cti-cybox message



Subject: 9/20 Working Session Notes and Open Questions


All,

 

Here are some notes on the changes that were made and discussed during today’s working session, along with some open questions that resulted:

 

- Email Message Object

  - There was a question raised about how the additional_header_fields property handles fields with multiplicity greater than one – is the data concatenated, handled as a list, or something else? We’re looking at a few examples of such fields before we address this.

  - There was much discussion on whether we should allow files to be referenced as email attachments, in the mime-part-type, which is not currently permitted. A cited use case was the ability to capture the file name along with its hashes for an email attachment. There are a few possibilities in this regard:

    - Update raw_body_ref to reference only File Objects, which can in turn reference Artifacts (via file_content_ref) to capture the actual binary representation of the mime part. A potential issue with this approach is that it’s semantically an abstraction since MIME parts aren’t really files, just blobs of data.

    - Update mime-part-type to allow for reference of Artifact or File Objects, perhaps as separate fields. The problem with this approach is that it’s potentially duplicative, as a File Object can also reference an Artifact (as above). Also, both File Objects and Artifacts allow for the capture of hashes.

    - Open questions: should we allow the mime-part-type to reference Files? If so, how should this be implemented?

- Network Connection Object

  - The introductory text for the Object was significantly updated for clarity and accuracy, such as stating that it can encompass connections that were not actually established.

  - There was much discussion on what this object should be called – for now, we’ve settled on the more neutral term of “Network Traffic Object”. Let us know what you think.

  - Open questions: should we rename this object to Network Traffic Object?

- File Object

  - There was discussion around the issue of merging the fields of the File Header and Optional Header into the base set of PE File Extension properties. The consensus was that we should take a middle road and merge the File Header fields, since they weren’t quite as numerous, while still keeping the Optional Header fields separate. This is the approach that we’ve currently implemented.

- Patterning

  - There was some brief discussion around patterning. The main point is that we’ll likely keep patterning open for comments beyond COB Wednesday, since it needs more review than the Core and Objects specifications.

 

 

Regards,

Ivan and Trey
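
The additional_header_fields multiplicity question from the notes above, worked through as an added example that is not part of the original message or of any CybOX specification text: it captures a repeated header (Received) both as a list and as one concatenated string and shows why the second form cannot be split back reliably. The sample message, the DEDICATED set and the ", " separator are assumptions made for illustration.

```python
from email import message_from_string

# Constructed sample message (not from the original post).
RAW = (
    "Received: from mx1.example.org by mail.example.com; Tue, 20 Sep 2016 10:00:02 -0400\n"
    "Received: from client.example.net by mx1.example.org; Tue, 20 Sep 2016 09:59:58 -0400\n"
    "From: alice@example.net\n"
    "To: bob@example.com\n"
    "Subject: constructed sample\n"
    "X-Mailer: ExampleMailer 1.0\n"
    "\n"
    "body\n"
)

# Assumption: headers modelled by dedicated properties are kept out of
# additional_header_fields; this set is illustrative only.
DEDICATED = {"from", "to", "cc", "bcc", "subject", "date", "message-id", "content-type"}


def extra_headers(raw):
    """Return (name, value) pairs, in wire order, for non-dedicated headers."""
    msg = message_from_string(raw)
    return [(n, v) for n, v in msg.items() if n.lower() not in DEDICATED]


def as_lists(raw):
    """Option: every field maps to a list, so repeats keep count and order."""
    fields = {}
    for name, value in extra_headers(raw):
        fields.setdefault(name, []).append(value)
    return fields


def as_concatenated(raw, sep=", "):
    """Option: repeats are joined into one string (sep is hypothetical)."""
    return {name: sep.join(values) for name, values in as_lists(raw).items()}


if __name__ == "__main__":
    listed = as_lists(RAW)
    joined = as_concatenated(RAW)
    print(len(listed["Received"]), "Received values in list form")
    # Splitting the joined form on the separator does not recover the two hops,
    # because the date inside each Received value also contains ", ".
    print(len(joined["Received"].split(", ")), "pieces after splitting joined form")
```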


