One option when sharing indicator signatures is to use the tool-neutral Observable field of the indicator, expressed in CybOX. Another is to take a tool-specific approach and share the signature in the native language of a particular tool via the indicator's Test_Mechanisms field. The advantage of the second approach is that the signature can be loaded directly into existing tools while still being related to the rest of the STIX data model.
This idiom describes using the Yara test mechanism to share the basic Yara rule that is used on the Yara homepage.
A hypothetical producer might choose to send just a plain Yara signature (no CybOX) if they know that all of their consumers run Yara anyway. Carrying it inside a STIX indicator rather than as raw Yara allows the indicator to be used in the STIX data model later: for example, relating it to a TTP or campaign once that is discovered.
The information that the producer provides is simply the Yara signature and a Title/Description for the indicator. Given this limited information, only an Indicator is necessary to encode the information.
One other detail to note: the Producer field on the Test_Mechanism is set to provide a reference back to the original information source (the Yara homepage, given as a Reference). Note also that the rule is carried as opaque text inside the Test_Mechanism; nothing in the STIX layer validates it, so a consumer only learns whether the rule is well-formed when it compiles it with Yara itself.
<stix:Indicator id="example:indicator-567b201c-4fd5-4bde-a5db-42abc340807a" timestamp="2014-06-20T15:16:56.987616+00:00" xsi:type='indicator:IndicatorType' negate="false" version="2.1.1">
    <indicator:Title>silent_banker</indicator:Title>
    <indicator:Description>This is just an example.</indicator:Description>
    <indicator:Test_Mechanisms>
        <indicator:Test_Mechanism id="example:testmechanism-a1475567-50f7-4dae-b0d0-47c7ea8e79e1" xsi:type='yaraTM:YaraTestMechanismType'>
            <indicator:Producer>
                <stixCommon:Identity id="example:Identity-a0740d84-9fcd-44af-9033-94e76a53201e">
                    <stixCommon:Name>Yara</stixCommon:Name>
                </stixCommon:Identity>
                <stixCommon:References>
                    <stixCommon:Reference>http://plusvic.github.io/yara/</stixCommon:Reference>
                </stixCommon:References>
            </indicator:Producer>
            <yaraTM:Rule><![CDATA[
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
]]></yaraTM:Rule>
        </indicator:Test_Mechanism>
    </indicator:Test_Mechanisms>
</stix:Indicator>
#!/usr/bin/env python
# Producer: wrap the Yara rule in a STIX Indicator via the YARA test mechanism.
# Requires python-stix (pip install stix).
from stix.core import STIXPackage, STIXHeader
from stix.indicator import Indicator
from stix.common import InformationSource, Identity
from stix.extensions.test_mechanism.yara_test_mechanism import YaraTestMechanism

# The rule is carried verbatim; no CybOX translation is attempted.
rule = """
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
"""

indicator = Indicator(title="silent_banker", description="This is just an example")

tm = YaraTestMechanism()
tm.rule = rule
tm.efficacy = "Low"
# Producer points back to where the rule came from (the Yara homepage).
tm.producer = InformationSource(identity=Identity(name="Yara"))
tm.producer.references = ["http://plusvic.github.io/yara/"]

indicator.test_mechanisms = [tm]

# Emit the indicator inside a package so the namespace declarations are included.
stix_package = STIXPackage()
stix_package.stix_header = STIXHeader(title="Example YARA Test Mechanism")
stix_package.add_indicator(indicator)
print(stix_package.to_xml())
#!/usr/bin/env python
# Consumer: load the package and print each Yara rule carried as a test mechanism.
# Requires python-stix (pip install stix).
from stix.core import STIXPackage

stix_package = STIXPackage.from_xml('yara-test-mechanism.xml')

for indicator in stix_package.indicators:
    print("== INDICATOR ==")
    print("Title: " + indicator.title)
    print("Description: " + indicator.description.value)
    for tm in indicator.test_mechanisms:
        print("Producer: " + tm.producer.identity.name)
        print("Rule: %s" % tm.rule)
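The consumer above relies on python-stix and stops at printing the rule. As an added example (not from the idiom page or the python-stix project), the following script consumes the same document with only the standard library: it resolves the STIX namespaces, pulls the rule out of the yaraTM:Rule CDATA, and then does the check the STIX layer does not do for you, parsing the rule far enough to confirm that every string named in the condition is actually defined and compiling the hex and text strings to bytes so the rule can be run over a buffer. The STIX_Package wrapper around the idiom's indicator, the two sample buffers, and the parser's limits (plain hex strings only, conditions made of identifiers joined by and/or) are this example's own assumptions; a real pipeline would hand the extracted text to yara-python instead of the toy matcher, and should treat the rule as untrusted input from the producer.

```python
import re
import xml.etree.ElementTree as ET

# STIX 1.x namespace URIs used by the idiom's XML.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "stixCommon": "http://stix.mitre.org/common-1",
    "yaraTM": "http://stix.mitre.org/extensions/TestMechanism#YARA-1",
}

# Constructed sample (assumption of this example): the idiom's indicator inside a
# minimal STIX_Package so the prefixes resolve. The rule body is the page's rule.
SAMPLE_XML = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:yaraTM="http://stix.mitre.org/extensions/TestMechanism#YARA-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com" id="example:package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-567b201c-4fd5-4bde-a5db-42abc340807a"
        xsi:type="indicator:IndicatorType" negate="false" version="2.1.1">
      <indicator:Title>silent_banker</indicator:Title>
      <indicator:Test_Mechanisms>
        <indicator:Test_Mechanism id="example:testmechanism-a1475567-50f7-4dae-b0d0-47c7ea8e79e1"
            xsi:type="yaraTM:YaraTestMechanismType">
          <indicator:Producer>
            <stixCommon:Identity id="example:Identity-a0740d84-9fcd-44af-9033-94e76a53201e">
              <stixCommon:Name>Yara</stixCommon:Name>
            </stixCommon:Identity>
            <stixCommon:References>
              <stixCommon:Reference>http://plusvic.github.io/yara/</stixCommon:Reference>
            </stixCommon:References>
          </indicator:Producer>
          <yaraTM:Rule><![CDATA[
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
]]></yaraTM:Rule>
        </indicator:Test_Mechanism>
      </indicator:Test_Mechanisms>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed sample buffers: one carrying the $c alphabet string, one clean.
SAMPLE_HIT = b"MZ\x90\x00" + b"\x00" * 16 + b"UVODFRYSIHLNWPEJXQZAKCBGMT" + b"\x00" * 8
SAMPLE_CLEAN = b"MZ\x90\x00" + b"nothing of interest here"


def extract_yara_rules(xml_text):
    """Yield (indicator title, producer name, rule text) for every YARA Test_Mechanism."""
    root = ET.fromstring(xml_text)
    for ind in root.iter("{%s}Indicator" % NS["stix"]):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for tm in ind.iterfind("indicator:Test_Mechanisms/indicator:Test_Mechanism", NS):
            rule = tm.findtext("yaraTM:Rule", namespaces=NS)
            if rule is not None:  # other xsi:types (Snort, OpenIOC, ...) carry no yaraTM:Rule
                producer = tm.findtext("indicator:Producer/stixCommon:Identity/stixCommon:Name",
                                       namespaces=NS)
                yield title, producer, rule.strip()


HEADER = re.compile(r"^\s*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{")
STRING = re.compile(r'^\s*(\$\w*)\s*=\s*(\{[^}]*\}|"[^"]*")', re.M)


def parse_rule(text):
    """Minimal single-rule parser: name, tags, string patterns as bytes, condition.
    Refuses constructs it cannot evaluate instead of silently mis-evaluating them."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("not a YARA rule")
    strings = {}
    for ident, body in STRING.findall(text):
        if body[0] == "{":
            parts = body[1:-1].split()
            if not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
                raise ValueError("%s uses wildcards/jumps this parser does not handle" % ident)
            strings[ident] = bytes.fromhex("".join(parts))
        else:
            strings[ident] = body[1:-1].encode("ascii")
    cm = re.search(r"condition:\s*(.+?)\s*\}\s*$", text, re.S)
    if not cm:
        raise ValueError("rule has no condition")
    cond = " ".join(cm.group(1).split())
    # A condition naming an undefined string would not compile in YARA; catch it here.
    undefined = set(re.findall(r"\$\w*", cond)) - set(strings)
    if undefined:
        raise ValueError("condition references undefined strings: %s" % sorted(undefined))
    return {"name": m.group(1), "tags": (m.group(2) or "").split(),
            "strings": strings, "condition": cond}


def rule_matches(rule, data):
    """Evaluate conditions of the form '$x or $y and $z' (left to right, no precedence)."""
    result, op = None, None
    for tok in rule["condition"].split():
        if tok in ("or", "and"):
            op = tok
        elif tok.startswith("$"):
            hit = rule["strings"][tok] in data
            result = hit if result is None else ((result or hit) if op == "or" else (result and hit))
        else:
            raise ValueError("unsupported condition token: %s" % tok)
    return bool(result)


if __name__ == "__main__":
    for title, producer, text in extract_yara_rules(SAMPLE_XML):
        rule = parse_rule(text)
        print("%s (producer %s, tags %s): hit=%s clean=%s" % (
            title, producer, rule["tags"],
            rule_matches(rule, SAMPLE_HIT), rule_matches(rule, SAMPLE_CLEAN)))
```

The namespace map is the part most consumers get wrong: the idiom's fragment uses the stix, indicator, stixCommon and yaraTM prefixes but only the enclosing STIX_Package declares them, so a consumer that parses the bare Indicator element will not resolve yaraTM:Rule at all.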