Subject: Re: Re: [cti-stix] RE https://github.com/oasis-tcs/cti-stix2/issues/28
Jason, I think we understood that you were suggesting combination capability to combine both Snort + STIX2 or Yara + STIX2, etc.
My point was that if a product already supports Snort or Yara then it's likely much (but not all) of the capabilities would be defined in the single language itself and not a combination of languages.
So if someone wants to add an IP address to a signature in Snort then they would just do that. They wouldn't update the Snort signature to combine with STIX2.
Now I can see future cases where something is not possible to define wholly in Snort2 or YARA and therefore you need additional capabilities. But that seems like a running step when we're barely crawling with pattern grammar use.
If you want to combine languages then I suggest we target that capability beyond 2.1.
Allan
From:
"cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 12, 2019 at 4:48 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] RE https://github.com/oasis-tcs/cti-stix2/issues/28
I want to reply to Allan's comment in the working call meeting notes as I was not present:
Allan: Is the proposal to add it to the pattern or add it as a separate thing in addition to STIX patterning? Jason may be suggesting adding Snort or Yara to the same pattern property and just clarify which it is
Bret: Jason wants to put it in the STIX pattern
Allan: makes no sense to combine them into one. Why not have an enum with strings of STIX pattern, snort, Yara, and then you put the pattern in there.
The reason I want to have this inside the SCO pattern is simple. YARA is just another way to find files (no different than matching properties on an SCO file object). Snort is just another way to find network traffic (no different than matching properties on an SCO network-traffic object). The same is true for all of these "rudimentary patterns" people want to use. They are just different syntaxes to write an Observation Expression.
I would like to be able to say
[ SNORT:'alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;) ] AND [ ip-address:value = '1.2.3.4' ]
or
[ YARA: < YARA HERE > ] FOLLOWED BY [ network-traffic:<foobar> ] WITHIN 5 MINUTES
This is very simple, and how I actually want to make use of these things.
I opened https://github.com/oasis-tcs/cti-stix2/issues/162 to track this.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple,
really. Double your rate of failure."
- Thomas J. Watson
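To make the two positions in this thread concrete, here is an added example (not code from the STIX TC, the cti-stix2 repository, or either author) of a toy parser for the composite syntax Jason sketches: observation expressions in square brackets, each either a plain STIX comparison or prefixed with SNORT: or YARA:, joined by AND / OR / FOLLOWED BY with an optional WITHIN qualifier. A second function then splits the same composite into the per-dialect indicator records Allan's enum approach implies, using the pattern_type values STIX 2.1 later standardised (stix, snort, yara), and reports which cross-dialect operators cannot be carried across. The grammar, the sample patterns, the ipv4-addr/network-traffic comparisons and the MINUTES/HOURS time units are all constructed for this example; published STIX patterning has no dialect prefix and expresses WITHIN in SECONDS.

```python
"""Toy parser for the composite pattern syntax discussed in the thread.

Constructed example: the dialect prefix (SNORT:/YARA:) inside a STIX
observation expression is the proposal under discussion, not part of any
published STIX release. The pattern_type values in split_by_dialect() are the
ones STIX 2.1 later defined for separate indicators.
"""
import re
from dataclasses import dataclass

DIALECT_PREFIX = re.compile(r"^(SNORT|YARA)\s*:\s*", re.IGNORECASE)
OPERATORS = {"AND", "OR", "FOLLOWEDBY"}
# Assumption: WITHIN accepts MINUTES/HOURS here; the real grammar uses SECONDS only.
QUALIFIER = re.compile(r"^(WITHIN\s+\d+\s+(?:SECONDS|MINUTES|HOURS)|REPEATS\s+\d+\s+TIMES)$")


@dataclass
class Observation:
    dialect: str  # "stix", "snort" or "yara"
    body: str     # comparison expression, Snort rule text or YARA rule text


@dataclass
class CompositePattern:
    observations: list
    operators: list   # one operator between each pair of observations
    qualifiers: list  # trailing qualifiers such as "WITHIN 5 MINUTES"


def _scan_observation(text, start):
    """Return the index of the ']' closing the '[' at `start`, ignoring brackets inside quotes."""
    quote = None
    i = start + 1
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == "\\":
                i += 1            # skip an escaped character inside a quoted string
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "]":
            return i
        i += 1
    raise ValueError("unterminated observation expression")


def parse_composite(text):
    """Split a composite pattern into dialect-tagged observations, operators and qualifiers."""
    observations, operators, qualifiers = [], [], []
    i = 0
    while i < len(text):
        if text[i] == "[":
            end = _scan_observation(text, i)
            raw = text[i + 1:end].strip()
            m = DIALECT_PREFIX.match(raw)
            if m:
                body = raw[m.end():].strip()
                if len(body) >= 2 and body[0] == body[-1] and body[0] in "'\"":
                    body = body[1:-1]   # drop the quotes wrapping the foreign rule text
                observations.append(Observation(m.group(1).lower(), body))
            else:
                observations.append(Observation("stix", raw))
            i = end + 1
        else:
            nxt = text.find("[", i)
            if nxt == -1:
                nxt = len(text)
            glue = " ".join(text[i:nxt].split())   # collapse whitespace between expressions
            i = nxt
            if not glue:
                continue
            token = glue.upper().replace("FOLLOWED BY", "FOLLOWEDBY")
            if token in OPERATORS:
                operators.append(token)
            elif QUALIFIER.match(token):
                qualifiers.append(token)
            else:
                raise ValueError(f"unexpected token between observations: {glue!r}")
    if len(operators) != len(observations) - 1:
        raise ValueError("observations and operators do not line up")
    return CompositePattern(observations, operators, qualifiers)


def split_by_dialect(composite):
    """The enum alternative: one indicator per observation, tagged with pattern_type.

    Returns the indicator records and the operators/qualifiers that are lost
    because separate indicators cannot express cross-dialect sequencing.
    """
    indicators = []
    for obs in composite.observations:
        pattern = f"[{obs.body}]" if obs.dialect == "stix" else obs.body
        indicators.append({"type": "indicator", "pattern_type": obs.dialect, "pattern": pattern})
    return indicators, composite.operators + composite.qualifiers


# Constructed sample patterns modelled on the two examples in the message above.
SAMPLE_SNORT_AND_IP = (
    "[ SNORT:'alert tcp any any -> any any (content:\"ABC\"; content:\"DEF\"; distance:1;)' ] "
    "AND [ ipv4-addr:value = '1.2.3.4' ]"
)
SAMPLE_YARA_THEN_TRAFFIC = (
    "[ YARA:'rule drop { strings: $a = \"ABC\" condition: $a }' ] "
    "FOLLOWED BY [ network-traffic:dst_port = 4444 ] WITHIN 5 MINUTES"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SNORT_AND_IP, SAMPLE_YARA_THEN_TRAFFIC):
        parsed = parse_composite(sample)
        records, lost = split_by_dialect(parsed)
        print(parsed)
        print("as separate indicators:", records)
        print("lost when split:", lost)
```

Running it on the second sample shows the trade-off directly: the composite form keeps FOLLOWEDBY and WITHIN 5 MINUTES, while the split form yields a yara indicator and a stix indicator with no way to say that one must follow the other.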