Record

The Record class is a container class for log and audit data that provides supportive information about the incident. The source of this data will often be the output of monitoring tools. These logs should substantiate the activity described in the document.

Class diagram (Graphviz source omitted): Record aggregates RecordData (1..*). RecordData carries DateTime (0..1), Description (0..*) and a restriction attribute, and aggregates Application (0..1), RecordPattern (0..*), RecordItem (1..*) and AdditionalData (0..1).


Aggregates

RecordData (1..*)

Log or audit data generated by a particular type of sensor. Separate instances of the RecordData class SHOULD be used for each sensor type.

Attributes

restriction (Optional)

This attribute has been defined in Section 3.2.
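The aggregation rules above (Record holds one or more RecordData, each holding one or more RecordItem) and the restriction attribute, in an added example that is not part of this page or of any IODEF implementation. It assumes the IODEF 1.0 namespace from RFC 5070 and the restriction values listed in its Section 3.2 (public, need-to-know, private, default); the sample Record and its log lines are constructed.

```python
import xml.etree.ElementTree as ET

# IODEF 1.0 namespace (RFC 5070).
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0"}
# Permitted values of the restriction attribute (RFC 5070 Section 3.2).
RESTRICTION_VALUES = {"public", "need-to-know", "private", "default"}

# Constructed sample: one Record with a RecordData group per sensor type
# (firewall, IDS), each carrying at least one RecordItem.
SAMPLE_RECORD = """<Record xmlns="urn:ietf:params:xml:ns:iodef-1.0" restriction="need-to-know">
  <RecordData>
    <DateTime>2024-01-01T10:00:00Z</DateTime>
    <Description>Firewall denies from the suspected source</Description>
    <RecordItem dtype="string">Jan 1 10:00:00 fw1 DENY TCP 192.0.2.10:4444 -> 203.0.113.5:22</RecordItem>
    <RecordItem dtype="string">Jan 1 10:00:03 fw1 DENY TCP 192.0.2.10:4445 -> 203.0.113.5:22</RecordItem>
  </RecordData>
  <RecordData restriction="private">
    <Description>IDS alert correlated with the firewall denies</Description>
    <RecordItem dtype="string" meaning="IDS alert">SSH login failures from 192.0.2.10 exceeded threshold</RecordItem>
  </RecordData>
</Record>"""

def validate_record(xml_text):
    """Return model violations found in a Record; an empty list means it satisfies the cardinalities above."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:ietf:params:xml:ns:iodef-1.0}Record":
        return ["root element is not an IODEF Record"]
    problems = []
    data = root.findall("iodef:RecordData", NS)
    if not data:
        problems.append("Record needs at least one RecordData (1..*)")
    for i, rd in enumerate(data):
        if not rd.findall("iodef:RecordItem", NS):
            problems.append(f"RecordData[{i}] needs at least one RecordItem (1..*)")
        if len(rd.findall("iodef:DateTime", NS)) > 1:
            problems.append(f"RecordData[{i}] has more than one DateTime (0..1)")
    for el in [root] + data:
        value = el.get("restriction")
        if value is not None and value not in RESTRICTION_VALUES:
            problems.append(f"{el.tag.split('}')[1]} has unknown restriction value {value!r}")
    return problems

def record_items(xml_text):
    """Yield (description, item_text) for every RecordItem, grouped by its RecordData."""
    root = ET.fromstring(xml_text)
    for rd in root.findall("iodef:RecordData", NS):
        desc = " / ".join(d.text for d in rd.findall("iodef:Description", NS))
        for item in rd.findall("iodef:RecordItem", NS):
            yield (desc, item.text)
```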
