
RFC 8274

Incident Object Description Exchange Format Usage Guidance

Part 2 of 2, p. 14 to 33
Page 14
Appendix A.  Indicator Predicate Logic Examples

   In the following example, the EventData class evaluates as a Flow of
   one System with source address 192.0.2.104 OR 192.0.2.106 AND target
   address 198.51.100.1.

   <!-- ...XML code omitted... -->
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">
        G90823490
        </IndicatorID>
        <Description>C2 domains</Description>
        <IndicatorExpression operator="and">
          <IndicatorExpression operator="or">
            <Observable>
              <System category="source" spoofed="no">
                <Node>
                  <Address category="ipv4-addr">
                    192.0.2.104
                  </Address>
                </Node>
              </System>
            </Observable>
            <Observable>
              <System category="source" spoofed="no">
                <Node>
                  <Address category="ipv4-addr">
                    192.0.2.106
                  </Address>
                </Node>
              </System>
            </Observable>
          </IndicatorExpression>
          <Observable>
            <System category="target" spoofed="no">
              <Node>
                <Address category="ipv4-addr">
                  198.51.100.1
                </Address>
              </Node>
            </System>
          </Observable>
        </IndicatorExpression>
      </Indicator>
    </IndicatorData>
   <!-- ...XML code omitted... -->

   Similarly, the FileData Class can be an observable in an
   IndicatorExpression.  The hash values of two files can be used to
   match against an indicator using Boolean "or" logic.  In the
   following example, the indicator consists of either of the two files
   with two different hashes.

   <!-- ...XML code omitted... -->
    <IndicatorData>
      <Indicator>
        <IndicatorID name="csirt.example.com" version="1">
        A4399IWQ
        </IndicatorID>
        <Description>File hash watchlist</Description>
        <IndicatorExpression operator="or">
            <Observable>
              <FileData>
                <File>
                  <FileName>dummy.txt</FileName>
                  <HashData scope="file-contents">
                    <Hash>
                     <ds:DigestMethod Algorithm=
                     "http://www.w3.org/2001/04/xmlenc#sha256"/>
                     <ds:DigestValue>
                      141accec23e7e5157de60853cb1e01bc38042d
                      08f9086040815300b7fe75c184
                     </ds:DigestValue>
                    </Hash>
                  </HashData>
                </File>
              </FileData>
            </Observable>
            <Observable>
              <FileData>
                <File>
                  <FileName>dummy2.txt</FileName>
                  <HashData scope="file-contents">
                    <Hash>
                     <ds:DigestMethod Algorithm=
                     "http://www.w3.org/2001/04/xmlenc#sha256"/>
                     <ds:DigestValue>
                      141accec23e7e5157de60853cb1e01bc38042d
                      08f9086040815300b7fe75c184
                     </ds:DigestValue>
                    </Hash>
                  </HashData>
                </File>
              </FileData>
            </Observable>
        </IndicatorExpression>
      </Indicator>
    </IndicatorData>
   <!-- ...XML code omitted... -->

Appendix B.  Inter-vendor and Service Provider Exercise Examples

   Below is some of the IODEF example information that was exchanged by
   the vendors as part of this proof-of-concept, inter-vendor and
   service provider exercise.

B.1.  Malware Delivery URL

   This example indicates malware and a related URL for file delivery.

  <?xml version="1.0" encoding="UTF-8"?>
  <IODEF-Document version="2.00"
                  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
                  xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <iodef:Incident purpose="reporting">
      <iodef:IncidentID name="csirt.example.com">
        189801
      </iodef:IncidentID>
      <iodef:ReportTime>2012-12-05T12:20:00+00:00</iodef:ReportTime>
      <iodef:GenerationTime>2012-12-05T12:20:00+00:00
      </iodef:GenerationTime>
      <iodef:Description>Malware and related indicators
      </iodef:Description>
      <iodef:Assessment occurrence="potential">
        <iodef:SystemImpact severity="medium" type="breach-privacy">
          <iodef:Description>Malware with C2
          </iodef:Description>
        </iodef:SystemImpact>
      </iodef:Assessment>
      <iodef:Contact role="creator" type="organization">
        <iodef:ContactName>example.com CSIRT
        </iodef:ContactName>
        <iodef:Email>
          <iodef:EmailTo>contact@csirt.example.com
          </iodef:EmailTo>
        </iodef:Email>
      </iodef:Contact>
      <iodef:EventData>
        <iodef:Flow>
          <iodef:System category="source">
            <iodef:Node>
              <iodef:Address category="ipv4-addr">192.0.2.200
              </iodef:Address>
              <iodef:Address category="site-uri">
                /log-bin/lunch_install.php?aff_id=1&amp;lunch_id=1&amp;
                maddr=&amp;action=install
              </iodef:Address>
            </iodef:Node>
            <iodef:NodeRole category="www"/>
          </iodef:System>
        </iodef:Flow>
      </iodef:EventData>
    </iodef:Incident>
  </IODEF-Document>

B.2.  DDoS

   The DDoS test exchanged information that described a DDoS, including
   protocols and ports, bad IP addresses, and HTTP user agent fields.
   The IODEF version used for the data representation was based on
   [RFC7970].

 <?xml version="1.0" encoding="UTF-8"?>
 <IODEF-Document version="2.00"
                 xmlns="urn:ietf:params:xml:ns:iodef-2.0"
                 xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <iodef:Incident purpose="reporting" restriction="default">
     <iodef:IncidentID name="csirt.example.com">
       189701
     </iodef:IncidentID>
     <iodef:DetectTime>2013-02-05T01:15:45+00:00</iodef:DetectTime>
     <iodef:StartTime>2013-02-05T00:34:45+00:00</iodef:StartTime>
     <iodef:ReportTime>2013-02-05T01:34:45+00:00</iodef:ReportTime>
     <iodef:GenerationTime>2013-02-05T01:15:45+00:00
     </iodef:GenerationTime>
     <iodef:Description>DDoS Traffic Seen</iodef:Description>
     <iodef:Assessment occurrence="actual">
       <iodef:SystemImpact severity="medium" type="availability-system">
         <iodef:Description>DDoS Traffic
         </iodef:Description>
       </iodef:SystemImpact>
       <iodef:Confidence rating="high"/>
     </iodef:Assessment>
     <iodef:Contact role="creator" type="organization">
       <iodef:ContactName>Dummy Test</iodef:ContactName>
       <iodef:Email>
         <iodef:EmailTo>contact@dummytest.com
         </iodef:EmailTo>
       </iodef:Email>
     </iodef:Contact>
     <iodef:EventData>
       <iodef:Description>
         Dummy Test sharing with ISP1
       </iodef:Description>
       <iodef:Method>
         <iodef:Reference>
           <iodef:URL>
             http://blog.spiderlabs.com/2011/01/loic-ddos-
             analysis-and-detection.html
           </iodef:URL>
           <iodef:URL>
             http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon
           </iodef:URL>
           <iodef:Description>
             Low Orbit Ion Cannon User Agent
           </iodef:Description>
         </iodef:Reference>
       </iodef:Method>
       <iodef:Flow>
         <iodef:System category="source" spoofed="no">
           <iodef:Node>
             <iodef:Address category="ipv4-addr">
               192.0.2.104
             </iodef:Address>
           </iodef:Node>
           <iodef:Service ip-protocol="6">
             <iodef:Port>1337</iodef:Port>
           </iodef:Service>
         </iodef:System>
         <iodef:System category="source" spoofed="no">
           <iodef:Node>
             <iodef:Address category="ipv4-addr">
               192.0.2.106
             </iodef:Address>
           </iodef:Node>
           <iodef:Service ip-protocol="6">
             <iodef:Port>1337</iodef:Port>
           </iodef:Service>
         </iodef:System>
         <iodef:System category="source" spoofed="yes">
           <iodef:Node>
             <iodef:Address category="ipv4-net">
               198.51.100.0/24
             </iodef:Address>
           </iodef:Node>
           <iodef:Service ip-protocol="6">
             <iodef:Port>1337</iodef:Port>
           </iodef:Service>
         </iodef:System>
         <iodef:System category="source" spoofed="yes">
           <iodef:Node>
             <iodef:Address category="ipv6-addr">
               2001:db8:dead:beef::1
             </iodef:Address>
           </iodef:Node>
           <iodef:Service ip-protocol="6">
             <iodef:Port>1337</iodef:Port>
           </iodef:Service>
         </iodef:System>
         <iodef:System category="target">
           <iodef:Node>
             <iodef:Address category="ipv4-addr">
               203.0.113.1
             </iodef:Address>
           </iodef:Node>
           <iodef:Service ip-protocol="6">
             <iodef:Port>80</iodef:Port>
           </iodef:Service>
         </iodef:System>
         <iodef:System category="sensor">
           <iodef:Node>
           </iodef:Node>
           <iodef:Description>
             Information provided in Flow class instance is from
             Inspection of traffic from network tap
           </iodef:Description>
         </iodef:System>
       </iodef:Flow>
       <iodef:Expectation action="other"/>
     </iodef:EventData>
     <iodef:IndicatorData>
       <iodef:Indicator>
         <iodef:IndicatorID name="csirt.example.com" version="1">
           G83345941
         </iodef:IndicatorID>
         <iodef:Description>
           User-Agent string
         </iodef:Description>
         <iodef:Observable>
           <iodef:BulkObservable type="http-user-agent">
             <iodef:BulkObservableList>
               user-agent="Mozilla/5.0 (Macintosh; U;
               Intel Mac OS X 10.5; en-US; rv:1.9.2.12)
               Gecko/20101026 Firefox/3.6.12">
             </iodef:BulkObservableList>
           </iodef:BulkObservable>
         </iodef:Observable>
       </iodef:Indicator>
     </iodef:IndicatorData>
   </iodef:Incident>
 </IODEF-Document>
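A report like the one above is only useful to the receiving ISP if it is read with the spoofed attribute in mind. The following Python is an added example, not code from RFC 8274 or from any IODEF implementation: it pulls every source System out of the Flow classes and sorts the addresses by the sender's spoofed value, so that only spoofed="no" addresses become blocking candidates while a forged range such as the /24 above is kept for the record but never blocked. The DDOS_SAMPLE document is constructed for this example; the function and bucket names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0"}

def _text(el):
    return " ".join((el.text or "").split())

def flow_systems(xml_text, category):
    """Yield (address category, address, ip-protocol, port, spoofed) for every
    System of the given category found in a Flow of the document."""
    root = ET.fromstring(xml_text)
    for system in root.iterfind(".//iodef:Flow/iodef:System", NS):
        if system.get("category") != category:
            continue
        proto = port = None
        svc = system.find("iodef:Service", NS)
        if svc is not None:
            proto = svc.get("ip-protocol")
            port_el = svc.find("iodef:Port", NS)
            port = _text(port_el) if port_el is not None else None
        spoofed = system.get("spoofed", "unknown")   # "unknown" is the RFC 7970 default
        for addr in system.iterfind("iodef:Node/iodef:Address", NS):
            yield addr.get("category"), _text(addr), proto, port, spoofed

def triage_sources(xml_text):
    """Sort reported attack sources by the sender's confidence that they are real.

    Only spoofed="no" addresses are candidates for blocking. A spoofed="yes"
    address or prefix belongs to a bystander whose address was forged, so it is
    kept for the record but never blocked; an absent or "unknown" value needs an
    analyst's decision before any action is taken."""
    buckets = {"block": [], "report_only": [], "review": []}
    for cat, addr, proto, port, spoofed in flow_systems(xml_text, "source"):
        key = {"no": "block", "yes": "report_only"}.get(spoofed, "review")
        buckets[key].append((cat, addr, proto, port))
    return buckets

# Constructed document modelled on the B.2 example above (not the RFC's own text).
DDOS_SAMPLE = """<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
 xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0">
 <iodef:Incident purpose="reporting" restriction="default">
  <iodef:IncidentID name="csirt.example.com">1</iodef:IncidentID>
  <iodef:EventData><iodef:Flow>
   <iodef:System category="source" spoofed="no"><iodef:Node>
     <iodef:Address category="ipv4-addr">192.0.2.104</iodef:Address></iodef:Node>
    <iodef:Service ip-protocol="6"><iodef:Port>1337</iodef:Port></iodef:Service>
   </iodef:System>
   <iodef:System category="source" spoofed="yes"><iodef:Node>
     <iodef:Address category="ipv4-net">198.51.100.0/24</iodef:Address></iodef:Node>
    <iodef:Service ip-protocol="6"><iodef:Port>1337</iodef:Port></iodef:Service>
   </iodef:System>
   <iodef:System category="source"><iodef:Node>
     <iodef:Address category="ipv6-addr">2001:db8:dead:beef::1</iodef:Address></iodef:Node>
   </iodef:System>
   <iodef:System category="target"><iodef:Node>
     <iodef:Address category="ipv4-addr">203.0.113.1</iodef:Address></iodef:Node>
    <iodef:Service ip-protocol="6"><iodef:Port>80</iodef:Port></iodef:Service>
   </iodef:System>
  </iodef:Flow></iodef:EventData>
 </iodef:Incident>
</IODEF-Document>"""
```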

B.3.  Spear Phishing

   The spear-phishing test exchanged information that described a spear-
   phishing email, including DNS records and addresses about the sender,
   malicious attached file information, and email data.  The IODEF
   version used for the data representation was based on [RFC7970].

 <?xml version="1.0" encoding="UTF-8"?>
 <IODEF-Document version="2.00"
                 xmlns="urn:ietf:params:xml:ns:iodef-2.0"
                 xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <iodef:Incident purpose="reporting">
     <iodef:IncidentID name="csirt.example.com">
       189601
     </iodef:IncidentID>
     <iodef:DetectTime>2013-01-04T08:06:12+00:00</iodef:DetectTime>
     <iodef:StartTime>2013-01-04T08:01:34+00:00</iodef:StartTime>
     <iodef:EndTime>2013-01-04T08:31:27+00:00</iodef:EndTime>
     <iodef:ReportTime>2013-01-04T09:15:45+00:00</iodef:ReportTime>
     <iodef:GenerationTime>2013-01-04T09:15:45+00:00
     </iodef:GenerationTime>
     <iodef:Description>
       Zeus Spear Phishing E-mail with Malware Attachment
     </iodef:Description>
     <iodef:Assessment occurrence="potential">
       <iodef:SystemImpact severity="medium" type="takeover-system">
         <iodef:Description>
           Malware with Command and Control Server and System Changes
         </iodef:Description>
       </iodef:SystemImpact>
     </iodef:Assessment>
     <iodef:Contact role="creator" type="organization">
       <iodef:ContactName>example.com CSIRT</iodef:ContactName>
       <iodef:Email>
         <iodef:EmailTo>contact@csirt.example.com</iodef:EmailTo>
        </iodef:Email>
     </iodef:Contact>
     <iodef:EventData>
       <iodef:Description>
         Targeting Defense Contractors,
         specifically board members attending Dummy Con
       </iodef:Description>
       <iodef:Method>
         <iodef:Reference observable-id="ref-1234">
           <iodef:Description>Zeus</iodef:Description>
         </iodef:Reference>
       </iodef:Method>
       <iodef:Flow>
         <iodef:System category="source">
           <iodef:Node>
             <iodef:Address category="site-uri">
               http://www.zeusevil.example.com
             </iodef:Address>
             <iodef:Address category="ipv4-addr">
               192.0.2.166
             </iodef:Address>
             <iodef:Address category="asn">
               65535
             </iodef:Address>
             <iodef:Address category="ext-value"
                            ext-category="as-name">
               EXAMPLE-AS - University of Example
             </iodef:Address>
             <iodef:Address category="ext-value"
                            ext-category="as-prefix">
               192.0.2.0/24
             </iodef:Address>
           </iodef:Node>
           <iodef:NodeRole category="malware-distribution"/>
         </iodef:System>
       </iodef:Flow>
       <iodef:Flow>
         <iodef:System category="source">
           <iodef:Node>
             <iodef:DomainData>
               <Name>mail1.evildave.example.com</Name>
             </iodef:DomainData>
             <iodef:Address category="ipv4-addr">
               198.51.100.6
             </iodef:Address>
             <iodef:Address category="asn">
               65534
             </iodef:Address>
             <iodef:Address category="ext-value"
                            ext-category="as-name">
               EXAMPLE-AS - University of Example
             </iodef:Address>
             <iodef:DomainData>
               <iodef:Name>evildave.example.com</iodef:Name>
               <iodef:DateDomainWasChecked>2013-01-04T09:10:24+00:00
               </iodef:DateDomainWasChecked>
               <!-- <iodef:RelatedDNS RecordType="MX"> -->
               <iodef:RelatedDNS dtype="string">
                 evildave.example.com MX preference = 10, mail exchanger
                 = mail1.evildave.example.com
               </iodef:RelatedDNS>
               <iodef:RelatedDNS dtype="string">
                 mail1.evildave.example.com
                 internet address = 198.51.100.6
               </iodef:RelatedDNS>
               <iodef:RelatedDNS dtype="string">
                  zeusevil.example.com. IN TXT \"v=spf1 a mx -all\"
               </iodef:RelatedDNS>
             </iodef:DomainData>
           </iodef:Node>
           <iodef:NodeRole category="mail">
             <iodef:Description>
               Sending phishing mails
             </iodef:Description>
           </iodef:NodeRole>
           <iodef:Service>
             <iodef:EmailData>
               <iodef:EmailFrom>
                 emaildave@evildave.example.com
               </iodef:EmailFrom>
               <iodef:EmailSubject>
                 Join us at Dummy Con
               </iodef:EmailSubject>
               <iodef:EmailX-Mailer>
                 StormRider 4.0
               </iodef:EmailX-Mailer>
             </iodef:EmailData>
           </iodef:Service>
         </iodef:System>
         <iodef:System category="target">
           <iodef:Node>
             <iodef:Address category="ipv4-addr">
               203.0.113.2
             </iodef:Address>
           </iodef:Node>
         </iodef:System>
       </iodef:Flow>
       <iodef:Expectation action="other"/>
       <iodef:Record>
         <iodef:RecordData>
           <iodef:FileData observable-id="fd-1234">
             <iodef:File>
               <iodef:FileName>
                 Dummy Con Sign Up Sheet.txt
               </iodef:FileName>
               <iodef:FileSize>
                 152
               </iodef:FileSize>
               <iodef:HashData scope="file-contents">
                 <iodef:Hash>
                   <ds:DigestMethod Algorithm=
                   "http://www.w3.org/2001/04/xmlenc#sha256"/>
                   <ds:DigestValue>
                     141accec23e7e5157de60853cb1e01bc38042d
                     08f9086040815300b7fe75c184
                   </ds:DigestValue>
                 </iodef:Hash>
               </iodef:HashData>
             </iodef:File>
           </iodef:FileData>
         </iodef:RecordData>
         <iodef:RecordData>
           <iodef:CertificateData>
             <iodef:Certificate>
               <ds:X509Data>
                 <ds:X509IssuerSerial>
                   <ds:X509IssuerName>FakeCA
                   </ds:X509IssuerName>
                   <ds:X509SerialNumber>
                     57482937101
                   </ds:X509SerialNumber>
                 </ds:X509IssuerSerial>
                 <ds:X509SubjectName>EvilDaveExample
                 </ds:X509SubjectName>
               </ds:X509Data>
             </iodef:Certificate>
           </iodef:CertificateData>
         </iodef:RecordData>
       </iodef:Record>
     </iodef:EventData>
   </iodef:Incident>
 </IODEF-Document>

B.4.  Malware

   In this test, malware information was exchanged using RID and IODEF.
   The information included file hashes, registry setting changes, and
   the C2 servers the malware uses.

<?xml version="1.0" encoding="UTF-8"?>
<IODEF-Document version="2.00"
                xmlns="urn:ietf:params:xml:ns:iodef-2.0"
                xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <iodef:Incident purpose="reporting">
    <iodef:IncidentID name="csirt.example.com">
      189234
    </iodef:IncidentID>
    <iodef:ReportTime>2013-03-07T16:14:56.757+05:30</iodef:ReportTime>
    <iodef:GenerationTime>2013-03-07T16:14:56.757+05:30
    </iodef:GenerationTime>
    <iodef:Description>
      Malware and related indicators identified
    </iodef:Description>
    <iodef:Assessment occurrence="potential">
      <iodef:SystemImpact severity="medium" type="breach-proprietary">
        <iodef:Description>
          Malware with Command and Control Server and System Changes
        </iodef:Description>
      </iodef:SystemImpact>
    </iodef:Assessment>
    <iodef:Contact role="creator" type="organization">
      <iodef:ContactName>example.com CSIRT</iodef:ContactName>
      <iodef:Email>
        <iodef:EmailTo>contact@csirt.example.com</iodef:EmailTo>
      </iodef:Email>
    </iodef:Contact>
    <iodef:EventData>
      <iodef:Method>
        <iodef:Reference>
          <iodef:URL>
            http://www.threatexpert.example.com/report.aspx?
            md5=e2710ceb088dacdcb03678db250742b7
          </iodef:URL>
          <iodef:Description>Zeus</iodef:Description>
        </iodef:Reference>
      </iodef:Method>
      <iodef:Flow>
        <iodef:System category="source">
          <iodef:Node>
            <iodef:Address category="ipv4-addr"
                           observable-id="addr-c2-91011-001">
              203.0.113.200
            </iodef:Address>
            <iodef:Address category="site-uri"
                           observable-id="addr-c2-91011-002">
              http://zeus.556677889900.example.com/log-bin/
              lunch_install.php?aff_id=1&amp;
              lunch_id=1&amp;maddr=&amp;
              action=install
            </iodef:Address>
          </iodef:Node>
          <iodef:NodeRole category="c2-server"/>
        </iodef:System>
      </iodef:Flow>
      <iodef:Record>
        <iodef:RecordData>
          <iodef:FileData observable-id="file-91011-001">
            <iodef:File>
              <iodef:HashData scope="file-contents">
                <iodef:Hash>
                  <ds:DigestMethod Algorithm=
                          "http://www.w3.org/2001/04/xmlenc#sha1"/>
                  <ds:DigestValue>
                    MHg2NzUxQTI1MzQ4M0E2N0Q4NkUwRjg0NzYwRjYxRjEwQkJDQzJF
                    REZG
                  </ds:DigestValue>
                </iodef:Hash>
              </iodef:HashData>
            </iodef:File>
            <iodef:File>
              <iodef:HashData scope="file-contents">
                <iodef:Hash>
                  <ds:DigestMethod Algorithm=
                          "http://www.w3.org/2001/04/xmlenc#md5"/>
                  <ds:DigestValue>
                    MHgyRTg4ODA5ODBENjI0NDdFOTc5MEFGQTg5NTEzRjBBNA==
                  </ds:DigestValue>
                </iodef:Hash>
              </iodef:HashData>
            </iodef:File>
          </iodef:FileData>
          <iodef:WindowsRegistryKeysModified observable-id=
          "regkey-91011-001">
            <iodef:Key registryaction="add-value">
              <iodef:KeyName>
                HKLM\Software\Microsoft\Windows\
                CurrentVersion\Run\tamg
              </iodef:KeyName>
              <iodef:Value>
                ?\?\?%System%\wins\mc.exe\?\??
              </iodef:Value>
            </iodef:Key>
            <iodef:Key registryaction="modify-value">
              <iodef:KeyName>HKLM\Software\Microsoft\
                Windows\CurrentVersion\Run\dqo
              </iodef:KeyName>
              <iodef:Value>"\"\"%Windir%\Resources\
                Themes\Luna\km.exe\?\?"
              </iodef:Value>
            </iodef:Key>
          </iodef:WindowsRegistryKeysModified>
        </iodef:RecordData>
      </iodef:Record>
    </iodef:EventData>
    <iodef:EventData>
      <iodef:Method>
        <iodef:Reference>
          <iodef:URL>
            http://www.threatexpert.example.com/report.aspx?
            md5=c3c528c939f9b176c883ae0ce5df0001
          </iodef:URL>
          <iodef:Description>Cridex</iodef:Description>
        </iodef:Reference>
      </iodef:Method>
      <iodef:Flow>
        <iodef:System category="source">
          <iodef:Node>
            <iodef:Address category="ipv4-addr"
                           observable-id="addr-c2-91011-003">
              203.0.113.100
            </iodef:Address>
          </iodef:Node>
          <iodef:NodeRole category="c2-server"/>
          <iodef:Service ip-protocol="6">
            <iodef:Port>8080</iodef:Port>
          </iodef:Service>
        </iodef:System>
      </iodef:Flow>
      <iodef:Record>
        <iodef:RecordData>
          <iodef:FileData observable-id="file-91011-002">
            <iodef:File>
              <iodef:HashData scope="file-contents">
                <iodef:Hash>
                  <ds:DigestMethod Algorithm=
                          "http://www.w3.org/2001/04/xmlenc#sha1"/>
                  <ds:DigestValue>
                    MHg3MjYzRkUwRDNBMDk1RDU5QzhFMEM4OTVBOUM
                    1ODVFMzQzRTcxNDFD
                  </ds:DigestValue>
                </iodef:Hash>
              </iodef:HashData>
            </iodef:File>
          </iodef:FileData>
          <iodef:FileData observable-id="file-91011-003">
            <iodef:File>
              <iodef:HashData scope="file-contents">
                <iodef:Hash>
                  <ds:DigestMethod Algorithm=
                          "http://www.w3.org/2001/04/xmlenc#md5"/>
                  <ds:DigestValue>
                    MHg0M0NEODUwRkNEQURFNDMzMEE1QkVBNkYxNkVFOTcxQw==
                  </ds:DigestValue>
                </iodef:Hash>
              </iodef:HashData>
            </iodef:File>
          </iodef:FileData>
          <iodef:WindowsRegistryKeysModified observable-id=
                  "regkey-91011-002">
            <iodef:Key registryaction="add-value">
              <iodef:KeyName>
                HKLM\Software\Microsoft\Windows\
                CurrentVersion\Run\KB00121600.exe
              </iodef:KeyName>
              <iodef:Value>
                \?\?%AppData%\KB00121600.exe\?\?
              </iodef:Value>
            </iodef:Key>
          </iodef:WindowsRegistryKeysModified>
        </iodef:RecordData>
      </iodef:Record>
    </iodef:EventData>
    <iodef:IndicatorData>
      <iodef:Indicator>
        <iodef:IndicatorID name="csirt.example.com" version="1">
          ind-91011
        </iodef:IndicatorID>
        <iodef:Description>
          evil c2 server, file hash, and registry key
        </iodef:Description>
        <iodef:IndicatorExpression operator="or">
          <iodef:IndicatorExpression operator="or">
            <iodef:Observable>
              <iodef:Address category="site-uri"
                             observable-id="addr-qrst">
                http://foo.example.com:12345/evil/cc.php
              </iodef:Address>
            </iodef:Observable>
            <iodef:Observable>
              <iodef:Address category="ipv4-addr"
                             observable-id="addr-stuv">
                192.0.2.1
              </iodef:Address>
            </iodef:Observable>
            <iodef:Observable>
              <iodef:Address category="ipv4-addr"
                             observable-id="addr-tuvw">
                198.51.100.1
              </iodef:Address>
            </iodef:Observable>
            <iodef:Observable>
              <iodef:Address category="ipv6-addr"
                             observable-id="addr-uvwx">
                2001:db8:dead:beef::1
              </iodef:Address>
            </iodef:Observable>
            <iodef:ObservableReference uid-ref="addr-c2-91011-001"/>
            <iodef:ObservableReference uid-ref="addr-c2-91011-002"/>
            <iodef:ObservableReference uid-ref="addr-c2-91011-003"/>
          </iodef:IndicatorExpression>
          <iodef:IndicatorExpression operator="and">
            <iodef:Observable>
              <iodef:FileData observable-id="file-91011-000">
                <iodef:File>
                  <iodef:HashData scope="file-contents">
                    <iodef:Hash>
                      <ds:DigestMethod Algorithm=
                             "http://www.w3.org/2001/04/xmlenc#sha256"/>
                      <ds:DigestValue>
                        141accec23e7e5157de60853cb1e01bc38042d08f
                        9086040815300b7fe75c184
                      </ds:DigestValue>
                    </iodef:Hash>
                  </iodef:HashData>
                </iodef:File>
              </iodef:FileData>
            </iodef:Observable>
            <iodef:Observable>
              <iodef:WindowsRegistryKeysModified observable-id=
                      "regkey-91011-000">
                <iodef:Key registryaction="add-key"
                           observable-id="regkey-vwxy">
                  <iodef:KeyName>
                    HKLM\SYSTEM\CurrentControlSet\
                    Services\.Net CLR
                  </iodef:KeyName>
                </iodef:Key>
                <iodef:Key registryaction="add-key"
                           observable-id="regkey-wxyz">
                  <iodef:KeyName>
                    HKLM\SYSTEM\CurrentControlSet\
                    Services\.Net CLR\Parameters
                  </iodef:KeyName>
                  <iodef:Value>
                    \"\"%AppData%\KB00121600.exe\"\"
                  </iodef:Value>
                </iodef:Key>
                <iodef:Key registryaction="add-value"
                           observable-id="regkey-xyza">
                  <iodef:KeyName>
                    HKLM\SYSTEM\CurrentControlSet\Services\
                    .Net CLR\Parameters\ServiceDll
                  </iodef:KeyName>
                  <iodef:Value>C:\bad.exe</iodef:Value>
                </iodef:Key>
                <iodef:Key registryaction="modify-value"
                           observable-id="regkey-zabc">
                  <iodef:KeyName>
                    HKLM\SYSTEM\CurrentControlSet\
                    Services\.Net CLR\Parameters\Bar
                  </iodef:KeyName>
                  <iodef:Value>Baz</iodef:Value>
                </iodef:Key>
              </iodef:WindowsRegistryKeysModified>
            </iodef:Observable>
          </iodef:IndicatorExpression>
          <iodef:IndicatorExpression operator="or">
            <iodef:IndicatorExpression operator="and">
              <iodef:ObservableReference uid-ref="file-91011-001"/>
              <iodef:ObservableReference uid-ref="regkey-91011-001"/>
            </iodef:IndicatorExpression>
            <iodef:IndicatorExpression operator="and">
              <iodef:IndicatorExpression operator="or">
                <iodef:ObservableReference uid-ref="file-91011-002"/>
                <iodef:ObservableReference uid-ref="file-91011-003"/>
              </iodef:IndicatorExpression>
              <iodef:ObservableReference uid-ref="regkey-91011-002"/>
            </iodef:IndicatorExpression>
          </iodef:IndicatorExpression>
        </iodef:IndicatorExpression>
      </iodef:Indicator>
    </iodef:IndicatorData>
  </iodef:Incident>
</IODEF-Document>
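The predicate logic of Appendix A and the ObservableReference links of the B.4 example above can be evaluated mechanically. The following Python is an added example, not code from RFC 8274 or from any IODEF implementation: it walks an IndicatorExpression tree, resolves each uid-ref against the observable-id attributes elsewhere in the document, and tests the result against locally observed addresses (keeping the source/target distinction of Appendix A), file digests and registry keys. The Event class, the SAMPLE document and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"iodef": "urn:ietf:params:xml:ns:iodef-2.0",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
IODEF, DS = "{%s}" % NS["iodef"], "{%s}" % NS["ds"]

@dataclass
class Event:  # what a sensor or host agent observed (constructed shape, not IODEF)
    addresses: set = field(default_factory=set)   # (role, category, value) triples
    hashes: set = field(default_factory=set)      # lowercase hex digests
    registry_keys: set = field(default_factory=set)

def _collapse(el):  # join text that the RFC's 72-column layout wraps across lines
    return " ".join((el.text or "").split())

def _atoms(el, role=None):  # yield every matchable leaf under el with its System role
    tag = el.tag.replace(IODEF, "")
    if tag == "System":
        role = el.get("category")               # "source", "target", ...
    if tag == "Address":
        yield ("addr", role, el.get("category"), _collapse(el))
    elif el.tag == DS + "DigestValue":
        yield ("hash", None, None, _collapse(el).replace(" ", "").lower())
    elif tag == "KeyName":
        yield ("regkey", None, None, _collapse(el))
    for child in el:
        yield from _atoms(child, role)

def _seen(kind, role, category, value, event):
    if kind != "addr":
        return value in (event.hashes if kind == "hash" else event.registry_keys)
    # A bare Address (no System) matches any role; one under a System must agree.
    return any((role is None or role == r) and (c, v) == (category, value)
               for r, c, v in event.addresses)

def observable_matches(el, event):
    """An Observable matches only if every leaf it contains was observed."""
    atoms = list(_atoms(el))
    return bool(atoms) and all(_seen(*a, event) for a in atoms)  # no leaves: fail closed

def evaluate(expr, event, by_id):  # recursively evaluate one IndicatorExpression
    op = expr.get("operator", "and")            # "and" is the RFC 7970 default
    results = []
    for child in expr:
        tag = child.tag.replace(IODEF, "")
        if tag == "IndicatorExpression":
            results.append(evaluate(child, event, by_id))
        elif tag == "Observable":
            results.append(observable_matches(child, event))
        elif tag == "ObservableReference":       # uid-ref -> observable-id elsewhere
            target = by_id.get(child.get("uid-ref"))
            results.append(target is not None and observable_matches(target, event))
    if not results:                             # IndicatorReference etc. not handled
        return False
    return {"and": all(results), "or": any(results),
            "xor": sum(results) == 1, "not": not any(results)}[op]

def evaluate_document(xml_text, event):
    """Return {IndicatorID: verdict} for every Indicator in an IODEF document."""
    root = ET.fromstring(xml_text)
    by_id = {el.get("observable-id"): el for el in root.iter()
             if el.get("observable-id") is not None}
    return {_collapse(i.find("iodef:IndicatorID", NS)):
            evaluate(i.find("iodef:IndicatorExpression", NS), event, by_id)
            for i in root.iter(IODEF + "Indicator")}

# Constructed document modelled on Appendix A and B.4 (not the RFC's own text).
SAMPLE = r"""<IODEF-Document version="2.00" xmlns="urn:ietf:params:xml:ns:iodef-2.0"
 xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <iodef:Incident purpose="reporting"><iodef:IncidentID name="csirt.example.com">1</iodef:IncidentID>
  <iodef:EventData><iodef:Record><iodef:RecordData>
   <iodef:FileData observable-id="file-1"><iodef:File><iodef:HashData scope="file-contents">
    <iodef:Hash><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
     <ds:DigestValue>141accec23e7e5157de60853cb1e01bc38042d
                     08f9086040815300b7fe75c184</ds:DigestValue></iodef:Hash>
   </iodef:HashData></iodef:File></iodef:FileData>
   <iodef:WindowsRegistryKeysModified observable-id="regkey-1">
    <iodef:Key registryaction="add-value"><iodef:KeyName>
     HKLM\Software\Microsoft\Windows\CurrentVersion\Run\tamg</iodef:KeyName></iodef:Key>
   </iodef:WindowsRegistryKeysModified>
  </iodef:RecordData></iodef:Record></iodef:EventData>
  <iodef:IndicatorData><iodef:Indicator>
   <iodef:IndicatorID name="csirt.example.com" version="1">ind-1</iodef:IndicatorID>
   <iodef:IndicatorExpression operator="or">
    <iodef:IndicatorExpression operator="and">
     <iodef:Observable><iodef:System category="source"><iodef:Node>
      <iodef:Address category="ipv4-addr">192.0.2.104</iodef:Address>
     </iodef:Node></iodef:System></iodef:Observable>
     <iodef:Observable><iodef:System category="target"><iodef:Node>
      <iodef:Address category="ipv4-addr">198.51.100.1</iodef:Address>
     </iodef:Node></iodef:System></iodef:Observable>
    </iodef:IndicatorExpression>
    <iodef:IndicatorExpression operator="and">
     <iodef:ObservableReference uid-ref="file-1"/>
     <iodef:ObservableReference uid-ref="regkey-1"/>
    </iodef:IndicatorExpression>
   </iodef:IndicatorExpression></iodef:Indicator></iodef:IndicatorData>
 </iodef:Incident></IODEF-Document>"""
```

Either branch of the top-level "or" is enough: a flow with the right source and target, or a host showing both the referenced file digest and the referenced registry key.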

B.5.  IoT Malware

   The Internet of Things (IoT) malware test exchanged information that
   described a bad IP address of IoT malware and its scanned ports.
   This example information is extracted from alert messages of a
   darknet monitoring system referred to in [RFC8134].  The IODEF
   version used for the data representation was based on [RFC7970].

  <?xml version="1.0" encoding="UTF-8"?>
  <IODEF-Document version="2.00"
                  xmlns="urn:ietf:params:xml:ns:iodef-2.0"
                  xmlns:iodef="urn:ietf:params:xml:ns:iodef-2.0"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <iodef:Incident purpose="reporting">
      <iodef:IncidentID name="csirt.example.com">
        189802
      </iodef:IncidentID>
      <iodef:ReportTime>2017-03-01T01:15:00+09:00</iodef:ReportTime>
      <iodef:GenerationTime>2017-03-01T01:15:00+09:00
      </iodef:GenerationTime>
      <iodef:Description>IoT Malware and related indicators
      </iodef:Description>
      <iodef:Assessment occurrence="potential">
        <iodef:SystemImpact severity="medium" type="takeover-system">
          <iodef:Description>IoT Malware is scanning other hosts
          </iodef:Description>
        </iodef:SystemImpact>
      </iodef:Assessment>
      <iodef:Contact role="creator" type="organization">
        <iodef:ContactName>example.com CSIRT
        </iodef:ContactName>
        <iodef:Email>
          <iodef:EmailTo>contact@csirt.example.com
          </iodef:EmailTo>
        </iodef:Email>
      </iodef:Contact>
      <iodef:EventData>
        <iodef:Discovery source="nidps">
          <iodef:Description>
            Detected by darknet monitoring
          </iodef:Description>
        </iodef:Discovery>
        <iodef:Flow>
          <iodef:System category="source">
            <iodef:Node>
              <iodef:Address category="ipv4-addr">
                192.0.2.210
              </iodef:Address>
            </iodef:Node>
            <iodef:NodeRole category="camera"/>
            <iodef:Service ip-protocol="6">
              <iodef:Port>23</iodef:Port>
            </iodef:Service>
            <iodef:OperatingSystem>
              <iodef:Description>
                Example Surveillance Camera OS 2.1.1
              </iodef:Description>
            </iodef:OperatingSystem>
          </iodef:System>
        </iodef:Flow>
        <iodef:EventData>
          <iodef:Flow>
            <iodef:System category="target">
              <iodef:Node>
                <iodef:Address category="ipv4-addr">
                  198.51.100.1
                </iodef:Address>
              </iodef:Node>
              <iodef:NodeRole category="honeypot"/>
              <iodef:Service ip-protocol="6">
                <iodef:Port>23</iodef:Port>
              </iodef:Service>
            </iodef:System>
          </iodef:Flow>
        </iodef:EventData>
        <iodef:EventData>
          <iodef:Flow>
            <iodef:System category="target">
              <iodef:Node>
                <iodef:Address category="ipv4-addr">
                  198.51.100.94
                </iodef:Address>
              </iodef:Node>
              <iodef:NodeRole category="honeypot"/>
              <iodef:Service ip-protocol="6">
                <iodef:Port>23</iodef:Port>
              </iodef:Service>
            </iodef:System>
          </iodef:Flow>
        </iodef:EventData>
        <iodef:EventData>
          <iodef:Flow>
            <iodef:System category="target">
              <iodef:Node>
                <iodef:Address category="ipv4-addr">
                  198.51.100.237
                </iodef:Address>
              </iodef:Node>
              <iodef:NodeRole category="honeypot"/>
              <iodef:Service ip-protocol="6">
                <iodef:Port>2323</iodef:Port>
              </iodef:Service>
            </iodef:System>
          </iodef:Flow>
        </iodef:EventData>
      </iodef:EventData>
    </iodef:Incident>
  </IODEF-Document>

Authors' Addresses

   Panos Kampanakis
   Cisco Systems

   Email: pkampana@cisco.com


   Mio Suzuki
   NICT
   4-2-1, Nukui-Kitamachi
   Koganei, Tokyo  184-8795
   Japan

   Email: mio@nict.go.jp