cddl 0.8.6 → 0.8.11

data/test-data/bpv7b.cddl

@@ -0,0 +1,167 @@
+start = bundle / #6.55799(bundle)
+
+; Times before 2000 are invalid
+dtn-time = uint
+
+; CRC enumerated type
+crc-type = 0 / 1 / 2
+; Either 16-bit or 32-bit
+crc-value = (bstr .size 2) / (bstr .size 4)
+
+creation-timestamp = [dtn-time, sequence: uint]
+
+eid = $eid-choice .within eid-structure
+eid-structure = [
+  uri-code: uint,
+  SSP: any
+]
+$eid-choice /= [
+  uri-code: 1,
+  SSP: (tstr / 0)
+]
+$eid-choice /= [
+  uri-code: 2,
+  SSP: [
+    nodenum: uint,
+    servicenum: uint
+  ]
+]
+
+; The root bundle array
+bundle = [primary-block, *extension-block, payload-block]
+
+primary-block = [
+  version: 7,
+  bundle-control-flags,
+  crc-type,
+  destination: eid,
+  source-node: eid,
+  report-to: eid,
+  creation-timestamp,
+  lifetime: uint,
+  ? (
+    fragment-offset: uint,
+    total-application-data-length: uint,
+  )
+  ? crc-value,
+]
+bundle-control-flags = uint .bits bundleflagbits
+bundleflagbits = &(
+  reserved: 15,
+  reserved: 14,
+  reserved: 13,
+  bundle-deletion-status-reports-are-requested: 12,
+  bundle-delivery-status-reports-are-requested: 11,
+  bundle-forwarding-status-reports-are-requested: 10,
+  reserved: 9,
+  bundle-reception-status-reports-are-requested: 8,
+  bundle-contains-a-Manifest-block: 7,
+  status-time-is-requested-in-all-status-reports: 6,
+  user-application-acknowledgement-is-requested: 5,
+  reserved: 4,
+  reserved: 3,
+  bundle-must-not-be-fragmented: 2,
+  payload-is-an-administrative-record: 1,
+  bundle-is-a-fragment: 0
+)
+
+; Abstract shared structure of all non-primary blocks
+canonical-block-structure = [
+  block-type-code: uint,
+  block-number: uint,
+  block-control-flags,
+  crc-type,
+  ; Each block type defines the content within the bytestring
+  block-type-specific-data,
+  ? crc-value
+]
+block-control-flags = uint .bits blockflagbits
+blockflagbits = &(
+  reserved: 7,
+  reserved: 6,
+  reserved: 5,
+  reserved: 4,
+  bundle-must-be-deleted-if-block-cannot-be-processed: 3,
+  status-report-must-be-transmitted-if-block-cannot-be-processed: 2,
+  block-must-be-removed-from-bundle-if-it-cannot-be-processed: 1,
+  block-must-be-replicated-in-every-fragment: 0
+)
+block-type-specific-data = bstr / #6.24(bstr)
+; Actual CBOR data embedded in a bytestring, with optional tag to indicate so
+embedded-cbor<Item> = (bstr .cbor Item) / #6.24(bstr .cbor Item)
+
+; Extension block type, which does not specialize other than the code/number
+extension-block = $extension-block-structure .within canonical-block-structure
+; Generic shared structure of all non-primary blocks
+extension-block-use<CodeValue, BlockData> = [
+  block-type-code: CodeValue,
+  block-number: (uint .ne 0),
+  block-control-flags,
+  crc-type,
+  BlockData,
+  ? crc-value
+]
+
+; Payload block type
+payload-block = payload-block-structure .within canonical-block-structure
+payload-block-structure = [
+  block-type-code: 1,
+  block-number: 0,
+  block-control-flags,
+  crc-type,
+  $payload-block-data,
+  ? crc-value
+]
+
+; Arbitrary payload data, including non-CBOR bytestring
+$payload-block-data /= block-type-specific-data
+
+
+; Administrative record as a payload data specialization
+$payload-block-data /= embedded-cbor<admin-record>
+admin-record = $admin-record .within admin-record-structure
+admin-record-structure = [
+  record-type-code: uint,
+  record-content: any
+]
+; Only one defined record type
+$admin-record /= [1, status-record-content]
+status-record-content = [
+  bundle-status-information,
+  status-report-reason-code: uint,
+  source-node-eid: eid,
+  subject-creation-timestamp: creation-timestamp,
+  ? (
+    subject-payload-offset: uint,
+    subject-payload-length: uint
+  )
+]
+bundle-status-information = [
+  reporting-node-received-bundle: status-info-content,
+  reporting-node-forwarded-bundle: status-info-content,
+  reporting-node-delivered-bundle: status-info-content,
+  reporting-node-deleted-bundle: status-info-content
+]
+status-info-content = [
+  status-indicator: bool,
+  ? timestamp: dtn-time
+]
+
+
+; Previous Node extension block
+$extension-block-structure /=
+  extension-block-use<7, embedded-cbor<ext-data-previous-node>>
+ext-data-previous-node = eid
+
+; Bundle Age extension block
+$extension-block-structure /= 
+  extension-block-use<8, embedded-cbor<ext-data-bundle-age>>
+ext-data-bundle-age = uint
+
+; Hop Count extension block
+$extension-block-structure /=
+  extension-block-use<9, embedded-cbor<ext-data-hop-count>>
+ext-data-hop-count = [
+  hop-limit: uint,
+  hop-count: uint
+]

data/test-data/coral.cddl

@@ -0,0 +1,10 @@
+coral = [+ s-exp]
+s-exp = ((text, value, ?coral) // directive)
+value = ctext / cbytes / cint / cfloat / cboolean / cdatetime / null / {"_link": tstr} / {"_form": tstr}
+ctext = text / {"_text": text}
+cint = {"_int": int}
+cfloat = float / {"_float": float}
+cboolean = bool / {"_bool": bool}
+cdatetime = {"_datetime": text}
+cbytes = {"_bytes": text} ; base64url no padding
+directive = (("_using", {* text => text}) // ("_base", text))

data/test-data/coral1.cddl

@@ -0,0 +1,5 @@
+document = {*element}
+element = (relation => value / [2*value])
+
+relation = text
+value = text

data/test-data/coral2.cddl

@@ -0,0 +1,7 @@
+document = {*element}
+element = (text => value / [2*value])
+value = text / float / bool / tagged
+tagged = {"_int":int,*element} / {"_float":float,*element} / {"_text":text,*element} / {"_bytes":bytes,*element} / {"_datetime":text,*element} / {"_bool":bool,*element} / {"_link":ciri,*element} / {"_form":ciri,*element}
+ciri = text ; full IRI given
+     / [text] ; suffix for default prefix
+     / [text, text] ; prefix, suffix for that prefix

data/test-data/coral3.cddl

@@ -0,0 +1,7 @@
+document = {? ("_using" => {* text => text}), *element}
+element = (text => value / [2*value])
+value = text / float / bool / tagged / {*element}
+tagged = {"_int": int, *element} / {"_float": float, *element} / {"_text": text, *element} / {"_bytes": bytes, *element} / {"_datetime": text, *element} / {"_bool": bool, *element} / {"_link": ciri, *element} / {"_form": ciri, *element}
+ciri = text ; full IRI given
+     / [text] ; suffix for default prefix
+     / [text, text] ; prefix, suffix for that prefix

data/test-data/dotsize.cddl

@@ -0,0 +1,7 @@
+foo = [a, b, c]
+
+a = uint .size 4
+
+b = bytes .size 4
+
+c = text .size (0..30)

data/test-data/feat1.cddl

@@ -0,0 +1,4 @@
+foo = {
+    a: int
+    ? ("b" .feature "foo") => float
+}

data/test-data/foo.cddl

@@ -0,0 +1 @@
+foo=bar=int

data/test-data/jim-cut-2.cddl

@@ -0,0 +1,11 @@
+
+map-example = {
+  ? optional-key : int,
+  * map-example-extension,
+  * tstr => any
+}
+
+map-example-extension = ()
+
+map-example-extension //= (another-optional-key : tstr,)
+map-example-extension //= ("and a third" : bstr,)

data/test-data/jim-cut.cddl

@@ -0,0 +1,12 @@
+map-example = {
+  ? "optional-key" : int,
+  map-example-extensions,
+  * tstr => any
+}
+
+map-example-extensions = ()
+
+map-example-extensions //= (
+  "another-optional-key" : tstr,
+ "and a third": bstr
+)

data/test-data/jsoniodef.cddl

@@ -0,0 +1,719 @@
+start = iodef
+
+;;; iodef.json: IODEF-Document
+
+iodef = {
+ version: text
+ ? lang: lang
+ ? format-id: text
+ ? private-enum-name: text
+ ? private-enum-id: text
+ Incident: [+ Incident]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
+           "year" / "ext-value"
+lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
+
+restriction = "public" / "partner" / "need-to-know" / "private" /
+              "default" / "white" / "green" / "amber" / "red" /
+              "ext-value"
+SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" /  "private"
+IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
+IDREFType = IDtype
+URLtype = uri
+TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
+PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"
+action = "nothing" / "contact-source-site" / "contact-target-site" /
+         "contact-sender" / "investigate" / "block-host" /
+         "block-network" / "block-port" / "rate-limit-host" /
+         "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
+         "honeypot" / "upgrade-software" / "rebuild-asset" /
+         "harden-asset" / "remediate-other" / "status-triage" /
+         "status-new-info" / "watch-and-report" / "training" /
+         "defined-coa" / "other" / "ext-value"
+
+DATETIME = tdate
+
+BYTE = eb64legacy
+
+MLStringType = {
+    value: text
+    ? lang: lang
+    ? translation-id: text
+} / text
+
+PositiveFloatType = float32 .gt 0
+
+PAddressType = MLStringType
+
+ExtensionType  = {
+ value: text
+ ? name: text
+ dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
+          "ntpstamp" / "integer" / "portlist" / "real" / "string" /
+          "file" / "path" / "frame" / "packet" / "ipv4-packet" / "json"/
+          "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
+          .default "string"
+ ? ext-dtype: text
+ ? meaning: text
+ ? formatid: text
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+}
+
+SoftwareType = {
+ ? SoftwareReference: SoftwareReference
+ ? URL: [+ URLtype]
+ ? Description: [+ MLStringType]
+}
+
+SoftwareReference = {
+ ? value: text
+ spec-name: "custom" / "cpe" / "swid" / "ext-value"
+ ? ext-spec-name: text
+ ? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
+          .default "string"
+ ? ext-dtype: text
+}
+
+Incident = {
+ purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
+          "ext-value"
+ ? ext-purpose: text
+ ? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
+           "ext-value"
+ ? ext-status: text
+ ? lang: lang
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ IncidentID: IncidentID
+ ? AlternativeID: AlternativeID
+ ? RelatedActivity: [+ RelatedActivity]
+ ? DetectTime: DATETIME
+ ? StartTime: DATETIME
+ ? EndTime: DATETIME
+ ? RecoveryTime: DATETIME
+ ? ReportTime: DATETIME
+ GenerationTime: DATETIME
+ ? Description: [+ MLStringType]
+ ? Discovery: [+ Discovery]
+ ? Assessment: [+ Assessment]
+ ? Method: [+ Method]
+ Contact: [+ Contact]
+ ? EventData: [+ EventData]
+ ? Indicator: [+ Indicator]
+ ? History: History
+ ? AdditionalData: [+ ExtensionType]
+}
+
+IncidentID = {
+ id: text
+ name: text
+ ? instance: text
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+}
+
+AlternativeID = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ IncidentID: [+ IncidentID]
+}
+
+RelatedActivity = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? IncidentID: [+ IncidentID]
+ ? URL: [+ URLtype]
+ ? ThreatActor: [+ ThreatActor]
+ ? Campaign: [+ Campaign]
+ ? IndicatorID: [+ IndicatorID]
+ ? Confidence: Confidence
+ ? Description: [+ text]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+ThreatActor = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? ThreatActorID: [+ text]
+ ? URL: [+ URLtype]
+ ? Description: [+ MLStringType]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+Campaign  = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? CampaignID: [+ text]
+ ? URL: [+ URLtype]
+ ? Description: [+ MLStringType]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+Contact = {
+ role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
+       "billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
+       "vendor" / "vendor-support" / "victim" / "victim-notified" /
+       "ext-value"
+ ? ext-role: text
+ type: "person" / "organization" / "ext-value"
+ ? ext-type: text
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? ContactName: [+ MLStringType]
+ ? ContactTitle: [+ MLStringType]
+ ? Description: [+ MLStringType]
+ ? RegistryHandle: [+ RegistryHandle]
+ ? PostalAddress: [+ PostalAddress]
+ ? Email: [+ Email]
+ ? Telephone: [+ Telephone]
+ ? Timezone: TimeZonetype
+ ? Contact: [+ Contact]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+RegistryHandle = {
+ handle: text
+ registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
+           "afrinic" / "local" / "ext-value"
+ ? ext-registry: text
+}
+
+PostalAddress = {
+ ? type: "street" / "mailing" / "ext-value"
+ ? ext-type: text
+ PAddress: PAddressType
+ ? Description: [+ MLStringType]
+}
+
+Email = {
+ ? type: "direct" / "hotline" / "ext-value"
+ ? ext-type: text
+ EmailTo: text
+ ? Description: [+ MLStringType]
+}
+
+Telephone = {
+ ? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
+ ? ext-type: text
+ TelephoneNumber: text
+ ? Description: [+ MLStringType]
+}
+
+Discovery = {
+ ? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
+           "incident" / "os-log" / "application-log" / "device-log" /
+           "network-flow" / "passive-dns" / "investigation" / "audit" /
+           "internal-notification" / "external-notification" /
+           "leo" / "partner" / "actor" / "unknown" / "ext-value"
+ ? ext-source: text
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? Description: [+ MLStringType]
+ ? Contact: [+ Contact]
+ ? DetectionPattern: [+ DetectionPattern]
+}
+
+DetectionPattern = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ (Description: [+ MLStringType] // DetectionConfiguration: [+ text])
+ Application: SoftwareType
+}
+
+Method = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? Reference: [+ Reference]
+ ? Description: [+ MLStringType]
+ ? AttackPattern: [+ StructuredInfo]
+ ? Vulnerability: [+ StructuredInfo]
+ ? Weakness: [+ StructuredInfo]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+StructuredInfo = {
+ SpecID: SpecID
+ ? ext-SpecID: text
+ ? ContentID: text
+ ? (RawData: [+ BYTE] // Reference:[+ Reference])
+ ? Platform:[+ Platform]
+ ? Scoring:[+ Scoring]
+}
+
+Platform = {
+    SpecID: SpecID
+    ? ext-SpecID: text
+    ? ContentID: text
+    ? RawData: [+ BYTE]
+    ? Reference: [+ Reference]
+}
+Scoring = {
+    SpecID: SpecID
+    ? ext-SpecID: text
+    ? ContentID: text
+    ? RawData: [+ BYTE]
+    ? Reference: [+ Reference]
+}
+Reference = {
+ ? observable-id: IDtype
+ ? ReferenceName: ReferenceName
+ ? URL: [+ URLtype]
+ ? Description: [+ MLStringType]
+}
+
+ReferenceName = {
+ specIndex: integer
+ ID: IDtype
+}
+
+Assessment = {
+ ? occurrence: "actual" / "potential"
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ ? IncidentCategory: [+ MLStringType]
+ Impact: [+ {SystemImpact: SystemImpact} /
+          {BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
+          {MonetaryImpact: MonetaryImpact} /
+          {IntendedImpact: BusinessImpact}]
+ ? Counter: [+ Counter]
+ ? MitigatingFactor: [+ MLStringType]
+ ? Cause: [+ MLStringType]
+ ? Confidence: Confidence
+ ? AdditionalData: [+ ExtensionType]
+}
+
+SystemImpact = {
+ ? severity: "low" / "medium" / "high"
+ ? completion: "failed" / "succeeded"
+ type: "takeover-account" / "takeover-service" / "takeover-system" /
+       "cps-manipulation" / "cps-damage" / "availability-data" /
+       "availability-account" / "availability-service" /
+       "availability-system" / "damaged-system" / "damaged-data" /
+       "breach-proprietary" / "breach-privacy" / "breach-credential" /
+       "breach-configuration" / "integrity-data" /
+       "integrity-configuration" / "integrity-hardware" /
+       "traffic-redirection" / "monitoring-traffic" / "monitoring-host"/
+       "policy" / "unknown" / "ext-value" .default "unknown"
+ ? ext-type: text
+ ? Description: [+ MLStringType]
+}
+
+BusinessImpact = {
+ ? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value"
+            .default "unknown"
+ ? ext-severity: text
+ type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
+       "loss-of-integrity" / "loss-of-service" / "theft-financial" /
+       "theft-service" / "degraded-reputation" / "asset-damage" /
+       "asset-manipulation" / "legal" / "extortion" / "unknown" /
+       "ext-value" .default "unknown"
+ ? ext-type: text
+ ? Description: [+ MLStringType]
+}
+
+TimeImpact = {
+ value: PositiveFloatType
+ ? severity: "low" / "medium" / "high"
+ metric: "labor" / "elapsed" / "downtime" / "ext-value"
+ ? ext-metric: text
+ ? duration: duration .default "hour"
+ ? ext-duration: text
+}
+
+MonetaryImpact = {
+ value: PositiveFloatType
+ ? severity: "low" / "medium" / "high"
+ ? currency: text
+}
+
+Confidence = {
+ value: float32
+ rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
+ ? ext-rating: text
+}
+
+History = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ HistoryItem: [+ HistoryItem]
+}
+
+HistoryItem = {
+ action: action .default "other"
+ ? ext-action: text
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ DateTime: DATETIME
+ ? IncidentID: IncidentID
+ ? Contact: Contact
+ ? Description: [+ MLStringType]
+ ? DefinedCOA: [+ text]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+EventData = {
+ ? restriction: restriction .default "default"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ ? Description: [+ MLStringType]
+ ? DetectTime: DATETIME
+ ? StartTime: DATETIME
+ ? EndTime: DATETIME
+ ? RecoveryTime: DATETIME
+ ? ReportTime: DATETIME
+ ? Contact: [+ Contact]
+ ? Discovery: [+ Discovery]
+ ? Assessment: Assessment
+ ? Method: [+ Method]
+ ? System: [+ System]
+ ? Expectation: [+ Expectation]
+ ? RecordData: [+ RecordData]
+ ? EventData: [+ EventData]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+Expectation = {
+ ? action: action .default "other"
+ ? ext-action: text
+ ? severity: "low" / "medium" / "high"
+ ? restriction: restriction .default "default"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ ? Description: [+ MLStringType]
+ ? DefinedCOA: [+ text]
+ ? StartTime: DATETIME
+ ? EndTime: DATETIME
+ ? Contact: Contact
+}
+
+System = {
+ ? category: "source" / "target" / "intermediate" / "sensor" /
+             "infrastructure" / "ext-value"
+ ? ext-category: text
+ ? interface: text
+ ? spoofed: "unknown" / "yes" / "no" .default "unknown"
+ ? virtual: "yes" / "no" / "unknown" .default "unknown"
+ ? ownership: "organization" / "personal" / "partner" / "customer" /
+              "no-relationship" / "unknown" / "ext-value"
+ ? ext-ownership: text
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ Node: Node
+ ? NodeRole: [+ NodeRole]
+ ? Service: [+ Service]
+ ? OperatingSystem: [+ SoftwareType]
+ ? Counter: [+ Counter]
+ ? AssetID: [+ text]
+ ? Description: [+ MLStringType]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+Node = {
+ (DomainData:[+ DomainData]
+  ? Address:[+ Address] //
+  ? DomainData:[+ DomainData]
+  Address:[+ Address])
+ ? PostalAddress: PostalAddress
+ ? Location: [+ MLStringType]
+ ? Counter: [+ Counter]
+}
+
+Address = {
+ value: text
+ category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
+           "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
+           "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
+           "ext-value" .default "ipv6-addr"
+ ? ext-category: text
+ ? vlan-name: text
+ ? vlan-num: integer
+ ? observable-id: IDtype
+}
+
+NodeRole = {
+ category: "client" / "client-enterprise" / "client-partner" /
+           "client-remote" / "client-kiosk" / "client-mobile" /
+           "server-internal" / "server-public" / "www" / "mail" /
+           "webmail" / "messaging" / "streaming" / "voice" / "file" /
+           "ftp" / "p2p" / "name" / "directory" / "credential" /
+           "print" / "application" / "database" / "backup" / "dhcp" /
+           "assessment" / "source-control" / "config-management" /
+           "monitoring" / "infra" / "infra-firewall" / "infra-router" /
+           "infra-switch" / "camera" / "proxy" / "remote-access" /
+           "log" / "virtualization" / "pos" /  "scada" /
+           "scada-supervisory" / "sinkhole" / "honeypot" /
+           "anomyzation" / "c2-server" / "malware-distribution" /
+           "drop-server" / "hop-point" / "reflector" /
+           "phishing-site" / "spear-phishing-site" / "recruiting-site" /
+           "fraudulent-site" / "ext-value"
+ ? ext-category: text
+ ? Description: [+ MLStringType]
+}
+
+Counter = {
+ value: float32
+ type: "count" / "peak" / "average" / "ext-value"
+ ? ext-type: text
+ unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
+       "message" / "event" / "host" / "site" / "organization" /
+       "ext-value"
+ ? ext-unit: text
+ ? meaning: text
+ ? duration: duration .default "hour"
+ ? ext-duration: text
+}
+
+DomainData = {
+ system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
+                "innocent-hijacked" / "unknown" / "ext-value"
+ ? ext-system-status: text
+ domain-status: "reservedDelegation" / "assignedAndActive" /
+                "assignedAndInactive" / "assignedAndOnHold" /
+                "revoked" / "transferPending" / "registryLock" /
+                "registrarLock" / "other" / "unknown" / "ext-value"
+ ? ext-domain-status: text
+ ? observable-id: IDtype
+ Name: text
+ ? DateDomainWasChecked: DATETIME
+ ? RegistrationDate: DATETIME
+ ? ExpirationDate: DATETIME
+ ? RelatedDNS: [+ ExtensionType]
+ ? NameServers: [+ NameServers]
+ ? DomainContacts: DomainContacts
+}
+
+NameServers = {
+ Server: text
+ Address: [+ Address]
+}
+
+DomainContacts = {
+ (SameDomainContact: text // Contact: [+ Contact])
+}
+
+Service = {
+ ? ip-protocol: integer
+ ? observable-id: IDtype
+ ? ServiceName: ServiceName
+ ? Port: integer
+ ? Portlist: PortlistType
+ ? ProtoCode: integer
+ ? ProtoType: integer
+ ? ProtoField: integer
+ ? ApplicationHeaderField: [+ ExtensionType]
+ ? EmailData: EmailData
+ ? Application: SoftwareType
+}
+
+ServiceName = {
+ ? IANAService: text
+ ? URL: [+ URLtype]
+ ? Description: [+ MLStringType]
+}
+
+EmailData = {
+ ? observable-id: IDtype
+ ? EmailTo: [+ text]
+ ? EmailFrom: text
+ ? EmailSubject: text
+ ? EmailX-Mailer: text
+ ? EmailHeaderField: [+ ExtensionType]
+ ? EmailHeaders: text
+ ? EmailBody: text
+ ? EmailMessage: text
+ ? HashData: [+ HashData]
+ ? Signature: [+ BYTE]
+}
+
+RecordData = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ ? DateTime: DATETIME
+ ? Description: [+ MLStringType]
+ ? Application: SoftwareType
+ ? RecordPattern: [+ RecordPattern]
+ ? RecordItem: [+ ExtensionType]
+ ? URL: [+ URLtype]
+ ? FileData: [+ FileData]
+ ? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
+ ? CertificateData: [+ CertificateData]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+RecordPattern = {
+ value: text
+ type: "regex" / "binary" / "xpath" / "ext-value"  .default "regex"
+ ? ext-type: text
+ ? offset: integer
+ ? offsetunit: "line" / "byte" / "ext-value" .default "line"
+ ? ext-offsetunit: text
+ ? instance: integer
+}
+
+WindowsRegistryKeysModified = {
+ ? observable-id: IDtype
+ Key: [+ Key]
+}
+
+Key = {
+ ? registryaction: "add-key" / "add-value" / "delete-key" /
+                   "delete-value" / "modify-key" / "modify-value" /
+                   "ext-value"
+ ? ext-registryaction: text
+ ? observable-id: IDtype
+ KeyName: text
+ ? KeyValue: text
+}
+
+CertificateData = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ Certificate: [+ Certificate]
+}
+
+Certificate = {
+ ? observable-id: IDtype
+ X509Data: BYTE
+ ? Description: [+ MLStringType]
+}
+
+FileData = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? observable-id: IDtype
+ File: [+ File]
+}
+
+File = {
+ ? observable-id: IDtype
+ ? FileName: text
+ ? FileSize: integer
+ ? FileType: text
+ ? URL: [+ URLtype]
+ ? HashData: HashData
+ ? Signature: [+ BYTE]
+ ? AssociatedSoftware: SoftwareType
+ ? FileProperties: [+ ExtensionType]
+}
+
+HashData = {
+ scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
+        "file-pe-resource" / "file-pdf-object" / "email-hash" /
+        "email-headers-hash" / "email-body-hash" / "ext-value"
+ ? HashTargetID: text
+ ? Hash: [+ Hash]
+ ? FuzzyHash: [+ FuzzyHash]
+}
+
+Hash = {
+ DigestMethod: BYTE
+ DigestValue: BYTE
+ ? CanonicalizationMethod: BYTE
+ ? Application: SoftwareType
+}
+
+FuzzyHash = {
+ FuzzyHashValue: [+ ExtensionType]
+ ? Application: SoftwareType
+ ? AdditionalData: [+ ExtensionType]
+}
+
+Indicator = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ IndicatorID: IndicatorID
+ ? AlternativeIndicatorID: [+ AlternativeIndicatorID]
+ ? Description: [+ MLStringType]
+ ? StartTime: DATETIME
+ ? EndTime: DATETIME
+ ? Confidence: Confidence
+ ? Contact: [+ Contact]
+ (Observable: Observable // uid-ref: IDREFType //
+  IndicatorExpression: IndicatorExpression //
+  IndicatorReference: IndicatorReference)
+ ? NodeRole: [+ NodeRole]
+ ? AttackPhase: [+ AttackPhase]
+ ? Reference: [+ Reference]
+ ? AdditionalData: [+ ExtensionType]
+}
+
+IndicatorID = {
+ id: IDtype
+ name: text
+ version: text
+}
+
+AlternativeIndicatorID = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ IndicatorID: [+ IndicatorID]
+}
+
+Observable = {
+ ? restriction: restriction .default "private"
+ ? ext-restriction: text
+ ? (System: System // Address: Address // DomainData: DomainData //
+  EmailData: EmailData // Service: Service //
+  WindowsRegistryKeysModified: WindowsRegistryKeysModified //
+  FileData: FileData // CertificateData: CertificateData //
+  RegistryHandle: RegistryHandle // RecordData: RecordData //
+  EventData: EventData // Incident: Incident //
+  Expectation: Expectation // Reference: Reference //
+  Assessment: Assessment // DetectionPattern: DetectionPattern //
+  HistoryItem: HistoryItem // BulkObservable: BulkObservable //
+  AdditionalData: [+ ExtensionType])
+}
+
+BulkObservable = {
+ ? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
+         "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
+         "mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
+         "domain-to-ipv6" / "domain-to-ipv4-timestamp" /
+         "domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
+         "windows-reg-key" / "file-hash" / "email-x-mailer" /
+         "email-subject" / "http-user-agent" / "http-request-uri" /
+         "mutex" / "file-path" / "user-name" / "ext-value"
+ ? ext-type: text
+ ? BulkObservableFormat: BulkObservableFormat
+ BulkObservableList: text
+ ? AdditionalData: [+ ExtensionType]
+}
+
+BulkObservableFormat = {
+ (Hash: Hash // AdditionalData: [+ ExtensionType])
+}
+
+IndicatorExpression = {
+ ? operator: "not" / "and" / "or" / "xor" .default "and"
+ ? ext-operator: text
+ ? IndicatorExpression: [+ IndicatorExpression]
+ ? Observable: [+ Observable]
+ ? uid-ref: [+ IDREFType]
+ ? IndicatorReference: [+ IndicatorReference]
+ ? Confidence: Confidence
+ ? AdditionalData: [+ ExtensionType]
+}
+
+IndicatorReference = {
+ (uid-ref: IDREFType // euid-ref: text)
+ ? version: text
+}
+
+AttackPhase = {
+ ? AttackPhaseID: [+ text]
+ ? URL: [+ URLtype]
+ ? Description: [+ MLStringType]
+ ? AdditionalData: [+ ExtensionType]
+}