Re: [cti-stix] Questions on boolean observation operators and on network-traffic

[Sean Barnum <sean.barnum@FireEye.com>]

I am a little confused by your assertions in Question #1.

As far as I can see, there is a clear difference between [ a ] AND [ b ] and [ a ] OR [ b ].

[a] evaluates to true if there is any observation present in the queried observation set where a is true.

[b] evaluates to true if there is any observation present in the queried observation set where b is true.

[ a ] OR [ b ] evaluates to true if there is any observation present in the queried observation set where a is true OR there is any observation present in the queried observation set where b is true

[ a ]AND [ b ] evaluates to true if there is any observation present in the queried observation set where a is true AND there is any observation present in the queried observation set where b is true

The requirement that “[a] and [b] MUST be different observations” has no effect on the logic involved.

 

Using JMG’s examples for a and b ([a]=[ ipv4-addr:value = '192.168.0.1' ] & [b]= [ user-account:name = 'jqp' ]), there is a clear difference between [a] OR [b] & [a] AND [b].

If the observation set contains no observations where [ ipv4-addr:value = '192.168.0.1' ] is true and no observations where [ user-account:name = 'jqp' ] is true then: [a] is false, [b] is false, [a] OR [b] is false, and [a] AND [b] is false

If the observation set contains an observation where [ ipv4-addr:value = '192.168.0.1' ] is true and no observations where [ user-account:name = 'jqp' ] is true then: [a] is true, [b] is false, [a] OR [b] is true, and [a] AND [b] is false

If the observation set contains no observations where [ ipv4-addr:value = '192.168.0.1' ] is true and an observation where [ user-account:name = 'jqp' ] is true then: [a] is false, [b] is true [a] OR [b] is true, and [a] AND [b] is false

If the observation set contains an observation where [ ipv4-addr:value = '192.168.0.1' ] is true and an observation where [ user-account:name = 'jqp' ] is true then: [a] is true, [b] is true, [a] OR [b] is true, and [a] AND [b] is true

 

I definitely believe that both OR and AND are necessary.

While it is true that any situation where AND resolves true, OR will also resolve true, it is not the case that any situation where OR resolves true that AND will also resolve true.

This is simply the nature of boolean operations. It does not preclude the usefulness of either operator.

 

Jason, I am not sure what I am missing in your assertion.

 

 

On question #2, I would agree that ‘protocols’ should be optional. We see many different network-traffic indicators where the protocol is not asserted either because it is unknown or it is intentionally left out so as not to restrict its application to a specific protocol(s)

 

 

 

Sean Barnum

Principal Architect

FireEye

M: 703.473.8262

E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, March 26, 2018 at 8:52 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Questions on boolean observation operators and on network-traffic

 

Hello everyone. I have been working with our team on implementing some things surrounding SCO and pattern and have run into some questions that I actually can't answer / recall what we were thinking when we designed these sections, and am hoping for some guidance.

Question #1: boolean observation operators

The first question surrounds section 4.1, observation operators. We are having a very difficult time coming up with a logical difference between [ a ] AND [ b ] and [ a ] OR [ b ]:

[a ] AND[ b ]	aand b MUST both be Observation Expressions and MUST both evaluate to true on different Observations.	Left to right
[a ] OR[ b ]	aand b MUST both be Observation Expressions and one of a or b MUST evaluate to true on different Observations.	Left to right

The problem is, these are logically equivalent because of the fact that [a] and [b] MUST be different observations, which essentially morphs the "AND" into an "OR" in the first clause.... I challenge anyone to find any examples of tests and/or data whereby [ a ] AND[ b ] will result in a different evaluation than [ a] OR[ b ]...

This poses the question - should "AND" even be a valid observation operator ?

Question #2: network-traffic object protocols

The second question surrounds the "protocols" enumeration on network-traffic. This field is marked as REQUIRED - however there are numerous situations where it is unknown, where one still wants to record the network-traffic. I believe this field should be changed to be OPTIONAL.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown

This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.