History

IODEF Flow Zoom¶

Incident

The Flow Class¶

The Flow class groups related the source and target hosts.

The aggregate class that constitutes Flow is:¶

System

One or More. A host or network involved in an event.

The Flow System class has no attributes.¶

The System Class¶

The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of "target" or "intermediary", then the machine or service is the one targeted in the activity. A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.

The aggregate classes that constitute System are:¶

Node

One. A host or network involved in the incident.

Service

Zero or more. A network service running on the system.

OperatingSystem

Zero or one. The operating system running on the system.

Counter

Zero or more. A counter with which to summarize properties of this host or network.

Description

Zero or more. ML_STRING. A free-form text description of the System.

AdditionalData

Zero or many. A mechanism by which to extend the data model.

The System class has five attributes:¶

restriction

Optional. ENUM. This attribute has been defined in Incident Class

category

Required. ENUM. Classifies the role the host or network played in the incident. The possible values are:

Rank Keyword Description

1 source The System was the source of the event.

2 target The System was the target of the event.

3 intermediate The System was an intermediary in the event.

4 sensor The System was a sensor monitoring the event.

5 infrastructure The System was an infrastructure node of IODEF document exchange.

6 ext-value An escape value used to extend this attribute.

ext-category

Optional. STRING. A means by which to extend the category attribute.

interface

Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.

spoofed

Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".

Rank Keyword Description

1 unknown The accuracy of the category attribute value is unknown.

2 yes The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.

3 no The category attribute value is believed to be correct.

The Node Class¶

The Node class names a system (e.g., PC, router) or network. This class was derived from the IDMEF.

The aggregate classes that constitute Node are:¶

NodeName

Zero or more. ML_STRING. The name of the Node (e.g., fully qualified domain name). This information MUST be provided if no Address information is given.

Address

Zero or more. The hardware, network, or application address of

the Node. If a NodeName is not provided, at least one Address
MUST be specified.

Location

Zero or one. ML_STRING. A free-from description of the physical location of the equipment.

DateTime

Zero or one. A timestamp of when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and NodeName are specified.

NodeRole

Zero or more. The intended purpose of the Node.

Counter

Zero or more. A counter with which to summarizes properties of this host or network.

The Address Class¶

The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.

This class was derived from the IDMEF.

The Address class has four attributes:¶

category

Required. ENUM. The type of address represented. The permitted values for this attribute are shown below. The default value is "ipv4-addr".

Rank Keyword Description

1 asn Autonomous System Number

2 atm Asynchronous Transfer Mode (ATM) address

3 e-mail Electronic mail address (RFC 822)

4 ipv4-addr IPv4 host address in dotted-decimal notation (a.b.c.d)

5 ipv4-net IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn

6 ipv4-net-mask IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)

7 ipv6-addr IPv6 host address

8 ipv6-net IPv6 network address, slash, significant bits

9 ipv6-net-mask IPv6 network address, slash, network mask

10 mac Media Access Control (MAC) address

11 ext-value An escape value used to extend this attribute.

ext-category

Optional. STRING. A means by which to extend the category attribute.

vlan-name

Optional. STRING. The name of the Virtual LAN to which the address belongs.

vlan-num

Optional. STRING. The number of the Virtual LAN to which the address belongs.

NodeRole Class¶

The NodeRole class describes the intended function performed by a particular host.

The NodeRole class has three attributes:¶

category

Required. ENUM. Functionality provided by a node.

Rank Keyword Description

1 client Client computer

2 server-internal Server with internal services

3 server-public Server with public services)

4 www WWW server

5 mail Mail server

6 messaging Messaging server (e.g., NNTP, IRC, IM)

7 streaming Streaming-media server

8 voice Voice server (e.g., SIP, H.323)

9 file File server (e.g., SMB, CVS, AFS)

10 ftp FTP server

11 p2p Peer-to-peer node

12 name Name server (e.g., DNS, WINS)

13 directory Directory server (e.g., LDAP, finger, whois)

14 credential Credential server (e.g., domain controller, Kerberos)

15 print Print server

16 application Application server

17 database Database server

18 infra Infrastructure server (e.g., router, firewall, DHCP)

19 log Logserver (e.g., syslog)

20 ext-value An escape value used to extend this attribute.

ext-category

Optional. STRING. A means by which to extend the category attribute.

lang

Required. ENUM. A valid language code per RFC 4646 constrained by the definition of "xs:language".

The Service Class¶

The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port.
When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating. Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.

This class was derived from the IDMEF.

The aggregate classes that constitute Service are:¶

Port

Zero or one. INTEGER. A port number.

Portlist

Zero or one. PORTLIST. A list of port numbers.

ProtoCode

Zero or one. INTEGER. A layer-4 protocol-specific code field (e.g., ICMP code field).

ProtoType

Zero or one. INTEGER. A layer-4 protocol specific type field (e.g., ICMP type field).

ProtoFlags

Zero or one. INTEGER. A layer-4 protocol specific flag field (e.g., TCP flag field).

Application

Zero or more. The application bound to the specified Port or Portlist.

Either a Port or Portlist class MUST be specified for a given instance of a Service class.

For a given source, System@type="source", a corresponding target, System@type="target", maybe defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n-ports are listed for a source, n-ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many, the exact order in which the System classes are enumerated in the Flow class is significant.

The Service class has one attribute:¶

ip_protocol

Required. INTEGER. The IANA protocol number.

The Application Class¶

The Application class describes an application running on a System providing a Service.

The aggregate class that constitutes Application is:¶

Zero or one. URL. A URL describing the application.

The Application class has seven attributes:¶

swid

Optional. STRING. An identifier that can be used to reference this software.

configid

Optional. STRING. An identifier that can be used to reference a particular configuration of this software.

vendor

Optional. STRING. Vendor name of the software.

family

Optional. STRING. Family of the software.

name

Optional. STRING. Name of the software.

version

Optional. STRING. Version of the software.

patch

Optional. STRING. Patch or service pack level of the software.

OperatingSystem Class¶

The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class.

Project

General

Profile

Wiki

IODEF Flow Zoom¶

The Flow Class¶

The aggregate class that constitutes Flow is:¶

The Flow System class has no attributes.¶

The System Class¶

The aggregate classes that constitute System are:¶

The System class has five attributes:¶

The Node Class¶

The aggregate classes that constitute Node are:¶

The Address Class¶

The Address class has four attributes:¶

NodeRole Class¶

The NodeRole class has three attributes:¶

The Service Class¶

The aggregate classes that constitute Service are:¶

The Service class has one attribute:¶

The Application Class¶

The aggregate class that constitutes Application is:¶

The Application class has seven attributes:¶

OperatingSystem Class¶

Rank	Keyword	Description
1	source	The System was the source of the event.
2	target	The System was the target of the event.
3	intermediate	The System was an intermediary in the event.
4	sensor	The System was a sensor monitoring the event.
5	infrastructure	The System was an infrastructure node of IODEF document exchange.
6	ext-value	An escape value used to extend this attribute.

Rank	Keyword	Description
1	unknown	The accuracy of the category attribute value is unknown.
2	yes	The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
3	no	The category attribute value is believed to be correct.

Rank	Keyword	Description
1	asn	Autonomous System Number
2	atm	Asynchronous Transfer Mode (ATM) address
3	e-mail	Electronic mail address (RFC 822)
4	ipv4-addr	IPv4 host address in dotted-decimal notation (a.b.c.d)
5	ipv4-net	IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn
6	ipv4-net-mask	IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)
7	ipv6-addr	IPv6 host address
8	ipv6-net	IPv6 network address, slash, significant bits
9	ipv6-net-mask	IPv6 network address, slash, network mask
10	mac	Media Access Control (MAC) address
11	ext-value	An escape value used to extend this attribute.

Rank	Keyword	Description
1	client	Client computer
2	server-internal	Server with internal services
3	server-public	Server with public services)
4	www	WWW server
5	mail	Mail server
6	messaging	Messaging server (e.g., NNTP, IRC, IM)
7	streaming	Streaming-media server
8	voice	Voice server (e.g., SIP, H.323)
9	file	File server (e.g., SMB, CVS, AFS)
10	ftp	FTP server
11	p2p	Peer-to-peer node
12	name	Name server (e.g., DNS, WINS)
13	directory	Directory server (e.g., LDAP, finger, whois)
14	credential	Credential server (e.g., domain controller, Kerberos)
15	print	Print server
16	application	Application server
17	database	Database server
18	infra	Infrastructure server (e.g., router, firewall, DHCP)
19	log	Logserver (e.g., syslog)
20	ext-value	An escape value used to extend this attribute.