cddlc 0.1.0 → 0.1.2

Sign up to get free protection for your applications and to get access to all the features.
data/data/rfc8727.cddl ADDED
@@ -0,0 +1,946 @@
1
+
2
+ start = iodef
3
+
4
+ ;;; iodef.json: IODEF-Document
5
+
6
+ iodef-version = -24
7
+ iodef-lang = -23
8
+ iodef-format-id = -22
9
+ iodef-private-enum-name = -21
10
+ iodef-private-enum-id = -20
11
+ iodef-Incident = -19
12
+ iodef-AdditionalData = -18
13
+ iodef-value = -17
14
+ iodef-translation-id = -16
15
+ iodef-name = -15
16
+ iodef-dtype = -14
17
+ iodef-ext-dtype = -13
18
+ iodef-meaning = -12
19
+ iodef-formatid = -11
20
+ iodef-restriction = -10
21
+ iodef-ext-restriction = -9
22
+ iodef-observable-id = -8
23
+ iodef-SoftwareReference = -7
24
+ iodef-URL = -6
25
+ iodef-Description = -5
26
+ iodef-spec-name = -4
27
+ iodef-ext-spec-name = -3
28
+ iodef-purpose = -2
29
+ iodef-ext-purpose = -1
30
+ iodef-status = 0
31
+ iodef-ext-status = 1
32
+ iodef-IncidentID = 2
33
+ iodef-AlternativeID = 3
34
+ iodef-RelatedActivity = 4
35
+ iodef-DetectTime = 5
36
+ iodef-StartTime = 6
37
+ iodef-EndTime = 7
38
+ iodef-RecoveryTime = 8
39
+ iodef-ReportTime = 9
40
+ iodef-GenerationTime = 10
41
+ iodef-Discovery = 11
42
+ iodef-Assessment = 12
43
+ iodef-Method = 13
44
+ iodef-Contact = 14
45
+ iodef-EventData = 15
46
+ iodef-Indicator = 16
47
+ iodef-History = 17
48
+ iodef-id = 18
49
+ iodef-instance = 19
50
+ iodef-ThreatActor = 20
51
+ iodef-Campaign = 21
52
+ iodef-IndicatorID = 22
53
+ iodef-Confidence = 23
54
+ iodef-ThreatActorID = 24
55
+ iodef-CampaignID = 25
56
+ iodef-role = 26
57
+ iodef-ext-role = 27
58
+ iodef-type = 28
59
+ iodef-ext-type = 29
60
+ iodef-ContactName = 30
61
+ iodef-ContactTitle = 31
62
+ iodef-RegistryHandle = 32
63
+ iodef-PostalAddress = 33
64
+ iodef-Email = 34
65
+ iodef-Telephone = 35
66
+ iodef-Timezone = 36
67
+ iodef-handle = 37
68
+ iodef-registry = 38
69
+ iodef-ext-registry = 39
70
+ iodef-PAddress = 40
71
+ iodef-EmailTo = 41
72
+ iodef-TelephoneNumber = 42
73
+ iodef-source = 43
74
+ iodef-ext-source = 44
75
+ iodef-DetectionPattern = 45
76
+ iodef-DetectionConfiguration = 46
77
+ iodef-Application = 47
78
+ iodef-Reference = 48
79
+ iodef-AttackPattern = 49
80
+ iodef-Vulnerability = 50
81
+ iodef-Weakness = 51
82
+ iodef-SpecID = 52
83
+ iodef-ext-SpecID = 53
84
+ iodef-ContentID = 54
85
+ iodef-RawData = 55
86
+ iodef-Platform = 56
87
+ iodef-Scoring = 57
88
+ iodef-ReferenceName = 58
89
+ iodef-specIndex = 59
90
+ iodef-ID = 60
91
+ iodef-occurrence = 61
92
+ iodef-IncidentCategory = 62
93
+ iodef-Impact = 63
94
+ iodef-SystemImpact = 64
95
+ iodef-BusinessImpact = 65
96
+ iodef-TimeImpact = 66
97
+ iodef-MonetaryImpact = 67
98
+ iodef-IntendedImpact = 68
99
+ iodef-Counter = 69
100
+ iodef-MitigatingFactor = 70
101
+ iodef-Cause = 71
102
+ iodef-severity = 72
103
+ iodef-completion = 73
104
+ iodef-ext-severity = 74
105
+ iodef-metric = 75
106
+ iodef-ext-metric = 76
107
+ iodef-duration = 77
108
+ iodef-ext-duration = 78
109
+ iodef-currency = 79
110
+ iodef-rating = 80
111
+ iodef-ext-rating = 81
112
+ iodef-HistoryItem = 82
113
+ iodef-action = 83
114
+ iodef-ext-action = 84
115
+ iodef-DateTime = 85
116
+ iodef-DefinedCOA = 86
117
+ iodef-System = 87
118
+ iodef-Expectation = 88
119
+ iodef-RecordData = 89
120
+ iodef-category = 90
121
+ iodef-ext-category = 91
122
+ iodef-interface = 92
123
+ iodef-spoofed = 93
124
+ iodef-virtual = 94
125
+ iodef-ownership = 95
126
+ iodef-ext-ownership = 96
127
+ iodef-Node = 97
128
+ iodef-NodeRole = 98
129
+ iodef-Service = 99
130
+ iodef-OperatingSystem = 100
131
+ iodef-AssetID = 101
132
+ iodef-DomainData = 102
133
+ iodef-Address = 103
134
+ iodef-Location = 104
135
+ iodef-vlan-name = 105
136
+ iodef-vlan-num = 106
137
+ iodef-unit = 107
138
+ iodef-ext-unit = 108
139
+ iodef-system-status = 109
140
+ iodef-ext-system-status = 110
141
+ iodef-domain-status = 111
142
+ iodef-ext-domain-status = 112
143
+ iodef-Name = 113
144
+ iodef-DateDomainWasChecked = 114
145
+ iodef-RegistrationDate = 115
146
+ iodef-ExpirationDate = 116
147
+ iodef-RelatedDNS = 117
148
+ iodef-NameServers = 118
149
+ iodef-DomainContacts = 119
150
+ iodef-Server = 120
151
+ iodef-SameDomainContact = 121
152
+ iodef-ip-protocol = 122
153
+ iodef-ServiceName = 123
154
+ iodef-Port = 124
155
+ iodef-Portlist = 125
156
+ iodef-ProtoCode = 126
157
+ iodef-ProtoType = 127
158
+ iodef-ProtoField = 128
159
+ iodef-ApplicationHeaderField = 129
160
+ iodef-EmailData = 130
161
+ iodef-IANAService = 131
162
+ iodef-EmailFrom = 132
163
+ iodef-EmailSubject = 133
164
+ iodef-EmailX-Mailer = 134
165
+ iodef-EmailHeaderField = 135
166
+ iodef-EmailHeaders = 136
167
+ iodef-EmailBody = 137
168
+ iodef-EmailMessage = 138
169
+ iodef-HashData = 139
170
+ iodef-Signature = 140
171
+ iodef-RecordPattern = 141
172
+ iodef-RecordItem = 142
173
+ iodef-FileData = 143
174
+ iodef-WindowsRegistryKeysModified = 144
175
+ iodef-CertificateData = 145
176
+ iodef-offset = 146
177
+ iodef-offsetunit = 147
178
+ iodef-ext-offsetunit = 148
179
+ iodef-Key = 149
180
+ iodef-registryaction = 150
181
+ iodef-ext-registryaction = 151
182
+ iodef-KeyName = 152
183
+ iodef-KeyValue = 153
184
+ iodef-Certificate = 154
185
+ iodef-X509Data = 155
186
+ iodef-File = 156
187
+ iodef-FileName = 157
188
+ iodef-FileSize = 158
189
+ iodef-FileType = 159
190
+ iodef-AssociatedSoftware = 160
191
+ iodef-FileProperties = 161
192
+ iodef-scope = 162
193
+ iodef-HashTargetID = 163
194
+ iodef-Hash = 164
195
+ iodef-FuzzyHash = 165
196
+ iodef-DigestMethod = 166
197
+ iodef-DigestValue = 167
198
+ iodef-CanonicalizationMethod = 168
199
+ iodef-FuzzyHashValue = 169
200
+ iodef-AlternativeIndicatorID = 170
201
+ iodef-Observable = 171
202
+ iodef-uid-ref = 172
203
+ iodef-IndicatorExpression = 173
204
+ iodef-IndicatorReference = 174
205
+ iodef-AttackPhase = 175
206
+ iodef-BulkObservable = 176
207
+ iodef-BulkObservableFormat = 177
208
+ iodef-BulkObservableList = 178
209
+ iodef-operator = 179
210
+ iodef-ext-operator = 180
211
+ iodef-euid-ref = 181
212
+ iodef-AttackPhaseID = 182
213
+
214
+ iodef = {
215
+ iodef-version => text,
216
+ ? iodef-lang => lang,
217
+ ? iodef-format-id => text
218
+ ? iodef-private-enum-name => text,
219
+ ? iodef-private-enum-id => text,
220
+ iodef-Incident => [+ Incident],
221
+ ? iodef-AdditionalData => [+ ExtensionType]
222
+ }
223
+
224
+ duration = "second" / "minute" / "hour" / "day" / "month" /
225
+ "quarter" / "year" / "ext-value"
226
+ lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
227
+
228
+ restriction = "public" / "partner" / "need-to-know" / "private" /
229
+ "default" / "white" / "green" / "amber" / "red" /
230
+ "ext-value"
231
+ SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
232
+ IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
233
+ IDREFType = IDtype
234
+ URLtype = uri
235
+ TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
236
+ PortlistType = text .regexp
237
+ "[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
238
+ action = "nothing" / "contact-source-site" / "contact-target-site" /
239
+ "contact-sender" / "investigate" / "block-host" /
240
+ "block-network" / "block-port" / "rate-limit-host" /
241
+ "rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
242
+ "honeypot" / "upgrade-software" / "rebuild-asset" /
243
+ "harden-asset" / "remediate-other" / "status-triage" /
244
+ "status-new-info" / "watch-and-report" / "training" /
245
+ "defined-coa" / "other" / "ext-value"
246
+
247
+ DATETIME = tdate
248
+
249
+ BYTE = eb64legacy
250
+
251
+ MLStringType = {
252
+ iodef-value => text,
253
+ ? iodef-lang => lang,
254
+ ? iodef-translation-id => text
255
+ } / text
256
+
257
+ PositiveFloatType = float32 .gt 0
258
+
259
+ PAddressType = MLStringType
260
+
261
+ ExtensionType = {
262
+ iodef-value => text,
263
+ ? iodef-name => text,
264
+ iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
265
+ "date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
266
+ "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
267
+ "json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
268
+ "ext-value"
269
+ .default "string"
270
+ ? iodef-ext-dtype => text,
271
+ ? iodef-meaning => text,
272
+ ? iodef-formatid => text,
273
+ ? iodef-restriction => restriction .default "private",
274
+ ? iodef-ext-restriction => text,
275
+ ? iodef-observable-id => IDtype,
276
+ }
277
+
278
+ SoftwareType = {
279
+ ? iodef-SoftwareReference => SoftwareReference,
280
+ ? iodef-URL => [+ URLtype],
281
+ ? iodef-Description => [+ MLStringType]
282
+ }
283
+
284
+ SoftwareReference = {
285
+ ? iodef-value => text,
286
+ iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
287
+ ? iodef-ext-spec-name => text,
288
+ ? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
289
+ "ext-value" .default "string",
290
+ ? iodef-ext-dtype => text
291
+ }
292
+
293
+ Incident = {
294
+ iodef-purpose => "traceback" / "mitigation" / "reporting" /
295
+ "watch" / "other" / "ext-value",
296
+ ? iodef-ext-purpose => text,
297
+ ? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
298
+ "future" / "ext-value",
299
+ ? iodef-ext-status => text,
300
+ ? iodef-lang => lang,
301
+ ? iodef-restriction => restriction .default "private",
302
+ ? iodef-ext-restriction => text,
303
+ ? iodef-observable-id => IDtype,
304
+ iodef-IncidentID => IncidentID,
305
+ ? iodef-AlternativeID => AlternativeID,
306
+ ? iodef-RelatedActivity => [+ RelatedActivity],
307
+ ? iodef-DetectTime => DATETIME,
308
+ ? iodef-StartTime => DATETIME,
309
+ ? iodef-EndTime => DATETIME,
310
+ ? iodef-RecoveryTime => DATETIME,
311
+ ? iodef-ReportTime => DATETIME,
312
+ iodef-GenerationTime => DATETIME,
313
+ ? iodef-Description => [+ MLStringType],
314
+ ? iodef-Discovery => [+ Discovery],
315
+ ? iodef-Assessment => [+ Assessment],
316
+ ? iodef-Method => [+ Method],
317
+ iodef-Contact => [+ Contact],
318
+ ? iodef-EventData => [+ EventData],
319
+ ? iodef-Indicator => [+ Indicator],
320
+ ? iodef-History => History,
321
+ ? iodef-AdditionalData => [+ ExtensionType]
322
+ }
323
+
324
+ IncidentID = {
325
+ iodef-id => text,
326
+ iodef-name => text,
327
+ ? iodef-instance => text,
328
+ ? iodef-restriction => restriction .default "private",
329
+ ? iodef-ext-restriction => text
330
+ }
331
+
332
+ AlternativeID = {
333
+ ? iodef-restriction => restriction .default "private",
334
+ ? iodef-ext-restriction => text,
335
+ iodef-IncidentID => [+ IncidentID]
336
+ }
337
+
338
+ RelatedActivity = {
339
+ ? iodef-restriction => restriction .default "private",
340
+ ? iodef-ext-restriction => text,
341
+ ? iodef-IncidentID => [+ IncidentID],
342
+ ? iodef-URL => [+ URLtype],
343
+ ? iodef-ThreatActor => [+ ThreatActor],
344
+ ? iodef-Campaign => [+ Campaign],
345
+ ? iodef-IndicatorID => [+ IndicatorID],
346
+ ? iodef-Confidence => Confidence,
347
+ ? iodef-Description => [+ text],
348
+ ? iodef-AdditionalData => [+ ExtensionType]
349
+ }
350
+
351
+ ThreatActor = {
352
+ ? iodef-restriction => restriction .default "private",
353
+ ? iodef-ext-restriction => text,
354
+ ? iodef-ThreatActorID => [+ text],
355
+ ? iodef-URL => [+ URLtype],
356
+ ? iodef-Description => [+ MLStringType],
357
+ ? iodef-AdditionalData => [+ ExtensionType]
358
+ }
359
+
360
+ Campaign = {
361
+ ? iodef-restriction => restriction .default "private",
362
+ ? iodef-ext-restriction => text,
363
+ ? iodef-CampaignID => [+ text],
364
+ ? iodef-URL => [+ URLtype],
365
+ ? iodef-Description => [+ MLStringType],
366
+ ? iodef-AdditionalData => [+ ExtensionType]
367
+ }
368
+
369
+ Contact = {
370
+ iodef-role => "creator" / "reporter" / "admin" / "tech" /
371
+ "provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
372
+ "cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
373
+ "victim" / "victim-notified" / "ext-value",
374
+ ? iodef-ext-role => text,
375
+ iodef-type => "person" / "organization" / "ext-value",
376
+ ? iodef-ext-type => text,
377
+ ? iodef-restriction => restriction .default "private",
378
+ ? iodef-ext-restriction => text,
379
+ ? iodef-ContactName => [+ MLStringType],
380
+ ? iodef-ContactTitle => [+ MLStringType],
381
+ ? iodef-Description => [+ MLStringType],
382
+ ? iodef-RegistryHandle => [+ RegistryHandle],
383
+ ? iodef-PostalAddress => [+ PostalAddress],
384
+ ? iodef-Email => [+ Email],
385
+ ? iodef-Telephone => [+ Telephone],
386
+ ? iodef-Timezone => TimeZonetype,
387
+ ? iodef-Contact => [+ Contact],
388
+ ? iodef-AdditionalData => [+ ExtensionType]
389
+ }
390
+
391
+ RegistryHandle = {
392
+ iodef-handle => text,
393
+ iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
394
+ "ripe" / "afrinic" / "local" / "ext-value",
395
+ ? iodef-ext-registry => text
396
+ }
397
+
398
+ PostalAddress = {
399
+ ? iodef-type => "street" / "mailing" / "ext-value",
400
+ ? iodef-ext-type => text,
401
+ iodef-PAddress => PAddressType,
402
+ ? iodef-Description => [+ MLStringType]
403
+ }
404
+
405
+ Email = {
406
+ ? iodef-type => "direct" / "hotline" / "ext-value",
407
+ ? iodef-ext-type => text,
408
+ iodef-EmailTo => text,
409
+ ? iodef-Description => [+ MLStringType]
410
+ }
411
+
412
+ Telephone = {
413
+ ? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
414
+ "ext-value",
415
+ ? iodef-ext-type => text,
416
+ iodef-TelephoneNumber => text,
417
+ ? iodef-Description => [+ MLStringType]
418
+ }
419
+
420
+ Discovery = {
421
+ ? iodef-source => "nidps" / "hips" / "siem" / "av" /
422
+ "third-party-monitoring" / "incident" / "os-log" /
423
+ "application-log" / "device-log" / "network-flow" /
424
+ "passive-dns" / "investigation" / "audit" /
425
+ "internal-notification" / "external-notification" /
426
+ "leo" / "partner" / "actor" / "unknown" / "ext-value",
427
+ ? iodef-ext-source => text,
428
+ ? iodef-restriction => restriction .default "private",
429
+ ? iodef-ext-restriction => text,
430
+ ? iodef-Description => [+ MLStringType],
431
+ ? iodef-Contact => [+ Contact],
432
+ ? iodef-DetectionPattern => [+ DetectionPattern]
433
+ }
434
+
435
+ DetectionPattern = {
436
+ ? iodef-restriction => restriction .default "private",
437
+ ? iodef-ext-restriction => text,
438
+ ? iodef-observable-id => IDtype,
439
+ (iodef-Description => [+ MLStringType] //
440
+ iodef-DetectionConfiguration => [+ text]),
441
+ iodef-Application => SoftwareType
442
+ }
443
+
444
+ Method = {
445
+ ? iodef-restriction => restriction .default "private",
446
+ ? iodef-ext-restriction => text,
447
+ ? iodef-Reference => [+ Reference],
448
+ ? iodef-Description => [+ MLStringType],
449
+ ? iodef-AttackPattern => [+ STRUCTUREDINFO],
450
+ ? iodef-Vulnerability => [+ STRUCTUREDINFO],
451
+ ? iodef-Weakness => [+ STRUCTUREDINFO],
452
+ ? iodef-AdditionalData => [+ ExtensionType]
453
+ }
454
+
455
+ STRUCTUREDINFO = {
456
+ iodef-SpecID => SpecID,
457
+ ? iodef-ext-SpecID => text,
458
+ ? iodef-ContentID => text,
459
+ ? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
460
+ ? iodef-Platform => [+ Platform],
461
+ ? iodef-Scoring => [+ Scoring]
462
+ }
463
+
464
+ Platform = {
465
+ iodef-SpecID => SpecID,
466
+ ? iodef-ext-SpecID => text,
467
+ ? iodef-ContentID => text,
468
+ ? iodef-RawData => [+ BYTE],
469
+ ? iodef-Reference => [+ Reference]
470
+ }
471
+ Scoring = {
472
+ iodef-SpecID => SpecID,
473
+ ? iodef-ext-SpecID => text,
474
+ ? iodef-ContentID => text,
475
+ ? iodef-RawData => [+ BYTE],
476
+ ? iodef-Reference => [+ Reference]
477
+ }
478
+ Reference = {
479
+ ? iodef-observable-id => IDtype,
480
+ ? iodef-ReferenceName => ReferenceName,
481
+ ? iodef-URL => [+ URLtype],
482
+ ? iodef-Description => [+ MLStringType]
483
+ }
484
+
485
+ ReferenceName = {
486
+ iodef-specIndex => integer,
487
+ iodef-ID => IDtype
488
+ }
489
+
490
+ Assessment = {
491
+ ? iodef-occurrence => "actual" / "potential",
492
+ ? iodef-restriction => restriction .default "private",
493
+ ? iodef-ext-restriction => text,
494
+ ? iodef-observable-id => IDtype,
495
+ ? iodef-IncidentCategory => [+ MLStringType],
496
+ iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
497
+ {iodef-BusinessImpact => BusinessImpact} /
498
+ {iodef-TimeImpact => TimeImpact} /
499
+ {iodef-MonetaryImpact => MonetaryImpact} /
500
+ {iodef-IntendedImpact => BusinessImpact}],
501
+ ? iodef-Counter => [+ Counter],
502
+ ? iodef-MitigatingFactor => [+ MLStringType],
503
+ ? iodef-Cause => [+ MLStringType],
504
+ ? iodef-Confidence => Confidence,
505
+ ? iodef-AdditionalData => [+ ExtensionType]
506
+ }
507
+
508
+ SystemImpact = {
509
+ ? iodef-severity => "low" / "medium" / "high",
510
+ ? iodef-completion => "failed" / "succeeded",
511
+ iodef-type => "takeover-account" / "takeover-service" /
512
+ "takeover-system" / "cps-manipulation" / "cps-damage" /
513
+ "availability-data" / "availability-account" /
514
+ "availability-service" / "availability-system" / "damaged-system" /
515
+ "damaged-data" / "breach-proprietary" / "breach-privacy" /
516
+ "breach-credential" / "breach-configuration" / "integrity-data" /
517
+ "integrity-configuration" / "integrity-hardware" /
518
+ "traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
519
+ "policy" / "unknown" / "ext-value" .default "unknown",
520
+ ? iodef-ext-type => text,
521
+ ? iodef-Description => [+ MLStringType]
522
+ }
523
+
524
+ BusinessImpact = {
525
+ ? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
526
+ "ext-value" .default "unknown",
527
+ ? iodef-ext-severity => text,
528
+ iodef-type => "breach-proprietary" / "breach-privacy" /
529
+ "breach-credential" / "loss-of-integrity" / "loss-of-service" /
530
+ "theft-financial" / "theft-service" / "degraded-reputation" /
531
+ "asset-damage" / "asset-manipulation" / "legal" / "extortion" /
532
+ "unknown" / "ext-value" .default "unknown",
533
+ ? iodef-ext-type => text,
534
+ ? iodef-Description => [+ MLStringType]
535
+ }
536
+
537
+ TimeImpact = {
538
+ iodef-value => PositiveFloatType,
539
+ ? iodef-severity => "low" / "medium" / "high",
540
+ iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
541
+ ? iodef-ext-metric => text,
542
+ ? iodef-duration => duration .default "hour",
543
+ ? iodef-ext-duration => text
544
+ }
545
+
546
+ MonetaryImpact = {
547
+ iodef-value => PositiveFloatType,
548
+ ? iodef-severity => "low" / "medium" / "high",
549
+ ? iodef-currency => text
550
+ }
551
+
552
+ Confidence = {
553
+ iodef-value => float32,
554
+ iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
555
+ "ext-value",
556
+ ? iodef-ext-rating => text
557
+ }
558
+
559
+ History = {
560
+ ? iodef-restriction => restriction .default "private",
561
+ ? iodef-ext-restriction => text,
562
+ iodef-HistoryItem => [+ HistoryItem]
563
+ }
564
+
565
+ HistoryItem = {
566
+ iodef-action => action .default "other",
567
+ ? iodef-ext-action => text,
568
+ ? iodef-restriction => restriction .default "private",
569
+ ? iodef-ext-restriction => text,
570
+ ? iodef-observable-id => IDtype,
571
+ iodef-DateTime => DATETIME,
572
+ ? iodef-IncidentID => IncidentID,
573
+ ? iodef-Contact => Contact,
574
+ ? iodef-Description => [+ MLStringType],
575
+ ? iodef-DefinedCOA => [+ text],
576
+ ? iodef-AdditionalData => [+ ExtensionType]
577
+ }
578
+
579
+ EventData = {
580
+ ? iodef-restriction => restriction .default "default",
581
+ ? iodef-ext-restriction => text,
582
+ ? iodef-observable-id => IDtype,
583
+ ? iodef-Description => [+ MLStringType],
584
+ ? iodef-DetectTime => DATETIME,
585
+ ? iodef-StartTime => DATETIME,
586
+ ? iodef-EndTime => DATETIME,
587
+ ? iodef-RecoveryTime => DATETIME,
588
+ ? iodef-ReportTime => DATETIME,
589
+ ? iodef-Contact => [+ Contact],
590
+ ? iodef-Discovery => [+ Discovery],
591
+ ? iodef-Assessment => Assessment,
592
+ ? iodef-Method => [+ Method],
593
+ ? iodef-System => [+ System],
594
+ ? iodef-Expectation => [+ Expectation],
595
+ ? iodef-RecordData => [+ RecordData],
596
+ ? iodef-EventData => [+ EventData],
597
+ ? iodef-AdditionalData => [+ ExtensionType]
598
+ }
599
+
600
+ Expectation = {
601
+ ? iodef-action => action .default "other",
602
+ ? iodef-ext-action => text,
603
+ ? iodef-severity => "low" / "medium" / "high",
604
+ ? iodef-restriction => restriction .default "default",
605
+ ? iodef-ext-restriction => text,
606
+ ? iodef-observable-id => IDtype,
607
+ ? iodef-Description => [+ MLStringType],
608
+ ? iodef-DefinedCOA => [+ text],
609
+ ? iodef-StartTime => DATETIME,
610
+ ? iodef-EndTime => DATETIME,
611
+ ? iodef-Contact => Contact
612
+ }
613
+
614
+ System = {
615
+ ? iodef-category => "source" / "target" / "intermediate" /
616
+ "sensor" / "infrastructure" / "ext-value",
617
+ ? iodef-ext-category => text,
618
+ ? iodef-interface => text,
619
+ ? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
620
+ ? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
621
+ ? iodef-ownership => "organization" / "personal" / "partner" /
622
+ "customer" / "no-relationship" / "unknown" / "ext-value",
623
+ ? iodef-ext-ownership => text,
624
+ ? iodef-restriction => restriction .default "private",
625
+ ? iodef-ext-restriction => text,
626
+ ? iodef-observable-id => IDtype,
627
+ iodef-Node => Node,
628
+ ? iodef-NodeRole => [+ NodeRole],
629
+ ? iodef-Service => [+ Service],
630
+ ? iodef-OperatingSystem => [+ SoftwareType],
631
+ ? iodef-Counter => [+ Counter],
632
+ ? iodef-AssetID => [+ text],
633
+ ? iodef-Description => [+ MLStringType],
634
+ ? iodef-AdditionalData => [+ ExtensionType]
635
+ }
636
+
637
+ Node = {
638
+ (iodef-DomainData => [+ DomainData] //
639
+ iodef-Address => [+ Address]),
640
+ ? iodef-PostalAddress => PostalAddress,
641
+ ? iodef-Location => [+ MLStringType],
642
+ ? iodef-Counter => [+ Counter]
643
+ }
644
+
645
+ Address = {
646
+ iodef-value => text,
647
+ iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
648
+ "ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
649
+ "ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
650
+ "ext-value" .default "ipv6-addr",
651
+ ? iodef-ext-category => text,
652
+ ? iodef-vlan-name => text,
653
+ ? iodef-vlan-num => integer,
654
+ ? iodef-observable-id => IDtype
655
+ }
656
+
657
+ NodeRole = {
658
+ iodef-category => "client" / "client-enterprise" /
659
+ "client-partner" / "client-remote" / "client-kiosk" /
660
+ "client-mobile" / "server-internal" / "server-public" /
661
+ "www" / "mail" / "webmail" / "messaging" / "streaming" /
662
+ "voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
663
+ "credential" / "print" / "application" / "database" /
664
+ "backup" / "dhcp" / "assessment" / "source-control" /
665
+ "config-management" / "monitoring" / "infra" / "infra-firewall" /
666
+ "infra-router" / "infra-switch" / "camera" / "proxy" /
667
+ "remote-access" / "log" / "virtualization" / "pos" / "scada" /
668
+ "scada-supervisory" / "sinkhole" / "honeypot" /
669
+ "anomyzation" / "c2-server" / "malware-distribution" /
670
+ "drop-server" / "hop-point" / "reflector" /
671
+ "phishing-site" / "spear-phishing-site" / "recruiting-site" /
672
+ "fraudulent-site" / "ext-value",
673
+ ? iodef-ext-category => text,
674
+ ? iodef-Description => [+ MLStringType]
675
+ }
676
+
677
+ Counter = {
678
+ iodef-value => float32,
679
+ iodef-type => "count" / "peak" / "average" / "ext-value",
680
+ ? iodef-ext-type => text,
681
+ iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
682
+ "alert" / "message" / "event" / "host" / "site" / "organization" /
683
+ "ext-value",
684
+ ? iodef-ext-unit => text,
685
+ ? iodef-meaning => text,
686
+ ? iodef-duration => duration .default "hour",
687
+ ? iodef-ext-duration => text
688
+ }
689
+
690
+ DomainData = {
691
+ iodef-system-status => "spoofed" / "fraudulent" /
692
+ "innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
693
+ ? iodef-ext-system-status => text,
694
+ iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
695
+ "assignedAndInactive" / "assignedAndOnHold" /
696
+ "revoked" / "transferPending" / "registryLock" /
697
+ "registrarLock" / "other" / "unknown" / "ext-value",
698
+ ? iodef-ext-domain-status => text,
699
+ ? iodef-observable-id => IDtype,
700
+ iodef-Name => text,
701
+ ? iodef-DateDomainWasChecked => DATETIME,
702
+ ? iodef-RegistrationDate => DATETIME,
703
+ ? iodef-ExpirationDate => DATETIME,
704
+ ? iodef-RelatedDNS => [+ ExtensionType],
705
+ ? iodef-NameServers => [+ NameServers],
706
+ ? iodef-DomainContacts => DomainContacts
707
+ }
708
+
709
+ NameServers = {
710
+ iodef-Server => text,
711
+ iodef-Address => [+ Address]
712
+ }
713
+
714
+ DomainContacts = {
715
+ (iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
716
+ }
717
+
718
+ Service = {
719
+ ? iodef-ip-protocol => integer,
720
+ ? iodef-observable-id => IDtype,
721
+ ? iodef-ServiceName => ServiceName,
722
+ ? iodef-Port => integer,
723
+ ? iodef-Portlist => PortlistType,
724
+ ? iodef-ProtoCode => integer,
725
+ ? iodef-ProtoType => integer,
726
+ ? iodef-ProtoField => integer,
727
+ ? iodef-ApplicationHeaderField => [+ ExtensionType],
728
+ ? iodef-EmailData => EmailData,
729
+ ? iodef-Application => SoftwareType
730
+ }
731
+
732
+ ServiceName = {
733
+ ? iodef-IANAService => text,
734
+ ? iodef-URL => [+ URLtype],
735
+ ? iodef-Description => [+ MLStringType]
736
+ }
737
+
738
+ EmailData = {
739
+ ? iodef-observable-id => IDtype,
740
+ ? iodef-EmailTo => [+ text],
741
+ ? iodef-EmailFrom => text,
742
+ ? iodef-EmailSubject => text,
743
+ ? iodef-EmailX-Mailer => text,
744
+ ? iodef-EmailHeaderField => [+ ExtensionType],
745
+ ? iodef-EmailHeaders => text,
746
+ ? iodef-EmailBody => text,
747
+ ? iodef-EmailMessage => text,
748
+ ? iodef-HashData => [+ HashData],
749
+ ? iodef-Signature => [+ BYTE]
750
+ }
751
+
752
+ RecordData = {
753
+ ? iodef-restriction => restriction .default "private",
754
+ ? iodef-ext-restriction => text,
755
+ ? iodef-observable-id => IDtype,
756
+ ? iodef-DateTime => DATETIME,
757
+ ? iodef-Description => [+ MLStringType],
758
+ ? iodef-Application => SoftwareType,
759
+ ? iodef-RecordPattern => [+ RecordPattern],
760
+ ? iodef-RecordItem => [+ ExtensionType],
761
+ ? iodef-URL => [+ URLtype],
762
+ ? iodef-FileData => [+ FileData],
763
+ ? iodef-WindowsRegistryKeysModified =>
764
+ [+ WindowsRegistryKeysModified],
765
+ ? iodef-CertificateData => [+ CertificateData],
766
+ ? iodef-AdditionalData => [+ ExtensionType]
767
+ }
768
+
769
+ RecordPattern = {
770
+ iodef-value => text,
771
+ iodef-type => "regex" / "binary" / "xpath" /
772
+ "ext-value" .default "regex",
773
+ ? iodef-ext-type => text,
774
+ ? iodef-offset => integer,
775
+ ? iodef-offsetunit => "line" / "byte" /
776
+ "ext-value" .default "line",
777
+ ? iodef-ext-offsetunit => text,
778
+ ? iodef-instance => integer
779
+ }
780
+
781
+ WindowsRegistryKeysModified = {
782
+ ? iodef-observable-id => IDtype,
783
+ iodef-Key => [+ Key]
784
+ }
785
+
786
+ Key = {
787
+ ? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
788
+ "delete-value" / "modify-key" / "modify-value" /
789
+ "ext-value",
790
+ ? iodef-ext-registryaction => text,
791
+ ? iodef-observable-id => IDtype,
792
+ iodef-KeyName => text,
793
+ ? iodef-KeyValue => text
794
+ }
795
+
796
+ CertificateData = {
797
+ ? iodef-restriction => restriction .default "private",
798
+ ? iodef-ext-restriction => text,
799
+ ? iodef-observable-id => IDtype,
800
+ iodef-Certificate => [+ Certificate]
801
+ }
802
+
803
+ Certificate = {
804
+ ? iodef-observable-id => IDtype,
805
+ iodef-X509Data => BYTE,
806
+ ? iodef-Description => [+ MLStringType]
807
+ }
808
+
809
+ FileData = {
810
+ ? iodef-restriction => restriction .default "private",
811
+ ? iodef-ext-restriction => text,
812
+ ? iodef-observable-id => IDtype,
813
+ iodef-File => [+ File]
814
+ }
815
+
816
+ File = {
817
+ ? iodef-observable-id => IDtype,
818
+ ? iodef-FileName => text,
819
+ ? iodef-FileSize => integer,
820
+ ? iodef-FileType => text,
821
+ ? iodef-URL => [+ URLtype],
822
+ ? iodef-HashData => HashData,
823
+ ? iodef-Signature => [+ BYTE],
824
+ ? iodef-AssociatedSoftware => SoftwareType,
825
+ ? iodef-FileProperties => [+ ExtensionType]
826
+ }
827
+
828
+ HashData = {
829
+ iodef-scope => "file-contents" / "file-pe-section" /
830
+ "file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
831
+ "email-hash" / "email-headers-hash" / "email-body-hash" /
832
+ "ext-value",
833
+ ? iodef-HashTargetID => text,
834
+ ? iodef-Hash => [+ Hash],
835
+ ? iodef-FuzzyHash => [+ FuzzyHash]
836
+ }
837
+
838
+ Hash = {
839
+ iodef-DigestMethod => BYTE,
840
+ iodef-DigestValue => BYTE,
841
+ ? iodef-CanonicalizationMethod => BYTE,
842
+ ? iodef-Application => SoftwareType
843
+ }
844
+
845
+ FuzzyHash = {
846
+ iodef-FuzzyHashValue => [+ ExtensionType],
847
+ ? iodef-Application => SoftwareType,
848
+ ? iodef-AdditionalData => [+ ExtensionType]
849
+ }
850
+
851
+ Indicator = {
852
+ ? iodef-restriction => restriction .default "private",
853
+ ? iodef-ext-restriction => text,
854
+ iodef-IndicatorID => IndicatorID,
855
+ ? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
856
+ ? iodef-Description => [+ MLStringType],
857
+ ? iodef-StartTime => DATETIME,
858
+ ? iodef-EndTime => DATETIME,
859
+ ? iodef-Confidence => Confidence,
860
+ ? iodef-Contact => [+ Contact],
861
+ (iodef-Observable => Observable // iodef-uid-ref => IDREFType //
862
+ iodef-IndicatorExpression => IndicatorExpression //
863
+ iodef-IndicatorReference => IndicatorReference),
864
+ ? iodef-NodeRole => [+ NodeRole],
865
+ ? iodef-AttackPhase => [+ AttackPhase],
866
+ ? iodef-Reference => [+ Reference],
867
+ ? iodef-AdditionalData => [+ ExtensionType]
868
+ }
869
+
870
+ IndicatorID = {
871
+ iodef-id => IDtype,
872
+ iodef-name => text,
873
+ iodef-version => text
874
+ }
875
+
876
+ AlternativeIndicatorID = {
877
+ ? iodef-restriction => restriction .default "private",
878
+ ? iodef-ext-restriction => text,
879
+ iodef-IndicatorID => [+ IndicatorID]
880
+ }
881
+
882
+ Observable = {
883
+ ? iodef-restriction => restriction .default "private",
884
+ ? iodef-ext-restriction => text,
885
+ ? (iodef-System => System // iodef-Address => Address //
886
+ iodef-DomainData => DomainData //
887
+ iodef-EmailData => EmailData //
888
+ iodef-Service => Service //
889
+ iodef-WindowsRegistryKeysModified =>
890
+ WindowsRegistryKeysModified //
891
+ iodef-FileData => FileData //iodef-CertificateData =>
892
+ CertificateData //
893
+ iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>
894
+ RecordData //
895
+ iodef-EventData => EventData // iodef-Incident => Incident //
896
+ iodef-Expectation => Expectation // iodef-Reference =>
897
+ Reference //
898
+ iodef-Assessment => Assessment //
899
+ iodef-DetectionPattern => DetectionPattern //
900
+ iodef-HistoryItem => HistoryItem //
901
+ iodef-BulkObservable => BulkObservable //
902
+ iodef-AdditionalData => [+ ExtensionType])
903
+ }
904
+
905
+ BulkObservable = {
906
+ ? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
907
+ "ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
908
+ "ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
909
+ "domain-to-ipv4" / "domain-to-ipv6" /
910
+ "domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
911
+ "ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
912
+ "email-x-mailer" / "email-subject" / "http-user-agent" /
913
+ "http-request-uri" / "mutex" / "file-path" / "user-name" /
914
+ "ext-value",
915
+ ? iodef-ext-type => text,
916
+ ? iodef-BulkObservableFormat => BulkObservableFormat,
917
+ iodef-BulkObservableList => text,
918
+ ? iodef-AdditionalData => [+ ExtensionType]
919
+ }
920
+
921
+ BulkObservableFormat = {
922
+ (iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
923
+ }
924
+
925
+ IndicatorExpression = {
926
+ ? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
927
+ ? iodef-ext-operator => text,
928
+ ? iodef-IndicatorExpression => [+ IndicatorExpression],
929
+ ? iodef-Observable => [+ Observable],
930
+ ? iodef-uid-ref => [+ IDREFType],
931
+ ? iodef-IndicatorReference => [+ IndicatorReference],
932
+ ? iodef-Confidence => Confidence,
933
+ ? iodef-AdditionalData => [+ ExtensionType]
934
+ }
935
+
936
+ IndicatorReference = {
937
+ (iodef-uid-ref => IDREFType // iodef-euid-ref => text),
938
+ ? iodef-version => text
939
+ }
940
+
941
+ AttackPhase = {
942
+ ? iodef-AttackPhaseID => [+ text],
943
+ ? iodef-URL => [+ URLtype],
944
+ ? iodef-Description => [+ MLStringType],
945
+ ? iodef-AdditionalData => [+ ExtensionType]
946
+ }