Re: [cti-cybox] Patterning against multiple object types

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

My own feeling is that our grammar is already sufficiently complex such that I don't think we want to venture into such syntactic sugar right now - at least not if we expect people to have workable at-scale implementations in the next 12 months.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Greg Back ---07/11/2016 06:31:25 PM---[I changed the subject to reflect the changing topic] On 7/8/2016 8:06 AM, Kirillov, Ivan A. wrote:

From: Greg Back <gback@mitre.org>
To: <cti-cybox@lists.oasis-open.org>
Date: 07/11/2016 06:31 PM
Subject: [cti-cybox] Patterning against multiple object types
Sent by: <cti-cybox@lists.oasis-open.org>

---

[I changed the subject to reflect the changing topic]

On 7/8/2016 8:06 AM, Kirillov, Ivan A. wrote:
> Ah, yes, thanks for mentioning this Trey. I think we’ll want to consider
> updating the patterning spec so that we can allow for such patterns
> (i.e., the same field on any Object).

As a more general approach, what about dropping the requirement for an 
object type altogether? Then you could just do:

     body MATCHES /.*evil stuff.*/

You could match against specific types by saying something like:

     type = 'file-object' AND hashes.sha-256 =
     'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f'

For which we could define "syntactic sugar" that makes the original 
construction equivalent:

     file-object:hashes.sha-256 =
     'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f'

Greg

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php