Subject: RE: Common CybOX Object Refactoring
Hi Ivan,

Address object: I really like the separating into different objects. In training that I’ve done in the past it’s invariably been the first question – why are email addresses in the same object as IP addresses? Along with the whole DomainName is in the URI Object, yet FQDN and Top Level Domain are in the DomainName Object (that one has always puzzled me!).

As for the additional objects, I would say that ASN should be recorded in the separate object. Using relationships will allow us to use one AS object and relate the IP addresses within that AS to the AS number easily.

I do think that we need a way of tracking the Assigned IPv4 and IPv6 addresses compared to AS number as well, such as assigned by Regional Internet Registries (https://www.apnic.net/publications/research-and-insights/by-rir). This is important for discovering bulletproof hosting environments whose entire infrastructure and IP address ranges can be blocked as they are full of maliciousness.

The rest of the objects listed (ATM, IPv4 Netmask and IPv6 Netmask) don’t need to be moved to CybOX 3 right now. If there is a need for them in the future then we can add them in a dot release.

File Object: It looks very logical. I’m not a host forensics guy, but I do like it.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Kirillov, Ivan A.

I’d like us to get to consensus on the Address and File Object refactoring; I’ve highlighted some of the open questions and current consensus below. If there are no additional thoughts/comments by the end of the week, then I’d suggest that consensus has been reached.

Regards,
Ivan

From: Ivan Kirillov <ikirillov@mitre.org>

Sending this to the broader CTI list since it’s part of the STIX/CybOX Indicator tranche.

Here’s a summary of the status of the refactoring of the most commonly used CybOX Objects (based on CTI-stats). Please let us know if you don’t agree with the consensus status for Address and File, and also if you have any input on their open questions.

Accordingly, I would propose grouping and timeboxing the refactoring discussions as such:

Regards,
Ivan