[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/689 +1 by inspection. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/689 I would like to see at least the version of Stix and Cybox that is supported documented.
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user cestella commented on the issue: https://github.com/apache/metron/pull/689 Yeah, it seems to me that we might need something like a location for discussion and description of architectural decisions made.
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user cestella commented on the issue: https://github.com/apache/metron/pull/689 Ah, for the moment we only have the StixExtractor. We could MAKE a cybox extractor and it could reuse the handler logic, but we haven't done that.
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/689 As for where... over in METRON-777 @mmiklavc is talking about a better documentation area... this may fall into that
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/689

> Can we handle just Cybox

What I mean is, can we import a file that is **ONLY** cybox observables, without Stix. Stix supports cybox. But they are separate things.
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user cestella commented on the issue: https://github.com/apache/metron/pull/689

Ok, so good questions @ottobackwards. I'll do my best to answer them, but the answer to some of these expands past this PR and to the history of Taxii support for Metron (which was one of the first things we added and thus at a period of time where documentation was scarcer than it is even now ;) )

* `Where is the documentation for the version of Stix and the Version of Cybox metron supports?` We do not currently document that, the answer is, however, that our support for Stix, cybox and taxii is entirely bound up in the mitre java-stix library. We use the most current version [released](https://github.com/STIXProject/java-stix/tree/v1.2.0.2), which is 1.2.0.2.
* `How is the extractor factored to handle support for other versions?` The extractor is handled to support other versions only insomuch as the java-stix library can support multiple versions. As this is officially supported by the stix project, I think that it's backwards compatible, but there may be nuance here that I'm missing.
* `How is the extractor factored to handle JSON if / when stix and cybox change over?` The extractor abstraction works at the level of the object model that the java-stix library provides us rather than doing actual parsing (i.e. we implement support for new types by providing a handler that looks for objects of that type as the output of the parse). If Stix moves to JSON, presumably the library will handle that transparently *or* we'll need another approach.
* `Can we handle just Cybox? Should this be factored to support them separately?` We can create handlers for anything the java-stix library can parse, but cybox seems to be common and officially supported by the stix project.
* `Where is the documentation for the support in this PR?` I added the new URI type to the README.md in metron-data-management. Since that's the scope of this PR, not to document better our taxii/stix/etc support.

Ok, so it's apparent that some of the design decisions around taxii never made it into documentation. A couple of questions for you:

* Where should that documentation live?
* Are we unhappy enough about having our abstraction bound to the (from what I can tell only) java library provided by the stix project that you'd like to start a discuss thread about developing a better approach to taxii?

Just a note on the second, we chose that because it was the only game in town other than parsing the XML ourselves and it was the officially supported library. I even looked into that and decided against it as the XML format is extremely complex with lots of referential links that need to get coalesced to handle the blocks of stix that come across.
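The handler-per-type idea and the reference coalescing discussed above, as an added Python sketch over a standalone CybOX 2.x observables file; it is not Metron or java-stix code, and Metron works on the java-stix object model rather than on raw XML. The names `HANDLERS`, `first_text` and `extract` and the sample document are hypothetical, and keying on the local part of `xsi:type` is a simplification.

```python
import xml.etree.ElementTree as ET
CYBOX = "http://cybox.mitre.org/cybox-2"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
PROPS_PATH = f"{{{CYBOX}}}Object/{{{CYBOX}}}Properties"

# Constructed sample: CybOX observables with no STIX wrapper around them.
SAMPLE = """<cybox:Observables
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <cybox:Observable id="example:obs-1"><cybox:Object>
    <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
      <URIObj:Value condition="Equals">http://bad.example/login</URIObj:Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:obs-2"><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
      <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable idref="example:obs-1"/>
  <cybox:Observable idref="example:missing"/>
</cybox:Observables>"""

def first_text(props, local):
    # Text of the first child with this local name, ignoring its namespace.
    return next((c.text.strip() for c in props
                 if c.tag.rsplit("}", 1)[-1] == local and c.text), None)

# Hypothetical handler table: one entry per supported object type.
HANDLERS = {
    "URIObjectType": lambda p: ("uri", first_text(p, "Value")),
    "AddressObjectType": lambda p: ("address", first_text(p, "Address_Value")),
}

def extract(xml_text):
    # ElementTree suits this constructed input; use a hardened parser for untrusted feeds.
    root = ET.fromstring(xml_text)
    observables = list(root.iter(f"{{{CYBOX}}}Observable"))
    by_id = {o.get("id"): o for o in observables if o.get("id")}
    found, skipped = set(), []
    for obs in observables:
        ref = obs.get("idref")
        target = by_id.get(ref) if ref else obs  # coalesce the reference
        props = None if target is None else target.find(PROPS_PATH)
        type_name = "" if props is None else props.get(f"{{{XSI}}}type", "").rsplit(":", 1)[-1]
        handler = HANDLERS.get(type_name)
        if handler is None:
            skipped.append(ref or type_name)  # dangling idref or unhandled type
            continue
        found.add(handler(props))
    return sorted(found), skipped
```

Supporting a new observable type means adding one entry to the table; references that cannot be resolved and types with no handler are reported rather than silently dropped.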
[GitHub] metron issue #689: METRON-1102: Add support for ingesting cybox URI observab...
Github user ottobackwards commented on the issue: https://github.com/apache/metron/pull/689

So, I think this is a great addition, but I have some comments.

- Where is the documentation for the version of Stix and the Version of Cybox metron supports?
- How is the extractor factored to handle support for other versions?
- How is the extractor factored to handle JSON if / when stix and cybox change over?
- Can we handle just Cybox? Should this be factored to support them separately?
- Where is the documentation for the support in this PR?