Tech-invite3GPPspaceIETFspace
96959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 4765

The Intrusion Detection Message Exchange Format (IDMEF)

Pages: 157
Experimental
Part 3 of 6 – Pages 47 to 79
First   Prev   Next

Top   ToC   RFC4765 - Page 47   prevText

4.2.7. The Support Classes

The support classes make up the major parts of the core classes, and are shared between them.
4.2.7.1. The Reference Class
The Reference class provides the "name" of an alert, or other information allowing the manager to determine what it is. The Reference class is composed of two aggregate classes, as shown in Figure 13. +----------------+ | Reference | +----------------+ +------+ | STRING origin |<>----------| name | | STRING meaning | +------+ | | +------+ | |<>----------| url | | | +------+ +----------------+ Figure 13: The Reference Class The aggregate classes that make up Reference are: name Exactly one. STRING. The name of the alert, from one of the origins listed below. url Exactly one. STRING. A URL at which the manager (or the human operator of the manager) can find additional information about the alert. The document pointed to by the URL may include an in-depth description of the attack, appropriate countermeasures, or other information deemed relevant by the vendor.
Top   ToC   RFC4765 - Page 48
   This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.origin               "
       ( unknown | vendor-specific | user-specific | bugtraqid | cve |
         osvdb )
     ">

   <!ELEMENT Reference                (
       name, url
     )>
   <!ATTLIST Reference
       origin              %attvals.origin;        'unknown'
       meaning             CDATA                   #IMPLIED
     >

   The Reference class has two attributes:

   origin

      Required.  The source from which the name of the alert originates.
      The permitted values for this attribute are shown below.  The
      default value is "unknown".  (See also Section 10.)

   +------+-----------------+------------------------------------------+
   | Rank | Keyword         | Description                              |
   +------+-----------------+------------------------------------------+
   |    0 | unknown         | Origin of the name is not known          |
   |      |                 |                                          |
   |    1 | vendor-specific | A vendor-specific name (and hence, URL); |
   |      |                 | this can be used to provide              |
   |      |                 | product-specific information             |
   |      |                 |                                          |
   |    2 | user-specific   | A user-specific name (and hence, URL);   |
   |      |                 | this can be used to provide              |
   |      |                 | installation-specific information        |
   |      |                 |                                          |
   |    3 | bugtraqid       | The SecurityFocus ("Bugtraq")            |
   |      |                 | vulnerability database identifier        |
   |      |                 | (http://www.securityfocus.com/bid)       |
   |      |                 |                                          |
   |    4 | cve             | The Common Vulnerabilities and Exposures |
   |      |                 | (CVE) name (http://www.cve.mitre.org/)   |
   |      |                 |                                          |
   |    5 | osvdb           | The Open Source Vulnerability Database   |
   |      |                 | (http://www.osvdb.org)                   |
   +------+-----------------+------------------------------------------+
Top   ToC   RFC4765 - Page 49
   meaning

      Optional.  The meaning of the reference, as understood by the
      alert provider.  This field is only valid if the value of the
      <origin> attribute is set to "vendor-specific" or "user-specific".

4.2.7.2. The Node Class
The Node class is used to identify hosts and other network devices (routers, switches, etc.). The Node class is composed of three aggregate classes, as shown in Figure 14. +---------------+ | Node | +---------------+ 0..1 +----------+ | STRING ident |<>----------| location | | ENUM category | +----------+ | | 0..1 +----------+ | |<>----------| name | | | +----------+ | | 0..* +----------+ | |<>----------| Address | | | +----------+ +---------------+ Figure 14: The Node Class The aggregate classes that make up Node are: location Zero or one. STRING. The location of the equipment. name Zero or one. STRING. The name of the equipment. This information MUST be provided if no Address information is given. Address Zero or more. The network or hardware address of the equipment. Unless a name (above) is provided, at least one address must be specified.
Top   ToC   RFC4765 - Page 50
   This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.nodecat              "
       ( unknown | ads | afs | coda | dfs | dns | hosts | kerberos |
         nds | nis | nisplus | nt | wfw )
     ">

   <!ELEMENT Node                          (
       location?, (name | Address), Address*
     )>
   <!ATTLIST Node
       ident               CDATA                   '0'
       category            %attvals.nodecat;       'unknown'
       %attlist.global;
     >
Top   ToC   RFC4765 - Page 51
   The Node class has two attributes:

   ident

      Optional.  A unique identifier for the node; see Section 3.2.9.

   category

      Optional.  The "domain" from which the name information was
      obtained, if relevant.  The permitted values for this attribute
      are shown in the table below.  The default value is "unknown".
      (See also Section 10 for extensions to the table.)

      +------+----------+------------------------------------------+
      | Rank | Keyword  | Description                              |
      +------+----------+------------------------------------------+
      |    0 | unknown  | Domain unknown or not relevant           |
      |      |          |                                          |
      |    1 | ads      | Windows 2000 Advanced Directory Services |
      |      |          |                                          |
      |    2 | afs      | Andrew File System (Transarc)            |
      |      |          |                                          |
      |    3 | coda     | Coda Distributed File System             |
      |      |          |                                          |
      |    4 | dfs      | Distributed File System (IBM)            |
      |      |          |                                          |
      |    5 | dns      | Domain Name System                       |
      |      |          |                                          |
      |    6 | hosts    | Local hosts file                         |
      |      |          |                                          |
      |    7 | kerberos | Kerberos realm                           |
      |      |          |                                          |
      |    8 | nds      | Novell Directory Services                |
      |      |          |                                          |
      |    9 | nis      | Network Information Services (Sun)       |
      |      |          |                                          |
      |   10 | nisplus  | Network Information Services Plus (Sun)  |
      |      |          |                                          |
      |   11 | nt       | Windows NT domain                        |
      |      |          |                                          |
      |   12 | wfw      | Windows for Workgroups                   |
      +------+----------+------------------------------------------+
Top   ToC   RFC4765 - Page 52
4.2.7.2.1. The Address Class
The Address class is used to represent network, hardware, and application addresses. The Address class is composed of two aggregate classes, as shown in Figure 15. +------------------+ | Address | +------------------+ +---------+ | STRING ident |<>----------| address | | ENUM category | +---------+ | STRING vlan-name | 0..1 +---------+ | INTEGER vlan-num |<>----------| netmask | | | +---------+ +------------------+ Figure 15: The Address Class The aggregate classes that make up Address are: address Exactly one. STRING. The address information. The format of this data is governed by the category attribute. netmask Zero or one. STRING. The network mask for the address, if appropriate.
Top   ToC   RFC4765 - Page 53
   This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.addrcat              "
       ( unknown | atm | e-mail | lotus-notes | mac | sna | vm |
         ipv4-addr | ipv4-addr-hex | ipv4-net | ipv4-net-mask |
         ipv6-addr | ipv6-addr-hex | ipv6-net | ipv6-net-mask )
     ">

   <!ELEMENT Address                       (
       address, netmask?
     )>
   <!ATTLIST Address
       ident               CDATA                   '0'
       category            %attvals.addrcat;       'unknown'
       vlan-name           CDATA                   #IMPLIED
       vlan-num            CDATA                   #IMPLIED
       %attlist.global;
     >

   The Address class has four attributes:

   ident

      Optional.  A unique identifier for the address; see Section 3.2.9.

   category

      Optional.  The type of address represented.  The permitted values
      for this attribute are shown below.  The default value is
      "unknown".  (See also Section 10.)
Top   ToC   RFC4765 - Page 54
   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | unknown       | Address type unknown                       |
   |      |               |                                            |
   |    1 | atm           | Asynchronous Transfer Mode network address |
   |      |               |                                            |
   |    2 | e-mail        | Electronic mail address (RFC 2822 [12])    |
   |      |               |                                            |
   |    3 | lotus-notes   | Lotus Notes e-mail address                 |
   |      |               |                                            |
   |    4 | mac           | Media Access Control (MAC) address         |
   |      |               |                                            |
   |    5 | sna           | IBM Shared Network Architecture (SNA)      |
   |      |               | address                                    |
   |      |               |                                            |
   |    6 | vm            | IBM VM ("PROFS") e-mail address            |
   |      |               |                                            |
   |    7 | ipv4-addr     | IPv4 host address in dotted-decimal        |
   |      |               | notation (a.b.c.d)                         |
   |      |               |                                            |
   |    8 | ipv4-addr-hex | IPv4 host address in hexadecimal notation  |
   |      |               |                                            |
   |    9 | ipv4-net      | IPv4 network address in dotted-decimal     |
   |      |               | notation, slash, significant bits          |
   |      |               | (a.b.c.d/nn)                               |
   |      |               |                                            |
   |   10 | ipv4-net-mask | IPv4 network address in dotted-decimal     |
   |      |               | notation, slash, network mask in           |
   |      |               | dotted-decimal notation (a.b.c.d/w.x.y.z)  |
   |      |               |                                            |
   |   11 | ipv6-addr     | IPv6 host address                          |
   |      |               |                                            |
   |   12 | ipv6-addr-hex | IPv6 host address in hexadecimal notation  |
   |      |               |                                            |
   |   13 | ipv6-net      | IPv6 network address, slash, significant   |
   |      |               | bits                                       |
   |      |               |                                            |
   |   14 | ipv6-net-mask | IPv6 network address, slash, network mask  |
   +------+---------------+--------------------------------------------+

   vlan-name

      Optional.  The name of the Virtual LAN to which the address
      belongs.
Top   ToC   RFC4765 - Page 55
   vlan-num

      Optional.  The number of the Virtual LAN to which the address
      belongs.

4.2.7.3. The User Class
The User class is used to describe users. It is primarily used as a "container" class for the UserId aggregate class, as shown in Figure 16. +---------------+ | User | +---------------+ 1..* +--------+ | STRING ident |<>----------| UserId | | ENUM category | +--------+ +---------------+ Figure 16: The User Class The aggregate class contained in User is: UserId One or more. Identification of a user, as indicated by its type attribute (see Section 4.2.7.3.1). This is represented in the IDMEF DTD as follows: <!ENTITY % attvals.usercat " ( unknown | application | os-device ) "> <!ELEMENT User ( UserId+ )> <!ATTLIST User ident CDATA '0' category %attvals.usercat; 'unknown' %attlist.global; >
Top   ToC   RFC4765 - Page 56
   The User class has two attributes:

   ident

      Optional.  A unique identifier for the user; see Section 3.2.9.

   category

      Optional.  The type of user represented.  The permitted values for
      this attribute are shown below.  The default value is "unknown".
      (See also Section 10.)

        +------+-------------+------------------------------------+
        | Rank | Keyword     | Description                        |
        +------+-------------+------------------------------------+
        |    0 | unknown     | User type unknown                  |
        |      |             |                                    |
        |    1 | application | An application user                |
        |      |             |                                    |
        |    2 | os-device   | An operating system or device user |
        +------+-------------+------------------------------------+

4.2.7.3.1. The UserId Class
The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. The UserId class is composed of two aggregate classes, as shown in Figure 17. +--------------+ | UserId | +--------------+ 0..1 +--------+ | STRING ident |<>----------| name | | ENUM type | +--------+ | STRING tty | 0..1 +--------+ | |<>----------| number | | | +--------+ +--------------+ Figure 17: The UserId Class
Top   ToC   RFC4765 - Page 57
   The aggregate classes that make up UserId are:

   name

      Zero or one.  STRING.  A user or group name.

   number

      Zero or one.  INTEGER.  A user or group number.

   This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.idtype               "
       ( current-user | original-user | target-user | user-privs |
         current-group | group-privs | other-privs )
     ">

   <!ELEMENT UserId                        (
       (name, number?) | (number, name?)
     )>
   <!ATTLIST UserId
       ident               CDATA                   '0'
       type                %attvals.idtype;        'original-user'
       tty                 CDATA                   #IMPLIED
       %attlist.global;
     >

   The UserId class has three attributes:

   ident

      Optional.  A unique identifier for the user id, see Section 3.2.9.

   type

      Optional.  The type of user information represented.  The
      permitted values for this attribute are shown below.  The default
      value is "original-user".  (See also Section 10.)
Top   ToC   RFC4765 - Page 58
   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | current-user  | The current user id being used by the user |
   |      |               | or process.  On Unix systems, this would   |
   |      |               | be the "real" user id, in general.         |
   |      |               |                                            |
   |    1 | original-user | The actual identity of the user or process |
   |      |               | being reported on.  On those systems that  |
   |      |               | (a) do some type of auditing and (b)       |
   |      |               | support extracting a user id from the      |
   |      |               | "audit id" token, that value should be     |
   |      |               | used.  On those systems that do not        |
   |      |               | support this, and where the user has       |
   |      |               | logged into the system, the "login id"     |
   |      |               | should be used.                            |
   |      |               |                                            |
   |    2 | target-user   | The user id the user or process is         |
   |      |               | attempting to become.  This would apply,   |
   |      |               | on Unix systems for example, when the user |
   |      |               | attempts to use "su", "rlogin", "telnet",  |
   |      |               | etc.                                       |
   |      |               |                                            |
   |    3 | user-privs    | Another user id the user or process has    |
   |      |               | the ability to use, or a user id           |
   |      |               | associated with a file permission.  On     |
   |      |               | Unix systems, this would be the            |
   |      |               | "effective" user id in a user or process   |
   |      |               | context, and the owner permissions in a    |
   |      |               | file context.  Multiple UserId elements of |
   |      |               | this type may be used to specify a list of |
   |      |               | privileges.                                |
   |      |               |                                            |
   |    4 | current-group | The current group id (if applicable) being |
   |      |               | used by the user or process.  On Unix      |
   |      |               | systems, this would be the "real" group    |
   |      |               | id, in general.                            |
   |      |               |                                            |
   |    5 | group-privs   | Another group id the group or process has  |
   |      |               | the ability to use, or a group id          |
   |      |               | associated with a file permission.  On     |
   |      |               | Unix systems, this would be the            |
   |      |               | "effective" group id in a group or process |
   |      |               | context, and the group permissions in a    |
   |      |               | file context.  On BSD-derived Unix         |
   |      |               | systems, multiple UserId elements of this  |
   |      |               | type would be used to include all the      |
   |      |               | group ids on the "group list".             |
Top   ToC   RFC4765 - Page 59
   |    6 | other-privs   | Not used in a user, group, or process      |
   |      |               | context, only used in the file context.    |
   |      |               | The file permissions assigned to users who |
   |      |               | do not match either the user or group      |
   |      |               | permissions on the file.  On Unix systems, |
   |      |               | this would be the "world" permissions.     |
   +------+---------------+--------------------------------------------+

   tty

      Optional.  STRING.  The tty the user is using.

4.2.7.4. The Process Class
The Process class is used to describe processes being executed on sources, targets, and analyzers. The Process class is composed of five aggregate classes, as shown in Figure 18. +--------------+ | Process | +--------------+ +------+ | STRING ident |<>----------| name | | | +------+ | | 0..1 +------+ | |<>----------| pid | | | +------+ | | 0..1 +------+ | |<>----------| path | | | +------+ | | 0..* +------+ | |<>----------| arg | | | +------+ | | 0..* +------+ | |<>----------| env | | | +------+ +--------------+ Figure 18: The Process Class
Top   ToC   RFC4765 - Page 60
   The aggregate classes that make up Process are:

   name

      Exactly one.  STRING.  The name of the program being executed.
      This is a short name; path and argument information are provided
      elsewhere.

   pid

      Zero or one.  INTEGER.  The process identifier of the process.

   path

      Zero or one.  STRING.  The full path of the program being
      executed.

   arg

      Zero or more.  STRING.  A command-line argument to the program.
      Multiple arguments may be specified (they are assumed to have
      occurred in the same order they are provided) with multiple uses
      of arg.

   env

      Zero or more.  STRING.  An environment string associated with the
      process; generally of the format "VARIABLE=value".  Multiple
      environment strings may be specified with multiple uses of env.

   This is represented in the IDMEF DTD as follows:

    <!ELEMENT Process                       (
       name, pid?, path?, arg*, env*
     )>
   <!ATTLIST Process
       ident               CDATA                   '0'
       %attlist.global;
     >

   The Process class has one attribute:

   ident

      Optional.  A unique identifier for the process; see Section 3.2.9.
Top   ToC   RFC4765 - Page 61
4.2.7.5. The Service Class
The Service class describes network services on sources and targets. It can identify services by name, port, and protocol. When Service occurs as an aggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" to the Node, Process, and User information also contained in Source. Likewise, when Service occurs as an aggregate class of Target, it is understood that the service is one to which activity of interest is being directed; and that the service is "attached" to the Node, Process, and User information also contained in Target. If Service occurs in both Source and Target, then information in both locations should be the same. If information is the same in both locations and implementers wish to carry it in only one location, they should specify it as an aggregate of the Target class. The Service class is composed of four aggregate classes, as shown in Figure 19. +-----------------------------+ | Service | +-----------------------------+ 0..1 +----------+ | STRING ident |<>----------| name | | INTEGER ip_version | +----------+ | INTEGER iana_protocol_number| 0..1 +----------+ | STRING iana_protocol_name |<>----------| port | | | +----------+ | | 0..1 +----------+ | |<>----------| portlist | | | +----------+ | | 0..1 +----------+ | |<>----------| protocol | | | +----------+ +-----------------------------+ /_\ | +---------+--------+ | | +-------------+ +-------------+ | SNMPService | | WebService | +-------------+ +-------------+ Figure 19: The Service Class
Top   ToC   RFC4765 - Page 62
   The aggregate classes that make up Service are:

   name

      Zero or one.  STRING.  The name of the service.  Whenever
      possible, the name from the IANA list of well-known ports SHOULD
      be used.

   port

      Zero or one.  INTEGER.  The port number being used.

   portlist

      Zero or one.  PORTLIST.  A list of port numbers being used; see
      Section 3.2.8 for formatting rules.  If a portlist is given, the
      iana_protocol_number and iana_protocol_name MUST apply to all the
      elements of the list.

   protocol

      Zero or one.  STRING.  Additional information about the protocol
      being used.  The intent of the protocol field is to carry
      additional information related to the protocol being used when the
      <Service> attributes iana_protocol_number or/and
      iana_protocol_name are filed.

   A Service MUST be specified as either (a) a name or a port or (b) a
   portlist.  The protocol is optional in all cases, but no other
   combinations are permitted.

   Service is represented in the IDMEF DTD as follows:

   <!ELEMENT Service                       (
       (((name, port?) | (port, name?)) | portlist), protocol?,
       SNMPService?, WebService?
     )>
   <!ATTLIST Service
       ident                CDATA                   '0'
   ip_version           CDATA                   #IMPLIED
   iana_protocol_number CDATA                  #IMPLIED
   iana_protocol_name   CDATA                  #IMPLIED
       %attlist.global;
     >
Top   ToC   RFC4765 - Page 63
   The Service class has four attributes:

   ident

      Optional.  A unique identifier for the service; see Section 3.2.9.

   ip_version

      Optional.  INTEGER.  The IP version number.

   iana_protocol_number

      Optional.  INTEGER.  The IANA protocol number.

   iana_protocol_name

      Optional.  STRING.  The IANA protocol name.

4.2.7.5.1. The WebService Class
The WebService class carries additional information related to web traffic. The WebService class is composed of four aggregate classes, as shown in Figure 20. +-------------+ | Service | +-------------+ /_\ | +-------------+ | WebService | +-------------+ +-------------+ | |<>----------| url | | | +-------------+ | | 0..1 +-------------+ | |<>----------| cgi | | | +-------------+ | | 0..1 +-------------+ | |<>----------| http-method | | | +-------------+ | | 0..* +-------------+ | |<>----------| arg | | | +-------------+ +-------------+ Figure 20: The WebService Class
Top   ToC   RFC4765 - Page 64
   The aggregate classes that make up WebService are:

   url

      Exactly one.  STRING.  The URL in the request.

   cgi

      Zero or one.  STRING.  The CGI script in the request, without
      arguments.

   http-method

      Zero or one.  STRING.  The HTTP method (PUT, GET) used in the
      request.

   arg

      Zero or more.  STRING.  The arguments to the CGI script.

   This is represented in the IDMEF DTD as follows:

   <!ELEMENT WebService                    (
       url, cgi?, http-method?, arg*
     )>
   <!ATTLIST WebService
       %attlist.global;
     >

4.2.7.5.2. The SNMPService Class
The SNMPService class carries additional information related to SNMP traffic. The aggregate classes composing SNMPService must be interpreted as described in RFC 3411 [15] and RFC 3584 [16]. The SNMPService class is composed of eight aggregate classes, as shown in Figure 21.
Top   ToC   RFC4765 - Page 65
                +-------------+
                |   Service   |
                +-------------+
                      /_\
                       |
                +-------------+
                | SNMPService |
                +-------------+       0..1 +----------------------+
                |             |<>----------|       oid            |
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|messageProcessingModel|
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|    securityModel     |
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|    securityName      |
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|   securityLevel      |
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|    contextName       |
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|   contextEngineID    |
                |             |            +----------------------+
                |             |       0..1 +----------------------+
                |             |<>----------|     command          |
                |             |            +----------------------+
                +-------------+

                     Figure 21: The SNMPService Class

   The aggregate classes that make up SNMPService are:

   oid

      Zero or one.  STRING.  The object identifier in the request.

   messageProcessingModel

      Zero or one.  INTEGER.  The SNMP version, typically 0 for SNMPv1,
      1 for SNMPv2c, 2 for SNMPv2u and SNMPv2*, and 3 for SNMPv3; see
      RFC 3411 [15] Section 5 for appropriate values.
Top   ToC   RFC4765 - Page 66
   securityModel

      Zero or one.  INTEGER.  The identification of the security model
      in use, typically 0 for any, 1 for SNMPv1, 2 for SNMPv2c, and 3
      for USM; see RFC 3411 [15] Section 5 for appropriate values.

   securityName

      Zero or one.  STRING.  The object's security name; see RFC 3411
      [15] Section 3.2.2.

   securityLevel

      Zero or one.  INTEGER.  The security level of the SNMP request;
      see RFC 3411 [15] Section 3.4.3.

   contextName

      Zero or one.  STRING.  The object's context name; see RFC 3411
      [15] Section 3.3.3.

   contextEngineID

      Zero or one.  STRING.  The object's context engine identifier; see
      RFC 3411 [15] Section 3.3.2.

   command

      Zero or one.  STRING.  The command sent to the SNMP server (GET,
      SET, etc.).

   If other fields of an SNMP message are available and should be
   incorporated in the IDMEF alert, they must be located in the
   additionaldata structure with the meaning being an object definition
   defined in RFC 3411 [15] Section 5 and the value located within the
   additionaldata payload.

   This is represented in the IDMEF DTD as follows:

   <!ELEMENT SNMPService                   (
       oid?, messageProcessingModel?, securityModel?, securityName?,
       securityLevel?, contextName?, contextEngineID?, command?
     )>
   <!ATTLIST SNMPService
       %attlist.global;
     >
Top   ToC   RFC4765 - Page 67
4.2.7.6. The File Class
The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute. The File class is composed of eleven aggregate classes, as shown in Figure 22. +--------------+ | File | +--------------+ +-------------+ | |<>----------| name | | | +-------------+ | | +-------------+ | |<>----------| path | | | +-------------+ | | 0..1 +-------------+ | |<>----------| create-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| modify-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| access-time | | | +-------------+ | | 0..1 +-------------+ | |<>----------| data-size | | | +-------------+ | | 0..1 +-------------+ | |<>----------| disk-size | | | +-------------+ | | 0..* +-------------+ | |<>----------| FileAccess | | | +-------------+ | | 0..* +-------------+ | |<>----------| Linkage | | | +-------------+ | | 0..1 +-------------+ | |<>----------| Inode | | | +-------------+ | | 0..* +-------------+ | |<>----------| Checksum | | | +-------------+ +--------------+ Figure 22: The File Class
Top   ToC   RFC4765 - Page 68
   The aggregate classes that make up File are:

   name

      Exactly one.  STRING.  The name of the file to which the alert
      applies, not including the path to the file.

   path

      Exactly one.  STRING.  The full path to the file, including the
      name.  The path name should be represented in as "universal" a
      manner as possible, to facilitate processing of the alert.

      For Windows systems, the path should be specified using the
      Universal Naming Convention (UNC) for remote files, and using a
      drive letter for local files (e.g., "C:\boot.ini").  For Unix
      systems, paths on network file systems should use the name of the
      mounted resource instead of the local mount point (e.g.,
      "fileserver:/usr/local/bin/foo").  The mount point can be provided
      using the <Linkage> element.

   create-time

      Zero or one.  DATETIME.  Time the file was created.  Note that
      this is *not* the Unix "st_ctime" file attribute (which is not
      file creation time).  The Unix "st_ctime" attribute is contained
      in the "Inode" class.

   modify-time

      Zero or one.  DATETIME.  Time the file was last modified.

   access-time

      Zero or one.  DATETIME.  Time the file was last accessed.

   data-size

      Zero or one.  INTEGER.  The size of the data, in bytes.  Typically
      what is meant when referring to file size.  On Unix UFS file
      systems, this value corresponds to stat.st_size.  On Windows NTFS,
      this value corresponds to Valid Data Length (VDL).
Top   ToC   RFC4765 - Page 69
   disk-size

      Zero or one.  INTEGER.  The physical space on disk consumed by the
      file, in bytes.  On Unix UFS file systems, this value corresponds
      to 512 * stat.st_blocks.  On Windows NTFS, this value corresponds
      to End of File (EOF).

   FileAccess

      Zero or more.  Access permissions on the file.

   Linkage

      Zero or more.  File system objects to which this file is linked
      (other references for the file).

   Inode

      Zero or one.  Inode information for this file (relevant to Unix).

   Checksum

      Zero or more.  Checksum information for this file.

   This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.filecat              "
       ( current | original )
     ">

   <!ELEMENT File                          (
       name, path, create-time?, modify-time?, access-time?,
       data-size?, disk-size?, FileAccess*, Linkage*, Inode?,
       Checksum*
     )>
   <!ATTLIST File
       ident               CDATA                   '0'
       category            %attvals.filecat;       #REQUIRED
       fstype              CDATA                   #IMPLIED
       file-type           CDATA                   #IMPLIED
       %attlist.global;
     >

   The File class has four attributes (one required and three optional):

   ident

      Optional.  A unique identifier for this file; see Section 3.2.9.
Top   ToC   RFC4765 - Page 70
   category

      Required.  The context for the information being provided.  The
      permitted values are shown below.  There is no default value.
      (See also Section 10.)

   +------+----------+-------------------------------------------------+
   | Rank | Keyword  | Description                                     |
   +------+----------+-------------------------------------------------+
   |    0 | current  | The file information is from after the reported |
   |      |          | change                                          |
   |      |          |                                                 |
   |    1 | original | The file information is from before the         |
   |      |          | reported change                                 |
   +------+----------+-------------------------------------------------+

   fstype

      Optional.  The type of file system the file resides on.  This
      attribute governs how path names and other attributes are
      interpreted.

                +------+---------+-------------------------------------+
                | Rank | Keyword | Description                         |
                +------+---------+-------------------------------------+
                |    0 | ufs     | Berkeley Unix Fast File System      |
                |    1 | efs     | Linux "efs" file system             |
                |    2 | nfs     | Network File System                 |
                |    3 | afs     | Andrew File System                  |
                |    4 | ntfs    | Windows NT File System              |
                |    5 | fat16   | 16-bit Windows FAT File System      |
                |    6 | fat32   | 32-bit Windows FAT File System      |
                |    7 | pcfs    | "PC" (MS-DOS) file system on CD-ROM |
                |    8 | joliet  | Joliet CD-ROM file system           |
                |    9 | iso9660 | ISO 9660 CD-ROM file system         |
                +------+---------+-------------------------------------+

   file-type

      Optional.  The type of file, as a mime-type.
Top   ToC   RFC4765 - Page 71
4.2.7.6.1. The FileAccess Class
The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems. The FileAccess class is composed of two aggregate classes, as shown in Figure 23. +--------------+ | FileAccess | +--------------+ +------------+ | |<>----------| UserId | | | +------------+ | | 1..* +------------+ | |<>----------| Permission | | | +------------+ +--------------+ Figure 23: The FileAccess Class The aggregate classes that make up FileAccess are: UserId Exactly one. The user (or group) to which these permissions apply. The value of the "type" attribute must be "user-privs", "group-privs", or "other-privs" as appropriate. Other values for "type" MUST NOT be used in this context.
Top   ToC   RFC4765 - Page 72
   Permission

      One or more.  ENUM.  Level of access allowed.  The permitted
      values are shown below.  There is no default value.  (See also
      Section 10.)

   +------+-------------------+----------------------------------------+
   | Rank | Keyword           | Description                            |
   +------+-------------------+----------------------------------------+
   |    0 | noAccess          | No access at all is allowed for this   |
   |      |                   | user                                   |
   |      |                   |                                        |
   |    1 | read              | This user has read access to the file  |
   |      |                   |                                        |
   |    2 | write             | This user has write access to the file |
   |      |                   |                                        |
   |    3 | execute           | This user has the ability to execute   |
   |      |                   | the file                               |
   |      |                   |                                        |
   |    4 | search            | This user has the ability to search    |
   |      |                   | this file (applies to "execute"        |
   |      |                   | permission on directories in Unix)     |
   |      |                   |                                        |
   |    5 | delete            | This user has the ability to delete    |
   |      |                   | this file                              |
   |      |                   |                                        |
   |    6 | executeAs         | This user has the ability to execute   |
   |      |                   | this file as another user              |
   |      |                   |                                        |
   |    7 | changePermissions | This user has the ability to change    |
   |      |                   | the access permissions on this file    |
   |      |                   |                                        |
   |    8 | takeOwnership     | This user has the ability to take      |
   |      |                   | ownership of this file                 |
   +------+-------------------+----------------------------------------+

   The "changePermissions" and "takeOwnership" strings represent those
   concepts in Windows.  On Unix, the owner of the file always has
   "changePermissions" access, even if no other access is allowed for
   that user.  "Full Control" in Windows is represented by enumerating
   the permissions it contains.  The "executeAs" string represents the
   set-user-id and set-group-id features in Unix.
Top   ToC   RFC4765 - Page 73
   This is represented in the IDMEF DTD as follows:

   <!ELEMENT Permission EMPTY >
   <!ATTLIST Permission
       perms               %attvals.fileperm;      #REQUIRED
       %attlist.global;
   >

   <!ENTITY % attvals.fileperm "( noAccess | read | write | execute |
     search | delete | executeAs | changePermissions |
     takeOwnership)" >

4.2.7.6.2. The Linkage Class
The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate. The Linkage class is composed of three aggregate classes, as shown in Figure 24. +--------------+ | Linkage | +--------------+ +------+ | |<>----------| name | | | +------+ | | +------+ | |<>----------| path | | | +------+ | | +------+ | |<>----------| File | | | +------+ +--------------+ Figure 24: The Linkage Class The aggregate classes that make up Linkage are: name Exactly one. STRING. The name of the file system object, not including the path.
Top   ToC   RFC4765 - Page 74
   path

      Exactly one.  STRING.  The full path to the file system object,
      including the name.  The path name should be represented in as
      "universal" a manner as possible, to facilitate processing of the
      alert.

   File

      Exactly one.  A <File> element may be used in place of the <name>
      and <path> elements if additional information about the file is to
      be included.

   This is represented in the IDMEF DTD as follows:

   <!ENTITY % attvals.linkcat              "
       ( hard-link | mount-point | reparse-point | shortcut | stream |
         symbolic-link )
     ">

   <!ELEMENT Linkage                       (
       (name, path) | File
     )>
   <!ATTLIST Linkage
       category            %attvals.linkcat;       #REQUIRED
       %attlist.global;
     >
Top   ToC   RFC4765 - Page 75
   The Linkage class has one attribute:

   category

      The type of object that the link describes.  The permitted values
      are shown below.  There is no default value.  (See also
      Section 10.)

   +------+---------------+--------------------------------------------+
   | Rank | Keyword       | Description                                |
   +------+---------------+--------------------------------------------+
   |    0 | hard-link     | The <name> element represents another name |
   |      |               | for this file.  This information may be    |
   |      |               | more easily obtainable on NTFS file        |
   |      |               | systems than others.                       |
   |      |               |                                            |
   |    1 | mount-point   | An alias for the directory specified by    |
   |      |               | the parent's <name> and <path> elements.   |
   |      |               |                                            |
   |    2 | reparse-point | Applies only to Windows; excludes symbolic |
   |      |               | links and mount points, which are specific |
   |      |               | types of reparse points.                   |
   |      |               |                                            |
   |    3 | shortcut      | The file represented by a Windows          |
   |      |               | "shortcut".  A shortcut is distinguished   |
   |      |               | from a symbolic link because of the        |
   |      |               | difference in their contents, which may be |
   |      |               | of importance to the manager.              |
   |      |               |                                            |
   |    4 | stream        | An Alternate Data Stream (ADS) in Windows; |
   |      |               | a fork on MacOS.  Separate file system     |
   |      |               | entity that is considered an extension of  |
   |      |               | the main <File>.                           |
   |    5 | symbolic-link | The <name> element represents the file to  |
   |      |               | which the link points.                     |
   +------+---------------+--------------------------------------------+
Top   ToC   RFC4765 - Page 76
4.2.7.6.3. The Inode Class
The Inode class is used to represent the additional information contained in a Unix file system i-node. The Inode class is composed of six aggregate classes, as shown in Figure 25. +--------------+ | Inode | +--------------+ +----------------+ | |<>----------| change-time | | | +----------------+ | | +----------------+ | |<>----------| number | | | +----------------+ | | +----------------+ | |<>----------| major-device | | | +----------------+ | | +----------------+ | |<>----------| minor-device | | | +----------------+ | | +----------------+ | |<>----------| c-major-device | | | +----------------+ | | +----------------+ | |<>----------| c-minor-device | | | +----------------+ +--------------+ Figure 25: The Inode Class The aggregate classes that make up Inode are: change-time Zero or one. DATETIME. The time of the last inode change, given by the st_ctime element of "struct stat". number Zero or one. INTEGER. The inode number. major-device Zero or one. INTEGER. The major device number of the device the file resides on.
Top   ToC   RFC4765 - Page 77
   minor-device

      Zero or one.  INTEGER.  The minor device number of the device the
      file resides on.

   c-major-device

      Zero or one.  INTEGER.  The major device of the file itself, if it
      is a character special device.

   c-minor-device

      Zero or one.  INTEGER.  The minor device of the file itself, if it
      is a character special device.

   Note that <number>, <major-device>, and <minor-device> must be given
   together, and the <c-major-device> and <c-minor-device> must be given
   together.

   This is represented in the IDMEF DTD as follows:

   <!ELEMENT Inode                         (
       change-time?, (number, major-device, minor-device)?,
       (c-major-device, c-minor-device)?
     )>
   <!ATTLIST Inode
       %attlist.global;
     >
Top   ToC   RFC4765 - Page 78
4.2.7.6.4. The Checksum Class
The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. The checksum class is composed of two aggregate classes, as shown in Figure 26. +--------------+ | Checksum | +--------------+ +-------+ | algorithm |<>----------| value | | | +-------+ | | 0..1+-------+ | |<>----------| key | | | +-------+ +--------------+ Figure 26: The Checksum Class The aggregate classes that make up Checksum are: value Exactly one. STRING. The value of the checksum. key Zero or one. STRING. The key to the checksum, if appropriate. This is represented in the IDMEF DTD as follows: <!ENTITY % attvals.checksumalgos " ( MD4 | MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512 | CRC-32 | Haval | Tiger | Gost ) "> <!ELEMENT Checksum ( value, key? )> <!ATTLIST Checksum algorithm %attvals.checksumalgos; #REQUIRED %attlist.global; >
Top   ToC   RFC4765 - Page 79
   The Checksum class has one attribute:

   algorithm

      The cryptographic algorithm used for the computation of the
      checksum.  The permitted values are shown below.  There is no
      default value.  (See also Section 10.)

      +------+----------+------------------------------------------+
      | Rank | Keyword  | Description                              |
      +------+----------+------------------------------------------+
      |    0 | MD4      | The MD4 algorithm.                       |
      |      |          |                                          |
      |    1 | MD5      | The MD5 algorithm.                       |
      |      |          |                                          |
      |    2 | SHA1     | The SHA1 algorithm.                      |
      |      |          |                                          |
      |    3 | SHA2-256 | The SHA2 algorithm with 256 bits length. |
      |      |          |                                          |
      |    4 | SHA2-384 | The SHA2 algorithm with 384 bits length. |
      |      |          |                                          |
      |    5 | SHA2-512 | The SHA2 algorithm with 512 bits length. |
      |      |          |                                          |
      |    6 | CRC-32   | The CRC algorithm with 32 bits length.   |
      |      |          |                                          |
      |    7 | Haval    | The Haval algorithm.                     |
      |      |          |                                          |
      |    8 | Tiger    | The Tiger algorithm.                     |
      |      |          |                                          |
      |    9 | Gost     | The Gost algorithm.                      |
      +------+----------+------------------------------------------+



(page 79 continued on part 4)

Next Section