Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring
Are there (m)any situations where the path IS important? For example, a ".bashrc" file by itself doesn't really matter much, but put it under "/home/*/.bashrc" (using glob notation) and now it may be a Big Deal.
A random text file named "hosts" on Windows isn't a big deal...unless it's at "%WinDir%\System32\Drivers\Etc".
I don't see the searching concern as an issue...if the underlying database is indexed. Using an old-school SQL example:
SELECT * FROM Files WHERE Path LIKE '%/bad.exe'
Sure, it could have awful performance. Or, not, depending on the indexing and any full-text search out there.
Do we need to build indexing considerations into our serialization representation? Or rather, how important is that?
JSA

From: Barnum, Sean D. <sbarnum@mitre.org>
Sent: Thursday, November 19, 2015 3:24 PM
To: Jason Keirstead; John Anderson
Cc: cti-cybox@lists.oasis-open.org; Kirillov, Ivan A.
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

+1
From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, November 19, 2015 at 3:06 PM
To: John Anderson <janderson@soltra.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Steve Cell <ikirillov@mitre.org>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

:) File globs are friendlier than regex. Some examples: https://github.com/cyberdelia/django-pipeline/issues/208
From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, November 19, 2015 2:53 PM
To: Kirillov, Ivan A.
Cc: cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

- Regex searching is extremely expensive over large amounts of data, so we should try to avoid the need for software to do it during design if possible.
- I was more referring to this optional part of the proposal:

FileName
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown

From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 11/19/2015 03:45 PM
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring
Sent by: <cti-cybox@lists.oasis-open.org>

That’s a fair point, Jason – my only counter-argument is that most queries such as these can easily be expressed with a regular expression. E.g., for "find all observables that <match other params> and are explorer.exe" you’d have:

    file_name.regex = "explorer\.exe$"

As far as John’s point about file extensions, I’d completely agree that they’re largely superfluous today. It’s also worth noting that our concept of “extensions” has to do with extending the File Object with context/domain-specific data and NOT with regards to “.dll”, “.exe” and so forth. Perhaps we need another name for it :)

Regards,
Ivan

From: Jason Keirstead
Date: Thursday, November 19, 2015 at 2:37 PM
To: Ivan Kirillov
Cc: "cti-cybox@lists.oasis-open.org"
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

My only comment - and I have not decided where I sit on the fence - is that if you remove "file extension" and "file name" properties, and consolidate them all into one value called "path", this will make filtering and QUERY more difficult against your data.

I.e. "find all observables that <match other params> and are DLL" or "find all observables that <match other params> and are explorer.exe"

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown

From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 11/19/2015 01:20 PM
Subject: [cti-cybox] CybOX 3.0: File Object Refactoring
Sent by: <cti-cybox@lists.oasis-open.org>

All,

As Trey mentioned in his previous email, we’ve been thinking about how to refactor and fix the issues associated with the File Object (and its subclasses). Accordingly, we’ve put together a page that outlines the existing issues and our ideas on addressing them: https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-File-Object-Refactoring

We’ll be discussing this during today’s call, but we’d love to get your input here (and/or on Slack) as well – generally on your feelings with regards to these changes, but also on:
Regards,
Ivan and Trey

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
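The thread weighs three ways of asking "which observables are explorer.exe / a DLL / a .bashrc in a home directory" once file name and extension are folded into a single path: John's indexed SQL LIKE, Ivan's file_name.regex, and Jason's preference for globs. The following is an added example, not code from the thread, from CybOX, or from any of the posters, that puts those three styles side by side on a constructed set of file observables held in an in-memory SQLite table. It goes a little beyond the thread: it shows that a path glob needs a segment-aware '*' (Python's fnmatch lets '*' cross '/'), and it asks SQLite's planner whether each query form seeks an index or scans the whole table. The table and column names (files, path, file_name, extension), the sample paths and the helper names are this example's own assumptions.

```python
import re
import sqlite3
from fnmatch import fnmatch

# Constructed sample file observables (not from the thread); POSIX and Windows mixed.
SAMPLE_PATHS = [
    "/home/alice/.bashrc",
    "/home/alice/projects/.bashrc",   # one segment deeper: '/home/*/.bashrc' should reject it
    "/etc/hosts",
    "C:\\Windows\\System32\\Drivers\\Etc\\hosts",
    "C:\\Users\\bob\\Desktop\\hosts",
    "C:\\Windows\\explorer.exe",
    "C:\\Users\\bob\\AppData\\Local\\Temp\\explorer.exe",
    "/tmp/bad.exe",
    "/opt/app/lib/helper.dll",
]


def split_path(path):
    """Return (normalized_path, file_name, extension).

    Backslashes are folded to '/' so one pattern syntax covers both OS styles.
    The extension is lower-cased and '' when absent; a leading dot ('.bashrc')
    is not treated as an extension separator.
    """
    norm = path.replace("\\", "/")
    name = norm.rsplit("/", 1)[-1]
    ext = name[1:].rsplit(".", 1)[1].lower() if "." in name[1:] else ""
    return norm, name, ext


def glob_to_regex(pattern):
    """Compile a path glob in which '*' and '?' stop at a '/' segment boundary.

    Matching is case-insensitive so Windows paths compare the way NTFS does.
    Backslashes in the pattern are path separators, not escapes (assumption).
    """
    parts = []
    for ch in pattern.replace("\\", "/"):
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def glob_match(pattern, path):
    """Segment-aware glob match against the normalized path."""
    return glob_to_regex(pattern).match(split_path(path)[0]) is not None


def stdlib_glob_match(pattern, path):
    """The caveat: fnmatch's '*' also matches '/', so it over-matches nested paths."""
    return fnmatch(split_path(path)[0], pattern)


def build_db(paths):
    """Store the full path plus derived name/extension columns, each with an index."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (path TEXT, file_name TEXT, extension TEXT)")
    db.execute("CREATE INDEX ix_path ON files(path)")
    db.execute("CREATE INDEX ix_name ON files(file_name)")
    db.execute("CREATE INDEX ix_ext ON files(extension)")
    db.executemany("INSERT INTO files VALUES (?, ?, ?)", [split_path(p) for p in paths])
    db.commit()
    return db


def query_by_suffix(db, suffix):
    """John's shape, LIKE '%/bad.exe': correct, but the leading wildcard defeats ix_path."""
    rows = db.execute("SELECT path FROM files WHERE path LIKE ?", ("%/" + suffix,))
    return sorted(r[0] for r in rows)


def query_by_name(db, name):
    """Equality on the derived file_name column: an index seek."""
    rows = db.execute("SELECT path FROM files WHERE file_name = ?", (name,))
    return sorted(r[0] for r in rows)


def query_by_extension(db, ext):
    """Jason's 'are DLL' query against the derived extension column."""
    rows = db.execute("SELECT path FROM files WHERE extension = ?", (ext.lower(),))
    return sorted(r[0] for r in rows)


def query_by_regex(db, pattern):
    """Ivan's file_name.regex: SQLite has no native REGEXP, so every row is fetched and tested."""
    rx = re.compile(pattern, re.IGNORECASE)
    rows = db.execute("SELECT path, file_name FROM files")
    return sorted(p for p, n in rows if rx.search(n))


def seeks_index(db, sql, params):
    """True when SQLite's plan is an index SEARCH rather than a full SCAN."""
    plan = db.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any(str(row[-1]).startswith("SEARCH") for row in plan)


if __name__ == "__main__":
    db = build_db(SAMPLE_PATHS)
    print(glob_match("/home/*/.bashrc", "/home/alice/projects/.bashrc"))         # False
    print(stdlib_glob_match("/home/*/.bashrc", "/home/alice/projects/.bashrc"))  # True
    print(query_by_regex(db, r"explorer\.exe$"))
    print(seeks_index(db, "SELECT path FROM files WHERE path LIKE ?", ("%/bad.exe",)))   # False
    print(seeks_index(db, "SELECT path FROM files WHERE file_name = ?", ("bad.exe",)))   # True
```

The planner check is the practical version of the indexing question raised above: a suffix LIKE on the path column is a scan even with an index on that column, equality on a derived file_name or extension column is a seek, and a regex cannot be pushed into the database at all. None of that requires the serialization to carry separate name and extension properties, only that a consumer derive and index them on ingest; the segment-aware glob is what makes "/home/*/.bashrc" mean one home directory rather than any depth below it.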