Exemple #1
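 /**
  * Round-trip test: parse the bundled IODEF fixture with Reader, spot-check
  * the parsed object tree, then serialise it again with Writer and compare
  * the output against the fixture.
  *
  * Only the trusted local fixture iodef.xml is parsed here. How Reader
  * behaves on hostile input (DOCTYPE declarations, external entities,
  * oversized documents) is not exercised by this test.
  */
 public function testReader()
 {
     $xml = file_get_contents(__DIR__ . '/iodef.xml');
     // file_get_contents() returns false on failure; fail with a clear message
     // instead of handing false to the parser.
     $this->assertNotFalse($xml, 'Could not read fixture iodef.xml');
     $XMLDoc = new Marknl\Iodef\Reader($xml);
     $iodef_read = $XMLDoc->parse();
     $incident = $iodef_read['value']->Incident[0];
     // The value for the 'action' attribute is expected to be 'investigate'.
     $expectation_attributes = $incident->EventData[0]->Expectation[0]->getAttributes();
     $this->assertEquals('investigate', $expectation_attributes['action']);
     // This object has required attributes.
     // NOTE(review): assertObjectHasAttribute() was removed in PHPUnit 10.
     $this->assertObjectHasAttribute('attributes', $incident);
     // IncidentID should have this value. assertEquals() compares loosely, so
     // the numeric string '908711' passes as well as the integer.
     $this->assertEquals(908711, $incident->IncidentID->value);
     // There should be 2 reference entries.
     $this->assertCount(2, $incident->Method[0]->Reference);
     // This object MUST have a value.
     $this->assertObjectHasAttribute('value', $incident->ReportTime);
     // Serialise the parsed tree back to XML.
     $iodef_write = new Marknl\Iodef\Writer();
     $iodef_write->write([['name' => 'IODEF-Document', 'attributes' => $iodef_read['value']->getAttributes(), 'value' => $iodef_read['value']]]);
     // Reuse the fixture text already read above rather than reading the file twice.
     $expected = new DOMDocument();
     $this->assertTrue($expected->loadXML($xml), 'Fixture iodef.xml is not well-formed XML');
     $actual = new DOMDocument();
     $this->assertTrue($actual->loadXML($iodef_write->outputMemory()), 'Writer output is not well-formed XML');
     // documentElement is the root element even when a comment or processing
     // instruction precedes it; firstChild would return that leading node.
     // assertEqualXMLStructure() compares element names, child counts and
     // (third argument true) attribute names. It does not compare text content
     // or attribute values, so a changed IncidentID or address still passes.
     // NOTE(review): assertEqualXMLStructure() was removed in PHPUnit 10.
     $this->assertEqualXMLStructure($expected->documentElement, $actual->documentElement, true);
 }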
Exemple #2
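 /**
  * Builds a complete IODEF incident report element by element, serialises it
  * with Writer and compares the result against the fixture iodef.xml.
  *
  * The order of the addChild() calls is significant: it determines the order
  * of the elements in the generated XML.
  *
  * The final assertion checks structure only (see the comment there), so the
  * values set below are not verified against the fixture.
  */
 public function testWriter()
 {
     $Document = new Marknl\Iodef\Elements\IODEFDocument();

     // Incident header: purpose, identifier, report time, free-text description.
     $Incident = new Marknl\Iodef\Elements\Incident();
     $Incident->setAttributes(['purpose' => 'mitigation']);
     $IncidentID = new Marknl\Iodef\Elements\IncidentID();
     $IncidentID->setAttributes(['name' => 'csirt.example.com']);
     $IncidentID->value('908711');
     $Incident->addChild($IncidentID);
     $ReportTime = new Marknl\Iodef\Elements\ReportTime();
     $ReportTime->value('2006-06-08T05:44:53-05:00');
     $Incident->addChild($ReportTime);
     $Description = new Marknl\Iodef\Elements\Description();
     $Description->value('Large bot-net');
     $Incident->addChild($Description);

     // Assessment: a single Impact element carrying type, severity and completion.
     $Assessment = new Marknl\Iodef\Elements\Assessment();
     $Impact = new Marknl\Iodef\Elements\Impact();
     $Impact->setAttributes(['type' => 'dos', 'severity' => 'high', 'completion' => 'succeeded']);
     $Assessment->addChild($Impact);
     $Incident->addChild($Assessment);

     // Method: two Reference entries. The first has only a name; the second
     // adds an advisory URL and a description.
     $Method = new Marknl\Iodef\Elements\Method();
     $Reference = new Marknl\Iodef\Elements\Reference();
     $ReferenceName = new Marknl\Iodef\Elements\ReferenceName();
     $ReferenceName->value('GT Bot');
     $Reference->addChild($ReferenceName);
     $Method->addChild($Reference);
     $Reference = new Marknl\Iodef\Elements\Reference();
     $ReferenceName = new Marknl\Iodef\Elements\ReferenceName();
     $ReferenceName->value('CA-2003-22');
     $Reference->addChild($ReferenceName);
     $URL = new Marknl\Iodef\Elements\URL();
     $URL->value('http://www.cert.org/advisories/CA-2003-22.html');
     $Reference->addChild($URL);
     $Description = new Marknl\Iodef\Elements\Description();
     $Description->value('Root compromise via this IE vulnerability to install the GT Bot');
     $Reference->addChild($Description);
     $Method->addChild($Reference);
     $Incident->addChild($Method);

     // Contact: the reporting incident-response team member.
     $Contact = new Marknl\Iodef\Elements\Contact();
     $Contact->setAttributes(['role' => 'irt', 'type' => 'person']);
     $ContactName = new Marknl\Iodef\Elements\ContactName();
     $ContactName->value('Joe Smith');
     $Contact->addChild($ContactName);
     $Email = new Marknl\Iodef\Elements\Email();
     // NOTE(review): this address looks masked; the structure-only comparison
     // at the end of the test does not depend on its value.
     $Email->value('*****@*****.**');
     $Contact->addChild($Email);
     $Incident->addChild($Contact);

     // EventData: description, two Flow elements and the requested Expectation.
     $EventData = new Marknl\Iodef\Elements\EventData();
     $Description = new Marknl\Iodef\Elements\Description();
     $Description->value('These hosts are compromised and acting as bots communicating with irc.example.com.');
     $EventData->addChild($Description);

     // First flow: the source system. 192.0.2.0/24 is a documentation-only
     // address range, so no real host is named.
     $Flow = new Marknl\Iodef\Elements\Flow();
     $System = new Marknl\Iodef\Elements\System();
     $System->setAttributes(['category' => 'source']);
     $Node = new Marknl\Iodef\Elements\Node();
     $Address = new Marknl\Iodef\Elements\Address();
     $Address->setAttributes(['category' => 'ipv4-addr']);
     $Address->value('192.0.2.3');
     $Node->addChild($Address);
     $System->addChild($Node);
     $Counter = new Marknl\Iodef\Elements\Counter();
     $Counter->setAttributes(['type' => 'byte', 'duration' => 'second']);
     $Counter->value(250000);
     $System->addChild($Counter);
     $Description = new Marknl\Iodef\Elements\Description();
     $Description->value('Sample description for this contact.');
     $System->addChild($Description);
     $Flow->addChild($System);
     $EventData->addChild($Flow);

     // Second flow: the intermediate system (the IRC server), with node name,
     // address and observation time.
     $Flow = new Marknl\Iodef\Elements\Flow();
     $System = new Marknl\Iodef\Elements\System();
     $System->setAttributes(['category' => 'intermediate']);
     $Node = new Marknl\Iodef\Elements\Node();
     $NodeName = new Marknl\Iodef\Elements\NodeName();
     $NodeName->value('irc.example.com');
     $Node->addChild($NodeName);
     $Address = new Marknl\Iodef\Elements\Address();
     $Address->setAttributes(['category' => 'ipv4-addr']);
     $Address->value('192.0.2.20');
     $Node->addChild($Address);
     $DateTime = new Marknl\Iodef\Elements\DateTime();
     $DateTime->value('2006-06-08T01:01:03-05:00');
     $Node->addChild($DateTime);
     $System->addChild($Node);
     $Description = new Marknl\Iodef\Elements\Description();
     $Description->value('IRC server on #give-me-cmd channel');
     $System->addChild($Description);
     $Flow->addChild($System);
     $EventData->addChild($Flow);

     // Expectation: the action requested from the recipient of the report.
     $Expectation = new Marknl\Iodef\Elements\Expectation();
     $Expectation->setAttributes(['action' => 'investigate']);
     $Description = new Marknl\Iodef\Elements\Description();
     $Description->value('Confirm the source and take machines off-line and remediate');
     $Expectation->addChild($Description);
     $EventData->addChild($Expectation);
     $Incident->addChild($EventData);
     $Document->addChild($Incident);

     // Serialise the tree and compare it with the fixture.
     $iodef = new Marknl\Iodef\Writer();
     $iodef->write([['name' => 'IODEF-Document', 'attributes' => $Document->getAttributes(), 'value' => $Document]]);
     $fixture = file_get_contents(__DIR__ . '/iodef.xml');
     // file_get_contents() returns false on failure; report that directly
     // rather than letting loadXML() fail on a non-string.
     $this->assertNotFalse($fixture, 'Could not read fixture iodef.xml');
     $expected = new DOMDocument();
     $this->assertTrue($expected->loadXML($fixture), 'Fixture iodef.xml is not well-formed XML');
     $actual = new DOMDocument();
     $this->assertTrue($actual->loadXML($iodef->outputMemory()), 'Writer output is not well-formed XML');
     // documentElement is the root element even when a comment or processing
     // instruction precedes it; firstChild would return that leading node.
     // assertEqualXMLStructure() compares element names, child counts and
     // (third argument true) attribute names. It does not compare text content
     // or attribute values, so a wrong address, timestamp or severity written
     // by Writer is not detected here.
     // NOTE(review): assertEqualXMLStructure() was removed in PHPUnit 10.
     $this->assertEqualXMLStructure($expected->documentElement, $actual->documentElement, true);
 }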