

Subject: Re: [cti] concerns about 'artifact' object's payload_bin property size limit(<=10MB) of STIX 2.0


I think I agree with Cheolho Lee's use case as well.

Consider one who wants to submit a 15MB APK for analysis to say Virus Total, via STIX/TAXII. How would that be accomplished via a URL? I am not running a web server on the client side.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:        Trey Darley <trey@newcontext.com>
To:        Cheolho Lee <chlee@nsr.re.kr>
Cc:        cti@lists.oasis-open.org
Date:        08/28/2017 01:56 PM
Subject:        Re: [cti] concerns about 'artifact' object's payload_bin property size limit(<=10MB) of STIX 2.0
Sent by:        <cti@lists.oasis-open.org>




On 24.08.2017 17:40:17, Cheolho Lee wrote:
>
> In the problem of a large size file over 10MB, my next question is
> on the use of multiple artifact objects with their multiple
> separated archived files for a large file.
>
> Archived files are also represented as archive extensions of file
> objects which are separately archived from a large file, and they are
> linked to artifact objects which have payload_bin < 10MB.
>

Hi, Cheolho -

Sharing a file <10MB archived and split across multiple artifact
objects could be a bit messy. In order to support this, at a minimum
we'd need to define additional properties on the artifact object to
capture the archive method (zip, tar, etc) and the ordering of the
archive in order to enable consumers to reassemble and extract the
split archive.

We could of course decide to add these capabilities but as we already
have a mechanism designed specifically to address sharing artifacts
<10MB (via the artifact url property) I'd be curious to hear from
others for whom this does not work.

One of our core design principles for STIX 2 has been to avoid
creating two different ways of accomplishing the same thing wherever
possible - which this would certainly entail. Design principles
represent an ideal that we strive for but meeting the needs of the CTI
TC community can justify making pragmatic exceptions. I think we'd
need to hear from some additional voices before taking such a
decision.

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Director of Standards Development, New Context
gpg fingerprint: 3918 9D7E 50F5 088F 823F  018A 831A 270A 6C4F C338
++--------------------------------------------------------------------------++
--
"Law stands mute in the midst of arms." --Cicero
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
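
An added example, not part of either message above: a sketch of the two ways a STIX 2.0 `artifact` object can carry content that the thread contrasts, embedding in `payload_bin` versus referencing by `url` with a hash. The helper names, the sample URL, and the choice to measure the limit on raw bytes rather than on the base64 text are assumptions of this example.

```python
import base64
import hashlib

# Limit named in the thread's subject line. Counting raw bytes (not the
# base64 text) is an assumption of this example.
PAYLOAD_BIN_LIMIT = 10 * 1024 * 1024


def make_artifact(data, mime_type, url=None):
    """Return a STIX 2.0 'artifact' object for data, as a dict.

    Small payloads are embedded in payload_bin. Larger ones are referenced
    by url, with a hash so the consumer can verify what it downloads.
    """
    artifact = {"type": "artifact", "mime_type": mime_type}
    if len(data) <= PAYLOAD_BIN_LIMIT:
        artifact["payload_bin"] = base64.b64encode(data).decode("ascii")
        return artifact
    if url is None:
        # The situation raised in the reply: a producer with a large file
        # and nowhere to host it cannot build a valid artifact object.
        raise ValueError("payload exceeds payload_bin limit and no url given")
    artifact["url"] = url
    artifact["hashes"] = {"SHA-256": hashlib.sha256(data).hexdigest()}
    return artifact


def verify_download(artifact, fetched):
    """Consumer-side check: does fetched content match the artifact's hash?"""
    expected = artifact["hashes"]["SHA-256"]
    return hashlib.sha256(fetched).hexdigest() == expected


if __name__ == "__main__":
    apk_mime = "application/vnd.android.package-archive"
    big = bytes(15 * 1024 * 1024)  # constructed 15MB stand-in for an APK
    # Constructed URL; the producer would need somewhere to host the file.
    ref = make_artifact(big, apk_mime, url="https://files.example.org/sample.apk")
    print(sorted(ref))
    print(verify_download(ref, big))
```
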




