Skip to content

Proposal: Allow User defined List Delimiters

Ivan Kirillov edited this page Dec 18, 2013 · 3 revisions

Status: Closed
Comment Period Closes: 12/17/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/87

Background Information

CybOX 2.0.1 allowed authors to express lists of items in a single field using a ##comma## delimiter when defining CybOX patterns.

Example 1:

<EmailMessageObj:From category="e-mail">
    <AddrObj:Address_Value condition="Equals" apply_condition="ANY">attacker@example.com##comma##attacker1@example.com##comma##attacker@bad.example.com</AddrObj:Address_Value>
</EmailMessageObj:From>

The above example is an excerpt of a larger email message observable pattern. This section of the pattern defines a list of email addresses, where ANY of the individual email addresses will satisfy the pattern evaluation criteria. The ##comma## delimiter separates the list values to be used in the evaluation of the pattern.

Proposal

Add a delimiter attribute to CybOX properties (fields) that allows CybOX authors to define a list delimiter. Pattern evaluation utilities can inspect the delimiter attribute before looking at the field value to determine the list delimiter value. The default value of the delimiter attribute will be set to ##comma## so as not to break backwards compatibility.

Example 2:

<EmailMessageObj:From category="e-mail">
    <AddrObj:Address_Value condition="Equals" apply_condition="ANY" delimiter="**">attacker@example.com**attacker1@example.com**attacker@bad.example.com</AddrObj:Address_Value>
</EmailMessageObj:From>

The above example is a clone of Example 1, except that this declares a delimiter attribute on the Address_Value field, set to **. The field values are separated by this delimiter as a result.

The delimiter attribute will be added to the PatternFieldGroup attribute group found within the CybOX Common schema. Doing this means it will be inherently added to BaseObjectPropertyType and every CybOX property field as a result.

Impact

There are no foreseen backwards compatibility issues.

Requested Feedback

  1. Does this allow CybOX authors to adequately express lists of field values when defining CybOX patterns?
Clone this wiki locally