cti-users message



Subject: Re: [cti-users] Indicators/Observed Data based on snort rules


The STIX 2.1 specification should make this a bit easier.  In addition, a STIX 2.1 Indicator can now contain a SNORT pattern natively.  


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Oct 4, 2019, at 3:04 PM, Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

Hello STIX Community!
 
What would be your recommendation for mapping snort rules into STIX indicators?
 
Example snort rule:
49888
MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt
 
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )
 
Network Traffic object:
It seems not to be able to address that? (I am not able to define a "contain" condition). The same for file objects.
 
Could not find any solution when looking at CybOX or STIX patterning, probably I am missing something simple here.
Any hints?
 
 
Regards,
Michal
 
----
Michal Garcarz | Managed Security Services Architect
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com
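Bret's point above is that a STIX 2.1 Indicator can carry the Snort rule verbatim by setting `pattern_type` to `snort`, so the `content:` match never has to be translated into STIX patterning. The script below is an added example, not code from the thread, from Bret, or from the OASIS CTI TC: it parses the SID 49888 rule quoted in the question into header fields and options, then emits a STIX 2.1 Indicator whose `pattern` is the untouched rule text and whose name, description and `external_references` are lifted from `msg`, `classtype`, `sid`/`rev` and `reference:`. The `gid:sid:rev` form of the external id, the `http://` prefix on Snort `url` references and the `indicator_types` value are my own choices for the example, not STIX requirements.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample input: the Snort rule quoted in the thread (SID 49888), kept verbatim.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
    'flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, '
    'policy security-ips drop, service ftp-data, service http, service imap, service pop3; '
    'reference:url,virustotal.com/gui/file/'
    '38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)


def parse_snort_rule(rule):
    """Split a one-line Snort rule into header fields and (key, value) option pairs."""
    header, _, body = rule.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("unexpected Snort rule header: %r" % header)
    body = body.rstrip().rstrip(")").strip()

    # Options end with ';' only outside double quotes, so a ';' inside a
    # content:"..." string must not split it; backslash-escaped quotes are honoured.
    raw_options, buf, in_quote, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            raw_options.append(buf.strip())
            buf = ""
        else:
            buf += ch
        prev = ch
    if buf.strip():
        raw_options.append(buf.strip())

    options = []
    for opt in raw_options:
        key, _, value = opt.partition(":")   # options without a value (file_data:) give ""
        options.append((key.strip(), value.strip().strip('"')))

    return {
        "action": fields[0], "protocol": fields[1],
        "src": fields[2], "src_port": fields[3], "direction": fields[4],
        "dst": fields[5], "dst_port": fields[6],
        "options": options,
    }


def _first(parsed, key, default=""):
    """First value of a rule option, or `default` when the option is absent."""
    return next((v for k, v in parsed["options"] if k == key), default)


def snort_rule_to_indicator(rule, valid_from=None):
    """Wrap a Snort rule in a STIX 2.1 Indicator with pattern_type 'snort'."""
    p = parse_snort_rule(rule)
    ts = valid_from or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    sid, rev, gid = _first(p, "sid", "0"), _first(p, "rev", "1"), _first(p, "gid", "1")

    # Assumed layout: the rule's own gid:sid:rev id first, then each reference: option.
    # Snort "url" references omit the scheme, so http:// is prepended here (assumption
    # mirroring Snort's reference.config default).
    ext_refs = [{"source_name": "snort", "external_id": "%s:%s:%s" % (gid, sid, rev)}]
    for ref in (v for k, v in p["options"] if k == "reference"):
        system, _, target = ref.partition(",")
        if system == "url":
            ext_refs.append({"source_name": "url", "url": "http://" + target})
        else:
            ext_refs.append({"source_name": system, "external_id": target})

    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": _first(p, "msg", "Snort rule %s" % sid),
        "description": "Snort %s %s rule, classtype %s, sid %s rev %s"
                       % (p["action"], p["protocol"], _first(p, "classtype"), sid, rev),
        "indicator_types": ["malicious-activity"],
        "pattern": rule,            # rule text carried verbatim, no translation needed
        "pattern_type": "snort",
        "valid_from": ts,
        "external_references": ext_refs,
    }


def indicator_json(rule, valid_from=None):
    """Serialised STIX 2.1 Indicator, ready to place in a bundle's `objects` list."""
    return json.dumps(snort_rule_to_indicator(rule, valid_from), indent=2)


if __name__ == "__main__":
    print(indicator_json(SNORT_RULE))
```

Because `pattern` is opaque to STIX consumers when `pattern_type` is not `stix`, the parsed `msg`, `sid` and `reference:` values are the only parts a STIX-native tool can search or correlate on; that is why the example copies them into `name`, `description` and `external_references` rather than relying on the rule text alone.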


