cddlc 0.1.1 → 0.1.3
- checksums.yaml +4 -4
- data/bin/cddlc +1 -44
- data/cddlc.gemspec +1 -1
- data/data/rfc8727.cddl +946 -0
- data/data/rfc8927.cddl +96 -0
- data/data/rfc8990.cddl +213 -0
- data/data/rfc9053.cddl +21 -0
- data/data/rfc9054.cddl +13 -0
- data/data/rfc9090.cddl +14 -0
- data/data/rfc9115.cddl +99 -0
- data/data/rfc9164.cddl +32 -0
- data/data/rfc9165.cddl +35 -0
- data/data/rfc9171.cddl +334 -0
- data/data/rfc9173.cddl +36 -0
- data/data/rfc9177.cddl +6 -0
- data/data/rfc9202.cddl +6 -0
- data/data/rfc9203.cddl +11 -0
- data/data/rfc9237.cddl +27 -0
- data/data/rfc9277.cddl +11 -0
- data/data/rfc9290.cddl +37 -0
- data/data/rfc9321.cddl +67 -0
- data/data/rfc9338.cddl +34 -0
- data/lib/cddlc.rb +138 -6
- data/lib/parser/cddl-util.rb +1 -1
- data/lib/processor/cddl-expander.rb +13 -10
- data/lib/processor/cddl-undefined.rb +25 -16
- data/lib/processor/cddl-visitor.rb +2 -0
- data/lib/writer/cddl-writer.rb +38 -25
- metadata +21 -2
data/data/rfc8727.cddl
ADDED
@@ -0,0 +1,946 @@
|
|
1
|
+
|
2
|
+
start = iodef
|
3
|
+
|
4
|
+
;;; iodef.json: IODEF-Document
|
5
|
+
|
6
|
+
iodef-version = -24
|
7
|
+
iodef-lang = -23
|
8
|
+
iodef-format-id = -22
|
9
|
+
iodef-private-enum-name = -21
|
10
|
+
iodef-private-enum-id = -20
|
11
|
+
iodef-Incident = -19
|
12
|
+
iodef-AdditionalData = -18
|
13
|
+
iodef-value = -17
|
14
|
+
iodef-translation-id = -16
|
15
|
+
iodef-name = -15
|
16
|
+
iodef-dtype = -14
|
17
|
+
iodef-ext-dtype = -13
|
18
|
+
iodef-meaning = -12
|
19
|
+
iodef-formatid = -11
|
20
|
+
iodef-restriction = -10
|
21
|
+
iodef-ext-restriction = -9
|
22
|
+
iodef-observable-id = -8
|
23
|
+
iodef-SoftwareReference = -7
|
24
|
+
iodef-URL = -6
|
25
|
+
iodef-Description = -5
|
26
|
+
iodef-spec-name = -4
|
27
|
+
iodef-ext-spec-name = -3
|
28
|
+
iodef-purpose = -2
|
29
|
+
iodef-ext-purpose = -1
|
30
|
+
iodef-status = 0
|
31
|
+
iodef-ext-status = 1
|
32
|
+
iodef-IncidentID = 2
|
33
|
+
iodef-AlternativeID = 3
|
34
|
+
iodef-RelatedActivity = 4
|
35
|
+
iodef-DetectTime = 5
|
36
|
+
iodef-StartTime = 6
|
37
|
+
iodef-EndTime = 7
|
38
|
+
iodef-RecoveryTime = 8
|
39
|
+
iodef-ReportTime = 9
|
40
|
+
iodef-GenerationTime = 10
|
41
|
+
iodef-Discovery = 11
|
42
|
+
iodef-Assessment = 12
|
43
|
+
iodef-Method = 13
|
44
|
+
iodef-Contact = 14
|
45
|
+
iodef-EventData = 15
|
46
|
+
iodef-Indicator = 16
|
47
|
+
iodef-History = 17
|
48
|
+
iodef-id = 18
|
49
|
+
iodef-instance = 19
|
50
|
+
iodef-ThreatActor = 20
|
51
|
+
iodef-Campaign = 21
|
52
|
+
iodef-IndicatorID = 22
|
53
|
+
iodef-Confidence = 23
|
54
|
+
iodef-ThreatActorID = 24
|
55
|
+
iodef-CampaignID = 25
|
56
|
+
iodef-role = 26
|
57
|
+
iodef-ext-role = 27
|
58
|
+
iodef-type = 28
|
59
|
+
iodef-ext-type = 29
|
60
|
+
iodef-ContactName = 30
|
61
|
+
iodef-ContactTitle = 31
|
62
|
+
iodef-RegistryHandle = 32
|
63
|
+
iodef-PostalAddress = 33
|
64
|
+
iodef-Email = 34
|
65
|
+
iodef-Telephone = 35
|
66
|
+
iodef-Timezone = 36
|
67
|
+
iodef-handle = 37
|
68
|
+
iodef-registry = 38
|
69
|
+
iodef-ext-registry = 39
|
70
|
+
iodef-PAddress = 40
|
71
|
+
iodef-EmailTo = 41
|
72
|
+
iodef-TelephoneNumber = 42
|
73
|
+
iodef-source = 43
|
74
|
+
iodef-ext-source = 44
|
75
|
+
iodef-DetectionPattern = 45
|
76
|
+
iodef-DetectionConfiguration = 46
|
77
|
+
iodef-Application = 47
|
78
|
+
iodef-Reference = 48
|
79
|
+
iodef-AttackPattern = 49
|
80
|
+
iodef-Vulnerability = 50
|
81
|
+
iodef-Weakness = 51
|
82
|
+
iodef-SpecID = 52
|
83
|
+
iodef-ext-SpecID = 53
|
84
|
+
iodef-ContentID = 54
|
85
|
+
iodef-RawData = 55
|
86
|
+
iodef-Platform = 56
|
87
|
+
iodef-Scoring = 57
|
88
|
+
iodef-ReferenceName = 58
|
89
|
+
iodef-specIndex = 59
|
90
|
+
iodef-ID = 60
|
91
|
+
iodef-occurrence = 61
|
92
|
+
iodef-IncidentCategory = 62
|
93
|
+
iodef-Impact = 63
|
94
|
+
iodef-SystemImpact = 64
|
95
|
+
iodef-BusinessImpact = 65
|
96
|
+
iodef-TimeImpact = 66
|
97
|
+
iodef-MonetaryImpact = 67
|
98
|
+
iodef-IntendedImpact = 68
|
99
|
+
iodef-Counter = 69
|
100
|
+
iodef-MitigatingFactor = 70
|
101
|
+
iodef-Cause = 71
|
102
|
+
iodef-severity = 72
|
103
|
+
iodef-completion = 73
|
104
|
+
iodef-ext-severity = 74
|
105
|
+
iodef-metric = 75
|
106
|
+
iodef-ext-metric = 76
|
107
|
+
iodef-duration = 77
|
108
|
+
iodef-ext-duration = 78
|
109
|
+
iodef-currency = 79
|
110
|
+
iodef-rating = 80
|
111
|
+
iodef-ext-rating = 81
|
112
|
+
iodef-HistoryItem = 82
|
113
|
+
iodef-action = 83
|
114
|
+
iodef-ext-action = 84
|
115
|
+
iodef-DateTime = 85
|
116
|
+
iodef-DefinedCOA = 86
|
117
|
+
iodef-System = 87
|
118
|
+
iodef-Expectation = 88
|
119
|
+
iodef-RecordData = 89
|
120
|
+
iodef-category = 90
|
121
|
+
iodef-ext-category = 91
|
122
|
+
iodef-interface = 92
|
123
|
+
iodef-spoofed = 93
|
124
|
+
iodef-virtual = 94
|
125
|
+
iodef-ownership = 95
|
126
|
+
iodef-ext-ownership = 96
|
127
|
+
iodef-Node = 97
|
128
|
+
iodef-NodeRole = 98
|
129
|
+
iodef-Service = 99
|
130
|
+
iodef-OperatingSystem = 100
|
131
|
+
iodef-AssetID = 101
|
132
|
+
iodef-DomainData = 102
|
133
|
+
iodef-Address = 103
|
134
|
+
iodef-Location = 104
|
135
|
+
iodef-vlan-name = 105
|
136
|
+
iodef-vlan-num = 106
|
137
|
+
iodef-unit = 107
|
138
|
+
iodef-ext-unit = 108
|
139
|
+
iodef-system-status = 109
|
140
|
+
iodef-ext-system-status = 110
|
141
|
+
iodef-domain-status = 111
|
142
|
+
iodef-ext-domain-status = 112
|
143
|
+
iodef-Name = 113
|
144
|
+
iodef-DateDomainWasChecked = 114
|
145
|
+
iodef-RegistrationDate = 115
|
146
|
+
iodef-ExpirationDate = 116
|
147
|
+
iodef-RelatedDNS = 117
|
148
|
+
iodef-NameServers = 118
|
149
|
+
iodef-DomainContacts = 119
|
150
|
+
iodef-Server = 120
|
151
|
+
iodef-SameDomainContact = 121
|
152
|
+
iodef-ip-protocol = 122
|
153
|
+
iodef-ServiceName = 123
|
154
|
+
iodef-Port = 124
|
155
|
+
iodef-Portlist = 125
|
156
|
+
iodef-ProtoCode = 126
|
157
|
+
iodef-ProtoType = 127
|
158
|
+
iodef-ProtoField = 128
|
159
|
+
iodef-ApplicationHeaderField = 129
|
160
|
+
iodef-EmailData = 130
|
161
|
+
iodef-IANAService = 131
|
162
|
+
iodef-EmailFrom = 132
|
163
|
+
iodef-EmailSubject = 133
|
164
|
+
iodef-EmailX-Mailer = 134
|
165
|
+
iodef-EmailHeaderField = 135
|
166
|
+
iodef-EmailHeaders = 136
|
167
|
+
iodef-EmailBody = 137
|
168
|
+
iodef-EmailMessage = 138
|
169
|
+
iodef-HashData = 139
|
170
|
+
iodef-Signature = 140
|
171
|
+
iodef-RecordPattern = 141
|
172
|
+
iodef-RecordItem = 142
|
173
|
+
iodef-FileData = 143
|
174
|
+
iodef-WindowsRegistryKeysModified = 144
|
175
|
+
iodef-CertificateData = 145
|
176
|
+
iodef-offset = 146
|
177
|
+
iodef-offsetunit = 147
|
178
|
+
iodef-ext-offsetunit = 148
|
179
|
+
iodef-Key = 149
|
180
|
+
iodef-registryaction = 150
|
181
|
+
iodef-ext-registryaction = 151
|
182
|
+
iodef-KeyName = 152
|
183
|
+
iodef-KeyValue = 153
|
184
|
+
iodef-Certificate = 154
|
185
|
+
iodef-X509Data = 155
|
186
|
+
iodef-File = 156
|
187
|
+
iodef-FileName = 157
|
188
|
+
iodef-FileSize = 158
|
189
|
+
iodef-FileType = 159
|
190
|
+
iodef-AssociatedSoftware = 160
|
191
|
+
iodef-FileProperties = 161
|
192
|
+
iodef-scope = 162
|
193
|
+
iodef-HashTargetID = 163
|
194
|
+
iodef-Hash = 164
|
195
|
+
iodef-FuzzyHash = 165
|
196
|
+
iodef-DigestMethod = 166
|
197
|
+
iodef-DigestValue = 167
|
198
|
+
iodef-CanonicalizationMethod = 168
|
199
|
+
iodef-FuzzyHashValue = 169
|
200
|
+
iodef-AlternativeIndicatorID = 170
|
201
|
+
iodef-Observable = 171
|
202
|
+
iodef-uid-ref = 172
|
203
|
+
iodef-IndicatorExpression = 173
|
204
|
+
iodef-IndicatorReference = 174
|
205
|
+
iodef-AttackPhase = 175
|
206
|
+
iodef-BulkObservable = 176
|
207
|
+
iodef-BulkObservableFormat = 177
|
208
|
+
iodef-BulkObservableList = 178
|
209
|
+
iodef-operator = 179
|
210
|
+
iodef-ext-operator = 180
|
211
|
+
iodef-euid-ref = 181
|
212
|
+
iodef-AttackPhaseID = 182
|
213
|
+
|
214
|
+
iodef = {
|
215
|
+
iodef-version => text,
|
216
|
+
? iodef-lang => lang,
|
217
|
+
? iodef-format-id => text
|
218
|
+
? iodef-private-enum-name => text,
|
219
|
+
? iodef-private-enum-id => text,
|
220
|
+
iodef-Incident => [+ Incident],
|
221
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
222
|
+
}
|
223
|
+
|
224
|
+
duration = "second" / "minute" / "hour" / "day" / "month" /
|
225
|
+
"quarter" / "year" / "ext-value"
|
226
|
+
lang = "" / text .regexp "[a-zA-Z]{1,8}(-[a-zA-Z0-9]{1,8})*"
|
227
|
+
|
228
|
+
restriction = "public" / "partner" / "need-to-know" / "private" /
|
229
|
+
"default" / "white" / "green" / "amber" / "red" /
|
230
|
+
"ext-value"
|
231
|
+
SpecID = "urn:ietf:params:xml:ns:mile:mmdef:1.2" / "private"
|
232
|
+
IDtype = text .regexp "[a-zA-Z_][a-zA-Z0-9_.-]*"
|
233
|
+
IDREFType = IDtype
|
234
|
+
URLtype = uri
|
235
|
+
TimeZonetype = text .regexp "Z|[\\+\\-](0[0-9]|1[0-4]):[0-5][0-9]"
|
236
|
+
PortlistType = text .regexp
|
237
|
+
"[0-9]+(\\-[0-9]+)?(,[0-9]+(\\-[0-9]+)?)*"
|
238
|
+
action = "nothing" / "contact-source-site" / "contact-target-site" /
|
239
|
+
"contact-sender" / "investigate" / "block-host" /
|
240
|
+
"block-network" / "block-port" / "rate-limit-host" /
|
241
|
+
"rate-limit-network" / "rate-limit-port" / "redirect-traffic" /
|
242
|
+
"honeypot" / "upgrade-software" / "rebuild-asset" /
|
243
|
+
"harden-asset" / "remediate-other" / "status-triage" /
|
244
|
+
"status-new-info" / "watch-and-report" / "training" /
|
245
|
+
"defined-coa" / "other" / "ext-value"
|
246
|
+
|
247
|
+
DATETIME = tdate
|
248
|
+
|
249
|
+
BYTE = eb64legacy
|
250
|
+
|
251
|
+
MLStringType = {
|
252
|
+
iodef-value => text,
|
253
|
+
? iodef-lang => lang,
|
254
|
+
? iodef-translation-id => text
|
255
|
+
} / text
|
256
|
+
|
257
|
+
PositiveFloatType = float32 .gt 0
|
258
|
+
|
259
|
+
PAddressType = MLStringType
|
260
|
+
|
261
|
+
ExtensionType = {
|
262
|
+
iodef-value => text,
|
263
|
+
? iodef-name => text,
|
264
|
+
iodef-dtype => "boolean" / "byte" / "bytes" / "character" /
|
265
|
+
"date-time" / "ntpstamp" / "integer" / "portlist" / "real" /
|
266
|
+
"string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" /
|
267
|
+
"json" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" /
|
268
|
+
"ext-value"
|
269
|
+
.default "string"
|
270
|
+
? iodef-ext-dtype => text,
|
271
|
+
? iodef-meaning => text,
|
272
|
+
? iodef-formatid => text,
|
273
|
+
? iodef-restriction => restriction .default "private",
|
274
|
+
? iodef-ext-restriction => text,
|
275
|
+
? iodef-observable-id => IDtype,
|
276
|
+
}
|
277
|
+
|
278
|
+
SoftwareType = {
|
279
|
+
? iodef-SoftwareReference => SoftwareReference,
|
280
|
+
? iodef-URL => [+ URLtype],
|
281
|
+
? iodef-Description => [+ MLStringType]
|
282
|
+
}
|
283
|
+
|
284
|
+
SoftwareReference = {
|
285
|
+
? iodef-value => text,
|
286
|
+
iodef-spec-name => "custom" / "cpe" / "swid" / "ext-value",
|
287
|
+
? iodef-ext-spec-name => text,
|
288
|
+
? iodef-dtype => "bytes" / "integer" / "real" / "string" / "xml" /
|
289
|
+
"ext-value" .default "string",
|
290
|
+
? iodef-ext-dtype => text
|
291
|
+
}
|
292
|
+
|
293
|
+
Incident = {
|
294
|
+
iodef-purpose => "traceback" / "mitigation" / "reporting" /
|
295
|
+
"watch" / "other" / "ext-value",
|
296
|
+
? iodef-ext-purpose => text,
|
297
|
+
? iodef-status => "new" / "in-progress"/ "forwarded" / "resolved" /
|
298
|
+
"future" / "ext-value",
|
299
|
+
? iodef-ext-status => text,
|
300
|
+
? iodef-lang => lang,
|
301
|
+
? iodef-restriction => restriction .default "private",
|
302
|
+
? iodef-ext-restriction => text,
|
303
|
+
? iodef-observable-id => IDtype,
|
304
|
+
iodef-IncidentID => IncidentID,
|
305
|
+
? iodef-AlternativeID => AlternativeID,
|
306
|
+
? iodef-RelatedActivity => [+ RelatedActivity],
|
307
|
+
? iodef-DetectTime => DATETIME,
|
308
|
+
? iodef-StartTime => DATETIME,
|
309
|
+
? iodef-EndTime => DATETIME,
|
310
|
+
? iodef-RecoveryTime => DATETIME,
|
311
|
+
? iodef-ReportTime => DATETIME,
|
312
|
+
iodef-GenerationTime => DATETIME,
|
313
|
+
? iodef-Description => [+ MLStringType],
|
314
|
+
? iodef-Discovery => [+ Discovery],
|
315
|
+
? iodef-Assessment => [+ Assessment],
|
316
|
+
? iodef-Method => [+ Method],
|
317
|
+
iodef-Contact => [+ Contact],
|
318
|
+
? iodef-EventData => [+ EventData],
|
319
|
+
? iodef-Indicator => [+ Indicator],
|
320
|
+
? iodef-History => History,
|
321
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
322
|
+
}
|
323
|
+
|
324
|
+
IncidentID = {
|
325
|
+
iodef-id => text,
|
326
|
+
iodef-name => text,
|
327
|
+
? iodef-instance => text,
|
328
|
+
? iodef-restriction => restriction .default "private",
|
329
|
+
? iodef-ext-restriction => text
|
330
|
+
}
|
331
|
+
|
332
|
+
AlternativeID = {
|
333
|
+
? iodef-restriction => restriction .default "private",
|
334
|
+
? iodef-ext-restriction => text,
|
335
|
+
iodef-IncidentID => [+ IncidentID]
|
336
|
+
}
|
337
|
+
|
338
|
+
RelatedActivity = {
|
339
|
+
? iodef-restriction => restriction .default "private",
|
340
|
+
? iodef-ext-restriction => text,
|
341
|
+
? iodef-IncidentID => [+ IncidentID],
|
342
|
+
? iodef-URL => [+ URLtype],
|
343
|
+
? iodef-ThreatActor => [+ ThreatActor],
|
344
|
+
? iodef-Campaign => [+ Campaign],
|
345
|
+
? iodef-IndicatorID => [+ IndicatorID],
|
346
|
+
? iodef-Confidence => Confidence,
|
347
|
+
? iodef-Description => [+ text],
|
348
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
349
|
+
}
|
350
|
+
|
351
|
+
ThreatActor = {
|
352
|
+
? iodef-restriction => restriction .default "private",
|
353
|
+
? iodef-ext-restriction => text,
|
354
|
+
? iodef-ThreatActorID => [+ text],
|
355
|
+
? iodef-URL => [+ URLtype],
|
356
|
+
? iodef-Description => [+ MLStringType],
|
357
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
358
|
+
}
|
359
|
+
|
360
|
+
Campaign = {
|
361
|
+
? iodef-restriction => restriction .default "private",
|
362
|
+
? iodef-ext-restriction => text,
|
363
|
+
? iodef-CampaignID => [+ text],
|
364
|
+
? iodef-URL => [+ URLtype],
|
365
|
+
? iodef-Description => [+ MLStringType],
|
366
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
367
|
+
}
|
368
|
+
|
369
|
+
Contact = {
|
370
|
+
iodef-role => "creator" / "reporter" / "admin" / "tech" /
|
371
|
+
"provider" / "user" / "billing" / "legal" / "irt" / "abuse" /
|
372
|
+
"cc" / "cc-irt" / "leo" / "vendor" / "vendor-support" /
|
373
|
+
"victim" / "victim-notified" / "ext-value",
|
374
|
+
? iodef-ext-role => text,
|
375
|
+
iodef-type => "person" / "organization" / "ext-value",
|
376
|
+
? iodef-ext-type => text,
|
377
|
+
? iodef-restriction => restriction .default "private",
|
378
|
+
? iodef-ext-restriction => text,
|
379
|
+
? iodef-ContactName => [+ MLStringType],
|
380
|
+
? iodef-ContactTitle => [+ MLStringType],
|
381
|
+
? iodef-Description => [+ MLStringType],
|
382
|
+
? iodef-RegistryHandle => [+ RegistryHandle],
|
383
|
+
? iodef-PostalAddress => [+ PostalAddress],
|
384
|
+
? iodef-Email => [+ Email],
|
385
|
+
? iodef-Telephone => [+ Telephone],
|
386
|
+
? iodef-Timezone => TimeZonetype,
|
387
|
+
? iodef-Contact => [+ Contact],
|
388
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
389
|
+
}
|
390
|
+
|
391
|
+
RegistryHandle = {
|
392
|
+
iodef-handle => text,
|
393
|
+
iodef-registry => "internic" / "apnic" / "arin" / "lacnic" /
|
394
|
+
"ripe" / "afrinic" / "local" / "ext-value",
|
395
|
+
? iodef-ext-registry => text
|
396
|
+
}
|
397
|
+
|
398
|
+
PostalAddress = {
|
399
|
+
? iodef-type => "street" / "mailing" / "ext-value",
|
400
|
+
? iodef-ext-type => text,
|
401
|
+
iodef-PAddress => PAddressType,
|
402
|
+
? iodef-Description => [+ MLStringType]
|
403
|
+
}
|
404
|
+
|
405
|
+
Email = {
|
406
|
+
? iodef-type => "direct" / "hotline" / "ext-value",
|
407
|
+
? iodef-ext-type => text,
|
408
|
+
iodef-EmailTo => text,
|
409
|
+
? iodef-Description => [+ MLStringType]
|
410
|
+
}
|
411
|
+
|
412
|
+
Telephone = {
|
413
|
+
? iodef-type => "wired" / "mobile" / "fax" / "hotline" /
|
414
|
+
"ext-value",
|
415
|
+
? iodef-ext-type => text,
|
416
|
+
iodef-TelephoneNumber => text,
|
417
|
+
? iodef-Description => [+ MLStringType]
|
418
|
+
}
|
419
|
+
|
420
|
+
Discovery = {
|
421
|
+
? iodef-source => "nidps" / "hips" / "siem" / "av" /
|
422
|
+
"third-party-monitoring" / "incident" / "os-log" /
|
423
|
+
"application-log" / "device-log" / "network-flow" /
|
424
|
+
"passive-dns" / "investigation" / "audit" /
|
425
|
+
"internal-notification" / "external-notification" /
|
426
|
+
"leo" / "partner" / "actor" / "unknown" / "ext-value",
|
427
|
+
? iodef-ext-source => text,
|
428
|
+
? iodef-restriction => restriction .default "private",
|
429
|
+
? iodef-ext-restriction => text,
|
430
|
+
? iodef-Description => [+ MLStringType],
|
431
|
+
? iodef-Contact => [+ Contact],
|
432
|
+
? iodef-DetectionPattern => [+ DetectionPattern]
|
433
|
+
}
|
434
|
+
|
435
|
+
DetectionPattern = {
|
436
|
+
? iodef-restriction => restriction .default "private",
|
437
|
+
? iodef-ext-restriction => text,
|
438
|
+
? iodef-observable-id => IDtype,
|
439
|
+
(iodef-Description => [+ MLStringType] //
|
440
|
+
iodef-DetectionConfiguration => [+ text]),
|
441
|
+
iodef-Application => SoftwareType
|
442
|
+
}
|
443
|
+
|
444
|
+
Method = {
|
445
|
+
? iodef-restriction => restriction .default "private",
|
446
|
+
? iodef-ext-restriction => text,
|
447
|
+
? iodef-Reference => [+ Reference],
|
448
|
+
? iodef-Description => [+ MLStringType],
|
449
|
+
? iodef-AttackPattern => [+ STRUCTUREDINFO],
|
450
|
+
? iodef-Vulnerability => [+ STRUCTUREDINFO],
|
451
|
+
? iodef-Weakness => [+ STRUCTUREDINFO],
|
452
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
453
|
+
}
|
454
|
+
|
455
|
+
STRUCTUREDINFO = {
|
456
|
+
iodef-SpecID => SpecID,
|
457
|
+
? iodef-ext-SpecID => text,
|
458
|
+
? iodef-ContentID => text,
|
459
|
+
? (iodef-RawData => [+ BYTE] // iodef-Reference => [+ Reference]),
|
460
|
+
? iodef-Platform => [+ Platform],
|
461
|
+
? iodef-Scoring => [+ Scoring]
|
462
|
+
}
|
463
|
+
|
464
|
+
Platform = {
|
465
|
+
iodef-SpecID => SpecID,
|
466
|
+
? iodef-ext-SpecID => text,
|
467
|
+
? iodef-ContentID => text,
|
468
|
+
? iodef-RawData => [+ BYTE],
|
469
|
+
? iodef-Reference => [+ Reference]
|
470
|
+
}
|
471
|
+
Scoring = {
|
472
|
+
iodef-SpecID => SpecID,
|
473
|
+
? iodef-ext-SpecID => text,
|
474
|
+
? iodef-ContentID => text,
|
475
|
+
? iodef-RawData => [+ BYTE],
|
476
|
+
? iodef-Reference => [+ Reference]
|
477
|
+
}
|
478
|
+
Reference = {
|
479
|
+
? iodef-observable-id => IDtype,
|
480
|
+
? iodef-ReferenceName => ReferenceName,
|
481
|
+
? iodef-URL => [+ URLtype],
|
482
|
+
? iodef-Description => [+ MLStringType]
|
483
|
+
}
|
484
|
+
|
485
|
+
ReferenceName = {
|
486
|
+
iodef-specIndex => integer,
|
487
|
+
iodef-ID => IDtype
|
488
|
+
}
|
489
|
+
|
490
|
+
Assessment = {
|
491
|
+
? iodef-occurrence => "actual" / "potential",
|
492
|
+
? iodef-restriction => restriction .default "private",
|
493
|
+
? iodef-ext-restriction => text,
|
494
|
+
? iodef-observable-id => IDtype,
|
495
|
+
? iodef-IncidentCategory => [+ MLStringType],
|
496
|
+
iodef-Impact => [+ {iodef-SystemImpact => SystemImpact} /
|
497
|
+
{iodef-BusinessImpact => BusinessImpact} /
|
498
|
+
{iodef-TimeImpact => TimeImpact} /
|
499
|
+
{iodef-MonetaryImpact => MonetaryImpact} /
|
500
|
+
{iodef-IntendedImpact => BusinessImpact}],
|
501
|
+
? iodef-Counter => [+ Counter],
|
502
|
+
? iodef-MitigatingFactor => [+ MLStringType],
|
503
|
+
? iodef-Cause => [+ MLStringType],
|
504
|
+
? iodef-Confidence => Confidence,
|
505
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
506
|
+
}
|
507
|
+
|
508
|
+
SystemImpact = {
|
509
|
+
? iodef-severity => "low" / "medium" / "high",
|
510
|
+
? iodef-completion => "failed" / "succeeded",
|
511
|
+
iodef-type => "takeover-account" / "takeover-service" /
|
512
|
+
"takeover-system" / "cps-manipulation" / "cps-damage" /
|
513
|
+
"availability-data" / "availability-account" /
|
514
|
+
"availability-service" / "availability-system" / "damaged-system" /
|
515
|
+
"damaged-data" / "breach-proprietary" / "breach-privacy" /
|
516
|
+
"breach-credential" / "breach-configuration" / "integrity-data" /
|
517
|
+
"integrity-configuration" / "integrity-hardware" /
|
518
|
+
"traffic-redirection" / "monitoring-traffic" / "monitoring-host" /
|
519
|
+
"policy" / "unknown" / "ext-value" .default "unknown",
|
520
|
+
? iodef-ext-type => text,
|
521
|
+
? iodef-Description => [+ MLStringType]
|
522
|
+
}
|
523
|
+
|
524
|
+
BusinessImpact = {
|
525
|
+
? iodef-severity => "none" / "low" / "medium" / "high" / "unknown" /
|
526
|
+
"ext-value" .default "unknown",
|
527
|
+
? iodef-ext-severity => text,
|
528
|
+
iodef-type => "breach-proprietary" / "breach-privacy" /
|
529
|
+
"breach-credential" / "loss-of-integrity" / "loss-of-service" /
|
530
|
+
"theft-financial" / "theft-service" / "degraded-reputation" /
|
531
|
+
"asset-damage" / "asset-manipulation" / "legal" / "extortion" /
|
532
|
+
"unknown" / "ext-value" .default "unknown",
|
533
|
+
? iodef-ext-type => text,
|
534
|
+
? iodef-Description => [+ MLStringType]
|
535
|
+
}
|
536
|
+
|
537
|
+
TimeImpact = {
|
538
|
+
iodef-value => PositiveFloatType,
|
539
|
+
? iodef-severity => "low" / "medium" / "high",
|
540
|
+
iodef-metric => "labor" / "elapsed" / "downtime" / "ext-value",
|
541
|
+
? iodef-ext-metric => text,
|
542
|
+
? iodef-duration => duration .default "hour",
|
543
|
+
? iodef-ext-duration => text
|
544
|
+
}
|
545
|
+
|
546
|
+
MonetaryImpact = {
|
547
|
+
iodef-value => PositiveFloatType,
|
548
|
+
? iodef-severity => "low" / "medium" / "high",
|
549
|
+
? iodef-currency => text
|
550
|
+
}
|
551
|
+
|
552
|
+
Confidence = {
|
553
|
+
iodef-value => float32,
|
554
|
+
iodef-rating => "low" / "medium" / "high" / "numeric" / "unknown" /
|
555
|
+
"ext-value",
|
556
|
+
? iodef-ext-rating => text
|
557
|
+
}
|
558
|
+
|
559
|
+
History = {
|
560
|
+
? iodef-restriction => restriction .default "private",
|
561
|
+
? iodef-ext-restriction => text,
|
562
|
+
iodef-HistoryItem => [+ HistoryItem]
|
563
|
+
}
|
564
|
+
|
565
|
+
HistoryItem = {
|
566
|
+
iodef-action => action .default "other",
|
567
|
+
? iodef-ext-action => text,
|
568
|
+
? iodef-restriction => restriction .default "private",
|
569
|
+
? iodef-ext-restriction => text,
|
570
|
+
? iodef-observable-id => IDtype,
|
571
|
+
iodef-DateTime => DATETIME,
|
572
|
+
? iodef-IncidentID => IncidentID,
|
573
|
+
? iodef-Contact => Contact,
|
574
|
+
? iodef-Description => [+ MLStringType],
|
575
|
+
? iodef-DefinedCOA => [+ text],
|
576
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
577
|
+
}
|
578
|
+
|
579
|
+
EventData = {
|
580
|
+
? iodef-restriction => restriction .default "default",
|
581
|
+
? iodef-ext-restriction => text,
|
582
|
+
? iodef-observable-id => IDtype,
|
583
|
+
? iodef-Description => [+ MLStringType],
|
584
|
+
? iodef-DetectTime => DATETIME,
|
585
|
+
? iodef-StartTime => DATETIME,
|
586
|
+
? iodef-EndTime => DATETIME,
|
587
|
+
? iodef-RecoveryTime => DATETIME,
|
588
|
+
? iodef-ReportTime => DATETIME,
|
589
|
+
? iodef-Contact => [+ Contact],
|
590
|
+
? iodef-Discovery => [+ Discovery],
|
591
|
+
? iodef-Assessment => Assessment,
|
592
|
+
? iodef-Method => [+ Method],
|
593
|
+
? iodef-System => [+ System],
|
594
|
+
? iodef-Expectation => [+ Expectation],
|
595
|
+
? iodef-RecordData => [+ RecordData],
|
596
|
+
? iodef-EventData => [+ EventData],
|
597
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
598
|
+
}
|
599
|
+
|
600
|
+
Expectation = {
|
601
|
+
? iodef-action => action .default "other",
|
602
|
+
? iodef-ext-action => text,
|
603
|
+
? iodef-severity => "low" / "medium" / "high",
|
604
|
+
? iodef-restriction => restriction .default "default",
|
605
|
+
? iodef-ext-restriction => text,
|
606
|
+
? iodef-observable-id => IDtype,
|
607
|
+
? iodef-Description => [+ MLStringType],
|
608
|
+
? iodef-DefinedCOA => [+ text],
|
609
|
+
? iodef-StartTime => DATETIME,
|
610
|
+
? iodef-EndTime => DATETIME,
|
611
|
+
? iodef-Contact => Contact
|
612
|
+
}
|
613
|
+
|
614
|
+
System = {
|
615
|
+
? iodef-category => "source" / "target" / "intermediate" /
|
616
|
+
"sensor" / "infrastructure" / "ext-value",
|
617
|
+
? iodef-ext-category => text,
|
618
|
+
? iodef-interface => text,
|
619
|
+
? iodef-spoofed => "unknown" / "yes" / "no" .default "unknown",
|
620
|
+
? iodef-virtual => "yes" / "no" / "unknown" .default "unknown",
|
621
|
+
? iodef-ownership => "organization" / "personal" / "partner" /
|
622
|
+
"customer" / "no-relationship" / "unknown" / "ext-value",
|
623
|
+
? iodef-ext-ownership => text,
|
624
|
+
? iodef-restriction => restriction .default "private",
|
625
|
+
? iodef-ext-restriction => text,
|
626
|
+
? iodef-observable-id => IDtype,
|
627
|
+
iodef-Node => Node,
|
628
|
+
? iodef-NodeRole => [+ NodeRole],
|
629
|
+
? iodef-Service => [+ Service],
|
630
|
+
? iodef-OperatingSystem => [+ SoftwareType],
|
631
|
+
? iodef-Counter => [+ Counter],
|
632
|
+
? iodef-AssetID => [+ text],
|
633
|
+
? iodef-Description => [+ MLStringType],
|
634
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
635
|
+
}
|
636
|
+
|
637
|
+
Node = {
|
638
|
+
(iodef-DomainData => [+ DomainData] //
|
639
|
+
iodef-Address => [+ Address]),
|
640
|
+
? iodef-PostalAddress => PostalAddress,
|
641
|
+
? iodef-Location => [+ MLStringType],
|
642
|
+
? iodef-Counter => [+ Counter]
|
643
|
+
}
|
644
|
+
|
645
|
+
Address = {
|
646
|
+
iodef-value => text,
|
647
|
+
iodef-category => "asn" / "atm" / "e-mail" / "ipv4-addr" /
|
648
|
+
"ipv4-net" / "ipv4-net-masked" / "ipv4-net-mask" / "ipv6-addr" /
|
649
|
+
"ipv6-net" / "ipv6-net-masked" / "mac" / "site-uri" /
|
650
|
+
"ext-value" .default "ipv6-addr",
|
651
|
+
? iodef-ext-category => text,
|
652
|
+
? iodef-vlan-name => text,
|
653
|
+
? iodef-vlan-num => integer,
|
654
|
+
? iodef-observable-id => IDtype
|
655
|
+
}
|
656
|
+
|
657
|
+
NodeRole = {
|
658
|
+
iodef-category => "client" / "client-enterprise" /
|
659
|
+
"client-partner" / "client-remote" / "client-kiosk" /
|
660
|
+
"client-mobile" / "server-internal" / "server-public" /
|
661
|
+
"www" / "mail" / "webmail" / "messaging" / "streaming" /
|
662
|
+
"voice" / "file" / "ftp" / "p2p" / "name" / "directory" /
|
663
|
+
"credential" / "print" / "application" / "database" /
|
664
|
+
"backup" / "dhcp" / "assessment" / "source-control" /
|
665
|
+
"config-management" / "monitoring" / "infra" / "infra-firewall" /
|
666
|
+
"infra-router" / "infra-switch" / "camera" / "proxy" /
|
667
|
+
"remote-access" / "log" / "virtualization" / "pos" / "scada" /
|
668
|
+
"scada-supervisory" / "sinkhole" / "honeypot" /
|
669
|
+
"anomyzation" / "c2-server" / "malware-distribution" /
|
670
|
+
"drop-server" / "hop-point" / "reflector" /
|
671
|
+
"phishing-site" / "spear-phishing-site" / "recruiting-site" /
|
672
|
+
"fraudulent-site" / "ext-value",
|
673
|
+
? iodef-ext-category => text,
|
674
|
+
? iodef-Description => [+ MLStringType]
|
675
|
+
}
|
676
|
+
|
677
|
+
Counter = {
|
678
|
+
iodef-value => float32,
|
679
|
+
iodef-type => "count" / "peak" / "average" / "ext-value",
|
680
|
+
? iodef-ext-type => text,
|
681
|
+
iodef-unit => "byte" / "mbit" / "packet" / "flow" / "session" /
|
682
|
+
"alert" / "message" / "event" / "host" / "site" / "organization" /
|
683
|
+
"ext-value",
|
684
|
+
? iodef-ext-unit => text,
|
685
|
+
? iodef-meaning => text,
|
686
|
+
? iodef-duration => duration .default "hour",
|
687
|
+
? iodef-ext-duration => text
|
688
|
+
}
|
689
|
+
|
690
|
+
DomainData = {
|
691
|
+
iodef-system-status => "spoofed" / "fraudulent" /
|
692
|
+
"innocent-hacked" / "innocent-hijacked" / "unknown" / "ext-value",
|
693
|
+
? iodef-ext-system-status => text,
|
694
|
+
iodef-domain-status => "reservedDelegation" / "assignedAndActive" /
|
695
|
+
"assignedAndInactive" / "assignedAndOnHold" /
|
696
|
+
"revoked" / "transferPending" / "registryLock" /
|
697
|
+
"registrarLock" / "other" / "unknown" / "ext-value",
|
698
|
+
? iodef-ext-domain-status => text,
|
699
|
+
? iodef-observable-id => IDtype,
|
700
|
+
iodef-Name => text,
|
701
|
+
? iodef-DateDomainWasChecked => DATETIME,
|
702
|
+
? iodef-RegistrationDate => DATETIME,
|
703
|
+
? iodef-ExpirationDate => DATETIME,
|
704
|
+
? iodef-RelatedDNS => [+ ExtensionType],
|
705
|
+
? iodef-NameServers => [+ NameServers],
|
706
|
+
? iodef-DomainContacts => DomainContacts
|
707
|
+
}
|
708
|
+
|
709
|
+
NameServers = {
|
710
|
+
iodef-Server => text,
|
711
|
+
iodef-Address => [+ Address]
|
712
|
+
}
|
713
|
+
|
714
|
+
DomainContacts = {
|
715
|
+
(iodef-SameDomainContact => text // iodef-Contact => [+ Contact])
|
716
|
+
}
|
717
|
+
|
718
|
+
Service = {
|
719
|
+
? iodef-ip-protocol => integer,
|
720
|
+
? iodef-observable-id => IDtype,
|
721
|
+
? iodef-ServiceName => ServiceName,
|
722
|
+
? iodef-Port => integer,
|
723
|
+
? iodef-Portlist => PortlistType,
|
724
|
+
? iodef-ProtoCode => integer,
|
725
|
+
? iodef-ProtoType => integer,
|
726
|
+
? iodef-ProtoField => integer,
|
727
|
+
? iodef-ApplicationHeaderField => [+ ExtensionType],
|
728
|
+
? iodef-EmailData => EmailData,
|
729
|
+
? iodef-Application => SoftwareType
|
730
|
+
}
|
731
|
+
|
732
|
+
ServiceName = {
|
733
|
+
? iodef-IANAService => text,
|
734
|
+
? iodef-URL => [+ URLtype],
|
735
|
+
? iodef-Description => [+ MLStringType]
|
736
|
+
}
|
737
|
+
|
738
|
+
EmailData = {
|
739
|
+
? iodef-observable-id => IDtype,
|
740
|
+
? iodef-EmailTo => [+ text],
|
741
|
+
? iodef-EmailFrom => text,
|
742
|
+
? iodef-EmailSubject => text,
|
743
|
+
? iodef-EmailX-Mailer => text,
|
744
|
+
? iodef-EmailHeaderField => [+ ExtensionType],
|
745
|
+
? iodef-EmailHeaders => text,
|
746
|
+
? iodef-EmailBody => text,
|
747
|
+
? iodef-EmailMessage => text,
|
748
|
+
? iodef-HashData => [+ HashData],
|
749
|
+
? iodef-Signature => [+ BYTE]
|
750
|
+
}
|
751
|
+
|
752
|
+
RecordData = {
|
753
|
+
? iodef-restriction => restriction .default "private",
|
754
|
+
? iodef-ext-restriction => text,
|
755
|
+
? iodef-observable-id => IDtype,
|
756
|
+
? iodef-DateTime => DATETIME,
|
757
|
+
? iodef-Description => [+ MLStringType],
|
758
|
+
? iodef-Application => SoftwareType,
|
759
|
+
? iodef-RecordPattern => [+ RecordPattern],
|
760
|
+
? iodef-RecordItem => [+ ExtensionType],
|
761
|
+
? iodef-URL => [+ URLtype],
|
762
|
+
? iodef-FileData => [+ FileData],
|
763
|
+
? iodef-WindowsRegistryKeysModified =>
|
764
|
+
[+ WindowsRegistryKeysModified],
|
765
|
+
? iodef-CertificateData => [+ CertificateData],
|
766
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
767
|
+
}
|
768
|
+
|
769
|
+
RecordPattern = {
|
770
|
+
iodef-value => text,
|
771
|
+
iodef-type => "regex" / "binary" / "xpath" /
|
772
|
+
"ext-value" .default "regex",
|
773
|
+
? iodef-ext-type => text,
|
774
|
+
? iodef-offset => integer,
|
775
|
+
? iodef-offsetunit => "line" / "byte" /
|
776
|
+
"ext-value" .default "line",
|
777
|
+
? iodef-ext-offsetunit => text,
|
778
|
+
? iodef-instance => integer
|
779
|
+
}
|
780
|
+
|
781
|
+
WindowsRegistryKeysModified = {
|
782
|
+
? iodef-observable-id => IDtype,
|
783
|
+
iodef-Key => [+ Key]
|
784
|
+
}
|
785
|
+
|
786
|
+
Key = {
|
787
|
+
? iodef-registryaction => "add-key" / "add-value" / "delete-key" /
|
788
|
+
"delete-value" / "modify-key" / "modify-value" /
|
789
|
+
"ext-value",
|
790
|
+
? iodef-ext-registryaction => text,
|
791
|
+
? iodef-observable-id => IDtype,
|
792
|
+
iodef-KeyName => text,
|
793
|
+
? iodef-KeyValue => text
|
794
|
+
}
|
795
|
+
|
796
|
+
CertificateData = {
|
797
|
+
? iodef-restriction => restriction .default "private",
|
798
|
+
? iodef-ext-restriction => text,
|
799
|
+
? iodef-observable-id => IDtype,
|
800
|
+
iodef-Certificate => [+ Certificate]
|
801
|
+
}
|
802
|
+
|
803
|
+
Certificate = {
|
804
|
+
? iodef-observable-id => IDtype,
|
805
|
+
iodef-X509Data => BYTE,
|
806
|
+
? iodef-Description => [+ MLStringType]
|
807
|
+
}
|
808
|
+
|
809
|
+
FileData = {
|
810
|
+
? iodef-restriction => restriction .default "private",
|
811
|
+
? iodef-ext-restriction => text,
|
812
|
+
? iodef-observable-id => IDtype,
|
813
|
+
iodef-File => [+ File]
|
814
|
+
}
|
815
|
+
|
816
|
+
File = {
|
817
|
+
? iodef-observable-id => IDtype,
|
818
|
+
? iodef-FileName => text,
|
819
|
+
? iodef-FileSize => integer,
|
820
|
+
? iodef-FileType => text,
|
821
|
+
? iodef-URL => [+ URLtype],
|
822
|
+
? iodef-HashData => HashData,
|
823
|
+
? iodef-Signature => [+ BYTE],
|
824
|
+
? iodef-AssociatedSoftware => SoftwareType,
|
825
|
+
? iodef-FileProperties => [+ ExtensionType]
|
826
|
+
}
|
827
|
+
|
828
|
+
HashData = {
|
829
|
+
iodef-scope => "file-contents" / "file-pe-section" /
|
830
|
+
"file-pe-iat" / "file-pe-resource" / "file-pdf-object" /
|
831
|
+
"email-hash" / "email-headers-hash" / "email-body-hash" /
|
832
|
+
"ext-value",
|
833
|
+
? iodef-HashTargetID => text,
|
834
|
+
? iodef-Hash => [+ Hash],
|
835
|
+
? iodef-FuzzyHash => [+ FuzzyHash]
|
836
|
+
}
|
837
|
+
|
838
|
+
Hash = {
|
839
|
+
iodef-DigestMethod => BYTE,
|
840
|
+
iodef-DigestValue => BYTE,
|
841
|
+
? iodef-CanonicalizationMethod => BYTE,
|
842
|
+
? iodef-Application => SoftwareType
|
843
|
+
}
|
844
|
+
|
845
|
+
FuzzyHash = {
|
846
|
+
iodef-FuzzyHashValue => [+ ExtensionType],
|
847
|
+
? iodef-Application => SoftwareType,
|
848
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
849
|
+
}
|
850
|
+
|
851
|
+
Indicator = {
|
852
|
+
? iodef-restriction => restriction .default "private",
|
853
|
+
? iodef-ext-restriction => text,
|
854
|
+
iodef-IndicatorID => IndicatorID,
|
855
|
+
? iodef-AlternativeIndicatorID => [+ AlternativeIndicatorID],
|
856
|
+
? iodef-Description => [+ MLStringType],
|
857
|
+
? iodef-StartTime => DATETIME,
|
858
|
+
? iodef-EndTime => DATETIME,
|
859
|
+
? iodef-Confidence => Confidence,
|
860
|
+
? iodef-Contact => [+ Contact],
|
861
|
+
(iodef-Observable => Observable // iodef-uid-ref => IDREFType //
|
862
|
+
iodef-IndicatorExpression => IndicatorExpression //
|
863
|
+
iodef-IndicatorReference => IndicatorReference),
|
864
|
+
? iodef-NodeRole => [+ NodeRole],
|
865
|
+
? iodef-AttackPhase => [+ AttackPhase],
|
866
|
+
? iodef-Reference => [+ Reference],
|
867
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
868
|
+
}
|
869
|
+
|
870
|
+
IndicatorID = {
|
871
|
+
iodef-id => IDtype,
|
872
|
+
iodef-name => text,
|
873
|
+
iodef-version => text
|
874
|
+
}
|
875
|
+
|
876
|
+
AlternativeIndicatorID = {
|
877
|
+
? iodef-restriction => restriction .default "private",
|
878
|
+
? iodef-ext-restriction => text,
|
879
|
+
iodef-IndicatorID => [+ IndicatorID]
|
880
|
+
}
|
881
|
+
|
882
|
+
Observable = {
|
883
|
+
? iodef-restriction => restriction .default "private",
|
884
|
+
? iodef-ext-restriction => text,
|
885
|
+
? (iodef-System => System // iodef-Address => Address //
|
886
|
+
iodef-DomainData => DomainData //
|
887
|
+
iodef-EmailData => EmailData //
|
888
|
+
iodef-Service => Service //
|
889
|
+
iodef-WindowsRegistryKeysModified =>
|
890
|
+
WindowsRegistryKeysModified //
|
891
|
+
iodef-FileData => FileData //iodef-CertificateData =>
|
892
|
+
CertificateData //
|
893
|
+
iodef-RegistryHandle =>RegistryHandle// iodef-RecordData =>
|
894
|
+
RecordData //
|
895
|
+
iodef-EventData => EventData // iodef-Incident => Incident //
|
896
|
+
iodef-Expectation => Expectation // iodef-Reference =>
|
897
|
+
Reference //
|
898
|
+
iodef-Assessment => Assessment //
|
899
|
+
iodef-DetectionPattern => DetectionPattern //
|
900
|
+
iodef-HistoryItem => HistoryItem //
|
901
|
+
iodef-BulkObservable => BulkObservable //
|
902
|
+
iodef-AdditionalData => [+ ExtensionType])
|
903
|
+
}
|
904
|
+
|
905
|
+
BulkObservable = {
|
906
|
+
? iodef-type => "asn" / "atm" / "e-mail" / "ipv4-addr" /
|
907
|
+
"ipv4-net" / "ipv4-net-mask" / "ipv6-addr" / "ipv6-net" /
|
908
|
+
"ipv6-net-mask" / "mac" / "site-uri" / "domain-name" /
|
909
|
+
"domain-to-ipv4" / "domain-to-ipv6" /
|
910
|
+
"domain-to-ipv4-timestamp" / "domain-to-ipv6-timestamp" /
|
911
|
+
"ipv4-port" / "ipv6-port" / "windows-reg-key" / "file-hash" /
|
912
|
+
"email-x-mailer" / "email-subject" / "http-user-agent" /
|
913
|
+
"http-request-uri" / "mutex" / "file-path" / "user-name" /
|
914
|
+
"ext-value",
|
915
|
+
? iodef-ext-type => text,
|
916
|
+
? iodef-BulkObservableFormat => BulkObservableFormat,
|
917
|
+
iodef-BulkObservableList => text,
|
918
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
919
|
+
}
|
920
|
+
|
921
|
+
BulkObservableFormat = {
|
922
|
+
(iodef-Hash => Hash // iodef-AdditionalData => [+ ExtensionType])
|
923
|
+
}
|
924
|
+
|
925
|
+
IndicatorExpression = {
|
926
|
+
? iodef-operator => "not" / "and" / "or" / "xor" .default "and",
|
927
|
+
? iodef-ext-operator => text,
|
928
|
+
? iodef-IndicatorExpression => [+ IndicatorExpression],
|
929
|
+
? iodef-Observable => [+ Observable],
|
930
|
+
? iodef-uid-ref => [+ IDREFType],
|
931
|
+
? iodef-IndicatorReference => [+ IndicatorReference],
|
932
|
+
? iodef-Confidence => Confidence,
|
933
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
934
|
+
}
|
935
|
+
|
936
|
+
IndicatorReference = {
|
937
|
+
(iodef-uid-ref => IDREFType // iodef-euid-ref => text),
|
938
|
+
? iodef-version => text
|
939
|
+
}
|
940
|
+
|
941
|
+
AttackPhase = {
|
942
|
+
? iodef-AttackPhaseID => [+ text],
|
943
|
+
? iodef-URL => [+ URLtype],
|
944
|
+
? iodef-Description => [+ MLStringType],
|
945
|
+
? iodef-AdditionalData => [+ ExtensionType]
|
946
|
+
}
|