CTI STIX Subcommittee

  • 1.  Indicators and patterning

    Posted 10-25-2016 18:36
    All,

    When we started really working on STIX 2.0 we had this idea that CybOX was going to be separate and we should treat it as a separate thing entirely. This unfortunately caused us to make some design decisions in STIX to reflect this artificial line in the sand we had drawn. Fast forward 10 months and we have now merged STIX and CybOX, and during this merge we have been able to clean up some of the weirdness that existed with the artificial line in the sand. There is, however, one thing that is still in the specification, that we did because of this separation, that I would personally like us to get rid of.

    In Indicators we created the following 3 fields to address the artificial separation:

    - pattern
    - pattern_lang
    - pattern_lang_version

    The idea was that if we are going to support CybOX as a separate "thing" we might also want to support "other" things. I would suggest at this stage we drop support for "other" things and just have a single "pattern" property. If people want to do YARA or SNORT, they can do it via a custom property. And if we find in a later release that lots of people want to support YARA or SNORT, we can then create properties for them.

    Bret


  • 2.  RE: Indicators and patterning

    Posted 10-25-2016 20:21
    I think getting rid of pattern_lang and pattern_lang_version makes sense (and I assume pattern-lang-ov would go away as well). My only concern with using custom properties is that if the "pattern" field is required, I'm not sure what would go in that field for other types of indicators.

    Greg


  • 3.  Re: Indicators and patterning

    Posted 10-25-2016 21:17
    Yeah, we might need to make a small tweak to the normative language around it. But it seems like the right thing to do, now that we have merged STIX and CybOX and are no longer treating them artificially as separate things...

    Bret
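The two shapes under discussion, as an added example (not code from the thread or from the STIX project): a checker for Bret's proposed Indicator (a single required "pattern", no pattern_lang / pattern_lang_version) and a migration of pre-merge objects into it that makes Greg's concern concrete. The sample objects, the language value "stix", and the custom property name x_<lang>_pattern are assumptions for illustration.

```python
import copy

# Properties the proposal removes from Indicator.
DROPPED = ("pattern_lang", "pattern_lang_version")

# Constructed sample objects in the pre-merge shape (ids are placeholder UUIDs,
# "stix" as the pattern_lang value is an assumed name for the native language).
STIX_OLD = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "labels": ["malicious-activity"],
    "pattern": "[domain-name:value = 'example.com']",
    "pattern_lang": "stix",
    "pattern_lang_version": "2.0",
    "valid_from": "2016-10-25T18:36:00Z",
}
YARA_OLD = dict(STIX_OLD, id="indicator--00000000-0000-4000-8000-000000000002",
                pattern='rule demo { strings: $a = "demo" condition: $a }',
                pattern_lang="yara", pattern_lang_version="3.5")


def check_indicator(obj):
    """Return findings for an Indicator checked against the proposed shape."""
    findings = []
    for name in DROPPED:
        if name in obj:
            findings.append(f"property '{name}' is no longer defined")
    pattern = obj.get("pattern")
    if not isinstance(pattern, str) or not pattern.strip():
        findings.append("required property 'pattern' is missing or empty")
    return findings


def migrate_indicator(old):
    """Rewrite a pre-merge Indicator into the proposed single-'pattern' shape.

    A STIX-language pattern keeps 'pattern'.  Any other language moves to an
    assumed custom property x_<lang>_pattern and 'pattern' is dropped, so the
    result fails check_indicator(): exactly the gap Greg raises.
    """
    new = copy.deepcopy(old)
    lang = new.pop("pattern_lang", "stix").lower()
    new.pop("pattern_lang_version", None)
    if lang != "stix":
        new[f"x_{lang}_pattern"] = new.pop("pattern")
    return new
```

Running check_indicator on the migrated YARA object reports only the missing "pattern", which is the normative-language tweak Bret says the proposal still needs.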