[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: CybOX Object Extensions
Sending this to the broader CTI list since it’s part of the STIX/CybOX Indicator tranche.
I don’t believe we have consensus yet on the concept of CybOX extensions, so here’s our current thinking to help summarize where we stand:
Here’s a JSON example of what extensions on a File Object would look like:
{ "hashes": [{ "type": "md5", "hash-value": "3773a88f65a5e780c8dff9cdc3a056f3" }], "size": 25537, "extended-properties": { "FileMetadataExtension": {"mime-type": "vnd.microsoft.portable-executable"}, "EXT3FileExtension": {"inode": "34483923"}, "PEBinaryFileExtension": {"exports": [{"name": "foo_app"}]} } } Besides some logistical questions around extension management and versioning [2], the biggest open question is around extension design, especially whether we should permit overlapping properties. Our current thinking is that extensions are defined independently
and cannot extend/sub-class each other (to avoid the same issues that we’ve had with this approach). What this means in practice is that there could be cases where two extensions share one or more properties; for example, if we have an EXT2FileExtension and
EXT3FileExtension, both could have the “inode” property. To get around this, we could create a “generic” EXTFileExtension that has a set of properties common to all EXT file systems, and have the EXT2FileExtension and EXT3FileExtension contain only their unique
set of properties.
Are there any thoughts on how we should approach this? Should we permit overlapping properties in extensions?
Regards,
Ivan
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]