Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring
Jason – I think there is again some confusion regarding our use of the term “extension” :) What we’re referring to here are the actual File Object (and other Object) extensions that we’ve proposed, such as FileMetadataExtension and EXT3FileExtension. Thus, “type” would be used to specify the name of the extension that is being used, e.g., “type” = “FileMetadataExtension”:

{
  "hashes": [{"type": "md5", "hash_value": "3773a88f65a5e780c8dff9cdc3a056f3"}],
  "size": 25537,
  "file_system_properties": {
    "is_directory": false,
    "file_name": "foo.exe",
    "file_path": {"delimiter": "/", "components": ["usr", "tmp"]}
  },
  "extensions": [{"type": "FileMetadataExtension", "mime_type": "vnd.microsoft.portable-executable"}]
}

This doesn’t have anything to do with extensions that are found in file names, which would still be captured in the “file_name” property (as in the example above). Maybe we need to call this something else for clarity - “extension point” perhaps?
Regards,
Ivan
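To make the distinction in the message above concrete, here is a small validator for the draft File Object; it is an added example, not CybOX project code. It reads "type" inside "hashes" as the hash algorithm and "type" inside "extensions" as the extension-point name, derives the file-name extension separately from "file_name", and rejects an extension entry whose "type" is a file-name suffix. The property set for EXT3FileExtension and the accepted digest lengths are assumptions, not taken from the thread.

```python
"""Validator for the CybOX 3.0 draft File Object from the thread (added
example, not CybOX project code). "type" under "hashes" is a hash algorithm;
"type" under "extensions" is an extension-point name."""
import json
import string

# Extension-point names from the thread. Only FileMetadataExtension's property
# (mime_type) is on the page; the empty set for EXT3FileExtension is a placeholder.
KNOWN_EXTENSIONS = {"FileMetadataExtension": {"mime_type"}, "EXT3FileExtension": set()}
HEX_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}  # assumed accepted algorithms


def validate_file_object(obj):
    """Return a list of problems; an empty list means the object is well formed."""
    problems = []
    for h in obj.get("hashes", []):
        algo = str(h.get("type", "")).lower()
        value = str(h.get("hash_value", ""))
        expected = HEX_DIGEST_LEN.get(algo)
        if expected is None:
            problems.append(f"unknown hash type {algo!r}")
        elif len(value) != expected or any(c not in string.hexdigits for c in value):
            problems.append(f"{algo} digest is not {expected} hex characters")
    for ext in obj.get("extensions", []):
        name = ext.get("type")
        if name not in KNOWN_EXTENSIONS:
            # A file-name suffix such as "exe" is not an extension point and is rejected here.
            problems.append(f"unknown extension point {name!r}")
            continue
        unexpected = set(ext) - {"type"} - KNOWN_EXTENSIONS[name]
        if unexpected:
            problems.append(f"{name}: unexpected properties {sorted(unexpected)}")
    return problems


def file_name_extension(obj):
    """File-name suffix such as 'exe'; unrelated to the extension-point name."""
    name = obj.get("file_system_properties", {}).get("file_name", "")
    return name.rsplit(".", 1)[1] if "." in name else ""


# The example object from the message above, parsed verbatim.
SAMPLE = json.loads(
    '{"hashes": [{"type": "md5", "hash_value": "3773a88f65a5e780c8dff9cdc3a056f3"}],'
    ' "size": 25537, "file_system_properties": {"is_directory": false,'
    ' "file_name": "foo.exe", "file_path": {"delimiter": "/", "components": ["usr", "tmp"]}},'
    ' "extensions": [{"type": "FileMetadataExtension",'
    ' "mime_type": "vnd.microsoft.portable-executable"}]}')
```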
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Tuesday, December 22, 2015 at 7:40 AM
To: Mark Davidson <mdavidson@soltra.com>
Cc: Ivan Kirillov <ikirillov@mitre.org>, John Wunder <jwunder@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

The problem with using "type" to refer to the file extension type, to me, is that it removes important information from the serialization.

Personally I like the idea that certain keywords are reserved. Forcing implementers to remember which “type” fields indicate the object type and which “type” fields indicate some other type (e.g., PE binary type, as in the referenced example) would expand the cognitive load required to “grok” CybOX 3.0 significantly.

Thank you.
-Mark

From: <cti-cybox@lists.oasis-open.org> on behalf of "Kirillov, Ivan A." <ikirillov@mitre.org>
Date: Tuesday, December 22, 2015 at 9:18 AM
To: "Wunder, John A." <jwunder@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

“Extension_type” is just the required property on all extensions that defines the name of the object extension (which unfortunately collides with the concept of file extensions); I agree with Jason that “metadata_type” is rather abstract and so it may not be better. I’m fine with just “type” if we feel that it would be a better, standardized approach (it’s actually what we originally had) - the only issue there is that there are other places where “type” is used (e.g., [1]), so they would have to be changed since “type” would effectively become a reserved keyword. I also concur with Mark’s points on MIMEType and Magic Number.
[1] http://stixproject.github.io/data-model/1.2/WinExecutableFileObj/WindowsExecutableFileObjectType/

Regards,
Ivan

From: <cti-cybox@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Date: Tuesday, December 22, 2015 at 7:10 AM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

I agree w/ all of Mark’s comments. Regarding #1, would this be a good place to use the “type” field that EclecticIQ has added to their JSON? It seems to serve the same purpose and if we standardize on that name across STIX, CybOX, and TAXII we’ll make things much easier for users.

John

From: <cti-cybox@lists.oasis-open.org> on behalf of Mark Davidson <mdavidson@soltra.com>
Date: Tuesday, December 22, 2015 at 7:13 AM
To: Ivan Kirillov <ikirillov@mitre.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, Patrick Maroney <Pmaroney@specere.org>, Sean Barnum <sbarnum@mitre.org>, John Anderson <janderson@soltra.com>, Paul Patrick <ppatrick@isightpartners.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Terry MacDonald <terry@soltra.com>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

Overall I like the proposal. I have a few comments:
-Mark

From: <cti-cybox@lists.oasis-open.org> on behalf of "Kirillov, Ivan A." <ikirillov@mitre.org>
Date: Monday, December 21, 2015 at 3:03 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, Patrick Maroney <Pmaroney@specere.org>, "Barnum, Sean D." <sbarnum@mitre.org>, John Anderson <janderson@soltra.com>, Paul Patrick <ppatrick@isightpartners.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Terry MacDonald <terry@soltra.com>
Subject: Re: [cti-cybox] CybOX 3.0: File Object Refactoring

Just a heads up that we’ve updated the File Object Refactoring proposal [1] to take into account some of the great points brought up around file metadata and masquerading discussion during our last SC call. Let us know what you think.

FileMetadataExtension
[1] https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-File-Object-Refactoring#filemetadataextension

Regards,
Ivan