IODEF Flow Zoom

The Flow Class

The Flow class groups the related source and target hosts of an event.

The aggregate class that constitutes Flow is:

  • System

One or More. A host or network involved in an event.

The Flow class has no attributes.

The System Class

The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of "target" or "intermediate" (the keyword the enumeration below uses for an intermediary), the machine or service is the one targeted in the activity. A value of "sensor" indicates that this System was part of the instrumentation used to monitor the network.

The aggregate classes that constitute System are:

  • Node

One. A host or network involved in the incident.

  • Service

Zero or more. A network service running on the system.

  • OperatingSystem

Zero or one. The operating system running on the system.

  • Counter

Zero or more. A counter with which to summarize properties of this host or network.

  • Description

Zero or more. ML_STRING. A free-form text description of the System.

  • AdditionalData

Zero or more. A mechanism by which to extend the data model.

The System class has five attributes:

  • restriction

Optional. ENUM. This attribute is defined in the Incident class.

  • category

Required. ENUM. Classifies the role the host or network played in the incident. The possible values are:

   Rank  Keyword         Description
   1     source          The System was the source of the event.
   2     target          The System was the target of the event.
   3     intermediate    The System was an intermediary in the event.
   4     sensor          The System was a sensor monitoring the event.
   5     infrastructure  The System was an infrastructure node of IODEF document exchange.
   6     ext-value       An escape value used to extend this attribute.

  • ext-category

Optional. STRING. A means by which to extend the category attribute.

  • interface

Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.

  • spoofed

Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".

   Rank  Keyword  Description
   1     unknown  The accuracy of the category attribute value is unknown.
   2     yes      The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
   3     no       The category attribute value is believed to be correct.

The Node Class

The Node class names a system (e.g., PC, router) or network. This class was derived from the IDMEF.

The aggregate classes that constitute Node are:

  • NodeName

Zero or more. ML_STRING. The name of the Node (e.g., fully qualified domain name). This information MUST be provided if no Address information is given.

  • Address

Zero or more. The hardware, network, or application address of the Node. If a NodeName is not provided, at least one Address MUST be specified.

  • Location

Zero or one. ML_STRING. A free-form description of the physical location of the equipment.

  • DateTime

Zero or one. A timestamp of when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and NodeName are specified.

  • NodeRole

Zero or more. The intended purpose of the Node.

  • Counter

Zero or more. A counter with which to summarize properties of this host or network.

The Address Class

The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.

This class was derived from the IDMEF.

The Address class has four attributes:

  • category

Required. ENUM. The type of address represented. The permitted values for this attribute are shown below. The default value is "ipv4-addr".

   Rank  Keyword        Description
   1     asn            Autonomous System Number
   2     atm            Asynchronous Transfer Mode (ATM) address
   3     e-mail         Electronic mail address (RFC 822)
   4     ipv4-addr      IPv4 host address in dotted-decimal notation (a.b.c.d)
   5     ipv4-net       IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)
   6     ipv4-net-mask  IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
   7     ipv6-addr      IPv6 host address
   8     ipv6-net       IPv6 network address, slash, significant bits
   9     ipv6-net-mask  IPv6 network address, slash, network mask
   10    mac            Media Access Control (MAC) address
   11    ext-value      An escape value used to extend this attribute.

  • ext-category

Optional. STRING. A means by which to extend the category attribute.

  • vlan-name

Optional. STRING. The name of the Virtual LAN to which the address belongs.

  • vlan-num

Optional. STRING. The number of the Virtual LAN to which the address belongs.
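An Address@category value is an assertion about the syntax of the element's text, and a consumer of IODEF from another party should not take it on trust: an "ipv4-net" that is really a host address, or a "mac" with five octets, will mis-route any automated blocking built on it. The Python below is an added example, not code from this page or from the IODEF project. The category-to-syntax mapping follows the table above; the e-mail and MAC checks are shape checks rather than full RFC 822 or IEEE 802 validation (an assumption), "atm" is passed through unchecked, and "ext-value" is accepted only when ext-category is also present, following the RFC 5070 extension convention.

```python
"""Check that an IODEF Address value has the syntax its category claims."""
import ipaddress
import re

# Shape checks only (assumption): enough to catch a category/value mismatch,
# not full RFC 822 or IEEE 802 validation.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def _host(value, version):
    """ipv4-addr / ipv6-addr: a single host address of the given family."""
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False

def _net_prefix(value, version):
    """ipv4-net / ipv6-net: network, slash, significant bits (a.b.c.d/nn)."""
    _, sep, prefix = value.partition("/")
    if not (sep and prefix.isdigit()):
        return False
    try:  # strict=True rejects host bits set inside the network part
        return ipaddress.ip_network(value, strict=True).version == version
    except ValueError:
        return False

def _net_mask(value, version):
    """ipv4-net-mask / ipv6-net-mask: network, slash, mask in address notation."""
    net_s, _, mask_s = value.partition("/")
    try:
        net, mask = ipaddress.ip_address(net_s), ipaddress.ip_address(mask_s)
    except ValueError:
        return False
    if net.version != version or mask.version != version:
        return False
    bits = f"{int(mask):0{mask.max_prefixlen}b}"
    # Mask must be contiguous ones then zeros, and no host bits may be set.
    return "01" not in bits and int(net) & ~int(mask) == 0

CHECKS = {
    "asn": lambda v: v.isdigit() and int(v) <= 0xFFFFFFFF,
    "atm": lambda v: bool(v),  # no ATM address parser here (pass-through)
    "e-mail": lambda v: EMAIL_RE.match(v) is not None,
    "ipv4-addr": lambda v: _host(v, 4),
    "ipv4-net": lambda v: _net_prefix(v, 4),
    "ipv4-net-mask": lambda v: _net_mask(v, 4),
    "ipv6-addr": lambda v: _host(v, 6),
    "ipv6-net": lambda v: _net_prefix(v, 6),
    "ipv6-net-mask": lambda v: _net_mask(v, 6),
    "mac": lambda v: MAC_RE.match(v) is not None,
}

def address_is_consistent(category, value, ext_category=None):
    """True when `value` is syntactically valid for Address@category.

    ext-value is accepted only together with an ext-category naming the
    extension (RFC 5070 section 5.1 convention); unknown categories fail.
    """
    value = value.strip()
    if category == "ext-value":
        return bool(ext_category) and bool(value)
    checker = CHECKS.get(category)
    return checker is not None and bool(checker(value))
```

Rejecting "192.0.2.10/24" for ipv4-net (host bits set) is deliberate: a producer that writes a host address under a network category is either confused or probing how liberally the consumer parses, and either way the value should be quarantined rather than silently widened or narrowed.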

NodeRole Class

The NodeRole class describes the intended function performed by a particular host.

The NodeRole class has three attributes:

  • category

Required. ENUM. Functionality provided by a node.

   Rank  Keyword          Description
   1     client           Client computer
   2     server-internal  Server with internal services
   3     server-public    Server with public services
   4     www              WWW server
   5     mail             Mail server
   6     messaging        Messaging server (e.g., NNTP, IRC, IM)
   7     streaming        Streaming-media server
   8     voice            Voice server (e.g., SIP, H.323)
   9     file             File server (e.g., SMB, CVS, AFS)
   10    ftp              FTP server
   11    p2p              Peer-to-peer node
   12    name             Name server (e.g., DNS, WINS)
   13    directory        Directory server (e.g., LDAP, finger, whois)
   14    credential       Credential server (e.g., domain controller, Kerberos)
   15    print            Print server
   16    application      Application server
   17    database         Database server
   18    infra            Infrastructure server (e.g., router, firewall, DHCP)
   19    log              Log server (e.g., syslog)
   20    ext-value        An escape value used to extend this attribute.

  • ext-category

Optional. STRING. A means by which to extend the category attribute.

  • lang

Required. ENUM. A valid language code per RFC 4646 constrained by the definition of "xs:language".

The Service Class

The Service class describes a network service of a host or network. The service is identified by a specific port or list of ports, along with the application listening on that port.

When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating. Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.

This class was derived from the IDMEF.

The aggregate classes that constitute Service are:

  • Port

Zero or one. INTEGER. A port number.

  • Portlist

Zero or one. PORTLIST. A list of port numbers.

  • ProtoCode

Zero or one. INTEGER. A layer-4 protocol-specific code field (e.g., ICMP code field).

  • ProtoType

Zero or one. INTEGER. A layer-4 protocol specific type field (e.g., ICMP type field).

  • ProtoFlags

Zero or one. INTEGER. A layer-4 protocol specific flag field (e.g., TCP flag field).

  • Application

Zero or more. The application bound to the specified Port or Portlist.

Either a Port or Portlist class MUST be specified for a given instance of a Service class.

For a given source, System@category="source", a corresponding target, System@category="target", may be defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n ports are listed for a source, n ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many cases, the exact order in which the System classes are enumerated in the Flow class is significant.

The Service class has one attribute:

  • ip_protocol

Required. INTEGER. The IANA protocol number.
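The constraints spread across the Flow, System, Node and Service descriptions above (one Node per System, NodeName or Address, Port or Portlist, a required ip_protocol, and the Portlist symmetry rule) are exactly what a CSIRT should verify before acting on a partner-supplied report, because a Flow that violates them cannot be mapped to firewall rules or pcap filters unambiguously. The Python below is an added example, not code from this page or from the IODEF project. The sample Flow document is constructed here; the namespace is the IODEF 1.0 one from RFC 5070; and pairing the n-th source port with the n-th target port across all Services of a System is this example's reading of the 1-to-1 case.

```python
"""Consistency checks for an IODEF 1.0 Flow element (RFC 5070 namespace)."""
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}
SYSTEM_CATEGORIES = {"source", "target", "intermediate", "sensor",
                     "infrastructure", "ext-value"}

# Constructed sample (not from the page): one source host reaching two
# ports on one target, Portlists aligned so 40001->80 and 40002->443.
SAMPLE_FLOW = """\
<Flow xmlns="urn:ietf:params:xml:ns:iodef-1.0">
  <System category="source" spoofed="no">
    <Node>
      <Address category="ipv4-addr">192.0.2.10</Address>
    </Node>
    <Service ip_protocol="6">
      <Portlist>40001,40002</Portlist>
    </Service>
  </System>
  <System category="target">
    <Node>
      <NodeName>www.example.com</NodeName>
      <Address category="ipv4-addr">198.51.100.20</Address>
      <DateTime>2015-05-07T15:42:00Z</DateTime>
    </Node>
    <Service ip_protocol="6">
      <Portlist>80,443</Portlist>
      <Application vendor="Example" name="httpd" version="2.4"/>
    </Service>
  </System>
</Flow>
"""

def expand_portlist(text):
    """Expand a PORTLIST such as "80,443,8000-8002" into an ordered port list."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif item:
            ports.append(int(item))
    return ports

def service_ports(service):
    """Ports named by a Service via Port or Portlist; None when it has neither."""
    port = service.find("iodef:Port", NS)
    if port is not None:
        return [int(port.text)]
    portlist = service.find("iodef:Portlist", NS)
    if portlist is not None:
        return expand_portlist(portlist.text or "")
    return None

def ports_by_category(flow):
    """Map System@category to the ordered ports of all its Services."""
    out = {}
    for system in flow.findall("iodef:System", NS):
        for service in system.findall("iodef:Service", NS):
            ports = service_ports(service) or []
            out.setdefault(system.get("category"), []).extend(ports)
    return out

def flow_port_pairs(xml_text):
    """(source port, target port) tuples implied by the ordering rule (1-to-1 case)."""
    by_cat = ports_by_category(ET.fromstring(xml_text))
    return list(zip(by_cat.get("source", []), by_cat.get("target", [])))

def check_flow(xml_text):
    """Return the list of violated constraints; empty when the Flow is consistent."""
    flow = ET.fromstring(xml_text)
    findings, uses_portlist = [], set()
    for i, system in enumerate(flow.findall("iodef:System", NS)):
        label, cat = f"System[{i}]", system.get("category")
        if cat not in SYSTEM_CATEGORIES:
            findings.append(f"{label}: category {cat!r} is not a permitted value")
        node = system.find("iodef:Node", NS)
        if node is None:
            findings.append(f"{label}: exactly one Node is required")
        else:
            has_name = node.find("iodef:NodeName", NS) is not None
            has_addr = node.find("iodef:Address", NS) is not None
            if not (has_name or has_addr):
                findings.append(f"{label}/Node: NodeName or Address MUST be given")
            if has_name and has_addr and node.find("iodef:DateTime", NS) is None:
                findings.append(f"{label}/Node: DateTime SHOULD accompany NodeName and Address")
        for j, service in enumerate(system.findall("iodef:Service", NS)):
            slabel = f"{label}/Service[{j}]"
            if service.get("ip_protocol") is None:
                findings.append(f"{slabel}: ip_protocol is required")
            if service_ports(service) is None:
                findings.append(f"{slabel}: Port or Portlist MUST be specified")
            elif service.find("iodef:Portlist", NS) is not None:
                uses_portlist.add(cat)
    # Symmetry rule: with a Portlist on both sides the n-th source port pairs
    # with the n-th target port, so the expanded lists must be equally long.
    by_cat = ports_by_category(flow)
    n_src, n_dst = len(by_cat.get("source", [])), len(by_cat.get("target", []))
    if {"source", "target"} <= uses_portlist and n_src != n_dst:
        findings.append(f"Portlist symmetry: source lists {n_src} ports, target {n_dst}")
    return findings
```

The DateTime check is reported as a SHOULD rather than a MUST, mirroring the Node description: a NodeName plus Address without the time of resolution is still valid, but an analyst cannot tell whether the name pointed at that address at the time of the activity or at the time the report was written.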

The Application Class

The Application class describes an application running on a System providing a Service.

The aggregate class that constitutes Application is:

  • URL

Zero or one. URL. A URL describing the application.

The Application class has seven attributes:

  • swid

Optional. STRING. An identifier that can be used to reference this software.

  • configid

Optional. STRING. An identifier that can be used to reference a particular configuration of this software.

  • vendor

Optional. STRING. Vendor name of the software.

  • family

Optional. STRING. Family of the software.

  • name

Optional. STRING. Name of the software.

  • version

Optional. STRING. Version of the software.

  • patch

Optional. STRING. Patch or service pack level of the software.

OperatingSystem Class

The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class.

Attachment: flow.svg, IODEF UML diagram of the Flow class (157 KB), Vérène Houdebine, 05/07/2015 05:42 PM