RFC 7970

The Incident Object Description Exchange Format Version 2

Part 4 of 9, p. 60 to 81

prevText      Top      ToC       Page 60 
3.15.  Expectation Class

   The Expectation class conveys to the recipient of the IODEF document
   the actions the sender is requesting.

   +-------------------------+
   | Expectation             |
   +-------------------------+
   | ENUM action             |<>--{0..*}--[ Description ]
   | STRING ext-action       |<>--{0..*}--[ DefinedCOA  ]
   | ENUM severity           |<>--{0..1}--[ StartTime   ]
   | ENUM restriction        |<>--{0..1}--[ EndTime     ]
   | STRING ext-restriction  |<>--{0..1}--[ Contact     ]
   | ID observable-id        |
   +-------------------------+

                     Figure 31: The Expectation Class

   The aggregate classes of the Expectation class are:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      desired action(s).

   DefinedCOA
      Zero or more.  STRING.  A unique identifier meaningful to the
      sender and recipient of this document that references a course of
      action.  This class MUST be present if the action attribute is set
      to "defined-coa".

   StartTime
      Zero or one.  DATETIME.  The time at which the sender would like
      the action performed.  A timestamp that is earlier than the
      ReportTime specified in the Incident class denotes that the sender
      would like the action performed as soon as possible.  The absence
      of this element indicates no expectations of when the recipient
      would like the action performed.

   EndTime
      Zero or one.  DATETIME.  The time by which the sender expects the
      recipient to complete the action.  If the recipient cannot
      complete the action before EndTime, the recipient MUST NOT carry
      out the action.  Because of transit delays and clock drift, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one.  The entity expected to perform the action.  See
      Section 3.9.

   The attributes of the Expectation class are:

   action
      Optional.  ENUM.  Classifies the type of action requested.  The
      default value is "other".  These values are maintained in the
      "Expectation-action" IANA registry per Section 10.2.

      1.   nothing.  No action is requested.  Do nothing with the
           information.

      2.   contact-source-site.  Contact the site(s) identified as the
           source of the activity.

      3.   contact-target-site.  Contact the site(s) identified as the
           target of the activity.

      4.   contact-sender.  Contact the originator of the document.

      5.   investigate.  Investigate the system(s) listed in the event.

      6.   block-host.  Block traffic from the machine(s) listed as
           sources in the event.

      7.   block-network.  Block traffic from the network(s) listed as
           sources in the event.

      8.   block-port.  Block the port(s) listed as sources in the event.

      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
           listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) listed as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  redirect-traffic.  Redirect traffic from the intended
           recipient for further analysis.

      13.  honeypot.  Redirect traffic from systems listed in the event
           to a honeypot for further analysis.

      14.  upgrade-software.  Upgrade or patch the software or firmware
           on an asset listed in the event.

      15.  rebuild-asset.  Reinstall the operating system or
           applications on an asset listed in the event.

      16.  harden-asset.  Change the configuration of an asset listed in
           the event to reduce the attack surface.

      17.  remediate-other.  Remediate the activity in a way other than
           by rate-limiting or blocking.

      18.  status-triage.  Confirm receipt and begin triaging the
           incident.

      19.  status-new-info.  Notify the sender when new information is
           received for this incident.

      20.  watch-and-report.  Watch for the described activity or
           indicators, and notify the sender when seen.

      21.  training.  Train user to identify or mitigate the described
           threat.

      22.  defined-coa.  Perform a predefined course of action (COA).
           The COA is named in the DefinedCOA class.

      23.  other.  Perform a custom action described in the Description
           class.

      24.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.
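   An added example (not code from the RFC) of how a recipient can apply the rules of this section to an incoming Expectation: the "other" default for action, the DefinedCOA requirement for action="defined-coa", the "as soon as possible" meaning of a StartTime earlier than ReportTime, and the prohibition on acting after EndTime. It assumes the IODEF v2 namespace URI shown in the code and a constructed Incident fragment.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# IODEF v2 namespace URI (assumed here; the fragment below is constructed for the example).
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}

# The Expectation-action and severity enumerations of Section 3.15.
ACTIONS = {
    "nothing", "contact-source-site", "contact-target-site", "contact-sender",
    "investigate", "block-host", "block-network", "block-port",
    "rate-limit-host", "rate-limit-network", "rate-limit-port",
    "redirect-traffic", "honeypot", "upgrade-software", "rebuild-asset",
    "harden-asset", "remediate-other", "status-triage", "status-new-info",
    "watch-and-report", "training", "defined-coa", "other", "ext-value",
}
SEVERITIES = {"low", "medium", "high"}

# Constructed sample: one well-formed request and one that violates the DefinedCOA rule.
SAMPLE = """<Incident xmlns="urn:ietf:params:xml:ns:iodef-2.0" purpose="mitigation">
  <IncidentID name="csirt.example.com">EXAMPLE-1</IncidentID>
  <ReportTime>2024-05-01T12:00:00Z</ReportTime>
  <EventData>
    <Expectation action="block-host" severity="high">
      <Description>Block the listed source at the border router.</Description>
      <StartTime>2024-05-01T11:00:00Z</StartTime>
      <EndTime>2024-05-02T12:00:00Z</EndTime>
    </Expectation>
    <Expectation action="defined-coa"/>
  </EventData>
</Incident>"""


def parse_datetime(text):
    """IODEF DATETIME is an xs:dateTime; map a trailing 'Z' to an explicit UTC offset."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def utc(year, month, day, hour=0):
    """Build an aware UTC datetime to use as the recipient's notion of 'now'."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def check_expectation(elem, report_time, now):
    """Evaluate one Expectation element against the rules of Section 3.15.

    Returns the requested action, the constraint violations found, whether the
    sender wants the action done as soon as possible (StartTime earlier than
    ReportTime), and whether the recipient may still act on it (once EndTime
    has passed the action MUST NOT be carried out).
    """
    problems = []
    action = elem.get("action", "other")          # attribute default per the RFC
    if action not in ACTIONS:
        problems.append("unknown action %r" % action)
    if action == "ext-value" and not elem.get("ext-action"):
        problems.append("action=ext-value requires ext-action")
    coa = [c.text for c in elem.findall("iodef:DefinedCOA", NS)]
    if action == "defined-coa" and not coa:
        problems.append("action=defined-coa requires DefinedCOA")
    severity = elem.get("severity")
    if severity is not None and severity not in SEVERITIES:
        problems.append("unknown severity %r" % severity)

    start = elem.find("iodef:StartTime", NS)
    end = elem.find("iodef:EndTime", NS)
    asap = start is not None and parse_datetime(start.text) < report_time
    actionable = end is None or now < parse_datetime(end.text)
    return {"action": action, "problems": problems, "asap": asap,
            "actionable": actionable, "defined_coa": coa}


def evaluate_incident(xml_text, now):
    """Check every Expectation in an Incident; ReportTime comes from the Incident class."""
    root = ET.fromstring(xml_text)
    report_time = parse_datetime(root.find("iodef:ReportTime", NS).text)
    return [check_expectation(e, report_time, now)
            for e in root.iter("{%s}Expectation" % NS["iodef"])]


if __name__ == "__main__":
    for result in evaluate_incident(SAMPLE, utc(2024, 5, 1, 13)):
        print(result)
```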

3.16.  Flow Class

   The Flow class describes the systems and networks involved in the
   incident and the relationships between them.

   +------------------+
   | Flow             |
   +------------------+
   |                  |<>--{1..*}--[ System   ]
   +------------------+

                         Figure 32: The Flow Class

   The aggregate class of the Flow class is:

   System
      One or more.  A host or network involved in an event.  See
      Section 3.17.

   The Flow class has no attributes.

3.17.  System Class

   The System class describes a system or network involved in an event.

   +------------------------+
   | System                 |
   +------------------------+
   | ENUM category          |<>----------[ Node            ]
   | STRING ext-category    |<>--{0..*}--[ NodeRole        ]
   | STRING interface       |<>--{0..*}--[ Service         ]
   | ENUM spoofed           |<>--{0..*}--[ OperatingSystem ]
   | ENUM virtual           |<>--{0..*}--[ Counter         ]
   | ENUM ownership         |<>--{0..*}--[ AssetID         ]
   | STRING ext-ownership   |<>--{0..*}--[ Description     ]
   | ENUM restriction       |<>--{0..*}--[ AdditionalData  ]
   | STRING ext-restriction |
   | ID observable-id       |
   +------------------------+

                        Figure 33: The System Class

   The aggregate classes of the System class are:

   Node
      One.  A host or network involved in the incident.  See
      Section 3.18.

   NodeRole
      Zero or more.  The intended purpose of the system.  See
      Section 3.18.2.

   Service
      Zero or more.  A network service running on the system.  See
      Section 3.20.

   OperatingSystem
      Zero or more.  SOFTWARE.  The operating system running on the
      system.

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.  See Section 3.18.3.

   AssetID
      Zero or more.  STRING.  An asset identifier for the System.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The attributes of the System class are:

   category
      Optional.  ENUM.  Classifies the role the host or network played
      in the incident.  These values are maintained in the
      "System-category" IANA registry per Section 10.2.

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  intermediate.  The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of the
          IODEF document exchange.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.

      2.  yes.  The category attribute value is likely incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional.  ENUM.  Indicates whether this System is a virtual or
      physical device.  The default value is "unknown".

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

      3.  unknown.  It is not known if the System is virtual.

   ownership
      Optional.  ENUM.  Describes the ownership of this System relative
      to the victim in the incident.  These values are maintained in the
      "System-ownership" IANA registry per Section 10.2.

      1.  organization.  Corporate or enterprise owned.

      2.  personal.  Personally owned by an employee or affiliate of the
          corporation or enterprise.

      3.  partner.  Owned by a partner of the corporation or enterprise.

      4.  customer.  Owned by a customer of the corporation or
          enterprise.

      5.  no-relationship.  Owned by an entity that has no known
          relationship with the victim organization.

      6.  unknown.  Ownership is unknown.

      7.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-ownership
      Optional.  STRING.  A means by which to extend the ownership
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.18.  Node Class

   The Node class identifies a system, asset, or network and its
   location.

   +---------------+
   | Node          |
   +---------------+
   |               |<>--{0..*}--[ DomainData    ]
   |               |<>--{0..*}--[ Address       ]
   |               |<>--{0..1}--[ PostalAddress ]
   |               |<>--{0..*}--[ Location      ]
   |               |<>--{0..*}--[ Counter       ]
   +---------------+

                         Figure 34: The Node Class

   The aggregate classes of the Node class are:

   DomainData
      Zero or more.  The domain (DNS) information associated with this
      node.  If an Address is not provided, at least one DomainData MUST
      be specified.  See Section 3.19.

   Address
      Zero or more.  The hardware, network, or application address of
      the node.  If a DomainData is not provided, at least one Address
      MUST be specified.  See Section 3.18.1.

   PostalAddress
      Zero or one.  POSTAL.  The postal address of the node.

   Location
      Zero or more.  ML_STRING.  A free-form text description of the
      physical location of the node.  This description may provide a
      more detailed description of where at the address specified by the
      PostalAddress class this node is found (e.g., room number, rack
      number, or slot number in a chassis).

   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.  See Section 3.18.3.

   The Node class has no attributes.

3.18.1.  Address Class

   The Address class represents a hardware (Layer 2), network (Layer 3),
   or application (Layer 7) address.

   +-------------------------+
   | Address                 |
   +-------------------------+
   | STRING                  |
   |                         |
   | ENUM category           |
   | STRING ext-category     |
   | STRING vlan-name        |
   | INTEGER vlan-num        |
   | ID observable-id        |
   +-------------------------+

                       Figure 35: The Address Class

   The content of the class is an address of type STRING whose semantics
   are determined by the category attribute.

   The attributes of the Address class are:

   category
      Required.  ENUM.  The type of address represented.  The default
      value is "ipv6-addr".  These values are maintained in the
      "Address-category" IANA registry per Section 10.2.

      1.   asn.  Autonomous System Number.

      2.   atm.  Asynchronous Transfer Mode (ATM) address.

      3.   e-mail.  Email address, per the EMAIL data type.

      4.   ipv4-addr.  IPv4 host address in dotted-decimal notation
           (i.e., a.b.c.d).

      5.   ipv4-net.  IPv4 network address in dotted-decimal notation,
           slash, significant bits (i.e., a.b.c.d/nn).

      6.   ipv4-net-masked.  A sanitized IPv4 address with significant
           bits per "ipv4-net" but with the character 'x' replacing any
           digit(s) in the address or prefix.

      7.   ipv4-net-mask.  IPv4 network address in dotted-decimal
           notation, slash, network mask in dotted-decimal notation
           (i.e., a.b.c.d/w.x.y.z).

      8.   ipv6-addr.  IPv6 host address per Section 4 of [RFC5952].

      9.   ipv6-net.  IPv6 network address, slash, prefix per
           Section 2.3 of [RFC4291].

      10.  ipv6-net-masked.  A sanitized IPv6 address and prefix per
           "ipv6-net" but with the character 'x' replacing any
           hexadecimal digit(s) in the address or digit(s) in the
           prefix.

      11.  mac.  Media Access Control (MAC) address (i.e.,
           aa:bb:cc:dd:ee:ff).

      12.  site-uri.  A URL or URI for a resource, per the URL data
           type.

      13.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   vlan-name
      Optional.  STRING.  The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional.  INTEGER.  The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional.  ID.  See Section 3.3.2.
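   An added example (not part of the RFC) of validating Address element content against its category attribute, including the "ipv4-net-masked" and "ipv6-net-masked" sanitized forms, the dotted-mask form, and the RFC 5952 canonical check for "ipv6-addr". It assumes the "ipv6-addr" default the RFC gives the category attribute and uses Python's ipaddress module, which renders IPv6 in the RFC 5952 compact form; the EMAIL and URL checks are deliberately loose sketches.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Masked forms: 'x' may replace any digit (hex digit for IPv6) in the address
# and any digit in the prefix length.  At least one 'x' is required here,
# otherwise the value would simply be an ipv4-net / ipv6-net.
_IPV4_DOTTED = r"(?:[0-9x]{1,3}\.){3}[0-9x]{1,3}"
IPV4_MASKED_RE = re.compile(r"^%s/[0-9x]{1,2}$" % _IPV4_DOTTED)
IPV6_MASKED_RE = re.compile(r"^[0-9a-fA-Fx]{0,4}(?::[0-9a-fA-Fx]{0,4}){1,7}/[0-9x]{1,3}$")
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+$")   # sketch only; EMAIL is an RFC 5322 address


def _ipv4(s):
    try:
        return isinstance(ipaddress.ip_address(s), ipaddress.IPv4Address)
    except ValueError:
        return False


def _ipv4_net(s):
    """a.b.c.d/nn (host bits are not required to be zero here)."""
    addr, sep, prefix = s.partition("/")
    return bool(sep) and prefix.isdigit() and _ipv4(addr) and 0 <= int(prefix) <= 32


def _ipv4_net_mask(s):
    """a.b.c.d/w.x.y.z; ipaddress rejects a non-contiguous mask."""
    addr, sep, mask = s.partition("/")
    if not (sep and _ipv4(addr) and _ipv4(mask)):
        return False
    try:
        ipaddress.IPv4Network((addr, mask), strict=False)
        return True
    except ValueError:
        return False


def _ipv6_addr(s):
    """RFC 5952 Section 4 text: lowercase, leading zeros dropped, longest zero
    run compressed.  ipaddress produces exactly that, so a canonical address
    round-trips unchanged."""
    try:
        return str(ipaddress.IPv6Address(s)) == s
    except ValueError:
        return False


def _ipv6_net(s):
    """address/prefix-length per RFC 4291 Section 2.3."""
    addr, sep, prefix = s.partition("/")
    if not (sep and prefix.isdigit()):
        return False
    try:
        ipaddress.IPv6Network(s, strict=False)
        return True
    except ValueError:
        return False


VALIDATORS = {
    "asn": lambda s: s.isdigit() and int(s) <= 0xFFFFFFFF,
    "atm": lambda s: bool(s),                      # no syntax given in the RFC
    "e-mail": lambda s: bool(EMAIL_RE.match(s)),
    "ipv4-addr": _ipv4,
    "ipv4-net": _ipv4_net,
    "ipv4-net-masked": lambda s: "x" in s and bool(IPV4_MASKED_RE.match(s)),
    "ipv4-net-mask": _ipv4_net_mask,
    "ipv6-addr": _ipv6_addr,
    "ipv6-net": _ipv6_net,
    "ipv6-net-masked": lambda s: "x" in s and bool(IPV6_MASKED_RE.match(s)),
    "mac": lambda s: bool(MAC_RE.match(s)),
    "site-uri": lambda s: bool(urlsplit(s).scheme),
}


def validate_address(value, category="ipv6-addr", ext_category=None):
    """Validate one Address element's content against its category attribute.

    The category default is "ipv6-addr" as in Section 3.18.1.  For
    "ext-value" the only check is that ext-category carries the real value.
    """
    value = value.strip()
    if category == "ext-value":
        return bool(ext_category) and bool(value)
    check = VALIDATORS.get(category)
    return check is not None and bool(check(value))
```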

3.18.2.  NodeRole Class

   The NodeRole class describes the function performed by or role of a
   particular system, asset, or network.

   +-----------------------+
   | NodeRole              |
   +-----------------------+
   | ENUM category         |<>--{0..*}--[ Description ]
   | STRING ext-category   |
   +-----------------------+

                       Figure 36: The NodeRole Class

   The aggregate class of the NodeRole class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      role of the system.

   The attributes of the NodeRole class are:

   category
      Required.  ENUM.  Function or role of a node.  These values are
      maintained in the "NodeRole-category" IANA registry per
      Section 10.2.

      1.   client.  Client computer.

      2.   client-enterprise.  Client computer on the enterprise
           network.

      3.   client-partner.  Client computer on network of a partner.

      4.   client-remote.  Client computer remotely connected to the
           enterprise network.

      5.   client-kiosk.  Client computer serving as a kiosk.

      6.   client-mobile.  Mobile device.

      7.   server-internal.  Server with internal services.

      8.   server-public.  Server with public services.

      9.   www.  WWW server.

      10.  mail.  Mail server.

      11.  webmail.  Web mail server.

      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM).

      13.  streaming.  Streaming-media server.

      14.  voice.  Voice server (e.g., SIP, H.323).

      15.  file.  File server.

      16.  ftp.  FTP server.

      17.  p2p.  Peer-to-peer node.

      18.  name.  Name server (e.g., DNS, WINS).

      19.  directory.  Directory server (e.g., LDAP, finger, whois).

      20.  credential.  Credential server (e.g., domain controller,
           Kerberos).

      21.  print.  Print server.

      22.  application.  Application server.

      23.  database.  Database server.

      24.  backup.  Backup server.

      25.  dhcp.  DHCP server.

      26.  assessment.  Assessment server (e.g., vulnerability scanner,
           endpoint assessment).

      27.  source-control.  Source code control server.

      28.  config-management.  Configuration management server.

      29.  monitoring.  Security monitoring server (e.g., IDS).

      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP).

      31.  infra-firewall.  Firewall.

      32.  infra-router.  Router.

      33.  infra-switch.  Switch.

      34.  camera.  Camera and video system.

      35.  proxy.  Proxy server.

      36.  remote-access.  Remote access server.

      37.  log.  Log server (e.g., syslog).

      38.  virtualization.  Server running virtual machines.

      39.  pos.  Point-of-sale device.

      40.  scada.  Supervisory control and data acquisition (SCADA)
           system.

      41.  scada-supervisory.  Supervisory system for a SCADA.

      42.  sinkhole.  Traffic sinkhole destination.

      43.  honeypot.  Honeypot server.

      44.  anonymization.  Anonymization server (e.g., Tor node).

      45.  c2-server.  Malicious command and control server.

      46.  malware-distribution.  Server that distributes malware.

      47.  drop-server.  Server to which exfiltrated content is
           uploaded.

      48.  hop-point.  Intermediary server used to get to a victim.

      49.  reflector.  A system used in a reflector attack.

      50.  phishing-site.  Site hosting phishing content.

      51.  spear-phishing-site.  Site hosting spear-phishing content.

      52.  recruiting-site.  Site to recruit.

      53.  fraudulent-site.  Fraudulent site.

      54.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

3.18.3.  Counter Class

   The Counter class summarizes multiple occurrences of an event or
   conveys counts or rates of various features.

   The complete semantics of this class are context dependent based on
   the class in which it is aggregated.

   +---------------------+
   | Counter             |
   +---------------------+
   | REAL                |
   |                     |
   | ENUM type           |
   | STRING ext-type     |
   | ENUM unit           |
   | STRING ext-unit     |
   | STRING meaning      |
   | ENUM duration       |
   | STRING ext-duration |
   +---------------------+

                       Figure 37: The Counter Class

   The content of the class is a value of type REAL whose meaning and
   units are determined by the type and duration attributes,
   respectively.  If the duration attribute is present, the element
   content is a rate.  Otherwise, it is a simple counter.

   The attributes of the Counter class are:

   type
      Required.  ENUM.  Specifies the type of counter specified in the
      element content.  These values are maintained in the
      "Counter-type" IANA registry per Section 10.2.

      1.  count.  The Counter class value is a counter.

      2.  peak.  The Counter class value is a peak value.

      3.  average.  The Counter class value is an average.

      4.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   unit
      Required.  ENUM.  Specifies the units of the element content.
      These values are maintained in the "Counter-unit" IANA registry
      per Section 10.2.

      1.   byte.  Bytes transferred.

      2.   mbit.  Megabits (Mbits) transferred.

      3.   packet.  Packets.

      4.   flow.  Network flow records.

      5.   session.  Sessions.

      6.   alert.  Notifications generated by another system (e.g., IDS
           or SIEM system).

      7.   message.  Messages (e.g., mail messages).

      8.   event.  Events.

      9.   host.  Hosts.

      10.  site.  Site.

      11.  organization.  Organizations.

      12.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-unit
      Optional.  STRING.  A means by which to extend the unit attribute.
      See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form text description of the metric
      represented by the Counter.

   duration
      Optional.  ENUM.  If present, the Counter class represents a rate.
      This attribute specifies a unit of time over which the rate whose
      units are specified in the unit attribute is being conveyed.  This
      attribute is the denominator of the rate (where the unit attribute
      specifies the numerator).  The possible values of this attribute
      are defined in the duration attribute of Section 3.12.3.

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.19.  DomainData Class

   The DomainData class describes a domain name and metadata associated
   with this domain.

   +--------------------------+
   | DomainData               |
   +--------------------------+
   | ENUM system-status       |<>----------[ Name                 ]
   | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ]
   | ENUM domain-status       |<>--{0..1}--[ RegistrationDate     ]
   | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate       ]
   | ID observable-id         |<>--{0..*}--[ RelatedDNS           ]
   |                          |<>--{0..*}--[ Nameservers          ]
   |                          |<>--{0..1}--[ DomainContacts       ]
   +--------------------------+

                      Figure 38: The DomainData Class

   The aggregate classes of the DomainData class are:

   Name
      One.  STRING.  The domain name of a system.

   DateDomainWasChecked
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      the Name class was resolved.

   RegistrationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      the Name class was registered.

   ExpirationDate
      Zero or one.  DATETIME.  A timestamp of when the domain listed in
      the Name class is set to expire.

   RelatedDNS
      Zero or more.  EXTENSION.  Additional DNS records associated with
      this domain.

   Nameservers
      Zero or more.  The nameservers identified for the domain listed in
      the Name class.  See Section 3.19.1.

   DomainContacts
      Zero or one.  Contact information for the domain listed in the
      Name class supplied by the registrar or through a whois query.

   The attributes of the DomainData class are:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.
      These values are maintained in the "DomainData-system-status" IANA
      registry per Section 10.2.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at
      the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the
      "DomainData-domain-status" IANA registry per Section 10.2.

      1.   reservedDelegation.  The domain is permanently inactive.

      2.   assignedAndActive.  The domain is in a normal state.

      3.   assignedAndInactive.  The domain has an assigned
           registration, but the delegation is inactive.

      4.   assignedAndOnHold.  The domain is in dispute.

      5.   revoked.  The domain is in the process of being purged from
           the database.

      6.   transferPending.  The domain is pending a change in
           authority.

      7.   registryLock.  The domain is on hold by the registry.

      8.   registrarLock.  Same as "registryLock".

      9.   other.  The domain has a known status, but it is not one of
           the predefined enumerated values.

      10.  unknown.  The domain has an unknown status.

      11.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.19.1.  Nameservers Class

   The Nameservers class describes the nameservers associated with a
   given domain.

   +--------------------+
   | Nameservers        |
   +--------------------+
   |                    |<>----------[ Server  ]
   |                    |<>--{1..*}--[ Address ]
   +--------------------+

                     Figure 39: The Nameservers Class

   The aggregate classes of the Nameservers class are:

   Server
      One.  STRING.  The domain name of the nameserver.

   Address
      One or more.  The address of the nameserver.  The value of the
      category attribute MUST be either "ipv4-addr" or "ipv6-addr".  See
      Section 3.18.1.

   The Nameservers class has no attributes.

3.19.2.  DomainContacts Class

   The DomainContacts class describes the contact information for a
   given domain provided either by the registrar or through a whois
   query.

   This contact information can be explicitly described through a
   Contact class, or a reference can be provided to a domain with
   identical contact information.  Either a single SameDomainContact or
   one or more Contact classes MUST be present.

   +--------------------+
   | DomainContacts     |
   +--------------------+
   |                    |<>--{0..1}--[ SameDomainContact ]
   |                    |<>--{1..*}--[ Contact ]
   +--------------------+

                    Figure 40: The DomainContacts Class

   The aggregate classes of the DomainContacts class are:

   SameDomainContact
      Zero or one.  STRING.  A domain name already cited in this
      document or through previous exchange that contains the identical
      contact information as the domain name in question.  The domain
      contact information associated with this domain should be used
      instead of an explicit definition with the Contact class.

   Contact
      One or more.  Contact information for the domain.  See
      Section 3.9.

   The DomainContacts class has no attributes.
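   An added example (not from the RFC) that checks the structural rules of the Node, Nameservers and DomainContacts classes over a document: a Node needs an Address or a DomainData; a Nameservers Address MUST be "ipv4-addr" or "ipv6-addr"; DomainContacts carries either one SameDomainContact or at least one Contact; and a SameDomainContact must name a domain already cited earlier in the document (a reference to a previous exchange cannot be checked offline, so it is reported). The namespace URI and the Flow fragment are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

NS_URI = "urn:ietf:params:xml:ns:iodef-2.0"   # IODEF v2 namespace (assumed here)


def q(tag):
    """Namespace-qualify an IODEF element name for ElementTree lookups."""
    return "{%s}%s" % (NS_URI, tag)


# Constructed sample: first Node is clean, second breaks two rules, third has no identity.
SAMPLE = """<Flow xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <System category="source">
    <Node>
      <DomainData system-status="fraudulent" domain-status="assignedAndActive">
        <Name>bad.example</Name>
        <Nameservers>
          <Server>ns1.bad.example</Server>
          <Address category="ipv4-addr">192.0.2.53</Address>
        </Nameservers>
        <DomainContacts>
          <Contact role="admin" type="organization"><ContactName>Registrant</ContactName></Contact>
        </DomainContacts>
      </DomainData>
    </Node>
  </System>
  <System category="intermediate">
    <Node>
      <DomainData system-status="innocent-hacked" domain-status="assignedAndActive">
        <Name>relay.example</Name>
        <Nameservers>
          <Server>ns1.relay.example</Server>
          <Address category="ipv4-net">192.0.2.0/24</Address>
        </Nameservers>
        <DomainContacts>
          <SameDomainContact>other.example</SameDomainContact>
        </DomainContacts>
      </DomainData>
    </Node>
  </System>
  <System category="target">
    <Node><Location>Rack 12, slot 3</Location></Node>
  </System>
</Flow>"""


def node_problems(node, cited):
    """Apply the Section 3.18, 3.19.1 and 3.19.2 rules to one Node element.

    `cited` holds the DomainData names seen earlier in document order and is
    extended with this Node's names, so a SameDomainContact can only point
    backwards.
    """
    problems = []
    if not node.findall(q("Address")) and not node.findall(q("DomainData")):
        problems.append("Node has neither Address nor DomainData")
    for dd in node.findall(q("DomainData")):
        name = (dd.findtext(q("Name")) or "").strip()
        for servers in dd.findall(q("Nameservers")):
            if servers.find(q("Server")) is None or not servers.findall(q("Address")):
                problems.append("Nameservers for %s lacks Server or Address" % name)
            for addr in servers.findall(q("Address")):
                cat = addr.get("category", "ipv6-addr")      # Address attribute default
                if cat not in ("ipv4-addr", "ipv6-addr"):
                    problems.append("Nameservers Address for %s has category %r" % (name, cat))
        contacts = dd.find(q("DomainContacts"))
        if contacts is not None:
            same = contacts.findall(q("SameDomainContact"))
            explicit = contacts.findall(q("Contact"))
            if len(same) > 1 or (not same and not explicit):
                problems.append("DomainContacts for %s needs one SameDomainContact "
                                "or at least one Contact" % name)
            for ref in same:
                target = (ref.text or "").strip()
                if target not in cited:
                    problems.append("SameDomainContact %r for %s is not cited earlier "
                                    "in this document" % (target, name))
        if name:
            cited.add(name)
    return problems


def check_document(xml_text):
    """Walk every Node in document order and collect the violations found."""
    root = ET.fromstring(xml_text)
    cited, problems = set(), []
    for node in root.iter(q("Node")):
        problems.extend(node_problems(node, cited))
    return problems


if __name__ == "__main__":
    for line in check_document(SAMPLE):
        print(line)
```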

3.20.  Service Class

   The Service class describes a network service.  The service is
   described by a protocol, port, protocol header field, and application
   providing or using the service.

   +-------------------------+
   | Service                 |
   +-------------------------+
   | INTEGER ip-protocol     |<>--{0..1}--[ ServiceName       ]
   | ID observable-id        |<>--{0..1}--[ Port              ]
   |                         |<>--{0..1}--[ Portlist          ]
   |                         |<>--{0..1}--[ ProtoCode         ]
   |                         |<>--{0..1}--[ ProtoType         ]
   |                         |<>--{0..1}--[ ProtoField        ]
   |                         |<>--{0..1}--[ ApplicationHeader ]
   |                         |<>--{0..1}--[ EmailData         ]
   |                         |<>--{0..1}--[ Application       ]
   +-------------------------+

                       Figure 41: The Service Class

   The aggregate classes of the Service class are:

   ServiceName
      Zero or one.  A protocol name.

   Port
      Zero or one.  INTEGER.  A port number.

   Portlist
      Zero or one.  PORTLIST.  A list of port numbers.

   ProtoCode
      Zero or one.  INTEGER.  A transport-layer (Layer 4) protocol-
      specific code field (e.g., ICMP code field).

   ProtoType
      Zero or one.  INTEGER.  A transport-layer (Layer 4) protocol-
      specific type field (e.g., ICMP type field).

   ProtoField
      Zero or one.  INTEGER.  A transport-layer (Layer 4) protocol-
      specific flag field (e.g., TCP flag field).

   ApplicationHeader
      Zero or one.  A protocol header.  See Section 3.20.2.

   EmailData
      Zero or one.  Headers associated with an email message.  See
      Section 3.21.

   Application
      Zero or one.  SOFTWARE.  The application acting as either the
      client or the server for the service.

   At least one of these classes MUST be present.

   When a given System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an implicit
   relationship between these Portlists exists.  If N ports are listed
   for a System@category="source", and M ports are listed for
   System@category="target", the number of ports in N must be equal to
   M.  Likewise, the ports MUST be listed in an identical sequence such
   that the n-th port in the source corresponds to the n-th port of the
   target.  If N is greater than 1, a given instance of a Flow class
   MUST only have a single instance of a System@category="source" and
   System@category="target".

   The attributes of the Service class are:

   ip-protocol
      Optional.  INTEGER.  The IANA-assigned IP protocol number per
      [IANA.Protocols].  The attribute MUST be set if a Port, Portlist,
      ProtoCode, ProtoType, or ProtoField class is present.

   observable-id
      Optional.  ID.  See Section 3.3.2.
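   An added example (not the RFC's own code) that applies the implicit source/target Portlist relationship above and the ip-protocol rule to a Flow: it expands each PORTLIST, checks that N equals M and that a multi-port Flow has exactly one source and one target System, and returns the n-th-to-n-th port pairs. It assumes the IODEF v2 namespace URI, the PORTLIST syntax of comma-separated ports and ranges ("22,53,6667-6669"), and a constructed EventData fragment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}   # IODEF v2 namespace (assumed)

AGGREGATES = ["ServiceName", "Port", "Portlist", "ProtoCode", "ProtoType",
              "ProtoField", "ApplicationHeader", "EmailData", "Application"]
NEEDS_IP_PROTOCOL = {"Port", "Portlist", "ProtoCode", "ProtoType", "ProtoField"}

# Constructed sample: the first Flow is consistent, the second lists 2 source
# ports against 1 target port and omits ip-protocol on the source Service.
SAMPLE = """<EventData xmlns="urn:ietf:params:xml:ns:iodef-2.0">
  <Flow>
    <System category="source">
      <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
      <Service ip-protocol="6"><Portlist>6667-6669</Portlist></Service>
    </System>
    <System category="target">
      <Node><Address category="ipv4-addr">203.0.113.5</Address></Node>
      <Service ip-protocol="6"><Portlist>33000-33002</Portlist></Service>
    </System>
  </Flow>
  <Flow>
    <System category="source">
      <Node><Address category="ipv4-addr">192.0.2.11</Address></Node>
      <Service><Portlist>22,80</Portlist></Service>
    </System>
    <System category="target">
      <Node><Address category="ipv4-addr">203.0.113.5</Address></Node>
      <Service ip-protocol="6"><Portlist>22</Portlist></Service>
    </System>
  </Flow>
</EventData>"""


def expand_portlist(text):
    """Expand a PORTLIST such as "22,53,6667-6669" into an ordered list of ports."""
    ports = []
    for item in text.replace(" ", "").split(","):
        if not item:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError("bad PORTLIST item %r" % item)
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("port range out of order or out of range: %r" % item)
        ports.extend(range(lo, hi + 1))
    return ports


def service_problems(service):
    """Rules on a single Service element: at least one aggregate class, and
    ip-protocol whenever a Layer 4 detail (Port, Portlist, Proto*) is given."""
    present = {n for n in AGGREGATES if service.find("iodef:" + n, NS) is not None}
    problems = []
    if not present:
        problems.append("Service has none of its aggregate classes")
    if present & NEEDS_IP_PROTOCOL and service.get("ip-protocol") is None:
        problems.append("ip-protocol MUST be set when Port, Portlist, ProtoCode, "
                        "ProtoType or ProtoField is present")
    return problems


def _systems(flow, category):
    return [s for s in flow.findall("iodef:System", NS) if s.get("category") == category]


def _portlist(system):
    pl = system.find("iodef:Service/iodef:Portlist", NS)
    return expand_portlist(pl.text) if pl is not None and pl.text else None


def pair_flow_ports(flow):
    """Return (source_port, target_port) pairs implied by a Flow's Portlists.

    Raises ValueError when N != M or when a multi-port Portlist appears in a
    Flow that does not have exactly one source and one target System.
    """
    sources, targets = _systems(flow, "source"), _systems(flow, "target")
    src = [p for p in map(_portlist, sources) if p]
    dst = [p for p in map(_portlist, targets) if p]
    if not src or not dst:
        return []                       # relationship only exists between two Portlists
    if max(map(len, src + dst)) > 1:
        if len(sources) != 1 or len(targets) != 1:
            raise ValueError("a Flow whose Portlist has more than one port MUST have "
                             "exactly one source and one target System")
        if len(src[0]) != len(dst[0]):
            raise ValueError("source lists %d ports but target lists %d"
                             % (len(src[0]), len(dst[0])))
        return list(zip(src[0], dst[0]))
    return [(s[0], d[0]) for s in src for d in dst]


def analyse(xml_text):
    """Per Flow: the implied port pairs (None on violation) and any problems found."""
    root = ET.fromstring(xml_text)
    results = []
    for flow in root.iter("{%s}Flow" % NS["iodef"]):
        problems = [p for svc in flow.iter("{%s}Service" % NS["iodef"])
                    for p in service_problems(svc)]
        try:
            pairs = pair_flow_ports(flow)
        except ValueError as exc:
            pairs, problems = None, problems + [str(exc)]
        results.append({"pairs": pairs, "problems": problems})
    return results
```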

3.20.1.  ServiceName Class

   The ServiceName class identifies an application protocol.  It can be
   described by referencing an IANA-registered protocol, by referencing
   a URL, or with free-form text.

   +--------------------+
   | ServiceName        |
   +--------------------+
   |                    |<>--{0..1}--[ IANAService       ]
   |                    |<>--{0..*}--[ URL               ]
   |                    |<>--{0..*}--[ Description       ]
   +--------------------+

                     Figure 42: The ServiceName Class

   The aggregate classes of the ServiceName class are:

   IANAService
      Zero or one.  STRING.  The name of the service per the "Service
      Name" field of the registry [IANA.Ports].

   URL
      Zero or more.  URL.  A URL to a resource describing the service.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      service.

   At least one of these classes MUST be present.

   The ServiceName class has no attributes.

3.20.2.  ApplicationHeader Class

   The ApplicationHeader class describes arbitrary fields from a
   protocol header and their corresponding values.

   +--------------------------+
   | ApplicationHeader        |
   +--------------------------+
   |                          |<>--{1..*}--[ ApplicationHeaderField ]
   +--------------------------+

                  Figure 43: The ApplicationHeader Class

   The aggregate class of the ApplicationHeader class is:

   ApplicationHeaderField
      One or more.  EXTENSION.  A field name and value in a protocol
      header.  The name attribute MUST be set to the field name.  The
      field value MUST be set in the element content.

   The ApplicationHeader class has no attributes.
