Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 4765

The Intrusion Detection Message Exchange Format (IDMEF)

Pages: 157
Experimental
Part 6 of 6 – Pages 134 to 157
First   Prev   None

Top   ToC   RFC4765 - Page 134   prevText

Appendix A. Acknowledgements

The following individuals contributed substantially to this document and should be recognized for their efforts. This document would not exist without their help: Dominique Alessandri, IBM Corporation Spencer Allain, Teknowledge Corporation James L. Burden, California Independent Systems Operator Marc Dacier, IBM Corporation Oliver Dain, MIT Lincoln Laboratory Nicolas Delon, Prelude Hybrid IDS project David J. Donahoo, AFIWC Michael Erlinger, Harvey Mudd College Reinhard Handwerker, Internet Security Systems, Inc. Ming-Yuh Huang, The Boeing Company Glenn Mansfield, Cyber Solutions, Inc. Joe McAlerney, Silicon Defense Cynthia McLain, MIT Lincoln Laboratory Paul Osterwald, Intrusion.com Jean-Philippe Pouzol James Riordan, IBM Corporation Paul Sangree, Cisco Systems Stephane Schitter, IBM Corporation Michael J. Slifcak, Trusted Network Technologies, Inc. Steven R. Snapp, CyberSafe Corporation Stuart Staniford-Chen, Silicon Defense Michael Steiner, University of Saarland Maureen Stillman, Nokia IP Telephony Vimal Vaidya, AXENT Yoann Vandoorselaere, Prelude Hybrid IDS project Andy Walther, Harvey Mudd College Andreas Wespi, IBM Corporation John C. C. White, MITRE Eric D. Williams, Information Brokers, Inc. S. Felix Wu, University of California Davis
Top   ToC   RFC4765 - Page 135

Appendix B. The IDMEF Schema Definition (Non-normative)

<?xml version="1.0"?> <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:idmef="http://iana.org/idmef" targetNamespace="http://iana.org/idmef" elementFormDefault="qualified" > <xsd:annotation> <xsd:documentation> Intrusion Detection Message Exchange Format (IDMEF) Version 1.0 </xsd:documentation> </xsd:annotation> <!-- Section 1 --> <!-- Omitted. This section did namespace magic and is not needed with XSD validation. --> <!-- Section 2 --> <!-- Values for the Action.category attribute. --> <xsd:simpleType name="action-category"> <xsd:restriction base="xsd:token"> <xsd:enumeration value="block-installed" /> <xsd:enumeration value="notification-sent" /> <xsd:enumeration value="taken-offline" /> <xsd:enumeration value="other" /> </xsd:restriction> </xsd:simpleType> <!-- Values for the Address.category attribute. --> <xsd:simpleType name="address-category"> <xsd:restriction base="xsd:token"> <xsd:enumeration value="unknown" /> <xsd:enumeration value="atm" /> <xsd:enumeration value="e-mail" /> <xsd:enumeration value="lotus-notes" /> <xsd:enumeration value="mac" /> <xsd:enumeration value="sna" /> <xsd:enumeration value="vm" /> <xsd:enumeration value="ipv4-addr" /> <xsd:enumeration value="ipv4-addr-hex" /> <xsd:enumeration value="ipv4-net" /> <xsd:enumeration value="ipv4-net-mask" />
Top   ToC   RFC4765 - Page 136
         <xsd:enumeration value="ipv6-addr"     />
         <xsd:enumeration value="ipv6-addr-hex" />
         <xsd:enumeration value="ipv6-net"      />
         <xsd:enumeration value="ipv6-net-mask" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the Impact.severity attribute.
      -->
     <xsd:simpleType name="impact-severity">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="info" />
         <xsd:enumeration value="low" />
         <xsd:enumeration value="medium" />
         <xsd:enumeration value="high" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
       Values for the Impact.completion attribute.
      -->
     <xsd:simpleType name="impact-completion">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="failed" />
         <xsd:enumeration value="succeeded" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the Impact.type attribute.
      -->
     <xsd:simpleType name="impact-type">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="admin" />
         <xsd:enumeration value="dos"   />
         <xsd:enumeration value="file"  />
         <xsd:enumeration value="recon" />
         <xsd:enumeration value="user"  />
         <xsd:enumeration value="other" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
       Values for the File.category attribute.
      -->
     <xsd:simpleType name="file-category">
       <xsd:restriction base="xsd:token">
Top   ToC   RFC4765 - Page 137
         <xsd:enumeration value="current"  />
         <xsd:enumeration value="original" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
       Values for the FileAccess.Permissions attribute
     -->
     <xsd:simpleType name="file-permission">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="noAccess"/>
         <xsd:enumeration value="read"/>
         <xsd:enumeration value="write"/>
         <xsd:enumeration value="execute"/>
         <xsd:enumeration value="search" />
         <xsd:enumeration value="delete" />
         <xsd:enumeration value="executeAs" />
         <xsd:enumeration value="changePermissions" />
         <xsd:enumeration value="takeOwnership" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
       Values for the Id.type attribute.
      -->
     <xsd:simpleType name="id-type">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="current-user"  />
         <xsd:enumeration value="original-user" />
         <xsd:enumeration value="target-user"   />
         <xsd:enumeration value="user-privs"    />
         <xsd:enumeration value="current-group" />
         <xsd:enumeration value="group-privs"   />
         <xsd:enumeration value="other-privs"   />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the Linkage.category attribute.
      -->
     <xsd:simpleType name="linkage-category">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="hard-link"     />
         <xsd:enumeration value="mount-point"   />
         <xsd:enumeration value="reparse-point" />
         <xsd:enumeration value="shortcut"      />
         <xsd:enumeration value="stream"        />
         <xsd:enumeration value="symbolic-link" />
Top   ToC   RFC4765 - Page 138
       </xsd:restriction>
     </xsd:simpleType>

     <!--
       | Values for the Checksum.algorithm attribute
     -->
     <xsd:simpleType name="checksum-algorithm">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="MD4" />
         <xsd:enumeration value="MD5" />
         <xsd:enumeration value="SHA1" />
         <xsd:enumeration value="SHA2-256" />
         <xsd:enumeration value="SHA2-384" />
         <xsd:enumeration value="SHA2-512" />
         <xsd:enumeration value="CRC-32" />
         <xsd:enumeration value="Haval" />
         <xsd:enumeration value="Tiger" />
         <xsd:enumeration value="Gost" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the Node.category attribute.
      -->
     <xsd:simpleType name="node-category">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="unknown"  />
         <xsd:enumeration value="ads"      />
         <xsd:enumeration value="afs"      />
         <xsd:enumeration value="coda"     />
         <xsd:enumeration value="dfs"      />
         <xsd:enumeration value="dns"      />
         <xsd:enumeration value="hosts"    />
         <xsd:enumeration value="kerberos" />
         <xsd:enumeration value="nds"      />
         <xsd:enumeration value="nis"      />
         <xsd:enumeration value="nisplus"  />
         <xsd:enumeration value="nt"       />
         <xsd:enumeration value="wfw"      />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the reference.origin attribute.
      -->
     <xsd:simpleType name="reference-origin">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="unknown" />
Top   ToC   RFC4765 - Page 139
         <xsd:enumeration value="vendor-specific" />
         <xsd:enumeration value="user-specific" />
         <xsd:enumeration value="bugtraqid" />
         <xsd:enumeration value="cve" />
         <xsd:enumeration value="osvdb" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the Confidence.rating attribute.
      -->
     <xsd:simpleType name="confidence-rating">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="low"    />
         <xsd:enumeration value="medium" />
         <xsd:enumeration value="high"   />
         <xsd:enumeration value="numeric" />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
      | Values for the User.category attribute.
      -->
     <xsd:simpleType name="user-category">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="unknown"     />
         <xsd:enumeration value="application" />
         <xsd:enumeration value="os-device"   />
       </xsd:restriction>
     </xsd:simpleType>

     <!--
     / Values for the additionaldata.type attribute.
     -->
     <xsd:simpleType name="additionaldata-type">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="boolean"     />
         <xsd:enumeration value="byte"        />
         <xsd:enumeration value="character"   />
         <xsd:enumeration value="date-time"   />
         <xsd:enumeration value="integer"     />
         <xsd:enumeration value="ntpstamp"    />
         <xsd:enumeration value="portlist"    />
         <xsd:enumeration value="real"        />
         <xsd:enumeration value="string"      />
         <xsd:enumeration value="byte-string" />
         <xsd:enumeration value="xml"         />
       </xsd:restriction>
Top   ToC   RFC4765 - Page 140
     </xsd:simpleType>


     <!--
      | Values for yes/no attributes such as Source.spoofed and
      | Target.decoy.
      -->
     <xsd:simpleType name="yes-no-type">
       <xsd:restriction base="xsd:token">
         <xsd:enumeration value="unknown" />
         <xsd:enumeration value="yes"     />
         <xsd:enumeration value="no"      />
       </xsd:restriction>
     </xsd:simpleType>

     <xsd:simpleType name="port-range">
       <xsd:restriction base="xsd:string">
         <xsd:pattern value="[0-9]{1,5}(\-[0-9]{1,5})?"/>
       </xsd:restriction>
     </xsd:simpleType>

     <xsd:simpleType name="port-list">
       <xsd:list itemType="idmef:port-range" />
     </xsd:simpleType>

     <xsd:simpleType name="ntpstamp">
       <xsd:restriction base="xsd:string">
         <xsd:pattern value="0x[A-Fa-f0-9]{8}.0x[A-Fa-f0-9]{8}"/>
       </xsd:restriction>
     </xsd:simpleType>

     <xsd:simpleType name="mime-type">
       <xsd:restriction base="xsd:string">
       </xsd:restriction>
     </xsd:simpleType>


     <!-- Section 3: Top-level element declarations.  The IDMEF-Message
          element and the types of messages it can include. -->

     <xsd:complexType name="IDMEF-Message" >
       <xsd:choice minOccurs="1" maxOccurs="unbounded">
         <xsd:element ref="idmef:Alert"     />
         <xsd:element ref="idmef:Heartbeat" />
       </xsd:choice>
       <xsd:attribute name="version" type="xsd:decimal"
                      fixed="1.0" />
     </xsd:complexType>
Top   ToC   RFC4765 - Page 141
     <xsd:element name="IDMEF-Message" type="idmef:IDMEF-Message" />

     <xsd:complexType name="Alert">
       <xsd:sequence>
         <xsd:element name="Analyzer"
                      type="idmef:Analyzer" />
         <xsd:element name="CreateTime"
                      type="idmef:TimeWithNtpstamp" />
         <xsd:element name="DetectTime"
                      type="idmef:TimeWithNtpstamp"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="AnalyzerTime"
                      type="idmef:TimeWithNtpstamp"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Source"
                      type="idmef:Source"
                      minOccurs="0"
                      maxOccurs="unbounded" />
         <xsd:element name="Target"
                      type="idmef:Target"
                      minOccurs="0"
                      maxOccurs="unbounded" />
         <xsd:element name="Classification"
                      type="idmef:Classification" />
         <xsd:element name="Assessment"
                      type="idmef:Assessment"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:choice minOccurs="0" maxOccurs="1">
           <xsd:element name="ToolAlert"
                        type="idmef:ToolAlert" />
           <xsd:element name="OverflowAlert"
                        type="idmef:OverflowAlert" />
           <xsd:element name="CorrelationAlert"
                        type="idmef:CorrelationAlert" />
         </xsd:choice>
         <xsd:element name="AdditionalData"
                      type="idmef:AdditionalData"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="messageid"
                      type="xsd:string"
                      default="0" />
     </xsd:complexType>
Top   ToC   RFC4765 - Page 142
     <xsd:element name="Alert" type="idmef:Alert" />

     <xsd:complexType name="Heartbeat">
       <xsd:sequence>
         <xsd:element name="Analyzer" type="idmef:Analyzer" />
         <xsd:element name="CreateTime"
                      type="idmef:TimeWithNtpstamp" />
         <xsd:element name="HeartbeatInterval"
                      type="xsd:integer"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="AnalyzerTime"
                      type="idmef:TimeWithNtpstamp"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="AdditionalData"
                      type="idmef:AdditionalData"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="messageid"
                      type="xsd:string"
                      default="0" />
     </xsd:complexType>

     <xsd:element name="Heartbeat"
                  type="idmef:Heartbeat" />

     <!-- Section 4: Subclasses of the Alert class that provide
          more data for specific types of alerts. -->

     <xsd:complexType name="CorrelationAlert">
       <xsd:sequence>
         <xsd:element name="name"
                      type="xsd:string" />
         <xsd:element name="alertident"
                      type="idmef:Alertident"
                      minOccurs="1"
                      maxOccurs="unbounded" />
       </xsd:sequence>
     </xsd:complexType>

     <xsd:complexType name="OverflowAlert">
       <xsd:sequence>
         <xsd:element name="program"
                      type="xsd:string" />
         <xsd:element name="size"
                      type="xsd:string" />
Top   ToC   RFC4765 - Page 143
         <xsd:element name="buffer"
                      type="xsd:hexBinary" />
       </xsd:sequence>
     </xsd:complexType>

     <xsd:complexType name="ToolAlert">
       <xsd:sequence>
         <xsd:element name="name"
                      type="xsd:string" />
         <xsd:element name="command"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="alertident"
                      type="idmef:Alertident"
                      minOccurs="1"
                      maxOccurs="unbounded" />
       </xsd:sequence>
     </xsd:complexType>

     <!-- Section 5: The AdditionalData element.  This element allows an
          alert to include additional information that cannot be encoded
          elsewhere in the data model. -->

     <xsd:complexType name="AdditionalData">
       <xsd:choice>
         <xsd:element name="boolean"
                      type="xsd:boolean" />
         <xsd:element name="byte"
                      type="xsd:byte" />
         <xsd:element name="character">
           <xsd:simpleType>
             <xsd:restriction base="xsd:string">
               <xsd:minLength value="1"/>
               <xsd:maxLength value="1"/>
             </xsd:restriction>
           </xsd:simpleType>
         </xsd:element>
         <xsd:element name="date-time"
                      type="xsd:dateTime" />
         <xsd:element name="integer"
                      type="xsd:integer" />
         <xsd:element name="ntpstamp"
                      type="idmef:ntpstamp" />
         <xsd:element name="portlist"
                      type="idmef:port-list" />
         <xsd:element name="real"
                      type="xsd:decimal" />
Top   ToC   RFC4765 - Page 144
         <xsd:element name="string"
                      type="xsd:string" />
         <xsd:element name="byte-string"
                      type="xsd:hexBinary" />
         <xsd:element name="xml"
                      type="idmef:xmltext" />
       </xsd:choice>
       <xsd:attribute name="type"
                      type="idmef:additionaldata-type" />
       <xsd:attribute name="meaning"
                      type="xsd:string" />
     </xsd:complexType>

     <!-- Section 6: Elements related to identifying entities -
          analyzers (the senders of these messages), sources (of
          attacks), and targets (of attacks). -->

     <xsd:complexType name="Analyzer">
       <xsd:sequence>
         <xsd:element name="Node"
                      type="idmef:Node"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Process"
                      type="idmef:Process"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Analyzer"
                      type="idmef:Analyzer"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
       <xsd:attribute name="analyzerid"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="name"
                      type="xsd:string" />
       <xsd:attribute name="manufacturer"
                      type="xsd:string" />
       <xsd:attribute name="model"
                      type="xsd:string" />
       <xsd:attribute name="version"
                      type="xsd:string" />
       <xsd:attribute name="class"
                      type="xsd:string" />
       <xsd:attribute name="ostype"
                      type="xsd:string" />
       <xsd:attribute name="osversion"
Top   ToC   RFC4765 - Page 145
                      type="xsd:string" />
     </xsd:complexType>

     <xsd:complexType name="Source">
       <xsd:sequence>
         <xsd:element name="Node"
                      type="idmef:Node"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="User"
                      type="idmef:User"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Process"
                      type="idmef:Process"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Service"
                      type="idmef:Service"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="spoofed"
                      type="idmef:yes-no-type"
                      default="unknown" />
       <xsd:attribute name="interface"
                      type="xsd:string" />
     </xsd:complexType>

     <xsd:complexType name="Target">
       <xsd:sequence>
         <xsd:element name="Node"
                      type="idmef:Node"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="User"
                      type="idmef:User"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Process"
                      type="idmef:Process"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Service"
                      type="idmef:Service"
Top   ToC   RFC4765 - Page 146
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="File"
                      type="idmef:File"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="decoy"
                      type="idmef:yes-no-type"
                      default="unknown" />
       <xsd:attribute name="interface"
                      type="xsd:string" />
     </xsd:complexType>

     <!-- Section 7: Support elements used for providing detailed info
          about entities - addresses, names, etc. -->

     <xsd:complexType name="Address">
       <xsd:sequence>
         <xsd:element name="address"
                      type="xsd:string" />
         <xsd:element name="netmask"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="category"
                      type="idmef:address-category"
                      default="unknown" />
       <xsd:attribute name="vlan-name"
                      type="xsd:string" />
       <xsd:attribute name="vlan-num"
                      type="xsd:string" />
     </xsd:complexType>

     <xsd:complexType name="Assessment">
       <xsd:sequence>
         <xsd:element name="Impact"
                      type="idmef:Impact"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Action"
Top   ToC   RFC4765 - Page 147
                      type="idmef:Action"
                      minOccurs="0"
                      maxOccurs="unbounded" />
         <xsd:element name="Confidence"
                      type="idmef:Confidence"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
     </xsd:complexType>
     <xsd:complexType name="Reference">
       <xsd:sequence>
         <xsd:element name="name"
                      type="xsd:string" />
         <xsd:element name="url"
                      type="xsd:string" />
       </xsd:sequence>
       <xsd:attribute name="origin"
                      type="idmef:reference-origin"
                      default="unknown" />
       <xsd:attribute name="meaning"
                      type="xsd:string" />
     </xsd:complexType>

     <xsd:complexType name="Classification">
       <xsd:sequence>
         <xsd:element name="Reference"
                      type="idmef:Reference"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="text"
                      type="xsd:string"
                      use="required" />
     </xsd:complexType>

     <xsd:complexType name="File">
       <xsd:sequence>
         <xsd:element name="name"
                      type="xsd:string" />
         <xsd:element name="path"
                      type="xsd:string" />
         <xsd:element name="create-time"
                      type="xsd:dateTime"
                      minOccurs="0"
                      maxOccurs="1" />
Top   ToC   RFC4765 - Page 148
         <xsd:element name="modify-time"
                      type="xsd:dateTime"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="access-time"
                      type="xsd:dateTime"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="data-size"
                      type="xsd:integer"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="disk-size"
                      type="xsd:integer"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="FileAccess"
                      type="idmef:FileAccess"
                      minOccurs="0"
                      maxOccurs="unbounded" />
         <xsd:element name="Linkage"
                      type="idmef:Linkage"
                      minOccurs="0"
                      maxOccurs="unbounded" />
         <xsd:element name="Inode"
                      type="idmef:Inode"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="Checksum"
                      type="idmef:Checksum"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="category"
                      type="idmef:file-category"
                      use="required" />
       <xsd:attribute name="fstype"
                      type="xsd:string"
                      use="required" />
       <xsd:attribute name="file-type"
                      type="idmef:mime-type" />
     </xsd:complexType>

     <xsd:complexType name="Permission">
       <xsd:attribute name="perms"
Top   ToC   RFC4765 - Page 149
                      type="idmef:file-permission"
                      use="required" />
     </xsd:complexType>

     <xsd:complexType name="FileAccess">
       <xsd:sequence>
         <xsd:element name="UserId"
                      type="idmef:UserId" />
         <xsd:element name="permission"
                      type="idmef:Permission"
                      minOccurs="1"
                      maxOccurs="unbounded" />
       </xsd:sequence>
     </xsd:complexType>

     <xsd:complexType name="Inode">
       <xsd:sequence>
         <xsd:element name="change-time"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:sequence minOccurs="0" maxOccurs="1">
           <xsd:element name="number"
                        type="xsd:string" />
           <xsd:element name="major-device"
                        type="xsd:string" />
           <xsd:element name="minor-device"
                        type="xsd:string" />
         </xsd:sequence>
         <xsd:sequence minOccurs="0" maxOccurs="1">
           <xsd:element name="c-major-device"
                        type="xsd:string" />
           <xsd:element name="c-minor-device"
                        type="xsd:string" />
         </xsd:sequence>
       </xsd:sequence>
     </xsd:complexType>

     <xsd:complexType name="Linkage">
       <xsd:choice>
         <xsd:sequence>
           <xsd:element name="name" type="xsd:string" />
           <xsd:element name="path" type="xsd:string" />
         </xsd:sequence>
         <xsd:element name="File" type="idmef:File" />
       </xsd:choice>
       <xsd:attribute name="category"
                      type="idmef:linkage-category"
Top   ToC   RFC4765 - Page 150
                      use="required" />
     </xsd:complexType>

     <xsd:complexType name="Checksum">
       <xsd:sequence>
         <xsd:element name="value"
                      type="xsd:string" />
         <xsd:element name="key"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
       <xsd:attribute name="algorithm"
                      type="idmef:checksum-algorithm"
                      use="required" />
     </xsd:complexType>

     <xsd:complexType name="Node">
       <xsd:sequence>
         <xsd:element name="location"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:choice>
           <xsd:element name="name"
                        type="xsd:string" />
           <xsd:element name="Address"
                        type="idmef:Address" />
         </xsd:choice>
         <xsd:element name="Address"
                      type="idmef:Address"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="category"
                      type="idmef:node-category"
                      default="unknown" />
     </xsd:complexType>

     <xsd:complexType name="Process">
       <xsd:sequence>
         <xsd:element name="name"
                      type="xsd:string" />
         <xsd:element name="pid"
                      type="xsd:integer"
Top   ToC   RFC4765 - Page 151
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="path"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="arg"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="unbounded" />
         <xsd:element name="env"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
     </xsd:complexType>

     <xsd:complexType name="Service">
       <xsd:sequence>
         <xsd:choice>
           <xsd:sequence>
             <xsd:element name="name"
                          type="xsd:string" />
             <xsd:element name="port"
                          type="xsd:integer"
                          minOccurs="0"
                          maxOccurs="1" />
           </xsd:sequence>
           <xsd:sequence>
             <xsd:element name="port"
                          type="xsd:integer" />
             <xsd:element name="name"
                          type="xsd:string"
                          minOccurs="0"
                          maxOccurs="1" />
           </xsd:sequence>
           <xsd:element name="portlist"
                        type="idmef:port-list" />
         </xsd:choice>
         <xsd:element name="protocol"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="SNMPService"
                      type="idmef:SNMPService"
Top   ToC   RFC4765 - Page 152
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="WebService"
                      type="idmef:WebService"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="ip_version"
                      type="xsd:integer" />
       <xsd:attribute name="iana_protocol_number"
                      type="xsd:integer" />
       <xsd:attribute name="iana_protocol_name"
                      type="xsd:string" />
     </xsd:complexType>

     <xsd:complexType name="WebService">
       <xsd:sequence>
         <xsd:element name="url"
                      type="xsd:anyURI" />
         <xsd:element name="cgi"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="http-method"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="arg"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="unbounded" />
       </xsd:sequence>
     </xsd:complexType>

     <xsd:complexType name="SNMPService">
       <xsd:sequence>
         <xsd:element name="oid"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="messageProcessingModel"
                      type="xsd:integer"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="securityModel"
Top   ToC   RFC4765 - Page 153
                      type="xsd:integer"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="securityName"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="securityLevel"
                      type="xsd:integer"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="contextName"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="contextEngineID"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
         <xsd:element name="command"
                      type="xsd:string"
                      minOccurs="0"
                      maxOccurs="1" />
       </xsd:sequence>
     </xsd:complexType>

     <xsd:complexType name="User">
       <xsd:sequence>
         <xsd:element name="UserId"
                      type="idmef:UserId"
                      minOccurs="1"
                      maxOccurs="unbounded" />
       </xsd:sequence>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="category"
                      type="idmef:user-category"
                      default="unknown" />
     </xsd:complexType>

     <xsd:complexType name="UserId" >
       <xsd:choice>
         <xsd:sequence>
           <xsd:element name="name"
                        type="xsd:string" />
           <xsd:element name="number"
                        type="xsd:integer"
Top   ToC   RFC4765 - Page 154
                        minOccurs="0"
                        maxOccurs="1" />
         </xsd:sequence>
         <xsd:sequence>
           <xsd:element name="number"
                        type="xsd:integer" />
           <xsd:element name="name"
                        type="xsd:string"
                        minOccurs="0"
                        maxOccurs="1" />
         </xsd:sequence>
       </xsd:choice>
       <xsd:attribute name="ident"
                      type="xsd:string"
                      default="0" />
       <xsd:attribute name="type"
                      type="idmef:id-type"
                      default="original-user" />
       <xsd:attribute name="tty"
                      type="xsd:string" />
     </xsd:complexType>

     <!-- Section 8: Simple elements with sub-elements or attributes
          of a special nature. -->

     <xsd:complexType name="Action">
       <xsd:simpleContent>
         <xsd:extension base="xsd:string" >
           <xsd:attribute name="category"
                          type="idmef:action-category"
                          default="other" />
         </xsd:extension>
       </xsd:simpleContent>
     </xsd:complexType>

     <xsd:complexType name="Confidence">
       <xsd:simpleContent>
         <xsd:extension base="xsd:string" >
           <xsd:attribute name="rating"
                          type="idmef:confidence-rating"
                          use="required" />
         </xsd:extension>
       </xsd:simpleContent>
     </xsd:complexType>

     <xsd:complexType name="TimeWithNtpstamp">
       <xsd:simpleContent>
         <xsd:extension base="xsd:dateTime">
Top   ToC   RFC4765 - Page 155
           <xsd:attribute name="ntpstamp"
                          type="idmef:ntpstamp"
                          use="required"/>
         </xsd:extension>
       </xsd:simpleContent>
     </xsd:complexType>

     <xsd:complexType name="Impact">
       <xsd:simpleContent>
         <xsd:extension base="xsd:string" >
           <xsd:attribute name="severity"
                          type="idmef:impact-severity" />
           <xsd:attribute name="completion"
                          type="idmef:impact-completion" />
           <xsd:attribute name="type" type="idmef:impact-type"
                          default="other" />
         </xsd:extension>
       </xsd:simpleContent>
     </xsd:complexType>

     <xsd:complexType name="Alertident">
       <xsd:simpleContent>
         <xsd:extension base="xsd:string" >
           <xsd:attribute name="analyzerid"
                          type="xsd:string" />
         </xsd:extension>
       </xsd:simpleContent>
     </xsd:complexType>

     <xsd:complexType name="xmltext">
       <xsd:complexContent mixed="true">
         <xsd:restriction base="xsd:anyType">
           <xsd:sequence>
             <xsd:any namespace="##other"
                      processContents="lax"
                      minOccurs="0"
                      maxOccurs="unbounded" />
           </xsd:sequence>
         </xsd:restriction>
       </xsd:complexContent>
     </xsd:complexType>

   </xsd:schema>
Top   ToC   RFC4765 - Page 156

Authors' Addresses

Herve Debar France Telecom R & D 42 Rue des Coutures Caen 14000 FR Phone: +33 2 31 75 92 61 EMail: herve.debar@orange-ftgroup.com URI: http://www.francetelecom.fr/ David A. Curry Guardian Life Insurance Company of America 7 Hanover Square, 24th Floor New York, NY 10004 US Phone: +1 212 919-3086 EMail: david_a_curry@glic.com URI: http://www.glic.com/ Benjamin S. Feinstein SecureWorks, Inc. PO Box 95007 Atlanta, GA 30347 US Phone: +1 404 327-6339 Email: bfeinstein@acm.org URI: http://www.secureworks.com/
Top   ToC   RFC4765 - Page 157
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.