
How can I build up more complex ids #969

Open
brettforbes opened this issue Apr 28, 2023 · 1 comment

Comments

@brettforbes

We really love your tool, but currently all of the flexibility lies in what happens after one selects an id variable, like category or name.

However, I want to use the system to write STIX Pattern rules for cyber security. In this, my id variables are actually object pathways, like:

  • email-message:from_ref.value (object:property.sub-property)

Thus rules are more complicated because the object pathways are more complicated, even though the grouping and other conditions are ones you already do, for example:

  • [email-message:from_ref.value MATCHES '.+\@example\.com$' AND email-message:body_multipart[*].body_raw_ref.name MATCHES '^Final Report.+\.exe$']
  • ([file:name = 'foo.dll'] AND [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\foo\bar']) OR [process:image_ref.name = 'fooproc' OR process:image_ref.name = 'procfoo']
  • [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.33/32']
  • ([file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [windows-registry-key:key = 'HKEY_LOCAL_MACHINE\foo\bar']) WITHIN 300 SECONDS
  • [user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']

Obviously I could give you many more examples, but the main difficulty appears to be selecting an object-variable pathway, like object:property.sub-property.sub-sub-property, before selecting the comparison operator and the variable or wildcard system. All I need to do is to build those complex queries, and then in the back end I have a full grammar processing engine to process the query.

Assume I already have the data model (lists, linked lists, dicts etc.) to drive this object-variable pathway dynamically on the user interface; is it:

  1. Possible to build these more complex variables in your query builder, assuming I have the data model, so one can first select the object, then the property, then the sub-property and so on, before selecting the comparison operator and the value?
  2. Possible for you to give us a sketch of how to go about this?

We love the rest of your toolset, but making the variables more complex appears tricky.

Can you help please?

@brettforbes
Author

Please see attached a reference card describing the STIX Pattern Rules standard, for your interest.

Please do not get put off by the complexity. The main issue remains selecting objects, properties, sub-properties and so on before the comparison operator.

If you can help me do this, then I can easily handle the complexity of handling lists and dicts in addition to discrete values. Plus, from a geeky perspective, if you can do this one, then I can bring many more cyber security rule sets to your tool, like Sigma, YARA etc., which is pretty exciting.

STIX-Patterning-Quick-Reference-Card (1).pdf
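The drill-down described in the issue (object, then property, then sub-property, then operator and value) and the pattern shapes listed above, sketched as an added example that is not part of this issue or of the query-builder project. The data model `MODEL`, the helper names and the operator list are assumptions for illustration; string literals are escaped per the STIX 2.1 rules (backslash and single quote are backslash-escaped).

```javascript
// Constructed (hypothetical) data model: object type -> property tree, leaf = null.
const MODEL = {
  "network-traffic": { dst_ref: { type: null, value: null } },
  "user-account": { account_type: null, user_id: null, account_login: null },
  "file": { name: null, hashes: { MD5: null } },
};
const OPERATORS = new Set(["=", "!=", ">", "<", ">=", "<=", "IN", "LIKE", "MATCHES", "ISSUBSET", "ISSUPERSET"]);

// Choices to offer the UI at each step of the object -> property -> sub-property drill-down.
// Returns [] at a leaf, which is the signal to move on to operator and value selection.
function nextChoices(model, segments) {
  let node = model;
  for (const seg of segments) {
    if (node === null || !Object.prototype.hasOwnProperty.call(node, seg)) {
      throw new Error(`unknown path segment: ${seg}`);
    }
    node = node[seg];
  }
  return node === null ? [] : Object.keys(node);
}

// Escape a string literal per STIX 2.1: backslash and single quote are backslash-escaped,
// so a user-supplied value cannot break out of the quoted literal.
function literal(value) {
  if (typeof value === "number") return String(value);
  return `'${String(value).replace(/\\/g, "\\\\").replace(/'/g, "\\'")}'`;
}

// One comparison expression, validated against the model before it is emitted.
function comparison(model, segments, op, value) {
  if (nextChoices(model, segments).length !== 0) throw new Error("path must end at a leaf property");
  if (!OPERATORS.has(op)) throw new Error(`unknown operator: ${op}`);
  const [objectType, ...props] = segments;
  return `${objectType}:${props.join(".")} ${op} ${literal(value)}`;
}

// An observation expression: comparisons joined inside one pair of square brackets.
function observation(comparisons, joiner = "AND") {
  return `[${comparisons.join(` ${joiner} `)}]`;
}

// Whole pattern: observations joined by AND / OR / FOLLOWEDBY, parenthesised when a
// qualifier such as "WITHIN 300 SECONDS" is appended.
function pattern(observations, joiner = "AND", qualifier = "") {
  const body = observations.join(` ${joiner} `);
  return qualifier ? `(${body}) ${qualifier}` : body;
}
```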
