cti-users message
Subject: Re: [cti-users] STIX 2.0 Pattern Expressiveness


On 12/28/2016 5:03 PM, Nick Dimiduk wrote:
> Hi Ivan,
>
> Thanks for the comments. I've spent some time with the antlr grammar [0],
> which has answered some questions and introduced some others.
>
> For my (1), (2), it seems the grammar defines a 'NULL' terminal node. It
> appears this can be used within an equality property test, so the
> appropriate syntax would be "[ foo:bar != NULL ]" or "[ foo:bar <> NULL ]".
> It's still left up to implementors to decide which object-paths are
> comparable with NULL and which are not.


I'm less qualified to comment on the rationale and history of the specification, but I can give a bit of background on the grammar: the current grammar is based on an older grammar that used to be in an appendix at the end of the pattern specification. That grammar was based on much earlier pattern language designs. I'm pretty sure 'null' is a holdover from that.

The specification has been a moving target, so the grammar has always been a bit behind. One of the things I try to do (as a contributor to the grammar, validator, and matcher) is look over the specification periodically and try to find what's changed in the specification and become outdated in the grammar. You're right that "null" no longer seems to appear in the spec, which I hadn't noticed. So that's a good catch. Others can comment on that history.

> Part 3 Section 2 defines a bunch of data types that are not represented in
> the grammar (list, open-vocab, timestamp, binary, hex, dictionary).
> Obviously some of them could be specified as type-name aliases of others. Is
> there a plan to update the grammar with support for these types?


For binary and hex types: I added support for them (locally) a little while ago, but discussion was still ongoing and it seemed possible for a while that the lexical spaces could change, being replaced with a new function-call-like syntax, which meant I'd have to redo it. It makes more sense to wait and let the spec settle before going to the trouble of updating the grammar and tools. But I think the spec has settled down more now, so I hope to have support before too long.

The situation is similar for timestamps. There was a lively discussion about them, but I think it has settled enough to update the grammar.

I'll defer to others for the other types.

Andy

1. https://github.com/oasis-open/cti-pattern-matcher/blob/master/pattern_matcher/grammars/CyboxPattern.g4
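As an added example (this is not code from the message, the ANTLR grammar or the cti-pattern-matcher project), here is a minimal evaluator for a single STIX-style comparison expression that shows the two points discussed above: a NULL literal accepted only in an equality test and only for object paths the implementor has declared comparable with NULL, and typed literals for timestamp, hex and binary values. The t'...', h'...' and b'...' literal prefixes, the NULLABLE_PATHS set, the rule that an absent path counts as NULL, and the observed object are all assumptions made for the example, not anything the message or the spec confirms.

```python
import base64
import re
from datetime import datetime, timezone


class _Null:
    """Sentinel for the grammar's NULL terminal."""

    def __repr__(self):
        return "NULL"


NULL = _Null()


class HexLiteral(bytes):
    """Bytes that came from an h'...' literal (ASSUMED syntax)."""


class BinaryLiteral(bytes):
    """Bytes that came from a b'...' literal (ASSUMED syntax)."""


# Right-hand-side literals. NULL, quoted strings and integers follow the
# message; the t'/h'/b' prefixes for timestamp, hex and binary are an
# ASSUMPTION about where the lexical spaces settled.
_LITERAL = re.compile(
    r"^(?:(?P<null>NULL)|(?P<kind>[thb])?'(?P<body>[^']*)'|(?P<int>-?\d+))$"
)

# One comparison expression: [ object-path op literal ]
_COMPARISON = re.compile(
    r"^\[\s*(?P<path>[A-Za-z0-9_\-]+:[A-Za-z0-9_\-.]+)\s*"
    r"(?P<op>!=|<>|<=|>=|=|<|>)\s*(?P<lit>.+?)\s*\]$"
)

_OPS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<>": lambda a, b: a != b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_literal(text):
    """Turn the textual literal into a Python value, or the NULL sentinel."""
    m = _LITERAL.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised literal: {text!r}")
    if m.group("null"):
        return NULL
    if m.group("int") is not None:
        return int(m.group("int"))
    body, kind = m.group("body"), m.group("kind")
    if kind is None:
        return body
    if kind == "t":
        # Whole seconds only; fractional seconds are out of scope here.
        return datetime.strptime(body, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if kind == "h":
        return HexLiteral(bytes.fromhex(body))
    return BinaryLiteral(base64.b64decode(body, validate=True))


def _coerce(actual, literal):
    """Bring an observed value into the literal's type before comparing."""
    if isinstance(literal, datetime) and isinstance(actual, str):
        return parse_literal(f"t'{actual}'")
    if isinstance(literal, HexLiteral) and isinstance(actual, str):
        return bytes.fromhex(actual)  # e.g. a hash stored as a hex string
    if isinstance(literal, BinaryLiteral) and isinstance(actual, str):
        return base64.b64decode(actual, validate=True)
    return actual


def evaluate(pattern, observed, nullable_paths):
    """Evaluate one comparison against `observed` (a path -> value dict, None = present but null).

    `nullable_paths` is the implementor's choice of which paths may be compared
    with NULL, which the message leaves open.
    """
    m = _COMPARISON.match(pattern.strip())
    if not m:
        raise ValueError(f"not a single comparison expression: {pattern!r}")
    path, op = m.group("path"), m.group("op")
    literal = parse_literal(m.group("lit"))

    if literal is NULL:
        # NULL is only meaningful in an equality test, and only for paths the
        # implementation has declared comparable with NULL.
        if op not in ("=", "!=", "<>"):
            raise ValueError(f"NULL cannot be used with {op!r}")
        if path not in nullable_paths:
            raise ValueError(f"{path} is not comparable with NULL")
        is_null = observed.get(path) is None  # absent or explicitly null (ASSUMED)
        return is_null if op == "=" else not is_null

    if observed.get(path) is None:
        return False  # nothing to compare against a non-NULL literal
    actual = _coerce(observed[path], literal)
    try:
        return _OPS[op](actual, literal)
    except TypeError:
        raise ValueError(f"{path} value {actual!r} is not comparable with {literal!r}")


# Constructed observation for this example (not real data).
OBSERVED = {
    "file:name": "update.exe",
    "file:size": 4096,
    "file:hashes.MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "file:created": "2016-12-28T17:03:00Z",
    "network-traffic:dst_port": None,
}
# ASSUMED implementor decision about which paths may be tested against NULL.
NULLABLE_PATHS = {"network-traffic:dst_port", "email-message:subject"}
```

Calling `evaluate("[ network-traffic:dst_port = NULL ]", OBSERVED, NULLABLE_PATHS)` returns True, while `"[ file:name != NULL ]"` raises because file:name is not in the nullable set; that rejection is exactly the implementor-side decision the message says the grammar does not make for you.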
