cti-users message



Subject: Indicators/Observed Data based on snort rules


Hello STIX Community!

 

What would be your recommendation for mapping snort rules into STIX indicators?

 

Example, snort rule:

49888

MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt

 

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )

 

Network Traffic object:

http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.html#_Toc496716259

Seems not to be able to address that? (I am not able to define a "contain" condition.) The same for file objects.

 

Could not find any solution when looking at CybOX or STIX patterning, probably I am missing something simple here.

Any hints?

 

 

Regards,

Michal

 

----

Michal Garcarz | Managed Security Services Architect
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
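As an added worked example (not part of Michal's message, and not code from the STIX specification or any Snort project): a standard-library-only Python script that parses the Snort rule quoted above and emits a STIX 2.0 Indicator. The "contains" semantics the message asks about are expressed with the MATCHES comparison operator from STIX 2.0 Part 5 (Patterning), applied to artifact:payload_bin in the same form as the spec's own pcap example, with the content bytes rendered as a regular expression. Everything else is a mapping choice made here and is an assumption: file_data content maps to artifact:payload_bin, classtype trojan-activity maps to the malicious-activity label, the Snort sid is carried as an external reference in gid:sid:rev form, and the url reference is prefixed with http:// as Snort's default reference.config does.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed input: the Snort rule quoted in the message above, copied verbatim.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
    'flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, '
    'policy security-ips drop, service ftp-data, service http, service imap, '
    'service pop3; reference:url,virustotal.com/gui/file/'
    '38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)

# Snort classtype -> STIX 2.0 indicator-label-ov value (this mapping is an assumption).
CLASSTYPE_TO_LABEL = {"trojan-activity": "malicious-activity"}


def parse_snort_options(rule):
    """Return the rule's option body as an ordered list of (keyword, value).

    A ';' inside double quotes does not end an option (msg text may contain one),
    so the body is scanned character by character rather than split on ';'.
    Backslash escapes inside quotes are carried through untouched.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, in_quotes, i = [], "", False, 0
    while i < len(body):
        ch = body[i]
        if in_quotes and ch == "\\" and i + 1 < len(body):
            buf += body[i:i + 2]          # keep \" \; \\ \| as written
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            key, _, value = buf.strip().partition(":")
            options.append((key, value.strip()))
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():                       # final option without a trailing ';'
        key, _, value = buf.strip().partition(":")
        options.append((key, value.strip()))
    return options


def content_to_bytes(value):
    """Decode a Snort content argument into raw bytes.

    Text outside |...| is literal; text inside |...| is space-separated hex.
    Negated ('!') contents and escaped pipes are out of scope for this example.
    """
    value = value.strip().strip('"')
    out = b""
    for idx, segment in enumerate(value.split("|")):
        if idx % 2:                       # odd-numbered segments sit between pipes
            out += bytes.fromhex(segment.replace(" ", ""))
        else:
            out += segment.encode("latin-1")
    return out


def bytes_to_stix_regex(data):
    """Render bytes as a regex for a STIX MATCHES comparison.

    ASCII letters and digits stay literal; every other byte becomes \\xNN, which
    also neutralises regex metacharacters. The backslash is doubled because the
    regex is embedded in a STIX single-quoted string literal, the same form the
    payload_bin example in STIX 2.0 Part 5 uses.
    """
    return "".join(
        chr(b) if b < 128 and chr(b).isalnum() else "\\\\x%02x" % b for b in data
    )


def snort_to_stix_indicator(rule, now=None):
    """Build a STIX 2.0 Indicator dict from one Snort alert rule."""
    opts = parse_snort_options(rule)
    first = {k: v for k, v in reversed(opts)}   # first occurrence of a keyword wins
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")

    # Each content: option becomes one comparison on the decoded payload;
    # the rule requires all of them to hit, hence AND.
    comparisons = [
        "artifact:payload_bin MATCHES '%s'" % bytes_to_stix_regex(content_to_bytes(v))
        for k, v in opts if k == "content"
    ]
    if not comparisons:
        raise ValueError("rule has no content: option to translate")

    refs = [{"source_name": "snort",             # gid:sid:rev form is a choice made here
             "external_id": "%s:%s:%s" % (first.get("gid", "1"), first["sid"], first.get("rev", "1"))}]
    for k, v in opts:
        if k == "reference":
            scheme, _, target = v.partition(",")
            if scheme == "url":           # assumed http:// prefix, as in Snort's default reference.config
                refs.append({"source_name": "url", "url": "http://" + target})

    return {                              # required 2.0 Indicator fields plus name/external_references
        "type": "indicator",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": first["msg"].strip('"'),
        "labels": [CLASSTYPE_TO_LABEL.get(first.get("classtype"), "malicious-activity")],
        "pattern": "[" + " AND ".join(comparisons) + "]",
        "valid_from": ts,
        "external_references": refs,
    }


if __name__ == "__main__":
    print(json.dumps(snort_to_stix_indicator(SNORT_RULE), indent=2))
```

Running the script prints an Indicator whose pattern is `[artifact:payload_bin MATCHES 'rzutBEZO3egDqfR5oJivHw\\x2fmd8lN6fjshs2']`; the regex form is what lets the pattern express "payload contains these bytes", since STIX 2.0 has no dedicated contains operator. Note that the flow, fast_pattern and metadata options carry detection-engine tuning rather than observable facts, so they are deliberately not translated. STIX 2.1 later added a pattern_type property (with values including snort), which allows a rule to be carried verbatim instead of translated; in 2.0 the pattern must be written in the STIX patterning language as above.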


