Transaction
The Transaction class contains specific information about the data exchange during the attack.
digraph Transaction { graph [bb="0,0,952,596", rankdir=LR ]; node [label="\N"]; Transaction [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IDMEFv2/Transaction.html" TITLE="The Transaction class contains specific information about the data exchange during the attack."><FONT FACE="Nimbus Sans L">Transaction</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IDMEFv2/Transaction.html" TITLE="Direction of the attack source <-> target"><FONT FACE="Nimbus Sans L">[Enum] direction (Optional)</FONT></td></tr>%</table>>, pos="92.5,317", shape=plaintext, width=2.5694]; File [height=3.3194, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute. "><FONT FACE="Nimbus Sans L">File</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The name of the file to which the alert applies, not including the path to the file."><FONT FACE="Nimbus Sans L">[STRING] name (1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert."><FONT FACE="Nimbus Sans L">[STRING] path (1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class."><FONT FACE="Nimbus Sans L">[DATETIME] create-time (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="Time the file was last modified."><FONT FACE="Nimbus Sans L">[DATETIME] modify-time (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="Time the file was last accessed."><FONT FACE="Nimbus Sans L">[DATETIME] access-time (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL)."><FONT FACE="Nimbus Sans L">[INTEGER] data-size (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF)."><FONT FACE="Nimbus Sans L">[INTEGER] disk-size (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="A unique identifier for this file; see Section 3.2.9."><FONT FACE="Nimbus Sans L">[STRING] ident (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted."><FONT FACE="Nimbus Sans L">[ENUM] category (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/File.html" TITLE="The type of file, as a mime-type."><FONT FACE="Nimbus Sans L">[STRING] file-type (0..1)</FONT></td></tr>%</table>>, pos="348.5,317", shape=plaintext, width=2.9028]; Transaction -> File [label="0..*", lp="214.5,324.5", pos="e,243.89,317 185.28,317 201.04,317 217.58,317 233.82,317"]; FileAccess [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv2/FileAccess.html" TITLE="The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems. "><FONT FACE="Nimbus Sans L">FileAccess</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/FileAccess.html" TITLE="Level of access allowed. The permitted values are shown below. There is no default value. (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] Permission (1..*)</FONT></td></tr>%</table>>, pos="621,529", shape=plaintext, width=2.4028]; File -> FileAccess [label="0..*", lp="482.5,487.5", pos="e,534.3,506.67 441.83,436.53 463.06,458.25 486.84,479.05 512,495 516.13,497.62 520.47,500.04 524.94,502.29"]; Linkage [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv2/Linkage.html" TITLE="The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate. "><FONT FACE="Nimbus Sans L">Linkage</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Linkage.html" TITLE="The name of the file system object, not including the path."><FONT FACE="Nimbus Sans L">[STRING] name (1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Linkage.html" TITLE="The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert."><FONT FACE="Nimbus Sans L">[STRING] path (1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Linkage.html" TITLE="Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] category (Optional)</FONT></td></tr>%</table>>, pos="621,440", shape=plaintext, width=2.6389]; File -> Linkage [label="0..*", lp="482.5,416.5", pos="e,525.65,420.53 453.04,392.03 459.01,395.25 465.02,398.27 471,401 485.06,407.41 500.36,412.9 515.63,417.58"]; Inode [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The Inode class is used to represent the additional information contained in a Unix file system i-node. "><FONT FACE="Nimbus Sans L">Inode</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The time of the last inode change, given by the st_ctime element of "struct stat"."><FONT FACE="Nimbus Sans L">[DATETIME] change-time (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The inode number."><FONT FACE="Nimbus Sans L">[INTEGER] number (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The major device number of the device the file resides on."><FONT FACE="Nimbus Sans L">[INTEGER] major-device (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The minor device number of the device the file resides on."><FONT FACE="Nimbus Sans L">[INTEGER] minor-device (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The major device of the file itself, if it is a character special device."><FONT FACE="Nimbus Sans L">[INTEGER] c-major-device (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Inode.html" TITLE="The minor device of the file itself, if it is a character special device."><FONT FACE="Nimbus Sans L">[INTEGER] c-minor-device (0..1)</FONT></td></tr>%</table>>, pos="621,298", shape=plaintext, width=3.0278]; File -> Inode [label="0..1", lp="482.5,315.5", pos="e,511.73,305.62 453.08,309.71 468.99,308.6 485.51,307.45 501.7,306.32"]; Checksum [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca300" HREF="/idmef_parser/IDMEFv2/Checksum.html" TITLE="The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. "><FONT FACE="Nimbus Sans L">Checksum</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Checksum.html" TITLE="The value of the checksum."><FONT FACE="Nimbus Sans L">[STRING] value (1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Checksum.html" TITLE="The key to the checksum, if appropriate."><FONT FACE="Nimbus Sans L">[STRING] key (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEFv2/Checksum.html" TITLE="default value. (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] algorithm (Required)</FONT></td></tr>%</table>>, pos="621,156", shape=plaintext, width=2.75]; File -> Checksum [label="0..*", lp="482.5,240.5", pos="e,529.65,202.1 453.12,247.71 472.5,235.48 492.71,223.12 512,212 514.86,210.35 517.77,208.7 520.72,207.05"]; Stream [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#CECECE" HREF="/idmef_parser/IDMEFv2/Stream.html" TITLE="The Stram class contains specific information about the content of a file"><FONT FACE="Nimbus Sans L">Stream</FONT></td> </tr>" %<tr><td HREF="/idmef_parser/IDMEFv2/Stream.html" TITLE=""><FONT FACE="Nimbus Sans L">[ENUM] offsetunit (Optional)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IDMEFv2/Stream.html" TITLE="Amount of units (determined by the offsetunit attribute) to seek into the File"><FONT FACE="Nimbus Sans L">[INTEGER] offset (Optional)</FONT></td></tr>%<tr><td HREF="/idmef_parser/IDMEFv2/Stream.html" TITLE="Content of the file"><FONT FACE="Nimbus Sans L">[DATA] Data (Required)</FONT></td></tr>%</table>>, pos="621,46", shape=plaintext, width=2.6806]; File -> Stream [label="0..1", lp="482.5,143.5", pos="e,524.32,91.613 423.95,197.36 449.14,163.43 479.22,128.34 512,101 513.34,99.88 514.71,98.775 516.11,97.686"]; UserId [height=1.8611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#52a3cc" HREF="/idmef_parser/IDMEFv2/UserId.html" TITLE="The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. "><FONT FACE="Nimbus Sans L">UserId</FONT></td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv2/UserId.html" TITLE="A user or group name."><FONT FACE="Nimbus Sans L">[STRING] name (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv2/UserId.html" TITLE="A user or group number."><FONT FACE="Nimbus Sans L">[INTEGER] number (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv2/UserId.html" TITLE="A unique identifier for the user id, see Section 3.2.9."><FONT FACE="Nimbus Sans L">[STRING] ident (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv2/UserId.html" TITLE="The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". (See also Section 10.)"><FONT FACE="Nimbus Sans L">[ENUM] type (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEFv2/UserId.html" TITLE="The tty the user is using."><FONT FACE="Nimbus Sans L">[STRING] tty (Optional)</FONT></td></tr>%</table>>, pos="863,529", shape=plaintext, width=2.4722]; FileAccess -> UserId [label=1, lp="752,536.5", pos="e,773.66,529 707.68,529 725.76,529 744.96,529 763.46,529"]; Linkage -> File [label=1, lp="482.5,389.5", pos="e,453.08,364.2 525.63,396.95 505.2,387.73 483.42,377.9 462.37,368.4"]; }
Aggregates
File (0..*)
File exchange during the attack, can be a certificate
Attributes
direction (Optional)
Direction of the attack source <-> target
Rank Keyword Description 0 unknown Direction of the attack unknown 1 Source Source 2 Target Target