CTI STIX Subcommittee

  • 1.  Indicator Patterns

    Posted 10-26-2016 18:46
    Per my discussion I brought up the other day and after having talked with John W, Allan, and Jason, I would like to propose that for STIX 2.0 we do the following:

    1) drop the "pattern_lang" and "pattern_lang_version" properties
    2) remove the "pattern-lang-ov"
    3) remove support for including SNORT and YARA in the Indicator:Pattern field.

    This will finish removing most of the artificial separation we had in the documents. Then in STIX 2.1 or 2.2, if people really need and want SNORT and YARA support, we can add it back in as separate properties, aka ("snort" and "yara") in the indicator.

    Thanks
    Bret


  • 2.  Re: [cti-stix] Indicator Patterns

    Posted 10-28-2016 05:11
    We are using embedded snort rules right now in a project. Please do not remove that functionality. We are going to be moving to STIX 2 as soon as we can, so we REALLY need that functionality.

    Cheers
    Terry MacDonald
    Cosive

    On 27 Oct. 2016 7:45 am, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:

        Per my discussion I brought up the other day and after having talked with John W, Allan, and Jason, I would like to propose that for STIX 2.0 we do the following:

        1) drop the "pattern_lang" and "pattern_lang_version" properties
        2) remove the "pattern-lang-ov"
        3) remove support for including SNORT and YARA in the Indicator:Pattern field.

        This will finish removing most of the artificial separation we had in the documents. Then in STIX 2.1 or 2.2, if people really need and want SNORT and YARA support, we can add it back in as separate properties, aka ("snort" and "yara") in the indicator.

        Thanks
        Bret
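To make the two positions in this thread concrete, here is an added example (not from the thread, OASIS, or any STIX library) that migrates a draft-era Indicator object to the layout Bret proposes while keeping the embedded Snort rule Terry relies on. It assumes, since the page does not say, that the draft "pattern_lang" vocabulary uses the values "stix", "snort" and "yara", and that the separate properties suggested for 2.1/2.2 are spelled "snort" and "yara".

```python
"""Migrate draft STIX 2.0 Indicator objects to the property layout proposed above.

Added example, not part of the thread or of any STIX specification or library.
Assumptions (not stated on the page): 'pattern_lang' takes the values 'stix',
'snort' or 'yara', and the proposed dedicated properties are 'snort' and 'yara'.
"""
import copy

DROPPED = ("pattern_lang", "pattern_lang_version")   # properties the proposal removes
RULE_LANGS = ("snort", "yara")                        # assumed pattern_lang values for rule text


def migrate_indicator(obj: dict) -> dict:
    """Return a copy of an Indicator in the proposed layout.

    - A native STIX pattern keeps its 'pattern' property.
    - A Snort or YARA rule is moved out of 'pattern' into a dedicated 'snort'
      or 'yara' property, so existing rule text is not lost on migration.
    - 'pattern_lang' and 'pattern_lang_version' are dropped in every case.
    """
    if obj.get("type") != "indicator":
        raise ValueError("not an indicator object")
    out = copy.deepcopy(obj)
    lang = out.get("pattern_lang", "stix")  # assumed default: STIX patterning
    if lang in RULE_LANGS:
        out[lang] = out.pop("pattern")
    elif lang != "stix":
        raise ValueError(f"unsupported pattern_lang: {lang}")
    for prop in DROPPED:
        out.pop(prop, None)
    return out


def validate_migrated(obj: dict) -> list:
    """List what is wrong with an indicator under the proposed rules (empty list = ok)."""
    problems = [p for p in DROPPED if p in obj]
    if "pattern" not in obj and not any(k in obj for k in RULE_LANGS):
        problems.append("no pattern, snort or yara property present")
    return problems


# Constructed sample: a draft-era indicator carrying an embedded Snort rule.
SNORT_INDICATOR = {
    "type": "indicator",
    "id": "indicator--00000000-0000-0000-0000-000000000001",  # placeholder id
    "pattern_lang": "snort",
    "pattern_lang_version": "2.9",
    "pattern": 'alert tcp any any -> any 80 (msg:"constructed example"; sid:1000001;)',
    "labels": ["malicious-activity"],
}
```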
    We are using embedded snort rules right now in a project. Please do not remove that functionality. We are going to be moving to STIX 2 as soon as we can, so we REALLY need that functionality. Cheers Terry MacDonald Cosive On 27 Oct. 2016 7:45 am, "Bret Jordan (CS)" < Bret_Jordan@symantec.com > wrote: Per my discussion I brought up the other day and after having talked with John W, Allan, and Jason, I would like to propose that for STIX 2.0 we do the following: 1) drop the "pattern_lang" and "pattern_lang_version"  properties 2) remove the "pattern-lang-ov" 3) remove support for including SNORT and YARA in the Indicator:Pattern field.  This will finish removing most of the artificial separation we had in the documents.  Then in STIX 2.1 or 2.2, if people really need and want SNORT and YARA support, we can add it back in as separate properties, aka ("snort" and "yara") in the indicator.  Thanks Bret