OASIS Mailing List Archives

cti-stix message
Subject: Re: [EXT] Re: [cti-stix] Multiple of the same qualifier - bugfix


Jason,

Please make the suggested changes in the Patterning document (currently Part 5).  I will go in now and flag that issue as a bug and something to fix for 2.1.  

Bret

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, April 4, 2019 7:27 AM
To: drew.varner@ninefx.com
Cc: cti-stix@lists.oasis-open.org
Subject: [EXT] Re: [cti-stix] Multiple of the same qualifier - bugfix
 
Ah good catch Drew, it seems we brought this up in the past :)


-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From: drew.varner@ninefx.com
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Date: 04/04/2019 10:11 AM
Subject: Re: [cti-stix] Multiple of the same qualifier - bugfix
Sent by: <cti-stix@lists.oasis-open.org>




See also https://github.com/oasis-tcs/cti-stix2/issues/70

On Apr 4, 2019, at 8:42 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

It's come to our attention that according to the spec and our accompanying ANTLR grammars, we allow the same expression qualifiers to be used multiple times.

For example, this is a valid pattern:


[network-traffic:src_port = '127'] START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES


This behaviour allows one to create patterns that, in my opinion, make no logical sense - even though it is allowed, it is ambiguous and undefined in the spec how one is supposed to interpret the above pattern.


I believe this should be interpreted as a bug in the spec. I would like to propose the following changes to section 4.1.1 of STIX 2.1 Part 4


Former text:


   Each Observation expression MAY have additional temporal or repetition restrictions using the respective WITHIN, START/STOP, and REPEATS keywords.

Proposed change:


   Each Observation expression MAY have additional temporal or repetition restrictions using the respective WITHIN, START/STOP, and REPEATS qualifiers. Each distinct qualifier type MUST NOT be applied more than once to an individual Observation expression.

-
Jason Keirstead
Lead Architect - IBM Security Connect

www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown
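A check for the rule proposed in the message above, written here as an added example; it is not part of the thread, of the OASIS specification text, or of any stix2 library. It masks string literals, scans a pattern for the three qualifier forms (WITHIN ... SECONDS, START t'...' STOP t'...', REPEATS ... TIMES), groups qualifiers that follow each other directly as belonging to the same Observation expression, and reports any qualifier type applied more than once. The function names, THREAD_PATTERN and the loose timestamp/number matching are my assumptions; validating the values themselves is out of scope.

```python
import re
from collections import Counter

# Qualifier forms from the STIX 2.1 patterning grammar as quoted in the thread.
# Numbers and timestamps are matched loosely on purpose: this checker only counts
# how many times each qualifier TYPE is applied, it does not validate the values.
_QUALIFIER_RE = re.compile(
    r"""
    (?P<within>\bWITHIN\s+\d+(?:\.\d+)?\s+SECONDS\b)
  | (?P<startstop>\bSTART\s+t'[^']*'\s+STOP\s+t'[^']*')
  | (?P<repeats>\bREPEATS\s+\d+\s+TIMES\b)
    """,
    re.VERBOSE,
)

# Single-quoted string literals (with backslash escapes). They are masked before
# scanning so that a comparison value such as 'REPEATS 3 TIMES' inside the
# brackets is not mistaken for a qualifier. Timestamps become t'_' and still match.
_STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'")

# The pattern posted in the thread, with straight quotes (constructed test input).
THREAD_PATTERN = (
    "[network-traffic:src_port = '127'] "
    "START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES"
)


def qualifier_runs(pattern: str) -> list[list[str]]:
    """Qualifier types attached to each Observation expression, in order.

    Qualifiers separated only by whitespace belong to the same Observation
    expression; any other text between two qualifiers (an operator such as
    FOLLOWEDBY, another bracketed expression) starts a new run.
    """
    masked = _STRING_RE.sub("'_'", pattern)
    runs: list[list[str]] = []
    current: list[str] = []
    last_end = None
    for m in _QUALIFIER_RE.finditer(masked):
        if last_end is not None and masked[last_end:m.start()].strip():
            runs.append(current)  # something other than whitespace in between
            current = []
        current.append(m.lastgroup)  # name of the alternative that matched
        last_end = m.end()
    if current:
        runs.append(current)
    return runs


def duplicate_qualifiers(pattern: str) -> list[dict[str, int]]:
    """Per Observation expression, the qualifier types applied more than once.

    An empty dict means that expression satisfies the proposed
    'MUST NOT be applied more than once' rule.
    """
    result = []
    for run in qualifier_runs(pattern):
        counts = Counter(run)
        result.append({q: n for q, n in counts.items() if n > 1})
    return result


def is_valid_under_proposal(pattern: str) -> bool:
    """True when no Observation expression repeats a qualifier type."""
    return all(not dups for dups in duplicate_qualifiers(pattern))


if __name__ == "__main__":
    print(duplicate_qualifiers(THREAD_PATTERN))
    print(is_valid_under_proposal(THREAD_PATTERN))
```

Run against the thread's pattern this reports three START/STOP and three REPEATS qualifiers on the single Observation expression and rejects it; the same pattern with one START/STOP pair and one REPEATS passes. Because runs are split on any non-whitespace text between qualifiers, a compound pattern such as `[...] WITHIN 5 SECONDS FOLLOWEDBY [...] REPEATS 2 TIMES` is checked per expression rather than as one bag of qualifiers.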





