Subject: Re: Common CybOX Object Refactoring
>Along with the whole DomainName is in the URI Object, yet FQDN and Top Level Domain are in the DomainName Object (that one has always puzzled me!).
That’s something we should revisit soon; my hope is that we can run through the “simple” Objects (URI, DomainName, etc.) in one go and make any necessary changes there.
>As for the additional objects, I would say that ASN should be recorded in the separate object. Using relationships will allow us to use one AS object and relate the IP addresses within that AS to the AS number easily.
I agree, and it’s worth noting that we already have an AS Object [1] that captures AS Name, Number, and some other properties.
>I do think that we need a way of tracking the Assigned IPv4 and IPv6 addresses compared to AS number as well, such as assigned by Regional Internet Registries (https://www.apnic.net/publications/research-and-insights/by-rir).
I’m not sure if I’m understanding this correctly; are you suggesting that we add the ability to associate an IPv4/IPv6 address with its assigning RIR?
>The rest of the objects listed (ATM, IPv4 Netmask and IPv6 Netmask) don’t need to be moved to CybOX 3 right now. If there is a need for them in the future then we can add them in a dot release.
Agreed!
Regards,
Ivan
From: Terry MacDonald <terry@soltra.com>
Date: Monday, February 22, 2016 at 2:43 PM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: RE: Common CybOX Object Refactoring
Hi Ivan,
Address object:
I really like the separating into different objects. In training that I’ve done in the past it’s invariably been the first question – why are email addresses in the same object as IP addresses? Along with the whole DomainName is in the URI Object, yet FQDN and Top Level Domain are in the DomainName Object (that one has always puzzled me!).
As for the additional objects, I would say that ASN should be recorded in the separate object. Using relationships will allow us to use one AS object and relate the IP addresses within that AS to the AS number easily.
I do think that we need a way of tracking the Assigned IPv4 and IPv6 addresses compared to AS number as well, such as assigned by Regional Internet Registries (https://www.apnic.net/publications/research-and-insights/by-rir). This is important for discovering bulletproof hosting environments whose entire infrastructure and IP address ranges can be blocked as they are full of maliciousness.
The rest of the objects listed (ATM, IPv4 Netmask and IPv6 Netmask) don’t need to be moved to CybOX 3 right now. If there is a need for them in the future then we can add them in a dot release.
File Object:
It looks very logical. I’m not a host forensics guy, but I do like it.
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Kirillov, Ivan A.
I’d like us to get to consensus on the Address and File Object refactoring; I’ve highlighted some of the open questions and current consensus below. If there are no additional thoughts/comments by the end of the week, then I’d suggest that consensus has been reached.
Regards,
Ivan
From: Ivan Kirillov <ikirillov@mitre.org>
Sending this to the broader CTI list since it’s part of the STIX/CybOX Indicator tranche.
Here’s a summary of the status of the refactoring of the most commonly used CybOX Objects (based on CTI-stats). Please let us know if you don’t agree with the consensus status for Address and File, and also if you have any input on their open questions.
Accordingly, I would propose grouping and timeboxing the refactoring discussions as such:
Regards,
Ivan