Questions on boolean observation operators and on network-traffic

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Hello everyone. I have been working with
our team on implementing some things surrounding SCO and pattern and have
run into some questions that I actually can't answer / recall what we were
thinking when we designed these sections, and am hoping for some guidance.

Question #1: boolean observation
operators

The first question surrounds section
4.1, observation operators. We are having a very difficult time coming
up with a logical difference between [ a ] AND [ b ] and [ a
] OR [ b ]:

[a ] AND[ b ]	aand b MUST both be Observation Expressions and MUST both evaluate to true on different Observations.	Left to right
[a ] OR[ b ]	aand b MUST both be Observation Expressions and one of a or b MUST evaluate to true on different Observations.	Left to right

The problem is, these are logically
equivalent because of the fact that [a] and [b] MUST be different
observations, which essentially morphs the "AND" into an "OR"
in the first clause.... I challenge anyone to find any examples of tests
and/or data whereby [ a ] AND[ b ] will result in a
different evaluation than [ a] OR[ b ]...

This poses the question - should
"AND" even be a valid observation operator ?

Question #2: network-traffic object
protocols

The second question surrounds the "protocols"
enumeration on network-traffic. This field is marked as REQUIRED - however
there are numerous situations where it is unknown, where one still wants
to record the network-traffic. I believe this field should be changed to
be OPTIONAL.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

"Things may come to those who wait, but only the things left by those
who hustle." - Unknown