RE: [cti] RE: Patterning Operators - CONTAINS

["Back, Greg" <gback@mitre.org>]

Comments inline.

> -----Original Message-----
> From: John-Mark Gurney [mailto:jmg@newcontext.com]
> Sent: Thursday, October 27, 2016 6:41 PM
> To: Back, Greg <gback@mitre.org>
> Cc: Kirillov, Ivan A. <ikirillov@mitre.org>; cti@lists.oasis-open.org
> Subject: Re: [cti] RE: Patterning Operators - CONTAINS
> 
...

> Forgot to address this issue in my email.  IN is not the same as CONTAINS.  a
> IN (x, y, ...) is short hande for a == x OR a == Y ..., and so not a proper set
> operation.

How is IN not (semantically) equivalent to a set operation, assuming we are talking about finite sets (even large finite sets like a /8 netblock)? 

> This means that we cannot repurpose IN w/o having confusing change of
> behavior of the IN operator.  As Jason pointed out, Oracle uses a new
> operator to handle IP subset identification.

I'm fine with having a special operator for IP subnet containment; I just don't think it should be a generic "subset" operator, at least until we identify more use cases for it. Re-using IN has its pros and cons, and subnet containment is a special case either way.
 
> The first standard use for this is black lists.  Is this IP part of a C&C network.
> 
> The second are things like, does the interface of this machine have this IP on
> it's local subnet:
> network-interface:network ISSUPERSET '192.168.1.5'

We don't currently define a network-interface object (that I can find), so at this point I'm still not convinced it's needed. That said, I'm not opposed to a (better-named) ISSUPERSET operator, since implementing it will likely be easy once the converse ISSUBSET (again, better-named) operator is. 

Greg