cti-stix message
Subject: Questions on boolean observation operators and on network-traffic
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: cti-stix@lists.oasis-open.org
- Date: Mon, 26 Mar 2018 08:52:26 -0400
Hello everyone. I have been working with our team on implementing some things surrounding SCO and pattern and have run into some questions that I actually can't answer / recall what we were thinking when we designed these sections, and am hoping for some guidance.
Question #1: boolean observation operators
The first question surrounds section 4.1, observation operators. We are having a very difficult time coming up with a logical difference between [ a ] AND [ b ] and [ a ] OR [ b ]:

[a] AND [b] | a and b MUST both be Observation Expressions and MUST both evaluate to true on different Observations. | Left to right
[a] OR [b]  | a and b MUST both be Observation Expressions and one of a or b MUST evaluate to true on different Observations. | Left to right
The problem is, these are logically equivalent because of the fact that [a] and [b] MUST be different observations, which essentially morphs the "AND" into an "OR" in the first clause... I challenge anyone to find any examples of tests and/or data whereby [ a ] AND [ b ] will result in a different evaluation than [ a ] OR [ b ]...
This poses the question - should "AND" even be a valid observation operator?
Question #2: network-traffic object protocols
The second question surrounds the "protocols" enumeration on network-traffic. This field is marked as REQUIRED - however there are numerous situations where it is unknown, where one still wants to record the network-traffic. I believe this field should be changed to be OPTIONAL.
--
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
"Things may come to those who wait, but only the things left by those who hustle." - Unknown
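Editor's note: the following is an added example and is not part of the message above, nor code from the STIX specification or any OASIS project. It is a toy evaluator for the two observation operators exactly as the quoted table defines them ([a] AND [b]: both true on different Observations; [a] OR [b]: at least one of them true), run over a few constructed observation sets so the reader can compare the two operators' results on the same data. Observations are modelled as lists of SCO dicts, standing in for the objects of one observed-data instance; the Observation Expressions, IP address and hash values are all constructed for the example.

```python
"""Toy evaluator for the STIX observation operators quoted in the message.

Added example; not the STIX specification's or any project's own code.
An Observation is modelled as the list of SCO dicts inside one
observed-data; an Observation Expression is a predicate over one
Observation (true if any SCO inside it matches).
"""
from typing import Callable, Dict, List

Observation = List[Dict[str, str]]
ObsExpr = Callable[[Observation], bool]


def sco_match(sco_type: str, prop: str, value: str) -> ObsExpr:
    """Build a predicate for a comparison like [type:prop = 'value']."""
    return lambda obs: any(
        sco.get("type") == sco_type and sco.get(prop) == value for sco in obs
    )


def holds_on(expr: ObsExpr, observations: List[Observation]) -> List[int]:
    """Indexes of the Observations on which `expr` evaluates to true."""
    return [i for i, obs in enumerate(observations) if expr(obs)]


def obs_and(a: ObsExpr, b: ObsExpr, observations: List[Observation]) -> bool:
    """[a] AND [b]: a and b must each hold, on two *different* Observations."""
    a_hits, b_hits = holds_on(a, observations), holds_on(b, observations)
    return any(i != j for i in a_hits for j in b_hits)


def obs_or(a: ObsExpr, b: ObsExpr, observations: List[Observation]) -> bool:
    """[a] OR [b]: at least one of a, b holds on some Observation."""
    return bool(holds_on(a, observations) or holds_on(b, observations))


def compare(a: ObsExpr, b: ObsExpr, observations: List[Observation]) -> Dict[str, bool]:
    """Evaluate both operators on the same data so they can be compared."""
    return {"AND": obs_and(a, b, observations), "OR": obs_or(a, b, observations)}


# Constructed Observation Expressions (sample values, not real indicators):
#   A stands for [ipv4-addr:value = '198.51.100.7']
#   B stands for [file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']
A = sco_match("ipv4-addr", "value", "198.51.100.7")
B = sco_match("file", "md5", "d41d8cd98f00b204e9800998ecf8427e")

# Constructed observation sets (each inner list is one Observation).
ONLY_A = [
    [{"type": "ipv4-addr", "value": "198.51.100.7"}],
    [{"type": "file", "md5": "0" * 32}],
]
SPLIT = [
    [{"type": "ipv4-addr", "value": "198.51.100.7"}],
    [{"type": "file", "md5": "d41d8cd98f00b204e9800998ecf8427e"}],
]
SAME_OBSERVATION = [
    # one Observation whose objects satisfy both A and B
    [
        {"type": "ipv4-addr", "value": "198.51.100.7"},
        {"type": "file", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    ],
]
NEITHER = [[{"type": "file", "md5": "0" * 32}]]

if __name__ == "__main__":
    for name, data in [("ONLY_A", ONLY_A), ("SPLIT", SPLIT),
                       ("SAME_OBSERVATION", SAME_OBSERVATION), ("NEITHER", NEITHER)]:
        print(f"{name:17s} {compare(A, B, data)}")
```

Running the block prints one line per constructed data set; the SAME_OBSERVATION case is the one the "different Observations" clause is about: both expressions match inside a single observed-data, so the OR form succeeds while the AND form, which needs two distinct Observations, does not.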