Prelude IDMEF Path

In Prelude, an IDMEF Path is a pointer to a specific value in an IDMEF message.
Using this pointer, you can update or retrieve the value pointed by that path.

Any class specified in the IDMEF RFC can be converted to a Prelude IDMEF path.

Mapping an IDMEF class to a Prelude IDMEF Path

When mapping an IDMEF XML class to Prelude, you should obey the following rules:
  • Prelude IDMEF Paths are lower case.
  • Subsequent members of a path are separated with a dot: "."
  • Where an IDMEF XML class uses upper case for word separation, Prelude uses an underscore "_" (for example, CreateTime becomes create_time).
  • In case a path member is a list, you can use a specific index to access the path, for example: alert.source(0).node.name

Indexed member

When accessing a listed object (for example alert.source or alert.additional_data), the index can be specified as a number that must either refer to a currently existing entry or, in the context of assigning an object, be the first unassigned index of the list. For example, if source(0) and source(1) currently exist, you may use index 0, 1 or 2 to assign data, but not 3.

Note that you may also use negative indexes to access listed objects: -1, -2, ..., -n.

-1 always points to the last object in the list, -2 to the one before it, and so on.

Additionally, in the context of an assignment, you can use the >> (append) or << (prepend) operator:

   alert.source(>>).interface = eth1
   alert.source(-1).node.name = myNode

The above example appends a source object, whose interface value is eth1, to the current 'alert.source' list. It then sets the node.name attribute of this newly added source object to myNode.

Example: an IDMEF message, followed by the Prelude IDMEF paths it maps to.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFC XXXX IDMEF v1.0//EN" 
"idmef-message.dtd">

<IDMEF-Message version="1.0" xmlns="urn:iana:xml:ns:idmef">
 <Alert messageid="abc123456789">
  <Analyzer analyzerid="hq-dmz-analyzer01">
   <Node category="dns">
    <location>Headquarters DMZ Network</location>
    <name>analyzer01.example.com</name>
   </Node>
  </Analyzer>

  <CreateTime ntpstamp="0xbc723b45.0xef449129">
   2000-03-09T10:01:25.93464-05:00
  </CreateTime>

  <Source ident="a1b2c3d4">
   <Node ident="a1b2c3d4-001" category="dns">
    <name>badguy.example.net</name>
    <Address ident="a1b2c3d4-002" category="ipv4-net-mask">
     <address>192.0.2.50</address>
     <netmask>255.255.255.255</netmask>
    </Address>
   </Node>
  </Source>

  <Target ident="d1c2b3a4">
   <Node ident="d1c2b3a4-001" category="dns">
    <Address category="ipv4-addr-hex">
     <address>0xde796f70</address>
    </Address>
   </Node>
  </Target>

  <Classification text="Teardrop detected">  
   <Reference origin="bugtraqid">
    <name>124</name>
    <url>http://www.securityfocus.com/bid/124</url>
   </Reference>
  </Classification>
 </Alert>
</IDMEF-Message>

Prelude IDMEF paths for the message above:

alert.messageid=abc123456789
alert.analyzer(0).analyzerid=hq-dmz-analyzer01
alert.analyzer(0).node.category=dns
alert.analyzer(0).node.location=Headquarters DMZ Network
alert.analyzer(0).node.name=analyzer01.example.com
alert.create_time=0xbc723b45.0xef449129
alert.source(0).ident=a1b2c3d4
alert.source(0).node.ident=a1b2c3d4-001
alert.source(0).node.category=dns
alert.source(0).node.name=badguy.example.net
alert.source(0).node.address(0).ident=a1b2c3d4-002
alert.source(0).node.address(0).category=ipv4-net-mask
alert.source(0).node.address(0).address=192.0.2.50
alert.source(0).node.address(0).netmask=255.255.255.255
alert.target(0).ident=d1c2b3a4
alert.target(0).node.ident=d1c2b3a4-001
alert.target(0).node.category=dns
alert.target(0).node.address(0).category=ipv4-addr-hex
alert.target(0).node.address(0).address=0xde796f70
alert.classification.text=Teardrop detected
alert.classification.reference(0).origin=bugtraqid
alert.classification.reference(0).name=124
alert.classification.reference(0).url=http://www.securityfocus.com/bid/124
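As an added example (not part of the Prelude documentation or the Prelude code base), the Python converter below applies the mapping rules above to an IDMEF XML message and emits the same path=value lines as the listing: lower case, dot-separated members, underscores at CamelCase boundaries, and (n) indexes for list members. The set of list-valued members it indexes is a constructed subset, and keeping the ntpstamp attribute as the value of CreateTime is an assumption taken from the listing above.

```python
import re
import xml.etree.ElementTree as ET

IDMEF_NS = "{urn:iana:xml:ns:idmef}"
# Members Prelude exposes as lists (indexed as member(n)); a constructed
# subset, the full set follows from the IDMEF class multiplicities.
LIST_MEMBERS = {"analyzer", "source", "target", "address", "reference",
                "additional_data", "user_id", "process", "file"}

def to_member(tag):
    """IDMEF class -> path member: drop namespace, '_' at CamelCase boundaries, lower-case."""
    return re.sub(r"(?<=[a-z0-9])(?=[A-Z])", "_", tag.replace(IDMEF_NS, "")).lower()

def _walk(elem, path, out):
    for attr, value in elem.attrib.items():       # XML attributes are plain members
        out.append(f"{path}.{attr}={value}")
    counters = {}                                  # next free index per list member
    for child in elem:
        member = to_member(child.tag)
        if member in LIST_MEMBERS:
            idx = counters.get(member, 0)
            counters[member] = idx + 1
            member = f"{member}({idx})"
        child_path = f"{path}.{member}"
        if "ntpstamp" in child.attrib:             # time classes: ntpstamp is the stored value (assumed)
            out.append(f"{child_path}={child.attrib['ntpstamp']}")
        elif len(child) == 0 and not child.attrib: # leaf element: its text is the value
            out.append(f"{child_path}={(child.text or '').strip()}")
        else:
            _walk(child, child_path, out)

def idmef_paths(xml_text):
    """Return 'path=value' lines, in document order, for one IDMEF-Message."""
    out = []
    for msg in ET.fromstring(xml_text):            # Alert / Heartbeat; use defusedxml for untrusted input
        _walk(msg, to_member(msg.tag), out)
    return out

# Constructed sample: a trimmed copy of the page's Teardrop alert.
SAMPLE = """<IDMEF-Message version="1.0" xmlns="urn:iana:xml:ns:idmef">
 <Alert messageid="abc123456789">
  <Analyzer analyzerid="hq-dmz-analyzer01"><Node category="dns"/></Analyzer>
  <CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25-05:00</CreateTime>
  <Source ident="a1b2c3d4"><Node category="dns"><name>badguy.example.net</name>
   <Address category="ipv4-net-mask"><address>192.0.2.50</address>
    <netmask>255.255.255.255</netmask></Address></Node></Source>
  <Classification text="Teardrop detected"><Reference origin="bugtraqid">
   <name>124</name><url>http://www.securityfocus.com/bid/124</url></Reference>
  </Classification></Alert></IDMEF-Message>"""
```

Running `idmef_paths(SAMPLE)` yields fourteen lines, from `alert.messageid=abc123456789` through `alert.classification.reference(0).url=...`, in the same order as the listing above.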