cti-cybox message

Subject: Patterning against multiple object types

From: Greg Back <gback@mitre.org>
To: <cti-cybox@lists.oasis-open.org>
Date: Mon, 11 Jul 2016 16:31:12 -0500

[I changed the subject to reflect the changing topic]

On 7/8/2016 8:06 AM, Kirillov, Ivan A. wrote:

Ah, yes, thanks for mentioning this Trey. I think we’ll want to consider
updating the patterning spec so that we can allow for such patterns
(i.e., the same field on any Object).

As a more general approach, what about dropping the requirement for anobject type altogether? Then you could just do:


    body MATCHES /.*evil stuff.*/

You could match against specific types by saying something like:

    type = 'file-object' AND hashes.sha-256 =
    'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f'

For which we could define "syntactic sugar" that makes the originalconstruction equivalent:


    file-object:hashes.sha-256 =
    'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f'

Greg

Follow-Ups:
- Re: [cti-cybox] Patterning against multiple object types
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>

References:
- MVP/Message Objects
  - From: "Kirillov, Ivan A." <ikirillov@mitre.org>
- Re: [cti-cybox] MVP/Message Objects
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti-cybox] MVP/Message Objects
  - From: Trey Darley <trey@kingfisherops.com>
- Re: [cti-cybox] MVP/Message Objects
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti-cybox] MVP/Message Objects
  - From: Trey Darley <trey@kingfisherops.com>
- Re: [cti-cybox] MVP/Message Objects
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti-cybox] MVP/Message Objects
  - From: "Kirillov, Ivan A." <ikirillov@mitre.org>