tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 5070

 
 
 

The Incident Object Description Exchange Format

Part 2 of 4, p. 18 to 42
Prev RFC Part       Next RFC Part

 


prevText      Top      Up      ToC       Page 18 
3.7.  Contact Class

   The Contact class describes contact information for organizations and
   personnel involved in the incident.  This class allows for the naming
   of the involved party, specifying contact information for them, and
   identifying their role in the incident.

   People and organizations are treated interchangeably as contacts; one
   can be associated with the other using the recursive definition of
   the class (the Contact class is aggregated into the Contact class).
   The 'type' attribute disambiguates the type of contact information
   being provided.

   The inheriting definition of Contact provides a way to relate
   information without requiring the explicit use of identifiers in the
   classes or duplication of data.  A complete point of contact is
   derived by a particular traversal from the root Contact class to the
   leaf Contact class.  As such, multiple points of contact might be
   specified in a single instance of a Contact class.  Each child
   Contact class logically inherits contact information from its
   ancestors.

Top      Up      ToC       Page 19 
   +------------------+
   | Contact          |
   +------------------+
   | ENUM role        |<>--{0..1}--[ ContactName    ]
   | STRING ext-role  |<>--{0..*}--[ Description    ]
   | ENUM type        |<>--{0..*}--[ RegistryHandle ]
   | STRING ext-type  |<>--{0..1}--[ PostalAddress  ]
   | ENUM restriction |<>--{0..*}--[ Email          ]
   |                  |<>--{0..*}--[ Telephone      ]
   |                  |<>--{0..1}--[ Fax            ]
   |                  |<>--{0..1}--[ Timezone       ]
   |                  |<>--{0..*}--[ Contact        ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                        Figure 7: The Contact Class

   The aggregate classes that constitute the Contact class are:

   ContactName
      Zero or one.  ML_STRING.  The name of the contact.  The contact
      may either be an organization or a person.  The type attribute
      disambiguates the semantics.

   Description
      Zero or many.  ML_STRING.  A free-form description of this
      contact.  In the case of a person, this is often the
      organizational title of the individual.

   RegistryHandle
      Zero or many.  A handle name into the registry of the contact.

   PostalAddress
      Zero or one.  The postal address of the contact.

   Email
      Zero or many.  The email address of the contact.

   Telephone
      Zero or many.  The telephone number of the contact.

   Fax
      Zero or one.  The facsimile telephone number of the contact.

   Timezone
      Zero or one.  TIMEZONE.  The timezone in which the contact resides
      formatted according to Section 2.9.

Top      Up      ToC       Page 20 
   Contact
      Zero or many.  A Contact instance contained within another Contact
      instance inherits the values of the parent(s).  This recursive
      definition can be used to group common data pertaining to multiple
      points of contact and is especially useful when listing multiple
      contacts at the same organization.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the Contact class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The Contact class has five attributes:

   role
      Required.  ENUM.  Indicates the role the contact fulfills.  This
      attribute is defined as an enumerated list:

      1.  creator.  The entity that generate the document.

      2.  admin.  An administrative contact for a host or network.

      3.  tech.  A technical contact for a host or network.

      4.  irt.  The CSIRT involved in handling the incident.

      5.  cc.  An entity that is to be kept informed about the handling
          of the incident.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-role
      Optional.  STRING.  A means by which to extend the role attribute.
      See Section 5.1.

   type
      Required.  ENUM.  Indicates the type of contact being described.
      This attribute is defined as an enumerated list:

      1.  person.  The information for this contact references an
          individual.

      2.  organization.  The information for this contact references an
          organization.

Top      Up      ToC       Page 21 
      3.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.7.1.  RegistryHandle Class

   The RegistryHandle class represents a handle into an Internet
   registry or community-specific database.  The handle is specified in
   the element content and the type attribute specifies the database.

   +---------------------+
   | RegistryHandle      |
   +---------------------+
   | STRING              |
   |                     |
   | ENUM registry       |
   | STRING ext-registry |
   +---------------------+

                    Figure 8: The RegistryHandle Class

   The RegistryHandle class has two attributes:

   registry
      Required.  ENUM.  The database to which the handle belongs.  The
      default value is 'local'.  The possible values are:

      1.  internic.  Internet Network Information Center

      2.  apnic.  Asia Pacific Network Information Center

      3.  arin.  American Registry for Internet Numbers

      4.  lacnic.  Latin-American and Caribbean IP Address Registry

      5.  ripe.  Reseaux IP Europeens

      6.  afrinic.  African Internet Numbers Registry

      7.  local.  A database local to the CSIRT

Top      Up      ToC       Page 22 
      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-registry
      Optional.  STRING.  A means by which to extend the registry
      attribute.  See Section 5.1.

3.7.2.  PostalAddress Class

   The PostalAddress class specifies a postal address formatted
   according to the POSTAL data type (Section 2.11).

   +---------------------+
   | PostalAddress       |
   +---------------------+
   | POSTAL              |
   |                     |
   | ENUM meaning        |
   | ENUM lang           |
   +---------------------+

                     Figure 9: The PostalAddress Class

   The PostalAddress class has two attributes:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

   lang
      Required.  ENUM.  A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

3.7.3.  Email Class

   The Email class specifies an email address formatted according to
   EMAIL data type (Section 2.14).

   +--------------+
   | Email        |
   +--------------+
   | EMAIL        |
   |              |
   | ENUM meaning |
   +--------------+

                        Figure 10: The Email Class

Top      Up      ToC       Page 23 
   The Email class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content.

3.7.4.  Telephone and Fax Classes

   The Telephone and Fax classes specify a voice or fax telephone number
   respectively, and are formatted according to PHONE data type
   (Section 2.13).

   +--------------------+
   | {Telephone | Fax } |
   +--------------------+
   | PHONE              |
   |                    |
   | ENUM meaning       |
   +--------------------+

                 Figure 11: The Telephone and Fax Classes

   The Telephone class has one attribute:

   meaning
      Optional.  ENUM.  A free-form description of the element content
      (e.g., hours of coverage for a given number).

3.8.  Time Classes

   The data model uses five different classes to represent a timestamp.
   Their definition is identical, but each has a distinct name to convey
   a difference in semantics.

   The element content of each class is a timestamp formatted according
   to the DATETIME data type (see Section 2.8).

   +----------------------------------+
   | {Start| End| Report| Detect}Time |
   +----------------------------------+
   | DATETIME                         |
   +----------------------------------+

                        Figure 12: The Time Classes

Top      Up      ToC       Page 24 
3.8.1.  StartTime

   The StartTime class represents the time the incident began.

3.8.2.  EndTime

   The EndTime class represents the time the incident ended.

3.8.3.  DetectTime

   The DetectTime class represents the time the first activity of the
   incident was detected.

3.8.4.  ReportTime

   The ReportTime class represents the time the incident was reported.
   This timestamp SHOULD coincide to the time at which the IODEF
   document is generated.

3.8.5.  DateTime

   The DateTime class is a generic representation of a timestamp.  Its
   semantics should be inferred from the parent class in which it is
   aggregated.

3.9.  Method Class

   The Method class describes the methodology used by the intruder to
   perpetrate the events of the incident.  This class consists of a list
   of references describing the attack method and a free form
   description of the technique.

   +------------------+
   | Method           |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Reference      ]
   |                  |<>--{0..*}--[ Description    ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                        Figure 13: The Method Class

   The Method class is composed of three aggregate classes.

   Reference
      Zero or many.  A reference to a vulnerability, malware sample,
      advisory, or analysis of an attack technique.

Top      Up      ToC       Page 25 
   Description
      Zero or many.  ML_STRING.  A free-form text description of the
      methodology used by the intruder.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   Either an instance of the Reference or Description class MUST be
   present.

   The Method class has one attribute:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.9.1.  Reference Class

   The Reference class is a reference to a vulnerability, IDS alert,
   malware sample, advisory, or attack technique.  A reference consists
   of a name, a URL to this reference, and an optional description.

   +------------------+
   | Reference        |
   +------------------+
   |                  |<>----------[ ReferenceName ]
   |                  |<>--{0..*}--[ URL           ]
   |                  |<>--{0..*}--[ Description   ]
   +------------------+

                      Figure 14: The Reference Class

   The aggregate classes that constitute Reference:

   ReferenceName
      One. ML_STRING.  Name of the reference.

   URL
      Zero or many.  URL.  A URL associated with the reference.

   Description
      Zero or many.  ML_STRING.  A free-form text description of this
      reference.

3.10.  Assessment Class

   The Assessment class describes the technical and non-technical
   repercussions of the incident on the CSIRT's constituency.

Top      Up      ToC       Page 26 
   This class was derived from the IDMEF[17].

    +------------------+
    | Assessment       |
    +------------------+
    | ENUM occurrence  |<>--{0..*}--[ Impact         ]
    | ENUM restriction |<>--{0..*}--[ TimeImpact     ]
    |                  |<>--{0..*}--[ MonetaryImpact ]
    |                  |<>--{0..*}--[ Counter        ]
    |                  |<>--{0..1}--[ Confidence     ]
    |                  |<>--{0..*}--[ AdditionalData ]
    +------------------+

                        Figure 15: Assessment Class

   The aggregate classes that constitute Assessment are:

   Impact
      Zero or many.  Technical impact of the incident on a network.

   TimeImpact
      Zero or many.  Impact of the activity measured with respect to
      time.

   MonetaryImpact
      Zero or many.  Impact of the activity measured with respect to
      financial loss.

   Counter
      Zero or more.  A counter with which to summarize the magnitude of
      the activity.

   Confidence
      Zero or one.  An estimate of confidence in the assessment.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   A least one instance of the possible three impact classes (i.e.,
   Impact, TimeImpact, or MonetaryImpact) MUST be present.

   The Assessment class has two attributes:

   occurrence
      Optional.  ENUM.  Specifies whether the assessment is describing
      actual or potential outcomes.  The default is "actual" and is
      assumed if not specified.

Top      Up      ToC       Page 27 
      1.  actual.  This assessment describes activity that has occurred.

      2.  potential.  This assessment describes potential activity that
          might occur.

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.10.1.  Impact Class

   The Impact class allows for categorizing and describing the technical
   impact of the incident on the network of an organization.

   This class is based on the IDMEF [17].

   +------------------+
   | Impact           |
   +------------------+
   | ML_STRING        |
   |                  |
   | ENUM lang        |
   | ENUM severity    |
   | ENUM completion  |
   | ENUM type        |
   | STRING ext-type  |
   +------------------+

                          Figure 16: Impact Class

   The element content will be a free-form textual description of the
   impact.

   The Impact class has five attributes:

   lang
      Required.  ENUM.  A valid language code per RFC 4646 [7]
      constrained by the definition of "xs:language".  The
      interpretation of this code is described in Section 6.

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

Top      Up      ToC       Page 28 
      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   completion
      Optional.  ENUM.  An indication whether the described activity was
      successful.  The permitted values are shown below.  There is no
      default value.

      1.  failed.  The attempted activity was not successful.

      2.  succeeded.  The attempted activity succeeded.

   type
      Required.  ENUM.  Classifies the malicious activity into incident
      categories.  The permitted values are shown below.  The default
      value is "other".

      1.   admin.  Administrative privileges were attempted.

      2.   dos.  A denial of service was attempted.

      3.   file.  An action that impacts the integrity of a file or
           database was attempted.

      4.   info-leak.  An attempt was made to exfiltrate information.

      5.   misconfiguration.  An attempt was made to exploit a mis-
           configuration in a system.

      6.   policy.  Activity violating site's policy was attempted.

      7.   recon.  Reconnaissance activity was attempted.

      8.   social-engineering.  A social engineering attack was
           attempted.

      9.   user.  User privileges were attempted.

      10.  unknown.  The classification of this activity is unknown.

      11.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

Top      Up      ToC       Page 29 
   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.

3.10.2.  TimeImpact Class

   The TimeImpact class describes the impact of the incident on an
   organization as a function of time.  It provides a way to convey down
   time and recovery time.

         +---------------------+
         | TimeImpact          |
         +---------------------+
         | REAL                |
         |                     |
         | ENUM severity       |
         | ENUM metric         |
         | STRING ext-metric   |
         | ENUM duration       |
         | STRING ext-duration |
         +---------------------+

                        Figure 17: TimeImpact Class

   The element content is a positive, floating point (REAL) number
   specifying a unit of time.  The duration and metric attributes will
   imply the semantics of the element content.

   The TimeImpact class has five attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   metric
      Required.  ENUM.  Defines the metric in which the time is
      expressed.  The permitted values are shown below.  There is no
      default value.

Top      Up      ToC       Page 30 
      1.  labor.  Total staff-time to recovery from the activity (e.g.,
          2 employees working 4 hours each would be 8 hours).

      2.  elapsed.  Elapsed time from the beginning of the recovery to
          its completion (i.e., wall-clock time).

      3.  downtime.  Duration of time for which some provided service(s)
          was not available.

      4.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-metric
      Optional.  STRING.  A means by which to extend the metric
      attribute.  See Section 5.1.

   duration
      Required.  ENUM.  Defines a unit of time, that when combined with
      the metric attribute, fully describes a metric of impact that will
      be conveyed in the element content.  The permitted values are
      shown below.  The default value is "hour".

      1.  second.  The unit of the element content is seconds.

      2.  minute.  The unit of the element content is minutes.

      3.  hour.  The unit of the element content is hours.

      4.  day.  The unit of the element content is days.

      5.  month.  The unit of the element content is months.

      6.  quarter.  The unit of the element content is quarters.

      7.  year.  The unit of the element content is years.

      8.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.

3.10.3.  MonetaryImpact Class

   The MonetaryImpact class describes the financial impact of the
   activity on an organization.  For example, this impact may consider
   losses due to the cost of the investigation or recovery, diminished

Top      Up      ToC       Page 31 
   productivity of the staff, or a tarnished reputation that will affect
   future opportunities.

         +------------------+
         | MonetaryImpact   |
         +------------------+
         | REAL             |
         |                  |
         | ENUM severity    |
         | STRING currency  |
         +------------------+

                      Figure 18: MonetaryImpact Class

   The element content is a positive, floating point number (REAL)
   specifying a unit of currency described in the currency attribute.

   The MonetaryImpact class has two attributes:

   severity
      Optional.  ENUM.  An estimate of the relative severity of the
      activity.  The permitted values are shown below.  There is no
      default value.

      1.  low.  Low severity

      2.  medium.  Medium severity

      3.  high.  High severity

   currency
      Required.  STRING.  Defines the currency in which the monetary
      impact is expressed.  The permitted values are defined in ISO
      4217:2001, Codes for the representation of currencies and funds
      [14].  There is no default value.

3.10.4.  Confidence Class

   The Confidence class represents a best estimate of the validity and
   accuracy of the described impact (see Section 3.10) of the incident
   activity.  This estimate can be expressed as a category or a numeric
   calculation.

   This class if based upon the IDMEF [17]).

Top      Up      ToC       Page 32 
         +------------------+
         | Confidence       |
         +------------------+
         | REAL             |
         |                  |
         | ENUM rating      |
         +------------------+

                        Figure 19: Confidence Class

   The element content expresses a numerical assessment in the
   confidence of the data when the value of the rating attribute is
   "numeric".  Otherwise, this element should be empty.

   The Confidence class has one attribute.

   rating
      Required.  ENUM.  A rating of the analytical validity of the
      specified Assessment.  The permitted values are shown below.
      There is no default value.

      1.  low.  Low confidence in the validity.

      2.  medium.  Medium confidence in the validity.

      3.  high.  High confidence in the validity.

      4.  numeric.  The element content contains a number that conveys
          the confidence of the data.  The semantics of this number
          outside the scope of this specification.

3.11.  History Class

   The History class is a log of the significant events or actions
   performed by the involved parties during the course of handling the
   incident.

   The level of detail maintained in this log is left up to the
   discretion of those handling the incident.

   +------------------+
   | History          |
   +------------------+
   | ENUM restriction |<>--{1..*}--[ HistoryItem ]
   |                  |
   +------------------+

Top      Up      ToC       Page 33 
                       Figure 20: The History Class

   The class that constitutes History is:

   HistoryItem
      One or many.  Entry in the history log of significant events or
      actions performed by the involved parties.

   The History class has one attribute:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.11.1.  HistoryItem Class

   The HistoryItem class is an entry in the History (Section 3.11) log
   that documents a particular action or event that occurred in the
   course of handling the incident.  The details of the entry are a
   free-form description, but each can be categorized with the type
   attribute.

   +-------------------+
   | HistoryItem       |
   +-------------------+
   | ENUM restriction  |<>----------[ DateTime       ]
   | ENUM action       |<>--{0..1}--[ IncidentId     ]
   | STRING ext-action |<>--{0..1}--[ Contact        ]
   |                   |<>--{0..*}--[ Description    ]
   |                   |<>--{0..*}--[ AdditionalData ]
   +-------------------+

                       Figure 21: HistoryItem Class

   The aggregate classes that constitute HistoryItem are:

   DateTime
      One. Timestamp of this entry in the history log (e.g., when the
      action described in the Description was taken).

   IncidentID
      Zero or One. In a history log created by multiple parties, the
      IncidentID provides a mechanism to specify which CSIRT created a
      particular entry and references this organization's incident
      tracking number.  When a single organization is maintaining the
      log, this class can be ignored.

Top      Up      ToC       Page 34 
   Contact
      Zero or One. Provides contact information for the person that
      performed the action documented in this class.

   Description
      Zero or many.  ML_STRING.  A free-form textual description of the
      action or event.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   The HistoryItem class has three attributes:

   restriction
      Optional.  ENUM.  This attribute has been defined in Section 3.2.

   action
      Required.  ENUM.  Classifies a performed action or occurrence
      documented in this history log entry.  As activity will likely
      have been instigated either through a previously conveyed
      expectation or internal investigation, this attribute is identical
      to the category attribute of the Expectation class.  The
      difference is only one of tense.  When an action is in this class,
      it has been completed.  See Section 3.13.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.

3.12.  EventData Class

   The EventData class describes a particular event of the incident for
   a given set of hosts or networks.  This description includes the
   systems from which the activity originated and those targeted, an
   assessment of the techniques used by the intruder, the impact of the
   activity on the organization, and any forensic evidence discovered.

Top      Up      ToC       Page 35 
   +------------------+
   | EventData        |
   +------------------+
   | ENUM restriction |<>--{0..*}--[ Description    ]
   |                  |<>--{0..1}--[ DetectTime     ]
   |                  |<>--{0..1}--[ StartTime      ]
   |                  |<>--{0..1}--[ EndTime        ]
   |                  |<>--{0..*}--[ Contact        ]
   |                  |<>--{0..1}--[ Assessment     ]
   |                  |<>--{0..*}--[ Method         ]
   |                  |<>--{0..*}--[ Flow           ]
   |                  |<>--{0..*}--[ Expectation    ]
   |                  |<>--{0..1}--[ Record         ]
   |                  |<>--{0..*}--[ EventData      ]
   |                  |<>--{0..*}--[ AdditionalData ]
   +------------------+

                      Figure 22: The EventData Class

   The aggregate classes that constitute EventData are:

   Description
      Zero or more.  ML_STRING.  A free-form textual description of the
      event.

   DetectTime
      Zero or one.  The time the event was detected.

   StartTime
      Zero or one.  The time the event started.

   EndTime
      Zero or one.  The time the event ended.

   Contact
      Zero or more.  Contact information for the parties involved in the
      event.

   Assessment
      Zero or one.  The impact of the event on the target and the
      actions taken.

   Method
      Zero or more.  The technique used by the intruder in the event.

Top      Up      ToC       Page 36 
   Flow
      Zero or more.  A description of the systems or networks involved.

   Expectation
      Zero or more.  The expected action to be performed by the
      recipient for the described event.

   Record
      Zero or one.  Supportive data (e.g., log files) that provides
      additional information about the event.

   EventData
      Zero or more.  EventData instances contained within another
      EventData instance inherit the values of the parent(s); this
      recursive definition can be used to group common data pertaining
      to multiple events.  When EventData elements are defined
      recursively, only the leaf instances (those EventData instances
      not containing other EventData instances) represent actual events.

   AdditionalData
      Zero or more.  An extension mechanism for data not explicitly
      represented in the data model.

   At least one of the aggregate classes MUST be present in an instance
   of the EventData class.  This is not enforced in the IODEF schema as
   there is no simple way to accomplish it.

   The EventData class has one attribute:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

3.12.1.  Relating the Incident and EventData Classes

   There is substantial overlap in the Incident and EventData classes.
   Nevertheless, the semantics of these classes are quite different.
   The Incident class provides summary information about the entire
   incident, while the EventData class provides information about the
   individual events comprising the incident.  In the most common case,
   the EventData class will provide more specific information for the
   general description provided in the Incident class.  However, it may
   also be possible that the overall summarized information about the
   incident conflicts with some individual information in an EventData
   class when there is a substantial composition of various events in
   the incident.  In such a case, the interpretation of the more
   specific EventData MUST supersede the more generic information
   provided in IncidentData.

Top      Up      ToC       Page 37 
3.12.2.  Cardinality of EventData

   The EventData class can be thought of as a container for the
   properties of an event in an incident.  These properties include: the
   hosts involved, impact of the incident activity on the hosts,
   forensic logs, etc.  With an instance of the EventData class, hosts
   (i.e., System class) are grouped around these common properties.

   The recursive definition (or instance property inheritance) of the
   EventData class (the EventData class is aggregated into the EventData
   class) provides a way to related information without requiring the
   explicit use of unique attribute identifiers in the classes or
   duplicating information.  Instead, the relative depth (nesting) of a
   class is used to group (relate) information.

   For example, an EventData class might be used to describe two
   machines involved in an incident.  This description can be achieved
   using multiple instances of the Flow class.  It happens that there is
   a common technical contact (i.e., Contact class) for these two
   machines, but the impact (i.e., Assessment class) on them is
   different.  A depiction of the representation for this situation can
   be found in Figure 23.

   +------------------+
   | EventData        |
   +------------------+
   |                  |<>----[ Contact    ]
   |                  |
   |                  |<>----[ EventData  ]<>----[ Flow     ]
   |                  |      [            ]<>----[ Assessment ]
   |                  |
   |                  |<>----[ EventData  ]<>----[ Flow     ]
   |                  |      [            ]<>----[ Assessment ]
   +------------------+

                Figure 23: Recursion in the EventData Class

3.13.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting.  The scope of the requested
   action is limited to purview of the EventData class in which this
   class is aggregated.

Top      Up      ToC       Page 38 
   +-------------------+
   | Expectation       |
   +-------------------+
   | ENUM restriction  |<>--{0..*}--[ Description ]
   | ENUM severity     |<>--{0..1}--[ StartTime   ]
   | ENUM action       |<>--{0..1}--[ EndTime     ]
   | STRING ext-action |<>--{0..1}--[ Contact     ]
   +-------------------+

                     Figure 24: The Expectation Class

   The aggregate classes that constitute Expectation are:

   Description
      Zero or many.  ML_STRING.  A free-form description of the desired
      action(s).

   StartTime
      Zero or one.  The time at which the action should be performed.  A
      timestamp that is earlier than the ReportTime specified in the
      Incident class denotes that the expectation should be fulfilled as
      soon as possible.  The absence of this element leaves the
      execution of the expectation to the discretion of the recipient.

   EndTime
      Zero or one.  The time by which the action should be completed.
      If the action is not carried out by this time, it should no longer
      be performed.

   Contact
      Zero or one.  The expected actor for the action.

   The Expectations class has four attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

Top      Up      ToC       Page 39 
   action
      Optional.  ENUM.  Classifies the type of action requested.  This
      attribute is an enumerated list with no default value.

      1.   nothing.  No action is requested.  Do nothing with the
           information.

      2.   contact-source-site.  Contact the site(s) identified as the
           source of the activity.

      3.   contact-target-site.  Contact the site(s) identified as the
           target of the activity.

      4.   contact-sender.  Contact the originator of the document.

      5.   investigate.  Investigate the systems(s) listed in the event.

      6.   block-host.  Block traffic from the machine(s) listed as
           sources the event.

      7.   block-network.  Block traffic from the network(s) lists as
           sources in the event.

      8.   block-port.  Block the port listed as sources in the event.

      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
           listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) lists as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  remediate-other.  Remediate the activity in a way other than
           by rate limiting or blocking.

      13.  status-triage.  Conveys receipts and the triaging of an
           incident.

      14.  status-new-info.  Conveys that new information was received
           for this incident.

      15.  other.  Perform some custom action described in the
           Description class.

      16.  ext-value.  An escape value used to extend this attribute.
           See Section 5.1.

Top      Up      ToC       Page 40 
   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.

3.14.  Flow Class

   The Flow class groups related the source and target hosts.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System   ]
   +------------------+

                         Figure 25: The Flow Class

   The aggregate class that constitutes Flow is:

   System
      One or More.  A host or network involved in an event.

   The Flow System class has no attributes.

3.15.  System Class

   The System class describes a system or network involved in an event.
   The systems or networks represented by this class are categorized
   according to the role they played in the incident through the
   category attribute.  The value of this category attribute dictates
   the semantics of the aggregated classes in the System class.  If the
   category attribute has a value of "source", then the aggregated
   classes denote the machine and service from which the activity is
   originating.  With a category attribute value of "target" or
   "intermediary", then the machine or service is the one targeted in
   the activity.  A value of "sensor" dictates that this System was part
   of an instrumentation to monitor the network.

Top      Up      ToC       Page 41 
   +---------------------+
   | System              |
   +---------------------+
   | ENUM restriction    |<>----------[ Node            ]
   | ENUM category       |<>--{0..*}--[ Service         ]
   | STRING ext-category |<>--{0..*}--[ OperatingSystem ]
   | STRING interface    |<>--{0..*}--[ Counter         ]
   | ENUM spoofed        |<>--{0..*}--[ Description     ]
   |                     |<>--{0..*}--[ AdditionalData  ]
   +---------------------+

                        Figure 26: The System Class

   The aggregate classes that constitute System are:

   Node
      One. A host or network involved in the incident.

   Service
      Zero or more.  A network service running on the system.

   OperatingSystem
      Zero or one.  The operating system running on the system.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or many.  A mechanism by which to extend the data model.

   The System class has five attributes:

   restriction
      Optional.  ENUM.  This attribute is defined in Section 3.2.

   category
      Required.  ENUM.  Classifies the role the host or network played
      in the incident.  The possible values are:

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

Top      Up      ToC       Page 42 
      3.  intermediate.  The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of
          IODEF document exchange.

      6.  ext-value.  An escape value used to extend this attribute.
          See Section 5.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is probably incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.



(page 42 continued on part 3)

Next RFC Part