OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Re: Call for CTI De-Fanging Conventions (Draft Motion)


I second the motion, and agree with you Mark.

Also, just as an FYI, it looks like one of the developers in the MISP project has developed a nice executable file in PHP for defanging URLs/eMails/Domains & IPs in Alerts.

The GitHub link is here:


Especially take a look at the code from lines 1083 to 1104...but, there are a lot of other nice features as well, including a set-up for TAXII connectivity and adding a cryptographic signature. 

Jane Ginn

On 8/20/2015 7:18 AM, Mark Clancy wrote:

I support this! 

Although I suspect we will also have to deal with a ton of "non-standard" defag approaches in the field regardless of what every we formally come up with in OASIS.

Defanged data does not place nice with automated hunting for the signs of the fangs.



Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile |  +44 7823 626 535  UK mobile
mclancy@soltra.com | soltra.com
One organization's incident becomes everyone's defense.

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Sent: Thursday, August 20, 2015 9:35 AM
To: cti@lists.oasis-open.org
Subject: [cti] Call for CTI De-Fanging Conventions (Draft Motion)
One CTI Standard that would provide broad applicability and immediate value to the overall CTI Community would be the definition and adoption of a set of standards and methods for "de-fanging" Indicators and weaponized/malicious artifacts.

Draft Motion:

The OASIS CTI TC shall develop Normative CTI standards for "de-fanging" Indicators and weaponized/malicious artifacts.  

This includes non-normative methods for "De-Fanging" /"Re-Fanging" and compliance validation of STIX and CybOX data.

Format of this specification shall be universal in nature with specific enumerations within STIX/CybOX* referencing this "default" convention.

* Depending on the outcomes of TAXII functionality discussions this standard may be applicable to TAXII in addition to STIX and CybOX.  (i.e., is TAXII processing/parsing atomic level objects and making decisions based on content and marking?, Query functionality within TAXII).

Patrick Maroney
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]