IODEF Flow Zoom
The Flow Class
The Flow class groups related source and target hosts.
The aggregate class that constitutes Flow is:
- System
One or more. A host or network involved in an event.
The Flow class has no attributes.
The System Class
The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", the aggregated classes denote the machine and service from which the activity originates. With a category attribute value of "target" or "intermediary", the machine or service is the one targeted in the activity. A value of "sensor" indicates that this System was part of an instrumentation to monitor the network.
The aggregate classes that constitute System are:
- Node
One. A host or network involved in the incident.
- Service
Zero or more. A network service running on the system.
- OperatingSystem
Zero or one. The operating system running on the system.
- Counter
Zero or more. A counter with which to summarize properties of this host or network.
- Description
Zero or more. ML_STRING. A free-form text description of the System.
- AdditionalData
Zero or more. A mechanism by which to extend the data model.
The System class has five attributes:
- restriction
Optional. ENUM. This attribute is defined in the Incident class.
- category
Required. ENUM. Classifies the role the host or network played in the incident. The possible values are:
| Rank | Keyword | Description |
|---|---|---|
| 1 | source | The System was the source of the event. |
| 2 | target | The System was the target of the event. |
| 3 | intermediate | The System was an intermediary in the event. |
| 4 | sensor | The System was a sensor monitoring the event. |
| 5 | infrastructure | The System was an infrastructure node of IODEF document exchange. |
| 6 | ext-value | An escape value used to extend this attribute. |
- ext-category
Optional. STRING. A means by which to extend the category attribute.
- interface
Optional. STRING. Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.
- spoofed
Optional. ENUM. An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".
| Rank | Keyword | Description |
|---|---|---|
| 1 | unknown | The accuracy of the category attribute value is unknown. |
| 2 | yes | The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim. |
| 3 | no | The category attribute value is believed to be correct. |
The Node Class
The Node class names a system (e.g., PC, router) or network. This class was derived from the IDMEF.
The aggregate classes that constitute Node are:
- NodeName
Zero or more. ML_STRING. The name of the Node (e.g., fully qualified domain name). This information MUST be provided if no Address information is given.
- Address
Zero or more. The hardware, network, or application address of the Node. If a NodeName is not provided, at least one Address MUST be specified.
- Location
Zero or one. ML_STRING. A free-form description of the physical location of the equipment.
- DateTime
Zero or one. A timestamp of when the resolution between the name and address was performed. This information SHOULD be provided if both an Address and NodeName are specified.
- NodeRole
Zero or more. The intended purpose of the Node.
- Counter
Zero or more. A counter with which to summarize properties of this host or network.
The Address Class
The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.
This class was derived from the IDMEF.
The Address class has four attributes:
- category
Required. ENUM. The type of address represented. The permitted values for this attribute are shown below. The default value is "ipv4-addr".
| Rank | Keyword | Description |
|---|---|---|
| 1 | asn | Autonomous System Number |
| 2 | atm | Asynchronous Transfer Mode (ATM) address |
| 3 | e-mail | Electronic mail address (RFC 822) |
| 4 | ipv4-addr | IPv4 host address in dotted-decimal notation (a.b.c.d) |
| 5 | ipv4-net | IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn) |
| 6 | ipv4-net-mask | IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z) |
| 7 | ipv6-addr | IPv6 host address |
| 8 | ipv6-net | IPv6 network address, slash, significant bits |
| 9 | ipv6-net-mask | IPv6 network address, slash, network mask |
| 10 | mac | Media Access Control (MAC) address |
| 11 | ext-value | An escape value used to extend this attribute. |
- ext-category
Optional. STRING. A means by which to extend the category attribute.
- vlan-name
Optional. STRING. The name of the Virtual LAN to which the address belongs.
- vlan-num
Optional. STRING. The number of the Virtual LAN to which the address belongs.
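As an added example (not the specification's or any IODEF library's code), the following Python checks whether an Address value is well formed for its declared category attribute. The MAC and e-mail patterns are the example's own coarse assumptions, and for the network categories it additionally insists that host bits are zero, which the table above does not state.

```python
import ipaddress
import re
# Added example, not IODEF spec or library code: does an Address element's text
# fit the category attribute declared for it (table above)?
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # coarse RFC 822 shape only

def _prefix_net(value, version):
    """'addr/nn' form: nn is a bit count, and the host bits must be zero."""
    if value.count("/") != 1 or not value.rsplit("/", 1)[1].isdigit():
        return False
    try:
        return ipaddress.ip_network(value, strict=True).version == version
    except ValueError:
        return False

def _dotted_mask_net(value, version):
    """'addr/mask' form: the mask is written as an address of the same family."""
    addr_s, _, mask_s = value.partition("/")
    try:
        addr, mask = ipaddress.ip_address(addr_s), ipaddress.ip_address(mask_s)
    except ValueError:
        return False
    if addr.version != version or mask.version != version:
        return False
    # A contiguous mask has a complement of the form 2**k - 1; the address
    # must also have no bits set inside that host part.
    inv = int(mask) ^ ((1 << addr.max_prefixlen) - 1)
    return (inv & (inv + 1)) == 0 and (int(addr) & inv) == 0

def address_matches_category(category, value):
    """True when `value` is well formed for the given Address@category."""
    value = value.strip()
    if category == "asn":
        return value.isdigit() and int(value) < 2 ** 32
    if category in ("ipv4-addr", "ipv6-addr"):
        try:
            return ipaddress.ip_address(value).version == (4 if category == "ipv4-addr" else 6)
        except ValueError:
            return False
    if category in ("ipv4-net", "ipv6-net"):
        return _prefix_net(value, 4 if category == "ipv4-net" else 6)
    if category in ("ipv4-net-mask", "ipv6-net-mask"):
        return _dotted_mask_net(value, 4 if category == "ipv4-net-mask" else 6)
    if category == "mac":
        return bool(_MAC_RE.match(value))
    if category == "e-mail":
        return bool(_EMAIL_RE.match(value))
    # atm and ext-value carry no syntax this check can verify
    return category in ("atm", "ext-value")
```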
NodeRole Class
The NodeRole class describes the intended function performed by a particular host.
The NodeRole class has three attributes:
- category
Required. ENUM. Functionality provided by a node.
| Rank | Keyword | Description |
|---|---|---|
| 1 | client | Client computer |
| 2 | server-internal | Server with internal services |
| 3 | server-public | Server with public services |
| 4 | www | WWW server |
| 5 | mail | Mail server |
| 6 | messaging | Messaging server (e.g., NNTP, IRC, IM) |
| 7 | streaming | Streaming-media server |
| 8 | voice | Voice server (e.g., SIP, H.323) |
| 9 | file | File server (e.g., SMB, CVS, AFS) |
| 10 | ftp | FTP server |
| 11 | p2p | Peer-to-peer node |
| 12 | name | Name server (e.g., DNS, WINS) |
| 13 | directory | Directory server (e.g., LDAP, finger, whois) |
| 14 | credential | Credential server (e.g., domain controller, Kerberos) |
| 15 | print | Print server |
| 16 | application | Application server |
| 17 | database | Database server |
| 18 | infra | Infrastructure server (e.g., router, firewall, DHCP) |
| 19 | log | Log server (e.g., syslog) |
| 20 | ext-value | An escape value used to extend this attribute. |
- ext-category
Optional. STRING. A means by which to extend the category attribute.
- lang
Required. ENUM. A valid language code per RFC 4646 constrained by the definition of "xs:language".
The Service Class
The Service class describes a network service of a host or network. The service is identified by a specific port or list of ports, along with the application listening on that port.
When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating. Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.
This class was derived from the IDMEF.
The aggregate classes that constitute Service are:
- Port
Zero or one. INTEGER. A port number.
- Portlist
Zero or one. PORTLIST. A list of port numbers.
- ProtoCode
Zero or one. INTEGER. A layer-4 protocol-specific code field (e.g., ICMP code field).
- ProtoType
Zero or one. INTEGER. A layer-4 protocol specific type field (e.g., ICMP type field).
- ProtoFlags
Zero or one. INTEGER. A layer-4 protocol specific flag field (e.g., TCP flag field).
- Application
Zero or more. The application bound to the specified Port or Portlist.
Either a Port or Portlist class MUST be specified for a given instance of a Service class.
For a given source, System@type="source", a corresponding target, System@type="target", may be defined, or vice versa. When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n ports are listed for a source, n ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target. This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets. In the 1-to-many or many-to-many case, the exact order in which the System classes are enumerated in the Flow class is significant.
The Service class has one attribute:
- ip_protocol
Required. INTEGER. The IANA protocol number.
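An added Python example, not from the specification or any IODEF library, that checks a constructed Flow fragment against the rules stated on this page: a Node needs a NodeName or an Address, a Service needs exactly one of Port or Portlist, and source and target Portlists must enumerate the same number of ports. Ranges inside a PORTLIST are expanded before counting, which is the example's own reading of the n-th-port rule.

```python
import xml.etree.ElementTree as ET
# Added example, not IODEF spec or library code: check one Flow element against
# the Node, Service and Portlist-symmetry rules described on this page.
NS = {"i": "urn:ietf:params:xml:ns:iodef-1.0"}

def expand_portlist(text):
    """Expand a PORTLIST such as '80,8000-8002' into [80, 8000, 8001, 8002]."""
    ports = []
    for item in text.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports

def service_ports(system):
    """Ports of the System's Service; exactly one of Port/Portlist MUST exist."""
    svc = system.find("i:Service", NS)
    if svc is None:
        return None
    port, plist = svc.find("i:Port", NS), svc.find("i:Portlist", NS)
    if (port is None) == (plist is None):
        raise ValueError("Service MUST carry exactly one of Port or Portlist")
    return [int(port.text)] if port is not None else expand_portlist(plist.text)

def check_flow(xml_text):
    """Return a list of constraint violations found in one Flow element."""
    problems, ports = [], []
    systems = ET.fromstring(xml_text).findall("i:System", NS)
    for sysel in systems:
        cat = sysel.get("category")
        node = sysel.find("i:Node", NS)
        if node is None or (node.find("i:NodeName", NS) is None
                            and node.find("i:Address", NS) is None):
            problems.append(f"{cat}: Node MUST have a NodeName or an Address")
        try:
            ports.append(service_ports(sysel))
        except ValueError as err:
            problems.append(f"{cat}: {err}")
            ports.append(None)
    # Symmetry: every source/target pair must list equally many ports (ranges
    # are expanded so that the n-th source port pairs with the n-th target port).
    srcs = [p for s, p in zip(systems, ports) if s.get("category") == "source"]
    tgts = [p for s, p in zip(systems, ports) if s.get("category") == "target"]
    for sp in srcs:
        for tp in tgts:
            if sp and tp and len(sp) != len(tp):
                problems.append(f"port symmetry: source lists {len(sp)} ports but target lists {len(tp)}")
    return problems

SAMPLE_FLOW = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-1.0">
 <System category="source"><Node><Address category="ipv4-addr">192.0.2.10</Address></Node><Service ip_protocol="6"><Portlist>40001,40002-40003</Portlist></Service></System>
 <System category="target"><Node><NodeName>www.example.net</NodeName></Node><Service ip_protocol="6"><Portlist>80,443,8080</Portlist></Service></System>
</Flow>"""  # constructed sample, not real incident data
```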
The Application Class
The Application class describes an application running on a System providing a Service.
The aggregate class that constitutes Application is:
- URL
Zero or one. URL. A URL describing the application.
The Application class has seven attributes:
- swid
Optional. STRING. An identifier that can be used to reference this software.
- configid
Optional. STRING. An identifier that can be used to reference a particular configuration of this software.
- vendor
Optional. STRING. Vendor name of the software.
- family
Optional. STRING. Family of the software.
- name
Optional. STRING. Name of the software.
- version
Optional. STRING. Version of the software.
- patch
Optional. STRING. Patch or service pack level of the software.
OperatingSystem Class
The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class.