See also https://github.com/oasis-tcs/cti-stix2/issues/70
It's come to our attention that according to the spec and our accompanying ANTLR grammars, we allow the same expression qualifiers to be used multiple times.

For example, this is a valid pattern:

[network-traffic:src_port = '127'] START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES

This behaviour allows one to create patterns that, in my opinion, make no logical sense - even though it is allowed, it is ambiguous and undefined in the spec how one is supposed to interpret the above pattern.

I believe this should be interpreted as a bug in the spec. I would like to propose the following changes to section 4.1.1 of STIX 2.1 Part 4:

Former text: Each Observation expression MAY have additional temporal or repetition restrictions using the respective WITHIN, START/STOP, and REPEATS keywords.

Proposed change: Each Observation expression MAY have additional temporal or repetition restrictions using the respective WITHIN, START/STOP, and REPEATS qualifiers. Each distinct qualifier type MUST NOT be applied more than once to an individual Observation expression.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
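
One way to check a pattern against the proposed rule, as an added example that is not part of the original message, the spec, or the OASIS validator. It is a minimal scanner rather than the ANTLR grammar; the name `duplicate_qualifiers` and the choice to count START/STOP as a single qualifier type are assumptions.

```python
import re
from collections import Counter

_TOKEN = re.compile(r"""
    (?P<obs>\[(?:'(?:[^'\\]|\\.)*'|[^\]'])*\])  # comparison expression; strings may hold ']'
  | (?P<ts>t'[^']*')                            # timestamp literal
  | (?P<word>[A-Za-z]+)
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<paren>[()])
  | (?P<ws>\s+)
""", re.VERBOSE)

QUALIFIERS = {"WITHIN": "WITHIN", "START": "START/STOP", "REPEATS": "REPEATS"}
OPERATORS = {"AND", "OR", "FOLLOWEDBY"}

# The pattern quoted in the message above.
SAMPLE = ("[network-traffic:src_port = '127'] "
          "START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
          "START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
          "START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
          "REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES")

def duplicate_qualifiers(pattern):
    """Return [(operand, qualifier_type, count)] for qualifiers applied more than once."""
    findings, operand, run = [], None, Counter()

    def flush():  # close the run of qualifiers attached to the current operand
        findings.extend((operand, q, n) for q, n in run.items() if n > 1)
        run.clear()

    pos = 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind in ("obs", "paren"):
            flush()  # a new operand (or group boundary) starts a new qualifier run
            operand = text if kind == "obs" else ("(...)" if text == ")" else None)
        elif kind == "word" and text in OPERATORS:
            flush()
            operand = None
        elif kind == "word" and text in QUALIFIERS and operand is not None:
            run[QUALIFIERS[text]] += 1
    flush()
    return findings

if __name__ == "__main__":
    for operand, qualifier, count in duplicate_qualifiers(SAMPLE):
        print(f"{qualifier} applied {count} times to {operand}")
```

A qualifier on a parenthesized group is counted separately from qualifiers on the expressions inside it, so `([a:b = 1] WITHIN 5 SECONDS) WITHIN 10 SECONDS` is not flagged.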