It is not "multiple" in my proposal - it's plain SCO pattern. You just allow the optional use of external syntaxes for the observation expression.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson

From: Allan Thomson <athomson@lookingglasscyber.com>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 06/12/2019 11:23 AM
Subject: [EXTERNAL] Re: Re: [cti-stix] RE https://github.com/oasis-tcs/cti-stix2/issues/28

I
disagree that it needs to be deprecated. You could easily just add an enum that says the string contains multiple in future for combinational language strings and define rules on how you qualify the content, as has been suggested, to do that. I just don't think we should be doing that as step 1, which is what you are suggesting.

Allan

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 12, 2019 at 7:12 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: Re: [cti-stix] RE
https://github.com/oasis-tcs/cti-stix2/issues/28

"So if someone wants to add an IP address to a signature in Snort then they would just do that. They wouldn't update the Snort signature to combine with STIX2."

It's not about that. It is about using Snort for the network traffic part and YARA for the file part and being able to combine them both in an indicator in STIX. Something neither language can do today. There are toolchains that support both Snort and YARA.

I did create the separate Github item for tracking: https://github.com/oasis-tcs/cti-stix2/issues/162

However it should be noted that that is basically going to deprecate this property once implemented. So we are going forward with something we already know will be deprecated.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple,
really. Double your rate of failure." - Thomas J. Watson

From: Allan Thomson <athomson@lookingglasscyber.com>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 06/12/2019 10:57 AM
Subject: [EXTERNAL] Re: [cti-stix] RE https://github.com/oasis-tcs/cti-stix2/issues/28
Sent by: <cti-stix@lists.oasis-open.org>

Jason
I think we understood that you were suggesting combination capability to combine both Snort + STIX2 or Yara + STIX2 etc. My point was that if a product already supports Snort or Yara then it's likely much (but not all) of the capabilities would be defined in the single language itself and not a combination of languages.

So if someone wants to add an IP address to a signature in Snort then they would just do that. They wouldn't update the Snort signature to combine with STIX2.

Now I can see future cases where something is not possible to define wholly in Snort2 or YARA and therefore you need additional capabilities. But that seems like a running step when we're barely crawling with pattern grammar use.

If you want to combine languages then I suggest we target that capability beyond 2.1.

Allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 12, 2019 at 4:48 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] RE
https://github.com/oasis-tcs/cti-stix2/issues/28

I want to reply to Allan's comment in the working call meeting notes as I was not present:

  Alan: Is the proposal to add it to the pattern or add it as a separate thing in addition to STIX patterning? Jason may be suggesting adding Snort or Yara to the same pattern property and just clarify which it is.
  Bret: Jason wants to put it in the STIX pattern.
  Alan: Makes no sense to combine them into one. Why not have an enum with strings of STIX pattern, snort, Yara, and then you put the pattern in there.

The reason I want to have this inside the SCO pattern is simple. YARA is just another way to find files (no different than matching properties on an SCO file object). Snort is just another way to find network traffic (no different than matching properties on an SCO network-traffic object). The same is true for all of these "rudimentary patterns" people want to use. They are just different syntaxes to write an Observation Expression.

I would like to be able to say

  [ SNORT:'alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)' ] AND [ ip-address:value = '1.2.3.4' ] or [ YARA: < YARA HERE > ] FOLLOWED BY [ network-traffic:<foobar> ] WITHIN 5 MINUTES

This is very simple, and how I actually want to make use of these things. I opened https://github.com/oasis-tcs/cti-stix2/issues/162 to track this.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson
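The two shapes argued over in this thread, side by side, as an added example (my code, not anything posted by Jason, Allan, or the OASIS CTI project). Approach A is the enum Allan describes in the meeting notes: one indicator per rule, tagged with the language the pattern string is in; STIX 2.1 later took this shape as the `pattern_type` property, whose vocabulary values are used below. Approach B is Jason's sketch: one STIX pattern whose observation expressions may be written in an external syntax. The `SNORT:`/`YARA:` prefix, the single-quote delimiting of the external rule, and the `parse_composite` splitter are assumptions made here to give that sketch a parseable form; they are not STIX syntax. The two sample rules are constructed and match nothing meaningful.

```python
"""Added example: Allan's per-indicator enum (approach A) beside Jason's
composite pattern with external-syntax observation expressions (approach B).
The composite syntax is an assumption, not STIX."""
import re
import uuid
from datetime import datetime, timezone

# Constructed sample rules; they exist only to exercise the code.
SNORT_RULE = 'alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;)'
YARA_RULE = 'rule abc_marker { strings: $a = "ABC" condition: $a }'

# Values of the STIX 2.1 pattern-type open vocabulary.
PATTERN_TYPES = {"stix", "pcre", "sigma", "snort", "suricata", "yara"}


def single_syntax_indicator(pattern_type: str, pattern: str, name: str) -> dict:
    """Approach A: the rule is carried verbatim, tagged by pattern_type."""
    if pattern_type not in PATTERN_TYPES:
        raise ValueError(f"unknown pattern_type: {pattern_type!r}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "pattern_type": pattern_type,
        "pattern": pattern,
        "valid_from": now,
    }


# Approach B (assumed syntax).  One bracketed observation expression is either
# an external rule (group 1 = syntax, group 2 = single-quoted rule body with
# backslash escapes) or a plain STIX comparison expression (group 3).
OBS_RE = re.compile(r"\[\s*(?:(SNORT|YARA)\s*:\s*'((?:[^'\\]|\\.)*)'|([^\]]+?))\s*\]")
OPERATOR_RE = re.compile(r"^\s*(AND|OR|FOLLOWEDBY)\s*$")
EXTERNAL_PREFIX_RE = re.compile(r"^(SNORT|YARA)\s*:")


def parse_composite(pattern: str) -> tuple:
    """Split a composite pattern into its observation expressions, the
    operators joining them, and any trailing qualifier (e.g. WITHIN ...).
    Each expression is {"syntax": "snort" | "yara" | "stix", "body": str}."""
    parts, operators = [], []
    pos = 0
    for m in OBS_RE.finditer(pattern):
        gap = pattern[pos:m.start()]
        if parts:
            op = OPERATOR_RE.match(gap)
            if op is None:
                raise ValueError(f"expected AND/OR/FOLLOWEDBY, got {gap!r}")
            operators.append(op.group(1))
        elif gap.strip():
            raise ValueError(f"unexpected text before first expression: {gap!r}")
        if m.group(1):
            parts.append({"syntax": m.group(1).lower(), "body": m.group(2)})
        else:
            body = m.group(3).strip()
            # An external prefix whose quoted rule never closed falls through to
            # the STIX branch; refuse rather than hand Snort text to a STIX evaluator.
            if EXTERNAL_PREFIX_RE.match(body):
                raise ValueError(f"unterminated external rule: {body!r}")
            parts.append({"syntax": "stix", "body": body})
        pos = m.end()
    if not parts:
        raise ValueError("no observation expression found")
    return parts, operators, pattern[pos:].strip()


def required_engines(pattern: str) -> set:
    """Every matching engine a consumer must have to evaluate the pattern.
    A consumer missing any one of them cannot evaluate the indicator at all,
    which is the interoperability cost Allan raises against approach B."""
    parts, _, _ = parse_composite(pattern)
    return {p["syntax"] for p in parts}


# Jason's sketch in the assumed form.  FOLLOWEDBY is the actual STIX keyword
# for what the sketch wrote as "FOLLOWED BY".
COMPOSITE = (
    f"[ SNORT:'{SNORT_RULE}' ] AND [ ip-address:value = '1.2.3.4' ] "
    f"OR [ YARA:'{YARA_RULE}' ] FOLLOWEDBY [ network-traffic:dst_port = 443 ] "
    "WITHIN 5 MINUTES"
)

if __name__ == "__main__":
    print(single_syntax_indicator("snort", SNORT_RULE, "ABC/DEF marker")["pattern_type"])
    parts, ops, qualifier = parse_composite(COMPOSITE)
    for p in parts:
        print(f"{p['syntax']:>5}: {p['body'][:50]}")
    print(ops, qualifier, sorted(required_engines(COMPOSITE)))
```

`required_engines` is the practical difference between the two approaches: under approach A a consumer that lacks a YARA engine can still ingest the Snort indicator and skip the YARA one, whereas under approach B it has to reject the whole composite indicator, since it cannot evaluate one of its observation expressions.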