RFC Errata
RFC 7970, "The Incident Object Description Exchange Format Version 2", November 2016
Source of RFC: mile (sec)
Errata ID: 6163
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: François Poirotte
Date Reported: 2020-05-10
Section 7.2 says:
An example of C2 domains from a given campaign.
<?xml version="1.0" encoding="UTF-8"?>
<!-- A list of C2 domains associated with a campaign -->
<IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd">
<Incident purpose="watch" restriction="green">
<IncidentID name="csirt.example.com">897923</IncidentID>
<RelatedActivity>
<ThreatActor>
<ThreatActorID>
TA-12-AGGRESSIVE-BUTTERFLY
</ThreatActorID>
<Description>Aggressive Butterfly</Description>
</ThreatActor>
<Campaign>
<CampaignID>C-2015-59405</CampaignID>
<Description>Orange Giraffe</Description>
</Campaign>
</RelatedActivity>
<GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
<Description>Summarizes the Indicators of Compromise
for the Orange Giraffe campaign of the Aggressive
Butterfly crime gang.
</Description>
<Assessment>
<BusinessImpact type="breach-proprietary"/>
</Assessment>
<Contact type="organization" role="creator">
<ContactName>CSIRT for example.com</ContactName>
<Email>
<EmailTo>contact@csirt.example.com</EmailTo>
</Email>
</Contact>
<IndicatorData>
<Indicator>
<IndicatorID name="csirt.example.com" version="1">
G90823490
</IndicatorID>
<Description>C2 domains</Description>
<StartTime>2014-12-02T11:18:00-05:00</StartTime>
<Observable>
<BulkObservable type="fqdn">
It should say:
An example of C2 domains from a given campaign.
<?xml version="1.0" encoding="UTF-8"?>
<!-- A list of C2 domains associated with a campaign -->
<IODEF-Document version="2.00" xml:lang="en"
xmlns="urn:ietf:params:xml:ns:iodef-2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation=
"http://www.iana.org/assignments/xml-registry/schema/
iodef-2.0.xsd">
<Incident purpose="watch" restriction="green">
<IncidentID name="csirt.example.com">897923</IncidentID>
<RelatedActivity>
<ThreatActor>
<ThreatActorID>
TA-12-AGGRESSIVE-BUTTERFLY
</ThreatActorID>
<Description>Aggressive Butterfly</Description>
</ThreatActor>
<Campaign>
<CampaignID>C-2015-59405</CampaignID>
<Description>Orange Giraffe</Description>
</Campaign>
</RelatedActivity>
<GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime>
<Description>Summarizes the Indicators of Compromise
for the Orange Giraffe campaign of the Aggressive
Butterfly crime gang.
</Description>
<Assessment>
<BusinessImpact type="breach-proprietary"/>
</Assessment>
<Contact type="organization" role="creator">
<ContactName>CSIRT for example.com</ContactName>
<Email>
<EmailTo>contact@csirt.example.com</EmailTo>
</Email>
</Contact>
<IndicatorData>
<Indicator>
<IndicatorID name="csirt.example.com" version="1">
G90823490
</IndicatorID>
<Description>C2 domains</Description>
<StartTime>2014-12-02T11:18:00-05:00</StartTime>
<Observable>
<BulkObservable type="domain-name">
Notes:
Neither the IODEF Data Model (XML Schema) in section 8 nor the main body in section 3.29.3.1 define a type named "fqdn" for the BulkObservable class.
Instead, section 3.29.3.1 states that the "domain-name" type is used to denote "A fully qualified domain name or part of a name (e.g., fqdn.example.com, example.com).". The XML schema agrees with that.
The example in section 7.2 was changed to comply with this definition.