

Subject: Re: [cti-cybox] CybOX Patterning question


If we make them greedy then can I break it apart with ( ) parens when I do not want that behaviour, and want to define multiple independent sequences? Because that is an important use case.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: John-Mark Gurney <jmg@newcontext.com>
To: cti-cybox@lists.oasis-open.org
Date: 10/03/2016 06:51 PM
Subject: [cti-cybox] CybOX Patterning question
Sent by: <cti-cybox@lists.oasis-open.org>





Hello,

There is a discussion on Slack (and in the Patterning spec) about how Observation Operators and Qualifiers interact.  I'm bringing it here to have a full SC discussion.

Link to Patterning Spec:
https://docs.google.com/document/d/1suvd7z7YjNKWOwgko-vJ84jfGuxSYZjOQlw5leCswPY/edit#heading=h.t32x0azc539r

The question is, do Qualifiers (REPEAT or WITHIN or START/STOP) apply to the immediately preceding Observation Expression, or to all preceding Observation Expressions?

The spec has it as not greedy, option 2 below.

1) Qualifiers are greedy and apply to all preceding expressions (have lower precedence than ALONGWITH/FOLLOWEDBY): `[ a ] ALONGWITH [ b ] REPEAT 5 TIMES` results in 5 a's and 5 b's (to get other result, you need to use: `[ a ] ALONGWITH ([ b ] REPEAT 5 TIMES)`)

2) Qualifiers are not greedy and only apply to the immediately preceding expression (have a higher precedence than ALONGWITH/FOLLOWEDBY): `[ a ] ALONGWITH [ b ] REPEAT 5 TIMES` results in 1 a and 5 b's. (to get other result, you need to use: `([ a ] ALONGWITH [ b ]) REPEAT 5 TIMES`).

There is also the point that some qualifiers make sense to be greedy, REPEAT and START/STOP, while WITHIN be non-greedy as it doesn't make sense to apply to only one Observation Expression.  I would prefer NOT to split these as it will confuse writers and readers of these patterns.  Yes, they could be described w/ a simple precedence table, but that would just add another rule that people have to memorize.

I do not have a strong preference for one or the other.  I personally think that 2 makes slightly more sense, as if you write a long pattern w/ multiple qualifiers, you'll end up using less parens than the other way.

Thanks for your input.

John-Mark
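
The two readings discussed in this thread, as an added example that is not part of either message or of the Patterning spec: a small evaluator that parses a pattern under option 1 or option 2 and returns how many matches of each observation it requires. The function name `required_counts`, the `greedy` flag and the restriction to REPEAT are assumptions made for illustration.

```python
import re
from collections import Counter

TOKEN = re.compile(r"\[\s*(\w+)\s*\]|(\(|\)|ALONGWITH|FOLLOWEDBY|REPEAT|TIMES|\d+)")

def required_counts(pattern, greedy):
    """Required matches per observation; constructed subset, no WITHIN/START/STOP."""
    if TOKEN.sub("", pattern).strip():
        raise ValueError("unrecognised text in pattern")
    toks = [("OBS", o) if o else ("KW", k) for o, k in TOKEN.findall(pattern)] + [("EOF", "")]
    i = 0

    def at(kind, *values):
        return toks[i][0] == kind and (not values or toks[i][1] in values)
    def take(kind, *values):
        nonlocal i
        if not at(kind, *values):
            raise ValueError(f"expected {values or kind}, got {toks[i][1]!r}")
        i += 1
        return toks[i - 1][1]

    def primary():
        if not at("KW", "("):
            return Counter({take("OBS"): 1})
        take("KW", "(")
        inner = expr()
        take("KW", ")")
        return inner

    def repeat(operand):
        take("KW", "REPEAT")
        n = int(take("KW"))
        take("KW", "TIMES")
        return Counter({name: count * n for name, count in operand.items()})

    def expr():
        done, last = Counter(), primary()  # operands joined so far, latest operand
        while at("KW", "ALONGWITH", "FOLLOWEDBY", "REPEAT"):
            if not at("KW", "REPEAT"):  # operator: start a new operand
                take("KW")
                done, last = done + last, primary()
            elif greedy:  # option 1: qualifier covers everything so far
                done, last = Counter(), repeat(done + last)
            else:  # option 2: qualifier covers the latest operand only
                last = repeat(last)
        return done + last
    result = expr()
    take("EOF")
    return dict(result)
```

Under `greedy=True`, parenthesised groups such as `([ a ] REPEAT 2 TIMES) FOLLOWEDBY ([ b ] REPEAT 3 TIMES)` still evaluate as independent sequences, because the qualifier only reaches back to the start of the enclosing group.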



