Linkage

The Linkage class represents file system connections between the file described in the <File> element and other objects in the file system. For example, if the <File> element is a symbolic link or shortcut, then the <Linkage> element should contain the name of the object the link points to. Further information can be provided about the object in the <Linkage> element with another <File> element, if appropriate.

[Class diagram: Linkage contains File (1). File contains Linkage (0..*), FileAccess (0..*), Inode (0..1) and Checksum (0..*). FileAccess contains UserId (1).]


Aggregates

name (1)

The name of the file system object, not including the path.

path (1)

The full path to the file system object, including the name. The path name should be represented in as "universal" a manner as possible, to facilitate processing of the alert.

File (1)

A <File> element may be used in place of the <name> and <path> elements if additional information about the file is to be included.

Attributes

category (Optional)

(See also Section 10.)

| Rank | Keyword | Description |
|------|---------|-------------|
| 0 | hard-link | The <name> element represents another name for this file. This information may be more easily obtainable on NTFS file systems than others. |
| 1 | mount-point | An alias for the directory specified by the parent's <name> and <path> elements. |
| 2 | reparse-point | Applies only to Windows; excludes symbolic links and mount points, which are specific types of reparse points. |
| 3 | shortcut | The file represented by a Windows "shortcut". A shortcut is distinguished from a symbolic link because of the difference in their contents, which may be of importance to the manager. |
| 4 | stream | An Alternate Data Stream (ADS) in Windows; a fork on MacOS. Separate file system entity that is considered an extension of the main <File>. |
| 5 | symbolic-link | The <name> element represents the file to which the link points. |
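
An added example (not part of the original page or of the parser it documents): a Python check that every <Linkage> in an IDMEF <File> fragment uses one of the six category keywords and carries either <name> and <path> or a nested <File>. The sample XML and the function names are constructed for the illustration; the namespace URI is assumed to be the one RFC 4765 uses for IDMEF messages.

```python
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}
# Keywords from the category table above, in rank order 0..5.
CATEGORIES = ("hard-link", "mount-point", "reparse-point",
              "shortcut", "stream", "symbolic-link")

# Constructed sample alert fragment: one valid and two malformed linkages.
SAMPLE = """
<idmef:File xmlns:idmef="http://iana.org/idmef" category="current">
  <idmef:name>current</idmef:name>
  <idmef:path>/srv/app/current</idmef:path>
  <idmef:Linkage category="symbolic-link">
    <idmef:name>v2</idmef:name>
    <idmef:path>/srv/releases/v2</idmef:path>
  </idmef:Linkage>
  <idmef:Linkage category="junction">
    <idmef:File category="current">
      <idmef:name>data</idmef:name>
      <idmef:path>/mnt/data</idmef:path>
    </idmef:File>
  </idmef:Linkage>
  <idmef:Linkage category="hard-link">
    <idmef:name>current.bak</idmef:name>
  </idmef:Linkage>
</idmef:File>
"""

def check_linkage(linkage):
    """Return the list of problems found in one <Linkage> element."""
    problems = []
    cat = linkage.get("category")  # listed as optional on this page
    if cat is not None and cat not in CATEGORIES:
        problems.append(f"unknown category {cat!r}")
    name = linkage.findtext("idmef:name", namespaces=NS)
    path = linkage.findtext("idmef:path", namespaces=NS)
    if linkage.find("idmef:File", NS) is not None:
        return problems  # a nested File stands in for name and path
    if not (name and path):
        problems.append("needs name and path, or a nested File")
    elif not path.endswith(name):
        problems.append("path does not include name")
    return problems

def audit(xml_text):
    """Check every Linkage in the fragment, including nested ones."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Linkage" % NS["idmef"]
    return [(lk.get("category"), check_linkage(lk)) for lk in root.iter(tag)]
```

Calling `audit(SAMPLE)` returns one `(category, problems)` pair per linkage in document order; for alerts received from untrusted analyzers, parse with a hardened XML parser instead of the standard-library one used here.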

