NAME
XML::IDMEF - A module for building/parsing IDMEF messages
QUICK START
Below is an example of Alert IDMEF message.
<IDMEF-Message version="0.5">
<Alert>
<AdditionalData meaning="data2" type="string">value2</AdditionalData>
<AdditionalData meaning="data1" type="string">value1</AdditionalData>
<Target>
<Node>
<name>mynode</name>
</Node>
</Target>
<Analyzer model="myids" />
</Alert>
</IDMEF-Message>
The previous IDMEF message can be built with the following code snipset:
use XML::IDMEF;
my $idmef = new XML::IDMEF();
$idmef->add("AlertTargetNodename", "mynode");
$idmef->add("AlertAdditionalData", "value1", "data1");
$idmef->add("AlertAdditionalData", "value2", "data2");
$idmef->add("AlertAnalyzermodel", "myids");
print $idmef->out();
To automatically insert an Alert ident tag and set the CreateTime class to the current time, add the 2 lines:
$idmef->create_ident();
$idmef->create_time();
and you will get:
<IDMEF-Message version="0.5">
<Alert ident="00003D9047B8722743900005A3F0001">
<AdditionalData meaning="data2" type="string">value2</AdditionalData>
<AdditionalData meaning="data1" type="string">value1</AdditionalData>
<CreateTime ntpstamp="0xc4fd2d38.0x0">2002-08-24T11:08:40Z</CreateTime>
<Target>
<Node>
<name>mynode</name>
</Node>
</Target>
<Analyzer model="myids" />
</Alert>
</IDMEF-Message>
DESCRIPTION
IDMEF.pm is an interface for simply creating and parsing IDMEF messages. IDMEF is an XML based standard for representing Intrusion Detection related messages (http://www.silicondefense.com/idwg/).
IDMEF.pm is compliant with IDMEF v0.5, and hence provides calls for building Alert, ToolAlert, CorrelationAlert, OverflowAlert and Heartbeat IDMEF messages.
This interface has been designed for simplifying the task of translating a key-value based format to its idmef representation, which is the most common situation when writing a log export module for a given software. A typical session involves the creation of a new IDMEF message, the initialisation of some of its fields and its conversion into an IDMEF string (see example in SYNOPSIS).
An interface to load and parse an IDMEF message is also provided (with the 'tohash' function).
This module contains a generic XML DTD parser and include a class based definition of the IDMEF DTD. It can hence easily be upgraded or extended to support new XML node. For information on how to extend IDMEF with IDMEF.pm, read the documentation in the source code.
This code is distributed under the BSD license, and with the support of Proact Defcom AB, Stockholm, Sweden.
EXPORT
xml_encode
xml_decode
byte2string
extend_idmef
AUTHOR
Erwan Lemonnier - erwan@cpan.org
LICENSE
This code was developed with the support of Proact Defcom AB, Stockholm, Sweden, and is released under the BSD license.
SEE ALSO
XML::Simple, XML::Parser, XML::Expat, libexpat
SYNOPSIS
In the following, function calls and function parameters are passed in a perl object-oriented fashion. Hence, some functions are said to not take any argument, while they in fact take an IDMEF object as first argument. Refer to the examples in case of confusion.
- new()
- $idmef->in([PATH|STRING])
-
- ARGS
-
PATH|STRING: either an IDMEF message as a string or a path to a file containing an IDMEF message.
- RETURN
-
the IDMEF object corresponding to this IDMEF message.
- DESC
-
in
creates a new IDMEF message from either a stringSTRING
or a file located at the pathPATH
. If no argument is provided, an empty IDMEF message is created and returned. - EXAMPLES
-
my $idmef = XML::IDMEF::in("idmef.file"); my $idmef = XML::IDMEF::in();
- $idmef->out()
- $idmef->create_ident()
-
- ARGS none.
- RETURN nothing.
- DESC
-
create_ident
generates a unique IDMEF ident tag and inserts it into this IDMEF message. The tag is generated base on the local time, a random number, the process pid and an intern counter. If the IDMEF message does not yet have a type, it will become 'Alert' by default. - EXAMPLES
-
$idmef->create_ident();
- $idmef->create_time()
- $idmef->gettype()
- $idmef->add($tagpath, $value)
-
- ARGS
-
$idmef: a hash representation of an IDMEF message, as received from
new
orin
.$tagpath: a string obtained by concatenating the names of the nested XML tags, from the Alert tag down to the closest tag to value.
$value: the value (content of a tag, or value of an attribute) of the last tag given in tagpath.
- RETURN
-
1 if the field was correctly added, 0 otherwise.
- DESC
-
Each IDMEF content/value of a given IDMEF message node can be created through an appropriate add() call. A 'tagpath' is a string contained by concatenating the names of the XML nodes from the top 'Alert' node down to the attribute or content whose value we want to set. Hence, in the example given in introduction, the tagpath for setting the value of the Alert Analyzer model attribute is 'AlertAnalyzermodel'.
The
add
call was designed for easily building a new IDMEF message while parsing a log file, or any data based on a key-value format. - RESTRICTIONS
-
add
cannot be used to change the value of an already existing content or attribute. An attempt to run add() on an attribute that already exists will just be ignored. Contents cannot be changed either, but a new tag can be created if you are adding an idmef content that can occur multiple time (ex: UserIdname, AdditionalData...). - SPECIAL CASE: AdditionalData
-
AdditionalData is a special tag requiring at least 2 add() calls to build a valid node. In case of multiple AdditionalData delaration, take care of building AdditionalData nodes one at a time, and always begin by adding the "AddtitionalData" field (ie the tag content). Otherwise, the idmef key insertion engine will get lost, and you will get scrap.
As a response to this issue, the 'add("AlertAdditionalData", "value")' call accepts an extended syntax compared with other calls:
add("AlertAdditionalData", <value>); => add the content <value> to Alert/AdditionalData add("AlertAdditionalData", <value>, <meaning>); => same as: (type string is assumed by default) add("AlertAdditionalData", <value>); add("AlertAdditionalDatameaning", <meaning>); add("AlertAdditionalDatatype", "string"); add("AlertAdditionalData", <value>, <meaning>, <type>); => same as: add("AlertAdditionalData", <value>); add("AlertAdditionalDatameaning", <meaning>); add("AlertAdditionalDatatype", <type>);
The use of
add("AlertAdditionalData", <arg1
, <arg2>, <arg3>);> is prefered to the simpleadd
call, since it creates the whole AdditionalData node at once. In the case of multiple argumentsadd("AlertAdditionalData"...)
, the returned value is 1 if the type key was inserted, 0 otherwise. - EXAMPLES
-
my $idmef = new XML::IDMEF(); $idmef->add("Alertimpact", "<value>"); $idmef->add($idmef, "AlertTargetUserUserIdname", "<value>"); # AdditionalData case: # DO: $idmef->add("AlertAdditionalData", "value"); # content add first $idmef->add("AlertAdditionalDatatype", "string"); # ok $idmef->add("AlertAdditionalDatameaning", "meaning"); # ok $idmef->add("AlertAdditionalData", "value2"); # content add first $idmef->add("AlertAdditionalDatatype", "string"); # ok $idmef->add("AlertAdditionalDatameaning", "meaning2"); # ok # or BETTER: $idmef->add("AlertAdditionalData", "value", "meaning", "string"); # VERY GOOD $idmef->add("AlertAdditionalData", "value2", "meaning2"); # VERY GOOD (string type is default) # DO NOT DO: $idmef->add("AlertAdditionalData", "value"); # BAD!! content should be declared first $idmef->add("AlertAdditionalDatameaning", "meaning2"); # BAD!! content first! # DO NOT DO: $idmef->add("AlertAdditionalData", "value"); # BAD!!!!! mixing node declarations $idmef->add("AlertAdditionalData", "value2"); # BAD!!!!! for value & value2 $idmef->add("AlertAdditionalDatatype", "string"); # BAD!!!!! $idmef->add("AlertAdditionalDatatype", "string"); # BAD!!!!!
- $idmef->tohash()
-
- ARGS none.
- RETURN
-
the IDMEF message flattened inside a hash.
- DESC
-
tohash
returns a hash enumerating all the contents and attributes of this IDMEF message. Each key is a concatenated sequence of XML tags (a 'tagpath', seeadd()
) leading to the content/attribute, and the corresponding value is an array containing the content/attribute itself. In case of multiple occurences of one 'tagpath', the corresponding values are listed as elements of the array (See the example). All IDMEF contents and values are converted from IDMEF format (STRING or BYTE) back to the original ascii string. - EXAMPLES
-
<IDMEF-message version="0.5"> <Alert ident="myalertidentity"> <Target> <Node category="dns"> <name>node2</name> </Node> </Target> <AdditionalData meaning="datatype1">data1</AdditionalData> <AdditionalData meaning="datatype2">data2</AdditionalData> </Alert> </IDMEF-message> becomes: { "version" => [ "0.5" ], "Alertident" => [ "myalertidentity" ], "AlertTargetNodecategory" => [ "dns" ], "AlertTargetNodename" => [ "node2" ], "AlertAdditionalDatameaning" => [ "datatype1", "datatype2" ], # meaning & contents are "AlertAdditionalData" => [ "type1", "type2" ], # listed in same order }
- xml_encode($string)
-
- ARGS
-
$string: a usual string
- RETURN
-
the xml encoded string equivalent to $string.
- DESC
-
You do not need this function if you are using add() calls (which already calls it). To convert a string into an idmef STRING, xml_encode basically replaces the following characters: with:
& & < < > > " " ' '
REM: if you want to convert data to the BYTE[] format, use 'byte2string' instead
- xml_decode($string)
-
- ARGS
-
$string: a string encoded using xml_encode.
- RETURN
-
the corresponding decoded string.
- DESC
-
You do not need this function with 'tohash' (which already calls it). It decodes <xmlstring> into a string, ie replace the following characters: with: & & < < > > " " &apos ' &#xx; xx in base 10 &#xxxx; xxxx in base 16
It also decodes strings encoded with 'byte2string'
- byte_2_string($bytes)
-
- ARGS
-
$bytes: a binary string.
- RETURN
-
The string obtained by converting <bytes> into its IDMEF representation, refered to as type BYTE[] in the IDMEF rfc.
- DESC
-
convert a binary string into its BYTE[] representation, according to the IDMEF rfc.
- extend_subclass($IDMEF-class, $Extended-subclass)
-
- ARGS
-
$IDMEF-class: an extension class DTD
$Extended-subclass: the name of the extended class's root
- RETURN nothing.
- DESC
-
extend_subclass
allows to extend the IDMEF DTD by registring new subclasses to classes from the standard IDMEF DTD. Internally, the IDMEF.pm module is built around a DTD parser, which reads an XML DTD (written in a proprietary but straightforward format) and provides functions to build and parse XML messages compliant with this DTD. This DTD parser and its API could be used for any other XML format than IDMEF, provided that the appropriate DTD gets loaded in the module.extend_subclass
allows to inject new subclasses of pre-loaded DTD classes into the IDMEF.pm DTD engine.ex: extend_sublass($IDMEF-class, $Extended-subclass);
The format of the $xxx-class is too complex to be described here. Refer to the documentation inside the source code.
1 POD Error
The following errors were encountered while parsing the POD:
- Around line 1508:
=over without closing =back