h1. IODEF Flow Zoom

[[IODEF Incident Zoom|Incident]]

* [[IODEF Contact Zoom|Contact]]

* [[IODEF Method Zoom|Method]]

* [[IODEF Assessment Zoom|Assessment]]

* [[IODEF EventData Zoom|EventData]]

** *Flow*

* [[IODEF History Zoom|History]]

----

!/attachments/download/57/flow.svg!

----

h2. The Flow Class

The Flow class groups related the source and target hosts.

h4. The aggregate class that constitutes Flow is:

* System

> One or More.  A host or network involved in an event.

h4. The Flow System class has no attributes.

h2. The System Class

The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute.  The value of this category attribute dictates the semantics of the aggregated classes in the System class.  If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating.  With a category attribute value of "target" or "intermediary", then the machine or service is the one targeted in the activity.  A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.

h4. The aggregate classes that constitute System are:

* Node

> One. A host or network involved in the incident.

* Service

> Zero or more.  A network service running on the system.

* OperatingSystem

> Zero or one.  The operating system running on the system.

* Counter

> Zero or more.  A counter with which to summarize properties of this host or network.

* Description

> Zero or more.  ML_STRING.  A free-form text description of the System.

* AdditionalData

> Zero or many.  A mechanism by which to extend the data model.

h4. The System class has five attributes:

* restriction

> Optional.  ENUM.  This attribute has been defined in [[IODEF_Incident_Zoom#Incident-Class| Incident Class]]

* category

> Required.  ENUM.  Classifies the role the host or network played in the incident.  The possible values are:

>|_.Rank        |_.Keyword          |_.Description|

> |    1 | source  | The System was the source of the event.         |

> |    2 | target  | The System was the target of the event.         |

> |    3 | intermediate  | The System was an intermediary in the event.         |

> |    4 | sensor  | The System was a sensor monitoring the event.         |

> |    5 | infrastructure  | The System was an infrastructure node of IODEF document exchange.|

> |    6 | ext-value  | An escape value used to extend this attribute.         |

* ext-category

> Optional.  STRING.  A means by which to extend the category attribute.

* interface

> Optional.  STRING.  Specifies the interface on which the event(s) on this System originated.  If the Node class specifies a network rather than a host, this attribute has no meaning.

* spoofed

> Optional.  ENUM.  An indication of confidence in whether this System was the true target or attacking host.  The permitted values for this attribute are shown below.  The default value is "unknown".

>|_.Rank        |_.Keyword          |_.Description|

> |    1 | unknown  | The accuracy of the category attribute value is unknown.         |

> |    2 | yes  |The category attribute value is probably incorrect.  In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.         |

> |    3 | no  | The category attribute value is believed to be correct.         |

h2. The Node Class

The Node class names a system (e.g., PC, router) or network. This class was derived from the [[IDMEFDiag| IDMEF]].

h4. The aggregate classes that constitute Node are:

* NodeName

> Zero or more.  ML_STRING.  The name of the Node (e.g., fully qualified domain name).  This information MUST be provided if no Address information is given.

* Address

> Zero or more.  The hardware, network, or application address of

      the Node.  If a NodeName is not provided, at least one Address

      MUST be specified.

* Location

> Zero or one.  ML_STRING.  A free-from description of the physical location of the equipment.

* DateTime

> Zero or one.  A timestamp of when the resolution between the name and address was performed.  This information SHOULD be provided if both an Address and NodeName are specified.

* NodeRole

> Zero or more.  The intended purpose of the Node.

* Counter

> Zero or more.  A counter with which to summarizes properties of this host or network.

h2. The Address Class

The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address.

This class was derived from the [[IDMEFDiag| IDMEF]].

h4. The Address class has four attributes:

* category

> Required.  ENUM.  The type of address represented.  The permitted values for this attribute are shown below.  The default value is "ipv4-addr".

>|_.Rank        |_.Keyword          |_.Description|

> |    1 | asn  | Autonomous System Number         |

> |    2 | atm  | Asynchronous Transfer Mode (ATM) address         |

> |    3 | e-mail  | Electronic mail address (RFC 822)         |

> |    4 | ipv4-addr  | IPv4 host address in dotted-decimal notation (a.b.c.d)         |

> |    5 | ipv4-net  | IPv4 network address in dotted-decimal notation, slash, significant bits (a.b.c.d/nn         |

> |    6 | ipv4-net-mask  | IPv4 network address in dotted-decimal notation, slash, network mask in dotted-decimal notation (a.b.c.d/w.x.y.z)         |

> |    7 | ipv6-addr  | IPv6 host address        |

> |    8 | ipv6-net  | IPv6 network address, slash, significant bits        |

> |    9 | ipv6-net-mask  | IPv6 network address, slash, network mask         |

> |    10 | mac  | Media Access Control (MAC) address         |

> |    11 | ext-value  | An escape value used to extend this attribute.         |

* ext-category

> Optional.  STRING.  A means by which to extend the category attribute.

* vlan-name

> Optional.  STRING.  The name of the Virtual LAN to which the address belongs.

* vlan-num

> Optional.  STRING.  The number of the Virtual LAN to which the address belongs.

h2. NodeRole Class

The NodeRole class describes the intended function performed by a particular host.

h4. The NodeRole class has three attributes:

* category

> Required.  ENUM.  Functionality provided by a node.

>|_.Rank        |_.Keyword          |_.Description|

> |    1 | client  | Client computer         |

> |    2 | server-internal  | Server with internal services         |

> |    3 | server-public  | Server with public services)         |

> |    4 | www  | WWW server         |

> |    5 | mail  | Mail server         |

> |    6 | messaging  | Messaging server (e.g., NNTP, IRC, IM)         |

> |    7 | streaming  | Streaming-media server        |

> |    8 | voice  | Voice server (e.g., SIP, H.323)       |

> |    9 | file  | File server (e.g., SMB, CVS, AFS)         |

> |    10 | ftp  | FTP server         |

> |    11 | p2p  | Peer-to-peer node         |

> |    12 | name  | Name server (e.g., DNS, WINS)         |

> |    13 | directory  | Directory server (e.g., LDAP, finger, whois)         |

> |    14 | credential  | Credential server (e.g., domain controller, Kerberos)         |

> |    15 | print  | Print server         |

> |    16 | application  | Application server         |

> |    17 | database  | Database server         |

> |    18 | infra  | Infrastructure server (e.g., router, firewall, DHCP)         |

> |    19 | log  | Logserver (e.g., syslog)        |

> |    20 | ext-value  | An escape value used to extend this attribute.         |

* ext-category

> Optional.  STRING.  A means by which to extend the category attribute.

* lang

> Required.  ENUM.  A valid language code per "RFC 4646":https://tools.ietf.org/rfc/rfc4646.txt constrained by the definition of "xs:language". 

h2. The Service Class

The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port.

When Service occurs as an aggregate class of a System that is a source, then this service is the one from which activity of interest is originating.  Conversely, when Service occurs as an aggregate class of a System that is a target, then that service is the one to which activity of interest is directed.

This class was derived from the [[IDMEFDiag| IDMEF]].

h4. The aggregate classes that constitute Service are:

* Port

> Zero or one.  INTEGER.  A port number.

* Portlist

> Zero or one.  PORTLIST.  A list of port numbers.

* ProtoCode

> Zero or one.  INTEGER.  A layer-4 protocol-specific code field (e.g., ICMP code field).

* ProtoType

> Zero or one.  INTEGER.  A layer-4 protocol specific type field (e.g., ICMP type field).

* ProtoFlags

> Zero or one.  INTEGER.  A layer-4 protocol specific flag field (e.g., TCP flag field).

* Application

> Zero or more.  The application bound to the specified Port or Portlist.

Either a Port or Portlist class MUST be specified for a given instance of a Service class.

For a given source, System@type="source", a corresponding target, System@type="target", maybe defined, or vice versa.  When a Portlist class is defined in the Service class of both the source and target in a given instance of the Flow class, there MUST be symmetry in the enumeration of the ports. Thus, if n-ports are listed for a source, n-ports should be listed for the target. Likewise, the ports should be listed in an identical sequence such that the n-th port in the source corresponds to the n-th port of the target.  This symmetry in listing and sequencing of ports applies whether there are 1-to-1, 1-to-many, or many-to-many sources-to-targets.  In the 1-to-many or many-to-many, the exact order in which the System classes are enumerated in the Flow class is significant.

h4. The Service class has one attribute:

* ip_protocol

> Required.  INTEGER.  The IANA protocol number.

h2. The Application Class

The Application class describes an application running on a System providing a Service.

h4. The aggregate class that constitutes Application is:

* URL

> Zero or one.  URL.  A URL describing the application.

h4. The Application class has seven attributes:

* swid

> Optional.  STRING.  An identifier that can be used to reference this software.

* configid

> Optional.  STRING.  An identifier that can be used to reference a particular configuration of this software.

* vendor

> Optional.  STRING.  Vendor name of the software.

* family

> Optional.  STRING.  Family of the software.

* name

>Optional.  STRING.  Name of the software.

* version

> Optional.  STRING.  Version of the software.

* patch

> Optional.  STRING.  Patch or service pack level of the software.

h2. OperatingSystem Class

The OperatingSystem class describes the operating system running on a System.  The definition is identical to the [[IODEF_EventData_Zoom#Application-Class|Application class]].