Subject: Re: [NEWSLETTER] [cti-stix] Multiple of the same qualifier - bugfix


Makes sense to me, Jason. Good catch. Please propose the change in the
current working draft.

Cheers,
Trey

On 04.04.2019 08:42:25, Jason Keirstead wrote:
> It's come to our attention that according to the spec and our accompanying 
> ANTLR grammars, we allow the same expression qualifiers to be used 
> multiple times.
> 
> For example, this is a valid pattern:
> 
> [network-traffic:src_port = '127'] START t'2019-04-04T11:19:00.000Z' STOP 
> t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:34:00.000Z' STOP 
> t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:44:00.000Z' STOP 
> t'2019-04-04T11:49:00.000Z' REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 
> TIMES
> 
> This behaviour allows one to create patterns that, in my opinion, make no 
> logical sense - even though it is allowed, it is ambiguous and undefined 
> in the spec how one is supposed to interpret the above pattern.
> 
> I believe this should be interpreted as a bug in the spec. I would like to 
> propose the following changes to section 4.1.1 of STIX 2.1 Part 4:
> 
> Former text:
> 
>     Each Observation Expression MAY have additional temporal or repetition 
> restrictions using the respective WITHIN, START/STOP, and REPEATS 
> keywords. 
> 
> Proposed change:
> 
>     Each Observation Expression MAY have additional temporal or repetition 
> restrictions using the respective WITHIN, START/STOP, and REPEATS 
> qualifiers. Each distinct qualifier type MUST NOT be applied more than 
> once to an individual Observation Expression. 
> 
> -
> Jason Keirstead
> Lead Architect - IBM Security Connect
> www.ibm.com/security
> 
> "Things may come to those who wait, but only the things left by those who 
> hustle." - Unknown 
> 
> 

-- 
CERT.be
Centre for Cyber Security Belgium
Mail: trey.darley@cert.be
GPG: CA5B 29E4 937E 151E 2550  6607 AE9A 7FF2 8000 0E4E
-- 
Under the authority of the Prime Minister
Wetstraat 16 - 1000 Brussels - Belgium
Visiting address : Rue Ducale 4 - 1000 Brussels - Belgium
Contact: https://www.cert.be
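
The rule proposed in the quoted message can be enforced as a check before a pattern is accepted. The following is an added example, not part of the thread and not the TC's ANTLR grammar: a simplified scanner (the names `TOKEN`, `QUALIFIERS`, `duplicate_qualifiers` and `EMAIL_PATTERN` are hypothetical) that reports each qualifier type applied more than once to the same Observation Expression, treating a bracketed expression or a parenthesised group as the target.

```python
import re

# Keyword that opens each qualifier -> qualifier type (STOP is part of START/STOP).
QUALIFIERS = {"WITHIN": "WITHIN", "START": "START/STOP", "REPEATS": "REPEATS"}

# Simplified tokens: quoted literals are consumed whole so keywords or brackets
# inside them are never seen; this is not the full STIX grammar.
TOKEN = re.compile(r"""
    (?P<string>'(?:\\.|[^'\\])*')          # string literal or timestamp body
  | (?P<open>\[)                           # start of a comparison expression
  | (?P<close>[\])])                       # end of a comparison or of a group
  | (?P<word>[A-Za-z_][A-Za-z0-9_-]*)      # keyword or object-path component
""", re.VERBOSE)

def duplicate_qualifiers(pattern):
    """Return (qualifier_type, offset) for every repeated qualifier."""
    duplicates, seen, in_comparison = [], set(), False
    for match in TOKEN.finditer(pattern):
        kind, text = match.lastgroup, match.group()
        if kind == "string":
            continue
        if kind == "open":
            in_comparison = True
        elif text == "]":
            in_comparison = False
            seen = set()          # a new Observation Expression is the target
        elif text == ")" and not in_comparison:
            seen = set()          # the closed group becomes the new target
        elif kind == "word" and not in_comparison:
            qualifier = QUALIFIERS.get(text)
            if qualifier is None:
                continue
            if qualifier in seen:
                duplicates.append((qualifier, match.start()))
            seen.add(qualifier)
    return duplicates

# The pattern from the quoted message, with ASCII quotes.
EMAIL_PATTERN = (
    "[network-traffic:src_port = '127'] "
    "START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES"
)

if __name__ == "__main__":
    for qualifier, offset in duplicate_qualifiers(EMAIL_PATTERN):
        print(f"duplicate {qualifier} qualifier at offset {offset}")
```

A qualifier on a parenthesised group is counted separately from qualifiers inside the group, since they apply to different Observation Expressions.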