OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Secu

Using the STIX pattern grammar

  • 1.  Using the STIX pattern grammar

    Posted 08-17-2022 16:20
    Hi,

    I looked into the STIX pattern grammar (see relevant parts below). I think what is needed for CACAO is different enough that it shouldn’t be tied to this grammar.

    Issues:

    - $s are not acceptable identifier characters
    - The left-side of a STIX expression is an “objectPath”, which is how properties of SCOs are specified. From what I understand, object paths are not what will be used in CACAO.

    The STIX pattern grammar can certainly be used as a starting point for a CACAO expression grammar, but they should be discussed and maintained separately.

    Rich

    --
    Rich Piazza
    Lead Cyber Security Engineer
    The MITRE Corporation
    781-271-3760
    ––––––––––––––––––––––––––––––––––––
    MITRE - Solving Problems for a Safer World™

    From the pattern grammar

      propTest
        : objectPath NOT? (EQ|NEQ) primitiveLiteral       # propTestEqual
        | objectPath NOT? (GT|LT|GE|LE) orderableLiteral  # propTestOrder
        | objectPath NOT? IN setLiteral                   # propTestSet
        | objectPath NOT? LIKE StringLiteral              # propTestLike
        | objectPath NOT? MATCHES StringLiteral           # propTestRegex
        | objectPath NOT? ISSUBSET StringLiteral          # propTestIsSubset
        | objectPath NOT? ISSUPERSET StringLiteral        # propTestIsSuperset
        | LPAREN comparisonExpression RPAREN              # propTestParen
        | EXISTS objectPath                               # propTestExists
        ;

      objectPath
        : objectType COLON firstPathComponent objectPathComponent?
        ;

      objectType
        : IdentifierWithoutHyphen
        | IdentifierWithHyphen
        ;

      firstPathComponent
        : IdentifierWithoutHyphen
        | StringLiteral
        ;

      objectPathComponent
        : <assoc=left> objectPathComponent objectPathComponent  # pathStep
        | '.' (IdentifierWithoutHyphen | StringLiteral)         # keyPathStep
        | LBRACK (IntPosLiteral|IntNegLiteral|ASTERISK) RBRACK  # indexPathStep
        ;

      // After keywords, so the lexer doesn't tokenize them as identifiers.
      // Object types may have unquoted hyphens, but property names
      // (in object paths) cannot.
      IdentifierWithoutHyphen :
        [a-zA-Z_] [a-zA-Z0-9_]*
        ;

      IdentifierWithHyphen :
        [a-zA-Z_] [a-zA-Z0-9_-]*
        ;
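The two issues raised in the post can be checked mechanically. The following is an added example, not part of the original post or of the STIX or CACAO projects: a small recognizer for the quoted objectPath rule. The StringLiteral and index token patterns are assumptions (they are not in the excerpt), and the sample inputs, including the names containing `$`, are constructed.

```python
import re

# Lexer rules as quoted in the post.
IDENT_NO_HYPHEN = r"[a-zA-Z_][a-zA-Z0-9_]*"
IDENT_HYPHEN = r"[a-zA-Z_][a-zA-Z0-9_-]*"   # superset of the rule above
# Assumptions: these two token rules are not part of the quoted excerpt.
STRING_LIT = r"'(?:[^'\\]|\\.)*'"           # single-quoted, backslash escapes
INDEX = r"(?:[+-]?[0-9]+|\*)"               # IntPosLiteral | IntNegLiteral | ASTERISK

KEY = rf"(?:{IDENT_NO_HYPHEN}|{STRING_LIT})"
STEP = rf"\.{KEY}|\[{INDEX}\]"              # keyPathStep | indexPathStep

# objectPath : objectType COLON firstPathComponent objectPathComponent?
OBJECT_PATH = re.compile(
    rf"(?P<type>{IDENT_HYPHEN}):(?P<first>{KEY})(?P<rest>(?:{STEP})*)"
)


def parse_object_path(text):
    """Return (objectType, firstPathComponent, [steps]), or None when
    text is not a valid objectPath under the quoted rules."""
    m = OBJECT_PATH.fullmatch(text)
    if m is None:
        return None
    return m.group("type"), m.group("first"), re.findall(STEP, m.group("rest"))


# Constructed sample inputs.
SAMPLES = [
    "file:hashes.'SHA-256'",           # quoted key may contain a hyphen
    "network-traffic:protocols[0]",    # hyphen allowed in the object type
    "file:parent-directory",           # hyphen in an unquoted property name
    "$$target_ip$$",                   # '$' is outside both identifier rules
    "ipv4-addr:$$value$$",             # still rejected after a valid type
    "target_ip",                       # bare name: no objectType COLON prefix
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:35} -> {parse_object_path(s)}")
```

The last sample shows the second issue: even a name that satisfies the identifier rule is rejected, because the left side must be an objectType followed by a colon and a property path.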