-
Notifications
You must be signed in to change notification settings - Fork 0
Proposal: Allow User defined List Delimiters
Status: Closed
Comment Period Closes: 12/17/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/87
CybOX 2.0.1 allowed authors to express lists of items in a single field using a ##comma##
delimiter when defining CybOX patterns.
Example 1:
<EmailMessageObj:From category="e-mail">
<AddrObj:Address_Value condition="Equals" apply_condition="ANY">attacker@example.com##comma##attacker1@example.com##comma##attacker@bad.example.com</AddrObj:Address_Value>
</EmailMessageObj:From>
The above example is an excerpt of a larger email message observable pattern. This section of the pattern defines a list of email addresses, where ANY
of the individual email addresses will satisfy the pattern evaluation criteria. The ##comma##
delimiter separates the list values to be used in the evaluation of the pattern.
Add a delimiter
attribute to CybOX properties (fields) that allows CybOX authors to define a list delimiter. Pattern evaluation utilities can inspect the delimiter
attribute before looking at the field value to determine the list delimiter value. The default value of the delimiter
attribute will be set to ##comma##
so as not to break backwards compatibility.
Example 2:
<EmailMessageObj:From category="e-mail">
<AddrObj:Address_Value condition="Equals" apply_condition="ANY" delimiter="**">attacker@example.com**attacker1@example.com**attacker@bad.example.com</AddrObj:Address_Value>
</EmailMessageObj:From>
The above example is a clone of Example 1, except that this declares a delimiter
attribute on the Address_Value
field, set to **
. The field values are separated by this delimiter as a result.
The delimiter
attribute will be added to the PatternFieldGroup
attribute group found within the CybOX Common schema. Doing this means it will be inherently added to BaseObjectPropertyType
and every CybOX property field as a result.
There are no foreseen backwards compatibility issues.
- Does this allow CybOX authors to adequately express lists of field values when defining CybOX patterns?