logstash-codec-idmef 0.9.2 → 0.9.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +3 -0
  3. data/docs/index.asciidoc +61 -22
  4. data/lib/logstash/codecs/idmef-message.dtd +661 -0
  5. data/lib/logstash/codecs/idmef.rb +283 -202
  6. data/logstash-codec-idmef.gemspec +1 -1
  7. data/spec/codecs/idmef_spec.rb +102 -12
  8. metadata +17 -17
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: bee9b9f0182fef0bcd42950cca6f2054c1ae67ae930af3f595de7c5585e469a3
4
- data.tar.gz: a01247e5d91019463034e22409f78ebb5edc3070da618af8d3aad975457bb9e5
3
+ metadata.gz: 369de7d0aa661ce5611b92b82d7298189bd0800c3bc402cf31c1b7374fd74829
4
+ data.tar.gz: e90a133097762767201e70d8f217ff000b5c253b5322c70addc8808311ac5543
5
5
  SHA512:
6
- metadata.gz: 9d4c5fd3c37b23c0ac9a640353d61a3d1466832cd4260b577410b3f9edf891b61c382b12f238d43e8608dcc38bd06f108c5b483c742d16b85e4794e623f6ed87
7
- data.tar.gz: 141900ff71dc0067a6d80eb6fdee557ebfd034792abe859cb87fbfce914be00183fd428cf541e5f4d2282829fee0f68287326f3e22c3d3a49b89983bf716b09a
6
+ metadata.gz: 97e0fe7e14207bc49950e241b7afdefa77135cdd539785c8e0f448677b6e864b649da848b75245994aa72318ac911534c7bdf60ee419ac8a0a3a9771a1f7c87b
7
+ data.tar.gz: a721069ce3cb1701643395f0f6753ac06511cb50dd87f878092dd6500ef244229e1421aa3ad316a3f9bb0ca14698905fa2b0c63047e9cb738536a4db91cb7315
data/CHANGELOG.md CHANGED
@@ -1,3 +1,6 @@
1
+ ## 0.9.3
2
+ - Rework templating. Add XML validation.
3
+
1
4
  ## 0.9.2
2
5
  - Fix empty AdditionalData
3
6
 
data/docs/index.asciidoc CHANGED
@@ -41,14 +41,18 @@ https://tools.ietf.org/html/rfc4765
41
41
  ===== `paths`
42
42
 
43
43
  * Value type is <<hash,hash>>
44
+
44
45
  * The defautl value is an empty `hash`.
45
46
 
46
47
  This parameter let you add IDMEF paths to map from logstash event to IDMEF
47
48
  field.
48
49
 
49
50
  For example, if:
51
+
50
52
  * the name of your alert is in `event.get('message')`
53
+
51
54
  * the target host is in `event.get('host')`
55
+
52
56
  * the name of your analyzer is "ACME"
53
57
 
54
58
  you probably want to put this:
@@ -69,56 +73,91 @@ you probably want to put this:
69
73
  The keys of the hash are IDMEF path as described here:
70
74
  https://redmine.secef.net/projects/secef/wiki/LibPrelude_IDMEF_path
71
75
 
72
- The values of the hash are values to set in final IDMEF. If a value starts with
73
- a `$`, then the plugin try to retrieve the value from the event.
76
+ The values of the hash are values to set in final IDMEF. If there is %{name}
77
+ inside the string, the plugin try to retrieve the value from the event and
78
+ create the final string.
74
79
 
75
80
  [id="plugins-{type}s-{plugin}-defaults"]
76
81
  ===== `defaults`
77
82
 
78
83
  * Value type is <<boolean,boolean>>
84
+
79
85
  * Default value is `true`
80
86
 
81
87
  Try to use default paths mapping or not.
82
88
 
83
89
  Default paths are:
84
- * alert.classification.text: ["$rule_name", "$event", "$message"]
85
- * alert.detect_time: "$@timestamp"
86
- * alert.create_time: "$@timestamp"
87
- * alert.analyzer_time: "$@timestamp"
88
- * alert.analyzer(0).name: ["$product", "$devname"]
89
- * alert.analyzer(0).manufacturer: "$vendor"
90
- * alert.source(0).node.address(0).address: ["$srcip", "$src"]
91
- * alert.source(0).node.name: ["$shost", "$srchost", "$shostname", "$srchostname", "$sname", "$srcname"]
92
- * alert.source(0).service.port: ["$spt", "$sport", "$s_port"]
93
- * alert.source(0).service.name: ["$sservice", "$srcservice"]
94
- * alert.target(0).node.address(0).address: ["$hostip", "$dstip", "$dst", "$ip"]
95
- * alert.target(0).node.name: ["$host", "$hostname", "$shost", "$srchost", "$shostname", "$srchostname", "$sname", "$srcname"]
96
- * alert.target(0).service.port: ["$dpt", "$dport", "$d_port"]
97
- * alert.target(0).service.name: ["$service", "$service_id", "$dservice", "$dstservice",]
98
- * alert.target(0).user.user_id(0).name: ["$user", "$dstuser", "$duser"]
99
- * alert.target(0).user.user_id(0).number: ["$uid", "$dstuid", "$duid"]
100
- * alert.target(0).process.name: ["$proc", "$process"]
101
- * alert.target(0).process.pid: ["$dpid", "$pid"]
102
- * alert.assessment.impact.severity: ["$severity", "$level"]
103
- * alert.assessment.action.description: ["$action"]
90
+
91
+ * alert.analyzer(0).name: ["%{product}", "%{devname}"]
92
+
93
+ * alert.analyzer(0).manufacturer: ["%{vendor}"]
94
+
95
+ * alert.create_time: ["%{@timestamp}"]
96
+
97
+ * alert.detect_time: ["%{@timestamp}"]
98
+
99
+ * alert.analyzer_time: ["%{@timestamp}"]
100
+
101
+ * alert.source(0).node.address(0).address: ["%{srcip}", "%{src}"]
102
+
103
+ * alert.source(0).node.name: ["%{shost}", "%{srchost}", "%{shostname}", "%{srchostname}", "%{sname}", "%{srcname}"]
104
+
105
+ * alert.source(0).service.port: ["%{spt}", "%{sport}", "%{s_port}"]
106
+
107
+ * alert.source(0).service.name: ["%{sservice}", "%{srcservice}"]
108
+
109
+ * alert.target(0).node.address(0).address: ["%{hostip}", "%{dstip}", "%{dst}", "%{ip}"]
110
+
111
+ * alert.target(0).node.name: ["%{host}", "%{hostname}", "%{shost}", "%{srchost}", "%{shostname}", "%{srchostname}", "%{sname}", "%{srcname}"]
112
+
113
+ * alert.target(0).service.port: ["%{dpt}", "%{dport}", "%{d_port}"]
114
+
115
+ * alert.target(0).service.name: ["%{service}", "%{service_id}", "%{dservice}", "%{dstservice}"]
116
+
117
+ * alert.target(0).user.user_id(0).name: ["%{user}", "%{dstuser}", "%{duser}"]
118
+
119
+ * alert.target(0).user.user_id(0).number: ["%{uid}", "%{dstuid}", "%{duid}"]
120
+
121
+ * alert.target(0).process.name: ["%{proc}", "%{process}"]
122
+
123
+ * alert.target(0).process.pid: ["%{dpid}", "%{pid}"]
124
+
125
+ * alert.classification.text: ["%{rule_name}", "%{event}", "%{message}"]
126
+
127
+ * alert.assessment.impact.severity: ["%{severity}", "%{level}"]
128
+
129
+ * alert.assessment.action.description: ["%{action}"]
130
+
104
131
 
105
132
  [id="plugins-{type}s-{plugin}-additionaldata"]
106
133
  ===== `additionaldata`
107
134
 
108
135
  * Value type is <<boolean,boolean>>
136
+
109
137
  * Default value is `true`
110
138
 
111
139
  When an alert is transformed in IDMEF, the remaining fields of the initial
112
140
  event are translated into IDMEF's Additional Data. If you don't want to do this
113
141
  translation, set this setting to `false`.
114
142
 
143
+ [id="plugins-{type}s-{plugin}-validate_xml"]
144
+ ===== `validate_xml`
145
+
146
+ * Value type is <<boolean,boolean>>
147
+
148
+ * Default value is `false`
149
+
150
+ Validate the generated XML with IDMEF DTD.
151
+
115
152
  [id="plugins-{type}s-{plugin}-type"]
116
153
  ===== `type`
117
154
 
118
155
  * Value type is <<string,string>>
156
+
119
157
  * Default value is `"alert"`
120
158
 
121
159
  IDMEF can defined two types of message:
160
+
122
161
  * alert
123
162
 
124
163
  RFC definition: Generally, every time an analyzer detects an event that it has
data/lib/logstash/codecs/idmef-message.dtd ADDED
@@ -0,0 +1,661 @@
1
+ <?xml version="1.0" encoding="UTF-8"?>
2
+
3
+ <!-- ***************************************************************
4
+ *******************************************************************
5
+ *** Intrusion Detection Message Exchange Format (IDMEF) XML DTD ***
6
+ *** Version 1.0, 07 March 2006 ***
7
+ *** ***
8
+ *** The use and extension of the IDMEF XML DTD are described in ***
9
+ *** RFC XXXX, "Intrusion Detection Message Exchange Format Data ***
10
+ *** Model and Extensible Markup Language (XML) Document Type ***
11
+ *** Definition," D. Curry, H. Debar, B. Feinstein. ***
12
+ *******************************************************************
13
+ *************************************************************** -->
14
+
15
+ <!-- ===============================================================
16
+ ===================================================================
17
+ === SECTION 1. Attribute list declarations.
18
+ ===================================================================
19
+ =============================================================== -->
20
+
21
+ <!--
22
+ | Attributes of the IDMEF element. In general, the fixed values of
23
+ | these attributes will change each time a new version of the DTD
24
+ | is released.
25
+ -->
26
+
27
+ <!ENTITY % attlist.idmef "
28
+ version CDATA #FIXED '1.0'
29
+ ">
30
+
31
+ <!--
32
+ | Attributes of all elements. These are the "XML" attributes that
33
+ | every element should have. Space handling, language, and name
34
+ | space.
35
+ -->
36
+ <!ENTITY % attlist.global "
37
+ xmlns:idmef CDATA #FIXED
38
+ 'http://iana.org/idmef'
39
+ xmlns CDATA #FIXED
40
+ 'http://iana.org/idmef'
41
+ xml:space (default | preserve) 'default'
42
+ xml:lang NMTOKEN #IMPLIED
43
+ ">
44
+
45
+ <!-- ===============================================================
46
+ ===================================================================
47
+ === SECTION 2. Attribute value declarations. Enumerated values for
48
+ === many of the element-specific attribute lists.
49
+ ===================================================================
50
+ =============================================================== -->
51
+
52
+ <!--
53
+ | Values for the Action.category attribute.
54
+ -->
55
+ <!ENTITY % attvals.actioncat "
56
+ ( block-installed | notification-sent | taken-offline | other )
57
+ ">
58
+
59
+ <!--
60
+ | Values for the Address.category attribute.
61
+ -->
62
+ <!ENTITY % attvals.addrcat "
63
+ ( unknown | atm | e-mail | lotus-notes | mac | sna | vm |
64
+ ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask |
65
+ ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask )
66
+ ">
67
+
68
+ <!--
69
+ | Values for the AdditionalData.type attribute.
70
+ -->
71
+ <!ENTITY % attvals.adtype "
72
+ ( boolean | byte | character | date-time | integer | ntpstamp |
73
+ portlist | real | string | byte-string | xmltext )
74
+ ">
75
+
76
+ <!--
77
+ | Values for the Impact.completion attribute.
78
+ -->
79
+ <!ENTITY % attvals.completion "
80
+ ( failed | succeeded )
81
+ ">
82
+
83
+ <!--
84
+ | Values for the File.category attribute.
85
+ -->
86
+ <!ENTITY % attvals.filecat "
87
+ ( current | original )
88
+ ">
89
+
90
+ <!ENTITY % attvals.fileperm "( noAccess | read | write | execute |
91
+ search | delete | executeAs | changePermissions |
92
+ takeOwnership)" >
93
+
94
+ <!--
95
+ | Values for the UserId.type attribute.
96
+ -->
97
+ <!ENTITY % attvals.idtype "
98
+ ( current-user | original-user | target-user | user-privs |
99
+ current-group | group-privs | other-privs )
100
+ ">
101
+
102
+ <!--
103
+ | Values for the Impact.type attribute.
104
+ -->
105
+ <!ENTITY % attvals.impacttype "
106
+ ( admin | dos | file | recon | user | other )
107
+ ">
108
+
109
+ <!--
110
+ | Values for the Linkage.category attribute.
111
+ -->
112
+ <!ENTITY % attvals.linkcat "
113
+ ( hard-link | mount-point | reparse-point | shortcut | stream |
114
+ symbolic-link )
115
+ ">
116
+
117
+ <!--
118
+ | Values for the Checksum.algorithm attribute
119
+ -->
120
+ <!ENTITY % attvals.checksumalgos "
121
+ ( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 |
122
+ Haval | Tiger | Gost )
123
+ ">
124
+
125
+ <!--
126
+ | Values for the Node.category attribute.
127
+ -->
128
+ <!ENTITY % attvals.nodecat "
129
+ ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos |
130
+ nds | nis | nisplus | nt | wfw )
131
+ ">
132
+
133
+ <!--
134
+ | Values for the Reference.origin attribute.
135
+ -->
136
+ <!ENTITY % attvals.origin "
137
+ ( unknown | vendor-specific | user-specific | bugtraqid | cve |
138
+ osvdb )
139
+ ">
140
+
141
+ <!--
142
+ | Values for the Confidence.rating attribute.
143
+
144
+ -->
145
+ <!ENTITY % attvals.rating "
146
+ ( low | medium | high | numeric )
147
+ ">
148
+
149
+ <!--
150
+ | Values for the Impact.severity attribute.
151
+ -->
152
+ <!ENTITY % attvals.severity "
153
+ ( info | low | medium | high )
154
+ ">
155
+
156
+ <!--
157
+ | Values for the User.category attribute.
158
+ -->
159
+ <!ENTITY % attvals.usercat "
160
+ ( unknown | application | os-device )
161
+ ">
162
+
163
+ <!--
164
+ | Values for yes/no attributes such as Source.spoofed and
165
+ | Target.decoy.
166
+ -->
167
+ <!ENTITY % attvals.yesno "
168
+ ( unknown | yes | no )
169
+ ">
170
+
171
+ <!-- ===============================================================
172
+ ===================================================================
173
+ === SECTION 3. Top-level element declarations. The IDMEF-Message
174
+ === element and the types of messages it can include.
175
+ ===================================================================
176
+ =============================================================== -->
177
+
178
+ <!ELEMENT IDMEF-Message (
179
+ (Alert | Heartbeat)*
180
+ )>
181
+ <!ATTLIST IDMEF-Message
182
+ %attlist.global;
183
+ %attlist.idmef;
184
+ >
185
+
186
+ <!ELEMENT Alert (
187
+ Analyzer, CreateTime, DetectTime?, AnalyzerTime?,
188
+ Source*, Target*, Classification, Assessment?, (ToolAlert |
189
+ OverflowAlert | CorrelationAlert)?, AdditionalData*
190
+ )>
191
+ <!ATTLIST Alert
192
+ messageid CDATA '0'
193
+ %attlist.global;
194
+ >
195
+
196
+ <!ELEMENT Heartbeat (
197
+ Analyzer, CreateTime, HeartbeatInterval?, AnalyzerTime?,
198
+ AdditionalData*
199
+ )>
200
+ <!ATTLIST Heartbeat
201
+ messageid CDATA '0'
202
+ %attlist.global;
203
+ >
204
+
205
+ <!-- ===============================================================
206
+ ===================================================================
207
+ === SECTION 4. Subclasses of the Alert element that provide more
208
+ === data for specific types of alerts.
209
+ ===================================================================
210
+ =============================================================== -->
211
+
212
+ <!ELEMENT CorrelationAlert (
213
+ name, alertident+
214
+ )>
215
+ <!ATTLIST CorrelationAlert
216
+ %attlist.global;
217
+ >
218
+
219
+ <!ELEMENT OverflowAlert (
220
+ program, size?, buffer?
221
+ )>
222
+ <!ATTLIST OverflowAlert
223
+ %attlist.global;
224
+ >
225
+
226
+ <!ELEMENT ToolAlert (
227
+ name, command?, alertident+
228
+ )>
229
+ <!ATTLIST ToolAlert
230
+ %attlist.global;
231
+ >
232
+
233
+ <!-- ===============================================================
234
+ ===================================================================
235
+ === SECTION 5. The AdditionalData element. This element allows an
236
+ === alert to include additional information that cannot
237
+ === be encoded elsewhere in the data model.
238
+ ===================================================================
239
+ =============================================================== -->
240
+
241
+
242
+ <!ELEMENT AdditionalData (
243
+ (boolean | byte | character | date-time |
244
+ integer | ntpstamp | portlist | real |
245
+ string | byte-string | xmltext )
246
+ )>
247
+
248
+ <!ATTLIST AdditionalData
249
+ type %attvals.adtype; 'string'
250
+ meaning CDATA #IMPLIED
251
+ %attlist.global;
252
+ >
253
+
254
+ <!-- ===============================================================
255
+ ===================================================================
256
+ === SECTION 6. Elements related to identifying entities - analyzers
257
+ === (the senders of these messages), sources (of
258
+ === attacks), and targets (of attacks).
259
+ ===================================================================
260
+ =============================================================== -->
261
+
262
+ <!ELEMENT Analyzer (
263
+ Node?, Process?, Analyzer?
264
+ )>
265
+ <!ATTLIST Analyzer
266
+ analyzerid CDATA '0'
267
+ name CDATA #IMPLIED
268
+ manufacturer CDATA #IMPLIED
269
+ model CDATA #IMPLIED
270
+ version CDATA #IMPLIED
271
+ class CDATA #IMPLIED
272
+ ostype CDATA #IMPLIED
273
+ osversion CDATA #IMPLIED
274
+ %attlist.global;
275
+ >
276
+
277
+ <!ELEMENT Classification (
278
+ Reference*
279
+ )>
280
+ <!ATTLIST Classification
281
+ ident CDATA '0'
282
+ text CDATA #REQUIRED
283
+ >
284
+
285
+ <!ELEMENT Source (
286
+ Node?, User?, Process?, Service?
287
+ )>
288
+ <!ATTLIST Source
289
+ ident CDATA '0'
290
+ spoofed %attvals.yesno; 'unknown'
291
+ interface CDATA #IMPLIED
292
+ %attlist.global;
293
+ >
294
+
295
+ <!ELEMENT Target (
296
+ Node?, User?, Process?, Service?, File*
297
+ )>
298
+ <!ATTLIST Target
299
+ ident CDATA '0'
300
+ decoy %attvals.yesno; 'unknown'
301
+ interface CDATA #IMPLIED
302
+ %attlist.global;
303
+ >
304
+
305
+ <!ELEMENT Assessment (
306
+ Impact?, Action*, Confidence?
307
+ )>
308
+ <!ATTLIST Assessment
309
+ %attlist.global;
310
+ >
311
+
312
+ <!-- ===============================================================
313
+ ===================================================================
314
+ === SECTION 7. Support elements used for providing detailed info
315
+ === about entities - addresses, names, etc.
316
+ ===================================================================
317
+ =============================================================== -->
318
+
319
+ <!ELEMENT Reference (
320
+ name, url
321
+ )>
322
+ <!ATTLIST Reference
323
+ origin %attvals.origin; 'unknown'
324
+ meaning CDATA #IMPLIED
325
+ >
326
+
327
+ <!ELEMENT Node (
328
+ location?, (name | Address), Address*
329
+ )>
330
+ <!ATTLIST Node
331
+ ident CDATA '0'
332
+ category %attvals.nodecat; 'unknown'
333
+ %attlist.global;
334
+ >
335
+
336
+ <!ELEMENT Address (
337
+ address, netmask?
338
+ )>
339
+ <!ATTLIST Address
340
+ ident CDATA '0'
341
+ category %attvals.addrcat; 'unknown'
342
+ vlan-name CDATA #IMPLIED
343
+ vlan-num CDATA #IMPLIED
344
+ %attlist.global;
345
+ >
346
+
347
+ <!ELEMENT File (
348
+ name, path, create-time?, modify-time?, access-time?,
349
+ data-size?, disk-size?, FileAccess*, Linkage*, Inode?,
350
+ Checksum*
351
+ )>
352
+ <!ATTLIST File
353
+ ident CDATA '0'
354
+ category %attvals.filecat; #REQUIRED
355
+ fstype CDATA #IMPLIED
356
+ file-type CDATA #IMPLIED
357
+ %attlist.global;
358
+ >
359
+
360
+ <!ELEMENT Permission EMPTY >
361
+ <!ATTLIST Permission
362
+ perms %attvals.fileperm; #REQUIRED
363
+ %attlist.global;
364
+ >
365
+
366
+ <!ELEMENT FileAccess (
367
+ UserId, Permission+
368
+ )>
369
+ <!ATTLIST FileAccess
370
+ %attlist.global;
371
+ >
372
+
373
+ <!ELEMENT Inode (
374
+ change-time?, (number, major-device, minor-device)?,
375
+ (c-major-device, c-minor-device)?
376
+ )>
377
+ <!ATTLIST Inode
378
+ %attlist.global;
379
+ >
380
+
381
+ <!ELEMENT Linkage (
382
+ (name, path) | File
383
+ )>
384
+ <!ATTLIST Linkage
385
+ category %attvals.linkcat; #REQUIRED
386
+ %attlist.global;
387
+ >
388
+
389
+ <!ELEMENT Checksum (
390
+ value, key?
391
+ )>
392
+ <!ATTLIST Checksum
393
+ algorithm %attvals.checksumalgos; #REQUIRED
394
+ %attlist.global;
395
+ >
396
+
397
+ <!ELEMENT Process (
398
+ name, pid?, path?, arg*, env*
399
+ )>
400
+ <!ATTLIST Process
401
+ ident CDATA '0'
402
+ %attlist.global;
403
+ >
404
+
405
+ <!ELEMENT Service (
406
+ (((name, port?) | (port, name?)) | portlist), protocol?,
407
+ SNMPService?, WebService?
408
+ )>
409
+ <!ATTLIST Service
410
+ ident CDATA '0'
411
+ ip_version CDATA #IMPLIED
412
+ iana_protocol_number CDATA #IMPLIED
413
+ iana_protocol_name CDATA #IMPLIED
414
+ %attlist.global;
415
+ >
416
+
417
+ <!ELEMENT SNMPService (
418
+ oid?, messageProcessingModel?, securityModel?, securityName?,
419
+ securityLevel?, contextName?, contextEngineID?, command?
420
+ )>
421
+ <!ATTLIST SNMPService
422
+ %attlist.global;
423
+ >
424
+
425
+ <!ELEMENT User (
426
+ UserId+
427
+ )>
428
+ <!ATTLIST User
429
+ ident CDATA '0'
430
+ category %attvals.usercat; 'unknown'
431
+ %attlist.global;
432
+ >
433
+
434
+ <!ELEMENT UserId (
435
+ (name, number?) | (number, name?)
436
+ )>
437
+ <!ATTLIST UserId
438
+ ident CDATA '0'
439
+ type %attvals.idtype; 'original-user'
440
+ tty CDATA #IMPLIED
441
+ %attlist.global;
442
+ >
443
+
444
+ <!ELEMENT WebService (
445
+ url, cgi?, http-method?, arg*
446
+ )>
447
+ <!ATTLIST WebService
448
+ %attlist.global;
449
+ >
450
+
451
+ <!-- ===============================================================
452
+ ===================================================================
453
+ === SECTION 8. Simple elements with sub-elements or attributes of a
454
+ === special nature.
455
+ ===================================================================
456
+ =============================================================== -->
457
+
458
+ <!ELEMENT Action (#PCDATA) >
459
+ <!ATTLIST Action
460
+ category %attvals.actioncat; 'other'
461
+ %attlist.global;
462
+ >
463
+
464
+ <!ELEMENT CreateTime (#PCDATA) >
465
+ <!ATTLIST CreateTime
466
+ ntpstamp CDATA #REQUIRED
467
+ %attlist.global;
468
+ >
469
+
470
+ <!ELEMENT DetectTime (#PCDATA) >
471
+ <!ATTLIST DetectTime
472
+ ntpstamp CDATA #REQUIRED
473
+ %attlist.global;
474
+
475
+ >
476
+
477
+ <!ELEMENT AnalyzerTime (#PCDATA) >
478
+ <!ATTLIST AnalyzerTime
479
+ ntpstamp CDATA #REQUIRED
480
+ %attlist.global;
481
+ >
482
+
483
+ <!ELEMENT Confidence (#PCDATA) >
484
+ <!ATTLIST Confidence
485
+ rating %attvals.rating; 'numeric'
486
+ %attlist.global;
487
+ >
488
+
489
+ <!ELEMENT Impact (#PCDATA) >
490
+ <!ATTLIST Impact
491
+ severity %attvals.severity; #IMPLIED
492
+ completion %attvals.completion; #IMPLIED
493
+ type %attvals.impacttype; 'other'
494
+ %attlist.global;
495
+ >
496
+
497
+ <!ELEMENT alertident (#PCDATA) >
498
+ <!ATTLIST alertident
499
+ analyzerid CDATA #IMPLIED
500
+ %attlist.global;
501
+ >
502
+
503
+ <!-- ===============================================================
504
+ ===================================================================
505
+ === SECTION 9. Simple elements with no sub-elements and no special
506
+ === attributes.
507
+ ===================================================================
508
+ =============================================================== -->
509
+
510
+ <!ELEMENT boolean (#PCDATA) >
511
+ <!ATTLIST boolean %attlist.global; >
512
+
513
+ <!ELEMENT byte (#PCDATA) >
514
+ <!ATTLIST byte %attlist.global; >
515
+
516
+ <!ELEMENT character (#PCDATA) >
517
+ <!ATTLIST character %attlist.global; >
518
+
519
+ <!ELEMENT date-time (#PCDATA) >
520
+ <!ATTLIST date-time %attlist.global; >
521
+
522
+ <!ELEMENT integer (#PCDATA) >
523
+ <!ATTLIST integer %attlist.global; >
524
+
525
+ <!ELEMENT ntpstamp (#PCDATA) >
526
+ <!ATTLIST ntpstamp %attlist.global; >
527
+
528
+ <!ELEMENT real (#PCDATA) >
529
+ <!ATTLIST real %attlist.global; >
530
+
531
+ <!ELEMENT string (#PCDATA) >
532
+ <!ATTLIST string %attlist.global; >
533
+
534
+ <!ELEMENT byte-string (#PCDATA) >
535
+ <!ATTLIST byte-string %attlist.global; >
536
+
537
+ <!ELEMENT xmltext ANY >
538
+ <!ATTLIST xmltext %attlist.global; >
539
+
540
+ <!ELEMENT access-time (#PCDATA) >
541
+ <!ATTLIST access-time %attlist.global; >
542
+
543
+ <!ELEMENT address (#PCDATA) >
544
+ <!ATTLIST address %attlist.global; >
545
+
546
+ <!ELEMENT arg (#PCDATA) >
547
+ <!ATTLIST arg %attlist.global; >
548
+
549
+ <!ELEMENT buffer (#PCDATA) >
550
+ <!ATTLIST buffer %attlist.global; >
551
+
552
+ <!ELEMENT c-major-device (#PCDATA) >
553
+ <!ATTLIST c-major-device %attlist.global; >
554
+
555
+ <!ELEMENT c-minor-device (#PCDATA) >
556
+ <!ATTLIST c-minor-device %attlist.global; >
557
+
558
+ <!ELEMENT cgi (#PCDATA) >
559
+ <!ATTLIST cgi %attlist.global; >
560
+
561
+ <!ELEMENT change-time (#PCDATA) >
562
+ <!ATTLIST change-time %attlist.global; >
563
+
564
+ <!ELEMENT command (#PCDATA) >
565
+ <!ATTLIST command %attlist.global; >
566
+
567
+ <!ELEMENT create-time (#PCDATA) >
568
+ <!ATTLIST create-time %attlist.global; >
569
+
570
+ <!ELEMENT data-size (#PCDATA) >
571
+ <!ATTLIST data-size %attlist.global; >
572
+
573
+ <!ELEMENT disk-size (#PCDATA) >
574
+ <!ATTLIST disk-size %attlist.global; >
575
+
576
+ <!ELEMENT env (#PCDATA) >
577
+ <!ATTLIST env %attlist.global; >
578
+
579
+
580
+ <!ELEMENT http-method (#PCDATA) >
581
+ <!ATTLIST http-method %attlist.global; >
582
+
583
+ <!ELEMENT location (#PCDATA) >
584
+ <!ATTLIST location %attlist.global; >
585
+
586
+ <!ELEMENT major-device (#PCDATA) >
587
+ <!ATTLIST major-device %attlist.global; >
588
+
589
+ <!ELEMENT minor-device (#PCDATA) >
590
+ <!ATTLIST minor-device %attlist.global; >
591
+
592
+ <!ELEMENT modify-time (#PCDATA) >
593
+ <!ATTLIST modify-time %attlist.global; >
594
+
595
+ <!ELEMENT name (#PCDATA) >
596
+ <!ATTLIST name %attlist.global; >
597
+
598
+ <!ELEMENT netmask (#PCDATA) >
599
+ <!ATTLIST netmask %attlist.global; >
600
+
601
+ <!ELEMENT number (#PCDATA) >
602
+ <!ATTLIST number %attlist.global; >
603
+
604
+ <!ELEMENT oid (#PCDATA) >
605
+ <!ATTLIST oid %attlist.global; >
606
+
607
+ <!ELEMENT path (#PCDATA) >
608
+ <!ATTLIST path %attlist.global; >
609
+
610
+ <!ELEMENT permission (#PCDATA) >
611
+ <!ATTLIST permission %attlist.global; >
612
+
613
+ <!ELEMENT pid (#PCDATA) >
614
+ <!ATTLIST pid %attlist.global; >
615
+
616
+ <!ELEMENT port (#PCDATA) >
617
+ <!ATTLIST port %attlist.global; >
618
+
619
+ <!ELEMENT portlist (#PCDATA) >
620
+ <!ATTLIST portlist %attlist.global; >
621
+
622
+ <!ELEMENT program (#PCDATA) >
623
+ <!ATTLIST program %attlist.global; >
624
+
625
+ <!ELEMENT protocol (#PCDATA) >
626
+ <!ATTLIST protocol %attlist.global; >
627
+
628
+ <!ELEMENT size (#PCDATA) >
629
+ <!ATTLIST size %attlist.global; >
630
+
631
+ <!ELEMENT url (#PCDATA) >
632
+ <!ATTLIST url %attlist.global; >
633
+
634
+ <!ELEMENT HeartbeatInterval (#PCDATA) >
635
+ <!ATTLIST HeartbeatInterval %attlist.global; >
636
+
637
+ <!ELEMENT messageProcessingModel (#PCDATA) >
638
+ <!ATTLIST messageProcessingModel %attlist.global;>
639
+
640
+ <!ELEMENT securityModel (#PCDATA) >
641
+ <!ATTLIST securityModel %attlist.global; >
642
+
643
+ <!ELEMENT securityName (#PCDATA) >
644
+ <!ATTLIST securityName %attlist.global; >
645
+
646
+ <!ELEMENT securityLevel (#PCDATA) >
647
+ <!ATTLIST securityLevel %attlist.global; >
648
+
649
+ <!ELEMENT contextName (#PCDATA) >
650
+ <!ATTLIST contextName %attlist.global; >
651
+
652
+ <!ELEMENT contextEngineID (#PCDATA) >
653
+ <!ATTLIST contextEngineID %attlist.global; >
654
+
655
+ <!ELEMENT value (#PCDATA) >
656
+ <!ATTLIST value %attlist.global; >
657
+
658
+ <!ELEMENT key (#PCDATA) >
659
+ <!ATTLIST key %attlist.global; >
660
+
661
+ <!-- End of IDMEF DTD -->