OASIS Mailing List Archives

 



cti-cybox message



Subject: Re: [cti-cybox] Object Relationships - Metadata


I kind of agree with you and almost said that, but thought about it more and realized that everything comes down to defining useful levels of abstraction. Yes, “URL redirection” is in reality just an HTTP response code (or meta redirect in an HTML document). But, following that logic, isn’t an HTTP connection really just a TCP connection with some data fields? And isn’t a TCP connection just a bunch of IP packets?

 

So I think the question is less whether the model is “right” and more about whether it’s a useful abstraction to use for analysis. All models are wrong, some models are useful and all that. So it’s a little more philosophical but I think CybOX should be open to representing these types of abstractions if people feel they’re useful. And so these types of relationships where you have extra data will in some cases be abstractions on other types of objects or on top of actions, but maybe that’s fine.

 

John

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 8, 2016 at 12:41 PM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Object Relationships - Metadata

 

FWIW the example doesn't make any sense to me as a URL doesn't do redirection or return HTTP codes at all.

301 Redirection and HTTP response codes should not be in the URL object, they should be in the HTTP extension of the Network Connection object.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 06/08/2016 01:18 PM
Subject: [cti-cybox] Object Relationships - Metadata
Sent by: <cti-cybox@lists.oasis-open.org>





It seems like we have come to general consensus that relationships between CybOX Objects should be expressed as embedded fields, e.g., a “redirects_to_ref” on the URL Object for pointing to another URL that the parent redirected to. However, recently Trey and I were wondering if this approach is too simplistic, in that it may not capture enough detail about the relationship being expressed. For instance, in the case of URL redirection, it’s useful to know the type of URL redirection that was observed (e.g., the particular HTTP redirect code). Thus, we were wondering if we should consider expanding the embedded relationship structure to allow for additional metadata, which could perhaps (as a strawman) take on the form of additional keys in the relationship. For example, for URL redirection we could have something like:

{
  "type": "url-object",
  "id": "url-object--1",
  "spec_version": "cybox-3.0",
  "value": "http://foo.bar.com/qwerty",
  "redirects_to_ref": {
    "object_ref": "url-object--2",
    "http_redirect_code": "301"
  }
}

We could also perhaps follow a more flattened approach and embed the metadata as a separate sibling field:

{
  "type": "url-object",
  "id": "url-object--1",
  "spec_version": "cybox-3.0",
  "value": "http://foo.bar.com/qwerty",
  "redirects_to_ref": "url-object--2",
  "redirects_to_meta": {"http_redirect_code": "301"}
}

Anyhow, just throwing this out there to see what everyone thinks about 1) us needing to support metadata in Object relationships and 2) the best way to do so (if needed). This will be one of our discussion topics for tomorrow’s call.

Regards,
Ivan
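
Added example, not part of the original thread and not taken from any CybOX specification or tooling: a consumer-side Python reader that accepts a plain string reference as well as both strawman layouts from the message above and normalizes them to the same (target, metadata) pair. The key names `object_ref`, `redirects_to_meta` and `http_redirect_code` come from the strawman; the function names `relationships` and `orphan_meta` and the sample objects are constructed for illustration.

```python
import json

# Constructed samples mirroring the two strawman layouts in the thread.
NESTED = json.loads("""{
  "type": "url-object", "id": "url-object--1", "spec_version": "cybox-3.0",
  "value": "http://foo.bar.com/qwerty",
  "redirects_to_ref": {"object_ref": "url-object--2", "http_redirect_code": "301"}
}""")
FLAT = json.loads("""{
  "type": "url-object", "id": "url-object--1", "spec_version": "cybox-3.0",
  "value": "http://foo.bar.com/qwerty",
  "redirects_to_ref": "url-object--2",
  "redirects_to_meta": {"http_redirect_code": "301"}
}""")


def relationships(obj):
    """Return {relationship_name: (target_id, metadata)} for one object.

    Accepts a plain string ref, the nested layout (metadata inside the
    *_ref value) or the flat layout (metadata in a sibling *_meta key).
    """
    rels = {}
    for key, val in obj.items():
        if not key.endswith("_ref"):
            continue
        name = key[:-len("_ref")]
        meta_key = name + "_meta"
        if isinstance(val, str):
            # Flat layout: the consumer has to pair two sibling keys by name.
            target, meta = val, dict(obj.get(meta_key, {}))
        elif isinstance(val, dict) and isinstance(val.get("object_ref"), str):
            # Nested layout: the *_ref value is no longer a bare identifier.
            if meta_key in obj:
                raise ValueError(f"{key}: nested and sibling metadata both present")
            target = val["object_ref"]
            meta = {k: v for k, v in val.items() if k != "object_ref"}
        else:
            raise ValueError(f"{key}: unsupported reference shape")
        rels[name] = (target, meta)
    return rels


def orphan_meta(obj):
    """*_meta keys with no matching *_ref, which only the flat layout allows."""
    return sorted(k for k in obj
                  if k.endswith("_meta") and k[:-len("_meta")] + "_ref" not in obj)
```
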



