<?xml version="1.0" encoding="UTF-8"?>
<idmef:IDMEF-Message version="1.0"  xmlns:idmef="http://iana.org/idmef">
 <idmef:Alert messageid="abc123456789">
   <idmef:Analyzer analyzerid="bc-corr-01">
     <idmef:Node category="dns">
       <idmef:name>correlator01.example.com</idmef:name>
     </idmef:Node>
   </idmef:Analyzer>
   <idmef:CreateTime ntpstamp="0xbc72423b.0x00000000">2000-03-09T15:31:07Z</idmef:CreateTime>
   <idmef:Source ident="a1">
     <idmef:Node ident="a1-1">
       <idmef:Address ident="a1-2" category="ipv4-addr">
         <idmef:address>192.0.2.200</idmef:address>
       </idmef:Address>
     </idmef:Node>
   </idmef:Source>
   <idmef:Target ident="a2">
     <idmef:Node ident="a2-1" category="dns">
       <idmef:name>www.example.com</idmef:name>
       <idmef:Address ident="a2-2" category="ipv4-addr">
         <idmef:address>192.0.2.50</idmef:address>
       </idmef:Address>
     </idmef:Node>
     <idmef:Service ident="a2-3">
       <idmef:portlist>5</idmef:portlist>
     </idmef:Service>
   </idmef:Target>
   <idmef:Classification text="Login Authentication">
     <idmef:Reference origin="vendor-specific">
       <idmef:name>portscan</idmef:name>
       <idmef:url>http://www.vendor.com/portscan</idmef:url>
     </idmef:Reference>
   </idmef:Classification>
   <idmef:Assessment>
     <idmef:Impact severity="high" completion="failed" type="file">
     </idmef:Impact>
   </idmef:Assessment>
 </idmef:Alert>
 </idmef:IDMEF-Message>

I'm working with an XML messaging system, where a message packet is read from a queue and applied against a rule with a pattern in it. If the pattern matches, the rule fires and some elements, nodes etc. of the XML are read and stored. What is to be read from the message is defined using an XPath expression. For example, the following XPath takes the severity attribute and stores it.

name.set(".//idmef:Classification/idmef:Assesment/idmef:Impact/@severity","high");

So, I would take that XPath, compile it, read the severity attribute and store it for later use.

When I go to create the new XML message using the stored value, there may be a case where the completion and type attributes are mandatory.

So the question is, how do I check if those attributes need to be written out? I know that the schema is involved somehow, but how do you do it? More to the point, if the user selects only the severity attribute, how would I go about adding in the rest of the structure, like Classification, Message and other elements, when I have additional XPath lookups, for example down at

Bob.

scope_creep
  • This XML is not well-formed. Are you missing some of it? – John Saunders Oct 03 '09 at 16:56
  • Yea, I'm missing a wee bit. B – scope_creep Oct 03 '09 at 16:58
  • Until you have well-formed XML you cannot do anything with it - so please provide us with the correct XML – mmmmmm Oct 03 '09 at 18:28
  • I'm not certain what you are trying to do. It sounds like the trouble is that you want to create a well formed, and valid XML message. You can get the well-formed, but to validate you need to know the schema. – Blue Toque Oct 03 '09 at 21:13
  • Yes, I want to do. When the user creates an XPath expression and binds a suitable value around it, I want to take that and build suitable XML around that XPath. I have the schema. Bob. – scope_creep Oct 03 '09 at 22:09
  • The schema is huge. It runs to 80-odd pages. So any ideas? Is it a case of somehow flattening the schema, some mechanical process? – scope_creep Oct 03 '09 at 22:13
  • If somebody specifies this. name.set(".//idmef:Classification/idmef:Assesment/idmef:Impact/@severity","high"); I want to build the xml around it which is well formed. – scope_creep Oct 03 '09 at 22:25
  • It's also worth mentioning that the XML is being written out using the XSD-generated C# classes before being serialized. – scope_creep Oct 04 '09 at 12:53
  • I was using XMLSpy this morning, and it can take the schema and write out a fully well-formed XML document from it. So there must be a way of reading the schema and building the XML from it. – scope_creep Oct 05 '09 at 23:55

3 Answers

0

The commenters are correct - you need to first fix your XML to make it well-formed.

However, if I understand your problem correctly, you need to write out some XML, adding or changing some attributes.

If this is what you need, I would try using an XSL transform to add the attributes. Here is a modified version of the identity transform that should be close to what you need. If you need some conditional logic, then surround the attribute tags with xsl:if.

<xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:fn="http://www.w3.org/2005/xpath-functions"
    xmlns:idmef="http://iana.org/idmef" xpath-default-namespace="http://iana.org/idmef">
    <xsl:output method="xml" version="1.0" encoding="UTF-8" indent="yes"/>

    <!-- Identity template: copies every node and attribute through unchanged. -->
    <xsl:template match="@*|node()">
        <xsl:copy>
            <xsl:apply-templates select="@*|node()"/>
        </xsl:copy>
    </xsl:template>

    <!-- Impact is matched in the IDMEF namespace via xpath-default-namespace.
         Existing attributes are copied first, then the three below are set,
         replacing any copied attribute of the same name. -->
    <xsl:template match="Impact">
        <xsl:copy>
            <xsl:copy-of select="@*"/>
            <xsl:attribute name="severity">high</xsl:attribute>
            <xsl:attribute name="completion">failed</xsl:attribute>
            <xsl:attribute name="type">file</xsl:attribute>
            <xsl:apply-templates/>
        </xsl:copy>
    </xsl:template>
</xsl:stylesheet>
nont
  • Hi Nont, that's different XML. I edited the question to put in real XML, as opposed to the example. So how does that work? I've not done any XSLT before. – scope_creep Oct 06 '09 at 19:34
  • I can see how it works, as you're selecting a node and then matching on the attributes, but how would it work if a user gave me the XPath string to set portlist to 5 as below. 5 How would I go about building the nodes around it and including any mandatory XML nodes within? Obviously attribute fields would be blank, or default values, as the user has not supplied them. I think you're quite close, but I need to see how it works on different parts of the XML packet. – scope_creep Oct 06 '09 at 19:42
  • XSLT is made for transforming XML. The idea is that you take one piece of XML and it transforms it into another. I got the impression from your question that your output document looks a lot like your input document. If this is the case, then XSL would be a good choice. If it's very different, and I'm mistaken, then it's not a good choice. I use Saxon to run the transform. The example I gave only modifies the Impact node, and leaves the rest as it was. For a general XSL tutorial, try http://www.w3schools.com/xsl/ – nont Oct 06 '09 at 19:55
  • If you're looking for a dot-net XSL intro, try this: http://www.xml.com/pub/a/2002/08/14/dotnetxslt.html – nont Oct 06 '09 at 20:01
  • Hi Nont, I've got an XSLT reference book from Wrox, but I never got round to reading it. As regards the above, the output doc and input doc use the same schema, as I'm building a rule engine, which takes IDMEF packets in, and selects nodes from the selected message, based on an XPath set. If the rule hits, it selects certain XML out of it, and later that XML is built up into another composite packet and sent out. Could you show me how it would work using the example from my previous comment? If the user selected 5 I would have to built – scope_creep Oct 06 '09 at 20:47
  • Also how would it link the XPath expression, if the user specified name.set(".//idmef:Classification/idmef:Assesment/idmef:Impact/@severity","high") How would I link that XPath expression to define the above XSLT? Maybe code blocks, with all XPaths having an XSLT transform? would it be a mechami – scope_creep Oct 06 '09 at 21:00
  • I have read, I need more concrete examples to see how it would work with elements as well. – scope_creep Oct 08 '09 at 01:35
  • Nont, Thanks for your help. Bob. – scope_creep Oct 13 '09 at 13:07
  • The correct way to say thanks is to upvote my answer. Unless you're being sarcastic. – nont Oct 15 '09 at 19:20
0

You could:

  • Open original XML (A)
  • Create a new XML document (B)
  • Run your xpath against (A)
  • Add matching results to (B)
  • Save (B)

Does this make any sense?

Rubens Farias
  • Sure, that's the way it needs to be done, but how is it done for the 4th and 5th actions? When you run the XPath against A, how do you apply a chunk of A into B? – scope_creep Oct 09 '09 at 17:52
0

I found an answer here on Stack Overflow, and here it is: Create XML Nodes from XPath. I know it is as far away from how I described it above, but at the time I was designing it, I didn't have a scobie how it would work.

scope_creep
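
An added example (Python standard library; not code from the question or any answer) of the two approaches named in the answers above: copying XPath-selected values from message A into a new message B, and creating the missing elements from the path itself. It accepts only child steps spelled out from the root plus an optional final @attribute, so a `.//` path such as the one in the question is rejected, since a descendant step gives no single place to create missing elements. The function names and the cut-down sample message are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
NS = {"idmef": "http://iana.org/idmef"}
ET.register_namespace("idmef", NS["idmef"])
STEP = re.compile(r"[A-Za-z_][\w.-]*:[A-Za-z_][\w.-]*")   # prefix:name only
ATTR = re.compile(r"@[A-Za-z_][\w.-]*")                    # final @attribute
# Constructed sample: a cut-down copy of the message in the question.
MESSAGE_A = """<idmef:IDMEF-Message version="1.0" xmlns:idmef="http://iana.org/idmef">
 <idmef:Alert messageid="abc123456789">
  <idmef:Target><idmef:Service><idmef:portlist>5
  </idmef:portlist></idmef:Service></idmef:Target>
  <idmef:Assessment><idmef:Impact severity="high" completion="failed" type="file"/></idmef:Assessment>
 </idmef:Alert></idmef:IDMEF-Message>"""

def parse_path(path):
    """Return (element steps, attribute or None); reject predicates, axes, wildcards."""
    steps = path.split("/")
    attr = steps.pop()[1:] if ATTR.fullmatch(steps[-1]) else None
    if not steps or not all(STEP.fullmatch(s) and s.split(":")[0] in NS for s in steps):
        raise ValueError("unsupported path: %r" % path)
    return steps, attr

def read_by_path(root, path):
    steps, attr = parse_path(path)
    node = root.find("/".join(steps), NS)
    return None if node is None else (node.get(attr) if attr else (node.text or "").strip())

def set_by_path(root, path, value):
    """Create whatever elements are missing along path, then set the value."""
    steps, attr = parse_path(path)
    node = root
    for step in steps:
        prefix, local = step.split(":")
        child = node.find(step, NS)          # reuse an element created earlier
        node = child if child is not None else ET.SubElement(node, "{%s}%s" % (NS[prefix], local))
    if attr:
        node.set(attr, value)
    else:
        node.text = value

def build_message_b(paths, source_xml=MESSAGE_A):
    """Copy only the selected fields of message A into a new message B."""
    src = ET.fromstring(source_xml)
    out = ET.Element("{%s}IDMEF-Message" % NS["idmef"], {"version": "1.0"})
    for path in paths:
        value = read_by_path(src, path)
        if value is not None:
            set_by_path(out, path, value)
    return ET.tostring(out, encoding="unicode")
```

The result is well-formed but not validated: elements appear in the order the paths were applied and only the selected attributes are written, so message B still has to be checked against the schema before it is sent.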