[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] RE: Indicators and patterning
I think this would be a re-evaluation of whether we think it's valuable to be able to use Snort and YARA patterns instead of STIX Patterns in Indicators. At the time, we opened this up as an extension because we felt that people would want to, for example, write a YARA pattern and use that in an indicator that they link to some malware. YARA, Snort, and OpenIOC are very popular languages for sharing IOCs, after all -- more so than STIX.

IMO the merge of STIX and CybOX into a single Work Product doesn't really change that reasoning. That said, I was always relatively ambivalent on this point, so if consensus is to remove them I wouldn't object too much.

John

From: <cti-stix@lists.oasis-open.org> on behalf of Greg Back <gback@mitre.org>

I think getting rid of pattern_lang and pattern_lang_version makes sense (and I assume pattern-lang-ov would go away as well). My only concern with using custom properties is that if the "pattern" field is required, I'm not sure what would go in that field for other types of indicators.

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Bret Jordan (CS)

All,

When we started really working on STIX 2.0 we had this idea that CybOX was going to be separate and we should treat it as a separate thing entirely. This unfortunately caused us to make some design decisions in STIX to reflect this artificial line in the sand we had drawn. Fast forward 10 months and we have now merged STIX and CybOX, and during this merge we have been able to clean up some of the weirdness that existed with the artificial line in the sand.

There is, however, one thing that is still in the specification, that we did because of this separation, that I would personally like us to get rid of. In Indicators we created the following 3 fields to address the artificial separation:

- pattern
- pattern_lang
- pattern_lang_version

The idea was that if we are going to support CybOX as a separate "thing" we might also want to support "other" things. I would suggest at this stage we drop support for "other" things and just have a single "pattern" property. If people want to do YARA or Snort, they can do it via a custom property. And if we find in a later release that lots of people want to support YARA or Snort we can then create properties for them.

Bret
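The two Indicator shapes under discussion, as an added example that is not part of this thread or of any OASIS specification text: a small Python checker that applies the proposed rule (one required "pattern" property, any other language carried in a custom property) and makes Greg Back's concern concrete, because a YARA-only indicator has nothing to put in "pattern" and fails the check. The sample objects, the UUID and the x_example_* property names are constructed for the example; the custom-property regex follows the STIX 2.0 naming convention (lowercase ASCII, digits and underscores, 3 to 250 characters, "x_" prefix) and treats the prefix as mandatory, which is this example's own policy choice. For context, STIX 2.1 later reintroduced the idea as the pattern_type and pattern_version properties.

```python
"""Added example (not OASIS CTI TC code): checking STIX 2.0-style Indicator
objects under the single-"pattern" proposal from the thread."""
import re

# Properties an Indicator carries under the proposal. Assumption: the STIX 2.0
# common properties plus the Indicator-specific ones; pattern_lang and
# pattern_lang_version are deliberately absent.
KNOWN_INDICATOR_PROPS = {
    "type", "id", "created", "modified", "created_by_ref", "revoked",
    "labels", "external_references", "object_marking_refs", "granular_markings",
    "name", "description", "pattern", "valid_from", "valid_until",
    "kill_chain_phases",
}

# STIX 2.0 custom-property names: lowercase ASCII, digits, underscore, 3..250
# chars. The spec says names SHOULD start with "x_"; this checker requires it.
CUSTOM_PROP_RE = re.compile(r"^x_[a-z0-9_]{1,248}$")


def validate_indicator(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = []
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    pattern = obj.get("pattern")
    if not isinstance(pattern, str) or not pattern.strip():
        problems.append("missing required property 'pattern'")
    for name in obj:
        if name in KNOWN_INDICATOR_PROPS:
            continue
        if name in ("pattern_lang", "pattern_lang_version"):
            problems.append(f"'{name}' is not part of the single-pattern proposal")
        elif not CUSTOM_PROP_RE.match(name):
            problems.append(f"'{name}' is neither a known nor a valid custom property")
    return problems


def detection_rules(obj):
    """Collect every rule the indicator carries as (language, version, body).
    The STIX Pattern lives in 'pattern'; other languages are read from the
    constructed custom properties x_example_<lang>_rule / x_example_<lang>_version."""
    rules = []
    if isinstance(obj.get("pattern"), str):
        rules.append(("stix", None, obj["pattern"]))
    for name, value in obj.items():
        m = re.match(r"^x_example_([a-z0-9]+)_rule$", name)
        if m:
            lang = m.group(1)
            rules.append((lang, obj.get(f"x_example_{lang}_version"), value))
    return rules


# --- constructed sample objects (UUID and timestamps are made up) ---
COMMON = {
    "type": "indicator",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2016-08-29T12:00:00.000Z",
    "modified": "2016-08-29T12:00:00.000Z",
    "labels": ["malicious-activity"],
    "valid_from": "2016-08-29T12:00:00Z",
}
YARA_RULE = 'rule example_dropper { strings: $s = "dropper.exe" condition: $s }'

# Draft STIX 2.0 shape: three properties carry a non-STIX language.
DRAFT_THREE_FIELD = {**COMMON, "pattern": YARA_RULE,
                     "pattern_lang": "yara", "pattern_lang_version": "3.4"}

# Proposed shape: 'pattern' holds a STIX Pattern, YARA rides in a custom property.
PROPOSED = {**COMMON,
            "pattern": "[file:name = 'dropper.exe']",
            "x_example_yara_rule": YARA_RULE,
            "x_example_yara_version": "3.4"}

# Greg Back's concern: a YARA-only indicator with nothing sensible for 'pattern'.
YARA_ONLY = {**COMMON, "x_example_yara_rule": YARA_RULE}

if __name__ == "__main__":
    for label, obj in [("draft", DRAFT_THREE_FIELD), ("proposed", PROPOSED),
                       ("yara-only", YARA_ONLY)]:
        print(label, validate_indicator(obj) or "ok", detection_rules(obj))
```

Running it shows the trade-off in one screen: the draft object is rejected only for the two removed properties, the proposed object passes and yields both a STIX and a YARA rule, and the YARA-only object is rejected for lacking "pattern", which is exactly the gap a required single property leaves for non-STIX indicators.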