[xml] question for the libxsl experts
- From: tlewis mindspring com
- To: libxml dev list <xml gnome org>
- Cc: Ignacio Vazquez-Abrams <ignacio openservices net>
- Subject: [xml] question for the libxsl experts
- Date: Thu, 20 Sep 2001 06:07:55 -0400 (EDT)
Fellas,
libxml continues, unsuprisingly, to suprise me with its quality.
My Network Intrusion Detection System (NIDS) hank is using xml (and
libxml) for its rule format. I have this week been reading up on xslt
and am using a stylesheet to take a generic ruleset, which specifies the
signature characteristics of various attacks, and transform it according
to a site policy into a working rule file, with such local details as
to whom reports should be sent, if matching packets should be dropped
by the OS's firewall (if available), etc. I don't know anyone else
who can do stuff like this, and I owe it all to Xmlsoft. 8^)
This part is going well. However, in the formulation of the reports, I
have a question that I fear wasting a good deal of time finding the right
answer, so I thought that I would see if I could cheat by asking here.
I asked it in a more primitive form last month and got this answer
from Ignacio:
On Sat, 18 Aug 2001, Ignacio Vazquez-Abrams wrote:
Have you looked at XSLT? You're basically translating one type of XML document
into another, even if it's as simple as replacing elements with text. XSLT
excels at manipulating XML.
You could even change your original C code to output an XSLT stylesheet
instead of doing search-and-replace on an xmlDoc, then use libxslt to apply
the stylesheet to any report you choose, copying any elements it doesn't know
about, and replacing ones it does know about with the appropriate value.
This was excellent advice. So now I have looked at and used XSLT, and
it certainly is, generally, the tool that I want to use to solve this
problem. My question comes in the specifics of how I use it. I will
have a set of zero or more report snippets which will be populated with
actual values from the network traffic, like this:
<SNIPPET>
ILLEGAL DNS PACKET: opcode is <REPORT proto="dns" field="opcode"/>.
</SNIPPET>
'<REPORT proto="dns" field="opcode"/>' will be replaced with something
poetic like '4'; that code I have ready to go once I know where to plug
it in.
I then want to take these (zero or more) snippets and stick them in a
report, like this:
<report>
Aiee! Major attack detected! Packet matches following attacks:
<snippet-all/>
</report>
So, I have three elements constituend: the snippet, the dynamic values
used to populate the snippet, and then the report template, which is
combined with the post-processed snippets to generate the final report.
Now, I have an article from IBM that explains rather well how to use
XSLTs to generate themselves, and I'm sure that I could do that given
enough effort, but from the libxslt documentation, composing (potentially
several) new stylesheets for each report sounds expensive. I really
don't care which part is the document and which is the stylesheet;
judging from the literature that I have read thusfar, this is a common
ambivalence. So, not caring either way, I ask:
1) Which parts should be stylesheet and which should be document?
I have thought about just generating a document with the protocol values
and transforming the hell out of that with one or several stylesheets,
or generating a dynamic stylesheet with the protocol values and using the
snippet as the document, or having a series of stylesheets. I really
don't know why one would adopt one approach over another, and so I am
seriously floundering at this point.
2) Are there any tricks recommended to get the final document produced
with a minimum of cost?
I'm pretty sure that generating several new stylesheets for each report I
want to generate would be expensive, but I don't know that to be the case.
3) Code-wise, how does one shuffle all of these xml documents around in
memory and combine them? Can I just re-parent the DOM tree in memory
underneath where it needs to go in the new document? Even if I come
up with an XML strategy (this stylesheet applied to that document,
resulting subtree stuck here...) I really have no idea how to perform
cross-document integration like this using libxml when it comes to the
actual code.
4) Is there anyone else out there who is dealing with dynamic data to
compose reports like this who can offer advice, or software that does
this that I could review?
If this were something that I had been doing for a while, then I would
just start playing with it and see where I end up, but I am still new
enough to the entire XML universe that I am afraid of doing something
really performance-killing without even knowing it.
Any and all advice is welcome. If this is just something that I should
experiment with and stop bothering people about, then my feelings won't
be hurt if people say so.
--
Todd Lewis
tlewis mindspring com
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
