OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-taxii message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-taxii] What happens when you GET messages

Bret –

 

In many circumstances, a TAXII client (that is using long-polling) that is retrieving this data may be doing a polled mechanism where it is important to get all new data since a last cycle or successful connection.

 

There’s two options on this.

 

1)       Get-Content-By-Last-ID

a.       Where the client provides the last ID that it got back from the server and a batch size that it wants to return.

b.       Batch-size == 1 effectively means that it can retrieve each message one-by-one and server’s could enforce batch-size=1 support if they don’t want to support larger batch retrieval sizes.

2)       Get-Content-By-Last-Timestamp

a.       Where the client provides the last timestamp (UTC) that it got from the last message posted to the server

b.       Batch-size logic would be the same as Get-Content-By-Last-ID

 

For me this provides the most efficient mechanisms (where servers and clients can decide on batch-size and helps cases where they can easily get the next message where they left off).

 

allan

 

 

From: <cti-taxii@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Saturday, October 8, 2016 at 8:16 AM
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Subject: [cti-taxii] What happens when you GET messages

 

All,

 

In the current TAXII API design we have path that looks something like this for messages on a channel.

 

https://foo.examples.com/taxii/some-api-base-name/channels/some-channel-name/messages

 

In the following examples I will use ellipses to represent a shorter version the above URL.

 

What I would like to know is what should happen on a "channel" when you perform

 

GET ../messages 

 

Should this return:

 

1) A JSON array of all of the content on the channel named "some-channel-name" (in practice this might be called Indicator, or threats, or my-risk-matrix, etc.,

 

2) A JSON array of TAXII message meta data so that you can turn around and do a GET for each message.  Namely something like:

[{

  "type": "message",

  "url": "../channels/some-channel-name/message/111223344",

  "size": 33221

  ...

} {

  "type": "message",

  "url": "../channels/some-channel-name/message/555223399",

  "size": 991123

  ...

}]

 

3) A single TAXII message of meta data. Doing this would obviously prevent some extra details or granular meta data about each message.  But it would look something like:

{

  "type": "message",

  "urls": [

    "../channels/some-channel-name/message/111223344",

    "url": "../channels/some-channel-name/message/555223399"

  ]

}

 

 

 

Thanks

Bret

 

 

 

 

 

 

 

  

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]