mitre / stix2patterns_translator

Translate STIX 2 Patterning Queries
Apache License 2.0

add support for smb/smb2 network traffic extension #5

Open samcornwell opened 6 years ago

samcornwell commented 6 years ago

There are several CAR analytics which use SMB information parsed from network traffic. This is an example of an analytic which looks for writes to named pipes:

flow = search Flow:Message
smb_write = filter flow where (dest_port == "445" and protocol == "smb.write_pipe")
smb_write.pipe_name = smb_write.proto_info.pipe_name
output smb_write

STIX cannot currently represent this analytic because there is no existing extension in STIX. This proposal is to add a standard extension to be able to capture this analytic. The resulting analytic may look like the following:

[ network-traffic:dst_port = 445 AND network-traffic:protocols[*] = 'microsoft-ds' 
AND 
network-traffic:extensions.smb2-ext.command = 'write' 
AND
network-traffic:extensions.smb2-ext.file_name MATCHES '^\\\\\.\\pipe\\' ]
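The following is an added illustration of what the proposal above implies, written for this page and not code from the issue or from the stix2patterns_translator project. It maps a CAR `Flow:Message` record (the `dest_port`, `protocol` and `proto_info.pipe_name` fields used in the analytic) onto a STIX `network-traffic` object carrying the proposed `smb2-ext` extension, and then evaluates the four comparisons of the proposed pattern against such objects, including the `MATCHES` regex for a named-pipe path. The extension name and its `command`/`file_name` properties are taken from the proposal and are not part of the STIX specification; the way the CAR `protocol` value is reduced to an SMB command (`smb.write_pipe` to `write`) and the sample flow records are assumptions made here.

```python
import re

# Regex the proposed MATCHES clause applies: a Windows named-pipe path such as \\.\pipe\srvsvc.
# (The STIX pattern writes this with doubled backslashes inside the string literal;
# this is the raw regex that results.)
NAMED_PIPE_RE = re.compile(r"^\\\\\.\\pipe\\")


def car_flow_to_stix(flow):
    """Map one CAR Flow:Message record to a STIX 2 network-traffic object with the
    proposed smb2-ext extension. Assumption: a CAR protocol value like
    "smb.write_pipe" reduces to the SMB command "write"."""
    proto = flow["protocol"]
    command = proto.split(".", 1)[1].split("_", 1)[0] if "." in proto else proto
    return {
        "type": "network-traffic",
        "dst_port": int(flow["dest_port"]),
        "protocols": ["tcp", "microsoft-ds"],
        "extensions": {
            # Proposed extension from the issue; not yet a standard STIX extension.
            "smb2-ext": {
                "command": command,
                "file_name": flow["proto_info"]["pipe_name"],
            }
        },
    }


def matches_pipe_write_pattern(obj):
    """Evaluate the proposed STIX pattern's four comparisons against one SCO:
    dst_port = 445, 'microsoft-ds' in protocols[*], smb2-ext.command = 'write',
    and smb2-ext.file_name MATCHES the named-pipe regex."""
    if obj.get("type") != "network-traffic":
        return False
    if obj.get("dst_port") != 445:
        return False
    if "microsoft-ds" not in obj.get("protocols", []):
        return False
    ext = obj.get("extensions", {}).get("smb2-ext")
    if ext is None or ext.get("command") != "write":
        return False
    return NAMED_PIPE_RE.match(ext.get("file_name", "")) is not None


# Constructed sample flow records (not real telemetry): one pipe write, one pipe read,
# one write to a regular share path, and one write on a non-SMB port.
SAMPLE_FLOWS = [
    {"dest_port": "445", "protocol": "smb.write_pipe",
     "proto_info": {"pipe_name": "\\\\.\\pipe\\srvsvc"}},
    {"dest_port": "445", "protocol": "smb.read_pipe",
     "proto_info": {"pipe_name": "\\\\.\\pipe\\srvsvc"}},
    {"dest_port": "445", "protocol": "smb.write_file",
     "proto_info": {"pipe_name": "\\\\server\\share\\report.docx"}},
    {"dest_port": "8445", "protocol": "smb.write_pipe",
     "proto_info": {"pipe_name": "\\\\.\\pipe\\atsvc"}},
]


def find_pipe_writes(flows):
    """Translate each CAR flow to STIX and return the file_name of every object
    the proposed pattern would match (the analytic's `output smb_write`)."""
    return [
        obj["extensions"]["smb2-ext"]["file_name"]
        for obj in map(car_flow_to_stix, flows)
        if matches_pipe_write_pattern(obj)
    ]


if __name__ == "__main__":
    for name in find_pipe_writes(SAMPLE_FLOWS):
        print("named-pipe write:", name)
```

Only the first sample record survives all four comparisons; the read, the share-path write and the off-port write are each rejected by exactly one clause, which is the behaviour the CAR filter (`dest_port == "445" and protocol == "smb.write_pipe"`) plus the named-pipe check describes.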

samcornwell commented 6 years ago

wiki proposal: SMB Extension Proposal