A few questions about MAEC version 1.1


A few questions about MAEC version 1.1

Blake Hartstein
Hi everybody, thanks for MAEC.

I have a few questions about the current version 1.1 release; I hope
that these are solved in the new upcoming release.

In complexType uriObject, what is the point of NoQuestionMark uriString
not allowing question mark characters? Since uriString can't have
question marks, was this intended to be HTML escaped, or was this
mistakenly swapped with the xs:string path?

Why are the handles of element Process_Object_Attributes so simple? The
nested objects are simply xs:integer Name (no other fields). I'd like to
link a handle to an ObjectType (with type="Handle"); what is the best
way to link these to the process? I suppose that I should use
Related_Objects to link these, but it isn't as clear cut as some of the
others, so it could deserve some additional fields for the HandleType
(Key, File), and an Object Reference.

Cheers,
Blake

RE: A few questions about MAEC version 1.1

Kirillov, Ivan A.
Hi Blake,

Good questions!

We actually import the uriObject (and several others) from v1.1 of the IEEE ICSG's Malware Metadata Exchange Schema; it turns out that in this schema, there is a separate object for capturing any parameters of URLs (e.g. ?query=something), which is why they don't allow question mark characters in uriString. I'll ask the schema authors what their rationale for doing so was, but I think that in MAEC 2.0 we'll likely switch to an xs:string type for URIs, so that you can specify the full URI as a single element.

Thanks for pointing out the missing attributes with regard to process handles; we first added handles to process object attributes in MAEC 1.1 as a feature request, and simply overlooked attributes other than name. Right now your best bet may be to define a new object with a type of 'Handle' and then use the Custom_Object_Attributes to define any of the missing types. You can then link to this object using the 'Related_Objects' element.

Clearly this isn't optimal, so in MAEC 2.0 we've defined handle attributes (using Mandiant's OpenIOC as a reference) for Name, Type, Pointer Count, Handle Count, Object Address, Access Mask, and Index. We're also trying to make sure that handles can be defined for all relevant objects, including registry keys, files, directories, and processes; to do so, we'll likely have a similar 'Handles' element for each of these objects.

Regards,
Ivan

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Blake Hartstein
Sent: Tuesday, May 10, 2011 2:43 PM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: A few questions about MAEC version 1.1
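A sketch of the two points raised in the thread, added here as example code that is not from the MAEC project or either poster: splitting a full URI into a NoQuestionMark uriString plus the separately captured query parameters, and the interim MAEC 1.1 workaround of a separate 'Handle' object carrying the missing fields in Custom_Object_Attributes, linked from the process through Related_Objects. The element nesting, the attribute names (id, object_id, relationship, Attribute/name) and the ids are assumptions for illustration, not the MAEC 1.1 schema itself.

```python
# Added example, not MAEC project code. Element nesting and attribute names
# below are assumed for illustration; only the element names mentioned in the
# thread (Process_Object_Attributes, Handles, Name, Custom_Object_Attributes,
# Related_Objects, type="Handle") come from the discussion.
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The NoQuestionMark restriction on uriString: no '?' anywhere (assumed regex).
NO_QUESTION_MARK = re.compile(r"^[^?]*$")


def split_uri(full_uri: str) -> tuple[str, str]:
    """Split a full URI into a NoQuestionMark-safe uriString and the query
    string that the imported schema expects in its separate parameter object."""
    parts = urlsplit(full_uri)
    uri_string = parts._replace(query="", fragment="").geturl()
    if not NO_QUESTION_MARK.match(uri_string):  # defensive: should never fire
        raise ValueError("uriString still contains '?'")
    return uri_string, parts.query


def handle_workaround(process_id: str, handle_name: int,
                      handle_type: str, object_ref: str):
    """Build the 1.1 workaround: a separate Object of type 'Handle' whose
    missing fields (HandleType, Object_Reference) live in
    Custom_Object_Attributes, linked from the process via Related_Objects.
    Returns (process_element, handle_element); ids are constructed."""
    handle_id = f"handle-{handle_name}"  # constructed id
    handle = ET.Element("Object", id=handle_id, type="Handle")
    custom = ET.SubElement(handle, "Custom_Object_Attributes")
    ET.SubElement(custom, "Attribute", name="HandleType").text = handle_type
    ET.SubElement(custom, "Attribute", name="Object_Reference").text = object_ref

    process = ET.Element("Object", id=process_id, type="Process")
    attrs = ET.SubElement(process, "Process_Object_Attributes")
    handles = ET.SubElement(attrs, "Handles")
    # In 1.1 the nested handle carries only an xs:integer Name, as Blake noted.
    ET.SubElement(handles, "Name").text = str(handle_name)
    related = ET.SubElement(process, "Related_Objects")
    ET.SubElement(related, "Related_Object", object_id=handle_id,
                  relationship="Handle")
    return process, handle


def linked_handle_ids(process: ET.Element) -> list[str]:
    """Ids of all handle objects a process points at through Related_Objects."""
    return [ro.get("object_id")
            for ro in process.findall("Related_Objects/Related_Object")
            if ro.get("relationship") == "Handle"]
```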