Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7970

The Incident Object Description Exchange Format Version 2

Pages: 172
Proposed Standard
Errata
Obsoletes:  50706685
Part 4 of 9 – Pages 60 to 81
First   Prev   Next

Top   ToC   RFC7970 - Page 60   prevText

3.15. Expectation Class

The Expectation class conveys to the recipient of the IODEF document the actions the sender is requesting. +-------------------------+ | Expectation | +-------------------------+ | ENUM action |<>--{0..*}--[ Description ] | STRING ext-action |<>--{0..*}--[ DefinedCOA ] | ENUM severity |<>--{0..1}--[ StartTime ] | ENUM restriction |<>--{0..1}--[ EndTime ] | STRING ext-restriction |<>--{0..1}--[ Contact ] | ID observable-id | +-------------------------+ Figure 31: The Expectation Class The aggregate classes of the Expectation class are: Description Zero or more. ML_STRING. A free-form text description of the desired action(s). DefinedCOA Zero or more. STRING. A unique identifier meaningful to the sender and recipient of this document that references a course of action. This class MUST be present if the action attribute is set to "defined-coa".
Top   ToC   RFC7970 - Page 61
   StartTime
      Zero or one.  DATETIME.  The time at which the sender would like
      the action performed.  A timestamp that is earlier than the
      ReportTime specified in the Incident class denotes that the sender
      would like the action performed as soon as possible.  The absence
      of this element indicates no expectations of when the recipient
      would like the action performed.

   EndTime
      Zero or one.  DATETIME.  The time by which the sender expects the
      recipient to complete the action.  If the recipient cannot
      complete the action before EndTime, the recipient MUST NOT carry
      out the action.  Because of transit delays and clock drift, the
      sender MUST be prepared for the recipient to have carried out the
      action, even if it completes past EndTime.

   Contact
      Zero or one.  The entity expected to perform the action.  See
      Section 3.9.

   The attributes of the Expectation class are:

   action
      Optional.  ENUM.  Classifies the type of action requested.  The
      default value of "other".  These values are maintained in the
      "Expectation-action" IANA registry per Section 10.2.

      1.   nothing.  No action is requested.  Do nothing with the
           information.

      2.   contact-source-site.  Contact the site(s) identified as the
           source of the activity.

      3.   contact-target-site.  Contact the site(s) identified as the
           target of the activity.

      4.   contact-sender.  Contact the originator of the document.

      5.   investigate.  Investigate the system(s) listed in the event.

      6.   block-host.  Block traffic from the machine(s) listed as
           sources in the event.

      7.   block-network.  Block traffic from the network(s) lists as
           sources in the event.

      8.   block-port.  Block the port listed as sources in the event.
Top   ToC   RFC7970 - Page 62
      9.   rate-limit-host.  Rate-limit the traffic from the machine(s)
           listed as sources in the event.

      10.  rate-limit-network.  Rate-limit the traffic from the
           network(s) lists as sources in the event.

      11.  rate-limit-port.  Rate-limit the port(s) listed as sources in
           the event.

      12.  redirect-traffic.  Redirect traffic from the intended
           recipient for further analysis.

      13.  honeypot.  Redirect traffic from systems listed in the event
           to a honeypot for further analysis.

      14.  upgrade-software.  Upgrade or patch the software or firmware
           on an asset listed in the event.

      15.  rebuild-asset.  Reinstall the operating system or
           applications on an asset listed in the event.

      16.  harden-asset.  Change the configuration of an asset listed in
           the event to reduce the attack surface.

      17.  remediate-other.  Remediate the activity in a way other than
           by rate-limiting or blocking.

      18.  status-triage.  Confirm receipt and begin triaging the
           incident.

      19.  status-new-info.  Notify the sender when new information is
           received for this incident.

      20.  watch-and-report.  Watch for the described activity or
           indicators, and notify the sender when seen.

      21.  training.  Train user to identify or mitigate the described
           threat.

      22.  defined-coa.  Perform a predefined course of action (COA).
           The COA is named in the DefinedCOA class.

      23.  other.  Perform a custom action described in the Description
           class.

      24.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.
Top   ToC   RFC7970 - Page 63
   ext-action
      Optional.  STRING.  A means by which to extend the action
      attribute.  See Section 5.1.1.

   severity
      Optional.  ENUM.  Indicates the desired priority of the action.
      This attribute is an enumerated list with no default value, and
      the semantics of these relative measures are context dependent.

      1.  low.  Low priority

      2.  medium.  Medium priority

      3.  high.  High priority

   restriction
      Optional.  ENUM.  See Section 3.3.1.  The default value is
      "default".

   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.16. Flow Class

The Flow class describes the systems and networks involved in the incident and the relationships between them. +------------------+ | Flow | +------------------+ | |<>--{1..*}--[ System ] +------------------+ Figure 32: The Flow Class The aggregate class of the Flow class is: System One or More. A host or network involved in an event. See Section 3.17. The Flow class has no attributes.
Top   ToC   RFC7970 - Page 64

3.17. System Class

The System class describes a system or network involved in an event. +------------------------+ | System | +------------------------+ | ENUM category |<>----------[ Node ] | STRING ext-category |<>--{0..*}--[ NodeRole ] | STRING interface |<>--{0..*}--[ Service ] | ENUM spoofed |<>--{0..*}--[ OperatingSystem ] | ENUM virtual |<>--{0..*}--[ Counter ] | ENUM ownership |<>--{0..*}--[ AssetID ] | STRING ext-ownership |<>--{0..*}--[ Description ] | ENUM restriction |<>--{0..*}--[ AdditionalData ] | STRING ext-restriction | | ID observable-id | +------------------------+ Figure 33: The System Class The aggregate classes of the System class are: Node One. A host or network involved in the incident. See Section 3.18. NodeRole Zero or more. The intended purpose of the system. See Section 3.18.2. Service Zero or more. A network service running on the system. See Section 3.20. OperatingSystem Zero or more. SOFTWARE. The operating system running on the system. Counter Zero or more. A counter with which to summarize properties of this host or network. See Section 3.18.3. AssetID Zero or more. STRING. An asset identifier for the System.
Top   ToC   RFC7970 - Page 65
   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      System.

   AdditionalData
      Zero or more.  EXTENSION.  A mechanism by which to extend the data
      model.

   The attributes of the System class are:

   category
      Optional.  ENUM.  Classifies the role the host or network played
      in the incident.  These values are maintained in the "System-
      category" IANA registry per Section 10.2.

      1.  source.  The System was the source of the event.

      2.  target.  The System was the target of the event.

      3.  intermediate.  The System was an intermediary in the event.

      4.  sensor.  The System was a sensor monitoring the event.

      5.  infrastructure.  The System was an infrastructure node of the
          IODEF document exchange.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   interface
      Optional.  STRING.  Specifies the interface on which the event(s)
      on this System originated.  If the Node class specifies a network
      rather than a host, this attribute has no meaning.

   spoofed
      Optional.  ENUM.  An indication of confidence in whether this
      System was the true target or attacking host.  The permitted
      values for this attribute are shown below.  The default value is
      "unknown".

      1.  unknown.  The accuracy of the category attribute value is
          unknown.
Top   ToC   RFC7970 - Page 66
      2.  yes.  The category attribute value is likely incorrect.  In
          the case of a source, the System is likely a decoy; with a
          target, the System was likely not the intended victim.

      3.  no.  The category attribute value is believed to be correct.

   virtual
      Optional.  ENUM.  Indicates whether this System is a virtual or
      physical device.  The default value is "unknown".

      1.  yes.  The System is a virtual device.

      2.  no.  The System is a physical device.

      3.  unknown.  It is not known if the System is virtual.

   ownership
      Optional.  ENUM.  Describes the ownership of this System relative
      to the victim in the incident.  These values are maintained in the
      "System-ownership" IANA registry per Section 10.2.

      1.  organization.  Corporate or enterprise owned.

      2.  personal.  Personally owned by an employee or affiliate of the
          corporation or enterprise.

      3.  partner.  Owned by a partner of the corporation or enterprise.

      4.  customer.  Owned by a customer of the corporation or
          enterprise.

      5.  no-relationship.  Owned by an entity that has no known
          relationship with the victim organization.

      6.  unknown.  Ownership is unknown.

      7.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-ownership
      Optional.  STRING.  A means by which to extend the ownership
      attribute.  See Section 5.1.1.

   restriction
      Optional.  ENUM.  See Section 3.3.1.
Top   ToC   RFC7970 - Page 67
   ext-restriction
      Optional.  STRING.  A means by which to extend the restriction
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.18. Node Class

The Node class identifies a system, asset, or network and its location. +---------------+ | Node | +---------------+ | |<>--{0..*}--[ DomainData ] | |<>--{0..*}--[ Address ] | |<>--{0..1}--[ PostalAddress ] | |<>--{0..*}--[ Location ] | |<>--{0..*}--[ Counter ] +---------------+ Figure 34: The Node Class The aggregate classes of the Node class are: DomainData Zero or more. The domain (DNS) information associated with this node. If an Address is not provided, at least one DomainData MUST be specified. See Section 3.19. Address Zero or more. The hardware, network, or application address of the node. If a DomainData is not provided, at least one Address MUST be specified. See Section 3.18.1. PostalAddress Zero or one. POSTAL. The postal address of the node. Location Zero or more. ML_STRING. A free-form text description of the physical location of the node. This description may provide a more detailed description of where at the address specified by the PostalAddress class this node is found (e.g., room number, rack number, or slot number in a chassis).
Top   ToC   RFC7970 - Page 68
   Counter
      Zero or more.  A counter with which to summarize properties of
      this host or network.  See Section 3.18.3.

   The Node class has no attributes.

3.18.1. Address Class

The Address class represents a hardware (Layer 2), network (Layer 3), or application (Layer 7) address. +-------------------------+ | Address | +-------------------------+ | STRING | | | | ENUM category | | STRING ext-category | | STRING vlan-name | | INTEGER vlan-num | | ID observable-id | +-------------------------+ Figure 35: The Address Class The content of the class is an address of type STRING whose semantics are determined by the category attribute. The attributes of the Address class are: category Required. ENUM. The type of address represented. The default value is "ipv6-addr". These values are maintained in the "Address-category" IANA registry per Section 10.2. 1. asn. Autonomous System Number. 2. atm. Asynchronous Transfer Mode (ATM) address. 3. e-mail. Email address, per the EMAIL data type. 4. ipv4-addr. IPv4 host address in dotted-decimal notation (i.e., a.b.c.d). 5. ipv4-net. IPv4 network address in dotted-decimal notation, slash, significant bits (i.e., a.b.c.d/nn).
Top   ToC   RFC7970 - Page 69
      6.   ipv4-net-masked.  A sanitized IPv4 address with significant
           bits per "ipv4-net" but with the character 'x' replacing any
           digit(s) in the address or prefix.

      7.   ipv4-net-mask.  IPv4 network address in dotted-decimal
           notation, slash, network mask in dotted-decimal notation
           (i.e., a.b.c.d/w.x.y.z).

      8.   ipv6-addr.  IPv6 host address per Section 4 of [RFC5952].

      9.   ipv6-net.  IPv6 network address, slash, prefix per
           Section 2.3 of [RFC4291].

      10.  ipv6-net-masked.  A sanitized IPv6 address and prefix per
           "ipv6-net" but with the character 'x' replacing any
           hexadecimal digit(s) in the address or digit(s) in the
           prefix.

      11.  mac.  Media Access Control (MAC) address (i.e.,
           aa:bb:cc:dd:ee:ff).

      12.  site-uri.  A URL or URI for a resource, per the URL data
           type.

      13.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.

   vlan-name
      Optional.  STRING.  The name of the Virtual LAN to which the
      address belongs.

   vlan-num
      Optional.  INTEGER.  The number of the Virtual LAN to which the
      address belongs.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.18.2. NodeRole Class

The NodeRole class describes the function performed by or role of a particular system, asset, or network.
Top   ToC   RFC7970 - Page 70
   +-----------------------+
   | NodeRole              |
   +-----------------------+
   | ENUM category         |<>--{0..*}--[ Description ]
   | STRING ext-category   |
   +-----------------------+

                       Figure 36: The NodeRole Class

   The aggregate class of the NodeRole class is:

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      role of the system.

   The attributes of the NodeRole class are:

   category
      Required.  ENUM.  Function or role of a node.  These values are
      maintained in the "NodeRole-category" IANA registry per
      Section 10.2.

      1.   client.  Client computer.

      2.   client-enterprise.  Client computer on the enterprise
           network.

      3.   client-partner.  Client computer on network of a partner.

      4.   client-remote.  Client computer remotely connected to the
           enterprise network.

      5.   client-kiosk.  Client computer serving as a kiosk.

      6.   client-mobile.  Mobile device.

      7.   server-internal.  Server with internal services.

      8.   server-public.  Server with public services.

      9.   www.  WWW server.

      10.  mail.  Mail server.

      11.  webmail.  Web mail server.

      12.  messaging.  Messaging server (e.g., NNTP, IRC, IM).
Top   ToC   RFC7970 - Page 71
      13.  streaming.  Streaming-media server.

      14.  voice.  Voice server (e.g., SIP, H.323).

      15.  file.  File server.

      16.  ftp.  FTP server.

      17.  p2p.  Peer-to-peer node.

      18.  name.  Name server (e.g., DNS, WINS).

      19.  directory.  Directory server (e.g., LDAP, finger, whois).

      20.  credential.  Credential server (e.g., domain controller,
           Kerberos).

      21.  print.  Print server.

      22.  application.  Application server.

      23.  database.  Database server.

      24.  backup.  Backup server.

      25.  dhcp.  DHCP server.

      26.  assessment.  Assessment server (e.g., vulnerability scanner,
           endpoint assessment).

      27.  source-control.  Source code control server.

      28.  config-management.  Configuration management server.

      29.  monitoring.  Security monitoring server (e.g., IDS).

      30.  infra.  Infrastructure server (e.g., router, firewall, DHCP).

      31.  infra-firewall.  Firewall.

      32.  infra-router.  Router.

      33.  infra-switch.  Switch.

      34.  camera.  Camera and video system.

      35.  proxy.  Proxy server.
Top   ToC   RFC7970 - Page 72
      36.  remote-access.  Remote access server.

      37.  log.  Log server (e.g., syslog).

      38.  virtualization.  Server running virtual machines.

      39.  pos.  Point-of-sale device.

      40.  scada.  Supervisory control and data acquisition (SCADA)
           system.

      41.  scada-supervisory.  Supervisory system for a SCADA.

      42.  sinkhole.  Traffic sinkhole destination.

      43.  honeypot.  Honeypot server.

      44.  anonymization.  Anonymization server (e.g., Tor node).

      45.  c2-server.  Malicious command and control server.

      46.  malware-distribution.  Server that distributes malware

      47.  drop-server.  Server to which exfiltrated content is
           uploaded.

      48.  hop-point.  Intermediary server used to get to a victim.

      49.  reflector.  A system used in a reflector attack.

      50.  phishing-site.  Site hosting phishing content.

      51.  spear-phishing-site.  Site hosting spear-phishing content.

      52.  recruiting-site.  Site to recruit.

      53.  fraudulent-site.  Fraudulent site.

      54.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-category
      Optional.  STRING.  A means by which to extend the category
      attribute.  See Section 5.1.1.
Top   ToC   RFC7970 - Page 73

3.18.3. Counter Class

The Counter class summarizes multiple occurrences of an event or conveys counts or rates of various features. The complete semantics of this class are context dependent based on the class in which it is aggregated. +---------------------+ | Counter | +---------------------+ | REAL | | | | ENUM type | | STRING ext-type | | ENUM unit | | STRING ext-unit | | STRING meaning | | ENUM duration | | STRING ext-duration | +---------------------+ Figure 37: The Counter Class The content of the class is a value of type REAL whose meaning and units are determined by the type and duration attributes, respectively. If the duration attribute is present, the element content is a rate. Otherwise, it is a simple counter. The attributes of the Counter class are: type Required. ENUM. Specifies the type of counter specified in the element content. These values are maintained in the "Counter- type" IANA registry per Section 10.2. 1. count. The Counter class value is a counter. 2. peak. The Counter class value is a peak value. 3. average. The Counter class value is an average. 4. ext-value. A value used to indicate that this attribute is extended and the actual value is provided using the corresponding ext-* attribute. See Section 5.1.1.
Top   ToC   RFC7970 - Page 74
   ext-type
      Optional.  STRING.  A means by which to extend the type attribute.
      See Section 5.1.1.

   unit
      Required.  ENUM.  Specifies the units of the element content.
      These values are maintained in the "Counter-unit" IANA registry
      per Section 10.2.

      1.   byte.  Bytes transferred.

      2.   mbit.  Megabits (Mbits) transferred.

      3.   packet.  Packets.

      4.   flow.  Network flow records.

      5.   session.  Sessions.

      6.   alert.  Notifications generated by another system (e.g., IDS
           or SIEM system).

      7.   message.  Messages (e.g., mail messages).

      8.   event.  Events.

      9.   host.  Hosts.

      10.  site.  Site.

      11.  organization.  Organizations.

      12.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-unit
      Optional.  STRING.  A means by which to extend the unit attribute.
      See Section 5.1.1.

   meaning
      Optional.  STRING.  A free-form text description of the metric
      represented by the Counter.
Top   ToC   RFC7970 - Page 75
   duration
      Optional.  ENUM.  If present, the Counter class represents a rate.
      This attribute specifies a unit of time over which the rate whose
      units are specified in the unit attribute is being conveyed.  This
      attribute is the denominator of the rate (where the unit attribute
      specified the nominator).  The possible values of this attribute
      are defined in the duration attribute of Section 3.12.3

   ext-duration
      Optional.  STRING.  A means by which to extend the duration
      attribute.  See Section 5.1.1.

3.19. DomainData Class

The DomainData class describes a domain name and metadata associated with this domain. +--------------------------+ | DomainData | +--------------------------+ | ENUM system-status |<>----------[ Name ] | STRING ext-system-status |<>--{0..1}--[ DateDomainWasChecked ] | ENUM domain-status |<>--{0..1}--[ RegistrationDate ] | STRING ext-domain-status |<>--{0..1}--[ ExpirationDate ] | ID observable-id |<>--{0..*}--[ RelatedDNS ] | |<>--{0..*}--[ Nameservers ] | |<>--{0..1}--[ DomainContacts ] +--------------------------+ Figure 38: The DomainData Class The aggregate classes of the DomainData class are: Name One. STRING. The domain name of a system. DateDomainWasChecked Zero or one. DATETIME. A timestamp of when the domain listed in the Name class was resolved. RegistrationDate Zero or one. DATETIME. A timestamp of when domain listed in the Name class was registered. ExpirationDate Zero or one. DATETIME. A timestamp of when the domain listed in the Name class is set to expire.
Top   ToC   RFC7970 - Page 76
   RelatedDNS
      Zero or more.  EXTENSION.  Additional DNS records associated with
      this domain.

   Nameservers
      Zero or more.  The nameservers identified for the domain listed in
      the Name class.  See Section 3.19.1.

   DomainContacts
      Zero or one.  Contact information for the domain listed in the
      Name class supplied by the registrar or through a whois query.

   The attributes of the DomainData class are:

   system-status
      Required.  ENUM.  Assesses the domain's involvement in the event.
      These values are maintained in the "DomainData-system-status" IANA
      registry per Section 10.2.

      1.  spoofed.  This domain was spoofed.

      2.  fraudulent.  This domain was operated with fraudulent
          intentions.

      3.  innocent-hacked.  This domain was compromised by a third
          party.

      4.  innocent-hijacked.  This domain was deliberately hijacked.

      5.  unknown.  No categorization for this domain known.

      6.  ext-value.  A value used to indicate that this attribute is
          extended and the actual value is provided using the
          corresponding ext-* attribute.  See Section 5.1.1.

   ext-system-status
      Optional.  STRING.  A means by which to extend the system-status
      attribute.  See Section 5.1.1.

   domain-status
      Required.  ENUM.  Categorizes the registry status of the domain at
      the time the document was generated.  These values and their
      associated descriptions are derived from Section 3.2.2 of
      [RFC3982].  These values are maintained in the
      "DomainData-domain-status" IANA registry per Section 10.2.

      1.   reservedDelegation.  The domain is permanently inactive.
Top   ToC   RFC7970 - Page 77
      2.   assignedAndActive.  The domain is in a normal state.

      3.   assignedAndInactive.  The domain has an assigned
           registration, but the delegation is inactive.

      4.   assignedAndOnHold.  The domain is in dispute.

      5.   revoked.  The domain is in the process of being purged from
           the database.

      6.   transferPending.  The domain is pending a change in
           authority.

      7.   registryLock.  The domain is on hold by the registry.

      8.   registrarLock.  Same as "registryLock".

      9.   other.  The domain has a known status, but it is not one of
           the redefined enumerated values.

      10.  unknown.  The domain has an unknown status.

      11.  ext-value.  A value used to indicate that this attribute is
           extended and the actual value is provided using the
           corresponding ext-* attribute.  See Section 5.1.1.

   ext-domain-status
      Optional.  STRING.  A means by which to extend the domain-status
      attribute.  See Section 5.1.1.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.19.1. Nameservers Class

The Nameservers class describes the nameservers associated with a given domain. +--------------------+ | Nameservers | +--------------------+ | |<>----------[ Server ] | |<>--{1..*}--[ Address ] +--------------------+ Figure 39: The Nameservers Class
Top   ToC   RFC7970 - Page 78
   The aggregate classes of the Nameservers class are:

   Server
      One.  STRING.  The domain name of the nameserver.

   Address
      One or more.  The address of the nameserver.  The value of the
      category attribute MUST be either "ipv4-addr" or "ipv6-addr".  See
      Section 3.18.1.

   The Nameservers class has no attributes.

3.19.2. DomainContacts Class

The DomainContacts class describes the contact information for a given domain provided either by the registrar or through a whois query. This contact information can be explicitly described through a Contact class, or a reference can be provided to a domain with identical contact information. Either a single SameDomainContact or one or more Contact classes MUST be present. +--------------------+ | DomainContacts | +--------------------+ | |<>--{0..1}--[ SameDomainContact ] | |<>--{1..*}--[ Contact ] +--------------------+ Figure 40: The DomainContacts Class The aggregate classes of the DomainContacts class are: SameDomainContact Zero or one. STRING. A domain name already cited in this document or through previous exchange that contains the identical contact information as the domain name in question. The domain contact information associated with this domain should be used instead of an explicit definition with the Contact class. Contact One or more. Contact information for the domain. See Section 3.9. The DomainContacts class has no attributes.
Top   ToC   RFC7970 - Page 79

3.20. Service Class

The Service class describes a network service. The service is described by a protocol, port, protocol header field, and application providing or using the service. +-------------------------+ | Service | +-------------------------+ | INTEGER ip-protocol |<>--{0..1}--[ ServiceName ] | ID observable-id |<>--{0..1}--[ Port ] | |<>--{0..1}--[ Portlist ] | |<>--{0..1}--[ ProtoCode ] | |<>--{0..1}--[ ProtoType ] | |<>--{0..1}--[ ProtoField ] | |<>--{0..1}--[ ApplicationHeader ] | |<>--{0..1}--[ EmailData ] | |<>--{0..1}--[ Application ] +-------------------------+ Figure 41: The Service Class The aggregate classes of the Service class are: ServiceName Zero or one. A protocol name. Port Zero or one. INTEGER. A port number. Portlist Zero or one. PORTLIST. A list of port numbers. ProtoCode Zero or one. INTEGER. A transport-layer (Layer 4) protocol- specific code field (e.g., ICMP code field). ProtoType Zero or one. INTEGER. A transport-layer (Layer 4) protocol- specific type field (e.g., ICMP type field). ProtoField Zero or one. INTEGER. A transport-layer (Layer 4) protocol- specific flag field (e.g., TCP flag field). ApplicationHeader Zero or one. A protocol header. See Section 3.20.2.
Top   ToC   RFC7970 - Page 80
   EmailData
      Zero or one.  Headers associated with an email message.  See
      Section 3.21.

   Application
      Zero or one.  SOFTWARE.  The application acting as either the
      client or the server for the service.

   At least one of these classes MUST be present.

   When a given System class with category="source" and another with
   category="target" are aggregated into a single Flow class, and each
   of these System classes has a Service and Portlist class, an implicit
   relationship between these Portlists exists.  If N ports are listed
   for a System@category="source", and M ports are listed for
   System@category="target", the number of ports in N must be equal to
   M.  Likewise, the ports MUST be listed in an identical sequence such
   that the n-th port in the source corresponds to the n-th port of the
   target.  If N is greater than 1, a given instance of a Flow class
   MUST only have a single instance of a System@category="source" and
   System@category="target".

   The attributes of the Service class are:

   ip-protocol
      Optional.  INTEGER.  The IANA-assigned IP protocol number per
      [IANA.Protocols].  The attribute MUST be set if a Port, Portlist,
      ProtoCode, ProtoType, or ProtoField class is present.

   observable-id
      Optional.  ID.  See Section 3.3.2.

3.20.1. ServiceName Class

The ServiceName class identifies an application protocol. It can be described by referencing an IANA-registered protocol, by referencing a URL, or with free-form text. +--------------------+ | ServiceName | +--------------------+ | |<>--{0..1}--[ IANAService ] | |<>--{0..*}--[ URL ] | |<>--{0..*}--[ Description ] +--------------------+ Figure 42: The ServiceName Class
Top   ToC   RFC7970 - Page 81
   The aggregate classes of the ServiceName class are:

   IANAService
      Zero or one.  STRING.  The name of the service per the "Service
      Name" field of the registry [IANA.Ports].

   URL
      Zero or more.  URL.  A URL to a resource describing the service.

   Description
      Zero or more.  ML_STRING.  A free-form text description of the
      service.

   At least one of these classes MUST be present.

   The ServiceName class has no attributes.

3.20.2. ApplicationHeader Class

The ApplicationHeader class describes arbitrary fields from a protocol header and its corresponding value. +--------------------------+ | ApplicationHeader | +--------------------------+ | |<>--{1..*}--[ ApplicationHeaderField ] +--------------------------+ Figure 43: The ApplicationHeader Class The aggregate class of the ApplicationHeader class is: ApplicationHeaderField One or more. EXTENSION. A field name and value in a protocol header. The name attribute MUST be set to the field name. The field value MUST be set in the element content. The ApplicationHeader class has no attributes.


(next page on part 5)

Next Section