Subject: Re: [cti-stix] Questions on boolean observation operators and on network-traffic


Jason Keirstead wrote this message on Mon, Mar 26, 2018 at 08:52 -0400:
> Hello everyone. I have been working with our team on implementing some
> things surrounding SCO and pattern and have run into some questions that I
> actually can't answer / recall what we were thinking when we designed
> these sections, and am hoping for some guidance.
>
> Question #1: boolean observation operators
>
> The first question surrounds section 4.1, observation operators. We are
> having a very difficult time coming up with a logical difference between [
> a ] AND [ b ] and [ a ] OR [ b ]:
>
> [ a ] AND [ b ]
> a and b MUST both be Observation Expressions and MUST both evaluate to
> true on different Observations.
> Left to right
> [ a ] OR [ b ]
> a and b MUST both be Observation Expressions and one of a or b MUST
> evaluate to true on different Observations.
> Left to right
>
> The problem is, these are logically equivalent because of the fact that
> [a] and [b] MUST be different observations, which essentially morphs the
> "AND" into an "OR" in the first clause.... I challenge anyone to find any
> examples of tests and/or data whereby [ a ] AND [ b ] will result in a
> different evaluation than [ a ] OR [ b ]...
>
> This poses the question - should "AND" even be a valid observation
> operator?

Originally we didn't have an OR, but just an AND, but I was convinced
to add OR...  By themselves, they are still different, as the AND requires
two Observed Data objects to match, while the OR only requires one Observed
Data object to match...

OR was added because of the requirement that within a single observation
expression, the object-type (a la ipv4-addr: or user-account:) be the
same for ALL parts of the expression...  so, you couldn't do:
[ ipv4-addr:value = '192.168.0.1' OR user-account:name = 'jqp' ]
and instead, have to do:
[ ipv4-addr:value = '192.168.0.1' ] OR [ user-account:name = 'jqp' ]

This is also significant when combined w/ other qualifiers, such as
WITHIN x SECONDS, or REPEATS

> Question #2: network-traffic object protocols
>
> The second question surrounds the "protocols" enumeration on
> network-traffic. This field is marked as REQUIRED - however there are
> numerous situations where it is unknown, where one still wants to record
> the network-traffic. I believe this field should be changed to be
> OPTIONAL.

In what cases could it be unknown?  You at least know it's IP, if
you provide an IP address...  Also, interestingly, protocols is the
ONLY required field on network-traffic...  If you don't know what
the protocol of the object is, how do you know it's network-traffic?

-- 
John-Mark
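
The following is an added illustration of the point argued in this thread, not code from the STIX specification or from either poster. It is a toy evaluator for the two observation operators: `[ a ] AND [ b ]` is satisfied only when `a` and `b` each match on different Observed Data objects, while `[ a ] OR [ b ]` is satisfied as soon as either one matches some Observed Data object. The observations, the `observation_expression` helper and the single-object-type check inside one pair of brackets are all constructed for the example; a real pattern engine would parse STIX patterning syntax rather than tuples.

```python
"""Toy evaluator for STIX observation operators (AND / OR between
bracketed observation expressions).  Added illustration; the
Observed Data samples below are constructed, not real telemetry."""

# Constructed Observed Data: each dict is one observation, mapping an
# SCO type (e.g. "ipv4-addr") to the objects of that type it contains.
OBSERVATIONS = [
    {"ipv4-addr": [{"value": "192.168.0.1"}]},                 # observation 0
    {"user-account": [{"name": "jqp"}]},                       # observation 1
    {"ipv4-addr": [{"value": "10.0.0.5"}],
     "user-account": [{"name": "root"}]},                      # observation 2
]


def match_comparison(observation, obj_type, prop, value):
    """True if some object of obj_type in this observation has prop == value."""
    return any(o.get(prop) == value for o in observation.get(obj_type, []))


def observation_expression(*comparisons):
    """Build one bracketed [ ... ] expression from (type, prop, value) tuples
    joined by OR.  Enforces the rule quoted in the thread: every comparison
    inside a single pair of brackets must refer to the same object type."""
    types = {c[0] for c in comparisons}
    if len(types) != 1:
        raise ValueError(
            "mixed object types inside one observation expression: %s" % sorted(types))

    def evaluate(observation):
        return any(match_comparison(observation, *c) for c in comparisons)
    return evaluate


def matches_and(a, b, observations):
    """[ a ] AND [ b ]: a and b must each match, on *different* observations."""
    idx = range(len(observations))
    return any(a(observations[i]) and b(observations[j])
               for i in idx for j in idx if i != j)


def matches_or(a, b, observations):
    """[ a ] OR [ b ]: one observation expression matching one observation is enough."""
    return any(a(o) or b(o) for o in observations)


# Hypothetical pattern fragments written as tuples instead of STIX syntax.
ip_expr = observation_expression(("ipv4-addr", "value", "192.168.0.1"))
user_expr = observation_expression(("user-account", "name", "jqp"))
missing = observation_expression(("user-account", "name", "nobody"))
ip2_expr = observation_expression(("ipv4-addr", "value", "10.0.0.5"))
root_expr = observation_expression(("user-account", "name", "root"))


def demo():
    """Evaluate the cases where AND and OR agree and where they diverge."""
    return {
        # both match, on observations 0 and 1: AND and OR agree
        "ip AND user": matches_and(ip_expr, user_expr, OBSERVATIONS),
        "ip OR user": matches_or(ip_expr, user_expr, OBSERVATIONS),
        # only one side matches: AND fails, OR succeeds
        "ip AND missing": matches_and(ip_expr, missing, OBSERVATIONS),
        "ip OR missing": matches_or(ip_expr, missing, OBSERVATIONS),
        # both sides match, but only on the *same* observation (2):
        # AND needs two different observations, so it fails; OR succeeds
        "same-obs AND": matches_and(ip2_expr, root_expr, OBSERVATIONS),
        "same-obs OR": matches_or(ip2_expr, root_expr, OBSERVATIONS),
    }


def mixed_types_rejected():
    """The thread's invalid form, [ ipv4-addr:... OR user-account:... ],
    is rejected because the two comparisons name different object types."""
    try:
        observation_expression(("ipv4-addr", "value", "192.168.0.1"),
                               ("user-account", "name", "jqp"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-16s %s" % (name, result))
    print("mixed types rejected:", mixed_types_rejected())
```

Run as a script, the cases `ip AND missing` versus `ip OR missing` and `same-obs AND` versus `same-obs OR` are the counterexamples to the claim that the two operators are equivalent: the OR form is satisfied by a single matching Observed Data object, the AND form is not.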

