RFC 4765
The Intrusion Detection Message Exchange Format (IDMEF)
Pages: 157
Experimental
Experimental
Part 3 of 6 – Pages 47 to 79
4.2.7. The Support Classes
The support classes make up the major parts of the core classes, and are shared between them.4.2.7.1. The Reference Class
The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is. The Reference class is composed of two aggregate classes, as shown in Figure 13. +----------------+ | Reference | +----------------+ +------+ | STRING origin |<>----------| name | | STRING meaning | +------+ | | +------+ | |<>----------| url | | | +------+ +----------------+ Figure 13: The Reference Class The aggregate classes that make up Reference are: name Exactly one. STRING. The name of the alert, from one of the origins listed below. url Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.origin "
( unknown | vendor-specific | user-specific | bugtraqid | cve |
osvdb )
">
<!ELEMENT Reference (
name, url
)>
<!ATTLIST Reference
origin %attvals.origin; 'unknown'
meaning CDATA #IMPLIED
>
The Reference class has two attributes:
origin
Required. The source from which the name of the alert originates.
The permitted values for this attribute are shown below. The
default value is "unknown". (See also Section 10.)
+------+-----------------+------------------------------------------+
| Rank | Keyword | Description |
+------+-----------------+------------------------------------------+
| 0 | unknown | Origin of the name is not known |
| | | |
| 1 | vendor-specific | A vendor-specific name (and hence, URL); |
| | | this can be used to provide |
| | | product-specific information |
| | | |
| 2 | user-specific | A user-specific name (and hence, URL); |
| | | this can be used to provide |
| | | installation-specific information |
| | | |
| 3 | bugtraqid | The SecurityFocus ("Bugtraq") |
| | | vulnerability database identifier |
| | | (http://www.securityfocus.com/bid) |
| | | |
| 4 | cve | The Common Vulnerabilities and Exposures |
| | | (CVE) name (http://www.cve.mitre.org/) |
| | | |
| 5 | osvdb | The Open Source Vulnerability Database |
| | | (http://www.osvdb.org) |
+------+-----------------+------------------------------------------+
meaning
Optional. The meaning of the reference, as understood by the
alert provider. This field is only valid if the value of the
<origin> attribute is set to "vendor-specific" or "user-specific".
4.2.7.2. The Node Class
The Node class is used to identify hosts and other network devices
(routers, switches, etc.).
The Node class is composed of three aggregate classes, as shown in
Figure 14.
+---------------+
| Node |
+---------------+ 0..1 +----------+
| STRING ident |<>----------| location |
| ENUM category | +----------+
| | 0..1 +----------+
| |<>----------| name |
| | +----------+
| | 0..* +----------+
| |<>----------| Address |
| | +----------+
+---------------+
Figure 14: The Node Class
The aggregate classes that make up Node are:
location
Zero or one. STRING. The location of the equipment.
name
Zero or one. STRING. The name of the equipment. This
information MUST be provided if no Address information is given.
Address
Zero or more. The network or hardware address of the equipment.
Unless a name (above) is provided, at least one address must be
specified.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.nodecat "
( unknown | ads | afs | coda | dfs | dns | hosts | kerberos |
nds | nis | nisplus | nt | wfw )
">
<!ELEMENT Node (
location?, (name | Address), Address*
)>
<!ATTLIST Node
ident CDATA '0'
category %attvals.nodecat; 'unknown'
%attlist.global;
>
The Node class has two attributes:
ident
Optional. A unique identifier for the node; see Section 3.2.9.
category
Optional. The "domain" from which the name information was
obtained, if relevant. The permitted values for this attribute
are shown in the table below. The default value is "unknown".
(See also Section 10 for extensions to the table.)
+------+----------+------------------------------------------+
| Rank | Keyword | Description |
+------+----------+------------------------------------------+
| 0 | unknown | Domain unknown or not relevant |
| | | |
| 1 | ads | Windows 2000 Advanced Directory Services |
| | | |
| 2 | afs | Andrew File System (Transarc) |
| | | |
| 3 | coda | Coda Distributed File System |
| | | |
| 4 | dfs | Distributed File System (IBM) |
| | | |
| 5 | dns | Domain Name System |
| | | |
| 6 | hosts | Local hosts file |
| | | |
| 7 | kerberos | Kerberos realm |
| | | |
| 8 | nds | Novell Directory Services |
| | | |
| 9 | nis | Network Information Services (Sun) |
| | | |
| 10 | nisplus | Network Information Services Plus (Sun) |
| | | |
| 11 | nt | Windows NT domain |
| | | |
| 12 | wfw | Windows for Workgroups |
+------+----------+------------------------------------------+
4.2.7.2.1. The Address Class
The Address class is used to represent network, hardware, and application addresses. The Address class is composed of two aggregate classes, as shown in Figure 15. +------------------+ | Address | +------------------+ +---------+ | STRING ident |<>----------| address | | ENUM category | +---------+ | STRING vlan-name | 0..1 +---------+ | INTEGER vlan-num |<>----------| netmask | | | +---------+ +------------------+ Figure 15: The Address Class The aggregate classes that make up Address are: address Exactly one. STRING. The address information. The format of this data is governed by the category attribute. netmask Zero or one. STRING. The network mask for the address, if appropriate.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.addrcat "
( unknown | atm | e-mail | lotus-notes | mac | sna | vm |
ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask |
ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask )
">
<!ELEMENT Address (
address, netmask?
)>
<!ATTLIST Address
ident CDATA '0'
category %attvals.addrcat; 'unknown'
vlan-name CDATA #IMPLIED
vlan-num CDATA #IMPLIED
%attlist.global;
>
The Address class has four attributes:
ident
Optional. A unique identifier for the address; see Section 3.2.9.
category
Optional. The type of address represented. The permitted values
for this attribute are shown below. The default value is
"unknown". (See also Section 10.)
+------+---------------+--------------------------------------------+ | Rank | Keyword | Description | +------+---------------+--------------------------------------------+ | 0 | unknown | Address type unknown | | | | | | 1 | atm | Asynchronous Transfer Mode network address | | | | | | 2 | e-mail | Electronic mail address (RFC 2822 [12]) | | | | | | 3 | lotus-notes | Lotus Notes e-mail address | | | | | | 4 | mac | Media Access Control (MAC) address | | | | | | 5 | sna | IBM Shared Network Architecture (SNA) | | | | address | | | | | | 6 | vm | IBM VM ("PROFS") e-mail address | | | | | | 7 | ipv4-addr | IPv4 host address in dotted-decimal | | | | notation (a.b.c.d) | | | | | | 8 | ipv4-addr-hex | IPv4 host address in hexadecimal notation | | | | | | 9 | ipv4-net | IPv4 network address in dotted-decimal | | | | notation, slash, significant bits | | | | (a.b.c.d/nn) | | | | | | 10 | ipv4-net-mask | IPv4 network address in dotted-decimal | | | | notation, slash, network mask in | | | | dotted-decimal notation (a.b.c.d/w.x.y.z) | | | | | | 11 | ipv6-addr | IPv6 host address | | | | | | 12 | ipv6-addr-hex | IPv6 host address in hexadecimal notation | | | | | | 13 | ipv6-net | IPv6 network address, slash, significant | | | | bits | | | | | | 14 | ipv6-net-mask | IPv6 network address, slash, network mask | +------+---------------+--------------------------------------------+ vlan-name Optional. The name of the Virtual LAN to which the address belongs.
vlan-num
Optional. The number of the Virtual LAN to which the address
belongs.
4.2.7.3. The User Class
The User class is used to describe users. It is primarily used as a
"container" class for the UserId aggregate class, as shown in
Figure 16.
+---------------+
| User |
+---------------+ 1..* +--------+
| STRING ident |<>----------| UserId |
| ENUM category | +--------+
+---------------+
Figure 16: The User Class
The aggregate class contained in User is:
UserId
One or more. Identification of a user, as indicated by its type
attribute (see Section 4.2.7.3.1).
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.usercat "
( unknown | application | os-device )
">
<!ELEMENT User (
UserId+
)>
<!ATTLIST User
ident CDATA '0'
category %attvals.usercat; 'unknown'
%attlist.global;
>
The User class has two attributes:
ident
Optional. A unique identifier for the user; see Section 3.2.9.
category
Optional. The type of user represented. The permitted values for
this attribute are shown below. The default value is "unknown".
(See also Section 10.)
+------+-------------+------------------------------------+
| Rank | Keyword | Description |
+------+-------------+------------------------------------+
| 0 | unknown | User type unknown |
| | | |
| 1 | application | An application user |
| | | |
| 2 | os-device | An operating system or device user |
+------+-------------+------------------------------------+
4.2.7.3.1. The UserId Class
The UserId class provides specific information about a user. More
than one UserId can be used within the User class to indicate
attempts to transition from one user to another, or to provide
complete information about a user's (or process') privileges.
The UserId class is composed of two aggregate classes, as shown in
Figure 17.
+--------------+
| UserId |
+--------------+ 0..1 +--------+
| STRING ident |<>----------| name |
| ENUM type | +--------+
| STRING tty | 0..1 +--------+
| |<>----------| number |
| | +--------+
+--------------+
Figure 17: The UserId Class
The aggregate classes that make up UserId are:
name
Zero or one. STRING. A user or group name.
number
Zero or one. INTEGER. A user or group number.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.idtype "
( current-user | original-user | target-user | user-privs |
current-group | group-privs | other-privs )
">
<!ELEMENT UserId (
(name, number?) | (number, name?)
)>
<!ATTLIST UserId
ident CDATA '0'
type %attvals.idtype; 'original-user'
tty CDATA #IMPLIED
%attlist.global;
>
The UserId class has three attributes:
ident
Optional. A unique identifier for the user id, see Section 3.2.9.
type
Optional. The type of user information represented. The
permitted values for this attribute are shown below. The default
value is "original-user". (See also Section 10.)
+------+---------------+--------------------------------------------+ | Rank | Keyword | Description | +------+---------------+--------------------------------------------+ | 0 | current-user | The current user id being used by the user | | | | or process. On Unix systems, this would | | | | be the "real" user id, in general. | | | | | | 1 | original-user | The actual identity of the user or process | | | | being reported on. On those systems that | | | | (a) do some type of auditing and (b) | | | | support extracting a user id from the | | | | "audit id" token, that value should be | | | | used. On those systems that do not | | | | support this, and where the user has | | | | logged into the system, the "login id" | | | | should be used. | | | | | | 2 | target-user | The user id the user or process is | | | | attempting to become. This would apply, | | | | on Unix systems for example, when the user | | | | attempts to use "su", "rlogin", "telnet", | | | | etc. | | | | | | 3 | user-privs | Another user id the user or process has | | | | the ability to use, or a user id | | | | associated with a file permission. On | | | | Unix systems, this would be the | | | | "effective" user id in a user or process | | | | context, and the owner permissions in a | | | | file context. Multiple UserId elements of | | | | this type may be used to specify a list of | | | | privileges. | | | | | | 4 | current-group | The current group id (if applicable) being | | | | used by the user or process. On Unix | | | | systems, this would be the "real" group | | | | id, in general. | | | | | | 5 | group-privs | Another group id the group or process has | | | | the ability to use, or a group id | | | | associated with a file permission. On | | | | Unix systems, this would be the | | | | "effective" group id in a group or process | | | | context, and the group permissions in a | | | | file context. On BSD-derived Unix | | | | systems, multiple UserId elements of this | | | | type would be used to include all the | | | | group ids on the "group list". |
| 6 | other-privs | Not used in a user, group, or process |
| | | context, only used in the file context. |
| | | The file permissions assigned to users who |
| | | do not match either the user or group |
| | | permissions on the file. On Unix systems, |
| | | this would be the "world" permissions. |
+------+---------------+--------------------------------------------+
tty
Optional. STRING. The tty the user is using.
4.2.7.4. The Process Class
The Process class is used to describe processes being executed on
sources, targets, and analyzers.
The Process class is composed of five aggregate classes, as shown in
Figure 18.
+--------------+
| Process |
+--------------+ +------+
| STRING ident |<>----------| name |
| | +------+
| | 0..1 +------+
| |<>----------| pid |
| | +------+
| | 0..1 +------+
| |<>----------| path |
| | +------+
| | 0..* +------+
| |<>----------| arg |
| | +------+
| | 0..* +------+
| |<>----------| env |
| | +------+
+--------------+
Figure 18: The Process Class
The aggregate classes that make up Process are:
name
Exactly one. STRING. The name of the program being executed.
This is a short name; path and argument information are provided
elsewhere.
pid
Zero or one. INTEGER. The process identifier of the process.
path
Zero or one. STRING. The full path of the program being
executed.
arg
Zero or more. STRING. A command-line argument to the program.
Multiple arguments may be specified (they are assumed to have
occurred in the same order they are provided) with multiple uses
of arg.
env
Zero or more. STRING. An environment string associated with the
process; generally of the format "VARIABLE=value". Multiple
environment strings may be specified with multiple uses of env.
This is represented in the IDMEF DTD as follows:
<!ELEMENT Process (
name, pid?, path?, arg*, env*
)>
<!ATTLIST Process
ident CDATA '0'
%attlist.global;
>
The Process class has one attribute:
ident
Optional. A unique identifier for the process; see Section 3.2.9.
4.2.7.5. The Service Class
The Service class describes network services on sources and targets. It can identify services by name, port, and protocol. When Service occurs as an aggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" to the Node, Process, and User information also contained in Source. Likewise, when Service occurs as an aggregate class of Target, it is understood that the service is one to which activity of interest is being directed; and that the service is "attached" to the Node, Process, and User information also contained in Target. If Service occurs in both Source and Target, then information in both locations should be the same. If information is the same in both locations and implementers wish to carry it in only one location, they should specify it as an aggregate of the Target class. The Service class is composed of four aggregate classes, as shown in Figure 19. +-----------------------------+ | Service | +-----------------------------+ 0..1 +----------+ | STRING ident |<>----------| name | | INTEGER ip_version | +----------+ | INTEGER iana_protocol_number| 0..1 +----------+ | STRING iana_protocol_name |<>----------| port | | | +----------+ | | 0..1 +----------+ | |<>----------| portlist | | | +----------+ | | 0..1 +----------+ | |<>----------| protocol | | | +----------+ +-----------------------------+ /_\ | +---------+--------+ | | +-------------+ +-------------+ | SNMPService | | WebService | +-------------+ +-------------+ Figure 19: The Service Class
The aggregate classes that make up Service are:
name
Zero or one. STRING. The name of the service. Whenever
possible, the name from the IANA list of well-known ports SHOULD
be used.
port
Zero or one. INTEGER. The port number being used.
portlist
Zero or one. PORTLIST. A list of port numbers being used; see
Section 3.2.8 for formatting rules. If a portlist is given, the
iana_protocol_number and iana_protocol_name MUST apply to all the
elements of the list.
protocol
Zero or one. STRING. Additional information about the protocol
being used. The intent of the protocol field is to carry
additional information related to the protocol being used when the
<Service> attributes iana_protocol_number or/and
iana_protocol_name are filed.
A Service MUST be specified as either (a) a name or a port or (b) a
portlist. The protocol is optional in all cases, but no other
combinations are permitted.
Service is represented in the IDMEF DTD as follows:
<!ELEMENT Service (
(((name, port?) | (port, name?)) | portlist), protocol?,
SNMPService?, WebService?
)>
<!ATTLIST Service
ident CDATA '0'
ip_version CDATA #IMPLIED
iana_protocol_number CDATA #IMPLIED
iana_protocol_name CDATA #IMPLIED
%attlist.global;
>
The Service class has four attributes:
ident
Optional. A unique identifier for the service; see Section 3.2.9.
ip_version
Optional. INTEGER. The IP version number.
iana_protocol_number
Optional. INTEGER. The IANA protocol number.
iana_protocol_name
Optional. STRING. The IANA protocol name.
4.2.7.5.1. The WebService Class
The WebService class carries additional information related to web
traffic.
The WebService class is composed of four aggregate classes, as shown
in Figure 20.
+-------------+
| Service |
+-------------+
/_\
|
+-------------+
| WebService |
+-------------+ +-------------+
| |<>----------| url |
| | +-------------+
| | 0..1 +-------------+
| |<>----------| cgi |
| | +-------------+
| | 0..1 +-------------+
| |<>----------| http-method |
| | +-------------+
| | 0..* +-------------+
| |<>----------| arg |
| | +-------------+
+-------------+
Figure 20: The WebService Class
The aggregate classes that make up WebService are:
url
Exactly one. STRING. The URL in the request.
cgi
Zero or one. STRING. The CGI script in the request, without
arguments.
http-method
Zero or one. STRING. The HTTP method (PUT, GET) used in the
request.
arg
Zero or more. STRING. The arguments to the CGI script.
This is represented in the IDMEF DTD as follows:
<!ELEMENT WebService (
url, cgi?, http-method?, arg*
)>
<!ATTLIST WebService
%attlist.global;
>
4.2.7.5.2. The SNMPService Class
The SNMPService class carries additional information related to SNMP
traffic. The aggregate classes composing SNMPService must be
interpreted as described in RFC 3411 [15] and RFC 3584 [16].
The SNMPService class is composed of eight aggregate classes, as
shown in Figure 21.
+-------------+ | Service | +-------------+ /_\ | +-------------+ | SNMPService | +-------------+ 0..1 +----------------------+ | |<>----------| oid | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------|messageProcessingModel| | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| securityModel | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| securityName | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| securityLevel | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| contextName | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| contextEngineID | | | +----------------------+ | | 0..1 +----------------------+ | |<>----------| command | | | +----------------------+ +-------------+ Figure 21: The SNMPService Class The aggregate classes that make up SNMPService are: oid Zero or one. STRING. The object identifier in the request. messageProcessingModel Zero or one. INTEGER. The SNMP version, typically 0 for SNMPv1, 1 for SNMPv2c, 2 for SNMPv2u and SNMPv2*, and 3 for SNMPv3; see RFC 3411 [15] Section 5 for appropriate values.
securityModel
Zero or one. INTEGER. The identification of the security model
in use, typically 0 for any, 1 for SNMPv1, 2 for SNMPv2c, and 3
for USM; see RFC 3411 [15] Section 5 for appropriate values.
securityName
Zero or one. STRING. The object's security name; see RFC 3411
[15] Section 3.2.2.
securityLevel
Zero or one. INTEGER. The security level of the SNMP request;
see RFC 3411 [15] Section 3.4.3.
contextName
Zero or one. STRING. The object's context name; see RFC 3411
[15] Section 3.3.3.
contextEngineID
Zero or one. STRING. The object's context engine identifier; see
RFC 3411 [15] Section 3.3.2.
command
Zero or one. STRING. The command sent to the SNMP server (GET,
SET, etc.).
If other fields of an SNMP message are available and should be
incorporated in the IDMEF alert, they must be located in the
additionaldata structure with the meaning being an object definition
defined in RFC 3411 [15] Section 5 and the value located within the
additionaldata payload.
This is represented in the IDMEF DTD as follows:
<!ELEMENT SNMPService (
oid?, messageProcessingModel?, securityModel?, securityName?,
securityLevel?, contextName?, contextEngineID?, command?
)>
<!ATTLIST SNMPService
%attlist.global;
>
4.2.7.6. The File Class
The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute. The File class is composed of eleven aggregate classes, as shown in Figure 22. +--------------+ | File | +--------------+ +-------------+ | |<>----------| name | | | +-------------+ | | +-------------+ | |<>----------| path | | | +-------------+ | | 0..1 +-------------+ | |<>----------| create-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| modify-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| access-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| data-size | | | +-------------+ | | 0..1 +-------------+ | |<>----------| disk-size | | | +-------------+ | | 0..* +-------------+ | |<>----------| FileAccess | | | +-------------+ | | 0..* +-------------+ | |<>----------| Linkage | | | +-------------+ | | 0..1 +-------------+ | |<>----------| Inode | | | +-------------+ | | 0..* +-------------+ | |<>----------| Checksum | | | +-------------+ +--------------+ Figure 22: The File Class
The aggregate classes that make up File are:
name
Exactly one. STRING. The name of the file to which the alert
applies, not including the path to the file.
path
Exactly one. STRING. The full path to the file, including the
name. The path name should be represented in as "universal" a
manner as possible, to facilitate processing of the alert.
For Windows systems, the path should be specified using the
Universal Naming Convention (UNC) for remote files, and using a
drive letter for local files (e.g., "C:\boot.ini"). For Unix
systems, paths on network file systems should use the name of the
mounted resource instead of the local mount point (e.g.,
"fileserver:/usr/local/bin/foo"). The mount point can be provided
using the <Linkage> element.
create-time
Zero or one. DATETIME. Time the file was created. Note that
this is *not* the Unix "st_ctime" file attribute (which is not
file creation time). The Unix "st_ctime" attribute is contained
in the "Inode" class.
modify-time
Zero or one. DATETIME. Time the file was last modified.
access-time
Zero or one. DATETIME. Time the file was last accessed.
data-size
Zero or one. INTEGER. The size of the data, in bytes. Typically
what is meant when referring to file size. On Unix UFS file
systems, this value corresponds to stat.st_size. On Windows NTFS,
this value corresponds to Valid Data Length (VDL).
disk-size
Zero or one. INTEGER. The physical space on disk consumed by the
file, in bytes. On Unix UFS file systems, this value corresponds
to 512 * stat.st_blocks. On Windows NTFS, this value corresponds
to End of File (EOF).
FileAccess
Zero or more. Access permissions on the file.
Linkage
Zero or more. File system objects to which this file is linked
(other references for the file).
Inode
Zero or one. Inode information for this file (relevant to Unix).
Checksum
Zero or more. Checksum information for this file.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.filecat "
( current | original )
">
<!ELEMENT File (
name, path, create-time?, modify-time?, access-time?,
data-size?, disk-size?, FileAccess*, Linkage*, Inode?,
Checksum*
)>
<!ATTLIST File
ident CDATA '0'
category %attvals.filecat; #REQUIRED
fstype CDATA #IMPLIED
file-type CDATA #IMPLIED
%attlist.global;
>
The File class has four attributes (one required and three optional):
ident
Optional. A unique identifier for this file; see Section 3.2.9.
category
Required. The context for the information being provided. The
permitted values are shown below. There is no default value.
(See also Section 10.)
+------+----------+-------------------------------------------------+
| Rank | Keyword | Description |
+------+----------+-------------------------------------------------+
| 0 | current | The file information is from after the reported |
| | | change |
| | | |
| 1 | original | The file information is from before the |
| | | reported change |
+------+----------+-------------------------------------------------+
fstype
Optional. The type of file system the file resides on. This
attribute governs how path names and other attributes are
interpreted.
+------+---------+-------------------------------------+
| Rank | Keyword | Description |
+------+---------+-------------------------------------+
| 0 | ufs | Berkeley Unix Fast File System |
| 1 | efs | Linux "efs" file system |
| 2 | nfs | Network File System |
| 3 | afs | Andrew File System |
| 4 | ntfs | Windows NT File System |
| 5 | fat16 | 16-bit Windows FAT File System |
| 6 | fat32 | 32-bit Windows FAT File System |
| 7 | pcfs | "PC" (MS-DOS) file system on CD-ROM |
| 8 | joliet | Joliet CD-ROM file system |
| 9 | iso9660 | ISO 9660 CD-ROM file system |
+------+---------+-------------------------------------+
file-type
Optional. The type of file, as a mime-type.
4.2.7.6.1. The FileAccess Class
The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems. The FileAccess class is composed of two aggregate classes, as shown in Figure 23. +--------------+ | FileAccess | +--------------+ +------------+ | |<>----------| UserId | | | +------------+ | | 1..* +------------+ | |<>----------| Permission | | | +------------+ +--------------+ Figure 23: The FileAccess Class The aggregate classes that make up FileAccess are: UserId Exactly one. The user (or group) to which these permissions apply. The value of the "type" attribute must be "user-privs", "group-privs", or "other-privs" as appropriate. Other values for "type" MUST NOT be used in this context.
Permission
One or more. ENUM. Level of access allowed. The permitted
values are shown below. There is no default value. (See also
Section 10.)
+------+-------------------+----------------------------------------+
| Rank | Keyword | Description |
+------+-------------------+----------------------------------------+
| 0 | noAccess | No access at all is allowed for this |
| | | user |
| | | |
| 1 | read | This user has read access to the file |
| | | |
| 2 | write | This user has write access to the file |
| | | |
| 3 | execute | This user has the ability to execute |
| | | the file |
| | | |
| 4 | search | This user has the ability to search |
| | | this file (applies to "execute" |
| | | permission on directories in Unix) |
| | | |
| 5 | delete | This user has the ability to delete |
| | | this file |
| | | |
| 6 | executeAs | This user has the ability to execute |
| | | this file as another user |
| | | |
| 7 | changePermissions | This user has the ability to change |
| | | the access permissions on this file |
| | | |
| 8 | takeOwnership | This user has the ability to take |
| | | ownership of this file |
+------+-------------------+----------------------------------------+
The "changePermissions" and "takeOwnership" strings represent those
concepts in Windows. On Unix, the owner of the file always has
"changePermissions" access, even if no other access is allowed for
that user. "Full Control" in Windows is represented by enumerating
the permissions it contains. The "executeAs" string represents the
set-user-id and set-group-id features in Unix.
This is represented in the IDMEF DTD as follows:
<!ELEMENT Permission EMPTY >
<!ATTLIST Permission
perms %attvals.fileperm; #REQUIRED
%attlist.global;
>
<!ENTITY % attvals.fileperm "( noAccess | read | write | execute |
search | delete | executeAs | changePermissions |
takeOwnership)" >
4.2.7.6.2. The Linkage Class
The Linkage class represents file system connections between the file
described in the <File> element and other objects in the file system.
For example, if the <File> element is a symbolic link or shortcut,
then the <Linkage> element should contain the name of the object the
link points to. Further information can be provided about the object
in the <Linkage> element with another <File> element, if appropriate.
The Linkage class is composed of three aggregate classes, as shown in
Figure 24.
+--------------+
| Linkage |
+--------------+ +------+
| |<>----------| name |
| | +------+
| | +------+
| |<>----------| path |
| | +------+
| | +------+
| |<>----------| File |
| | +------+
+--------------+
Figure 24: The Linkage Class
The aggregate classes that make up Linkage are:
name
Exactly one. STRING. The name of the file system object, not
including the path.
path
Exactly one. STRING. The full path to the file system object,
including the name. The path name should be represented in as
"universal" a manner as possible, to facilitate processing of the
alert.
File
Exactly one. A <File> element may be used in place of the <name>
and <path> elements if additional information about the file is to
be included.
This is represented in the IDMEF DTD as follows:
<!ENTITY % attvals.linkcat "
( hard-link | mount-point | reparse-point | shortcut | stream |
symbolic-link )
">
<!ELEMENT Linkage (
(name, path) | File
)>
<!ATTLIST Linkage
category %attvals.linkcat; #REQUIRED
%attlist.global;
>
The Linkage class has one attribute:
category
The type of object that the link describes. The permitted values
are shown below. There is no default value. (See also
Section 10.)
+------+---------------+--------------------------------------------+
| Rank | Keyword | Description |
+------+---------------+--------------------------------------------+
| 0 | hard-link | The <name> element represents another name |
| | | for this file. This information may be |
| | | more easily obtainable on NTFS file |
| | | systems than others. |
| | | |
| 1 | mount-point | An alias for the directory specified by |
| | | the parent's <name> and <path> elements. |
| | | |
| 2 | reparse-point | Applies only to Windows; excludes symbolic |
| | | links and mount points, which are specific |
| | | types of reparse points. |
| | | |
| 3 | shortcut | The file represented by a Windows |
| | | "shortcut". A shortcut is distinguished |
| | | from a symbolic link because of the |
| | | difference in their contents, which may be |
| | | of importance to the manager. |
| | | |
| 4 | stream | An Alternate Data Stream (ADS) in Windows; |
| | | a fork on MacOS. Separate file system |
| | | entity that is considered an extension of |
| | | the main <File>. |
| 5 | symbolic-link | The <name> element represents the file to |
| | | which the link points. |
+------+---------------+--------------------------------------------+
4.2.7.6.3. The Inode Class
The Inode class is used to represent the additional information contained in a Unix file system i-node. The Inode class is composed of six aggregate classes, as shown in Figure 25. +--------------+ | Inode | +--------------+ +----------------+ | |<>----------| change-time | | | +----------------+ | | +----------------+ | |<>----------| number | | | +----------------+ | | +----------------+ | |<>----------| major-device | | | +----------------+ | | +----------------+ | |<>----------| minor-device | | | +----------------+ | | +----------------+ | |<>----------| c-major-device | | | +----------------+ | | +----------------+ | |<>----------| c-minor-device | | | +----------------+ +--------------+ Figure 25: The Inode Class The aggregate classes that make up Inode are: change-time Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat". number Zero or one. INTEGER. The inode number. major-device Zero or one. INTEGER. The major device number of the device the file resides on.
minor-device
Zero or one. INTEGER. The minor device number of the device the
file resides on.
c-major-device
Zero or one. INTEGER. The major device of the file itself, if it
is a character special device.
c-minor-device
Zero or one. INTEGER. The minor device of the file itself, if it
is a character special device.
Note that <number>, <major-device>, and <minor-device> must be given
together, and the <c-major-device> and <c-minor-device> must be given
together.
This is represented in the IDMEF DTD as follows:
<!ELEMENT Inode (
change-time?, (number, major-device, minor-device)?,
(c-major-device, c-minor-device)?
)>
<!ATTLIST Inode
%attlist.global;
>
4.2.7.6.4. The Checksum Class
The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. The checksum class is composed of two aggregate classes, as shown in Figure 26. +--------------+ | Checksum | +--------------+ +-------+ | algorithm |<>----------| value | | | +-------+ | | 0..1+-------+ | |<>----------| key | | | +-------+ +--------------+ Figure 26: The Checksum Class The aggregate classes that make up Checksum are: value Exactly one. STRING. The value of the checksum. key Zero or one. STRING. The key to the checksum, if appropriate. This is represented in the IDMEF DTD as follows: <!ENTITY % attvals.checksumalgos " ( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 | Haval | Tiger | Gost ) "> <!ELEMENT Checksum ( value, key? )> <!ATTLIST Checksum algorithm %attvals.checksumalgos; #REQUIRED %attlist.global; >
The Checksum class has one attribute:
algorithm
The cryptographic algorithm used for the computation of the
checksum. The permitted values are shown below. There is no
default value. (See also Section 10.)
+------+----------+------------------------------------------+
| Rank | Keyword | Description |
+------+----------+------------------------------------------+
| 0 | MD4 | The MD4 algorithm. |
| | | |
| 1 | MD5 | The MD5 algorithm. |
| | | |
| 2 | SHA1 | The SHA1 algorithm. |
| | | |
| 3 | SHA2-256 | The SHA2 algorithm with 256 bits length. |
| | | |
| 4 | SHA2-384 | The SHA2 algorithm with 384 bits length. |
| | | |
| 5 | SHA2-512 | The SHA2 algorithm with 512 bits length. |
| | | |
| 6 | CRC-32 | The CRC algorithm with 32 bits length. |
| | | |
| 7 | Haval | The Haval algorithm. |
| | | |
| 8 | Tiger | The Tiger algorithm. |
| | | |
| 9 | Gost | The Gost algorithm. |
+------+----------+------------------------------------------+
(page 79 continued on part 4)