Subject: Re: [cti-cybox] CybOX Patterning question
Terry MacDonald wrote this message on Wed, Oct 05, 2016 at 08:26 +1300:
> I also prefer option two. It should apply to the preceding single content
> item. If you want it to apply to multiple items then they should be wrapped
> in parentheses so that they become a single item. This is how other
> languages such as the snort rules language work, and is how I would expect
> it to work.

As general consensus seems to be option 2, non-greedy, where
ALONGWITH/FOLLOWEDBY have higher precedence than qualifiers, unless I hear
a disagreement in the next couple days, I'll update the spec accordingly.

Thanks.

> On 5 Oct. 2016 3:51 am, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
> wrote:
>
> > If we make them greedy then can I break it apart with ( ) parens when I do
> > not want that behaviour, and want to define multiple independent sequences?
> > Because that is an important use case.
> >
> > -
> > Jason Keirstead
> > STSM, Product Architect, Security Intelligence, IBM Security Systems
> > www.ibm.com/security | www.securityintelligence.com
> >
> > Without data, all you are is just another person with an opinion - Unknown
> >
> > From: John-Mark Gurney <jmg@newcontext.com>
> > To: cti-cybox@lists.oasis-open.org
> > Date: 10/03/2016 06:51 PM
> > Subject: [cti-cybox] CybOX Patterning question
> > Sent by: <cti-cybox@lists.oasis-open.org>
> > ------------------------------
> >
> > Hello,
> >
> > There is a discussion on Slack (and in the Patterning spec) about how
> > Observation Operators and Qualifiers interact. I'm bringing it here to
> > have a full SC discussion.
> >
> > Link to Patterning Spec:
> >
> > https://docs.google.com/document/d/1suvd7z7YjNKWOwgko-vJ84jfGuxSYZjOQlw5leCswPY/edit#heading=h.t32x0azc539r
> >
> > The question is, do Qualifiers (REPEAT or WITHIN or START/STOP) apply to
> > the immediately preceding Observation Expression, or to all preceding
> > Observation Expressions?
> >
> > The spec has it as not greedy, option 2 below.
> >
> > 1) Qualifiers are greedy and apply to all preceding expressions (have lower
> > precedence than ALONGWITH/FOLLOWEDBY): `[ a ] ALONGWITH [ b ] REPEAT 5
> > TIMES` results in 5 a's and 5 b's (to get other result, you need to use:
> > `[ a ] ALONGWITH ([ b ] REPEAT 5 TIMES)`)
> >
> > 2) Qualifiers are not greedy and only apply to the immediately preceding
> > expression (have a higher precedence than ALONGWITH/FOLLOWEDBY): `[ a
> > ] ALONGWITH [ b] REPEAT 5 TIMES` results in 1 a and 5 b's. (to get other
> > result, you need to use: `([ a ] ALONGWITH [ b ]) REPEAT 5 TIMES`).
> >
> > There is also the point that some qualifiers make sense to be greedy,
> > REPEAT and START/STOP, while WITHIN be non-greedy as it doesn't make
> > sense to apply to only one Observation Expression. I would prefer NOT to
> > split these as it will confuse writers and readers of these patterns. Yes,
> > they could be described w/ a simple precedence table, but that would just
> > add another rule that people have to memorize.
> >
> > I do not have a strong preference for one or the other. I personally
> > think that 2 makes slightly more sense, as if you write a long pattern w/
> > multiple qualifiers, you'll end up using less parens than the other way.

-- John-Mark
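
The two readings listed as 1) and 2) in the original question, as an added example that is not part of the thread or of the Patterning spec: a small Python evaluator that counts how many matches of each observation a pattern requires under either binding rule. It assumes only the `REPEAT n TIMES` qualifier is modelled and treats the text inside `[ ]` as an opaque name; the function name `required_counts` is hypothetical.

```python
import re
from collections import Counter

# Assumptions: only REPEAT n TIMES is modelled as a qualifier, and the text
# inside [ ] is an opaque observation name. greedy=True is option 1,
# greedy=False is option 2, as numbered in the original question.
TOKEN = re.compile(r"\[\s*([^\]]*?)\s*\]|([()]|\w+)")
OPERATORS = {("SYM", "ALONGWITH"), ("SYM", "FOLLOWEDBY")}
REPEAT = ("SYM", "REPEAT")

def required_counts(pattern, greedy):
    toks = [("SYM", s) if s else ("OBS", o) for o, s in TOKEN.findall(pattern)]
    toks.append(("SYM", "<end>"))            # sentinel, cannot come from input
    pos = 0
    def take(expected=None):
        nonlocal pos
        tok = toks[pos]
        if expected is not None and tok != ("SYM", expected):
            raise SyntaxError(f"expected {expected}, got {tok[1]!r}")
        pos += 1
        return tok
    def repeat(counts):                      # REPEAT n TIMES scales its operand
        take("REPEAT")
        n = int(take()[1])
        take("TIMES")
        return Counter({name: c * n for name, c in counts.items()})
    def term():                              # one observation or a ( ... ) group
        kind, val = take()
        if (kind, val) == ("SYM", "("):
            counts = expr()
            take(")")
        elif kind == "OBS":
            counts = Counter({val: 1})
        else:
            raise SyntaxError(f"unexpected {val!r}")
        while not greedy and toks[pos] == REPEAT:
            counts = repeat(counts)          # option 2: binds to this term only
        return counts
    def expr():
        counts = term()
        while True:
            if toks[pos] in OPERATORS:
                take()
                counts = counts + term()
            elif greedy and toks[pos] == REPEAT:
                counts = repeat(counts)      # option 1: binds to all so far
            else:
                return counts
    counts = expr()
    take("<end>")                            # reject trailing tokens
    return dict(counts)
```
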