Re: [MAEC] [STIX] How to represent a zip file as observable


amihay gonen

Sending again, without the attachment.


On Sun, 15 Feb 2015 11:32 amihay gonen <[hidden email]> wrote:
Thanks for the information.
I've some questions; please be patient with me since I'm a "newbie" in this area.

Here are some more details on my use case:

I'm now part of a group of architects who are designing a new cyber analysis system.
My main goal is to be able to comply with STIX/MAEC/CybOX as much as possible.

The system gets "alerts" from several front-end engines (detection & analysis) and correlates them together into an object called an investigation.

An alert can contain one or more pieces of evidence (an infected file, a C&C session, etc.).

My questions are:
1. Does the following mapping make sense:
     Campaign = a set of related investigations.
     Incident = investigation
     Observable = alert; in case of several observables I'll use an observable composition.

2. One of the engines scans files and may produce an alert on a "zip" file.
What is the best way to define it?

Below is a "sample" of the engine alert (I've also attached the full alert to the mail).

This is nested JSON, where the root file is the zip (tar).


Thanks for your time.

Regards,
amihay.

{
    "profile": 1,
    "request_id": "5946946182684086273",
    "scan_date": 1419251010267,
    "single_file_result": [
        {
            "engine_results": [
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "reputation",
                    "scan_end_time": 91048713,
                    "scan_start_time": 91048712
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91049250,
                    "scan_start_time": 91048944
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91049250,
                    "scan_start_time": 91048944
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91049250,
                    "scan_start_time": 91048944
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91049250,
                    "scan_start_time": 91048944
                }
            ],
            "file_name": "",
            "file_size": 1173,
            "is_root_parent": true,
            "malicious_confidence": {
                "value": 0
            },
            "md5": "5d17b1458a627b194b0826d2c9c654f9",
            "mime_type": "application/x-rar-compressed",
            "passthrough_object": "",
            "status": "OK"
        },
        {
            "engine_results": [
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "reputation",
                    "scan_end_time": 91049724,
                    "scan_start_time": 91049724
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91050065,
                    "scan_start_time": 91049804
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91050065,
                    "scan_start_time": 91049804
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91050065,
                    "scan_start_time": 91049804
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "1 scan engine",
                    "scan_end_time": 91050065,
                    "scan_start_time": 91049804
                }
            ],
            "file_name": "/file2.txt",
            "file_size": 4,
            "is_root_parent": false,
            "malicious_confidence": {
                "value": 0
            },
            "md5": "81dc9bdb52d04dc20036dbd8313ed055",
            "mime_type": "text/plain",
            "passthrough_object": "",
            "status": "OK"
        },
        {
            "engine_results": [
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "reputation",
                    "scan_end_time": 91049744,
                    "scan_start_time": 91049743
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": " scan engine",
                    "scan_end_time": 91049862,
                    "scan_start_time": 91049788
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": " scan engine",
                    "scan_end_time": 91049862,
                    "scan_start_time": 91049788
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": " scan engine",
                    "scan_end_time": 91049862,
                    "scan_start_time": 91049788
                },
                {
                    "engine_malicious_confidence": {
                        "value": 0
                    },
                    "engine_name": "eset scan engine",
                    "scan_end_time": 91049862,
                    "scan_start_time": 91049788
                }
            ],
            "file_name": "/1.rar",
            "file_size": 1054,
            "is_root_parent": false,
            "malicious_confidence": {
                "value": 0
            },
            "md5": "6b51203b4772fa9804455710d311603d",
            "mime_type": "application/x-rar-compressed",
            "passthrough_object": "",
            "status": "OK"
        },
 
     ....
...

 


On Fri Feb 13 2015 at 9:47:54 PM Kirillov, Ivan A. <[hidden email]> wrote:

Amihay,

 

Jerome is correct – this could likely be done with a MAEC Package/Bundle as part of a STIX TTP, specifically through the use of multiple Malware Subjects (one for the zip file and one for each file contained inside). By confidence, do you mean that the engine actually produces a confidence score for its AV classification, or does that refer to just the AV classification itself? Also, if it would be possible to provide a sample of the engine's output, we could then better assist you in mapping it into STIX/MAEC.

 

Regards,

Ivan Kirillov

MITRE

 

From: Jerome Athias [mailto:[hidden email]]
Sent: Thursday, February 12, 2015 12:52 PM
To: stix-discussion-list Structured Threat Information Expression/ST
Subject: Re: [STIX] How to represent a zip file as observable

 

Hi

 

That seems to be a candidate for a MAEC Bundle.

I would suggest you join the MAEC list, providing some details.

On Thursday, February 12, 2015, amihay gonen <[hidden email]> wrote:

Hi, I have a case where an engine that detects viruses in files may produce an alert on a zip file.

I'm thinking of using an observable instance, but I'm not sure how, since the engine sends confidence on the zip file plus confidence on each file inside.

Thanks, amihay
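As an added illustration (not code from anyone in this thread, and not the python-maec library), the following Python turns the nested scan alert Amihay posted into the structure Ivan describes: one Malware Subject per scanned file, with each contained file linked to the root archive. The alert below is a constructed, trimmed copy of the posted JSON; the output dictionary only mirrors the MAEC Package/Malware Subject concepts and is not the real MAEC schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the alert posted in the thread
# (field names kept, trimmed to the root archive and two contained files).
SAMPLE_ALERT = json.dumps({
    "request_id": "5946946182684086273",
    "scan_date": 1419251010267,
    "single_file_result": [
        {"file_name": "", "file_size": 1173, "is_root_parent": True,
         "md5": "5d17b1458a627b194b0826d2c9c654f9",
         "mime_type": "application/x-rar-compressed",
         "malicious_confidence": {"value": 0},
         "engine_results": [{"engine_name": "reputation", "engine_malicious_confidence": {"value": 0}}]},
        {"file_name": "/file2.txt", "file_size": 4, "is_root_parent": False,
         "md5": "81dc9bdb52d04dc20036dbd8313ed055", "mime_type": "text/plain",
         "malicious_confidence": {"value": 0},
         "engine_results": [{"engine_name": "1 scan engine", "engine_malicious_confidence": {"value": 0}}]},
        {"file_name": "/1.rar", "file_size": 1054, "is_root_parent": False,
         "md5": "6b51203b4772fa9804455710d311603d",
         "mime_type": "application/x-rar-compressed",
         "malicious_confidence": {"value": 70},  # constructed non-zero score
         "engine_results": [{"engine_name": " scan engine", "engine_malicious_confidence": {"value": 70}}]},
    ],
})

def build_package(alert_json):
    """One MAEC-style Malware Subject per file; children point at the root archive."""
    alert = json.loads(alert_json)
    results = alert["single_file_result"]
    roots = [r for r in results if r.get("is_root_parent")]
    if len(roots) != 1:
        raise ValueError("expected exactly one root parent, got %d" % len(roots))
    root_md5 = roots[0]["md5"]
    subjects = []
    for r in results:
        # per-engine classification, keyed by engine name (whitespace stripped, as the
        # posted alert has names with a leading space)
        engines = {}
        for e in r["engine_results"]:
            engines[e["engine_name"].strip()] = e["engine_malicious_confidence"]["value"]
        subjects.append({
            "id": "malware-subject--" + r["md5"],
            "file": {"md5": r["md5"], "name": r["file_name"] or None,
                     "size": r["file_size"], "mime_type": r["mime_type"]},
            "overall_confidence": r["malicious_confidence"]["value"],
            "engine_confidence": engines,
            "contained_in": None if r["md5"] == root_md5 else root_md5,  # root has no parent
        })
    scan_time = datetime.fromtimestamp(alert["scan_date"] / 1000, tz=timezone.utc)
    return {"request_id": alert["request_id"], "scan_date": scan_time.isoformat(),
            "root_md5": root_md5, "malware_subjects": subjects,
            "max_confidence": max(s["overall_confidence"] for s in subjects)}
```

The archive-level verdict is taken as the maximum over its members, so a clean container holding one flagged file is still surfaced at the root.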