OASIS Mailing List Archives
cti-users message



Subject: RE: [cti-users] Indicators/Observed Data based on snort rules- request -


Dear All,

 

I am receiving your conversations, but I would like to be removed from your distribution list.

Thanks for removing my email address.

 

I changed business to become responsible for a great new game producer! https://www.bannan.be

 

Kind Regards,

Michel Vermeulen, CEO Bannan bvba

 

Advertisement: see our latest board game, VALDA, race of the gods:

 


 

https://www.bannan.be

Did you know that we receive the following comments on VALDA from our first-hand players:

        The game components are amazing, it was honestly one of the nicest games I have ever opened.

        The components are top notch.

        Amaaaaazing box

        The quality of the game components is really good, the game is pretty good

        I would like to say that I really like this game after only playing it once. I think it's a great game.

        The components look great. Cannot wait to play it

        Box & design are beautifully designed and produced. Artwork is phenomenal!

        Debossed player boards give an overview and avoid the famous 'f$%k! Where are my cubes again?'

        Temples divided into phase areas are a big added value for accessibility.

        High production value overall

 

 

 

From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> On Behalf Of Michal Garcarz (mgarcarz)
Sent: Friday, 4 October 2019 23:19
To: Bret Jordan <jordan2175@gmail.com>
CC: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] Indicators/Observed Data based on snort rules

 

Hello Bret,

 

Thanks for the answer, indeed in:

https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html#_Toc16070776

 

I can see:

pattern_type (required)

open-vocab

The type of pattern used in this indicator. The property is an open vocabulary and currently has the values of stix, snort, and yara.

 

I can also see the libstix2 library generating indicators with:

"spec_version": "2.1",

"pattern_type": "stix",

 

But I cannot see any details anywhere on how the pattern should look for pattern_type=snort.

How is that snort rule encoded?

 

Is there any document which explains those details?

 

What is the adoption level for STIX 2.1, and are there any additional recommendations for pattern_type=snort?

 

Thanks,

Michal

 

From: Bret Jordan <jordan2175@gmail.com>
Date: Friday, 4 October 2019 at 23:07
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicators/Observed Data based on snort rules

 

The STIX 2.1 specification should make this a bit easier.  In addition, a STIX 2.1 Indicator can now contain a SNORT pattern natively.  

 

 

Thanks,

Bret

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

 

On Oct 4, 2019, at 3:04 PM, Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

 

Hello STIX Community !

 

What would be your recommendation for mapping snort rules into STIX indicators?

 

Example snort rule:

sid 49888

MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt

 

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )

 

Network Traffic object:

It seems not to be able to address that? (I am not able to define a "contain" condition.) The same for file objects.

 

I could not find any solution when looking at CybOX or STIX patterning; probably I am missing something simple here.

Any hints?

 

 

Regards,

Michal

 

----

Michal Garcarz | Managed Security Services Architect

Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH

Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com

GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51

Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com
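An added worked example for the two questions in this thread (how a snort rule is encoded when pattern_type=snort, and whether the rule's content: "contains" test can be expressed in STIX patterning). This is editor-written code, not part of the thread, the STIX specification, OASIS or the python-stix2 library, and it uses only the Python standard library so it runs offline. The small rule-option parser, the external_references layout, the "sid:" external_id convention, the constructed timestamp and the pattern_version string "2.9" are assumptions of the example, not requirements of the spec; the rule text itself is the one quoted above.

```python
"""Added example (not OASIS, STIX-spec or python-stix2 code): wrap a Snort rule
in a STIX 2.1 Indicator with pattern_type "snort", standard library only.
Assumed, not from the spec: the option parser, the external_references layout
and the pattern_version string "2.9"."""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed input: the rule quoted in the thread (sid 49888).
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
    'flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, '
    'policy security-ips drop, service ftp-data, service http, service imap, service pop3; '
    'reference:url,virustotal.com/gui/file/'
    '38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)
EXAMPLE_TIME = datetime(2019, 10, 4, 21, 4, 0, tzinfo=timezone.utc)  # constructed

# keyword:value; pairs; a quoted value may contain backslash-escaped characters.
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_options(rule):
    """Option block of a Snort rule as a dict; repeated content/reference
    options are collected in lists, for other keywords the last one wins."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {"content": [], "reference": []}
    for key, value in OPTION_RE.findall(body):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key in ("content", "reference"):
            opts[key].append(value)
        else:
            opts[key] = value
    return opts


def stix_timestamp(dt):
    """RFC 3339 in UTC, millisecond precision, 'Z' suffix, as STIX requires."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def snort_rule_to_indicator(rule, now=None, pattern_version="2.9"):
    """STIX 2.1 Indicator carrying the rule verbatim: the whole rule text is the
    'pattern' string (JSON escaping handles the quotes), pattern_type says which
    language it is, pattern_version the rule-language version it was tested with."""
    opts = parse_options(rule)
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    refs = [{"source_name": "snort", "external_id": f"sid:{opts.get('sid', '')}"}]
    for ref in opts["reference"]:
        system, _, value = ref.partition(",")
        if system == "url":  # Snort's default reference.config prefixes url refs with http://
            refs.append({"source_name": "url", "url": "http://" + value})
        else:
            refs.append({"source_name": system, "external_id": value})
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": opts.get("msg", "Snort rule"),
        "description": f"Snort sid:{opts.get('sid')} rev:{opts.get('rev')} classtype:{opts.get('classtype')}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "snort", "pattern_version": pattern_version, "pattern": rule,
        "external_references": refs,
    }


def round_trip(indicator):
    """Serialize to STIX JSON and parse back; the rule must come out unchanged."""
    return json.loads(json.dumps(indicator, ensure_ascii=True))


def content_to_stix_pattern(opts):
    """Lossy STIX-pattern approximation of the content: options. The nearest
    thing to 'contains' in STIX patterning is the regex operator MATCHES.
    Caveats: payload_bin is base64, so the regex only hits when the bytes are
    aligned with the encoding; flow:, file_data:, fast_pattern: and the
    service list have no STIX equivalent and are dropped."""
    terms = []
    for content in opts["content"]:
        # STIX string literals escape backslash and single quote with a backslash.
        literal = re.escape(content).replace("\\", "\\\\").replace("'", "\\'")
        terms.append(f"network-traffic:src_payload_ref.payload_bin MATCHES '{literal}'")
    return "[" + " AND ".join(terms) + "]"


def build_example():
    """The thread's rule as an Indicator, with the constructed timestamp."""
    return snort_rule_to_indicator(SNORT_RULE, now=EXAMPLE_TIME)
```

The point the thread is asking about is that there is no special encoding: for pattern_type "snort" the pattern property is the unmodified rule text, and only JSON string escaping is applied when the object is serialized, which round_trip() checks. python-stix2 accepts the same fields through stix2.v21.Indicator and only validates the pattern as a STIX pattern when pattern_type is "stix". The STIX-pattern fallback in content_to_stix_pattern() is the closest a pure STIX pattern gets to the rule's content: match, and the caveats in its docstring are the reason a consumer that needs the rule's real semantics should keep the snort pattern rather than translate it.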

 


