Re: [mile] IODEF predicate logic

"Roman D. Danyliw" <rdd@cert.org> Tue, 30 July 2013 09:54 UTC

From: "Roman D. Danyliw" <rdd@cert.org>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "mile@ietf.org" <mile@ietf.org>
Date: Tue, 30 Jul 2013 09:53:51 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC13C56E47@marathon>
References: <1C9F17D1873AFA47A969C4DD98F98A753E59AE@xmb-rcd-x10.cisco.com>
In-Reply-To: <1C9F17D1873AFA47A969C4DD98F98A753E59AE@xmb-rcd-x10.cisco.com>
Subject: Re: [mile] IODEF predicate logic

Hi Panos!

Could you describe a little more about what you had in mind with the predicate logic? In your email below you used the terminology "multiple indicators on one folder" which I hadn't read before. Did you mean multiple indicators in a single IODEF document?

In seeking clarity in Section 4.4 of draft-ietf-mile-iodef-guidance-01 I had a few questions.  Citing this section ...

> [I-D.ietf-mile-rfc5070-bis] defines two new category attributes in
> the System Class.  These are watchlist-source and watchlist-
> destination and they serve for watchlist indicator groupings.  When
> an IODEF Node consists of two or more System Classes with various
> watchlist-source and watchlist-destination attributes (watchlist of
> Systems) 

Isn't that reversed, "When an IODEF **System** consists of two or more **Node** classes with the category attribute set to watchlist-source or watchlist-destination ...", since Node is a sub-element of System? However, this isn't consistent with the -00 draft since System can only contain exactly 1 node.

[snip]
    <xs:element name="System">
      <xs:complexType>
        <xs:sequence>
          <xs:element ref="iodef:Node" maxOccurs="unbounded"/>
...

> the System information should be ORed with the information
> in the Flow Class.  

Could you clarify what it means to OR multiple Systems in the Flow class? For example, with a snippet as follows,

<EventData> ...
  <Flow>
    <System category="watchlist-source"><Node><Address>IP1</Address> ... </Node></System>
    <System category="watchlist-source"><Node><Address>IP2</Address> ... </Node></System>
    <System category="watchlist-source"><Node><Address>IP3</Address> ... </Node></System>
  </Flow>
  <Flow>
    <System category="watchlist-source"><Node><Address>IP4</Address> ... </Node></System>
    <System category="watchlist-source"><Node><Address>IP5</Address> ... </Node></System>
    <System category="watchlist-source"><Node><Address>IP6</Address> ... </Node></System>
  </Flow>
</EventData>

Is the watchlist defined as "(IP1 OR IP2 OR IP3) AND (IP4 OR IP5 OR IP6)"?

> In other words, either System description should
> be considered as a watchlist indicator.  The rest of the content in
> the EventData Class the Node belongs to should be combined with the
> watchlist of Systems using AND logic.  

Is this AND logic applied across different Flow classes or any other indicator in the EventData class parent outside of the Flow parent of the given System class of interest?  

Roman

From: mile-bounces@ietf.org [mailto:mile-bounces@ietf.org] On Behalf Of Panos Kampanakis (pkampana)
Sent: Monday, July 15, 2013 4:02 PM
To: mile@ietf.org
Subject: [mile] IODEF predicate logic

Hello everyone,

In the past people have asked how IODEF can combine multiple indicators in one IODEF definition. For example a question can be, if there are more than two malicious addresses, how they can be added in one definition and what is the logic behind how they are combined?

draft-ietf-mile-rfc5070-bis-00 introduces some watchlist fields that allow for multiple indicators on one folder. In draft-ietf-mile-iodef-guidance-01 I have added section http://tools.ietf.org/html/draft-ietf-mile-iodef-guidance-01#section-4.4 that describes how the predicate logic works.

Comments and thoughts are welcome.

Rgs,
Panos