Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring


What’s the upside of not requiring the producer to specify the version? If it’s distinguishable by format, couldn’t the producer just do that and always provide the format?

On Oct 29, 2015, at 9:44 AM, John Anderson <janderson@soltra.com> wrote:

I still hold that IP addresses are distinguishable by format alone. However, I acknowledge that it might be nice to know that the value was "assessed" by the producer (however, whether that's really useful is debatable).

Hence, may I suggest:


Generic IP Address field:
{
    "ip_address": "127.0.0.1"
}

or, if the producer knows the version:
{
    "ip_address": {"127.0.0.1": "ipv4"}
}

or, if that much dynamism gives you heartburn:

{
    "ip_address": {"value": "127.0.0.1", "type": "ipv4"}
}

Then, for things with multiple IP Addresses:

{
    "inbound_ip_address": "1.2.3.4",
    "outbound_ip_address": "2001:0db8:0a0b:12f0::0001",
    "another_ip_address": {"127.1.1.1": "ipv4"},
    "ip_address_list": [
        "5.6.7.8",
        {"9.8.7.6": "ipv6"}
    ]
}

Now, for the white elephant: Are we moving to JSON, officially? Or should we be discussing this with XML examples instead?


JSA

PS-Bonus points! Did you spot the data inconsistency? Do you see the problem that it exposes?

________________________________________
From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Davidson II, Mark S <mdavidson@mitre.org>
Sent: Thursday, October 29, 2015 9:26 AM
To: Trey Darley; Terry MacDonald
Cc: Jordan, Bret; Kirillov, Ivan A.; cti-cybox@lists.oasis-open.org
Subject: RE: [cti-cybox] CybOX 3.0: Address Object Refactoring

I like this form also.

As to representing a host with multiple network interfaces, I wonder if that's a slightly different discussion. In that case, would you have multiple IP address objects with a relationship to e.g., a host object?
-Mark

-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Trey Darley
Sent: Thursday, October 29, 2015 5:22 AM
To: Terry MacDonald <terry@soltra.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; Kirillov, Ivan A. <ikirillov@mitre.org>; cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] CybOX 3.0: Address Object Refactoring

On 28.10.2015 22:27:02, Terry MacDonald wrote:
>
> I probably prefer this one:
>
> {
>      "ipv4Address": "128.25.213.19",
>      "ipv6Address": "fe80::3e07:54ff:fe6c:6d13"
> }
>

+1

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Good, Fast, Cheap: Pick any two (you can't have all three)." --RFC 1925
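
A consumer-side check for the proposal discussed in this thread, as an added example that is not part of any of the messages above: it accepts the three proposed "ip_address" forms, derives the version from the format alone, and reports entries whose declared version disagrees with it. The function names are hypothetical; the sample object is the multi-address example from the message.

```python
import ipaddress

# Copied from the multi-address example in the message above.
SAMPLE = {
    "inbound_ip_address": "1.2.3.4",
    "outbound_ip_address": "2001:0db8:0a0b:12f0::0001",
    "another_ip_address": {"127.1.1.1": "ipv4"},
    "ip_address_list": ["5.6.7.8", {"9.8.7.6": "ipv6"}],
}

def parse_ip_field(field):
    """Return (value, declared_type) for any of the three proposed forms."""
    if isinstance(field, str):                      # "ip_address": "127.0.0.1"
        return field, None
    if isinstance(field, dict):
        if set(field) == {"value", "type"}:         # {"value": ..., "type": ...}
            return field["value"], field["type"]
        if len(field) == 1:                         # {"127.0.0.1": "ipv4"}
            return next(iter(field.items()))
    raise ValueError(f"unrecognized ip_address form: {field!r}")

def detect_version(value):
    """Derive the version from the format alone; None if not an IP address."""
    try:
        return f"ipv{ipaddress.ip_address(value).version}"
    except ValueError:
        return None

def find_mismatches(obj):
    """List (path, value, declared, detected) for invalid or contradictory entries."""
    problems = []
    for key, field in obj.items():
        items = field if isinstance(field, list) else [field]
        for i, item in enumerate(items):
            path = f"{key}[{i}]" if isinstance(field, list) else key
            value, declared = parse_ip_field(item)
            detected = detect_version(value)
            # An undeclared version is fine; a declared one must match the format.
            if detected is None or declared not in (None, detected):
                problems.append((path, value, declared, detected))
    return problems

if __name__ == "__main__":
    for problem in find_mismatches(SAMPLE):
        print(problem)
```
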