[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] ID Contributing Properties
That was definitely not the intended behavior. It looks like it is just a wording glitch. The non-hash properties if listed should always be included as material for id generation. Sean Barnum Principal Architect FireEye M: 703.473.8262 E: sean.barnum@fireeye.com From: <cti@lists.oasis-open.org> on behalf of "Piazza, Rich" <rpiazza@mitre.org> (Apologies if you already saw this on the cti users list) Iâm attempting to derive ârealâ deterministic ids for the examples in the spec. Right now the SCO are expressed as âstand-insâ that look like âtype--00000000-0000-0000-0000-000000000000â. Iâm writing a script that will generate the ids â but I have encountered some text in the spec which seems ambiguous. They concern SCOs where a hash is one of the id contributing properties: Here are the three uses: For Artifact: hashes, payload_bin Where
1. if hashes exists
only include 1 hash from this common ordered list (based on the following order of preference) [ md5, sha1, sha256, sha512 ] 2. if
no hashes are defined and payload_bin exists include only the payload_bin For File: hashes, name, extensions Where
1. if hashes exists
include 1 hash from this ordered list [ md5, sha1, sha256, sha512 ] only
2. If no hashes
a. Include defined extensions b. Include
defined name For X509 Certificates: hashes, serial_number Where
1. if hashes exists
include 1 hash from this ordered list [ md5, sha1, sha256, sha512 ] only
2. Include serial_number The way I read this, Artifact and File only include other properties if there are no hashes available, but X509 Certificates always includes serial_number. If that is the case, then I would probably want to clean up the text â but Iâm not sure that this is what was intended. Can someone more explicitly describe the use of the contributing properties for these three types? Rich -- Rich Piazza The MITRE Corporation 781-271-3760 CAUTION: This email originated from outside of FireEye from a third party. Please take extra precaution clicking on any embedded links or downloading and opening file attachments. If you feel this is a suspicious
email, please use the âReport Phishingâ button in your Outlook toolbar. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]