OASIS Mailing List Archives

cti-users message


Subject: Re: [EXT] [cti-users] Indicators/Observed Data based on snort rules


It is also important to point out that in STIX 2.1, the SCO objects are top-level objects.  

Bret


On Oct 8, 2019, at 8:46 AM, Michal Garcarz (mgarcarz) <mgarcarz@cisco.com> wrote:

Hi Jason,
 
Thanks for the help here.
 
OK, I guess I have found the example:
 

{
  "0": {
    "type": "artifact",
    "payload_bin": "dGhpcyBpcyBhIHRlc3Q="
  }
}

 
Thanks,
Michal
 
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, 7 October 2019 at 19:01
To: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicators/Observed Data based on snort rules
 
RE "I am not able to define “contain” condition"

.. I presume you are referring to "contains", as in you want to match the string "rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2" inside the payload?

Please see the STIX Patterning reference, there are many examples of this, you need to leverage the MATCHES operator.

-
Jason Keirstead
Chief Architect - IBM Security Threat Management
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."

- Thomas J. Watson




From: "Michal Garcarz (mgarcarz)" <mgarcarz@cisco.com>
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date: 10/04/2019 06:06 PM
Subject: [EXTERNAL] [cti-users] Indicators/Observed Data based on snort rules
Sent by: <cti-users@lists.oasis-open.org>

 

Hello STIX Community!

What would be your recommendation for mapping snort rules into STIX indicators?

Example, snort rule:
 
49888
MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt
 
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data:; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1; gid:1; )
 
Network Traffic object:
It seems not to be able to address that? (I am not able to define a “contain” condition.) The same for file objects.

Could not find any solution when looking at CybOX or STIX patterning; probably I am missing something simple here.
Any hints?
 
 
Regards,
Michal
 
----
Michal Garcarz | Managed Security Services Architect
Active Threat Analytics | CCIE #25272 (RS, Sec, Wireless), CISSP, CEH
Krakow SOC, Poland | tel. +48123211296 email: mgarcarz@cisco.com
GPG Fingerprint | 7AA70853EB9DFCB7572C5EE154DA9BC91D959B51
Working Hours | M-F 8-17 EMEA/CET, ata-soc-ext@cisco.com
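The mapping the thread converges on (a Snort content match expressed with the STIX MATCHES operator, and in STIX 2.1 the Artifact as a top-level SCO referenced from Observed Data), as an added example that is not part of the original messages and is not code from OASIS, Cisco or IBM. It uses only the Python standard library. Assumptions: the rule is the one quoted above with its metadata list shortened; a MATCHES comparison on artifact:payload_bin is evaluated against the decoded payload bytes (my reading of STIX 2.1 patterning); Snort "reference:url" values get an http:// scheme; object ids are random UUIDv4; and the local matcher at the end only understands the single-observation pattern shape this script produces, so it is a check on the generated objects, not a STIX pattern engine. The header fields (direction, ports, flow) are parsed but not mapped to a network-traffic object, since the question is about the content match.

```python
"""Map a Snort rule's content match to STIX 2.1 objects (added example, stdlib only)."""
import base64
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample input: the rule quoted in the original question (metadata shortened).
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; '
    'flow:to_client,established; file_data:; '
    'content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, service http; '
    'reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; '
    'classtype:trojan-activity; sid:49888; rev:1; gid:1; )'
)


def _split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    parts, buf, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_snort_rule(rule):
    """Return the header fields and an options dict; 'content' and 'reference' may repeat."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {"content": [], "reference": []}
    for opt in _split_options(body.rstrip().rstrip(")")):
        key, _, val = opt.partition(":")
        val = val.strip()
        if key == "content":
            opts[key].append(val.strip('"'))
        elif key == "reference":
            opts[key].append(val)
        else:
            opts[key] = val.strip('"')
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": opts}


_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def snort_content_to_bytes(content):
    """Decode a Snort content string; |41 42| hex runs become raw bytes."""
    out, pos = bytearray(), 0
    for m in _HEX_RUN.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def bytes_to_pcre(data):
    """Regex matching the byte sequence literally: alphanumerics as-is, everything else as a hex escape."""
    return "".join(chr(b) if b < 0x80 and chr(b).isalnum() else "\\x%02x" % b for b in data)


def stix_string_literal(s):
    """Quote a STIX pattern string constant; backslash and single quote are escaped."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def snort_to_indicator(rule):
    """Indicator whose pattern ANDs one MATCHES comparison per content option."""
    opts = parse_snort_rule(rule)["options"]
    comparisons = ["artifact:payload_bin MATCHES "
                   + stix_string_literal(bytes_to_pcre(snort_content_to_bytes(c)))
                   for c in opts["content"]]
    refs = [{"source_name": "snort", "external_id": opts.get("sid", "unknown")}]
    for ref in opts["reference"]:
        kind, _, value = ref.partition(",")
        if kind == "url":  # assumption: Snort url references omit the scheme
            refs.append({"source_name": "url", "url": "http://" + value})
    ts = _now()
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "valid_from": ts,
            "name": opts.get("msg", "snort rule"),
            "indicator_types": ["malicious-activity"],
            "pattern": "[" + " AND ".join(comparisons) + "]",
            "pattern_type": "stix", "pattern_version": "2.1",
            "external_references": refs}


def observed_payload(payload):
    """Observed Data plus the Artifact SCO it references; both are top-level objects in 2.1."""
    artifact = {"type": "artifact", "spec_version": "2.1",
                "id": "artifact--" + str(uuid.uuid4()),
                "payload_bin": base64.b64encode(payload).decode("ascii")}
    ts = _now()
    observed = {"type": "observed-data", "spec_version": "2.1",
                "id": "observed-data--" + str(uuid.uuid4()),
                "created": ts, "modified": ts, "first_observed": ts, "last_observed": ts,
                "number_observed": 1, "object_refs": [artifact["id"]]}
    return artifact, observed


def indicator_matches_artifact(indicator, artifact):
    """Toy evaluator for the pattern shape built above: each regex is searched over the decoded payload."""
    payload = base64.b64decode(artifact["payload_bin"])
    prefix = "artifact:payload_bin MATCHES '"
    for comparison in indicator["pattern"][1:-1].split(" AND "):
        if not (comparison.startswith(prefix) and comparison.endswith("'")):
            raise ValueError("unsupported comparison: " + comparison)
        regex = re.sub(r"\\(.)", r"\1", comparison[len(prefix):-1])  # undo STIX string escaping
        if re.search(regex.encode("ascii"), payload) is None:
            return False
    return True


if __name__ == "__main__":
    indicator = snort_to_indicator(SNORT_RULE)
    art, obs = observed_payload(b"PK\x03\x04 rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2 ...")  # constructed payload
    print(json.dumps({"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
                      "objects": [indicator, art, obs]}, indent=2))
    print("matches:", indicator_matches_artifact(indicator, art))
```

The 2.0-style form quoted earlier in the thread (an `objects` map keyed by "0") is what `observed_payload` replaces with an `object_refs` list pointing at a stand-alone Artifact. Bytes from a `|..|` hex run in a Snort content string come out as `\xNN` escapes in the regex, which keeps the pattern valid for non-printable matches as well as the ASCII string in this rule.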


