{ "$schema": "http://json-schema.org/draft-04/schema#", "description": "IDEA0 basic objects - warning schema", "type": "object", "required": ["Format", "ID", "DetectTime", "Category"], "additionalProperties": false, "definitions": { "UUID": { "description": "ID should be UUID version 4 (random) or 5 (SHA-1).", "type": "string", "pattern": "^[a-f0-9]{8}-[a-f0-9]{4}-[45][a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}$" }, "Count": { "description": "Negative count or size makes no sense.", "type": "integer", "minimum": 0 }, "EventTagValues": { "description": "Event tag does not bear taxonomy value.", "type": "string", "enum": [ "Abusive", "Abusive.Spam", "Abusive.Harassment", "Abusive.Child", "Abusive.Sexual", "Abusive.Violence", "Malware", "Malware.Virus", "Malware.Worm", "Malware.Trojan", "Malware.Spyware", "Malware.Dialer", "Malware.Rootkit", "Recon", "Recon.Scanning", "Recon.Sniffing", "Recon.SocialEngineering", "Recon.Searching", "Attempt", "Attempt.Exploit", "Attempt.Login", "Attempt.NewSignature", "Intrusion", "Intrusion.AdminCompromise", "Intrusion.UserCompromise", "Intrusion.AppCompromise", "Intrusion.Botnet", "Availability", "Availability.DoS", "Availability.DDoS", "Availability.Sabotage", "Availability.Outage", "Information", "Information.UnauthorizedAccess", "Information.UnauthorizedModification", "Fraud", "Fraud.UnauthorizedUsage", "Fraud.Copyright", "Fraud.Masquerade", "Fraud.Phishing", "Fraud.Scam", "Vulnerable", "Vulnerable.Open", "Anomaly", "Anomaly.Traffic", "Anomaly.Connection", "Anomaly.Protocol", "Anomaly.System", "Anomaly.Application", "Anomaly.Behaviour", "Other", "Test" ] }, "SourceTargetTagValues": { "description": "Source/Target classification does not bear taxonomy value.", "type": "string", "enum": [ "Proxy", "OriginMalware", "OriginSandbox", "OriginSpam", "Phishing", "Malware", "MITM", "Spam", "Backscatter", "Open", "Poisoned", "FastFlux", "Botnet", "CC" ] }, "PortNumber": { "description": "Port number out of range.", "type": "integer", 
"minimum": 1, "maximum": 65535 }, "ASN": { "description": "ASN invalid.", "type": "integer", "anyOf": [ { "minimum": 1, "maximum": 65534 }, { "minimum": 65536, "maximum": 4294967294 } ] }, "RIRNetname": { "description": "Netname contains unknown RIR identifier.", "type": "string", "pattern": "^(?:ripe|arin|apnic|lacnic|afrinic):" }, "AttachmentTagValues": { "description": "Attachment description does not bear taxonomy value.", "type": "string", "enum": [ "WinLog", "Syslog", "Malware", "ShellCode", "Exploit" ] }, "HashHex": { "description": "Unrecognized hash algorithm prefix, or hash value is not hexadecimal.", "type": "string", "pattern": "^(?:sha1|sha224|sha256|sha384|sha512|md2|md4|md5|crc32|adler32):[0-9a-fA-F]+$" }, "NodeTagValues": { "description": "Node description does not bear taxonomy value.", "type": "string", "enum": [ "Connection", "Datagram", "Content", "Data", "File", "Flow", "Log", "Protocol", "Host", "Network", "Correlation", "External", "Reporting", "Blackhole", "Signature", "Statistical", "Heuristic", "Integrity", "Policy", "Honeypot", "Tarpit", "Recon", "Monitor" ] } }, "properties": { "Format": {}, "ID": { "$ref": "#/definitions/UUID" }, "AltNames": { "type": "array" }, "CorrelID": { "type": "array", "items": { "$ref": "#/definitions/UUID" } }, "AggrID": { "type": "array", "items": { "$ref": "#/definitions/UUID" } }, "PredID": { "type": "array", "items": { "$ref": "#/definitions/UUID" } }, "RelID": { "type": "array", "items": { "$ref": "#/definitions/UUID" } }, "CreateTime": {}, "DetectTime": {}, "EventTime": {}, "CeaseTime": {}, "WinStartTime": {}, "WinEndTime": {}, "ConnCount": { "$ref": "#/definitions/Count" }, "FlowCount": { "$ref": "#/definitions/Count" }, "PacketCount": { "$ref": "#/definitions/Count" }, "ByteCount": { "$ref": "#/definitions/Count" }, "Category": { "type": "array", "items": { "$ref": "#/definitions/EventTagValues" } }, "Ref": {}, "Confidence": {}, "Description": {}, "Note": {}, "Source": { "description": "Array of source or target descriptions.", 
"type": "array", "items": { "type": "object", "description": "Information concerning particular source or target.", "additionalProperties": false, "properties": { "Type": { "type": "array", "items": { "$ref": "#/definitions/SourceTargetTagValues" } }, "Hostname": {}, "IP4": {}, "MAC": {}, "IP6": {}, "Port": { "type": "array", "items": { "$ref": "#/definitions/PortNumber" } }, "Proto": {}, "URL": {}, "Email": {}, "AttachHand": {}, "Note": {}, "Spoofed": {}, "Imprecise": {}, "Anonymised": {}, "ASN": { "type": "array", "items": { "$ref": "#/definitions/ASN" } }, "Router": {}, "Netname": { "type": "array", "items": { "$ref": "#/definitions/RIRNetname" } }, "Ref": {} } } }, "Target": { "$ref": "#/properties/Source" }, "Attach": { "description": "Array of attachment descriptions.", "type": "array", "items": { "description": "Additional attachment information and data.", "type": "object", "additionalProperties": false, "properties": { "Handle": {}, "FileName": {}, "Type": { "type": "array", "items": { "$ref": "#/definitions/AttachmentTagValues" } }, "Hash": { "type": "array", "items": { "$ref": "#/definitions/HashHex" } }, "Size": { "$ref": "#/definitions/Count" }, "Ref": {}, "Note": {}, "ContentType": {}, "ContentCharset": {}, "ContentEncoding": {}, "Content": {}, "ContentID": {}, "ExternalURI": {} } } }, "Node": { "description": "Array of detector descriptions.", "type": "array", "items": { "description": "Detector or possible intermediary (event aggregator, correlator, etc.) description.", "type": "object", "additionalProperties": false, "properties": { "Name": {}, "Realm": {}, "Tags": { "type": "array", "items": { "$ref": "#/definitions/NodeTagValues" } }, "SW": {}, "AggrWin": {}, "Note": {} } } } } }