

Subject: Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix


Yep - that would be the same as (a)


-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        drew.varner@ninefx.com
To:        Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc:        cti-stix@lists.oasis-open.org
Date:        07/26/2018 04:46 PM
Subject:        Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix




Related to this https://github.com/oasis-tcs/cti-stix2/issues/70?

On Jul 26, 2018, at 3:38 PM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

I believe our team has uncovered a bug in STIX Patterning WRT lack of clarity around qualifiers.

Currently the specification


a) does not appear to limit the number of times a qualifier can be used after an observation expression
b) does not appear to define how qualifiers should be evaluated against an observation expression (are they left-associative or right-associative, are they greedy or non-greedy *)


This means you can have legal patterns like this:


[ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES


[ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES WITHIN 10 SECONDS REPEATS 15 TIMES


.... any of which would result in an undefined behaviour in the spec.


I would like to propose that we make some changes here in 2.1.


1) I would suggest we make a change to the spec to disallow (a) outright, so that any given qualifier can be used at most once in an observation expression (i.e., you can use REPEATS only once, START / STOP only once, etc.). However, I am unsure exactly where in the spec it would be best to make this change, as we discuss qualifiers in a few places.


2) I would suggest that we define that qualifiers should be evaluated as left-associative and non-greedy.  


* we actually say in an example in 4.1.2 that they are supposed to be non-greedy, but we don't say it normatively anywhere.


-
Jason Keirstead
Lead Architect - IBM Security Cloud

www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown
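
The rule proposed in item 1 of the original message (each qualifier at most once per observation expression) can be checked mechanically before a pattern is accepted into a detection pipeline. The following is an added example, not part of the original thread or of any STIX library; the function names are hypothetical and the tokenizer is a simplified assumption rather than the full STIX grammar.

```python
import re
from collections import Counter

# Simplified tokenizer (assumption: not the full STIX grammar). A whole
# [ ... ] comparison is one token, so keywords or ']' inside string
# literals are never mistaken for qualifiers.
_TOKEN = re.compile(r"""
    (?P<obs>\[(?:'(?:\\.|[^'\\])*'|[^\]'])*\])
  | (?P<str>'(?:\\.|[^'\\])*')
  | (?P<word>[A-Za-z]+)
  | (?P<other>\S)
""", re.VERBOSE)
QUALIFIERS = {"REPEATS", "WITHIN", "START"}   # START covers START ... STOP
OPERATORS = {"AND", "OR", "FOLLOWEDBY"}

def qualifier_runs(pattern):
    """Return the qualifier keywords attached to each qualified operand."""
    runs, current = [], None
    for m in _TOKEN.finditer(pattern):
        kind, text = m.lastgroup, m.group()
        if kind == "obs" or text == ")":
            # An operand just ended; qualifiers that follow attach to it.
            if current:
                runs.append(current)
            current = []
        elif text == "(" or (kind == "word" and text in OPERATORS):
            if current:
                runs.append(current)
            current = None
        elif kind == "word" and text in QUALIFIERS and current is not None:
            current.append(text)
    if current:
        runs.append(current)
    return runs

def repeated_qualifiers(pattern):
    """For each operand that breaks the rule, list the repeated qualifiers."""
    dups = (sorted(q for q, n in Counter(run).items() if n > 1)
            for run in qualifier_runs(pattern))
    return [d for d in dups if d]

# The two patterns quoted in the message, then a constructed valid one.
PAGE_PATTERNS = [
    "[ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES",
    "[ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES"
    " WITHIN 10 SECONDS REPEATS 15 TIMES",
]
CONSTRUCTED_OK = ("([file:name = 'a] REPEATS'] REPEATS 2 TIMES AND "
                  "[ipv4-addr:value = '198.51.100.1/32']) WITHIN 5 SECONDS")

if __name__ == "__main__":
    for p in PAGE_PATTERNS + [CONSTRUCTED_OK]:
        print(repeated_qualifiers(p) or "ok", "<-", p)
```

A pattern that returns a non-empty list has undefined semantics under the current text of the specification, so a consumer can reject or quarantine it instead of guessing at an evaluation order.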





