Copyright 2013 Mandiant Corporation. Licensed under the Apache 2.0 license.
Mandiant licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-
Restructured the XML. OpenIOC now has thee distinct sections
-
metadata: Description, creator, dates... Metadata that pertains to the entire IOC.
-
criteria: Everything that used to be
<definition>. This is the part of the IOC that performs the actual matching. -
parameters: Additional section for providing arbitrary metadata on specific and elements.
-
-
Removed IOCs requirement to respect Lucene behaviors.
-
Added additional operators. Including the existing 'is' and 'contains', we now have the following: The following operators are expected to perform as they are described in XPath 2.0. Also, OpenIOC now respects Bool & Float variables in IOC terms files.
String Md5sum IPAddr Integer DateTime Bool Float is yes yes yes yes yes yes yes contains yes no no no no no no matches yes no yes no no no no starts-with yes no no no no no no ends-with yes no no no no no no greater-than no no no yes yes no yes less-than no no no yes yes no yes -
Moved operator negation out of the operator itself (isnot and containsnot) to its own attribute
IndicatorItem/@negate=true|false. -
Added case sensitivity
IndicatorItem/@preserve-case=true|false.-
The behavior of
IndicatorItem/@preserve-caseshould only apply to strings. The table below states whether or not the given preserve-case value (true or false) is acceptable for a given content type.String Md5sum IPAddr Integer DateTime Bool Float true yes no no no no no no false yes yes yes yes yes yes yes -
By default, the
IndicatorItem/@preserve-caseattribute should be set to 'false' when creating a IndicatorItem. -
The case sensitivity of a regular expression match, where
IndicatorItem/@condition='matches', should be determined by theIndicatorItem/@preserve-caseterm.
-
-
IndicatorItem/@idis now a required item. Previously it was not, allowing for Items to not have ids and still validate. -
Added node context
Indicator/@node-context=xs:string, this will allow for future ability to specify node-context to allow matches that consist of sibling or parent/child nodes that did not evaluate together properly in 1.0. -
IndicatorItem/contentandIndicatorItem/contextare nowminOccurs=1-- this prevents items from existing without content or without context (this is important now that we allow you to specify context). -
Parameters now have two id attributes:
IOCParameter/@idis a unique GUID to identify the parameter, andIOCParameter/@ref-idis used to show which element inside the IOC that specific parameter refers to. -
All attributes of parameters are required to keep blank/improper parameters from being created/retained.
-
If you use a Link in the IOC metadata, the
relattribute is now required (i.e. there must actually be a link represented in the IOC xml, even if it is empty).
2019-08-02 Matthew Dunwoody
- Added "platform" field, which contains a comma-delimited list of relevant/supported operating systems, e.g. "win,osx,linux".