分的相关数据,也可以引用以前定义的指标。
All child classes of a given instance of IndicatorExpression form a boolean algebraic expression where the operator between them is determined by the operator attribute.
给定IndicatorExpression实例的所有子类形成一个布尔代数表达式,其中它们之间的运算符由运算符属性确定。
+--------------------------+
| IndicatorExpression |
+--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| STRING ext-operator |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+
+--------------------------+
| IndicatorExpression |
+--------------------------+
| ENUM operator |<>--{0..*}--[ IndicatorExpression ]
| STRING ext-operator |<>--{0..*}--[ Observable ]
| |<>--{0..*}--[ ObservableReference ]
| |<>--{0..*}--[ IndicatorReference ]
| |<>--{0..1}--[ Confidence ]
| |<>--{0..*}--[ AdditionalData ]
+--------------------------+
Figure 65: The IndicatorExpression Class
图65:指示灯压力等级
The aggregate classes of the IndicatorExpression class are:
指示器压力等级的聚合等级为:
IndicatorExpression Zero or more. An expression composed of other observables or indicators. See Section 3.29.4.
指示灯压力为零或更多。由其他可观察物或指示器组成的表达式。见第3.29.4节。
Observable Zero or more. A description of an observable. See Section 3.29.3.
可观察到的零或更多。对可观察事物的描述。见第3.29.3节。
ObservableReference Zero or more. A reference to an observable. See Section 3.29.6.
可观测参考零或更多。对可观察到的事物的引用。见第3.29.6节。
IndicatorReference Zero or more. A reference to an indicator. See Section 3.29.7.
指示器参考零或更多。对指示器的引用。见第3.29.7节。
Confidence Zero or one. An estimate of the confidence in the quality of the terms expressed in the expression. See Section 3.12.5.
信心0或1。对表达式中表达的术语质量的置信度的估计。见第3.12.5节。
AdditionalData Zero or more. EXTENSION. Mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
The attributes of the IndicatorExpression class are:
IndicatorExpression类的属性包括:
operator Optional. ENUM. The operator to be applied between the child elements. See Section 3.29.5 for parsing guidance. The default value is "and". These values are maintained in the "IndicatorExpression-operator" IANA registry per Section 10.2.
操作员可选。枚举。要在子元素之间应用的运算符。解析指南见第3.29.5节。默认值为“和”。根据第10.2节的规定,这些值保存在IANA注册表中的“指示符显示运算符”中。
1. not. negation operator.
1. 不否定运算符。
2. and. conjunction operator.
2. 和连接运算符。
3. or. disjunction operator.
3. 或析取算子。
4. xor. exclusive disjunction operator.
4. 异或。排他析取算子。
ext-operator Optional. STRING. A means by which to extend the operator attribute. See Section 5.1.1.
ext运算符可选。一串扩展运算符属性的方法。见第5.1.1节。
Boolean algebraic expressions can be used to specify relationships between observables and indicators. These expressions are constructed through the use of the operator attribute and parent-child relationships in IndicatorExpressions. These expressions should be parsed as follows:
布尔代数表达式可用于指定观测值和指标之间的关系。这些表达式是通过使用指示符表达式中的运算符属性和父子关系构建的。这些表达式应按如下方式进行分析:
1. The operator specified by the operator attribute is applied between each of the child elements of the immediate parent IndicatorExpression element. If no operator attribute is specified, it should be assumed to be the conjunction operator (i.e., operator="and").
1. 运算符属性指定的运算符应用于直接父指示符pression元素的每个子元素之间。如果未指定运算符属性,则应假定它是连词运算符(即,operator=“and”)。
2. A nested IndicatorExpression element with a parent IndicatorExpression is the equivalent of a parentheses in the expression.
2. 带有父IndicatorExpression的嵌套IndicatorExpression元素相当于表达式中的括号。
The following examples in Figures 66 through 70 illustrate these parsing rules:
图66至图70中的以下示例说明了这些解析规则:
1 : <IndicatorExpression>
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
1 : <IndicatorExpression>
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: (O1 AND O2)
等价表达式:(O1和O2)
Figure 66: Nested Elements in an IndicatorExpression without an Operator Attribute Specified
图66:未指定运算符属性的指示符表达式中的嵌套元素
1 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
1 : <IndicatorExpression operator="or">
2 [O1]: <Observable>..</Observable>
3 [O2]: <Observable>..</Observable>
4 : </IndicatorExpression>
Equivalent expression: (O1 OR O2)
等效表达式:(O1或O2)
Figure 67: Nested Elements in an IndicatorExpression with an Operator Attribute Specified
图67:指定运算符属性的指示符表达式中的嵌套元素
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression operator="or">
3 [O1]: <Observable>..</Observable>
4 [O2]: <Observable>..</Observable>
5 : </IndicatorExpression>
6 [O3]: <Observable>..</Observable>
7 : </IndicatorExpression>
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression operator="or">
3 [O1]: <Observable>..</Observable>
4 [O2]: <Observable>..</Observable>
5 : </IndicatorExpression>
6 [O3]: <Observable>..</Observable>
7 : </IndicatorExpression>
Equivalent expression: ((O1 OR O2) OR O3)
等效表达式:((O1或O2)或O3)
Figure 68: Nested Elements with a Recursive IndicatorExpression with an Operator Attribute Specified
图68:带有递归指示符的嵌套元素Pression,指定了运算符属性
1 : <IndicatorExpression operator="not">
2 : <IndicatorExpression operator="and">
3 [O1]: <Observable>..</Observable>
4 [O2]: <Observable>..</Observable>
5 : </IndicatorExpression>
6 : </IndicatorExpression>
1 : <IndicatorExpression operator="not">
2 : <IndicatorExpression operator="and">
3 [O1]: <Observable>..</Observable>
4 [O2]: <Observable>..</Observable>
5 : </IndicatorExpression>
6 : </IndicatorExpression>
Equivalent expression: (NOT (O1 AND O2))
等价表达式:(非(O1和O2))
Figure 69: A Recursive IndicatorExpression with an Operator Attribute Specified
图69:指定运算符属性的递归指示符表达式
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression>
3 [O1 with low confidence] : <Observable>..</Observable>
4 : <Confidence rating="low" />
5 : </IndicatorExpression>
6 : <IndicatorExpression>
7 [O2 with high confidence]: <Observable>..</Observable>
8 : <Confidence rating="high" />
9 : </IndicatorExpression>
10 : </IndicatorExpression>
1 : <IndicatorExpression operator="or">
2 : <IndicatorExpression>
3 [O1 with low confidence] : <Observable>..</Observable>
4 : <Confidence rating="low" />
5 : </IndicatorExpression>
6 : <IndicatorExpression>
7 [O2 with high confidence]: <Observable>..</Observable>
8 : <Confidence rating="high" />
9 : </IndicatorExpression>
10 : </IndicatorExpression>
Equivalent expression: ((O1) OR (O2))
等效表达式:((O1)或(O2))
Figure 70: Varying Confidence on Particular Observables
图70:特定观测值的不同置信度
Invalid algebraic expressions while valid XML MUST NOT be specified.
代数表达式无效,但不能指定有效的XML。
The ObservableReference describes a reference to an observable feature or phenomenon described elsewhere in the document.
ObserverReference描述了对文档中其他地方描述的可观察特征或现象的引用。
The ObservableReference class has no content.
ObserverReference类没有内容。
+-------------------------+
| ObservableReference |
+-------------------------+
| IDREF uid-ref |
+-------------------------+
+-------------------------+
| ObservableReference |
+-------------------------+
| IDREF uid-ref |
+-------------------------+
Figure 71: The ObservableReference Class
图71:ObserverReference类
The ObservableReference class has no content.
ObserverReference类没有内容。
The attribute of the ObservableReference class is:
ObserverReference类的属性是:
uid-ref Required. IDREF. An identifier that serves as a reference to a class in the IODEF document. The referenced class will have this identifier set in its observable-id attribute.
需要uid ref。伊德里夫。作为IODEF文档中类的引用的标识符。被引用的类将在其observable id属性中设置此标识符。
The IndicatorReference describes a reference to an indicator. This reference may be to an indicator described in this IODEF document or in a previously exchanged IODEF document.
指示器参考描述了对指示器的参考。该参考可能是指本IODEF文件或先前交换的IODEF文件中描述的指标。
The IndicatorReference class has no content.
IndicatorReference类没有内容。
+--------------------------+
| IndicatorReference |
+--------------------------+
| IDREF uid-ref |
| STRING euid-ref |
| STRING version |
+--------------------------+
+--------------------------+
| IndicatorReference |
+--------------------------+
| IDREF uid-ref |
| STRING euid-ref |
| STRING version |
+--------------------------+
Figure 72: The IndicatorReference Class
图72:指示符引用类
The attributes of the IndicatorReference class are:
IndicatorReference类的属性包括:
uid-ref Optional. IDREF. An identifier that references an Indicator class in the IODEF document. The referenced Indicator class will have this identifier set in its IndicatorID class.
uid ref可选。伊德里夫。引用IODEF文档中指标类的标识符。引用的指示符类将在其指示符类中设置此标识符。
euid-ref Optional. STRING. An identifier that references an IndicatorID not in this IODEF document.
euid ref可选。一串引用不在此IODEF文档中的指示符的标识符。
version Optional. STRING. A version number of an indicator.
版本可选。一串指示器的版本号。
Either the uid-ref or the euid-ref attribute MUST be set.
必须设置uid ref或euid ref属性。
The AttackPhase class describes a particular phase of an attack life cycle.
AttackPhase类描述攻击生命周期的特定阶段。
+------------------------+
| AttackPhase |
+------------------------+
| |<>--{0..*}--[ AttackPhaseID ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
+------------------------+
| AttackPhase |
+------------------------+
| |<>--{0..*}--[ AttackPhaseID ]
| |<>--{0..*}--[ URL ]
| |<>--{0..*}--[ Description ]
| |<>--{0..*}--[ AdditionalData ]
+------------------------+
Figure 73: The AttackPhase Class
图73:AttackPhase类
The aggregate classes of the AttackPhase class are:
AttackPhase类的聚合类为:
AttackPhaseID Zero or more. STRING. An identifier for the phase of the attack.
攻击相位ID为零或更多。一串攻击阶段的标识符。
URL Zero or more. URL. A URL to a resource describing this phase of the attack.
URL为零或更多。网址。描述此攻击阶段的资源的URL。
Description Zero or more. ML_STRING. A free-form text description of this phase of the attack.
说明零或更多。ML_字符串。此攻击阶段的自由格式文本描述。
AdditionalData Zero or more. EXTENSION. A mechanism by which to extend the data model.
附加数据为零或更多。扩大用于扩展数据模型的机制。
AttackPhase MUST have at least one instance of a child class.
AttackPhase必须至少有一个子类的实例。
The AttackPhase class has no attributes.
AttackPhase类没有属性。
This section provides additional requirements and guidance on creating and processing IODEF documents.
本节提供了有关创建和处理IODEF文档的附加要求和指导。
Every IODEF document MUST begin with an XML declaration and MUST specify the XML version used. The character encoding MUST also be explicitly specified. UTF-8 [RFC3629] SHOULD be used unless UTF-16 [RFC2781] is necessary. Encodings other than UTF-8 and UTF-16 SHOULD NOT be used. The IODEF conforms to all XML data-encoding conventions and constraints.
每个IODEF文档必须以XML声明开头,并且必须指定使用的XML版本。还必须明确指定字符编码。除非需要UTF-16[RFC2781],否则应使用UTF-8[RFC3629]。不应使用UTF-8和UTF-16以外的编码。IODEF符合所有XML数据编码约定和约束。
The XML declaration with UTF-8 character encoding will read as follows:
采用UTF-8字符编码的XML声明如下所示:
<?xml version="1.0" encoding="UTF-8" ?>
<?xml version="1.0" encoding="UTF-8" ?>
Certain characters have special meaning in XML and MUST not appear in literal form. Per Section 2.4 of [W3C.XML], these characters MUST be escaped with a numeric character or entity reference.
某些字符在XML中有特殊含义,不能以文字形式出现。根据[W3C.XML]第2.4节,这些字符必须用数字字符或实体引用转义。
The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-2.0" and registers it per [W3C.XMLNS]. Each IODEF document MUST include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute. An example of such a declaration would look as follows:
IODEF模式声明了一个名称空间“urn:ietf:params:xml:ns:IODEF-2.0”,并根据[W3C.XMLNS]注册它。每个IODEF文档都必须使用“xsi:schemaLocation”属性包含对IODEF模式的有效引用。这种声明的一个例子如下:
<IODEF-Document
version="2.00" lang="en-US"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0" ...>
<IODEF-Document
version="2.00" lang="en-US"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xsi:schemaLocation="urn:ietf:params:xmls:schema:iodef-2.0" ...>
IODEF documents MUST be well-formed XML. It is RECOMMENDED that recipients validate the document against the schema described in Section 8. However, mere conformance to this schema is not sufficient for a semantically valid IODEF document. The text of Section 3 describes further formatting and constraints, including some that cannot be conveniently encoded in the schema. These MUST also be considered by an IODEF implementation. Furthermore, the enumerated values present in this document are a static list that will be incomplete over time as select attributes can be extended by a corresponding IANA registry per Section 10.2. Therefore, IODEF
IODEF文档必须是格式良好的XML。建议收件人根据第8节中描述的模式验证文档。然而,对于语义上有效的IODEF文档来说,仅仅遵从此模式是不够的。第3节的文本描述了进一步的格式和约束,包括一些不能方便地在模式中编码的内容。IODEF实现还必须考虑这些问题。此外,本文件中的枚举值是一个静态列表,随着时间的推移,该列表将不完整,因为根据第10.2节,选择属性可以由相应的IANA注册表扩展。因此,IODEF
implementations SHOULD periodically update their schema and MAY need to update their parsing algorithms to incorporate newly registered values.
实现应该定期更新其模式,并且可能需要更新其解析算法以合并新注册的值。
The IODEF data model in this document makes a number of changes to [RFC5070]. These changes were largely additive -- classes and enumerated values were added. However, some incompatibilities between [RFC5070] and this new specification were introduced. These incompatibilities are as follows:
本文档中的IODEF数据模型对[RFC5070]进行了许多更改。这些变化在很大程度上是累加性的——添加了类和枚举值。然而,[RFC5070]与该新规范之间存在一些不兼容之处。这些不兼容性如下所示:
o The IODEF-Document@version attribute is set to "2.0".
o IODEF-Document@version属性设置为“2.0”。
o Attributes with enumerated values can now also be extended with IANA registries.
o 具有枚举值的属性现在也可以通过IANA注册表进行扩展。
o All iodef:MLStringType classes use xml:lang. IODEF-Document also uses xml:lang.
o 所有iodef:MLStringType类都使用xml:lang。iodef文档也使用xml:lang。
o The Service@ip_protocol attribute was renamed to @ip-protocol.
o 这个Service@ip_protocol属性已重命名为@ip协议。
o The Node/NodeName class was removed in favor of representing domain names with Node/DomainData/Name class. The Node/DataTime class was also removed, so that the Node/DomainData/ DateDomainWasChecked class can represent the time at which the name-to-address resolution occurred.
o 删除了Node/NodeName类,以便用Node/DomainData/Name类表示域名。Node/DataTime类也被删除,因此Node/DomainData/DateDomainWasChecked类可以表示名称到地址解析发生的时间。
o The Node/NodeRole class was moved to System/NodeRole.
o Node/NodeRole类已移动到System/NodeRole。
o The Reference class is now defined by [RFC7495].
o 引用类现在由[RFC7495]定义。
o The data previously represented in the Impact class is now in the SystemImpact and IncidentCategory classes. The Impact class has been removed.
o 以前在Impact类中表示的数据现在在SystemImpact和IncidentCategory类中。冲击等级已被删除。
o The semantics of Counter@type are now represented in Counter@unit.
o 语义Counter@type现在在Counter@unit.
o The IODEF-Document@formatid attribute has been renamed to @format-id.
o IODEF-Document@formatid属性已重命名为@format-id。
o The Incident/ReportTime class is no longer required. However, the GenerationTime class is required.
o 事件/报告时间类不再是必需的。但是,GenerationTime类是必需的。
o The Fax class was removed and is now represented by a generic Telephone class.
o Fax类已被删除,现在由通用电话类表示。
o The Telephone, Email, and PostalAddress classes were redefined from improved internationalization.
o 电话、电子邮件和邮递类是从改进的国际化重新定义的。
o The "ipv6-net-mask" value was removed from the category attribute of Address.
o 已从地址的类别属性中删除“ipv6网络掩码”值。
In order to support the dynamic nature of security operations, the IODEF data model will need to continue to evolve. This section discusses how new data elements can be incorporated into the IODEF. There is support to add additional enumerated values and new classes. Adding additional attributes to existing classes is not supported.
为了支持安全操作的动态性,IODEF数据模型需要继续发展。本节讨论如何将新数据元素合并到IODEF中。支持添加额外的枚举值和新类。不支持向现有类添加其他属性。
These extension mechanisms are designed so that adding new data elements is possible without requiring modifications to this document. Extensions can be implemented publicly or privately. With proven value, well-documented extensions can be incorporated into future versions of the specification.
这些扩展机制的设计可以在不需要修改本文档的情况下添加新的数据元素。扩展可以公开或私下实现。有了经验证的价值,文档化的扩展可以被合并到规范的未来版本中。
Additional enumerated values can be added to select attributes either through the use of specially marked attributes with the "ext-" prefix or through a set of corresponding IANA registries. The former approach allows for the extension to remain private. The latter approach is public.
通过使用带有“ext-”前缀的特殊标记属性或通过一组相应的IANA注册表,可以添加额外的枚举值以选择属性。前一种方法允许扩展保持私有。后一种方法是公开的。
The data model supports adding new enumerated values to an attribute without public registration. For each attribute that supports this extension technique, there is a corresponding attribute in the same element whose name is identical but with a prefix of "ext-". This special attribute is referred to as the extension attribute. The attribute being extended is referred to as an extensible attribute. For example, an extensible attribute named "foo" will have a corresponding extension attribute named "ext-foo". An element may have many extensible attributes.
数据模型支持在不进行公共注册的情况下向属性添加新的枚举值。对于支持此扩展技术的每个属性,同一元素中都有一个名称相同但前缀为“ext-”的对应属性。此特殊属性称为扩展属性。正在扩展的属性称为可扩展属性。例如,名为“foo”的可扩展属性将具有名为“ext foo”的相应扩展属性。一个元素可能有许多可扩展属性。
In addition to a corresponding extension attribute, each extensible attribute has "ext-value" as one its possible enumerated values. Selection of this particular value in an extensible attribute signals that the extension attribute contains data. Otherwise, this "ext-value" value has no meaning.
除了相应的扩展属性外,每个扩展属性都有“ext value”作为其可能的枚举值之一。在可扩展属性中选择此特定值表示扩展属性包含数据。否则,此“ext value”值没有意义。
In order to add a new enumerated value to an extensible attribute, the value of this attribute MUST be set to "ext-value", and the new desired value MUST be set in the corresponding extension attribute. For example, extending the type attribute of the SystemImpact class would look as follows:
为了向可扩展属性添加新的枚举值,必须将该属性的值设置为“ext value”,并且必须在相应的扩展属性中设置新的所需值。例如,扩展SystemImpact类的type属性如下所示:
<SystemImpact type="ext-value" ext-type="new-attack-type">
<SystemImpact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding extensible attribute has been set to "ext-value".
除非相应的可扩展属性已设置为“ext value”,否则不得设置给定的扩展属性。
The data model also supports publicly extending select enumerated attributes. A new entry can be added by registering a new entry in the appropriate IANA registry. Section 10.2 provides a mapping between the extensible attributes and their corresponding registry. Section 4.3 discusses the XML validation implications of this type of extension. All extensible attributes that support private extensions also support public extensions.
数据模型还支持公开扩展选择枚举属性。可以通过在适当的IANA注册表中注册新条目来添加新条目。第10.2节提供了可扩展属性与其对应注册表之间的映射。第4.3节讨论了这种扩展的XML验证含义。所有支持私有扩展的可扩展属性也支持公共扩展。
Classes of the EXTENSION (iodef:ExtensionType) type can extend the data model. They provide the ability to have new atomic or XML-encoded data elements in all of the top-level classes of the Incident class and in a few of the complex subordinate classes. As there are multiple instances of the extensible classes in the data model, there is discretion on where to add a new data element. It is RECOMMENDED that the extension be placed in the most closely related class to the new information.
扩展(iodef:ExtensionType)类型的类可以扩展数据模型。它们提供了在事件类的所有顶级类和一些复杂的下级类中拥有新的原子或XML编码的数据元素的能力。由于数据模型中有多个可扩展类的实例,因此可以自行决定在何处添加新的数据元素。建议将扩展名放在与新信息最密切相关的类中。
Extensions using the atomic data types (i.e., all values of the dtype attributes other than "xml") MUST:
使用原子数据类型(即除“xml”之外的所有dtype属性值)的扩展必须:
1. Set the element content to the desired value, and
1. 将元素内容设置为所需的值,然后
2. Set the dtype attribute to correspond to the data type of the element content.
2. 将dtype属性设置为与元素内容的数据类型相对应。
The following guidelines exist for extensions using XML (i.e., dtype="xml"):
对于使用XML(即dtype=“XML”)的扩展,有以下指导原则:
1. The element content of the extensible class MUST be set to the desired value, and the dtype attribute MUST be set to "xml".
1. 可扩展类的元素内容必须设置为所需的值,并且dtype属性必须设置为“xml”。
2. The extension schema MUST declare a separate namespace. It is RECOMMENDED that these extensions have the prefix "iodef-". This recommendation makes readability of the document easier by allowing the reader to infer which namespaces relate to IODEF by inspection.
2. 扩展架构必须声明一个单独的命名空间。建议这些扩展具有前缀“iodef-”。此建议允许读者通过检查推断哪些名称空间与IODEF相关,从而使文档的可读性更容易。
3. It is RECOMMENDED that extension schemas follow the naming convention of the IODEF data model. This too improves the readability of extended IODEF documents. The names of all elements SHOULD be capitalized. For elements with composed names, a capital letter SHOULD be used for each word. Attribute names SHOULD be in lowercase. Attributes with composed names SHOULD be separated by a hyphen.
3. 建议扩展模式遵循IODEF数据模型的命名约定。这也提高了扩展IODEF文档的可读性。所有元素的名称都应大写。对于具有组合名称的元素,每个单词应使用大写字母。属性名称应为小写。具有组合名称的属性应以连字符分隔。
4. Implementations that encounter an unrecognized element, attribute, or attribute value in a supported namespace SHOULD reject the document as a syntax error.
4. 在受支持的命名空间中遇到无法识别的元素、属性或属性值的实现应将文档作为语法错误拒绝。
5. There are security and performance implications in requiring implementations to dynamically download schemas at runtime. Therefore, implementations MUST NOT download schemas at runtime unless the appropriate precautions are taken. Implementations also need to contend with the potential of significant network and processing issues.
5. 要求实现在运行时动态下载模式涉及到安全性和性能问题。因此,除非采取适当的预防措施,否则实现不能在运行时下载模式。实现还需要应对潜在的重大网络和处理问题。
6. Some adopters of the IODEF may have private schema definitions that are not publicly available. Thus, implementations may encounter IODEF documents with references to private schemas that may not be resolvable. Hence, IODEF document recipients MUST be prepared for a schema definition in an IODEF document never to resolve.
6. IODEF的某些采用者可能具有不公开的私有模式定义。因此,实现可能会遇到对私有模式的引用可能无法解析的IODEF文档。因此,IODEF文档收件人必须为IODEF文档中的模式定义做好准备,以确保永远不会解析。
The following schema and XML document excerpt provide a template for an extension schema and its use in the IODEF document.
以下模式和XML文档摘录为扩展模式及其在IODEF文档中的使用提供了模板。
This example schema defines a namespace of "iodef-extension1" and a single element named "newdata".
这个示例模式定义了一个名称空间“iodef-extension1”和一个名为“newdata”的元素。
<xs:schema
targetNamespace="iodef-extension1.xsd"
xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
attributeFormDefault="unqualified"
elementFormDefault="qualified">
<xs:import
namespace="urn:ietf:params:xml:ns:iodef-2.0"
schemaLocation=" urn:ietf:params:xml:schema:iodef-2.0"/>
<xs:schema
targetNamespace="iodef-extension1.xsd"
xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
attributeFormDefault="unqualified"
elementFormDefault="qualified">
<xs:import
namespace="urn:ietf:params:xml:ns:iodef-2.0"
schemaLocation=" urn:ietf:params:xml:schema:iodef-2.0"/>
<xs:element name="newdata" type="xs:string" />
</xs:schema>
<xs:element name="newdata" type="xs:string" />
</xs:schema>
The following XML excerpt demonstrates the use of the above schema as an extension to the IODEF.
下面的XML摘录演示了如何使用上述模式作为IODEF的扩展。
<IODEF-Document
version="2.00" lang="en-US"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef=" urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting">
...
<AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata>
Field that could not be represented elsewhere
</iodef-extension1:newdata>
</AdditionalData>
</Incident>
</IODEF-Document>
<IODEF-Document
version="2.00" lang="en-US"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef=" urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef-extension1="iodef-extension1.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="iodef-extension1.xsd">
<Incident purpose="reporting">
...
<AdditionalData dtype="xml" meaning="xml">
<iodef-extension1:newdata>
Field that could not be represented elsewhere
</iodef-extension1:newdata>
</AdditionalData>
</Incident>
</IODEF-Document>
To disambiguate which private extension is used in an IODEF document, the data model provides a means to identify the source of an extension. Two attributes in the IODEF-Document class, private-enum-name and private-enum-id, are used to specify this attribution. Only a single private extension can be identified in a given IODEF-Document.
为了消除IODEF文档中使用哪个私有扩展的歧义,数据模型提供了一种识别扩展源的方法。IODEF文档类中的两个属性,private enum name和private enum id,用于指定此属性。在给定的IODEF文档中只能标识一个专用扩展。
If an implementor has a single private extension, then only the private-enum-name attribute needs to be specified. Multiple distinct private extensions or versioning of a single extension can be attributed by also setting the corresponding private-num-id attribute.
如果实现者只有一个私有扩展,那么只需要指定私有枚举名称属性。通过设置相应的private num id属性,可以对多个不同的私有扩展或单个扩展的版本控制进行属性化。
The following XML excerpt demonstrates the specification of a private extension from "example.com" with an identifier of "13".
下面的XML摘录演示了“example.com”中标识符为“13”的私有扩展的规范。
<IODEF-Document
version="2.00" lang="en-US"
private-enum-name="example.com"
private-enum-id="13" ...>
...
</IODEF-Document>
<IODEF-Document
version="2.00" lang="en-US"
private-enum-name="example.com"
private-enum-id="13" ...>
...
</IODEF-Document>
If an unrecognized private extension is encountered in processing, the recipient MAY reject the entire document as a syntax error.
如果在处理过程中遇到无法识别的专用扩展名,收件人可能会因为语法错误而拒绝整个文档。
Internationalization and localization is of specific concern to the IODEF as it facilitates operational coordination with a diverse set of partners. The IODEF implements internationalization by relying on XML constructs and through explicit design choices in the data model.
国际化和本地化是IODEF特别关注的问题,因为它有助于与不同合作伙伴的运营协调。IODEF通过依赖XML构造和数据模型中的显式设计选择来实现国际化。
Since the IODEF is implemented as an XML schema, it supports different character encodings, such as UTF-8 and UTF-16, that are possible with XML. Additionally, each IODEF document MUST specify the language in which its content is encoded. The language can be specified with the attribute "xml:lang" (per Section 2.12 of [W3C.XML]) in the top-level element (i.e., IODEF-Document) and lets all other elements inherit that definition. All IODEF classes with a free-form text definition (i.e., all those defined with type iodef:MLStringType) can also specify a language different from the rest of the document.
由于IODEF是作为XML模式实现的,因此它支持不同的字符编码,如UTF-8和UTF-16,这在XML中是可能的。此外,每个IODEF文档必须指定其内容的编码语言。可以在顶级元素(即IODEF文档)中使用属性“xml:lang”(根据[W3C.xml]第2.12节)指定该语言,并允许所有其他元素继承该定义。所有具有自由格式文本定义的IODEF类(即所有使用IODEF:MLStringType类型定义的类)也可以指定不同于文档其余部分的语言。
The data model supports multiple translations of free-form text. All ML_STRING (iodef:MLStringType) classes have a one-to-many cardinality to their parent. This allows the identical text translated into different languages to be encoded in different instances of the same class with a common parent. This design also enables the creation of a single document containing all the translations. The IODEF implementation SHOULD extract the appropriate language relevant to the recipient.
数据模型支持自由格式文本的多个翻译。所有ML_STRING(iodef:MLStringType)类对其父类都具有一对多基数。这允许翻译成不同语言的相同文本在具有公共父类的同一类的不同实例中进行编码。此设计还支持创建包含所有翻译的单个文档。IODEF实现应提取与接收方相关的适当语言。
Related instances of a given iodef:MLStringType class that are translations of each other are identified by a common identifier set in the translation-id attribute. The example below shows three instances of a Description class expressed in three different languages. The relationship between these three instances of the Description class is conveyed by the common value of "1" in the translation-id attribute.
给定iodef:MLStringType类的相关实例是彼此的翻译,它们由翻译id属性中设置的公共标识符标识。下面的示例显示了用三种不同语言表示的描述类的三个实例。描述类的这三个实例之间的关系由translation id属性中的公共值“1”表示。
<IODEF-Document version="2.00" xml:lang="en" ...>
<Incident purpose="reporting">
...
<Description translation-id="1"
xml:lang="en">English</Description>
<Description translation-id="1"
xml:lang="de">Englisch</Description>
<Description translation-id="1"
xml:lang="fr">Anglais</Description>
<IODEF-Document version="2.00" xml:lang="en" ...>
<Incident purpose="reporting">
...
<Description translation-id="1"
xml:lang="en">English</Description>
<Description translation-id="1"
xml:lang="de">Englisch</Description>
<Description translation-id="1"
xml:lang="fr">Anglais</Description>
The IODEF balances internationalization support with the need for interoperability. While the IODEF supports different languages, the data model also relies heavily on standardized enumerated attributes that can crudely approximate the contents of the document. With this approach, a CSIRT should be able to make some sense of an IODEF document it receives even if the free-form text data elements are written in a language unfamiliar to the recipient.
IODEF平衡了国际化支持和互操作性需求。虽然IODEF支持不同的语言,但数据模型也严重依赖标准化的枚举属性,这些属性可以粗略地近似文档的内容。通过这种方法,CSIRT应该能够理解它接收到的IODEF文档,即使自由格式的文本数据元素是用接收者不熟悉的语言编写的。
This section provides examples of IODEF documents. These examples do not represent the full capabilities of the data model or the only way to encode particular information.
本节提供了IODEF文档的示例。这些示例并不代表数据模型的全部功能,也不是编码特定信息的唯一方法。
A document containing only the mandatory elements and attributes.
仅包含必需元素和属性的文档。
<?xml version="1.0" encoding="UTF-8"?>
<!-- Minimum IODEF document -->
<IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd">
<Incident purpose="reporting" restriction="private">
<IncidentID name="csirt.example.com">492382</IncidentID>
<GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
<Contact type="organization" role="creator">
<?xml version="1.0" encoding="UTF-8"?>
<!-- Minimum IODEF document -->
<IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd">
<Incident purpose="reporting" restriction="private">
<IncidentID name="csirt.example.com">492382</IncidentID>
<GenerationTime>2015-07-18T09:00:00-05:00</GenerationTime>
<Contact type="organization" role="creator">
<Email>
<EmailTo>contact@csirt.example.com</EmailTo>
</Email>
</Contact>
<!-- Add more fields to make the document useful -->
</Incident>
</IODEF-Document>
<Email>
<EmailTo>contact@csirt.example.com</EmailTo>
</Email>
</Contact>
<!-- Add more fields to make the document useful -->
</Incident>
</IODEF-Document>
An example of C2 domains from a given campaign.
给定战役的C2域示例。
<?xml version="1.0" encoding="UTF-8"?>
<!-- A list of C2 domains associated with a campaign -->
<IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd">
<Incident purpose="watch" restriction="green">
<IncidentID name="csirt.example.com">897923</IncidentID>
<RelatedActivity>
<ThreatActor>
<ThreatActorID>
TA-12-AGGRESSIVE-BUTTERFLY
</ThreatActorID>
<Description>Aggressive Butterfly</Description>
</ThreatActor>
<Campaign>
<CampaignID>C-2015-59405</CampaignID>
<Description>Orange Giraffe</Description>
</Campaign>
</RelatedActivity>
<GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
<Description>Summarizes the Indicators of Compromise
for the Orange Giraffe campaign of the Aggressive
Butterfly crime gang.
</Description>
<Assessment>
<BusinessImpact type="breach-proprietary"/>
</Assessment>
<Contact type="organization" role="creator">
<ContactName>CSIRT for example.com</ContactName>
<Email>
<EmailTo>contact@csirt.example.com</EmailTo>
</Email>
</Contact>
<?xml version="1.0" encoding="UTF-8"?>
<!-- A list of C2 domains associated with a campaign -->
<IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd">
<Incident purpose="watch" restriction="green">
<IncidentID name="csirt.example.com">897923</IncidentID>
<RelatedActivity>
<ThreatActor>
<ThreatActorID>
TA-12-AGGRESSIVE-BUTTERFLY
</ThreatActorID>
<Description>Aggressive Butterfly</Description>
</ThreatActor>
<Campaign>
<CampaignID>C-2015-59405</CampaignID>
<Description>Orange Giraffe</Description>
</Campaign>
</RelatedActivity>
<GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
<Description>Summarizes the Indicators of Compromise
for the Orange Giraffe campaign of the Aggressive
Butterfly crime gang.
</Description>
<Assessment>
<BusinessImpact type="breach-proprietary"/>
</Assessment>
<Contact type="organization" role="creator">
<ContactName>CSIRT for example.com</ContactName>
<Email>
<EmailTo>contact@csirt.example.com</EmailTo>
</Email>
</Contact>
<IndicatorData>
<Indicator>
<IndicatorID name="csirt.example.com" version="1">
G90823490
</IndicatorID>
<Description>C2 domains</Description>
<StartTime>2014-12-02T11:18:00-05:00</StartTime>
<Observable>
<BulkObservable type="fqdn">
<BulkObservableList>
kj290023j09r34.example.com
09ijk23jfj0k8.example.net
klknjwfjiowjefr923.example.org
oimireik79msd.example.org
</BulkObservableList>
</BulkObservable>
</Observable>
</Indicator>
</IndicatorData>
</Incident>
</IODEF-Document>
<IndicatorData>
<Indicator>
<IndicatorID name="csirt.example.com" version="1">
G90823490
</IndicatorID>
<Description>C2 domains</Description>
<StartTime>2014-12-02T11:18:00-05:00</StartTime>
<Observable>
<BulkObservable type="fqdn">
<BulkObservableList>
kj290023j09r34.example.com
09ijk23jfj0k8.example.net
klknjwfjiowjefr923.example.org
oimireik79msd.example.org
</BulkObservableList>
</BulkObservable>
</Observable>
</Indicator>
</IndicatorData>
</Incident>
</IODEF-Document>
<?xml version="1.0"?>
<xs:schema xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
schemaLocation="http://www.iana.org/assignments/
xml-registry/schema/iodef-enum-1.0.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0"
schemaLocation="http://www.iana.org/assignments/
xml-registry/schema/iodef-sci-1.0.xsd"/>
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3c.org/2001/xml.xsd"/>
<xs:annotation>
<xs:documentation>
Incident Object Description Exchange Format v2.0
<?xml version="1.0"?>
<xs:schema xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:enum="urn:ietf:params:xml:ns:iodef-enum-1.0"
xmlns:sci="urn:ietf:params:xml:ns:iodef-sci-1.0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
targetNamespace="urn:ietf:params:xml:ns:iodef-2.0"
elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:import namespace="http://www.w3.org/2000/09/xmldsig#"
schemaLocation="http://www.w3.org/TR/2002/
REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-enum-1.0"
schemaLocation="http://www.iana.org/assignments/
xml-registry/schema/iodef-enum-1.0.xsd"/>
<xs:import namespace="urn:ietf:params:xml:ns:iodef-sci-1.0"
schemaLocation="http://www.iana.org/assignments/
xml-registry/schema/iodef-sci-1.0.xsd"/>
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3c.org/2001/xml.xsd"/>
<xs:annotation>
<xs:documentation>
Incident Object Description Exchange Format v2.0
</xs:documentation>
</xs:annotation>
<!--
===================================================================
== IODEF-Document class ==
===================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version" type="xs:string" fixed="2.00"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute name="format-id" type="xs:string" use="optional"/>
<xs:attribute name="private-enum-name"
type="xs:string" use="optional"/>
<xs:attribute name="private-enum-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Incident class ==
===================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID" minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" minOccurs="0"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
<xs:element ref="iodef:ReportTime" minOccurs="0"/>
<xs:element ref="iodef:GenerationTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
</xs:documentation>
</xs:annotation>
<!--
===================================================================
== IODEF-Document class ==
===================================================================
-->
<xs:element name="IODEF-Document">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="version" type="xs:string" fixed="2.00"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute name="format-id" type="xs:string" use="optional"/>
<xs:attribute name="private-enum-name"
type="xs:string" use="optional"/>
<xs:attribute name="private-enum-id"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Incident class ==
===================================================================
-->
<xs:element name="Incident">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"/>
<xs:element ref="iodef:AlternativeID" minOccurs="0"/>
<xs:element ref="iodef:RelatedActivity"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" minOccurs="0"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
<xs:element ref="iodef:ReportTime" minOccurs="0"/>
<xs:element ref="iodef:GenerationTime"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:IndicatorData" minOccurs="0"/>
<xs:element ref="iodef:History" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose"
type="incident-purpose-type" use="required"/>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="status" type="incident-status-type"/>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="private"
use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="incident-purpose-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="incident-status-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved"/>
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:IndicatorData" minOccurs="0"/>
<xs:element ref="iodef:History" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="purpose"
type="incident-purpose-type" use="required"/>
<xs:attribute name="ext-purpose"
type="xs:string" use="optional"/>
<xs:attribute name="status" type="incident-status-type"/>
<xs:attribute name="ext-status"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" default="private"
use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="incident-purpose-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="traceback"/>
<xs:enumeration value="mitigation"/>
<xs:enumeration value="reporting"/>
<xs:enumeration value="watch"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="incident-status-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="new"/>
<xs:enumeration value="in-progress"/>
<xs:enumeration value="forwarded"/>
<xs:enumeration value="resolved"/>
<xs:enumeration value="future"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== IncidentID class ==
===================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
==================================================================
== AlternativeID class ==
==================================================================
-->
<xs:element name="AlternativeID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== RelatedActivity class ==
===================================================================
-->
<xs:element name="RelatedActivity">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
<!--
===================================================================
== IncidentID class ==
===================================================================
-->
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
<xs:complexType name="IncidentIDType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="instance"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<!--
==================================================================
== AlternativeID class ==
==================================================================
-->
<xs:element name="AlternativeID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== RelatedActivity class ==
===================================================================
-->
<xs:element name="RelatedActivity">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ThreatActor"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:IndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActor">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ThreatActorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActorID" type="xs:string"/>
<xs:element name="Campaign">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:CampaignID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Campaign"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:IndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActor">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ThreatActorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="ThreatActorID" type="xs:string"/>
<xs:element name="Campaign">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:CampaignID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!--
===================================================================
== Contact class ==
===================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Timezone" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role"
type="contact-role-type" use="required"/>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type"
type="contact-type-type" use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="CampaignID" type="xs:string"/>
<!--
===================================================================
== Contact class ==
===================================================================
-->
<xs:element name="Contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ContactName"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:ContactTitle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RegistryHandle"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:PostalAddress"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Email"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Telephone"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Timezone" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="role"
type="contact-role-type" use="required"/>
<xs:attribute name="ext-role"
type="xs:string" use="optional"/>
<xs:attribute name="type"
type="contact-type-type" use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="contact-role-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="contact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ContactName" type="iodef:MLStringType"/>
<xs:element name="ContactTitle" type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="registry"
type="registryhandle-registry-type"/>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="registryhandle-registry-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:simpleType name="contact-role-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="creator"/>
<xs:enumeration value="reporter"/>
<xs:enumeration value="admin"/>
<xs:enumeration value="tech"/>
<xs:enumeration value="provider"/>
<xs:enumeration value="user"/>
<xs:enumeration value="billing"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="abuse"/>
<xs:enumeration value="irt"/>
<xs:enumeration value="cc"/>
<xs:enumeration value="cc-irt"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="vendor"/>
<xs:enumeration value="vendor-services"/>
<xs:enumeration value="victim"/>
<xs:enumeration value="victim-notified"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="contact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="person"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ContactName" type="iodef:MLStringType"/>
<xs:element name="ContactTitle" type="iodef:MLStringType"/>
<xs:element name="RegistryHandle">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="registry"
type="registryhandle-registry-type"/>
<xs:attribute name="ext-registry"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="registryhandle-registry-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="internic"/>
<xs:enumeration value="apnic"/>
<xs:enumeration value="arin"/>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:PAddress"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="postaladdress-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="PAddress" type="iodef:MLStringType"/>
<xs:simpleType name="postaladdress-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="street"/>
<xs:enumeration value="mailing"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Telephone">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:TelephoneNumber"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="telephone-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="TelephoneNumber" type="xs:string"/>
<xs:simpleType name="telephone-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="wired"/>
<xs:enumeration value="mobile"/>
<xs:enumeration value="fax"/>
<xs:enumeration value="hotline"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
<xs:enumeration value="lacnic"/>
<xs:enumeration value="ripe"/>
<xs:enumeration value="afrinic"/>
<xs:enumeration value="local"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="PostalAddress">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:PAddress"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="postaladdress-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="PAddress" type="iodef:MLStringType"/>
<xs:simpleType name="postaladdress-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="street"/>
<xs:enumeration value="mailing"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Telephone">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:TelephoneNumber"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="telephone-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="TelephoneNumber" type="xs:string"/>
<xs:simpleType name="telephone-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="wired"/>
<xs:enumeration value="mobile"/>
<xs:enumeration value="fax"/>
<xs:enumeration value="hotline"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Email">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:EmailTo"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="email-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="email-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="direct"/>
<xs:enumeration value="hotline"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Time-based classes ==
===================================================================
-->
<xs:element name="DateTime" type="xs:dateTime"/>
<xs:element name="ReportTime" type="xs:dateTime"/>
<xs:element name="DetectTime" type="xs:dateTime"/>
<xs:element name="StartTime" type="xs:dateTime"/>
<xs:element name="EndTime" type="xs:dateTime"/>
<xs:element name="RecoveryTime" type="xs:dateTime"/>
<xs:element name="GenerationTime" type="xs:dateTime"/>
<xs:element name="Timezone" type="iodef:TimezoneType"/>
<!--
===================================================================
== History class ==
===================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:simpleType>
<xs:element name="Email">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:EmailTo"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="email-type-type" use="optional"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="email-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="direct"/>
<xs:enumeration value="hotline"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Time-based classes ==
===================================================================
-->
<xs:element name="DateTime" type="xs:dateTime"/>
<xs:element name="ReportTime" type="xs:dateTime"/>
<xs:element name="DetectTime" type="xs:dateTime"/>
<xs:element name="StartTime" type="xs:dateTime"/>
<xs:element name="EndTime" type="xs:dateTime"/>
<xs:element name="RecoveryTime" type="xs:dateTime"/>
<xs:element name="GenerationTime" type="xs:dateTime"/>
<xs:element name="Timezone" type="iodef:TimezoneType"/>
<!--
===================================================================
== History class ==
===================================================================
-->
<xs:element name="History">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" minOccurs="0"/>
<xs:element ref="iodef:Contact" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DefinedCOA"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="DefinedCOA" type="xs:string"/>
<!--
===================================================================
== Expectation class ==
===================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DefinedCOA"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:Contact" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="restriction"
</xs:element>
<xs:element name="HistoryItem">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime"/>
<xs:element ref="iodef:IncidentID" minOccurs="0"/>
<xs:element ref="iodef:Contact" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DefinedCOA"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="action"
type="iodef:action-type" use="required"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="DefinedCOA" type="xs:string"/>
<!--
===================================================================
== Expectation class ==
===================================================================
-->
<xs:element name="Expectation">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DefinedCOA"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:Contact" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="action"
type="iodef:action-type" default="other"/>
<xs:attribute name="ext-action"
type="xs:string" use="optional"/>
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Discovery class ==
===================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
type="discovery-source-type" use="optional"
default="unknown"/>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="discovery-source-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/>
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Discovery class ==
===================================================================
-->
<xs:element name="Discovery">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectionPattern"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="source"
type="discovery-source-type" use="optional"
default="unknown"/>
<xs:attribute name="ext-source"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="discovery-source-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nidps"/>
<xs:enumeration value="hips"/>
<xs:enumeration value="siem"/>
<xs:enumeration value="av"/>
<xs:enumeration value="third-party-monitoring"/>
<xs:enumeration value="incident"/>
<xs:enumeration value="os-log"/>
<xs:enumeration value="application-log"/>
<xs:enumeration value="device-log"/>
<xs:enumeration value="network-flow"/>
<xs:enumeration value="passive-dns"/>
<xs:enumeration value="investigation"/>
<xs:enumeration value="audit"/>
<xs:enumeration value="internal-notification"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="DetectionPattern">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Method class ==
===================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:AttackPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:Vulnerability"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:Weakness"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:enumeration value="external-notification"/>
<xs:enumeration value="leo"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="actor"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="DetectionPattern">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Application"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="DetectionConfiguration"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Method class ==
===================================================================
-->
<xs:element name="Method">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:AttackPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:Vulnerability"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="sci:Weakness"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Reference class ==
===================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element ref="enum:ReferenceName" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Assessment class ==
===================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentCategory"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:SystemImpact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
<xs:element ref="iodef:IntendedImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:MitigatingFactor"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Cause"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Reference class ==
===================================================================
-->
<xs:element name="Reference">
<xs:complexType>
<xs:sequence>
<xs:element ref="enum:ReferenceName" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Assessment class ==
===================================================================
-->
<xs:element name="Assessment">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IncidentCategory"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:SystemImpact"/>
<xs:element ref="iodef:BusinessImpact"/>
<xs:element ref="iodef:TimeImpact"/>
<xs:element ref="iodef:MonetaryImpact"/>
<xs:element ref="iodef:IntendedImpact"/>
</xs:choice>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:MitigatingFactor"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Cause"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IncidentCategory" type="iodef:MLStringType"/>
<xs:element name="BusinessImpact" type="iodef:BusinessImpactType"/>
<xs:element name="IntendedImpact" type="iodef:BusinessImpactType"/>
<xs:element name="MitigatingFactor" type="iodef:MLStringType"/>
<xs:element name="Cause" type="iodef:MLStringType"/>
<xs:element name="SystemImpact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="severity"
type="iodef:severity-type" use="optional"/>
<xs:attribute name="completion"
type="iodef:systemimpact-completion-type"
use="optional"/>
<xs:attribute name="type"
type="systemimpact-type-type"
use="optional" default="unknown"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="systemimpact-completion-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="systemimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/>
<xs:attribute name="occurrence">
<xs:simpleType>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="actual"/>
<xs:enumeration value="potential"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IncidentCategory" type="iodef:MLStringType"/>
<xs:element name="BusinessImpact" type="iodef:BusinessImpactType"/>
<xs:element name="IntendedImpact" type="iodef:BusinessImpactType"/>
<xs:element name="MitigatingFactor" type="iodef:MLStringType"/>
<xs:element name="Cause" type="iodef:MLStringType"/>
<xs:element name="SystemImpact">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="severity"
type="iodef:severity-type" use="optional"/>
<xs:attribute name="completion"
type="iodef:systemimpact-completion-type"
use="optional"/>
<xs:attribute name="type"
type="systemimpact-type-type"
use="optional" default="unknown"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="systemimpact-completion-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="failed"/>
<xs:enumeration value="succeeded"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="systemimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="takeover-account"/>
<xs:enumeration value="takeover-service"/>
<xs:enumeration value="takeover-system"/>
<xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/>
<xs:enumeration value="availability-account"/>
<xs:enumeration value="availability-service"/>
<xs:enumeration value="availability-system"/>
<xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="BusinessImpactType">
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="severity"
type="businessimpact-severity-type" use="optional"/>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
type="businessimpact-type-type"
use="optional" default="unknown"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="businessimpact-severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="businessimpact-type-type">
<xs:enumeration value="cps-manipulation"/>
<xs:enumeration value="cps-damage"/>
<xs:enumeration value="availability-data"/>
<xs:enumeration value="availability-account"/>
<xs:enumeration value="availability-service"/>
<xs:enumeration value="availability-system"/>
<xs:enumeration value="damaged-system"/>
<xs:enumeration value="damaged-data"/>
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="breach-configuration"/>
<xs:enumeration value="integrity-data"/>
<xs:enumeration value="integrity-configuration"/>
<xs:enumeration value="integrity-hardware"/>
<xs:enumeration value="traffic-redirection"/>
<xs:enumeration value="monitoring-traffic"/>
<xs:enumeration value="monitoring-host"/>
<xs:enumeration value="policy"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="BusinessImpactType">
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="severity"
type="businessimpact-severity-type" use="optional"/>
<xs:attribute name="ext-severity"
type="xs:string" use="optional"/>
<xs:attribute name="type"
type="businessimpact-type-type"
use="optional" default="unknown"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
<xs:simpleType name="businessimpact-severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="none"/>
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="businessimpact-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service"/>
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="metric"
type="timeimpact-metric-type" use="required"/>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration" type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="timeimpact-metric-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="currency" type="xs:string"/>
</xs:extension>
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="breach-proprietary"/>
<xs:enumeration value="breach-privacy"/>
<xs:enumeration value="breach-credential"/>
<xs:enumeration value="loss-of-integrity"/>
<xs:enumeration value="loss-of-service"/>
<xs:enumeration value="theft-financial"/>
<xs:enumeration value="theft-service"/>
<xs:enumeration value="degraded-reputation"/>
<xs:enumeration value="asset-damage"/>
<xs:enumeration value="asset-manipulation"/>
<xs:enumeration value="legal"/>
<xs:enumeration value="extortion"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="TimeImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="metric"
type="timeimpact-metric-type" use="required"/>
<xs:attribute name="ext-metric"
type="xs:string" use="optional"/>
<xs:attribute name="duration" type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="timeimpact-metric-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="labor"/>
<xs:enumeration value="elapsed"/>
<xs:enumeration value="downtime"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="MonetaryImpact">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="iodef:PositiveFloatType">
<xs:attribute name="severity" type="iodef:severity-type"/>
<xs:attribute name="currency" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType>
<xs:attribute name="rating"
type="confidence-rating-type" use="required"/>
<xs:attribute name="ext-rating"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="confidence-rating-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== EventData class ==
===================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" minOccurs="0"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
<xs:element ref="iodef:ReportTime" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record" minOccurs="0"/>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Confidence">
<xs:complexType>
<xs:attribute name="rating"
type="confidence-rating-type" use="required"/>
<xs:attribute name="ext-rating"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="confidence-rating-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
<xs:enumeration value="numeric"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== EventData class ==
===================================================================
-->
<xs:element name="EventData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DetectTime" minOccurs="0"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:RecoveryTime" minOccurs="0"/>
<xs:element ref="iodef:ReportTime" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Discovery"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:Method"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Flow"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Expectation"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Record" minOccurs="0"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Flow class ==
===================================================================
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
===================================================================
== System class ==
===================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EventData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== Flow class ==
===================================================================
-->
<xs:element name="Flow">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:System" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
===================================================================
== System class ==
===================================================================
-->
<xs:element name="System">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Node"/>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Service"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:OperatingSystem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="AssetID"
type="xs:string"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="category" type="system-category-type"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface" type="xs:string"/>
<xs:attribute name="spoofed"
type="yes-no-unknown-type" default="unknown"/>
<xs:attribute name="virtual"
type="yes-no-unknown-type" use="optional"
default="unknown"/>
<xs:attribute name="ownership" type="system-ownership-type"
use="optional"/>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
<xs:simpleType name="system-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="system-ownership-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Node class ==
==================================================================
-->
</xs:sequence>
<xs:attribute name="category" type="system-category-type"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="interface" type="xs:string"/>
<xs:attribute name="spoofed"
type="yes-no-unknown-type" default="unknown"/>
<xs:attribute name="virtual"
type="yes-no-unknown-type" use="optional"
default="unknown"/>
<xs:attribute name="ownership" type="system-ownership-type"
use="optional"/>
<xs:attribute name="ext-ownership"
type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="OperatingSystem" type="iodef:SoftwareType"/>
<xs:simpleType name="system-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="source"/>
<xs:enumeration value="target"/>
<xs:enumeration value="intermediate"/>
<xs:enumeration value="sensor"/>
<xs:enumeration value="infrastructure"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="system-ownership-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="organization"/>
<xs:enumeration value="personal"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="customer"/>
<xs:enumeration value="no-relationship"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
==================================================================
== Node class ==
==================================================================
-->
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress" minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category"
type="address-category-type"
default="ipv6-addr"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" type="xs:string"/>
<xs:attribute name="vlan-num" type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="address-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-masked"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-masked"/>
<xs:enumeration value="site-uri"/>
<xs:element name="Node">
<xs:complexType>
<xs:sequence>
<xs:choice maxOccurs="unbounded">
<xs:element ref="iodef:DomainData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Address"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:element ref="iodef:PostalAddress" minOccurs="0"/>
<xs:element ref="iodef:Location"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Counter"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Address">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="category"
type="address-category-type"
default="ipv6-addr"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
<xs:attribute name="vlan-name" type="xs:string"/>
<xs:attribute name="vlan-num" type="xs:integer"/>
<xs:attribute name="observable-id"
type="xs:ID" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="address-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-masked"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-masked"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="category"
type="noderole-category-type" use="required"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="noderole-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Location" type="iodef:MLStringType"/>
<xs:element name="NodeRole">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="category"
type="noderole-category-type" use="required"/>
<xs:attribute name="ext-category"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="noderole-category-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="client"/>
<xs:enumeration value="client-enterprise"/>
<xs:enumeration value="client-partner"/>
<xs:enumeration value="client-remote"/>
<xs:enumeration value="client-kiosk"/>
<xs:enumeration value="client-mobile"/>
<xs:enumeration value="server-internal"/>
<xs:enumeration value="server-public"/>
<xs:enumeration value="www"/>
<xs:enumeration value="mail"/>
<xs:enumeration value="webmail"/>
<xs:enumeration value="messaging"/>
<xs:enumeration value="streaming"/>
<xs:enumeration value="voice"/>
<xs:enumeration value="file"/>
<xs:enumeration value="ftp"/>
<xs:enumeration value="p2p"/>
<xs:enumeration value="name"/>
<xs:enumeration value="directory"/>
<xs:enumeration value="credential"/>
<xs:enumeration value="print"/>
<xs:enumeration value="application"/>
<xs:enumeration value="database"/>
<xs:enumeration value="backup"/>
<xs:enumeration value="dhcp"/>
<xs:enumeration value="assessment"/>
<xs:enumeration value="source-control"/>
<xs:enumeration value="config-management"/>
<xs:enumeration value="monitoring"/>
<xs:enumeration value="infra"/>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Service class ==
===================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ServiceName" minOccurs="0"/>
<xs:element ref="iodef:Port" minOccurs="0"/>
<xs:element ref="iodef:Portlist" minOccurs="0"/>
<xs:element ref="iodef:ProtoType" minOccurs="0"/>
<xs:element ref="iodef:ProtoCode" minOccurs="0"/>
<xs:element ref="iodef:ProtoField" minOccurs="0"/>
<xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
<xs:enumeration value="infra-firewall"/>
<xs:enumeration value="infra-router"/>
<xs:enumeration value="infra-switch"/>
<xs:enumeration value="camera"/>
<xs:enumeration value="proxy"/>
<xs:enumeration value="remote-access"/>
<xs:enumeration value="log"/>
<xs:enumeration value="virtualization"/>
<xs:enumeration value="pos"/>
<xs:enumeration value="scada"/>
<xs:enumeration value="scada-supervisory"/>
<xs:enumeration value="sinkhole"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="anonymization"/>
<xs:enumeration value="c2-server"/>
<xs:enumeration value="malware-distribution"/>
<xs:enumeration value="drop-server"/>
<xs:enumeration value="hop-point"/>
<xs:enumeration value="reflector"/>
<xs:enumeration value="phishing-site"/>
<xs:enumeration value="spear-phishing-site"/>
<xs:enumeration value="recruiting-site"/>
<xs:enumeration value="fraudulent-site"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Service class ==
===================================================================
-->
<xs:element name="Service">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ServiceName" minOccurs="0"/>
<xs:element ref="iodef:Port" minOccurs="0"/>
<xs:element ref="iodef:Portlist" minOccurs="0"/>
<xs:element ref="iodef:ProtoType" minOccurs="0"/>
<xs:element ref="iodef:ProtoCode" minOccurs="0"/>
<xs:element ref="iodef:ProtoField" minOccurs="0"/>
<xs:element ref="iodef:ApplicationHeader" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="ip-protocol"
type="xs:integer" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Port" type="xs:integer"/>
<xs:element name="Portlist" type="iodef:PortlistType"/>
<xs:element name="ProtoType" type="xs:integer"/>
<xs:element name="ProtoCode" type="xs:integer"/>
<xs:element name="ProtoField" type="xs:integer"/>
<xs:element name="ApplicationHeader">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ApplicationHeaderField"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="ApplicationHeaderField"
type="iodef:ExtensionType"/>
<xs:element name="ServiceName">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IANAService"
minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="IANAService" type="xs:string"/>
<xs:element name="Application" type="iodef:SoftwareType"/>
<!--
===================================================================
== Counter class ==
===================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:float">
<xs:attribute name="type"
type="counter-type-type" use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="unit"
type="counter-unit-type" use="required"/>
<xs:attribute name="ext-unit"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
</xs:element>
<xs:element name="Port" type="xs:integer"/>
<xs:element name="Portlist" type="iodef:PortlistType"/>
<xs:element name="ProtoType" type="xs:integer"/>
<xs:element name="ProtoCode" type="xs:integer"/>
<xs:element name="ProtoField" type="xs:integer"/>
<xs:element name="ApplicationHeader">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:ApplicationHeaderField"
maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="ApplicationHeaderField"
type="iodef:ExtensionType"/>
<xs:element name="ServiceName">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IANAService"
minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="IANAService" type="xs:string"/>
<xs:element name="Application" type="iodef:SoftwareType"/>
<!--
===================================================================
== Counter class ==
===================================================================
-->
<xs:element name="Counter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:float">
<xs:attribute name="type"
type="counter-type-type" use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="unit"
type="counter-unit-type" use="required"/>
<xs:attribute name="ext-unit"
type="xs:string" use="optional"/>
<xs:attribute name="meaning"
type="xs:string" use="optional"/>
<xs:attribute name="duration" type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="counter-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="counter"/>
<xs:enumeration value="rate"/>
<xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="counter-unit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== EmailData class ==
===================================================================
-->
<xs:element name="EmailData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:EmailTo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailFrom" minOccurs="0"/>
<xs:element ref="iodef:EmailSubject" minOccurs="0"/>
<xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
<xs:element ref="iodef:EmailHeaderField"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
type="xs:string" use="optional"/>
<xs:attribute name="duration" type="iodef:duration-type"/>
<xs:attribute name="ext-duration"
type="xs:string" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="counter-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="counter"/>
<xs:enumeration value="rate"/>
<xs:enumeration value="average"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="counter-unit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="byte"/>
<xs:enumeration value="mbit"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="flow"/>
<xs:enumeration value="session"/>
<xs:enumeration value="event"/>
<xs:enumeration value="alert"/>
<xs:enumeration value="message"/>
<xs:enumeration value="host"/>
<xs:enumeration value="site"/>
<xs:enumeration value="organization"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== EmailData class ==
===================================================================
-->
<xs:element name="EmailData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:EmailTo"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailFrom" minOccurs="0"/>
<xs:element ref="iodef:EmailSubject" minOccurs="0"/>
<xs:element ref="iodef:EmailX-Mailer" minOccurs="0"/>
<xs:element ref="iodef:EmailHeaderField"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:EmailHeaders" minOccurs="0"/>
<xs:element ref="iodef:EmailBody" minOccurs="0"/>
<xs:element ref="iodef:EmailMessage" minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="SignatureData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="EmailTo" type="xs:string"/>
<xs:element name="EmailFrom" type="xs:string"/>
<xs:element name="EmailSubject" type="xs:string"/>
<xs:element name="EmailX-Mailer" type="xs:string"/>
<xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
<xs:element name="EmailHeaders" type="xs:string"/>
<xs:element name="EmailBody" type="xs:string"/>
<xs:element name="EmailMessage" type="xs:string"/>
<!--
===================================================================
== DomainData class ==
===================================================================
-->
<xs:element name="DomainData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Name"/>
<xs:element ref="iodef:DateDomainWasChecked"
minOccurs="0"/>
<xs:element ref="iodef:RegistrationDate"
minOccurs="0"/>
<xs:element ref="iodef:ExpirationDate"
minOccurs="0"/>
<xs:element ref="iodef:RelatedDNS"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DomainContacts"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="system-status"
type="domaindata-system-status-type"/>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status"
type="domaindata-domain-status-type"/>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:element ref="iodef:EmailBody" minOccurs="0"/>
<xs:element ref="iodef:EmailMessage" minOccurs="0"/>
<xs:element ref="iodef:HashData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="SignatureData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="EmailTo" type="xs:string"/>
<xs:element name="EmailFrom" type="xs:string"/>
<xs:element name="EmailSubject" type="xs:string"/>
<xs:element name="EmailX-Mailer" type="xs:string"/>
<xs:element name="EmailHeaderField" type="iodef:ExtensionType"/>
<xs:element name="EmailHeaders" type="xs:string"/>
<xs:element name="EmailBody" type="xs:string"/>
<xs:element name="EmailMessage" type="xs:string"/>
<!--
===================================================================
== DomainData class ==
===================================================================
-->
<xs:element name="DomainData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Name"/>
<xs:element ref="iodef:DateDomainWasChecked"
minOccurs="0"/>
<xs:element ref="iodef:RegistrationDate"
minOccurs="0"/>
<xs:element ref="iodef:ExpirationDate"
minOccurs="0"/>
<xs:element ref="iodef:RelatedDNS"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Nameservers"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:DomainContacts"
minOccurs="0"/>
</xs:sequence>
<xs:attribute name="system-status"
type="domaindata-system-status-type"/>
<xs:attribute name="ext-system-status"
type="xs:string" use="optional"/>
<xs:attribute name="domain-status"
type="domaindata-domain-status-type"/>
<xs:attribute name="ext-domain-status"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Name" type="xs:string"/>
<xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:element name="RegistrationDate" type="xs:dateTime"/>
<xs:element name="ExpirationDate" type="xs:dateTime"/>
<xs:simpleType name="domaindata-system-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="domaindata-domain-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RelatedDNS" type="iodef:ExtensionType"/>
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Server"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Server" type="xs:string"/>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element ref="iodef:SameDomainContact"/>
<xs:element ref="iodef:Contact"
minOccurs="1" maxOccurs="unbounded"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Name" type="xs:string"/>
<xs:element name="DateDomainWasChecked" type="xs:dateTime"/>
<xs:element name="RegistrationDate" type="xs:dateTime"/>
<xs:element name="ExpirationDate" type="xs:dateTime"/>
<xs:simpleType name="domaindata-system-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="spoofed"/>
<xs:enumeration value="fraudulent"/>
<xs:enumeration value="innocent-hacked"/>
<xs:enumeration value="innocent-hijacked"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="domaindata-domain-status-type">
<xs:restriction base="xs:string">
<xs:enumeration value="reservedDelegation"/>
<xs:enumeration value="assignedAndActive"/>
<xs:enumeration value="assignedAndInactive"/>
<xs:enumeration value="assignedAndOnHold"/>
<xs:enumeration value="revoked"/>
<xs:enumeration value="transferPending"/>
<xs:enumeration value="registryLock"/>
<xs:enumeration value="registrarLock"/>
<xs:enumeration value="other"/>
<xs:enumeration value="unknown"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RelatedDNS" type="iodef:ExtensionType"/>
<xs:element name="Nameservers">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Server"/>
<xs:element ref="iodef:Address" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Server" type="xs:string"/>
<xs:element name="DomainContacts">
<xs:complexType>
<xs:choice>
<xs:element ref="iodef:SameDomainContact"/>
<xs:element ref="iodef:Contact"
minOccurs="1" maxOccurs="unbounded"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="SameDomainContact" type="xs:string"/>
<!--
===================================================================
== Record class ==
===================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="SameDomainContact" type="xs:string"/>
<!--
===================================================================
== Record class ==
===================================================================
-->
<xs:element name="Record">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:RecordData" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:DateTime" minOccurs="0"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:RecordPattern"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:RecordItem"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FileData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:CertificateData"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type"
type="recordpattern-type-type"
use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
type="recordpattern-offsetunit-type"
use="optional" default="line"/>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="recordpattern-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="recordpattern-offsetunit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RecordItem" type="iodef:ExtensionType"/>
<!--
===================================================================
== WindowsRegistryKeysModified class ==
===================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Key" maxOccurs="unbounded"/>
</xs:element>
<xs:element name="RecordPattern">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="type"
type="recordpattern-type-type"
use="required"/>
<xs:attribute name="ext-type"
type="xs:string" use="optional"/>
<xs:attribute name="offset"
type="xs:integer" use="optional"/>
<xs:attribute name="offsetunit"
type="recordpattern-offsetunit-type"
use="optional" default="line"/>
<xs:attribute name="ext-offsetunit"
type="xs:string" use="optional"/>
<xs:attribute name="instance"
type="xs:integer" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="recordpattern-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="regex"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="xpath"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="recordpattern-offsetunit-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="line"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="RecordItem" type="iodef:ExtensionType"/>
<!--
===================================================================
== WindowsRegistryKeysModified class ==
===================================================================
-->
<xs:element name="WindowsRegistryKeysModified">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Key" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Key">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:KeyName"/>
<xs:element ref="iodef:Value" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction"
type="key-registryaction-type"/>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" type="xs:string"/>
<xs:simpleType name="key-registryaction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
====================================================================
== FileData class ==
====================================================================
-->
<xs:element name="FileData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Key">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:KeyName"/>
<xs:element ref="iodef:Value" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="registryaction"
type="key-registryaction-type"/>
<xs:attribute name="ext-registryaction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="KeyName" type="xs:string"/>
<xs:element name="Value" type="xs:string"/>
<xs:simpleType name="key-registryaction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="add-key"/>
<xs:enumeration value="add-value"/>
<xs:enumeration value="delete-key"/>
<xs:enumeration value="delete-value"/>
<xs:enumeration value="modify-key"/>
<xs:enumeration value="modify-value"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
====================================================================
== FileData class ==
====================================================================
-->
<xs:element name="FileData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:File"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="File">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:FileName" minOccurs="0"/>
<xs:element ref="iodef:FileSize" minOccurs="0"/>
<xs:element ref="FileType" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData" minOccurs="0"/>
<xs:element ref="iodef:SignatureData" minOccurs="0"/>
<xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="FileName" type="xs:string"/>
<xs:element name="FileSize" type="xs:integer"/>
<xs:element name="FileType" type="xs:string"/>
<xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
<xs:element name="FileProperties" type="iodef:ExtensionType"/>
<!--
====================================================================
== HashData class ==
====================================================================
-->
<xs:element name="HashData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HashTargetID" minOccurs="0"/>
<xs:element ref="iodef:Hash"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="scope"
type="hashdata-scope-type" use="required"/>
<xs:attribute name="ext-scope" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="HashTargetID" type="xs:string"/>
<xs:simpleType name="hashdata-scope-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:element name="File">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:FileName" minOccurs="0"/>
<xs:element ref="iodef:FileSize" minOccurs="0"/>
<xs:element ref="FileType" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:HashData" minOccurs="0"/>
<xs:element ref="iodef:SignatureData" minOccurs="0"/>
<xs:element ref="iodef:AssociatedSoftware" minOccurs="0"/>
<xs:element ref="iodef:FileProperties"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="FileName" type="xs:string"/>
<xs:element name="FileSize" type="xs:integer"/>
<xs:element name="FileType" type="xs:string"/>
<xs:element name="AssociatedSoftware" type="iodef:SoftwareType"/>
<xs:element name="FileProperties" type="iodef:ExtensionType"/>
<!--
====================================================================
== HashData class ==
====================================================================
-->
<xs:element name="HashData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:HashTargetID" minOccurs="0"/>
<xs:element ref="iodef:Hash"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:FuzzyHash"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="scope"
type="hashdata-scope-type" use="required"/>
<xs:attribute name="ext-scope" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="HashTargetID" type="xs:string"/>
<xs:simpleType name="hashdata-scope-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="file-contents"/>
<xs:enumeration value="file-pe-section"/>
<xs:enumeration value="file-pe-iat"/>
<xs:enumeration value="file-pe-resource"/>
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Hash">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:DigestMethod"/>
<xs:element ref="ds:DigestValue"/>
<xs:element ref="ds:CanonicalizationMethod"
minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHash">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:FuzzyHashValue"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
<!--
===================================================================
== SignatureData class ==
===================================================================
-->
<xs:element name="SignatureData">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:Signature" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
===================================================================
== CertificateData class ==
===================================================================
-->
<xs:element name="CertificateData">
<xs:enumeration value="file-pdf-object"/>
<xs:enumeration value="email-hash"/>
<xs:enumeration value="email-headers-hash"/>
<xs:enumeration value="email-body-hash"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="Hash">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:DigestMethod"/>
<xs:element ref="ds:DigestValue"/>
<xs:element ref="ds:CanonicalizationMethod"
minOccurs="0"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHash">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:FuzzyHashValue"
maxOccurs="unbounded"/>
<xs:element ref="iodef:Application" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="FuzzyHashValue" type="iodef:ExtensionType"/>
<!--
===================================================================
== SignatureData class ==
===================================================================
-->
<xs:element name="SignatureData">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:Signature" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<!--
===================================================================
== CertificateData class ==
===================================================================
-->
<xs:element name="CertificateData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Certificate">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:X509Data"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== IndicatorData class ==
===================================================================
-->
<xs:element name="IndicatorData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Indicator"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Indicator">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID"/>
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Certificate" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Certificate">
<xs:complexType>
<xs:sequence>
<xs:element ref="ds:X509Data"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
</xs:element>
<!--
===================================================================
== IndicatorData class ==
===================================================================
-->
<xs:element name="IndicatorData">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Indicator"
minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Indicator">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID"/>
<xs:element ref="iodef:AlternativeIndicatorID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:StartTime" minOccurs="0"/>
<xs:element ref="iodef:EndTime" minOccurs="0"/>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:Contact"
minOccurs="0" maxOccurs="unbounded"/>
<xs:choice>
<xs:element ref="iodef:Observable"/>
<xs:element ref="iodef:ObservableReference"/>
<xs:element ref="iodef:IndicatorExpression"/>
<xs:element ref="iodef:IndicatorReference"/>
</xs:choice>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AttackPhase"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorID">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:ID">
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="version"
type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="AlternativeIndicatorID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Observable">
<xs:complexType>
<xs:choice>
<xs:element ref="iodef:System" minOccurs="0"/>
<xs:element ref="iodef:Address" minOccurs="0"/>
<xs:element ref="iodef:DomainData" minOccurs="0"/>
<xs:element ref="iodef:Observable"/>
<xs:element ref="iodef:ObservableReference"/>
<xs:element ref="iodef:IndicatorExpression"/>
<xs:element ref="iodef:IndicatorReference"/>
</xs:choice>
<xs:element ref="iodef:NodeRole"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AttackPhase"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Reference"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorID">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:ID">
<xs:attribute name="name" type="xs:string" use="required"/>
<xs:attribute name="version"
type="xs:string" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="AlternativeIndicatorID">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:IndicatorID" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="Observable">
<xs:complexType>
<xs:choice>
<xs:element ref="iodef:System" minOccurs="0"/>
<xs:element ref="iodef:Address" minOccurs="0"/>
<xs:element ref="iodef:DomainData" minOccurs="0"/>
<xs:element ref="iodef:Service" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:FileData" minOccurs="0"/>
<xs:element ref="iodef:CertificateData" minOccurs="0"/>
<xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
<xs:element ref="iodef:RecordData" minOccurs="0"/>
<xs:element ref="iodef:EventData" minOccurs="0"/>
<xs:element ref="iodef:Incident" minOccurs="0"/>
<xs:element ref="iodef:Expectation" minOccurs="0"/>
<xs:element ref="iodef:Reference" minOccurs="0"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:DetectionPattern" minOccurs="0"/>
<xs:element ref="iodef:HistoryItem" minOccurs="0"/>
<xs:element ref="iodef:BulkObservable" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="BulkObservable">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
<xs:element name="BulkObservableList"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="bulkobservable-type-type" use="required"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="bulkobservable-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:element ref="iodef:Service" minOccurs="0"/>
<xs:element ref="iodef:EmailData" minOccurs="0"/>
<xs:element ref="iodef:WindowsRegistryKeysModified"
minOccurs="0"/>
<xs:element ref="iodef:FileData" minOccurs="0"/>
<xs:element ref="iodef:CertificateData" minOccurs="0"/>
<xs:element ref="iodef:RegistryHandle" minOccurs="0"/>
<xs:element ref="iodef:RecordData" minOccurs="0"/>
<xs:element ref="iodef:EventData" minOccurs="0"/>
<xs:element ref="iodef:Incident" minOccurs="0"/>
<xs:element ref="iodef:Expectation" minOccurs="0"/>
<xs:element ref="iodef:Reference" minOccurs="0"/>
<xs:element ref="iodef:Assessment" minOccurs="0"/>
<xs:element ref="iodef:DetectionPattern" minOccurs="0"/>
<xs:element ref="iodef:HistoryItem" minOccurs="0"/>
<xs:element ref="iodef:BulkObservable" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:choice>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="BulkObservable">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:BulkObservableFormat" minOccurs="0"/>
<xs:element name="BulkObservableList"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="type"
type="bulkobservable-type-type" use="required"/>
<xs:attribute name="ext-type" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="bulkobservable-type-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="asn"/>
<xs:enumeration value="atm"/>
<xs:enumeration value="e-mail"/>
<xs:enumeration value="ipv4-addr"/>
<xs:enumeration value="ipv4-net"/>
<xs:enumeration value="ipv4-net-mask"/>
<xs:enumeration value="ipv6-addr"/>
<xs:enumeration value="ipv6-net"/>
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="domain-name"/>
<xs:enumeration value="domain-to-ipv4"/>
<xs:enumeration value="domain-to-ipv6"/>
<xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="BulkObservableFormat">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Hash" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="BulkObservableList" type="xs:string"/>
<xs:element name="IndicatorExpression">
<xs:complexType>
<xs:sequence maxOccurs="unbounded">
<xs:choice>
<xs:element ref="iodef:IndicatorExpression"/>
<xs:element ref="iodef:Observable"/>
<xs:element ref="iodef:ObservableReference"/>
<xs:element ref="iodef:IndicatorReference"/>
</xs:choice>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="operator"
type="indicatorexpression-operator-type"
use="optional" default="and"/>
<xs:attribute name="ext-operator"
<xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="mac"/>
<xs:enumeration value="site-uri"/>
<xs:enumeration value="domain-name"/>
<xs:enumeration value="domain-to-ipv4"/>
<xs:enumeration value="domain-to-ipv6"/>
<xs:enumeration value="domain-to-ipv4-timestamp"/>
<xs:enumeration value="domain-to-ipv6-timestamp"/>
<xs:enumeration value="ipv4-port"/>
<xs:enumeration value="ipv6-port"/>
<xs:enumeration value="windows-reg-key"/>
<xs:enumeration value="file-hash"/>
<xs:enumeration value="email-x-mailer"/>
<xs:enumeration value="email-subject"/>
<xs:enumeration value="http-user-agent"/>
<xs:enumeration value="http-request-uri"/>
<xs:enumeration value="mutex"/>
<xs:enumeration value="file-path"/>
<xs:enumeration value="user-name"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="BulkObservableFormat">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:Hash" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="BulkObservableList" type="xs:string"/>
<xs:element name="IndicatorExpression">
<xs:complexType>
<xs:sequence maxOccurs="unbounded">
<xs:choice>
<xs:element ref="iodef:IndicatorExpression"/>
<xs:element ref="iodef:Observable"/>
<xs:element ref="iodef:ObservableReference"/>
<xs:element ref="iodef:IndicatorReference"/>
</xs:choice>
<xs:element ref="iodef:Confidence" minOccurs="0"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="operator"
type="indicatorexpression-operator-type"
use="optional" default="and"/>
<xs:attribute name="ext-operator"
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="indicatorexpression-operator-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="not"/>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ObservableReference">
<xs:complexType>
<xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorReference">
<xs:complexType>
<xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
<xs:attribute name="euid-ref" type="xs:string" use="optional"/>
<xs:attribute name="version" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="AttackPhase">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:AttackPhaseID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AttackPhaseID" type="xs:string"/>
<!--
===================================================================
== Miscellaneous classes ==
===================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<xs:element name="Description" type="iodef:MLStringType"/>
<xs:element name="URL" type="xs:anyURI"/>
type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="indicatorexpression-operator-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="not"/>
<xs:enumeration value="and"/>
<xs:enumeration value="or"/>
<xs:enumeration value="xor"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="ObservableReference">
<xs:complexType>
<xs:attribute name="uid-ref" type="xs:IDREF" use="required"/>
</xs:complexType>
</xs:element>
<xs:element name="IndicatorReference">
<xs:complexType>
<xs:attribute name="uid-ref" type="xs:IDREF" use="optional"/>
<xs:attribute name="euid-ref" type="xs:string" use="optional"/>
<xs:attribute name="version" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="AttackPhase">
<xs:complexType>
<xs:sequence>
<xs:element ref="iodef:AttackPhaseID"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:URL" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:AdditionalData"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AttackPhaseID" type="xs:string"/>
<!--
===================================================================
== Miscellaneous classes ==
===================================================================
-->
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
<xs:element name="Description" type="iodef:MLStringType"/>
<xs:element name="URL" type="xs:anyURI"/>
<!--
===================================================================
== IODEF data types ==
===================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="translation-id"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern
value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="ExtensionType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<!--
===================================================================
== IODEF data types ==
===================================================================
-->
<xs:simpleType name="PositiveFloatType">
<xs:restriction base="xs:float">
<xs:minExclusive value="0"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="MLStringType">
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="translation-id"
type="xs:string" use="optional"/>
<xs:attribute ref="xml:lang"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
<xs:simpleType name="PortlistType">
<xs:restriction base="xs:string">
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="TimezoneType">
<xs:restriction base="xs:string">
<xs:pattern
value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="ExtensionType" mixed="true">
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="name" type="xs:string" use="optional"/>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
<xs:attribute name="meaning" type="xs:string" use="optional"/>
<xs:attribute name="formatid" type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
<xs:attribute name="name" type="xs:string" use="optional"/>
<xs:attribute name="dtype"
type="iodef:dtype-type" use="required"/>
<xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
<xs:attribute name="meaning" type="xs:string" use="optional"/>
<xs:attribute name="formatid" type="xs:string" use="optional"/>
<xs:attribute name="restriction"
type="iodef:restriction-type" use="optional"/>
<xs:attribute name="ext-restriction"
type="xs:string" use="optional"/>
<xs:attribute name="observable-id" type="xs:ID" use="optional"/>
</xs:complexType>
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="SoftwareReference">
<xs:complexType>
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="spec-name"
type="softwarereference-spec-name-type"
use="required"/>
<xs:attribute name="ext-spec-name"
type="xs:string" use="optional"/>
<xs:attribute name="dtype"
type="softwarereference-dtype-type"
use="optional"/>
<xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="softwarereference-spec-name-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="custom"/>
<xs:enumeration value="cpe"/>
<xs:enumeration value="swid"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="softwarereference-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="bytes"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Global attribute type declarations ==
===================================================================
<xs:complexType name="SoftwareType">
<xs:sequence>
<xs:element ref="iodef:SoftwareReference" minOccurs="0"/>
<xs:element ref="iodef:URL"
minOccurs="0" maxOccurs="unbounded"/>
<xs:element ref="iodef:Description"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:element name="SoftwareReference">
<xs:complexType>
<xs:sequence>
<xs:any namespace="##any" processContents="lax"
minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
<xs:attribute name="spec-name"
type="softwarereference-spec-name-type"
use="required"/>
<xs:attribute name="ext-spec-name"
type="xs:string" use="optional"/>
<xs:attribute name="dtype"
type="softwarereference-dtype-type"
use="optional"/>
<xs:attribute name="ext-dtype" type="xs:string" use="optional"/>
</xs:complexType>
</xs:element>
<xs:simpleType name="softwarereference-spec-name-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="custom"/>
<xs:enumeration value="cpe"/>
<xs:enumeration value="swid"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="softwarereference-dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="bytes"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<!--
===================================================================
== Global attribute type declarations ==
===================================================================
-->
<xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/>
<xs:enumeration value="public"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/>
<xs:enumeration value="white"/>
<xs:enumeration value="green"/>
<xs:enumeration value="amber"/>
<xs:enumeration value="red"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
-->
<xs:simpleType name="yes-no-unknown-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
<xs:enumeration value="unknown"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="restriction-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="default"/>
<xs:enumeration value="public"/>
<xs:enumeration value="partner"/>
<xs:enumeration value="need-to-know"/>
<xs:enumeration value="private"/>
<xs:enumeration value="white"/>
<xs:enumeration value="green"/>
<xs:enumeration value="amber"/>
<xs:enumeration value="red"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="severity-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="low"/>
<xs:enumeration value="medium"/>
<xs:enumeration value="high"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="duration-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="second"/>
<xs:enumeration value="minute"/>
<xs:enumeration value="hour"/>
<xs:enumeration value="day"/>
<xs:enumeration value="month"/>
<xs:enumeration value="quarter"/>
<xs:enumeration value="year"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="action-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="nothing"/>
<xs:enumeration value="contact-source-site"/>
<xs:enumeration value="contact-target-site"/>
<xs:enumeration value="contact-sender"/>
<xs:enumeration value="investigate"/>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="redirect-traffic"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
<xs:enumeration value="block-host"/>
<xs:enumeration value="block-network"/>
<xs:enumeration value="block-port"/>
<xs:enumeration value="rate-limit-host"/>
<xs:enumeration value="rate-limit-network"/>
<xs:enumeration value="rate-limit-port"/>
<xs:enumeration value="redirect-traffic"/>
<xs:enumeration value="honeypot"/>
<xs:enumeration value="upgrade-software"/>
<xs:enumeration value="rebuild-asset"/>
<xs:enumeration value="harden-asset"/>
<xs:enumeration value="remediate-other"/>
<xs:enumeration value="status-triage"/>
<xs:enumeration value="status-new-info"/>
<xs:enumeration value="watch-and-report"/>
<xs:enumeration value="defined-coa"/>
<xs:enumeration value="other"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="dtype-type">
<xs:restriction base="xs:NMTOKEN">
<xs:enumeration value="boolean"/>
<xs:enumeration value="byte"/>
<xs:enumeration value="bytes"/>
<xs:enumeration value="character"/>
<xs:enumeration value="date-time"/>
<xs:enumeration value="integer"/>
<xs:enumeration value="ntpstamp"/>
<xs:enumeration value="portlist"/>
<xs:enumeration value="real"/>
<xs:enumeration value="string"/>
<xs:enumeration value="file"/>
<xs:enumeration value="path"/>
<xs:enumeration value="frame"/>
<xs:enumeration value="packet"/>
<xs:enumeration value="ipv4-packet"/>
<xs:enumeration value="ipv6-packet"/>
<xs:enumeration value="url"/>
<xs:enumeration value="csv"/>
<xs:enumeration value="winreg"/>
<xs:enumeration value="xml"/>
<xs:enumeration value="ext-value"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
The IODEF data model does not directly introduce security or privacy issues. However, as the data encoded by the IODEF might be considered sensitive by the parties exchanging it or by those described by it, care needs to be taken to ensure appropriate handling during the document construction, exchange, processing, archiving, subsequent retrieval, and analysis.
IODEF数据模型不会直接引入安全或隐私问题。但是,由于IODEF编码的数据可能被交换数据的各方或其描述的各方视为敏感数据,因此需要注意确保在文档构建、交换、处理、归档、后续检索和分析期间进行适当处理。
The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The Real-time Inter-network Defense (RID) protocol [RFC6545] and its associated transport binding IODEF/RID over HTTP/TLS [RFC6546] provide such security.
用于交换IODEF实例的底层消息传递格式和协议必须提供适当的机密性、完整性和真实性保证。鼓励使用标准化的安全协议。实时网络间防御(RID)协议[RFC6545]及其相关的传输绑定IODEF/RID over HTTP/TLS[RFC6546]提供了这种安全性。
An IODEF implementation may act on the data in the document. These actions might be explicitly requested in the document or the result of analytical logic that triggered on data in the document. For this reason, care must be taken by IODEF implementations to properly authenticate the sender and receiver of the document. The sender needs confidence that sensitive information and timely requests for action are sent to the correct recipient. The recipient may interpret the contents of the document differently based on who sent it or vary actions based on the sender. While the sender of the document may explicitly convey confidence in the data in a granular way using the Confidence class, the recipient is free to ignore or refine this information to make its own assessment. Ambiguous Confidence elements (where it is unclear to which of a set of other elements the Confidence element relates) in a document MUST be ignored by the recipient.
IODEF实现可以对文档中的数据起作用。这些操作可能会在文档中明确请求,也可能是对文档中的数据触发的分析逻辑的结果。因此,IODEF实现必须注意正确验证文档的发送方和接收方。发送者需要有信心将敏感信息和及时的行动请求发送给正确的接收者。收件人可能会根据发送人的不同对文档内容进行不同的解释,或者根据发件人的不同采取不同的行动。虽然文档的发送者可以使用置信等级以细粒度的方式明确传达对数据的信任,但接收者可以忽略或细化这些信息,以进行自己的评估。接收人必须忽略文档中不明确的置信元素(不清楚该置信元素与一组其他元素中的哪一个相关)。
Certain classes may require out-of-band coordination to agree upon their semantics (e.g., Confidence@rating="low" or DefinedCOA). This coordination MUST occur prior to operational data exchange to prevent the incorrect interpretation of these select data elements. When parsing these data elements, implementations should validate, when possible, that they conform to the agreed upon semantics. These semantics may need to be periodically reevaluated.
某些类可能需要带外协调才能就其语义达成一致(例如。,Confidence@rating=“低”或定义的COA)。这种协调必须在操作数据交换之前进行,以防止对这些选定数据元素的错误解释。在解析这些数据元素时,实现应该在可能的情况下验证它们是否符合约定的语义。这些语义可能需要定期重新评估。
Executable content of various forms could be embedded into the IODEF document directly or through an extension. Implementation MUST handle this content with care to prevent unintentional automated execution. The following classes are explicitly intended to represent content that might be executable:
各种形式的可执行内容可以直接或通过扩展嵌入到IODEF文档中。实现必须小心处理此内容,以防止意外的自动执行。以下类明确表示可执行的内容:
o All classes of type iodef:ExtensionType and the RecordPattern class can represent arbitrary binary strings such as legitimate software programs or malware.
o 所有iodef:ExtensionType类型的类和RecordPattern类都可以表示任意二进制字符串,如合法软件程序或恶意软件。
o The EmailMessage and EmailBody classes can represent email attachments that can contain arbitrary content.
o EmailMessage和EmailBody类可以表示可以包含任意内容的电子邮件附件。
o The DetectionPattern class could specify a machine-readable configuration that directs the execution of the corresponding tool.
o DetectionPattern类可以指定一个机器可读的配置,用于指导相应工具的执行。
Per Section 4.3, IODEF implementations will need to periodically consult the IANA registries specified in Section 10.2 to discover newly registered enumerated attribute values. These implementations MUST communicate with IANA in a way that ensures the integrity of the values and the authenticity of the source. HTTPS over TLS [RFC2818][RFC5246] provides such security.
根据第4.3节,IODEF实现需要定期查阅第10.2节中指定的IANA注册表,以发现新注册的枚举属性值。这些实现必须以确保值的完整性和源的真实性的方式与IANA通信。TLS上的HTTPS[RFC2818][RFC5246]提供了这种安全性。
The IODEF contains numerous fields that are identifiers that could be linked to an individual or organization. IODEF documents may contain sensitive information about these identified parties; repeated document exchanges about the same and related parties may enable the correlation of data about them. Likewise, a party may report on another to a third party without their knowledge.
IODEF包含许多字段,这些字段是可以链接到个人或组织的标识符。IODEF文件可能包含有关这些被识别方的敏感信息;关于同一方和相关方的重复文件交换可能会使他们的数据相互关联。同样,一方可在不知情的情况下向第三方报告另一方的情况。
When creating an IODEF document, careful consideration must be given to what information is shared. Personal identifiers and attributable sensitive information should only be shared when necessary.
创建IODEF文档时,必须仔细考虑共享哪些信息。个人识别码和可归因于敏感信息仅在必要时共享。
When exchanging documents, transport security MUST provide document-level confidentiality. XML element-level confidentiality can also be provided by using [W3C.XMLENC].
交换文件时,运输安全部门必须提供文件级机密性。XML元素级别的机密性也可以通过使用[W3C.XMLENC]来提供。
In order to suggest data processing and handling guidelines of the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies. While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it.
为了建议编码信息的数据处理和处理准则,IODEF允许文档发送者使用限制属性传递隐私策略。此属性的各种实例允许不同的策略覆盖文档的不同数据元素。虽然这种方法很灵活,但必须强调的是,这种方法仅作为发送方的指导方针,因为接收方可以自由地忽略它。
Although outside of the scope of an IODEF implementation, the contents of IODEF documents and any derived analysis should be archived with appropriate confidentiality controls. Likewise, access to retrieve and analyze this data should be restricted to authorized users.
虽然不在IODEF实施的范围内,但IODEF文件的内容和任何衍生分析都应在适当的保密控制下存档。同样,检索和分析此数据的权限应限制为授权用户。
This document registers a namespace, an XML schema, and a number of registries that map to enumerated values defined in the data model. It also defines an Expert Review process for IODEF-related XML registry entries.
该文档注册了一个名称空间、一个XML模式和许多映射到数据模型中定义的枚举值的注册表。它还定义了与IODEF相关的XML注册表项的专家评审过程。
This document uses URNs to describe an XML namespace and schema conforming to a registry mechanism described in [RFC3688].
本文档使用URN来描述符合[RFC3688]中描述的注册表机制的XML命名空间和模式。
Registration for the IODEF namespace:
IODEF命名空间的注册:
o URI: urn:ietf:params:xml:ns:iodef-2.0
o URI:urn:ietf:params:xml:ns:iodef-2.0
o Registrant Contact: See the author in the "Author's Address" section of this document.
o 注册人联系人:见本文件“作者地址”一节中的作者。
o XML: None. Namespace URIs do not represent an XML specification.
o XML:没有。命名空间URI不表示XML规范。
Registration for the IODEF XML schema:
注册IODEF XML架构:
o URI: urn:ietf:params:xml:schema:iodef-2.0
o URI:urn:ietf:params:xml:schema:iodef-2.0
o Registrant Contact: See the first author of the "Author's Address" section of this document.
o 注册人联系人:见本文件“作者地址”部分的第一作者。
o XML: See Section 8 of this document.
o XML:参见本文档第8节。
This document creates 34 identically structured registries to be managed by IANA:
本文件创建了34个结构相同的注册中心,由IANA管理:
o Name of the parent registry: "Incident Object Description Exchange Format v2 (IODEF)"
o 父注册表的名称:“事件对象描述交换格式v2(IODEF)”
o URL of the registry: <http://www.iana.org/assignments/iodef2>
o 注册表的URL:<http://www.iana.org/assignments/iodef2>
o Namespace format: A registry entry consists of:
o 命名空间格式:注册表项包括:
* Value. A value for a given IODEF attribute. It MUST conform to the formatting specified by the IODEF ENUM data type which is implemented as an "xs:NMTOKEN" type per Section 3.3.4 of [W3C.SCHEMA.DTYPES]. The value SHOULD conform to the convention specified in Section 5.2.
* 价值给定IODEF属性的值。它必须符合IODEF ENUM数据类型指定的格式,该数据类型根据[W3C.SCHEMA.DTYPES]第3.3.4节实现为“xs:NMTOKEN”类型。该值应符合第5.2节规定的惯例。
* Description. A short description of the enumerated value.
* 描述枚举值的简短描述。
* Reference. An optional list of URIs to further describe the value.
* 参考用于进一步描述值的URI的可选列表。
o Allocation policy: Expert Review per [RFC5226]. This reviewer will ensure that the requested registry entry conforms to the prescribed formatting. The reviewer will also ensure that the entry is an appropriate value for the attribute per the information model (Section 3).
o 分配政策:根据[RFC5226]进行专家审查。此审阅者将确保请求的注册表项符合规定的格式。审核人还将确保条目是信息模型中属性的适当值(第3节)。
The registries to be created are named in the "Registry Name" column of Table 1. Each registry is initially populated with values and descriptions that come from an attribute specified in the IODEF schema (Section 8) whose description is found in a sub-section of the information model (Section 3). The initial values for the Value and Description fields of a given registry are listed in the "IV (Value)" and "IV (Desc.)" columns, respectively. The "IV (Value)" points to a given schema type per Section 8. Each enumerated value in the schema gets a corresponding entry in a given registry. The "IV (Desc.)" points to a section in the text of this document that describes each enumerated value. The initial value of the Reference field of every registry entry described below should be this document.
要创建的注册表在表1的“注册表名”列中命名。每个注册表最初都填充了来自IODEF模式(第8节)中指定的属性的值和描述,该属性的描述可在信息模型(第3节)的子节中找到。给定注册表的Value和Description字段的初始值分别列在“IV(Value)”和“IV(Desc.)”列中。“IV(Value)”根据第8节指向给定的模式类型。架构中的每个枚举值都会在给定注册表中获得相应的条目。“IV(Desc.)”指向本文档文本中描述每个枚举值的部分。下面描述的每个注册表项的引用字段的初始值应为本文档。
+-------------------------+-----------------------------+-----------+
| Registry Name | IV (Value) | IV |
| | | (Desc.) |
+-------------------------+-----------------------------+-----------+
| Restriction | iodef-restriction-type | 3.3.1 |
| | | |
| Incident-purpose | incident-purpose-type | 3.2 |
| | | |
| Incident-status | incident-status-type | 3.2 |
| | | |
| Contact-role | contact-role-type | 3.9 |
| | | |
| Contact-type | contact-type-type | 3.9 |
| | | |
| RegistryHandle-registry | registryhandle-registry- | 3.9.1 |
| | type | |
| | | |
| PostalAddress-type | postaladdress-type-type | 3.9.2 |
| | | |
| Telephone-type | telephone-type-type | 3.9.4 |
| | | |
| Email-type | email-type-type | 3.9.3 |
| | | |
| Expectation-action | action-type | 3.15 |
| | | |
| Discovery-source | discovery-source-type | 3.10 |
| | | |
| SystemImpact-type | systemimpact-type-type | 3.12.1 |
| | | |
| BusinessImpact-severity | businessimpact-severity- | 3.12.2 |
| | type | |
| | | |
| BusinessImpact-type | businessimpact-type-type | 3.12.2 |
| | | |
| TimeImpact-metric | timeimpact-metric-type | 3.12.3 |
| | | |
| TimeImpact-duration | duration-type | 3.12.3 |
| | | |
| Confidence-rating | confidence-rating-type | 3.12.5 |
| | | |
| NodeRole-category | noderole-category-type | 3.18.2 |
| | | |
| System-category | system-category-type | 3.17 |
| | | |
| System-ownership | system-ownership-type | 3.17 |
| | | |
| Address-category | address-category-type | 3.18.1 |
| | | |
+-------------------------+-----------------------------+-----------+
| Registry Name | IV (Value) | IV |
| | | (Desc.) |
+-------------------------+-----------------------------+-----------+
| Restriction | iodef-restriction-type | 3.3.1 |
| | | |
| Incident-purpose | incident-purpose-type | 3.2 |
| | | |
| Incident-status | incident-status-type | 3.2 |
| | | |
| Contact-role | contact-role-type | 3.9 |
| | | |
| Contact-type | contact-type-type | 3.9 |
| | | |
| RegistryHandle-registry | registryhandle-registry- | 3.9.1 |
| | type | |
| | | |
| PostalAddress-type | postaladdress-type-type | 3.9.2 |
| | | |
| Telephone-type | telephone-type-type | 3.9.4 |
| | | |
| Email-type | email-type-type | 3.9.3 |
| | | |
| Expectation-action | action-type | 3.15 |
| | | |
| Discovery-source | discovery-source-type | 3.10 |
| | | |
| SystemImpact-type | systemimpact-type-type | 3.12.1 |
| | | |
| BusinessImpact-severity | businessimpact-severity- | 3.12.2 |
| | type | |
| | | |
| BusinessImpact-type | businessimpact-type-type | 3.12.2 |
| | | |
| TimeImpact-metric | timeimpact-metric-type | 3.12.3 |
| | | |
| TimeImpact-duration | duration-type | 3.12.3 |
| | | |
| Confidence-rating | confidence-rating-type | 3.12.5 |
| | | |
| NodeRole-category | noderole-category-type | 3.18.2 |
| | | |
| System-category | system-category-type | 3.17 |
| | | |
| System-ownership | system-ownership-type | 3.17 |
| | | |
| Address-category | address-category-type | 3.18.1 |
| | | |
| Counter-type | counter-type-type | 3.18.3 |
| | | |
| Counter-unit | counter-unit-type | 3.18.3 |
| | | |
| DomainData-system- | domaindata-system-status- | 3.19 |
| status | type | |
| | | |
| DomainData-domain- | domaindata-domain-status- | 3.19 |
| status | type | |
| | | |
| RecordPattern-type | recordpattern-type-type | 3.22.2 |
| | | |
| RecordPattern- | recordpattern-offsetunit- | 3.22.2 |
| offsetunit | type | |
| | | |
| Key-registryaction | key-registryaction-type | 3.23.1 |
| | | |
| HashData-scope | hashdata-scope-type | 3.26 |
| | | |
| BulkObservable-type | bulkobservable-type-type | 3.29.3.1 |
| | | |
| IndicatorExpression- | indicatorexpression- | 3.29.4 |
| operator | operator-type | |
| | | |
| ExtensionType-dtype | dtype-type | 2.16 |
| | | |
| SoftwareReference-spec- | softwarereference-spec-id- | 2.15.1 |
| id | type | |
| | | |
| SoftwareReference-dtype | softwarereference-dtype- | 2.15.1 |
| | type | |
+-------------------------+-----------------------------+-----------+
| Counter-type | counter-type-type | 3.18.3 |
| | | |
| Counter-unit | counter-unit-type | 3.18.3 |
| | | |
| DomainData-system- | domaindata-system-status- | 3.19 |
| status | type | |
| | | |
| DomainData-domain- | domaindata-domain-status- | 3.19 |
| status | type | |
| | | |
| RecordPattern-type | recordpattern-type-type | 3.22.2 |
| | | |
| RecordPattern- | recordpattern-offsetunit- | 3.22.2 |
| offsetunit | type | |
| | | |
| Key-registryaction | key-registryaction-type | 3.23.1 |
| | | |
| HashData-scope | hashdata-scope-type | 3.26 |
| | | |
| BulkObservable-type | bulkobservable-type-type | 3.29.3.1 |
| | | |
| IndicatorExpression- | indicatorexpression- | 3.29.4 |
| operator | operator-type | |
| | | |
| ExtensionType-dtype | dtype-type | 2.16 |
| | | |
| SoftwareReference-spec- | softwarereference-spec-id- | 2.15.1 |
| id | type | |
| | | |
| SoftwareReference-dtype | softwarereference-dtype- | 2.15.1 |
| | type | |
+-------------------------+-----------------------------+-----------+
Table 1: IANA Enumerated Value Registries
表1:IANA枚举值注册表
IODEF class extensions, per Section 5.2, could register their namespaces and schemas with the IANA XML namespace ("ns" on <http://www.iana.org/assignments/xml-registry/>) and schema registries ("schema" on <http://www.iana.org/assignments/ xml-registry/>) described in [RFC3688]. In addition to any reviews required by IANA, changes to the XML "schema" registry for schema names beginning with "urn:ietf:params:xml:schema:iodef" are subject to an additional IODEF Expert Review [RFC5226] to ensure compatibility with IODEF and other existing IODEF extensions.
根据第5.2节的规定,IODEF类扩展可以将其名称空间和模式注册到上的IANA XML名称空间(“ns”)<http://www.iana.org/assignments/xml-registry/>)和模式注册表(“模式”位于<http://www.iana.org/assignments/ [RFC3688]中描述的xml注册表/>)。除了IANA要求的任何审查外,对以“urn:ietf:params:XML:schema:iodef”开头的模式名称的XML“schema”注册表的更改还需要经过额外的iodef专家审查[RFC5226],以确保与iodef和其他现有iodef扩展兼容。
The IODEF expert(s) for these reviews will be designated by the IETF Security Area Directors.
这些审查的IODEF专家将由IETF安全区域主管指定。
This document obsoletes [RFC6685].
本文件废除了[RFC6685]。
[E.164] ITU Telecommunication Standardization Sector, "The International Public Telecommunication Numbering Plan", ITU-T Recommendation E.164, November 2010.
[E.164]ITU电信标准化部门,“国际公共电信编号计划”,ITU-T建议E.164,2010年11月。
[IANA.Media] IANA, "Media Types", <http://www.iana.org/assignments/media-types/>.
[IANA.Media]IANA,“媒体类型”<http://www.iana.org/assignments/media-types/>.
[IANA.Ports] IANA, "Service Name and Transport Protocol Port Number Registry", <http://www.iana.org/assignments/ service-names-port-numbers/>.
[IANA.Ports]IANA,“服务名称和传输协议端口号注册表”<http://www.iana.org/assignments/ 服务名称端口号/>。
[IANA.Protocols] IANA, "Assigned Internet Protocol Numbers", <http://www.iana.org/assignments/protocol-numbers/>.
[IANA.Protocols]IANA,“分配的互联网协议编号”<http://www.iana.org/assignments/protocol-numbers/>.
[IEEE.POSIX] IEEE, "Information Technology - Portable Operating System Interface (POSIX) Base Specifications, Issue 7", IEEE Std 1003.1-2001, DOI 10.1109/IEEESTD.2009.5393893, September 2009.
[IEEE.POSIX]IEEE,“信息技术-便携式操作系统接口(POSIX)基本规范,第7期”,IEEE标准1003.1-2001,DOI 10.1109/IEEESTD.2009.5393893,2009年9月。
[ISO19770] International Organization for Standardization, "Information technology -- Software asset management -- Part 2: Software identification tag", ISO Standard 19770-2:2015, October 2015.
[ISO19770]国际标准化组织,“信息技术——软件资产管理——第2部分:软件标识标签”,ISO标准19770-2:2015,2015年10月。
[ISO4217] International Organization for Standardization, "Codes for the representation of currencies", ISO 4217:2015, 2015.
[ISO4217]国际标准化组织,“货币表示代码”,ISO 4217:2015,2015。
[NIST.CPE] Cheikes, B., Waltermire, D., and K. Scarfone, "Common Platform Enumeration: Naming Specification Version 2.3", NIST Interagency Report 7695, August 2011, <http://csrc.nist.gov/publications/nistir/ir7695/ NISTIR-7695-CPE-Naming.pdf>.
[NIST.CPE]Cheikes,B.,Waltermire,D.,和K.Scarfone,“公共平台枚举:命名规范版本2.3”,NIST机构间报告76952011年8月<http://csrc.nist.gov/publications/nistir/ir7695/ NISTIR-7695-CPE-Naming.pdf>。
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC2781] Hoffman, P. and F. Yergeau, "UTF-16, an encoding of ISO 10646", RFC 2781, DOI 10.17487/RFC2781, February 2000, <http://www.rfc-editor.org/info/rfc2781>.
[RFC2781]Hoffman,P.和F.Yergeau,“UTF-16,ISO 10646编码”,RFC 2781,DOI 10.17487/RFC2781,2000年2月<http://www.rfc-editor.org/info/rfc2781>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC3629]Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,DOI 10.17487/RFC3629,2003年11月<http://www.rfc-editor.org/info/rfc3629>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, <http://www.rfc-editor.org/info/rfc3688>.
[RFC3688]Mealling,M.,“IETF XML注册表”,BCP 81,RFC 3688,DOI 10.17487/RFC3688,2004年1月<http://www.rfc-editor.org/info/rfc3688>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, <http://www.rfc-editor.org/info/rfc3986>.
[RFC3986]Berners Lee,T.,Fielding,R.,和L.Masinter,“统一资源标识符(URI):通用语法”,STD 66,RFC 3986,DOI 10.17487/RFC3986,2005年1月<http://www.rfc-editor.org/info/rfc3986>.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, DOI 10.17487/RFC4291, February 2006, <http://www.rfc-editor.org/info/rfc4291>.
[RFC4291]Hinden,R.和S.Deering,“IP版本6寻址体系结构”,RFC 4291,DOI 10.17487/RFC42912006年2月<http://www.rfc-editor.org/info/rfc4291>.
[RFC4519] Sciberras, A., Ed., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC 4519, DOI 10.17487/RFC4519, June 2006, <http://www.rfc-editor.org/info/rfc4519>.
[RFC4519]Sciberras,A.,Ed.,“轻量级目录访问协议(LDAP):用户应用程序模式”,RFC 4519,DOI 10.17487/RFC4519,2006年6月<http://www.rfc-editor.org/info/rfc4519>.
[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008, <http://www.rfc-editor.org/info/rfc5322>.
[RFC5322]Resnick,P.,Ed.,“互联网信息格式”,RFC 5322,DOI 10.17487/RFC5322,2008年10月<http://www.rfc-editor.org/info/rfc5322>.
[RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, September 2009, <http://www.rfc-editor.org/info/rfc5646>.
[RFC5646]Phillips,A.,Ed.和M.Davis,Ed.,“识别语言的标签”,BCP 47,RFC 5646,DOI 10.17487/RFC5646,2009年9月<http://www.rfc-editor.org/info/rfc5646>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 Address Text Representation", RFC 5952, DOI 10.17487/RFC5952, August 2010, <http://www.rfc-editor.org/info/rfc5952>.
[RFC5952]Kawamura,S.和M.Kawashima,“IPv6地址文本表示的建议”,RFC 5952,DOI 10.17487/RFC5952,2010年8月<http://www.rfc-editor.org/info/rfc5952>.
[RFC6531] Yao, J. and W. Mao, "SMTP Extension for Internationalized Email", RFC 6531, DOI 10.17487/RFC6531, February 2012, <http://www.rfc-editor.org/info/rfc6531>.
[RFC6531]Yao,J.和W.Mao,“国际化电子邮件的SMTP扩展”,RFC 6531,DOI 10.17487/RFC653112012年2月<http://www.rfc-editor.org/info/rfc6531>.
[RFC7203] Takahashi, T., Landfield, K., and Y. Kadobayashi, "An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information", RFC 7203, DOI 10.17487/RFC7203, April 2014, <http://www.rfc-editor.org/info/rfc7203>.
[RFC7203]Takahashi,T.,Landfield,K.,和Y.Kadobayashi,“结构化网络安全信息的事件对象描述交换格式(IODEF)扩展”,RFC 7203,DOI 10.17487/RFC7203,2014年4月<http://www.rfc-editor.org/info/rfc7203>.
[RFC7495] Montville, A. and D. Black, "Enumeration Reference Format for the Incident Object Description Exchange Format (IODEF)", RFC 7495, DOI 10.17487/RFC7495, March 2015, <http://www.rfc-editor.org/info/rfc7495>.
[RFC7495]蒙特维尔,A.和D.布莱克,“事件对象描述交换格式(IODEF)的枚举参考格式”,RFC 7495,DOI 10.17487/RFC7495,2015年3月<http://www.rfc-editor.org/info/rfc7495>.
[W3C.SCHEMA] Thompson, H., Beech, D., Maloney, M., and N. Mendelsohn, "XML Schema Part 1: Structures Second Edition", W3C Recommendation REC-xmlschema-1-20041028, October 2004, <http://www.w3.org/TR/xmlschema-1/>.
[W3C.SCHEMA]Thompson,H.,Beech,D.,Maloney,M.,和N.Mendelsohn,“XML模式第1部分:结构第二版”,W3C建议REC-xmlschema-1-20041028,2004年10月<http://www.w3.org/TR/xmlschema-1/>.
[W3C.SCHEMA.DTYPES] Biron, P. and A. Malhotra, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation REC-xmlschema-2-20041028, October 2004, <http://www.w3.org/TR/xmlschema-2/>.
[W3C.SCHEMA.DTYPES]Biron,P.和A.Malhotra,“XML模式第2部分:数据类型第二版”,W3C建议REC-xmlschema-2-20041028,2004年10月<http://www.w3.org/TR/xmlschema-2/>.
[W3C.XML] Bray, T., Paoli, J., Sperberg-McQueen, M., Maler, E., and F. Yergeau, "Extensible Markup Language (XML) 1.0 (Fifth Edition)", W3C Recommendation REC-xml-20081126, November 2008, <http://www.w3.org/TR/2008/REC-xml-20081126/>.
[W3C.XML]Bray,T.,Paoli,J.,Sperberg McQueen,M.,Maler,E.,和F.Yergeau,“可扩展标记语言(XML)1.0(第五版)”,W3C建议REC-XML-20081126,2008年11月<http://www.w3.org/TR/2008/REC-xml-20081126/>.
[W3C.XMLNS] Bray, T., Hollander, D., Layman, A., Tobin, R., and H. Thompson, "Namespaces in XML 1.0 (Third Edition)", W3C Recommendation REC-xml-names-20091208, December 2009, <http://www.w3.org/TR/2009/REC-xml-names-20091208/>.
[W3C.XMLNS]Bray,T.,Hollander,D.,Layman,A.,Tobin,R.,和H.Thompson,“XML 1.0中的名称空间(第三版)”,W3C建议REC-XML-names-20091208,2009年12月<http://www.w3.org/TR/2009/REC-xml-names-20091208/>.
[W3C.XMLSIG] Eastlake, D., Reagle, J., Solo, D., Hirsch, F., and T. Roessler, "XML Signature Syntax and Processing (Second Edition)", W3C Recommendation REC-xmldsig-core-20080610, June 2008, <http://www.w3.org/TR/xmldsig-core/>.
[W3C.XMLSIG]Eastlake,D.,Reagle,J.,Solo,D.,Hirsch,F.,和T.Roessler,“XML签名语法和处理(第二版)”,W3C建议REC-xmldsig-core-20080610,2008年6月<http://www.w3.org/TR/xmldsig-core/>.
[W3C.XPATH] Robie, J., Dyck, M., and J. Spiegel, "XML Path Language (XPath) 3.1", W3C Candidate Recommendation CR-xpath-31-20151217, December 2015, <https://www.w3.org/TR/xpath-3/>.
[W3C.XPATH]Robie,J.,Dyck,M.,和J.Spiegel,“XML路径语言(XPATH)3.1”,W3C候选建议CR-XPATH-31-20151217,2015年12月<https://www.w3.org/TR/xpath-3/>.
[KB310516] Microsoft Corporation, "How to add, modify, or delete registry subkeys and values by using a .reg file", September 2013, <https://support.microsoft.com/en-us/kb/310516>.
[KB310516]微软公司,“如何使用.reg文件添加、修改或删除注册表子项和值”,2013年9月<https://support.microsoft.com/en-us/kb/310516>.
[NIST800.61rev2] National Institute of Standards and Technology, "Computer Security Incident Handling Guide", NIST Special Publication 800-61, Revision 2, August 2012, <http://dx.doi.org/10.6028/NIST.SP.800-61r2>.
[NIST800.61rev2]国家标准与技术研究所,《计算机安全事件处理指南》,NIST特别出版物800-61,第2版,2012年8月<http://dx.doi.org/10.6028/NIST.SP.800-61r2>.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/RFC2818, May 2000, <http://www.rfc-editor.org/info/rfc2818>.
[RFC2818]Rescorla,E.,“TLS上的HTTP”,RFC 2818,DOI 10.17487/RFC2818,2000年5月<http://www.rfc-editor.org/info/rfc2818>.
[RFC3982] Newton, A. and M. Sanz, "IRIS: A Domain Registry (dreg) Type for the Internet Registry Information Service (IRIS)", RFC 3982, DOI 10.17487/RFC3982, January 2005, <http://www.rfc-editor.org/info/rfc3982>.
[RFC3982]Newton,A.和M.Sanz,“IRIS:Internet注册表信息服务(IRIS)的域注册表(dreg)类型”,RFC 3982,DOI 10.17487/RFC3982,2005年1月<http://www.rfc-editor.org/info/rfc3982>.
[RFC4180] Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) Files", RFC 4180, DOI 10.17487/RFC4180, October 2005, <http://www.rfc-editor.org/info/rfc4180>.
[RFC4180]Shafranovich,Y,“逗号分隔值(CSV)文件的通用格式和MIME类型”,RFC 4180,DOI 10.17487/RFC4180,2005年10月<http://www.rfc-editor.org/info/rfc4180>.
[RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident Object Description Exchange Format", RFC 5070, DOI 10.17487/RFC5070, December 2007, <http://www.rfc-editor.org/info/rfc5070>.
[RFC5070]Danyliw,R.,Meijer,J.,和Y.Demchenko,“事故对象描述交换格式”,RFC 5070,DOI 10.17487/RFC5070,2007年12月<http://www.rfc-editor.org/info/rfc5070>.
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 5226, DOI 10.17487/RFC5226, May 2008, <http://www.rfc-editor.org/info/rfc5226>.
[RFC5226]Narten,T.和H.Alvestrand,“在RFCs中编写IANA注意事项部分的指南”,BCP 26,RFC 5226,DOI 10.17487/RFC5226,2008年5月<http://www.rfc-editor.org/info/rfc5226>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, <http://www.rfc-editor.org/info/rfc5246>.
[RFC5246]Dierks,T.和E.Rescorla,“传输层安全(TLS)协议版本1.2”,RFC 5246,DOI 10.17487/RFC5246,2008年8月<http://www.rfc-editor.org/info/rfc5246>.
[RFC5901] Cain, P. and D. Jevans, "Extensions to the IODEF-Document Class for Reporting Phishing", RFC 5901, DOI 10.17487/RFC5901, July 2010, <http://www.rfc-editor.org/info/rfc5901>.
[RFC5901]Cain,P.和D.Jevans,“用于报告网络钓鱼的IODEF文档类的扩展”,RFC 5901,DOI 10.17487/RFC5901,2010年7月<http://www.rfc-editor.org/info/rfc5901>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC 6545, DOI 10.17487/RFC6545, April 2012, <http://www.rfc-editor.org/info/rfc6545>.
[RFC6545]Moriarty,K.,“实时网络间防御(RID)”,RFC 6545,DOI 10.17487/RFC65452012年4月<http://www.rfc-editor.org/info/rfc6545>.
[RFC6546] Trammell, B., "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS", RFC 6546, DOI 10.17487/RFC6546, April 2012, <http://www.rfc-editor.org/info/rfc6546>.
[RFC6546]特拉梅尔,B.,“通过HTTP/TLS传输实时网络间防御(RID)消息”,RFC 6546,DOI 10.17487/RFC6546,2012年4月<http://www.rfc-editor.org/info/rfc6546>.
[RFC6685] Trammell, B., "Expert Review for Incident Object Description Exchange Format (IODEF) Extensions in IANA XML Registry", RFC 6685, DOI 10.17487/RFC6685, July 2012, <http://www.rfc-editor.org/info/rfc6685>.
[RFC6685]特拉梅尔,B,“IANA XML注册表中事件对象描述交换格式(IODEF)扩展的专家评审”,RFC 6685,DOI 10.17487/RFC6685,2012年7月<http://www.rfc-editor.org/info/rfc6685>.
[W3C.XMLENC] Eastlake, D., Reagle, J., Solo, D., Hirsch, F., Nystrom, M., Roessler, T., and K. Yiu, "XML Encryption Syntax and Processing Version 1.1", W3C Recommendation REC-xmldsig-core1-20130411, April 2013, <https://www.w3.org/TR/xmlenc-core1/>.
[W3C.XMLENC]伊斯特莱克,D.,雷格尔,J.,索洛,D.,赫希,F.,Nystrom,M.,Roessler,T.,和K.Yiu,“XML加密语法和处理版本1.1”,W3C建议REC-xmldsig-core1-20130411,2013年4月<https://www.w3.org/TR/xmlenc-core1/>.
Acknowledgments
致谢
Thanks to Paul Stoecker for his editorial leadership in the transition of an early draft to the current document.
感谢Paul Stoecker在早期草案向当前文件过渡过程中发挥的编辑领导作用。
Thanks to Kathleen Moriarty, Brian Trammel, Alexey Melnikov, Takeshi Takahashi, David Waltermire, and Sean Turner (as the MILE working group chairs, secretary, and area directors) for providing feedback and coordination of this document.
感谢Kathleen Moriarty、Brian Trammel、Alexey Melnikov、Takeshi Takahashi、David Waltermire和Sean Turner(作为MILE工作组主席、秘书和区域主管)为本文件提供反馈和协调。
Thanks to the following individuals (listed alphabetically) who provided feedback during the meetings, on the mailing list, or through implementation experience: Jerome Athias, David Black, Eric Burger, Toma Cejka, Patrick Curry, John Field, Christopher Harrington, Chris Inacio, Panos Kampanakis, David Misell, Daisuke Miyamoto, Adam Montville, Robert Moskowitz, Lagadec Philippe, Tony Rutkowski, Mio Suzuki, and Nik Teague.
感谢以下在会议期间、邮件列表上或通过实施经验提供反馈的个人(按字母顺序列出):Jerome Athias、David Black、Eric Burger、Toma Cejka、Patrick Curry、John Field、Christopher Harrington、Chris Inacio、Panos Kampanakis、David Misell、Daisuke Miyamoto、Adam Montville、,罗伯特·莫斯科维茨、拉加迪克·菲利普、托尼·鲁特考斯基、米奥·铃木和尼克·蒂格。
Author's Address
作者地址
Roman Danyliw CERT Software Engineering Institute Carnegie Mellon University 4500 Fifth Avenue Pittsburgh, PA United States of America
美国宾夕法尼亚州匹兹堡第五大道4500号卡内基梅隆大学罗曼·达尼略认证软件工程研究所
Email: rdd@cert.org
Email: rdd@cert.org