Re: [mile] JSON representation of IODEF (FW: New Version Notification for draft-takahashi-mile-jsoniodef-00.txt)
Carsten Bormann <cabo@tzi.org> Wed, 08 June 2016 18:06 UTC
Message-ID: <57585EA0.7010408@tzi.org>
Date: Wed, 08 Jun 2016 20:06:24 +0200
From: Carsten Bormann <cabo@tzi.org>
To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>
References: <063a01d1c166$c6f58860$54e09920$@nict.go.jp> <CAA=AuEcPmMAtPgWcbVYjbM+XMhF7W+NpZDOomQ=m38xjKuHySA@mail.gmail.com> <57584349.8000803@tzi.org>
In-Reply-To: <57584349.8000803@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/0haZ2KWWOjLTDx1Aro8FnJSchjk>
Cc: "mile@ietf.org" <mile@ietf.org>
Carsten Bormann wrote:
> a couple of errors

I think I worked around most of them.

I fed this into my experimental "JSON-Schema"-to-CDDL converter.
(While CDDL has been designed for CBOR, JSON's data model is a subset of CBOR's, so CDDL can be used for JSON as well.)

Here are a few observations:

*** Unused rule RegistryHandle
*** Unused rule PostalAddress
*** Unused rule Email
*** Unused rule BusinessImpact
*** Unused rule HistoryItem
*** Unused rule ServiceName
*** Unused rule ApplicationHeader
*** Unused rule EmailData
*** Unused rule RecordPattern
*** Unused rule WindowsRegistryKeysModified
*** Unused rule Key
*** Unused rule Observable
*** Unused rule BulkObservable
*** Unused rule BulkObservableFormat

For your perusal, the CDDL is reproduced below.

Since "JSON-Schema" isn't always very well-defined, I don't know whether what my tool reads from it indeed was the intended definition. (See also a few weird cases marked with @@@.)

I'm also not sure that ExtensionType and Campaign are exactly the two JSON objects that are extensible, and that Incident's AlternativeID field is as loosely defined as it seems. (There are also a lot of "any" types I have guessed.)

Finally, I can't parse

  "properties": {
    "Signature": {
      "SignatureValue": "xxxxxxxx",
      "id": "xxxxxxxx"
    }
  },

Without further ado, here is the automatically generated CDDL:

Regards, Carsten

start = iodef

;;; iodef.json: IODEF-Document

iodef = {
  version: text
  ? lang: lang
  ? format-id: text
  ? private-enum-name: text
  ? private-enum-id: text
  Incidents: [* Incident]
  ? AdditionalData: [* ExtensionType]
}

lang = "en" / "jp"

restriction = "public" / "partner" / "need-to-know" / "private" / "default" / "white" / "green" / "amber" / "red" / "ext-value"

URLtype = text
IDtype = text

ExtensionType = {
  ? Name: text
  ? dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" / "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" / "path" / "frame" / "packet" / "ipv4-packet" / "ipv6-packet" / "url" / "csv" / "winreg" / "xml" / "ext-value"
  ? ext-dtype: text
  ? meaning: text
  ? formatid: text
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  * text => any
}

SoftwareType = {
  ? SoftwareReference: SoftwareReference
  ? URL: URLtype
  ? Description: text
}

SoftwareReference = {
  ? value: text
  spec-name: text
  ? ext-spec-name: text
  ? dtype: text
  ? ext-dtype: text
}

Incident = {
  purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / "ext-value"
  ? ext-purpose: text
  ? status: "blabla"
  ? ext-status: text
  ? lang: lang
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  IncidentID: IncidentID
  ? AlternativeID: anymap ; @@@ object not well-defined @@@
  ? RelatedActivity: [* RelatedActivity]
  ? DetectTime: text
  ? StartTime: text
  ? EndTime: text
  ? RecoveryTime: text
  ? ReportTime: text
  GenerationTime: text
  ? Description: [* text]
  ? Discovery: [* Discovery]
  ? Assessment: [* Assessment]
  ? Methods: [* Method]
  Contacts: [* Contact]
  ? EventData: [* EventData]
  ? IndicatorList: [* Indicator]
  ? History: History
  ? AdditionalData: [* ExtensionType]
}

IncidentID = {
  ? id: text
  name: text
  ? instance: text
  ? restriction: restriction
  ? ext-restriction: text
}

RelatedActivity = {
  ? restriction: restriction
  ? ext-restriction: text
  ? IncidentID: [* IncidentID]
  ? URL: [* URLtype]
  ? ThreatActor: [* ThreatActor]
  ? Campaign: [* Campaign]
  ? IndicatorID: [* IndicatorID]
  ? Confidence: Confidence
  ? Description: [* text]
  ? AdditionalData: [* ExtensionType]
}

ThreatActor = {
  ? restriction: restriction
  ? ext-restriction: text
  ? ThreatActorID: text
  ? Description: text
  ? URL: URLtype
  ? AdditionalData: [* ExtensionType]
}

Campaign = {
  ? restriction: restriction
  ? ext-restriction: text
  ? CampaignID: any
  ? URL: URLtype
  ? Description: text
  ? AdditionalData: [* ExtensionType]
  * text => any
}

Contact = {
  role: any
  ? ext-role: any
  type: any
  ? ext-type: any
  ? restriction: restriction
  ? ext-restriction: text
  ? ContactName: any
  ? ContactTitle: any
  ? Description: text
  ? RegistryHandle: any
  ? PostalAddress: any
  ? Email: any
  ? Telephone: Telephone
  ? Timezone: any
  ? Contact: Contact
  ? AdditionalData: [* ExtensionType]
}

RegistryHandle = {
  ? RegistryHandleName: any
  registry: any
  ? ext-registry: any
}

PostalAddress = {
  ? type: text
  ? ext-type: text
  PAddress: text
  ? Description: text
}

Email = {
  ? type: any
  ? ext-type: any
  EmailTo: any
  ? Description: text
}

Telephone = {
  ? type: any
  ? ext-type: any
  TelephoneNumber: any
  ? Description: text
}

Discovery = {
  ? source: any
  ? ext-source: any
  ? restriction: restriction
  ? ext-restriction: text
  ? Description: text
  ? Contact: Contact
  ? DetectionPattern: DetectionPattern
}

DetectionPattern = {
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  Application: SoftwareType
  ? Description: text
  ? DetectionConfiguration: any
}

Method = {
  ? restriction: restriction
  ? ext-restriction: text
  ? References: [* Reference]
  ? Description: text
  ? AttackPattern: any
  ? Vulnerability: any
  ? Weakness: any
  ? AdditionalData: [* ExtensionType]
}

Reference = {
  ? observable-id: IDtype
  ? ReferenceName: any
  ? URL: URLtype
  ? Description: text
}

Assessment = {
  ? occurrence: any
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  ? IncidentCategory: any
  ? SystemImpact: SystemImpact
  ? BusinessImpact: any
  ? TimeImpact: TimeImpact
  ? MonetaryImpact: MonetaryImpact
  ? IntendedImpact: any
  ? Counter: Counter
  ? MitigatingFactor: any
  ? Cause: any
  ? Confidence: Confidence
  ? AdditionalData: [* ExtensionType]
}

SystemImpact = {
  ? severity: any
  ? completion: any
  type: any
  ? ext-type: any
  ? Description: text
}

BusinessImpact = {
  ? severity: any
  ? ext-severity: any
  type: any
  ? ext-type: any
  ? Description: text
}

TimeImpact = {
  ? value: any
  ? severity: any
  metric: any
  ? ext-metric: any
  ? duration: any
  ? ext-duration: any
}

MonetaryImpact = {
  ? MonetaryImpactValue: any
  ? severity: any
  ? currency: any
}

Confidence = {
  ? ConfidenceValue: any
  rating: any
  ? ext-rating: any
}

History = {
  ? restriction: restriction
  ? ext-restriction: text
  HistoryItem: any
}

HistoryItem = {
  action: any
  ? ext-action: any
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  DateTime: any
  ? IncidentID: any
  ? Contact: Contact
  ? Description: text
  ? DefinedCOA: any
  ? AdditionalData: [* ExtensionType]
}

EventData = {
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  ? Description: text
  ? DetectTime: any
  ? StartTime: any
  ? EndTime: any
  ? RecoveryTime: any
  ReportTime: text
  ? Contact: Contact
  ? Discovery: Discovery
  ? Assessment: any
  ? Method: Method
  ? System: System
  ? Expectation: Expectation
  ? Record: Record
  ? EventData: EventData
  ? AdditionalData: [* ExtensionType]
}

Expectation = {
  ? action: any
  ? ext-action: any
  ? severity: any
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  ? Description: text
  ? DefinedCOA: any
  ? StartTime: any
  ? EndTime: any
  ? Contact: Contact
}

System = {
  ? category: "source" / "target" / "intermediate" / "sensor" / "infrastructure" / "ext-value"
  ? ext-category: any
  ? interface: any
  ? spoofed: any
  ? virtual: any
  ? ownership: any
  ? ext-ownership: any
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  Node: Node
  ? NodeRole: NodeRole
  ? Service: Service
  ? OperatingSystem: any
  ? Counter: Counter
  ? AssetID: any
  ? Description: text
  ? AdditionalData: [* ExtensionType]
}

Node = {
  ? DomainData: DomainData
  ? Address: Address
  ? PostalAddress: any
  ? Location: text
  ? Counter: Counter
}

Address = {
  ? AddressValue: any
  category: any
  ? ext-category: any
  ? vlan-name: any
  ? vlan-num: int
  ? observable-id: IDtype
}

NodeRole = {
  category: any
  ? ext-category: any
  ? Description: text
}

Counter = {
  ? value: text
  type: any
  ? ext-type: any
  unit: any
  ? ext-unit: any
  ? meaning: any
  ? duration: any
  ? ext-duration: any
}

DomainData = {
  system-status: any
  ? ext-system-status: any
  domain-status: any
  ? ext-domain-status: any
  ? observable-id: IDtype
  Name: any
  ? DateDomainWasChecked: any
  ? RegistrationDate: any
  ? ExpirationDate: any
  ? RelatedDNS: any
  ? NameServers: NameServers
  ? DomainContacts: DomainContacts
}

NameServers = {
  Server: any
  Address: Address
}

DomainContacts = {
  ? SameDomainContact: any
  Contact: Contact
}

Service = {
  ? ip-protocol: any
  ? observable-id: IDtype
  ? ServiceName: any
  ? Port: any
  ? Portlist: any
  ? ProtoCode: any
  ? ProtoType: any
  ? ProtoField: any
  ? ApplicationHeader: any
  ? EmailData: any
  ? Application: any
}

ServiceName = {
  ? IANAService: any
  ? URL: URLtype
  ? Description: text
}

ApplicationHeader = {
  ? ApplicationHeaderField: any
}

EmailData = {
  ? EmailTo: any
  ? EmailFrom: any
  ? EmailSubject: any
  ? EmailX-Mailer: any
  ? EmailHeaderField: any
  ? EmailHeaders: any
  ? EmailBody: any
  ? EmailMessage: any
  ? HashData: HashData
  ? SignatureData: SignatureData
}

Record = {
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  ? DateTime: any
  ? Description: text
  ? Applicadtion: any
  ? RecordPattern: any
  ? RecordItem: any
  ? URL: URLtype
  ? FileData: FileData
  ? WindowsRegistryKeysModified: any
  ? CertificateData: CertificateData
  ? AdditionalData: [* ExtensionType]
}

RecordPattern = {
  ? RecordPatternValue: any
  type: any
  ? ext-type: any
  ? offset: any
  ? offsetunit: any
  ? ext-offsetunit: any
  ? instance: int
}

WindowsRegistryKeysModified = {
  ? observabile-id: any ; @@@ typo @@@
  Key: any
}

Key = {
  ? registryaction: any
  ? ext-registryaction: any
  ? observable-id: IDtype
  KeyName: any
  ? KeyValue: any
}

CertificateData = {
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  Certificate: Certificate
}

Certificate = {
  ? observable-id: IDtype
  X509Data: any
  ? Description: text
}

FileData = {
  ? restriction: restriction
  ? ext-restriction: text
  ? observable-id: IDtype
  File: File
}

File = {
  ? FileName: text
  ? FileSize: any
  ? FileType: any
  ? URL: URLtype
  ? HashData: HashData
  ? SignatureData: SignatureData
  ? AssociatedSoftware: any
  ? FileProperties: any
}

HashData = {
  scope: any
  ? HashTargetID: any
  ? Hash: Hash
  ? FuzzyHash: FuzzyHash
}

Hash = {
  DigestMethod: text
  DigestValue: text
  ? CanonicalizationMethod: any
  ? Application: any
}

FuzzyHash = {
  FuzzyHashValue: ExtensionType
  ? Application: any
  ? AdditionalData: [* ExtensionType]
}

; ** unused: {"SignatureValue"=>"xxxxxxxx", "id"=>"xxxxxxxx"}
SignatureData = {
  Signature: any
}

Indicator = {
  ? restriction: restriction
  ? ext-restriction: text
  IndicatorID: IndicatorID
  ? AlternativeIndicatorID: AlternativeIndicatorID
  ? Description: text
  ? StartTime: any
  ? EndTime: any
  ? Confidence: Confidence
  ? Contact: Contact
  ? Observable: any
  ? ObservableReference: ObservableReference
  ? IndicatorExpression: IndicatorExpression
  ? IndicatorReference: IndicatorReference
  ? NodeRole: NodeRole
  ? AttackPhase: AttackPhase
  ? Reference: Reference
  ? AdditionalData: [* ExtensionType]
}

IndicatorID = {
  ? id: any
  name: text
  version: text
}

AlternativeIndicatorID = {
  ? restriction: restriction
  ? ext-restriction: text
  IndicatorReference: IndicatorReference
}

Observable = {
  ? restriction: restriction
  ? ext-restriction: text
  ? System: any
  ? Address: any
  ? DomainData: DomainData
  ? EmailData: any
  ? Service: Service
  ? WindowsRegistryKeysModified: any
  ? FileData: FileData
  ? CertificateData: CertificateData
  ? RegistryHandle: any
  ? Record: Record
  ? EventData: any
  ? Incident: any
  ? Expectation: Expectation
  ? Reference: Reference
  ? Assessment: any
  ? DetectionPattern: any
  ? HistoryItem: any
  ? BulkObservable: text
  ? AdditionalData: [* ExtensionType]
}

BulkObservable = {
  ? type: any
  ? ext-type: any
  ? BulkObservableFormant: any
  ? BulkObservableList: text
  ? AdditionalData: [* ExtensionType]
}

BulkObservableFormat = {
  ? Hash: Hash
  ? AdditionalData: [* ExtensionType]
}

IndicatorExpression = {
  ? operator: any
  ? ext-operator: text
  ? IndicatorExpression: IndicatorExpression
  ? Observable: any
  ? ObservableReference: ObservableReference
  ? IndicatorReference: IndicatorReference
  ? AdditionalData: [* ExtensionType]
}

ObservableReference = {
  uid-ref: any
}

IndicatorReference = {
  ? uid-ref: any
  ? euid-ref: text
  ? version: text
}

AttackPhase = {
  ? AttackPhaseID: text
  ? URL: URLtype
  ? Description: text
  ? AdditionalData: [* ExtensionType]
}

anymap = { * text => any }
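The "Unused rule" diagnostics in the message above are a reachability question over the rule graph: a rule is unused when nothing reachable from `start` refers to it by name, which is exactly what happens when the referring member was emitted as `any` (Contact has `RegistryHandle: any`, so the RegistryHandle rule is never reached). The following is an added example, not Carsten's converter and not anything from the draft: a small Python check over a constructed, trimmed fragment of the generated CDDL (`SAMPLE_CDDL`, my own cut-down of the rules shown above). It reports the unreachable rules and, as the check a practitioner would want next, counts the members of reachable rules that are typed `any` (including the `* text => any` escape hatch), since those are the places where a validator built from this schema would accept arbitrary content. The regexes handle only the simple rule shapes seen in this message, not full CDDL; the function names are mine.

```python
import re

# Constructed fragment (not the full CDDL from the message), trimmed so the
# example runs stand-alone. Contact refers to RegistryHandle only as "any",
# so the RegistryHandle rule is unreachable from start, as the mail reports.
SAMPLE_CDDL = """
start = iodef
iodef = {
  version: text
  ? lang: lang
  Incidents: [* Incident]
  ? AdditionalData: [* ExtensionType]
}
lang = "en" / "jp"
restriction = "public" / "partner" / "need-to-know" / "private"
IDtype = text
ExtensionType = {
  ? Name: text
  ? restriction: restriction
  * text => any
}
Incident = {
  purpose: "traceback" / "mitigation" / "reporting"
  ? restriction: restriction
  ? observable-id: IDtype
  IncidentID: IncidentID
  ? AlternativeID: anymap ; @@@ object not well-defined @@@
  Contacts: [* Contact]
  ? AdditionalData: [* ExtensionType]
}
IncidentID = {
  ? id: text
  name: text
}
Contact = {
  role: any
  ? RegistryHandle: any
  ? Description: text
}
RegistryHandle = {
  ? RegistryHandleName: any
  registry: any
}
anymap = { * text => any }
"""

# A rule head is "name = " at the start of a line; "=>" inside a group is not one.
RULE_HEAD = re.compile(r"^([A-Za-z_][\w-]*)\s*=(?!>)\s*", re.M)
IDENT = re.compile(r"[A-Za-z_][\w-]*")


def parse_rules(cddl):
    """Map rule name -> body text, with ';' comments stripped."""
    stripped = "\n".join(line.split(";", 1)[0] for line in cddl.splitlines())
    heads = list(RULE_HEAD.finditer(stripped))
    rules = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(stripped)
        rules[m.group(1)] = stripped[m.end():end]
    return rules


def references(body, rules):
    """Names of other rules a body refers to.

    Quoted literals are values, not references, and a member key (the name
    before ':' or '=>') is a key, not a reference, so both are dropped first.
    """
    no_strings = re.sub(r'"[^"]*"', "", body)
    no_keys = re.sub(r"[A-Za-z_][\w-]*\s*(?::|=>)", "", no_strings)
    return {tok for tok in IDENT.findall(no_keys) if tok in rules}


def reachable(rules, root="start"):
    """Rules reachable from root by following references (depth-first)."""
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in seen or name not in rules:
            continue
        seen.add(name)
        todo.extend(references(rules[name], rules))
    return seen


def unused_rules(cddl, root="start"):
    """Defined rules that nothing reachable from root refers to."""
    rules = parse_rules(cddl)
    return sorted(set(rules) - reachable(rules, root))


def any_typed_members(cddl, root="start"):
    """Reachable rule -> number of members typed 'any' (incl. '* text => any').

    Each such member is a spot where a validator generated from the schema
    accepts arbitrary content, so the count is a rough validation-gap measure.
    """
    rules = parse_rules(cddl)
    hits = {}
    for name in reachable(rules, root):
        count = len(re.findall(r"(?::|=>)\s*any\b", rules[name]))
        if count:
            hits[name] = count
    return hits


if __name__ == "__main__":
    for rule in unused_rules(SAMPLE_CDDL):
        print(f"*** Unused rule {rule}")
    for rule, count in sorted(any_typed_members(SAMPLE_CDDL).items()):
        print(f"{rule}: {count} member(s) typed any")
```

Run against the fragment it prints the single `*** Unused rule RegistryHandle` line plus the `any` counts for Contact, ExtensionType and anymap; pointing `unused_rules` at the full CDDL from the message should reproduce the list of fourteen unused rules, with the caveat that the regexes are deliberately minimal.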