Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring
+1 for MIMEType as well – I think this would be semantically less ambiguous than “content type”, and so it would be my preference. This would likely be a property that we would add into the default “file metadata” extension;
I’ll update the proposal accordingly. There are likely other properties that would fit in here as well – things like entropy. Is there a sense in the community as far as other common file metadata related properties we should be including?
As far as characterizing directories, as mentioned in the writeup below, the current plan is to allow for this through the use of the file_path field without the file_name field. E.g., the following would be a directory:

{ "file_system_properties":{"file_path": {"delimiter":"\\", "components":["C:","windows"]}} }

This goes along with the notion, as Mark pointed out, that files and directories are treated the same in many languages and also operating systems. However, Paul has a good point that this is less explicit than having a separate directory object. We’ve thought about this in the past and the discussion has always come back to the fact that directories are usually analogous to files in most places, just not in Windows. Therefore, perhaps what we can do is:

{ "file_system_properties":{"is_directory": true, "file_path": {"delimiter":"\\", "components":["C:","windows"]}} }

What do you think?
Regards,
Ivan
From: John Anderson <janderson@soltra.com>
Date: Tuesday, December 15, 2015 at 7:09 AM
To: Jerome Athias <athiasjerome@gmail.com>, Paul Patrick <ppatrick@isightpartners.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Ivan Kirillov <ikirillov@mitre.org>, Bret Jordan <bret.jordan@bluecoat.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Terry MacDonald <terry@soltra.com>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

+1 for having an attribute that holds a MIME Type value. (And maybe "mimetype" is the right attribute name.)

Random use-case: An executable that has a ".txt" extension is still executable on Linux, if the right bits are set. If the MIME type is known, then that might make it easier for automated systems to pay attention.

From: Jerome Athias <athiasjerome@gmail.com>
Sent: Tuesday, December 15, 2015 8:28 AM
To: Paul Patrick
Cc: Jason Keirstead; Kirillov, Ivan A.; Jordan, Bret; cti-cybox@lists.oasis-open.org; John Anderson; Terry MacDonald
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

MIMEType is used in Malware Metadata Exchange Format (MMDEF), which is used in MAEC
Ref. https://standards.ieee.org/develop/indconn/icsg/mmdef.html

2015-12-15 16:19 GMT+03:00 Paul Patrick <ppatrick@isightpartners.com>:
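
Added example (not part of the original thread and not CybOX project code): a consumer-side check, in Python, that interprets both directory conventions discussed above, the implicit one (file_path without file_name) and the explicit is_directory flag, and rejects objects where the two disagree. The key names come from the messages; placing file_name beside file_path inside file_system_properties, and the sample objects themselves, are assumptions.

```python
import json

# Constructed sample objects; key names are taken from the thread. Placing
# file_name beside file_path in file_system_properties is an assumption.
IMPLICIT_DIR = r'{"file_system_properties":{"file_path":{"delimiter":"\\","components":["C:","windows"]}}}'
EXPLICIT_DIR = r'{"file_system_properties":{"is_directory":true,"file_path":{"delimiter":"\\","components":["C:","windows"]}}}'
NAMED_FILE = r'{"file_system_properties":{"file_name":"notepad.exe","file_path":{"delimiter":"\\","components":["C:","windows"]}}}'
CONFLICT = r'{"file_system_properties":{"is_directory":true,"file_name":"notepad.exe","file_path":{"delimiter":"\\","components":["C:","windows"]}}}'


def render_path(file_path):
    """Join the path components using the object's own delimiter."""
    return file_path["delimiter"].join(file_path["components"])


def classify(raw):
    """Return (kind, path, basis) for one serialized file object.

    basis is "explicit" when is_directory decided the answer and
    "inferred" when it came from the presence or absence of file_name.
    """
    props = json.loads(raw).get("file_system_properties", {})
    file_path = props.get("file_path")
    path = render_path(file_path) if file_path else None
    has_name = "file_name" in props
    flag = props.get("is_directory")

    if flag is not None:
        if not isinstance(flag, bool):
            raise ValueError("is_directory must be a JSON boolean")
        if flag and has_name:
            raise ValueError("is_directory is true but file_name is set")
        return ("directory" if flag else "file", path, "explicit")
    # Implicit convention: a path with no file name denotes a directory.
    if file_path is not None and not has_name:
        return ("directory", path, "inferred")
    return ("file", path, "inferred")


if __name__ == "__main__":
    for sample in (IMPLICIT_DIR, EXPLICIT_DIR, NAMED_FILE):
        print(classify(sample))
```

With the explicit flag, an object carrying is_directory set to false and no file_name is classified as a file whose name is unknown, a case the implicit convention would report as a directory.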