

Subject: Re: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object


Hi Bret,

This isn't designed to just replicate HTML. It's designed to allow people to record bits from a webpage. We need a way to record a webpage with JavaScript in it that redirects to an exploit page. This object would allow us to record the interesting bits of the redirect site, such as the JavaScript that does the redirection.

Or if there was a .onion ransomware webpage that infected users were redirected to, we now have a way of recording that.

Or if there is a webpage defacement, we can record the bits of the webpage that were defaced.

Or if there is an underground web forum that has a series of web posts discussing a new exploit kit for sale we can now record that.

As you can see this is very flexible, and I think it is imperative to get something similar into STIX to allow us to record this sort of information. It's a huge hole in the current STIX Cyber Observables arsenal.

Cheers
Terry MacDonald
Cosive

On 14 Jan. 2017 15:47, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:

I am not so sure about this one..  It seems like there are already "structured" ways of sending this information, aka its native form.  I do not think we should be re-inventing HTML or HTMLv5.  


I just do not see any vendors producing a product that tears HTML apart and puts it in specialized containers. IMHO, they will just attach the webpage as an artifact and then put some notes that you should parse it with the HTML diagnostic tools that you already have for doing the exact thing.


Bret


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Thursday, January 5, 2017 1:45:44 AM
To: cti-stix@lists.oasis-open.org; OASIS CTI TC CybOX SC list
Subject: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object
 
Hi All,

In the spirit of gift giving at this time of year, I have yet another proposal to offer the group for discussion at the upcoming F2F...

2.6. Webpage Object

Type Name: webpage


The Webpage Object represents an instance of a webpage, corresponding to the HTML W3C recommendations described at https://www.w3.org/TR/#tr_HTML.



If you wish to comment, please do so as a reply to this email, or leave a comment on the Google Doc here: https://docs.google.com/document/d/1UdU20HcBbRM1yBQJw0-phC7HEryaokgp7X04h6pJ_Ak/edit?usp=sharing 

PDF version attached for those who prefer those.....

Cheers

Terry MacDonald | Chief Product Officer








