cti-interoperability message



Subject: Re: [cti-interoperability] Re: [cti] Quality of the specs


I think Sarah's original point to include a section on Ramrod in STIX training was an excellent one and [+1] her recommendation to add it to the course syllabus.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Thu, Feb 4, 2016 at 6:15 AM -0800, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

I can't speak for your threat sharing list or how it works - but if I was receiving things like that, I would start replying to the originator saying the document was invalid and asking for it to be re-sent... if you don't tell them it's broken then they'll never fix it.

I presume at some point the STIX is coming from a tool - either written by an internal group, or an external vendor - regardless, there is some party that they should push on to fix the problem.

Recipients of STIX shouldn't have to worry about it being constantly invalid... it gives the whole effort a black eye... maybe a good topic for the Interoperability working group.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 02/04/2016 10:02 AM
Subject: Re: [cti] Quality of the specs
Sent by: <cti@lists.oasis-open.org>





Unfortunately, I can’t say with 100% certainty. The STIX documents were sent via email, so I don’t have a clue what created the documents from a tool perspective.

I feel like some of it is that people are just taking liberties with the language. For example, one error I just got when trying to validate a file said:

“The value ‘Domain Name’ is not an element of the set {‘FQDN’, ‘TLD’}”

This says to me, and I could just be wrong, that someone implemented something that didn’t like the options of FQDN or TLD, so they just put Domain Name there instead.

However, some of the problems might be just an issue reading/interpreting the specs. I have also seen the error:

“Element ‘{http://stix.mitre.org/stix-1}Handling’ is not a member of…” however “{http://stix.mitre.org/Indicator-2}Handling” is one of the options in the list. Since I’m an analyst and not a spec writer or a tool developer, this error doesn’t mean much to me, but it might mean something to others.

Sorry I can’t provide more specifics, but I really don’t know how these documents were generated.



Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity


From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, February 4, 2016 at 8:48 AM
To: Eric Burger <Eric.Burger@georgetown.edu>
Cc: Sarah Kelley <sarah.kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Quality of the specs

Furthermore - are the people creating this STIX using a tool provided by a vendor, or crafting it by hand (or using home-grown tools)?

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Eric Burger <Eric.Burger@georgetown.edu>
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 02/04/2016 07:20 AM
Subject: [cti] Quality of the specs
Sent by: <cti@lists.oasis-open.org>





In your experience is it that people are not reading the specs, the specs are ambiguous, the specs are wrong, or the validator is wrong?
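
The two validator errors quoted in Sarah Kelley's message can be reproduced with a small pre-send check; this is an added example, not part of the original thread or of any STIX tool. Only the two `stix.mitre.org` namespaces and the `FQDN`/`TLD` set come from the messages; the element names, the `urn:example:domain-object` namespace and the rule tables are constructed, simplified stand-ins for the real schema.

```python
import xml.etree.ElementTree as ET

STIX = "http://stix.mitre.org/stix-1"      # namespace named in the second quoted error
IND = "http://stix.mitre.org/Indicator-2"  # namespace the validator expected instead
OBJ = "urn:example:domain-object"          # constructed placeholder namespace (assumption)

# Constructed, simplified rules standing in for the real XSD (assumption).
ALLOWED_CHILDREN = {f"{{{STIX}}}Indicator": {f"{{{IND}}}Title", f"{{{IND}}}Handling"}}
ALLOWED_ATTR = {(f"{{{OBJ}}}Domain_Name", "type"): {"FQDN", "TLD"}}

# Constructed sample document containing both mistakes from the thread.
SAMPLE = f"""<stix:Package xmlns:stix="{STIX}" xmlns:indicator="{IND}" xmlns:obj="{OBJ}">
  <stix:Indicator>
    <indicator:Title>constructed sample</indicator:Title>
    <stix:Handling/>
  </stix:Indicator>
  <obj:Domain_Name type="Domain Name">example.com</obj:Domain_Name>
</stix:Package>"""

# Same document with the right namespace prefix and an enumerated value.
FIXED = (SAMPLE.replace("<stix:Handling/>", "<indicator:Handling/>")
               .replace('type="Domain Name"', 'type="FQDN"'))


def validate(xml_text):
    """Return a list of error strings; an empty list means the checks passed."""
    errors = []
    for elem in ET.fromstring(xml_text).iter():
        # Children are compared by expanded name ({namespace}local), so the
        # same local name "Handling" in the wrong namespace is a different element.
        allowed = ALLOWED_CHILDREN.get(elem.tag)
        if allowed is not None:
            for child in elem:
                if child.tag not in allowed:
                    errors.append(f"Element '{child.tag}' is not a member of {sorted(allowed)}")
        # Enumerated attributes accept only the listed tokens, not free text.
        for (tag, attr), values in ALLOWED_ATTR.items():
            value = elem.get(attr)
            if elem.tag == tag and value is not None and value not in values:
                errors.append(f"The value '{value}' is not an element of the set {sorted(values)}")
    return errors


if __name__ == "__main__":
    for line in validate(SAMPLE):
        print("INVALID:", line)
    print("fixed document errors:", validate(FIXED))
```
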



