PHPackages directory entry, category: [Security](/categories/security)

fpoirotte/idmef
===============

IDMEF library for PHP

v1.0.0 (released 6 years ago), MIT license, PHP >=7.1, [1 open PR](https://github.com/fpoirotte/php-idmef/pulls), CI failing.

Listed since May 5, last pushed 4 months ago, 1 watcher.

[Source](https://github.com/fpoirotte/php-idmef) | [Packagist](https://packagist.org/packages/fpoirotte/idmef) | [Docs](https://github.com/fpoirotte/php-idmef) | [RSS](/packages/fpoirotte-idmef/feed) (synced 3 weeks ago)

Dependencies: 2. Versions: 4. Used by: 0.

PHP-IDMEF
=========


Introduction
------------


This repository contains a PHP library implementing the Intrusion Detection Message Exchange Format (IDMEF) defined in [RFC 4765](https://tools.ietf.org/html/rfc4765).

It supports all the classes and attributes defined in the RFC, supports XML serialization/unserialization and also includes code to send alerts generated using IDMEF to [Prelude SIEM](https://www.prelude-siem.org/).

Prerequisites
-------------


For basic usage, you only need the following dependencies:

- The [Composer](https://getcomposer.org/) dependency manager
- PHP >= 7.4
- the PHP `DOM` extension
- the PHP `Filter` extension

Additional features require additional dependencies. To use XML serialization/unserialization, you will also need:

- the PHP `XMLReader` extension
- the PHP `XMLWriter` extension

To send alerts to Prelude SIEM, you will need:

- the PHP `FFI` extension

Installation
------------


Use Composer to add the library to your project's requirements:

```shell
$ php /path/to/composer.phar require fpoirotte/idmef
```

Usage
-----


### IDMEF messages


#### A few words about IDMEF paths


To make working with IDMEF messages easier, this library implements the same concept of "IDMEF paths" as Prelude SIEM, exposed through a `getIterator()` method (more on that later).

The library also supports direct access to attributes using getters and setters (read on for more information).

When returning an attribute's path through the `getName()` method, the library always uses the official class/attribute names defined in the IDMEF RFC, such as `Alert.CorrelationAlert.name`.

However, when setting an IDMEF message's attributes, you may also use Prelude SIEM's IDMEF paths, such as `alert.correlation_alert.name`. A list of valid paths recognized by both Prelude SIEM and this library can be found on the [SECEF website](https://redmine.secef.net/projects/secef/wiki/LibPrelude_IDMEF_path).

When using getters/setters, a similar approach is taken, but with a few caveats:

- PHP's object operator (`->`) is used instead of a dot (`.`) to separate the various parts of the IDMEF path.

    Hence, to retrieve the value for the `Alert.CorrelationAlert.name` path inside an IDMEF object, use `$name = $alert->CorrelationAlert->name`. Prelude's path names (`$alert->correlation_alert->name`) are also supported.
- PHP's array operator (`[]`) is used to access entries inside a list, instead of Prelude's list access operator (`()`).

    Like Prelude SIEM, this library also supports negative list indices. Therefore, to retrieve the name of the last source node using the getters, the following call may be used: `$name = $alert->source[-1]->node->name;`. Compare this to Prelude's paths: `alert.source(-1).node.name`.
- Prelude SIEM's prepend (`<<`) and append (`>>`) operators can be used as list keys. As a result, the following call appends a new source node to the alert and gives it a name: `$alert->source['>>']->node->name = "foo";`.
- PHP's array operator may also be used to append a new entry to a list. Therefore, calling `$alert->source[]->node->name = "foo";` is functionally identical to calling `$alert->source['>>']->node->name = "foo";`.

As is the case with Prelude SIEM, this library indexes IDMEF lists starting from 0. So, `$alert->source[0]` refers to the first source in the alert.

Last but not least, there is one noticeable difference between this library's path implementation and Prelude SIEM's paths, involving the `Analyzer` class. The RFC states that analyzers can be chained using a recursive definition (`Alert.Analyzer`, `Alert.Analyzer.Analyzer`, ...). To make working with chained analyzers easier, Prelude SIEM represents them as a list (`alert.analyzer(0)`, `alert.analyzer(1)`, ...). To stay as close to the IDMEF RFC as possible, this library uses the recursive approach to represent chained analyzers. However, parts of the API may also implement Prelude SIEM's notation for them, so your mileage may vary.

#### Data types


The library automatically converts values to their expected type whenever it is possible. It will also convert PHP types to their IDMEF counterparts automatically.

Therefore, it is possible to pass a string value representing an integer to an attribute that expects an IDMEF integer:

```php
// Import a few symbols
use \fpoirotte\IDMEF\Types\IntegerType;
use \fpoirotte\IDMEF\Types\StringType;

// The following statements are okay:
$alert->OverflowAlert->size = new IntegerType(42);  // IDMEF integer object
$alert->OverflowAlert->size = 42;                   // PHP integer
$alert->OverflowAlert->size = '42';                 // IDMEF integer value (decimal string)
$alert->OverflowAlert->size = '0x2A';               // IDMEF (hexadecimal) integer value

// The following statements will throw an exception:
$alert->OverflowAlert->size = new StringType('42'); // The "size" attribute is an integer, not a string
$alert->OverflowAlert->size = 42.0;                 // A floating-point value is not an integer either
$alert->OverflowAlert->size = '';                   // Invalid integer (value is missing)
$alert->OverflowAlert->size = '0x';                 // Invalid integer (hexadecimal number missing a value)
$alert->OverflowAlert->size = '2A';                 // Invalid integer (possibly a hexadecimal number missing the prefix,
                                                    // or trailing data after the intended number)
```

However, this is only true when the expected type is known in advance. Where it is not (e.g. for additional data), the library still attempts to convert the value automatically, but you may have to set the type explicitly.

The following table shows how native PHP types are converted into their IDMEF counterparts.
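The following is an added example, not code from the php-idmef README, tying together the path syntax described above (official and Prelude-style names, appending with `[]` and `'>>'`, negative indices) with the type coercion just described. It assumes the alert class is `\fpoirotte\IDMEF\Classes\Alert` with a no-argument constructor (check the library's `src` directory for the actual name), that the Composer autoloader from the installation step is available, and that a rejected value raises an `\Exception` subclass, as the README's "will throw an exception" wording implies. The event array is constructed sample input.

```php
<?php
// Added example; not part of the php-idmef README.
// Assumptions: the alert class below exists with this name and a no-argument
// constructor, and rejected attribute values raise an \Exception subclass.
require __DIR__ . '/vendor/autoload.php';

use \fpoirotte\IDMEF\Classes\Alert;          // assumed class name
use \fpoirotte\IDMEF\Types\IntegerType;

/**
 * Build an IDMEF alert from a constructed detection event.
 * Official RFC names and Prelude-style names are mixed on purpose,
 * since the README says both spellings are accepted by the setters.
 */
function buildAlert(array $event): Alert
{
    $alert = new Alert();

    // Official class/attribute names (Alert.Analyzer.name, Alert.Classification.text).
    $alert->Analyzer->name = $event['sensor'];
    $alert->Classification->text = $event['classification'];

    // Prelude-style name, [] appends a new Target entry (alert.target(>>).node.name).
    $alert->target[]->node->name = $event['target'];

    // '>>' appends a Source; Address is itself a list, so [] appends an entry to it.
    foreach ($event['sources'] as $ip) {
        $alert->source['>>']->node->address[]->address = $ip;
    }
    return $alert;
}

/**
 * Copy an untrusted size string into Alert.OverflowAlert.size and let the
 * IDMEF integer type validate it: '42' and '0x2A' are accepted, while
 * '', '0x', '2A' and 42.0 are refused (see the README's list above).
 * Returns true when the value was accepted, false when it was rejected,
 * leaving the attribute untouched rather than storing a guessed value.
 */
function setOverflowSize(Alert $alert, $rawSize): bool
{
    try {
        $alert->OverflowAlert->size = $rawSize;
        return true;
    } catch (\Exception $e) {
        error_log('rejected OverflowAlert.size value: ' . var_export($rawSize, true));
        return false;
    }
}

// Constructed sample event, as a sensor's log parser might emit it.
$event = [
    'sensor'         => 'example-ids',
    'classification' => 'Buffer overflow attempt',
    'target'         => 'web01.example.internal',
    'sources'        => ['192.0.2.10', '192.0.2.11'],
];

$alert = buildAlert($event);

// Negative indices count from the end of a list: the last source appended.
echo $alert->source[-1]->node->address[0]->address, PHP_EOL;

var_dump(setOverflowSize($alert, '0x2A'));  // hexadecimal literal, should be accepted
var_dump(setOverflowSize($alert, '2A'));    // prefix missing, should be rejected
var_dump($alert->OverflowAlert->size instanceof IntegerType);
```

Per the README's rules, the first `setOverflowSize` call succeeds and stores an `IntegerType`, the second fails and leaves that stored value in place, and the `echo` prints the second source address. Doing the coercion through the typed attribute, rather than casting with `(int)` beforehand, is what makes malformed sensor input surface as an exception instead of silently becoming `0`.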

PHP-type to IDMEF-type conversion table:

| PHP type | IDMEF type |
|---|---|
| `boolean` | boolean (`\fpoirotte\IDMEF\Types\BooleanType`) |
| `integer` | integer (`\fpoirotte\IDMEF\Types\IntegerType`) |
| `string` | string (`\fpoirotte\IDMEF\Types\StringType`) |
| `float` | real number (`\fpoirotte\IDMEF\Types\RealType`) |
| `\DateTimeInterface` and its derivatives | date-time (`\fpoirotte\IDMEF\Types\DateTimeType`) |
| `\DOMNode` | xmltext (`\fpoirotte\IDMEF\Types\XmltextType`) |
| `\SimpleXMLElement` | xmltext (`\fpoirotte\IDMEF\Types\XmltextType`) |
| `\XMLWriter` | xmltext (`\fpoirotte\IDMEF\Types\XmltextType`) |
| `\fpoirotte\IDMEF\Types\AbstractType` and its derivatives | *unchanged* |
| *any other value* | *throws an exception* |

The following types must be managed manually when used in additional data:

- `\fpoirotte\IDMEF\Types\ByteType`
- `\fpoirotte\IDMEF\Types\ByteStringType`
- `\fpoirotte\IDMEF\Types\CharacterType`
- `\fpoirotte\IDMEF\Types\NtpstampType`
- `\fpoirotte\IDMEF\Types\PortlistType`

#### IDMEF message manipulation


The following example shows how to create an alert, set some of its attributes, and then work with the resulting message.

```
