Open ikiril01 opened 8 years ago
We need to determine the syntax of the CybOX (?) patterning language that will be replacing the existing patterning structures. As previously discussed, a starting point could be to adopt a YARA-like syntax:
```json
"pattern": {
  "type": "twigs",
  "base64": "false",
  "content_type": "application/json",
  "charset": "utf-8",
  "properties": {
    "$prop1": { "key": "FileObject:hashes/hash/simple_hash_value", "operator": "equals", "value": "c38862b4835729d979e7940d72a48172" },
    "$prop2": { "key": "FileObject:file_name", "operator": "contains", "value": "abcd.dll" },
    "$prop3": { "key": "WinRegistryKeyObject:key", "operator": "equals", "value": ".DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127AD2-394B-70F5-C650-B97867BAA1F7" },
    "$prop4": { "key": "WinRegistryKeyObject:hive", "operator": "equals", "value": "HKEY_USERS" },
    "$prop5": { "key": "IPv4AddressObject:hive", "operator": "equals", "value": "1.2.3.4" }
  },
  "condition": "($prop1 AND $prop2) OR ($prop3 AND $prop4) FOLLOWED_BY $prop5 WITHIN 15 MINS"
}
```
Related to #420
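As an added example (not part of the issue or of the CybOX project), a small Python evaluator for the proposed structure: each `$prop` is resolved against a constructed stream of timestamped, flattened objects, and the condition string is then evaluated with `AND`, `OR` and `FOLLOWED_BY ... WITHIN n MINS`. It treats `properties` as an object keyed by `$prop` name; the IPv4 key name used for `$prop5` is an assumption.

```python
from datetime import datetime, timedelta
# Constructed pattern in the proposed syntax (only the fields this evaluator reads). The key
# "IPv4AddressObject:address_value" is an assumed name, not one taken from the issue text.
PATTERN = {
    "properties": {
        "$prop1": {"key": "FileObject:hashes/hash/simple_hash_value", "operator": "equals",
                   "value": "c38862b4835729d979e7940d72a48172"},
        "$prop2": {"key": "FileObject:file_name", "operator": "contains", "value": "abcd.dll"},
        "$prop3": {"key": "WinRegistryKeyObject:hive", "operator": "equals", "value": "HKEY_USERS"},
        "$prop5": {"key": "IPv4AddressObject:address_value", "operator": "equals", "value": "1.2.3.4"}},
    "condition": "($prop1 AND $prop2) OR $prop3 FOLLOWED_BY $prop5 WITHIN 15 MINS"}
# Constructed observation stream: (timestamp, flattened object fields).
OBSERVED = [
    (datetime(2016, 3, 1, 12, 0), {"FileObject:hashes/hash/simple_hash_value": "c38862b4835729d979e7940d72a48172",
                                    "FileObject:file_name": "C:\\Temp\\abcd.dll"}),
    (datetime(2016, 3, 1, 12, 9), {"IPv4AddressObject:address_value": "1.2.3.4"})]
OPERATORS = {"equals": lambda seen, want: seen == want, "contains": lambda seen, want: want in seen}
def first_match(prop, observed):  # timestamp of the first observation satisfying one $prop, or None
    test = OPERATORS[prop["operator"]]
    return next((ts for ts, f in observed if prop["key"] in f and test(f[prop["key"]], prop["value"])), None)
# Every sub-expression evaluates to the time at which it was satisfied, or None when it was not.
def both(a, b): return max(a, b) if a is not None and b is not None else None  # AND: later of the two
def either(a, b): return min(t for t in (a, b) if t is not None) if (a, b) != (None, None) else None  # OR
class Condition:
    """Recursive-descent evaluator; AND binds tighter than OR, FOLLOWED_BY ... WITHIN n MINS loosest."""
    def __init__(self, text, times):
        self.tok, self.i, self.times = text.replace("(", " ( ").replace(")", " ) ").split(), 0, times
    def peek(self): return self.tok[self.i] if self.i < len(self.tok) else None
    def take(self): self.i += 1; return self.tok[self.i - 1]
    def chain(self, op, sub, combine):  # left-associative loop for one binary operator
        left = sub()
        while self.peek() == op: self.take(); left = combine(left, sub())
        return left
    def conjunction(self): return self.chain("AND", self.atom, both)
    def disjunction(self): return self.chain("OR", self.conjunction, either)
    def sequence(self):  # right side must be satisfied at or after the left, inside the window
        left = self.disjunction()
        while self.peek() == "FOLLOWED_BY":
            self.take(); right = self.disjunction(); assert self.take() == "WITHIN"
            window = timedelta(minutes=int(self.take())); assert self.take() == "MINS"
            left = right if left is not None and right is not None and left <= right <= left + window else None
        return left
    def atom(self):
        tok = self.take()
        if tok == "(": value = self.sequence(); assert self.take() == ")"; return value
        return self.times[tok]
def evaluate(pattern, observed):
    """True when the observation stream satisfies the pattern's condition string."""
    times = {name: first_match(prop, observed) for name, prop in pattern["properties"].items()}
    return Condition(pattern["condition"], times).sequence() is not None
```

Note that `OR` picks the earliest satisfied branch, so the window for `FOLLOWED_BY` starts at the earliest time the left side could have been met; a real implementation would need to decide whether that is the intended semantics.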