File
The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute.
digraph File { graph [bb="0,0,792,486", rankdir=LR ]; node [label="\N"]; File [height=3.3194, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute. "><FONT FACE="Nimbus Sans L">File</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The name of the file to which the alert applies, not including the path to the file."><FONT FACE="Nimbus Sans L">[STRING] name (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert."><FONT FACE="Nimbus Sans L">[STRING] path (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class."><FONT FACE="Nimbus Sans L">[DATETIME] create-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="Time the file was last modified."><FONT FACE="Nimbus Sans L">[DATETIME] modify-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="Time the file was last accessed."><FONT FACE="Nimbus Sans L">[DATETIME] access-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL)."><FONT FACE="Nimbus Sans L">[INTEGER] data-size (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF)."><FONT FACE="Nimbus Sans L">[INTEGER] disk-size (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="A unique identifier for this file; see Section 3.2.9."><FONT FACE="Nimbus Sans L">[STRING] ident (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted."><FONT FACE="Nimbus Sans L">[ENUM] category (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The type of file, as a mime-type."><FONT FACE="Nimbus Sans L">[STRING] file-type (Optional)</FONT></td></tr>%</table>>, pos="118.5,292", shape=plaintext, width=3.2917]; FileAccess [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/FileAccess.html" TITLE="The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems. "><FONT FACE="Nimbus Sans L">FileAccess</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/FileAccess.html" TITLE="Level of access allowed. The permitted values are shown below. There is no default value. (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] Permission (Required)</FONT></td></tr>%</table>>, pos="419.5,419", shape=plaintext, width=2.9028]; File -> FileAccess [label="0..*", lp="266.5,383.5", pos="e,321.12,393.99 237.17,358.6 256.52,368.17 276.58,377.34 296,385 301.04,386.99 306.24,388.91 311.53,390.75"]; Linkage [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate. "><FONT FACE="Nimbus Sans L">Linkage</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="The name of the file system object, not including the path."><FONT FACE="Nimbus Sans L">[STRING] name (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert."><FONT FACE="Nimbus Sans L">[STRING] path (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] category (Optional)</FONT></td></tr>%</table>>, pos="419.5,330", shape=plaintext, width=2.6389]; File -> Linkage [label="0..*", lp="266.5,318.5", pos="e,324.3,317.98 237.03,306.96 262.48,310.18 289.21,313.55 314.12,316.7"]; Inode [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The Inode class is used to represent the additional information contained in a Unix file system i-node. "><FONT FACE="Nimbus Sans L">Inode</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The time of the last inode change, given by the st_ctime element of "struct stat"."><FONT FACE="Nimbus Sans L">[DATETIME] change-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The inode number."><FONT FACE="Nimbus Sans L">[INTEGER] number (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The major device number of the device the file resides on."><FONT FACE="Nimbus Sans L">[INTEGER] major-device (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The minor device number of the device the file resides on."><FONT FACE="Nimbus Sans L">[INTEGER] minor-device (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The major device of the file itself, if it is a character special device."><FONT FACE="Nimbus Sans L">[INTEGER] c-major-device (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The minor device of the file itself, if it is a character special device."><FONT FACE="Nimbus Sans L">[INTEGER] c-minor-device (Optional)</FONT></td></tr>%</table>>, pos="419.5,188", shape=plaintext, width=3.4306]; File -> Inode [label="0..1", lp="266.5,250.5", pos="e,295.63,230.8 237.03,251.05 253.12,245.49 269.72,239.75 286.05,234.11"]; Checksum [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. "><FONT FACE="Nimbus Sans L">Checksum</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="The value of the checksum."><FONT FACE="Nimbus Sans L">[STRING] value (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="The key to the checksum, if appropriate."><FONT FACE="Nimbus Sans L">[STRING] key (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="default value. (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] algorithm (Required)</FONT></td></tr>%</table>>, pos="419.5,46", shape=plaintext, width=2.75]; File -> Checksum [label="0..*", lp="266.5,140.5", pos="e,320.44,86.598 216.54,172.46 240.81,147.21 267.95,122.14 296,102 301.02,98.396 306.31,94.943 311.76,91.647"]; UserId [height=1.8611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. "><FONT FACE="Nimbus Sans L">UserId</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="A user or group name."><FONT FACE="Nimbus Sans L">[STRING] name (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="A user or group number."><FONT FACE="Nimbus Sans L">[INTEGER] number (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="A unique identifier for the user id, see Section 3.2.9."><FONT FACE="Nimbus Sans L">[STRING] ident (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] type (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="The tty the user is using."><FONT FACE="Nimbus Sans L">[STRING] tty (Optional)</FONT></td></tr>%</table>>, pos="689.5,419", shape=plaintext, width=2.8472]; FileAccess -> UserId [label=1, lp="565,426.5", pos="e,586.56,419 524.28,419 541.38,419 559.16,419 576.45,419"]; Linkage -> File [label=1, lp="266.5,300.5", pos="e,237.18,289.47 324.24,301.64 308.9,298.08 293.1,294.99 278,293 268.01,291.68 257.64,290.72 247.2,290.04"]; }
Aggregates
name (Required)
The name of the file to which the alert applies, not including the path to the file.
path (Required)
The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
create-time (Optional)
Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.
modify-time (Optional)
Time the file was last modified.
access-time (Optional)
Time the file was last accessed.
data-size (Optional)
The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).
disk-size (Optional)
The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).
FileAccess (0..*)
Access permissions on the file.
Linkage (0..*)
File system objects to which this file is linked (other references for the file).
Inode (0..1)
Inode information for this file (relevant to Unix).
Checksum (0..*)
Checksum information for this file.
ident (Optional)
A unique identifier for this file; see Section 3.2.9.
category (Optional)
The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.
Rank Keyword Description 0 current The file information is from after the reported change 1 original The file information is from before the reported change
file-type (Optional)
The type of file, as a mime-type.