RFC Errata
RFC 7970, "The Incident Object Description Exchange Format Version 2", November 2016
Source of RFC: mile (sec)
Errata ID: 6163
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: François Poirotte
Date Reported: 2020-05-10
Section 7.2 says:
An example of C2 domains from a given campaign. <?xml version="1.0" encoding="UTF-8"?> <!-- A list of C2 domains associated with a campaign --> <IODEF-Document version="2.00" xml:lang="en" xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation= "http://www.iana.org/assignments/xml-registry/schema/ iodef-2.0.xsd"> <Incident purpose="watch" restriction="green"> <IncidentID name="csirt.example.com">897923</IncidentID> <RelatedActivity> <ThreatActor> <ThreatActorID> TA-12-AGGRESSIVE-BUTTERFLY </ThreatActorID> <Description>Aggressive Butterfly</Description> </ThreatActor> <Campaign> <CampaignID>C-2015-59405</CampaignID> <Description>Orange Giraffe</Description> </Campaign> </RelatedActivity> <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime> <Description>Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang. </Description> <Assessment> <BusinessImpact type="breach-proprietary"/> </Assessment> <Contact type="organization" role="creator"> <ContactName>CSIRT for example.com</ContactName> <Email> <EmailTo>contact@csirt.example.com</EmailTo> </Email> </Contact> <IndicatorData> <Indicator> <IndicatorID name="csirt.example.com" version="1"> G90823490 </IndicatorID> <Description>C2 domains</Description> <StartTime>2014-12-02T11:18:00-05:00</StartTime> <Observable> <BulkObservable type="fqdn">
It should say:
An example of C2 domains from a given campaign. <?xml version="1.0" encoding="UTF-8"?> <!-- A list of C2 domains associated with a campaign --> <IODEF-Document version="2.00" xml:lang="en" xmlns="urn:ietf:params:xml:ns:iodef-2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation= "http://www.iana.org/assignments/xml-registry/schema/ iodef-2.0.xsd"> <Incident purpose="watch" restriction="green"> <IncidentID name="csirt.example.com">897923</IncidentID> <RelatedActivity> <ThreatActor> <ThreatActorID> TA-12-AGGRESSIVE-BUTTERFLY </ThreatActorID> <Description>Aggressive Butterfly</Description> </ThreatActor> <Campaign> <CampaignID>C-2015-59405</CampaignID> <Description>Orange Giraffe</Description> </Campaign> </RelatedActivity> <GenerationTime>2015-10-02T11:18:00-05:00</GenerationTime> <Description>Summarizes the Indicators of Compromise for the Orange Giraffe campaign of the Aggressive Butterfly crime gang. </Description> <Assessment> <BusinessImpact type="breach-proprietary"/> </Assessment> <Contact type="organization" role="creator"> <ContactName>CSIRT for example.com</ContactName> <Email> <EmailTo>contact@csirt.example.com</EmailTo> </Email> </Contact> <IndicatorData> <Indicator> <IndicatorID name="csirt.example.com" version="1"> G90823490 </IndicatorID> <Description>C2 domains</Description> <StartTime>2014-12-02T11:18:00-05:00</StartTime> <Observable> <BulkObservable type="domain-name">
Notes:
Neither the IODEF Data Model (XML Schema) in section 8 nor the main body in section 3.29.3.1 define a type named "fqdn" for the BulkObservable class.
Instead, section 3.29.3.1 states that the "domain-name" type is used to denote "A fully qualified domain name or part of a name (e.g., fqdn.example.com, example.com).". The XML schema agrees with that.
The example in section 7.2 was changed to comply with this definition.