[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-taxii] RE: [cti-stix] STIX 2.0 - Sightings object
Suggest we need to include the whole set of prior discussions on how we represent non-linear/multi-path/concurrent temporal relationships between events/state changes and objects (in both absolute and relative representations). This globally applies to sightings and observables/patterns and should therefore be consistently represented (per our new consensus "One Way to do 'Things'" Doctrine).
Patrick Maroney
President, Integrated Networking Technologies, Inc.
Desk: (856)983-0001 Cell: (609)841-5104 Email: pmaroney@specere.org

> For example, it’ll say that org. X saw the indicator 35 times. Is that something we need to support?

I think in some way, shape or form the answer has to be yes, but maybe that’s a TAXII thing.
For TAXII, one of the recent thoughts is pipelining. Let’s say, for the sake of argument, TAXII 2.0 is done over HTTP, and assume a scenario where a TAXII Client connects to a TAXII Server and has multiple messages waiting for it. Two options for delivery are 1) one HTTP request/response per message; and 2) pipelining - deliver all messages in one HTTP response (assuming some kind of max_size limit is not exceeded). If there are 300 small messages (e.g., what sightings could be), then one HTTP request/response per message is a ton of overhead. Putting all the messages into one HTTP response (aka pipelining) could make that issue a non-factor.
So maybe there’s something like <sighting id=’1’ count=’35’/> or maybe it’s just <sighting id=’1’/> repeated 35 times and TAXII is efficient enough that multiple sightings are a non-issue.
Thank you. -Mark
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Wunder, John A.
It’s funny you say that because I’ve had this same exact thought. I do think this is a good way to think about it.
A few complexities / things to think about:

1. I’ve noticed that a lot of these exchanges also include a sightings count. For example, it’ll say that org. X saw the indicator 35 times. Is that something we need to support?
2. A lot of times people will want to sight an indicator (or even an observable) and include more details about what exactly was seen. For example, the indicator might be for an IP address but the sighting producer wants to include the actual network connection. So, given that, also consider that you might have sighting as a relationship between a full CybOX observable and the indicator that it matched (with the information source on the observable being who did the sighting) rather than a relationship between the producer and the indicator.
3. Do you sight indicators or observables (the age-old question). Or both? Can you sight a piece of malware even without an indicator?
John
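An added illustration of the two ideas in this thread, written for this page and not taken from the thread, from STIX 2.0 or from TAXII 2.0: Mark's pipelining of many small sighting messages into one response under a max_size limit (including the choice between 35 repeated sightings and one sighting with count=35), and John's points about a sighting that carries the observed data alongside the indicator it matched and a sighting that points at an indicator or an observable. Every field name (`sighted_ref`, `source`, `count`, `observed`), the JSON-array response body, and the identifiers `indicator-1`, `org-x`, `org-y` are assumptions made for the example; the sample sightings and the connection tuple are constructed.

```python
import json
from typing import Dict, List, Optional, Tuple

# Added example for the thread above. The field names, identifiers and the
# JSON-array body are assumptions for illustration, not STIX/TAXII syntax.


def make_sighting(sighted_ref: str, source: str, count: int = 1,
                  observed: Optional[dict] = None) -> dict:
    """One sighting record. `sighted_ref` names the thing sighted (an
    indicator, or an observable per John's point 3); `source` is who saw it;
    `count` covers "org X saw the indicator 35 times" (point 1); `observed`
    optionally carries what was actually seen (point 2), e.g. the network
    connection that matched an IP-address indicator."""
    if count < 1:
        raise ValueError("count must be at least 1")
    record = {"type": "sighting", "sighted_ref": sighted_ref,
              "source": source, "count": count}
    if observed is not None:
        record["observed"] = observed
    return record


def collapse_repeats(sightings: List[dict]) -> List[dict]:
    """Turn 35 repeated <sighting id='1'/> into one <sighting id='1' count='35'/>.
    Only sightings without per-event `observed` data are merged; a sighting
    that carries the actual observation stays its own record, since the
    observation is what makes it different from the others."""
    merged: Dict[Tuple[str, str], dict] = {}
    out: List[dict] = []
    for s in sightings:
        if "observed" in s:
            out.append(s)
            continue
        key = (s["sighted_ref"], s["source"])
        if key in merged:
            merged[key]["count"] += s["count"]
        else:
            merged[key] = dict(s)  # copy, so the caller's record is not mutated
            out.append(merged[key])
    return out


def batch_responses(messages: List[dict], max_size: int) -> List[bytes]:
    """Pipelining: pack consecutive messages into as few response bodies as
    possible, each body a JSON array no longer than `max_size` bytes. A
    message that cannot fit in an empty body on its own is rejected rather
    than silently truncated or dropped."""
    bodies: List[bytes] = []
    current: List[str] = []
    current_len = 2  # the enclosing "[" and "]"
    for m in messages:
        item = json.dumps(m, separators=(",", ":"), sort_keys=True)
        if len(item) + 2 > max_size:
            raise ValueError("message of %d bytes exceeds max_size=%d"
                             % (len(item) + 2, max_size))
        extra = len(item) + (1 if current else 0)  # comma before non-first item
        if current_len + extra > max_size:
            bodies.append(("[" + ",".join(current) + "]").encode())
            current, current_len, extra = [], 2, len(item)
        current.append(item)
        current_len += extra
    if current:
        bodies.append(("[" + ",".join(current) + "]").encode())
    return bodies


def unbatch(body: bytes) -> List[dict]:
    """Client side: one response body back into its individual messages."""
    messages = json.loads(body.decode())
    if not isinstance(messages, list):
        raise ValueError("expected a JSON array body")
    return messages


if __name__ == "__main__":
    # Constructed sample: org-x sighted indicator-1 35 times, and org-y sighted
    # it once while including the connection it actually observed.
    raw = [make_sighting("indicator-1", "org-x") for _ in range(35)]
    raw.append(make_sighting("indicator-1", "org-y",
                             observed={"src": "10.0.0.5", "dst": "198.51.100.7",
                                       "dport": 443}))
    print(len(collapse_repeats(raw)), "records after collapsing repeats")
    bodies = batch_responses(raw, max_size=200)
    print(len(bodies), "response bodies instead of", len(raw))
```

The two functions show the trade-off Mark raises: `collapse_repeats` keeps the per-event detail John wants (a sighting with `observed` data is never merged) while still reducing "saw it 35 times" to one record, and `batch_responses` makes the remaining per-message overhead a non-factor by filling each response up to max_size; a client that can `unbatch` gets the same messages either way.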