RE https://github.com/oasis-tcs/cti-stix2/issues/28

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

I want to reply to
Allans comment in the working call meeting notes as I was not present:

          Alan:
Is the proposal is to add it to the pattern or add it as a separate thing
in addition to STIX patterning? Jason may be suggesting adding sort or
Yara to the same pattern property and just clarify which it is
          Bret:
Jason wants to put it in the STIX pattern
          Alan:
makes no sense to combine them into one. Why not have an enum with strings
of STIX pattern, snort, Yara, and then you put the pattern in there.

The reason I want
to have this inside the SCO pattern is simple. YARA is just another way
to find files (no different than a matching properties on an SCO file object).
Snort is just another way to find network traffic (no different than matching
a propertieson an SCO network-traffic object). 

The same is true
for all of these "rudimentary patterms" people want to use. They
are just different syntaxes to write an Observation _expression_. 

I would like to
be able to say [
SNORT:'alert tcp any any -> any any (content:"ABC"; content:"DEF";
distance:1;) ]AND [ip-address:value = '1.2.3.4' ]

or  

[ YARA: < YARA
HERE > ] FOLLOWED BY [ network-traffic:<foobar> ] WITHIN 5 MINUTES

This is very simple,
and how I actually want to make use of these things.

I opened https://github.com/oasis-tcs/cti-stix2/issues/162to track this.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple,
really. Double your rate of failure."

- Thomas J. Watson