Subject: Re: [EXT] Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix

This sounds reasonable Jason.


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, July 26, 2018 5:23:04 PM
To: John-Mark Gurney
Cc: cti-stix@lists.oasis-open.org
Subject: [EXT] Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix
The problem with this approach is - even if you do clarify that qualifiers are left associative and non-greedy, you have an ambiguous behaviour, because of conflicting qualifiers.

If I have the expression..

 '[ipv4-addr:value = ''] REPEATS 5 TIMES REPEATS 10 TIMES

... I have conflicting qualifiers, because qualifiers are not operating on themselves (they don't nest)... as per the spec, qualifiers are only operating on the observation expression itself. So if I have two 'REPEATS' qualifiers, it is ambiguous which one is the one that should be evaluated.

IMO it is simpler to just disallow this behaviour. Why allow it, what is the use case.

Jason Keirstead
Lead Architect - IBM Security Cloud

"Things may come to those who wait, but only the things left by those who hustle." - Unknown

From:        John-Mark Gurney <jmg@newcontext.com>
To:        Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc:        cti-stix@lists.oasis-open.org
Date:        07/26/2018 06:34 PM
Subject:        Re: [cti-stix] Probable bug in STIX 2.0/2.1 in Patterning WRT Qualifiers and suggested fix
Sent by:        <cti-stix@lists.oasis-open.org>

Jason Keirstead wrote this message on Thu, Jul 26, 2018 at 16:38 -0300:
> I believe our team has uncovered a bug in STIX Patterning WRT lack of
> clarity around qualifiers.
> Currently the specification
> a) does not appear to limit the number of times a qualifier can be used
> after an observation expression
> b) does not appear to define how qualifiers should be evaluated against an
> observation expression (are they left-associative, or right associative,
> are they greedy or non-greedy *)
> This means you can have legal patterns like this:
> [ipv4-addr:value = ''] REPEATS 5 TIMES REPEATS 10 TIMES
> [ipv4-addr:value = ''] WITHIN 5 SECONDS REPEATS 5 TIMES

The first qualifier doesn't make sense here, since there is only one
observation, and it will always be WITHIN 5 SECONDS.

> .... any of which would result in an undefined behaviour in the spec.

I don't see that this is undefined in the spec..

A qualifier cannot exist w/o an observation expression.  So you have
[ a ], then if you have [ a ] WITHIN 5 SECONDS, that results in a new
observation expression, which is then qualified by REPEATS 5 TIMES, and
so on...

> I would like to propose we make some changes here in 2.1.
> 1) I would suggest we make a change to the spec to disallow (a) outright, so
> that any given qualifier can be used at most once in an observation
> expression (IE, you can use REPEATS only once, START / STOP only once,
> etc). However, I am unsure exactly where in the spec it would be best to
> make this change, as we discuss qualifiers in a few places.

I don't see a need to constrain the spec like this..  it seems unnecessary
and makes the specification more complex...

> 2) I would suggest that we define that qualifiers should be evaluated as
> left-associative and non-greedy.

I am fine w/ adding additional text to make it more clear that the
qualifiers are non-greedy...  I thought we had added text to clarify
it, but I cannot find a specific clause to point to..

> * we actually say in an example in 4.1.2 that they are supposed to be
> non-greedy, but we don't say it normatively anywhere.

We do have the text:
> This interpretation is due to qualifiers not being greedy, and is
> equivalent to [ a = 'b' ] FOLLOWEDBY ( [ c = 'd' ] REPEATS 5 TIMES).
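
Added example, not part of the thread or the STIX specification: Python that takes a single bracketed observation expression followed by qualifiers, nests the qualifiers left-associatively as John-Mark describes, and reports qualifier keywords used more than once, which proposal (1) would disallow. The function names and the simplified qualifier grammar (REPEATS, WITHIN, START/STOP only; no escaped backslashes before quotes) are assumptions of this example.

```python
import re

# Simplified qualifier forms (assumption of this example, not the normative grammar).
QUALIFIER = re.compile(
    r"\s*(?:REPEATS\s+\d+\s+TIMES"
    r"|WITHIN\s+\d+(?:\.\d+)?\s+SECONDS"
    r"|START\s+t?'[^']*'\s+STOP\s+t?'[^']*')"
)

def split_pattern(pattern):
    """Return (observation, [qualifier, ...]) for a pattern '[...] Q1 Q2 ...'."""
    pattern = pattern.strip()
    if not pattern.startswith("["):
        raise ValueError("expected an observation expression in [ ]")
    in_string, end = False, None
    for i, ch in enumerate(pattern):
        if ch == "'" and pattern[i - 1] != "\\":
            in_string = not in_string      # a ']' inside a string literal is data
        elif ch == "]" and not in_string:
            end = i + 1
            break
    if end is None:
        raise ValueError("unterminated observation expression")
    qualifiers, pos = [], end
    while pos < len(pattern):
        m = QUALIFIER.match(pattern, pos)
        if not m:
            raise ValueError(f"unrecognized qualifier at offset {pos}")
        qualifiers.append(m.group(0).strip())
        pos = m.end()
    return pattern[:end], qualifiers

def left_associative(pattern):
    """Each qualifier wraps everything to its left, yielding a new expression."""
    expr, qualifiers = split_pattern(pattern)
    for q in qualifiers:
        expr = f"({expr} {q})"
    return expr

def repeated_qualifiers(pattern):
    """Qualifier keywords that appear more than once on the same expression."""
    _, qualifiers = split_pattern(pattern)
    kinds = [q.split()[0] for q in qualifiers]
    return sorted({k for k in kinds if kinds.count(k) > 1})

# The two patterns quoted in the thread.
P1 = "[ipv4-addr:value = ''] REPEATS 5 TIMES REPEATS 10 TIMES"
P2 = "[ipv4-addr:value = ''] WITHIN 5 SECONDS REPEATS 5 TIMES"
```
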

