cti-stix message
Subject: Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: cti-stix@lists.oasis-open.org
- Date: Thu, 26 Jul 2018 16:38:16 -0300
I believe our team has uncovered a bug in STIX Patterning WRT lack of clarity around qualifiers.
Currently the specification
a) does not appear to limit the number of times a qualifier can be used after an observation expression
b) does not appear to define how qualifiers should be evaluated against an observation expression (are they left-associative or right-associative, are they greedy or non-greedy *)
This means you can have legal patterns like this:
[ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES
[ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES WITHIN 10 SECONDS REPEATS 15 TIMES
.... any of which would result in undefined behaviour in the spec.
I would like to propose we make some changes here in 2.1.
1) I would suggest we make a change to the spec to disallow (a) outright, so that any given qualifier can be used at most once in an observation expression (IE, you can use REPEATS only once, START / STOP only once, etc). However, I am unsure exactly where in the spec it would be best to make this change, as we discuss qualifiers in a few places.
2) I would suggest that we define that qualifiers should be evaluated as left-associative and non-greedy.
* we actually say in an example in 4.1.2 that they are supposed to be non-greedy, but we don't say it normatively anywhere.
-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
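
Proposal (1) from the message above, written as a check that flags any operand followed by the same qualifier type more than once. This is an added example, not code from the message, the STIX specification or any STIX library; the tokenizer covers only what is needed to find qualifier runs, and the names `TOKEN`, `tokens` and `repeated_qualifiers` are made up for the illustration.

```python
import re
from collections import Counter

# Just enough of the pattern grammar to find qualifier runs. An observation
# expression is consumed whole; quoted literals are skipped so that a ']'
# inside a string does not end it. START/STOP accepts '...' and t'...'.
TOKEN = re.compile(r"""
    (?P<obs>\[(?:'(?:\\.|[^'\\])*'|[^\]'])*\])
  | (?P<repeats>REPEATS\s+\d+\s+TIMES)
  | (?P<within>WITHIN\s+\d+(?:\.\d+)?\s+SECONDS)
  | (?P<startstop>START\s+t?'[^']*'\s+STOP\s+t?'[^']*')
  | (?P<other>\(|\)|AND|OR|FOLLOWEDBY)
  | (?P<ws>\s+)
""", re.VERBOSE)
QUALIFIERS = {"repeats": "REPEATS", "within": "WITHIN", "startstop": "START/STOP"}

def tokens(pattern):
    pos = 0
    while pos < len(pattern):
        m = TOKEN.match(pattern, pos)
        if m is None:
            raise ValueError(f"unrecognised pattern text at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            yield m.lastgroup, m.group()
    yield "end", ""  # sentinel so the last qualifier run is checked too

def repeated_qualifiers(pattern):
    """Return (operand, [qualifier, ...]) for each operand that is followed
    by the same qualifier type more than once."""
    findings, operand, run = [], None, []
    for kind, text in tokens(pattern):
        if kind in QUALIFIERS:
            run.append(QUALIFIERS[kind])
            continue
        # Any other token ends the run of qualifiers attached to `operand`.
        dupes = sorted(q for q, n in Counter(run).items() if n > 1)
        if operand is not None and dupes:
            findings.append((operand, dupes))
        run = []
        # Qualifiers can follow an observation expression or a closing paren.
        operand = text if kind == "obs" else "(...)" if text == ")" else None
    return findings

if __name__ == "__main__":
    ip = "[ipv4-addr:value = '198.51.100.1/32']"  # the two patterns from the message
    print(repeated_qualifiers(ip + " REPEATS 5 TIMES REPEATS 10 TIMES"))
    print(repeated_qualifiers(ip + " WITHIN 5 SECONDS REPEATS 5 TIMES"
                                   " WITHIN 10 SECONDS REPEATS 15 TIMES"))
```

A consumer that ingests third-party indicators could run a check like this before evaluation and reject or quarantine patterns whose meaning the specification leaves undefined.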