[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-cybox] Software object - recommend to use CPE?
With respect to using other XML standards, OpenC2 faced this challenge when we needed to define a JSON protocol that depended on CybOX 2 XML objects.
Our approach was to create a language-independent representation of the subset of CybOX objects we needed from information in the XSDs. That representation is used to validate OpenC2 messages containing CybOX 2 objects in several JSON dialects, and we plan to extend that to binary message formats as well.
The attached cybox abstract file (which currently includes some empty placeholder objects) is used to validate OpenC2 messages such as:
{"ACTION": "DENY",
"TARGET": {"type": "cybox:Network_Connection",
"specifiers": {
"Layer3Protocol": "IPv4",
"Layer4Protocol": "TCP",
"SourceSocketAddress": {
"IP_Address": {
"Address_Value": "any"}},
"DestinationSocketAddress": {
"IP_Address": {
"Address_Value": "10.10.10.2"}}}},
"ACTUATOR": {"type": "network-firewall",
"specifiers": {
"asset_id": "30"}},
"MODIFIERS": {
"context_ref": 91}}
The same approach would allow re-use of other XML vocabularies and structures in protocols supporting both JSON and binary message formats.
+1 on Patrick's suggestion to develop a re-use strategy, either here or in a broader working group. A top priority would be to define distributed development (namespace) conventions/standards for JSON. The above example just reuses the XML ns convention ("cybox:Network_Connection"), for lack of anything better. That is a workable approach, but it, or another, needs to be formalized if we intend to re-use structures/vocabularies defined elsewhere. Note that CybOX 3 does not use XML conventions, so the above example used a CybOX 3 TARGET, it would have to use a different convention to identify the CybOX 3 namespace.
Dave
-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Coderre, Robert
Sent: Friday, September 23, 2016 12:00 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Patrick Maroney <Pmaroney@Specere.org>
Cc: OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>; 寺田真敏 / TERADA,MASATO <masato.terada.rd@hitachi.com>; Paul Patrick <paul.patrick@fireeye.com>
Subject: RE: [cti-cybox] Software object - recommend to use CPE?
+1. We’ve adopted CPE 2.3 naming convention only, specifically URI binding.
From: Jason Keirstead [mailto:Jason.Keirstead@ca.ibm.com]
Sent: Friday, September 23, 2016 8:41 AM
To: Patrick Maroney
Cc: OASIS CTI TC CybOX SC list; Jason Keirstead; 寺田真敏 / TERADA,MASATO; Paul Patrick; Coderre, Robert
Subject: Re: [cti-cybox] Software object - reccomend to use CPE?
I'm not suggesting adopting the XML format, simply the naming dictionary for entries.
cpe:2.3:a:adobe:acrobat:10.1:*:*:*:*:*:*:*
Vendor: adobe
Product: acrobat
Version: 10.1
cpe:2.3:a:google:chrome:0.2.149.27:*:*:*:*:*:*:* <https://web.nvd.nist.gov/view/cpe/detail?keyword=chrome&status=FINAL&orderBy=CPEURI&namingFormat=2.3&cpeId=109370>
Vendor: google
Product: chrome
Version: 0.2.149.27
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security <http://www.ibm.com/security> | www.securityintelligence.com <http://www.securityintelligence.com>
Without data, all you are is just another person with an opinion - Unknown
Patrick Maroney ---09/23/2016 09:30:32 AM---[+1] on the concept of adopting CPE. However, since CPE is defined in XML and requires support dict
From: Patrick Maroney <Pmaroney@Specere.org <mailto:Pmaroney@Specere.org> >
To: 寺田真敏 / TERADA,MASATO <masato.terada.rd@hitachi.com <mailto:masato.terada.rd@hitachi.com> >, Paul Patrick <paul.patrick@fireeye.com <mailto:paul.patrick@fireeye.com> >
Cc: OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >, Jason Keirstead/CanEast/IBM@IBMCA, "Coderre, Robert" <rcoderre@verisign.com <mailto:rcoderre@verisign.com> >
Date: 09/23/2016 09:30 AM
Subject: Re: [cti-cybox] Software object - reccomend to use CPE?
________________________________
[+1] on the concept of adopting CPE. However, since CPE is defined in XML and requires support dictionary extensions (also in XML) it's not clear how we can subsume this directly.
We have this challenge with adoption of other XML based standards.
(1) What's the current strategy?
(2) If we don't have a strategy, does this broader issue warrant a working group?
Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org <mailto:pmaroney@specere.org>
________________________________
From: cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> > on behalf of 寺田真敏 / TERADA,MASATO <masato.terada.rd@hitachi.com <mailto:masato.terada.rd@hitachi.com> >
Sent: Thursday, September 22, 2016 11:54:04 PM
To: Paul Patrick
Cc: Coderre, Robert; Jason Keirstead; OASIS CTI TC CybOX SC list
Subject: Re: Re: [cti-cybox] Software object - reccomend to use CPE?
+2 for using CPE
{Masato Terada}
Hitachi Incident Response Team
masato.terada.rd@hitachi.com <mailto:masato.terada.rd@hitachi.com>
+81-90-4369-3601 <tel:+91-90-4369-3601>
On Sep 23, 2016, at 10:56, Paul Patrick <Paul.Patrick@FireEye.com <mailto:Paul.Patrick@fireeye.com> > wrote:
+1 for using CPE
From: <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> > on behalf of "Coderre, Robert" <rcoderre@verisign.com <mailto:rcoderre@verisign.com> >
Date: Thursday, September 22, 2016 at 6:36 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> >
Cc: OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
Subject: Re: [cti-cybox] Software object - reccomend to use CPE?
I would support using CPE as a SHOULD in this case. It's what we've standardized on as a product identifier.
CPE is not without its limitations, but it's better than a free form text field. Although, for giggles, you should look up Internet Explorer in the CPE dictionary at the NVD site...
--
Rob Coderre
iDefense, Director of Product Management
Verisign, Inc.
rcoderre@verisign.com <mailto:rcoderre@verisign.com>
o: +1 703-948-3833
m: +1 571-224-4627
On Sep 22, 2016, at 8:41 PM, Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> > wrote:
I have concerns about the Cybox "software" object, and how it is so free-form with no real limitations.
Based on experience of trying to map things based on software names, it will descend into a mess. You will have some vendors using the word "MSIE" and others using "Microsoft IE" and others using "Internet Explorer" and others using "Microsoft Internet Explorer", all in the same field (this is just one example).
Should we perhaps instead look to use CPE? Or at least suggesting using CPE where it fits as a SHOULD ? Why are we reinventing the wheel when CPE solved this...
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
http://www.ibm.com/security <http://www.ibm.com/security> | http://www.securityintelligence.com <http://www.securityintelligence.com/>
Without data, all you are is just another person with an opinion - Unknown
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
-- Generated from cybox.jasn, Wed Sep 21 15:27:55 2016
/*
module: cybox
title: Cyber Observable Expression (cybox) 2.1 definitions
version: 2.1
description: Selected CybOX 2.1 objects used by OpenC2. Abstract syntx
information extracted from XSD source documents.
namespace: http://cybox.mitre.org/objects
sources: NetworkConnectionObject: Network_Connection_Object.xsd
Layer4ProtocolType: Cybox_common.xsd
Layer3ProtocolType: Network_Connection_Object.xsd
HostnameObject: Hostname_Object.xsd
*/
cybox DEFINITIONS ::=
BEGIN
Layer3ProtocolType ::= ENUMERATED {
IPv4 (1),
IPv6 (2),
ICMP (3),
IGMP (4),
IGRP (5),
CLNP (6),
EGP (7),
EIGRP (8),
IPSec (9),
IPX (10),
Routed-SMLT (11),
SCCP (12)
}
Layer4ProtocolType ::= ENUMERATED {
TCP (1),
UDP (2),
AH (3),
ESP (4),
GRE (5),
IL (6),
SCTP (7),
Sinec H1 (8),
SPX (9),
DCCP (10)
}
AddressObject ::= RECORD {
Address_Value UTF8String OPTIONAL,
VLAN_Name UTF8String OPTIONAL,
VLAN_Num INTEGER OPTIONAL
}
DeviceObject ::= MAP {
Description [1] UTF8String OPTIONAL,
Device_Type [2] UTF8String OPTIONAL,
Manufacturer [3] UTF8String OPTIONAL,
Model [4] UTF8String OPTIONAL,
Serial_Number [5] UTF8String OPTIONAL,
Firmware_Version [6] UTF8String OPTIONAL,
System_Details [7] UTF8String OPTIONAL
}
DiskObject ::= RECORD {
}
DiskPartitionObject ::= RECORD {
}
DomainNameTypeEnum ::= ENUMERATED {
FQDN (1),
TLD (2)
}
DomainNameObject ::= RECORD {
type DomainNameTypeEnum,
Value UTF8String
}
EmailMessageObject ::= RECORD {
}
FileObject ::= RECORD {
}
HostnameObject ::= RECORD {
Hostname_Value UTF8String,
Naming_System UTF8String OPTIONAL
}
MemoryObject ::= RECORD {
}
NetworkFlowObject ::= RECORD {
}
NetworkPacketObject ::= RECORD {
}
NetworkSubnetObject ::= RECORD {
}
PortObject ::= RECORD {
Port_Value INTEGER OPTIONAL,
Layer4_Protocol Layer4ProtocolType OPTIONAL
}
ProcessObject ::= RECORD {
}
ProductObject ::= RECORD {
}
SocketAddressChoice ::= CHOICE {
IP_Address [1] AddressObject,
Hostname [2] HostnameObject
}
SocketAddressObject ::= RECORD {
* SocketAddressChoice,
Port PortObject OPTIONAL
}
NetworkConnectionObject ::= RECORD {
Layer3Protocol Layer3ProtocolType OPTIONAL,
Layer4Protocol Layer4ProtocolType OPTIONAL,
SourceSocketAddress SocketAddressObject OPTIONAL,
DestinationSocketAddress SocketAddressObject OPTIONAL
}
URITypeEnum ::= ENUMERATED {
URL (1),
General URN (2),
Domain Name (3)
}
SystemObject ::= RECORD {
}
URIObject ::= RECORD {
type URITypeEnum,
Value UTF8String
}
UserAccountObject ::= RECORD {
}
UserSessionObject ::= RECORD {
Effective_Group UTF8String OPTIONAL,
Effective_Group_ID UTF8String OPTIONAL,
Effective_User UTF8String OPTIONAL,
Effective_User_ID UTF8String OPTIONAL,
Login_Time UTF8String OPTIONAL,
Logout_Time UTF8String OPTIONAL
}
VolumeObject ::= RECORD {
}
WindowsRegistryKeyObject ::= RECORD {
}
WindowsServiceObject ::= RECORD {
}
X509CertificateObject ::= ENUMERATED {
Certificate (1),
RawCertificate (2),
CertificateSignature (3)
}
CyboxObject ::= ATTRIBUTE {
Address [1] AddressObject,
Device [2] DeviceObject,
Disk [3] DiskObject,
Disk_Partition [4] DiskPartitionObject,
Domain_Name [5] DomainNameObject,
Email_Message [6] EmailMessageObject,
File [7] FileObject,
Hostname [8] HostnameObject,
Memory [9] MemoryObject,
Network_Connection [10] NetworkConnectionObject,
Network_Flow [11] NetworkFlowObject,
Network_Packet [12] NetworkPacketObject,
Network_Subnet [13] NetworkSubnetObject,
Port [14] PortObject,
Process [15] ProcessObject,
Product [16] ProductObject,
Socket_Address [17] SocketAddressObject,
System [18] SystemObject,
URI [19] URIObject,
User_Account [20] UserAccountObject,
User_Session [21] UserSessionObject,
Volume [22] VolumeObject,
Windows_Registry_Key [23] WindowsRegistryKeyObject,
Windows_Service [24] WindowsServiceObject,
X509_Certificate [25] X509CertificateObject
}
END
-- Generated from openc2.jasn, Wed Sep 21 15:28:56 2016
/*
module: openc2
title: OpenC2 Command Definitions
version: 0.1
description: Classes that define the content of OpenC2 commands. These
classes are used with an Encoder/Decoder (codec) to serialize and
deserialize commands for transmission in a format such as JSON,
XML, or CBOR, or to generate format-specific message schemas.
namespace: http://openc2.org/objects
root: OpenC2Command
import: http://cybox.mitre.org/common-2: cybox
http://docs.oasis-open.org/CTI/cybox-3: cybox3
*/
openc2 DEFINITIONS ::=
BEGIN
Action ::= ENUMERATED {
scan (1),
locate (2),
query (3),
report (4),
get (5),
notify (6),
deny (7),
contain (8),
allow (9),
start (10),
stop (11),
restart (12),
pause (13),
resume (14),
cancel (15),
set (16),
update (17),
move (18),
redirect (19),
delete (20),
snapshot (21),
detonate (22),
restore (23),
save (24),
modify (25),
throttle (26),
delay (27),
substitute (28),
copy (29),
sync (30),
distill (31),
augment (32),
investigate (33),
mitigate (34),
remediate (35),
response (36),
alert (37)
}
TargetType ::= ENUMERATED {
cybox:Address (1),
cybox:Device (2),
cybox:Disk (3),
cybox:Disk_Partition (4),
cybox:Domain_Name (5),
cybox:Email_Message (6),
cybox:File (7),
cybox:Hostname (8),
cybox:Memory (9),
cybox:Network_Connection (10),
cybox:Network_Flow (11),
cybox:Network_Packet (12),
cybox:Network_Subnet (13),
cybox:Port (14),
cybox:Process (15),
cybox:Product (16),
cybox:Socket_Address (17),
cybox:System (18),
cybox:URI (19),
cybox:User_Account (20),
cybox:User_Session (21),
cybox:Volume (22),
cybox:Windows_Registry_Key (23),
cybox:Windows_Service (24),
cybox:X509_Certificate (25),
Data (1),
cybox3 (2)
}
ActuatorType ::= ENUMERATED {
endpoint (1),
endpoint-digital-telephone-handset (2),
endpoint-laptop (3),
endpoint-pos-terminal (4),
endpoint-printer (5),
endpoint-sensor (6),
endpoint-server (7),
endpoint-smart-meter (8),
endpoint-smart-phone (9),
endpoint-tablet (10),
endpoint-workstation (11),
network (12),
network-bridge (13),
network-firewall (14),
network-gateway (15),
network-guard (16),
network-hips (17),
network-hub (18),
network-ids (19),
network-ips (20),
network-modem (21),
network-nic (22),
network-proxy (23),
network-router (24),
network-security-manager (25),
network-sense-making (26),
network-sensor (27),
network-switch (28),
network-vpn (29),
network-wap (30),
process (31),
process-aaa-server (32),
process-anti-virus-scanner (33),
process-connection-scanner (34),
process-directory-server (35),
process-dns-server (36),
process-email-service (37),
process-file-scanner (38),
process-location-service (39),
process-network-scanner (40),
process-remediation-service (41),
process-reputation-service (42),
process-sandbox (43),
process-virtualization-service (44),
process-vulnerability-scanner (45)
}
Target ::= RECORD {
type TargetType,
specifiers cybox:CyboxObject.&type OPTIONAL
}
ActuatorSpecifiers ::= RECORD {
port UTF8String OPTIONAL,
asset_id UTF8String OPTIONAL
}
ActuatorObject ::= ATTRIBUTE {
endpoint [1] ActuatorSpecifiers,
endpoint-digital-telephone-handset [2] ActuatorSpecifiers,
endpoint-laptop [3] ActuatorSpecifiers,
endpoint-pos-terminal [4] ActuatorSpecifiers,
endpoint-printer [5] ActuatorSpecifiers,
endpoint-sensor [6] ActuatorSpecifiers,
endpoint-server [7] ActuatorSpecifiers,
endpoint-smart-meter [8] ActuatorSpecifiers,
endpoint-smart-phone [9] ActuatorSpecifiers,
endpoint-tablet [10] ActuatorSpecifiers,
endpoint-workstation [11] ActuatorSpecifiers,
network [12] ActuatorSpecifiers,
network-bridge [13] ActuatorSpecifiers,
network-firewall [14] ActuatorSpecifiers,
network-gateway [15] ActuatorSpecifiers,
network-guard [16] ActuatorSpecifiers,
network-hips [17] ActuatorSpecifiers,
network-hub [18] ActuatorSpecifiers,
network-ids [19] ActuatorSpecifiers,
network-ips [20] ActuatorSpecifiers,
network-modem [21] ActuatorSpecifiers,
network-nic [22] ActuatorSpecifiers,
network-proxy [23] ActuatorSpecifiers,
network-router [24] ActuatorSpecifiers,
network-security-manager [25] ActuatorSpecifiers,
network-sense-making [26] ActuatorSpecifiers,
network-sensor [27] ActuatorSpecifiers,
network-switch [28] ActuatorSpecifiers,
network-vpn [29] ActuatorSpecifiers,
network-wap [30] ActuatorSpecifiers,
process [31] ActuatorSpecifiers,
process-aaa-server [32] ActuatorSpecifiers,
process-anti-virus-scanner [33] ActuatorSpecifiers,
process-connection-scanner [34] ActuatorSpecifiers,
process-directory-server [35] ActuatorSpecifiers,
process-dns-server [36] ActuatorSpecifiers,
process-email-service [37] ActuatorSpecifiers,
process-file-scanner [38] ActuatorSpecifiers,
process-location-service [39] ActuatorSpecifiers,
process-network-scanner [40] ActuatorSpecifiers,
process-remediation-service [41] ActuatorSpecifiers,
process-reputation-service [42] ActuatorSpecifiers,
process-sandbox [43] ActuatorSpecifiers,
process-virtualization-service [44] ActuatorSpecifiers,
process-vulnerability-scanner [45] ActuatorSpecifiers
}
Actuator ::= RECORD {
type UTF8String,
specifiers ActuatorObject.&type OPTIONAL
}
ResponseValue ::= ENUMERATED {
ack (1),
status (2)
}
MethodValue ::= ENUMERATED {
acl (1),
blackhole (2),
sinkhole (3),
blacklist (4),
whitelist (5)
}
WhereValue ::= ENUMERATED {
internal (1),
perimeter (2)
}
Duration ::= UTF8String(PATTERN "^\d+$")
DateTime ::= UTF8String(PATTERN "^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d{1,6})?Z|[-+]\d\d:\d\d$")
Modifiers ::= MAP {
delay [1] Duration OPTIONAL,
duration [2] Duration OPTIONAL,
frequency [3] Duration OPTIONAL,
response [4] ResponseValue OPTIONAL,
time [5] DateTime OPTIONAL,
method [6] MethodValue OPTIONAL,
where [7] WhereValue OPTIONAL
}
OpenC2Command ::= RECORD {
action Action,
target Target,
actuator Actuator OPTIONAL,
modifiers Modifiers OPTIONAL
}
END
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]