[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti] RE: Patterning Operators - CONTAINS
Comments inline. > -----Original Message----- > From: John-Mark Gurney [mailto:jmg@newcontext.com] > Sent: Thursday, October 27, 2016 6:41 PM > To: Back, Greg <gback@mitre.org> > Cc: Kirillov, Ivan A. <ikirillov@mitre.org>; cti@lists.oasis-open.org > Subject: Re: [cti] RE: Patterning Operators - CONTAINS > ... > Forgot to address this issue in my email. IN is not the same as CONTAINS. a > IN (x, y, ...) is short hande for a == x OR a == Y ..., and so not a proper set > operation. How is IN not (semantically) equivalent to a set operation, assuming we are talking about finite sets (even large finite sets like a /8 netblock)? > This means that we cannot repurpose IN w/o having confusing change of > behavior of the IN operator. As Jason pointed out, Oracle uses a new > operator to handle IP subset identification. I'm fine with having a special operator for IP subnet containment; I just don't think it should be a generic "subset" operator, at least until we identify more use cases for it. Re-using IN has its pros and cons, and subnet containment is a special case either way. > The first standard use for this is black lists. Is this IP part of a C&C network. > > The second are things like, does the interface of this machine have this IP on > it's local subnet: > network-interface:network ISSUPERSET '192.168.1.5' We don't currently define a network-interface object (that I can find), so at this point I'm still not convinced it's needed. That said, I'm not opposed to a (better-named) ISSUPERSET operator, since implementing it will likely be easy once the converse ISSUBSET (again, better-named) operator is. Greg
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]