
Subject: Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix


Jason Keirstead wrote this message on Thu, Jul 26, 2018 at 16:38 -0300:
> I believe our team has uncovered a bug in STIX Patterning WRT lack of 
> clarity around qualifiers.
> 
> Currently the specification 
> 
> a) does not appear to limit the number of times a qualifier can be used 
> after an observation expression
> b) does not appear to define how qualifiers should be evaluated against an 
> observation expression (are they left-associative, or right associative, 
> are they greedy or non-greedy *)
> 
> This means you can have legal patterns like this:
> 
> [ipv4-addr:value = '198.51.100.1/32'] REPEATS 5 TIMES REPEATS 10 TIMES
> 
> [ipv4-addr:value = '198.51.100.1/32'] WITHIN 5 SECONDS REPEATS 5 TIMES 
> WITHIN 10 SECONDS REPEATS 15 TIMES

The first qualifier doesn't make sense here, since there is only one
observation, and it will always be WITHIN 5 SECONDS.

> .... any of which would result in an undefined behaviour in the spec.

I don't see that this is undefined in the spec..

A qualifier cannot exist w/o an observation expression.  So you have
[ a ], then if you have [ a ] WITHIN 5 SECONDS, that results in a new
observation expression, which is then qualified by REPEATS 5 TIMES, and
so on...

> I would like to propose we make some changes here in 2.1.
> 
> 1) I would suggest we make a change to the spec to disallow (a) outright, so 
> that any given qualifier can be used at most once in an observation 
> expression (IE, you can use REPEATS only once, START / STOP only once, 
> etc). However, I am unsure exactly where in the spec it would be best to 
> make this change, as we discuss qualifiers in a few places. 

I don't see a need to constrain the spec like this..  it seems unnecessary
and makes the specification more complex...

> 2) I would suggest that we define that qualifiers should be evaluated as 
> left-associative and non-greedy. 

I am fine w/ adding additional text to make it more clear that the
qualifiers are non-greedy...  I thought we had added text to clarify
it, but I cannot find a specific clause to point to..

> * we actually say in an example in 4.1.2 that they are supposed to be 
> non-greedy, but we don't say it normatively anywhere.

We do have the text:
> This interpretation is due to qualifiers not being greedy, and is
> equivalent to [ a = 'b' ] FOLLOWEDBY ( [ c = 'd' ] REPEATS 5 TIMES).

-- 
John-Mark
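
The left-associative, non-greedy reading discussed in this thread, as an added example that is not part of the original message or of the STIX specification: a small Python grouper that parenthesises every binding in an observation expression. The function name `group`, the simplified tokenizer, and the operator precedence used (AND above OR above FOLLOWEDBY) are assumptions of this sketch.

```python
import re

# Observations are opaque [ ... ] units (simplification: no ']' inside strings).
TOKEN = re.compile(r"\[[^\]]*\]|\(|\)|t?'[^']*'|[A-Za-z]+|\d+(?:\.\d+)?")
BINARY_OPS = ("FOLLOWEDBY", "OR", "AND")  # assumed precedence, lowest to highest
# qualifier keyword -> (keyword required as its third token, total token count)
QUALIFIERS = {"REPEATS": ("TIMES", 3), "WITHIN": ("SECONDS", 3), "START": ("STOP", 4)}

def group(pattern):
    """Return the pattern with every operator and qualifier binding parenthesised."""
    tokens, pos = TOKEN.findall(pattern), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take(n=1):
        nonlocal pos
        if pos + n > len(tokens):
            raise ValueError("unexpected end of pattern")
        pos += n
        return tokens[pos - n:pos]
    def qualified():
        tok = take()[0]
        if tok == "(":
            expr = binary(0)
            if take() != [")"]:
                raise ValueError("expected ')'")
        elif tok.startswith("["):
            expr = tok
        else:
            raise ValueError(f"expected observation, got {tok!r}")
        # A qualifier wraps only the operand built so far: left-associative, non-greedy.
        while peek() in QUALIFIERS:
            keyword, width = QUALIFIERS[peek()]
            parts = take(width)
            if parts[2] != keyword:
                raise ValueError(f"expected {keyword}, got {parts[2]!r}")
            expr = f"({expr} {' '.join(parts)})"
        return expr
    def binary(level):
        if level == len(BINARY_OPS):
            return qualified()
        left = binary(level + 1)
        while peek() == BINARY_OPS[level]:
            left = f"({left} {take()[0]} {binary(level + 1)})"
        return left

    expr = binary(0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return expr
```

Calling `group` on the stacked-qualifier patterns quoted above shows the nesting this reading produces, which is useful when comparing how two pattern engines interpret the same indicator.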

