| Reference |
origin |
0 |
unknown |
Origin of the name is not known |
[RFC4765] |
| Reference |
origin |
1 |
vendor-specific |
A vendor-specific name (and hence, URL);
this can be used to provide
product-specific information |
[RFC4765] |
| Reference |
origin |
2 |
user-specific |
A user-specific name (and hence, URL);
this can be used to provide
installation-specific information |
[RFC4765] |
| Reference |
origin |
3 |
bugtraqid |
The SecurityFocus ("Bugtraq")
vulnerability database identifier
(http://www.securityfocus.com/bid) |
[RFC4765] |
| Reference |
origin |
4 |
cve |
The Common Vulnerabilities and Exposures
(CVE) name (http://cve.mitre.org/) |
[RFC4765] |
| Reference |
origin |
5 |
osvdb |
The Open Source Vulnerability Database
(http://www.osvdb.org) |
[RFC4765] |
| Source |
spoofed |
0 |
unknown |
Accuracy of source information unknown |
[RFC4765] |
| Source |
spoofed |
1 |
yes |
Source is believed to be a decoy |
[RFC4765] |
| Source |
spoofed |
2 |
no |
Source is believed to be "real" |
[RFC4765] |
| Target |
decoy |
0 |
unknown |
Accuracy of target information unknown |
[RFC4765] |
| Target |
decoy |
1 |
yes |
Target is believed to be a decoy |
[RFC4765] |
| Target |
decoy |
2 |
no |
Target is believed to be "real" |
[RFC4765] |
| AdditionalData |
type |
0 |
boolean |
The element contains a boolean value, i.e.,
the strings "true" or "false" |
[RFC4765] |
| AdditionalData |
type |
1 |
byte |
The element content is a single 8-bit byte
(see Section 3.2.4) |
[RFC4765] |
| AdditionalData |
type |
2 |
character |
The element content is a single character
(see Section 3.2.3) |
[RFC4765] |
| AdditionalData |
type |
3 |
date-time |
The element content is a date-time string
(see Section 3.2.6) |
[RFC4765] |
| AdditionalData |
type |
4 |
integer |
The element content is an integer (see
Section 3.2.1) |
[RFC4765] |
| AdditionalData |
type |
5 |
ntpstamp |
The element content is an NTP timestamp (see
Section 3.2.7) |
[RFC4765] |
| AdditionalData |
type |
6 |
portlist |
The element content is a list of ports (see
Section 3.2.8 |
[RFC4765] |
| AdditionalData |
type |
7 |
real |
The element content is a real number (see
Section 3.2.2 |
[RFC4765] |
| AdditionalData |
type |
8 |
string |
The element content is a string (see
Section 3.2.3 |
[RFC4765] |
| AdditionalData |
type |
9 |
byte-string |
The element content is a byte[] (see
Section 3.2.4 |
[RFC4765] |
| AdditionalData |
type |
10 |
xmltext |
The element content is XML-tagged data (see
Section 5.2 |
[RFC4765] |
| Impact |
severity |
0 |
info |
Information only |
[RFC4765] |
| Impact |
severity |
1 |
low |
Low severity |
[RFC4765] |
| Impact |
severity |
2 |
medium |
Medium severity |
[RFC4765] |
| Impact |
severity |
3 |
high |
High severity |
[RFC4765] |
| Impact |
completion |
0 |
failed |
The attempt was not successful |
[RFC4765] |
| Impact |
completion |
1 |
succeeded |
The attempt succeeded |
[RFC4765] |
| Impact |
type |
0 |
admin |
Administrative privileges were attempted or
obtained |
[RFC4765] |
| Impact |
type |
1 |
dos |
A denial of service was attempted or
completed |
[RFC4765] |
| Impact |
type |
2 |
file |
An action on a file was attempted or
completed |
[RFC4765] |
| Impact |
type |
3 |
recon |
A reconnaissance probe was attempted or
completed |
[RFC4765] |
| Impact |
type |
4 |
user |
User privileges were attempted or obtained |
[RFC4765] |
| Impact |
type |
5 |
other |
Anything not in one of the above categories |
[RFC4765] |
| Action |
category |
0 |
block-installed |
A block of some sort was installed to
prevent an attack from reaching its
destination. The block could be a
port block, address block, etc., or
disabling a user account. |
[RFC4765] |
| Action |
category |
1 |
notification-sent |
A notification message of some sort
was sent out-of-band (via pager,
e-mail, etc.). Does not include the
transmission of this alert. |
[RFC4765] |
| Action |
category |
2 |
taken-offline |
A system, computer, or user was taken
offline, as when the computer is shut
down or a user is logged off. |
[RFC4765] |
| Action |
category |
3 |
other |
Anything not in one of the above
categories. |
[RFC4765] |
| Confidence |
rating |
0 |
low |
The analyzer has little confidence in its
validity |
[RFC4765] |
| Confidence |
rating |
1 |
medium |
The analyzer has average confidence in its
validity |
[RFC4765] |
| Confidence |
rating |
2 |
high |
The analyzer has high confidence in its
validity |
[RFC4765] |
| Confidence |
rating |
3 |
numeric |
The analyzer has provided a posterior
probability value indicating its
confidence in its validity |
[RFC4765] |
| Node |
category |
0 |
unknown |
Domain unknown or not relevant |
[RFC4765] |
| Node |
category |
1 |
ads |
Windows 2000 Advanced Directory Services |
[RFC4765] |
| Node |
category |
2 |
afs |
Andrew File System (Transarc) |
[RFC4765] |
| Node |
category |
3 |
coda |
Coda Distributed File System |
[RFC4765] |
| Node |
category |
4 |
dfs |
Distributed File System (IBM) |
[RFC4765] |
| Node |
category |
5 |
dns |
Domain Name System |
[RFC4765] |
| Node |
category |
6 |
hosts |
Local hosts file |
[RFC4765] |
| Node |
category |
7 |
kerberos |
Kerberos realm |
[RFC4765] |
| Node |
category |
8 |
nds |
Novell Directory Services |
[RFC4765] |
| Node |
category |
9 |
nis |
Network Information Services (Sun) |
[RFC4765] |
| Node |
category |
10 |
nisplus |
Network Information Services Plus (Sun) |
[RFC4765] |
| Node |
category |
11 |
nt |
Windows NT domain |
[RFC4765] |
| Node |
category |
12 |
wfw |
Windows for Workgroups |
[RFC4765] |
| Address |
category |
0 |
unknown |
Address type unknown |
[RFC4765] |
| Address |
category |
1 |
atm |
Asynchronous Transfer Mode network address |
[RFC4765] |
| Address |
category |
2 |
e-mail |
Electronic mail address (RFC 822) |
[RFC4765] |
| Address |
category |
3 |
lotus-notes |
Lotus Notes e-mail address |
[RFC4765] |
| Address |
category |
4 |
mac |
Media Access Control (MAC) address |
[RFC4765] |
| Address |
category |
5 |
sna |
IBM Shared Network Architecture (SNA)
address |
[RFC4765] |
| Address |
category |
6 |
vm |
IBM VM ("PROFS") e mail address |
[RFC4765] |
| Address |
category |
7 |
ipv4-addr |
IPv4 host address in dotted decimal
notation (a.b.c.d) |
[RFC4765] |
| Address |
category |
8 |
ipv4-addr-hex |
IPv4 host address in hexadecimal notation |
[RFC4765] |
| Address |
category |
9 |
ipv4-net |
IPv4 network address in dotted decimal
notation, slash, significant bits
(a.b.c.d/nn) |
[RFC4765] |
| Address |
category |
10 |
ipv4-net-mask |
IPv4 network address in dotted decimal
notation, slash, network mask in
dotted decimal notation (a.b.c.d/w.x.y.z) |
[RFC4765] |
| Address |
category |
11 |
ipv6-addr |
IPv6 host address |
[RFC4765] |
| Address |
category |
12 |
ipv6-addr-hex |
IPv6 host address in hexadecimal notation |
[RFC4765] |
| Address |
category |
13 |
ipv6-net |
IPv6 network address, slash, significant
bits |
[RFC4765] |
| Address |
category |
14 |
ipv6-net-mask |
IPv6 network address, slash, network mask |
[RFC4765] |
| User |
category |
0 |
unknown |
User type unknown |
[RFC4765] |
| User |
category |
1 |
application |
An application user |
[RFC4765] |
| User |
category |
2 |
os-device |
AN operating system or device user |
[RFC4765] |
| UserId |
category |
0 |
current-user |
The current user id being used by the user
or process. On Unix systems, this would
be the "real" user id, in general. |
[RFC4765] |
| UserId |
category |
1 |
original-user |
The actual identity of the user or process
being reported on. On those systems that
(a) do some type of auditing and (b)
support extracting a user id from the
"audit id" token, that value should be
used. On those systems that do not
support this, and where the user has
logged into the system, the "login id"
should be used. |
[RFC4765] |
| UserId |
category |
2 |
target-user |
The user id the user or process is
attempting to become. This would apply,
on Unix systems for example, when the user
attempts to use "su," "rlogin," "telnet,"
etc. |
[RFC4765] |
| UserId |
category |
3 |
user-privs |
Another user id the user or process has
the ability to use, or a user id
associated with a file permission. On
Unix systems, this would be the
"effective" user id in a user or process
context, and the owner permissions in a
file context. Multiple UserId elements of
this type may be used to specify a list of
privileges. |
[RFC4765] |
| UserId |
category |
4 |
current-group |
The current group id (if applicable) being
used by the user or process. On Unix
systems, this would be the "real" group
id, in general. |
[RFC4765] |
| UserId |
category |
5 |
group-privs |
Another group id the group or process has
the ability to use, or a group id
associated with a file permission. On
Unix systems, this would be the
"effective" group id in a group or process
context, and the group permissions in a
file context. On BSD-derived Unix
systems, multiple UserId elements of this
type would be used to include all the
group ids on the "group list." |
[RFC4765] |
| UserId |
category |
6 |
other-privs |
Not used in a user, group, or process
context, only used in the file context.
The file permissions assigned to users who
do not match either the user or group
permissions on the file. On Unix systems,
this would be the "world" permissions. |
[RFC4765] |
| File |
category |
0 |
current |
The file information is from after the
reported change |
[RFC4765] |
| File |
category |
1 |
original |
The file information is from before the
reported change |
[RFC4765] |
| File |
fstype |
0 |
ufs |
Berkeley UNIX Fast File System |
[RFC4765] |
| File |
fstype |
1 |
efs |
Linux "efs" file system |
[RFC4765] |
| File |
fstype |
2 |
nfs |
Network File System |
[RFC4765] |
| File |
fstype |
3 |
afs |
Andrew File System |
[RFC4765] |
| File |
fstype |
4 |
ntfs |
Windows NT File System |
[RFC4765] |
| File |
fstype |
5 |
fat16 |
16-bit Windows FAT File System |
[RFC4765] |
| File |
fstype |
6 |
fat32 |
32-bit Windows FAT File System |
[RFC4765] |
| File |
fstype |
7 |
pcfs |
"PC" (MS-DOS) file system on CD-ROM |
[RFC4765] |
| File |
fstype |
8 |
joliet |
Joliet CD-ROM file system |
[RFC4765] |
| File |
fstype |
9 |
iso9660 |
ISO 9660 CD-ROM file system |
[RFC4765] |
| FileAccess |
permission |
0 |
noAccess |
No access at all is allowed for this
user |
[RFC4765] |
| FileAccess |
permission |
1 |
read |
This user has read access to the file |
[RFC4765] |
| FileAccess |
permission |
2 |
write |
This user has write access to the file |
[RFC4765] |
| FileAccess |
permission |
3 |
execute |
This user has the ability to execute
the file |
[RFC4765] |
| FileAccess |
permission |
4 |
search |
This user has the ability to search
this file (applies to "execute"
permission on directories in UNIX) |
[RFC4765] |
| FileAccess |
permission |
5 |
delete |
This user has the ability to delete
this file |
[RFC4765] |
| FileAccess |
permission |
6 |
executeAs |
This user has the ability to execute
this file as another user |
[RFC4765] |
| FileAccess |
permission |
7 |
changePermissions |
This user has the ability to change
the access permissions on this file |
[RFC4765] |
| FileAccess |
permission |
8 |
takeOwnership |
This user has the ability to take
ownership of this file |
[RFC4765] |
| Linkage |
category |
0 |
hard-link |
The <name> element represents another name
for this file. This information may be
more easily obtainable on NTFS file
systems than others. |
[RFC4765] |
| Linkage |
category |
1 |
mount-point |
An alias for the directory specified by
the parent's <name> and <path> elements. |
[RFC4765] |
| Linkage |
category |
2 |
reparse-point |
Applies only to Windows; excludes symbolic
links and mount points, which are specific
types of reparse points. |
[RFC4765] |
| Linkage |
category |
3 |
shortcut |
The file represented by a Windows
"shortcut." A shortcut is distinguished
from a symbolic link because of the
difference in their contents, which may be
of importance to the manager. |
[RFC4765] |
| Linkage |
category |
4 |
stream |
An Alternate Data Stream (ADS) in Windows;
a fork on MacOS. Separate file system
entity that is considered an extension of
the main <File>. |
[RFC4765] |
| Linkage |
category |
5 |
symbolic-link |
The <name> element represents the file to
which the link points. |
[RFC4765] |
| Checksum |
algorithm |
0 |
MD4 |
The MD4 algorithm. |
[RFC4765] |
| Checksum |
algorithm |
1 |
MD5 |
The MD5 algorithm. |
[RFC4765] |
| Checksum |
algorithm |
2 |
SHA1 |
The SHA1 algorithm. |
[RFC4765] |
| Checksum |
algorithm |
3 |
SHA2-256 |
The SHA2 algorithm with 256 bits length. |
[RFC4765] |
| Checksum |
algorithm |
4 |
SHA2-384 |
The SHA2 algorithm with 384 bits length. |
[RFC4765] |
| Checksum |
algorithm |
5 |
SHA2-512 |
The SHA2 algorithm with 512 bits length. |
[RFC4765] |
| Checksum |
algorithm |
6 |
CRC-32 |
The CRC algorithm with 32 bits length. |
[RFC4765] |
| Checksum |
algorithm |
7 |
Haval |
The Haval algorithm. |
[RFC4765] |
| Checksum |
algorithm |
8 |
Tiger |
The Tiger algorithm. |
[RFC4765] |
| Checksum |
algorithm |
9 |
Gost |
The Gost algorithm. |
[RFC4765] |
