

Subject: Re: [cti-users] Indicators/Observed Data based on snort rules


Hello Bret,

 

Thanks for the answer, indeed in:

https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070776

 

I can see:

pattern_type (required)

open-vocab

The type of pattern used in this indicator. The property is an open vocabulary and currently has the values of stix, snort, and yara.

 

I can see also libstix2 library generating indicators with:

"spec_version": "2.1",

"pattern_type": "stix",

 

But I cannot see any details anywhere on how the pattern should look for pattern_type=snort.

How is that snort rule encoded?

 

Is there any document which explains those details?

 

What is the adoption level for STIX 2.1, and are there any additional recommendations for pattern_type=snort?

 

Thanks,

Michal

 

From: Bret Jordan <jordan2175@gmail.com>
Date: Friday, 4 October 2019 at 23:07
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicators/Observed Data based on snort rules

 

The STIX 2.1 specification should make this a bit easier. In addition, a STIX 2.1 Indicator can now contain a SNORT pattern natively.

 

 

Thanks,

Bret

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."



On Oct 4, 2019, at 3:04 PM, Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

 

Hello STIX Community!

 

What would be your recommendation for mapping snort rules into STIX indicators?

 

Example snort rule:

49888

MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt

 

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )

 

Network Traffic object:

It seems not to be able to address that? (I am not able to define a "contain" condition.) The same for file objects.

 

I could not find any solution when looking at CybOX or STIX patterning; probably I am missing something simple here.

Any hints?

 

 

Regards,

Michal

 

----

Michal Garcarz | Managed Security Services Architect
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
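Putting Michal's question ("how is that snort rule encoded?") and Bret's reply together: an added example, not code from this thread, from the STIX specification or from libstix2, that wraps the Snort rule quoted above verbatim in a STIX 2.1 Indicator with pattern_type "snort". It assumes that for a non-STIX pattern type the rule text is the `pattern` string as-is, so the only encoding applied is JSON string escaping of the rule's inner quotes; the indicator_types value and the SID external reference are assumed conventions, and the rule's metadata/reference options are omitted from the constructed sample.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample: the rule quoted in the thread (sid 49888), metadata/reference options dropped.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
    'flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)
# Rule options are "key[:value];" pairs; a double-quoted value may itself
# contain ';', so the quoted form is consumed as one token.
_OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;"]*))?\s*;')

def parse_options(rule):
    """First value of each rule option, surrounding quotes removed."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for key, value in _OPTION_RE.findall(body):
        opts.setdefault(key, value.strip().strip('"'))
    return opts

def snort_to_indicator(rule):
    """Wrap a Snort rule verbatim in a STIX 2.1 Indicator with pattern_type "snort"."""
    # created/modified must be millisecond-precision RFC 3339 timestamps in UTC
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    opts = parse_options(rule)
    ind = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts, "modified": ts, "valid_from": ts,
        "name": opts.get("msg", "snort rule"),
        "indicator_types": ["malicious-activity"],  # assumed mapping for classtype trojan-activity
        "pattern": rule,  # the rule text itself; JSON escaping of the inner quotes is the only encoding
        "pattern_type": "snort",
    }
    if "sid" in opts:  # assumed convention: keep the Snort SID as an external reference
        ind["external_references"] = [{"source_name": "snort", "external_id": opts["sid"]}]
    return ind
REQUIRED = ("type", "spec_version", "id", "created", "modified", "pattern", "pattern_type", "valid_from")
def missing_required(ind):
    """Required Indicator properties that are absent (empty list means all present)."""
    return [k for k in REQUIRED if k not in ind]
def round_trips(ind):  # True when the rule survives JSON serialisation and parsing byte-for-byte
    return json.loads(json.dumps(ind))["pattern"] == ind["pattern"]
```

`json.dumps(snort_to_indicator(SNORT_RULE), indent=2)` shows the rule as one string property with `\"` around msg and content values; that is the whole of the "encoding" for pattern_type=snort under the assumption above.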


