OASIS Mailing List Archives

cti-stix message



Subject: Indicators and patterning


All,


When we started really working on STIX 2.0 we had this idea that CybOX was going to be separate and we should treat it as a separate thing entirely. This unfortunately caused us to make some design decisions in STIX to reflect this artificial line in the sand we had drawn. Fast forward 10 months and we have now merged STIX and CybOX, and during this merge we have been able to clean up some of the weirdness that existed with the artificial line in the sand.

There is, however, one thing that is still in the specification, that we did because of this separation, that I would personally like us to get rid of.


In Indicators we created the following 3 fields to address the artificial separation:

pattern

pattern_lang

pattern_lang_version


The idea was if we are going to support CybOX as a separate "thing" we might also want to support "other" things.  I would suggest at this stage we drop support for "other" things and just have a single "pattern" property.  


If people want to do YARA or SNORT, they can do it via a custom property.  And if we find in a later release that lots of people want to support YARA or SNORT we can then create properties for them.


Bret


