[xml] greetings & a question
- From: <tlewis mindspring com>
- To: libxml dev list <xml gnome org>
- Subject: [xml] greetings & a question
- Date: Sat, 18 Aug 2001 02:40:27 -0400 (EDT)
Greetings. I am using libxml2 for a new, free network intrusion detection
system called hank. I hope to announce it publicly next month.
So far, I have been very pleased by my experiences using it.
My rule file is xml, and reports are specified like this:
<rule>
  <match>
    <PRIM proto="arp" section="Hdr" field="operation_code" op="&lt;">16535</PRIM>
  </match>
  <report>
ARP:
hardware_address_space = <field proto="arp" section="Hdr" field="hardware_address_space"/>
protocol_address_space = <field proto="arp" section="Hdr" field="protocol_address_space"/>
hardware_address_length = <field proto="arp" section="Hdr" field="hardware_address_length"/>
protocol_address_length = <field proto="arp" section="Hdr" field="protocol_address_length"/>
operation_code = <field proto="arp" section="Hdr" field="operation_code"/>
sender_hardware_address = <field proto="arp" section="Hdr" field="sender_hardware_address"/>
sender_protocol_address = <field proto="arp" section="Hdr" field="sender_protocol_address"/>
target_hardware_address = <field proto="arp" section="Hdr" field="target_hardware_address"/>
target_protocol_address = <field proto="arp" section="Hdr" field="target_protocol_address"/>
  </report>
</rule>
This approach was very simple and easy to code; copy the text and replace
the <field> nodes with my field data structure in C.
Now, I would like to allow people to have their reports as more than
plain text documents; I would like to generate xml for such purposes
as supporting idmef or other NIDS xml report formats. Under such a scheme,
users would instead state rules like this:
<rule>
  <match>
    <PRIM proto="arp" section="Hdr" field="operation_code" op="&lt;">16535</PRIM>
  </match>
  <report>
    <IDMEF-Message version="0.1">
      <Alert alertid="329440" impact="unknown" version="1">
        <Analyzer ident="IDS1">
          <Node category="dns">
            <location>FooBar</location>
            <name>Hank</name>
            <Address category="ipv4-addr">
              <!-- *************** This is the interesting part. *************** -->
              <address> <field proto="arp" section="ipv4" field="source_address"/> </address>
            </Address>
          </Node>
        </Analyzer>
      </Alert>
    </IDMEF-Message>
  </report>
</rule>
The naive way to code this is: make a copy and walk the tree, looking
for all "field" nodes and replacing them. This, however, seems rather a
lot of work, and repetitive at that. I also thought about caching their
location, but the representation of nodes as linked lists makes this
cumbersome to do for a humble C journeyman such as myself, and potentially
even more work than walking the entire tree, since large portions of the
tree could be traversed repeatedly unless I get even more adventurous
with my coding, etc.
My question is, is there a way to identify these nodes beforehand, copy
the tree and replace the corresponding nodes in the new tree? I don't
know if I could xlink them or use some other xml magic to make this easy
or if there's a more obvious approach that I'm just too dumb to realize.
I had ruled out replacing them in the original before copying because of
memory leak fears, but maybe there's a way to adopt this approach.
Any and all advice is welcome and appreciated.
--
Todd Lewis
tlewis mindspring com
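An added example, not from the post or from hank, of the "identify the nodes beforehand, copy the tree, replace in the copy" approach the question asks about. It uses Python's standard-library ElementTree rather than libxml2 so it runs stand-alone: each <field> placeholder is located once as a child-index path, and because index paths stay valid in every deep copy of the template, each alert needs one copy plus direct index lookups instead of a second tree walk. The rule text, the packet dictionary and the function names are constructed for this example.

```python
import copy
import xml.etree.ElementTree as ET

RULE_XML = """<rule>
  <match><PRIM proto="arp" section="Hdr" field="operation_code" op="&lt;">16535</PRIM></match>
  <report>
    <IDMEF-Message version="0.1">
      <Node category="dns">
        <Address category="ipv4-addr">
          <address><field proto="arp" section="ipv4" field="source_address"/></address>
        </Address>
      </Node>
    </IDMEF-Message>
  </report>
</rule>"""  # constructed, abbreviated from the post; op written as &lt; so it is well-formed

def field_paths(template):
    """Walk the template once; record each <field> as a child-index path plus its key."""
    found = []
    def walk(elem, path):
        for i, child in enumerate(elem):
            if child.tag == "field":
                key = (child.get("proto"), child.get("section"), child.get("field"))
                found.append((path + (i,), key))
            else:
                walk(child, path + (i,))
    walk(template, ())
    return found

def compile_rule(rule_xml):
    """Parse a rule and cache its placeholder paths; index paths survive a deep copy."""
    template = ET.fromstring(rule_xml).find("report")
    return template, field_paths(template)

def render_report(template, paths, packet):
    """Deep-copy the template, splice each value into the surrounding text, serialise."""
    report = copy.deepcopy(template)  # the template is never modified; reuse it per packet
    # Reverse document order: removing a node never shifts an index a pending path uses.
    for path, key in reversed(paths):
        parent = report
        for i in path[:-1]:
            parent = parent[i]
        old = parent[path[-1]]
        value = str(packet.get(key, ""))  # unknown field -> empty, not an exception
        if path[-1] == 0:
            parent.text = (parent.text or "") + value + (old.tail or "")
        else:
            parent[path[-1] - 1].tail = (parent[path[-1] - 1].tail or "") + value + (old.tail or "")
        parent.remove(old)
    return ET.tostring(report, encoding="unicode")
```

Sibling placeholders under one parent (the plain-text ARP report above has nine) work because the replacements run in reverse document order, so removing a node never invalidates a cached index that is still to be used.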