OASIS Mailing List Archives

cti-cybox message

Subject: Re: [cti-cybox] RE: Object Relationships - Metadata


I would prefer the flatter type personally, as I believe it's important to keep relationships simple within CybOX. I think if there is a need to record that information then that should be in an object. If we have a need to record HTTP requests and responses, then we need an object that supports the recording of each. It seems like we're trying to shoehorn the data in.

I do see that some objects could use a list of objects within their _ref field, such as a zip file linking to the files it contains, or a process linking to the other processes it created. But I'm not convinced that the metadata needs to be in the relationship itself.

Cheers
Terry MacDonald

On 9/06/2016 6:20 AM, "Kirillov, Ivan A." <ikirillov@mitre.org> wrote:

I hear you, and it wasn’t a great example – I’m definitely against adding data that can be expressed elsewhere (such as other CybOX Objects) into relationships. Again, one way of doing things :)

 

Here’s perhaps a better example, where you can specify the signature type for a signed binary:

 

            {
                "type": "file-object",
                "id": "file-object--1",
                "hashes": {"md5": "66e2ea40dc71d5ba701574ea215a81f1"},
                "size": 641028,
                "signed_with": {"object_ref": "x509-cert-object--1",
                                "signature_type": "authenticode"}
            }

 

Regards,

Ivan

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 8, 2016 at 12:27 PM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] RE: Object Relationships - Metadata

 

I think having HTTP redirection inside the URL object is really weird to me... makes me queasy.

What other HTTP headers should we stick in? What if a URL returns a 401, should I put that in? Should we put in the Content-Type and Content-Length of the URL response?


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 06/08/2016 03:10 PM
Subject: Re: [cti-cybox] RE: Object Relationships - Metadata
Sent by: <cti-cybox@lists.oasis-open.org>





I agree that URL redirection may not have been the best example; Trey and I are working on coming up with a few more (if you have any feel free to share them!). However, John made a good point in that it still might be a useful abstraction when you don’t want to use the Network Connection Object for capturing URL redirects.

Also, it’s worth highlighting that this is something that we need to get right in CybOX 3.0, as refactoring how relationships are done would be a backwards compatibility-breaking change and require another major revision.

I too like Jeff’s approach, though maybe we can append something like “_rel” to such a field to make it clear that it’s a relationship?

{
        "type": "url-object",
        "id": "url-object--1",
        "spec_version": "cybox-3.0",
        "value": "http://foo.bar.com/qwerty",
        "redirects_to_rel": {
                "object_ref":"url-object--2",
                "http_redirect_code":"301"
        }
}


Regards,
Ivan

On 6/8/16, 11:36 AM, "cti-cybox@lists.oasis-open.org on behalf of Wunder, John A." <cti-cybox@lists.oasis-open.org on behalf of jwunder@mitre.org> wrote:

>+1 to Jeff.
>
>On 6/8/16, 12:45 PM, "Mates, Jeffrey CIV DC3/DCCI" <cti-cybox@lists.oasis-open.org on behalf of Jeffrey.Mates@dc3.mil> wrote:
>
>>I definitely agree that we need to be able to capture rich data about embedded relationships and keeping them side by side helps do that.  However, I like keeping to the convention that every single item reference ends with "_ref" while a list of references ends with "_refs".  So I'm in favor of a slightly modified version of number 1:
>>
>>{
>>        "type": "url-object",
>>        "id": "url-object--1",
>>        "spec_version": "cybox-3.0",
>>        "value": "http://foo.bar.com/qwerty",
>>        "redirects_to": {
>>                "object_ref":"url-object--2",
>>                "http_redirect_code":"301"
>>        }
>>}
>>
>>Jeffrey Mates, Civ DC3/DCCI
>>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>Computer Scientist
>>Defense Cyber Crime Institute
>>jeffrey.mates@dc3.mil
>>410-694-4335
>>
>>
>>-----Original Message-----
>>From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Kirillov, Ivan A.
>>Sent: Wednesday, June 08, 2016 12:18 PM
>>To: cti-cybox@lists.oasis-open.org
>>Subject: [Non-DoD Source] [cti-cybox] Object Relationships - Metadata
>>
>>It seems like we have come to general consensus that relationships between CybOX Objects should be expressed as embedded fields, e.g., a “redirects_to_ref” on the URL Object for pointing to another URL that the parent redirected to. However, recently Trey and I were wondering if this approach is too simplistic, in that it may not capture enough detail about the relationship being expressed. For instance, in the case of URL redirection, it’s useful to know the type of URL redirection that was observed (e.g., the particular HTTP redirect code). Thus, we were wondering if we should consider expanding the embedded relationship structure to allow for additional metadata, which could perhaps (as a strawman) take on the form of additional keys in the relationship. For example, for URL redirection we could have something like:
>>
>>
>>
>>                {
>>                    "type": "url-object",
>>                    "id": "url-object--1",
>>                    "spec_version": "cybox-3.0",
>>                    "value": "http://foo.bar.com/qwerty",
>>                    "redirects_to_ref": {"object_ref":"url-object--2",
>>                                         "http_redirect_code":"301"}
>>                }
>>
>>
>>
>>We could also perhaps follow a more flattened approach and embed the metadata as a separate sibling field:
>>
>>                {
>>                    "type": "url-object",
>>                    "id": "url-object--1",
>>                    "spec_version": "cybox-3.0",
>>                    "value": "http://foo.bar.com/qwerty",
>>                    "redirects_to_ref": "url-object--2",
>>                    "redirects_to_meta": {"http_redirect_code":"301"}
>>                }
>>
>>
>>
>>Anyhow, just throwing this out there to see what everyone thinks about 1) us needing to support metadata in Object relationships and 2) the best way to do so (if needed). This will be one of our discussion topics for tomorrow’s call.
>>
>>
>>
>>Regards,
>>
>>Ivan
>>
>>
>>
>
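
The encodings proposed in this thread (a nested dict carrying "object_ref" plus metadata under "redirects_to_ref", "redirects_to", "redirects_to_rel" or "signed_with", and the flat "_ref" string with a sibling "_meta" field) can all be normalized by a consumer into one tuple form. The sketch below is an added example, not code from any message in the thread or from CybOX itself; the function names, the objects url-object--2 and url-object--4, their URLs and the 302 code are constructed for illustration. It also audits two failure modes: references to objects absent from the bundle, and, specific to the flat form, a "_meta" field that has lost its sibling "_ref".

```python
import json

# Constructed sample: the thread's URL and file examples, one object per proposed encoding.
BUNDLE = json.loads("""
[
 {"type": "url-object", "id": "url-object--1", "value": "http://foo.bar.com/qwerty",
  "redirects_to_ref": "url-object--2", "redirects_to_meta": {"http_redirect_code": "301"}},
 {"type": "url-object", "id": "url-object--2", "value": "http://foo.bar.com/next",
  "redirects_to_rel": {"object_ref": "url-object--3", "http_redirect_code": "302"}},
 {"type": "file-object", "id": "file-object--1",
  "signed_with": {"object_ref": "x509-cert-object--1", "signature_type": "authenticode"}},
 {"type": "url-object", "id": "url-object--4", "value": "http://foo.bar.com/orphan",
  "redirects_to_meta": {"http_redirect_code": "301"}}
]
""")


def relationships(obj):
    """Return (source, relation, target, metadata) tuples for one object."""
    found = []
    for key, value in obj.items():
        if isinstance(value, dict) and "object_ref" in value:
            # Nested form: the reference and its metadata share one dict.
            name = key
            for suffix in ("_ref", "_rel"):
                if name.endswith(suffix):
                    name = name[: -len(suffix)]
            meta = {k: v for k, v in value.items() if k != "object_ref"}
            found.append((obj["id"], name, value["object_ref"], meta))
        elif key.endswith("_ref") and isinstance(value, str):
            # Flat form: metadata, if any, lives in a sibling "<name>_meta" field.
            name = key[: -len("_ref")]
            found.append((obj["id"], name, value, dict(obj.get(name + "_meta", {}))))
    return found


def audit(bundle):
    """Flag references to absent objects and "_meta" fields with no sibling "_ref"."""
    ids = {o["id"] for o in bundle}
    dangling = [r for o in bundle for r in relationships(o) if r[2] not in ids]
    orphans = [(o["id"], k) for o in bundle for k in o
               if k.endswith("_meta") and k[: -len("_meta")] + "_ref" not in o]
    return dangling, orphans


if __name__ == "__main__":
    print([r for o in BUNDLE for r in relationships(o)])
    print(audit(BUNDLE))
```

The nested form cannot produce an orphaned metadata field, because the reference and its metadata travel in the same dict; the flat form needs the extra check that audit() performs.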




