Unfortunately, I can’t say with 100% certainty. The STIX documents were sent via email, so I don’t have a clue what created the documents from a tool perspective.
I feel like some of it is that people are just taking liberties with the language. For example, one error I just got when trying to validate a file said:
“The value ‘Domain Name’ is not an element of the set {‘FQDN’, ‘TLD’}”
This says to me, and I could just be wrong, that someone implemented something that didn’t like the options of FQDN or TLD, so they just put Domain Name there instead.
However, some of the problems might be just an issue reading/interpreting the specs. I have also seen the error:
“Element ‘{http://stix.mitre.org/stix-1}Handling’ is not a member of…” however “{http://stix.mitre.org/Indicator-2}Handling” is one of the options in the
list. Since I’m an analyst and not a spec writer or a tool developer, this error doesn’t mean much to me, but it might mean something to others.
Sorry I can’t provide more specifics, but I really don’t know how these documents were generated.
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity
From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, February 4, 2016 at 8:48 AM
To: Eric Burger <Eric.Burger@georgetown.edu>
Cc: Sarah Kelley <sarah.kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Quality of the specs
Date: Thursday, February 4, 2016 at 8:48 AM
To: Eric Burger <Eric.Burger@georgetown.edu>
Cc: Sarah Kelley <sarah.kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Quality of the specs
Furthermore - are the people creating this STIX using a tool provided by a vendor, or crafting it by hand (or using home grown tools).
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Eric Burger
---02/04/2016 07:20:43 AM---In your experience is it that people are not reading the specs, the specs are ambiguous, the specs a
From: Eric Burger <Eric.Burger@georgetown.edu>
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 02/04/2016 07:20 AM
Subject: [cti] Quality of the specs
Sent by: <cti@lists.oasis-open.org>
In your experience is it that people are not reading the specs, the specs are ambiguous, the specs are wrong, or the validator is wrong?
-
On Feb 2, 2016, at 2:53 PM, Sarah Kelley <Sarah.Kelley@cisecurity.org> wrote:
Can I make a request that every training that takes place regarding STIX/TAXII/CybOX specifically mention/provide training on the STIX validator? We have had several different instances where people attempt to share information with us in STIX format, but the STIX doesn’t validate so we can’t actually use what they’re sending us.
...
. . .