IODEF Flow Zoom » History » Version 3

Anonymous, 06/08/2015 12:31 PM

h1. IODEF Flow Zoom

[[IODEF Incident Zoom|Incident]]
* [[IODEF Contact Zoom|Contact]]
* [[IODEF Method Zoom|Method]]
* [[IODEF Assessment Zoom|Assessment]]
* [[IODEF EventData Zoom|EventData]]
** *Flow*
* [[IODEF History Zoom|History]]

----

!/attachments/download/57/flow.svg!

----

h2. The Flow Class

The Flow class groups the related source and target hosts.

h4. The aggregate class that constitutes Flow is:

* System

> One or more.  A host or network involved in an event.

h4. The Flow class has no attributes.

h2. The System Class

The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute.  The value of this category attribute dictates the semantics of the aggregated classes in the System class.  If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating.  With a category attribute value of "target" or "intermediary", the machine or service is the one targeted in the activity.  A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.

h4. The aggregate classes that constitute System are:

* Node

> One.  A host or network involved in the incident.

* Service

> Zero or more.  A network service running on the system.

* OperatingSystem

> Zero or one.  The operating system running on the system.

* Counter

> Zero or more.  A counter with which to summarize properties of this host or network.

* Description

> Zero or more.  ML_STRING.  A free-form text description of the System.

* AdditionalData

> Zero or more.  A mechanism by which to extend the data model.

h4. The System class has five attributes:

* restriction

> Optional.  ENUM.  This attribute has been defined in [[IODEF_Incident_Zoom#Incident-Class| Incident Class]]

* category

> Required.  ENUM.  Classifies the role the host or network played in the incident.  The possible values are:

>|_.Rank        |_.Keyword          |_.Description|
> |    1 | source  | The System was the source of the event.         |
> |    2 | target  | The System was the target of the event.         |
> |    3 | intermediate  | The System was an intermediary in the event.         |
> |    4 | sensor  | The System was a sensor monitoring the event.         |
> |    5 | infrastructure  | The System was an infrastructure node of IODEF document exchange.|
> |    6 | ext-value  | An escape value used to extend this attribute.         |

* ext-category

> Optional.  STRING.  A means by which to extend the category attribute.

* interface

> Optional.  STRING.  Specifies the interface on which the event(s) on this System originated.  If the Node class specifies a network rather than a host, this attribute has no meaning.

* spoofed

> Optional.  ENUM.  An indication of confidence in whether this System was the true target or attacking host.  The permitted values for this attribute are shown below.  The default value is "unknown".

>|_.Rank        |_.Keyword          |_.Description|
> |    1 | unknown  | The accuracy of the category attribute value is unknown.         |
> |    2 | yes  | The category attribute value is probably incorrect.  In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.         |
> |    3 | no  | The category attribute value is believed to be correct.         |

h2. The Node Class

The Node class names a system (e.g., PC, router) or network. This class was derived from the [[IDMEFDiag| IDMEF]].

h4. The aggregate classes that constitute Node are:

* NodeName

> Zero or more.  ML_STRING.  The name of the Node (e.g., fully qualified domain name).  This information MUST be provided if no Address information is given.

* Address

> Zero or more.  The hardware, network, or application address of the Node.  If a NodeName is not provided, at least one Address MUST be specified.

* Location

> Zero or one.  ML_STRING.  A free-form description of the physical location of the equipment.

* DateTime

> Zero or one.  A timestamp of when the resolution between the name and address was performed.  This information SHOULD be provided if both an Address and NodeName are specified.

* NodeRole

> Zero or more.  The intended purpose of the Node.

* Counter

> Zero or more.  A counter with which to summarize properties of this host or network.

h2. The Address Class

The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.

This class was derived from the [[IDMEFDiag| IDMEF]].

h4. The Address class has four attributes:

* category

> Required.  ENUM.  The type of address represented.  The permitted values for this attribute are shown below.  The default value is "ipv4-addr".

>|_.Rank        |_.Keyword          |_.Description|
> |    1 | asn  | Autonomous System Number         |
> |    2 | atm  | Asynchronous Transfer Mode (ATM) address         |
> |    3 | e-mail  | Electronic mail address (RFC 822)         |
> |    4 | ipv4-addr  | IPv4 host address in dotted-decimal notation (a.b.c.d)         |
> |    5 | ipv4-net  | IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn)         |
> |    6 | ipv4-net-mask  | IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)         |
> |    7 | ipv6-addr  | IPv6 host address        |
> |    8 | ipv6-net  | IPv6 network address, slash, significant bits        |
> |    9 | ipv6-net-mask  | IPv6 network address, slash, network mask         |
> |    10 | mac  | Media Access Control (MAC) address         |
> |    11 | ext-value  | An escape value used to extend this attribute.         |

* ext-category

> Optional.  STRING.  A means by which to extend the category attribute.

* vlan-name

> Optional.  STRING.  The name of the Virtual LAN to which the address belongs.

* vlan-num

> Optional.  STRING.  The number of the Virtual LAN to which the address belongs.
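
The category table above says what shape each Address value should have, but a parser that ingests IODEF from other CSIRTs has to enforce that shape itself or it will happily store "192.0.2.999" as an IPv4 host. The following Python is an added example written for this page, not code from the IODEF specification or any IODEF library: it walks the Address elements of a Node, applies the default category "ipv4-addr" when the attribute is absent, and checks each value against its category. The sample Node is constructed here, the elements are written without the IODEF XML namespace for brevity, and the acceptance of an "AS" prefix on ASN values, the MAC separator characters and the coarse e-mail pattern are assumptions of the example, not rules the page states.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")   # assumption: ':' or '-' separators
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")                          # assumption: coarse RFC 822 shape


def _cidr(value, net_cls, bits):
    """address, slash, significant bits (a.b.c.d/nn or IPv6 equivalent)."""
    _addr, sep, prefix = value.partition("/")
    if not sep or not prefix.isdigit() or not 0 <= int(prefix) <= bits:
        raise ValueError("expected address/prefix-length")
    net_cls(value, strict=False)          # strict=False: host bits may be set in reports


def _v4_mask(value):
    """a.b.c.d/w.x.y.z; IPv4Network accepts dotted netmasks directly."""
    _addr, sep, mask = value.partition("/")
    if not sep or mask.isdigit():
        raise ValueError("expected a.b.c.d/w.x.y.z")
    ipaddress.IPv4Network(value, strict=False)


def _v6_mask(value):
    """IPv6 address, slash, mask in IPv6 notation; ipaddress has no netmask form for v6, so check by hand."""
    addr, sep, mask = value.partition("/")
    if not sep or mask.isdigit():
        raise ValueError("expected address/mask in IPv6 notation")
    ipaddress.IPv6Address(addr)
    m = int(ipaddress.IPv6Address(mask))
    inverted = m ^ ((1 << 128) - 1)       # a valid mask is a run of 1s followed by a run of 0s
    if inverted & (inverted + 1):
        raise ValueError("non-contiguous IPv6 network mask")


def _asn(value):
    n = value[2:] if value.upper().startswith("AS") else value   # assumption: "AS64496" is tolerated
    if not n.isdigit() or int(n) > 0xFFFFFFFF:
        raise ValueError("ASN must be a 32-bit unsigned integer")


def _matches(pattern, what):
    def check(value):
        if not pattern.match(value):
            raise ValueError("not a well-formed %s" % what)
    return check


VALIDATORS = {
    "asn": _asn,
    "atm": lambda v: None,                           # the page gives no syntax for ATM addresses
    "e-mail": _matches(_EMAIL_RE, "e-mail address"),
    "ipv4-addr": lambda v: ipaddress.IPv4Address(v),
    "ipv4-net": lambda v: _cidr(v, ipaddress.IPv4Network, 32),
    "ipv4-net-mask": _v4_mask,
    "ipv6-addr": lambda v: ipaddress.IPv6Address(v),
    "ipv6-net": lambda v: _cidr(v, ipaddress.IPv6Network, 128),
    "ipv6-net-mask": _v6_mask,
    "mac": _matches(_MAC_RE, "MAC address"),
}


def check_address(elem):
    """Return None if the Address element is consistent with its category, else a problem string."""
    category = elem.get("category", "ipv4-addr")   # page: the default value is "ipv4-addr"
    value = (elem.text or "").strip()
    if category == "ext-value":                     # escape value: only meaningful with ext-category
        return None if elem.get("ext-category") else "ext-value without ext-category"
    validator = VALIDATORS.get(category)
    if validator is None:
        return "unknown category %r" % category
    try:
        validator(value)
    except ValueError as exc:                       # ipaddress errors are ValueError subclasses
        return "%s %r: %s" % (category, value, exc)
    return None


def check_node(xml_text):
    """Return [(category, value, problem), ...] for every malformed Address in a Node."""
    problems = []
    for addr in ET.fromstring(xml_text).iter("Address"):
        problem = check_address(addr)
        if problem:
            problems.append((addr.get("category", "ipv4-addr"), (addr.text or "").strip(), problem))
    return problems


# Constructed sample Node: seven well-formed addresses followed by three defective ones.
SAMPLE_NODE = """<Node>
  <Address category="ipv4-addr">192.0.2.10</Address>
  <Address category="ipv4-net">198.51.100.0/24</Address>
  <Address category="ipv4-net-mask">203.0.113.0/255.255.255.0</Address>
  <Address category="ipv6-addr">2001:db8::1</Address>
  <Address category="ipv6-net-mask">2001:db8::/ffff:ffff::</Address>
  <Address category="mac">00:00:5e:00:53:01</Address>
  <Address category="asn">64496</Address>
  <Address category="ipv4-addr">192.0.2.999</Address>
  <Address category="ext-value" ext-category="x-host-id">host-0042</Address>
  <Address category="ext-value">no-ext-category</Address>
  <Address category="bogus">1.2.3.4</Address>
</Node>"""

if __name__ == "__main__":
    for category, value, problem in check_node(SAMPLE_NODE):
        print("%-14s %-28s %s" % (category, value, problem))
```

Rejecting a malformed Address at ingest is preferable to storing it: a value that is not parseable as the category claims cannot be matched against flow records or blocklists later, and silently keeping it hides the defect in the sending party's tooling.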

h2. NodeRole Class

The NodeRole class describes the intended function performed by a particular host.

h4. The NodeRole class has three attributes:

* category

> Required.  ENUM.  Functionality provided by a node.

>|_.Rank        |_.Keyword          |_.Description|
> |    1 | client  | Client computer         |
> |    2 | server-internal  | Server with internal services         |
> |    3 | server-public  | Server with public services         |
> |    4 | www  | WWW server         |
> |    5 | mail  | Mail server         |
> |    6 | messaging  | Messaging server (e.g., NNTP, IRC, IM)         |
> |    7 | streaming  | Streaming-media server        |
> |    8 | voice  | Voice server (e.g., SIP, H.323)       |
> |    9 | file  | File server (e.g., SMB, CVS, AFS)         |
> |    10 | ftp  | FTP server         |
> |    11 | p2p  | Peer-to-peer node         |
> |    12 | name  | Name server (e.g., DNS, WINS)         |
> |    13 | directory  | Directory server (e.g., LDAP, finger, whois)         |
> |    14 | credential  | Credential server (e.g., domain controller, Kerberos)         |
> |    15 | print  | Print server         |
> |    16 | application  | Application server         |
> |    17 | database  | Database server         |
> |    18 | infra  | Infrastructure server (e.g., router, firewall, DHCP)         |
> |    19 | log  | Log server (e.g., syslog)        |
> |    20 | ext-value  | An escape value used to extend this attribute.         |

* ext-category

> Optional.  STRING.  A means by which to extend the category attribute.

* lang

> Required.  ENUM.  A valid language code per "RFC 4646":https://tools.ietf.org/rfc/rfc4646.txt constrained by the definition of "xs:language".

h2. The Service Class

The Service class describes a network service of a host or network. The service is identified by a specific port or list of ports, along with the application listening on that port.

When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating.  Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.

This class was derived from the [[IDMEFDiag| IDMEF]].

h4. The aggregate classes that constitute Service are:

* Port

> Zero or one.  INTEGER.  A port number.

* Portlist

> Zero or one.  PORTLIST.  A list of port numbers.

* ProtoCode

> Zero or one.  INTEGER.  A layer-4 protocol-specific code field (e.g., ICMP code field).

* ProtoType

> Zero or one.  INTEGER.  A layer-4 protocol-specific type field (e.g., ICMP type field).

* ProtoFlags

> Zero or one.  INTEGER.  A layer-4 protocol-specific flag field (e.g., TCP flag field).

* Application

> Zero or more.  The application bound to the specified Port or Portlist.

Either a Port or Portlist class MUST be specified for a given instance of a Service class.

For a given source, System@type="source", a corresponding target, System@type="target", may be defined, or vice versa.  When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n ports are listed for a source, n ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target.  This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets.  In the 1-to-many or many-to-many cases, the exact order in which the System classes are enumerated in the Flow class is significant.
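
The Flow, System, Node and Service sections above state several MUST-level rules that an XML schema alone does not enforce: a System's category must be one of the listed values (ext-value only with ext-category), a Node must carry a NodeName or at least one Address, a Service must carry a Port or a Portlist and its required ip_protocol, and when both the source and the target Services use a Portlist the two lists must have the same length so that the n-th ports pair up. The following Python is an added example for this page, not code from the IODEF specification or any IODEF implementation: it checks those rules over a Flow element and returns the findings, keyed on the System category attribute defined above. Both Flow documents are constructed here without the IODEF namespace, and the PORTLIST syntax (comma-separated entries, each a port or an inclusive lo-hi range) is an assumption of the example, since the page only says "a list of port numbers".

```python
import xml.etree.ElementTree as ET

SYSTEM_CATEGORIES = {"source", "target", "intermediate", "sensor", "infrastructure", "ext-value"}
SPOOFED_VALUES = {"unknown", "yes", "no"}


def expand_portlist(text):
    """Expand a PORTLIST value into the list of ports it names.
    Assumed syntax: comma-separated entries, each a port or an inclusive range lo-hi."""
    ports = []
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        lo, sep, hi = item.partition("-")
        lo_n = int(lo)
        hi_n = int(hi) if sep else lo_n
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError("bad port entry %r" % item)
        ports.extend(range(lo_n, hi_n + 1))
    return ports


def service_ports(service):
    """Ports a Service names: Port gives one, Portlist gives several, neither gives None."""
    port = service.find("Port")
    if port is not None:
        return [int((port.text or "").strip())]
    portlist = service.find("Portlist")
    if portlist is not None:
        return expand_portlist(portlist.text or "")
    return None


def check_system(system, idx):
    """Apply the System, Node and Service rules from the page to one System element."""
    findings = []
    category = system.get("category")
    if category not in SYSTEM_CATEGORIES:
        findings.append("System[%d]: category %r is not a defined value" % (idx, category))
    elif category == "ext-value" and not system.get("ext-category"):
        findings.append("System[%d]: ext-value requires ext-category" % idx)
    if system.get("spoofed", "unknown") not in SPOOFED_VALUES:        # default is "unknown"
        findings.append("System[%d]: spoofed must be unknown, yes or no" % idx)
    node = system.find("Node")
    if node is None:
        findings.append("System[%d]: exactly one Node is required" % idx)
    elif node.find("NodeName") is None and node.find("Address") is None:
        findings.append("System[%d]: Node needs a NodeName or at least one Address" % idx)
    for service in system.findall("Service"):
        if service.get("ip_protocol") is None:
            findings.append("System[%d]: Service is missing required ip_protocol" % idx)
        try:
            ports = service_ports(service)
        except ValueError as exc:
            findings.append("System[%d]: %s" % (idx, exc))
            continue
        if ports is None:
            findings.append("System[%d]: Service must carry a Port or a Portlist" % idx)
    return findings


def check_flow(xml_text):
    """Return a list of rule violations for a Flow element; an empty list means it is consistent."""
    systems = ET.fromstring(xml_text).findall("System")
    findings = [] if systems else ["Flow: at least one System is required"]
    portlists = {"source": [], "target": []}
    for idx, system in enumerate(systems):
        findings.extend(check_system(system, idx))
        for service in system.findall("Service"):
            portlist = service.find("Portlist")
            if portlist is not None and system.get("category") in portlists:
                try:
                    portlists[system.get("category")].append(expand_portlist(portlist.text or ""))
                except ValueError:
                    pass                                   # already reported by check_system
    for src in portlists["source"]:                        # symmetry rule: n source ports <-> n target ports
        for dst in portlists["target"]:
            if len(src) != len(dst):
                findings.append("Flow: source lists %d ports but target lists %d; "
                                "the n-th source port must pair with the n-th target port"
                                % (len(src), len(dst)))
    return findings


# Constructed sample: a sensor System with an unidentified Node and an empty Service,
# plus a 3-port source Portlist against a 2-port target Portlist.
FLOW_BAD = """<Flow>
  <System category="source" spoofed="unknown">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip_protocol="6"><Portlist>40001,40002,40003</Portlist></Service>
  </System>
  <System category="target">
    <Node><NodeName>www.example.net</NodeName></Node>
    <Service ip_protocol="6"><Portlist>80,443</Portlist></Service>
  </System>
  <System category="sensor">
    <Node><Location>rack 12</Location></Node>
    <Service ip_protocol="17"/>
  </System>
</Flow>"""

# Constructed sample that satisfies every rule: 40001-40002 pairs with 80,443.
FLOW_OK = """<Flow>
  <System category="source">
    <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
    <Service ip_protocol="6"><Portlist>40001-40002</Portlist></Service>
  </System>
  <System category="target">
    <Node><NodeName>www.example.net</NodeName><Address>198.51.100.7</Address></Node>
    <Service ip_protocol="6"><Portlist>80,443</Portlist></Service>
  </System>
</Flow>"""

if __name__ == "__main__":
    for finding in check_flow(FLOW_BAD):
        print(finding)
```

The symmetry check matters beyond tidiness: a consumer that correlates the document with its own flow logs will pair ports positionally, so a mismatched list silently attributes activity to the wrong target port. Running the check before acting on a received document, and rejecting documents that fail it, keeps that error out of the incident record.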

h4. The Service class has one attribute:

* ip_protocol

> Required.  INTEGER.  The IANA protocol number.

h2. The Application Class

The Application class describes an application running on a System providing a Service.

h4. The aggregate class that constitutes Application is:

* URL

> Zero or one.  URL.  A URL describing the application.

h4. The Application class has seven attributes:

* swid

> Optional.  STRING.  An identifier that can be used to reference this software.

* configid

> Optional.  STRING.  An identifier that can be used to reference a particular configuration of this software.

* vendor

> Optional.  STRING.  Vendor name of the software.

* family

> Optional.  STRING.  Family of the software.

* name

> Optional.  STRING.  Name of the software.

* version

> Optional.  STRING.  Version of the software.

* patch

> Optional.  STRING.  Patch or service pack level of the software.

h2. OperatingSystem Class

The OperatingSystem class describes the operating system running on a System.  The definition is identical to the [[IODEF_EventData_Zoom#Application-Class|Application class]].