With regards to the use of MIMEType, I’d agree that it’s better than using ‘content_type’. Is it envisioned that this would be used to replace today’s FileObj:magic_number or in addition? The problem with using both is that they create an opportunity to be in conflict.
While my preference would be for a Directory object, I could get behind the latter proposal as it makes it explicit rather than left for someone to infer whether it’s actually a file or whether it’s just not supplied. With that said, I would recommend that we make ‘is_directory’ mandatory so that we avoid this confusion and make it explicit.
Paul
+1 for MIMEType as well – I think this would be semantically less ambiguous than “content type”, and so it would be my preference. This would likely be a property that we would add into the default “file metadata” extension;
I’ll update the proposal accordingly. There are likely other properties that would fit in here as well – things like entropy. Is there a sense in the community as far as other common file metadata related properties we should be including?
As far as characterizing directories, as mentioned in the writeup below, the current plan is to allow for this through the use of the file_path field without the file_name field. E.g., the following would be a directory:
{
  "file_system_properties": {
    "file_path": {"delimiter": "\\", "components": ["C:", "windows"]}
  }
}
This goes along with the notion, as Mark pointed out, that files and directories are treated the same in many languages and also operating systems. However, Paul has a good point that this is less explicit than having a separate
directory object. We’ve thought about this in the past and the discussion has always come back to the fact that directories are usually analogous to files in most places, just not in Windows. Therefore, perhaps what we can do is:
- Add extensions for directory-specific properties (likely just for Windows)
- To make it more explicit that you’re characterizing a directory, add an “is_directory” boolean property
{
  "file_system_properties": {
    "is_directory": true,
    "file_path": {"delimiter": "\\", "components": ["C:", "windows"]}
  }
}
What do you think?
Regards,
Ivan
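A small checker for the object shape Ivan proposes above, added here as an example rather than code from the thread or from the CybOX project; the helper names and the file_metadata/mimetype/magic_number field names are assumptions. It resolves directory-ness under both the implicit and the explicit is_directory rule, flags the mimetype/magic_number conflict Paul raises, and flags the disguised-executable case JSA describes elsewhere in the thread.

```python
# Added example; field names file_metadata/mimetype/magic_number are assumptions following the thread's proposal.
# Well-known leading magic bytes (hex) and the MIME type each implies.
MAGIC_TO_MIME = {
    "4D5A": "application/vnd.microsoft.portable-executable",  # MZ: Windows PE
    "7F454C46": "application/x-executable",                    # ELF
    "25504446": "application/pdf",                             # %PDF
}
EXECUTABLE_MIMES = {MAGIC_TO_MIME["4D5A"], MAGIC_TO_MIME["7F454C46"]}

def join_path(file_path):
    """Rebuild the textual path from the delimiter/components structure."""
    return file_path["delimiter"].join(file_path["components"])

def classify(obj):
    """Return 'directory', 'file' or 'ambiguous'. An explicit is_directory wins; the
    implicit rule (file_path but no file_name) cannot distinguish a directory from
    a file whose name was simply not supplied, which is the point Paul raises."""
    props = obj.get("file_system_properties", {})
    if "is_directory" in props:
        return "directory" if props["is_directory"] else "file"
    if "file_path" in props and "file_name" not in props:
        return "ambiguous"
    return "file"

def check_type_fields(obj):
    """Findings about mimetype vs. magic_number vs. extension consistency."""
    findings = []
    meta = obj.get("file_metadata", {})
    mime = meta.get("mimetype")
    magic = meta.get("magic_number", "").upper()
    expected = MAGIC_TO_MIME.get(magic)  # what the magic number says the type is
    if mime and expected and expected != mime:
        findings.append(f"mimetype {mime} conflicts with magic_number {magic} ({expected})")
    name = obj.get("file_system_properties", {}).get("file_name", "")
    if name.lower().endswith(".txt") and (mime in EXECUTABLE_MIMES or expected in EXECUTABLE_MIMES):
        findings.append(f"{name} has a text extension but is an executable ({mime or expected})")
    return findings

# Constructed sample records in the proposed shape (not from any real dataset).
WIN_PATH = {"delimiter": "\\", "components": ["C:", "windows"]}
SAMPLES = [
    {"file_system_properties": {"file_path": WIN_PATH}},                       # implicit directory
    {"file_system_properties": {"is_directory": True, "file_path": WIN_PATH}},  # explicit directory
    {"file_system_properties": {"file_name": "notes.txt",
                                "file_path": {"delimiter": "/", "components": ["", "tmp"]}},
     "file_metadata": {"mimetype": "application/x-executable", "magic_number": "7f454c46"}},
    {"file_system_properties": {"file_name": "report.pdf",
                                "file_path": {"delimiter": "/", "components": ["", "home"]}},
     "file_metadata": {"mimetype": "text/plain", "magic_number": "25504446"}},
]
```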
+1 for having an attribute that holds a MIME Type value. (And maybe "mimetype" is the right attribute name.)
Random use-case: An executable that has a ".txt" extension is still executable on Linux, if the right bits are set. If the MIME type is known, then that might make it easier for automated systems to pay attention.
JSA
From: Jerome Athias <athiasjerome@gmail.com>
Sent: Tuesday, December 15, 2015 8:28 AM
To: Paul Patrick
Cc: Jason Keirstead; Kirillov, Ivan A.; Jordan, Bret;
cti-cybox@lists.oasis-open.org; John Anderson; Terry MacDonald
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring
MIMEType is used in Malware Metadata Exchange Format (MMDEF), which is used in MAEC