1 karl 1.1 // ===================================================================
2 // Title: Security Events
3 // $State: Preliminary $
4 // $Date: 2004/07/16 14:02:10 $
5 // $Source: /home/dmtf2/dotorg/var/cvs/repositories/dev/Schema/MOF/Security_Events.mof,v $
6 // $Revision: 1.17 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2004 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 karl 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 karl 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44
45
46 #pragma Locale ("en_US")
47
48
49 // ==================================================================
50 // SecurityIndication
51 // ==================================================================
// ------------------------------------------------------------------
// CIM_SecurityIndication: common superclass for the Security Events
// schema. Contracts that are visible in the qualifiers below:
//   * AlertType is pinned to 8 ("Security Alert") by both its default
//     value and its single-entry ValueMap.
//   * MessageType gives an instance its semantic type; subclasses
//     override it to carve specific values out of the reserved ranges.
//   * Effects, Mechanisms and Resources are Required enumerated
//     arrays; the matching MoreSpecific* string arrays refine them
//     with vendor/Detector-defined text whose vocabulary is scoped by
//     CIM_AlertIndication.OwningEntity.
//   * IndicationEndTime together with EventCount turns one Indication
//     into an event aggregate (see the MUST rules on both properties).
// The class is not marked Abstract, so it may be instantiated
// directly for a generic security event.
// ------------------------------------------------------------------
[Indication, Experimental, Version ( "2.8.1000" ), Description (
   "SecurityIndication provides a common superclass for the CIM "
   "Security Events schema. SecurityIndications are messages "
   "produced by Detectors that watch for and report on events that "
   "have security implications. Detectors may include, but are not "
   "limited to intrusion detection systems, antivirus scanners, "
   "firewalls, vulnerability scanners, or operating system "
   "sentries and subsystems. \n"
   "Although often due to attacks or probes, security events can "
   "also reflect normal activity, such as host or network login, "
   "firewall connections, etc. Messages include information about "
   "the Effect of the event, the Mechanism or method by which the "
   "event occurred, and the Resource affected by the event. \n"
   "Properties from the base class CIM_Indication that MUST be "
   "populated are: IndicationIdentifier and IndicationTime. A "
   "property from the superclass CIM_AlertIndication that MUST be "
   "populated is: AlertType which MUST be set to \"Security\". "
   "EventID, ProviderName and AlertingManagedElement in some "
   "combination SHOULD be populated in a way that identifies the "
   "device type and its source in an unambiguous way from the "
   "Detector's point of view.")]
class CIM_SecurityIndication : CIM_AlertIndication {

   // Correlation handle referenced by other Indications through their
   // CorrelatedIndications array.
   // NOTE(review): the Required qualifier added by this override sits
   // uneasily with the Description's "MAY be reused or left NULL";
   // confirm which governs for security Indications.
   [Required, Override ( "IndicationIdentifier" ), Description (
      "An identifier for the Indication. This property is similar "
      "to a key value in that it can be used for identification, "
      "when correlating Indications (see the CorrelatedIndications "
      "array). Its value SHOULD be unique as long as Alert "
      "correlations are reported, but MAY be reused or left NULL "
      "if no future Indications will reference it in their "
      "CorrelatedIndications array."),
   MappingStrings { "Recommendation.ITU|X733.Notification "
      "identifier" }]
   string IndicationIdentifier;

   // Fixed classification: the ValueMap admits only 8 and the default
   // is 8, so every instance of this hierarchy is a "Security Alert".
   [Required, Override ( "AlertType" ), Description (
      "Primary classification of the Indication. The following "
      "value is the only value permitted from AlertIndication: \n"
      "8 - Security Alert. An Indication of this type is "
      "associated with security violations, detection of viruses, "
      "and similar issues."),
   ValueMap { "8" },
   Values { "Security Alert" },
   MappingStrings { "Recommendation.ITU|X733.Event type" }]
   uint16 AlertType=8;

   // Semantic event type. Only 0 and 2 are assigned here; 3..15999 is
   // DMTF Reserved and 16000.. is Vendor Reserved, which is the space
   // the subclasses below carve their specific values from.
   // NOTE(review): "MethodTypes" in the Description reads like a typo
   // for "MessageTypes".
   [Required, Description (
      "MessageType is an identifier distinguishing the instance of "
      "a SecurityIndication semantically. Instances of this class "
      "or its subclasses have different meaning depending upon the "
      "value of MessageType. For example, overrides of this "
      "property in subclasses can define new MethodTypes, such as "
      "\"Virus Found\" or \"Vulnerability Detected\". A range of "
      "values, DMTF_Reserved, and Vendor Reserved, has been "
      "defined that allows subclasses to override and define their "
      "specific event message types. \n"
      "Note that MessageType does not correspond to the "
      "CIM_AlertIndication \"Message\" property, which holds a "
      "formatted string for general AlertIndications. "
      "CIM_AlertIndication.Message MAY be used to contain message "
      "text sent by the Detector, but in addition to, rather than "
      "in lieu of SecurityIndication specific properties."),
   ValueMap { "0", "2", "3..15999", "16000.." },
   Values { "Unknown", "Not Applicable", "DMTF Reserved",
      "Vendor Reserved" }]
   uint16 MessageType;

   // Start of the event (or of the aggregate range when
   // IndicationEndTime is set). Not guaranteed unique across
   // Indications, so it is not a correlation key on its own.
   // NOTE(review): as with IndicationIdentifier, Required here versus
   // "may be set to NULL" in the Description -- confirm intent.
   [Required, Override ( "IndicationTime" ), Description (
      "The time and date of creation of the Indication. The "
      "property may be set to NULL if the entity creating the "
      "Indication is not capable of determining this information. "
      "Note that IndicationTime may be the same for two "
      "Indications that are generated in rapid succession."),
   ModelCorrespondence { "CIM_SecurityIndication.IndicationEndTime"
      }]
   datetime IndicationTime;

   // Aggregate marker: NULL for a single event; when set, EventCount
   // MUST be > 1 and this value MUST be >= IndicationTime. A consumer
   // can use these two MUST rules as a cheap consistency check on
   // aggregated reports.
   [Description (
      "The end time and date of a range of events represented by "
      "the Indication whose beginning is IndicationTime. If the "
      "Indication represents a single event, this property MUST be "
      "set to NULL. If the Indication represents multiple events "
      "over time, the EventCount property MUST be greater than 1 "
      "and this property MUST be greater than or equal to the "
      "IndicationTime value. In this case, the Indication "
      "represents an event aggregate with the aggregate amplitude "
      "being the EventCount property. The time range or EventCount "
      "does not imply a threshold in and of itself, but a time or "
      "amplitude threshold MAY be used in determining how a "
      "Detector populates this property."),
   ModelCorrespondence { "CIM_SecurityIndication.EventCount",
      "CIM_SecurityIndication.IndicationTime" }]
   datetime IndicationEndTime;

   // Amplitude of the aggregate. Default 1 (single event); MinValue 1
   // rules out zero. Must be > 1 whenever IndicationEndTime is set.
   [Description (
      "The number of events represented by this Indication. If "
      "IndicationEndTime is not NULL, EventCount MUST be greater "
      "than 1 which means that the Indication represents an event "
      "aggregate."),
   Counter, MinValue ( 1 ),
   ModelCorrespondence { "CIM_SecurityIndication.IndicationEndTime"
      }]
   uint16 EventCount = 1;

   // Required. Element 0 SHOULD be the most severe Effect, so a
   // consumer needing a single severity can read Effects[0]. Values
   // and ValueMap are positional (7 entries each).
   [Required, Description (
      "An array of enumerated values that describes the effect(s) "
      "of an event from the Detector's point of view. Some "
      "security devices such as simple packet filters may not be "
      "able to detect the notion of an event's Effect. In these "
      "cases, the Effect is \"Unknown\". Although in many cases "
      "the Effect of an attack is intended, not all attacks have a "
      "known intent, such as viruses or other malicious code, "
      "which may have multiple varied Effects. If there is more "
      "than one Effect, the first element in the array SHOULD "
      "represent the most significant or most severe Effect, from "
      "the Detector's point of view. The following values are "
      "defined: \n"
      "0 - Unknown means the Effect of the event is purely "
      "unknown. \n"
      "2 - Degradation. The message indicates that an attempt was "
      "made to damage or impair usability, performance, service "
      "availability, etc. \n"
      "3 - Reconnaissance. The message indicates that there was an "
      "attempt to gather information useful for attacks, or probe "
      "for vulnerabilities without necessarily exploiting them. \n"
      "4 - Access. The message indicates that access has been "
      "attempted or made to data or services. \n"
      "5 - Integrity. The message indicates that there was an "
      "attempt to modify or delete data."),
   ValueMap { "0", "2", "3", "4", "5", "6..15999", "16000.." },
   Values { "Unknown", "Degradation", "Reconnaissance", "Access",
      "Integrity", "DMTF Reserved", "Vendor Reserved" },
   ModelCorrespondence {
      "CIM_SecurityIndication.MoreSpecificEffects" }]
   uint16 Effects[];

   // Free-form refinement of Effects. The vocabulary is Detector- or
   // vendor-defined, so consumers should normalise on the enumerated
   // Effects value and treat these strings as opaque labels
   // interpreted in the context of CIM_AlertIndication.OwningEntity.
   [Description (
      "If more details are known about the effect of an attack or "
      "probe, this property can contain that information. For "
      "example, if one of the values of Effects is Access, a more "
      "specific Effect might be HostCompromised. Or, if the Effect "
      "is Degradation, a more specific effect might be "
      "DistributedDoS. \n"
      "String values for this property are vendor or Detector "
      "specific and as such, the property "
      "CIM_AlertIndication.OwningEntity SHOULD be populated to "
      "identify the business entity or standards body defining the "
      "possible values."),
   ModelCorrespondence { "CIM_SecurityIndication.Effects",
      "CIM_AlertIndication.OwningEntity" }]
   string MoreSpecificEffects[];

   // Required. Method(s) behind the event; orthogonal to Effects.
   // ValueMap and Values are positional (25 entries each). Note that
   // Login (22) and Logout (23) are benign mechanisms, matching the
   // class Description's point that security events can be normal
   // activity -- consumers should not treat every Mechanism as hostile.
   [Required, Description (
      "An integer indicating the method(s) used in an attack, "
      "probe, or other action. Mechanism values can be used with "
      "any of the Effect values, depending on the method employed "
      "in an attack or probe. For example, if the Effect is "
      "Degradation such as a DoS attack using ICMP packets, the "
      "Mechanism would be NetworkICMP. If the Effect is "
      "Reconnaissance using a port sweep then the Mechanism would "
      "be PortSweep."),
   ValueMap { "0", "2", "3", "4", "5", "6", "7", "8", "9", "10",
      "11", "12", "13", "14", "15", "16", "17", "18", "19", "20",
      "21", "22", "23", "24..15999", "16000.." },
   Values { "Unknown", "ArpPoisoning", "Backdoor", "Rootkit",
      "Trojan", "BufferOverflow", "GuessPassword", "ReplayAttack",
      "SQLInjection", "SpoofIdentity", "PortSweep", "HostSweep",
      "NetworkSweep", "NetworkICMP", "NetworkTCP", "NetworkUDP",
      "Worm", "Virus", "Non-viral malicious", "Spyware", "Adware",
      "Login", "Logout", "DMTF Reserved", "Vendor Reserved" },
   ModelCorrespondence {
      "CIM_SecurityIndication.MoreSpecificMechanisms" }]
   uint16 Mechanisms[];

   // Free-form refinement of Mechanisms; same opaque-label caveat as
   // MoreSpecificEffects (vocabulary scoped by OwningEntity).
   [Description (
      "Specifies a more specific mechanism based on a value "
      "specified in the Mechanisms property. For example, if one "
      "of the values of Mechanisms is Trojan, then a "
      "MoreSpecificMechanisms might be Connect for a trojan that "
      "opens a port and listens for connections. A different "
      "method might be Response if the trojan sends information. \n"
      "String values for this property are vendor or Detector "
      "specific and as such, the property "
      "CIM_AlertIndication.OwningEntity SHOULD be populated to "
      "identify the business entity or standards body defining the "
      "possible values."),
   ModelCorrespondence { "CIM_SecurityIndication.Mechanisms",
      "CIM_AlertIndication.OwningEntity" }]
   string MoreSpecificMechanisms[];

   // Required. Affected resource type(s); server and service are not
   // distinguished (e.g. DNS covers both). ValueMap and Values are
   // positional (32 entries each).
   [Required, Description (
      "An integer indicating the type(s) of resource affected by "
      "an attack or probe. For example, DB indicates that an "
      "attack was made against a database server, where Mail "
      "indicates that some type of email server is affected. DB, "
      "DNS, and other values can mean a server or service, e.g. "
      "there is no distinction between a DNS server resource and a "
      "DNS service resource. Web means a web server/service but "
      "more specific resources of this type can be specified using "
      "the MoreSpecificResources property, e.g. IIS, Apache, "
      "iPlanet, etc."),
   ValueMap { "0", "2", "3", "4", "5", "6", "7", "8", "9", "10",
      "11", "12", "13", "14", "15", "16", "17", "18", "19", "20",
      "21", "22", "23", "24", "25", "26", "27", "28", "29", "30",
      "31..15999", "16000.." },
   Values { "Unknown", "DB", "DNS", "FTP", "Mail", "RPC", "SNMP",
      "Web", "Host", "Firewall", "Registry", "NetworkDevice",
      "Hardware", "User Activity", "Cookies", "Network Data",
      "Application Data", "Application Configuration", "OS Kernel",
      "OS Configuration", "OS Session", "File System", "Process",
      "Service", "Network Session", "URL", "User Account",
      "Privileges", "User Policy", "Group", "DMTF Reserved",
      "Vendor Reserved" },
   ModelCorrespondence {
      "CIM_SecurityIndication.MoreSpecificResources" }]
   uint16 Resources[];

   // Free-form refinement of Resources (e.g. a product name under
   // Web); same opaque-label caveat as the other MoreSpecific* arrays.
   [Description (
      "Specifies a more specific resource based on a value "
      "specified in the Resources property. For example, if one of "
      "the values of Resources is Web, then a MoreSpecificResource "
      "might be Apache for an attack or probe against an Apache "
      "web server. \n"
      "String values for this property are vendor or Detector "
      "specific and as such, the property "
      "CIM_AlertIndication.OwningEntity SHOULD be populated to "
      "identify the business entity or standards body defining the "
      "possible values."),
   ModelCorrespondence { "CIM_SecurityIndication.Resources",
      "CIM_AlertIndication.OwningEntity" }]
   string MoreSpecificResources[];
};
284
285 // ==================================================================
286 // IPNetworkSecurityIndication
287 // ==================================================================
// ------------------------------------------------------------------
// CIM_IPNetworkSecurityIndication: a SecurityIndication with a
// network 5-tuple-style context. Every address, port and MAC value
// below is "from the Detector's point of view", i.e. it is what the
// reporting device observed, not an independently verified identity.
// Addresses are carried twice: as a string (any IP version) and, for
// IPv4, as a uint32 intended for efficient search; the Descriptions
// require the two forms to agree when both are present and
// IPVersionSupport is "IPv4". That agreement is a consistency check a
// consumer can apply before trusting the numeric form.
// ------------------------------------------------------------------
[Indication, Experimental, Version ( "2.8.1000" ), Description (
   "IPNetworkSecurityIndication is a class that represents events "
   "that have a network context, i.e. a source or destination "
   "address is a necessary property of the indication. More "
   "specific Indication subclasses that can derive from this class "
   "are for example, firewall or intrusion detection subclasses. "
   "This class is not limited to use on IPv4 networks but has "
   "numerical property support for IPv4 networks that can be used "
   "for efficient implementations of search and analysis.")]
class CIM_IPNetworkSecurityIndication : CIM_SecurityIndication {
   // Narrows the superclass's 3..15999 "DMTF Reserved" range: 3..500
   // becomes "DMTF Class Reserved" for subclasses of this class to
   // assign from (see CIM_IPPacketFilterIndication), 501..15999 stays
   // DMTF Reserved. Generic instances of this class use 0 (Unknown).
   [Required, Override ( "MessageType" ), Description (
      "An integer indicating the type of message to which the "
      "Indication applies. Generic indications of this class "
      "SHOULD set the value to Unknown. DMTF subclasses will "
      "define specific values from the DMTF Class Reserved range."),
   ValueMap { "0","2","3..500","501..15999","16000.." },
   Values { "Unknown", "Not Applicable", "DMTF Class Reserved",
      "DMTF Reserved","Vendor Reserved" }]
   uint16 MessageType;

   // Required. Unlike the other enumerations in this file, this
   // ValueMap has no DMTF/Vendor Reserved ranges, so protocols other
   // than the five listed can only be reported as 0 (Unknown).
   [Required, Description (
      "An integer indicating the type of network protocol for the "
      "traffic associated with this Indication."),
   ValueMap { "0","2","3","4","5","6" },
   Values { "Unknown","ARP","TCP","UDP","ICMP","IGMP" }]
   uint16 Protocol;

   // Required. Selects which address representations are meaningful:
   // the MUST-agree rules on the *Address pairs below apply only when
   // this is "IPv4"; the *PrefixLength properties are described for
   // IPv6 only.
   [Required, Description (
      "This property explicitly defines support for different "
      "versions of the IP protocol for the traffic associated with "
      "this Indication."),
   ValueMap { "0", "2", "3" },
   Values { "Unknown", "IPv4", "IPv6" }]
   uint16 IPVersionSupport;

   // Textual source address (either IP version). No canonical string
   // format is specified here, so consumers comparing addresses across
   // Detectors presumably need to normalise the text -- TODO confirm.
   [Description (
      "The address for the originator of the network traffic "
      "associated with this Indication from the Detector's point "
      "of view. This address MUST be identical to the "
      "IPv4NumericSourceAddress if both property values are not "
      "NULL and the IPVersionSupport property is \"IPv4\" ."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.IPv4NumericSourceAddress",
      "CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
   string SourceAddress;

   // Numeric IPv4 form of SourceAddress for search/analysis. Byte
   // order of the uint32 is not stated in this file -- TODO confirm
   // against the producing Detector before comparing values.
   [Description (
      "The IPv4 source address in numeric form. This address MUST "
      "be identical to the SourceAddress property if both property "
      "values are not NULL and the IPVersionSupport property is "
      "\"IPv4\"."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.SourceAddress",
      "CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
   uint32 IPv4NumericSourceAddress;

   // IPv6 prefix length of the source. NOTE(review): the Description
   // covers IPv6 only; what (if anything) this holds when
   // IPVersionSupport is "IPv4" is unspecified here.
   [Description (
      "The prefix length for the IPv6 address for the originator "
      "of the network traffic associated with this Indication from "
      "the Detector's point of view."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.SourceAddress",
      "CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
   uint8 SourcePrefixLength;

   // Destination counterpart of SourceAddress; same MUST-agree rule
   // with IPv4NumericDestAddress under IPv4.
   [Description (
      "The address for the destination of the network traffic "
      "associated with this Indication from the Detector's point "
      "of view. This address MUST be identical to the "
      "IPv4NumericDestAddress if both property values are not NULL "
      "and the IPVersionSupport property is \"IPv4\"."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.IPv4NumericDestAddress",
      "CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
   string DestAddress;

   // Numeric IPv4 form of DestAddress; same byte-order caveat as
   // IPv4NumericSourceAddress.
   [Description (
      "The IPv4 destination address in numeric form. This address "
      "MUST be identical to the DestAddress property if both "
      "property values are not NULL and the IPVersionSupport "
      "property is \"IPv4\"."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.DestAddress",
      "CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
   uint32 IPv4NumericDestAddress;

   // IPv6 prefix length of the destination; same IPv6-only caveat as
   // SourcePrefixLength.
   [Description (
      "The prefix length for the IPv6 address for the destination "
      "of the network traffic associated with this Indication from "
      "the Detector's point of view."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.DestAddress",
      "CIM_IPNetworkSecurityIndication.IPVersionSupport" }]
   uint8 DestPrefixLength;

   // Source port. NOTE(review): typed uint32 here, whereas the
   // subclass property CIM_IPPacketFilterIndication.TranslatedSourcePort
   // is uint16; for TCP/UDP only 0..65535 can be a real port, and the
   // schema itself does not bound this value, so a consumer should
   // range-check before using it as a port.
   [Description (
      "The port for the source address for this message from the "
      "Detector's point of view."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.SourceAddress",
      "CIM_IPNetworkSecurityIndication.IPv4NumericSourceAddress" }]
   uint32 SourcePort;

   // Destination port; same uint32-vs-uint16 and range-check remarks
   // as SourcePort (compare TranslatedDestPort in the subclass).
   [Description (
      "The port for the destination address for this message from "
      "the Detector's point of view."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.DestAddress",
      "CIM_IPNetworkSecurityIndication.IPv4NumericDestAddress" }]
   uint32 DestPort;

   // Link-layer source address as observed by the Detector. No string
   // format (separator, case) is specified here -- presumably needs
   // normalisation before comparison; confirm with producers.
   [Description (
      "The MAC address for the source address for this message "
      "from the Detector's point of view."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.SourceAddress",
      "CIM_IPNetworkSecurityIndication.IPv4NumericSourceAddress" }]
   string SourceMACAddress;

   // Link-layer destination address; same format caveat as
   // SourceMACAddress.
   [Description (
      "The MAC address for the destination address for this "
      "message from the Detector's point of view."),
   ModelCorrespondence {
      "CIM_IPNetworkSecurityIndication.DestAddress",
      "CIM_IPNetworkSecurityIndication.IPv4NumericDestAddress" }]
   string DestMACAddress;
};
415
416 // ==================================================================
417 // IPPacketFilterIndication
418 // ==================================================================
// ------------------------------------------------------------------
// CIM_IPPacketFilterIndication: firewall / packet-filter log record
// built on the network context of CIM_IPNetworkSecurityIndication.
// Adds the filter's verdict (MessageType 3..5), traffic Direction,
// resolved host/service names, and the post-NAT ("Translated*")
// address and port values. The untranslated 5-tuple comes from the
// superclass.
// ------------------------------------------------------------------
[Indication, Experimental, Version ( "2.8.1000" ), Description (
   "The IPPacketFilterIndication class is intended to provide a "
   "base set of properties to allow for common data to be logged "
   "by all packet filtering services and devices in a consistent "
   "manner. This single consistent model of data will allow for "
   "common reporting of many messages across different packet "
   "filtering systems, which will help improve security "
   "information management by providing a single view of the "
   "information.")]
class CIM_IPPacketFilterIndication : CIM_IPNetworkSecurityIndication {
   // Assigns 3 (Accepted), 4 (Rejected) and 5 (Dropped) from the
   // superclass's 3..500 "DMTF Class Reserved" range and keeps 6..100
   // Class Reserved. NOTE(review): 101..500 is relabelled "DMTF
   // Reserved" here although the superclass calls it "DMTF Class
   // Reserved" -- confirm that narrowing is intended.
   [Required, Override ( "MessageType" ), Description (
      "An integer indicating the type of message to which the "
      "indication applies. DMTF subclasses will define specific "
      "values from the DMTF Class Reserved range."),
   ValueMap { "0","2","3","4","5","6..100","101..15999","16000.." },
   Values { "Unknown","Not Applicable",
      "Connection Accepted","Connection Rejected",
      "Connection Dropped","DMTF Class Reserved",
      "DMTF Reserved","Vendor Reserved" }]
   uint16 MessageType;

   // Required, and unlike every other enumeration in this file the
   // ValueMap has no 0 = Unknown and no reserved ranges: the filter
   // MUST commit to Ingress (0) or Egress (1).
   [Required, Description (
      "An integer indicating the direction of packet traffic from "
      "the standpoint of the packet filter."),
   ValueMap { "0","1" },
   Values { "Ingress","Egress" }]
   uint16 Direction;

   // How SourceHostName / DestinationHostName were resolved; defaults
   // to 0 (DNS). Names are resolved by the reporting packet filter, so
   // consumers correlating on names rather than addresses should treat
   // them as the filter's view, not as an authenticated identity.
   [Description (
      "An integer indicating the naming convention used for host "
      "names reported by the packet filter. The default is "
      "\"DNS\"."),
   ValueMap { "0","1" },
   Values { "DNS","NETBIOS" }]
   uint16 NamingConvention = 0;

   // NOTE(review): the Description refers to IPv4SourceAddress and
   // IPv6SourceAddress, which are not defined in this file; the
   // inherited properties are SourceAddress and
   // IPv4NumericSourceAddress (CIM_IPNetworkSecurityIndication).
   // Likely stale names from an earlier draft -- confirm and align.
   [Description (
      "The name of the host that corresponds to the "
      "IPv4SourceAddress or IPv6SourceAddress."),
   ModelCorrespondence {
      "CIM_IPPacketFilterIndication.NamingConvention" }]
   string SourceHostName;

   // NOTE(review): same stale-name issue as SourceHostName; the
   // inherited properties are DestAddress and IPv4NumericDestAddress.
   [Description (
      "The name of the host that corresponds to the "
      "IPv4DestinationAddress or IPv6DestinationAddress."),
   ModelCorrespondence {
      "CIM_IPPacketFilterIndication.NamingConvention" }]
   string DestinationHostName;

   // Service name for the inherited DestPort (TCP/UDP only per the
   // Description); no ModelCorrespondence to DestPort is declared.
   [Description (
      "The name of the TCP or UDP service that corresponds to the "
      "DestPort.")]
   string DestinationServiceName;

   // Post-NAT source port. NOTE(review): uint16 here while the
   // pre-translation SourcePort in the superclass is uint32; the two
   // cannot be compared without a range check on the wider one.
   [Description (
      "The source port after translation when Network Address "
      "Translation is performed by the packet filter.")]
   uint16 TranslatedSourcePort;

   // Post-NAT numeric IPv4 source address, mirroring
   // IPv4NumericSourceAddress. Unlike the superclass pair, no
   // ModelCorrespondence or MUST-agree rule ties this to
   // TranslatedSourceAddress, so consumers cannot assume the two
   // forms are consistent.
   [Description (
      "The source IPv4 address after translation when Network "
      "Address Translation is performed by the packet filter.")]
   uint32 TranslatedSourceIPv4NumericAddress;

   // Post-NAT textual source address, mirroring SourceAddress; see the
   // consistency remark on TranslatedSourceIPv4NumericAddress.
   [Description (
      "The source address after translation when Network Address "
      "Translation is performed by the packet filter.")]
   string TranslatedSourceAddress;

   // Post-NAT destination port; same uint16-vs-uint32 remark as
   // TranslatedSourcePort (compare DestPort in the superclass).
   [Description (
      "The destination port after translation when Network Address "
      "Translation is performed by the packet filter.")]
   uint16 TranslatedDestPort;

   // Post-NAT numeric IPv4 destination address; no agreement rule with
   // TranslatedDestAddress is declared.
   [Description (
      "The destination IPv4 address after translation when Network "
      "Address Translation is performed by the packet filter.")]
   uint32 TranslatedDestIPv4NumericAddress;

   // Post-NAT textual destination address, mirroring DestAddress.
   [Description (
      "The destination address after translation when Network "
      "Address Translation is performed by the packet filter.")]
   string TranslatedDestAddress;
};