CTI STIX Subcommittee


RE https://github.com/oasis-tcs/cti-stix2/issues/28

  • 1.  RE https://github.com/oasis-tcs/cti-stix2/issues/28

    Posted 06-12-2019 11:49
I want to reply to Allan's comment in the working call meeting notes, as I was not present:

    Alan: Is the proposal to add it to the pattern, or add it as a separate thing in addition to STIX patterning? Jason may be suggesting adding Snort or Yara to the same pattern property and just clarify which it is
    Bret: Jason wants to put it in the STIX pattern
    Alan: makes no sense to combine them into one. Why not have an enum with strings of STIX pattern, snort, Yara, and then you put the pattern in there.

The reason I want to have this inside the SCO pattern is simple. YARA is just another way to find files (no different than matching properties on an SCO file object). Snort is just another way to find network traffic (no different than matching properties on an SCO network-traffic object). The same is true for all of these "rudimentary patterns" people want to use. They are just different syntaxes to write an Observation expression.

I would like to be able to say

    [ SNORT:'alert tcp any any -> any any (content:"ABC"; content:"DEF"; distance:1;) ] AND [ ip-address:value = '1.2.3.4' ]

or

    [ YARA: < YARA HERE > ] FOLLOWED BY [ network-traffic:<foobar> ] WITHIN 5 MINUTES

This is very simple, and how I actually want to make use of these things.

I opened https://github.com/oasis-tcs/cti-stix2/issues/162 to track this.

- Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure." - Thomas J. Watson
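To make the proposal above concrete, here is a toy parser for the mixed syntax it sketches. This is an added example and is not code from the post, from the STIX specification or from the stix2-patterns library: it treats a `SNORT:` or `YARA:` prefix inside `[ ... ]` as marking a different dialect of observation expression, keeps the STIX operators and qualifiers around the brackets, and groups the bodies by the engine that would have to evaluate them. The prefix form, the quoting of the foreign rule, the `WITHIN`/`REPEATS` handling and the sample patterns (the Snort rule's closing quote added, a small real YARA rule standing in for "< YARA HERE >", and `ipv4-addr` as the STIX 2.1 object type) are all assumptions made for illustration.

```python
"""Toy parser for the SNORT:/YARA:-in-brackets idea from the post (example code,
not STIX or stix2-patterns).  Prefix form, quoting and dataclasses are assumed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OPERATORS = {"AND", "OR", "FOLLOWEDBY"}
# qualifier keyword -> number of argument tokens it consumes (e.g. WITHIN 300 SECONDS)
QUALIFIER_ARITY = {"WITHIN": 2, "REPEATS": 2}
DIALECT_PREFIX = re.compile(r"^\s*(SNORT|YARA)\s*:", re.IGNORECASE)


@dataclass
class Observation:
    dialect: str                      # "stix", "snort" or "yara"
    body: str                         # rule text or STIX comparison, brackets removed
    qualifiers: List[str] = field(default_factory=list)   # e.g. ["WITHIN 300 SECONDS"]


@dataclass
class Pattern:
    observations: List[Observation]
    operators: List[str]              # one operator between each pair of observations


def _split_brackets(pattern: str) -> List[Tuple[str, str]]:
    """Split into ('obs', inner_text) and ('glue', text) pieces.

    Brackets inside quoted strings do not count, so a Snort content match or a
    YARA string may contain ']' without ending the observation expression."""
    pieces, glue, i, n = [], [], 0, len(pattern)
    while i < n:
        if pattern[i] != "[":
            glue.append(pattern[i])
            i += 1
            continue
        if "".join(glue).strip():
            pieces.append(("glue", "".join(glue).strip()))
        glue = []
        depth, quote, j = 1, None, i + 1
        while j < n and depth:
            ch = pattern[j]
            if quote:
                if ch == "\\":
                    j += 1                      # skip the escaped character
                elif ch == quote:
                    quote = None
            elif ch in "'\"":
                quote = ch
            elif ch == "[":
                depth += 1
            elif ch == "]":
                depth -= 1
            j += 1
        if depth:
            raise ValueError("unterminated observation expression at offset %d" % i)
        pieces.append(("obs", pattern[i + 1:j - 1]))
        i = j
    if "".join(glue).strip():
        pieces.append(("glue", "".join(glue).strip()))
    return pieces


def _observation(inner: str) -> Observation:
    m = DIALECT_PREFIX.match(inner)
    if not m:
        return Observation("stix", inner.strip())    # plain STIX comparison expression
    body = inner[m.end():].strip()
    if len(body) >= 2 and body[0] == body[-1] and body[0] in "'\"":
        body = body[1:-1]                           # drop the quotes wrapping the foreign rule
    return Observation(m.group(1).lower(), body)


def parse_pattern(pattern: str) -> Pattern:
    observations, operators = [], []
    operator_pending = False          # True when the last glue ended with an operator
    for kind, text in _split_brackets(pattern):
        if kind == "obs":
            if observations and not operator_pending:
                raise ValueError("two observation expressions without an operator")
            observations.append(_observation(text))
            operator_pending = False
            continue
        if not observations:
            raise ValueError("pattern must start with an observation expression")
        tokens = re.sub(r"FOLLOWED\s+BY", "FOLLOWEDBY", text.upper()).split()
        while tokens and tokens[0] in QUALIFIER_ARITY:   # qualifiers bind to the previous obs
            arity = QUALIFIER_ARITY[tokens[0]]
            if len(tokens) < 1 + arity:
                raise ValueError("incomplete qualifier: " + " ".join(tokens))
            observations[-1].qualifiers.append(" ".join(tokens[:1 + arity]))
            tokens = tokens[1 + arity:]
        if tokens:
            if len(tokens) != 1 or tokens[0] not in OPERATORS:
                raise ValueError("unexpected tokens between observations: " + " ".join(tokens))
            operators.append(tokens[0])
            operator_pending = True
    if operator_pending:
        raise ValueError("pattern ends with a dangling operator")
    return Pattern(observations, operators)


def dispatch(parsed: Pattern) -> Dict[str, List[str]]:
    """Group expression bodies by the engine that would have to evaluate them."""
    by_engine: Dict[str, List[str]] = {}
    for obs in parsed.observations:
        by_engine.setdefault(obs.dialect, []).append(obs.body)
    return by_engine


# Constructed samples based on the post's two examples (assumed syntax).
SAMPLE_SNORT_AND_STIX = (
    "[ SNORT:'alert tcp any any -> any any (content:\"ABC\"; content:\"DEF\"; distance:1;)' ]"
    " AND [ ipv4-addr:value = '1.2.3.4' ]"
)
SAMPLE_YARA_FOLLOWEDBY = (
    "[ YARA:'rule abc { strings: $a = \"ABC]\" condition: $a }' ]"
    " FOLLOWEDBY [ network-traffic:dst_port = 443 ] WITHIN 300 SECONDS"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SNORT_AND_STIX, SAMPLE_YARA_FOLLOWEDBY):
        parsed = parse_pattern(sample)
        print([o.dialect for o in parsed.observations], parsed.operators)
        print(dispatch(parsed))
```

The scanner is quote-aware on purpose: a Snort `content:"..."` or a YARA string can legitimately contain `]`, so bracket matching that ignores quoting would cut the foreign rule short. Whether a `WITHIN` qualifier written in minutes is acceptable, and whether the foreign rule text should be validated by the respective engine before the pattern is accepted, are open questions the post leaves to the tracking issue.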