
cti-cybox message



Subject: Re: [cti-cybox] CybOX Patterning question


I also prefer option two. It should apply to the preceding single content item. If you want it to apply to multiple items then they should be wrapped in parentheses so that they become a single item. This is how other languages such as the Snort rules language work, and is how I would expect it to work.

Cheers
Terry MacDonald
Cosive


On 5 Oct. 2016 3:51 am, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

If we make them greedy then can I break it apart with ( ) parens when I do not want that behaviour, and want to define multiple independent sequences? Because that is an important use case..

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: John-Mark Gurney <jmg@newcontext.com>
To: cti-cybox@lists.oasis-open.org
Date: 10/03/2016 06:51 PM
Subject: [cti-cybox] CybOX Patterning question
Sent by: <cti-cybox@lists.oasis-open.org>





Hello,

There is a discussion on Slack (and in the Patterning spec) about how Observation Operators and Qualifiers interact.  I'm bringing it here to have a full SC discussion.

Link to Patterning Spec:
https://docs.google.com/document/d/1suvd7z7YjNKWOwgko-vJ84jfGuxSYZjOQlw5leCswPY/edit#heading=h.t32x0azc539r

The question is, do Qualifiers (REPEAT or WITHIN or START/STOP) apply to the immediately preceding Observation Expression, or to all preceding Observation Expressions?

The spec has it as not greedy, option 2 below.

1) Qualifiers are greedy and apply to all preceding expressions (have lower precedence than ALONGWITH/FOLLOWEDBY): `[ a ] ALONGWITH [ b ] REPEAT 5 TIMES` results in 5 a's and 5 b's (to get other result, you need to use: `[ a ] ALONGWITH ([ b ] REPEAT 5 TIMES)`)

2) Qualifiers are not greedy and only apply to the immediately preceding expression (have a higher precedence than ALONGWITH/FOLLOWEDBY): `[ a ] ALONGWITH [ b ] REPEAT 5 TIMES` results in 1 a and 5 b's. (to get other result, you need to use: `([ a ] ALONGWITH [ b ]) REPEAT 5 TIMES`).

There is also the point that some qualifiers make sense to be greedy, REPEAT and START/STOP, while WITHIN be non-greedy as it doesn't make sense to apply to only one Observation Expression.  I would prefer NOT to split these as it will confuse writers and readers of these patterns.  Yes, they could be described w/ a simple precedence table, but that would just add another rule that people have to memorize.

I do not have a strong preference for one or the other.  I personally think that 2 makes slightly more sense, as if you write a long pattern w/ multiple qualifiers, you'll end up using less parens than the other way.

Thanks for your input.

John-Mark
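
The two binding rules discussed in this thread, as an added example that is not part of any message above and is not code from the Patterning spec. It is a toy parser: the function name `required_counts` is hypothetical, only the REPEAT qualifier is modelled, and observation expressions are reduced to single-word placeholders such as `[ a ]`.

```python
import re
from collections import Counter

TOKEN = re.compile(r"\[\s*\w+\s*\]|[()]|[A-Z]+|\d+")

def required_counts(pattern, greedy):
    """Count required observations: option 1 (greedy=True) or option 2 (greedy=False)."""
    toks, pos = TOKEN.findall(pattern), 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        pos += 1
        return tok
    def qualifiers(counts):
        # Multiply everything collected so far by each "REPEAT n TIMES" suffix.
        while peek() == "REPEAT":
            take()
            n = int(take())
            take("TIMES")
            counts = Counter({name: c * n for name, c in counts.items()})
        return counts
    def atom():
        tok = take()
        if tok == "(":
            counts = expr()
            take(")")
        elif tok.startswith("["):
            counts = Counter({tok.strip("[] "): 1})
        else:
            raise ValueError(f"unexpected token {tok!r}")
        # Option 2: the qualifier binds to this single item only.
        return counts if greedy else qualifiers(counts)
    def expr():
        counts = atom()
        while True:
            if greedy:  # Option 1: the qualifier covers the whole chain so far.
                counts = qualifiers(counts)
            if peek() not in ("ALONGWITH", "FOLLOWEDBY"):
                return counts
            take()
            counts = counts + atom()
    result = expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return dict(result)
```

Under either rule, a pattern in which every qualified item is parenthesised, such as `([ a ] REPEAT 2 TIMES) FOLLOWEDBY ([ b ] REPEAT 3 TIMES)`, yields the same counts, which is the parenthesised case asked about in the thread.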



