File Coverage

blib/lib/XML/IODEF/PhraudReport.pm
Criterion Covered Total %
statement 18 25 72.0
branch n/a
condition 0 3 0.0
subroutine 6 7 85.7
pod 0 1 0.0
total 24 36 66.6


line stmt bran cond sub pod time code
1             package XML::IODEF::PhraudReport;
2 1     1   38314 use base qw(XML::IODEF);
  1         3  
  1         933  
3              
4 1     1   7 use strict;
  1         2  
  1         38  
5 1     1   6 use warnings;
  1         14  
  1         62  
6              
our $VERSION = '0.01';

# Status note for anyone reading the source: this is a very rough first cut.
# Judged against the examples available to the author it follows the RFC in
# most respects, but it must be tested before it is used in production.
# Treat it as ALPHA code until this notice is removed. Bug reports are welcome.

# Content-model markers used in the extension DTD table built by new().
use constant {
    ANY    => "ANY",
    PCDATA => "PCDATA",
    EMPTY  => "EMPTY",
};
16              
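# Construct an IODEF document object that also knows the PhraudReport
# extension elements.
#
# All arguments are passed unchanged to XML::IODEF->new; the object it returns
# is re-blessed into the calling class (or the class of the calling object).
# The extension table below is then handed to XML::IODEF::extend_dtd with
# 'IODEF-Document' as the second argument, and the object is returned.
#
# Each entry of the table is keyed by element name and may carry:
#   ATTRIBUTES - attribute name => list of listed values
#   CONTENT    - one of the ANY / PCDATA constants
#   CHILDREN   - child element names, each with a one-character prefix
#                ("?", "*", "+" or "1"); presumably an occurrence marker
#                in the DTD sense -- confirm against XML::IODEF.
#
# NOTE(review): extend_dtd is called as a plain package function on every
# construction, so it presumably updates state shared by all XML::IODEF
# objects in the process -- confirm against XML::IODEF before relying on
# per-object isolation.
sub new {
    my $proto = shift;
    my $class = ref($proto) || $proto;

    my $self = XML::IODEF->new(@_);
    bless($self, $class);

    my $ext_dtd = {
        "AdditionalData" => {
            ATTRIBUTES => {
                "restriction" => ["public", "need-to-know", "private", "default"],
                "type"        => ["string", "boolean", "byte", "character", "date-time",
                                  "integer", "ntpstamp", "portlist", "real", "xml"],
                "meaning"     => [],
            },
            CONTENT  => ANY,
            CHILDREN => [ "?PhraudReport" ],
        },
        "PhraudReport" => {
            ATTRIBUTES => {
                "Version"   => ["string"],
                "FraudType" => [ "phishemail", "recruitemail", "malwareemail", "fraudsite", "dnsspoof",
                                 "keylogger", "ole", "im", "cve", "archive" ],
            },
            CHILDREN => [ "?PhishNameRef", "?PhishNameLocalRef", "?FraudParameter", "*FraudedBrandName",
                          "+LureSource", "+OriginatingSensor", "?EmailRecord", "*DCSite", "*TakeDownInfo",
                          "*ArchivedData", "*RelatedData", "*CorrelatedData", "?PRComments" ],
        },
        "FraudParameter" => {
            ATTRIBUTES => { "type" => ["MLStringType"], },
            CONTENT    => PCDATA,
        },
        "PhishNameRef" => {
            ATTRIBUTES => { "type" => ["string"] },
            CONTENT    => PCDATA,
        },
        "PhishNameLocalRef" => {
            ATTRIBUTES => { "type" => ["string"] },
            CONTENT    => PCDATA,
        },
        "FraudedBrandName" => {
            ATTRIBUTES => { "type" => ["string"] },
            CONTENT    => PCDATA,
        },
        "LureSource" => {
            CHILDREN => ["+System", "*DomainData", "?IncludedMalware", "?FilesDownloaded", "?RegistryKeysModified"],
        },
        "OriginatingSensor" => {
            ATTRIBUTES => {
                "OriginatingSensorType" => ["Web", "WebGateway", "MailGateway", "Browser", "ISPsensor",
                                            "Human", "Honeypot", "Other"],
            },
            CHILDREN => ["1DateFirstSeen", "+System"],
        },
        "EmailRecord" => {
            CHILDREN => ["1EmailCount", "?Email", "?Message", "?ARPText", "?EmailComments"],
        },
        "DCSite" => {
            ATTRIBUTES => { "DCSite" => ["web", "email", "keylogger", "automation", "unspecified"] },
            CHILDREN   => ["?SiteURL", "?Domain", "?EmailSite", "?System", "?Unknown", "?DomainData", "?Assessment"],
        },
        "TakeDownInfo" => {
            CHILDREN => ["?TakeDownDate", "*TakeDownAgency", "*TakeDownComments"],
        },
        # FIXME: the key "ArchivedData" is defined a second time in the
        # "## ArchivedData" group further down. In a Perl hash constructor the
        # later entry wins, so the ATTRIBUTES and CHILDREN listed here never
        # reach extend_dtd. Resolving it needs a decision on how the nested
        # "?ArchivedData" child is meant to be named.
        "ArchivedData" => {
            ATTRIBUTES => { "type" => ["collectionsite", "basecamp", "sendersite", "credentialInfo", "unspecified"] },
            CHILDREN   => ["?ArchivedDataURL", "?ArchivedDataComments", "?ArchivedData"],
        },
        "RelatedData"    => { CONTENT => PCDATA },
        "CorrelatedData" => { CONTENT => PCDATA },
        "PRComments"     => { CONTENT => PCDATA },

        # LureSource
        "DomainData" => {
            ATTRIBUTES => {
                # NOTE(review): "fradulent" and "innocent-hakced" look like
                # misspellings. These strings are part of the table passed to
                # extend_dtd, so confirm the intended spelling against the
                # schema document before changing them.
                "SystemStatus" => ["spoofed", "fradulent", "innocent-hakced", "innocent-hijacked", "unknown"],
                "DomainStatus" => ["reservedDelegation", "assignedAndActive", "assignedAndInactive", "assignedAndOnHold",
                                   "revoked", "transferPending", "registryLock", "registrarLock"],
            },
            CHILDREN => ["1Name", "?DateDomainWasChecked", "?RegistrationDate", "?ExpirationDate", "*Nameservers",
                         "*DNSRecord", "*DomainContacts"],
        },

        # IncludedMalware
        "IncludedMalware" => {
            CHILDREN => [ "+Name", "?Hashvalue", "?Data" ],
        },
        "FilesDownloaded"      => { CONTENT => PCDATA },
        "RegistryKeysModified" => {
            CHILDREN => ["+Key"],
        },

        # DomainData
        "Server" => {
            ATTRIBUTES => { "type" => ["MLString"] },
            CONTENT    => PCDATA,
        },

        "DateDomainWasChecked" => {
            ATTRIBUTES => { "type" => ["date-time"] },
            CONTENT    => PCDATA,
        },
        "RegistrationDate" => {
            ATTRIBUTES => { "type" => ["date-time"] },
            CONTENT    => PCDATA,
        },
        "ExpirationDate" => {
            ATTRIBUTES => { "type" => ["date-time"] },
            CONTENT    => PCDATA,
        },
        "Nameservers" => {
            CHILDREN => ["?Server", "+Address"],
        },
        "DNSRecord" => {
            CHILDREN => ["1owner", "1type", "?class", "?ttl", "1rdata"],
        },
        "DomainContacts" => {
            CHILDREN => ["?SameDomainContact", "+DomainContact"],
        },
        "SameDomainContact" => {
            ATTRIBUTES => { "type" => ["DNSNAME"] },
            CONTENT    => PCDATA,
        },
        "DomainContact" => {
            ATTRIBUTES => {
                "restriction" => [ "public", "need-to-know", "private", "default" ],
                "Role"        => [ "registrant", "registrar", "billing", "technical", "administrative",
                                   "legal", "zone", "abuse", "security", "domainOwner",
                                   "ipAddressOwner", "hostingProvider", "other" ],
                # NOTE(review): "fradulent" is spelled the same way as in
                # SystemStatus above; confirm before changing.
                "Confidence"  => [ "known-fradulent", "looks-fradulent", "known-real", "looks-real", "unknown" ],
                "type"        => [ "person", "organization" ],
            },
            CHILDREN => [ "?name", "*Description", "*RegistryHandle", "?PostalAddress",
                          "*Email", "*Telephone", "?Fax", "?Timezone", "*Contact" ],
        },

        # IncludedMalware
        "Hashvalue" => {
            # SHA1 is the only algorithm value listed.
            ATTRIBUTES => { "Algorithm" => ["SHA1"] },
            CONTENT    => PCDATA,
        },
        "Data" => {
            ATTRIBUTES => { "XORPattern" => [] },
            CHILDREN   => [ "?StringData", "?BinaryData" ],
        },

        # RegistryKeysModified
        "Key" => {
            CHILDREN => ["?Name", "?Value"],    # FIXME?
        },

        # DNSRecord
        # Every leaf element uses the CONTENT key, "type" and "class" included.
        "owner" => { ATTRIBUTES => { "type" => ["string"] }, CONTENT => PCDATA },
        "type"  => { CONTENT => PCDATA },
        "class" => { CONTENT => PCDATA },
        "ttl"   => { ATTRIBUTES => { "type" => ["integer"] }, CONTENT => PCDATA },
        "rdata" => { CONTENT => PCDATA },

        # IncludedMalwareData
        "StringData" => { CONTENT => PCDATA },
        "BinaryData" => { CONTENT => ANY },

        # OriginalSensor
        "DateFirstSeen" => {
            ATTRIBUTES => { "type" => ["date-time"] },
            CONTENT    => PCDATA,
        },

        ## EmailRecord
        "EmailCount" => {
            ATTRIBUTES => { "type" => ["integer"], },
            CONTENT    => PCDATA,
        },
        # NOTE(review): "Email" is listed as a child of both EmailRecord and
        # DomainContact, so this single definition serves both. If the base
        # DTD already has an element of this name, confirm how extend_dtd
        # merges the two.
        "Email" => {
            CHILDREN => ["1EmailHeader", "?EmailBody"],
        },
        "Message" => {
            ATTRIBUTES => { "type" => ["MLStringType"] },
            CONTENT    => PCDATA,
        },
        "ARPText" => {
            ATTRIBUTES => { "type" => ["string"] },
            CONTENT    => PCDATA,
        },
        "EmailComments" => {
            ATTRIBUTES => { "type" => ["string"] },
            CONTENT    => PCDATA,
        },

        ## Email
        "EmailHeader" => {
            ATTRIBUTES => { "type" => ["string"] },
            CHILDREN   => ["+Header"],
        },
        "EmailBody" => {
            ATTRIBUTES => { "type" => ["MLStringType"] },
            CONTENT    => PCDATA,
        },

        ## EmailHeader
        "Header" => {
            ATTRIBUTES => { "type" => ["MLStringType"] },
            CONTENT    => PCDATA,
        },

        ## DCSite
        "SiteURL"   => { CONTENT => PCDATA },
        "Domain"    => { CONTENT => PCDATA },
        "EmailSite" => { CONTENT => PCDATA },
        "Unknown"   => { CONTENT => PCDATA },

        ## TakeDownInfo
        "TakeDownDate"     => { ATTRIBUTES => { "type" => ["date-time"] }, CONTENT => PCDATA },
        "TakeDownAgency"   => { CONTENT => PCDATA },
        "TakeDownComments" => { CONTENT => PCDATA },

        ## ArchivedData
        "ArchivedDataURL"      => { CONTENT => PCDATA },
        "ArchivedDataComments" => { CONTENT => PCDATA },
        # FIXME: second definition of "ArchivedData"; this is the one that
        # takes effect (see the note on the first definition above).
        "ArchivedData"         => { CONTENT => PCDATA },

        #
        # Simple Elements with no attributes
        #
        "Name"  => { CONTENT => PCDATA },
        "Value" => { CONTENT => PCDATA },
    };

    XML::IODEF::extend_dtd($ext_dtd, 'IODEF-Document');
    return $self;
}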
245              
246             1;
247              
248             __END__