981 lines
39 KiB
XML
Executable File
981 lines
39 KiB
XML
Executable File
<?xml version="1.0" encoding="UTF-8"?>
|
|
<xs:schema targetNamespace="urn:ietf:params:xml:ns:iodef-1.0"
|
|
xmlns="urn:ietf:params:xml:ns:iodef-1.0"
|
|
xmlns:iodef="urn:ietf:params:xml:ns:iodef-1.0"
|
|
xmlns:xs="http://www.w3.org/2001/XMLSchema"
|
|
elementFormDefault="qualified"
|
|
attributeFormDefault="unqualified">
|
|
|
|
<xs:annotation>
|
|
<xs:documentation>
|
|
Incident Object Description Exchange Format v1.00, see RFC XXX
|
|
</xs:documentation>
|
|
</xs:annotation>
|
|
|
|
<!--
|
|
====================================================================
|
|
== IODEF-Document class ==
|
|
====================================================================
|
|
-->
|
|
<xs:element name="IODEF-Document">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:Incident"
|
|
maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="version"
|
|
type="xs:string" fixed="1.00"/>
|
|
<xs:attribute name="lang"
|
|
type="xs:language" use="required"/>
|
|
<xs:attribute name="formatid"
|
|
type="xs:string"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Incident class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Incident">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:IncidentID"/>
|
|
<xs:element ref="iodef:AlternativeID"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:RelatedActivity"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:DetectTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:StartTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:EndTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:ReportTime"/>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Assessment"
|
|
maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Method"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Contact"
|
|
maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:EventData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:History"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="purpose" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="traceback"/>
|
|
<xs:enumeration value="mitigation"/>
|
|
<xs:enumeration value="reporting"/>
|
|
<xs:enumeration value="other"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-purpose"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="lang"
|
|
type="xs:language"/>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type" default="private"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
== IncidentID class ==
|
|
====================================================================
|
|
-->
|
|
<xs:element name="IncidentID" type="iodef:IncidentIDType"/>
|
|
<xs:complexType name="IncidentIDType">
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:string">
|
|
<xs:attribute name="name"
|
|
type="xs:string" use="required"/>
|
|
<xs:attribute name="instance"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type" default="public"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
<!--
|
|
====================================================================
|
|
== AlternativeID class ==
|
|
====================================================================
|
|
-->
|
|
<xs:element name="AlternativeID">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:IncidentID"
|
|
maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
== RelatedActivity class ==
|
|
====================================================================
|
|
-->
|
|
<xs:element name="RelatedActivity">
|
|
<xs:complexType>
|
|
<xs:choice>
|
|
<xs:element ref="iodef:IncidentID"
|
|
maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:URL"
|
|
maxOccurs="unbounded"/>
|
|
</xs:choice>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== AdditionalData class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="AdditionalData" type="iodef:ExtensionType"/>
|
|
<!--
|
|
====================================================================
|
|
=== Contact class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Contact">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:ContactName"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:RegistryHandle"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:PostalAddress"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Email"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Telephone"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Fax"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Timezone"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Contact"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="role" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="creator"/>
|
|
<xs:enumeration value="admin"/>
|
|
<xs:enumeration value="tech"/>
|
|
<xs:enumeration value="irt"/>
|
|
<xs:enumeration value="cc"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-role"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="type" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="person"/>
|
|
<xs:enumeration value="organization"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-type"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="ContactName"
|
|
type="iodef:MLStringType"/>
|
|
<xs:element name="RegistryHandle">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:string">
|
|
<xs:attribute name="registry">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="internic"/>
|
|
<xs:enumeration value="apnic"/>
|
|
<xs:enumeration value="arin"/>
|
|
<xs:enumeration value="lacnic"/>
|
|
<xs:enumeration value="ripe"/>
|
|
<xs:enumeration value="afrinic"/>
|
|
<xs:enumeration value="local"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-registry"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
|
|
<xs:element name="PostalAddress">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="iodef:MLStringType">
|
|
<xs:attribute name="meaning"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="Email" type="iodef:ContactMeansType"/>
|
|
<xs:element name="Telephone" type="iodef:ContactMeansType"/>
|
|
<xs:element name="Fax" type="iodef:ContactMeansType"/>
|
|
|
|
<xs:complexType name="ContactMeansType">
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:string">
|
|
<xs:attribute name="meaning"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
|
|
<!--
|
|
====================================================================
|
|
=== Time-based classes ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="DateTime"
|
|
type="xs:dateTime"/>
|
|
<xs:element name="ReportTime"
|
|
type="xs:dateTime"/>
|
|
<xs:element name="DetectTime"
|
|
type="xs:dateTime"/>
|
|
<xs:element name="StartTime"
|
|
type="xs:dateTime"/>
|
|
<xs:element name="EndTime"
|
|
type="xs:dateTime"/>
|
|
<xs:element name="Timezone"
|
|
type="iodef:TimezoneType"/>
|
|
<xs:simpleType name="TimezoneType">
|
|
<xs:restriction base="xs:string">
|
|
<xs:pattern value="Z|[\+\-](0[0-9]|1[0-4]):[0-5][0-9]"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
<!--
|
|
====================================================================
|
|
=== History class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="History">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:HistoryItem"
|
|
maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type" default="default"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="HistoryItem">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:DateTime"/>
|
|
<xs:element ref="iodef:IncidentID"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Contact"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
<xs:attribute name="action"
|
|
type="iodef:action-type" use="required"/>
|
|
<xs:attribute name="ext-action"
|
|
type="xs:string" use="optional"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Expectation class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Expectation">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:StartTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:EndTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Contact"
|
|
minOccurs="0"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type" default="default"/>
|
|
<xs:attribute name="severity"
|
|
type="iodef:severity-type"/>
|
|
<xs:attribute name="action"
|
|
type="iodef:action-type" default="other"/>
|
|
<xs:attribute name="ext-action"
|
|
type="xs:string" use="optional"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Method class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Method">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:choice maxOccurs="unbounded">
|
|
<xs:element ref="iodef:Reference"/>
|
|
<xs:element ref="iodef:Description"/>
|
|
</xs:choice>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="Reference">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element name="ReferenceName"
|
|
type="iodef:MLStringType"/>
|
|
<xs:element ref="iodef:URL"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Assessment class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Assessment">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:choice maxOccurs="unbounded">
|
|
<xs:element ref="iodef:Impact"/>
|
|
<xs:element ref="iodef:TimeImpact"/>
|
|
<xs:element ref="iodef:MonetaryImpact"/>
|
|
</xs:choice>
|
|
<xs:element ref="iodef:Counter"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Confidence" minOccurs="0"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="occurrence">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="actual"/>
|
|
<xs:enumeration value="potential"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="Impact">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="iodef:MLStringType">
|
|
<xs:attribute name="severity"
|
|
type="iodef:severity-type"/>
|
|
<xs:attribute name="completion">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="failed"/>
|
|
<xs:enumeration value="succeeded"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="type"
|
|
use="optional" default="unknown">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="admin"/>
|
|
<xs:enumeration value="dos"/>
|
|
<xs:enumeration value="extortion"/>
|
|
<xs:enumeration value="file"/>
|
|
<xs:enumeration value="info-leak"/>
|
|
<xs:enumeration value="misconfiguration"/>
|
|
<xs:enumeration value="recon"/>
|
|
<xs:enumeration value="policy"/>
|
|
<xs:enumeration value="social-engineering"/>
|
|
<xs:enumeration value="user"/>
|
|
<xs:enumeration value="unknown"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-type"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="TimeImpact">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="iodef:PositiveFloatType">
|
|
<xs:attribute name="severity"
|
|
type="iodef:severity-type"/>
|
|
<xs:attribute name="metric"
|
|
use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="labor"/>
|
|
<xs:enumeration value="elapsed"/>
|
|
<xs:enumeration value="downtime"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-metric"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="duration"
|
|
type="iodef:duration-type"/>
|
|
<xs:attribute name="ext-duration"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="MonetaryImpact">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="iodef:PositiveFloatType">
|
|
<xs:attribute name="severity"
|
|
type="iodef:severity-type"/>
|
|
<xs:attribute name="currency"
|
|
type="xs:string"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="Confidence">
|
|
<xs:complexType mixed="true">
|
|
<xs:attribute name="rating" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="low"/>
|
|
<xs:enumeration value="medium"/>
|
|
<xs:enumeration value="high"/>
|
|
<xs:enumeration value="numeric"/>
|
|
<xs:enumeration value="unknown"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== EventData class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="EventData">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:DetectTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:StartTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:EndTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Contact"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Assessment"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Method"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Flow"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Expectation"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Record"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:EventData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type" default="default"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Flow class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Flow">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:System"
|
|
maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== System class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="System">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:Node"/>
|
|
<xs:element ref="iodef:Service"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:OperatingSystem"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Counter"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
<xs:attribute name="interface"
|
|
type="xs:string"/>
|
|
<xs:attribute name="category">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="source"/>
|
|
<xs:enumeration value="target"/>
|
|
<xs:enumeration value="intermediate"/>
|
|
<xs:enumeration value="sensor"/>
|
|
<xs:enumeration value="infrastructure"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-category"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="spoofed"
|
|
default="unknown">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="unknown"/>
|
|
<xs:enumeration value="yes"/>
|
|
<xs:enumeration value="no"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Node class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Node">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:choice maxOccurs="unbounded">
|
|
<xs:element name="NodeName"
|
|
type="iodef:MLStringType" minOccurs="0"/>
|
|
<xs:element ref="iodef:Address"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:choice>
|
|
<xs:element ref="iodef:Location"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:DateTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:NodeRole"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Counter"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="Address">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:string">
|
|
<xs:attribute name="category" default="ipv4-addr">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="asn"/>
|
|
<xs:enumeration value="atm"/>
|
|
<xs:enumeration value="e-mail"/>
|
|
<xs:enumeration value="mac"/>
|
|
<xs:enumeration value="ipv4-addr"/>
|
|
<xs:enumeration value="ipv4-net"/>
|
|
<xs:enumeration value="ipv4-net-mask"/>
|
|
<xs:enumeration value="ipv6-addr"/>
|
|
<xs:enumeration value="ipv6-net"/>
|
|
<xs:enumeration value="ipv6-net-mask"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-category"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="vlan-name"
|
|
type="xs:string"/>
|
|
<xs:attribute name="vlan-num"
|
|
type="xs:integer"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="Location" type="iodef:MLStringType"/>
|
|
<xs:element name="NodeRole">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="iodef:MLStringType">
|
|
<xs:attribute name="category" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="client"/>
|
|
<xs:enumeration value="server-internal"/>
|
|
<xs:enumeration value="server-public"/>
|
|
<xs:enumeration value="www"/>
|
|
<xs:enumeration value="mail"/>
|
|
<xs:enumeration value="messaging"/>
|
|
<xs:enumeration value="streaming"/>
|
|
<xs:enumeration value="voice"/>
|
|
<xs:enumeration value="file"/>
|
|
<xs:enumeration value="ftp"/>
|
|
<xs:enumeration value="p2p"/>
|
|
<xs:enumeration value="name"/>
|
|
<xs:enumeration value="directory"/>
|
|
<xs:enumeration value="credential"/>
|
|
<xs:enumeration value="print"/>
|
|
<xs:enumeration value="application"/>
|
|
<xs:enumeration value="database"/>
|
|
<xs:enumeration value="infra"/>
|
|
<xs:enumeration value="log"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-category"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Service Class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Service">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:choice minOccurs="0">
|
|
<xs:element name="Port"
|
|
type="xs:integer"/>
|
|
<xs:element name="Portlist"
|
|
type="iodef:PortlistType"/>
|
|
</xs:choice>
|
|
<xs:element name="ProtoType"
|
|
type="xs:integer" minOccurs="0"/>
|
|
<xs:element name="ProtoCode"
|
|
type="xs:integer" minOccurs="0"/>
|
|
<xs:element name="ProtoField"
|
|
type="xs:integer" minOccurs="0"/>
|
|
<xs:element ref="iodef:Application"
|
|
minOccurs="0"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="ip_protocol"
|
|
type="xs:integer" use="required"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:simpleType name="PortlistType">
|
|
<xs:restriction base="xs:string">
|
|
<xs:pattern value="\d+(\-\d+)?(,\d+(\-\d+)?)*"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
<!--
|
|
====================================================================
|
|
=== Counter class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Counter">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:double">
|
|
<xs:attribute name="type" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="byte"/>
|
|
<xs:enumeration value="packet"/>
|
|
<xs:enumeration value="flow"/>
|
|
<xs:enumeration value="session"/>
|
|
<xs:enumeration value="event"/>
|
|
<xs:enumeration value="alert"/>
|
|
<xs:enumeration value="message"/>
|
|
<xs:enumeration value="host"/>
|
|
<xs:enumeration value="site"/>
|
|
<xs:enumeration value="organization"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-type"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="meaning"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="duration"
|
|
type="iodef:duration-type"/>
|
|
<xs:attribute name="ext-duration"
|
|
type="xs:string" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<!--
|
|
====================================================================
|
|
=== Record class ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Record">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:RecordData"
|
|
maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="RecordData">
|
|
<xs:complexType>
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:DateTime"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:Description"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:Application"
|
|
minOccurs="0"/>
|
|
<xs:element ref="iodef:RecordPattern"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:RecordItem"
|
|
maxOccurs="unbounded"/>
|
|
<xs:element ref="iodef:AdditionalData"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="RecordPattern">
|
|
<xs:complexType>
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:string">
|
|
<xs:attribute name="type" use="required">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="regex"/>
|
|
<xs:enumeration value="binary"/>
|
|
<xs:enumeration value="xpath"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-type"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="offset"
|
|
type="xs:integer" use="optional"/>
|
|
<xs:attribute name="offsetunit"
|
|
use="optional" default="line">
|
|
<xs:simpleType>
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="line"/>
|
|
<xs:enumeration value="byte"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:attribute>
|
|
<xs:attribute name="ext-offsetunit"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="instance"
|
|
type="xs:integer" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
</xs:element>
|
|
<xs:element name="RecordItem"
|
|
type="iodef:ExtensionType"/>
|
|
<!--
|
|
====================================================================
|
|
=== Classes that describe software ===
|
|
====================================================================
|
|
-->
|
|
<xs:complexType name="SoftwareType">
|
|
<xs:sequence>
|
|
<xs:element ref="iodef:URL"
|
|
minOccurs="0"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="swid"
|
|
type="xs:string" default="0"/>
|
|
<xs:attribute name="configid"
|
|
type="xs:string" default="0"/>
|
|
<xs:attribute name="vendor"
|
|
type="xs:string"/>
|
|
<xs:attribute name="family"
|
|
type="xs:string"/>
|
|
<xs:attribute name="name"
|
|
type="xs:string"/>
|
|
<xs:attribute name="version"
|
|
type="xs:string"/>
|
|
<xs:attribute name="patch"
|
|
type="xs:string"/>
|
|
</xs:complexType>
|
|
<xs:element name="Application"
|
|
type="iodef:SoftwareType"/>
|
|
<xs:element name="OperatingSystem"
|
|
type="iodef:SoftwareType"/>
|
|
<!--
|
|
====================================================================
|
|
=== Miscellaneous simple classes ===
|
|
====================================================================
|
|
-->
|
|
<xs:element name="Description"
|
|
type="iodef:MLStringType"/>
|
|
<xs:element name="URL"
|
|
type="xs:anyURI"/>
|
|
<!--
|
|
====================================================================
|
|
=== Data Types ===
|
|
====================================================================
|
|
-->
|
|
<xs:simpleType name="PositiveFloatType">
|
|
<xs:restriction base="xs:float">
|
|
<xs:minExclusive value="0"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
<xs:complexType name="MLStringType">
|
|
<xs:simpleContent>
|
|
<xs:extension base="xs:string">
|
|
<xs:attribute name="lang"
|
|
type="xs:language" use="optional"/>
|
|
</xs:extension>
|
|
</xs:simpleContent>
|
|
</xs:complexType>
|
|
<xs:complexType name="ExtensionType" mixed="true">
|
|
<xs:sequence>
|
|
<xs:any namespace="##any" processContents="lax"
|
|
minOccurs="0" maxOccurs="unbounded"/>
|
|
</xs:sequence>
|
|
<xs:attribute name="dtype"
|
|
type="iodef:dtype-type" use="required"/>
|
|
<xs:attribute name="ext-dtype"
|
|
type="xs:string" use="optional"/>
|
|
<xs:attribute name="meaning"
|
|
type="xs:string"/>
|
|
<xs:attribute name="formatid"
|
|
type="xs:string"/>
|
|
<xs:attribute name="restriction"
|
|
type="iodef:restriction-type"/>
|
|
</xs:complexType>
|
|
<!--
|
|
====================================================================
|
|
=== Global attribute type declarations ===
|
|
====================================================================
|
|
-->
|
|
<xs:simpleType name="restriction-type">
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="default"/>
|
|
<xs:enumeration value="public"/>
|
|
<xs:enumeration value="need-to-know"/>
|
|
<xs:enumeration value="private"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="severity-type">
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="low"/>
|
|
<xs:enumeration value="medium"/>
|
|
<xs:enumeration value="high"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="duration-type">
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="second"/>
|
|
<xs:enumeration value="minute"/>
|
|
<xs:enumeration value="hour"/>
|
|
<xs:enumeration value="day"/>
|
|
<xs:enumeration value="month"/>
|
|
<xs:enumeration value="quarter"/>
|
|
<xs:enumeration value="year"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="action-type">
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="nothing"/>
|
|
<xs:enumeration value="contact-source-site"/>
|
|
<xs:enumeration value="contact-target-site"/>
|
|
<xs:enumeration value="contact-sender"/>
|
|
<xs:enumeration value="investigate"/>
|
|
<xs:enumeration value="block-host"/>
|
|
<xs:enumeration value="block-network"/>
|
|
<xs:enumeration value="block-port"/>
|
|
<xs:enumeration value="rate-limit-host"/>
|
|
<xs:enumeration value="rate-limit-network"/>
|
|
<xs:enumeration value="rate-limit-port"/>
|
|
<xs:enumeration value="remediate-other"/>
|
|
<xs:enumeration value="status-triage"/>
|
|
<xs:enumeration value="status-new-info"/>
|
|
<xs:enumeration value="other"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
|
|
<xs:simpleType name="dtype-type">
|
|
<xs:restriction base="xs:NMTOKEN">
|
|
<xs:enumeration value="boolean"/>
|
|
<xs:enumeration value="byte"/>
|
|
<xs:enumeration value="character"/>
|
|
<xs:enumeration value="date-time"/>
|
|
<xs:enumeration value="integer"/>
|
|
<xs:enumeration value="ntpstamp"/>
|
|
<xs:enumeration value="portlist"/>
|
|
<xs:enumeration value="real"/>
|
|
<xs:enumeration value="string"/>
|
|
<xs:enumeration value="file"/>
|
|
<xs:enumeration value="path"/>
|
|
<xs:enumeration value="frame"/>
|
|
<xs:enumeration value="packet"/>
|
|
<xs:enumeration value="ipv4-packet"/>
|
|
<xs:enumeration value="ipv6-packet"/>
|
|
<xs:enumeration value="url"/>
|
|
<xs:enumeration value="csv"/>
|
|
<xs:enumeration value="winreg"/>
|
|
<xs:enumeration value="xml"/>
|
|
<xs:enumeration value="ext-value"/>
|
|
</xs:restriction>
|
|
</xs:simpleType>
|
|
</xs:schema>
|