Subject: Re: [cti-users] Indicators/Observed Data based on snort rules


Hi Jason,

Thanks for the help here.

OK, I guess I have found the example:

{
  "0": {
    "type": "artifact",
    "payload_bin": "dGhpcyBpcyBhIHRlc3Q="
  }
}

Thanks,

Michal

 

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, 7 October 2019 at 19:01
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicators/Observed Data based on snort rules

RE "I am not able to define “contain” condition"

.. I presume you are referring to "contains", as in you want to match the string "rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2" inside the payload?

Please see the STIX Patterning reference; there are many examples of this. You need to leverage the MATCHES operator.

-
Jason Keirstead
Chief Architect - IBM Security Threat Management
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson




From: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date: 10/04/2019 06:06 PM
Subject: [EXTERNAL] [cti-users] Indicators/Observed Data based on snort rules
Sent by: <cti-users@lists.oasis-open.org>


Hello STIX Community!

What would be your recommendation for mapping snort rules into STIX indicators?

Example, snort rule:

49888

MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt

alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flagred, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )

Network Traffic object:

http://docs.oasis-open.org/cti/stix/v2.0/cs01/part4-cyber-observable-objects/stix-v2.0-cs01-part4-cyber-observable-objects.html#_Toc496716259

It seems unable to address that? (I am not able to define a “contain” condition.) The same goes for file objects.

Could not find any solution when looking at CybOX or STIX patterning; probably I am missing something simple here.

Any hints?

Regards,

Michal

 

----
Michal Garcarz | Managed Security Services Architect
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com
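Putting Jason's MATCHES suggestion together with the artifact example in the thread, here is an added Python example (not from the thread, nor from any OASIS or vendor code) that parses the quoted Snort rule into a STIX 2.0 Indicator whose pattern uses MATCHES on artifact:payload_bin, plus a local check that decodes payload_bin before applying the regex. The trimmed rule, the fixed timestamp, and the decode-before-match behaviour are assumptions for illustration, not spec semantics.

```python
import base64
import re
import uuid

# Constructed sample: the Snort rule quoted in the thread (sid 49888), trimmed to its core options.
SNORT_RULE = ('alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ('
              'msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
              'flow:to_client,established; file_data:; '
              'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
              'classtype:trojan-activity; sid:49888; rev:1; gid:1; )')

# One rule option: key, then either a double-quoted value or a bare value, terminated by ';'.
OPT_RE = re.compile(r'(\w+):(?:"((?:[^"\\]|\\.)*)"|([^;]*));')

def parse_snort_options(rule):
    """Return the rule-body options as {key: [values]}; plain-text content only (no |hex| segments)."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = {}
    for key, quoted, bare in OPT_RE.findall(body):
        opts.setdefault(key, []).append(quoted if quoted else bare.strip())
    return opts

def stix_string(s):
    """Escape for a STIX pattern single-quoted string literal (backslash and quote)."""
    return s.replace('\\', '\\\\').replace("'", "\\'")

def snort_to_stix_indicator(rule, now='2019-10-07T17:01:00.000Z'):
    """Map one Snort content match to a STIX 2.0 Indicator; the regex is the literal content, escaped."""
    opts = parse_snort_options(rule)
    pattern = f"[artifact:payload_bin MATCHES '{stix_string(re.escape(opts['content'][0]))}']"
    return {
        'type': 'indicator',
        'id': f'indicator--{uuid.uuid4()}',
        'created': now, 'modified': now, 'valid_from': now,  # constructed timestamp
        'labels': ['malicious-activity'],
        'name': opts['msg'][0],
        'pattern': pattern,
        'external_references': [{'source_name': 'snort', 'external_id': opts['sid'][0]}],
    }

def artifact_matches(indicator, artifact):
    """Local check (assumption): decode payload_bin, then search the regex over the raw bytes.
    Running the regex over the base64 text itself would never see the content string."""
    m = re.fullmatch(r"\[artifact:payload_bin MATCHES '(.*)'\]", indicator['pattern'])
    regex = re.sub(r'\\(.)', r'\1', m.group(1))  # undo the STIX string-literal escaping
    payload = base64.b64decode(artifact['payload_bin']).decode('latin-1')
    return re.search(regex, payload) is not None

# Constructed observables: one carrying the content string, plus the thread's "this is a test" artifact.
HIT = {'type': 'artifact', 'payload_bin': base64.b64encode(
    b'PK\x03\x04 ... rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2 ...').decode()}
MISS = {'type': 'artifact', 'payload_bin': 'dGhpcyBpcyBhIHRlc3Q='}
```

Snort content strings may also carry |hex| byte segments and modifiers such as nocase; those need a binary-aware translation, which this example deliberately leaves out.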
