Network Working Group                                        R. Danyliw
Request for Comments: 5070                                         CERT
Category: Standards Track                                     J. Meijer
                                                                UNINETT
                                                           Y. Demchenko
                                                University of Amsterdam
                                                          December 2007
The Incident Object Description Exchange Format
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Abstract
The Incident Object Description Exchange Format (IODEF) defines a data representation that provides a framework for sharing information commonly exchanged by Computer Security Incident Response Teams (CSIRTs) about computer security incidents. This document describes the information model for the IODEF and provides an associated data model specified with XML Schema.
Table of Contents
   1.  Introduction
       1.1.  Terminology
       1.2.  Notations
       1.3.  About the IODEF Data Model
       1.4.  About the IODEF Implementation
   2.  IODEF Data Types
       2.1.  Integers
       2.2.  Real Numbers
       2.3.  Characters and Strings
       2.4.  Multilingual Strings
       2.5.  Bytes
       2.6.  Hexadecimal Bytes
       2.7.  Enumerated Types
       2.8.  Date-Time Strings
       2.9.  Timezone String
       2.10. Port Lists
       2.11. Postal Address
       2.12. Person or Organization
       2.13. Telephone and Fax Numbers
       2.14. Email String
       2.15. Uniform Resource Locator strings
   3.  The IODEF Data Model
       3.1.  IODEF-Document Class
       3.2.  Incident Class
       3.3.  IncidentID Class
       3.4.  AlternativeID Class
       3.5.  RelatedActivity Class
       3.6.  AdditionalData Class
       3.7.  Contact Class
             3.7.1.  RegistryHandle Class
             3.7.2.  PostalAddress Class
             3.7.3.  Email Class
             3.7.4.  Telephone and Fax Classes
       3.8.  Time Classes
             3.8.1.  StartTime
             3.8.2.  EndTime
             3.8.3.  DetectTime
             3.8.4.  ReportTime
             3.8.5.  DateTime
       3.9.  Method Class
             3.9.1.  Reference Class
       3.10. Assessment Class
             3.10.1. Impact Class
             3.10.2. TimeImpact Class
             3.10.3. MonetaryImpact Class
             3.10.4. Confidence Class
       3.11. History Class
             3.11.1. HistoryItem Class
       3.12. EventData Class
             3.12.1. Relating the Incident and EventData Classes
             3.12.2. Cardinality of EventData
       3.13. Expectation Class
       3.14. Flow Class
       3.15. System Class
       3.16. Node Class
             3.16.1. Counter Class
             3.16.2. Address Class
             3.16.3. NodeRole Class
       3.17. Service Class
             3.17.1. Application Class
       3.18. OperatingSystem Class
       3.19. Record Class
             3.19.1. RecordData Class
             3.19.2. RecordPattern Class
             3.19.3. RecordItem Class
   4.  Processing Considerations
       4.1.  Encoding
       4.2.  IODEF Namespace
       4.3.  Validation
   5.  Extending the IODEF
       5.1.  Extending the Enumerated Values of Attributes
       5.2.  Extending Classes
   6.  Internationalization Issues
   7.  Examples
       7.1.  Worm
       7.2.  Reconnaissance
       7.3.  Bot-Net Reporting
       7.4.  Watch List
   8.  The IODEF Schema
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
       12.1. Normative References
       12.2. Informative References
1.  Introduction

Organizations require help from other parties to mitigate malicious activity targeting their network and to gain insight into potential threats. This coordination might entail working with an ISP to filter attack traffic, contacting a remote site to take down a bot-network, or sharing watch-lists of known malicious IP addresses in a consortium.
The Incident Object Description Exchange Format (IODEF) is a format for representing computer security information commonly exchanged between Computer Security Incident Response Teams (CSIRTs). It provides an XML representation for conveying incident information across administrative domains between parties that have an operational responsibility of remediation or a watch-and-warning over a defined constituency. The data model encodes information about hosts, networks, and the services running on these systems; attack methodology and associated forensic evidence; impact of the activity; and limited approaches for documenting workflow.
The overriding purpose of the IODEF is to enhance the operational capabilities of CSIRTs. Community adoption of the IODEF provides an improved ability to resolve incidents and convey situational awareness by simplifying collaboration and data sharing. This structured format provided by the IODEF allows for:
o increased automation in processing of incident data, since the resources of security analysts to parse free-form textual documents will be reduced;
o decreased effort in normalizing similar data (even when highly structured) from different sources; and
o a common format on which to build interoperable tools for incident handling and subsequent analysis, specifically when data comes from multiple constituencies.
Coordinating with other CSIRTs is not strictly a technical problem. There are numerous procedural, trust, and legal considerations that might prevent an organization from sharing information. The IODEF does not attempt to address them. However, operational implementations of the IODEF will need to consider this broader context.
Sections 3 and 8 specify the IODEF data model with text and an XML schema. The types used by the data model are covered in Section 2. Processing considerations, the handling of extensions, and internationalization issues related to the data model are covered in Sections 4, 5, and 6, respectively. Examples are listed in Section 7. Section 1 provides the background for the IODEF, and Section 9 documents the security considerations.
1.1.  Terminology

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [6].

Definitions for some of the common computer security-related terminology used in this document can be found in Section 2 of [16].
1.2.  Notations

The normative IODEF data model is specified with the text in Section 3 and the XML schema in Section 8. To help in the understanding of the data elements, Section 3 also depicts the underlying information model using Unified Modeling Language (UML). This abstract presentation of the IODEF is not normative.

For clarity in this document, the term "XML document" will be used when referring generically to any instance of an XML document. The term "IODEF document" will be used to refer to specific elements and attributes of the IODEF schema. The terms "class" and "element" will be used interchangeably to reference the corresponding data element in the information model or the data model, respectively.
1.3.  About the IODEF Data Model

The IODEF data model is a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents. A number of considerations were made in the design of the data model.

o The data model serves as a transport format. Therefore, its specific representation is not the optimal representation for on-disk storage, long-term archiving, or in-memory processing.

o As there is no precise, widely agreed upon definition for an incident, the data model does not attempt to dictate one through its implementation. Rather, a broad understanding is assumed in the IODEF that is flexible enough to encompass most operators.

o Describing an incident for all definitions would require an extremely complex data model. Therefore, the IODEF only intends to be a framework to convey commonly exchanged incident information. It ensures that there are ample mechanisms for extensibility to support organization-specific information, and techniques to reference information kept outside of the explicit data model.

o The domain of security analysis is not fully standardized and must rely on free-form textual descriptions. The IODEF attempts to strike a balance between supporting this free-form content, while still allowing automated processing of incident information.

o The IODEF is only one of several security relevant data representations being standardized. Attempts were made to ensure they were complementary. The data model of the Intrusion Detection Message Exchange Format [17] influenced the design of the IODEF.

Further discussion of the desirable properties for the IODEF can be found in the Requirements for the Format for Incident Information Exchange (FINE) [16].
1.4.  About the IODEF Implementation

The IODEF implementation is specified as an Extensible Markup Language (XML) [1] Schema [2] in Section 8.

Implementing the IODEF in XML provides numerous advantages. Its extensibility makes it ideal for specifying a data encoding framework that supports various character encodings. Likewise, the abundance of related technologies (e.g., XSL, XPath, XML-Signature) makes for simplified manipulation. However, XML is fundamentally a text representation, which makes it inherently inefficient when binary data must be embedded or large volumes of data must be exchanged.
2.  IODEF Data Types

The various data elements of the IODEF data model are typed. This section discusses these data types. When possible, native Schema data types were adopted, but for more complicated formats, regular expressions (see Appendix F of [3]) or external standards were used.
2.1.  Integers

An integer is represented by the INTEGER data type. Integer data MUST be encoded in Base 10.

The INTEGER data type is implemented as an "xs:integer" [3] in the schema.
2.2.  Real Numbers

Real (floating-point) attributes are represented by the REAL data type. Real data MUST be encoded in Base 10.

The REAL data type is implemented as an "xs:float" [3] in the schema.
2.3.  Characters and Strings

A single character is represented by the CHARACTER data type. A character string is represented by the STRING data type. Special characters must be encoded using entity references. See Section 4.1.

The CHARACTER and STRING data types are implemented as an "xs:string" [3] in the schema.
2.4.  Multilingual Strings

STRING data that represents multi-character attributes in a language different than the default encoding of the document is of the ML_STRING data type.

The ML_STRING data type is implemented as an "iodef:MLStringType" in the schema.
2.5.  Bytes

A binary octet is represented by the BYTE data type. A sequence of binary octets is represented by the BYTE[] data type. These octets are encoded using base64.

The BYTE data type is implemented as an "xs:base64Binary" [3] in the schema.
2.6.  Hexadecimal Bytes

A binary octet is represented by the HEXBIN (and HEXBIN[]) data type. This octet is encoded as a character tuple consisting of two hexadecimal digits.

The HEXBIN data type is implemented as an "xs:hexBinary" [3] in the schema.
2.7.  Enumerated Types

Enumerated types are represented by the ENUM data type, and consist of an ordered list of acceptable values. Each value has a representative keyword. Within the IODEF schema, the enumerated type keywords are used as attribute values.

The ENUM data type is implemented as a series of "xs:NMTOKEN" in the schema.
2.8.  Date-Time Strings

Date-time strings are represented by the DATETIME data type. Each date-time string identifies a particular instant in time; ranges are not supported.

Date-time strings are formatted according to a subset of ISO 8601:2000 [13] documented in RFC 3339 [12].

The DATETIME data type is implemented as an "xs:dateTime" [3] in the schema.
2.9.  Timezone String

A timezone offset from UTC is represented by the TIMEZONE data type. It is formatted according to the following regular expression: "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]".

The TIMEZONE data type is implemented as an "xs:string" with a regular expression constraint in the schema. This regular expression is identical to the timezone representation implemented in an "xs:dateTime".
2.10.  Port Lists

A list of network ports is represented by the PORTLIST data type. A PORTLIST consists of a comma-separated list of numbers and ranges (N-M means ports N through M, inclusive). It is formatted according to the following regular expression: "\d+(\-\d+)?(,\d+(\-\d+)?)*". For example, "2,5-15,30,32,40-50,55-60".

The PORTLIST data type is implemented as an "xs:string" with a regular expression constraint in the schema.
2.11.  Postal Address

A postal address is represented by the POSTAL data type. This data type is an ML_STRING whose format is documented in Section 2.23 of RFC 4519 [10]. It defines a postal address as a free-form multi-line string separated by the "$" character.

The POSTAL data type is implemented as an "xs:string" in the schema.
2.12.  Person or Organization

The name of an individual or organization is represented by the NAME data type. This data type is an ML_STRING whose format is documented in Section 2.3 of RFC 4519 [10].

The NAME data type is implemented as an "xs:string" in the schema.
2.13.  Telephone and Fax Numbers

A telephone or fax number is represented by the PHONE data type. The format of the PHONE data type is documented in Section 2.35 of RFC 4519 [10].

The PHONE data type is implemented as an "xs:string" in the schema.
2.14.  Email String

An email address is represented by the EMAIL data type. The format of the EMAIL data type is documented in Section 3.4.1 of RFC 2822 [11].

The EMAIL data type is implemented as an "xs:string" in the schema.
2.15.  Uniform Resource Locator strings

A uniform resource locator (URL) is represented by the URL data type. The format of the URL data type is documented in RFC 2396 [8].

The URL data type is implemented as an "xs:anyURI" in the schema.
3.  The IODEF Data Model

In this section, the individual components of the IODEF data model will be discussed in detail. For each class, the semantics will be described and the relationship with other classes will be depicted with UML. When necessary, specific comments will be made about the corresponding definition in the schema in Section 8.
3.1.  IODEF-Document Class

The IODEF-Document class is the top level class in the IODEF data model. All IODEF documents are an instance of this class.

   +-----------------+
   | IODEF-Document  |
   +-----------------+
   | STRING version  |<>--{1..*}--[ Incident ]
   | ENUM lang       |
   | STRING formatid |
   +-----------------+

                  Figure 1: IODEF-Document Class

The aggregate class that constitutes IODEF-Document is:

   Incident
      One or more. The information related to a single incident.

The IODEF-Document class has three attributes:

   version
      Required. STRING. The IODEF specification version number to which this IODEF document conforms. The value of this attribute MUST be "1.00".

   lang
      Required. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.

   formatid
      Optional. STRING. A free-form string to convey processing instructions to the recipient of the document. Its semantics must be negotiated out-of-band.
Every incident is represented by an instance of the Incident class. This class provides a standardized representation for commonly exchanged incident data.
每个事件都由事件类的一个实例表示。此类为常用的交换事件数据提供标准化表示。
+--------------------+ | Incident | +--------------------+ | ENUM purpose |<>----------[ IncidentID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | ENUM lang |<>--{0..1}--[ RelatedActivity ] | ENUM restriction |<>--{0..1}--[ DetectTime ] | |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ EndTime ] | |<>----------[ ReportTime ] | |<>--{0..*}--[ Description ] | |<>--{1..*}--[ Assessment ] | |<>--{0..*}--[ Method ] | |<>--{1..*}--[ Contact ] | |<>--{0..*}--[ EventData ] | |<>--{0..1}--[ History ] | |<>--{0..*}--[ AdditionalData ] +--------------------+
+--------------------+ | Incident | +--------------------+ | ENUM purpose |<>----------[ IncidentID ] | STRING ext-purpose |<>--{0..1}--[ AlternativeID ] | ENUM lang |<>--{0..1}--[ RelatedActivity ] | ENUM restriction |<>--{0..1}--[ DetectTime ] | |<>--{0..1}--[ StartTime ] | |<>--{0..1}--[ EndTime ] | |<>----------[ ReportTime ] | |<>--{0..*}--[ Description ] | |<>--{1..*}--[ Assessment ] | |<>--{0..*}--[ Method ] | |<>--{1..*}--[ Contact ] | |<>--{0..*}--[ EventData ] | |<>--{0..1}--[ History ] | |<>--{0..*}--[ AdditionalData ] +--------------------+
Figure 2: The Incident Class
图2:事件类
The aggregate classes that constitute Incident are:
构成事故的总类包括:
IncidentID One. An incident tracking number assigned to this incident by the CSIRT that generated the IODEF document.
包括一个。由生成IODEF文档的CSIRT分配给此事件的事件跟踪号。
AlternativeID Zero or one. The incident tracking numbers used by other CSIRTs to refer to the incident described in the document.
或者是零或者一。其他CSIRT用于引用文档中描述的事件的事件跟踪号。
RelatedActivity Zero or one. The incident tracking numbers of related incidents.
相关活动0或1。相关事件的事件跟踪编号。
DetectTime Zero or one. The time the incident was first detected.
检测时间为零或一。事件首次被发现的时间。
StartTime Zero or one. The time the incident started.
开始计时零或一。事件开始的时间。
EndTime Zero or one. The time the incident ended.
结束时间0或1。事件结束的时间。
ReportTime One. The time the incident was reported.
第一次报道。事件被报道的时间。
Description Zero or more. ML_STRING. A free-form textual description of the incident.
说明零或更多。ML_字符串。事件的自由形式文本描述。
Assessment One or more. A characterization of the impact of the incident.
评估一个或多个。对事件影响的描述。
Method Zero or more. The techniques used by the intruder in the incident.
方法0或更多。入侵者在事件中使用的技术。
Contact One or more. Contact information for the parties involved in the incident.
EventData Zero or more. Description of the events comprising the incident.
History Zero or one. A log of significant events or actions that occurred during the course of handling the incident.
AdditionalData Zero or more. Mechanism by which to extend the data model.
The Incident class has four attributes:
purpose Required. ENUM. The purpose attribute represents the reason why the IODEF document was created. It is closely related to the Expectation class (Section 3.13). This attribute is defined as an enumerated list:
1. traceback. The document was sent for trace-back purposes.
2. mitigation. The document was sent to request aid in mitigating the described activity.
3. reporting. The document was sent to comply with reporting requirements.
4. other. The document was sent for purposes specified in the Expectation class.
5. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-purpose Optional. STRING. A means by which to extend the purpose attribute. See Section 5.1.
lang Optional. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.
restriction Optional. ENUM. This attribute indicates the disclosure guidelines to which the sender expects the recipient to adhere for the information represented in this class and its children. This guideline provides no security since there are no specified technical means to ensure that the recipient of the document handles the information as the sender requested.
The value of this attribute is logically inherited by the children of this class. That is to say, the disclosure rules applied to this class also apply to its children.
It is possible to set a granular disclosure policy, since all of the high-level classes (i.e., children of the Incident class) have a restriction attribute. Therefore, a child can override the guidelines of a parent class, be it to restrict or relax the disclosure rules (e.g., a child has a weaker policy than an ancestor; or an ancestor has a weak policy, and the children selectively apply more rigid controls). The implicit value of the restriction attribute for a class that did not specify one can be found in the closest ancestor that did specify a value.
This attribute is defined as an enumerated value with a default value of "private". Note that the default value of the restriction attribute is only defined in the context of the Incident class. In other classes where this attribute is used, no default is specified.
1. public. There are no restrictions placed on the information.
2. need-to-know. The information may be shared with other parties that are involved in the incident as determined by the recipient of this document (e.g., multiple victim sites can be informed of each other).
3. private. The information may not be shared.
4. default. The information can be shared according to an information disclosure policy pre-arranged by the communicating parties.
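The inheritance rule for the restriction attribute is easy to get wrong in a consumer, so the following Python is added here as a worked example (it is not part of RFC 5070): it computes the effective restriction of every element in a constructed, namespace-free sample Incident and flags children that relax an ancestor's policy. The strictness ordering public < need-to-know < private used for that check is this example's assumption; "default" refers to an out-of-band agreement and is left unranked.

```python
"""Resolve the effective 'restriction' of every element in a (simplified,
constructed) IODEF Incident, applying the inheritance rule of RFC 5070
Section 3.2: an explicit attribute wins, otherwise the closest ancestor that
set one applies, and only the Incident root defaults to "private".
Namespace declarations are omitted from the sample for brevity.
"""
import xml.etree.ElementTree as ET

RESTRICTION_VALUES = ("public", "need-to-know", "private", "default")
INCIDENT_DEFAULT = "private"
# Ordering used only to spot children that relax an ancestor's policy
# (an assumption of this example); "default" is deliberately unranked.
STRICTNESS = {"public": 0, "need-to-know": 1, "private": 2}

# Constructed sample document (not taken from RFC 5070).
SAMPLE_INCIDENT = """\
<Incident purpose="mitigation" restriction="need-to-know">
  <IncidentID name="csirt.example.com">189493</IncidentID>
  <ReportTime>2007-12-01T10:00:00Z</ReportTime>
  <Assessment>
    <Impact type="dos" lang="en">Web servers unreachable</Impact>
  </Assessment>
  <Contact role="creator" type="organization" restriction="public">
    <ContactName>Example CSIRT</ContactName>
    <Contact role="tech" type="person" restriction="private">
      <ContactName>Analyst on duty</ContactName>
      <Email>analyst@csirt.example.com</Email>
    </Contact>
  </Contact>
  <EventData restriction="default">
    <Description>Flow records</Description>
  </EventData>
</Incident>
"""


def _child_paths(elem, path):
    """Yield (child, child_path); repeated sibling tags get a [n] suffix."""
    counts = {}
    for child in elem:
        counts[child.tag] = counts.get(child.tag, 0) + 1
    seen = {}
    for child in elem:
        if counts[child.tag] > 1:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            yield child, f"{path}/{child.tag}[{seen[child.tag]}]"
        else:
            yield child, f"{path}/{child.tag}"


def effective_restrictions(xml_text):
    """Return {path: effective restriction} for every element of the document."""
    root = ET.fromstring(xml_text)
    if root.tag != "Incident":
        raise ValueError(f"expected an Incident root, got {root.tag!r}")
    result = {}

    def walk(elem, path, inherited):
        own = elem.get("restriction")
        if own is not None and own not in RESTRICTION_VALUES:
            raise ValueError(f"{path}: invalid restriction {own!r}")
        effective = own if own is not None else inherited
        result[path] = effective
        for child, child_path in _child_paths(elem, path):
            walk(child, child_path, effective)

    # Section 3.2: the default "private" exists only for the Incident class.
    walk(root, "Incident", INCIDENT_DEFAULT)
    return result


def relaxations(xml_text):
    """List (path, ancestor_policy, child_policy) for every child whose own
    restriction is weaker than the policy it inherits: the places a reviewer
    should confirm before the document leaves the CSIRT."""
    root = ET.fromstring(xml_text)
    found = []

    def walk(elem, path, inherited):
        own = elem.get("restriction")
        if (own in STRICTNESS and inherited in STRICTNESS
                and STRICTNESS[own] < STRICTNESS[inherited]):
            found.append((path, inherited, own))
        effective = own if own is not None else inherited
        for child, child_path in _child_paths(elem, path):
            walk(child, child_path, effective)

    root_policy = root.get("restriction") or INCIDENT_DEFAULT
    for child, child_path in _child_paths(root, "Incident"):
        walk(child, child_path, root_policy)
    return found
```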
The IncidentID class represents an incident tracking number that is unique in the context of the CSIRT and identifies the activity characterized in an IODEF Document. This identifier would serve as an index into the CSIRT incident handling system. The combination of the name attribute and the string in the element content MUST be a globally unique identifier describing the activity. Documents generated by a given CSIRT MUST NOT reuse the same value unless they are referencing the same incident.
   +------------------+
   | IncidentID       |
   +------------------+
   | STRING           |
   |                  |
   | STRING name      |
   | STRING instance  |
   | ENUM restriction |
   +------------------+
Figure 3: The IncidentID Class
The IncidentID class has three attributes:
name Required. STRING. An identifier describing the CSIRT that created the document. In order to have a globally unique CSIRT name, the fully qualified domain name associated with the CSIRT MUST be used.
instance Optional. STRING. An identifier referencing a subset of the named incident.
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
The AlternativeID class lists the incident tracking numbers used by CSIRTs, other than the one generating the document, to refer to the identical activity described in the IODEF document. A tracking number listed as an AlternativeID references the same incident detected by another CSIRT. The incident tracking numbers of the CSIRT that generated the IODEF document should never be considered an AlternativeID.
   +------------------+
   | AlternativeID    |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ IncidentID ]
   |                  |
   +------------------+
Figure 4: The AlternativeID Class
The aggregate class that constitutes AlternativeID is:
IncidentID One or more. The incident tracking number of another CSIRT.
The AlternativeID class has one attribute:
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
The RelatedActivity class lists either incident tracking numbers of incidents or URLs (not both) that refer to activity related to the one described in the IODEF document. These references may be to local incident tracking numbers or to those of other CSIRTs.
The specifics of how a CSIRT comes to believe that two incidents are related are considered out of scope.
   +------------------+
   | RelatedActivity  |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ IncidentID ]
   |                  |<>--{0..*}--[ URL ]
   +------------------+
Figure 5: RelatedActivity Class
The aggregate classes that constitute RelatedActivity are:
IncidentID One or more. The incident tracking number of a related incident.
URL One or more. URL. A URL to activity related to this incident.
The RelatedActivity class has one attribute:
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5.
Unlike XML, which is self-describing, atomic data must be documented to convey its meaning. This information is described in the 'meaning' attribute. Since these descriptions are outside the scope of the specification, some additional coordination may be required to ensure that a recipient of a document using the AdditionalData classes can make sense of the custom extensions.
   +------------------+
   | AdditionalData   |
   +------------------+
   | ANY              |
   |                  |
   | ENUM dtype       |
   | STRING ext-dtype |
   | STRING meaning   |
   | STRING formatid  |
   | ENUM restriction |
   +------------------+
Figure 6: The AdditionalData Class
The AdditionalData class has five attributes:
dtype Required. ENUM. The data type of the element content. The permitted values for this attribute are shown below. The default value is "string".
1. boolean. The element content is of type BOOLEAN.
2. byte. The element content is of type BYTE.
3. character. The element content is of type CHARACTER.
4. date-time. The element content is of type DATETIME.
5. integer. The element content is of type INTEGER.
6. portlist. The element content is of type PORTLIST.
7. real. The element content is of type REAL.
8. string. The element content is of type STRING.
9. file. The element content is a base64 encoded binary file encoded as a BYTE[] type.
10. frame. The element content is a layer-2 frame encoded as a HEXBIN type.
11. packet. The element content is a layer-3 packet encoded as a HEXBIN type.
12. ipv4-packet. The element content is an IPv4 packet encoded as a HEXBIN type.
13. ipv6-packet. The element content is an IPv6 packet encoded as a HEXBIN type.
14. path. The element content is a file-system path encoded as a STRING type.
15. url. The element content is of type URL.
16. csv. The element content is a comma-separated value (CSV) list per Section 2 of [20] encoded as a STRING type.
17. winreg. The element content is a Windows registry key encoded as a STRING type.
18. xml. The element content is XML (see Section 5).
19. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-dtype Optional. STRING. A means by which to extend the dtype attribute. See Section 5.1.
meaning Optional. STRING. A free-form description of the element content.
formatid Optional. STRING. An identifier referencing the format and semantics of the element content.
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
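Because AdditionalData content is opaque text whose meaning is fixed only by the dtype attribute, a consumer has to decode and validate it per dtype before using it. The Python below is an added example, not code from RFC 5070: the dtype values are the specification's, while the decoder functions and the constructed, namespace-free sample EventData are this example's own.

```python
"""Decode IODEF AdditionalData element content according to its 'dtype'
attribute (RFC 5070 Section 3.6) so a consumer receives the value the sender
declared and rejects content that does not match it. Decoder functions and
the sample document are constructed for this example."""
import base64
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime

def _boolean(text):
    if text in ("true", "1"):
        return True
    if text in ("false", "0"):
        return False
    raise ValueError(f"not an xs:boolean: {text!r}")

def _character(text):
    if len(text) != 1:
        raise ValueError(f"CHARACTER must be a single character: {text!r}")
    return text

def _datetime(text):
    # DATETIME (Section 2.8) is an xs:dateTime; accept the "Z" suffix.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def _portlist(text):
    # PORTLIST (Section 2.10): comma-separated ports and low-high ranges.
    ports = []
    for item in text.split(","):
        low, _, high = item.strip().partition("-")
        lo, hi = int(low), int(high or low)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range {item!r}")
        ports.append((lo, hi))
    return ports

def _hexbin(text):
    # HEXBIN (Section 2.6) and BYTE (Section 2.5): hex-encoded octets.
    return bytes.fromhex("".join(text.split()))

def _csv(text):
    # csv: RFC 4180 records (reference [20]), one list of fields per row.
    return list(csv.reader(io.StringIO(text)))

# One decoder per permitted dtype value; "xml" is handled separately because
# its content is a child element rather than text.
DTYPE_DECODERS = {
    "boolean": _boolean, "byte": _hexbin, "character": _character,
    "date-time": _datetime, "integer": int, "portlist": _portlist,
    "real": float, "string": str, "frame": _hexbin, "packet": _hexbin,
    "ipv4-packet": _hexbin, "ipv6-packet": _hexbin, "path": str,
    "url": str, "csv": _csv, "winreg": str,
    # file: base64-encoded BYTE[]; validate=True rejects stray characters.
    "file": lambda text: base64.b64decode(text, validate=True),
}

def decode_additional_data(elem):
    """Return (meaning, value) for one AdditionalData element. dtype defaults
    to "string"; "ext-value" requires ext-dtype (Section 5.1) and its content
    is returned undecoded, tagged with the extension name."""
    if elem.tag != "AdditionalData":
        raise ValueError(f"expected AdditionalData, got {elem.tag!r}")
    dtype = elem.get("dtype", "string")
    meaning = elem.get("meaning")
    text = (elem.text or "").strip()
    if dtype == "ext-value":
        ext = elem.get("ext-dtype")
        if not ext:
            raise ValueError("dtype='ext-value' without an ext-dtype attribute")
        return meaning, ("ext:" + ext, text)
    if dtype == "xml":
        children = list(elem)
        if len(children) != 1:
            raise ValueError("dtype='xml' requires exactly one child element")
        return meaning, children[0]
    if dtype not in DTYPE_DECODERS:
        raise ValueError(f"unknown dtype {dtype!r}")
    return meaning, DTYPE_DECODERS[dtype](text)

def decode_all(xml_text):
    """Decode every AdditionalData child of the root element in xml_text."""
    root = ET.fromstring(xml_text)
    return [decode_additional_data(e) for e in root if e.tag == "AdditionalData"]

# Constructed sample (not a real capture; IODEF namespace omitted).
SAMPLE_EVENTDATA = """\
<EventData>
  <AdditionalData dtype="integer" meaning="packets observed">42</AdditionalData>
  <AdditionalData dtype="portlist" meaning="targeted ports">22,80,8000-8080</AdditionalData>
  <AdditionalData dtype="ipv4-packet" meaning="first packet">4500001c0001000040117cce7f0000017f000001</AdditionalData>
  <AdditionalData dtype="date-time" meaning="last seen">2007-12-01T10:15:00Z</AdditionalData>
  <AdditionalData dtype="file" meaning="captured sample">aGVsbG8=</AdditionalData>
  <AdditionalData dtype="csv" meaning="ip,count">192.0.2.1,5
192.0.2.2,7</AdditionalData>
  <AdditionalData dtype="ext-value" ext-dtype="vendor-format" meaning="detection">rule-text</AdditionalData>
  <AdditionalData dtype="xml" meaning="vendor block"><v:alert xmlns:v="urn:example:vendor">high</v:alert></AdditionalData>
</EventData>
"""
```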
The Contact class describes contact information for organizations and personnel involved in the incident. This class allows for the naming of the involved party, specifying contact information for them, and identifying their role in the incident.
People and organizations are treated interchangeably as contacts; one can be associated with the other using the recursive definition of the class (the Contact class is aggregated into the Contact class). The 'type' attribute disambiguates the type of contact information being provided.
The inheriting definition of Contact provides a way to relate information without requiring the explicit use of identifiers in the classes or duplication of data. A complete point of contact is derived by a particular traversal from the root Contact class to the leaf Contact class. As such, multiple points of contact might be specified in a single instance of a Contact class. Each child Contact class logically inherits contact information from its ancestors.
   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName ]
   | STRING ext-role  |<>--{0..*}--[ Description ]
   | ENUM type        |<>--{0..*}--[ RegistryHandle ]
   | STRING ext-type  |<>--{0..1}--[ PostalAddress ]
   | ENUM restriction |<>--{0..*}--[ Email ]
   |                  |<>--{0..*}--[ Telephone ]
   |                  |<>--{0..1}--[ Fax ]
   |                  |<>--{0..1}--[ Timezone ]
   |                  |<>--{0..*}--[ Contact ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+
Figure 7: The Contact Class
The aggregate classes that constitute the Contact class are:
ContactName Zero or one. ML_STRING. The name of the contact. The contact may either be an organization or a person. The type attribute disambiguates the semantics.
Description Zero or many. ML_STRING. A free-form description of this contact. In the case of a person, this is often the organizational title of the individual.
RegistryHandle Zero or many. A handle name into the registry of the contact.
PostalAddress Zero or one. The postal address of the contact.
Email Zero or many. The email address of the contact.
Telephone Zero or many. The telephone number of the contact.
Fax Zero or one. The facsimile telephone number of the contact.
Timezone Zero or one. TIMEZONE. The timezone in which the contact resides formatted according to Section 2.9.
Contact Zero or many. A Contact instance contained within another Contact instance inherits the values of the parent(s). This recursive definition can be used to group common data pertaining to multiple points of contact and is especially useful when listing multiple contacts at the same organization.
AdditionalData Zero or many. A mechanism by which to extend the data model.
At least one of the aggregate classes MUST be present in an instance of the Contact class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.
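The root-to-leaf traversal described above, together with the "at least one aggregate class" rule that the schema cannot express, is shown in the following Python, added here as an example and not taken from RFC 5070. The merge rule it applies (a child's single-valued fields replace the ancestor's, multi-valued fields accumulate) and the constructed sample Contact tree are this example's assumptions; the specification states the inheritance but not this precedence.

```python
"""Derive complete points of contact from a nested IODEF Contact tree
(RFC 5070 Section 3.7): every leaf Contact inherits the contact data of its
ancestors, so each root-to-leaf traversal yields one complete point of contact.
Also enforces the "at least one aggregate class" rule the schema cannot express.
The merge rule (child single-valued fields replace, multi-valued accumulate)
and the sample document are this example's assumptions, not RFC 5070 text.
"""
import xml.etree.ElementTree as ET

SINGLE_VALUED = ("ContactName", "PostalAddress", "Fax", "Timezone")
MULTI_VALUED = ("Description", "RegistryHandle", "Email", "Telephone")
AGGREGATES = SINGLE_VALUED + MULTI_VALUED + ("Contact", "AdditionalData")

# Constructed sample: one organization with two people (namespace omitted).
SAMPLE_CONTACT = """\
<Contact role="irt" type="organization">
  <ContactName>Example CSIRT</ContactName>
  <PostalAddress lang="en">1 Example Way, Exampletown</PostalAddress>
  <Telephone meaning="hotline">+1 555 0100</Telephone>
  <Timezone>-05:00</Timezone>
  <Contact role="tech" type="person">
    <ContactName>Alice Analyst</ContactName>
    <Email>alice@csirt.example.com</Email>
  </Contact>
  <Contact role="admin" type="person">
    <ContactName>Bob Manager</ContactName>
    <Email>bob@csirt.example.com</Email>
    <Telephone meaning="direct">+1 555 0101</Telephone>
    <Timezone>+01:00</Timezone>
  </Contact>
</Contact>
"""


def validate_contact(elem):
    """Section 3.7: a Contact MUST contain at least one aggregate class and
    carries the required role and type attributes; the XML Schema does not
    enforce the first rule, so check it here."""
    if elem.tag != "Contact":
        raise ValueError(f"expected Contact, got {elem.tag!r}")
    if elem.get("role") is None or elem.get("type") is None:
        raise ValueError("Contact requires both 'role' and 'type' attributes")
    if not any(child.tag in AGGREGATES for child in elem):
        raise ValueError(f"Contact role={elem.get('role')!r} has no aggregate classes")


def _own_fields(elem):
    """Collect the contact data a single Contact element carries itself."""
    fields = {}
    for child in elem:
        if child.tag in SINGLE_VALUED:
            fields[child.tag] = (child.text or "").strip()
        elif child.tag in MULTI_VALUED:
            fields.setdefault(child.tag, []).append((child.text or "").strip())
    return fields


def _merge(inherited, own):
    """Assumed merge rule: a child's single-valued fields replace the
    ancestor's; multi-valued fields accumulate, ancestor entries first."""
    merged = {k: (list(v) if isinstance(v, list) else v) for k, v in inherited.items()}
    for key, value in own.items():
        if isinstance(value, list):
            merged[key] = merged.get(key, []) + value
        else:
            merged[key] = value
    return merged


def points_of_contact(xml_text):
    """Return one dict per leaf Contact, each carrying role, type and the
    contact data collected along the path from the root Contact."""
    root = ET.fromstring(xml_text)
    results = []

    def walk(elem, inherited):
        validate_contact(elem)
        fields = _merge(inherited, _own_fields(elem))
        children = [c for c in elem if c.tag == "Contact"]
        if not children:
            results.append({"role": elem.get("role"), "type": elem.get("type"), **fields})
        for child in children:
            walk(child, fields)

    walk(root, {})
    return results
```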
The Contact class has five attributes:
role Required. ENUM. Indicates the role the contact fulfills. This attribute is defined as an enumerated list:
1. creator. The entity that generates the document.
2. admin. An administrative contact for a host or network.
3. tech. A technical contact for a host or network.
4. irt. The CSIRT involved in handling the incident.
5. cc. An entity that is to be kept informed about the handling of the incident.
6. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-role Optional. STRING. A means by which to extend the role attribute. See Section 5.1.
type Required. ENUM. Indicates the type of contact being described. This attribute is defined as an enumerated list:
1. person. The information for this contact references an individual.
2. organization. The information for this contact references an organization.
3. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.
restriction Optional. ENUM. This attribute is defined in Section 3.2.
The RegistryHandle class represents a handle into an Internet registry or community-specific database. The handle is specified in the element content and the type attribute specifies the database.
   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+
Figure 8: The RegistryHandle Class
The RegistryHandle class has two attributes:
registry Required. ENUM. The database to which the handle belongs. The default value is 'local'. The possible values are:
1. internic. Internet Network Information Center
2. apnic. Asia Pacific Network Information Center
3. arin. American Registry for Internet Numbers
4. lacnic. Latin-American and Caribbean IP Address Registry
5. ripe. Reseaux IP Europeens
6. afrinic. African Internet Numbers Registry
7. local. A database local to the CSIRT
8. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-registry Optional. STRING. A means by which to extend the registry attribute. See Section 5.1.
The PostalAddress class specifies a postal address formatted according to the POSTAL data type (Section 2.11).
   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | ENUM meaning        |
   | ENUM lang           |
   +---------------------+
Figure 9: The PostalAddress Class
The PostalAddress class has two attributes:
meaning Optional. ENUM. A free-form description of the element content.
lang Required. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.
The Email class specifies an email address formatted according to the EMAIL data type (Section 2.14).
   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+
Figure 10: The Email Class
The Email class has one attribute:
meaning Optional. ENUM. A free-form description of the element content.
The Telephone and Fax classes specify a voice or fax telephone number respectively, and are formatted according to the PHONE data type (Section 2.13).
   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+
Figure 11: The Telephone and Fax Classes
The Telephone class has one attribute:
meaning Optional. ENUM. A free-form description of the element content (e.g., hours of coverage for a given number).
The data model uses five different classes to represent a timestamp. Their definition is identical, but each has a distinct name to convey a difference in semantics.
The element content of each class is a timestamp formatted according to the DATETIME data type (see Section 2.8).
   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+
Figure 12: The Time Classes
The StartTime class represents the time the incident began.
The EndTime class represents the time the incident ended.
The DetectTime class represents the time the first activity of the incident was detected.
The ReportTime class represents the time the incident was reported. This timestamp SHOULD coincide with the time at which the IODEF document is generated.
The DateTime class is a generic representation of a timestamp. Its semantics should be inferred from the parent class in which it is aggregated.
The Method class describes the methodology used by the intruder to perpetrate the events of the incident. This class consists of a list of references describing the attack method and a free-form description of the technique.
   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Reference ]
   |                  |<>--{0..*}--[ Description ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+
Figure 13: The Method Class
The Method class is composed of three aggregate classes:
Reference Zero or many. A reference to a vulnerability, malware sample, advisory, or analysis of an attack technique.
Description Zero or many. ML_STRING. A free-form text description of the methodology used by the intruder.
AdditionalData Zero or many. A mechanism by which to extend the data model.
Either an instance of the Reference or Description class MUST be present.
The Method class has one attribute:
restriction Optional. ENUM. This attribute is defined in Section 3.2.
The Reference class is a reference to a vulnerability, IDS alert, malware sample, advisory, or attack technique. A reference consists of a name, a URL to this reference, and an optional description.
   +------------------+
   | Reference        |
   +------------------+
   |                  |<>----------[ ReferenceName ]
   |                  |<>--{0..*}--[ URL ]
   |                  |<>--{0..*}--[ Description ]
   +------------------+
Figure 14: The Reference Class
The aggregate classes that constitute Reference are:
ReferenceName One. ML_STRING. Name of the reference.
URL Zero or many. URL. A URL associated with the reference.
Description Zero or many. ML_STRING. A free-form text description of this reference.
The Assessment class describes the technical and non-technical repercussions of the incident on the CSIRT's constituency.
This class was derived from the IDMEF [17].
   +------------------+
   | Assessment       |
   +------------------+
   | ENUM occurrence  |<>--{0..*}--[ Impact ]
   | ENUM restriction |<>--{0..*}--[ TimeImpact ]
   |                  |<>--{0..*}--[ MonetaryImpact ]
   |                  |<>--{0..*}--[ Counter ]
   |                  |<>--{0..1}--[ Confidence ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+
Figure 15: Assessment Class
The aggregate classes that constitute Assessment are:
Impact Zero or many. Technical impact of the incident on a network.
TimeImpact Zero or many. Impact of the activity measured with respect to time.
MonetaryImpact Zero or many. Impact of the activity measured with respect to financial loss.
Counter Zero or more. A counter with which to summarize the magnitude of the activity.
Confidence Zero or one. An estimate of confidence in the assessment.
AdditionalData Zero or many. A mechanism by which to extend the data model.
At least one instance of the possible three impact classes (i.e., Impact, TimeImpact, or MonetaryImpact) MUST be present.
The Assessment class has two attributes:
occurrence Optional. ENUM. Specifies whether the assessment is describing actual or potential outcomes. The default is "actual" and is assumed if not specified.
1. actual. This assessment describes activity that has occurred.
2. potential. This assessment describes potential activity that might occur.
restriction Optional. ENUM. This attribute is defined in Section 3.2.
The Impact class allows for categorizing and describing the technical impact of the incident on the network of an organization.
This class is based on the IDMEF [17].
   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+
Figure 16: Impact Class
The element content will be a free-form textual description of the impact.
The Impact class has five attributes:
lang Required. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.
severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
1. low. Low severity
2. medium. Medium severity
3. high. High severity
completion Optional. ENUM. An indication whether the described activity was successful. The permitted values are shown below. There is no default value.
1. failed. The attempted activity was not successful.
2. succeeded. The attempted activity succeeded.
type Required. ENUM. Classifies the malicious activity into incident categories. The permitted values are shown below. The default value is "other".
1. admin. Administrative privileges were attempted.
2. dos. A denial of service was attempted.
3. file. An action that impacts the integrity of a file or database was attempted.
4. info-leak. An attempt was made to exfiltrate information.
5. misconfiguration. An attempt was made to exploit a mis-configuration in a system.
6. policy. Activity violating the site's policy was attempted.
7. recon. Reconnaissance activity was attempted.
8. social-engineering. A social engineering attack was attempted.
9. user. User privileges were attempted.
10. unknown. The classification of this activity is unknown.
11. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.
The TimeImpact class describes the impact of the incident on an organization as a function of time. It provides a way to convey down time and recovery time.
   +---------------------+
   | TimeImpact          |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM severity       |
   | ENUM metric         |
   | STRING ext-metric   |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+
Figure 17: TimeImpact Class
The element content is a positive, floating point (REAL) number specifying a unit of time. The duration and metric attributes will imply the semantics of the element content.
The TimeImpact class has five attributes:
severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
1. low. Low severity
2. medium. Medium severity
3. high. High severity
metric Required. ENUM. Defines the metric in which the time is expressed. The permitted values are shown below. There is no default value.
1. labor. Total staff-time to recover from the activity (e.g., 2 employees working 4 hours each would be 8 hours).
2. elapsed. Elapsed time from the beginning of the recovery to its completion (i.e., wall-clock time).
3. downtime. Duration of time for which some provided service(s) was not available.
4. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-metric Optional. STRING. A means by which to extend the metric attribute. See Section 5.1.
duration Required. ENUM. Defines a unit of time, that when combined with the metric attribute, fully describes a metric of impact that will be conveyed in the element content. The permitted values are shown below. The default value is "hour".
1. second. The unit of the element content is seconds.
2. minute. The unit of the element content is minutes.
3. hour. The unit of the element content is hours.
4. day. The unit of the element content is days.
5. month. The unit of the element content is months.
6. quarter. The unit of the element content is quarters.
7. year. The unit of the element content is years.
8. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-duration Optional. STRING. A means by which to extend the duration attribute. See Section 5.1.
The MonetaryImpact class describes the financial impact of the activity on an organization. For example, this impact may consider losses due to the cost of the investigation or recovery, diminished productivity of the staff, or a tarnished reputation that will affect future opportunities.
   +------------------+
   | MonetaryImpact   |
   +------------------+
   | REAL             |
   |                  |
   | ENUM severity    |
   | STRING currency  |
   +------------------+
Figure 18: MonetaryImpact Class
The element content is a positive, floating point number (REAL) specifying a unit of currency described in the currency attribute.
The MonetaryImpact class has two attributes:
severity Optional. ENUM. An estimate of the relative severity of the activity. The permitted values are shown below. There is no default value.
1. low. Low severity
2. medium. Medium severity
3. high. High severity
currency Required. STRING. Defines the currency in which the monetary impact is expressed. The permitted values are defined in ISO 4217:2001, Codes for the representation of currencies and funds [14]. There is no default value.
The Confidence class represents a best estimate of the validity and accuracy of the described impact (see Section 3.10) of the incident activity. This estimate can be expressed as a category or a numeric calculation.
This class is based upon the IDMEF [17].
   +------------------+
   |    Confidence    |
   +------------------+
   | REAL             |
   |                  |
   | ENUM rating      |
   +------------------+
Figure 19: Confidence Class
The element content expresses a numerical assessment in the confidence of the data when the value of the rating attribute is "numeric". Otherwise, this element should be empty.
The Confidence class has one attribute.
rating Required. ENUM. A rating of the analytical validity of the specified Assessment. The permitted values are shown below. There is no default value.
1. low. Low confidence in the validity.
2. medium. Medium confidence in the validity.
3. high. High confidence in the validity.
4. numeric. The element content contains a number that conveys the confidence of the data. The semantics of this number are outside the scope of this specification.
The History class is a log of the significant events or actions performed by the involved parties during the course of handling the incident.
The level of detail maintained in this log is left up to the discretion of those handling the incident.
   +------------------+
   |     History      |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ HistoryItem ]
   |                  |
   +------------------+
Figure 20: The History Class
The class that constitutes History is:
HistoryItem One or many. Entry in the history log of significant events or actions performed by the involved parties.
The History class has one attribute:
restriction Optional. ENUM. This attribute is defined in Section 3.2.
The HistoryItem class is an entry in the History (Section 3.11) log that documents a particular action or event that occurred in the course of handling the incident. The details of the entry are a free-form description, but each can be categorized with the type attribute.
   +-------------------+
   |    HistoryItem    |
   +-------------------+
   | ENUM restriction  |<>----------[ DateTime ]
   | ENUM action       |<>--{0..1}--[ IncidentId ]
   | STRING ext-action |<>--{0..1}--[ Contact ]
   |                   |<>--{0..*}--[ Description ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+
Figure 21: HistoryItem Class
The aggregate classes that constitute HistoryItem are:
DateTime One. Timestamp of this entry in the history log (e.g., when the action described in the Description was taken).
IncidentID Zero or One. In a history log created by multiple parties, the IncidentID provides a mechanism to specify which CSIRT created a particular entry and references this organization's incident tracking number. When a single organization is maintaining the log, this class can be ignored.
Contact Zero or One. Provides contact information for the person that performed the action documented in this class.
Description Zero or many. ML_STRING. A free-form textual description of the action or event.
AdditionalData Zero or many. A mechanism by which to extend the data model.
The HistoryItem class has three attributes:
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
action Required. ENUM. Classifies a performed action or occurrence documented in this history log entry. As activity will likely have been instigated either through a previously conveyed expectation or internal investigation, this attribute is identical to the category attribute of the Expectation class. The difference is only one of tense. When an action is in this class, it has been completed. See Section 3.13.
ext-action Optional. STRING. A means by which to extend the action attribute. See Section 5.1.
The EventData class describes a particular event of the incident for a given set of hosts or networks. This description includes the systems from which the activity originated and those targeted, an assessment of the techniques used by the intruder, the impact of the activity on the organization, and any forensic evidence discovered.
   +------------------+
   |    EventData     |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Description ]
   |                  |<>--{0..1}--[ DetectTime ]
   |                  |<>--{0..1}--[ StartTime ]
   |                  |<>--{0..1}--[ EndTime ]
   |                  |<>--{0..*}--[ Contact ]
   |                  |<>--{0..1}--[ Assessment ]
   |                  |<>--{0..*}--[ Method ]
   |                  |<>--{0..*}--[ Flow ]
   |                  |<>--{0..*}--[ Expectation ]
   |                  |<>--{0..1}--[ Record ]
   |                  |<>--{0..*}--[ EventData ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+
Figure 22: The EventData Class
The aggregate classes that constitute EventData are:
Description Zero or more. ML_STRING. A free-form textual description of the event.
DetectTime Zero or one. The time the event was detected.
StartTime Zero or one. The time the event started.
EndTime Zero or one. The time the event ended.
Contact Zero or more. Contact information for the parties involved in the event.
Assessment Zero or one. The impact of the event on the target and the actions taken.
Method Zero or more. The technique used by the intruder in the event.
Flow Zero or more. A description of the systems or networks involved.
Expectation Zero or more. The expected action to be performed by the recipient for the described event.
Record Zero or one. Supportive data (e.g., log files) that provides additional information about the event.
EventData Zero or more. EventData instances contained within another EventData instance inherit the values of the parent(s); this recursive definition can be used to group common data pertaining to multiple events. When EventData elements are defined recursively, only the leaf instances (those EventData instances not containing other EventData instances) represent actual events.
AdditionalData Zero or more. An extension mechanism for data not explicitly represented in the data model.
At least one of the aggregate classes MUST be present in an instance of the EventData class. This is not enforced in the IODEF schema as there is no simple way to accomplish it.
The EventData class has one attribute:
restriction Optional. ENUM. This attribute is defined in Section 3.2.
There is substantial overlap in the Incident and EventData classes. Nevertheless, the semantics of these classes are quite different. The Incident class provides summary information about the entire incident, while the EventData class provides information about the individual events comprising the incident. In the most common case, the EventData class will provide more specific information for the general description provided in the Incident class. However, it may also be possible that the overall summarized information about the incident conflicts with some individual information in an EventData class when there is a substantial composition of various events in the incident. In such a case, the interpretation of the more specific EventData MUST supersede the more generic information provided in IncidentData.
The EventData class can be thought of as a container for the properties of an event in an incident. These properties include: the hosts involved, impact of the incident activity on the hosts, forensic logs, etc. With an instance of the EventData class, hosts (i.e., System class) are grouped around these common properties.
The recursive definition (or instance property inheritance) of the EventData class (the EventData class is aggregated into the EventData class) provides a way to relate information without requiring the explicit use of unique attribute identifiers in the classes or duplicating information. Instead, the relative depth (nesting) of a class is used to group (relate) information.
For example, an EventData class might be used to describe two machines involved in an incident. This description can be achieved using multiple instances of the Flow class. It happens that there is a common technical contact (i.e., Contact class) for these two machines, but the impact (i.e., Assessment class) on them is different. A depiction of the representation for this situation can be found in Figure 23.
   +------------------+
   |    EventData     |
   +------------------+
   |                  |<>----[ Contact ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData ]<>----[ Flow ]
   |                  |      [           ]<>----[ Assessment ]
   +------------------+
Figure 23: Recursion in the EventData Class
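The recursion of Figure 23 in working code, as an added example that is not part of RFC 5070: it resolves nested EventData into the leaf events that represent actual activity, carrying parent properties down to each leaf, and checks the rule above that every EventData instance carries at least one aggregate class (which the schema does not enforce). The sample document, its IncidentID and addresses are constructed; the inheritance rule applied (single-valued classes such as Assessment are overridden by the nearer definition, multi-valued ones such as Contact accumulate) is this example's reading of "inherit the values of the parent(s)".

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF 1.0 namespace


def q(tag):
    """Qualify an IODEF element name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


# Aggregate classes of EventData (Figure 22) that nested EventData inherit.
AGGREGATES = ("Description", "DetectTime", "StartTime", "EndTime", "Contact",
              "Assessment", "Method", "Flow", "Expectation", "Record",
              "AdditionalData")
# "Zero or one" classes: the deeper (more specific) definition supersedes.
SINGLE = {"DetectTime", "StartTime", "EndTime", "Assessment", "Record"}

# Constructed sample with the shape of Figure 23 (placeholder names/addresses).
SAMPLE = f"""<IODEF-Document version="1.00" xmlns="{NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">EX-0001</IncidentID>
    <ReportTime>2007-12-01T10:00:00Z</ReportTime>
    <EventData>
      <Contact type="person" role="tech">
        <ContactName>Shared Admin</ContactName>
      </Contact>
      <EventData>
        <Assessment><Impact type="dos" severity="high"/></Assessment>
        <Flow><System category="target"><Node>
          <Address category="ipv4-addr">192.0.2.10</Address>
        </Node></System></Flow>
      </EventData>
      <EventData>
        <Assessment><Impact type="recon" severity="low"/></Assessment>
        <Flow><System category="target"><Node>
          <Address category="ipv4-addr">192.0.2.11</Address>
        </Node></System></Flow>
      </EventData>
    </EventData>
  </Incident>
</IODEF-Document>"""

# Constructed sample that breaks the "at least one aggregate class" rule.
BAD_SAMPLE = f"""<IODEF-Document version="1.00" xmlns="{NS}">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">EX-0002</IncidentID>
    <ReportTime>2007-12-01T10:00:00Z</ReportTime>
    <EventData/>
  </Incident>
</IODEF-Document>"""


def eventdata_rule_violations(xml_text):
    """Count EventData instances with no aggregate class (schema cannot)."""
    allowed = {q(n) for n in AGGREGATES + ("EventData",)}
    root = ET.fromstring(xml_text)
    return sum(1 for ed in root.iter(q("EventData"))
               if not any(child.tag in allowed for child in ed))


def leaf_events(ed, inherited=None):
    """Yield (leaf EventData, effective properties) for the subtree at ed."""
    effective = dict(inherited or {})
    for name in AGGREGATES:
        own = ed.findall(q(name))
        if not own:
            continue
        if name in SINGLE or name not in effective:
            effective[name] = own            # override or first definition
        else:
            effective[name] = effective[name] + own   # accumulate
    nested = ed.findall(q("EventData"))
    if not nested:
        yield ed, effective                  # a leaf: an actual event
        return
    for child in nested:                     # non-leaf: only groups data
        yield from leaf_events(child, effective)


def summarize_incident(xml_text):
    """One record per actual event: addresses, impact severity, contacts."""
    if eventdata_rule_violations(xml_text):
        raise ValueError("EventData without any aggregate class")
    root = ET.fromstring(xml_text)
    rows = []
    for incident in root.findall(q("Incident")):
        for top in incident.findall(q("EventData")):
            for _leaf, eff in leaf_events(top):
                rows.append({
                    "addresses": [a.text for f in eff.get("Flow", [])
                                  for a in f.iter(q("Address"))],
                    "severity": [i.get("severity") for a in eff.get("Assessment", [])
                                 for i in a.findall(q("Impact"))],
                    "contacts": [n.text for c in eff.get("Contact", [])
                                 for n in c.findall(q("ContactName"))],
                })
    return rows
```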
The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. The scope of the requested action is limited to the purview of the EventData class in which this class is aggregated.
   +-------------------+
   |    Expectation    |
   +-------------------+
   | ENUM restriction  |<>--{0..*}--[ Description ]
   | ENUM severity     |<>--{0..1}--[ StartTime ]
   | ENUM action       |<>--{0..1}--[ EndTime ]
   | STRING ext-action |<>--{0..1}--[ Contact ]
   +-------------------+
Figure 24: The Expectation Class
The aggregate classes that constitute Expectation are:
Description Zero or many. ML_STRING. A free-form description of the desired action(s).
StartTime Zero or one. The time at which the action should be performed. A timestamp that is earlier than the ReportTime specified in the Incident class denotes that the expectation should be fulfilled as soon as possible. The absence of this element leaves the execution of the expectation to the discretion of the recipient.
EndTime Zero or one. The time by which the action should be completed. If the action is not carried out by this time, it should no longer be performed.
Contact Zero or one. The expected actor for the action.
The Expectations class has four attributes:
restriction Optional. ENUM. This attribute is defined in Section 3.2.
severity Optional. ENUM. Indicates the desired priority of the action. This attribute is an enumerated list with no default value, and the semantics of these relative measures are context dependent.
1. low. Low priority
2. medium. Medium priority
3. high. High priority
action Optional. ENUM. Classifies the type of action requested. This attribute is an enumerated list with no default value.
1. nothing. No action is requested. Do nothing with the information.
2. contact-source-site. Contact the site(s) identified as the source of the activity.
3. contact-target-site. Contact the site(s) identified as the target of the activity.
4. contact-sender. Contact the originator of the document.
5. investigate. Investigate the system(s) listed in the event.
6. block-host. Block traffic from the machine(s) listed as sources in the event.
7. block-network. Block traffic from the network(s) listed as sources in the event.
8. block-port. Block the port listed as sources in the event.
9. rate-limit-host. Rate-limit the traffic from the machine(s) listed as sources in the event.
10. rate-limit-network. Rate-limit the traffic from the network(s) listed as sources in the event.
11. rate-limit-port. Rate-limit the port(s) listed as sources in the event.
12. remediate-other. Remediate the activity in a way other than by rate limiting or blocking.
13. status-triage. Conveys receipt and the triaging of an incident.
14. status-new-info. Conveys that new information was received for this incident.
15. other. Perform some custom action described in the Description class.
16. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-action Optional. STRING. A means by which to extend the action attribute. See Section 5.1.
The Flow class groups related source and target hosts.
   +------------------+
   |       Flow       |
   +------------------+
   |                  |<>--{1..*}--[ System ]
   +------------------+
Figure 25: The Flow Class
The aggregate class that constitutes Flow is:
System One or More. A host or network involved in an event.
The Flow class has no attributes.
The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of "target" or "intermediary", the machine or service is the one targeted in the activity. A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.
   +---------------------+
   |       System        |
   +---------------------+
   | ENUM restriction    |<>----------[ Node ]
   | ENUM category       |<>--{0..*}--[ Service ]
   | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
   | STRING interface    |<>--{0..*}--[ Counter ]
   | ENUM spoofed        |<>--{0..*}--[ Description ]
   |                     |<>--{0..*}--[ AdditionalData ]
   +---------------------+
Figure 26: The System Class
The aggregate classes that constitute System are:
Node One. A host or network involved in the incident.
Service Zero or more. A network service running on the system.
OperatingSystem Zero or one. The operating system running on the system.
Counter Zero or more. A counter with which to summarize properties of this host or network.
Description Zero or more. ML_STRING. A free-form text description of the System.
AdditionalData Zero or many. A mechanism by which to extend the data model.
The System class has five attributes:
restriction Optional. ENUM. This attribute is defined in Section 3.2.
category Required. ENUM. Classifies the role the host or network played in the incident. The possible values are:
1. source. The System was the source of the event.
2. target. The System was the target of the event.
3. intermediate. The System was an intermediary in the event.
4. sensor. The System was a sensor monitoring the event.
5. infrastructure. The System was an infrastructure node of IODEF document exchange.
6. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-category Optional. STRING. A means by which to extend the category attribute. See Section 5.1.
interface Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.
spoofed Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".
1. unknown. The accuracy of the category attribute value is unknown.
2. yes. The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
3. no. The category attribute value is believed to be correct.
The Node class names a system (e.g., PC, router) or network.
This class was derived from the IDMEF [17].
   +---------------+
   |     Node      |
   +---------------+
   |               |<>--{0..*}--[ NodeName ]
   |               |<>--{0..*}--[ Address ]
   |               |<>--{0..1}--[ Location ]
   |               |<>--{0..1}--[ DateTime ]
   |               |<>--{0..*}--[ NodeRole ]
   |               |<>--{0..*}--[ Counter ]
   +---------------+
Figure 27: The Node Class
The aggregate classes that constitute Node are:
NodeName Zero or more. ML_STRING. The name of the Node (e.g., fully qualified domain name). This information MUST be provided if no Address information is given.
Address Zero or more. The hardware, network, or application address of the Node. If a NodeName is not provided, at least one Address MUST be specified.
Location Zero or one. ML_STRING. A free-form description of the physical location of the equipment.
DateTime Zero or one. A timestamp of when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and NodeName are specified.
NodeRole Zero or more. The intended purpose of the Node.
Counter Zero or more. A counter with which to summarize properties of this host or network.
The Counter class summarizes multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events).
The value of the counter is the element content with its units represented in the type attribute. A rate for a given feature can be expressed by setting the duration attribute. The complete semantics are entirely context dependent based on the class in which the Counter is aggregated.
   +---------------------+
   |       Counter       |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+
Figure 28: The Counter Class
The Counter class has three attributes:
type Required. ENUM. Specifies the units of the element content.
1. byte. Count of bytes.
2. packet. Count of packets.
3. flow. Count of flow (e.g., NetFlow records).
4. session. Count of sessions.
5. alert. Count of notifications generated by another system (e.g., IDS or SIM).
6. message. Count of messages (e.g., mail messages).
7. event. Count of events.
8. host. Count of hosts.
9. site. Count of site.
10. organization. Count of organizations.
11. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.
duration Optional. ENUM. If present, the Counter class represents a rate rather than a count over the entire event. In that case, this attribute specifies the denominator of the rate (where the type attribute specifies the numerator). The possible values of this attribute are defined in Section 3.10.2.
ext-duration Optional. STRING. A means by which to extend the duration attribute. See Section 5.1.
The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.
This class was derived from the IDMEF [17].
   +---------------------+
   |       Address       |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | STRING vlan-name    |
   | INTEGER vlan-num    |
   +---------------------+
Figure 29: The Address Class
The Address class has four attributes:
category Required. ENUM. The type of address represented. The permitted values for this attribute are shown below. The default value is "ipv4-addr".
1. asn. Autonomous System Number
2. atm. Asynchronous Transfer Mode (ATM) address
3. e-mail. Electronic mail address (RFC 822)
4. ipv4-addr. IPv4 host address in dotted-decimal notation (a.b.c.d)
5. ipv4-net. IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
6. ipv4-net-mask. IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
7. ipv6-addr. IPv6 host address
8. ipv6-net. IPv6 network address, slash, significant bits
9. ipv6-net-mask. IPv6 network address, slash, network mask
10. mac. Media Access Control (MAC) address
11. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-category Optional. STRING. A means by which to extend the category attribute. See Section 5.1.
vlan-name Optional. STRING. The name of the Virtual LAN to which the address belongs.
vlan-num Optional. STRING. The number of the Virtual LAN to which the address belongs.
The NodeRole class describes the intended function performed by a particular host.
   +---------------------+
   |      NodeRole       |
   +---------------------+
   | ENUM category       |
   | STRING ext-category |
   | ENUM lang           |
   +---------------------+
Figure 30: The NodeRole Class
The NodeRole class has three attributes:
category Required. ENUM. Functionality provided by a node.
1. client. Client computer
2. server-internal. Server with internal services
3. server-public. Server with public services
4. www. WWW server
5. mail. Mail server
6. messaging. Messaging server (e.g., NNTP, IRC, IM)
7. streaming. Streaming-media server
8. voice. Voice server (e.g., SIP, H.323)
9. file. File server (e.g., SMB, CVS, AFS)
10. ftp. FTP server
11. p2p. Peer-to-peer node
12. name. Name server (e.g., DNS, WINS)
13. directory. Directory server (e.g., LDAP, finger, whois)
14. credential. Credential server (e.g., domain controller, Kerberos)
15. print. Print server
16. application. Application server
17. database. Database server
18. infra. Infrastructure server (e.g., router, firewall, DHCP)
19. log. Logserver (e.g., syslog)
20. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-category Optional. STRING. A means by which to extend the category attribute. See Section 5.1.
lang Required. ENUM. A valid language code per RFC 4646 [7] constrained by the definition of "xs:language". The interpretation of this code is described in Section 6.
The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port.
When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating. Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.
This class was derived from the IDMEF [17].
   +---------------------+
   |       Service       |
   +---------------------+
   | INTEGER ip_protocol |<>--{0..1}--[ Port ]
   |                     |<>--{0..1}--[ Portlist ]
   |                     |<>--{0..1}--[ ProtoCode ]
   |                     |<>--{0..1}--[ ProtoType ]
   |                     |<>--{0..1}--[ ProtoFlags ]
   |                     |<>--{0..1}--[ Application ]
   +---------------------+
Figure 31: The Service Class
The aggregate classes that constitute Service are:
Port Zero or one. INTEGER. A port number.
Portlist Zero or one. PORTLIST. A list of port numbers formatted according to Section 2.10.
ProtoCode Zero or one. INTEGER. A layer-4 protocol-specific code field (e.g., ICMP code field).
ProtoType Zero or one. INTEGER. A layer-4 protocol specific type field (e.g., ICMP type field).
ProtoFlags Zero or one. INTEGER. A layer-4 protocol specific flag field (e.g., TCP flag field).
Application Zero or more. The application bound to the specified Port or Portlist.
Either a Port or Portlist class MUST be specified for a given instance of a Service class.
For a given source, System@type="source", a corresponding target, System@type="target", may be defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n-ports are listed for a source, n-ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many cases, the exact order in which the System classes are enumerated in the Flow class is significant.
The Service class has one attribute:
ip_protocol Required. INTEGER. The IANA protocol number.
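The port symmetry rule for source and target Services in a Flow, as an added example that is not part of RFC 5070: it expands the PORTLIST type of Section 2.10 (comma-separated port numbers and inclusive N-M ranges), pairs the n-th source port with the n-th target port, and rejects a Flow whose port lists differ in length. The text above writes System@type; the role of a System is carried by its category attribute as defined in the System class, which is what the example reads. The Flow documents and their addresses are constructed, and the pairing of every source System with every target System in enumeration order is this example's reading of the 1-to-many case.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF 1.0 namespace


def q(tag):
    """Qualify an IODEF element name for ElementTree lookups."""
    return f"{{{NS}}}{tag}"


def expand_portlist(text):
    """Expand a PORTLIST ("6667-6669,6697" -> [6667, 6668, 6669, 6697])."""
    ports = []
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        start = int(lo)
        end = int(hi) if sep else start      # a bare number is a range of one
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"invalid PORTLIST item {item!r}")
        ports.extend(range(start, end + 1))
    return ports


def service_ports(system):
    """(ip_protocol, port) for every Service of a System, in listed order."""
    out = []
    for svc in system.findall(q("Service")):
        proto = int(svc.get("ip_protocol"))
        port = svc.find(q("Port"))
        plist = svc.find(q("Portlist"))
        if port is None and plist is None:
            raise ValueError("Service MUST carry a Port or a Portlist")
        ports = [int(port.text)] if port is not None else expand_portlist(plist.text)
        out.extend((proto, p) for p in ports)
    return out


def flow_port_pairs(xml_text):
    """Apply the symmetry rule to a Flow; return
    (ip_protocol, source address, source port, target address, target port)."""
    flow = ET.fromstring(xml_text)
    systems = flow.findall(q("System"))
    sources = [s for s in systems if s.get("category") == "source"]
    targets = [s for s in systems if s.get("category") == "target"]
    pairs = []
    for src in sources:
        src_addr = src.find(q("Node")).find(q("Address")).text
        src_ports = service_ports(src)
        for dst in targets:
            dst_addr = dst.find(q("Node")).find(q("Address")).text
            dst_ports = service_ports(dst)
            if len(src_ports) != len(dst_ports):
                raise ValueError(f"asymmetric port lists: {len(src_ports)} "
                                 f"source vs {len(dst_ports)} target ports")
            for (sproto, sport), (dproto, dport) in zip(src_ports, dst_ports):
                if sproto != dproto:
                    raise ValueError("ip_protocol differs between source and target")
                pairs.append((sproto, src_addr, sport, dst_addr, dport))
    return pairs


def is_symmetric(xml_text):
    """True when the Flow satisfies the port symmetry rule."""
    try:
        flow_port_pairs(xml_text)
        return True
    except ValueError:
        return False


# Constructed Flow: three source ports pair with three target ports.
GOOD_FLOW = f"""<Flow xmlns="{NS}">
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.1</Address></Node>
    <Service ip_protocol="6"><Portlist>40000-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><Address category="ipv4-addr">198.51.100.5</Address></Node>
    <Service ip_protocol="6"><Portlist>22,80,443</Portlist></Service>
  </System>
</Flow>"""

# Constructed Flow that violates the rule: two source ports, three target ports.
BAD_FLOW = GOOD_FLOW.replace("40000-40002", "40000-40001")
```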
The Application class describes an application running on a System providing a Service.
      +--------------------+
      | Application        |
      +--------------------+
      | STRING swid        |<>--{0..1}--[ URL ]
      | STRING configid    |
      | STRING vendor      |
      | STRING family      |
      | STRING name        |
      | STRING version     |
      | STRING patch       |
      +--------------------+
Figure 32: The Application Class
The aggregate class that constitutes Application is:
URL Zero or one. URL. A URL describing the application.
The Application class has seven attributes:
swid Optional. STRING. An identifier that can be used to reference this software.
configid Optional. STRING. An identifier that can be used to reference a particular configuration of this software.
vendor Optional. STRING. Vendor name of the software.
family Optional. STRING. Family of the software.
name Optional. STRING. Name of the software.
version Optional. STRING. Version of the software.
patch Optional. STRING. Patch or service pack level of the software.
The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class (Section 3.17.1).
The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs should substantiate the activity described in the document.
      +------------------+
      | Record           |
      +------------------+
      | ENUM restriction |<>--{1..*}--[ RecordData ]
      +------------------+
Figure 33: Record Class
The aggregate class that constitutes Record is:
RecordData One or more. Log or audit data generated by a particular type of sensor. Separate instances of the RecordData class SHOULD be used for each sensor type.
The Record class has one attribute:
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
The RecordData class groups log or audit data from a given sensor (e.g., IDS, firewall log) and provides a way to annotate the output.
      +------------------+
      | RecordData       |
      +------------------+
      | ENUM restriction |<>--{0..1}--[ DateTime ]
      |                  |<>--{0..*}--[ Description ]
      |                  |<>--{0..1}--[ Application ]
      |                  |<>--{0..*}--[ RecordPattern ]
      |                  |<>--{1..*}--[ RecordItem ]
      |                  |<>--{0..*}--[ AdditionalData ]
      +------------------+
Figure 34: The RecordData Class
The aggregate classes that constitute RecordData are:
DateTime Zero or one. Timestamp of the RecordItem data.
Description Zero or more. ML_STRING. Free-form textual description of the provided RecordItem data. At minimum, this description should convey the significance of the provided RecordItem data.
Application Zero or one. Information about the sensor used to generate the RecordItem data.
RecordPattern Zero or more. A search string to precisely find the relevant data in a RecordItem.
RecordItem One or more. Log, audit, or forensic data.
AdditionalData Zero or more. An extension mechanism for data not explicitly represented in the data model.
The RecordData class has one attribute:
restriction Optional. ENUM. This attribute has been defined in Section 3.2.
The RecordPattern class describes where in the content of the RecordItem relevant information can be found. It provides a way to reference subsets of information, identified by a pattern, in a large log file, audit trail, or forensic data.
      +-----------------------+
      | RecordPattern         |
      +-----------------------+
      | STRING                |
      |                       |
      | ENUM type             |
      | STRING ext-type       |
      | INTEGER offset        |
      | ENUM offsetunit       |
      | STRING ext-offsetunit |
      | INTEGER instance      |
      +-----------------------+
Figure 35: The RecordPattern Class
The specific pattern to search with in the RecordItem is defined in the body of the element. It is further annotated by six attributes:
type Required. ENUM. Describes the type of pattern being specified in the element content. The default is "regex".
1. regex. Regular expression, per Appendix F of [3].
2. binary. Hexadecimal-encoded binary pattern, per the HEXBIN data type (Section 2.6).
3. xpath. XML Path (XPath) [5].
4. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-type Optional. STRING. A means by which to extend the type attribute. See Section 5.1.
offset Optional. INTEGER. Amount of units (determined by the offsetunit attribute) to seek into the RecordItem data before matching the pattern.
offsetunit Optional. ENUM. Describes the units of the offset attribute. The default is "line".
1. line. Offset is a count of lines.
2. binary. Offset is a count of bytes.
3. ext-value. An escape value used to extend this attribute. See Section 5.1.
ext-offsetunit Optional. STRING. A means by which to extend the offsetunit attribute. See Section 5.1.
instance Optional. INTEGER. Number of times to apply the specified pattern.
The RecordItem class provides a way to incorporate relevant logs, audit trails, or forensic data to support the conclusions made during the course of analyzing the incident. The class supports the direct encapsulation of the data and also provides primitives to reference data stored elsewhere.
This class is identical to the AdditionalData class (Section 3.6).
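A RecordPattern only says where to look; the consuming parser has to apply it. The Python below is an added worked example, not code from this specification or from any IODEF implementation, showing one reading of the offset, offsetunit and instance attributes against a RecordItem of dtype "string": the data is first advanced by offset lines or bytes, the pattern (a regular expression, or a HEXBIN byte string when type="binary") is then matched, and at most instance matches are reported. The three log lines are constructed for the example; reading instance as a limit on the number of matches is an assumption, since the text says no more than "number of times to apply the pattern". XPath patterns, which apply to XML-valued RecordItems, are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed RecordItem content (dtype="string"): three web-server log lines in the
# style of the Code Red report in the examples section. Not real traffic.
SAMPLE_RECORD_ITEM = (
    '192.0.2.1 - - [13/Sep/2001:18:11:20 +0200] "GET /index.html HTTP/1.0" 200 512\n'
    '192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 0\n'
    '192.0.2.7 - - [13/Sep/2001:18:11:25 +0200] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 0\n'
)


@dataclass
class RecordPattern:
    """Element content (`pattern`) plus the attributes of the RecordPattern class."""
    pattern: str
    type: str = "regex"             # "regex" | "binary"; "xpath" is not handled here
    offset: int = 0
    offsetunit: str = "line"        # "line" | "binary"
    instance: Optional[int] = None  # assumption: report at most this many matches


def seek(data: bytes, offset: int, offsetunit: str) -> bytes:
    """Skip `offset` units of RecordItem data before matching (offset/offsetunit)."""
    if offset < 0:
        raise ValueError("offset must not be negative")
    if offsetunit == "binary":
        return data[offset:]
    if offsetunit == "line":
        return b"\n".join(data.split(b"\n")[offset:])
    raise ValueError(f"offsetunit {offsetunit!r} needs local handling (ext-offsetunit)")


def apply_record_pattern(record_item: str, rp: RecordPattern) -> List[Tuple[int, bytes]]:
    """Return (position, matched bytes) pairs; positions count from the seek point."""
    haystack = seek(record_item.encode("utf-8"), rp.offset, rp.offsetunit)
    if rp.type == "regex":
        # Appendix F of XML Schema defines the regex dialect; it differs from Python's re
        # in details, but simple patterns like the one below behave the same.
        hits = [(m.start(), m.group(0))
                for m in re.finditer(rp.pattern.encode("utf-8"), haystack)]
    elif rp.type == "binary":
        needle = bytes.fromhex(rp.pattern)  # HEXBIN: two hex digits per byte
        hits, pos = [], haystack.find(needle)
        while pos != -1:
            hits.append((pos, needle))
            pos = haystack.find(needle, pos + 1)
    else:
        raise ValueError(f"pattern type {rp.type!r} not handled here")
    return hits if rp.instance is None else hits[: rp.instance]
```

With the sample above, the regex `default\.ida\?X+` finds both probe lines; the same pattern with offset=2 (two lines skipped) finds only the last one, and instance=1 stops after the first. A type="binary" pattern of "474554" (the bytes of "GET") is found once per line.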
This section defines additional requirements on creating and parsing IODEF documents.
Every IODEF document MUST begin with an XML declaration, and MUST specify the XML version used. If UTF-8 encoding is not used, the character encoding MUST also be explicitly specified. The IODEF conforms to all XML data encoding conventions and constraints.
The XML declaration with no character encoding will read as follows:
<?xml version="1.0" ?>
When a character encoding is specified, the XML declaration will read like the following:
<?xml version="1.0" encoding="charset" ?>
Where "charset" is the name of the character encoding as registered with the Internet Assigned Numbers Authority (IANA), see [9].
The following characters have special meaning in XML and MUST be escaped with their entity reference equivalent: "&", "<", ">", the double quotation mark ("), and the apostrophe ('). These entity references are "&amp;", "&lt;", "&gt;", "&quot;", and "&apos;" respectively.
The IODEF schema declares a namespace of "urn:ietf:params:xml:ns:iodef-1.0" and registers it per [4]. Each IODEF document SHOULD include a valid reference to the IODEF schema using the "xsi:schemaLocation" attribute. An example of such a declaration would look as follows:
<IODEF-Document version="1.00" lang="en-US"
   xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
IODEF documents MUST be well-formed XML and SHOULD be validated against the schema described in Section 8. However, mere conformance to the schema is not sufficient for a semantically valid IODEF document. There is additional specification in the text of Section 3 that cannot be readily encoded in the schema, and it must also be considered by an IODEF parser. The following is a list of discrepancies between what is more strictly specified in the normative text (Section 3) and what the IODEF schema enforces:
o The elements or attributes that are defined as POSTAL, NAME, PHONE, and EMAIL data types are implemented as "xs:string", but more rigid formatting requirements are specified in the text.
o The IODEF-Document@lang and MLStringType@lang attributes are declared as an "xs:language", which constrains values with a regular expression. However, the value of this attribute still needs to be validated against the list of possible enumerated values defined in [7].
o The MonetaryImpact@currency attribute is declared as an "xs:string", but the list of valid values is defined in [14].
o The aggregated classes Contact and EventData are both optional in the schema, but at least one of them MUST be present.
o There are multiple conventions that can be used to categorize a system using the NodeRole class or to specify software with the Application and OperatingSystem classes. IODEF parsers MUST accept incident reports that do not use these fields in accordance with local conventions.
o The Confidence@rating attribute determines whether the element content of Confidence should be empty.
o The Address@category attribute determines the format of the element content.
o The attributes AdditionalData@dtype and RecordItem@dtype, derived from iodef:ExtensionType, determine the semantics and formatting of the element content.
o Symmetry in the enumerated ports of a Portlist class is required between sources and targets. See Section 3.17.
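These are the rules a consumer has to check itself once schema validation has passed. The following Python program is an added worked example, not part of this specification or of any IODEF implementation, that performs several of them with the standard library's ElementTree: it expands a PORTLIST value (Section 2.10), requires a Port or a Portlist in every Service, checks the Portlist symmetry rule of Section 3.17 for 1-to-1, 1-to-many and many-to-many Flows, and requires that an Incident carry a Contact or an EventData. The sample document is the scanning report from the examples section of this document, trimmed to the elements these checks look at; the two failing variants are constructed here.

```python
import xml.etree.ElementTree as ET
from typing import List

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}
IODEF = "{urn:ietf:params:xml:ns:iodef-1.0}"


def expand_portlist(text: str) -> List[int]:
    """Expand a PORTLIST (Section 2.10): comma-separated ports and low-high ranges."""
    ports: List[int] = []
    for item in text.replace(" ", "").split(","):
        if not item:
            raise ValueError("empty item in Portlist")
        if "-" in item:
            low, high = (int(x) for x in item.split("-", 1))
            if low > high:
                raise ValueError(f"inverted range {item!r}")
            ports.extend(range(low, high + 1))
        else:
            ports.append(int(item))
    bad = [p for p in ports if not 0 <= p <= 65535]
    if bad:
        raise ValueError(f"port number out of range: {bad}")
    return ports


def check_portlist_symmetry(flow: ET.Element) -> List[str]:
    """Section 3.17: when source and target both carry a Portlist, port counts must agree."""
    def portlists(category: str) -> List[List[int]]:
        found = []
        for system in flow.findall(f"iodef:System[@category='{category}']", NS):
            pl = system.find("iodef:Service/iodef:Portlist", NS)
            if pl is not None:
                found.append(expand_portlist(pl.text or ""))
        return found

    sources, targets = portlists("source"), portlists("target")
    if not sources or not targets:
        return []  # the rule only applies when both sides list ports
    # 1-to-many / many-to-1: the single list is paired with every list on the other side;
    # many-to-many: the n-th source System is paired with the n-th target System.
    if len(sources) == 1:
        pairs = [(sources[0], t) for t in targets]
    elif len(targets) == 1:
        pairs = [(s, targets[0]) for s in sources]
    elif len(sources) == len(targets):
        pairs = list(zip(sources, targets))
    else:
        return [f"Flow: {len(sources)} source and {len(targets)} target Portlists cannot be paired"]
    return [f"Flow: Portlist symmetry violated ({len(s)} source ports vs {len(t)} target ports)"
            for s, t in pairs if len(s) != len(t)]


def check_document(xml_text: str) -> List[str]:
    """Return the semantic violations found; an empty list means the text rules hold."""
    root = ET.fromstring(xml_text)  # well-formedness only; schema validation is a separate step
    problems: List[str] = []
    for incident in root.findall("iodef:Incident", NS):
        if incident.find("iodef:Contact", NS) is None and incident.find("iodef:EventData", NS) is None:
            problems.append("Incident: neither Contact nor EventData is present")
    for service in root.iter(IODEF + "Service"):
        if service.find("iodef:Port", NS) is None and service.find("iodef:Portlist", NS) is None:
            problems.append("Service: neither Port nor Portlist is specified")
    for flow in root.iter(IODEF + "Flow"):
        problems.extend(check_portlist_symmetry(flow))
    return problems


# The scanning report from the examples section, trimmed to what these checks inspect.
GOOD = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">59334</IncidentID>
    <ReportTime>2006-08-02T05:54:02-05:00</ReportTime>
    <Assessment><Impact type="recon" completion="succeeded"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>CSIRT for example.com</ContactName>
    </Contact>
    <EventData>
      <Flow>
        <System category="source">
          <Node><Address category="ipv4-addr">192.0.2.200</Address></Node>
          <Service ip_protocol="6"><Portlist>60524,60526,60527,60531</Portlist></Service>
        </System>
        <System category="target">
          <Node><Address category="ipv4-addr">192.0.2.201</Address></Node>
          <Service ip_protocol="6"><Portlist>137-139,445</Portlist></Service>
        </System>
      </Flow>
    </EventData>
  </Incident>
</IODEF-Document>
"""
# Constructed variants that the schema accepts but the text forbids.
ASYMMETRIC = GOOD.replace("137-139,445", "137-139")                # 4 source vs 3 target ports
NO_PORTS = GOOD.replace("<Portlist>137-139,445</Portlist>", "")   # Service without Port/Portlist
```

check_document(GOOD) returns an empty list; ASYMMETRIC yields one symmetry violation and NO_PORTS one Service violation. Range expansion is what makes the check meaningful: "137-139,445" names four ports, matching the four source ports of the scanning example, so that report is symmetric even though its two Portlist strings look nothing alike.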
In order to support the changing activity of CSIRTs, the IODEF data model will need to evolve along with them. This section discusses how new data elements that have no current representation in the data model can be incorporated into the IODEF. These techniques are designed so that adding new data will not require a change to the IODEF schema. With proven value, well-documented extensions can be incorporated into future versions of the specification. However, this approach also supports private extensions relevant only to a closed consortium.
The data model supports a means by which to add new enumerated values to an attribute. For each attribute that supports this extension technique, there is a corresponding attribute in the same element whose name is identical except for an "ext-" prefix. This special attribute is referred to as the extension attribute, and the attribute being extended is referred to as an extensible attribute. For example, an extensible attribute named "foo" will have a corresponding extension attribute named "ext-foo". An element may have many extensible, and therefore many extension, attributes.
In addition to a corresponding extension attribute, each extensible attribute has "ext-value" as one of its possible values. This particular value serves as an escape sequence and has no valid meaning on its own.
In order to add a new enumerated value to an extensible attribute, the value of this attribute MUST be set to "ext-value", and the new desired value MUST be set in the corresponding extension attribute. For example, an extended instance of the type attribute of the Impact class would look as follows:
<Impact type="ext-value" ext-type="new-attack-type">
A given extension attribute MUST NOT be set unless the corresponding extensible attribute has been set to "ext-value".
The classes of the data model can be extended only through the use of the AdditionalData and RecordItem classes. These container classes, collectively referred to as the extensible classes, are implemented with the iodef:ExtensionType data type in the schema. They provide the ability to have new atomic or XML-encoded data elements in all of the top-level classes of the Incident class and a few of the more complicated subordinate classes. As there are multiple instances of the extensible classes in the data model, there is discretion on where to add a new data element. It is RECOMMENDED that the extension be placed in the class most closely related to the new information.
Extensions using the atomic data types (i.e., all values of the dtype attribute other than "xml") MUST:
1. Set the element content of the extensible class to the desired value, and
2. Set the dtype attribute to correspond to the data type of the element content.
The following guidelines exist for extensions using XML:
1. The element content of the extensible class MUST be set to the desired value and the dtype attribute MUST be set to "xml".
2. The extension schema MUST declare a separate namespace. It is RECOMMENDED that these extensions have the prefix "iodef-".
3. It is RECOMMENDED that extension schemas follow the naming convention of the IODEF data model. The names of all elements are capitalized. For composed names, a capital letter is used for each word. Attribute names are lower case.
4. When a parser encounters an IODEF document with an extension it does not understand, this extension MUST be ignored (and not processed), but the remainder of the document MUST be processed. Parsers will be able to identify these extensions for which they have no processing logic through the namespace declaration. Parsers that encounter an unrecognized element in a namespace that they do support SHOULD reject the document as a syntax error.
5. Implementations SHOULD NOT download schemas at runtime due to the security implications, and extensions MUST NOT be required to provide a resolvable location of their schema.
The following schema and XML document excerpt provide a template for an extension schema and its use in the IODEF document.
This example schema defines a namespace of "iodef-extension1" and a single element named "newdata".
<xs:schema targetNamespace="iodef-extension1.xsd"
    xmlns:iodef-extension1="iodef-extension1.xsd"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    attributeFormDefault="unqualified"
    elementFormDefault="qualified">
  <xs:import namespace="urn:ietf:params:xml:ns:iodef-1.0"
      schemaLocation="urn:ietf:params:xml:schema:iodef-1.0"/>

  <xs:element name="newdata" type="xs:string" />
</xs:schema>
The following XML excerpt demonstrates the use of the above schema as an extension to the IODEF.
<IODEF-Document version="1.00" lang="en-US"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:iodef-extension1="iodef-extension1.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="iodef-extension1.xsd">
  <Incident purpose="reporting">
    ...
    <AdditionalData dtype="xml" meaning="xml">
      <iodef-extension1:newdata>
        Field that could not be represented elsewhere
      </iodef-extension1:newdata>
    </AdditionalData>
  </Incident>
</IODEF-Document>
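Putting the two extension mechanisms together, the Python below is an added worked example, not code from this specification or from any IODEF implementation, of what a consuming parser has to do: it verifies the ext-value pairing rule of Section 5.1 on every element, walks the extensible classes carrying dtype="xml", processes elements from the namespaces it knows (here the template namespace "iodef-extension1.xsd" and its "newdata" element), ignores extensions in namespaces it does not know (guideline 4) while still processing the rest of the document, treats an unknown element inside a supported namespace as a syntax error, and never dereferences xsi:schemaLocation (guideline 5). The document, the second extension namespace "urn:example:iodef-other" and its "blob" element are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
EXT1_NS = "iodef-extension1.xsd"  # the template extension namespace from this document
# Extension namespaces this parser understands and the elements it can process in each.
# Anything in another namespace is ignored (guideline 4); an unknown element inside a
# supported namespace is a syntax error.
KNOWN_EXTENSIONS = {EXT1_NS: {"newdata"}}

# Constructed document: one extended attribute, one understood class extension and one
# class extension in a namespace (urn:example:iodef-other) this parser has no logic for.
SAMPLE = f"""<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en-US"
    xmlns="{IODEF_NS}"
    xmlns:iodef-extension1="{EXT1_NS}"
    xmlns:other="urn:example:iodef-other">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">4711</IncidentID>
    <ReportTime>2007-12-01T12:00:00+00:00</ReportTime>
    <Assessment>
      <Impact type="ext-value" ext-type="new-attack-type" completion="succeeded"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>CSIRT for example.com</ContactName>
    </Contact>
    <AdditionalData dtype="xml" meaning="xml">
      <iodef-extension1:newdata>Field that could not be represented elsewhere</iodef-extension1:newdata>
    </AdditionalData>
    <AdditionalData dtype="xml" meaning="xml">
      <other:blob>an extension this parser does not understand</other:blob>
    </AdditionalData>
  </Incident>
</IODEF-Document>
"""


def split_qname(tag: str) -> Tuple[str, str]:
    """ElementTree's '{namespace}local' -> (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_extension_attributes(root: ET.Element) -> List[str]:
    """Section 5.1: ext-foo MUST only be set when foo='ext-value', and vice versa."""
    problems = []
    for el in root.iter():
        local = split_qname(el.tag)[1]
        for name, value in el.attrib.items():
            if name.startswith("ext-"):
                base = name[len("ext-"):]
                if el.get(base) != "ext-value":
                    problems.append(f"{local}: {name} is set but {base} is not 'ext-value'")
            elif value == "ext-value" and not el.get(f"ext-{name}"):
                problems.append(f"{local}: {name}='ext-value' without a corresponding ext-{name}")
    return problems


def collect_xml_extensions(root: ET.Element) -> Dict[str, list]:
    """Walk the extensible classes (AdditionalData, RecordItem) that carry dtype='xml'."""
    processed, ignored = [], []
    for container in root.iter():
        ns, local = split_qname(container.tag)
        if ns != IODEF_NS or local not in ("AdditionalData", "RecordItem"):
            continue
        if container.get("dtype") != "xml":
            continue  # atomic dtypes are handled by their own logic, not here
        for child in container:
            cns, clocal = split_qname(child.tag)
            if cns not in KNOWN_EXTENSIONS:
                ignored.append(child.tag)  # not understood: skip it, keep processing the rest
            elif clocal not in KNOWN_EXTENSIONS[cns]:
                raise ValueError(f"unknown element {clocal!r} in supported namespace {cns}")
            else:
                processed.append((child.tag, (child.text or "").strip()))
    return {"processed": processed, "ignored": ignored}


def process(xml_text: str) -> Dict[str, list]:
    # Parsed from the in-memory text only: xsi:schemaLocation is never dereferenced and no
    # schema is fetched at runtime (guideline 5). For untrusted input, parse with a hardened
    # parser (e.g. defusedxml) so that entity-expansion attacks are refused as well.
    root = ET.fromstring(xml_text)
    result = collect_xml_extensions(root)
    result["attribute_problems"] = check_extension_attributes(root)
    return result
```

process(SAMPLE) reports no attribute problems, one processed "newdata" element and one ignored "blob" element. Changing the Impact to type="recon" while keeping ext-type, or dropping ext-type while keeping type="ext-value", each produces exactly one pairing violation; renaming "newdata" to an element the supported namespace does not define raises a ValueError, which is the "reject as a syntax error" branch of guideline 4.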
Internationalization and localization are of specific concern to the IODEF, since it is only through collaboration, often across language barriers, that certain incidents can be resolved. The IODEF supports this goal by depending on XML constructs, and through explicit design choices in the data model.
Since IODEF is implemented as an XML Schema, it implicitly supports all the different character encodings, such as UTF-8 and UTF-16, possible with XML. Additionally, each IODEF document MUST specify the language in which its contents are encoded. The language can be specified with the attribute "xml:lang" (per Section 2.12 of [1]) in the top-level element (i.e., IODEF-Document@lang), letting all other elements inherit that definition. All IODEF classes with a free-form text definition (i.e., all those defined of type iodef:MLStringType) can also specify a language different from the rest of the document. The valid language codes for the "xml:lang" attribute are described in RFC 4646 [7].
The data model supports multiple translations of free-form text. In the places where free text is used for descriptive purposes, the given class always has a one-to-many cardinality to its parent (e.g., the Description class). The intent is to allow the identical text to be encoded in different instances of the same class, each in a different language. This approach allows an IODEF document author to send recipients speaking different languages an identical document. The IODEF parser SHOULD extract the appropriate language relevant to the recipient.
While the intent of the data model is to provide internationalization and localization, the intent is not to do so to the detriment of interoperability. While the IODEF does support different languages, the data model also relies heavily on standardized enumerated attributes that can crudely approximate the contents of the document. With this approach, a CSIRT should be able to make some sense of an IODEF document it receives even if the text-based data elements are written in a language unfamiliar to the analyst.
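One way to implement the language selection described above, as an added example that is not part of this specification or of any IODEF implementation: the function resolves each Description's effective language (its own xml:lang, or else the IODEF-Document@lang it inherits) and returns the text best matching the recipient's preference list, falling back to the document language and then to the first Description. The sample document and its Dutch translation are constructed; comparing RFC 4646 tags by primary subtag is this example's simplification, not a rule from the text.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

IODEF = "{urn:ietf:params:xml:ns:iodef-1.0}"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"  # ElementTree's name for xml:lang

# Constructed report: the first Description inherits IODEF-Document@lang, the second
# overrides it with xml:lang.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="1.00" lang="en-US" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">7</IncidentID>
    <ReportTime>2007-12-01T12:00:00+00:00</ReportTime>
    <Description>Host sending out Code Red probes</Description>
    <Description xml:lang="nl">Host verstuurt Code Red-probes</Description>
    <Assessment><Impact type="admin" completion="failed"/></Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example.com CSIRT</ContactName>
    </Contact>
  </Incident>
</IODEF-Document>
"""


def primary_subtag(tag: str) -> str:
    """'en-US' -> 'en'; RFC 4646 tags are compared case-insensitively."""
    return tag.split("-", 1)[0].lower()


def descriptions(parent: ET.Element, doc_lang: str) -> List[Tuple[str, str]]:
    """Each Description under `parent` with its effective language: its own xml:lang
    when present, otherwise the language inherited from IODEF-Document@lang."""
    return [(d.get(XML_LANG) or doc_lang, (d.text or "").strip())
            for d in parent.findall(IODEF + "Description")]


def pick_description(xml_text: str, preferred: List[str]) -> Optional[str]:
    """Return the Incident Description for a recipient whose language preferences are
    given most-preferred first: exact tag, then same primary subtag, then the document
    language, then whatever Description comes first."""
    root = ET.fromstring(xml_text)
    doc_lang = root.get("lang", "")  # REQUIRED on IODEF-Document; tolerate its absence
    incident = root.find(IODEF + "Incident")
    candidates = descriptions(incident, doc_lang)
    if not candidates:
        return None
    for want in preferred:
        for lang, text in candidates:
            if lang.lower() == want.lower():
                return text
        for lang, text in candidates:
            if primary_subtag(lang) == primary_subtag(want):
                return text
    for lang, text in candidates:
        if primary_subtag(lang) == primary_subtag(doc_lang):
            return text
    return candidates[0][1]
```

A recipient preferring "nl-NL" gets the Dutch text through the primary-subtag match; one preferring "de" gets the English text because the document language is the fallback.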
This section provides examples of an incident encoded in the IODEF. These examples do not necessarily represent the only way to encode a particular incident.
An example of a CSIRT reporting an instance of the Code Red worm.
<?xml version="1.0" encoding="UTF-8"?>
<!-- This example demonstrates a report for a very old worm (Code Red) -->
<IODEF-Document version="1.00" lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">189493</IncidentID>
    <ReportTime>2001-09-13T23:19:24+00:00</ReportTime>
    <Description>Host sending out Code Red probes</Description>
    <!-- An administrative privilege was attempted, but failed -->
    <Assessment>
      <Impact completion="failed" type="admin"/>
    </Assessment>
    <Contact role="creator" type="organization">
      <ContactName>Example.com CSIRT</ContactName>
      <RegistryHandle registry="arin">example-com</RegistryHandle>
      <Email>contact@csirt.example.com</Email>
    </Contact>
    <EventData>
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.200</Address>
            <Counter type="event">57</Counter>
          </Node>
        </System>
        <System category="target">
          <Node>
            <Address category="ipv4-net">192.0.2.16/28</Address>
          </Node>
          <Service ip_protocol="6">
            <Port>80</Port>
          </Service>
        </System>
      </Flow>
      <Expectation action="block-host" />
      <!-- <RecordItem> has an excerpt from a log -->
      <Record>
        <RecordData>
          <DateTime>2001-09-13T18:11:21+02:00</DateTime>
          <Description>Web-server logs</Description>
          <RecordItem dtype="string">
            192.0.2.1 - - [13/Sep/2001:18:11:21 +0200] "GET /default.ida?
            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
          </RecordItem>
          <!-- Additional logs -->
          <RecordItem dtype="url">
            http://mylogs.example.com/logs/httpd_access</RecordItem>
        </RecordData>
      </Record>
    </EventData>
    <History>
      <!-- Contact was previously made with the source network owner -->
      <HistoryItem action="contact-source-site">
        <DateTime>2001-09-14T08:19:01+00:00</DateTime>
        <Description>Notification sent to constituency-contact@192.0.2.200</Description>
      </HistoryItem>
    </History>
  </Incident>
</IODEF-Document>
An example of a CSIRT reporting a scanning activity.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example describes reconnaissance activity: one-to-one and
     one-to-many scanning -->
<IODEF-Document version="1.00" lang="en"
  xmlns="urn:ietf:params:xml:ns:iodef-1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting">
    <IncidentID name="csirt.example.com">59334</IncidentID>
    <ReportTime>2006-08-02T05:54:02-05:00</ReportTime>
    <Assessment>
      <Impact type="recon" completion="succeeded" />
    </Assessment>
    <Method>
      <!-- Reference to the scanning tool "nmap" -->
      <Reference>
        <ReferenceName>nmap</ReferenceName>
        <URL>http://nmap.toolsite.example.com</URL>
      </Reference>
    </Method>
    <!-- Organizational contact and that for staff in that organization -->
    <Contact role="creator" type="organization">
      <ContactName>CSIRT for example.com</ContactName>
      <Email>contact@csirt.example.com</Email>
      <Telephone>+1 412 555 12345</Telephone>
      <!-- Since this <Contact> is nested, Joe Smith is part of the
           CSIRT for example.com -->
      <Contact role="tech" type="person" restriction="need-to-know">
        <ContactName>Joe Smith</ContactName>
        <Email>smith@csirt.example.com</Email>
      </Contact>
    </Contact>
    <EventData>
      <!-- Scanning activity as follows (the n-th source port pairs with
           the n-th target port, as Section 3.17 requires):
             192.0.2.200:60524 >> 192.0.2.201:137
             192.0.2.200:60526 >> 192.0.2.201:138
             192.0.2.200:60527 >> 192.0.2.201:139
             192.0.2.200:60531 >> 192.0.2.201:445 -->
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.200</Address>
          </Node>
          <Service ip_protocol="6">
            <Portlist>60524,60526,60527,60531</Portlist>
          </Service>
        </System>
        <System category="target">
          <Node>
            <Address category="ipv4-addr">192.0.2.201</Address>
          </Node>
          <Service ip_protocol="6">
            <Portlist>137-139,445</Portlist>
          </Service>
        </System>
      </Flow>
      <!-- Scanning activity as follows:
             192.0.2.240 >> 192.0.2.64/28:445 -->
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.240</Address>
          </Node>
        </System>
        <System category="target">
          <Node>
            <Address category="ipv4-net">192.0.2.64/28</Address>
          </Node>
          <Service ip_protocol="6">
            <Port>445</Port>
          </Service>
        </System>
      </Flow>
    </EventData>
  </Incident>
</IODEF-Document>
An example of a CSIRT reporting a bot-network.
CSIRT报告机器人网络的示例。
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example describes a compromise and subsequent installation of bots -->
<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="mitigation">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-06-08T05:44:53-05:00</ReportTime>
    <Description>Large bot-net</Description>
    <Assessment>
      <Impact type="dos" severity="high" completion="succeeded" />
    </Assessment>
    <Method>
      <!-- References a given piece of malware, "GT Bot" -->
      <Reference>
        <ReferenceName>GT Bot</ReferenceName>
      </Reference>
      <!-- References the vulnerability used to compromise the machines -->
      <Reference>
        <ReferenceName>CA-2003-22</ReferenceName>
        <URL>http://www.cert.org/advisories/CA-2003-22.html</URL>
        <Description>Root compromise via this IE vulnerability to install the GT Bot</Description>
      </Reference>
    </Method>
    <!-- A member of the CSIRT that is coordinating this incident -->
    <Contact type="person" role="irt">
      <ContactName>Joe Smith</ContactName>
      <Email>jsmith@csirt.example.com</Email>
    </Contact>
    <EventData>
      <Description>These hosts are compromised and acting as bots communicating with irc.example.com.</Description>
      <Flow>
        <!-- bot running on 192.0.2.1 and sending DoS traffic at 10,000 bytes/second -->
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.1</Address>
          </Node>
          <Counter type="byte" duration="second">10000</Counter>
          <Description>bot</Description>
        </System>
        <!-- a second bot on 192.0.2.3 -->
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.3</Address>
          </Node>
          <Counter type="byte" duration="second">250000</Counter>
          <Description>bot</Description>
        </System>
        <!-- Command-and-control IRC server for these bots -->
        <System category="intermediate">
          <Node>
            <NodeName>irc.example.com</NodeName>
            <Address category="ipv4-addr">192.0.2.20</Address>
            <DateTime>2006-06-08T01:01:03-05:00</DateTime>
          </Node>
          <Description>IRC server on #give-me-cmd channel</Description>
        </System>
      </Flow>
      <!-- Request to take these machines offline -->
      <Expectation action="investigate">
        <Description>Confirm the source and take machines off-line and remediate</Description>
      </Expectation>
    </EventData>
  </Incident>
</IODEF-Document>
An example of a CSIRT conveying a watch-list.
<?xml version="1.0" encoding="UTF-8" ?>
<!-- This example demonstrates a trivial IP watch-list -->
<!-- @formatid is set to "watch-list-043" to demonstrate how additional
     semantics about this document could be conveyed assuming both
     parties understood it -->
<IODEF-Document version="1.00" lang="en" formatid="watch-list-043"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:ietf:params:xml:schema:iodef-1.0">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-08-01T00:00:00-05:00</ReportTime>
    <Description>Watch-list of known bad IPs or networks</Description>
    <Assessment>
      <Impact type="admin" completion="succeeded" />
      <Impact type="recon" completion="succeeded" />
    </Assessment>
    <Contact type="organization" role="creator">
      <ContactName>CSIRT for example.com</ContactName>
      <Email>contact@csirt.example.com</Email>
    </Contact>
    <!-- Separate <EventData> used to convey different <Expectation> -->
    <EventData>
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.53</Address>
          </Node>
          <Description>Source of numerous attacks</Description>
        </System>
      </Flow>
      <!-- Expectation class indicating that sender of list would like
           to be notified if activity from the host is seen -->
      <Expectation action="contact-sender" />
    </EventData>
    <EventData>
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-net">192.0.2.16/28</Address>
          </Node>
          <Description>
            Source of heavy scanning over past 1-month
          </Description>
        </System>
      </Flow>
      <Flow>
        <System category="source">
          <Node>
            <Address category="ipv4-addr">192.0.2.241</Address>
          </Node>
          <Description>C2 IRC server</Description>
        </System>
      </Flow>
      <!-- Expectation class recommends that these networks be filtered -->
      <Expectation action="block-host" />
    </EventData>
  </Incident>
</IODEF-Document>
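The watch-list above is only useful to a receiving CSIRT once it is turned into concrete actions, and the sender's Expectation/@action and Incident/@restriction decide what those actions may be. The following is an added example (not part of RFC 5070) that parses a constructed copy of that watch-list with Python's standard library, pairs every source Address with the Expectation of its EventData, and validates each address against its @category before anything reaches a firewall; the element names and defaults come from the schema below, the sample document is trimmed to the parts read here.

```python
"""Turn an IODEF 1.0 watch-list into a defender's action list.
Added example, not RFC code: walks Incident/EventData/Flow/System, pairs
each source Address with its EventData's Expectation/@action, and checks
address syntax before the result feeds a firewall or ticketing system."""
import ipaddress
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
NS = {"iodef": IODEF_NS}
IP_CATEGORIES = {"ipv4-addr", "ipv4-net", "ipv6-addr", "ipv6-net"}
DEFAULT_ACTION = "other"  # schema default for Expectation/@action

# Constructed sample: the watch-list example above, trimmed to what is read.
SAMPLE_WATCHLIST = """<IODEF-Document version="1.00" lang="en"
    formatid="watch-list-043" xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <Incident purpose="reporting" restriction="private">
    <IncidentID name="csirt.example.com">908711</IncidentID>
    <ReportTime>2006-08-01T00:00:00-05:00</ReportTime>
    <Assessment><Impact type="recon" completion="succeeded"/></Assessment>
    <Contact type="organization" role="creator">
      <Email>contact@csirt.example.com</Email>
    </Contact>
    <EventData>
      <Flow><System category="source">
        <Node><Address category="ipv4-addr">192.0.2.53</Address></Node>
        <Description>Source of numerous attacks</Description>
      </System></Flow>
      <Expectation action="contact-sender"/>
    </EventData>
    <EventData>
      <Flow><System category="source">
        <Node><Address category="ipv4-net">192.0.2.16/28</Address></Node>
        <Description>
          Source of heavy scanning over past 1-month
        </Description>
      </System></Flow>
      <Flow><System category="source">
        <Node><Address category="ipv4-addr">192.0.2.241</Address></Node>
        <Description>C2 IRC server</Description>
      </System></Flow>
      <Expectation action="block-host"/>
    </EventData>
  </Incident>
</IODEF-Document>
"""


def parse_address(category, text):
    """Validate an <Address> against its @category. Returns the normalised
    host or network string, or None when the value is malformed, the
    address family does not match, or a host entry is really a range."""
    if category not in IP_CATEGORIES:
        return None  # e-mail, ASN, MAC etc. are not firewall inputs here
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    if net.version != (4 if category.startswith("ipv4") else 6):
        return None
    if category.endswith("-addr"):
        return str(net.network_address) if net.num_addresses == 1 else None
    return str(net)


def extract_watchlist(xml_text):
    """Return one dict per valid source Address: address, category, the
    EventData's expectation actions, description and restriction marking."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}IODEF-Document" % IODEF_NS:
        raise ValueError("not an IODEF 1.0 document")
    entries = []
    for incident in root.findall("iodef:Incident", NS):
        restriction = incident.get("restriction", "private")
        for event in incident.findall("iodef:EventData", NS):
            actions = [e.get("action", DEFAULT_ACTION)
                       for e in event.findall("iodef:Expectation", NS)]
            if not actions:
                actions = [DEFAULT_ACTION]
            for system in event.findall("iodef:Flow/iodef:System", NS):
                if system.get("category") != "source":
                    continue
                desc = system.findtext("iodef:Description", default="",
                                       namespaces=NS).strip()
                for addr in system.findall("iodef:Node/iodef:Address", NS):
                    value = parse_address(addr.get("category"),
                                          (addr.text or "").strip())
                    if value is None:
                        continue  # never push unparsed data to enforcement
                    entries.append({"address": value,
                                    "category": addr.get("category"),
                                    "actions": actions,
                                    "description": desc,
                                    "restriction": restriction})
    return entries


def hosts_to_block(entries):
    """Addresses the sender recommends filtering (action="block-host")."""
    return [e["address"] for e in entries if "block-host" in e["actions"]]


if __name__ == "__main__":
    for e in extract_watchlist(SAMPLE_WATCHLIST):
        print("%-16s %-9s %s %s" % (e["address"], e["category"],
                                    ",".join(e["actions"]), e["restriction"]))
```

The restriction value travels with every entry so that a "private" list is not re-shared downstream, and contact-sender entries are reported back rather than filtered.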
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    elementFormDefault="qualified"
    attributeFormDefault="unqualified">

  <xs:annotation>
    <xs:documentation>
      Incident Object Description Exchange Format v1.00, see RFC 5070
    </xs:documentation>
  </xs:annotation>
  <!--
  ====================================================================
  == IODEF-Document class                                           ==
  ====================================================================
  -->
  <xs:element name="IODEF-Document">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Incident" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="version" type="xs:string" fixed="1.00"/>
      <xs:attribute name="lang" type="xs:language" use="required"/>
      <xs:attribute name="formatid" type="xs:string"/>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  === Incident class                                               ===
  ====================================================================
  -->
  <xs:element name="Incident">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IncidentID"/>
        <xs:element ref="iodef:AlternativeID" minOccurs="0"/>
        <xs:element ref="iodef:RelatedActivity" minOccurs="0"/>
        <xs:element ref="iodef:DetectTime" minOccurs="0"/>
        <xs:element ref="iodef:StartTime" minOccurs="0"/>
        <xs:element ref="iodef:EndTime" minOccurs="0"/>
        <xs:element ref="iodef:ReportTime"/>
        <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Assessment" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Contact" maxOccurs="unbounded"/>
        <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:History" minOccurs="0"/>
        <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="purpose" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="traceback"/>
            <xs:enumeration value="mitigation"/>
            <xs:enumeration value="reporting"/>
            <xs:enumeration value="other"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-purpose" type="xs:string" use="optional"/>
      <xs:attribute name="lang" type="xs:language"/>
      <xs:attribute name="restriction" type="iodef:restriction-type" default="private"/>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  == IncidentID class                                               ==
  ====================================================================
  -->
  <xs:element name="IncidentID" type="iodef:IncidentIDType"/>
  <xs:complexType name="IncidentIDType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="name" type="xs:string" use="required"/>
        <xs:attribute name="instance" type="xs:string" use="optional"/>
        <xs:attribute name="restriction" type="iodef:restriction-type" default="public"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!--
  ====================================================================
  == AlternativeID class                                            ==
  ====================================================================
  -->
  <xs:element name="AlternativeID">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  == RelatedActivity class                                          ==
  ====================================================================
  -->
  <xs:element name="RelatedActivity">
    <xs:complexType>
      <xs:choice>
        <xs:element ref="iodef:IncidentID" maxOccurs="unbounded"/>
        <xs:element ref="iodef:URL" maxOccurs="unbounded"/>
      </xs:choice>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  === AdditionalData class                                         ===
  ====================================================================
  -->
  <xs:element name="AdditionalData" type="iodef:ExtensionType"/>
  <!--
  ====================================================================
  === Contact class                                                ===
  ====================================================================
  -->
  <xs:element name="Contact">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:ContactName" minOccurs="0"/>
        <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:RegistryHandle" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:PostalAddress" minOccurs="0"/>
        <xs:element ref="iodef:Email" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Telephone" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Fax" minOccurs="0"/>
        <xs:element ref="iodef:Timezone" minOccurs="0"/>
        <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="role" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="creator"/>
            <xs:enumeration value="admin"/>
            <xs:enumeration value="tech"/>
            <xs:enumeration value="irt"/>
            <xs:enumeration value="cc"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-role" type="xs:string" use="optional"/>
      <xs:attribute name="type" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="person"/>
            <xs:enumeration value="organization"/>
            <xs:enumeration value="ext-value"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="ext-type" type="xs:string" use="optional"/>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="ContactName" type="iodef:MLStringType"/>
  <xs:element name="RegistryHandle">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="xs:string">
          <xs:attribute name="registry">
            <xs:simpleType>
              <xs:restriction base="xs:NMTOKEN">
                <xs:enumeration value="internic"/>
                <xs:enumeration value="apnic"/>
                <xs:enumeration value="arin"/>
                <xs:enumeration value="lacnic"/>
                <xs:enumeration value="ripe"/>
                <xs:enumeration value="afrinic"/>
                <xs:enumeration value="local"/>
                <xs:enumeration value="ext-value"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="ext-registry" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="PostalAddress">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="iodef:MLStringType">
          <xs:attribute name="meaning" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="Email" type="iodef:ContactMeansType"/>
  <xs:element name="Telephone" type="iodef:ContactMeansType"/>
  <xs:element name="Fax" type="iodef:ContactMeansType"/>
  <xs:complexType name="ContactMeansType">
    <xs:simpleContent>
      <xs:extension base="xs:string">
        <xs:attribute name="meaning" type="xs:string" use="optional"/>
      </xs:extension>
    </xs:simpleContent>
  </xs:complexType>
  <!--
  ====================================================================
  === Time-based classes                                           ===
  ====================================================================
  -->
  <xs:element name="DateTime" type="xs:dateTime"/>
  <xs:element name="ReportTime" type="xs:dateTime"/>
  <xs:element name="DetectTime" type="xs:dateTime"/>
  <xs:element name="StartTime" type="xs:dateTime"/>
  <xs:element name="EndTime" type="xs:dateTime"/>
  <xs:element name="Timezone" type="iodef:TimezoneType"/>
  <xs:simpleType name="TimezoneType">
    <xs:restriction base="xs:string">
      <xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
    </xs:restriction>
  </xs:simpleType>
  <!--
  ====================================================================
  === History class                                                ===
  ====================================================================
  -->
  <xs:element name="History">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:HistoryItem" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="HistoryItem">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:DateTime"/>
        <xs:element ref="iodef:IncidentID" minOccurs="0"/>
        <xs:element ref="iodef:Contact" minOccurs="0"/>
        <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
      <xs:attribute name="action" type="iodef:action-type" use="required"/>
      <xs:attribute name="ext-action" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  === Expectation class                                            ===
  ====================================================================
  -->
  <xs:element name="Expectation">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:StartTime" minOccurs="0"/>
        <xs:element ref="iodef:EndTime" minOccurs="0"/>
        <xs:element ref="iodef:Contact" minOccurs="0"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/>
      <xs:attribute name="severity" type="iodef:severity-type"/>
      <xs:attribute name="action" type="iodef:action-type" default="other"/>
      <xs:attribute name="ext-action" type="xs:string" use="optional"/>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  === Method class                                                 ===
  ====================================================================
  -->
  <xs:element name="Method">
    <xs:complexType>
      <xs:sequence>
        <xs:choice maxOccurs="unbounded">
          <xs:element ref="iodef:Reference"/>
          <xs:element ref="iodef:Description"/>
        </xs:choice>
        <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Reference">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="ReferenceName" type="iodef:MLStringType"/>
        <xs:element ref="iodef:URL" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!--
  ====================================================================
  === Assessment class                                             ===
  ====================================================================
  -->
  <xs:element name="Assessment">
    <xs:complexType>
      <xs:sequence>
        <xs:choice maxOccurs="unbounded">
          <xs:element ref="iodef:Impact"/>
          <xs:element ref="iodef:TimeImpact"/>
          <xs:element ref="iodef:MonetaryImpact"/>
        </xs:choice>
        <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element ref="iodef:Confidence" minOccurs="0"/>
        <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
      <xs:attribute name="occurrence">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="actual"/>
            <xs:enumeration value="potential"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
      <xs:attribute name="restriction" type="iodef:restriction-type"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="Impact">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="iodef:MLStringType">
          <xs:attribute name="severity" type="iodef:severity-type"/>
          <xs:attribute name="completion">
            <xs:simpleType>
              <xs:restriction base="xs:NMTOKEN">
                <xs:enumeration value="failed"/>
                <xs:enumeration value="succeeded"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="type" use="optional" default="unknown">
            <xs:simpleType>
              <xs:restriction base="xs:NMTOKEN">
                <xs:enumeration value="admin"/>
                <xs:enumeration value="dos"/>
                <xs:enumeration value="extortion"/>
                <xs:enumeration value="file"/>
                <xs:enumeration value="info-leak"/>
                <xs:enumeration value="misconfiguration"/>
                <xs:enumeration value="recon"/>
                <xs:enumeration value="policy"/>
                <xs:enumeration value="social-engineering"/>
                <xs:enumeration value="user"/>
                <xs:enumeration value="unknown"/>
                <xs:enumeration value="ext-value"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="ext-type" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="TimeImpact">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="iodef:PositiveFloatType">
          <xs:attribute name="severity" type="iodef:severity-type"/>
          <xs:attribute name="metric" use="required">
            <xs:simpleType>
              <xs:restriction base="xs:NMTOKEN">
                <xs:enumeration value="labor"/>
                <xs:enumeration value="elapsed"/>
                <xs:enumeration value="downtime"/>
                <xs:enumeration value="ext-value"/>
              </xs:restriction>
            </xs:simpleType>
          </xs:attribute>
          <xs:attribute name="ext-metric" type="xs:string" use="optional"/>
          <xs:attribute name="duration" type="iodef:duration-type"/>
          <xs:attribute name="ext-duration" type="xs:string" use="optional"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="MonetaryImpact">
    <xs:complexType>
      <xs:simpleContent>
        <xs:extension base="iodef:PositiveFloatType">
          <xs:attribute name="severity" type="iodef:severity-type"/>
          <xs:attribute name="currency" type="xs:string"/>
        </xs:extension>
      </xs:simpleContent>
    </xs:complexType>
  </xs:element>
  <xs:element name="Confidence">
    <xs:complexType mixed="true">
      <xs:attribute name="rating" use="required">
        <xs:simpleType>
          <xs:restriction base="xs:NMTOKEN">
            <xs:enumeration value="low"/>
            <xs:enumeration value="medium"/>
            <xs:enumeration value="high"/>
            <xs:enumeration value="numeric"/>
            <xs:enumeration value="unknown"/>
          </xs:restriction>
        </xs:simpleType>
      </xs:attribute>
</xs:complexType> </xs:element> <!-- ==================================================================== === EventData class === ==================================================================== --> <xs:element name="EventData"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:DetectTime" minOccurs="0"/> <xs:element ref="iodef:StartTime" minOccurs="0"/> <xs:element ref="iodef:EndTime" minOccurs="0"/> <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Assessment" minOccurs="0"/> <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Flow" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Expectation" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Record" minOccurs="0"/> <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/> </xs:complexType> </xs:element> <!-- ==================================================================== === Flow class === ==================================================================== --> <xs:element name="Flow"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:System"
</xs:complexType> </xs:element> <!-- ==================================================================== === EventData class === ==================================================================== --> <xs:element name="EventData"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:DetectTime" minOccurs="0"/> <xs:element ref="iodef:StartTime" minOccurs="0"/> <xs:element ref="iodef:EndTime" minOccurs="0"/> <xs:element ref="iodef:Contact" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Assessment" minOccurs="0"/> <xs:element ref="iodef:Method" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Flow" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Expectation" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Record" minOccurs="0"/> <xs:element ref="iodef:EventData" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type" default="default"/> </xs:complexType> </xs:element> <!-- ==================================================================== === Flow class === ==================================================================== --> <xs:element name="Flow"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:System"
maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <!-- ==================================================================== === System class === ==================================================================== --> <xs:element name="System"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Node"/> <xs:element ref="iodef:Service" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:OperatingSystem" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> <xs:attribute name="interface" type="xs:string"/> <xs:attribute name="category"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="source"/> <xs:enumeration value="target"/> <xs:enumeration value="intermediate"/> <xs:enumeration value="sensor"/> <xs:enumeration value="infrastructure"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-category" type="xs:string" use="optional"/> <xs:attribute name="spoofed" default="unknown"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="unknown"/> <xs:enumeration value="yes"/>
maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <!-- ==================================================================== === System class === ==================================================================== --> <xs:element name="System"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:Node"/> <xs:element ref="iodef:Service" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:OperatingSystem" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> <xs:attribute name="interface" type="xs:string"/> <xs:attribute name="category"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="source"/> <xs:enumeration value="target"/> <xs:enumeration value="intermediate"/> <xs:enumeration value="sensor"/> <xs:enumeration value="infrastructure"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-category" type="xs:string" use="optional"/> <xs:attribute name="spoofed" default="unknown"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="unknown"/> <xs:enumeration value="yes"/>
<xs:enumeration value="no"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <!-- ==================================================================== === Node class === ==================================================================== --> <xs:element name="Node"> <xs:complexType> <xs:sequence> <xs:choice maxOccurs="unbounded"> <xs:element name="NodeName" type="iodef:MLStringType" minOccurs="0"/> <xs:element ref="iodef:Address" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> <xs:element ref="iodef:Location" minOccurs="0"/> <xs:element ref="iodef:DateTime" minOccurs="0"/> <xs:element ref="iodef:NodeRole" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Address"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="category" default="ipv4-addr"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="asn"/> <xs:enumeration value="atm"/> <xs:enumeration value="e-mail"/> <xs:enumeration value="mac"/> <xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="no"/> </xs:restriction> </xs:simpleType> </xs:attribute> </xs:complexType> </xs:element> <!-- ==================================================================== === Node class === ==================================================================== --> <xs:element name="Node"> <xs:complexType> <xs:sequence> <xs:choice maxOccurs="unbounded"> <xs:element name="NodeName" type="iodef:MLStringType" minOccurs="0"/> <xs:element ref="iodef:Address" minOccurs="0" maxOccurs="unbounded"/> </xs:choice> <xs:element ref="iodef:Location" minOccurs="0"/> <xs:element ref="iodef:DateTime" minOccurs="0"/> <xs:element ref="iodef:NodeRole" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Counter" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> </xs:complexType> </xs:element> <xs:element name="Address"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="category" default="ipv4-addr"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="asn"/> <xs:enumeration value="atm"/> <xs:enumeration value="e-mail"/> <xs:enumeration value="mac"/> <xs:enumeration value="ipv4-addr"/> <xs:enumeration value="ipv4-net"/> <xs:enumeration value="ipv4-net-mask"/> <xs:enumeration value="ipv6-addr"/> <xs:enumeration value="ipv6-net"/> <xs:enumeration value="ipv6-net-mask"/>
<xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-category" type="xs:string" use="optional"/> <xs:attribute name="vlan-name" type="xs:string"/> <xs:attribute name="vlan-num" type="xs:integer"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="NodeRole"> <xs:complexType> <xs:simpleContent> <xs:extension base="iodef:MLStringType"> <xs:attribute name="category" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="client"/> <xs:enumeration value="server-internal"/> <xs:enumeration value="server-public"/> <xs:enumeration value="www"/> <xs:enumeration value="mail"/> <xs:enumeration value="messaging"/> <xs:enumeration value="streaming"/> <xs:enumeration value="voice"/> <xs:enumeration value="file"/> <xs:enumeration value="ftp"/> <xs:enumeration value="p2p"/> <xs:enumeration value="name"/> <xs:enumeration value="directory"/> <xs:enumeration value="credential"/> <xs:enumeration value="print"/> <xs:enumeration value="application"/> <xs:enumeration value="database"/> <xs:enumeration value="infra"/> <xs:enumeration value="log"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-category" type="xs:string" use="optional"/> </xs:extension>
<xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-category" type="xs:string" use="optional"/> <xs:attribute name="vlan-name" type="xs:string"/> <xs:attribute name="vlan-num" type="xs:integer"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <xs:element name="Location" type="iodef:MLStringType"/> <xs:element name="NodeRole"> <xs:complexType> <xs:simpleContent> <xs:extension base="iodef:MLStringType"> <xs:attribute name="category" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="client"/> <xs:enumeration value="server-internal"/> <xs:enumeration value="server-public"/> <xs:enumeration value="www"/> <xs:enumeration value="mail"/> <xs:enumeration value="messaging"/> <xs:enumeration value="streaming"/> <xs:enumeration value="voice"/> <xs:enumeration value="file"/> <xs:enumeration value="ftp"/> <xs:enumeration value="p2p"/> <xs:enumeration value="name"/> <xs:enumeration value="directory"/> <xs:enumeration value="credential"/> <xs:enumeration value="print"/> <xs:enumeration value="application"/> <xs:enumeration value="database"/> <xs:enumeration value="infra"/> <xs:enumeration value="log"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-category" type="xs:string" use="optional"/> </xs:extension>
</xs:simpleContent> </xs:complexType> </xs:element> <!-- ==================================================================== === Service Class === ==================================================================== --> <xs:element name="Service"> <xs:complexType> <xs:sequence> <xs:choice minOccurs="0"> <xs:element name="Port" type="xs:integer"/> <xs:element name="Portlist" type="iodef:PortlistType"/> </xs:choice> <xs:element name="ProtoType" type="xs:integer" minOccurs="0"/> <xs:element name="ProtoCode" type="xs:integer" minOccurs="0"/> <xs:element name="ProtoField" type="xs:integer" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/> </xs:sequence> <xs:attribute name="ip_protocol" type="xs:integer" use="required"/> </xs:complexType> </xs:element> <xs:simpleType name="PortlistType"> <xs:restriction base="xs:string"> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> </xs:restriction> </xs:simpleType> <!-- ==================================================================== === Counter class === ==================================================================== --> <xs:element name="Counter"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:double"> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="byte"/>
</xs:simpleContent> </xs:complexType> </xs:element> <!-- ==================================================================== === Service Class === ==================================================================== --> <xs:element name="Service"> <xs:complexType> <xs:sequence> <xs:choice minOccurs="0"> <xs:element name="Port" type="xs:integer"/> <xs:element name="Portlist" type="iodef:PortlistType"/> </xs:choice> <xs:element name="ProtoType" type="xs:integer" minOccurs="0"/> <xs:element name="ProtoCode" type="xs:integer" minOccurs="0"/> <xs:element name="ProtoField" type="xs:integer" minOccurs="0"/> <xs:element ref="iodef:Application" minOccurs="0"/> </xs:sequence> <xs:attribute name="ip_protocol" type="xs:integer" use="required"/> </xs:complexType> </xs:element> <xs:simpleType name="PortlistType"> <xs:restriction base="xs:string"> <xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/> </xs:restriction> </xs:simpleType> <!-- ==================================================================== === Counter class === ==================================================================== --> <xs:element name="Counter"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:double"> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="byte"/>
<xs:enumeration value="packet"/> <xs:enumeration value="flow"/> <xs:enumeration value="session"/> <xs:enumeration value="event"/> <xs:enumeration value="alert"/> <xs:enumeration value="message"/> <xs:enumeration value="host"/> <xs:enumeration value="site"/> <xs:enumeration value="organization"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="meaning" type="xs:string" use="optional"/> <xs:attribute name="duration" type="iodef:duration-type"/> <xs:attribute name="ext-duration" type="xs:string" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <!-- ==================================================================== === Record class === ==================================================================== --> <xs:element name="Record"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:RecordData" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> </xs:element> <xs:element name="RecordData"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:DateTime" minOccurs="0"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Application"
<xs:enumeration value="packet"/> <xs:enumeration value="flow"/> <xs:enumeration value="session"/> <xs:enumeration value="event"/> <xs:enumeration value="alert"/> <xs:enumeration value="message"/> <xs:enumeration value="host"/> <xs:enumeration value="site"/> <xs:enumeration value="organization"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="meaning" type="xs:string" use="optional"/> <xs:attribute name="duration" type="iodef:duration-type"/> <xs:attribute name="ext-duration" type="xs:string" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element> <!-- ==================================================================== === Record class === ==================================================================== --> <xs:element name="Record"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:RecordData" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> </xs:element> <xs:element name="RecordData"> <xs:complexType> <xs:sequence> <xs:element ref="iodef:DateTime" minOccurs="0"/> <xs:element ref="iodef:Description" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:Application"
minOccurs="0"/> <xs:element ref="iodef:RecordPattern" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> </xs:element> <xs:element name="RecordPattern"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="regex"/> <xs:enumeration value="binary"/> <xs:enumeration value="xpath"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="offset" type="xs:integer" use="optional"/> <xs:attribute name="offsetunit" use="optional" default="line"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="line"/> <xs:enumeration value="byte"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-offsetunit" type="xs:string" use="optional"/> <xs:attribute name="instance" type="xs:integer" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element>
minOccurs="0"/> <xs:element ref="iodef:RecordPattern" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="iodef:RecordItem" maxOccurs="unbounded"/> <xs:element ref="iodef:AdditionalData" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> </xs:element> <xs:element name="RecordPattern"> <xs:complexType> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="type" use="required"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="regex"/> <xs:enumeration value="binary"/> <xs:enumeration value="xpath"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-type" type="xs:string" use="optional"/> <xs:attribute name="offset" type="xs:integer" use="optional"/> <xs:attribute name="offsetunit" use="optional" default="line"> <xs:simpleType> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="line"/> <xs:enumeration value="byte"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:attribute> <xs:attribute name="ext-offsetunit" type="xs:string" use="optional"/> <xs:attribute name="instance" type="xs:integer" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> </xs:element>
<xs:element name="RecordItem" type="iodef:ExtensionType"/> <!-- ==================================================================== === Classes that describe software === ==================================================================== --> <xs:complexType name="SoftwareType"> <xs:sequence> <xs:element ref="iodef:URL" minOccurs="0"/> </xs:sequence> <xs:attribute name="swid" type="xs:string" default="0"/> <xs:attribute name="configid" type="xs:string" default="0"/> <xs:attribute name="vendor" type="xs:string"/> <xs:attribute name="family" type="xs:string"/> <xs:attribute name="name" type="xs:string"/> <xs:attribute name="version" type="xs:string"/> <xs:attribute name="patch" type="xs:string"/> </xs:complexType> <xs:element name="Application" type="iodef:SoftwareType"/> <xs:element name="OperatingSystem" type="iodef:SoftwareType"/> <!-- ==================================================================== === Miscellaneous simple classes === ==================================================================== --> <xs:element name="Description" type="iodef:MLStringType"/> <xs:element name="URL" type="xs:anyURI"/> <!-- ==================================================================== === Data Types === ==================================================================== --> <xs:simpleType name="PositiveFloatType"> <xs:restriction base="xs:float"> <xs:minExclusive value="0"/>
<xs:element name="RecordItem" type="iodef:ExtensionType"/> <!-- ==================================================================== === Classes that describe software === ==================================================================== --> <xs:complexType name="SoftwareType"> <xs:sequence> <xs:element ref="iodef:URL" minOccurs="0"/> </xs:sequence> <xs:attribute name="swid" type="xs:string" default="0"/> <xs:attribute name="configid" type="xs:string" default="0"/> <xs:attribute name="vendor" type="xs:string"/> <xs:attribute name="family" type="xs:string"/> <xs:attribute name="name" type="xs:string"/> <xs:attribute name="version" type="xs:string"/> <xs:attribute name="patch" type="xs:string"/> </xs:complexType> <xs:element name="Application" type="iodef:SoftwareType"/> <xs:element name="OperatingSystem" type="iodef:SoftwareType"/> <!-- ==================================================================== === Miscellaneous simple classes === ==================================================================== --> <xs:element name="Description" type="iodef:MLStringType"/> <xs:element name="URL" type="xs:anyURI"/> <!-- ==================================================================== === Data Types === ==================================================================== --> <xs:simpleType name="PositiveFloatType"> <xs:restriction base="xs:float"> <xs:minExclusive value="0"/>
</xs:restriction> </xs:simpleType> <xs:complexType name="MLStringType"> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="lang" type="xs:language" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> <xs:complexType name="ExtensionType" mixed="true"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="dtype" type="iodef:dtype-type" use="required"/> <xs:attribute name="ext-dtype" type="xs:string" use="optional"/> <xs:attribute name="meaning" type="xs:string"/> <xs:attribute name="formatid" type="xs:string"/> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> <!-- ==================================================================== === Global attribute type declarations === ==================================================================== --> <xs:simpleType name="restriction-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="default"/> <xs:enumeration value="public"/> <xs:enumeration value="need-to-know"/> <xs:enumeration value="private"/> </xs:restriction> </xs:simpleType>
</xs:restriction> </xs:simpleType> <xs:complexType name="MLStringType"> <xs:simpleContent> <xs:extension base="xs:string"> <xs:attribute name="lang" type="xs:language" use="optional"/> </xs:extension> </xs:simpleContent> </xs:complexType> <xs:complexType name="ExtensionType" mixed="true"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:attribute name="dtype" type="iodef:dtype-type" use="required"/> <xs:attribute name="ext-dtype" type="xs:string" use="optional"/> <xs:attribute name="meaning" type="xs:string"/> <xs:attribute name="formatid" type="xs:string"/> <xs:attribute name="restriction" type="iodef:restriction-type"/> </xs:complexType> <!-- ==================================================================== === Global attribute type declarations === ==================================================================== --> <xs:simpleType name="restriction-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="default"/> <xs:enumeration value="public"/> <xs:enumeration value="need-to-know"/> <xs:enumeration value="private"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="severity-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="low"/> <xs:enumeration value="medium"/> <xs:enumeration value="high"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="severity-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="low"/> <xs:enumeration value="medium"/> <xs:enumeration value="high"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="duration-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="second"/> <xs:enumeration value="minute"/> <xs:enumeration value="hour"/> <xs:enumeration value="day"/> <xs:enumeration value="month"/> <xs:enumeration value="quarter"/> <xs:enumeration value="year"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="duration-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="second"/> <xs:enumeration value="minute"/> <xs:enumeration value="hour"/> <xs:enumeration value="day"/> <xs:enumeration value="month"/> <xs:enumeration value="quarter"/> <xs:enumeration value="year"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="action-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="nothing"/> <xs:enumeration value="contact-source-site"/> <xs:enumeration value="contact-target-site"/> <xs:enumeration value="contact-sender"/> <xs:enumeration value="investigate"/> <xs:enumeration value="block-host"/> <xs:enumeration value="block-network"/> <xs:enumeration value="block-port"/> <xs:enumeration value="rate-limit-host"/> <xs:enumeration value="rate-limit-network"/> <xs:enumeration value="rate-limit-port"/> <xs:enumeration value="remediate-other"/> <xs:enumeration value="status-triage"/> <xs:enumeration value="status-new-info"/> <xs:enumeration value="other"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="action-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="nothing"/> <xs:enumeration value="contact-source-site"/> <xs:enumeration value="contact-target-site"/> <xs:enumeration value="contact-sender"/> <xs:enumeration value="investigate"/> <xs:enumeration value="block-host"/> <xs:enumeration value="block-network"/> <xs:enumeration value="block-port"/> <xs:enumeration value="rate-limit-host"/> <xs:enumeration value="rate-limit-network"/> <xs:enumeration value="rate-limit-port"/> <xs:enumeration value="remediate-other"/> <xs:enumeration value="status-triage"/> <xs:enumeration value="status-new-info"/> <xs:enumeration value="other"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType>
<xs:simpleType name="dtype-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="boolean"/> <xs:enumeration value="byte"/> <xs:enumeration value="character"/> <xs:enumeration value="date-time"/> <xs:enumeration value="integer"/> <xs:enumeration value="ntpstamp"/> <xs:enumeration value="portlist"/> <xs:enumeration value="real"/> <xs:enumeration value="string"/> <xs:enumeration value="file"/> <xs:enumeration value="path"/> <xs:enumeration value="frame"/>
<xs:simpleType name="dtype-type"> <xs:restriction base="xs:NMTOKEN"> <xs:enumeration value="boolean"/> <xs:enumeration value="byte"/> <xs:enumeration value="character"/> <xs:enumeration value="date-time"/> <xs:enumeration value="integer"/> <xs:enumeration value="ntpstamp"/> <xs:enumeration value="portlist"/> <xs:enumeration value="real"/> <xs:enumeration value="string"/> <xs:enumeration value="file"/> <xs:enumeration value="path"/> <xs:enumeration value="frame"/>
<xs:enumeration value="packet"/> <xs:enumeration value="ipv4-packet"/> <xs:enumeration value="ipv6-packet"/> <xs:enumeration value="url"/> <xs:enumeration value="csv"/> <xs:enumeration value="winreg"/> <xs:enumeration value="xml"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:schema>
<xs:enumeration value="packet"/> <xs:enumeration value="ipv4-packet"/> <xs:enumeration value="ipv6-packet"/> <xs:enumeration value="url"/> <xs:enumeration value="csv"/> <xs:enumeration value="winreg"/> <xs:enumeration value="xml"/> <xs:enumeration value="ext-value"/> </xs:restriction> </xs:simpleType> </xs:schema>
The IODEF data model itself does not directly introduce security issues. Rather, it simply defines a representation for incident information. As the data encoded by the IODEF might be considered privacy sensitive by the parties exchanging the information or by those described by it, care needs to be taken in ensuring the appropriate disclosure during both document exchange and subsequent processing. The former must be handled by a messaging format, but the latter risk must be addressed by the systems that process, store, and archive IODEF documents and information derived from them.
The contents of an IODEF document may include a request for action or an IODEF parser may independently have logic to take certain actions based on information that it finds. For this reason, care must be taken by the parser to properly authenticate the recipient of the document and ascribe an appropriate confidence to the data prior to action.
The underlying messaging format and protocol used to exchange instances of the IODEF MUST provide appropriate guarantees of confidentiality, integrity, and authenticity. The use of a standardized security protocol is encouraged. The Real-time Inter-network Defense (RID) protocol [18] and its associated transport binding IODEF/RID over SOAP [19] provide such security.
In order to suggest data processing and handling guidelines of the encoded information, the IODEF allows a document sender to convey a privacy policy using the restriction attribute. The various instances of this attribute allow different data elements of the document to be covered by dissimilar policies. While flexible, it must be stressed that this approach only serves as a guideline from the sender, as the recipient is free to ignore it. The issue of enforcement is not a technical problem.
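As an added example that is not part of RFC 5070, the following Python prunes a constructed IODEF-Document on the recipient's side before it is forwarded on a channel of a given sensitivity, honouring the sender's restriction attribute. It assumes that an element without the attribute inherits the enclosing element's value, that restriction="default" resolves to a local default of "private", and that unknown values are treated as "private".

```python
"""Added example, not part of RFC 5070: honour the sender's restriction
attribute at the recipient by pruning an IODEF-Document before it is
forwarded on a channel of a given sensitivity."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"

# Restriction values defined in IODEF 1.0, ranked least to most sensitive.
RANK = {"public": 0, "need-to-know": 1, "private": 2}
# Assumed local policy: what restriction="default" (or an absent attribute
# on the top-level element, or an unknown value) resolves to.
PARSER_DEFAULT = "private"

# Constructed sample document. Elements without a restriction attribute are
# treated here as inheriting the enclosing element's value (an assumption).
SAMPLE_IODEF = f"""<IODEF-Document version="1.00" lang="en" xmlns="{IODEF_NS}">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="csirt.example.com">INC-0001</IncidentID>
    <ReportTime>2007-12-01T10:00:00+00:00</ReportTime>
    <Assessment><Impact type="dos" completion="failed"/></Assessment>
    <Contact role="creator" type="person" restriction="private">
      <ContactName>Analyst Name</ContactName>
      <Email>analyst@csirt.example.com</Email>
    </Contact>
  </Incident>
</IODEF-Document>"""


def _rank(value):
    """Map a restriction value to its rank; fail closed on anything unknown."""
    if value == "default":
        value = PARSER_DEFAULT
    return RANK.get(value, RANK[PARSER_DEFAULT])


def _prune(elem, inherited, max_rank):
    """Drop every child subtree whose effective restriction exceeds max_rank."""
    for child in list(elem):
        level = child.get("restriction", inherited)
        if _rank(level) > max_rank:
            elem.remove(child)
        else:
            _prune(child, level, max_rank)


def filter_for_channel(xml_text, channel):
    """Return (pruned XML string, local names of the surviving elements)."""
    root = ET.fromstring(xml_text)
    _prune(root, root.get("restriction", PARSER_DEFAULT), RANK[channel])
    names = [e.tag.split("}")[1] for e in root.iter()]
    return ET.tostring(root, encoding="unicode"), names


if __name__ == "__main__":
    for chan in ("public", "need-to-know", "private"):
        print(chan, filter_for_channel(SAMPLE_IODEF, chan)[1])
```

Forwarding on a "public" channel leaves only the empty document envelope, since the whole Incident is marked need-to-know; a "need-to-know" channel keeps the incident but drops the private Contact subtree.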
This document uses URNs to describe an XML namespace and schema conforming to a registry mechanism described in [15].
Registration for the IODEF namespace:
o URI: urn:ietf:params:xml:ns:iodef-1.0
o Registrant Contact: See the first author of the "Author's Address" section of this document.
o XML: None. Namespace URIs do not represent an XML specification.
Registration for the IODEF XML schema:
o URI: urn:ietf:params:xml:schema:iodef-1.0
o Registrant Contact: See the first author of the "Author's Address" section of this document.
o XML: See the "IODEF Schema" in Section 8 of this document.
The following groups and individuals, listed alphabetically, contributed substantially to this document and should be recognized for their efforts.
o Patrick Cain, Cooper-Cain Group, Inc.
o The eCSIRT.net Project
o The Incident Object Description and Exchange Format Working-Group of the TERENA task-force (TF-CSIRT)
o Glenn Mansfield Keeni, Cyber Solutions, Inc.
o Hiroyuki Kido, NARA Institute of Science and Technology
o Kathleen Moriarty, MIT Lincoln Laboratory
o Brian Trammell, CERT/NetSA
[1] World Wide Web Consortium, "Extensible Markup Language (XML) 1.0 (Second Edition)", W3C Recommendation, October 2000, <http://www.w3.org/TR/2000/REC-xml-20001006>.
[2] World Wide Web Consortium, "XML Schema Part 1: Structures Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-1/>.
[3] World Wide Web Consortium, "XML Schema Part 2: Datatypes Second Edition", W3C Recommendation, October 2004, <http://www.w3.org/TR/xmlschema-2/>.
[4] World Wide Web Consortium, "Namespaces in XML", W3C Recommendation, January 1999, <http://www.w3.org/TR/REC-xml-names/>.
[5] World Wide Web Consortium, "XML Path Language (XPath) 2.0", W3C Candidate Recommendation, June 2006, <http://www.w3.org/TR/xpath20/>.
[6] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March 1997.
[7] Phillips, A. and M. Davis, "Tags for Identifying of Languages", RFC 4646, September 2006.
[8] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifiers (URI): Generic Syntax", RFC 3986, January 2005.
[9] Freed, N. and J. Postel, "IANA Charset Registration Procedures", BCP 2978, October 2000.
[10] Sciberras, A., "Schema for User Applications", RFC 4519, June 2006.
[11] Resnick, P., "Internet Message Format", RFC 2822, April 2001.
[12] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July 2002.
[13] International Organization for Standardization, "International Standard: Data elements and interchange formats - Information interchange - Representation of dates and times", ISO 8601, Second Edition, December 2000.
[14] International Organization for Standardization, "International Standard: Codes for the representation of currencies and funds, ISO 4217:2001", ISO 4217:2001, August 2001.
[15] Mealling, M., "The IETF XML Registry", RFC 3688, January 2004.
[16] Keeni, G., Demchenko, Y., and R. Danyliw, "Requirements for the Format for Incident Information Exchange (FINE)", Work in Progress, June 2006.
[17] Debar, H., Curry, D., Debar, H., and B. Feinstein, "Intrusion Detection Message Exchange Format", RFC 4765, March 2007.
[18] Moriarty, K., "Real-time Inter-network Defense", Work in Progress, April 2007.
[19] Moriarty, K. and B. Trammell, "IODEF/RID over SOAP", Work in Progress, April 2007.
[20] Shafranovich, Y., "Common Format and MIME Type for Comma-Separated Values (CSV) File", RFC 4180, October 2005.
Authors' Addresses
Roman Danyliw CERT - Software Engineering Institute Pittsburgh, PA USA
EMail: rdd@cert.org
Jan Meijer
EMail: jan@flyingcloggies.nl
Yuri Demchenko University of Amsterdam Amsterdam Netherlands
EMail: demch@chello.nl
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.