XML Flex Connector generates identical events

Hello,

I'm trying to create an XML Flex Connector for the NIST Vulnerability data feed (especially for the CVSS data in it) and I'm stuck in an odd Connector behaviour: the file is parsed and events are generated, but all events are identical. The token data is extracted from the first XML trigger node, and it's like the parser does not reset the token values for each trigger node and does not read the token values from each node.

Sample XML (2 nodes, simplified) from the file available at: http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-recent.xml

<?xml version='1.0' encoding='UTF-8'?>
<nvd xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:patch="http://scap.nist.gov/schema/patch/0.1" xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0" xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4" xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1" pub_date="2011-11-01T01:00:00" nvd_xml_version="2.0" xsi:schemaLocation="http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd">
  <entry id="CVE-2009-0900">
    <vuln:cve-id>CVE-2009-0900</vuln:cve-id>
    <vuln:cvss>
      <cvss:base_metrics>
        <cvss:score>4.1</cvss:score>
        <cvss:access-vector>LOCAL</cvss:access-vector>
        <cvss:access-complexity>MEDIUM</cvss:access-complexity>
        <cvss:authentication>SINGLE_INSTANCE</cvss:authentication>
        <cvss:confidentiality-impact>PARTIAL</cvss:confidentiality-impact>
        <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
        <cvss:availability-impact>PARTIAL</cvss:availability-impact>
        <cvss:source>http://nvd.nist.gov</cvss:source>
        <cvss:generated-on-datetime>2011-10-31T10:31:00.000-04:00</cvss:generated-on-datetime>
      </cvss:base_metrics>
    </vuln:cvss>
  </entry>
  <entry id="CVE-2009-0905">
    <vuln:cve-id>CVE-2009-0905</vuln:cve-id>
    <vuln:cvss>
      <cvss:base_metrics>
        <cvss:score>1.7</cvss:score>
        <cvss:access-vector>LOCAL</cvss:access-vector>
        <cvss:access-complexity>LOW</cvss:access-complexity>
        <cvss:authentication>SINGLE_INSTANCE</cvss:authentication>
        <cvss:confidentiality-impact>NONE</cvss:confidentiality-impact>
        <cvss:integrity-impact>PARTIAL</cvss:integrity-impact>
        <cvss:availability-impact>NONE</cvss:availability-impact>
        <cvss:source>http://nvd.nist.gov</cvss:source>
        <cvss:generated-on-datetime>2011-10-31T10:52:00.000-04:00</cvss:generated-on-datetime>
      </cvss:base_metrics>
    </vuln:cvss>
  </entry>

</nvd>

For testing, I just want to extract the CVSS Score and CVE ID:

namespace.count=8

namespace[0].prefix=default
namespace[0].uri=http://scap.nist.gov/schema/feed/vulnerability/2.0

namespace[1].prefix=xsi
namespace[1].uri=http://www.w3.org/2001/XMLSchema-instance

namespace[2].prefix=schemaLocation
namespace[2].uri=http://scap.nist.gov/schema/patch/0.1 http://nvd.nist.gov/schema/patch_0.1.xsd http://scap.nist.gov/schema/scap-core/0.1 http://nvd.nist.gov/schema/scap-core_0.1.xsd http://scap.nist.gov/schema/feed/vulnerability/2.0 http://nvd.nist.gov/schema/nvd-cve-feed_2.0.xsd

namespace[3].prefix=cpe-lang
namespace[3].uri=http://cpe.mitre.org/language/2.0

namespace[4].prefix=cvss
namespace[4].uri=http://scap.nist.gov/schema/cvss-v2/0.2

namespace[5].prefix=patch
namespace[5].uri=http://scap.nist.gov/schema/patch/0.1

namespace[6].prefix=vuln
namespace[6].uri=http://scap.nist.gov/schema/vulnerability/0.4

namespace[7].prefix=scap-core
namespace[7].uri=http://scap.nist.gov/schema/scap-core/0.1


trigger.node.expression=/nvd/entry

token.count=2

token[0].name=CVE_ID
token[0].expression=/nvd/entry/vuln:cve-id

token[1].name=cvss_score
token[1].expression=/nvd/entry/vuln:cvss/cvss:base_metrics/cvss:score


event.name=CVE_ID
event.deviceSeverity=__split(cvss_score,".","1")

event.deviceCustomNumber1=__safeToRoundedLong(cvss_score)
event.deviceCustomNumber1Label=__stringConstant("CVSS-Score")


event.deviceProduct=__stringConstant("CVSS-CPE")
event.deviceVendor=__stringConstant("NVD")
   
severity.map.high.if.deviceSeverity=7,8,9,10
severity.map.medium.if.deviceSeverity=4,5,6
severity.map.low.if.deviceSeverity=0,1,2,3

After running that, I end up with 2 events having identical values for the fields which were mapped to tokens, like event.name=CVE-2009-0900 for both events.

Anybody encountered this behaviour?

Thank you,

Dragos.
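The difference between an absolute and a relative token expression, as an added example using Python's ElementTree (not the poster's connector and not ArcSight code). It assumes the connector evaluates each token expression with the current trigger node (/nvd/entry) as the XPath context node; under that assumption an absolute expression always resolves from the document root and returns the first entry's values for every trigger node, which matches the reported symptom.

```python
import xml.etree.ElementTree as ET

# Prefix -> URI map for the namespaces used by the sample feed. The feed's
# default namespace is bound to the prefix "feed" here because ElementTree
# has no notion of a default namespace in path expressions.
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2",
}

# Constructed two-entry feed in the shape of the poster's sample (reduced).
SAMPLE_XML = """<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2009-0900">
    <vuln:cve-id>CVE-2009-0900</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>4.1</cvss:score></cvss:base_metrics></vuln:cvss>
  </entry>
  <entry id="CVE-2009-0905">
    <vuln:cve-id>CVE-2009-0905</vuln:cve-id>
    <vuln:cvss><cvss:base_metrics><cvss:score>1.7</cvss:score></cvss:base_metrics></vuln:cvss>
  </entry>
</nvd>"""

# The poster's expressions (/nvd/entry/...) translated to ElementTree form:
# ElementTree's root *is* the <nvd> element, so "/nvd/entry" becomes "./feed:entry".
TOKENS_ABSOLUTE = {
    "CVE_ID": "./feed:entry/vuln:cve-id",
    "cvss_score": "./feed:entry/vuln:cvss/cvss:base_metrics/cvss:score",
}
# The same tokens written relative to the trigger node (<entry>).
TOKENS_RELATIVE = {
    "CVE_ID": "./vuln:cve-id",
    "cvss_score": "./vuln:cvss/cvss:base_metrics/cvss:score",
}


def extract_events(xml_text, tokens, relative):
    """Return one dict of token values per trigger node (/nvd/entry).

    relative=False mimics an absolute expression: it is resolved from the
    document root regardless of which entry is the current trigger node.
    relative=True resolves each expression against the current entry.
    """
    root = ET.fromstring(xml_text)
    events = []
    for entry in root.findall("./feed:entry", NS):
        context = entry if relative else root
        events.append({name: context.findtext(expr, namespaces=NS)
                       for name, expr in tokens.items()})
    return events


if __name__ == "__main__":
    print("absolute:", extract_events(SAMPLE_XML, TOKENS_ABSOLUTE, relative=False))
    print("relative:", extract_events(SAMPLE_XML, TOKENS_RELATIVE, relative=True))
```

With the absolute expressions both events carry CVE-2009-0900 and 4.1; with the relative ones each entry yields its own CVE ID and score.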
