<?xml version="1.0" encoding="UTF-8"?>

<!-- * Simple Network Markup Language (SNML)
     *  Version 0.3
     *
     * snml.dtd
     * Copyright (C) 2000-2003 Carnegie Mellon University
     *
     * GNU Lesser Public License (LGPL) Rights pursuant to Version 2, June 1991
 -->
     
<!-- The Simple Network Markup Language (SNML) is a representation 
     for alerts generated by Network Intrusion Detection Systems.

     Comments or questions can be directed to:

        Roman Danyliw <rdd@cert.org>
 -->

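<!-- 
 | Root element: exactly one sensor description followed by one or
 | more events.
 |
 | The version attribute is fixed at '0.3'; a document that declares
 | any other value is invalid against this DTD.  The type must be the
 | keyword CDATA, not "(CDATA)": the parenthesised form declares an
 | enumeration whose only legal token is the literal name CDATA, so
 | the fixed default '0.3' would itself violate the declaration.
 -->
<!ELEMENT SNML-Message (sensor, event+)>
<!ATTLIST SNML-Message
          version  CDATA  #FIXED  '0.3'
>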

<!-- 
 | One alert: the signature that matched, zero or more external
 | references, the time it fired, the packet that triggered it and any
 | producer-specific extension elements, in that order.
 -->
<!ELEMENT event (signature, reference*, timestamp, packet, extension*)>

<!-- 
 | The sensor element contains information that can be used to 
 | uniquely identify the source which detected the event.
 | Per the content model it holds, in order:
 |   - exactly one of: a data source filename (file), or an ip
 |     address (ipaddr) optionally followed by a network interface;
 |   - a hostname (always present);
 |   - an optional sensor filter.
 -->
<!ELEMENT sensor ((file|(ipaddr, interface?)), hostname, filter?)>

<!-- 
 | sensor attributes
 |   encoding = encoding format of the packet payload (data):
 |              base64, ascii or hex.  Consumers must decode the
 |              payload according to this value before rendering it.
 |   detail   = defines which protocol fields will be present
 |              fast - limited information
 |              full - the full packet will be present
 -->
<!ATTLIST sensor
          encoding ( base64 | ascii | hex ) #REQUIRED
          detail   ( fast | full )          #REQUIRED
>

<!-- This field contains an ordinary hostname of the sensor -->
<!ELEMENT hostname (#PCDATA)>

<!-- This contains a file name with a full path (the data source the
     sensor read from, e.g. a capture file) -->
<!ELEMENT file (#PCDATA)>

<!-- 
 | IP address (in dot-quad notation).
 |   e.g., 10.1.2.3
 |  Note: Domain names are not valid. 
 |    
 |  The version attribute is the version of IP address 
 |  (should be 4 or 6).  It is declared CDATA, so a validating
 |  parser does not reject other values.
 |  NOTE(review): the dot-quad form above only applies to version 4;
 |  this DTD does not state the textual form used when version is 6 -
 |  confirm with the producer.
 -->
<!ELEMENT ipaddr (#PCDATA)>
<!ATTLIST ipaddr
          version   CDATA  #REQUIRED
>

<!-- 
 | Contains a string representing a network interface
 |   e.g., eth0, ppp0, hme0, etc. 
 --> 
<!ELEMENT interface (#PCDATA)>

<!-- 
 | A string representing a tcpdump filter that is normally passed
 | in on the command line. e.g. "not net 10.1.1.0/24" 
 | This describes the sensor's own configuration, not packet data.
 --> 
<!ELEMENT filter (#PCDATA)>

<!-- 
 | The signature is free-form text describing the event. In snort,
 | it is the string contained in the "msg" rule option 
 -->
<!ELEMENT signature (#PCDATA)>

<!--
 | signature attributes
 |  id       = unique identifier of this signature (0..2^32-1)
 |  revision = revision number of this signature
 |  class    = classification identifier of this signature (numeric) 
 |  priority = numeric priority of this event - (0..255)
 |
 | All four are optional and declared CDATA, so the numeric ranges
 | given here are documentation only; a validating parser does not
 | enforce them and consumers should range-check the values.
 -->
<!ATTLIST signature
          id           CDATA   #IMPLIED
          revision     CDATA   #IMPLIED
          class        CDATA   #IMPLIED
          priority     CDATA   #IMPLIED
>

<!-- 
 | A reference provides a mechanism to refer to an external 
 | database for information related to this signature or event.
 | The element text is the identifier within that database (or, for
 | system "url", the URL itself).
 -->
<!ELEMENT reference (#PCDATA)>

<!-- 
 | reference attribute
 |    system   = the external database referenced
 |                - cve       : Common Vulnerabilities and Exposures
 |                              (http://cve.mitre.org)
 |                - bugtraq   : Bugtraq
 |                              (http://www.securityfocus.com/bid)
 |                - arachnids : arachNIDS
 |                              (http://www.whitehats.com/ids)
 |                - mcafee    : McAfee
 |                              (http://vil.nai.com)
 |                - url       : custom URL
 |
 |    system is CDATA rather than an enumeration, so values outside
 |    this list are not rejected by validation.  A "url" reference is
 |    data supplied by the rule author / alert producer; a consumer
 |    should present it rather than dereference it automatically.
 -->
<!ATTLIST reference
          system    CDATA    #REQUIRED
>

<!-- 
 | The timestamp must conform to ISO-8601 standard.
 |    e.g., ISO-8601: 1999-08-04 00:01:23-05
 | The example carries an explicit UTC offset (-05) and uses a space
 | rather than "T" between date and time; consumers should preserve
 | the offset instead of assuming local time.
 -->
<!ELEMENT timestamp (#PCDATA)>

<!-- 
 | A packet is either a decoded IPv4 header tree (iphdr) or, when
 | the producer could not decode it, an undecoded "raw" packet.
 | A packet can be logged without being decoded using "raw"
 | mode. This encoding should only be used when a packet is 
 | received containing protocols which cannot be decoded.
 -->
<!ELEMENT packet (raw|iphdr)>

<!-- raw contains a base64 representation of a packet
     NOTE(review): the sensor "encoding" attribute also allows ascii
     and hex; whether raw is always base64 or follows that attribute
     is not stated here - confirm with the producer. -->
<!ELEMENT raw (#PCDATA)>

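<!-- 
 | IPv4 header
 |    saddr   = source IP address      - IP address  IP  (192.168.1.2)
 |    daddr   = destination IP address - IP address  IP  (192.168.1.2)
 |    ver     = version of ip          - 1 byte INT (0 - 15) 
 |    hlen    = header length in 32 bit words
 |                                     - 1 byte INT (0 - 15)
 |    tos     = type of service        - 1 byte INT (0 - 255)
 |    len     = total length of the packet
 |                                     - 2 byte INT (0 - 65535)
 |    id      = identification         - 2 byte INT (0 - 65535)
 |    flags   = fragment flags         - 1 byte INT (0 - 7)
 |    off     = fragment offset        - 2 byte INT (0 - 65535)
 |    ttl     = time to live           - 1 byte INT (0 - 255) 
 |    proto   = protocol               - 1 byte INT (0 - 255)
 |    csum    = checksum               - 2 byte INT (0 - 65535)
 |
 | Every attribute is CDATA, so the ranges above are documentation
 | only and are not enforced by validation.  saddr, daddr, ver and
 | proto are required; the rest are optional.
 |
 | The content model allows at most one transport header, then any
 | IP options, then the payload.  ttl is declared exactly once: an
 | earlier revision listed it twice, which XML 1.0 tolerates (only
 | the first declaration binds) but validators warn about.
 -->
<!ELEMENT iphdr ((tcphdr|udphdr|icmphdr)?, option*, data?)>
<!ATTLIST iphdr 
          saddr     CDATA  #REQUIRED
          daddr     CDATA  #REQUIRED
          ver       CDATA  #REQUIRED
          hlen      CDATA  #IMPLIED
          tos       CDATA  #IMPLIED
          len       CDATA  #IMPLIED
          id        CDATA  #IMPLIED
          flags     CDATA  #IMPLIED
          ttl       CDATA  #IMPLIED
          off       CDATA  #IMPLIED
          proto     CDATA  #REQUIRED
          csum      CDATA  #IMPLIED
>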

<!-- 
 | IP or TCP option (a child of iphdr or tcphdr respectively)
 |   code    = option code            - 1 byte INT (0 - 255)
 |   len     = length of option data  - 1 byte INT (0 - 255)
 | The element text carries the option data; presumably it uses the
 | sensor "encoding" attribute like the payload - confirm with the
 | producer.
 -->
<!ELEMENT option (#PCDATA)>
<!ATTLIST option
          code      CDATA  #REQUIRED
          len       CDATA  #IMPLIED
>
           
<!-- 
 | TCP header information
 |    sport   = source port            - 2 byte INT (0 - 65535)  
 |    dport   = destination port       - 2 byte INT (0 - 65535)
 |    seq     = sequence number        - 4 byte INT (0 - 4294967295) 
 |    ack     = acknowledgment number  - 4 byte INT (0 - 4294967295) 
 |    off     = data offset            - 1 byte INT (0 - 15)
 |    res     = reserved field         - 1 byte INT (0 - 63)
 |    flags   = represents TCP flags   - 1 byte INT (0 - 255)
 |    win     = window                 - 2 byte INT (0 - 65535)
 |    csum    = checksum               - 2 byte INT (0 - 65535)
 |    urp     = urgent pointer         - 2 byte INT (0 - 65535)
 |
 | sport, dport and flags are required; the others are optional.
 | All are CDATA, so the ranges are not enforced by validation.
 | Content: any TCP options followed by the optional payload.
 -->
<!ELEMENT tcphdr (option*, data?)>
<!ATTLIST tcphdr
          sport     CDATA  #REQUIRED
          dport     CDATA  #REQUIRED
          seq       CDATA  #IMPLIED
          ack       CDATA  #IMPLIED
          off       CDATA  #IMPLIED
          res       CDATA  #IMPLIED
          flags     CDATA  #REQUIRED
          win       CDATA  #IMPLIED
          csum      CDATA  #IMPLIED
          urp       CDATA  #IMPLIED
>

<!-- 
 | UDP header information
 |    sport   = source port            - 2 byte INT (0 - 65535)
 |    dport   = destination port       - 2 byte INT (0 - 65535)
 |    len     = length field of UDP header 
 |                                     - 2 byte INT (0 - 65535)
 |    csum    = checksum               - 2 byte INT (0 - 65535) 
 |
 | sport and dport are required; len and csum are optional.
 | All are CDATA, so the ranges are not enforced by validation.
 -->
<!ELEMENT udphdr (data?)>
<!ATTLIST udphdr
          sport     CDATA  #REQUIRED
          dport     CDATA  #REQUIRED
          len       CDATA  #IMPLIED
          csum      CDATA  #IMPLIED
>

<!-- 
 | ICMP header
 |    type    = icmp type              - 1 byte INT (0 - 255)  
 |    code    = icmp code              - 1 byte INT (0 - 255)
 |    csum    = checksum               - 2 byte INT (0 - 65535)
 |    id      = identifier             - 2 byte INT (0 - 65535)   
 |    seq     = sequence number        - 2 byte INT (0 - 65535)
 |
 | type and code are required; csum, id and seq are optional (id and
 | seq only exist for some ICMP message types).  All are CDATA, so
 | the ranges are not enforced by validation.
 -->
<!ELEMENT icmphdr (data?)>
<!ATTLIST icmphdr
          type   CDATA #REQUIRED
          code   CDATA #REQUIRED
          csum   CDATA #IMPLIED
          id     CDATA #IMPLIED
          seq    CDATA #IMPLIED
>

<!-- Packet payload, encoded as given by the sensor "encoding"
     attribute (base64, ascii or hex).  These are bytes taken from the
     wire, so a consumer should decode and then escape them before
     rendering. -->
<!ELEMENT data (#PCDATA)>

<!-- Producer-specific extension: free-form text identified by a
     required name and an optional type.  This DTD does not define
     what names or types exist; consumers should ignore extensions
     they do not recognise. -->
<!ELEMENT extension (#PCDATA)>
<!ATTLIST extension
          name  CDATA   #REQUIRED
          type  CDATA   #IMPLIED
>

<!--]>-->
