Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
{
"$schema": "http://json-schema.org/draft-04/schema#",
"description": "IDEA0 basic object",
"type": "object",
"required": ["Format", "ID", "DetectTime", "Category"],
"definitions": {
"Boolean": {
"description": "JSON \"true\" or \"false\" value.",
"type": "boolean"
},
"Integer": {
"description": "JSON \"number\" with no fractional and exponential part.",
"type": "integer"
},
"Version": {
"description": "Must contain string “IDEA0”. (Trailing zero denotes draft version, after review/discussion and specification finalisation the name will change.)",
"type": "string",
"enum": ["IDEA0"]
},
"MediaType": {
"description": "Internet media type without parameters. Format is type and subtype, separated by slash, where type can contain only alphanumeric, underscore and minus sign, and subtype can contain only alphanumeric, plus and minus sign, underscore and dot.",
"type": "string",
"pattern": "^[a-zA-Z0-9_-]+/[a-zA-Z0-9_+.-]+$"
},
"Charset": {
"description": "Character set name may consist of alphanumeric, dot, colon, minus sign, underscore and parentheses (round brackets).",
"type": "string",
"pattern": "^[a-zA-Z0-9.:_()-]+$"
},
"Encoding": {
"description": "May contain only string \"base64\" (however note that key can be nonexistent, which means native encoding).",
"type": "string",
"enum": ["base64"]
},
"EventTag": {
"description": "Category name consists of one or two abbreviated parts - category and optional subcategory, separated by dot. If unsure of more precise nature of the incident, subcategory and dot may be omitted. Category and subcategory name must contain only alphanumeric, underscore and minus sign.\n\nFor semantics and taxonomy see [[IDEA/Classifications#EventTag|security event types classification]].",
"type": "string",
"pattern": "^[a-zA-Z0-9_-]+(?:\\.[a-zA-Z0-9_-]+)?$"
},
"ProtocolName": {
"description": "Name must not be empty, must contain only alphanumeric and minus sign, must contain at least one letter, must not begin or end with a hyphen and two hyphens must not be adjacent.\n\nFor semantics and applicable strings see [[IDEA/Classifications#ProtocolName|protocols classification]].",
"type": "string",
"allOf": [
{
"description": "Protocol name must contain at least one letter.",
"pattern": "[a-zA-Z]"
},
{
"description": "Protocol name must contain only alphanumeric and minus sign.",
"pattern": "^[a-zA-Z0-9-]*$"
},
{
"description": "Protocol name must begin with alphanumeric.",
"pattern": "^[a-zA-Z0-9]"
},
{
"description": "Protocol name must end with alphanumeric.",
"pattern": "[a-zA-Z0-9]$"
},
{
"description": "There must not be two adjacent hyphens in protocol name.",
"not": {
"pattern": "--"
}
}
]
},
"SourceTargetTag": {
"description": "Tag name must contain only alphanumeric, underscore and minus sign.\n\nFor semantics and taxonomy see [[IDEA/Classifications#SourceTargetTag|source/target classification]].",
"type": "string",
"pattern": "^[a-zA-Z0-9_-]+$"
},
"NodeTag": {
"description": "Tag name must contain only alphanumeric, underscore and minus sign.\n\nFor semantics and taxonomy see [[IDEA/Classifications#NodeTag|classification of detection nodes]].",
"type": "string",
"pattern": "^[a-zA-Z0-9_-]+$"
},
"AttachmentTag": {
"description": "Tag name must contain only alphanumeric, underscore and minus sign.\n\nFor semantics and taxonomy see [[IDEA/Classifications#AttachmentTag|attachment description]].",
"type": "string",
"pattern": "^[a-zA-Z0-9_-]+$"
},
"Handle": {
"description": "String value unique among all \"Handle\" element values. May contain only alphanumeric or underscore, must not start with number and must not be empty.",
"type": "string",
"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"
},
"ID": {
"description": "String, containing reasonably globally unique identifier. UUID version 4 (random) or 5 (SHA-1) is recommended. As IDs are meant to be used at other mediums, transfer protocols and formats (an example being query string fields in URL), they are allowed to contain only reasonably safe subset of characters. May thus contain only alphanumeric, dot, minus sign and underscore and must not be empty.",
"type": "string",
"pattern": "^[a-zA-Z0-9._-]+$"
},
"Timestamp": {
"description": "String, containing timestamp conforming to [[http://tools.ietf.org/html/rfc3339|RFC 3339]].",
"type": "string",
"format": "date-time",
"pattern": "^[0-9]{4}-[0-9]{2}-[0-9]{2}[Tt ][0-9]{2}:[0-9]{2}:[0-9]{2}(?:\\.[0-9]+)?(?:[Zz]|(?:[+-][0-9]{2}:[0-9]{2}))?$"
},
"Duration": {
"description": "String, containing time offset, intended for representing difference between two timestamps. Format is time part of [[http://tools.ietf.org/html/rfc3339|RFC 3339]], optionally prepended by \"D\" or \"d\" separator and number of days (which can have arbitrary number number of digits). \"D\" separator has been chosen to distinguish from internet time, and as a memory aid for \"duration\" or \"days\". For example \"536D10:20:30.5\" means 536 days day, 10 hours, 20 seconds, 30.5 seconds, whereas 00:05:00 represents five minutes.\n\n[[http://tools.ietf.org/html/rfc2234|ABNF]] syntax:\n{{{\ntime-hour = 2DIGIT ; 00-23\ntime-minute = 2DIGIT ; 00-59\ntime-second = 2DIGIT ; 00-59\ntime-secfrac = \".\" 1*DIGIT\nseparator = \"D\" / \"d\"\ndays = 1*DIGIT\n\nduration = [days separator] time-hour \":\" time-minute \":\" time-second [time-secfrac]\n}}}",
"type": "string",
"format": "date-time",
"pattern": "^(?:[0-9]+[Dd])?[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\\.[0-9]+)?$"
},
"URI": {
"description": "String, containing URI as defined in [[http://tools.ietf.org/html/rfc3986|RFC 3986]] and related.",
"type": "string",
"format": "uri",
"pattern": "^[a-zA-Z][a-zA-Z0-9+.-]*:[][a-zA-Z0-9._~:/?#@*'&'()*+,;=%-]*$"
},
"Net4": {
"description": "String, containing IPv4 range in human readable form. Range can be specified as CIDR network (\"192.0.2.0/24\") or two IP addresses in dot-decimal notation, separated by minus sign (\"192.0.2.0-192.0.2.255\").",
"type": "string",
"pattern": "^(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?:(?:/(?:[0-9]|[1-2][0-9]|3[0-2]))|(?:-(?:(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\.){3}(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])))?$"
},
"Net6": {
"description": "String, containing IPv6 range in human readable form. Range can be specified as CIDR notation (\"2001:db8::/48\") or two IP addresses in colon-hexadecimal notation, separated by minus sign (\"2001:db8::-2001:db8:0:ffff:ffff:ffff:ffff:ffff\").",
"type": "string",
"pattern": "^(?:(?:(?:[0-9A-Fa-f]{1,4}:){7}(?:[0-9A-Fa-f]{1,4}|:))|(?:(?:[0-9A-Fa-f]{1,4}:){6}(?::[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(?:(?:[0-9A-Fa-f]{1,4}:){5}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,2})|:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(?:(?:[0-9A-Fa-f]{1,4}:){4}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,3})|(?:(?::[0-9A-Fa-f]{1,4})?:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?:(?:[0-9A-Fa-f]{1,4}:){3}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,4})|(?:(?::[0-9A-Fa-f]{1,4}){0,2}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?:(?:[0-9A-Fa-f]{1,4}:){2}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,5})|(?:(?::[0-9A-Fa-f]{1,4}){0,3}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?:(?:[0-9A-Fa-f]{1,4}:){1}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,6})|(?:(?::[0-9A-Fa-f]{1,4}){0,4}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?::(?:(?:(?::[0-9A-Fa-f]{1,4}){1,7})|(?:(?::[0-9A-Fa-f]{1,4}){0,5}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(?:(?:/(?:\\d|\\d\\d|1[0-1]\\d|12[0-8]))?|-(?:(?:(?:[0-9A-Fa-f]{1,4}:){7}(?:[0-9A-Fa-f]{1,4}|:))|(?:(?:[0-9A-Fa-f]{1,4}:){6}(?::[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(?:(?:[0-9A-Fa-f]{1,4}:){5}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,2})|:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(?:(?:[0-9A-Fa-f]{1,4}:){4}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,3})|(?:(?::[0-9A-Fa-f]{1,4})?:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?:(?:[0-9A-Fa-f]{1,4}:){3}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,4})|(?:(?::[0-9A-Fa-f]{1,4}){0,2}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?:(?:[0-9A-Fa-f]{1,4}:){2}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,5})|(?:(?::[0-9A-Fa-f]{1,4}){0,3}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?:(?:[0-9A-Fa-f]{1,4}:){1}(?:(?:(?::[0-9A-Fa-f]{1,4}){1,6})|(?:(?::[0-9A-Fa-f]{1,4}){0,4}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(?::(?:(?:(?::[0-9A-Fa-f]{1,4}){1,7})|(?:(?::[0-9A-Fa-f]{1,4}){0,5}:(?:(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\\.(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))))$"
},
"FQDN": {
"description": "String, containing fully qualified domain name. See [[https://tools.ietf.org/html/rfc1034#section-3.1|RFC 1034, chapter 3.1]], [[https://tools.ietf.org/html/rfc1035#section-2.3.1|RFC 1035, chapter 2.3.1]], [[https://tools.ietf.org/html/rfc1123#section-2|RFC 1123, section2]] and related.",
"type": "string",
"format": "hostname",
"allOf": [
{
"description": "FQDN label may start and/or end with letter or number, contain letters, numbers or hyphen. Labels must be separated by one dot.",
"pattern": "^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)*(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)?$"
},
{
"description": "Domain name labels may contain at most 63 characters.",
"pattern": "^(?:[^.]{1,63}\\.)*(?:[^.]{0,63})?$"
},
{
"description": "There can be at most 127 levels of labels.",
"pattern": "^(?:[^.]*\\.[^.]*){1,126}|[^.]*$"
},
{
"description": "Maximum length of domain name is 253 characters.",
"maxLength": 253
}
]
},
"DN": {
"description": "String, containing (possibly relative, not fully qualified) domain name. See [[https://tools.ietf.org/html/rfc1034#section-3.1|RFC 1034, chapter 3.1]], [[https://tools.ietf.org/html/rfc1035#section-2.3.1|RFC 1035, chapter 2.3.1]], [[https://tools.ietf.org/html/rfc1123#section-2|RFC 1123, section2]] and related.",
"type": "string",
"format": "hostname",
"allOf": [
{
"description": "DN label may start and/or end with letter or number, contain letters, numbers or hyphen. Labels must be separated by one dot.",
"pattern": "^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?\\.)*(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]*[a-zA-Z0-9])?)?$"
},
{
"description": "Domain name labels may contain at most 63 characters.",
"pattern": "^(?:[^.]{1,63}\\.)*(?:[^.]{0,63})?$"
},
{
"description": "There can be at most 127 levels of labels.",
"pattern": "^(?:[^.]*\\.[^.]*){1,126}|[^.]*$"
},
{
"description": "Maximum length of domain name is 253 characters.",
"maxLength": 253
}
]
},
"MAC": {
"description": "String, containing MAC address in human friendly form - six groups of two hexadecimal digits, separated by colon.",
"type": "string",
"pattern": "^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$"
},
"Netname": {
"description": "URI string, containing LIR identifier and network identifier within LIR namespace, separated by colon.",
"type": "string",
"format": "uri",
"pattern": "^[a-zA-Z][a-zA-Z0-9+.-]*:[][a-zA-Z0-9._~:/?#@*'&'()*+,;=%-]*$"
},
"Hash": {
"description": "URI string, defining hash type and hash value, separated by colon.",
"type": "string",
"format": "uri",
"pattern": "^[a-zA-Z][a-zA-Z0-9+.-]*:[][a-zA-Z0-9._~:/?#@*'&'()*+,;=%-]*$"
}
},
"properties": {
"Format": {
"description": "Identifier of the IDEA container.",
"$ref": "#/definitions/Version"
},
"ID": {
"description": "Unique message identifier.",
"$ref": "#/definitions/ID"
},
"AltNames": {
"description": "Array of alternative identifiers.",
"type": "array",
"items": {
"description": "Alternative identifiers; strings which help to pair the event to internal system information (for example tickets in request tracker systems).",
"type": "string"
}
},
"CorrelID": {
"description": "Array of correlated messages identifiers.",
"type": "array",
"items": {
"description": "Identifiers of messages, which are information sources for creation of this message in case the message has been created based on correlation/analysis/deduction of other messages.",
"$ref": "#/definitions/ID"
}
},
"AggrID": {
"description": "Array of aggregated messages identifiers.",
"type": "array",
"items": {
"description": "Identifiers of messages, which are aggregated into more concise form by this message. Should be sent mostly by intermediary nodes, which detect duplicates, or aggregate events, spanning multiple detection windows, into one longer.",
"$ref": "#/definitions/ID"
}
},
"PredID": {
"description": "Array of obsoleted messages identifiers.",
"type": "array",
"items": {
"description": "Identifiers of messages, which are obsoleted and information in them is replaced by this message. Should be sent only by detection nodes to incorporate further data about ongoing event.",
"$ref": "#/definitions/ID"
}
},
"RelID": {
"description": "Array of related messages identifiers.",
"type": "array",
"items": {
"description": "Otherwise related messages.",
"$ref": "#/definitions/ID"
}
},
"CreateTime": {
"description": "Timestamp of the creation of the IDEA message. May point out delay between detection and processing of data.",
"$ref": "#/definitions/Timestamp"
},
"DetectTime": {
"description": "Timestamp of the moment of detection of event (not necessarily time of the event taking place). This timestamp is mandatory, because every detector is able to know when it detected the information - for example when line about event appeared in the logfile, or when its information source says the event was detected, or at least when it accepted the information from the source.",
"$ref": "#/definitions/Timestamp"
},
"EventTime": {
"description": "Deduced start of the event/attack, or just time of the event if its solitary.",
"$ref": "#/definitions/Timestamp"
},
"CeaseTime": {
"description": "Deduced end of the event/attack.",
"$ref": "#/definitions/Timestamp"
},
"WinStartTime": {
"description": "Beginning of aggregation window in which event has been observed.",
"$ref": "#/definitions/Timestamp"
},
"WinEndTime": {
"description": "End of aggregation window in which event has been observed.",
"$ref": "#/definitions/Timestamp"
},
"ConnCount": {
"description": "Number of individual connections attempted or taken place.",
"$ref": "#/definitions/Integer"
},
"FlowCount": {
"description": "Number of individual simplex (one direction) flows.",
"$ref": "#/definitions/Integer"
},
"PacketCount": {
"description": "Number of individual packets transferred.",
"$ref": "#/definitions/Integer"
},
"ByteCount": {
"description": "Number of bytes transferred.",
"$ref": "#/definitions/Integer"
},
"Category": {
"description": "Array of event categories.",
"type": "array",
"items": {
"description": "Category of event, for allowed strings see [[IDEA/Classifications#Events|event types classification]].",
"$ref": "#/definitions/EventTag"
}
},
"Ref": {
"description": "Array of references.",
"type": "array",
"items": {
"description": "References to known sources, related to attack and/or vulnerability. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as \"urn:cve:CVE-2013-5634\".",
"$ref": "#/definitions/URI"
}
},
"Confidence": {
"description": "Confidence of detector in its own reliability of this particular detection. (0 – surely false, 1 – no doubts). If key is not presented, detector does not know (or has no capability to estimate the confidence).",
"type": "number",
"maximum": 1,
"minimum": 0
},
"Description": {
"description": "Short free text human readable description.",
"type": "string"
},
"Note": {
"description": "Free text human readable addidional note, possibly longer description of incident if not obvious.",
"type": "string"
},
"Source": {
"type": "array",
"description": "Array of source or target descriptions.",
"items": {
"description": "Information concerning particular source or target.",
"type": "object",
"properties": {
"Type": {
"description": "Array of source/target categories.",
"type": "array",
"items": {
"description": "Closer category of source/target. For allowed strings see [[IDEA/Classifications#SourceTarget|source/target classification]].",
"$ref": "#/definitions/SourceTargetTag"
}
},
"Hostname": {
"description": "Array of hostnames.",
"type": "array",
"items": {
"description": "Hostname of this source/target. Should be FQDN, but may not conform exactly, because values, extracted from logs, messages, DNS, etc. may themselves be malformed. Empty array can be used to explicitly indicate that value has been inquired and not found (missing DNS name).",
"type": "string"
}
},
"IP4": {
"description": "Array of IPv4 addresses.",
"type": "array",
"items": {
"description": "IPv4 addresses of this source/target.",
"$ref": "#/definitions/Net4"
}
},
"MAC": {
"description": "Array of MAC addresses.",
"type": "array",
"items": {
"description": "MAC addresses of this source/target.",
"$ref": "#/definitions/MAC"
}
},
"IP6": {
"description": "Array of IPv6 addresses.",
"type": "array",
"items": {
"description": "IPv6 addresses of this source/target.",
"$ref": "#/definitions/Net6"
}
},
"Port": {
"description": "Array of port numbers.",
"type": "array",
"items": {
"description": "Source or destination ports affected.",
"$ref": "#/definitions/Integer"
}
},
"Proto": {
"description": "Array of protocol names.",
"type": "array",
"items": {
"description": "Protocols, concerning connections from/to this source/target. See [[IDEA/Classifications#Protocols|protocols classification]].",
"$ref": "#/definitions/ProtocolName"
}
},
"URL": {
"description": "Array of URLs.",
"type": "array",
"items": {
"description": "Unified Resource Locator of this source/target. Should be formatted according to [[http://tools.ietf.org/html/rfc1738|RFC 1738]], [[http://tools.ietf.org/html/rfc1808|RFC 1808]] and related, however may not conform exactly, because values, extracted from logs, messages, etc. may themselves be malformed.",
"type": "string"
}
},
"Email": {
"description": "Array of email addresses.",
"type": "array",
"items": {
"description": "Email address (for example Reply-To address in phishing message). Should be formatted according to [[http://tools.ietf.org/html/rfc5322#section-3.4|RFC 5322, section 3.4]] and related, however may not conform exactly, because values, extracted from logs, messages, DNS, etc. may themselves be malformed.",
"type": "string"
}
},
"AttachHand": {
"description": "Array of attachment identifiers.",
"type" : "array",
"items": {
"description": "Identifiers of attachments related to this source/target - contain \"Handle\"s of related attachments.",
"$ref": "#/definitions/Handle"
}
},
"Note": {
"description": "Free text human readable additional note.",
"type": "string"
},
"Spoofed": {
"description": "Establishes whether this source/target is forged.",
"$ref": "#/definitions/Boolean"
},
"Imprecise": {
"description": "Establishes whether this source/target is knowingly imprecise.",
"$ref": "#/definitions/Boolean"
},
"Anonymised": {
"description": "Establishes whether this source/target is willingly incomplete.",
"$ref": "#/definitions/Boolean"
},
"ASN": {
"description": "Autonomous system numbers.",
"type": "array",
"items": {
"description": "Autonomous system number of this source/target.",
"$ref": "#/definitions/Integer"
}
},
"Router": {
"description": "Array of router/interface paths.",
"type": "array",
"items": {
"description": "Router/interface path information. Intentionally organisation specific, router identifiers have usually no clear meaning outside organisational unit.",
"type": "string"
}
},
"Netname": {
"description": "Array of RIR network identifiers.",
"type": "array",
"items": {
"description": "RIR database reference network identifier (for example \"ripe:CESNET-BB2\" or \"arin:WETEMAA\"). Common network identifiers are: ripe, arin, apnic, lacnic, afrinic. Empty array can be used to explicitly indicate that value has been inquired and not found (IP address from unassigned block).",
"$ref": "#/definitions/Netname"
}
},
"Ref": {
"description": "Array of references.",
"type": "array",
"items": {
"description": "References to known sources, related to attack and/or vulnerability, specific to this source/target. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as \"urn:cve:CVE-2013-2266\".",
"$ref": "#/definitions/URI"
}
}
}
}
},
"Target": {
"$ref": "#/properties/Source"
},
"Attach": {
"description": "Array of attachment descriptions.",
"type": "array",
"items": {
"type": "object",
"description": "Additional attachment information and data.",
"properties": {
"Handle": {
"description": "Message unique identifier for reference through Attach elements.",
"$ref": "#/definitions/Handle"
},
"FileName": {
"description": "Array of filenames.",
"type": "array",
"items": {
"description": "Names of the attached file.",
"type": "string"
}
},
"Type": {
"description": "Array of attachment type tags.",
"type": "array",
"items": {
"description": "Type of the attached data. For allowed strings see [[IDEA/Classifications#Attachment|attachment description]].",
"$ref": "#/definitions/AttachmentTag"
}
},
"Hash": {
"description": "Array of checksums.",
"type": "array",
"items": {
"description": "Checksum of the content (for example \"sha1:794467071687f7c59d033f4de5ece6b46415b633\" or \"md5:dc89f0b4ff9bd3b061dd66bb66c991b1\").",
"$ref": "#/definitions/Hash"
}
},
"Size": {
"description": "Length of the content.",
"$ref": "#/definitions/Integer"
},
"Ref": {
"description": "Array of references.",
"type": "array",
"items": {
"description": "References to known sources, related to attack and/or vulnerability, specific to this attachment. May be URL of the additional info, or URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as \"urn:clamav:Win.Trojan.Banker-14334\".",
"$ref": "#/definitions/URI"
}
},
"Note": {
"description": "Free text human readable additional note.",
"type": "string"
},
"ContentType": {
"description": "Internet Media Type of the attachment, according to [[http://tools.ietf.org/html/rfc2046|RFC 2046]] and related. Along with [[http://www.iana.org/assignments/media-types/media-types.xhtml|types standardized by IANA]] also non standard but widely used media types can be used (for examples see [[http://www.freeformatter.com/mime-types-list.html|MIME types list at freeformatter.com]]).",
"$ref": "#/definitions/MediaType"
},
"ContentCharset": {
"description": "Name of the content character set according to [[http://www.iana.org/assignments/character-sets/character-sets.xhtml|IANA list]]. If key is not defined, unspecified binary encoding is assumed.",
"$ref": "#/definitions/Charset"
},
"ContentEncoding": {
"description": "Encoding of the content, if feasible. Nonexistent key means native JSON encoding.",
"$ref": "#/definitions/Encoding"
},
"Content": {
"description": "Attachment content.",
"type": "string"
},
"ContentID": {
"description": "Array of external content IDs.",
"type": "array",
"items": {
"description": "If content of attachment is transferred separately (in underlaying container), this key contains external ID of the content, so it can be paired back to message.",
"type": "string"
}
},
"ExternalURI": {
"description": "Array of external URIs.",
"type": "array",
"items": {
"description": "If content of attachment is available and/or recognizable from external source, this is defining URI (usually URL). May also be URN (according to [[http://tools.ietf.org/html/rfc2141|RFC 2141]]) in registered namespace ([[http://www.iana.org/assignments/urn-namespaces/urn-namespaces.xhtml|IANA]]) or unregistered ad-hoc namespace bearing reasonable information value and uniqueness, such as \"urn:mhr:55eaf7effadc07f866d1eaed9c64e7ee49fe081a\", \"magnet:?xt=urn:sha1:YNCKHTQCWBTRNJIV4WNAE52SJUQCZO5C\".",
"$ref": "#/definitions/URI"
}
}
}
}
},
"Node": {
"description": "Array of detector descriptions.",
"type": "array",
"items": {
"description": "Detector or possible intermediary (event aggregator, correlator, etc.) description.",
"type": "object",
"properties": {
"Name": {
"description": "Name of the detector, chosen by (and local to) organisational unit, within which it should be unique.",
"$ref": "#/definitions/DN"
},
"Realm": {
"description": "Administrative domain string. Usually denotes organisation (or smaller organisational unit) which detector belongs to. The tuple (Name, Realm) thus should be reasonably unique, however still bear some readily meaningful sense.",
"$ref": "#/definitions/FQDN"
},
"Type": {
"description": "Array of detection node types.",
"type": "array",
"items": {
"description": "Tag, describing various facets of the detector. For useable set of strings see [[IDEA/Classifications#Node|detection node classification]].",
"$ref": "#/definitions/NodeTag"
}
},
"SW": {
"description": "Array of detection software names.",
"type": "array",
"items": {
"description": "The name of the detection software (optionally including version). For example \"labrea-2.5-stable-1\" or \"HP TippingPoint 7500NX\".",
"type": "string"
}
},
"AggrWin": {
"description": "The size of the aggregation window, if applicable.",
"$ref": "#/definitions/Duration"
},
"Note": {
"description": "Free text human readable additional description.",
"type": "string"
}
}
}
}
}
}