Quantcast

Describing CEE Event requirements with XML Schema

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Describing CEE Event requirements with XML Schema

heinbockel
To get all of you up to speed,

Right now, we are on track to have the next version of the CEE
specifications release within the next two weeks.
We are trying to work out some final kinks and will be soliciting your
feedback in preparation.


I am working with some folks at RedHat to allow for the next release of the
CEE specifications to allow for the expression of custom CEE Profile event
requirements using XML Schema instead of the awkward v0.6 CEE Profile XML
format. Doing this allows many benefits, including a more slimmed down
Profile specification and interoperability with XML tools and validation
capabilities (e.g., JAXB, generateDS).

This will also allow users/vendors to define their own event profiles using
XML Schema. One thing that CEE will strictly enforce is that users will only
be allowed to add fields as simpleType element -- right now, no additional
nesting will be permitted.

After thorough testing, the only apparent affects to CEE include changes to
the CEE XML format as well as the addition of one layer to the CEE Record to
handle the user-defined profile data.


<CEE>
  <Event>
    <p_proc>proc1</p_proc>
    <p_sys>host.vendor.com</p_sys>
    <time>2012-01-18T05:55:12.4321-05:00</time>
    <Profile>
      <CustomProfile>
        <schema>http://vendor.com/events/cee-profile.xsd</schema>
        <new_field>a string value</new_field>
        <new_val>1234</new_val>
        <product_host>source.example.com</product_host>
      </CustomProfile>
    </Profile>
  </Event>
</CEE>

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615



smime.p7s (4K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Describing CEE Event requirements with XML Schema

STOECKP
Bill,

Since the next version of the CEE specification is being considered a
question has come up:

The current base profile does not seem allow you to define a FieldType that
is an unsigned 64 bit integer. The IntegerRestriction element derives from
the integerFacets which is limited to types of xs:long (64 bit signed) which
means the MaxValue element will reject fields that have a type of unsigned
64 bit integer.  Was this an oversight?

Regards,

Paul



-----Original Message-----
From: Heinbockel, Bill [mailto:[hidden email]]
Sent: Tuesday, January 24, 2012 4:57 PM
To: [hidden email]
Subject: [CEE-DISCUSSION-LIST] Describing CEE Event requirements with XML
Schema

To get all of you up to speed,

Right now, we are on track to have the next version of the CEE
specifications release within the next two weeks.
We are trying to work out some final kinks and will be soliciting your
feedback in preparation.


I am working with some folks at RedHat to allow for the next release of the
CEE specifications to allow for the expression of custom CEE Profile event
requirements using XML Schema instead of the awkward v0.6 CEE Profile XML
format. Doing this allows many benefits, including a more slimmed down
Profile specification and interoperability with XML tools and validation
capabilities (e.g., JAXB, generateDS).

This will also allow users/vendors to define their own event profiles using
XML Schema. One thing that CEE will strictly enforce is that users will only
be allowed to add fields as simpleType element -- right now, no additional
nesting will be permitted.

After thorough testing, the only apparent affects to CEE include changes to
the CEE XML format as well as the addition of one layer to the CEE Record to
handle the user-defined profile data.


<CEE>
  <Event>
    <p_proc>proc1</p_proc>
    <p_sys>host.vendor.com</p_sys>
    <time>2012-01-18T05:55:12.4321-05:00</time>
    <Profile>
      <CustomProfile>
        <schema>http://vendor.com/events/cee-profile.xsd</schema>
        <new_field>a string value</new_field>
        <new_val>1234</new_val>
        <product_host>source.example.com</product_host>
      </CustomProfile>
    </Profile>
  </Event>
</CEE>

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615



smime.p7s (9K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Describing CEE Event requirements with XML Schema

heinbockel
There is an issue when dealing with 64-bit integers when it comes to
cross-platform and cross-language compatibilities.

For example, many JSON parsers are built using a double to represent all
numbers. This limits precision of integers to somewhere around 50-bits.

Originally, the unsigned 64-bit integer was excluded so that all integers
would fit in a signed 64-bit int. I am looking into relaxing this
restriction to allow unsigned 64-bit integers to be used.

William Heinbockel
The MITRE Corporation


>-----Original Message-----
>From: [hidden email] [mailto:[hidden email]]
>Sent: Wednesday, 25 January, 2012 23:32
>To: Heinbockel, Bill; cee-discussion-list CEE-Related Discussion
>Subject: RE: Describing CEE Event requirements with XML Schema
>
>Bill,
>
>Since the next version of the CEE specification is being considered a
>question has come up:
>
>The current base profile does not seem allow you to define a FieldType that
>is an unsigned 64 bit integer. The IntegerRestriction element derives from
>the integerFacets which is limited to types of xs:long (64 bit signed)
>which
>means the MaxValue element will reject fields that have a type of unsigned
>64 bit integer.  Was this an oversight?
>
>Regards,
>
>Paul
>
>
>
>-----Original Message-----
>From: Heinbockel, Bill [mailto:[hidden email]]
>Sent: Tuesday, January 24, 2012 4:57 PM
>To: [hidden email]
>Subject: [CEE-DISCUSSION-LIST] Describing CEE Event requirements with XML
>Schema
>
>To get all of you up to speed,
>
>Right now, we are on track to have the next version of the CEE
>specifications release within the next two weeks.
>We are trying to work out some final kinks and will be soliciting your
>feedback in preparation.
>
>
>I am working with some folks at RedHat to allow for the next release of the
>CEE specifications to allow for the expression of custom CEE Profile event
>requirements using XML Schema instead of the awkward v0.6 CEE Profile XML
>format. Doing this allows many benefits, including a more slimmed down
>Profile specification and interoperability with XML tools and validation
>capabilities (e.g., JAXB, generateDS).
>
>This will also allow users/vendors to define their own event profiles using
>XML Schema. One thing that CEE will strictly enforce is that users will
>only
>be allowed to add fields as simpleType element -- right now, no additional
>nesting will be permitted.
>
>After thorough testing, the only apparent affects to CEE include changes to
>the CEE XML format as well as the addition of one layer to the CEE Record
>to
>handle the user-defined profile data.
>
>
><CEE>
>  <Event>
>    <p_proc>proc1</p_proc>
>    <p_sys>host.vendor.com</p_sys>
>    <time>2012-01-18T05:55:12.4321-05:00</time>
>    <Profile>
>      <CustomProfile>
>        <schema>http://vendor.com/events/cee-profile.xsd</schema>
>        <new_field>a string value</new_field>
>        <new_val>1234</new_val>
>        <product_host>source.example.com</product_host>
>      </CustomProfile>
>    </Profile>
>  </Event>
></CEE>
>
>William Heinbockel
>Infosec Engineer, Sr.
>The MITRE Corporation
>202 Burlington Rd. MS S145
>Bedford, MA 01730
>[hidden email]
>781-271-2615
>


smime.p7s (4K) Download Attachment
Loading...