System

The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of "source", then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of "target" or "intermediary", the machine or service is the one targeted in the activity. A value of "sensor" dictates that this System was part of an instrumentation to monitor the network.

[Class diagram of the System class: System aggregates Node (1..1), Service (0..*), OperatingSystem (0..1), Counter (0..*) and AdditionalData (0..*). Node in turn aggregates Address (0..*), NodeRole (0..*) and Counter (0..*); Service aggregates Application (0..*).]


Aggregates

Node (1..1)

A host or network involved in the incident.

Service (0..*)

A network service running on the system.

OperatingSystem (0..1)

The operating system running on the system.

Counter (0..*)

A counter with which to summarize properties of this host or network.

Description (0..*)

A free-form text description of the System.

AdditionalData (0..*)

A mechanism by which to extend the data model.

Attributes

restriction (Optional)

This attribute is defined in Section 3.2.

category (Required)

Classifies the role the host or network played in the incident. The possible values are:

1. source: The System was the source of the event.
2. target: The System was the target of the event.
3. intermediate: The System was an intermediary in the event.
4. sensor: The System was a sensor monitoring the event.
5. infrastructure: The System was an infrastructure node of IODEF document exchange.
6. ext-value: An escape value used to extend this attribute. See Section 5.1.

ext-category (Optional)

A means by which to extend the category attribute. See Section 5.1.

interface (Optional)

Specifies the interface on which the event(s) on this System originated. If the Node class specifies a network rather than a host, this attribute has no meaning.

spoofed (Optional)

An indication of confidence in whether this System was the true target or attacking host. The permitted values for this attribute are shown below. The default value is "unknown".

1. unknown: The accuracy of the category attribute value is unknown.
2. yes: The category attribute value is probably incorrect. In the case of a source, the System is likely a decoy; with a target, the System was likely not the intended victim.
3. no: The category attribute value is believed to be correct.
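The constraints listed on this page (required category, at most one OperatingSystem, exactly one Node, ip_protocol on Service, a NodeName when no Address is given) and the category/spoofed semantics can be checked on a System element in a few lines. This is an added example, not code from the idmef_parser project; it assumes the RFC 5070 IODEF namespace and uses a constructed sample document.

```python
"""Validate the IODEF System class constraints described above (example
code, not part of idmef_parser). The sample document is constructed."""
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:iodef-1.0"   # IODEF 1.0 namespace (RFC 5070)
CATEGORIES = {"source", "target", "intermediate", "sensor",
              "infrastructure", "ext-value"}
SPOOFED = {"unknown", "yes", "no"}


def q(tag):
    """Namespace-qualify a tag name for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


def parse_system(xml_text):
    return ET.fromstring(xml_text)


def validate_system(system):
    """Return a list of violations of the System class constraints."""
    errors = []
    cat = system.get("category")
    if cat not in CATEGORIES:
        errors.append("category is required and must be an enumerated value")
    elif cat == "ext-value" and not system.get("ext-category"):
        errors.append("category=ext-value requires ext-category")
    if system.get("spoofed", "unknown") not in SPOOFED:   # default is unknown
        errors.append("spoofed must be unknown, yes or no")
    nodes = system.findall(q("Node"))
    if len(nodes) != 1:
        errors.append("exactly one Node is required (1..1)")
    for node in nodes:
        # NodeName MUST be present when no Address information is given
        if node.find(q("NodeName")) is None and node.find(q("Address")) is None:
            errors.append("Node needs a NodeName or an Address")
    for svc in system.findall(q("Service")):
        if svc.get("ip_protocol") is None:
            errors.append("Service requires ip_protocol")
    if len(system.findall(q("OperatingSystem"))) > 1:
        errors.append("at most one OperatingSystem (0..1)")
    return errors


def describe_role(system):
    """Interpret category together with spoofed, as the table above does."""
    cat, spoofed = system.get("category"), system.get("spoofed", "unknown")
    if spoofed == "yes" and cat == "source":
        return "source (probably a decoy; the real origin is hidden)"
    if spoofed == "yes" and cat == "target":
        return "target (probably not the intended victim)"
    note = {"unknown": "accuracy unknown", "yes": "probably incorrect",
            "no": "believed correct"}[spoofed]
    return "%s (%s)" % (cat, note)


SAMPLE = """<System xmlns="%s" category="source" spoofed="yes" interface="eth0">
  <Node><Address category="ipv4-addr">192.0.2.10</Address></Node>
  <Service ip_protocol="6"><Port>25</Port></Service>
</System>""" % NS   # constructed sample: a reported mail sender, likely spoofed
```

Running `validate_system(parse_system(SAMPLE))` returns an empty list, and `describe_role` on the same element flags the source as a probable decoy.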
