cti-stix message



Subject: Re: [cti-stix] RE: Indicators and patterning


I think this would be a re-evaluation of whether we think it’s valuable to be able to use Snort and YARA patterns instead of STIX Patterns in Indicators. At the time, we opened this up as an extension because we felt that people would want to, for example, write a YARA pattern and use that in an indicator that they link to some malware. YARA, Snort, and OpenIOC are very popular languages for sharing IOCs, after all -- more so than STIX. IMO the merge of STIX and CybOX into a single Work Product doesn’t really change that reasoning.
That said, I was always relatively ambivalent on this point, so if the consensus is to remove them I wouldn’t object too much.
John
From: <cti-stix@lists.oasis-open.org> on behalf of Greg Back <gback@mitre.org>
Date: Tuesday, October 25, 2016 at 4:21 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] RE: Indicators and patterning
I think getting rid of pattern_lang and pattern_lang_version makes sense (and assume pattern-lang-ov would go away as well). My only concern with using custom properties is that if “pattern” field is required, I’m not sure what would go in that field for other types of indicators.
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Bret Jordan (CS)
Sent: Tuesday, October 25, 2016 1:36 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Indicators and patterning
All,
When we started really working on STIX 2.0 we had this idea that CybOX was going to be separate and we should treat it as a separate thing entirely. This unfortunately caused us to make some design decisions in STIX to reflect this artificial line in the sand we had drawn. Fast forward 10 months and we have now merged STIX and CybOX, and during this merge we have been able to clean up some of the weirdness that existed with the artificial line in the sand.

There is, however, one thing still in the specification that we did because of this separation, and that I would personally like us to get rid of.
In Indicators we created the following 3 fields to address the artificial separation:

    pattern
    pattern_lang
    pattern_lang_version
The idea was that if we are going to support CybOX as a separate "thing" we might also want to support "other" things. I would suggest at this stage we drop support for "other" things and just have a single "pattern" property.
If people want to do YARA or Snort, they can do it via a custom property. And if we find in a later release that lots of people want to support YARA or Snort we can then create properties for them.
Bret