---------- Forwarded message ----------
From: Kirillov, Ivan A. <[hidden email]>
Date: Wed, Feb 13, 2013 at 3:05 PM
Subject: RE: questions
To: eileen donlon <[hidden email]>
Cc: "Cyber Observables Expression (CybOX)" <[hidden email]>
Absolutely, please feel free to post this thread to our discussion list: [hidden email].
You’re right about there not being much discussion there at the moment, but this would certainly be applicable for posting, and we encourage participation from the broader community.
With respect to your question on STIX – it doesn’t solve the issues with CybOX, but rather we intend to use it to capture both the raw Snort rule (as a string) along with any contextual objects extracted using the extractor script. That way, the rule can be used as-is as an indicator, and the contextual information can be passed on for further analysis, attribution, etc. I’m in the process of getting the discussion started internally in terms of updating the CybOX use cases for the attack pattern generation and associated slides/documentation so I’ll have the responses for you on those a bit later.
From: eileen donlon [mailto:[hidden email]]
On Wed, Feb 13, 2013 at 11:17 AM, eileen donlon <[hidden email]> wrote:
On Wed, Feb 13, 2013 at 8:26 AM, Kirillov, Ivan A. <[hidden email]> wrote:
We’ve had discussions on this topic for the past two weeks, and although I can’t address all of your points individually, hopefully I can now provide you with some useful information on our stance.
As far as the specific Snort -> CybOX tool issues you’ve encountered, we’re generally re-categorizing all of our tools as “experimental” in order to better explain their nature as proof of concept. With regards to the tool itself, we’re working on updating the documentation and more importantly, re-labeling this tool as a Snort to CybOX “extractor”, as clearly the “translator” label is a misrepresentation of both this tool’s capabilities and CybOX’s ability to fully capture Snort rules. Thus, in this sense we’re extracting key patterns and features from Snort rules to enable automated analysis of such data (versus detecting on it).
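As an added illustration of the "extractor, not translator" approach described in this thread (example code written for this page, not the MITRE tool or anything posted by the participants): the raw rule is kept verbatim so it can still be used as-is, a few contextual fields are pulled out for analysis, and every option the extractor does not understand is listed rather than silently dropped. The sample rule and the output field names are constructed assumptions.

```python
import re

# Constructed sample rule in Snort 2 syntax (not taken from the thread).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC probe; constructed"; flow:to_server,established; '
    'content:"/cgi-bin/probe"; nocase; content:"|0d 0a|"; sid:1000001; rev:2;)'
)

# Header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$'
)

def split_options(text):
    """Split the option body on ';' outside double quotes -> (keyword, value) pairs."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if ''.join(buf).strip():
        parts.append(''.join(buf).strip())
    pairs = []
    for part in parts:
        if part:
            key, _, val = part.partition(':')
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs

def extract(rule):
    """Keep the rule verbatim and extract context; report what was not captured."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    opts = split_options(m.group('options'))
    return {
        'raw_rule': rule,  # usable as-is as an indicator
        'header': {k: m.group(k) for k in ('action', 'proto', 'src', 'sport', 'dir', 'dst', 'dport')},
        'msg': next((v for k, v in opts if k == 'msg'), None),
        'sid': next((int(v) for k, v in opts if k == 'sid'), None),
        'contents': [v for k, v in opts if k == 'content'],
        # Options the extractor does not model; a translator would have to capture these.
        'unextracted': sorted({k for k, _ in opts} - {'msg', 'sid', 'content'}),
    }
```

The `unextracted` list (here `flow`, `nocase`, `rev`) makes concrete why the script extracts features for analysis rather than translating the full rule.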