Subject: Re: [cti-users] Indicators/Observed Data based on snort rules
Hello STIX Community!
What would be your recommendation for mapping snort rules into STIX indicators?
Example, snort rule:
49888 | MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt |
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )
Network Traffic object:
It seems not to be able to address that? (I am not able to define a "contain" condition.) The same goes for file objects.
I could not find any solution when looking at CybOX or STIX patterning; probably I am missing something simple here.
Any hints?
Regards,
Michal
----
Michal Garcarz | Managed Security Services Architect |
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH |
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com |
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51 |
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com |
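One way to carry the rule above into a STIX 2.1 Indicator, as an added example that is not part of the original thread: STIX 2.1's pattern-type vocabulary includes "snort", so the rule can be embedded verbatim as the indicator pattern instead of being approximated with a STIX pattern. The small option parser and the hand-built JSON (no `stix2` library) are this example's own assumptions; the rule text is the one quoted in the mail.

```python
import json
import uuid
from datetime import datetime, timezone

# The Talos rule quoted in the mail, copied verbatim as the sample input.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
    'flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, service http; '
    'reference:url,virustotal.com/gui/file/'
    '38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)

def parse_snort_rule(rule):
    """Split a Snort rule into its header fields and an ordered list of
    (keyword, value) options. Options are split on ';' only outside double
    quotes so msg/content values survive. Escaped quotes are not handled."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options, buf, in_quote = [], "", False
    for ch in body.rstrip().rstrip(")"):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            kw, _, val = buf.strip().partition(":")
            options.append((kw, val.strip('"')))   # file_data:; yields ("file_data", "")
            buf = ""
        else:
            buf += ch
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def snort_to_stix_indicator(rule, now=None):
    """Wrap the rule in a STIX 2.1 Indicator with pattern_type 'snort'.
    msg/sid/rev/classtype feed name and description; each reference option
    becomes an external_reference (Snort's reference.config maps 'url' to http://)."""
    parsed = parse_snort_rule(rule)
    opts = dict(parsed["options"])
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    refs = []
    for kw, val in parsed["options"]:
        if kw == "reference":
            scheme, _, ref = val.partition(",")
            refs.append({"source_name": scheme, "url": "http://" + ref}
                        if scheme == "url" else {"source_name": scheme, "external_id": ref})
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()), "created": now, "modified": now,
            "name": opts.get("msg", "snort rule"),
            "description": "Snort sid:%s rev:%s classtype:%s" % (
                opts.get("sid"), opts.get("rev"), opts.get("classtype")),
            "indicator_types": ["malicious-activity"], "pattern": rule,
            "pattern_type": "snort", "valid_from": now, "external_references": refs}

if __name__ == "__main__":
    print(json.dumps(snort_to_stix_indicator(SNORT_RULE), indent=2))
```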