
cti-users message



Subject: Re: [cti-users] Re: Stix v2 RC3 - Cybox 3b


Ok, thanks for the responses folks.

Noted the reconciliation of the two specifications and thanks for the pointer as to where I can represent the user agent.

Regards

Conrad


From: "Kirillov, Ivan A." <ikirillov@mitre.org>
Date: Wednesday, 9 November 2016 at 19:09
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Conrad Crampton <conrad.crampton@SecData.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Re: Stix v2 RC3 - Cybox 3b


Ditto – we appreciate the feedback, Conrad. I think we can definitely add the ability to capture HTTP responses to our roadmap. Also, given that our current HTTP extension for the Network Traffic captures solely requests, I’m wondering if it would make more sense to rename it to http-request-ext and then add a corresponding http-response-ext later on.

As far as capturing HTTP user agent strings, you can currently do this using the request_header property (which is just a dictionary for capturing any/all request header fields) of the http-ext:

{
   "type": "network-traffic",
   "dst_ref": "0",
   "protocols": [
     "tcp",
     "http"
   ],
   "extended_properties": {
     "http-ext": {
       "request_method": "get",
       "request_value": "/download.html",
       "request_version": "http/1.1",
       "request_header": {
         "Accept-Encoding": "gzip,deflate",
         "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113",
         "Host": "www.example.com"
       }
     }
   }
}


Regards,

Ivan Kirillov

Cyber Observable (formerly CybOX) Co-chair
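One way a consumer of such objects would pull the user agent back out, as an added Python example (not code from this thread or from the STIX project), using the RC3 draft names shown in the message above ("extended_properties", "http-ext"); note that the extension has no response side, so only the request line and headers are recoverable:

```python
import json
from typing import Any, Dict, Optional

# Constructed sample: the network-traffic object from the message above, using
# the STIX 2 RC3 draft names shown there ("extended_properties", "http-ext").
SAMPLE = json.loads("""{
  "type": "network-traffic", "dst_ref": "0", "protocols": ["tcp", "http"],
  "extended_properties": {"http-ext": {
    "request_method": "get", "request_value": "/download.html",
    "request_version": "http/1.1",
    "request_header": {
      "Accept-Encoding": "gzip,deflate",
      "User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113",
      "Host": "www.example.com"}}}
}""")

def http_ext(obj: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the http-ext of a network-traffic object, or None when the object
    is not network-traffic, does not list http among its protocols, or has no
    such extension."""
    if obj.get("type") != "network-traffic":
        return None
    if "http" not in [p.lower() for p in obj.get("protocols", [])]:
        return None
    return obj.get("extended_properties", {}).get("http-ext")

def request_header(obj: Dict[str, Any], name: str) -> Optional[str]:
    """Case-insensitive lookup in request_header: HTTP field names are
    case-insensitive, but the dictionary keeps them as the producer wrote them."""
    ext = http_ext(obj)
    if not ext:
        return None
    wanted = name.lower()
    for key, value in ext.get("request_header", {}).items():
        if key.lower() == wanted:
            return value
    return None

def user_agent(obj: Dict[str, Any]) -> Optional[str]:
    """The User-Agent string, which this draft stores only as a request header."""
    return request_header(obj, "User-Agent")

def request_line(obj: Dict[str, Any]) -> Optional[str]:
    """Rebuild the request line the extension describes."""
    ext = http_ext(obj)
    if not ext:
        return None
    return f"{ext['request_method'].upper()} {ext['request_value']} {ext['request_version'].upper()}"
```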


From: <cti-users@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Wednesday, November 9, 2016 at 11:27 AM
To: Conrad Crampton <conrad.crampton@SecData.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-users] Re: Stix v2 RC3 - Cybox 3b


Conrad,

Thanks for the note... This release of STIX is an MVP (minimally viable product) release. Not all of the objects that were found in the old STIX 1x or CybOX 2x are currently in this release. Specifically, the STIX Cyber Observable layer (formerly CybOX 3) will be added to as we move forward.

One thing to note is that CybOX is no longer a separate specification. It is now called "STIX Cyber Observables" and is contained in Part 3a and Part 3b of the overall STIX specification. This should allow people to continue to reference this cyber observable layer without referencing all of STIX.

Bret



From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Conrad Crampton <conrad.crampton@SecData.com>
Sent: Wednesday, November 9, 2016 9:41:04 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Re: Stix v2 RC3 - Cybox 3b


A quick follow-up question that also relates to v2 -> v3 Cybox differences.

It also appears that user_agent cannot be represented in v3, unless one parses the user agent string and then treats each element – browser and OS – as two ‘software’ Cybox objects. Is this the intention?

Thanks


From: Conrad Crampton <conrad.crampton@SecData.com>
Date: Wednesday, 9 November 2016 at 14:09
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Stix v2 RC3 - Cybox 3b


Hi,

I see that the latest draft specifications for Stix & Cybox have been merged into the same document set. However, I don’t know whether, as a result of this, some fidelity of the objects has been lost in comparison to Cybox v2, or whether this happened much earlier. Specifically, I am looking to model an object / graph store using Cybox as the basis for the class structure, but when I come to model an HTTP request / response the latter is missing. I can model the HTTP request reasonably well in the http-ext of network-traffic, but what I can’t do is model the response element of the ‘transaction’. I believe this was present in v2 as the HTTP_Session object, which also had HTTP_Request and HTTP_Response objects.

I don’t suggest moving this model as is into v3 as it seemed a little verbose, but is there any intention of having some representation of the http_response attributes (response_code etc. – thinking about it, this is really the only attribute I’m concerned with at the moment)?

Of course, I could add this as an extension myself, but just wondering…

Thanks

Conrad
