cti-stix message
Subject: RE https://github.com/oasis-tcs/cti-stix2/issues/28
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: cti-stix@lists.oasis-open.org
- Date: Wed, 12 Jun 2019 08:48:33 -0300
I want to reply to Allan's comment in the working call meeting notes as I was not present:
Alan:
Is the proposal to add it to the pattern or add it as a separate thing in addition to STIX patterning? Jason may be suggesting adding Snort or Yara to the same pattern property and just clarify which it is.
Bret:
Jason wants to put it in the STIX pattern.
Alan:
Makes no sense to combine them into one. Why not have an enum with strings of STIX pattern, Snort, Yara, and then you put the pattern in there.
The reason I want to have this inside the SCO pattern is simple. YARA is just another way to find files (no different than matching properties on an SCO file object). Snort is just another way to find network traffic (no different than matching properties on an SCO network-traffic object).
The same is true for all of these "rudimentary patterns" people want to use. They are just different syntaxes to write an Observation _expression_.
I would like to be able to say

[ SNORT:'alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;) ] AND [ ip-address:value = '1.2.3.4' ]

or

[ YARA: < YARA HERE > ] FOLLOWED BY [ network-traffic:<foobar> ] WITHIN 5 MINUTES

This is very simple, and how I actually want to make use of these things.
I opened https://github.com/oasis-tcs/cti-stix2/issues/162 to track this.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple,
really. Double your rate of failure."
- Thomas J. Watson
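To make the proposal above concrete, here is an added example (not code from the OASIS CTI TC, the stix2 library, or the message's author) of how a consumer could take a mixed-syntax pattern of the kind Jason sketches, split it into its bracketed observation expressions, and route each one to the matching engine. The convention it assumes is hypothetical: an observation expression that opens with `SNORT:` or `YARA:` carries a foreign rule (quoted or not), and any other bracketed expression is ordinary STIX comparison syntax. The two sample patterns are the message's own, reproduced as constructed input with the closing quote of the Snort rule added.

```python
"""Hypothetical parser for mixed STIX / Snort / YARA observation expressions.

Added example; the 'SNORT:' / 'YARA:' prefix convention is an assumption
derived from the message, not a STIX specification feature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Observation:
    syntax: str   # "stix", "snort" or "yara"
    body: str     # the comparison expression or the foreign rule text


# Recognises a foreign-syntax prefix at the start of an observation expression.
FOREIGN = re.compile(r"^(SNORT|YARA)\s*:\s*(.*)$", re.DOTALL)


def split_observations(pattern: str) -> list[tuple[str, str]]:
    """Split a pattern into top-level '[...]' observation expressions and the
    operator / qualifier text between them.

    Quotes are honoured so that brackets or '->' inside a Snort rule do not
    confuse the splitter, and nested brackets are kept inside the expression.
    Returns a list of ("obs", text) and ("op", text) tuples in source order.
    """
    parts: list[tuple[str, str]] = []
    depth = 0
    quote: str | None = None      # quote character we are currently inside
    buf: list[str] = []
    for ch in pattern:
        if quote:                 # inside a quoted literal: copy verbatim
            buf.append(ch)
            if ch == quote:
                quote = None
            continue
        if ch in ("'", '"'):
            quote = ch
            buf.append(ch)
            continue
        if ch == "[":
            if depth == 0:        # text before a bracket is an operator/qualifier
                op = "".join(buf).strip()
                if op:
                    parts.append(("op", op))
                buf = []
            else:
                buf.append(ch)
            depth += 1
            continue
        if ch == "]":
            depth -= 1
            if depth == 0:
                parts.append(("obs", "".join(buf).strip()))
                buf = []
            else:
                buf.append(ch)
            continue
        buf.append(ch)
    if depth != 0 or quote:
        raise ValueError("unbalanced brackets or quotes in pattern")
    tail = "".join(buf).strip()   # trailing qualifier such as WITHIN 5 MINUTES
    if tail:
        parts.append(("op", tail))
    return parts


def classify(obs_text: str) -> Observation:
    """Decide which syntax an observation expression is written in."""
    m = FOREIGN.match(obs_text)
    if not m:
        return Observation("stix", obs_text)
    body = m.group(2).strip()
    # A foreign rule may be wrapped in one pair of quotes; strip them.
    if len(body) >= 2 and body[0] == body[-1] and body[0] in "'\"":
        body = body[1:-1]
    return Observation(m.group(1).lower(), body)


def parse_pattern(pattern: str) -> list[tuple[str, Observation | str]]:
    """Full parse: observations become Observation objects, operators stay text."""
    return [(kind, classify(text) if kind == "obs" else text)
            for kind, text in split_observations(pattern)]


def rules_by_syntax(pattern: str) -> dict[str, list[str]]:
    """Group the observation bodies by syntax so each can go to its own engine."""
    out: dict[str, list[str]] = {}
    for kind, item in parse_pattern(pattern):
        if kind == "obs":
            out.setdefault(item.syntax, []).append(item.body)
    return out


# Constructed samples: the two patterns from the message, closing quote added.
SNORT_MIX = ("[ SNORT:'alert tcp any any -> any any (content:\"ABC\"; "
             "content:\"DEF\"; distance:1;)' ]AND [ ip-address:value = '1.2.3.4' ]")
YARA_MIX = "[ YARA: < YARA HERE > ] FOLLOWED BY [ network-traffic:<foobar> ] WITHIN 5 MINUTES"

if __name__ == "__main__":
    for sample in (SNORT_MIX, YARA_MIX):
        for kind, item in parse_pattern(sample):
            print(kind, item)
```

The operator and qualifier tokens (`AND`, `FOLLOWED BY`, `WITHIN 5 MINUTES`) are left as plain strings on purpose: they belong to the STIX pattern grammar and would be evaluated by the STIX engine once each engine has reported which observations matched.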