Thanks,
-Marlon
From: cti@lists.oasis-open.org on behalf of Jordan, Bret
Sent: Friday, April 29, 2016 4:17:07 PM
To: Taylor, Marlon
Cc: John Anderson; Mark Davidson; cti@lists.oasis-open.org
Subject: Re: [cti] Update from STIX Package renaming Mini-Group
Currently we have:
"description": "This file is part of Poison Ivy",
"pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
}
"description": "This file is part of Poison Ivy",
"pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
}
{
"type": "package",
"id": "package--5e2cb95f-30c1-46d3-8b39-d97d34d82d3c",
"created_by_ref": "source--5e2cb95f-30c1-46d3-8b39-d97d34AAAAAA",
"created_time": "2016-04-29T14:09:00.123456Z",
"revision": 1,
"modified_time: "2016-04-29T14:09:00.123456Z",
"spec_version": "stix-2.0",
"indicators": [
{
"type": "indicator",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"type": "indicator",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_time": "2016-04-29T14:09:00.123456Z",
"revision": 1,
"modified_time: "2016-04-29T14:09:00.123456Z",
"title": "Poison Ivy Malware","description": "This file is part of Poison Ivy",
"pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
}
]
}
What we are proposing is:
{
"type": "bundle",
"spec_version": "stix-2.0",
"indicators": [
{
"type": "indicator",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"type": "indicator",
"id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"created_by_ref": "source--f431f809-377b-45e0-aa1c-6a4751cae5ff",
"created_time": "2016-04-29T14:09:00.123456Z",
"revision": 1,
"modified_time: "2016-04-29T14:09:00.123456Z",
"title": "Poison Ivy Malware","description": "This file is part of Poison Ivy",
"pattern": "file-object.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3'"
}
]
}
Basically the bundle will be a simple wrapper for transmitting bulk STIX content without any implied meaning or context. It will also not contain any top level object properties as the bundle should not be versioned or IDed or anything. A consumer
would just throw the outer layer away after it received and processed the contents.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Apr 29, 2016, at 11:44, Taylor, Marlon <Marlon.Taylor@hq.dhs.gov> wrote:
Hi Mark,
Would someone provide samples to show the differences of these changes?
Thanks,
-Marlon
From: cti@lists.oasis-open.org on behalf of John Anderson
Sent: Friday, April 29, 2016 1:32:38 PM
To: Mark Davidson; cti@lists.oasis-open.org
Subject: [cti] Re: Update from STIX Package renaming Mini-Group
Disclaimer: This is my own personal opinion, in no way representative of any professional connections or organizations I'm involved with.
Hmm...There's something odd about "STIX-Bundle". I'm not sure I can say what, exactly.
I wonder if any of these synonyms to "bundle" would work? http://www.thesaurus.com/browse/bundle
Here are some alternatives I find appealing:
STIX-Assortment (evokes a box of chocolates)
STIX-Box (evokes the "toss everything in" use case)
STIX-Pile (evokes Autumn and kids jumping in the leaves)
The funny thing is that this synonym seems to make the most sense, because of the whole "shipping things around" analogy:
STIX-Package
Happy Friday, everyone! <OutlookEmoji-😊.png>JSA
PS-If we could expand our search, we could use words that evoke "tying together for transport". Like "STIX-ZipTie" or "STIX-Rope". Then again, there's something musical about "STIX-Band". Come sail away, come sail away...
PPS-Thanks for reading. Sometimes a little humor can help lighten things up. I hope this has. <OutlookEmoji-😊.png>
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Mark Davidson <mdavidson@soltra.com>
Sent: Friday, April 29, 2016 12:56:45 PM
To: cti@lists.oasis-open.org
Subject: [cti] Update from STIX Package renaming Mini-GroupAll,
Here is a quick update from the STIX Package name mini-group. The mini group is proposing:
- Renaming STIX-Package to STIX-Bundle
- STIX-bundle is simply a transport container
- STIX-Bundle is a grouping of STIX content that isn’t required to be related (it MIGHT be related, but being in the same bundle doesn’t mean it’s related)
- Removing all TLO Common Properties (with an open question about Data Markings)
- Removed properties: id, created_by_ref, created_time, revision, modified_time, revoked, revision_comment, confidence, object_markings_refs, granular_markings
- STIX-Bundle will keep the `spec_version` property
- All content in the bundle MUST be the same STIX version (identified by spec_version)
There is an open question about whether Data Markings should be in the STIX-Bundle. Arguments for keeping it are:
- The group seemed to have consensus that Bundle-level markings were desired, but evidence was difficult for the mini-group to find.
- Certain sharing communities would appreciate the simplicity of package marking.
- It makes objects look smaller and is more natural for people who are new to the specs
Arguments for removing it are:
- Data Marking at the bundle level is “two ways of doing things” - on-the-object markings and on-the-bundle markings
- TLO signatures will not be valid when the Bundle-level markings are used
Thank you.-Mark