Re: [mile] JSON representation of IODEF (FW: New Version Notification for draft-takahashi-mile-jsoniodef-00.txt)

Carsten Bormann <cabo@tzi.org> Wed, 08 June 2016 18:06 UTC

From: Carsten Bormann <cabo@tzi.org>
To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>
Cc: "mile@ietf.org" <mile@ietf.org>
Date: Wed, 08 Jun 2016 20:06:24 +0200
Subject: Re: [mile] JSON representation of IODEF (FW: New Version Notification for draft-takahashi-mile-jsoniodef-00.txt)
Message-ID: <57585EA0.7010408@tzi.org>
In-Reply-To: <57584349.8000803@tzi.org>
References: <063a01d1c166$c6f58860$54e09920$@nict.go.jp> <CAA=AuEcPmMAtPgWcbVYjbM+XMhF7W+NpZDOomQ=m38xjKuHySA@mail.gmail.com> <57584349.8000803@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/0haZ2KWWOjLTDx1Aro8FnJSchjk>

Carsten Bormann wrote:
>  a couple of errors

I think I worked around most of them.
I fed this into my experimental "JSON-Schema"-to-CDDL converter.
(While CDDL has been designed for CBOR, JSON's data model is a subset of
CBOR's, so CDDL can be used for JSON as well.)

Here are a few observations:

*** Unused rule RegistryHandle
*** Unused rule PostalAddress
*** Unused rule Email
*** Unused rule BusinessImpact
*** Unused rule HistoryItem
*** Unused rule ServiceName
*** Unused rule ApplicationHeader
*** Unused rule EmailData
*** Unused rule RecordPattern
*** Unused rule WindowsRegistryKeysModified
*** Unused rule Key
*** Unused rule Observable
*** Unused rule BulkObservable
*** Unused rule BulkObservableFormat

For your perusal, the CDDL is reproduced below.
Since "JSON-Schema" isn't always very well-defined, I don't know whether
what my tool reads from it indeed was the intended definition.  (See
also a few weird cases marked with @@@.)
I'm also not sure that ExtensionType and Campaign are exactly the two
JSON objects that are extensible, and that Incident's AlternativeID
field is as loosely defined as it seems.  (There are also a lot of "any"
types I have guessed.)  Finally, I can't parse

      "properties": {
        "Signature": {
          "SignatureValue": "xxxxxxxx",
          "id": "xxxxxxxx"
        }
      },

Without further ado, here is the automatically generated CDDL:

Grüße, Carsten




start = iodef

;;; iodef.json: IODEF-Document

iodef = {
 version: text
 ? lang: lang
 ? format-id: text
 ? private-enum-name: text
 ? private-enum-id: text
 Incidents: [* Incident]
 ? AdditionalData: [* ExtensionType]
}

lang = "en" / "jp"
restriction = "public" / "partner" / "need-to-know" / "private" /
              "default" / "white" / "green" / "amber" / "red" /
              "ext-value"
URLtype = text
IDtype = text

ExtensionType = {
 ? Name: text
 ? dtype: "boolean" / "byte" / "bytes" / "character" / "date-time" /
          "ntpstamp" / "integer" / "portlist" / "real" / "string" / "file" /
          "path" / "frame" / "packet" / "ipv4-packet" / "ipv6-packet" / "url" /
          "csv" / "winreg" / "xml" / "ext-value"
 ? ext-dtype: text
 ? meaning: text
 ? formatid: text
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 * text => any
}

SoftwareType = {
 ? SoftwareReference: SoftwareReference
 ? URL: URLtype
 ? Description: text
}

SoftwareReference = {
 ? value: text
 spec-name: text
 ? ext-spec-name: text
 ? dtype: text
 ? ext-dtype: text
}

Incident = {
 purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" /
          "ext-value"
 ? ext-purpose: text
 ? status: "blabla"
 ? ext-status: text
 ? lang: lang
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 IncidentID: IncidentID
 ? AlternativeID: anymap ; @@@ object not well-defined @@@
 ? RelatedActivity: [* RelatedActivity]
 ? DetectTime: text
 ? StartTime: text
 ? EndTime: text
 ? RecoveryTime: text
 ? ReportTime: text
 GenerationTime: text
 ? Description: [* text]
 ? Discovery: [* Discovery]
 ? Assessment: [* Assessment]
 ? Methods: [* Method]
 Contacts: [* Contact]
 ? EventData: [* EventData]
 ? IndicatorList: [* Indicator]
 ? History: History
 ? AdditionalData: [* ExtensionType]
}

IncidentID = {
 ? id: text
 name: text
 ? instance: text
 ? restriction: restriction
 ? ext-restriction: text
}

RelatedActivity = {
 ? restriction: restriction
 ? ext-restriction: text
 ? IncidentID: [* IncidentID]
 ? URL: [* URLtype]
 ? ThreatActor: [* ThreatActor]
 ? Campaign: [* Campaign]
 ? IndicatorID: [* IndicatorID]
 ? Confidence: Confidence
 ? Description: [* text]
 ? AdditionalData: [* ExtensionType]
}

ThreatActor = {
 ? restriction: restriction
 ? ext-restriction: text
 ? ThreatActorID: text
 ? Description: text
 ? URL: URLtype
 ? AdditionalData: [* ExtensionType]
}

Campaign = {
 ? restriction: restriction
 ? ext-restriction: text
 ? CampaignID: any
 ? URL: URLtype
 ? Description: text
 ? AdditionalData: [* ExtensionType]
 * text => any
}

Contact = {
 role: any
 ? ext-role: any
 type: any
 ? ext-type: any
 ? restriction: restriction
 ? ext-restriction: text
 ? ContactName: any
 ? ContactTitle: any
 ? Description: text
 ? RegistryHandle: any
 ? PostalAddress: any
 ? Email: any
 ? Telephone: Telephone
 ? Timezone: any
 ? Contact: Contact
 ? AdditionalData: [* ExtensionType]
}

RegistryHandle = {
 ? RegistryHandleName: any
 registry: any
 ? ext-registry: any
}

PostalAddress = {
 ? type: text
 ? ext-type: text
 PAddress: text
 ? Description: text
}

Email = {
 ? type: any
 ? ext-type: any
 EmailTo: any
 ? Description: text
}

Telephone = {
 ? type: any
 ? ext-type: any
 TelephoneNumber: any
 ? Description: text
}

Discovery = {
 ? source: any
 ? ext-source: any
 ? restriction: restriction
 ? ext-restriction: text
 ? Description: text
 ? Contact: Contact
 ? DetectionPattern: DetectionPattern
}

DetectionPattern = {
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 Application: SoftwareType
 ? Description: text
 ? DetectionConfiguration: any
}

Method = {
 ? restriction: restriction
 ? ext-restriction: text
 ? References: [* Reference]
 ? Description: text
 ? AttackPattern: any
 ? Vulnerability: any
 ? Weakness: any
 ? AdditionalData: [* ExtensionType]
}

Reference = {
 ? observable-id: IDtype
 ? ReferenceName: any
 ? URL: URLtype
 ? Description: text
}

Assessment = {
 ? occurrence: any
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 ? IncidentCategory: any
 ? SystemImpact: SystemImpact
 ? BusinessImpact: any
 ? TimeImpact: TimeImpact
 ? MonetaryImpact: MonetaryImpact
 ? IntendedImpact: any
 ? Counter: Counter
 ? MitigatingFactor: any
 ? Cause: any
 ? Confidence: Confidence
 ? AdditionalData: [* ExtensionType]
}

SystemImpact = {
 ? severity: any
 ? completion: any
 type: any
 ? ext-type: any
 ? Description: text
}

BusinessImpact = {
 ? severity: any
 ? ext-severity: any
 type: any
 ? ext-type: any
 ? Description: text
}

TimeImpact = {
 ? value: any
 ? severity: any
 metric: any
 ? ext-metric: any
 ? duration: any
 ? ext-duration: any
}

MonetaryImpact = {
 ? MonetaryImpactValue: any
 ? severity: any
 ? currency: any
}

Confidence = {
 ? ConfidenceValue: any
 rating: any
 ? ext-rating: any
}

History = {
 ? restriction: restriction
 ? ext-restriction: text
 HistoryItem: any
}

HistoryItem = {
 action: any
 ? ext-action: any
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 DateTime: any
 ? IncidentID: any
 ? Contact: Contact
 ? Description: text
 ? DefinedCOA: any
 ? AdditionalData: [* ExtensionType]
}

EventData = {
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 ? Description: text
 ? DetectTime: any
 ? StartTime: any
 ? EndTime: any
 ? RecoveryTime: any
 ReportTime: text
 ? Contact: Contact
 ? Discovery: Discovery
 ? Assessment: any
 ? Method: Method
 ? System: System
 ? Expectation: Expectation
 ? Record: Record
 ? EventData: EventData
 ? AdditionalData: [* ExtensionType]
}

Expectation = {
 ? action: any
 ? ext-action: any
 ? severity: any
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 ? Description: text
 ? DefinedCOA: any
 ? StartTime: any
 ? EndTime: any
 ? Contact: Contact
}

System = {
 ? category: "source" / "target" / "intermediate" / "sensor" /
             "infrastructure" / "ext-value"
 ? ext-category: any
 ? interface: any
 ? spoofed: any
 ? virtual: any
 ? ownership: any
 ? ext-ownership: any
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 Node: Node
 ? NodeRole: NodeRole
 ? Service: Service
 ? OperatingSystem: any
 ? Counter: Counter
 ? AssetID: any
 ? Description: text
 ? AdditionalData: [* ExtensionType]
}

Node = {
 ? DomainData: DomainData
 ? Address: Address
 ? PostalAddress: any
 ? Location: text
 ? Counter: Counter
}

Address = {
 ? AddressValue: any
 category: any
 ? ext-category: any
 ? vlan-name: any
 ? vlan-num: int
 ? observable-id: IDtype
}

NodeRole = {
 category: any
 ? ext-category: any
 ? Description: text
}

Counter = {
 ? value: text
 type: any
 ? ext-type: any
 unit: any
 ? ext-unit: any
 ? meaning: any
 ? duration: any
 ? ext-duration: any
}

DomainData = {
 system-status: any
 ? ext-system-status: any
 domain-status: any
 ? ext-domain-status: any
 ? observable-id: IDtype
 Name: any
 ? DateDomainWasChecked: any
 ? RegistrationDate: any
 ? ExpirationDate: any
 ? RelatedDNS: any
 ? NameServers: NameServers
 ? DomainContacts: DomainContacts
}

NameServers = {
 Server: any
 Address: Address
}

DomainContacts = {
 ? SameDomainContact: any
 Contact: Contact
}

Service = {
 ? ip-protocol: any
 ? observable-id: IDtype
 ? ServiceName: any
 ? Port: any
 ? Portlist: any
 ? ProtoCode: any
 ? ProtoType: any
 ? ProtoField: any
 ? ApplicationHeader: any
 ? EmailData: any
 ? Application: any
}

ServiceName = {
 ? IANAService: any
 ? URL: URLtype
 ? Description: text
}

ApplicationHeader = {
 ? ApplicationHeaderField: any
}

EmailData = {
 ? EmailTo: any
 ? EmailFrom: any
 ? EmailSubject: any
 ? EmailX-Mailer: any
 ? EmailHeaderField: any
 ? EmailHeaders: any
 ? EmailBody: any
 ? EmailMessage: any
 ? HashData: HashData
 ? SignatureData: SignatureData
}

Record = {
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 ? DateTime: any
 ? Description: text
 ? Applicadtion: any
 ? RecordPattern: any
 ? RecordItem: any
 ? URL: URLtype
 ? FileData: FileData
 ? WindowsRegistryKeysModified: any
 ? CertificateData: CertificateData
 ? AdditionalData: [* ExtensionType]
}

RecordPattern = {
 ? RecordPatternValue: any
 type: any
 ? ext-type: any
 ? offset: any
 ? offsetunit: any
 ? ext-offsetunit: any
 ? instance: int
}

WindowsRegistryKeysModified = {
 ? observabile-id: any           ; @@@ typo @@@
 Key: any
}

Key = {
 ? registryaction: any
 ? ext-registryaction: any
 ? observable-id: IDtype
 KeyName: any
 ? KeyValue: any
}

CertificateData = {
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 Certificate: Certificate
}

Certificate = {
 ? observable-id: IDtype
 X509Data: any
 ? Description: text
}

FileData = {
 ? restriction: restriction
 ? ext-restriction: text
 ? observable-id: IDtype
 File: File
}

File = {
 ? FileName: text
 ? FileSize: any
 ? FileType: any
 ? URL: URLtype
 ? HashData: HashData
 ? SignatureData: SignatureData
 ? AssociatedSoftware: any
 ? FileProperties: any
}

HashData = {
 scope: any
 ? HashTargetID: any
 ? Hash: Hash
 ? FuzzyHash: FuzzyHash
}

Hash = {
 DigestMethod: text
 DigestValue: text
 ? CanonicalizationMethod: any
 ? Application: any
}

FuzzyHash = {
 FuzzyHashValue: ExtensionType
 ? Application: any
 ? AdditionalData: [* ExtensionType]
}

; ** unused: {"SignatureValue"=>"xxxxxxxx", "id"=>"xxxxxxxx"}
SignatureData = {
 Signature: any
}

Indicator = {
 ? restriction: restriction
 ? ext-restriction: text
 IndicatorID: IndicatorID
 ? AlternativeIndicatorID: AlternativeIndicatorID
 ? Description: text
 ? StartTime: any
 ? EndTime: any
 ? Confidence: Confidence
 ? Contact: Contact
 ? Observable: any
 ? ObservableReference: ObservableReference
 ? IndicatorExpression: IndicatorExpression
 ? IndicatorReference: IndicatorReference
 ? NodeRole: NodeRole
 ? AttackPhase: AttackPhase
 ? Reference: Reference
 ? AdditionalData: [* ExtensionType]
}

IndicatorID = {
 ? id: any
 name: text
 version: text
}

AlternativeIndicatorID = {
 ? restriction: restriction
 ? ext-restriction: text
 IndicatorReference: IndicatorReference
}

Observable = {
 ? restriction: restriction
 ? ext-restriction: text
 ? System: any
 ? Address: any
 ? DomainData: DomainData
 ? EmailData: any
 ? Service: Service
 ? WindowsRegistryKeysModified: any
 ? FileData: FileData
 ? CertificateData: CertificateData
 ? RegistryHandle: any
 ? Record: Record
 ? EventData: any
 ? Incident: any
 ? Expectation: Expectation
 ? Reference: Reference
 ? Assessment: any
 ? DetectionPattern: any
 ? HistoryItem: any
 ? BulkObservable: text
 ? AdditionalData: [* ExtensionType]
}

BulkObservable = {
 ? type: any
 ? ext-type: any
 ? BulkObservableFormant: any
 ? BulkObservableList: text
 ? AdditionalData: [* ExtensionType]
}

BulkObservableFormat = {
 ? Hash: Hash
 ? AdditionalData: [* ExtensionType]
}

IndicatorExpression = {
 ? operator: any
 ? ext-operator: text
 ? IndicatorExpression: IndicatorExpression
 ? Observable: any
 ? ObservableReference: ObservableReference
 ? IndicatorReference: IndicatorReference
 ? AdditionalData: [* ExtensionType]
}

ObservableReference = {
 uid-ref: any
}

IndicatorReference = {
 ? uid-ref: any
 ? euid-ref: text
 ? version: text
}

AttackPhase = {
 ? AttackPhaseID: text
 ? URL: URLtype
 ? Description: text
 ? AdditionalData: [* ExtensionType]
}

anymap = {
 * text => any
}
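As an added example (not part of Carsten's mail, his converter or the cddl tool), the following Python parses the map/array/choice subset of CDDL that the generated schema uses and validates a decoded JSON document against it, reporting every violation with a JSON path. The schema excerpt and the two sample documents are constructed for this example; the rule names (`start`, `iodef`, `Incident`, `IncidentID`, `Contact`, `ExtensionType`, `anymap`) are copied from the CDDL above. It covers only what that CDDL needs: `text`, `int`, `any`, literal choices, `?`/`*` occurrence indicators, `[* T]` arrays and the `* text => any` wildcard that makes ExtensionType and anymap extensible; everything else CDDL offers is out of scope.

```python
# Added example (not Carsten's converter or the cddl tool): a parser for the CDDL subset the
# generated schema uses, and a JSON validator that reports violations by JSON path.
import json
import re

# Whitespace and ";" comments are skipped; groups 1/2/3 capture punctuation / bareword / string.
TOKEN = re.compile(r'\s+|;[^\n]*|(=>|[{}\[\]?*/=:,])|([A-Za-z][\w-]*)|"([^"]*)"')

def parse_rules(src):
    """Return {rule name: type tree} for a CDDL text written in the subset above."""
    t = [('pns'[m.lastindex - 1], m.group(m.lastindex)) for m in TOKEN.finditer(src) if m.lastindex]
    rules = {}
    while t:
        name, eq = t.pop(0)[1], t.pop(0)
        assert eq == ('p', '='), f'expected "=" after rule {name}'
        rules[name] = parse_type(t)
    return rules

def parse_type(t):  # type1 ("/" type1)*  ->  ('ref'|'lit'|'choice'|'map'|'array', arg)
    alts = [parse_type1(t)]
    while t and t[0] == ('p', '/'):
        t.pop(0)
        alts.append(parse_type1(t))
    return alts[0] if len(alts) == 1 else ('choice', alts)

def parse_type1(t):
    kind, val = t.pop(0)
    if kind != 'p':
        return ('ref' if kind == 'n' else 'lit', val)
    assert val in ('{', '['), f'unexpected token {val!r}'
    entries, close = [], ('}' if val == '{' else ']')
    while t[0] != ('p', close):
        occ = t.pop(0)[1] if t[0] in (('p', '?'), ('p', '*')) else None  # occurrence indicator
        head = parse_type(t)  # a member key, or for unnamed entries the type itself
        if t[0] in (('p', ':'), ('p', '=>')):  # "name: type" or "keytype => type"
            head = (occ, ('name', head[1]) if t.pop(0)[1] == ':' else head, parse_type(t))
        else:  # unnamed entry such as "* Incident" inside "[* Incident]"
            head = (occ, None, head)
        entries.append(head)
        if t[0] == ('p', ','):  # entries may be comma- or newline-separated
            t.pop(0)
    t.pop(0)
    return ('map' if val == '{' else 'array', entries)

def check(rules, typ, value, path='$', errors=None):
    """Append one message per violation found under `path`; return the list."""
    errors, (kind, arg), got = [] if errors is None else errors, typ, json.dumps(value)
    if kind == 'ref' and arg in rules:
        check(rules, rules[arg], value, path, errors)
    elif kind == 'ref' and not {'any': True, 'text': isinstance(value, str), 'int': type(value) is int}[arg]:
        errors.append(f'{path}: expected {arg}, got {got}')  # a KeyError above means an undefined rule
    elif kind == 'lit' and value != arg:
        errors.append(f'{path}: expected {json.dumps(arg)}, got {got}')
    elif kind == 'choice' and not any(not check(rules, a, value) for a in arg):
        errors.append(f'{path}: no alternative matches {got}')
    elif kind == 'map' and not isinstance(value, dict) or kind == 'array' and not isinstance(value, list):
        errors.append(f'{path}: expected {kind}, got {got}')
    elif kind == 'map':
        named = {key[1]: (occ, vt) for occ, key, vt in arg if key and key[0] == 'name'}
        for name, (occ, vt) in named.items():
            if name in value:
                check(rules, vt, value[name], f'{path}.{name}', errors)
            elif occ is None:
                errors.append(f'{path}: missing required member {name}')
        for k, v in value.items():  # other members need a wildcard entry such as "* text => any"
            if k not in named and not any(key and key[0] != 'name' and not check(rules, key, k)
                                           and not check(rules, vt, v) for _, key, vt in arg):
                errors.append(f'{path}: unexpected member {k}')
    elif kind == 'array':  # only "[* T]" occurs in the schema, so every element is checked against T
        for i, v in enumerate(value):
            check(rules, arg[0][2], v, f'{path}[{i}]', errors)
    return errors

SCHEMA = '''  ; constructed, condensed excerpt of the generated CDDL above, same notation
start = iodef
iodef = { version: text, ? lang: lang, Incidents: [* Incident], ? AdditionalData: [* ExtensionType] }
lang = "en" / "jp"
ExtensionType = { ? Name: text, ? meaning: text, * text => any }
Incident = { purpose: "traceback" / "mitigation" / "reporting" / "watch" / "other" / "ext-value"
             IncidentID: IncidentID, ? AlternativeID: anymap ; @@@ object not well-defined @@@
             GenerationTime: text, ? Description: [* text], Contacts: [* Contact] }
IncidentID = { ? id: text, name: text }
Contact = { role: any, type: any, ? Description: text }
anymap = { * text => any }
'''
RULES = parse_rules(SCHEMA)

# Constructed sample documents: GOOD conforms, BAD breaks the schema in several ways.
GOOD = {"version": "2.0", "lang": "en", "AdditionalData": [{"Name": "note", "ticket": 42}],
        "Incidents": [{"purpose": "reporting", "IncidentID": {"name": "csirt.example", "id": "INC-0001"},
                       "AlternativeID": {"tracker": "INC-0001-alt"}, "GenerationTime": "2016-06-08T18:06:24Z",
                       "Contacts": [{"role": "creator", "type": "organization"}]}]}
BAD = {"version": 2, "lang": "de", "Incidents": [{"purpose": "espionage", "IncidentID": {"id": "INC-0002"},
                                                  "Contacts": [], "Foo": "bar"}]}

def validate(doc):
    """Validate a decoded JSON document against the schema's `start` rule."""
    return check(RULES, RULES['start'], doc)
```

`validate(BAD)` returns six messages (a non-text `version`, a `lang` outside the enumeration, a `purpose` outside the enumeration, an `IncidentID` without its required `name`, a missing `GenerationTime`, and the unexpected member `Foo`), while `validate(GOOD)` returns an empty list. Because `AlternativeID` is typed `anymap`, any object at all passes there; that is precisely the looseness the mail questions, and tightening that rule in the CDDL is all it takes for the validator to start rejecting it.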