Subject: Re: [cti-stix] RE: Indicators and patterning
I need to have snort support for a project I am working on. I really do not want to see that be removed.
Surely we can mandate that indicators need to have a STIX pattern in the indicator, and then they are free to provide any additional patterns they wish? That would ensure that two STIX compatible repositories would be able to know that they will definitely have a STIX pattern to match on...
Cheers
Terry MacDonald
Cosive
We are proposing for STIX 2.0-rc3 that we ONLY support STIX Patterns. This will give us more time to figure out what it would mean to really support SNORT or YARA in a dot release.
Bret
From: John-Mark Gurney <jmg@newcontext.com>
Sent: Wednesday, October 26, 2016 1:47:41 PM
To: Wunder, John A.
Cc: Bret Jordan (CS); Allan Thomson; Back, Greg; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] RE: Indicators and patterning
Wunder, John A. wrote this message on Tue, Oct 25, 2016 at 22:28 +0000:
> Since an indicator can now have more than one pattern we need some text to call out how they're related (are they alternatives? do they need to test for the same exact things? Is one preferred?)
If we support both/multiple, they need to be equivalent. Otherwise if
one implementation picks YARA, and the other picks native, they won't
operate the same.
--
John-Mark