
[ossec-dev] Re: XML Rule files not according to XML specification.




Hi Frank,

First of all, good idea creating the rule editor. The project needs that and hopefully you will release it to everyone :)

Rest inline...

On 7/16/07, Frank Spierings <Frank.Spierings@xxxxxxxxx> wrote:

> I was trying to implement a nice PHP based rule editor. I'm stuck at
> the moment though, since I would love to use SimpleXML for parsing the
> XML rule files back and forth. Problem is, that not all the rule files
> are according to the XML specification, since some rule files have
> multiple root elements.

Yes, that's a known problem and not only the rules, but also the config and decoders can have multiple root elements. That's what happens when you write your own xml library :) The initial idea was to have only one group per rule file and only one "ossec_config" per config file, but to make things easier (via shell scripts) we ended up with more than one.


> I was wondering if I could give these files an encapsulating element
> like for instance -->
> <document>
>   <group></group>
>   <group></group>
>   <group></group>
> </document>
> Without modifying the ossec source code (probably not...). And
> otherwise I look for a hint where I should find the code which
> currently handles it.

We would need to modify the ossec code to support that (and a bunch of our installation/update scripts). We can plan that for a future release and we should put them as:

<groups>
 <group>xx</group>
</groups>

<decoders>
 <decoder>yy</decoder>
</decoders>

However, for now, a simple "hackish" solution is to fix the XML files before you read them. Just add a "root_element" to the beginning of the xml file (and the matching close at the end). When you are writing them back to the ossec rules directory, make sure to remove them... Not pretty, but can help in the short term.



> Also I noticed that for instance ids_rules.xml contains an
> undocumented <var> element. This is not helping my "project" either ;)

Haha! Again, that's what happens when you write your own XML library and add a few features that no one else has... Basically this "var" is an internal element for the os_xml library used to create variables that are replaced in the whole xml*. If you wrap the file before reading with a root element you don't need to worry about it.

In the code when you see:

   /* Reading the XML */
   if(OS_ReadXML(rulepath,&xml) < 0)
   {
       merror(XML_ERROR, ARGV0, rulepath, xml.err, xml.err_line);
       free(rulepath);
       return(-1);
   }

   /* Applying any variable found */
   if(OS_ApplyVariables(&xml) != 0)
   {
       merror(XML_ERROR_VAR, ARGV0, rulepath, xml.err);
       return(-1);
   }

The ApplyVariables replaces any variable in the xml for whatever that is specified at var (or xml_var).



> Hope somebody can help,



Hope it helps...

--
Daniel B. Cid
dcid ( at ) ossec.net
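As an added example (not part of this thread, and not OSSEC's or Frank's code), here is the wrap-before-reading / unwrap-before-writing step Daniel describes, in Python's ElementTree rather than Frank's PHP; SimpleXML's simplexml_load_string() and asXML() on each child do the same job. It also shows a read-only approximation of what OS_ApplyVariables does with the <var> element. The wrapper element name, the constructed sample rule file, and the $NAME reference form for <var> (OSSEC's rule syntax, which the message itself does not spell out) are assumptions of the example, not something the thread states.

```python
import copy
import re
import xml.etree.ElementTree as ET

# Hypothetical wrapper element; it exists only in memory and is stripped on write-back.
WRAPPER = "ossec_editor_root"
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")
_VAR_REF = re.compile(r"\$([A-Za-z0-9_]+)")   # $NAME reference form (OSSEC rule syntax, assumed)

# Constructed sample in the style of an OSSEC rule file: a top-level <var> plus two
# <group> root elements, i.e. not well-formed XML on its own.
SAMPLE = """<!-- constructed sample, not a real OSSEC rule file -->
<var name="BAD_WORDS">core_dumped|failure|error</var>
<group name="local,syslog,">
  <rule id="100100" level="2">
    <match>$BAD_WORDS</match>
    <description>Constructed rule using a variable.</description>
  </rule>
</group>
<group name="local,">
  <rule id="100101" level="0">
    <if_sid>100100</if_sid>
    <description>Constructed rule that references $UNDEFINED_VAR.</description>
  </rule>
</group>
"""


def wrap(text: str) -> str:
    """Enclose a multi-root OSSEC file in a single root element.

    An XML declaration is only legal at the very start of a document, so a
    leading one is dropped before wrapping; comments before the first element
    are fine inside the wrapper and are kept.
    """
    body = _XML_DECL.sub("", text, count=1)
    return f"<{WRAPPER}>{body}</{WRAPPER}>"


def parse_rule_file(text: str) -> ET.Element:
    """Parse with a standards-conforming parser; the returned wrapper element's
    children are the file's original top-level elements (<var>, <group>, ...).
    Comments are kept in the tree so an editor can write them back unchanged."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(wrap(text), parser=parser)


def serialize_rule_file(root: ET.Element) -> str:
    """Reverse of parse_rule_file: emit the children one after another, without
    the wrapper, which is the multi-root form OSSEC's own os_xml accepts."""
    return (root.text or "") + "".join(
        ET.tostring(child, encoding="unicode") for child in root
    )


def resolve_variables(root: ET.Element) -> ET.Element:
    """Approximation of OS_ApplyVariables, for a read-only resolved view.

    Top-level <var name="X">value</var> definitions are collected and removed,
    then every $X in element text is replaced by the value. Unknown names are
    left untouched. Works on a copy so the editable tree keeps its <var> elements.
    """
    tree = copy.deepcopy(root)
    variables = {}
    for var in list(tree.findall("var")):
        variables[var.get("name")] = var.text or ""
        tree.remove(var)

    def substitute(match):
        return variables.get(match.group(1), match.group(0))

    for elem in tree.iter():
        if not isinstance(elem.tag, str):      # skip comments / processing instructions
            continue
        if elem.text and "$" in elem.text:
            elem.text = _VAR_REF.sub(substitute, elem.text)
    return tree


if __name__ == "__main__":
    root = parse_rule_file(SAMPLE)
    print("top-level elements:", [c.tag for c in root if isinstance(c.tag, str)])
    resolved = resolve_variables(root)
    print("resolved match:", resolved.find("group/rule/match").text)
    print(serialize_rule_file(root))
```

The editable tree keeps the <var> elements and comments intact, so a round trip through parse_rule_file and serialize_rule_file reproduces the multi-root file OSSEC expects; the resolved copy is only for showing what the regex in a rule will be after OS_ApplyVariables runs.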




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.