oasis-open / cti-pattern-validator

OASIS TC Open Repository: Validate patterns used to express cyber observable content in STIX Indicators
https://stix2-patterns.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

STIX 2.1 pattern validation failing on multiple START STOP qualifiers #66

Closed delliott90 closed 4 years ago

delliott90 commented 4 years ago

When running the following from a terminal:

validate-patterns -v 2.1
[network-traffic:src_port = 37020 AND user-account:user_id = 'root'] START t'2016-06-01T01:30:00.123Z' STOP t'2016-06-01T02:20:00.123Z' OR [ipv4-addr:value = '192.168.122.83'] START t'2016-06-01T03:55:00.123Z' STOP t'2016-06-01T04:30:24.743Z'

I get a failure: FAIL: The same qualifier is used more than once

I thought STIX patterns supported multiple START STOP qualifiers since the qualifier affects only the observation that immediately precedes it. Am I wrong in this?

delliott90 commented 4 years ago

It looks like it errors out on other qualifiers as well.

[network-traffic:src_port = 37020 AND user-account:user_id = 'root'] WITHIN 30 SECONDS OR [ipv4-addr:value = '192.168.122.83'] WITHIN 10 SECONDS

will fail with the same error message but curiously

[network-traffic:src_port = 37020 AND user-account:user_id = 'root'] WITHIN 10 SECONDS OR [ipv4-addr:value = '192.168.122.83'] WITHIN 10 SECONDS

will pass, I guess because the number of seconds is the same?

delliott90 commented 4 years ago

I see in the 2.1 documentation that, under the Observation Expression Qualifiers section there is the following: "An Observation Expression MUST NOT have more than one Qualifier of a particular type". However, this rule seems to be getting applied to the entire pattern.
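To make the scoping question concrete, here is an added example (not code from the cti-pattern-validator project, and not how its grammar is implemented) that applies the quoted rule the way the spec words it: per observation expression, not per pattern. It assumes a simplified syntax in which each qualifier immediately follows the bracketed observation expression it applies to and no parentheses group several observation expressions under one qualifier; the three patterns from this thread are embedded as inputs, plus one constructed pattern that really does repeat a qualifier on a single observation expression.

```python
import re

# An observation expression is a bracketed comparison expression. Quoted
# string literals may contain brackets, so they are consumed as a unit.
OBS_RE = re.compile(r"\[(?:[^\[\]']|'[^']*')*\]")

# The three qualifier forms STIX 2.1 defines for observation expressions.
# One capture group per form; the group that matched names the type.
QUALIFIER_RE = re.compile(
    r"\b(START)\s+t'[^']*'\s+STOP\s+t'[^']*'"
    r"|\b(WITHIN)\s+\d+(?:\.\d+)?\s+SECONDS\b"
    r"|\b(REPEATS)\s+\d+\s+TIMES\b",
    re.IGNORECASE,
)

# The three patterns from the issue (copied from the comments above).
THREAD_PATTERNS = [
    "[network-traffic:src_port = 37020 AND user-account:user_id = 'root'] "
    "START t'2016-06-01T01:30:00.123Z' STOP t'2016-06-01T02:20:00.123Z' OR "
    "[ipv4-addr:value = '192.168.122.83'] "
    "START t'2016-06-01T03:55:00.123Z' STOP t'2016-06-01T04:30:24.743Z'",
    "[network-traffic:src_port = 37020 AND user-account:user_id = 'root'] "
    "WITHIN 30 SECONDS OR [ipv4-addr:value = '192.168.122.83'] WITHIN 10 SECONDS",
    "[network-traffic:src_port = 37020 AND user-account:user_id = 'root'] "
    "WITHIN 10 SECONDS OR [ipv4-addr:value = '192.168.122.83'] WITHIN 10 SECONDS",
]

# Constructed for this example: a genuine violation, two WITHIN qualifiers
# on the same observation expression.
DUPLICATE_WITHIN = "[ipv4-addr:value = '192.168.122.83'] WITHIN 5 SECONDS WITHIN 10 SECONDS"


def qualifiers_per_observation(pattern):
    """Return one list of qualifier types (START/WITHIN/REPEATS) per observation expression.

    Assumption (this example's simplification): the qualifiers that apply to an
    observation expression are the ones found between its closing ']' and the
    next '[' (or the end of the pattern). Parenthesised grouping is not handled.
    """
    obs = list(OBS_RE.finditer(pattern))
    result = []
    for i, m in enumerate(obs):
        end = obs[i + 1].start() if i + 1 < len(obs) else len(pattern)
        tail = pattern[m.end():end]
        types = []
        for q in QUALIFIER_RE.finditer(tail):
            # Exactly one capture group is non-empty: the qualifier keyword.
            types.append(next(g for g in q.groups() if g).upper())
        result.append(types)
    return result


def check_qualifier_rule(pattern):
    """Apply 'no more than one Qualifier of a particular type' per observation expression.

    Returns a list of error strings; an empty list means the rule is satisfied.
    Two observation expressions each carrying their own START/STOP (or WITHIN)
    are fine; the rule only bites when a single expression repeats a type.
    """
    errors = []
    for idx, types in enumerate(qualifiers_per_observation(pattern), start=1):
        seen = set()
        for t in types:
            if t in seen:
                errors.append(f"observation expression {idx}: qualifier {t} used more than once")
            seen.add(t)
    return errors


if __name__ == "__main__":
    for p in THREAD_PATTERNS + [DUPLICATE_WITHIN]:
        print(check_qualifier_rule(p) or "PASS", "<-", p)
```

Under this per-expression scoping all three patterns from the thread pass and only the constructed pattern is rejected, which is the behaviour the quoted sentence of the spec describes; a check that instead collects qualifiers across the whole pattern would flag the first two thread patterns as well.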

mdazam1942 commented 4 years ago

@clenk do you have any comment on this?

chisholm commented 4 years ago

Looks like a bug in the validator. I am having a look at it.

mdazam1942 commented 4 years ago

@clenk @chisholm thanks for the quick response.