cti-stix message

Subject: Re: [cti-stix] RE: Indicators and patterning

From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
To: John-Mark Gurney <jmg@newcontext.com>, "Wunder, John A." <jwunder@mitre.org>
Date: Wed, 26 Oct 2016 19:49:11 +0000

We are proposing for STIX 2.0-rc3 that we ONLY support STIX Patterns. This will give us more time to figure out what it would mean to really support SNORT or YARA in a dot release.

Bret

From: John-Mark Gurney <jmg@newcontext.com>
Sent: Wednesday, October 26, 2016 1:47:41 PM
To: Wunder, John A.
Cc: Bret Jordan (CS); Allan Thomson; Back, Greg; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] RE: Indicators and patterning

Wunder, John A. wrote this message on Tue, Oct 25, 2016 at 22:28 +0000:
> Since an indicator can now have more than one pattern we need some text to call out how they're related (are they alternatives? do they need to test for the same exact things? Is one preferred?)

If we support both/multiple, they need to be equivalent. Otherwise if
one implementation picks YARA, and the other picks native, they won't
operate the same.

--
John-Mark

References:
- Re: [cti-stix] RE: Indicators and patterning
  - From: "Wunder, John A." <jwunder@mitre.org>
- Re: [cti-stix] RE: Indicators and patterning
  - From: Allan Thomson <athomson@lookingglasscyber.com>
- Re: [cti-stix] RE: Indicators and patterning
  - From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
- Re: [cti-stix] RE: Indicators and patterning
  - From: Allan Thomson <athomson@lookingglasscyber.com>
- Re: [cti-stix] RE: Indicators and patterning
  - From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
- RE: [cti-stix] RE: Indicators and patterning
  - From: "Wunder, John A." <jwunder@mitre.org>
- Re: [cti-stix] RE: Indicators and patterning
  - From: John-Mark Gurney <jmg@newcontext.com>