OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] STIX timestamps and ISO 8601:2000

We should have an explicit timezone reference, it will allow standard parsing libraries to understand what’s going on. Either “Z” or “+00:00” (or allow both, it’s in the spec so the vast majority of parsing libraries will be able to handle either).

I would prefer a separate precision field if we need to tackle it those use cases. Otherwise it will be impossible to distinguish something that happened on the 23rd vs. something that happened on the 23rd at T00:00:00.000000.

On Nov 23, 2015, at 1:08 PM, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:

I miss typed in my last email, I meant to say micro seconds not milliseconds, aka 6 digits of precision not 3 digits of precision.  Wireshark and other networking / security tools are able to work with and provide 6 digits of precision. That is VERY common. What is not really common today is 9 digits of precision.  

I propose that STIX / CybOX / TAXII use the following RFC3339/ISO8601 timestamp format:

yyyy-mm-ddThh:mm:ss.mmmmmm where all times are recorded in UTC format.  A UI tool can display and should display the time in a format that works for the end user.  

Open Questions for manual creation of timestamps of when you think something took place.
1) How do you define a time of just a date?  Meaning, I do not know what time of day it took place?  I am documenting this event retrospectively.
2015-11-23T00:00:00.000000 ????

2) What if I only know the month and year?
2015-11-00T00:00:00.000000 ????

3) What if I do not know the seconds but know the hour and minute?
2015-11-23T11:06:00.000000 ????  This can be weird as you would not know 

I just want us to all be on the same page.



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Nov 23, 2015, at 10:35, Trey Darley <trey@SOLTRA.COM> wrote:

On 23.11.2015 17:22:16, Trey Darley wrote:

I don't insist on nanoseconds. I thought there was demand and since
the bits are cheap, why not futureproof? Since it seems I misread the
general consensus, let's standardize on nanoseconds and be done with
it. The point is a) let's have one clear way to do it and b) let's
take a decision so we can move on to other topics.

Sorry, fumblefingers, s/standardize on nanoseconds/standardize on milliseconds/g

Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
"There's never enough time. Thank you for yours." --Dan Geer

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]