Subject: Indicators/Observed Data based on snort rules
Hello STIX Community! What would be your recommendation for mapping snort rules into STIX indicators? Example, snort rule:

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )

Network Traffic object: seems not to be able to address that? (I am not able to define a 'contain' condition.) The same for file objects. Could not find any solution when looking at CybOX or STIX patterning; probably I am missing something simple here. Any hints?

Regards,
Michal

----
Michal Garcarz | Managed Security Services Architect | Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH | Krakow SOC, Poland | tel. +48123211296 | email: mgarcarz@cisco.com | GPG Fingerprint: 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51 | Working Hours: M-F 8-17 EMEA/CET | ata-soc-ext@cisco.com
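One way to carry a rule like this into STIX 2.1, given as an added example rather than code from this thread: STIX 2.1 Indicators accept pattern_type "snort", so the rule can be shipped verbatim (keeping its byte-level content match), and the sample hash in the VirusTotal reference can be expressed as a native STIX pattern alongside it. The rule string is a constructed copy of the one quoted above, the parser and object builder are mine (standard library only), and treating the /file/<hash> URL segment as the sample's SHA-256 is an assumption.

```python
import re
import uuid
from datetime import datetime, timezone

# Copy of the Snort rule quoted in the post (sid 49888), used here as sample input.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet '
    'malicious dropper download attempt"; flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, '
    'policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, '
    'service http, service imap, service pop3; reference:url,virustotal.com/gui/file/'
    '38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)

def parse_rule_options(rule):
    """Return the option block of a Snort rule as ordered (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    # Split on ';' only where an even number of double quotes follows, i.e. outside a quoted value.
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        key, _, val = part.strip().partition(":")
        if key:
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs

def snort_to_indicators(rule):
    """Build STIX 2.1 Indicator dicts for one Snort rule: the rule itself with pattern_type
    'snort' (so the byte-level 'content' match survives unchanged), plus a native STIX hash
    pattern when a VirusTotal file URL is referenced (assumption: /file/<hash> is the SHA-256)."""
    opts = parse_rule_options(rule)
    first = dict(reversed(opts))  # first value wins for repeated keywords such as 'content'
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    snort_id = f"{first.get('gid', '1')}:{first.get('sid', '?')}"
    name = first.get("msg", f"Snort rule {snort_id}")
    def indicator(pattern, pattern_type, label):
        return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
                "created": ts, "modified": ts, "valid_from": ts, "name": label,
                "indicator_types": ["malicious-activity"], "pattern": pattern,
                "pattern_type": pattern_type,
                "external_references": [{"source_name": "snort", "external_id": snort_id}]}
    indicators = [indicator(rule, "snort", name)]
    for key, val in opts:
        hit = key == "reference" and re.search(r"virustotal\.com/gui/file/([0-9a-f]{64})", val)
        if hit:  # hex digits only, so the value needs no STIX string escaping
            pattern = f"[file:hashes.'SHA-256' = '{hit.group(1)}']"
            indicators.append(indicator(pattern, "stix", f"{name} (sample SHA-256)"))
    return indicators
```

Consumers that cannot evaluate Snort syntax can still act on the second indicator, while Snort-capable sensors get the original rule unchanged.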