cti-stix message
Subject: Multiple of the same qualifier - bugfix
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: cti-stix@lists.oasis-open.org
- Date: Thu, 4 Apr 2019 08:42:25 -0400
It's come to our attention that according
to the spec and our accompanying ANTLR grammars, we allow the same expression
qualifiers to be used multiple times.
For example, this is a valid pattern:
[network-traffic:src_port = '127']
START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' START
t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:44:00.000Z'
STOP t'2019-04-04T11:49:00.000Z' REPEATS 10 TIMES REPEATS 15 TIMES REPEATS
20 TIMES
This behaviour allows one to create
patterns that, in my opinion, make no logical sense - even though it is
allowed, it is ambiguous and undefined in the spec how one is supposed
to interpret the above pattern.
I believe this should be interpreted
as a bug in the spec. I would like to propose the following changes to
section 4.1.1 of STIX 2.1 Part 4
Former text:
Each Observation expression
MAY have additional temporal or repetition restrictions using the respective
WITHIN, START/STOP, and REPEATS keywords.
Proposed change:
Each Observation expression
MAY have additional temporal or repetition restrictions using the respective
WITHIN, START/STOP, and REPEATS qualifiers. Each distinct
qualifier type MUST NOT be applied more than once to an individual Observation
expression.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
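An added example, not part of the original message or of any OASIS tooling: a small Python check that flags a qualifier type applied more than once to the same observation expression, which is what the proposed text would forbid. The function name and the lightweight tokenizer are illustrative assumptions rather than a full STIX pattern parser; the first sample is the pattern from the message, the second is constructed.

```python
import re
from collections import Counter

# Tokens that matter: quoted literals (skipped), brackets, parentheses, bare words.
_TOKEN = re.compile(r"'(?:\\.|[^'\\])*'|[\[\]()]|[A-Za-z]+")
# START and STOP form one qualifier, so counting START covers the pair.
_QUALIFIERS = {"WITHIN": "WITHIN", "START": "START/STOP", "REPEATS": "REPEATS"}

# Pattern quoted in the message above.
EMAIL_PATTERN = (
    "[network-traffic:src_port = '127'] "
    "START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES")
# Constructed sample: one qualifier per target, a list index and a ']' in a string.
CLEAN_PATTERN = ("([file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.0 "
                 "AND file:name = 'a]b'] REPEATS 2 TIMES) WITHIN 300 SECONDS")

def repeated_qualifiers(pattern):
    """Return [(target_index, qualifier, count)] for qualifiers used more than once.

    target_index numbers, in order of appearance (0-based), each ']' or ')'
    that closes an observation expression or a parenthesised group.
    """
    findings = []
    depth = 0        # > 0 while inside [ ... ], including indexes like sections[*]
    target = -1      # expression or group the current qualifier run applies to
    run = Counter()

    def flush():
        findings.extend((target, q, n) for q, n in run.items() if n > 1)
        run.clear()

    for tok in _TOKEN.findall(pattern):
        if tok.startswith("'"):
            continue                      # string or timestamp literal
        if tok == "[":
            depth += 1
        elif tok == "]":
            depth -= 1
        if depth == 0 and tok in ("]", ")"):
            flush()                       # a new qualifier run starts here
            target += 1
        elif depth == 0 and tok in _QUALIFIERS:
            run[_QUALIFIERS[tok]] += 1
    flush()
    return findings
```

For the pattern in the message this reports START/STOP and REPEATS each applied three times to expression 0, while the constructed pattern yields no findings.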