
Subject: Re: [cti-comment] STIX 2.0 CSD01 errata as of March 27


John,

 

We have received your comments on STIX 2.0 CSDPR01 below. Thanks for your feedback!

 

The TC maintains a log of all comments received on its work here: https://docs.google.com/spreadsheets/d/1TCNdwL9o4lbblsIlDfeV0mHsBVGMdbFgwp95dhLLfaI/edit#gid=5055878. Your comments have been added as comments 4-15. When the public review period is over, the TC will consider all comments and note the resolutions in the log.

 

Again, thank you for your comment and please feel free to send along additional observations.

 

Sarah Kelley

STIX SC Co-Chair

 

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

 

From: <cti-comment@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Monday, March 27, 2017 at 4:28 PM
To: "cti-comment@lists.oasis-open.org" <cti-comment@lists.oasis-open.org>
Subject: [cti-comment] STIX 2.0 CSD01 errata as of March 27

 

All,

 

In working through the STIX 2.0 documents, the editors have found the following issues, most of which are minor:

 

  • Part 1:
    • Update section 5.1.2 to correct the data markings description to indicate that they can't have relationships.

 

  • Part 2:
    • Attack pattern example:  external_reference should have an external_id property
    • The create time of the malware in the coa example is after the create time of the relationship that refers to it
    • The COA Example has a typo. The Malware SDO at the bottom of the example has a property called `relationship_type` which should actually be `name`
    • 2016-01-201T17:00:00Z in the report example has a 3 digit day
    • The threat-actor example is pretty skimpy and should be expanded

 

  • Part 4:
    • home_dir in unix-account-ext isn't a ref to a directory object, but just a string
    • the x509 extension is named inconsistently:  most other extensions are "foo_ext", this one is 'x509-v3-extensions-type'
    • In the x509-certificate properties table, there is no entry for extension, even though it has one.
    • Timestamp in pe-binary-file needs a trailing Z
    • Windows-service-ext example should have service_name, not display_name
    • In the x509 example, validity_not_before and validity_not_after are after subject – but that is not the order in the table.  No big deal – but examples usually follow the order in the table.

 

I suggest we fix these for 2.0.

 

John
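
A small check for two kinds of example errors listed in the errata above (a malformed timestamp such as the three-digit day or a missing trailing Z, and an object created after a relationship that refers to it), as an added example that is not part of the original message or of the STIX documents. The object ids and every timestamp except `2016-01-201T17:00:00Z` are constructed, and the created-order check is a consistency heuristic based on the erratum, not a stated STIX requirement.

```python
import re
from datetime import datetime, timedelta

# STIX 2.0 timestamps are RFC 3339 in UTC: date, "T", time, optional fraction, "Z".
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?Z")

def parse_ts(value):
    """Return a datetime for a well-formed STIX timestamp, else None."""
    m = TS_RE.fullmatch(value) if isinstance(value, str) else None
    if not m:
        return None  # wrong digit counts, missing "Z", or not a string
    try:
        base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None  # right shape but impossible date, e.g. February 30
    return base + timedelta(seconds=float(m.group(2) or 0))

def lint(objects):
    """Return (object id, message) findings for a list of STIX objects."""
    findings, created = [], {}
    for o in objects:
        for prop in ("created", "modified", "published"):
            if prop in o and parse_ts(o[prop]) is None:
                findings.append((o["id"], f"{prop}: malformed timestamp {o[prop]!r}"))
        created[o["id"]] = parse_ts(o.get("created"))
    for o in objects:
        if o.get("type") != "relationship":
            continue
        rel_ts = created[o["id"]]
        for end in ("source_ref", "target_ref"):
            ref_ts = created.get(o.get(end))
            if rel_ts and ref_ts and ref_ts > rel_ts:
                findings.append((o["id"], f"{end} {o[end]} created after relationship"))
    return findings

# Constructed sample: placeholder ids (not real UUIDs) and invented timestamps,
# except the three-digit-day value, which is the one quoted in the errata.
SAMPLE = [
    {"type": "course-of-action", "id": "course-of-action--1", "created": "2016-04-06T20:03:48Z"},
    {"type": "malware", "id": "malware--1", "created": "2016-04-06T20:07:09Z"},
    {"type": "relationship", "id": "relationship--1", "created": "2016-04-06T20:06:37Z",
     "source_ref": "course-of-action--1", "target_ref": "malware--1"},
    {"type": "report", "id": "report--1", "created": "2015-12-21T19:59:11Z",
     "published": "2016-01-201T17:00:00Z"},
]

if __name__ == "__main__":
    for oid, msg in lint(SAMPLE):
        print(oid, msg)
```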



