Proposal: revise Observable composition operators

Proposal: revise Observable composition operators

Charles Schmidt (MITRE)
Administrator
Hello all,

This proposal deals with a proposal to remove some ambiguity in the
operators used to compose Observables in CybOX. Specifically, there is some
confusion as to how an operator value of NOT is to be interpreted if there
are multiple operands. (Is the meaning NOT-AND, or NOT-OR?)

A detailed proposal, including expected impacts, is attached. This
corresponds to item #5 in the CybOX Project/Schemas issue tracker on GitHub.
(https://github.com/CybOXProject) Please note that this is not describing an
accepted change but rather is a proposal being put forward for community
review and feedback. Comments and concerns with regard to this proposal are
welcome - please send comments in response to this message.

Thanks,
Charles (for the CybOX Team)

Attachment: ReviseObservableCompositionOperators.pdf (613K)
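
Added example (not part of the original post or the attached proposal): a small evaluator showing where the two readings of a multi-operand NOT diverge, so the same pattern matches in one consumer and not in another. The tree shape, the `legacy_not` switch and all names are assumptions made for illustration; the explicit form (AND/OR plus a negate flag defaulting to false) is inferred from the `@negate` attribute mentioned in the replies.

```python
from dataclasses import dataclass
from itertools import product


@dataclass
class Leaf:
    name: str                      # hypothetical observable identifier


@dataclass
class Composition:
    operator: str                  # "AND", "OR", or the ambiguous legacy "NOT"
    operands: list
    negate: bool = False           # assumed explicit form; default is false


def evaluate(node, facts, legacy_not="AND"):
    """Evaluate a composition tree against {observable name: seen?}."""
    if isinstance(node, Leaf):
        return facts[node.name]
    values = [evaluate(child, facts, legacy_not) for child in node.operands]
    if node.operator == "NOT":
        # Ambiguous with several operands: the consumer must pick a reading.
        combined = all(values) if legacy_not == "AND" else any(values)
        return not combined
    if node.operator == "AND":
        combined = all(values)
    elif node.operator == "OR":
        combined = any(values)
    else:
        raise ValueError(f"unknown operator: {node.operator}")
    return combined != node.negate  # XOR applies the explicit negation


def disagreements(names):
    """Fact assignments where NOT-AND and NOT-OR give different answers."""
    tree = Composition("NOT", [Leaf(n) for n in names])
    out = []
    for bits in product([False, True], repeat=len(names)):
        facts = dict(zip(names, bits))
        if evaluate(tree, facts, "AND") != evaluate(tree, facts, "OR"):
            out.append(facts)
    return out


if __name__ == "__main__":
    # Constructed sample: two observables, only one of them seen.
    for facts in disagreements(["file_hash", "mutex"]):
        print("readings differ for", facts)
```

With a single operand the two readings always agree; with n operands they differ on every assignment except all-true and all-false.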

RE: Proposal: revise Observable composition operators

Aharon
I am OK with this change. I know we are trying to be flexible here, but at the same time a bunch of @negate="false"s all over a document will just add to the noise of reading it. We should have something in the CybOX or STIX documentation recommending to only use false if it adds overall reading clarity.


Aharon

DTCC Non-Confidential (White)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
O: 813-470-2173



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Schmidt, Charles M.
Sent: Tuesday, February 26, 2013 9:55 AM
To: cybox-discussion-list Cyber Observable Expression/CybOX Discussi
Subject: Proposal: revise Observable composition operators

Hello all,

This proposal deals with a proposal to remove some ambiguity in the
operators used to compose Observables in CybOX. Specifically, there is some
confusion as to how an operator value of NOT is to be interpreted if there
are multiple operands. (Is the meaning NOT-AND, or NOT-OR?)

A detailed proposal, including expected impacts, is attached. This
corresponds to item #5 in the CybOX Project/Schemas issue tracker on GitHub.
(https://github.com/CybOXProject) Please note that this is not describing an
accepted change but rather is a proposal being put forward for community
review and feedback. Comments and concerns with regard to this proposal are
welcome - please send comments in response to this message.

Thanks,
Charles (for the CybOX Team)
_____________________________________________________________
DTCC DISCLAIMER: This email and any files transmitted with it are
confidential and intended solely for the use of the individual or
entity to whom they are addressed. If you have received this email
in error, please notify us immediately and delete the email and any
attachments from your system. The recipient should check this email
and any attachments for the presence of viruses. The company
accepts no liability for any damage caused by any virus transmitted
by this email.

RE: Proposal: revise Observable composition operators

Charles Schmidt (MITRE)
Administrator
Hi Aharon,

I agree - one of the things on our to-do list is the development of
something akin to a "style guide" for CybOX and STIX. Recommending that the
@negate attribute only appear when it isn't the default value of false is
probably something that should go there.

Charles

>-----Original Message-----
>From: Chernin, Michael A. [mailto:[hidden email]]
>Sent: Wednesday, February 27, 2013 6:23 AM
>To: Schmidt, Charles M.; cybox-discussion-list Cyber Observable
>Expression/CybOX Discussi
>Subject: RE: Proposal: revise Observable composition operators
>
>I am OK with this change. I know we are trying to be flexible here, but at
>the same time a bunch of @negate="false"s all over a document will just add
>to the noise of reading it. We should have something in the CybOX or STIX
>documentation recommending to only use false if it adds overall reading
>clarity.
>
>
>Aharon
>
>DTCC Non-Confidential (White)
>---------------------------------------------------
>Michael "Aharon" Chernin
>Security Automation Program Manager
>Corporate Information Security -Depository Trust & Clearing Corporation
>O: 813-470-2173