ASF GitHub Bot commented on METRON-1102:

Github user cestella commented on the issue:

    Ok, so good questions @ottobackwards .  I'll do my best to answer them, but 
the answer to some of these expands past this PR and to the history of Taxii 
support for Metron (which was one of the first things we added and thus at a 
period of time where documentation was scarcer than it is even now ;) )
    * `Where is the documentation for the version of Stix and the Version of 
Cybox metron supports?`
    We do not currently document that, the answer is, however, that our support 
for Stix, cybox and taxii is entirely bound up in the mitre java-stix library.  
We use the most current version 
[released](https://github.com/STIXProject/java-stix/tree/v1.2.0.2), which is
    * `How is the extractor factored to handle support for other versions?`
    The extractor is handled to support other versions only insomuch as the 
java-stix library can support multiple versions.  As this is officially 
supported by the stix project, I think that it's backwards compatible, but 
there may be nuance here that I'm missing.
    * `How is the extractor factored to handle JSON if / when stix and cybox 
change over?`
    The extractor abstraction works at the level of the object model that the 
java-stix library provides us rather than doing actual parsing (i.e. we 
implement support for new types by providing a handler that looks for objects 
of that type as the output of the parse).  If Stix moves to JSON, presumably 
the library will handle that transparently *or* we'll need another approach.
    * `Can we handle just Cybox? Should this be factored to support them 
    We can create handlers for anything the java-stix library can parse, but 
cybox seems to be common and officially supported by the stix project.
    * `Where is the documentation for the support in this PR?`
    I added the new URI type to the README.md in metron-data-management.  Since 
that's the scope of this PR, not to document better our taxii/stix/etc support.
    Ok, so it's apparent that some of the design decisions around taxii never 
made it into documentation.  A couple of questions for you:
    * Where should that documentation live?
    * Are we unhappy enough about having our abstraction bound to the (from 
what I can tell only) java library provided by the stix project that you'd like 
to start a discuss thread about developing a better approach to taxii?
    Just a note on the second, we chose that because it was the only game in 
town other than parsing the XML ourselves and it was the officially supported 
library.  I even looked into that and decided against it as the XML format is 
extremely complex with lots of referential links that need to get coalesced to 
handle the blocks of stix that come across.

> Add support for ingesting cybox URI observables from taxii feeds
> ----------------------------------------------------------------
>                 Key: METRON-1102
>                 URL: https://issues.apache.org/jira/browse/METRON-1102
>             Project: Metron
>          Issue Type: Bug
>            Reporter: Casey Stella
> There would be value in ingesting URIs from taxii feeds.  As of now, we do 
> not do this.

This message was sent by Atlassian JIRA

Reply via email to