logstash-codec-idmef 0.9.2 → 0.9.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/docs/index.asciidoc +61 -22
- data/lib/logstash/codecs/idmef-message.dtd +661 -0
- data/lib/logstash/codecs/idmef.rb +283 -202
- data/logstash-codec-idmef.gemspec +1 -1
- data/spec/codecs/idmef_spec.rb +102 -12
- metadata +17 -17
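--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 369de7d0aa661ce5611b92b82d7298189bd0800c3bc402cf31c1b7374fd74829
+data.tar.gz: e90a133097762767201e70d8f217ff000b5c253b5322c70addc8808311ac5543
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 97e0fe7e14207bc49950e241b7afdefa77135cdd539785c8e0f448677b6e864b649da848b75245994aa72318ac911534c7bdf60ee419ac8a0a3a9771a1f7c87b
+data.tar.gz: a721069ce3cb1701643395f0f6753ac06511cb50dd87f878092dd6500ef244229e1421aa3ad316a3f9bb0ca14698905fa2b0c63047e9cb738536a4db91cb7315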
data/CHANGELOG.md
CHANGED
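--- a/data/docs/index.asciidoc
+++ b/data/docs/index.asciidoc
@@ -41,14 +41,18 @@ https://tools.ietf.org/html/rfc4765
 ===== `paths`
 
 * Value type is <<hash,hash>>
+
 * The defautl value is an empty `hash`.
 
 This parameter let you add IDMEF paths to map from logstash event to IDMEF
 field.
 
 For example, if:
+
 * the name of your alert is in `event.get('message')`
+
 * the target host is in `event.get('host')`
+
 * the name of your analyzer is "ACME"
 
 you probably want to put this:
@@ -69,56 +73,91 @@ you probably want to put this:
 The keys of the hash are IDMEF path as described here:
 https://redmine.secef.net/projects/secef/wiki/LibPrelude_IDMEF_path
 
-The values of the hash are values to set in final IDMEF. If
-
+The values of the hash are values to set in final IDMEF. If there is %{name}
+inside the string, the plugin try to retrieve the value from the event and
+create the final string.
 
 [id="plugins-{type}s-{plugin}-defaults"]
 ===== `defaults`
 
 * Value type is <<boolean,boolean>>
+
 * Default value is `true`
 
 Try to use default paths mapping or not.
 
 Default paths are:
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
-
-* alert.
+
+* alert.analyzer(0).name: ["%{product}", "%{devname}"]
+
+* alert.analyzer(0).manufacturer: ["%{vendor}"]
+
+* alert.create_time: ["%{@timestamp}"]
+
+* alert.detect_time: ["%{@timestamp}"]
+
+* alert.analyzer_time: ["%{@timestamp}"]
+
+* alert.source(0).node.address(0).address: ["%{srcip}", "%{src}"]
+
+* alert.source(0).node.name: ["%{shost}", "%{srchost}", "%{shostname}", "%{srchostname}", "%{sname}", "%{srcname}"]
+
+* alert.source(0).service.port: ["%{spt}", "%{sport}", "%{s_port}"]
+
+* alert.source(0).service.name: ["%{sservice}", "%{srcservice}"]
+
+* alert.target(0).node.address(0).address: ["%{hostip}", "%{dstip}", "%{dst}", "%{ip}"]
+
+* alert.target(0).node.name: ["%{host}", "%{hostname}", "%{shost}", "%{srchost}", "%{shostname}", "%{srchostname}", "%{sname}", "%{srcname}"]
+
+* alert.target(0).service.port: ["%{dpt}", "%{dport}", "%{d_port}"]
+
+* alert.target(0).service.name: ["%{service}", "%{service_id}", "%{dservice}", "%{dstservice}"]
+
+* alert.target(0).user.user_id(0).name: ["%{user}", "%{dstuser}", "%{duser}"]
+
+* alert.target(0).user.user_id(0).number: ["%{uid}", "%{dstuid}", "%{duid}"]
+
+* alert.target(0).process.name: ["%{proc}", "%{process}"]
+
+* alert.target(0).process.pid: ["%{dpid}", "%{pid}"]
+
+* alert.classification.text: ["%{rule_name}", "%{event}", "%{message}"]
+
+* alert.assessment.impact.severity: ["%{severity}", "%{level}"]
+
+* alert.assessment.action.description: ["%{action}"]
+
 
 [id="plugins-{type}s-{plugin}-additionaldata"]
 ===== `additionaldata`
 
 * Value type is <<boolean,boolean>>
+
 * Default value is `true`
 
 When an alert is transformed in IDMEF, the remaining fields of the initial
 event are translated into IDMEF's Additional Data. If you don't want to do this
 translation, set this setting to `false`.
 
+[id="plugins-{type}s-{plugin}-validate_xml"]
+===== `validate_xml`
+
+* Value type is <<boolean,boolean>>
+
+* Default value is `false`
+
+Validate the generated XML with IDMEF DTD.
+
 [id="plugins-{type}s-{plugin}-type"]
 ===== `type`
 
 * Value type is <<string,string>>
+
 * Default value is `"alert"`
 
 IDMEF can defined two types of message:
+
 * alert
 
 RFC definition: Generally, every time an analyzer detects an event that it has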
@@ -0,0 +1,661 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
|
3
|
+
<!-- ***************************************************************
|
4
|
+
*******************************************************************
|
5
|
+
*** Intrusion Detection Message Exchange Format (IDMEF) XML DTD ***
|
6
|
+
*** Version 1.0, 07 March 2006 ***
|
7
|
+
*** ***
|
8
|
+
*** The use and extension of the IDMEF XML DTD are described in ***
|
9
|
+
*** RFC XXXX, "Intrusion Detection Message Exchange Format Data ***
|
10
|
+
*** Model and Extensible Markup Language (XML) Document Type ***
|
11
|
+
*** Definition," D. Curry, H. Debar, B. Feinstein. ***
|
12
|
+
*******************************************************************
|
13
|
+
*************************************************************** -->
|
14
|
+
|
15
|
+
<!-- ===============================================================
|
16
|
+
===================================================================
|
17
|
+
=== SECTION 1. Attribute list declarations.
|
18
|
+
===================================================================
|
19
|
+
=============================================================== -->
|
20
|
+
|
21
|
+
<!--
|
22
|
+
| Attributes of the IDMEF element. In general, the fixed values of
|
23
|
+
| these attributes will change each time a new version of the DTD
|
24
|
+
| is released.
|
25
|
+
-->
|
26
|
+
|
27
|
+
<!ENTITY % attlist.idmef "
|
28
|
+
version CDATA #FIXED '1.0'
|
29
|
+
">
|
30
|
+
|
31
|
+
<!--
|
32
|
+
| Attributes of all elements. These are the "XML" attributes that
|
33
|
+
| every element should have. Space handling, language, and name
|
34
|
+
| space.
|
35
|
+
-->
|
36
|
+
<!ENTITY % attlist.global "
|
37
|
+
xmlns:idmef CDATA #FIXED
|
38
|
+
'http://iana.org/idmef'
|
39
|
+
xmlns CDATA #FIXED
|
40
|
+
'http://iana.org/idmef'
|
41
|
+
xml:space (default | preserve) 'default'
|
42
|
+
xml:lang NMTOKEN #IMPLIED
|
43
|
+
">
|
44
|
+
|
45
|
+
<!-- ===============================================================
|
46
|
+
===================================================================
|
47
|
+
=== SECTION 2. Attribute value declarations. Enumerated values for
|
48
|
+
=== many of the element-specific attribute lists.
|
49
|
+
===================================================================
|
50
|
+
=============================================================== -->
|
51
|
+
|
52
|
+
<!--
|
53
|
+
| Values for the Action.category attribute.
|
54
|
+
-->
|
55
|
+
<!ENTITY % attvals.actioncat "
|
56
|
+
( block-installed | notification-sent | taken-offline | other )
|
57
|
+
">
|
58
|
+
|
59
|
+
<!--
|
60
|
+
| Values for the Address.category attribute.
|
61
|
+
-->
|
62
|
+
<!ENTITY % attvals.addrcat "
|
63
|
+
( unknown | atm | e-mail | lotus-notes | mac | sna | vm |
|
64
|
+
ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask |
|
65
|
+
ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask )
|
66
|
+
">
|
67
|
+
|
68
|
+
<!--
|
69
|
+
| Values for the AdditionalData.type attribute.
|
70
|
+
-->
|
71
|
+
<!ENTITY % attvals.adtype "
|
72
|
+
( boolean | byte | character | date-time | integer | ntpstamp |
|
73
|
+
portlist | real | string | byte-string | xmltext )
|
74
|
+
">
|
75
|
+
|
76
|
+
<!--
|
77
|
+
| Values for the Impact.completion attribute.
|
78
|
+
-->
|
79
|
+
<!ENTITY % attvals.completion "
|
80
|
+
( failed | succeeded )
|
81
|
+
">
|
82
|
+
|
83
|
+
<!--
|
84
|
+
| Values for the File.category attribute.
|
85
|
+
-->
|
86
|
+
<!ENTITY % attvals.filecat "
|
87
|
+
( current | original )
|
88
|
+
">
|
89
|
+
|
90
|
+
<!ENTITY % attvals.fileperm "( noAccess | read | write | execute |
|
91
|
+
search | delete | executeAs | changePermissions |
|
92
|
+
takeOwnership)" >
|
93
|
+
|
94
|
+
<!--
|
95
|
+
| Values for the UserId.type attribute.
|
96
|
+
-->
|
97
|
+
<!ENTITY % attvals.idtype "
|
98
|
+
( current-user | original-user | target-user | user-privs |
|
99
|
+
current-group | group-privs | other-privs )
|
100
|
+
">
|
101
|
+
|
102
|
+
<!--
|
103
|
+
| Values for the Impact.type attribute.
|
104
|
+
-->
|
105
|
+
<!ENTITY % attvals.impacttype "
|
106
|
+
( admin | dos | file | recon | user | other )
|
107
|
+
">
|
108
|
+
|
109
|
+
<!--
|
110
|
+
| Values for the Linkage.category attribute.
|
111
|
+
-->
|
112
|
+
<!ENTITY % attvals.linkcat "
|
113
|
+
( hard-link | mount-point | reparse-point | shortcut | stream |
|
114
|
+
symbolic-link )
|
115
|
+
">
|
116
|
+
|
117
|
+
<!--
|
118
|
+
| Values for the Checksum.algorithm attribute
|
119
|
+
-->
|
120
|
+
<!ENTITY % attvals.checksumalgos "
|
121
|
+
( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 |
|
122
|
+
Haval | Tiger | Gost )
|
123
|
+
">
|
124
|
+
|
125
|
+
<!--
|
126
|
+
| Values for the Node.category attribute.
|
127
|
+
-->
|
128
|
+
<!ENTITY % attvals.nodecat "
|
129
|
+
( unknown | ads | afs | coda | dfs | dns | hosts | kerberos |
|
130
|
+
nds | nis | nisplus | nt | wfw )
|
131
|
+
">
|
132
|
+
|
133
|
+
<!--
|
134
|
+
| Values for the Reference.origin attribute.
|
135
|
+
-->
|
136
|
+
<!ENTITY % attvals.origin "
|
137
|
+
( unknown | vendor-specific | user-specific | bugtraqid | cve |
|
138
|
+
osvdb )
|
139
|
+
">
|
140
|
+
|
141
|
+
<!--
|
142
|
+
| Values for the Confidence.rating attribute.
|
143
|
+
|
144
|
+
-->
|
145
|
+
<!ENTITY % attvals.rating "
|
146
|
+
( low | medium | high | numeric )
|
147
|
+
">
|
148
|
+
|
149
|
+
<!--
|
150
|
+
| Values for the Impact.severity attribute.
|
151
|
+
-->
|
152
|
+
<!ENTITY % attvals.severity "
|
153
|
+
( info | low | medium | high )
|
154
|
+
">
|
155
|
+
|
156
|
+
<!--
|
157
|
+
| Values for the User.category attribute.
|
158
|
+
-->
|
159
|
+
<!ENTITY % attvals.usercat "
|
160
|
+
( unknown | application | os-device )
|
161
|
+
">
|
162
|
+
|
163
|
+
<!--
|
164
|
+
| Values for yes/no attributes such as Source.spoofed and
|
165
|
+
| Target.decoy.
|
166
|
+
-->
|
167
|
+
<!ENTITY % attvals.yesno "
|
168
|
+
( unknown | yes | no )
|
169
|
+
">
|
170
|
+
|
171
|
+
<!-- ===============================================================
|
172
|
+
===================================================================
|
173
|
+
=== SECTION 3. Top-level element declarations. The IDMEF-Message
|
174
|
+
=== element and the types of messages it can include.
|
175
|
+
===================================================================
|
176
|
+
=============================================================== -->
|
177
|
+
|
178
|
+
<!ELEMENT IDMEF-Message (
|
179
|
+
(Alert | Heartbeat)*
|
180
|
+
)>
|
181
|
+
<!ATTLIST IDMEF-Message
|
182
|
+
%attlist.global;
|
183
|
+
%attlist.idmef;
|
184
|
+
>
|
185
|
+
|
186
|
+
<!ELEMENT Alert (
|
187
|
+
Analyzer, CreateTime, DetectTime?, AnalyzerTime?,
|
188
|
+
Source*, Target*, Classification, Assessment?, (ToolAlert |
|
189
|
+
OverflowAlert | CorrelationAlert)?, AdditionalData*
|
190
|
+
)>
|
191
|
+
<!ATTLIST Alert
|
192
|
+
messageid CDATA '0'
|
193
|
+
%attlist.global;
|
194
|
+
>
|
195
|
+
|
196
|
+
<!ELEMENT Heartbeat (
|
197
|
+
Analyzer, CreateTime, HeartbeatInterval?, AnalyzerTime?,
|
198
|
+
AdditionalData*
|
199
|
+
)>
|
200
|
+
<!ATTLIST Heartbeat
|
201
|
+
messageid CDATA '0'
|
202
|
+
%attlist.global;
|
203
|
+
>
|
204
|
+
|
205
|
+
<!-- ===============================================================
|
206
|
+
===================================================================
|
207
|
+
=== SECTION 4. Subclasses of the Alert element that provide more
|
208
|
+
=== data for specific types of alerts.
|
209
|
+
===================================================================
|
210
|
+
=============================================================== -->
|
211
|
+
|
212
|
+
<!ELEMENT CorrelationAlert (
|
213
|
+
name, alertident+
|
214
|
+
)>
|
215
|
+
<!ATTLIST CorrelationAlert
|
216
|
+
%attlist.global;
|
217
|
+
>
|
218
|
+
|
219
|
+
<!ELEMENT OverflowAlert (
|
220
|
+
program, size?, buffer?
|
221
|
+
)>
|
222
|
+
<!ATTLIST OverflowAlert
|
223
|
+
%attlist.global;
|
224
|
+
>
|
225
|
+
|
226
|
+
<!ELEMENT ToolAlert (
|
227
|
+
name, command?, alertident+
|
228
|
+
)>
|
229
|
+
<!ATTLIST ToolAlert
|
230
|
+
%attlist.global;
|
231
|
+
>
|
232
|
+
|
233
|
+
<!-- ===============================================================
|
234
|
+
===================================================================
|
235
|
+
=== SECTION 5. The AdditionalData element. This element allows an
|
236
|
+
=== alert to include additional information that cannot
|
237
|
+
=== be encoded elsewhere in the data model.
|
238
|
+
===================================================================
|
239
|
+
=============================================================== -->
|
240
|
+
|
241
|
+
|
242
|
+
<!ELEMENT AdditionalData (
|
243
|
+
(boolean | byte | character | date-time |
|
244
|
+
integer | ntpstamp | portlist | real |
|
245
|
+
string | byte-string | xmltext )
|
246
|
+
)>
|
247
|
+
|
248
|
+
<!ATTLIST AdditionalData
|
249
|
+
type %attvals.adtype; 'string'
|
250
|
+
meaning CDATA #IMPLIED
|
251
|
+
%attlist.global;
|
252
|
+
>
|
253
|
+
|
254
|
+
<!-- ===============================================================
|
255
|
+
===================================================================
|
256
|
+
=== SECTION 6. Elements related to identifying entities - analyzers
|
257
|
+
=== (the senders of these messages), sources (of
|
258
|
+
=== attacks), and targets (of attacks).
|
259
|
+
===================================================================
|
260
|
+
=============================================================== -->
|
261
|
+
|
262
|
+
<!ELEMENT Analyzer (
|
263
|
+
Node?, Process?, Analyzer?
|
264
|
+
)>
|
265
|
+
<!ATTLIST Analyzer
|
266
|
+
analyzerid CDATA '0'
|
267
|
+
name CDATA #IMPLIED
|
268
|
+
manufacturer CDATA #IMPLIED
|
269
|
+
model CDATA #IMPLIED
|
270
|
+
version CDATA #IMPLIED
|
271
|
+
class CDATA #IMPLIED
|
272
|
+
ostype CDATA #IMPLIED
|
273
|
+
osversion CDATA #IMPLIED
|
274
|
+
%attlist.global;
|
275
|
+
>
|
276
|
+
|
277
|
+
<!ELEMENT Classification (
|
278
|
+
Reference*
|
279
|
+
)>
|
280
|
+
<!ATTLIST Classification
|
281
|
+
ident CDATA '0'
|
282
|
+
text CDATA #REQUIRED
|
283
|
+
>
|
284
|
+
|
285
|
+
<!ELEMENT Source (
|
286
|
+
Node?, User?, Process?, Service?
|
287
|
+
)>
|
288
|
+
<!ATTLIST Source
|
289
|
+
ident CDATA '0'
|
290
|
+
spoofed %attvals.yesno; 'unknown'
|
291
|
+
interface CDATA #IMPLIED
|
292
|
+
%attlist.global;
|
293
|
+
>
|
294
|
+
|
295
|
+
<!ELEMENT Target (
|
296
|
+
Node?, User?, Process?, Service?, File*
|
297
|
+
)>
|
298
|
+
<!ATTLIST Target
|
299
|
+
ident CDATA '0'
|
300
|
+
decoy %attvals.yesno; 'unknown'
|
301
|
+
interface CDATA #IMPLIED
|
302
|
+
%attlist.global;
|
303
|
+
>
|
304
|
+
|
305
|
+
<!ELEMENT Assessment (
|
306
|
+
Impact?, Action*, Confidence?
|
307
|
+
)>
|
308
|
+
<!ATTLIST Assessment
|
309
|
+
%attlist.global;
|
310
|
+
>
|
311
|
+
|
312
|
+
<!-- ===============================================================
|
313
|
+
===================================================================
|
314
|
+
=== SECTION 7. Support elements used for providing detailed info
|
315
|
+
=== about entities - addresses, names, etc.
|
316
|
+
===================================================================
|
317
|
+
=============================================================== -->
|
318
|
+
|
319
|
+
<!ELEMENT Reference (
|
320
|
+
name, url
|
321
|
+
)>
|
322
|
+
<!ATTLIST Reference
|
323
|
+
origin %attvals.origin; 'unknown'
|
324
|
+
meaning CDATA #IMPLIED
|
325
|
+
>
|
326
|
+
|
327
|
+
<!ELEMENT Node (
|
328
|
+
location?, (name | Address), Address*
|
329
|
+
)>
|
330
|
+
<!ATTLIST Node
|
331
|
+
ident CDATA '0'
|
332
|
+
category %attvals.nodecat; 'unknown'
|
333
|
+
%attlist.global;
|
334
|
+
>
|
335
|
+
|
336
|
+
<!ELEMENT Address (
|
337
|
+
address, netmask?
|
338
|
+
)>
|
339
|
+
<!ATTLIST Address
|
340
|
+
ident CDATA '0'
|
341
|
+
category %attvals.addrcat; 'unknown'
|
342
|
+
vlan-name CDATA #IMPLIED
|
343
|
+
vlan-num CDATA #IMPLIED
|
344
|
+
%attlist.global;
|
345
|
+
>
|
346
|
+
|
347
|
+
<!ELEMENT File (
|
348
|
+
name, path, create-time?, modify-time?, access-time?,
|
349
|
+
data-size?, disk-size?, FileAccess*, Linkage*, Inode?,
|
350
|
+
Checksum*
|
351
|
+
)>
|
352
|
+
<!ATTLIST File
|
353
|
+
ident CDATA '0'
|
354
|
+
category %attvals.filecat; #REQUIRED
|
355
|
+
fstype CDATA #IMPLIED
|
356
|
+
file-type CDATA #IMPLIED
|
357
|
+
%attlist.global;
|
358
|
+
>
|
359
|
+
|
360
|
+
<!ELEMENT Permission EMPTY >
|
361
|
+
<!ATTLIST Permission
|
362
|
+
perms %attvals.fileperm; #REQUIRED
|
363
|
+
%attlist.global;
|
364
|
+
>
|
365
|
+
|
366
|
+
<!ELEMENT FileAccess (
|
367
|
+
UserId, Permission+
|
368
|
+
)>
|
369
|
+
<!ATTLIST FileAccess
|
370
|
+
%attlist.global;
|
371
|
+
>
|
372
|
+
|
373
|
+
<!ELEMENT Inode (
|
374
|
+
change-time?, (number, major-device, minor-device)?,
|
375
|
+
(c-major-device, c-minor-device)?
|
376
|
+
)>
|
377
|
+
<!ATTLIST Inode
|
378
|
+
%attlist.global;
|
379
|
+
>
|
380
|
+
|
381
|
+
<!ELEMENT Linkage (
|
382
|
+
(name, path) | File
|
383
|
+
)>
|
384
|
+
<!ATTLIST Linkage
|
385
|
+
category %attvals.linkcat; #REQUIRED
|
386
|
+
%attlist.global;
|
387
|
+
>
|
388
|
+
|
389
|
+
<!ELEMENT Checksum (
|
390
|
+
value, key?
|
391
|
+
)>
|
392
|
+
<!ATTLIST Checksum
|
393
|
+
algorithm %attvals.checksumalgos; #REQUIRED
|
394
|
+
%attlist.global;
|
395
|
+
>
|
396
|
+
|
397
|
+
<!ELEMENT Process (
|
398
|
+
name, pid?, path?, arg*, env*
|
399
|
+
)>
|
400
|
+
<!ATTLIST Process
|
401
|
+
ident CDATA '0'
|
402
|
+
%attlist.global;
|
403
|
+
>
|
404
|
+
|
405
|
+
<!ELEMENT Service (
|
406
|
+
(((name, port?) | (port, name?)) | portlist), protocol?,
|
407
|
+
SNMPService?, WebService?
|
408
|
+
)>
|
409
|
+
<!ATTLIST Service
|
410
|
+
ident CDATA '0'
|
411
|
+
ip_version CDATA #IMPLIED
|
412
|
+
iana_protocol_number CDATA #IMPLIED
|
413
|
+
iana_protocol_name CDATA #IMPLIED
|
414
|
+
%attlist.global;
|
415
|
+
>
|
416
|
+
|
417
|
+
<!ELEMENT SNMPService (
|
418
|
+
oid?, messageProcessingModel?, securityModel?, securityName?,
|
419
|
+
securityLevel?, contextName?, contextEngineID?, command?
|
420
|
+
)>
|
421
|
+
<!ATTLIST SNMPService
|
422
|
+
%attlist.global;
|
423
|
+
>
|
424
|
+
|
425
|
+
<!ELEMENT User (
|
426
|
+
UserId+
|
427
|
+
)>
|
428
|
+
<!ATTLIST User
|
429
|
+
ident CDATA '0'
|
430
|
+
category %attvals.usercat; 'unknown'
|
431
|
+
%attlist.global;
|
432
|
+
>
|
433
|
+
|
434
|
+
<!ELEMENT UserId (
|
435
|
+
(name, number?) | (number, name?)
|
436
|
+
)>
|
437
|
+
<!ATTLIST UserId
|
438
|
+
ident CDATA '0'
|
439
|
+
type %attvals.idtype; 'original-user'
|
440
|
+
tty CDATA #IMPLIED
|
441
|
+
%attlist.global;
|
442
|
+
>
|
443
|
+
|
444
|
+
<!ELEMENT WebService (
|
445
|
+
url, cgi?, http-method?, arg*
|
446
|
+
)>
|
447
|
+
<!ATTLIST WebService
|
448
|
+
%attlist.global;
|
449
|
+
>
|
450
|
+
|
451
|
+
<!-- ===============================================================
|
452
|
+
===================================================================
|
453
|
+
=== SECTION 8. Simple elements with sub-elements or attributes of a
|
454
|
+
=== special nature.
|
455
|
+
===================================================================
|
456
|
+
=============================================================== -->
|
457
|
+
|
458
|
+
<!ELEMENT Action (#PCDATA) >
|
459
|
+
<!ATTLIST Action
|
460
|
+
category %attvals.actioncat; 'other'
|
461
|
+
%attlist.global;
|
462
|
+
>
|
463
|
+
|
464
|
+
<!ELEMENT CreateTime (#PCDATA) >
|
465
|
+
<!ATTLIST CreateTime
|
466
|
+
ntpstamp CDATA #REQUIRED
|
467
|
+
%attlist.global;
|
468
|
+
>
|
469
|
+
|
470
|
+
<!ELEMENT DetectTime (#PCDATA) >
|
471
|
+
<!ATTLIST DetectTime
|
472
|
+
ntpstamp CDATA #REQUIRED
|
473
|
+
%attlist.global;
|
474
|
+
|
475
|
+
>
|
476
|
+
|
477
|
+
<!ELEMENT AnalyzerTime (#PCDATA) >
|
478
|
+
<!ATTLIST AnalyzerTime
|
479
|
+
ntpstamp CDATA #REQUIRED
|
480
|
+
%attlist.global;
|
481
|
+
>
|
482
|
+
|
483
|
+
<!ELEMENT Confidence (#PCDATA) >
|
484
|
+
<!ATTLIST Confidence
|
485
|
+
rating %attvals.rating; 'numeric'
|
486
|
+
%attlist.global;
|
487
|
+
>
|
488
|
+
|
489
|
+
<!ELEMENT Impact (#PCDATA) >
|
490
|
+
<!ATTLIST Impact
|
491
|
+
severity %attvals.severity; #IMPLIED
|
492
|
+
completion %attvals.completion; #IMPLIED
|
493
|
+
type %attvals.impacttype; 'other'
|
494
|
+
%attlist.global;
|
495
|
+
>
|
496
|
+
|
497
|
+
<!ELEMENT alertident (#PCDATA) >
|
498
|
+
<!ATTLIST alertident
|
499
|
+
analyzerid CDATA #IMPLIED
|
500
|
+
%attlist.global;
|
501
|
+
>
|
502
|
+
|
503
|
+
<!-- ===============================================================
|
504
|
+
===================================================================
|
505
|
+
=== SECTION 9. Simple elements with no sub-elements and no special
|
506
|
+
=== attributes.
|
507
|
+
===================================================================
|
508
|
+
=============================================================== -->
|
509
|
+
|
510
|
+
<!ELEMENT boolean (#PCDATA) >
|
511
|
+
<!ATTLIST boolean %attlist.global; >
|
512
|
+
|
513
|
+
<!ELEMENT byte (#PCDATA) >
|
514
|
+
<!ATTLIST byte %attlist.global; >
|
515
|
+
|
516
|
+
<!ELEMENT character (#PCDATA) >
|
517
|
+
<!ATTLIST character %attlist.global; >
|
518
|
+
|
519
|
+
<!ELEMENT date-time (#PCDATA) >
|
520
|
+
<!ATTLIST date-time %attlist.global; >
|
521
|
+
|
522
|
+
<!ELEMENT integer (#PCDATA) >
|
523
|
+
<!ATTLIST integer %attlist.global; >
|
524
|
+
|
525
|
+
<!ELEMENT ntpstamp (#PCDATA) >
|
526
|
+
<!ATTLIST ntpstamp %attlist.global; >
|
527
|
+
|
528
|
+
<!ELEMENT real (#PCDATA) >
|
529
|
+
<!ATTLIST real %attlist.global; >
|
530
|
+
|
531
|
+
<!ELEMENT string (#PCDATA) >
|
532
|
+
<!ATTLIST string %attlist.global; >
|
533
|
+
|
534
|
+
<!ELEMENT byte-string (#PCDATA) >
|
535
|
+
<!ATTLIST byte-string %attlist.global; >
|
536
|
+
|
537
|
+
<!ELEMENT xmltext ANY >
|
538
|
+
<!ATTLIST xmltext %attlist.global; >
|
539
|
+
|
540
|
+
<!ELEMENT access-time (#PCDATA) >
|
541
|
+
<!ATTLIST access-time %attlist.global; >
|
542
|
+
|
543
|
+
<!ELEMENT address (#PCDATA) >
|
544
|
+
<!ATTLIST address %attlist.global; >
|
545
|
+
|
546
|
+
<!ELEMENT arg (#PCDATA) >
|
547
|
+
<!ATTLIST arg %attlist.global; >
|
548
|
+
|
549
|
+
<!ELEMENT buffer (#PCDATA) >
|
550
|
+
<!ATTLIST buffer %attlist.global; >
|
551
|
+
|
552
|
+
<!ELEMENT c-major-device (#PCDATA) >
|
553
|
+
<!ATTLIST c-major-device %attlist.global; >
|
554
|
+
|
555
|
+
<!ELEMENT c-minor-device (#PCDATA) >
|
556
|
+
<!ATTLIST c-minor-device %attlist.global; >
|
557
|
+
|
558
|
+
<!ELEMENT cgi (#PCDATA) >
|
559
|
+
<!ATTLIST cgi %attlist.global; >
|
560
|
+
|
561
|
+
<!ELEMENT change-time (#PCDATA) >
|
562
|
+
<!ATTLIST change-time %attlist.global; >
|
563
|
+
|
564
|
+
<!ELEMENT command (#PCDATA) >
|
565
|
+
<!ATTLIST command %attlist.global; >
|
566
|
+
|
567
|
+
<!ELEMENT create-time (#PCDATA) >
|
568
|
+
<!ATTLIST create-time %attlist.global; >
|
569
|
+
|
570
|
+
<!ELEMENT data-size (#PCDATA) >
|
571
|
+
<!ATTLIST data-size %attlist.global; >
|
572
|
+
|
573
|
+
<!ELEMENT disk-size (#PCDATA) >
|
574
|
+
<!ATTLIST disk-size %attlist.global; >
|
575
|
+
|
576
|
+
<!ELEMENT env (#PCDATA) >
|
577
|
+
<!ATTLIST env %attlist.global; >
|
578
|
+
|
579
|
+
|
580
|
+
<!ELEMENT http-method (#PCDATA) >
|
581
|
+
<!ATTLIST http-method %attlist.global; >
|
582
|
+
|
583
|
+
<!ELEMENT location (#PCDATA) >
|
584
|
+
<!ATTLIST location %attlist.global; >
|
585
|
+
|
586
|
+
<!ELEMENT major-device (#PCDATA) >
|
587
|
+
<!ATTLIST major-device %attlist.global; >
|
588
|
+
|
589
|
+
<!ELEMENT minor-device (#PCDATA) >
|
590
|
+
<!ATTLIST minor-device %attlist.global; >
|
591
|
+
|
592
|
+
<!ELEMENT modify-time (#PCDATA) >
|
593
|
+
<!ATTLIST modify-time %attlist.global; >
|
594
|
+
|
595
|
+
<!ELEMENT name (#PCDATA) >
|
596
|
+
<!ATTLIST name %attlist.global; >
|
597
|
+
|
598
|
+
<!ELEMENT netmask (#PCDATA) >
|
599
|
+
<!ATTLIST netmask %attlist.global; >
|
600
|
+
|
601
|
+
<!ELEMENT number (#PCDATA) >
|
602
|
+
<!ATTLIST number %attlist.global; >
|
603
|
+
|
604
|
+
<!ELEMENT oid (#PCDATA) >
|
605
|
+
<!ATTLIST oid %attlist.global; >
|
606
|
+
|
607
|
+
<!ELEMENT path (#PCDATA) >
|
608
|
+
<!ATTLIST path %attlist.global; >
|
609
|
+
|
610
|
+
<!ELEMENT permission (#PCDATA) >
|
611
|
+
<!ATTLIST permission %attlist.global; >
|
612
|
+
|
613
|
+
<!ELEMENT pid (#PCDATA) >
|
614
|
+
<!ATTLIST pid %attlist.global; >
|
615
|
+
|
616
|
+
<!ELEMENT port (#PCDATA) >
|
617
|
+
<!ATTLIST port %attlist.global; >
|
618
|
+
|
619
|
+
<!ELEMENT portlist (#PCDATA) >
|
620
|
+
<!ATTLIST portlist %attlist.global; >
|
621
|
+
|
622
|
+
<!ELEMENT program (#PCDATA) >
|
623
|
+
<!ATTLIST program %attlist.global; >
|
624
|
+
|
625
|
+
<!ELEMENT protocol (#PCDATA) >
|
626
|
+
<!ATTLIST protocol %attlist.global; >
|
627
|
+
|
628
|
+
<!ELEMENT size (#PCDATA) >
|
629
|
+
<!ATTLIST size %attlist.global; >
|
630
|
+
|
631
|
+
<!ELEMENT url (#PCDATA) >
|
632
|
+
<!ATTLIST url %attlist.global; >
|
633
|
+
|
634
|
+
<!ELEMENT HeartbeatInterval (#PCDATA) >
|
635
|
+
<!ATTLIST HeartbeatInterval %attlist.global; >
|
636
|
+
|
637
|
+
<!ELEMENT messageProcessingModel (#PCDATA) >
|
638
|
+
<!ATTLIST messageProcessingModel %attlist.global;>
|
639
|
+
|
640
|
+
<!ELEMENT securityModel (#PCDATA) >
|
641
|
+
<!ATTLIST securityModel %attlist.global; >
|
642
|
+
|
643
|
+
<!ELEMENT securityName (#PCDATA) >
|
644
|
+
<!ATTLIST securityName %attlist.global; >
|
645
|
+
|
646
|
+
<!ELEMENT securityLevel (#PCDATA) >
|
647
|
+
<!ATTLIST securityLevel %attlist.global; >
|
648
|
+
|
649
|
+
<!ELEMENT contextName (#PCDATA) >
|
650
|
+
<!ATTLIST contextName %attlist.global; >
|
651
|
+
|
652
|
+
<!ELEMENT contextEngineID (#PCDATA) >
|
653
|
+
<!ATTLIST contextEngineID %attlist.global; >
|
654
|
+
|
655
|
+
<!ELEMENT value (#PCDATA) >
|
656
|
+
<!ATTLIST value %attlist.global; >
|
657
|
+
|
658
|
+
<!ELEMENT key (#PCDATA) >
|
659
|
+
<!ATTLIST key %attlist.global; >
|
660
|
+
|
661
|
+
<!-- End of IDMEF DTD -->
|