Flow

The Flow class groups related the source and target hosts. 

digraph Flow {
	graph [bb="0,0,903,696.5",
		rankdir=LR
	];
	node [label="\N"];
	Flow	 [height=0.5,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#65779e" HREF="/idmef_parser/IODEFv1/Flow.html" TITLE="The Flow class groups related the source and target hosts. "><FONT FACE="Nimbus Sans L">Flow</FONT></td> </tr>" %</table>>,
		pos="27,284",
		shape=plaintext,
		width=0.75];
	System	 [height=2.1528,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#65779e" HREF="/idmef_parser/IODEFv1/System.html" TITLE="The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of &quot;source&quot;, then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of &quot;target&quot; or &quot;intermediary&quot;, then the machine or service is the one targeted in the activity. A value of &quot;sensor&quot; dictates that this System was part of an instrumentation to monitor the network. "><FONT FACE="Nimbus Sans L">System</FONT></td> </tr>" %<tr><td BGCOLOR="#7e95c5"  HREF="/idmef_parser/IODEFv1/System.html" TITLE="A free-form text description of the System."><FONT FACE="Nimbus Sans L">[ML_STRING] Description (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#7e95c5"  HREF="/idmef_parser/IODEFv1/System.html" TITLE="This attribute is defined in Section 3.2."><FONT FACE="Nimbus Sans L">[ENUM] restriction (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#7e95c5"  HREF="/idmef_parser/IODEFv1/System.html" TITLE="Classifies the role the host or network played in the incident.  The possible values are:"><FONT FACE="Nimbus Sans L">[ENUM] category (Required)</FONT></td></tr>%<tr><td BGCOLOR="#7e95c5"  HREF="/idmef_parser/IODEFv1/System.html" TITLE="A means by which to extend the category attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-category (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#7e95c5"  HREF="/idmef_parser/IODEFv1/System.html" TITLE="Specifies the interface on which the event(s) on this System originated.  If the Node class specifies a network rather than a host, this attribute has no meaning."><FONT FACE="Nimbus Sans L">[STRING] interface (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#7e95c5"  HREF="/idmef_parser/IODEFv1/System.html" TITLE="An indication of confidence in whether this System was the true target or attacking host.  The permitted values for this attribute are shown below.  The default value is &quot;unknown&quot;."><FONT FACE="Nimbus Sans L">[ENUM] spoofed (Optional)</FONT></td></tr>%</table>>,
		pos="224,284",
		shape=plaintext,
		width=3.0833];
	Flow -> System	 [label="1..*",
		lp="83.5,291.5",
		pos="e,112.88,284 54.392,284 67.683,284 84.674,284 102.74,284"];
	"Node"	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#3daf3d" HREF="/idmef_parser/IODEFv1/Node.html" TITLE="The Node class names a system (e.g., PC, router) or network. "><FONT FACE="Nimbus Sans L">Node</FONT></td> </tr>" %<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Node.html" TITLE="The name of the Node (e.g., fully qualified domain name).  This information MUST be provided if no Address information is given."><FONT FACE="Nimbus Sans L">[ML_STRING] NodeName (0..*)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Node.html" TITLE="A free-from description of the physical location of the equipment."><FONT FACE="Nimbus Sans L">[ML_STRING] Location (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Node.html" TITLE="A timestamp of when the resolution between the name and address was performed.  This information SHOULD be provided if both an Address and NodeName are specified."><FONT FACE="Nimbus Sans L">[] DateTime (0..1)</FONT></td></tr>%</table>>,
		pos="508,498",
		shape=plaintext,
		width=2.9583];
	System -> "Node"	 [label="1..1",
		lp="364.5,432.5",
		pos="e,415.24,451.99 295.49,361.83 313.41,379.34 333.19,397.13 353,412 369.5,424.39 387.98,436.18 406.28,446.85"];
	Counter	 [height=1.5694,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cc6a51" HREF="/idmef_parser/IODEFv1/Counter.html" TITLE="The Counter class summarize multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events). "><FONT FACE="Nimbus Sans L">Counter</FONT></td> </tr>" %<tr><td BGCOLOR="#ff8465"  HREF="/idmef_parser/IODEFv1/Counter.html" TITLE="Specifies the units of the element content."><FONT FACE="Nimbus Sans L">[ENUM] type (Required)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465"  HREF="/idmef_parser/IODEFv1/Counter.html" TITLE="A means by which to extend the type attribute. See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-type (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465"  HREF="/idmef_parser/IODEFv1/Counter.html" TITLE="If present, the Counter class represents a rate rather than a count over the entire event.  In that case, this attribute specifies the denominator of the rate (where the type attribute specified the nominator).  The possible values of this attribute are defined in Section 3.10.2"><FONT FACE="Nimbus Sans L">[ENUM] duration (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#ff8465"  HREF="/idmef_parser/IODEFv1/Counter.html" TITLE="A means by which to extend the duration attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-duration (Optional)</FONT></td></tr>%</table>>,
		pos="792,398",
		shape=plaintext,
		width=3.0417];
	System -> Counter	 [label="0..*",
		lp="508,408.5",
		pos="e,682.33,402.33 335.25,348.92 354.33,357.7 374.35,365.55 394,371 485.04,396.23 592.07,402.24 672.2,402.35"];
	Service	 [height=2.1528,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca3a3" HREF="/idmef_parser/IODEFv1/Service.html" TITLE="The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port. "><FONT FACE="Nimbus Sans L">Service</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Service.html" TITLE="A port number."><FONT FACE="Nimbus Sans L">[INTEGER] Port (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Service.html" TITLE="A list of port numbers formatted according to Section 2.10."><FONT FACE="Nimbus Sans L">[PORTLIST] Portlist (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Service.html" TITLE="A layer-4 protocol-specific code field (e.g., ICMP code field)."><FONT FACE="Nimbus Sans L">[INTEGER] ProtoCode (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Service.html" TITLE="A layer-4 protocol specific type field (e.g., ICMP type field)."><FONT FACE="Nimbus Sans L">[INTEGER] ProtoType (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Service.html" TITLE="A layer-4 protocol specific flag field (e.g., TCP flag field)."><FONT FACE="Nimbus Sans L">[INTEGER] ProtoFlags (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Service.html" TITLE="The IANA protocol number."><FONT FACE="Nimbus Sans L">[INTEGER] ip_protocol (Required)</FONT></td></tr>%</table>>,
		pos="508,284",
		shape=plaintext,
		width=3.1667];
	System -> Service	 [label="0..*",
		lp="364.5,291.5",
		pos="e,393.78,284 335.02,284 351,284 367.52,284 383.73,284"];
	OperatingSystem	 [height=0.5,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#65779e" HREF="/idmef_parser/IODEFv1/OperatingSystem.html" TITLE="The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class (Section 3.17.1). "><FONT FACE="Nimbus Sans L">OperatingSystem</FONT></td> </tr>" %</table>>,
		pos="508,170",
		shape=plaintext,
		width=1.7778];
	System -> OperatingSystem	 [label="0..1",
		lp="364.5,220.5",
		pos="e,443.91,183.03 335.32,223.18 354.56,213.98 374.61,205.18 394,198 406.76,193.27 420.63,189.11 434.15,185.53"];
	AdditionalData	 [height=1.8611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#87689e" HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5. "><FONT FACE="Nimbus Sans L">AdditionalData</FONT></td> </tr>" %<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="The data type of the element content.  The permitted values for this attribute are shown below.  The default value is &quot;string&quot;."><FONT FACE="Nimbus Sans L">[ENUM] dtype (Required)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="A means by which to extend the dtype attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-dtype (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="A free-form description of the element content."><FONT FACE="Nimbus Sans L">[STRING] meaning (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="An identifier referencing the format and semantics of the element content."><FONT FACE="Nimbus Sans L">[STRING] formatid (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#a982c6"  HREF="/idmef_parser/IODEFv1/AdditionalData.html" TITLE="This attribute has been defined in Section 3.2."><FONT FACE="Nimbus Sans L">[ENUM] restriction (Optional)</FONT></td></tr>%</table>>,
		pos="508,67",
		shape=plaintext,
		width=2.8194];
	System -> AdditionalData	 [label="0..*",
		lp="364.5,179.5",
		pos="e,406.3,134.01 313.91,206.47 339.37,185.34 367.4,162.81 394,143 395.38,141.97 396.77,140.95 398.17,139.92"];
	Address	 [height=1.5694,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#3daf3d" HREF="/idmef_parser/IODEFv1/Address.html" TITLE="The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address. "><FONT FACE="Nimbus Sans L">Address</FONT></td> </tr>" %<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Address.html" TITLE="The type of address represented.  The permitted values for this attribute are shown below.  The default value is &quot;ipv4-addr&quot;."><FONT FACE="Nimbus Sans L">[ENUM] category (Required)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Address.html" TITLE="A means by which to extend the category attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-category (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Address.html" TITLE="The name of the Virtual LAN to which the address belongs."><FONT FACE="Nimbus Sans L">[STRING] vlan-name (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/Address.html" TITLE="The number of the Virtual LAN to which the address belongs."><FONT FACE="Nimbus Sans L">[STRING] vlan-num (Optional)</FONT></td></tr>%</table>>,
		pos="792,640",
		shape=plaintext,
		width=3.0833];
	"Node" -> Address	 [label="0..*",
		lp="651.5,580.5",
		pos="e,680.93,584.47 600.21,544.1 623.04,555.52 647.84,567.92 671.8,579.9"];
	NodeRole	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#3daf3d" HREF="/idmef_parser/IODEFv1/NodeRole.html" TITLE="The NodeRole class describes the intended function performed by a particular host. "><FONT FACE="Nimbus Sans L">NodeRole</FONT></td> </tr>" %<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/NodeRole.html" TITLE="Functionality provided by a node."><FONT FACE="Nimbus Sans L">[ENUM] category (Required)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/NodeRole.html" TITLE="A means by which to extend the category attribute.  See Section 5.1."><FONT FACE="Nimbus Sans L">[STRING] ext-category (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#4cdb4c"  HREF="/idmef_parser/IODEFv1/NodeRole.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;.  The interpretation of this code is described in Section 6."><FONT FACE="Nimbus Sans L">[ENUM] lang (Required)</FONT></td></tr>%</table>>,
		pos="792,519",
		shape=plaintext,
		width=3.0833];
	"Node" -> NodeRole	 [label="0..*",
		lp="651.5,516.5",
		pos="e,680.58,510.76 614.56,505.88 632.84,507.23 651.95,508.64 670.58,510.02"];
	"Node" -> Counter	 [label="0..*",
		lp="651.5,457.5",
		pos="e,682.48,436.56 614.56,460.48 633.63,453.76 653.61,446.73 673.01,439.9"];
	Application	 [height=2.7361,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr> <td BGCOLOR="#cca3a3" HREF="/idmef_parser/IODEFv1/Application.html" TITLE="The Application class describes an application running on a System providing a Service. "><FONT FACE="Nimbus Sans L">Application</FONT></td> </tr>" %<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="A URL describing the application."><FONT FACE="Nimbus Sans L">[URL] URL (0..1)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="An identifier that can be used to reference this software."><FONT FACE="Nimbus Sans L">[STRING] swid (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="An identifier that can be used to reference a particular configuration of this software."><FONT FACE="Nimbus Sans L">[STRING] configid (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="Vendor name of the software."><FONT FACE="Nimbus Sans L">[STRING] vendor (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="Family of the software."><FONT FACE="Nimbus Sans L">[STRING] family (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="Name of the software."><FONT FACE="Nimbus Sans L">[STRING] name (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="Version of the software."><FONT FACE="Nimbus Sans L">[STRING] version (Optional)</FONT></td></tr>%<tr><td BGCOLOR="#FFCCCC"  HREF="/idmef_parser/IODEFv1/Application.html" TITLE="Patch or service pack level of the software."><FONT FACE="Nimbus Sans L">[STRING] patch (Optional)</FONT></td></tr>%</table>>,
		pos="792,225",
		shape=plaintext,
		width=2.7083];
	Service -> Application	 [label="0..*",
		lp="651.5,263.5",
		pos="e,694.38,245.28 622.29,260.26 642.82,255.99 664.15,251.56 684.48,247.34"];
}

Aggregates

System (1..*)

A host or network involved in an event.

IDMEFv1

IDMEFv2

IODEFv1

IODEFv2