Heads up! These docs are for STIX 1.1.1, which is not the latest version (1.2).

SnortTestMechanismType

Snort Test Mechanism Instance Schema

The SnortTestMechanismType specifies an instantial extension from the abstract TestMechanismType, intended to support the inclusion of a Snort rule as test mechanism content.


Fields

Field Name  Type  Description

@id (optional)  QName

Specifies a unique ID for this Test Mechanism.

@idref (optional)  QName

Specifies a reference to the ID of a Test Mechanism specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.

Efficacy (0..1)  StatementType

The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.

Producer (0..1)  InformationSourceType

The Producer field details the source of this entry.

Product_Name (0..1)  string

Name of the Snort-compatible tool that the rules were written against. If the tool has a CPE name, use of that name is suggested; otherwise a simple name like "Snort", "Suricata", or "Sourcefire" could be used.

Version (0..1)  string

The Version of Snort or Snort-compatible tool that the rules were written against.

Rule (0..n)  EncodedCDATAType

The Rule field encapsulates a Snort rule in its native format within a String field. The specification should be within a CDATA construct within the String field.

Event_Filter (0..n)  EncodedCDATAType

The Event_Filter field encapsulates a Snort event filter line in its native format within a String field. The specification should be within a CDATA construct within the String field.

Rate_Filter (0..n)  EncodedCDATAType

The Rate_Filter field encapsulates a Snort rate filter line in its native format within a String field. The specification should be within a CDATA construct within the String field.

Event_Suppression (0..n)  EncodedCDATAType

The Event_Suppression field encapsulates a Snort event suppression line in its native format within a String field. The specification should be within a CDATA construct within the String field.
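
The following Python example is added here and is not from the STIX documentation or schema: it reads a constructed fragment holding one full instance and one idref-only instance, extracts the CDATA-wrapped Snort lines, and checks the idref and 0..1 constraints listed above. The namespace URI is taken from the STIX 1.1.1 Snort extension schema rather than this page; the `snortTM` prefix, the wrapper element, the IDs, the version string and the rule text are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the STIX 1.1.1 Snort extension schema (not stated on this page).
SNORT_NS = "http://stix.mitre.org/extensions/TestMechanism#Snort-1"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SINGLE = ("Product_Name", "Version")                                 # 0..1 fields
MULTI = ("Rule", "Event_Filter", "Rate_Filter", "Event_Suppression")  # 0..n fields

# Constructed fragment (not schema-complete): one full instance, one idref reference.
SAMPLE = f"""<Test_Mechanisms xmlns:snortTM="{SNORT_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Test_Mechanism id="example:testmechanism-1" xsi:type="snortTM:SnortTestMechanismType">
    <snortTM:Product_Name>Snort</snortTM:Product_Name>
    <snortTM:Version>2.9</snortTM:Version>
    <snortTM:Rule><![CDATA[alert tcp any any -> any 80 (msg:"constructed example"; content:"a=1&b=2"; sid:1000001; rev:1;)]]></snortTM:Rule>
    <snortTM:Event_Suppression><![CDATA[suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10]]></snortTM:Event_Suppression>
  </Test_Mechanism>
  <Test_Mechanism idref="example:testmechanism-1" xsi:type="snortTM:SnortTestMechanismType"/>
</Test_Mechanisms>"""


def parse_snort_mechanisms(xml_text):
    """Return one dict per SnortTestMechanismType element, with constraint errors."""
    # The stdlib parser expands internal entities, so refuse DTDs in untrusted input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    records = []
    for tm in ET.fromstring(xml_text).iter():
        # Simplification: match the xsi:type local name without resolving its prefix.
        if not tm.get(XSI_TYPE, "").endswith(":SnortTestMechanismType"):
            continue
        rec = {"id": tm.get("id"), "idref": tm.get("idref"), "errors": []}
        rec.update({name: None for name in SINGLE})
        rec.update({name: [] for name in MULTI})
        for child in tm:
            name = child.tag.rsplit("}", 1)[-1]   # drop the "{namespace}" part
            text = (child.text or "").strip()      # CDATA arrives as plain text
            if name in MULTI:
                rec[name].append(text)
            elif name in SINGLE:
                if rec[name] is not None:
                    rec["errors"].append(f"{name} occurs more than once (0..1)")
                rec[name] = text
        # idref rule from the field table: no id attribute and no content alongside it.
        if rec["idref"] and (rec["id"] or len(tm) or (tm.text or "").strip()):
            rec["errors"].append("idref set: id and content must be absent")
        records.append(rec)
    return records
```

The CDATA wrapper is what lets the rule carry `&` and `>` unescaped; the parser hands the rule back as ordinary text, ready to be written to a rules file.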