Related to this https://github.com/oasis-tcs/cti-stix2/issues/70 ?
I believe our team has uncovered a bug in STIX Patterning WRT lack of clarity around qualifiers.

Currently the specification

a) does not appear to limit the number of times a qualifier can be used after an observation expression

b) does not appear to define how qualifiers should be evaluated against an observation expression (are they left-associative or right-associative, are they greedy or non-greedy *)

This means you can have legal patterns like this:

    [ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES

    [ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES WITHIN 10 SECONDS REPEATS 15 TIMES

.... any of which would result in an undefined behaviour in the spec.

I would like to propose we make some changes here in 2.1.

1) I would suggest we make a change to the spec to disallow (a) outright, so that any given qualifier can be used at most once in an observation expression (IE, you can use REPEATS only once, START / STOP only once, etc). However, I am unsure exactly where in the spec it would be best to make this change, as we discuss qualifiers in a few places.

2) I would suggest that we define that qualifiers should be evaluated as left-associative and non-greedy.

* we actually say in an example in 4.1.2 that they are supposed to be non-greedy, but we don't say it normatively anywhere.

- Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
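
Added example, not part of the original message or of any STIX tooling: a Python check for proposal (1) that flags any qualifier used more than once in the run directly following one observation expression. The function name, the "(...)" label for a parenthesised group, and the choice to treat qualifiers after a closing parenthesis as belonging to that group are assumptions of this example.

```python
import re
from collections import Counter

# Tokens that matter outside a [comparison expression]; numbers are skipped.
TOKEN = re.compile(r"""
    (?P<obs>\[(?:'(?:\\.|[^'\\])*'|[^\]'])*\])  # whole [ ... ], quotes honoured
  | (?P<str>'(?:\\.|[^'\\])*')                  # timestamp literal after START/STOP
  | (?P<paren>[()])
  | (?P<word>[A-Z]+)
""", re.VERBOSE)

QUALIFIERS = {"REPEATS", "WITHIN", "START"}  # STOP always pairs with START
OPERATORS = {"AND", "OR", "FOLLOWEDBY"}


def repeated_qualifiers(pattern):
    """Return (target, qualifier, count) for each qualifier that appears more
    than once in the qualifier run following a single observation expression."""
    findings, run, target = [], Counter(), None

    def flush():
        # Close the current run and record every qualifier seen more than once.
        findings.extend((target, q, n) for q, n in sorted(run.items()) if n > 1)
        run.clear()

    for m in TOKEN.finditer(pattern):
        kind, text = m.lastgroup, m.group()
        if kind in ("obs", "paren") or text in OPERATORS:
            flush()
            # Only "]" or ")" can be followed by qualifiers.
            target = text if kind == "obs" else "(...)" if text == ")" else None
        elif text in QUALIFIERS and target is not None:
            run[text] += 1
    flush()
    return findings


if __name__ == "__main__":
    obs = "[ipv4-addr:value = '198.51.100.1/32']"
    samples = [  # the two patterns from the message, plus a constructed grouped one
        obs + " REPEATS 5 TIMES REPEATS 10 TIMES",
        obs + " WITHIN 5 SECONDS REPEATS 5 TIMES WITHIN 10 SECONDS REPEATS 15 TIMES",
        "(" + obs + " REPEATS 5 TIMES) REPEATS 10 TIMES",
    ]
    for s in samples:
        print(s, "->", repeated_qualifiers(s) or "ok")
```

The grouped sample passes because each REPEATS there qualifies a different observation expression, which is the explicit form of what would otherwise depend on associativity.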