Enumeration

Updates to the existing enumerations:

Checksum.algorithm

Rank Keyword Description
0 MD4 The MD4 algorithm.
1 MD5 The MD5 algorithm.
2 SHA1 The SHA1 algorithm.
3 SHA2-256 The SHA2 algorithm with 256 bits length.
4 SHA2-384 The SHA2 algorithm with 384 bits length.
5 SHA2-512 The SHA2 algorithm with 512 bits length.
6 CRC-32 The CRC algorithm with 32 bits length.
7 Haval The Haval algorithm.
8 Tiger The Tiger algorithm.
9 Gost The Gost algorithm.

No change.

Source.spoofed/ Target.decoy

Rank Keyword Description
0 unknown Accuracy of target information unknown
1 yes Target is believed to be a decoy
2 no Target is believed to be "real"

No change.

FileAccess.permissions

Rank Keyword Description
0 noAccess No access at all is allowed for this user
1 read This user has read access to the file
2 write This user has write access to the file
3 execute This user has the ability to execute the file
4 search This user has the ability to search this file (applies to "execute" permission on directories in Unix)
5 delete This user has the ability to delete this file
6 executeAs This user has the ability to execute this file as another user
7 changePermissions This user has the ability to change the access permissions on this file
8 changeOwnership (was takeOwnership) This user has the ability to change the ownership of this file
9 + ReadPermissions This user has the ability to read the access permissions on this file

Added ReadPermissions; renamed takeOwnership to changeOwnership.

Action.category

Rank Keyword Description
0 block-installed A block of some sort was installed to prevent an attack from reaching its destination. The block could be a port block, address block, etc., or disabling a user account.
1 notification-sent A notification message of some sort was sent out-of-band (via pager, e-mail, etc.). Does not include the transmission of this alert.
2 taken-offline A system, computer, or user was taken offline, as when the computer is shut down or a user is logged off.
3 + sanitize Temporarily block the attack
4 other Anything not in one of the above categories.

Added sanitize.
Descriptions updated.

Confidence.rating

Rank Keyword Description
0 low The analyzer has little confidence in its validity
1 medium The analyzer has average confidence in its validity
2 high The analyzer has high confidence in its validity
3 numeric The analyzer has provided a posterior probability value indicating its confidence in its validity

No change.

UserID.type

Rank Keyword Description
0 current-user The current user id being used by the user or process. On Unix systems, this would be the "real" user id, in general.
1 original-user The actual identity of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a user id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the "login id" should be used.
2 target-user The user id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su", "rlogin", "telnet", etc.
3 + current-group The current group id being used by the user or process. On Unix systems, this would be the "real" group id, in general.
4 original-group The actual identity of the group of the user or process being reported on. On those systems that (a) do some type of auditing and (b) support extracting a group id from the "audit id" token, that value should be used. On those systems that do not support this, and where the user has logged into the system, the group of the "login id" should be used.
5 + target-group The group id the user or process is attempting to become. This would apply, on Unix systems for example, when the user attempts to use "su", "rlogin", "telnet", etc.
6 user-privs User id associated with a file permission. On Unix systems, this would be the "effective" user id in a user or process context, and the owner permissions in a file context. Multiple UserId elements of this type may be used to specify a list of privileges.
7 group-privs Group id associated with a file permission. On Unix systems, this would be the "effective" group id in a group or process context, and the group permissions in a file context. On BSD-derived Unix systems, multiple UserId elements of this type would be used to include all the group ids on the "group list".
8 other-privs The file permissions assigned to users who do not match either the user or group permissions on the file. On Unix systems, this would be the "world" permissions.

Descriptions updated.
Added current-group, target-group.
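
As an added example (not from the original page), the following Python shows how a Unix sensor could fill the FileAccess.permissions keywords from the table above for the three UserID.type values that apply in a file context (user-privs, group-privs, other-privs), starting from a file's st_mode. It covers the two cases the tables single out: "search" replacing "execute" on directories, and "executeAs" when the setuid bit is set on an executable. The mapping rules (the owner always gets changePermissions; delete is not derived because it depends on the parent directory's mode, not the file's) are this example's assumptions, not anything the page states.

```python
"""Derive IDMEF FileAccess permission keywords from a Unix st_mode (added example)."""
import stat

# UserID.type values used in a file context, paired with the mode-bit triad
# (read, write, execute) each one refers to.
_TRIADS = (
    ("user-privs", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group-privs", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("other-privs", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)


def permissions_from_mode(mode: int) -> dict[str, list[str]]:
    """Map st_mode to {UserID.type: [FileAccess.permissions keywords]}.

    Assumed rules for this example:
    - "search" replaces "execute" on directories, per the enumeration note.
    - The setuid bit on an executable file yields "executeAs" for every class
      that may execute it (setgid grants another group, not another user, so
      it is not mapped).
    - The owner can always chmod, so user-privs gains "changePermissions".
    - "delete" is governed by the parent directory's write and search bits,
      not by the file's own mode, so it is deliberately not derived here.
    - "changeOwnership" is root-only on Linux and is not derived either.
    """
    is_dir = stat.S_ISDIR(mode)
    setuid_exec = (not is_dir) and bool(mode & stat.S_ISUID)
    result: dict[str, list[str]] = {}
    for utype, r_bit, w_bit, x_bit in _TRIADS:
        perms: list[str] = []
        if mode & r_bit:
            perms.append("read")
        if mode & w_bit:
            perms.append("write")
        if mode & x_bit:
            perms.append("search" if is_dir else "execute")
            if setuid_exec:
                perms.append("executeAs")
        if utype == "user-privs":
            perms.append("changePermissions")
        # "noAccess" only when no other keyword applies (never for the owner).
        result[utype] = perms or ["noAccess"]
    return result


if __name__ == "__main__":
    # Constructed sample modes: a 0644 regular file, a 0755 directory,
    # a setuid 4755 binary and a private 0600 file.
    for sample in (0o100644, 0o040755, 0o104755, 0o100600):
        print(oct(sample), permissions_from_mode(sample))
```

In a real sensor the input would be `os.lstat(path).st_mode`; the UserId name and number for user-privs and group-privs come from `st_uid` and `st_gid`, which this example leaves to the caller.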

Impact.completion

Rank Keyword Description
0 failed The attempt was not successful
1 succeeded The attempt succeeded
2 + unknown Unknown

Added unknown.

Impact.severity

Rank Keyword Description
0 info Alert represents informational activity
1 low Low severity
2 medium Medium severity
3 high High severity

No change.

Impact.type

Rank Keyword Description
0 admin Administrative privileges were attempted or obtained
1 dos A denial of service was attempted or completed
2 file An action on a file was attempted or completed
3 recon A reconnaissance probe was attempted or completed
4 user User privileges were attempted or obtained
5 other Anything not in one of the above categories

Base this on ISI 002, section B1.2.

Node.category

Rank Keyword Description
0 unknown Domain unknown or not relevant
1 ads Windows 2000 Advanced Directory Services
2 afs Andrew File System (Transarc)
3 coda Coda Distributed File System
4 dfs Distributed File System (IBM)
5 dns Domain Name System
6 hosts Local hosts file
7 kerberos Kerberos realm
8 nds Novell Directory Services
9 nis Network Information Services (Sun)
10 nisplus Network Information Services Plus (Sun)
11 nt Windows NT domain
12 wfw Windows for Workgroups
13 llmnr Link-local Multicast Name Resolution
14 mdns multicast Domain Name System

Added LLMNR and mDNS.
Rename ads to AD?

Address.category

Rank Keyword Description
0 unknown Address type unknown
1 atm Asynchronous Transfer Mode network address
2 e-mail Electronic mail address (RFC 2822 [12])
3 lotus-notes Lotus Notes e-mail address
4 mac Media Access Control (MAC) address
5 sna IBM Shared Network Architecture (SNA) address
6 vm IBM VM ("PROFS") e-mail address
7 ipv4-addr IPv4 host address in dotted-decimal notation (a.b.c.d)
8 ipv4-addr-hex IPv4 host address in hexadecimal notation
9 ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
10 ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
11 ipv6-addr IPv6 host address
12 ipv6-addr-hex IPv6 host address in hexadecimal notation
13 ipv6-net IPv6 network address, slash, significant bits
14 ipv6-net-mask IPv6 network address, slash, network mask

Move the e-mail address categories to UserID?

Linkage.category

Rank Keyword Description
0 hard-link The <name> element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others.
1 mount-point An alias for the directory specified by the parent's <name> and <path> elements.
2 reparse-point Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points.
3 shortcut The file represented by a Windows "shortcut". A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager.
4 stream An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main <File>.
5 symbolic-link The <name> element represents the file to which the link points.

No change.

Reference.origin

Rank Keyword Description
0 unknown Origin of the name is not known
1 vendor-specific A vendor-specific name (and hence, URL); this can be used to provide product-specific information
2 user-specific A user-specific name (and hence, URL); this can be used to provide installation-specific information
3 bugtraqid The SecurityFocus ("Bugtraq") vulnerability database identifier (http://www.securityfocus.com/bid)
4 cve The Common Vulnerabilities and Exposures (CVE) name (http://www.cve.mitre.org/)
5 osvdb The Open Source Vulnerability Database (http://www.osvdb.org)
6 + cert-specific A CERT-specific name (and hence, URL); this can be used to provide CERT-specific information

Added cert-specific.

YV / HD: no "other" field, enumeration. The standard provides a link to IANA, which gives a regularly updated list of the existing values (similar to IODEFv2).