Ah, yes, thanks for mentioning this Trey. I think we’ll want to consider updating the patterning spec so that we can allow for such patterns (i.e., the same field on any Object).
Terry – thanks again for your submissions of the Post and Credential Dump Objects. I think the feeling is that we just don’t have enough bandwidth and time to make sure we get these concepts right for MVP, and as we all saw the issue of Post vs. Message didn’t have consensus. However, I definitely want us to put these on the table for post-MVP discussion. Also, as far as the Post Object, can you help us understand the use cases a bit more? So is the notion that such forum posts will be captured and exchanged using the STIX Observed Data construct, or are you more interested in being able to write patterns against them?
Regards,
Ivan
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, July 8, 2016 at 6:19 AM
To: Trey Darley <trey@kingfisherops.com>
Cc: Ivan Kirillov <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] MVP/Message Objects
Ah OK - this solves my main problem. Thanks;
( I also wish I could attend more of the cybox working group calls! )
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: Trey Darley <trey@kingfisherops.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "Kirillov, Ivan A." <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 07/08/2016 09:07 AM
Subject: Re: [cti-cybox] MVP/Message Objects
Sent by: <cti-cybox@lists.oasis-open.org>
On 08.07.2016 08:38:21, Jason Keirstead wrote:
>
> ... but then, all of the X millions of pieces of existing content
> would still exist with that object, so you would now still have to
> write multiple signature patterns to capture things reliably in any
> message context.
>
Hey, Jason -
On yesterday's CybOX working call, we talked through this issue. The
proposal was two-fold:
* for all message-like objects having a notional
sender/recipient/subject/body/etc, that those field names would be
defined identically across all message-like object definitions
* extend the patterning spec such that you could write a CybOX pattern
like:
`*-message-object:body MATCHES /.*evil stuff.*/` which could be tested
against both an `email-message-object` and a `skype-message-object`.
It's a pity you couldn't make the call yesterday, Jason! We really
missed your input. :-(
--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"There are two types of people: those who fit into my taxonomy and
those who do not." --anonymous
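Trey's proposal above has two parts: message-like objects share the same field names (sender, recipient, subject, body), and the patterning spec accepts a wildcard object type so one expression such as `*-message-object:body MATCHES /.*evil stuff.*/` is tested against both an `email-message-object` and a `skype-message-object`. The following is an added Python sketch of how a matcher could evaluate such a pattern; it is not code from this thread, from the CybOX/STIX project, or from any published patterning spec. The pattern grammar it parses, the use of shell-style globbing for the object type, and the sample observed objects are all assumptions constructed for the example.

```python
import fnmatch
import re
from typing import Dict, List, Pattern, Tuple

# Constructed sample observations (not from the thread). The object type
# names and the shared sender/recipient/subject/body field names follow the
# proposal; the concrete values are made up for this example.
OBSERVED_OBJECTS: List[Dict[str, str]] = [
    {"type": "email-message-object", "sender": "alice@example.com",
     "recipient": "bob@example.com", "subject": "invoice",
     "body": "please see the attached evil stuff"},
    {"type": "skype-message-object", "sender": "alice.skype",
     "recipient": "bob.skype", "subject": "",
     "body": "evil stuff, as discussed"},
    {"type": "email-message-object", "sender": "carol@example.com",
     "recipient": "bob@example.com", "subject": "lunch",
     "body": "noodles at noon?"},
    # A non-message object that happens to carry a "body" field: it must
    # NOT satisfy "*-message-object:body", only the type glob decides.
    {"type": "file-object", "name": "evil stuff.exe", "body": "evil stuff"},
]

# Assumed grammar: "<type-glob>:<field> MATCHES /<regex>/". The type glob
# may contain shell-style wildcards, e.g. "*-message-object".
PATTERN_RE = re.compile(
    r"^(?P<otype>[A-Za-z0-9_*?-]+):(?P<field>[A-Za-z0-9_]+)"
    r"\s+MATCHES\s+/(?P<regex>.*)/$"
)


def parse_pattern(pattern: str) -> Tuple[str, str, Pattern[str]]:
    """Split a pattern into (type glob, field name, compiled regex)."""
    m = PATTERN_RE.match(pattern.strip())
    if m is None:
        raise ValueError(f"unsupported pattern syntax: {pattern!r}")
    try:
        regex = re.compile(m.group("regex"))
    except re.error as exc:
        raise ValueError(f"bad regex in pattern: {exc}") from exc
    return m.group("otype"), m.group("field"), regex


def object_matches(obj: Dict[str, str], type_glob: str, field: str,
                   regex: Pattern[str]) -> bool:
    """True if the object's type fits the glob and the field matches."""
    # Type check first, so a shared field name on an unrelated object
    # type is never enough on its own.
    if not fnmatch.fnmatchcase(obj.get("type", ""), type_glob):
        return False
    value = obj.get(field)
    if not isinstance(value, str):
        return False  # absent or non-string field never matches
    # MATCHES is treated here as an unanchored regex search.
    return regex.search(value) is not None


def evaluate(pattern: str, objects: List[Dict[str, str]]) -> List[int]:
    """Return the indices of the objects that satisfy the pattern."""
    type_glob, field, regex = parse_pattern(pattern)
    return [i for i, obj in enumerate(objects)
            if object_matches(obj, type_glob, field, regex)]


if __name__ == "__main__":
    for p in ("*-message-object:body MATCHES /.*evil stuff.*/",
              "email-message-object:body MATCHES /.*evil stuff.*/"):
        hits = [OBSERVED_OBJECTS[i]["type"] for i in evaluate(p, OBSERVED_OBJECTS)]
        print(p, "->", hits)
```

The wildcard form hits both message objects with one expression, while the explicit `email-message-object` form hits only the e-mail, which is the "multiple signature patterns" problem Jason raised. The wildcard only works because the first half of the proposal holds: every message-like type must expose the field under the same name, or `body` on one type silently never matches.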