Linkage
The Linkage class represents file system connections between the file described in the
digraph Linkage { graph [bb="0,0,1041,376", rankdir=LR ]; node [label="\N"]; Linkage [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate. "><FONT FACE="Nimbus Sans L">Linkage</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="The name of the file system object, not including the path."><FONT FACE="Nimbus Sans L">[STRING] name (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert."><FONT FACE="Nimbus Sans L">[STRING] path (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Linkage.html" TITLE="Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] category (Optional)</FONT></td></tr>%</table>>, pos="95,188", shape=plaintext, width=2.6389]; File [height=3.3194, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute. "><FONT FACE="Nimbus Sans L">File</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The name of the file to which the alert applies, not including the path to the file."><FONT FACE="Nimbus Sans L">[STRING] name (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert."><FONT FACE="Nimbus Sans L">[STRING] path (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class."><FONT FACE="Nimbus Sans L">[DATETIME] create-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="Time the file was last modified."><FONT FACE="Nimbus Sans L">[DATETIME] modify-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="Time the file was last accessed."><FONT FACE="Nimbus Sans L">[DATETIME] access-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL)."><FONT FACE="Nimbus Sans L">[INTEGER] data-size (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF)."><FONT FACE="Nimbus Sans L">[INTEGER] disk-size (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="A unique identifier for this file; see Section 3.2.9."><FONT FACE="Nimbus Sans L">[STRING] ident (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted."><FONT FACE="Nimbus Sans L">[ENUM] category (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/File.html" TITLE="The type of file, as a mime-type."><FONT FACE="Nimbus Sans L">[STRING] file-type (Optional)</FONT></td></tr>%</table>>, pos="367.5,188", shape=plaintext, width=3.2917]; Linkage -> File [label=1, lp="219.5,195.5", pos="e,248.76,188 190.31,188 205.94,188 222.37,188 238.65,188"]; File -> Linkage [label="0..*", lp="219.5,177.5", pos="e,190.12,171.75 248.69,169.55 234.99,168.92 221.2,168.96 208,170 205.44,170.2 202.86,170.43 200.25,170.68"]; FileAccess [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/FileAccess.html" TITLE="The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems. "><FONT FACE="Nimbus Sans L">FileAccess</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/FileAccess.html" TITLE="Level of access allowed. The permitted values are shown below. There is no default value. (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] Permission (Required)</FONT></td></tr>%</table>>, pos="668.5,309", shape=plaintext, width=2.9028]; File -> FileAccess [label="0..*", lp="515.5,274.5", pos="e,570.87,283.96 486.46,250.07 505.77,259.05 525.74,267.7 545,275 550.2,276.97 555.56,278.88 561,280.72"]; Inode [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The Inode class is used to represent the additional information contained in a Unix file system i-node. "><FONT FACE="Nimbus Sans L">Inode</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The time of the last inode change, given by the st_ctime element of "struct stat"."><FONT FACE="Nimbus Sans L">[DATETIME] change-time (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The inode number."><FONT FACE="Nimbus Sans L">[INTEGER] number (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The major device number of the device the file resides on."><FONT FACE="Nimbus Sans L">[INTEGER] major-device (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The minor device number of the device the file resides on."><FONT FACE="Nimbus Sans L">[INTEGER] minor-device (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The major device of the file itself, if it is a character special device."><FONT FACE="Nimbus Sans L">[INTEGER] c-major-device (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Inode.html" TITLE="The minor device of the file itself, if it is a character special device."><FONT FACE="Nimbus Sans L">[INTEGER] c-minor-device (Optional)</FONT></td></tr>%</table>>, pos="668.5,188", shape=plaintext, width=3.4306]; File -> Inode [label="0..1", lp="515.5,195.5", pos="e,544.63,188 486.03,188 501.97,188 518.41,188 534.59,188"]; Checksum [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. "><FONT FACE="Nimbus Sans L">Checksum</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="The value of the checksum."><FONT FACE="Nimbus Sans L">[STRING] value (Required)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="The key to the checksum, if appropriate."><FONT FACE="Nimbus Sans L">[STRING] key (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv1/Checksum.html" TITLE="default value. (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] algorithm (Required)</FONT></td></tr>%</table>>, pos="668.5,46", shape=plaintext, width=2.75]; File -> Checksum [label="0..*", lp="515.5,127.5", pos="e,569.27,89.81 486.08,129.13 505.7,119.6 525.88,109.94 545,101 549.92,98.701 554.95,96.369 560.05,94.028"]; UserId [height=1.8611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. "><FONT FACE="Nimbus Sans L">UserId</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="A user or group name."><FONT FACE="Nimbus Sans L">[STRING] name (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="A user or group number."><FONT FACE="Nimbus Sans L">[INTEGER] number (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="A unique identifier for the user id, see Section 3.2.9."><FONT FACE="Nimbus Sans L">[STRING] ident (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] type (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv1/UserId.html" TITLE="The tty the user is using."><FONT FACE="Nimbus Sans L">[STRING] tty (Optional)</FONT></td></tr>%</table>>, pos="938.5,309", shape=plaintext, width=2.8472]; FileAccess -> UserId [label=1, lp="814,316.5", pos="e,835.56,309 773.28,309 790.38,309 808.16,309 825.45,309"]; }
Aggregates
name (Required)
The name of the file system object, not including the path.
path (Required)
The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
File (1)
Aelement may be used in place of the and elements if additional information about the file is to be included.
Attributes
category (Optional)
Section 10.)
Rank Keyword Description 0 hard-link The element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others. 1 mount-point An alias for the directory specified by the parent's and elements. 2 reparse-point Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points. 3 shortcut The file represented by a Windows "shortcut". A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager. 4 stream An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main . 5 symbolic-link The element represents the file to which the link points.