File
The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute.
digraph File { graph [bb="0,0,702,486", rankdir=LR ]; node [label="\N"]; File [height=3.3194, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The File class provides specific information about a file or other file-like object that has been created, deleted, or modified on the target. The description can provide either the file settings prior to the event or the file settings at the time of the event, as specified using the "category" attribute. ">File</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The name of the file to which the alert applies, not including the path to the file.">[STRING] name (1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.">[STRING] path (1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.">[DATETIME] create-time (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="Time the file was last modified.">[DATETIME] modify-time (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="Time the file was last accessed.">[DATETIME] access-time (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).">[INTEGER] data-size (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).">[INTEGER] disk-size (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="A unique identifier for this file; see Section 3.2.9.">[STRING] ident (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.">[ENUM] category (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/File.html" TITLE="The type of file, as a mime-type.">[STRING] file-type (0..1) </td></tr>%</table>>, pos="106,292", shape=plaintext, width=2.9444]; FileAccess [height=0.69444, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IDMEF/FileAccess.html" TITLE="The FileAccess class represents the access permissions on a file. The representation is intended to be useful across operating systems. ">FileAccess</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/FileAccess.html" TITLE="Level of access allowed. The permitted values are shown below. There is no default value. (See also Section 10.)">[ENUM] Permission (1..*) </td></tr>%</table>>, pos="377,419", shape=plaintext, width=2.4167]; File -> FileAccess [label="0..*", lp="241,384.5", pos="e,292.35,393.98 212.32,356.3 231.18,366.59 250.91,376.6 270,385 274.14,386.82 278.41,388.6 282.75,390.31"]; Linkage [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IDMEF/Linkage.html" TITLE="The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate. ">Linkage</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Linkage.html" TITLE="The name of the file system object, not including the path.">[STRING] name (1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Linkage.html" TITLE="The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.">[STRING] path (1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Linkage.html" TITLE="Section 10.)">[ENUM] category (Optional) </td></tr>%</table>>, pos="377,330", shape=plaintext, width=2.5833]; File -> Linkage [label="0..*", lp="241,320.5", pos="e,283.59,316.95 212.16,306.86 232.33,309.7 253.42,312.68 273.51,315.52"]; Inode [height=2.1528, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The Inode class is used to represent the additional information contained in a Unix file system i-node. ">Inode</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The time of the last inode change, given by the st_ctime element of "struct stat".">[DATETIME] change-time (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The inode number.">[INTEGER] number (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The major device number of the device the file resides on.">[INTEGER] major-device (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The minor device number of the device the file resides on.">[INTEGER] minor-device (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The major device of the file itself, if it is a character special device.">[INTEGER] c-major-device (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Inode.html" TITLE="The minor device of the file itself, if it is a character special device.">[INTEGER] c-minor-device (0..1) </td></tr>%</table>>, pos="377,188", shape=plaintext, width=2.9722]; File -> Inode [label="0..1", lp="241,251.5", pos="e,269.59,229.14 212.16,251.34 227.93,245.25 244.26,238.93 260.23,232.76"]; Checksum [height=1.2778, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="The Checksum class represents checksum information associated with the file. This checksum information can be provided by file integrity checkers, among others. ">Checksum</td> </tr>" %<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="The value of the checksum.">[STRING] value (1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="The key to the checksum, if appropriate.">[STRING] key (0..1) </td></tr>%<tr><td BGCOLOR="#FFCC00" HREF="/idmef_parser/IDMEF/Checksum.html" TITLE="default value. (See also Section 10.)">[ENUM] algorithm (Required) </td></tr>%</table>>, pos="377,46", shape=plaintext, width=2.7083]; File -> Checksum [label="0..*", lp="241,140.5", pos="e,282.22,92.013 196.96,172.08 219.16,146.82 244.06,121.61 270,101 271.34,99.936 272.7,98.883 274.09,97.842"]; UserId [height=1.8611, label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#3d7a99" HREF="/idmef_parser/IDMEF/UserId.html" TITLE="The UserId class provides specific information about a user. More than one UserId can be used within the User class to indicate attempts to transition from one user to another, or to provide complete information about a user's (or process') privileges. ">UserId</td> </tr>" %<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEF/UserId.html" TITLE="A user or group name.">[STRING] name (0..1) </td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEF/UserId.html" TITLE="A user or group number.">[INTEGER] number (0..1) </td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEF/UserId.html" TITLE="A unique identifier for the user id, see Section 3.2.9.">[STRING] ident (Optional) </td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEF/UserId.html" TITLE="The type of user information represented. The permitted values for this attribute are shown below. The default value is "original-user". (See also Section 10.)">[ENUM] type (Optional) </td></tr>%<tr><td BGCOLOR="#66CCFF" HREF="/idmef_parser/IDMEF/UserId.html" TITLE="The tty the user is using.">[STRING] tty (Optional) </td></tr>%</table>>, pos="614.5,419", shape=plaintext, width=2.4306]; FileAccess -> UserId [label=1, lp="505.5,426.5", pos="e,526.92,419 464.02,419 481.16,419 499.26,419 516.73,419"]; Linkage -> File [label=1, lp="241,300.5", pos="e,212.21,289.22 283.89,299.41 273.23,296.8 262.44,294.56 252,293 242.38,291.56 232.37,290.54 222.29,289.83"]; }
Aggregates
name (1)
The name of the file to which the alert applies, not including the path to the file.
path (1)
The full path to the file, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.
create-time (0..1)
Time the file was created. Note that this is *not* the Unix "st_ctime" file attribute (which is not file creation time). The Unix "st_ctime" attribute is contained in the "Inode" class.
modify-time (0..1)
Time the file was last modified.
access-time (0..1)
Time the file was last accessed.
data-size (0..1)
The size of the data, in bytes. Typically what is meant when referring to file size. On Unix UFS file systems, this value corresponds to stat.st_size. On Windows NTFS, this value corresponds to Valid Data Length (VDL).
disk-size (0..1)
The physical space on disk consumed by the file, in bytes. On Unix UFS file systems, this value corresponds to 512 * stat.st_blocks. On Windows NTFS, this value corresponds to End of File (EOF).
FileAccess (0..*)
Access permissions on the file.
Linkage (0..*)
File system objects to which this file is linked (other references for the file).
Inode (0..1)
Inode information for this file (relevant to Unix).
Checksum (0..*)
Checksum information for this file.
ident (0..1)
A unique identifier for this file; see Section 3.2.9.
category (0..1)
The type of file system the file resides on. This attribute governs how path names and other attributes are interpreted.
file-type (0..1)
The type of file, as a mime-type.