
Detection rules (yara, snort, suricata, sigma, etc) #335

Closed
Fred-certeu opened this issue Nov 19, 2019 · 1 comment

@Fred-certeu

Problem to Solve

There is a requirement to:

  • store detection rules of various types in OpenCTI
  • associate these rules to objects such as reports, threat actors, intrusion sets, malware and attack patterns (i.e. 'this rule is good to detect this threat actor / intrusion set / ATT&CK technique / malware family, etc.')

Current Workaround

None

Proposed Solution

In MISP, detection rules are stored as attributes.
In CTI, there is no preferred way. They could be stored as observables (just need to create new types) or any other method that would be STIX compatible.

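The STIX-compatible storage the issue asks for maps directly onto the STIX 2.1 `indicator` object: its `pattern_type` open vocabulary already contains `yara`, `snort`, `suricata` and `sigma`, and its `indicates` relationship is how a rule is tied to the malware, intrusion set, threat actor or attack pattern it detects. A report is the one object in the issue's list that cannot be a target of `indicates`; it references the rule through its `object_refs` instead. The following is an added example, not code from the issue or from the OpenCTI project: it builds such a bundle with the Python standard library only and checks the two constraints above. The helper names, the YARA rule text and the malware/technique names are constructed for illustration.

```python
import json
import uuid

# STIX 2.1 pattern-type-ov: the rule types the issue lists are already in the vocabulary.
PATTERN_TYPES = {"stix", "pcre", "sigma", "snort", "suricata", "yara"}
# Object types an indicator may point at with "indicates". "report" is deliberately
# absent: a report lists the rule in its object_refs instead.
INDICATES_TARGETS = {"attack-pattern", "campaign", "infrastructure",
                     "intrusion-set", "malware", "threat-actor", "tool"}
CREATED = "2019-11-19T00:00:00.000Z"  # fixed timestamp keeps the output reproducible

def base_object(obj_type):
    """Common STIX 2.1 properties, with a '<type>--<uuid4>' identifier."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": CREATED, "modified": CREATED}

def make_indicator(name, pattern, pattern_type, valid_from=CREATED):
    """An Indicator carrying a detection rule; pattern_type says which engine reads it."""
    if pattern_type not in PATTERN_TYPES:
        raise ValueError(f"unsupported pattern_type {pattern_type!r}")
    obj = base_object("indicator")
    obj.update(name=name, pattern=pattern, pattern_type=pattern_type,
               valid_from=valid_from)
    return obj

def make_sdo(obj_type, name, **extra):
    """A named domain object (malware, attack-pattern, intrusion-set, ...)."""
    obj = base_object(obj_type)
    obj.update(name=name, **extra)
    return obj

def link_indicator(indicator, target):
    """'indicates' relationship: this rule is good at detecting that object."""
    if target["type"] not in INDICATES_TARGETS:
        raise ValueError(f"'indicates' cannot target {target['type']!r}")
    rel = base_object("relationship")
    rel.update(relationship_type="indicates",
               source_ref=indicator["id"], target_ref=target["id"])
    return rel

def make_report(name, objects):
    """A report references the rule through object_refs, not through 'indicates'."""
    rep = base_object("report")
    rep.update(name=name, published=CREATED,
               object_refs=[o["id"] for o in objects])
    return rep

def detected_types(bundle, indicator_id):
    """Types of the objects a rule claims to detect, resolved inside the bundle."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted(by_id[o["target_ref"]]["type"] for o in bundle["objects"]
                  if o["type"] == "relationship"
                  and o["relationship_type"] == "indicates"
                  and o["source_ref"] == indicator_id)

def dangling_refs(bundle):
    """object_refs in reports that do not resolve in the bundle (a common import error)."""
    ids = {o["id"] for o in bundle["objects"]}
    return [ref for o in bundle["objects"] if o["type"] == "report"
            for ref in o["object_refs"] if ref not in ids]

# Constructed YARA rule used only as sample input (hypothetical, not a real detection).
SAMPLE_YARA = ('rule sample_dropper {\n  strings:\n    $s = "dropper-marker" ascii\n'
               '  condition:\n    $s\n}')

def example_bundle():
    """Constructed bundle: one YARA rule linked to a malware family and a technique."""
    rule = make_indicator("sample_dropper (YARA)", SAMPLE_YARA, "yara")
    malware = make_sdo("malware", "SampleDropper", is_family=True)  # is_family is required in 2.1
    technique = make_sdo("attack-pattern", "Sample technique")
    rels = [link_indicator(rule, malware), link_indicator(rule, technique)]
    report = make_report("Sample report", [rule, malware, technique, *rels])
    objects = [rule, malware, technique, *rels, report]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

if __name__ == "__main__":
    print(json.dumps(example_bundle(), indent=2))
```

Running the module prints a bundle that any STIX 2.1 consumer can import; the same indicator can carry a Snort, Suricata or Sigma rule by changing `pattern_type`, and `detected_types` answers the reverse question the issue raises (which objects is this rule good at detecting). Keeping `report` out of `INDICATES_TARGETS` is deliberate: the specification defines no such relationship, so a producer that emits one will be rejected or silently dropped by strict importers.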

@richard-julien richard-julien added the feature use for describing a new feature to develop label Nov 29, 2019
@SamuelHassine SamuelHassine self-assigned this Dec 16, 2019
@SamuelHassine SamuelHassine added this to the Release 2.1.2 milestone Dec 16, 2019
@SamuelHassine SamuelHassine added the solved use to identify issue that has been solved (must be linked to the solving PR) label Dec 17, 2019
@alidhamieh

Were you able to associate any detection rules to objects such as reports, threat actors, intrusion sets, malware and attack patterns?
