cddl 0.8.7 → 0.8.12
- checksums.yaml +4 -4
- data/cddl.gemspec +2 -1
- data/data/cddl.abnf +1 -0
- data/lib/cddl.rb +63 -12
- data/test-data/7807.cddl +14 -0
- data/test-data/abignum.cddl +1 -0
- data/test-data/bpv7.cddl +136 -0
- data/test-data/bpv7a.cddl +181 -0
- data/test-data/bpv7b.cddl +167 -0
- data/test-data/coral.cddl +10 -0
- data/test-data/coral1.cddl +5 -0
- data/test-data/coral2.cddl +7 -0
- data/test-data/coral3.cddl +7 -0
- data/test-data/dotsize.cddl +7 -0
- data/test-data/feat1.cddl +4 -0
- data/test-data/foo.cddl +1 -0
- data/test-data/jim-cut-2.cddl +11 -0
- data/test-data/jim-cut.cddl +12 -0
- data/test-data/jsoniodef.cddl +719 -0
- data/test-data/mdl-ble.cddl +9 -0
- data/test-data/mdl-deve.cddl +54 -0
- data/test-data/mdl-dp.cddl +11 -0
- data/test-data/mdl-mso.cddl +20 -0
- data/test-data/mdl-request.cddl +26 -0
- data/test-data/mdl-response.cddl +66 -0
- data/test-data/mdl.cddl +11 -0
- data/test-data/mon-val.cddl +1 -0
- data/test-data/multipart-ct.cddl +2 -0
- data/test-data/named-group.cddl +7 -0
- data/test-data/test-gen.cddl +3 -0
- data/test/test-cddl.rb +51 -0
- metadata +32 -7
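--- a/data/test-data/bpv7b.cddl
+++ b/data/test-data/bpv7b.cddl
@@ -0,0 +1,167 @@
+start = bundle / #6.55799(bundle)
+
+; Times before 2000 are invalid
+dtn-time = uint
+
+; CRC enumerated type
+crc-type = 0 / 1 / 2
+; Either 16-bit or 32-bit
+crc-value = (bstr .size 2) / (bstr .size 4)
+
+creation-timestamp = [dtn-time, sequence: uint]
+
+eid = $eid-choice .within eid-structure
+eid-structure = [
+uri-code: uint,
+SSP: any
+]
+$eid-choice /= [
+uri-code: 1,
+SSP: (tstr / 0)
+]
+$eid-choice /= [
+uri-code: 2,
+SSP: [
+nodenum: uint,
+servicenum: uint
+]
+]
+
+; The root bundle array
+bundle = [primary-block, *extension-block, payload-block]
+
+primary-block = [
+version: 7,
+bundle-control-flags,
+crc-type,
+destination: eid,
+source-node: eid,
+report-to: eid,
+creation-timestamp,
+lifetime: uint,
+? (
+fragment-offset: uint,
+total-application-data-length: uint,
+)
+? crc-value,
+]
+bundle-control-flags = uint .bits bundleflagbits
+bundleflagbits = &(
+reserved: 15,
+reserved: 14,
+reserved: 13,
+bundle-deletion-status-reports-are-requested: 12,
+bundle-delivery-status-reports-are-requested: 11,
+bundle-forwarding-status-reports-are-requested: 10,
+reserved: 9,
+bundle-reception-status-reports-are-requested: 8,
+bundle-contains-a-Manifest-block: 7,
+status-time-is-requested-in-all-status-reports: 6,
+user-application-acknowledgement-is-requested: 5,
+reserved: 4,
+reserved: 3,
+bundle-must-not-be-fragmented: 2,
+payload-is-an-administrative-record: 1,
+bundle-is-a-fragment: 0
+)
+
+; Abstract shared structure of all non-primary blocks
+canonical-block-structure = [
+block-type-code: uint,
+block-number: uint,
+block-control-flags,
+crc-type,
+; Each block type defines the content within the bytestring
+block-type-specific-data,
+? crc-value
+]
+block-control-flags = uint .bits blockflagbits
+blockflagbits = &(
+reserved: 7,
+reserved: 6,
+reserved: 5,
+reserved: 4,
+bundle-must-be-deleted-if-block-cannot-be-processed: 3,
+status-report-must-be-transmitted-if-block-cannot-be-processed: 2,
+block-must-be-removed-from-bundle-if-it-cannot-be-processed: 1,
+block-must-be-replicated-in-every-fragment: 0
+)
+block-type-specific-data = bstr / #6.24(bstr)
+; Actual CBOR data embedded in a bytestring, with optional tag to indicate so
+embedded-cbor<Item> = (bstr .cbor Item) / #6.24(bstr .cbor Item)
+
+; Extension block type, which does not specialize other than the code/number
+extension-block = $extension-block-structure .within canonical-block-structure
+; Generic shared structure of all non-primary blocks
+extension-block-use<CodeValue, BlockData> = [
+block-type-code: CodeValue,
+block-number: (uint .ne 0),
+block-control-flags,
+crc-type,
+BlockData,
+? crc-value
+]
+
+; Payload block type
+payload-block = payload-block-structure .within canonical-block-structure
+payload-block-structure = [
+block-type-code: 1,
+block-number: 0,
+block-control-flags,
+crc-type,
+$payload-block-data,
+? crc-value
+]
+
+; Arbitrary payload data, including non-CBOR bytestring
+$payload-block-data /= block-type-specific-data
+
+
+; Administrative record as a payload data specialization
+$payload-block-data /= embedded-cbor<admin-record>
+admin-record = $admin-record .within admin-record-structure
+admin-record-structure = [
+record-type-code: uint,
+record-content: any
+]
+; Only one defined record type
+$admin-record /= [1, status-record-content]
+status-record-content = [
+bundle-status-information,
+status-report-reason-code: uint,
+source-node-eid: eid,
+subject-creation-timestamp: creation-timestamp,
+? (
+subject-payload-offset: uint,
+subject-payload-length: uint
+)
+]
+bundle-status-information = [
+reporting-node-received-bundle: status-info-content,
+reporting-node-forwarded-bundle: status-info-content,
+reporting-node-delivered-bundle: status-info-content,
+reporting-node-deleted-bundle: status-info-content
+]
+status-info-content = [
+status-indicator: bool,
+? timestamp: dtn-time
+]
+
+
+; Previous Node extension block
+$extension-block-structure /=
+extension-block-use<7, embedded-cbor<ext-data-previous-node>>
+ext-data-previous-node = eid
+
+; Bundle Age extension block
+$extension-block-structure /=
+extension-block-use<8, embedded-cbor<ext-data-bundle-age>>
+ext-data-bundle-age = uint
+
+; Hop Count extension block
+$extension-block-structure /=
+extension-block-use<9, embedded-cbor<ext-data-hop-count>>
+ext-data-hop-count = [
+hop-limit: uint,
+hop-count: uint
+]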
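Review bot: `crc-type` and `? crc-value` are independent members in `primary-block`, `canonical-block-structure`, `extension-block-use` and `payload-block-structure`, so nothing in this schema ties the presence or length of the CRC to the declared type. A bundle that declares `crc-type` 0 yet carries a CRC, or declares the 16-bit type and carries a four-byte value, still matches. If a test relies on this fixture to reject malformed bundles, that case is not covered. A comment next to the `crc-value` rule such as `; NOTE: presence and size of crc-value are not coupled to crc-type in this schema` would make the limit explicit. The file looks like it was taken from a protocol draft, so documenting the gap is probably preferable to tightening the rules here.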
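--- a/data/test-data/coral.cddl
+++ b/data/test-data/coral.cddl
@@ -0,0 +1,10 @@
+coral = [+ s-exp]
+s-exp = ((text, value, ?coral) // directive)
+value = ctext / cbytes / cint / cfloat / cboolean / cdatetime / null / {"_link": tstr} / {"_form": tstr}
+ctext = text / {"_text": text}
+cint = {"_int": int}
+cfloat = float / {"_float": float}
+cboolean = bool / {"_bool": bool}
+cdatetime = {"_datetime": text}
+cbytes = {"_bytes": text} ; base64url no padding
+directive = (("_using", {* text => text}) // ("_base", text))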
@@ -0,0 +1,7 @@
|
|
1
|
+
document = {*element}
|
2
|
+
element = (text => value / [2*value])
|
3
|
+
value = text / float / bool / tagged
|
4
|
+
tagged = {"_int":int,*element} / {"_float":float,*element} / {"_text":text,*element} / {"_bytes":bytes,*element} / {"_datetime":text,*element} / {"_bool":bool,*element} / {"_link":ciri,*element} / {"_form":ciri,*element}
|
5
|
+
ciri = text ; full IRI given
|
6
|
+
/ [text] ; suffix for default prefix
|
7
|
+
/ [text, text] ; prefix, suffix for that prefix
|
@@ -0,0 +1,7 @@
|
|
1
|
+
document = {? ("_using" => {* text => text}), *element}
|
2
|
+
element = (text => value / [2*value])
|
3
|
+
value = text / float / bool / tagged / {*element}
|
4
|
+
tagged = {"_int": int, *element} / {"_float": float, *element} / {"_text": text, *element} / {"_bytes": bytes, *element} / {"_datetime": text, *element} / {"_bool": bool, *element} / {"_link": ciri, *element} / {"_form": ciri, *element}
|
5
|
+
ciri = text ; full IRI given
|
6
|
+
/ [text] ; suffix for default prefix
|
7
|
+
/ [text, text] ; prefix, suffix for that prefix
|
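--- a/data/test-data/foo.cddl
+++ b/data/test-data/foo.cddl
@@ -0,0 +1 @@
+foo=bar=int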
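--- a/data/test-data/jsoniodef.cddl
+++ b/data/test-data/jsoniodef.cddl
@@ -0,0 +1,719 @@
+start = iodef
+
+;;; iodef.json: IODEF-Document
+
+iodef = {
+version: text
+? lang: lang
+? format-id: text
+? private-enum-name: text
+? private-enum-id: text
+Incident: [+ Incident]
+? AdditionalData: [+ ExtensionType]
+}
+
+duration = "second" / "minute" / "hour" / "day" / "month" / "quarter" /
+"year" / "ext-value"
+lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
+
+restriction = "public" / "partner" / "need-to-know" / "private" /
+"default" / "white" / "green" / "amber" / "red" /
+"ext-value"
+SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
+IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
+IDREFType = IDtype
+URLtype = uri
+TimeZonetype = text .regexp "Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"
+PortlistType = text .regexp "\\d+(\\-\\d+)?(,\\d+(\\-\\d+)?)*"
+action = "nothing" / "contact-source-site" / "contact-target-site" /
+"contact-sender" / "investigate" / "block-host" /
+"block-network" / "block-port" / "rate-limit-host" /
+"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
+"honeypot" / "upgrade-software" / "rebuild-asset" /
+"harden-asset" / "remediate-other" / "status-triage" /
+"status-new-info" / "watch-and-report" / "training" /
+"defined-coa" / "other" / "ext-value"
+
+DATETIME = tdate
+
+BYTE = eb64legacy
+
+MLStringType = {
+value: text
+? lang: lang
+? translation-id: text
+} / text
+
+PositiveFloatType = float32 .gt 0
+
+PAddressType = MLStringType
+
+ExtensionType = {
+value: text
+? name: text
+dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
+"ntpstamp" / "integer" / "portlist" / "real" / "string" /
+"file" / "path" / "frame" / "packet" / "ipv4-packet" / "json"/
+"ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
+.default "string"
+? ext-dtype: text
+? meaning: text
+? formatid: text
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+}
+
+SoftwareType = {
+? SoftwareReference: SoftwareReference
+? URL: [+ URLtype]
+? Description: [+ MLStringType]
+}
+
+SoftwareReference = {
+? value: text
+spec-name: "custom" / "cpe" / "swid" / "ext-value"
+? ext-spec-name: text
+? dtype: "bytes" / "integer" / "real" / "string" / "xml" / "ext-value"
+.default "string"
+? ext-dtype: text
+}
+
+Incident = {
+purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
+"ext-value"
+? ext-purpose: text
+? status: "new" / "in-progress"/ "forwarded" / "resolved" / "future" /
+"ext-value"
+? ext-status: text
+? lang: lang
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+IncidentID: IncidentID
+? AlternativeID: AlternativeID
+? RelatedActivity: [+ RelatedActivity]
+? DetectTime: DATETIME
+? StartTime: DATETIME
+? EndTime: DATETIME
+? RecoveryTime: DATETIME
+? ReportTime: DATETIME
+GenerationTime: DATETIME
+? Description: [+ MLStringType]
+? Discovery: [+ Discovery]
+? Assessment: [+ Assessment]
+? Method: [+ Method]
+Contact: [+ Contact]
+? EventData: [+ EventData]
+? Indicator: [+ Indicator]
+? History: History
+? AdditionalData: [+ ExtensionType]
+}
+
+IncidentID = {
+id: text
+name: text
+? instance: text
+? restriction: restriction .default "private"
+? ext-restriction: text
+}
+
+AlternativeID = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+IncidentID: [+ IncidentID]
+}
+
+RelatedActivity = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? IncidentID: [+ IncidentID]
+? URL: [+ URLtype]
+? ThreatActor: [+ ThreatActor]
+? Campaign: [+ Campaign]
+? IndicatorID: [+ IndicatorID]
+? Confidence: Confidence
+? Description: [+ text]
+? AdditionalData: [+ ExtensionType]
+}
+
+ThreatActor = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? ThreatActorID: [+ text]
+? URL: [+ URLtype]
+? Description: [+ MLStringType]
+? AdditionalData: [+ ExtensionType]
+}
+
+Campaign = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? CampaignID: [+ text]
+? URL: [+ URLtype]
+? Description: [+ MLStringType]
+? AdditionalData: [+ ExtensionType]
+}
+
+Contact = {
+role: "creator" / "reporter" / "admin" / "tech" / "provider" / "user" /
+"billing" / "legal" / "irt" / "abuse" / "cc" / "cc-irt" / "leo" /
+"vendor" / "vendor-support" / "victim" / "victim-notified" /
+"ext-value"
+? ext-role: text
+type: "person" / "organization" / "ext-value"
+? ext-type: text
+? restriction: restriction .default "private"
+? ext-restriction: text
+? ContactName: [+ MLStringType]
+? ContactTitle: [+ MLStringType]
+? Description: [+ MLStringType]
+? RegistryHandle: [+ RegistryHandle]
+? PostalAddress: [+ PostalAddress]
+? Email: [+ Email]
+? Telephone: [+ Telephone]
+? Timezone: TimeZonetype
+? Contact: [+ Contact]
+? AdditionalData: [+ ExtensionType]
+}
+
+RegistryHandle = {
+handle: text
+registry: "internic" / "apnic" / "arin" / "lacnic" / "ripe" /
+"afrinic" / "local" / "ext-value"
+? ext-registry: text
+}
+
+PostalAddress = {
+? type: "street" / "mailing" / "ext-value"
+? ext-type: text
+PAddress: PAddressType
+? Description: [+ MLStringType]
+}
+
+Email = {
+? type: "direct" / "hotline" / "ext-value"
+? ext-type: text
+EmailTo: text
+? Description: [+ MLStringType]
+}
+
+Telephone = {
+? type: "wired" / "mobile" / "fax" / "hotline" / "ext-value"
+? ext-type: text
+TelephoneNumber: text
+? Description: [+ MLStringType]
+}
+
+Discovery = {
+? source: "nidps" / "hips" / "siem" / "av" / "third-party-monitoring" /
+"incident" / "os-log" / "application-log" / "device-log" /
+"network-flow" / "passive-dns" / "investigation" / "audit" /
+"internal-notification" / "external-notification" /
+"leo" / "partner" / "actor" / "unknown" / "ext-value"
+? ext-source: text
+? restriction: restriction .default "private"
+? ext-restriction: text
+? Description: [+ MLStringType]
+? Contact: [+ Contact]
+? DetectionPattern: [+ DetectionPattern]
+}
+
+DetectionPattern = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+(Description: [+ MLStringType] // DetectionConfiguration: [+ text])
+Application: SoftwareType
+}
+
+Method = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? Reference: [+ Reference]
+? Description: [+ MLStringType]
+? AttackPattern: [+ StructuredInfo]
+? Vulnerability: [+ StructuredInfo]
+? Weakness: [+ StructuredInfo]
+? AdditionalData: [+ ExtensionType]
+}
+
+StructuredInfo = {
+SpecID: SpecID
+? ext-SpecID: text
+? ContentID: text
+? (RawData: [+ BYTE] // Reference:[+ Reference])
+? Platform:[+ Platform]
+? Scoring:[+ Scoring]
+}
+
+Platform = {
+SpecID: SpecID
+? ext-SpecID: text
+? ContentID: text
+? RawData: [+ BYTE]
+? Reference: [+ Reference]
+}
+Scoring = {
+SpecID: SpecID
+? ext-SpecID: text
+? ContentID: text
+? RawData: [+ BYTE]
+? Reference: [+ Reference]
+}
+Reference = {
+? observable-id: IDtype
+? ReferenceName: ReferenceName
+? URL: [+ URLtype]
+? Description: [+ MLStringType]
+}
+
+ReferenceName = {
+specIndex: integer
+ID: IDtype
+}
+
+Assessment = {
+? occurrence: "actual" / "potential"
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+? IncidentCategory: [+ MLStringType]
+Impact: [+ {SystemImpact: SystemImpact} /
+{BusinessImpact: BusinessImpact} / {TimeImpact: TimeImpact} /
+{MonetaryImpact: MonetaryImpact} /
+{IntendedImpact: BusinessImpact}]
+? Counter: [+ Counter]
+? MitigatingFactor: [+ MLStringType]
+? Cause: [+ MLStringType]
+? Confidence: Confidence
+? AdditionalData: [+ ExtensionType]
+}
+
+SystemImpact = {
+? severity: "low" / "medium" / "high"
+? completion: "failed" / "succeeded"
+type: "takeover-account" / "takeover-service" / "takeover-system" /
+"cps-manipulation" / "cps-damage" / "availability-data" /
+"availability-account" / "availability-service" /
+"availability-system" / "damaged-system" / "damaged-data" /
+"breach-proprietary" / "breach-privacy" / "breach-credential" /
+"breach-configuration" / "integrity-data" /
+"integrity-configuration" / "integrity-hardware" /
+"traffic-redirection" / "monitoring-traffic" / "monitoring-host"/
+"policy" / "unknown" / "ext-value" .default "unknown"
+? ext-type: text
+? Description: [+ MLStringType]
+}
+
+BusinessImpact = {
+? severity:"none" / "low" / "medium" / "high" / "unknown" / "ext-value"
+.default "unknown"
+? ext-severity: text
+type: "breach-proprietary" / "breach-privacy" / "breach-credential" /
+"loss-of-integrity" / "loss-of-service" / "theft-financial" /
+"theft-service" / "degraded-reputation" / "asset-damage" /
+"asset-manipulation" / "legal" / "extortion" / "unknown" /
+"ext-value" .default "unknown"
+? ext-type: text
+? Description: [+ MLStringType]
+}
+
+TimeImpact = {
+value: PositiveFloatType
+? severity: "low" / "medium" / "high"
+metric: "labor" / "elapsed" / "downtime" / "ext-value"
+? ext-metric: text
+? duration: duration .default "hour"
+? ext-duration: text
+}
+
+MonetaryImpact = {
+value: PositiveFloatType
+? severity: "low" / "medium" / "high"
+? currency: text
+}
+
+Confidence = {
+value: float32
+rating: "low" / "medium" / "high" / "numeric" / "unknown" / "ext-value"
+? ext-rating: text
+}
+
+History = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+HistoryItem: [+ HistoryItem]
+}
+
+HistoryItem = {
+action: action .default "other"
+? ext-action: text
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+DateTime: DATETIME
+? IncidentID: IncidentID
+? Contact: Contact
+? Description: [+ MLStringType]
+? DefinedCOA: [+ text]
+? AdditionalData: [+ ExtensionType]
+}
+
+EventData = {
+? restriction: restriction .default "default"
+? ext-restriction: text
+? observable-id: IDtype
+? Description: [+ MLStringType]
+? DetectTime: DATETIME
+? StartTime: DATETIME
+? EndTime: DATETIME
+? RecoveryTime: DATETIME
+? ReportTime: DATETIME
+? Contact: [+ Contact]
+? Discovery: [+ Discovery]
+? Assessment: Assessment
+? Method: [+ Method]
+? System: [+ System]
+? Expectation: [+ Expectation]
+? RecordData: [+ RecordData]
+? EventData: [+ EventData]
+? AdditionalData: [+ ExtensionType]
+}
+
+Expectation = {
+? action: action .default "other"
+? ext-action: text
+? severity: "low" / "medium" / "high"
+? restriction: restriction .default "default"
+? ext-restriction: text
+? observable-id: IDtype
+? Description: [+ MLStringType]
+? DefinedCOA: [+ text]
+? StartTime: DATETIME
+? EndTime: DATETIME
+? Contact: Contact
+}
+
+System = {
+? category: "source" / "target" / "intermediate" / "sensor" /
+"infrastructure" / "ext-value"
+? ext-category: text
+? interface: text
+? spoofed: "unknown" / "yes" / "no" .default "unknown"
+? virtual: "yes" / "no" / "unknown" .default "unknown"
+? ownership: "organization" / "personal" / "partner" / "customer" /
+"no-relationship" / "unknown" / "ext-value"
+? ext-ownership: text
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+Node: Node
+? NodeRole: [+ NodeRole]
+? Service: [+ Service]
+? OperatingSystem: [+ SoftwareType]
+? Counter: [+ Counter]
+? AssetID: [+ text]
+? Description: [+ MLStringType]
+? AdditionalData: [+ ExtensionType]
+}
+
+Node = {
+(DomainData:[+ DomainData]
+? Address:[+ Address] //
+? DomainData:[+ DomainData]
+Address:[+ Address])
+? PostalAddress: PostalAddress
+? Location: [+ MLStringType]
+? Counter: [+ Counter]
+}
+
+Address = {
+value: text
+category: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
+"ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
+"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
+"ext-value" .default "ipv6-addr"
+? ext-category: text
+? vlan-name: text
+? vlan-num: integer
+? observable-id: IDtype
+}
+
+NodeRole = {
+category: "client" / "client-enterprise" / "client-partner" /
+"client-remote" / "client-kiosk" / "client-mobile" /
+"server-internal" / "server-public" / "www" / "mail" /
+"webmail" / "messaging" / "streaming" / "voice" / "file" /
+"ftp" / "p2p" / "name" / "directory" / "credential" /
+"print" / "application" / "database" / "backup" / "dhcp" /
+"assessment" / "source-control" / "config-management" /
+"monitoring" / "infra" / "infra-firewall" / "infra-router" /
+"infra-switch" / "camera" / "proxy" / "remote-access" /
+"log" / "virtualization" / "pos" / "scada" /
+"scada-supervisory" / "sinkhole" / "honeypot" /
+"anomyzation" / "c2-server" / "malware-distribution" /
+"drop-server" / "hop-point" / "reflector" /
+"phishing-site" / "spear-phishing-site" / "recruiting-site" /
+"fraudulent-site" / "ext-value"
+? ext-category: text
+? Description: [+ MLStringType]
+}
+
+Counter = {
+value: float32
+type: "count" / "peak" / "average" / "ext-value"
+? ext-type: text
+unit: "byte" / "mbit" / "packet" / "flow" / "session" / "alert" /
+"message" / "event" / "host" / "site" / "organization" /
+"ext-value"
+? ext-unit: text
+? meaning: text
+? duration: duration .default "hour"
+? ext-duration: text
+}
+
+DomainData = {
+system-status: "spoofed" / "fraudulent" / "innocent-hacked" /
+"innocent-hijacked" / "unknown" / "ext-value"
+? ext-system-status: text
+domain-status: "reservedDelegation" / "assignedAndActive" /
+"assignedAndInactive" / "assignedAndOnHold" /
+"revoked" / "transferPending" / "registryLock" /
+"registrarLock" / "other" / "unknown" / "ext-value"
+? ext-domain-status: text
+? observable-id: IDtype
+Name: text
+? DateDomainWasChecked: DATETIME
+? RegistrationDate: DATETIME
+? ExpirationDate: DATETIME
+? RelatedDNS: [+ ExtensionType]
+? NameServers: [+ NameServers]
+? DomainContacts: DomainContacts
+}
+
+NameServers = {
+Server: text
+Address: [+ Address]
+}
+
+DomainContacts = {
+(SameDomainContact: text // Contact: [+ Contact])
+}
+
+Service = {
+? ip-protocol: integer
+? observable-id: IDtype
+? ServiceName: ServiceName
+? Port: integer
+? Portlist: PortlistType
+? ProtoCode: integer
+? ProtoType: integer
+? ProtoField: integer
+? ApplicationHeaderField: [+ ExtensionType]
+? EmailData: EmailData
+? Application: SoftwareType
+}
+
+ServiceName = {
+? IANAService: text
+? URL: [+ URLtype]
+? Description: [+ MLStringType]
+}
+
+EmailData = {
+? observable-id: IDtype
+? EmailTo: [+ text]
+? EmailFrom: text
+? EmailSubject: text
+? EmailX-Mailer: text
+? EmailHeaderField: [+ ExtensionType]
+? EmailHeaders: text
+? EmailBody: text
+? EmailMessage: text
+? HashData: [+ HashData]
+? Signature: [+ BYTE]
+}
+
+RecordData = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+? DateTime: DATETIME
+? Description: [+ MLStringType]
+? Application: SoftwareType
+? RecordPattern: [+ RecordPattern]
+? RecordItem: [+ ExtensionType]
+? URL: [+ URLtype]
+? FileData: [+ FileData]
+? WindowsRegistryKeysModified: [+ WindowsRegistryKeysModified]
+? CertificateData: [+ CertificateData]
+? AdditionalData: [+ ExtensionType]
+}
+
+RecordPattern = {
+value: text
+type: "regex" / "binary" / "xpath" / "ext-value" .default "regex"
+? ext-type: text
+? offset: integer
+? offsetunit: "line" / "byte" / "ext-value" .default "line"
+? ext-offsetunit: text
+? instance: integer
+}
+
+WindowsRegistryKeysModified = {
+? observable-id: IDtype
+Key: [+ Key]
+}
+
+Key = {
+? registryaction: "add-key" / "add-value" / "delete-key" /
+"delete-value" / "modify-key" / "modify-value" /
+"ext-value"
+? ext-registryaction: text
+? observable-id: IDtype
+KeyName: text
+? KeyValue: text
+}
+
+CertificateData = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+Certificate: [+ Certificate]
+}
+
+Certificate = {
+? observable-id: IDtype
+X509Data: BYTE
+? Description: [+ MLStringType]
+}
+
+FileData = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? observable-id: IDtype
+File: [+ File]
+}
+
+File = {
+? observable-id: IDtype
+? FileName: text
+? FileSize: integer
+? FileType: text
+? URL: [+ URLtype]
+? HashData: HashData
+? Signature: [+ BYTE]
+? AssociatedSoftware: SoftwareType
+? FileProperties: [+ ExtensionType]
+}
+
+HashData = {
+scope: "file-contents" / "file-pe-section" / "file-pe-iat" /
+"file-pe-resource" / "file-pdf-object" / "email-hash" /
+"email-headers-hash" / "email-body-hash" / "ext-value"
+? HashTargetID: text
+? Hash: [+ Hash]
+? FuzzyHash: [+ FuzzyHash]
+}
+
+Hash = {
+DigestMethod: BYTE
+DigestValue: BYTE
+? CanonicalizationMethod: BYTE
+? Application: SoftwareType
+}
+
+FuzzyHash = {
+FuzzyHashValue: [+ ExtensionType]
+? Application: SoftwareType
+? AdditionalData: [+ ExtensionType]
+}
+
+Indicator = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+IndicatorID: IndicatorID
+? AlternativeIndicatorID: [+ AlternativeIndicatorID]
+? Description: [+ MLStringType]
+? StartTime: DATETIME
+? EndTime: DATETIME
+? Confidence: Confidence
+? Contact: [+ Contact]
+(Observable: Observable // uid-ref: IDREFType //
+IndicatorExpression: IndicatorExpression //
+IndicatorReference: IndicatorReference)
+? NodeRole: [+ NodeRole]
+? AttackPhase: [+ AttackPhase]
+? Reference: [+ Reference]
+? AdditionalData: [+ ExtensionType]
+}
+
+IndicatorID = {
+id: IDtype
+name: text
+version: text
+}
+
+AlternativeIndicatorID = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+IndicatorID: [+ IndicatorID]
+}
+
+Observable = {
+? restriction: restriction .default "private"
+? ext-restriction: text
+? (System: System // Address: Address // DomainData: DomainData //
+EmailData: EmailData // Service: Service //
+WindowsRegistryKeysModified: WindowsRegistryKeysModified //
+FileData: FileData // CertificateData: CertificateData //
+RegistryHandle: RegistryHandle // RecordData: RecordData //
+EventData: EventData // Incident: Incident //
+Expectation: Expectation // Reference: Reference //
+Assessment: Assessment // DetectionPattern: DetectionPattern //
+HistoryItem: HistoryItem // BulkObservable: BulkObservable //
+AdditionalData: [+ ExtensionType])
+}
+
+BulkObservable = {
+? type: "asn" / "atm" / "e-mail" / "ipv4-addr" / "ipv4-net" /
+"ipv4-net-mask" / "ipv6-addr" / "ipv6-net" / "ipv6-net-mask" /
+"mac" / "site-uri" / "domain-name" / "domain-to-ipv4" /
+"domain-to-ipv6" / "domain-to-ipv4-timestamp" /
+"domain-to-ipv6-timestamp" / "ipv4-port" / "ipv6-port" /
+"windows-reg-key" / "file-hash" / "email-x-mailer" /
+"email-subject" / "http-user-agent" / "http-request-uri" /
+"mutex" / "file-path" / "user-name" / "ext-value"
+? ext-type: text
+? BulkObservableFormat: BulkObservableFormat
+BulkObservableList: text
+? AdditionalData: [+ ExtensionType]
+}
+
+BulkObservableFormat = {
+(Hash: Hash // AdditionalData: [+ ExtensionType])
+}
+
+IndicatorExpression = {
+? operator: "not" / "and" / "or" / "xor" .default "and"
+? ext-operator: text
+? IndicatorExpression: [+ IndicatorExpression]
+? Observable: [+ Observable]
+? uid-ref: [+ IDREFType]
+? IndicatorReference: [+ IndicatorReference]
+? Confidence: Confidence
+? AdditionalData: [+ ExtensionType]
+}
+
+IndicatorReference = {
+(uid-ref: IDREFType // euid-ref: text)
+? version: text
+}
+
+AttackPhase = {
+? AttackPhaseID: [+ text]
+? URL: [+ URLtype]
+? Description: [+ MLStringType]
+? AdditionalData: [+ ExtensionType]
+}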
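Review bot: The two adjacent `.regexp` rules escape their patterns differently: `TimeZonetype` writes `[\+\-]` with single backslashes, while `PortlistType` on the next line writes `\\d` and `\\-` with doubled ones. CDDL text literals follow JSON string conventions, where `\+` is not a defined escape, so what reaches the regex engine for `TimeZonetype` depends on how the parser treats an unknown escape. I would write it like its neighbour, `TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"`, or add a test that pins the current behaviour for both rules. Separately, `"anomyzation"` in `NodeRole` looks like a misspelling of "anonymization"; if the source specification spells it the long way, documents using the correct value will fail validation against this fixture.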