OASIS Mailing List Archives

cti-cybox message



Subject: Re: [cti-cybox] CybOX Review: Round 2


Thanks John – I also think that ID is probably not necessary on Container if our intent is for container to be extended and used as needed in downstream users of CybOX. This also makes sense given the recent discussions around embedding rather than referencing the Container in STIX.

 

The links should be correct; I think the problem may be that certain email viewers (e.g., Outlook) are converting the ‘#’ to ‘%23’ when you click on the link, malforming it.

 

We really need some reviews on the CybOX Objects – I don’t think we’ve had any comments on these so far (besides the Network Connection discussion on this email list).

 

Regards,

Ivan

 

From: <cti-cybox@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Wednesday, June 15, 2016 at 6:47 PM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Review: Round 2

 

Regarding CybOX Container: I said this on one of the calls, but I’d like to get it out there for the record now. IMO the CybOX-defined container should not have an ID field. The language where the CybOX container is used can extend it and determine whether or not to add their own ID to it. I do agree with having “spec_version”, and could go either way on “type”. STIX likely doesn’t need these fields because we’ll only support one version of CybOX in a version of STIX and will do our own typing, but I can see why you’d want these fields for consistency across different usages of CybOX.

 

I’ll spend some time to review the objects that I have a chance of understanding over the next few working days. Great work getting so much out there!!

 

John

 

PS: Most of the links in the e-mail are broken (except the container one I think). I’m guessing one of the documents was moved or something?

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Wednesday, June 15, 2016 at 4:20 PM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-cybox] CybOX Review: Round 2

 

Here’s the second round of CybOX entities out for review. Besides addressing any specific open questions, please review for accuracy and consistency, and feel free to add any questions or comments to the Google docs. Also, it’s worth noting that I will be out for the next few weeks and Trey will be out part of the time, so we probably won’t be able to get to your comments until we return.

 

CybOX Core

· Container: https://docs.google.com/document/d/1PSGv6Uvo3YyrK354cH0cvdn7gGedbhYJkgNVzwW9E6A/edit#heading=h.2p8taumnmgqi
  o Open question: should the CybOX Container have an ID field? If so, should IDs on the container be abstract (e.g., a string field that is left open to the implementer to define the syntax of)?
· Object field observed encoding: https://docs.google.com/document/d/1PSGv6Uvo3YyrK354cH0cvdn7gGedbhYJkgNVzwW9E6A/edit#heading=h.8qyrq8w3ztbt

 

CybOX Objects

· File Object/Image File Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.u5z7i2ox8w4x
· Registry Key Object (re-review): https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.luvw8wjlfo3y
· Software Object: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.7rkyhtkdthok
· Artifact Object: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.3py86bmi9w34
· Process Object: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.hpppnm86a1jm
  o Windows Process Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.oyegq07gjf5t
  o Windows Service Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.lbcvc2ahx1s0
· User Account Object: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.azo70vgj1vm2
  o Physical Address Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.rxd8yai9i1kz
  o Unix Account Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.hodiamlggpw5
  o Windows Account Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.qdzezthcserd
  o User Account Extension: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.dkiv9w3evdio
· Network Connection Object: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.rgnc3w40xy
  o HTTP Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.b0e376hgtml8
  o TCP Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.k2njqio7f142
  o UDP Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.e4a0fsat8ga7
  o ICMP Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.ozypx0lmkebv
  o Connection State Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.2bjvl8ozvs2s
  o Flow Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.87z6jbjc9fn4
  o Network Socket Extension: https://docs.google.com/document/d/1oPAHN6nitdVF60RuDlajq0VuN6S_p_RP3ZE48yOBBfQ/edit#heading=h.8jamupj9ubdv

 

Regards,

Ivan

 

 


