CTI STIX Subcommittee

 View Only
  • 1.  Questions on boolean observation operators and on network-traffic

    Posted 03-26-2018 12:53
    Hello everyone. I have been working with our team on implementing some things surrounding SCO and pattern and have run into some questions that I actually can't answer / recall what we were thinking when we designed these sections, and am hoping for some guidance. Question #1: boolean observation operators The first question surrounds section 4.1, observation operators. We are having a very difficult time coming up with a logical difference between [ a ] AND [ b ] and [ a ] OR [ b ] : [ a ] AND [ b ] a and b MUST both be Observation Expressions and MUST both evaluate to true on different Observations. Left to right [ a ] OR [ b ] a and b MUST both be Observation Expressions and one of a or b MUST evaluate to true on different Observations. Left to right The problem is, these are logically equivalent because of the fact that [a] and [b] MUST be different observations, which essentially morphs the "AND" into an "OR" in the first clause.... I challenge anyone to find any examples of tests and/or data whereby [ a ] AND [ b ] will result in a different evaluation than [ a ] OR [ b ] ... This poses the question - should "AND" even be a valid observation operator ? Question #2: network-traffic object protocols The second question surrounds the "protocols" enumeration on network-traffic. This field is marked as REQUIRED - however there are numerous situations where it is unknown, where one still wants to record the network-traffic. I believe this field should be changed to be OPTIONAL. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security "Things may come to those who wait, but only the things left by those who hustle." - Unknown


  • 2.  Re: [cti-stix] Questions on boolean observation operators and on network-traffic

    Posted 04-10-2018 00:00
    Jason Keirstead wrote this message on Mon, Mar 26, 2018 at 08:52 -0400: > Hello everyone. I have been working with our team on implementing some > things surrounding SCO and pattern and have run into some questions that I > actually can't answer / recall what we were thinking when we designed > these sections, and am hoping for some guidance. > > Question #1: boolean observation operators > > The first question surrounds section 4.1, observation operators. We are > having a very difficult time coming up with a logical difference between [ > a ] AND [ b ] and [ a ] OR [ b ]: > > [ a ] AND [ b ] > a and b MUST both be Observation Expressions and MUST both evaluate to > true on different Observations. > Left to right > [ a ] OR [ b ] > a and b MUST both be Observation Expressions and one of a or b MUST > evaluate to true on different Observations. > Left to right > > The problem is, these are logically equivalent because of the fact that > [a] and [b] MUST be different observations, which essentially morphs the > "AND" into an "OR" in the first clause.... I challenge anyone to find any > examples of tests and/or data whereby [ a ] AND [ b ] will result in a > different evaluation than [ a ] OR [ b ]... > > This poses the question - should "AND" even be a valid observation > operator ? Originally we didn't have an OR, but just an AND, but I was convienced to add OR... By themselves, they are still different, as the AND requires two Observed data's to match, while the OR only requires one observed data object to match... OR was added because of the requirement that with in a single observation expression, that the object-type (ala ipv4-addr: or user-account:) be the same for ALL parts of the expression... so, you couldn't do: [ ipv4-addr:value = '192.168.0.1' OR user-account:name = 'jqp' ] and instead, have to do: [ ipv4-addr:value = '192.168.0.1' ] OR [ user-account:name = 'jqp' ] This is also significant when combined w/ other qualifiers, such as WITHIN x SECONDS, or REPEATS > Question #2: network-traffic object protocols > > The second question surrounds the "protocols" enumeration on > network-traffic. This field is marked as REQUIRED - however there are > numerous situations where it is unknown, where one still wants to record > the network-traffic. I believe this field should be changed to be > OPTIONAL. In what cases could it be unknown? You at least know it's IP, if you provide an IP address... Also, interestingly, protocols is the ONLY required field on network-traffic... If you don't know what the protocol of the object, how do you know it's network-traffic? -- John-Mark


  • 3.  Re: [cti-stix] Questions on boolean observation operators and on network-traffic

    Posted 04-10-2018 17:30




    I am a little confused by your assertions in Question #1.
    As far as I can see, there is a clear difference between
    [ a ] AND [ b ] and
    [ a ] OR [ b ] .
    [a] evaluates to true if there is any observation present in the queried observation set where a is
    true.
    [b] evaluates to true if there is any observation present in the queried observation set where b is
    true.
    [ a ] OR [ b ] evaluates to true if there is any observation present in the queried observation set
    where a is true OR there is any observation present in the queried observation set where b is true
    [ a ]AND [ b ] evaluates to true if there is any observation present in the queried observation set
    where a is true AND there is any observation present in the queried observation set where b is true
    The requirement that “ [a] and
    [b] MUST be different observations” has no effect on the logic involved.
     
    Using JMG’s examples for a and b ([a]= [ ipv4-addr:value = '192.168.0.1' ] & [b]= [ user-account:name = 'jqp' ] ), there is a clear difference
    between [a] OR [b] & [a] AND [b].

    If the observation set contains no observations where
    [ ipv4-addr:value = '192.168.0.1' ] is true and no observations where
    [ user-account:name = 'jqp' ] is true then: [a] is false, [b] is false, [a] OR [b] is false, and [a] AND [b] is false
    If the observation set contains an observation where
    [ ipv4-addr:value = '192.168.0.1' ] is true and no observations where
    [ user-account:name = 'jqp' ] is true then: [a] is true, [b] is false, [a] OR [b] is true, and [a] AND [b] is false
    If the observation set contains no observations where
    [ ipv4-addr:value = '192.168.0.1' ] is true and an observation where
    [ user-account:name = 'jqp' ] is true then: [a] is false, [b] is true [a] OR [b] is true, and [a] AND [b] is false
    If the observation set contains an observation where
    [ ipv4-addr:value = '192.168.0.1' ] is true and an observation where
    [ user-account:name = 'jqp' ] is true then: [a] is true, [b] is true, [a] OR [b] is true, and [a] AND [b] is true
     
    I definitely believe that both OR and AND are necessary.
    While it is true that any situation where AND resolves true, OR will also resolve true, it is not the case that any situation where OR resolves true that AND will also resolve true.
    This is simply the nature of boolean operations. It does not preclude the usefulness of either operator.
     
    Jason, I am not sure what I am missing in your assertion.
     
     
    On question #2, I would agree that ‘protocols’ should be optional. We see many different network-traffic indicators where the protocol is not asserted either because
    it is unknown or it is intentionally left out so as not to restrict its application to a specific protocol(s)
     
     
     
    Sean Barnum
    Principal Architect
    FireEye
    M: 703.473.8262

    E: sean.barnum@fireeye.com

    From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Date: Monday, March 26, 2018 at 8:52 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Questions on boolean observation operators and on network-traffic


     

    Hello everyone. I have been working with our team on implementing some things surrounding SCO and pattern and have run into some questions that I
    actually can't answer / recall what we were thinking when we designed these sections, and am hoping for some guidance.


    Question #1: boolean observation operators

    The first question surrounds section 4.1, observation operators. We are having a very difficult time coming up with a logical difference between
    [ a ] AND [ b ] and [ a ] OR [ b ] :




    [ a ]
    AND [
    b ]



    a and
    b MUST both be Observation Expressions and MUST both evaluate to true on
    different Observations.



    Left to right





    [ a ]
    OR [
    b ]



    a and
    b MUST both be Observation Expressions and one of a or b MUST evaluate to true on
    different Observations.



    Left to right







    The problem is, these are logically equivalent because of the fact that
    [a] and [b] MUST be different observations, which essentially morphs the "AND" into an "OR" in the first clause.... I challenge anyone to find any examples of tests and/or data whereby
    [ a ] AND [
    b ] will result in a different evaluation than
    [ a ] OR [
    b ] ...

    This poses the question -
    should "AND" even be a valid observation operator ?

    Question #2: network-traffic object protocols

    The second question surrounds the "protocols" enumeration on network-traffic. This field is marked as REQUIRED - however there are numerous situations
    where it is unknown, where one still wants to record the network-traffic. I believe this field should be changed to be OPTIONAL.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security

    "Things may come to those who wait, but only the things left by those who hustle." - Unknown





    This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited.
    If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.





  • 4.  Re: [cti-stix] Questions on boolean observation operators and on network-traffic

    Posted 04-24-2018 16:22
    Hi - I thought I replied to this already but it may have gotten lost.   We discussed this on Slack a bit and the conclusion we came to is the reason I was having a hard time is because I was coming at it from the point of view of search vs. the point of view of analysis.   If you're using STIX patterning as a way to find things (search) - then there is actually no difference between  [ a ] AND [ b ]   and   [ a ] OR [ b ] . The result set returned in this case will be an identical set. When it matters is if you're doing stateful analytics whose output is a binary true/false. In that case, there is a big difference, as you point out.   - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security Things may come to those who wait, but only the things left by those who hustle. - Unknown