I just wanted to let everyone know where we stand on these issues. Trey and I had a discussion on this topic and decided to make the following changes:
·
file_path in File Object/file-system-properties-type was changed to a string. As others had pointed out, there was no benefit to the delimited approach and it had the side effect
of making patterns more complex.
·
We’ve removed the string-with-encoding-type and reverted all uses back to string. We will similarly go back to our old approach of capturing observed encoding using the flattened
“_enc” and “_b64” fields – for an example of this please see the file_name and corresponding fields [1]. We’ve also reverted our old section in CybOX Core on this topic [2] – please review and comment. Also, let us know which other fields in the CybOX Objects
we should be adding this for.
Regards,
Ivan
From:
Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Tuesday, August 2, 2016 at 3:28 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: John-Mark Gurney <jmg@newcontext.com>, "Mates, Jeffrey CIV DC3\\DCCI" <Jeffrey.Mates@dc3.mil>, Ivan Kirillov <ikirillov@mitre.org>, John Wunder <jwunder@mitre.org>, Greg Back <gback@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Recent CybOX Changes
I agree, I am also unsure what the purpose of this field is... are there actual threat analytics use cases where knowing the encoding of a piece of text conveys useful information? Was this requested by a specific user group?
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Allan Thomson ---08/02/2016 03:47:31 PM---That’s a
good clarification and it makes me wonder why this attribute needs to be conveyed at all. W
From: Allan Thomson <athomson@lookingglasscyber.com>
To: John-Mark Gurney <jmg@newcontext.com>
Cc: "Mates, Jeffrey CIV DC3\\DCCI" <Jeffrey.Mates@dc3.mil>, "'Kirillov, Ivan A.'" <ikirillov@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "Wunder, John A." <jwunder@mitre.org>,
"Back, Greg" <gback@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 08/02/2016 03:47 PM
Subject: Re: [cti-cybox] Recent CybOX Changes
Sent by: <cti-cybox@lists.oasis-open.org>
That’s a good clarification and it makes me wonder why this attribute needs to be conveyed at all. What is a recipient expected to do with this information?
Certainly combining it into a single field makes no sense now.
Thanks for sharing this perspective. It changes my opinion of what this encoding field is attempting to convey and how it should be done.
allan
On 8/2/16, 10:47 AM, "John-Mark Gurney" <jmg@newcontext.com> wrote:
Allan Thomson wrote this message on Tue, Aug 02, 2016 at 14:02 +0000:
> Finally, *if* encoding must be conveyed when a field that may have different encodings possible is required. Then what is the most efficient and effective way to allow two systems to a) generate that package b) read that package efficiently and effectively.
I want to clarify this statement.. Fields only ever contain Unicode
data. They never contain non-Unicode, or encoded data.. The encoding
is a way to convey what encoding the original data had before converting
to CybOX.
--
John-Mark