Subject: Re: [EXT] Re: [cti-stix] Multiple of the same qualifier - bugfix
Jason,
Please make the suggested changes in the Patterning document (currently Part 5). I will go in now and flag that issue as a bug and something to fix for 2.1.
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, April 4, 2019 7:27 AM
To: drew.varner@ninefx.com
Cc: cti-stix@lists.oasis-open.org
Subject: [EXT] Re: [cti-stix] Multiple of the same qualifier - bugfix

Ah good catch Drew, it seems we brought this up in the past :)

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown

From: drew.varner@ninefx.com
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Date: 04/04/2019 10:11 AM
Subject: Re: [cti-stix] Multiple of the same qualifier - bugfix
Sent by: <cti-stix@lists.oasis-open.org>

See also https://github.com/oasis-tcs/cti-stix2/issues/70

On Apr 4, 2019, at 8:42 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

It's come to our attention that according to the spec and our accompanying ANTLR grammars, we allow the same expression qualifiers to be used multiple times. For example, this is a valid pattern:

    [network-traffic:src_port = '127']
        START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z'
        START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z'
        START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z'
        REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES

This behaviour allows one to create patterns that, in my opinion, make no logical sense - even though it is allowed, it is ambiguous and undefined in the spec how one is supposed to interpret the above pattern.

I believe this should be interpreted as a bug in the spec. I would like to propose the following changes to section 4.1.1 of STIX 2.1 Part 4.

Former text:

    Each Observation Expression MAY have additional temporal or repetition restrictions using the respective WITHIN, START/STOP, and REPEATS keywords.

Proposed change:

    Each Observation Expression MAY have additional temporal or repetition restrictions using the respective WITHIN, START/STOP, and REPEATS qualifiers. Each distinct qualifier type MUST NOT be applied more than once to an individual Observation Expression.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown
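The rule proposed in this thread can be checked before a pattern is accepted into a detection pipeline. The following Python sketch is an added example, not code from the thread or from the OASIS tooling; the name duplicate_qualifiers is hypothetical, and it assumes that consecutive qualifiers following a closing `]` or `)` all apply to that one Observation Expression.

```python
import re
from collections import Counter

# Top-level tokens: a whole [comparison expression], a parenthesis, a literal,
# or a bare word. Quoted strings inside brackets may contain ']' and escapes.
_TOKEN = re.compile(r"""
    \[(?:[^\]'\\]|'(?:[^'\\]|\\.)*'|\\.)*\]
  | [()]
  | t?'(?:[^'\\]|\\.)*'
  | [A-Za-z0-9_.-]+
""", re.VERBOSE)

# STOP is part of the START/STOP qualifier, so only START is counted.
QUALIFIERS = {"WITHIN", "START", "REPEATS"}


def duplicate_qualifiers(pattern):
    """Return (expression_number, qualifier, count) for each repeated qualifier.

    Expressions are numbered in the order their closing ']' or ')' appears.
    """
    findings, counts, expr_no = [], Counter(), 0

    def flush():
        findings.extend((expr_no, q, n)
                        for q, n in sorted(counts.items()) if n > 1)

    for tok in _TOKEN.findall(pattern):
        if tok.startswith("[") or tok == ")":
            # A new Observation Expression ends here; close the previous run.
            flush()
            counts, expr_no = Counter(), expr_no + 1
        elif tok in QUALIFIERS:
            counts[tok] += 1
    flush()
    return findings


# Constructed sample: the pattern from the thread, with plain ASCII quotes.
THREAD_PATTERN = (
    "[network-traffic:src_port = '127'] "
    "START t'2019-04-04T11:19:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:34:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "START t'2019-04-04T11:44:00.000Z' STOP t'2019-04-04T11:49:00.000Z' "
    "REPEATS 10 TIMES REPEATS 15 TIMES REPEATS 20 TIMES"
)

if __name__ == "__main__":
    for expr, qualifier, n in duplicate_qualifiers(THREAD_PATTERN):
        print(f"expression {expr}: {qualifier} applied {n} times")
```

A qualifier on a parenthesised group is counted separately from qualifiers on the expressions inside it, so `([a:b = 1] REPEATS 2 TIMES) REPEATS 3 TIMES` is not reported.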