Flow

The Flow class groups related the source and target hosts.

Flow Flow Flow System System [ML_STRING] Description (0..*) [ENUM] restriction (Optional) [ENUM] category (Required) [STRING] ext-category (Optional) [STRING] interface (Optional) [ENUM] spoofed (Optional) Flow->System 1..* Node Node [ML_STRING] NodeName (0..*) [ML_STRING] Location (0..1) [] DateTime (0..1) System->Node 1..1 Counter Counter [ENUM] type (Required) [STRING] ext-type (Optional) [ENUM] duration (Optional) [STRING] ext-duration (Optional) System->Counter 0..* Service Service [INTEGER] Port (0..1) [PORTLIST] Portlist (0..1) [INTEGER] ProtoCode (0..1) [INTEGER] ProtoType (0..1) [INTEGER] ProtoFlags (0..1) [INTEGER] ip_protocol (Required) System->Service 0..* OperatingSystem OperatingSystem [URL] URL (0..1) [STRING] swid (Optional) [STRING] configid (Optional) [STRING] vendor (Optional) [STRING] family (Optional) [STRING] name (Optional) [STRING] version (Optional) [STRING] patch (Optional) System->OperatingSystem 0..1 AdditionalData AdditionalData [ENUM] dtype (Required) [STRING] ext-dtype (Optional) [STRING] meaning (Optional) [STRING] formatid (Optional) [ENUM] restriction (Optional) System->AdditionalData 0..* Address Address [ENUM] category (Required) [STRING] ext-category (Optional) [STRING] vlan-name (Optional) [STRING] vlan-num (Optional) Node->Address 0..* NodeRole NodeRole [ENUM] category (Required) [STRING] ext-category (Optional) [ENUM] lang (Required) Node->NodeRole 0..* Node->Counter 0..* Application Application [URL] URL (0..1) [STRING] swid (Optional) [STRING] configid (Optional) [STRING] vendor (Optional) [STRING] family (Optional) [STRING] name (Optional) [STRING] version (Optional) [STRING] patch (Optional) Service->Application 0..* 
digraph Flow {
	graph [bb="0,0,879,857.5",
		rankdir=LR
	];
	node [label="\N"];
	Flow	 [height=0.5,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Flow.html" TITLE="The Flow class groups related the source and target hosts. ">Flow</td> </tr>" %</table>>,
		pos="27,445",
		shape=plaintext,
		width=0.75];
	System	 [height=2.1528,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/System.html" TITLE="The System class describes a system or network involved in an event. The systems or networks represented by this class are categorized according to the role they played in the incident through the category attribute. The value of this category attribute dictates the semantics of the aggregated classes in the System class. If the category attribute has a value of &quot;source&quot;, then the aggregated classes denote the machine and service from which the activity is originating. With a category attribute value of &quot;target&quot; or &quot;intermediary&quot;, then the machine or service is the one targeted in the activity. A value of &quot;sensor&quot; dictates that this System was part of an instrumentation to monitor the network. ">System</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/System.html" TITLE="A free-form text description of the System.">[ML_STRING] Description (0..*) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/System.html" TITLE="This attribute is defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/System.html" TITLE="Classifies the role the host or network played in the incident.  The possible values are:">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/System.html" TITLE="A means by which to extend the category attribute.  See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/System.html" TITLE="Specifies the interface on which the event(s) on this System originated.  If the Node class specifies a network rather than a host, this attribute has no meaning.">[STRING] interface (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/System.html" TITLE="An indication of confidence in whether this System was the true target or attacking host.  The permitted values for this attribute are shown below.  The default value is &quot;unknown&quot;.">[ENUM] spoofed (Optional) </td></tr>%</table>>,
		pos="219.5,445",
		shape=plaintext,
		width=2.9861];
	Flow -> System	 [label="1..*",
		lp="83,452.5",
		pos="e,111.93,445 54.089,445 67.158,445 83.995,445 101.89,445"];
	"Node"	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Node.html" TITLE="The Node class names a system (e.g., PC, router) or network. ">Node</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Node.html" TITLE="The name of the Node (e.g., fully qualified domain name).  This information MUST be provided if no Address information is given.">[ML_STRING] NodeName (0..*) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Node.html" TITLE="A free-from description of the physical location of the equipment.">[ML_STRING] Location (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Node.html" TITLE="A timestamp of when the resolution between the name and address was performed.  This information SHOULD be provided if both an Address and NodeName are specified.">[] DateTime (0..1) </td></tr>%</table>>,
		pos="495.5,659",
		shape=plaintext,
		width=2.9444];
	System -> "Node"	 [label="1..1",
		lp="356,593.5",
		pos="e,404.93,612.87 289.35,522.74 306.65,540.26 325.78,558.07 345,573 360.85,585.32 378.65,597.08 396.29,607.73"];
	Counter	 [height=1.5694,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#993016" HREF="/idmef_parser/IODEF/Counter.html" TITLE="The Counter class summarize multiple occurrences of some event, or conveys counts or rates on various features (e.g., packets, sessions, events). ">Counter</td> </tr>" %<tr><td BGCOLOR="#FF5024"  HREF="/idmef_parser/IODEF/Counter.html" TITLE="Specifies the units of the element content.">[ENUM] type (Required) </td></tr>%<tr><td BGCOLOR="#FF5024"  HREF="/idmef_parser/IODEF/Counter.html" TITLE="A means by which to extend the type attribute. See Section 5.1.">[STRING] ext-type (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024"  HREF="/idmef_parser/IODEF/Counter.html" TITLE="If present, the Counter class represents a rate rather than a count over the entire event.  In that case, this attribute specifies the denominator of the rate (where the type attribute specified the nominator).  The possible values of this attribute are defined in Section 3.10.2">[ENUM] duration (Optional) </td></tr>%<tr><td BGCOLOR="#FF5024"  HREF="/idmef_parser/IODEF/Counter.html" TITLE="A means by which to extend the duration attribute.  See Section 5.1.">[STRING] ext-duration (Optional) </td></tr>%</table>>,
		pos="771.5,559",
		shape=plaintext,
		width=2.9722];
	System -> Counter	 [label="0..*",
		lp="495.5,569.5",
		pos="e,664.19,562.8 327.17,508.68 345.91,517.54 365.63,525.49 385,531 472.87,555.99 576.3,562.32 653.89,562.77"];
	Service	 [height=2.1528,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Service.html" TITLE="The Service class describes a network service of a host or network. The service is identified by specific port or list of ports, along with the application listening on that port. ">Service</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Service.html" TITLE="A port number.">[INTEGER] Port (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Service.html" TITLE="A list of port numbers formatted according to Section 2.10.">[PORTLIST] Portlist (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol-specific code field (e.g., ICMP code field).">[INTEGER] ProtoCode (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol specific type field (e.g., ICMP type field).">[INTEGER] ProtoType (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Service.html" TITLE="A layer-4 protocol specific flag field (e.g., TCP flag field).">[INTEGER] ProtoFlags (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Service.html" TITLE="The IANA protocol number.">[INTEGER] ip_protocol (Required) </td></tr>%</table>>,
		pos="495.5,445",
		shape=plaintext,
		width=3.0694];
	System -> Service	 [label="0..*",
		lp="356,452.5",
		pos="e,384.91,445 327.22,445 342.75,445 358.83,445 374.6,445"];
	OperatingSystem	 [height=2.7361,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="The OperatingSystem class describes the operating system running on a System. The definition is identical to the Application class (Section 3.17.1). ">OperatingSystem</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="A URL describing the application.">[URL] URL (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="An identifier that can be used to reference this software.">[STRING] swid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="An identifier that can be used to reference a particular configuration of this software.">[STRING] configid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Vendor name of the software.">[STRING] vendor (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Family of the software.">[STRING] family (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Name of the software.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Version of the software.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/OperatingSystem.html" TITLE="Patch or service pack level of the software.">[STRING] patch (Optional) </td></tr>%</table>>,
		pos="495.5,251",
		shape=plaintext,
		width=2.6806];
	System -> OperatingSystem	 [label="0..1",
		lp="356,361.5",
		pos="e,398.79,318.77 327.22,369.44 348.05,354.69 369.86,339.25 390.59,324.57"];
	AdditionalData	 [height=1.8611,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#997a3d" HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The AdditionalData class serves as an extension mechanism for information not otherwise represented in the data model. For relatively simple information, atomic data types (e.g., integers, strings) are provided with a mechanism to annotate their meaning. The class can also be used to extend the data model (and the associated Schema) to support proprietary extensions by encapsulating entire XML documents conforming to another Schema (e.g., IDMEF). A detailed discussion for extending the data model and the schema can be found in Section 5. ">AdditionalData</td> </tr>" %<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="The data type of the element content.  The permitted values for this attribute are shown below.  The default value is &quot;string&quot;.">[ENUM] dtype (Required) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A means by which to extend the dtype attribute.  See Section 5.1.">[STRING] ext-dtype (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="A free-form description of the element content.">[STRING] meaning (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="An identifier referencing the format and semantics of the element content.">[STRING] formatid (Optional) </td></tr>%<tr><td BGCOLOR="#FFCC66"  HREF="/idmef_parser/IODEF/AdditionalData.html" TITLE="This attribute has been defined in Section 3.2.">[ENUM] restriction (Optional) </td></tr>%</table>>,
		pos="495.5,67",
		shape=plaintext,
		width=2.7639];
	System -> AdditionalData	 [label="0..*",
		lp="356,194.5",
		pos="e,395.81,131.92 250.71,367.48 278.68,302.49 324.98,209.87 385,143 386.17,141.7 387.36,140.41 388.58,139.13"];
	Address	 [height=1.5694,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Address.html" TITLE="The Address class represents a hardware (layer-2), network (layer-3), or application (layer-7) address. ">Address</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Address.html" TITLE="The type of address represented.  The permitted values for this attribute are shown below.  The default value is &quot;ipv4-addr&quot;.">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Address.html" TITLE="A means by which to extend the category attribute.  See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Address.html" TITLE="The name of the Virtual LAN to which the address belongs.">[STRING] vlan-name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Address.html" TITLE="The number of the Virtual LAN to which the address belongs.">[STRING] vlan-num (Optional) </td></tr>%</table>>,
		pos="771.5,801",
		shape=plaintext,
		width=2.9861];
	"Node" -> Address	 [label="0..*",
		lp="635,741.5",
		pos="e,663.83,745.72 585.46,705.1 607.53,716.54 631.51,728.97 654.66,740.97"];
	NodeRole	 [height=1.2778,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="The NodeRole class describes the intended function performed by a particular host. ">NodeRole</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="Functionality provided by a node.">[ENUM] category (Required) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="A means by which to extend the category attribute.  See Section 5.1.">[STRING] ext-category (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/NodeRole.html" TITLE="A valid language code per RFC 4646 [7] constrained by the definition of &quot;xs:language&quot;.  The interpretation of this code is described in Section 6.">[ENUM] lang (Required) </td></tr>%</table>>,
		pos="771.5,680",
		shape=plaintext,
		width=2.9861];
	"Node" -> NodeRole	 [label="0..*",
		lp="635,677.5",
		pos="e,663.82,671.82 601.65,667.06 618.68,668.36 636.41,669.72 653.7,671.05"];
	"Node" -> Counter	 [label="0..*",
		lp="635,618.5",
		pos="e,664.27,597.77 601.65,620.62 618.97,614.3 637.01,607.72 654.57,601.31"];
	Application	 [height=2.7361,
		label=<<table BORDER="0" CELLBORDER="1" CELLSPACING="0"> <tr > <td BGCOLOR="#182f5f" HREF="/idmef_parser/IODEF/Application.html" TITLE="The Application class describes an application running on a System providing a Service. ">Application</td> </tr>" %<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="A URL describing the application.">[URL] URL (0..1) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="An identifier that can be used to reference this software.">[STRING] swid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="An identifier that can be used to reference a particular configuration of this software.">[STRING] configid (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="Vendor name of the software.">[STRING] vendor (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="Family of the software.">[STRING] family (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="Name of the software.">[STRING] name (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="Version of the software.">[STRING] version (Optional) </td></tr>%<tr><td BGCOLOR="#284f9f"  HREF="/idmef_parser/IODEF/Application.html" TITLE="Patch or service pack level of the software.">[STRING] patch (Optional) </td></tr>%</table>>,
		pos="771.5,386",
		shape=plaintext,
		width=2.6806];
	Service -> Application	 [label="0..*",
		lp="635,425.5",
		pos="e,674.74,406.62 606.37,421.34 625.64,417.19 645.66,412.88 664.81,408.76"];
}

Aggregates

System (1..*)

A host or network involved in an event.

IDMEF

IODEF